diff --git a/.circleci/config.yml b/.circleci/config.yml
index 88e8a9b74348..658fc2212c75 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -35,7 +35,9 @@ jobs:
         command: make ci-verify
   install-ui-dependencies:
     docker:
-    - image: node:10-buster
+    - environment:
+        JOBS: 2
+      image: node:10-buster
     shell: /usr/bin/env bash -euo pipefail -c
     working_directory: /go/src/github.com/hashicorp/vault
     steps:
@@ -98,7 +100,9 @@ jobs:
     - GOTESTSUM_VERSION: 0.3.3
   test-ui:
     docker:
-    - image: node:10-buster
+    - environment:
+        JOBS: 2
+      image: node:10-buster
     shell: /usr/bin/env bash -euo pipefail -c
     working_directory: /go/src/github.com/hashicorp/vault
     resource_class: medium+
@@ -136,7 +140,9 @@ jobs:
         path: ui/test-results
   test-ui-browserstack:
     docker:
-    - image: node:10-buster
+    - environment:
+        JOBS: 2
+      image: node:10-buster
     shell: /usr/bin/env bash -euo pipefail -c
     working_directory: /go/src/github.com/hashicorp/vault
     resource_class: medium+
@@ -299,6 +305,29 @@ jobs:
     - GO_VERSION: 1.12.14
     - GO111MODULE: 'off'
     - GOTESTSUM_VERSION: 0.3.3
+  website-docker-image:
+    docker:
+    - image: circleci/buildpack-deps
+    shell: /usr/bin/env bash -euo pipefail -c
+    steps:
+    - checkout
+    - setup_remote_docker
+    - run:
+        command: |
+          echo 'export PACKAGE_LOCK_CHANGED=$(git diff --name-only $(git log --pretty=format:'%h' -n1 HEAD~1)...HEAD | grep -c website/package-lock.json)' >> $BASH_ENV
+        name: Diff package-lock.json
+    - run:
+        command: |
+          if [ "$CIRCLE_BRANCH" = "master" ] && [ $PACKAGE_LOCK_CHANGED -gt 0 ]; then
+            cd website/
+            docker build -t hashicorp/vault-website:$CIRCLE_SHA1 .
+            docker tag hashicorp/vault-website:$CIRCLE_SHA1 hashicorp/vault-website:latest
+            docker login -u $DOCKER_USER -p $DOCKER_PASS
+            docker push hashicorp/vault-website
+          else
+            echo "Not building a new website docker image - branch is not master and/or dependencies have not changed."
+          fi
+        name: Build Docker Image if Necessary
 workflows:
   ci:
     jobs:
@@ -326,6 +355,7 @@ workflows:
     - test-go-race:
         requires:
         - build-go-dev
+    - website-docker-image
   version: 2
 
 # Original config.yml file:
@@ -426,7 +456,9 @@ workflows:
 #     working_directory: /go/src/github.com/hashicorp/vault
 #   node:
 #     docker:
-#     - image: node:10-buster
+#     - environment:
+#         JOBS: 2
+#       image: node:10-buster
 #     shell: /usr/bin/env bash -euo pipefail -c
 #     working_directory: /go/src/github.com/hashicorp/vault
 #   python:
@@ -566,6 +598,29 @@ workflows:
 #           export PATH=\"${PWD}\"/bin:${PATH}
 #           make test-ui-browserstack
 #         name: Run Browserstack Tests
+#   website-docker-image:
+#     docker:
+#     - image: circleci/buildpack-deps
+#     shell: /usr/bin/env bash -euo pipefail -c
+#     steps:
+#     - checkout
+#     - setup_remote_docker
+#     - run:
+#         command: |
+#           echo 'export PACKAGE_LOCK_CHANGED=$(git diff --name-only $(git log --pretty=format:'%h' -n1 HEAD~1)...HEAD | grep -c website/package-lock.json)' >> $BASH_ENV
+#         name: Diff package-lock.json
+#     - run:
+#         command: |
+#           if [ \"$CIRCLE_BRANCH\" = \"master\" ] && [ $PACKAGE_LOCK_CHANGED -gt 0 ]; then
+#             cd website/
+#             docker build -t hashicorp/vault-website:$CIRCLE_SHA1 .
+#             docker tag hashicorp/vault-website:$CIRCLE_SHA1 hashicorp/vault-website:latest
+#             docker login -u $DOCKER_USER -p $DOCKER_PASS
+#             docker push hashicorp/vault-website
+#           else
+#             echo \"Not building a new website docker image - branch is not master and/or dependencies have not changed.\"
+#           fi
+#         name: Build Docker Image if Necessary
 # references:
 #   cache:
 #     go-sum: go-sum-v1-{{ checksum \"go.sum\" }}
@@ -599,4 +654,5 @@ workflows:
 #         - build-go-dev
 #     - test-go-race:
 #         requires:
-#         - build-go-dev
\ No newline at end of file
+#         - build-go-dev
+#     - website-docker-image
\ No newline at end of file
diff --git a/.circleci/config/@config.yml b/.circleci/config/@config.yml
index 54288b372515..47a6abb16f02 100644
--- a/.circleci/config/@config.yml
+++ b/.circleci/config/@config.yml
@@ -36,6 +36,8 @@ executors:
   node:
     docker:
       - image: *NODE_IMAGE
+        environment:
+            JOBS: 2
     shell: /usr/bin/env bash -euo pipefail -c
     working_directory: /go/src/github.com/hashicorp/vault
   python:
diff --git a/.circleci/config/jobs/website-docker-image.yml b/.circleci/config/jobs/website-docker-image.yml
new file mode 100644
index 000000000000..fb7299853204
--- /dev/null
+++ b/.circleci/config/jobs/website-docker-image.yml
@@ -0,0 +1,22 @@
+docker:
+  - image: circleci/buildpack-deps
+shell: /usr/bin/env bash -euo pipefail -c
+steps:
+  - checkout
+  - setup_remote_docker
+  - run:
+      name: Diff package-lock.json
+      command: |
+        echo 'export PACKAGE_LOCK_CHANGED=$(git diff --name-only $(git log --pretty=format:'%h' -n1 HEAD~1)...HEAD | grep -c website/package-lock.json)' >> $BASH_ENV
+  - run:
+      name: Build Docker Image if Necessary
+      command: |
+        if [ "$CIRCLE_BRANCH" = "master" ] && [ $PACKAGE_LOCK_CHANGED -gt 0 ]; then
+          cd website/
+          docker build -t hashicorp/vault-website:$CIRCLE_SHA1 .
+          docker tag hashicorp/vault-website:$CIRCLE_SHA1 hashicorp/vault-website:latest
+          docker login -u $DOCKER_USER -p $DOCKER_PASS
+          docker push hashicorp/vault-website
+        else
+          echo "Not building a new website docker image - branch is not master and/or dependencies have not changed."
+        fi
diff --git a/.circleci/config/workflows/ci.yml b/.circleci/config/workflows/ci.yml
index 8716556ccaab..af4ff61f7464 100644
--- a/.circleci/config/workflows/ci.yml
+++ b/.circleci/config/workflows/ci.yml
@@ -15,12 +15,13 @@ jobs:
         - install-ui-dependencies
         - build-go-dev
       filters:
-          branches:
-            # Forked pull requests have CIRCLE_BRANCH set to pull/XXX
-            ignore: /pull\/[0-9]+/
+        branches:
+          # Forked pull requests have CIRCLE_BRANCH set to pull/XXX
+          ignore: /pull\/[0-9]+/
   - test-go:
       requires:
         - build-go-dev
   - test-go-race:
       requires:
         - build-go-dev
+  - website-docker-image
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f510048d87f1..f262b47014b7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,6 @@
 
 IMPROVEMENTS:
 
-* auth/azure: Fix Azure compute client to use correct base URL [AZURE-27]
 * auth/jwt: Additional OIDC callback parameters available for CLI logins [JWT-80 & JWT-86]
 * auth/jwt: Bound claims may be optionally configured using globs [JWT-89]
 * core: Separate out service discovery interface from storage interface to allow
@@ -10,19 +9,40 @@ IMPROVEMENTS:
 * cli: Incorrect TLS configuration will now correctly fail [GH-8025] 
 * secrets/gcp: Allow specifying the TTL for a service key [GCP-54]
 * secrets/gcp: Add support for rotating root keys [GCP-53]
+* secrets/nomad: Add support to specify TLS options per Nomad backend [GH-8083]
+* storage/raft: Nodes in the raft cluster can all be given possible leader
+  addresses for them to continuously try and join one of them, thus automating
+  the process of join to a greater extent [GH-7856]
 
 BUG FIXES:
 
-* plugin: Fix issue where a plugin unwrap request potentially used an expired token [GH-8058]
-* secrets/database: Fix issue where a manual static role rotation could potentially panic [GH-8098]
-* secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [GH-8040]
 * ui: Update headless Chrome flag to fix `yarn run test:oss` [GH-8035]
-* ui: Change `.box-radio` height to min-height to prevent overflow issues [GH-8065]
 
 ## 1.3.2 (Unreleased)
 
+IMPROVEMENTS:
+ * auth/aws: Add aws metadata to identity alias [GH-7975]
+
 BUG FIXES:
+
+* auth/azure: Fix Azure compute client to use correct base URL [AZURE-27]
+* auth/ldap: Fix renewal of tokens without cofigured policies that are 
+  generated by an LDAP login [GH-8072]
+* auth/okta: Fix renewal of tokens without configured policies that are 
+  generated by an Okta login [GH-8072]
+* plugin: Fix issue where a plugin unwrap request potentially used an expired token [GH-8058]
+* replication: Fix issue where a forwarded request from a performance/standby node could run in 
+  a timeout 
+* secrets/database: Fix issue where a manual static role rotation could potentially panic [GH-8098]
+* secrets/database: Fix issue where a manual root credential rotation request is not forwarded
+  to the primary node [GH-8125]
+* secrets/database: Fix issue where a manual static role rotation request is not forwarded
+  to the primary node [GH-8126]
+* secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [GH-8040]
 * ui: Fix deleting namespaces [GH-8132]
+* ui: Fix Error handler on kv-secret edit and kv-secret view pages [GH-8133]
+* ui: Fix OIDC callback to check storage [GH-7929].
+* ui: Change `.box-radio` height to min-height to prevent overflow issues [GH-8065]
 
 ## 1.3.1 (December 18th, 2019)
 
diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go
index 7096f6cb4feb..75046ec0d2a0 100644
--- a/builtin/credential/aws/cli.go
+++ b/builtin/credential/aws/cli.go
@@ -13,6 +13,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/sdk/helper/awsutil"
 )
@@ -40,7 +41,8 @@ func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRe
 	// Use the credentials we've found to construct an STS session
 	region, err := awsutil.GetRegion(configuredRegion)
 	if err != nil {
-		return nil, err
+		hclog.Default().Warn(fmt.Sprintf("defaulting region to %q due to %s", awsutil.DefaultRegion, err.Error()))
+		region = awsutil.DefaultRegion
 	}
 	stsSession, err := session.NewSessionWithOptions(session.Options{
 		Config: aws.Config{
diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go
index a798a1c2497e..18123323e04f 100644
--- a/builtin/credential/ldap/path_login.go
+++ b/builtin/credential/ldap/path_login.go
@@ -133,9 +133,10 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 	password := req.Auth.InternalData["password"].(string)
 
 	loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password)
-	if len(loginPolicies) == 0 {
+	if err != nil || (resp != nil && resp.IsError()) {
 		return resp, err
 	}
+
 	finalPolicies := cfg.TokenPolicies
 	if len(loginPolicies) > 0 {
 		finalPolicies = append(finalPolicies, loginPolicies...)
diff --git a/builtin/credential/okta/path_login.go b/builtin/credential/okta/path_login.go
index 8538a7a3c957..b1fb6b857414 100644
--- a/builtin/credential/okta/path_login.go
+++ b/builtin/credential/okta/path_login.go
@@ -118,7 +118,7 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 	}
 
 	loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password)
-	if len(loginPolicies) == 0 {
+	if err != nil || (resp != nil && resp.IsError()) {
 		return resp, err
 	}
 
diff --git a/builtin/logical/nomad/backend.go b/builtin/logical/nomad/backend.go
index 32d21a231181..56c99f0f15a7 100644
--- a/builtin/logical/nomad/backend.go
+++ b/builtin/logical/nomad/backend.go
@@ -62,6 +62,15 @@ func (b *backend) client(ctx context.Context, s logical.Storage) (*api.Client, e
 		if conf.Token != "" {
 			nomadConf.SecretID = conf.Token
 		}
+		if conf.CACert != "" {
+			nomadConf.TLSConfig.CACertPEM = []byte(conf.CACert)
+		}
+		if conf.ClientCert != "" {
+			nomadConf.TLSConfig.ClientCertPEM = []byte(conf.ClientCert)
+		}
+		if conf.ClientKey != "" {
+			nomadConf.TLSConfig.ClientKeyPEM = []byte(conf.ClientKey)
+		}
 	}
 
 	client, err := api.NewClient(nomadConf)
diff --git a/builtin/logical/nomad/path_config_access.go b/builtin/logical/nomad/path_config_access.go
index 3943ae932834..3044394d4ca3 100644
--- a/builtin/logical/nomad/path_config_access.go
+++ b/builtin/logical/nomad/path_config_access.go
@@ -28,6 +28,21 @@ func pathConfigAccess(b *backend) *framework.Path {
 				Type:        framework.TypeInt,
 				Description: "Max length for name of generated Nomad tokens",
 			},
+			"ca_cert": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `CA certificate to use when verifying Nomad server certificate,
+must be x509 PEM encoded.`,
+			},
+			"client_cert": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `Client certificate used for Nomad's TLS communication,
+must be x509 PEM encoded and if this is set you need to also set client_key.`,
+			},
+			"client_key": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `Client key used for Nomad's TLS communication,
+must be x509 PEM encoded and if this is set you need to also set client_cert.`,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -101,6 +116,18 @@ func (b *backend) pathConfigAccessWrite(ctx context.Context, req *logical.Reques
 	if ok {
 		conf.Token = token.(string)
 	}
+	caCert, ok := data.GetOk("ca_cert")
+	if ok {
+		conf.CACert = caCert.(string)
+	}
+	clientCert, ok := data.GetOk("client_cert")
+	if ok {
+		conf.ClientCert = clientCert.(string)
+	}
+	clientKey, ok := data.GetOk("client_key")
+	if ok {
+		conf.ClientKey = clientKey.(string)
+	}
 
 	conf.MaxTokenNameLength = data.Get("max_token_name_length").(int)
 
@@ -126,4 +153,7 @@ type accessConfig struct {
 	Address            string `json:"address"`
 	Token              string `json:"token"`
 	MaxTokenNameLength int    `json:"max_token_name_length"`
+	CACert             string `json:"ca_cert"`
+	ClientCert         string `json:"client_cert"`
+	ClientKey          string `json:"client_key"`
 }
diff --git a/builtin/logical/ssh/backend_test.go b/builtin/logical/ssh/backend_test.go
index 62460e1180e1..065fdf30ba3c 100644
--- a/builtin/logical/ssh/backend_test.go
+++ b/builtin/logical/ssh/backend_test.go
@@ -35,6 +35,7 @@ const (
 	testOTPKeyType       = "otp"
 	testDynamicKeyType   = "dynamic"
 	testCIDRList         = "127.0.0.1/32"
+	testAtRoleName       = "test@RoleName"
 	testDynamicRoleName  = "testDynamicRoleName"
 	testOTPRoleName      = "testOTPRoleName"
 	testKeyName          = "testKeyName"
@@ -256,6 +257,7 @@ func TestSSHBackend_Lookup(t *testing.T) {
 	resp2 := []string{testOTPRoleName}
 	resp3 := []string{testDynamicRoleName, testOTPRoleName}
 	resp4 := []string{testDynamicRoleName}
+	resp5 := []string{testAtRoleName}
 	logicaltest.Test(t, logicaltest.TestCase{
 		AcceptanceTest: true,
 		LogicalFactory: testingFactory,
@@ -270,6 +272,10 @@ func TestSSHBackend_Lookup(t *testing.T) {
 			testLookupRead(t, data, resp4),
 			testRoleDelete(t, testDynamicRoleName),
 			testLookupRead(t, data, resp1),
+			testRoleWrite(t, testAtRoleName, testDynamicRoleData),
+			testLookupRead(t, data, resp5),
+			testRoleDelete(t, testAtRoleName),
+			testLookupRead(t, data, resp1),
 		},
 	})
 }
@@ -289,12 +295,29 @@ func TestSSHBackend_RoleList(t *testing.T) {
 			},
 		},
 	}
+	resp3 := map[string]interface{}{
+		"keys": []string{testAtRoleName, testOTPRoleName},
+		"key_info": map[string]interface{}{
+			testOTPRoleName: map[string]interface{}{
+				"key_type": testOTPKeyType,
+			},
+			testAtRoleName: map[string]interface{}{
+				"key_type": testOTPKeyType,
+			},
+		},
+	}
 	logicaltest.Test(t, logicaltest.TestCase{
 		LogicalFactory: testingFactory,
 		Steps: []logicaltest.TestStep{
 			testRoleList(t, resp1),
 			testRoleWrite(t, testOTPRoleName, testOTPRoleData),
 			testRoleList(t, resp2),
+			testRoleWrite(t, testAtRoleName, testOTPRoleData),
+			testRoleList(t, resp3),
+			testRoleDelete(t, testAtRoleName),
+			testRoleList(t, resp2),
+			testRoleDelete(t, testOTPRoleName),
+			testRoleList(t, resp1),
 		},
 	})
 }
@@ -319,6 +342,8 @@ func TestSSHBackend_DynamicKeyCreate(t *testing.T) {
 			testNamedKeysWrite(t, testKeyName, testSharedPrivateKey),
 			testRoleWrite(t, testDynamicRoleName, testDynamicRoleData),
 			testCredsWrite(t, testDynamicRoleName, data, false),
+			testRoleWrite(t, testAtRoleName, testDynamicRoleData),
+			testCredsWrite(t, testAtRoleName, data, false),
 		},
 	})
 }
@@ -343,6 +368,10 @@ func TestSSHBackend_OTPRoleCrud(t *testing.T) {
 			testRoleRead(t, testOTPRoleName, respOTPRoleData),
 			testRoleDelete(t, testOTPRoleName),
 			testRoleRead(t, testOTPRoleName, nil),
+			testRoleWrite(t, testAtRoleName, testOTPRoleData),
+			testRoleRead(t, testAtRoleName, respOTPRoleData),
+			testRoleDelete(t, testAtRoleName),
+			testRoleRead(t, testAtRoleName, nil),
 		},
 	})
 }
@@ -374,6 +403,10 @@ func TestSSHBackend_DynamicRoleCrud(t *testing.T) {
 			testRoleRead(t, testDynamicRoleName, respDynamicRoleData),
 			testRoleDelete(t, testDynamicRoleName),
 			testRoleRead(t, testDynamicRoleName, nil),
+			testRoleWrite(t, testAtRoleName, testDynamicRoleData),
+			testRoleRead(t, testAtRoleName, respDynamicRoleData),
+			testRoleDelete(t, testAtRoleName),
+			testRoleRead(t, testAtRoleName, nil),
 		},
 	})
 }
@@ -405,6 +438,8 @@ func TestSSHBackend_OTPCreate(t *testing.T) {
 		Steps: []logicaltest.TestStep{
 			testRoleWrite(t, testOTPRoleName, testOTPRoleData),
 			testCredsWrite(t, testOTPRoleName, data, false),
+			testRoleWrite(t, testAtRoleName, testOTPRoleData),
+			testCredsWrite(t, testAtRoleName, data, false),
 		},
 	})
 }
@@ -1108,14 +1143,17 @@ func testRoleRead(t *testing.T, roleName string, expected map[string]interface{}
 			if err := mapstructure.Decode(resp.Data, &d); err != nil {
 				return fmt.Errorf("error decoding response:%s", err)
 			}
-			if roleName == testOTPRoleName {
+			switch d.KeyType {
+			case "otp":
 				if d.KeyType != expected["key_type"] || d.DefaultUser != expected["default_user"] || d.CIDRList != expected["cidr_list"] {
 					return fmt.Errorf("data mismatch. bad: %#v", resp)
 				}
-			} else {
+			case "dynamic":
 				if d.AdminUser != expected["admin_user"] || d.CIDRList != expected["cidr_list"] || d.KeyName != expected["key"] || d.KeyType != expected["key_type"] {
 					return fmt.Errorf("data mismatch. bad: %#v", resp)
 				}
+			default:
+				return fmt.Errorf("unknown key type. bad: %#v", resp)
 			}
 			return nil
 		},
diff --git a/builtin/logical/ssh/path_creds_create.go b/builtin/logical/ssh/path_creds_create.go
index b9b9a6410405..f6fa7e766043 100644
--- a/builtin/logical/ssh/path_creds_create.go
+++ b/builtin/logical/ssh/path_creds_create.go
@@ -20,7 +20,7 @@ type sshOTP struct {
 
 func pathCredsCreate(b *backend) *framework.Path {
 	return &framework.Path{
-		Pattern: "creds/" + framework.GenericNameRegex("role"),
+		Pattern: "creds/" + framework.GenericNameWithAtRegex("role"),
 		Fields: map[string]*framework.FieldSchema{
 			"role": &framework.FieldSchema{
 				Type:        framework.TypeString,
diff --git a/builtin/logical/ssh/path_roles.go b/builtin/logical/ssh/path_roles.go
index 450d76844779..6cd20cba6aa5 100644
--- a/builtin/logical/ssh/path_roles.go
+++ b/builtin/logical/ssh/path_roles.go
@@ -69,7 +69,7 @@ func pathListRoles(b *backend) *framework.Path {
 
 func pathRoles(b *backend) *framework.Path {
 	return &framework.Path{
-		Pattern: "roles/" + framework.GenericNameRegex("role"),
+		Pattern: "roles/" + framework.GenericNameWithAtRegex("role"),
 		Fields: map[string]*framework.FieldSchema{
 			"role": &framework.FieldSchema{
 				Type: framework.TypeString,
diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
index a64edfa2d9a8..95e12af1a42d 100644
--- a/builtin/logical/ssh/path_sign.go
+++ b/builtin/logical/ssh/path_sign.go
@@ -37,7 +37,7 @@ type creationBundle struct {
 
 func pathSign(b *backend) *framework.Path {
 	return &framework.Path{
-		Pattern: "sign/" + framework.GenericNameRegex("role"),
+		Pattern: "sign/" + framework.GenericNameWithAtRegex("role"),
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.UpdateOperation: b.pathSign,
diff --git a/command/seal_migration_test.go b/command/seal_migration_test.go
index ca1d5693cf1b..c4e724132ab9 100644
--- a/command/seal_migration_test.go
+++ b/command/seal_migration_test.go
@@ -7,19 +7,125 @@ import (
 	"encoding/base64"
 	"testing"
 
-	hclog "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers"
+	"github.com/hashicorp/vault/shamir"
+
+	"github.com/hashicorp/go-hclog"
 	wrapping "github.com/hashicorp/go-kms-wrapping"
 	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
-	"github.com/hashicorp/vault/api"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/physical"
 	physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
-	"github.com/hashicorp/vault/shamir"
 	"github.com/hashicorp/vault/vault"
 	"github.com/hashicorp/vault/vault/seal"
 )
 
+func TestSealMigrationAutoToShamir(t *testing.T) {
+	logger := logging.NewVaultLogger(hclog.Trace).Named(t.Name())
+	phys, err := physInmem.NewInmem(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	haPhys, err := physInmem.NewInmemHA(nil, logger)
+	if err != nil {
+		t.Fatal(err)
+	}
+	autoSeal := vault.NewAutoSeal(seal.NewTestSeal(nil))
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
+		Seal:            autoSeal,
+		Physical:        phys,
+		HAPhysical:      haPhys.(physical.HABackend),
+		DisableSealWrap: true,
+	}, &vault.TestClusterOptions{
+		Logger:      logger,
+		HandlerFunc: vaulthttp.Handler,
+		SkipInit:    true,
+		NumCores:    1,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	client := cluster.Cores[0].Client
+	initResp, err := client.Sys().Init(&api.InitRequest{
+		RecoveryShares:    5,
+		RecoveryThreshold: 3,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testhelpers.WaitForActiveNode(t, cluster)
+
+	keys := initResp.RecoveryKeysB64
+	rootToken := initResp.RootToken
+	core := cluster.Cores[0].Core
+
+	client.SetToken(rootToken)
+	if err := client.Sys().Seal(); err != nil {
+		t.Fatal(err)
+	}
+
+	shamirSeal := vault.NewDefaultSeal(&seal.Access{
+		Wrapper: aeadwrapper.NewWrapper(&wrapping.WrapperOptions{
+			Logger: logger.Named("shamir"),
+		}),
+	})
+	shamirSeal.SetCore(core)
+
+	if err := adjustCoreForSealMigration(logger, core, shamirSeal, autoSeal); err != nil {
+		t.Fatal(err)
+	}
+
+	var resp *api.SealStatusResponse
+	unsealOpts := &api.UnsealOpts{}
+	for _, key := range keys {
+		unsealOpts.Key = key
+		unsealOpts.Migrate = false
+		resp, err = client.Sys().UnsealWithOptions(unsealOpts)
+		if err == nil {
+			t.Fatal("expected error due to lack of migrate parameter")
+		}
+		unsealOpts.Migrate = true
+		resp, err = client.Sys().UnsealWithOptions(unsealOpts)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if resp == nil {
+			t.Fatal("expected response")
+		}
+		if !resp.Sealed {
+			break
+		}
+	}
+	if resp.Sealed {
+		t.Fatalf("expected unsealed state; got %#v", *resp)
+	}
+
+	// Seal and unseal again to verify that things are working fine
+	if err := client.Sys().Seal(); err != nil {
+		t.Fatal(err)
+	}
+	unsealOpts.Migrate = false
+	for _, key := range keys {
+		unsealOpts.Key = key
+		resp, err = client.Sys().UnsealWithOptions(unsealOpts)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if resp == nil {
+			t.Fatal("expected response")
+		}
+		if !resp.Sealed {
+			break
+		}
+	}
+	if resp.Sealed {
+		t.Fatalf("expected unsealed state; got %#v", *resp)
+	}
+}
+
 func TestSealMigration(t *testing.T) {
 	logger := logging.NewVaultLogger(hclog.Trace).Named(t.Name())
 	phys, err := physInmem.NewInmem(nil, logger)
@@ -30,13 +136,13 @@ func TestSealMigration(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	shamirwrapper := vault.NewDefaultSeal(&seal.Access{
+	wrapper := vault.NewDefaultSeal(&seal.Access{
 		Wrapper: aeadwrapper.NewWrapper(&wrapping.WrapperOptions{
 			Logger: logger.Named("shamir"),
 		}),
 	})
 	coreConfig := &vault.CoreConfig{
-		Seal:            shamirwrapper,
+		Seal:            wrapper,
 		Physical:        phys,
 		HAPhysical:      haPhys.(physical.HABackend),
 		DisableSealWrap: true,
@@ -149,6 +255,41 @@ func TestSealMigration(t *testing.T) {
 			t.Fatalf("expected unsealed state; got %#v", *resp)
 		}
 
+		// Make sure the seal configs were updated correctly
+		b, err := autoSeal.BarrierConfig(context.Background())
+		if err != nil {
+			t.Fatal(err)
+		}
+		if b.Type != autoSeal.BarrierType() {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.SecretShares != 1 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.SecretThreshold != 1 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.StoredShares != 1 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+
+		r, err := autoSeal.RecoveryConfig(context.Background())
+		if err != nil {
+			t.Fatal(err)
+		}
+		if r.Type != wrapping.Shamir {
+			t.Fatalf("bad seal config: %#v", r)
+		}
+		if r.SecretShares != 2 {
+			t.Fatalf("bad seal config: %#v", r)
+		}
+		if r.SecretThreshold != 2 {
+			t.Fatalf("bad seal config: %#v", r)
+		}
+		if r.StoredShares != 0 {
+			t.Fatalf("bad seal config: %#v", r)
+		}
+
 		cluster.Cleanup()
 		cluster.Cores = nil
 	}
@@ -243,6 +384,41 @@ func TestSealMigration(t *testing.T) {
 			t.Fatalf("expected unsealed state; got %#v", *resp)
 		}
 
+		// Make sure the seal configs were updated correctly
+		b, err := altSeal.BarrierConfig(context.Background())
+		if err != nil {
+			t.Fatal(err)
+		}
+		if b.Type != altSeal.BarrierType() {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.SecretShares != 1 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.SecretThreshold != 1 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.StoredShares != 1 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+
+		r, err := altSeal.RecoveryConfig(context.Background())
+		if err != nil {
+			t.Fatal(err)
+		}
+		if r.Type != wrapping.Shamir {
+			t.Fatalf("bad seal config: %#v", r)
+		}
+		if r.SecretShares != 2 {
+			t.Fatalf("bad seal config: %#v", r)
+		}
+		if r.SecretThreshold != 2 {
+			t.Fatalf("bad seal config: %#v", r)
+		}
+		if r.StoredShares != 0 {
+			t.Fatalf("bad seal config: %#v", r)
+		}
+
 		cluster.Cleanup()
 		cluster.Cores = nil
 	}
@@ -257,7 +433,13 @@ func TestSealMigration(t *testing.T) {
 
 		core := cluster.Cores[0].Core
 
-		if err := adjustCoreForSealMigration(logger, core, shamirwrapper, altSeal); err != nil {
+		wrapper := vault.NewDefaultSeal(&seal.Access{
+			Wrapper: aeadwrapper.NewWrapper(&wrapping.WrapperOptions{
+				Logger: logger.Named("shamir"),
+			}),
+		})
+
+		if err := adjustCoreForSealMigration(logger, core, wrapper, altSeal); err != nil {
 			t.Fatal(err)
 		}
 
@@ -286,6 +468,29 @@ func TestSealMigration(t *testing.T) {
 			t.Fatalf("expected unsealed state; got %#v", *resp)
 		}
 
+		// Make sure the seal configs were updated correctly
+		b, err := wrapper.BarrierConfig(context.Background())
+		if err != nil {
+			t.Fatal(err)
+		}
+		if b.Type != wrapping.Shamir {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.SecretShares != 2 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.SecretThreshold != 2 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+		if b.StoredShares != 1 {
+			t.Fatalf("bad seal config: %#v", b)
+		}
+
+		_, err = wrapper.RecoveryConfig(context.Background())
+		if err == nil {
+			t.Fatal("expected error")
+		}
+
 		cluster.Cleanup()
 		cluster.Cores = nil
 	}
@@ -293,7 +498,7 @@ func TestSealMigration(t *testing.T) {
 	{
 		logger.SetLevel(hclog.Trace)
 		logger.Info("integ: verify autoseal is off and the expected key shares work")
-		coreConfig.Seal = shamirwrapper
+		coreConfig.Seal = wrapper
 		cluster := vault.NewTestCluster(t, coreConfig, clusterConfig)
 		cluster.Start()
 		defer cluster.Cleanup()
diff --git a/command/server.go b/command/server.go
index add994b7dd4f..b586e7a86d4d 100644
--- a/command/server.go
+++ b/command/server.go
@@ -1505,6 +1505,15 @@ CLUSTER_SYNTHESIS_COMPLETE:
 		}()
 	}
 
+	// When the underlying storage is raft, kick off retry join if it was specified
+	// in the configuration
+	if config.Storage.Type == "raft" {
+		if err := core.InitiateRetryJoin(context.Background()); err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to initiate raft retry join, %q", err.Error()))
+			return 1
+		}
+	}
+
 	// Perform service discovery registrations and initialization of
 	// HTTP server after the verifyOnly check.
 
diff --git a/command/server/config.go b/command/server/config.go
index e78656aec1e6..6c6b7963691e 100644
--- a/command/server/config.go
+++ b/command/server/config.go
@@ -3,6 +3,7 @@ package server
 import (
 	"errors"
 	"fmt"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"io"
 	"io/ioutil"
 	"os"
@@ -730,11 +731,25 @@ func ParseStorage(result *Config, list *ast.ObjectList, name string) error {
 		key = item.Keys[0].Token.Value().(string)
 	}
 
-	var m map[string]string
-	if err := hcl.DecodeObject(&m, item.Val); err != nil {
+	var config map[string]interface{}
+	if err := hcl.DecodeObject(&config, item.Val); err != nil {
 		return multierror.Prefix(err, fmt.Sprintf("%s.%s:", name, key))
 	}
 
+	m := make(map[string]string)
+	for key, val := range config {
+		valStr, ok := val.(string)
+		if ok {
+			m[key] = valStr
+			continue
+		}
+		valBytes, err := jsonutil.EncodeJSON(val)
+		if err != nil {
+			return err
+		}
+		m[key] = string(valBytes)
+	}
+
 	// Pull out the redirect address since it's common to all backends
 	var redirectAddr string
 	if v, ok := m["redirect_addr"]; ok {
diff --git a/command/server/config_test.go b/command/server/config_test.go
index 808df7bffe58..e287a1a1251d 100644
--- a/command/server/config_test.go
+++ b/command/server/config_test.go
@@ -37,3 +37,7 @@ func TestParseListeners(t *testing.T) {
 func TestParseEntropy(t *testing.T) {
 	testParseEntropy(t, true)
 }
+
+func TestConfigRaftRetryJoin(t *testing.T) {
+	testConfigRaftRetryJoin(t)
+}
diff --git a/command/server/config_test_helpers.go b/command/server/config_test_helpers.go
index b639a7e01b84..54f479a158d0 100644
--- a/command/server/config_test_helpers.go
+++ b/command/server/config_test_helpers.go
@@ -12,6 +12,38 @@ import (
 	"github.com/hashicorp/hcl/hcl/ast"
 )
 
+func testConfigRaftRetryJoin(t *testing.T) {
+	config, err := LoadConfigFile("./test-fixtures/raft_retry_join.hcl")
+	if err != nil {
+		t.Fatal(err)
+	}
+	retryJoinConfig := `[{"leader_api_addr":"http://127.0.0.1:8200"},{"leader_api_addr":"http://127.0.0.2:8200"},{"leader_api_addr":"http://127.0.0.3:8200"}]` + "\n"
+	expected := &Config{
+		Listeners: []*Listener{
+			{
+				Type: "tcp",
+				Config: map[string]interface{}{
+					"address": "127.0.0.1:8200",
+				},
+			},
+		},
+
+		Storage: &Storage{
+			Type: "raft",
+			Config: map[string]string{
+				"path":       "/storage/path/raft",
+				"node_id":    "raft1",
+				"retry_join": retryJoinConfig,
+			},
+		},
+		DisableMlock:    true,
+		DisableMlockRaw: true,
+	}
+	if !reflect.DeepEqual(config, expected) {
+		t.Fatalf("\nexpected: %#v\n actual:%#v\n", config, expected)
+	}
+}
+
 func testLoadConfigFile_topLevel(t *testing.T, entropy *Entropy) {
 	config, err := LoadConfigFile("./test-fixtures/config2.hcl")
 	if err != nil {
diff --git a/command/server/seal/server_seal_awskms.go b/command/server/seal/server_seal_awskms.go
index 2d5b71ea583e..173fbaadf7e2 100644
--- a/command/server/seal/server_seal_awskms.go
+++ b/command/server/seal/server_seal_awskms.go
@@ -3,6 +3,7 @@ package seal
 import (
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-hclog"
+	wrapping "github.com/hashicorp/go-kms-wrapping"
 	"github.com/hashicorp/go-kms-wrapping/wrappers/awskms"
 	"github.com/hashicorp/vault/command/server"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -10,9 +11,14 @@ import (
 	"github.com/hashicorp/vault/vault/seal"
 )
 
-func configureAWSKMSSeal(configSeal *server.Seal, infoKeys *[]string, info *map[string]string, logger hclog.Logger, inseal vault.Seal) (vault.Seal, error) {
+var getAWSKMSFunc = func(opts *wrapping.WrapperOptions, config map[string]string) (wrapping.Wrapper, map[string]string, error) {
 	kms := awskms.NewWrapper(nil)
-	kmsInfo, err := kms.SetConfig(configSeal.Config)
+	kmsInfo, err := kms.SetConfig(config)
+	return kms, kmsInfo, err
+}
+
+func configureAWSKMSSeal(configSeal *server.Seal, infoKeys *[]string, info *map[string]string, logger hclog.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kms, kmsInfo, err := getAWSKMSFunc(nil, configSeal.Config)
 	if err != nil {
 		// If the error is any other than logical.KeyNotFoundError, return the error
 		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
diff --git a/command/server/seal/server_seal_transit.go b/command/server/seal/server_seal_transit.go
index 0a9bc1e7a689..e8838d98a3a1 100644
--- a/command/server/seal/server_seal_transit.go
+++ b/command/server/seal/server_seal_transit.go
@@ -11,11 +11,17 @@ import (
 	"github.com/hashicorp/vault/vault/seal"
 )
 
+var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, config map[string]string) (wrapping.Wrapper, map[string]string, error) {
+	transitSeal := transit.NewWrapper(opts)
+	sealInfo, err := transitSeal.SetConfig(config)
+	return transitSeal, sealInfo, err
+}
+
 func configureTransitSeal(configSeal *server.Seal, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
-	transitSeal := transit.NewWrapper(&wrapping.WrapperOptions{
-		Logger: logger.ResetNamed("seal-transit"),
-	})
-	sealInfo, err := transitSeal.SetConfig(configSeal.Config)
+	transitSeal, sealInfo, err := GetTransitKMSFunc(
+		&wrapping.WrapperOptions{
+			Logger: logger.ResetNamed("seal-transit"),
+		}, configSeal.Config)
 	if err != nil {
 		// If the error is any other than logical.KeyNotFoundError, return the error
 		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
diff --git a/command/server/seal/server_seal_transit_acc_test.go b/command/server/seal/server_seal_transit_acc_test.go
index 5b469c04109c..2c13958fa775 100644
--- a/command/server/seal/server_seal_transit_acc_test.go
+++ b/command/server/seal/server_seal_transit_acc_test.go
@@ -10,9 +10,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/go-kms-wrapping/wrappers/transit"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/command/server/seal"
 	"github.com/ory/dockertest"
 )
 
@@ -29,8 +29,8 @@ func TestTransitWrapper_Lifecycle(t *testing.T) {
 		"mount_path": mountPath,
 		"key_name":   keyName,
 	}
-	s := transit.NewWrapper(nil)
-	_, err := s.SetConfig(wrapperConfig)
+
+	s, _, err := seal.GetTransitKMSFunc(nil, wrapperConfig)
 	if err != nil {
 		t.Fatalf("error setting wrapper config: %v", err)
 	}
@@ -86,8 +86,7 @@ func TestTransitSeal_TokenRenewal(t *testing.T) {
 		"mount_path": mountPath,
 		"key_name":   keyName,
 	}
-	s := transit.NewWrapper(nil)
-	_, err = s.SetConfig(wrapperConfig)
+	s, _, err := seal.GetTransitKMSFunc(nil, wrapperConfig)
 	if err != nil {
 		t.Fatalf("error setting wrapper config: %v", err)
 	}
diff --git a/command/server/test-fixtures/raft_retry_join.hcl b/command/server/test-fixtures/raft_retry_join.hcl
new file mode 100644
index 000000000000..a4f1f3df0139
--- /dev/null
+++ b/command/server/test-fixtures/raft_retry_join.hcl
@@ -0,0 +1,19 @@
+storage "raft" {
+	path = "/storage/path/raft"
+	node_id = "raft1"
+	retry_join = [
+    {
+    "leader_api_addr" = "http://127.0.0.1:8200"
+    },
+    {
+    "leader_api_addr" = "http://127.0.0.2:8200"
+    },
+    {
+    "leader_api_addr" = "http://127.0.0.3:8200"
+    }
+  ]
+}
+listener "tcp" {
+	address = "127.0.0.1:8200"
+}
+disable_mlock = true
diff --git a/command/server_util.go b/command/server_util.go
index 0098dfbf586a..6d58028bac12 100644
--- a/command/server_util.go
+++ b/command/server_util.go
@@ -54,9 +54,6 @@ func adjustCoreForSealMigration(logger log.Logger, core *vault.Core, barrierSeal
 		}
 	}
 
-	var existSeal vault.Seal
-	var newSeal vault.Seal
-
 	if existBarrierSealConfig.Type == barrierSeal.BarrierType() {
 		// In this case our migration seal is set so we are using it
 		// (potentially) for unwrapping. Set it on core for that purpose then
@@ -69,15 +66,49 @@ func adjustCoreForSealMigration(logger log.Logger, core *vault.Core, barrierSeal
 		return errors.New(`Recovery seal configuration not found for existing seal`)
 	}
 
+	if onEnterprise && barrierSeal.BarrierType() == wrapping.Shamir {
+		return errors.New("Migrating from autoseal to Shamir seal is not currently supported on Vault Enterprise")
+	}
+
+	var migrationSeal vault.Seal
+	var newSeal vault.Seal
+
+	// Determine the migrationSeal. This is either going to be an instance of
+	// shamir or the unwrapSeal.
 	switch existBarrierSealConfig.Type {
 	case wrapping.Shamir:
 		// The value reflected in config is what we're going to
-		existSeal = vault.NewDefaultSeal(&vaultseal.Access{
+		migrationSeal = vault.NewDefaultSeal(&vaultseal.Access{
 			Wrapper: aeadwrapper.NewWrapper(&wrapping.WrapperOptions{
 				Logger: logger.Named("shamir"),
 			}),
 		})
-		newSeal = barrierSeal
+
+	default:
+		// If we're not coming from Shamir we expect the previous seal to be
+		// in the config and disabled.
+		migrationSeal = unwrapSeal
+	}
+
+	// newSeal will be the barrierSeal
+	newSeal = barrierSeal
+
+	// Set the appropriate barrier and recovery configs.
+	switch {
+	case migrationSeal.RecoveryKeySupported() && newSeal.RecoveryKeySupported():
+		// Migrating from auto->auto, copy the configs over
+		newSeal.SetCachedBarrierConfig(existBarrierSealConfig)
+		newSeal.SetCachedRecoveryConfig(existRecoverySealConfig)
+	case migrationSeal.RecoveryKeySupported():
+		// Migrating from auto->shamir, clone auto's recovery config and set
+		// stored keys to 1.
+		newSealConfig := existRecoverySealConfig.Clone()
+		newSealConfig.StoredShares = 1
+		newSeal.SetCachedBarrierConfig(newSealConfig)
+	case newSeal.RecoveryKeySupported():
+		// Migrating from shamir->auto, set a new barrier config and set
+		// recovery config to a clone of shamir's barrier config with stored
+		// keys set to 0.
 		newBarrierSealConfig := &vault.SealConfig{
 			Type:            newSeal.BarrierType(),
 			SecretShares:    1,
@@ -85,21 +116,13 @@ func adjustCoreForSealMigration(logger log.Logger, core *vault.Core, barrierSeal
 			StoredShares:    1,
 		}
 		newSeal.SetCachedBarrierConfig(newBarrierSealConfig)
-		newSeal.SetCachedRecoveryConfig(existBarrierSealConfig)
-
-	default:
-		if onEnterprise && barrierSeal.BarrierType() == wrapping.Shamir {
-			return errors.New("Migrating from autoseal to Shamir seal is not currently supported on Vault Enterprise")
-		}
 
-		// If we're not coming from Shamir we expect the previous seal to be
-		// in the config and disabled.
-		existSeal = unwrapSeal
-		newSeal = barrierSeal
-		newSeal.SetCachedBarrierConfig(existRecoverySealConfig)
+		newRecoveryConfig := existBarrierSealConfig.Clone()
+		newRecoveryConfig.StoredShares = 0
+		newSeal.SetCachedRecoveryConfig(newRecoveryConfig)
 	}
 
-	core.SetSealsForMigration(existSeal, newSeal, unwrapSeal)
+	core.SetSealsForMigration(migrationSeal, newSeal, unwrapSeal)
 
 	return nil
 }
diff --git a/go.mod b/go.mod
index fa0acc2259e4..92a7b4628b25 100644
--- a/go.mod
+++ b/go.mod
@@ -59,14 +59,14 @@ require (
 	github.com/hashicorp/go-msgpack v0.5.5
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a
-	github.com/hashicorp/go-rootcerts v1.0.1
+	github.com/hashicorp/go-rootcerts v1.0.2
 	github.com/hashicorp/go-sockaddr v1.0.2
 	github.com/hashicorp/go-syslog v1.0.0
 	github.com/hashicorp/go-uuid v1.0.2
 	github.com/hashicorp/gokrb5 v7.3.1-0.20191209171754-1a6fa9886ec3+incompatible
 	github.com/hashicorp/golang-lru v0.5.3
 	github.com/hashicorp/hcl v1.0.0
-	github.com/hashicorp/nomad/api v0.0.0-20190412184103-1c38ced33adf
+	github.com/hashicorp/nomad/api v0.0.0-20191220223628-edc62acd919d
 	github.com/hashicorp/raft v1.1.2-0.20191002163536-9c6bd3e3eb17
 	github.com/hashicorp/raft-snapshot v1.0.2-0.20190827162939-8117efcc5aab
 	github.com/hashicorp/vault-plugin-auth-alicloud v0.5.2-0.20190814210027-93970f08f2ec
diff --git a/go.sum b/go.sum
index 2275b2b2b398..c680772f4c0b 100644
--- a/go.sum
+++ b/go.sum
@@ -265,6 +265,8 @@ github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c h1:Lh2aW+HnU2Nbe1gqD9SOJLJxW1jBMmQOktN2acDyJk8=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
+github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gotestyourself/gotestyourself v2.2.0+incompatible h1:AQwinXlbQR2HvPjQZOmDhRqsv5mZf+Jb1RnSLxcqZcI=
 github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
@@ -326,6 +328,8 @@ github.com/hashicorp/go-retryablehttp v0.6.2/go.mod h1:gEx6HMUGxYYhJScX7W1Il64m6
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-rootcerts v1.0.1 h1:DMo4fmknnz0E0evoNYnV48RjWndOsmd6OW+09R3cEP8=
 github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
@@ -355,8 +359,8 @@ github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0m
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/memberlist v0.1.4 h1:gkyML/r71w3FL8gUi74Vk76avkj/9lYAY9lvg0OcoGs=
 github.com/hashicorp/memberlist v0.1.4/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
-github.com/hashicorp/nomad/api v0.0.0-20190412184103-1c38ced33adf h1:U/40PQvWkaXCDdK9QHKf1pVDVcA+NIDVbzzonFGkgIA=
-github.com/hashicorp/nomad/api v0.0.0-20190412184103-1c38ced33adf/go.mod h1:BDngVi1f4UA6aJq9WYTgxhfWSE1+42xshvstLU2fRGk=
+github.com/hashicorp/nomad/api v0.0.0-20191220223628-edc62acd919d h1:BXqsASWhyiAiEVm6FcltF0dg8XvoookQwmpHn8lstu8=
+github.com/hashicorp/nomad/api v0.0.0-20191220223628-edc62acd919d/go.mod h1:WKCL+tLVhN1D+APwH3JiTRZoxcdwRk86bWu1LVCUPaE=
 github.com/hashicorp/raft v1.0.1/go.mod h1:DVSAWItjLjTOkVbSpWQ0j0kUADIvDaCtBxIcbNAQLkI=
 github.com/hashicorp/raft v1.1.2-0.20191002163536-9c6bd3e3eb17 h1:p+2EISNdFCnD9R+B4xCiqSn429MCFtvM41aHJDJ6qW4=
 github.com/hashicorp/raft v1.1.2-0.20191002163536-9c6bd3e3eb17/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8=
diff --git a/helper/testhelpers/mysql/mysqlhelper.go b/helper/testhelpers/mysql/mysqlhelper.go
new file mode 100644
index 000000000000..d5a26ffbc946
--- /dev/null
+++ b/helper/testhelpers/mysql/mysqlhelper.go
@@ -0,0 +1,67 @@
+package mysqlhelper
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/helper/testhelpers/docker"
+	"github.com/ory/dockertest"
+)
+
+func PrepareMySQLTestContainer(t *testing.T, legacy bool, pw string) (cleanup func(), retURL string) {
+	if os.Getenv("MYSQL_URL") != "" {
+		return func() {}, os.Getenv("MYSQL_URL")
+	}
+
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		t.Fatalf("Failed to connect to docker: %s", err)
+	}
+
+	imageVersion := "5.7"
+	if legacy {
+		imageVersion = "5.6"
+	}
+
+	resource, err := pool.Run("mysql", imageVersion, []string{"MYSQL_ROOT_PASSWORD=" + pw})
+	if err != nil {
+		t.Fatalf("Could not start local MySQL docker container: %s", err)
+	}
+
+	cleanup = func() {
+		docker.CleanupResource(t, pool, resource)
+	}
+
+	retURL = fmt.Sprintf("root:%s@(localhost:%s)/mysql?parseTime=true", pw, resource.GetPort("3306/tcp"))
+
+	// exponential backoff-retry
+	if err = pool.Retry(func() error {
+		var err error
+		var db *sql.DB
+		db, err = sql.Open("mysql", retURL)
+		if err != nil {
+			return err
+		}
+		defer db.Close()
+		return db.Ping()
+	}); err != nil {
+		cleanup()
+		t.Fatalf("Could not connect to MySQL docker container: %s", err)
+	}
+
+	return
+}
+
+func TestCredsExist(t testing.TB, connURL, username, password string) error {
+	// Log in with the new creds
+	connURL = strings.Replace(connURL, "root:secret", fmt.Sprintf("%s:%s", username, password), 1)
+	db, err := sql.Open("mysql", connURL)
+	if err != nil {
+		return err
+	}
+	defer db.Close()
+	return db.Ping()
+}
diff --git a/helper/testhelpers/testhelpers.go b/helper/testhelpers/testhelpers.go
index d6cf76c60932..1a657d58ec2c 100644
--- a/helper/testhelpers/testhelpers.go
+++ b/helper/testhelpers/testhelpers.go
@@ -378,11 +378,19 @@ func RaftClusterJoinNodes(t testing.T, cluster *vault.TestCluster) {
 		vault.TestWaitActive(t, leaderCore.Core)
 	}
 
+	leaderInfo := &raft.LeaderJoinInfo{
+		LeaderAPIAddr: leaderAPI,
+		TLSConfig:     leaderCore.TLSConfig,
+	}
+
 	// Join core1
 	{
 		core := cluster.Cores[1]
 		core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderAPI, leaderCore.TLSConfig, false, false)
+		leaderInfos := []*raft.LeaderJoinInfo{
+			leaderInfo,
+		}
+		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -394,7 +402,10 @@ func RaftClusterJoinNodes(t testing.T, cluster *vault.TestCluster) {
 	{
 		core := cluster.Cores[2]
 		core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
-		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderAPI, leaderCore.TLSConfig, false, false)
+		leaderInfos := []*raft.LeaderJoinInfo{
+			leaderInfo,
+		}
+		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
 		if err != nil {
 			t.Fatal(err)
 		}
diff --git a/http/sys_raft.go b/http/sys_raft.go
index 75d6ccf96b20..09828a3d6bf4 100644
--- a/http/sys_raft.go
+++ b/http/sys_raft.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"errors"
+	"github.com/hashicorp/vault/physical/raft"
 	"io"
 	"net/http"
 
@@ -44,7 +45,14 @@ func handleSysRaftJoinPost(core *vault.Core, w http.ResponseWriter, r *http.Requ
 		}
 	}
 
-	joined, err := core.JoinRaftCluster(context.Background(), req.LeaderAPIAddr, tlsConfig, req.Retry, req.NonVoter)
+	leaderInfos := []*raft.LeaderJoinInfo{
+		{
+			LeaderAPIAddr: req.LeaderAPIAddr,
+			TLSConfig:     tlsConfig,
+			Retry:         req.Retry,
+		},
+	}
+	joined, err := core.JoinRaftCluster(context.Background(), leaderInfos, req.NonVoter)
 	if err != nil {
 		respondError(w, http.StatusInternalServerError, err)
 		return
diff --git a/physical/raft/raft.go b/physical/raft/raft.go
index 2bee74e96dea..88c1c7b11f35 100644
--- a/physical/raft/raft.go
+++ b/physical/raft/raft.go
@@ -2,8 +2,11 @@ package raft
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/helper/tlsutil"
 	"io"
 	"io/ioutil"
 	"os"
@@ -107,6 +110,64 @@ type RaftBackend struct {
 	permitPool *physical.PermitPool
 }
 
+// LeaderJoinInfo contains information required by a node to join itself as a
+// follower to an existing raft cluster
+type LeaderJoinInfo struct {
+	// LeaderAPIAddr is the address of the leader node to connect to
+	LeaderAPIAddr string `json:"leader_api_addr"`
+
+	// LeaderCACert is the CA cert of the leader node
+	LeaderCACert string `json:"leader_ca_cert"`
+
+	// LeaderClientCert is the client certificate for the follower node to establish
+	// client authentication during TLS
+	LeaderClientCert string `json:"leader_client_cert"`
+
+	// LeaderClientKey is the client key for the follower node to establish client
+	// authentication during TLS
+	LeaderClientKey string `json:"leader_client_key"`
+
+	// Retry indicates if the join process should automatically be retried
+	Retry bool `json:"-"`
+
+	// TLSConfig for the API client to use when communicating with the leader node
+	TLSConfig *tls.Config `json:"-"`
+}
+
+// JoinConfig returns a list of information about possible leader nodes that
+// this node can join as a follower
+func (b *RaftBackend) JoinConfig() ([]*LeaderJoinInfo, error) {
+	config := b.conf["retry_join"]
+	if config == "" {
+		return nil, nil
+	}
+
+	var leaderInfos []*LeaderJoinInfo
+	err := jsonutil.DecodeJSON([]byte(config), &leaderInfos)
+	if err != nil {
+		return nil, errwrap.Wrapf("failed to decode retry_join config: {{err}}", err)
+	}
+
+	if len(leaderInfos) == 0 {
+		return nil, errors.New("invalid retry_join config")
+	}
+
+	for _, info := range leaderInfos {
+		info.Retry = true
+		var tlsConfig *tls.Config
+		var err error
+		if len(info.LeaderCACert) != 0 || len(info.LeaderClientCert) != 0 || len(info.LeaderClientKey) != 0 {
+			tlsConfig, err = tlsutil.ClientTLSConfig([]byte(info.LeaderCACert), []byte(info.LeaderClientCert), []byte(info.LeaderClientKey))
+			if err != nil {
+				return nil, errwrap.Wrapf(fmt.Sprintf("failed to create tls config to communicate with leader node %q: {{err}}", info.LeaderAPIAddr), err)
+			}
+		}
+		info.TLSConfig = tlsConfig
+	}
+
+	return leaderInfos, nil
+}
+
 // EnsurePath is used to make sure a path exists
 func EnsurePath(path string, dir bool) error {
 	if !dir {
@@ -442,14 +503,8 @@ func (b *RaftBackend) SetupCluster(ctx context.Context, opts SetupOpts) error {
 	case opts.ClusterListener == nil:
 		return errors.New("no cluster listener provided")
 	default:
-		// Load the base TLS config from the cluster listener.
-		baseTLSConfig, err := opts.ClusterListener.TLSConfig(ctx)
-		if err != nil {
-			return err
-		}
-
 		// Set the local address and localID in the streaming layer and the raft config.
-		streamLayer, err := NewRaftLayer(b.logger.Named("stream"), opts.TLSKeyring, opts.ClusterListener.Addr(), baseTLSConfig)
+		streamLayer, err := NewRaftLayer(b.logger.Named("stream"), opts.TLSKeyring, opts.ClusterListener)
 		if err != nil {
 			return err
 		}
diff --git a/physical/raft/streamlayer.go b/physical/raft/streamlayer.go
index e1fcedbda4b4..fcf0a0be57f8 100644
--- a/physical/raft/streamlayer.go
+++ b/physical/raft/streamlayer.go
@@ -110,7 +110,7 @@ func GenerateTLSKey(reader io.Reader) (*TLSKey, error) {
 		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign,
 		SerialNumber: big.NewInt(mathrand.Int63()),
 		NotBefore:    time.Now().Add(-30 * time.Second),
-		// 30 years of single-active uptime ought to be enough for anybody
+		// 30 years ought to be enough for anybody
 		NotAfter:              time.Now().Add(262980 * time.Hour),
 		BasicConstraintsValid: true,
 		IsCA:                  true,
@@ -162,13 +162,14 @@ type raftLayer struct {
 	dialerFunc func(string, time.Duration) (net.Conn, error)
 
 	// TLS config
-	keyring       *TLSKeyring
-	baseTLSConfig *tls.Config
+	keyring         *TLSKeyring
+	clusterListener cluster.ClusterHook
 }
 
 // NewRaftLayer creates a new raftLayer object. It parses the TLS information
 // from the network config.
-func NewRaftLayer(logger log.Logger, raftTLSKeyring *TLSKeyring, clusterAddr net.Addr, baseTLSConfig *tls.Config) (*raftLayer, error) {
+func NewRaftLayer(logger log.Logger, raftTLSKeyring *TLSKeyring, clusterListener cluster.ClusterHook) (*raftLayer, error) {
+	clusterAddr := clusterListener.Addr()
 	switch {
 	case clusterAddr == nil:
 		// Clustering disabled on the server, don't try to look for params
@@ -176,11 +177,11 @@ func NewRaftLayer(logger log.Logger, raftTLSKeyring *TLSKeyring, clusterAddr net
 	}
 
 	layer := &raftLayer{
-		addr:          clusterAddr,
-		connCh:        make(chan net.Conn),
-		closeCh:       make(chan struct{}),
-		logger:        logger,
-		baseTLSConfig: baseTLSConfig,
+		addr:            clusterAddr,
+		connCh:          make(chan net.Conn),
+		closeCh:         make(chan struct{}),
+		logger:          logger,
+		clusterListener: clusterListener,
 	}
 
 	if err := layer.setTLSKeyring(raftTLSKeyring); err != nil {
@@ -236,6 +237,24 @@ func (l *raftLayer) setTLSKeyring(keyring *TLSKeyring) error {
 	return nil
 }
 
+func (l *raftLayer) ServerName() string {
+	key := l.keyring.GetActive()
+	if key == nil {
+		return ""
+	}
+
+	return key.parsedCert.Subject.CommonName
+}
+
+func (l *raftLayer) CACert(ctx context.Context) *x509.Certificate {
+	key := l.keyring.GetActive()
+	if key == nil {
+		return nil
+	}
+
+	return key.parsedCert
+}
+
 func (l *raftLayer) ClientLookup(ctx context.Context, requestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
 	for _, subj := range requestInfo.AcceptableCAs {
 		for _, key := range l.keyring.Keys {
@@ -346,26 +365,6 @@ func (l *raftLayer) Addr() net.Addr {
 
 // Dial is used to create a new outgoing connection
 func (l *raftLayer) Dial(address raft.ServerAddress, timeout time.Duration) (net.Conn, error) {
-
-	tlsConfig := l.baseTLSConfig.Clone()
-
-	key := l.keyring.GetActive()
-	if key == nil {
-		return nil, errors.New("no active key")
-	}
-
-	tlsConfig.NextProtos = []string{consts.RaftStorageALPN}
-	tlsConfig.ServerName = key.parsedCert.Subject.CommonName
-
-	l.logger.Debug("creating rpc dialer", "host", tlsConfig.ServerName)
-
-	pool := x509.NewCertPool()
-	pool.AddCert(key.parsedCert)
-	tlsConfig.RootCAs = pool
-	tlsConfig.ClientCAs = pool
-
-	dialer := &net.Dialer{
-		Timeout: timeout,
-	}
-	return tls.DialWithDialer(dialer, "tcp", string(address), tlsConfig)
+	dialFunc := l.clusterListener.GetDialerFunc(context.Background(), consts.RaftStorageALPN)
+	return dialFunc(string(address), timeout)
 }
diff --git a/plugins/database/mysql/mysql_test.go b/plugins/database/mysql/mysql_test.go
index 8f7ea22ade66..3c39b44acc36 100644
--- a/plugins/database/mysql/mysql_test.go
+++ b/plugins/database/mysql/mysql_test.go
@@ -3,69 +3,22 @@ package mysql
 import (
 	"context"
 	"database/sql"
-	"fmt"
-	"os"
 	"strings"
 	"testing"
 	"time"
 
 	stdmysql "github.com/go-sql-driver/mysql"
-	"github.com/hashicorp/vault/helper/testhelpers/docker"
+	mysqlhelper "github.com/hashicorp/vault/helper/testhelpers/mysql"
 	"github.com/hashicorp/vault/sdk/database/dbplugin"
 	"github.com/hashicorp/vault/sdk/database/helper/credsutil"
 	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
-	"github.com/ory/dockertest"
 )
 
 var _ dbplugin.Database = (*MySQL)(nil)
 
-func prepareMySQLTestContainer(t *testing.T, legacy bool, pw string) (cleanup func(), retURL string) {
-	if os.Getenv("MYSQL_URL") != "" {
-		return func() {}, os.Getenv("MYSQL_URL")
-	}
-
-	pool, err := dockertest.NewPool("")
-	if err != nil {
-		t.Fatalf("Failed to connect to docker: %s", err)
-	}
-
-	imageVersion := "5.7"
-	if legacy {
-		imageVersion = "5.6"
-	}
-
-	resource, err := pool.Run("mysql", imageVersion, []string{"MYSQL_ROOT_PASSWORD=" + pw})
-	if err != nil {
-		t.Fatalf("Could not start local MySQL docker container: %s", err)
-	}
-
-	cleanup = func() {
-		docker.CleanupResource(t, pool, resource)
-	}
-
-	retURL = fmt.Sprintf("root:%s@(localhost:%s)/mysql?parseTime=true", pw, resource.GetPort("3306/tcp"))
-
-	// exponential backoff-retry
-	if err = pool.Retry(func() error {
-		var err error
-		var db *sql.DB
-		db, err = sql.Open("mysql", retURL)
-		if err != nil {
-			return err
-		}
-		defer db.Close()
-		return db.Ping()
-	}); err != nil {
-		cleanup()
-		t.Fatalf("Could not connect to MySQL docker container: %s", err)
-	}
-
-	return
-}
-
 func TestMySQL_Initialize(t *testing.T) {
-	cleanup, connURL := prepareMySQLTestContainer(t, false, "secret")
+	cleanup, connURL := mysqlhelper.PrepareMySQLTestContainer(t, false, "secret")
 	defer cleanup()
 
 	connectionDetails := map[string]interface{}{
@@ -100,7 +53,7 @@ func TestMySQL_Initialize(t *testing.T) {
 }
 
 func TestMySQL_CreateUser(t *testing.T) {
-	cleanup, connURL := prepareMySQLTestContainer(t, false, "secret")
+	cleanup, connURL := mysqlhelper.PrepareMySQLTestContainer(t, false, "secret")
 	defer cleanup()
 
 	connectionDetails := map[string]interface{}{
@@ -133,7 +86,7 @@ func TestMySQL_CreateUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
@@ -143,7 +96,7 @@ func TestMySQL_CreateUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
@@ -155,14 +108,14 @@ func TestMySQL_CreateUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
 }
 
 func TestMySQL_CreateUser_Legacy(t *testing.T) {
-	cleanup, connURL := prepareMySQLTestContainer(t, true, "secret")
+	cleanup, connURL := mysqlhelper.PrepareMySQLTestContainer(t, true, "secret")
 	defer cleanup()
 
 	connectionDetails := map[string]interface{}{
@@ -195,7 +148,7 @@ func TestMySQL_CreateUser_Legacy(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
@@ -205,13 +158,13 @@ func TestMySQL_CreateUser_Legacy(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 }
 
 func TestMySQL_RotateRootCredentials(t *testing.T) {
-	cleanup, connURL := prepareMySQLTestContainer(t, false, "secret")
+	cleanup, connURL := mysqlhelper.PrepareMySQLTestContainer(t, false, "secret")
 	defer cleanup()
 
 	connURL = strings.Replace(connURL, "root:secret", `{{username}}:{{password}}`, -1)
@@ -247,7 +200,7 @@ func TestMySQL_RotateRootCredentials(t *testing.T) {
 }
 
 func TestMySQL_RevokeUser(t *testing.T) {
-	cleanup, connURL := prepareMySQLTestContainer(t, false, "secret")
+	cleanup, connURL := mysqlhelper.PrepareMySQLTestContainer(t, false, "secret")
 	defer cleanup()
 
 	connectionDetails := map[string]interface{}{
@@ -274,7 +227,7 @@ func TestMySQL_RevokeUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
@@ -284,7 +237,7 @@ func TestMySQL_RevokeUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err == nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err == nil {
 		t.Fatal("Credentials were not revoked")
 	}
 
@@ -294,7 +247,7 @@ func TestMySQL_RevokeUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
@@ -305,19 +258,19 @@ func TestMySQL_RevokeUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, username, password); err == nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, username, password); err == nil {
 		t.Fatal("Credentials were not revoked")
 	}
 }
 
 func TestMySQL_SetCredentials(t *testing.T) {
-	cleanup, connURL := prepareMySQLTestContainer(t, false, "secret")
+	cleanup, connURL := mysqlhelper.PrepareMySQLTestContainer(t, false, "secret")
 	defer cleanup()
 
 	// create the database user and verify we can access
 	dbUser := "vaultstatictest"
 	createTestMySQLUser(t, connURL, dbUser, "password", testRoleStaticCreate)
-	if err := testCredsExist(t, connURL, dbUser, "password"); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, "password"); err != nil {
 		t.Fatalf("Could not connect with credentials: %s", err)
 	}
 
@@ -351,7 +304,7 @@ func TestMySQL_SetCredentials(t *testing.T) {
 	}
 
 	// verify new password works
-	if err := testCredsExist(t, connURL, dbUser, newPassword); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, newPassword); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
@@ -363,14 +316,14 @@ func TestMySQL_SetCredentials(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	if err := testCredsExist(t, connURL, dbUser, newPassword); err != nil {
+	if err := mysqlhelper.TestCredsExist(t, connURL, dbUser, newPassword); err != nil {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 }
 
 func TestMySQL_Initialize_ReservedChars(t *testing.T) {
 	pw := "#secret!%25#{@}"
-	cleanup, connURL := prepareMySQLTestContainer(t, false, pw)
+	cleanup, connURL := mysqlhelper.PrepareMySQLTestContainer(t, false, pw)
 	defer cleanup()
 
 	// Revert password set to test replacement by db.Init
@@ -397,17 +350,6 @@ func TestMySQL_Initialize_ReservedChars(t *testing.T) {
 	}
 }
 
-func testCredsExist(t testing.TB, connURL, username, password string) error {
-	// Log in with the new creds
-	connURL = strings.Replace(connURL, "root:secret", fmt.Sprintf("%s:%s", username, password), 1)
-	db, err := sql.Open("mysql", connURL)
-	if err != nil {
-		return err
-	}
-	defer db.Close()
-	return db.Ping()
-}
-
 func createTestMySQLUser(t *testing.T, connURL, username, password, query string) {
 	t.Helper()
 	db, err := sql.Open("mysql", connURL)
diff --git a/sdk/helper/awsutil/region.go b/sdk/helper/awsutil/region.go
index 7ab0c21e1cd8..727c3b91044d 100644
--- a/sdk/helper/awsutil/region.go
+++ b/sdk/helper/awsutil/region.go
@@ -14,7 +14,8 @@ import (
 // is a widely used region, and is the most common one for some services like STS.
 const DefaultRegion = "us-east-1"
 
-var ec2MetadataBaseURL = "http://169.254.169.254"
+// This is nil by default, but is exposed in case it needs to be changed for tests.
+var ec2Endpoint *string
 
 /*
 It's impossible to mimic "normal" AWS behavior here because it's not consistent
@@ -54,7 +55,7 @@ func GetRegion(configuredRegion string) (string, error) {
 	}
 
 	metadata := ec2metadata.New(sess, &aws.Config{
-		Endpoint:                          aws.String(ec2MetadataBaseURL + "/latest"),
+		Endpoint:                          ec2Endpoint,
 		EC2MetadataDisableTimeoutOverride: aws.Bool(true),
 		HTTPClient: &http.Client{
 			Timeout: time.Second,
@@ -68,6 +69,5 @@ func GetRegion(configuredRegion string) (string, error) {
 	if err != nil {
 		return "", errwrap.Wrapf("unable to retrieve region from instance metadata: {{err}}", err)
 	}
-
 	return region, nil
 }
diff --git a/ui/app/components/auth-jwt.js b/ui/app/components/auth-jwt.js
index acaeb98ae011..f349c5cf4060 100644
--- a/ui/app/components/auth-jwt.js
+++ b/ui/app/components/auth-jwt.js
@@ -109,13 +109,14 @@ export default Component.extend({
   },
 
   exchangeOIDC: task(function*(event, oidcWindow) {
-    if (event.key !== 'oidcState') {
+    let oidcState = event.storageArea.getItem('oidcState');
+    if (oidcState === null || oidcState === undefined) {
       return;
     }
     this.onLoading(true);
     // get the info from the event fired by the other window and
     // then remove it from localStorage
-    let { namespace, path, state, code } = JSON.parse(event.newValue);
+    let { namespace, path, state, code } = JSON.parse(oidcState);
     this.getWindow().localStorage.removeItem('oidcState');
 
     // defer closing of the window, but continue executing the task
diff --git a/ui/app/templates/partials/secret-form-create.hbs b/ui/app/templates/partials/secret-form-create.hbs
index 4f427b823b1b..3470343406df 100644
--- a/ui/app/templates/partials/secret-form-create.hbs
+++ b/ui/app/templates/partials/secret-form-create.hbs
@@ -1,7 +1,7 @@
 <form class="{{if showAdvancedMode 'advanced-edit' 'simple-edit'}}" onsubmit={{action "createOrUpdateKey" "create"}}>
   <div class="field box is-fullwidth is-sideless is-marginless">
     <NamespaceReminder @mode="create" @noun="secret" />
-    <MessageError @model={{model}} @errorMessage={{error}} />
+    <MessageError @model={{modelForData}} @errorMessage={{error}} />
     <label class="is-label" for="kv-key">Path for this secret</label>
     <p class="control is-expanded">
       {{input 
diff --git a/ui/app/templates/partials/secret-form-edit.hbs b/ui/app/templates/partials/secret-form-edit.hbs
index c2958e0402de..af6f9b55780b 100644
--- a/ui/app/templates/partials/secret-form-edit.hbs
+++ b/ui/app/templates/partials/secret-form-edit.hbs
@@ -1,6 +1,6 @@
 <form onsubmit={{action "createOrUpdateKey" "update"}}>
   <div class="box is-sideless is-fullwidth is-marginless is-paddingless">
-    <MessageError @model={{model}} @errorMessage={{error}} />
+    <MessageError @model={{modelForData}} @errorMessage={{error}} />
     <NamespaceReminder @mode="edit" @noun="secret" />
     {{#if (and (not model.failedServerRead) (not model.selectedVersion.failedServerRead) (not-eq model.selectedVersion.version model.currentVersion))}}
       <div class="form-section">
diff --git a/ui/tests/integration/components/auth-jwt-test.js b/ui/tests/integration/components/auth-jwt-test.js
index 9c2bd9f015f9..f4d1a56c0592 100644
--- a/ui/tests/integration/components/auth-jwt-test.js
+++ b/ui/tests/integration/components/auth-jwt-test.js
@@ -31,6 +31,7 @@ const fakeWindow = EmberObject.extend(Evented, {
   }),
   localStorage: computed(function() {
     return {
+      getItem: sinon.stub(),
       removeItem: sinon.stub(),
     };
   }),
@@ -202,7 +203,7 @@ module('Integration | Component | auth jwt', function(hooks) {
     assert.equal(this.error, ERROR_WINDOW_CLOSED, 'calls onError with error string');
   });
 
-  test('oidc: storage event fires with wrong key', async function(assert) {
+  test('oidc: storage event fires without state key', async function(assert) {
     await renderIt(this);
     this.set('selectedAuthPath', 'foo');
     await component.role('test');
@@ -210,12 +211,14 @@ module('Integration | Component | auth jwt', function(hooks) {
     await waitUntil(() => {
       return this.openSpy.calledOnce;
     });
-    this.window.trigger('storage', { key: 'wrongThing' });
+    this.window.localStorage.getItem.returns(null);
+    this.window.trigger('storage', { storageArea: this.window.localStorage });
     run.cancelTimers();
-    assert.equal(this.window.localStorage.removeItem.callCount, 0, 'never calls removeItem');
+    assert.ok(this.window.localStorage.getItem.calledOnce, 'calls getItem');
+    assert.notOk(this.window.localStorage.removeItem.called, 'never calls removeItem');
   });
 
-  test('oidc: storage event fires with correct key, wrong params', async function(assert) {
+  test('oidc: storage event fires with state key, wrong params', async function(assert) {
     await renderIt(this);
     this.set('selectedAuthPath', 'foo');
     await component.role('test');
@@ -223,13 +226,15 @@ module('Integration | Component | auth jwt', function(hooks) {
     await waitUntil(() => {
       return this.openSpy.calledOnce;
     });
-    this.window.trigger('storage', { key: 'oidcState', newValue: JSON.stringify({}) });
+    this.window.localStorage.getItem.returns(JSON.stringify({}));
+    this.window.trigger('storage', { storageArea: this.window.localStorage });
     run.cancelTimers();
-    assert.equal(this.window.localStorage.removeItem.callCount, 1, 'calls removeItem');
+    assert.ok(this.window.localStorage.getItem.calledOnce, 'calls getItem');
+    assert.ok(this.window.localStorage.removeItem.calledOnce, 'calls removeItem');
     assert.equal(this.error, ERROR_MISSING_PARAMS, 'calls onError with params missing error');
   });
 
-  test('oidc: storage event fires with correct key, correct params', async function(assert) {
+  test('oidc: storage event fires with state key, correct params', async function(assert) {
     await renderIt(this);
     this.set('selectedAuthPath', 'foo');
     await component.role('test');
@@ -237,14 +242,14 @@ module('Integration | Component | auth jwt', function(hooks) {
     await waitUntil(() => {
       return this.openSpy.calledOnce;
     });
-    this.window.trigger('storage', {
-      key: 'oidcState',
-      newValue: JSON.stringify({
+    this.window.localStorage.getItem.returns(
+      JSON.stringify({
         path: 'foo',
         state: 'state',
         code: 'code',
-      }),
-    });
+      })
+    );
+    this.window.trigger('storage', { storageArea: this.window.localStorage });
     await settled();
     assert.equal(this.selectedAuth, 'token', 'calls onSelectedAuth with token');
     assert.equal(this.token, 'token', 'calls onToken with token');
diff --git a/vault/cluster.go b/vault/cluster.go
index 9ba85f6a091a..e9bc2bb10eda 100644
--- a/vault/cluster.go
+++ b/vault/cluster.go
@@ -5,7 +5,6 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
@@ -302,7 +301,13 @@ func (c *Core) startClusterListener(ctx context.Context) error {
 
 	c.logger.Debug("starting cluster listeners")
 
-	c.clusterListener.Store(cluster.NewListener(c.clusterListenerAddrs, c.clusterCipherSuites, c.logger.Named("cluster-listener")))
+	networkLayer := c.clusterNetworkLayer
+
+	if networkLayer == nil {
+		networkLayer = cluster.NewTCPLayer(c.clusterListenerAddrs, c.logger.Named("cluster-listener.tcp"))
+	}
+
+	c.clusterListener.Store(cluster.NewListener(networkLayer, c.clusterCipherSuites, c.logger.Named("cluster-listener")))
 
 	err := c.getClusterListener().Run(ctx)
 	if err != nil {
@@ -310,7 +315,7 @@ func (c *Core) startClusterListener(ctx context.Context) error {
 	}
 	if strings.HasSuffix(c.ClusterAddr(), ":0") {
 		// If we listened on port 0, record the port the OS gave us.
-		c.clusterAddr.Store(fmt.Sprintf("https://%s", c.getClusterListener().Addrs()[0]))
+		c.clusterAddr.Store(fmt.Sprintf("https://%s", c.getClusterListener().Addr()))
 	}
 	return nil
 }
@@ -355,37 +360,3 @@ func (c *Core) SetClusterListenerAddrs(addrs []*net.TCPAddr) {
 func (c *Core) SetClusterHandler(handler http.Handler) {
 	c.clusterHandler = handler
 }
-
-// getGRPCDialer is used to return a dialer that has the correct TLS
-// configuration. Otherwise gRPC tries to be helpful and stomps all over our
-// NextProtos.
-func (c *Core) getGRPCDialer(ctx context.Context, alpnProto, serverName string, caCert *x509.Certificate) func(string, time.Duration) (net.Conn, error) {
-	return func(addr string, timeout time.Duration) (net.Conn, error) {
-		clusterListener := c.getClusterListener()
-		if clusterListener == nil {
-			return nil, errors.New("clustering disabled")
-		}
-
-		tlsConfig, err := clusterListener.TLSConfig(ctx)
-		if err != nil {
-			c.logger.Error("failed to get tls configuration", "error", err)
-			return nil, err
-		}
-		if serverName != "" {
-			tlsConfig.ServerName = serverName
-		}
-		if caCert != nil {
-			pool := x509.NewCertPool()
-			pool.AddCert(caCert)
-			tlsConfig.RootCAs = pool
-			tlsConfig.ClientCAs = pool
-		}
-		c.logger.Debug("creating rpc dialer", "host", tlsConfig.ServerName)
-
-		tlsConfig.NextProtos = []string{alpnProto}
-		dialer := &net.Dialer{
-			Timeout: timeout,
-		}
-		return tls.DialWithDialer(dialer, "tcp", addr, tlsConfig)
-	}
-}
diff --git a/vault/cluster/cluster.go b/vault/cluster/cluster.go
index 2e6de3dfbb05..8b7ed14efc64 100644
--- a/vault/cluster/cluster.go
+++ b/vault/cluster/cluster.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
+	"fmt"
 	"net"
 	"sync"
 	"sync/atomic"
@@ -27,6 +28,8 @@ const (
 // Client is used to lookup a client certificate.
 type Client interface {
 	ClientLookup(context.Context, *tls.CertificateRequestInfo) (*tls.Certificate, error)
+	ServerName() string
+	CACert(ctx context.Context) *x509.Certificate
 }
 
 // Handler exposes functions for looking up TLS configuration and handing
@@ -48,6 +51,7 @@ type ClusterHook interface {
 	StopHandler(alpn string)
 	TLSConfig(ctx context.Context) (*tls.Config, error)
 	Addr() net.Addr
+	GetDialerFunc(ctx context.Context, alpnProto string) func(string, time.Duration) (net.Conn, error)
 }
 
 // Listener is the source of truth for cluster handlers and connection
@@ -60,13 +64,13 @@ type Listener struct {
 	shutdownWg *sync.WaitGroup
 	server     *http2.Server
 
-	listenerAddrs []*net.TCPAddr
-	cipherSuites  []uint16
-	logger        log.Logger
-	l             sync.RWMutex
+	networkLayer NetworkLayer
+	cipherSuites []uint16
+	logger       log.Logger
+	l            sync.RWMutex
 }
 
-func NewListener(addrs []*net.TCPAddr, cipherSuites []uint16, logger log.Logger) *Listener {
+func NewListener(networkLayer NetworkLayer, cipherSuites []uint16, logger log.Logger) *Listener {
 	// Create the HTTP/2 server that will be shared by both RPC and regular
 	// duties. Doing it this way instead of listening via the server and gRPC
 	// allows us to re-use the same port via ALPN. We can just tell the server
@@ -84,19 +88,22 @@ func NewListener(addrs []*net.TCPAddr, cipherSuites []uint16, logger log.Logger)
 		shutdownWg: &sync.WaitGroup{},
 		server:     h2Server,
 
-		listenerAddrs: addrs,
-		cipherSuites:  cipherSuites,
-		logger:        logger,
+		networkLayer: networkLayer,
+		cipherSuites: cipherSuites,
+		logger:       logger,
 	}
 }
 
-// TODO: This probably isn't correct
 func (cl *Listener) Addr() net.Addr {
-	return cl.listenerAddrs[0]
+	addrs := cl.Addrs()
+	if len(addrs) == 0 {
+		return nil
+	}
+	return addrs[0]
 }
 
-func (cl *Listener) Addrs() []*net.TCPAddr {
-	return cl.listenerAddrs
+func (cl *Listener) Addrs() []net.Addr {
+	return cl.networkLayer.Addrs()
 }
 
 // AddClient adds a new client for an ALPN name
@@ -236,29 +243,15 @@ func (cl *Listener) Run(ctx context.Context) error {
 	// The server supports all of the possible protos
 	tlsConfig.NextProtos = []string{"h2", consts.RequestForwardingALPN, consts.PerfStandbyALPN, consts.PerformanceReplicationALPN, consts.DRReplicationALPN}
 
-	for i, laddr := range cl.listenerAddrs {
+	for _, ln := range cl.networkLayer.Listeners() {
 		// closeCh is used to shutdown the spawned goroutines once this
 		// function returns
 		closeCh := make(chan struct{})
 
-		if cl.logger.IsInfo() {
-			cl.logger.Info("starting listener", "listener_address", laddr)
-		}
-
-		// Create a TCP listener. We do this separately and specifically
-		// with TCP so that we can set deadlines.
-		tcpLn, err := net.ListenTCP("tcp", laddr)
-		if err != nil {
-			cl.logger.Error("error starting listener", "error", err)
-			continue
-		}
-		if laddr.String() != tcpLn.Addr().String() {
-			// If we listened on port 0, record the port the OS gave us.
-			cl.listenerAddrs[i] = tcpLn.Addr().(*net.TCPAddr)
-		}
+		localLn := ln
 
 		// Wrap the listener with TLS
-		tlsLn := tls.NewListener(tcpLn, tlsConfig)
+		tlsLn := tls.NewListener(localLn, tlsConfig)
 
 		if cl.logger.IsInfo() {
 			cl.logger.Info("serving cluster requests", "cluster_listen_address", tlsLn.Addr())
@@ -281,7 +274,7 @@ func (cl *Listener) Run(ctx context.Context) error {
 				// Set the deadline for the accept call. If it passes we'll get
 				// an error, causing us to check the condition at the top
 				// again.
-				tcpLn.SetDeadline(time.Now().Add(ListenerAcceptDeadline))
+				localLn.SetDeadline(time.Now().Add(ListenerAcceptDeadline))
 
 				// Accept the connection
 				conn, err := tlsLn.Accept()
@@ -365,3 +358,67 @@ func (cl *Listener) Stop() {
 	cl.shutdownWg.Wait()
 	cl.logger.Info("rpc listeners successfully shut down")
 }
+
+// GetDialerFunc returns a function that looks up the TLS information for the
+// provided alpn name and calls the network layer's dial function.
+func (cl *Listener) GetDialerFunc(ctx context.Context, alpn string) func(string, time.Duration) (net.Conn, error) {
+	return func(addr string, timeout time.Duration) (net.Conn, error) {
+		tlsConfig, err := cl.TLSConfig(ctx)
+		if err != nil {
+			cl.logger.Error("failed to get tls configuration", "error", err)
+			return nil, err
+		}
+
+		if tlsConfig == nil {
+			return nil, errors.New("no tls config found")
+		}
+
+		cl.l.RLock()
+		client, ok := cl.clients[alpn]
+		cl.l.RUnlock()
+		if !ok {
+			return nil, fmt.Errorf("no client configured for alpn: %q", alpn)
+		}
+
+		serverName := client.ServerName()
+		if serverName != "" {
+			tlsConfig.ServerName = serverName
+		}
+
+		caCert := client.CACert(ctx)
+		if caCert != nil {
+			pool := x509.NewCertPool()
+			pool.AddCert(caCert)
+			tlsConfig.RootCAs = pool
+			tlsConfig.ClientCAs = pool
+		}
+
+		tlsConfig.NextProtos = []string{alpn}
+		cl.logger.Debug("creating rpc dialer", "alpn", alpn, "host", tlsConfig.ServerName)
+
+		return cl.networkLayer.Dial(addr, timeout, tlsConfig)
+	}
+}
+
+// NetworkListener is used by the network layer to define a net.Listener for use
+// in the cluster listener.
+type NetworkListener interface {
+	net.Listener
+
+	SetDeadline(t time.Time) error
+}
+
+// NetworkLayer is the network abstraction used in the cluster listener.
+// Abstracting the network layer out allows us to swap the underlying
+// implementations for tests.
+type NetworkLayer interface {
+	Addrs() []net.Addr
+	Listeners() []NetworkListener
+	Dial(address string, timeout time.Duration, tlsConfig *tls.Config) (*tls.Conn, error)
+	Close() error
+}
+
+// NetworkLayerSet is used for returning a slice of layers to a caller.
+type NetworkLayerSet interface {
+	Layers() []NetworkLayer
+}
diff --git a/vault/cluster/inmem_layer.go b/vault/cluster/inmem_layer.go
new file mode 100644
index 000000000000..0a00981e2a9e
--- /dev/null
+++ b/vault/cluster/inmem_layer.go
@@ -0,0 +1,323 @@
+package cluster
+
+import (
+	"crypto/tls"
+	"errors"
+	"net"
+	"sync"
+	"time"
+
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/sdk/helper/base62"
+	"go.uber.org/atomic"
+)
+
+// InmemLayer is an in-memory implementation of NetworkLayer. This is
+// primarially useful for tests.
+type InmemLayer struct {
+	listener *inmemListener
+	addr     string
+	logger   log.Logger
+
+	servConns   map[string][]net.Conn
+	clientConns map[string][]net.Conn
+
+	peers map[string]*InmemLayer
+	l     sync.Mutex
+
+	stopped *atomic.Bool
+	stopCh  chan struct{}
+}
+
+// NewInmemLayer returns a new in-memory layer configured to listen on the
+// provided address.
+func NewInmemLayer(addr string, logger log.Logger) *InmemLayer {
+	return &InmemLayer{
+		addr:        addr,
+		logger:      logger,
+		stopped:     atomic.NewBool(false),
+		stopCh:      make(chan struct{}),
+		peers:       make(map[string]*InmemLayer),
+		servConns:   make(map[string][]net.Conn),
+		clientConns: make(map[string][]net.Conn),
+	}
+}
+
+// Addrs implements NetworkLayer.
+func (l *InmemLayer) Addrs() []net.Addr {
+	l.l.Lock()
+	defer l.l.Unlock()
+
+	if l.listener == nil {
+		return nil
+	}
+
+	return []net.Addr{l.listener.Addr()}
+}
+
+// Listeners implements NetworkLayer.
+func (l *InmemLayer) Listeners() []NetworkListener {
+	l.l.Lock()
+	defer l.l.Unlock()
+
+	if l.listener != nil {
+		return []NetworkListener{l.listener}
+	}
+
+	l.listener = &inmemListener{
+		addr:         l.addr,
+		pendingConns: make(chan net.Conn),
+
+		stopped: atomic.NewBool(false),
+		stopCh:  make(chan struct{}),
+	}
+
+	return []NetworkListener{l.listener}
+}
+
+// Dial implements NetworkLayer.
+func (l *InmemLayer) Dial(addr string, timeout time.Duration, tlsConfig *tls.Config) (*tls.Conn, error) {
+	l.l.Lock()
+	defer l.l.Unlock()
+
+	peer, ok := l.peers[addr]
+	if !ok {
+		return nil, errors.New("inmemlayer: no address found")
+	}
+
+	conn, err := peer.clientConn(l.addr)
+	if err != nil {
+		return nil, err
+	}
+
+	tlsConn := tls.Client(conn, tlsConfig)
+
+	l.clientConns[addr] = append(l.clientConns[addr], tlsConn)
+
+	return tlsConn, nil
+}
+
+// clientConn is executed on a server when a new client connection comes in and
+// needs to be Accepted.
+func (l *InmemLayer) clientConn(addr string) (net.Conn, error) {
+	l.l.Lock()
+	defer l.l.Unlock()
+
+	if l.listener == nil {
+		return nil, errors.New("inmemlayer: listener not started")
+	}
+
+	_, ok := l.peers[addr]
+	if !ok {
+		return nil, errors.New("inmemlayer: no peer found")
+	}
+
+	retConn, servConn := net.Pipe()
+
+	l.servConns[addr] = append(l.servConns[addr], servConn)
+
+	select {
+	case l.listener.pendingConns <- servConn:
+	case <-time.After(2 * time.Second):
+		return nil, errors.New("inmemlayer: timeout while accepting connection")
+	}
+
+	return retConn, nil
+}
+
+// Connect is used to connect this transport to another transport for
+// a given peer name. This allows for local routing.
+func (l *InmemLayer) Connect(peer string, remote *InmemLayer) {
+	l.l.Lock()
+	defer l.l.Unlock()
+	l.peers[peer] = remote
+}
+
+// Disconnect is used to remove the ability to route to a given peer.
+func (l *InmemLayer) Disconnect(peer string) {
+	l.l.Lock()
+	defer l.l.Unlock()
+	delete(l.peers, peer)
+
+	// Remove any open connections
+	servConns := l.servConns[peer]
+	for _, c := range servConns {
+		c.Close()
+	}
+	delete(l.servConns, peer)
+
+	clientConns := l.clientConns[peer]
+	for _, c := range clientConns {
+		c.Close()
+	}
+	delete(l.clientConns, peer)
+}
+
+// DisconnectAll is used to remove all routes to peers.
+func (l *InmemLayer) DisconnectAll() {
+	l.l.Lock()
+	defer l.l.Unlock()
+	l.peers = make(map[string]*InmemLayer)
+
+	// Close all connections
+	for _, peerConns := range l.servConns {
+		for _, c := range peerConns {
+			c.Close()
+		}
+	}
+	l.servConns = make(map[string][]net.Conn)
+
+	for _, peerConns := range l.clientConns {
+		for _, c := range peerConns {
+			c.Close()
+		}
+	}
+	l.clientConns = make(map[string][]net.Conn)
+}
+
+// Close is used to permanently disable the transport
+func (l *InmemLayer) Close() error {
+	if l.stopped.Swap(true) {
+		return nil
+	}
+
+	l.DisconnectAll()
+	close(l.stopCh)
+	return nil
+}
+
+// inmemListener implements the NetworkListener interface.
+type inmemListener struct {
+	addr         string
+	pendingConns chan net.Conn
+
+	stopped *atomic.Bool
+	stopCh  chan struct{}
+
+	deadline time.Time
+}
+
+// Accept implements the NetworkListener interface.
+func (ln *inmemListener) Accept() (net.Conn, error) {
+	deadline := ln.deadline
+	if !deadline.IsZero() {
+		select {
+		case conn := <-ln.pendingConns:
+			return conn, nil
+		case <-time.After(time.Until(deadline)):
+			return nil, deadlineError("deadline")
+		case <-ln.stopCh:
+			return nil, errors.New("listener shut down")
+		}
+	}
+
+	select {
+	case conn := <-ln.pendingConns:
+		return conn, nil
+	case <-ln.stopCh:
+		return nil, errors.New("listener shut down")
+	}
+}
+
+// Close implements the NetworkListener interface.
+func (ln *inmemListener) Close() error {
+	if ln.stopped.Swap(true) {
+		return nil
+	}
+
+	close(ln.stopCh)
+	return nil
+}
+
+// Addr implements the NetworkListener interface.
+func (ln *inmemListener) Addr() net.Addr {
+	return inmemAddr{addr: ln.addr}
+}
+
+// SetDeadline implements the NetworkListener interface.
+func (ln *inmemListener) SetDeadline(d time.Time) error {
+	ln.deadline = d
+	return nil
+}
+
+type inmemAddr struct {
+	addr string
+}
+
+func (a inmemAddr) Network() string {
+	return "inmem"
+}
+func (a inmemAddr) String() string {
+	return a.addr
+}
+
+type deadlineError string
+
+func (d deadlineError) Error() string   { return string(d) }
+func (d deadlineError) Timeout() bool   { return true }
+func (d deadlineError) Temporary() bool { return true }
+
+// InmemLayerCluster composes a set of layers and handles connecting them all
+// together. It also satisfies the NetworkLayerSet interface.
+type InmemLayerCluster struct {
+	layers []*InmemLayer
+}
+
+// NewInmemLayerCluster returns a new in-memory layer set that builds n nodes
+// and connects them all together.
+func NewInmemLayerCluster(nodes int, logger log.Logger) (*InmemLayerCluster, error) {
+	clusterID, err := base62.Random(4)
+	if err != nil {
+		return nil, err
+	}
+
+	clusterName := "cluster_" + clusterID
+
+	var layers []*InmemLayer
+	for i := 0; i < nodes; i++ {
+		nodeID, err := base62.Random(4)
+		if err != nil {
+			return nil, err
+		}
+
+		nodeName := clusterName + "_node_" + nodeID
+
+		layers = append(layers, NewInmemLayer(nodeName, logger))
+	}
+
+	// Connect all the peers together
+	for _, node := range layers {
+		for _, peer := range layers {
+			// Don't connect to itself
+			if node == peer {
+				continue
+			}
+
+			node.Connect(peer.addr, peer)
+			peer.Connect(node.addr, node)
+		}
+	}
+
+	return &InmemLayerCluster{layers: layers}, nil
+}
+
+// ConnectCluster connects this cluster with the provided remote cluster,
+// connecting all nodes to each other.
+func (ic *InmemLayerCluster) ConnectCluster(remote *InmemLayerCluster) {
+	for _, node := range ic.layers {
+		for _, peer := range remote.layers {
+			node.Connect(peer.addr, peer)
+			peer.Connect(node.addr, node)
+		}
+	}
+}
+
+// Layers implements the NetworkLayerSet interface.
+func (ic *InmemLayerCluster) Layers() []NetworkLayer {
+	ret := make([]NetworkLayer, len(ic.layers))
+	for i, l := range ic.layers {
+		ret[i] = l
+	}
+
+	return ret
+}
diff --git a/vault/cluster/inmem_layer_test.go b/vault/cluster/inmem_layer_test.go
new file mode 100644
index 000000000000..35d7e44eb7bb
--- /dev/null
+++ b/vault/cluster/inmem_layer_test.go
@@ -0,0 +1,240 @@
+package cluster
+
+import (
+	"sync"
+	"testing"
+	"time"
+
+	"go.uber.org/atomic"
+)
+
+func TestInmemCluster_Connect(t *testing.T) {
+	cluster, err := NewInmemLayerCluster(3, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	server := cluster.layers[0]
+
+	listener := server.Listeners()[0]
+	var accepted int
+	stopCh := make(chan struct{})
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for {
+			select {
+			case <-stopCh:
+				return
+			default:
+			}
+
+			listener.SetDeadline(time.Now().Add(5 * time.Second))
+
+			_, err := listener.Accept()
+			if err != nil {
+				return
+			}
+
+			accepted++
+
+		}
+	}()
+
+	// Make sure two nodes can connect in
+	conn, err := cluster.layers[1].Dial(server.addr, 0, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if conn == nil {
+		t.Fatal("nil conn")
+	}
+
+	conn, err = cluster.layers[2].Dial(server.addr, 0, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if conn == nil {
+		t.Fatal("nil conn")
+	}
+
+	close(stopCh)
+	wg.Wait()
+
+	if accepted != 2 {
+		t.Fatalf("expected 2 connections to be accepted, got %d", accepted)
+	}
+}
+
+func TestInmemCluster_Disconnect(t *testing.T) {
+	cluster, err := NewInmemLayerCluster(3, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	server := cluster.layers[0]
+	server.Disconnect(cluster.layers[1].addr)
+
+	listener := server.Listeners()[0]
+	var accepted int
+	stopCh := make(chan struct{})
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for {
+			select {
+			case <-stopCh:
+				return
+			default:
+			}
+
+			listener.SetDeadline(time.Now().Add(5 * time.Second))
+
+			_, err := listener.Accept()
+			if err != nil {
+				return
+			}
+
+			accepted++
+
+		}
+	}()
+
+	// Make sure node1 cannot connect in
+	conn, err := cluster.layers[1].Dial(server.addr, 0, nil)
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	if conn != nil {
+		t.Fatal("expected nil conn")
+	}
+
+	// Node2 should be able to connect
+	conn, err = cluster.layers[2].Dial(server.addr, 0, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if conn == nil {
+		t.Fatal("nil conn")
+	}
+
+	close(stopCh)
+	wg.Wait()
+
+	if accepted != 1 {
+		t.Fatalf("expected 1 connections to be accepted, got %d", accepted)
+	}
+}
+
+func TestInmemCluster_DisconnectAll(t *testing.T) {
+	cluster, err := NewInmemLayerCluster(3, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	server := cluster.layers[0]
+	server.DisconnectAll()
+
+	// Make sure nodes cannot connect in
+	conn, err := cluster.layers[1].Dial(server.addr, 0, nil)
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	if conn != nil {
+		t.Fatal("expected nil conn")
+	}
+
+	conn, err = cluster.layers[2].Dial(server.addr, 0, nil)
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	if conn != nil {
+		t.Fatal("expected nil conn")
+	}
+}
+
+func TestInmemCluster_ConnectCluster(t *testing.T) {
+	cluster, err := NewInmemLayerCluster(3, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	cluster2, err := NewInmemLayerCluster(3, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cluster.ConnectCluster(cluster2)
+
+	var accepted atomic.Int32
+	stopCh := make(chan struct{})
+	var wg sync.WaitGroup
+	acceptConns := func(listener NetworkListener) {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			for {
+				select {
+				case <-stopCh:
+					return
+				default:
+				}
+
+				listener.SetDeadline(time.Now().Add(5 * time.Second))
+
+				_, err := listener.Accept()
+				if err != nil {
+					return
+				}
+
+				accepted.Add(1)
+
+			}
+		}()
+	}
+
+	// Start a listener on each node.
+	for _, node := range cluster.layers {
+		acceptConns(node.Listeners()[0])
+	}
+	for _, node := range cluster2.layers {
+		acceptConns(node.Listeners()[0])
+	}
+
+	// Make sure each node can connect to each other
+	for _, node1 := range cluster.layers {
+		for _, node2 := range cluster2.layers {
+			conn, err := node1.Dial(node2.addr, 0, nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if conn == nil {
+				t.Fatal("nil conn")
+			}
+
+			conn, err = node2.Dial(node1.addr, 0, nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if conn == nil {
+				t.Fatal("nil conn")
+			}
+		}
+	}
+
+	close(stopCh)
+	wg.Wait()
+
+	if accepted.Load() != 18 {
+		t.Fatalf("expected 18 connections to be accepted, got %d", accepted)
+	}
+}
diff --git a/vault/cluster/tcp_layer.go b/vault/cluster/tcp_layer.go
new file mode 100644
index 000000000000..475f7726cef7
--- /dev/null
+++ b/vault/cluster/tcp_layer.go
@@ -0,0 +1,111 @@
+package cluster
+
+import (
+	"crypto/tls"
+	"net"
+	"sync"
+	"time"
+
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-multierror"
+	"go.uber.org/atomic"
+)
+
+// TCPLayer implements the NetworkLayer interface and uses TCP as the underlying
+// network.
+type TCPLayer struct {
+	listeners []NetworkListener
+	addrs     []*net.TCPAddr
+	logger    log.Logger
+
+	l       sync.Mutex
+	stopped *atomic.Bool
+}
+
+// NewTCPLayer returns a TCPLayer.
+func NewTCPLayer(addrs []*net.TCPAddr, logger log.Logger) *TCPLayer {
+	return &TCPLayer{
+		addrs:   addrs,
+		logger:  logger,
+		stopped: atomic.NewBool(false),
+	}
+}
+
+// Addrs implements NetworkLayer.
+func (l *TCPLayer) Addrs() []net.Addr {
+	l.l.Lock()
+	defer l.l.Unlock()
+
+	if len(l.addrs) == 0 {
+		return nil
+	}
+
+	ret := make([]net.Addr, len(l.addrs))
+	for i, a := range l.addrs {
+		ret[i] = a
+	}
+
+	return ret
+}
+
+// Listeners implements NetworkLayer. It starts a new TCP listener for each
+// configured address.
+func (l *TCPLayer) Listeners() []NetworkListener {
+	l.l.Lock()
+	defer l.l.Unlock()
+
+	if l.listeners != nil {
+		return l.listeners
+	}
+
+	listeners := []NetworkListener{}
+	for i, laddr := range l.addrs {
+		if l.logger.IsInfo() {
+			l.logger.Info("starting listener", "listener_address", laddr)
+		}
+
+		tcpLn, err := net.ListenTCP("tcp", laddr)
+		if err != nil {
+			l.logger.Error("error starting listener", "error", err)
+			continue
+		}
+		if laddr.String() != tcpLn.Addr().String() {
+			// If we listened on port 0, record the port the OS gave us.
+			l.addrs[i] = tcpLn.Addr().(*net.TCPAddr)
+		}
+
+		listeners = append(listeners, tcpLn)
+	}
+
+	l.listeners = listeners
+
+	return listeners
+}
+
+// Dial implements the NetworkLayer interface.
+func (l *TCPLayer) Dial(address string, timeout time.Duration, tlsConfig *tls.Config) (*tls.Conn, error) {
+	dialer := &net.Dialer{
+		Timeout: timeout,
+	}
+	return tls.DialWithDialer(dialer, "tcp", address, tlsConfig)
+}
+
+// Close implements the NetworkLayer interface.
+func (l *TCPLayer) Close() error {
+	if l.stopped.Swap(true) {
+		return nil
+	}
+	l.l.Lock()
+	defer l.l.Unlock()
+
+	var retErr *multierror.Error
+	for _, ln := range l.listeners {
+		if err := ln.Close(); err != nil {
+			retErr = multierror.Append(retErr, err)
+		}
+	}
+
+	l.listeners = nil
+
+	return retErr.ErrorOrNil()
+}
diff --git a/vault/cluster_test.go b/vault/cluster_test.go
index d148e5f786ff..f6f9693f3ae6 100644
--- a/vault/cluster_test.go
+++ b/vault/cluster_test.go
@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"net/http"
 	"testing"
 	"time"
@@ -15,6 +14,7 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/physical"
 	"github.com/hashicorp/vault/sdk/physical/inmem"
+	"github.com/hashicorp/vault/vault/cluster"
 )
 
 var (
@@ -100,13 +100,13 @@ func TestCluster_ListenForRequests(t *testing.T) {
 	// Wait for core to become active
 	TestWaitActive(t, cores[0].Core)
 
-	cores[0].getClusterListener().AddClient(consts.RequestForwardingALPN, &requestForwardingClusterClient{cores[0].Core})
+	clusterListener := cores[0].getClusterListener()
+	clusterListener.AddClient(consts.RequestForwardingALPN, &requestForwardingClusterClient{cores[0].Core})
 	addrs := cores[0].getClusterListener().Addrs()
 
 	// Use this to have a valid config after sealing since ClusterTLSConfig returns nil
 	checkListenersFunc := func(expectFail bool) {
-		parsedCert := cores[0].localClusterParsedCert.Load().(*x509.Certificate)
-		dialer := cores[0].getGRPCDialer(context.Background(), consts.RequestForwardingALPN, parsedCert.Subject.CommonName, parsedCert)
+		dialer := clusterListener.GetDialerFunc(context.Background(), consts.RequestForwardingALPN)
 		for i := range cores[0].Listeners {
 
 			clnAddr := addrs[i]
@@ -172,11 +172,25 @@ func TestCluster_ForwardRequests(t *testing.T) {
 	// Make this nicer for tests
 	manualStepDownSleepPeriod = 5 * time.Second
 
-	testCluster_ForwardRequestsCommon(t)
+	t.Run("tcpLayer", func(t *testing.T) {
+		testCluster_ForwardRequestsCommon(t, nil)
+	})
+
+	t.Run("inmemLayer", func(t *testing.T) {
+		// Run again with in-memory network
+		inmemCluster, err := cluster.NewInmemLayerCluster(3, nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		testCluster_ForwardRequestsCommon(t, &TestClusterOptions{
+			ClusterLayers: inmemCluster,
+		})
+	})
 }
 
-func testCluster_ForwardRequestsCommon(t *testing.T) {
-	cluster := NewTestCluster(t, nil, nil)
+func testCluster_ForwardRequestsCommon(t *testing.T, clusterOpts *TestClusterOptions) {
+	cluster := NewTestCluster(t, nil, clusterOpts)
 	cores := cluster.Cores
 	cores[0].Handler.(*http.ServeMux).HandleFunc("/core1", func(w http.ResponseWriter, req *http.Request) {
 		w.Header().Add("Content-Type", "application/json")
diff --git a/vault/core.go b/vault/core.go
index fb3e343fffff..059edb1c2c82 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -18,7 +18,7 @@ import (
 	"sync/atomic"
 	"time"
 
-	metrics "github.com/armon/go-metrics"
+	"github.com/armon/go-metrics"
 	"github.com/hashicorp/errwrap"
 	log "github.com/hashicorp/go-hclog"
 	wrapping "github.com/hashicorp/go-kms-wrapping"
@@ -162,6 +162,7 @@ type raftInformation struct {
 	leaderClient        *api.Client
 	leaderBarrierConfig *SealConfig
 	nonVoter            bool
+	joinInProgress      bool
 }
 
 // Core is used as the central manager of Vault activity. It is the primary point of
@@ -204,6 +205,15 @@ type Core struct {
 	// seal is our seal, for seal configuration information
 	seal Seal
 
+	// raftJoinDoneCh is used by the raft retry join routine to inform unseal process
+	// that the join is complete
+	raftJoinDoneCh chan struct{}
+
+	// postUnsealStarted informs the raft retry join routine that unseal key
+	// validation is completed and post unseal has started so that it can complete
+	// the join process when Shamir seal is in use
+	postUnsealStarted *uint32
+
 	// raftInfo will contain information required for this node to join as a
 	// peer to an existing raft cluster
 	raftInfo *raftInformation
@@ -483,6 +493,14 @@ type Core struct {
 	secureRandomReader io.Reader
 
 	recoveryMode bool
+
+	clusterNetworkLayer cluster.NetworkLayer
+
+	// PR1103disabled is used to test upgrade workflows: when set to true,
+	// the correct behaviour for namespaced cubbyholes is disabled, so we
+	// can test an upgrade to a version that includes the fixes from
+	// https://github.com/hashicorp/vault-enterprise/pull/1103
+	PR1103disabled bool
 }
 
 // CoreConfig is used to parameterize a core
@@ -566,6 +584,8 @@ type CoreConfig struct {
 	CounterSyncInterval time.Duration
 
 	RecoveryMode bool
+
+	ClusterNetworkLayer cluster.NetworkLayer
 }
 
 func (c *CoreConfig) Clone() *CoreConfig {
@@ -601,6 +621,7 @@ func (c *CoreConfig) Clone() *CoreConfig {
 		DisableIndexing:           c.DisableIndexing,
 		AllLoggers:                c.AllLoggers,
 		CounterSyncInterval:       c.CounterSyncInterval,
+		ClusterNetworkLayer:       c.ClusterNetworkLayer,
 	}
 }
 
@@ -696,6 +717,7 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 		maxLeaseTTL:                  conf.MaxLeaseTTL,
 		cachingDisabled:              conf.DisableCache,
 		clusterName:                  conf.ClusterName,
+		clusterNetworkLayer:          conf.ClusterNetworkLayer,
 		clusterPeerClusterAddrsCache: cache.New(3*cluster.HeartbeatInterval, time.Second),
 		enableMlock:                  !conf.DisableMlock,
 		rawEnabled:                   conf.EnableRaw,
@@ -721,7 +743,9 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 			requests:     new(uint64),
 			syncInterval: syncInterval,
 		},
-		recoveryMode: conf.RecoveryMode,
+		recoveryMode:      conf.RecoveryMode,
+		postUnsealStarted: new(uint32),
+		raftJoinDoneCh:    make(chan struct{}),
 	}
 
 	atomic.StoreUint32(c.sealed, 1)
@@ -1032,13 +1056,26 @@ func (c *Core) unseal(key []byte, useRecoveryKeys bool) (bool, error) {
 			return c.unsealInternal(ctx, masterKey)
 		}
 
-		// If we are in the middle of a raft join send the answer and wait for
-		// data to start streaming in.
-		if err := c.joinRaftSendAnswer(ctx, c.seal.GetAccess(), c.raftInfo); err != nil {
-			return false, err
+		switch c.raftInfo.joinInProgress {
+		case true:
+			// JoinRaftCluster is already trying to perform a join based on retry_join configuration.
+			// Inform that routine that unseal key validation is complete so that it can continue to
+			// try and join possible leader nodes, and wait for it to complete.
+
+			atomic.StoreUint32(c.postUnsealStarted, 1)
+
+			c.logger.Info("waiting for raft retry join process to complete")
+			<-c.raftJoinDoneCh
+
+		default:
+			// This is the case for manual raft join. Send the answer to the leader node and
+			// wait for data to start streaming in.
+			if err := c.joinRaftSendAnswer(ctx, c.seal.GetAccess(), c.raftInfo); err != nil {
+				return false, err
+			}
+			// Reset the state
+			c.raftInfo = nil
 		}
-		// Reset the state
-		c.raftInfo = nil
 
 		go func() {
 			keyringFound := false
diff --git a/vault/external_tests/policy/no_default_test.go b/vault/external_tests/policy/no_default_test.go
index a296d1364b1a..fcba0d011028 100644
--- a/vault/external_tests/policy/no_default_test.go
+++ b/vault/external_tests/policy/no_default_test.go
@@ -1,21 +1,20 @@
 package policy
 
-// This is TODO once tokenhelper is added to ldaputil
-/*
-
 import (
 	"testing"
+	"time"
 
 	"github.com/go-test/deep"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/builtin/credential/ldap"
+	ldaphelper "github.com/hashicorp/vault/helper/testhelpers/ldap"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
 )
 
-func TestNoDefaultPolicy(t *testing.T) {
+func TestPolicy_NoDefaultPolicy(t *testing.T) {
 	var err error
 	coreConfig := &vault.CoreConfig{
 		DisableMlock: true,
@@ -47,12 +46,17 @@ func TestNoDefaultPolicy(t *testing.T) {
 	}
 
 	// Configure LDAP auth backend
-	secret, err := client.Logical().Write("auth/ldap/config", map[string]interface{}{
-		"url":                     "ldap://ldap.forumsys.com",
-		"userattr":                "uid",
-		"userdn":                  "dc=example,dc=com",
-		"groupdn":                 "dc=example,dc=com",
-		"binddn":                  "cn=read-only-admin,dc=example,dc=com",
+	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
+	defer cleanup()
+
+	_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
+		"url":                     cfg.Url,
+		"userattr":                cfg.UserAttr,
+		"userdn":                  cfg.UserDN,
+		"groupdn":                 cfg.GroupDN,
+		"groupattr":               cfg.GroupAttr,
+		"binddn":                  cfg.BindDN,
+		"bindpass":                cfg.BindPassword,
 		"token_no_default_policy": true,
 	})
 	if err != nil {
@@ -60,7 +64,7 @@ func TestNoDefaultPolicy(t *testing.T) {
 	}
 
 	// Create a local user in LDAP
-	secret, err = client.Logical().Write("auth/ldap/users/tesla", map[string]interface{}{
+	secret, err := client.Logical().Write("auth/ldap/users/hermes conrad", map[string]interface{}{
 		"policies": "foo",
 	})
 	if err != nil {
@@ -68,8 +72,8 @@ func TestNoDefaultPolicy(t *testing.T) {
 	}
 
 	// Login with LDAP and create a token
-	secret, err = client.Logical().Write("auth/ldap/login/tesla", map[string]interface{}{
-		"password": "password",
+	secret, err = client.Logical().Write("auth/ldap/login/hermes conrad", map[string]interface{}{
+		"password": "hermes",
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -86,4 +90,94 @@ func TestNoDefaultPolicy(t *testing.T) {
 		t.Fatal(diff)
 	}
 }
-*/
+
+func TestPolicy_NoConfiguredPolicy(t *testing.T) {
+	var err error
+	coreConfig := &vault.CoreConfig{
+		DisableMlock: true,
+		DisableCache: true,
+		Logger:       hclog.NewNullLogger(),
+		CredentialBackends: map[string]logical.Factory{
+			"ldap": ldap.Factory,
+		},
+	}
+
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	cores := cluster.Cores
+
+	vault.TestWaitActive(t, cores[0].Core)
+
+	client := cores[0].Client
+
+	err = client.Sys().EnableAuthWithOptions("ldap", &api.EnableAuthOptions{
+		Type: "ldap",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Configure LDAP auth backend
+	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
+	defer cleanup()
+
+	_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
+		"url":       cfg.Url,
+		"userattr":  cfg.UserAttr,
+		"userdn":    cfg.UserDN,
+		"groupdn":   cfg.GroupDN,
+		"groupattr": cfg.GroupAttr,
+		"binddn":    cfg.BindDN,
+		"bindpass":  cfg.BindPassword,
+		"token_ttl": "24h",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a local user in LDAP without any policies configured
+	secret, err := client.Logical().Write("auth/ldap/users/hermes conrad", map[string]interface{}{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Login with LDAP and create a token
+	secret, err = client.Logical().Write("auth/ldap/login/hermes conrad", map[string]interface{}{
+		"password": "hermes",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	token := secret.Auth.ClientToken
+
+	// Lookup the token to get the entity ID
+	secret, err = client.Auth().Token().Lookup(token)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if diff := deep.Equal(secret.Data["policies"], []interface{}{"default"}); diff != nil {
+		t.Fatal(diff)
+	}
+
+	// Renew the token with an increment of 2 hours to ensure that lease renewal
+	// occurred and can be checked against the default lease duration with a
+	// big enough delta.
+	secret, err = client.Logical().Write("auth/token/renew", map[string]interface{}{
+		"token":     token,
+		"increment": "2h",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify that the lease renewal extended the duration properly.
+	if float64(secret.Auth.LeaseDuration) < (1 * time.Hour).Seconds() {
+		t.Fatalf("failed to renew lease, got: %v", secret.Auth.LeaseDuration)
+	}
+}
diff --git a/vault/external_tests/raft/raft_test.go b/vault/external_tests/raft/raft_test.go
index 2d47dbd7c09a..9c9f47677e7d 100644
--- a/vault/external_tests/raft/raft_test.go
+++ b/vault/external_tests/raft/raft_test.go
@@ -2,8 +2,10 @@ package rafttests
 
 import (
 	"bytes"
+	"context"
 	"crypto/md5"
 	"fmt"
+	"github.com/hashicorp/vault/helper/namespace"
 	"io/ioutil"
 	"net/http"
 	"strings"
@@ -32,6 +34,85 @@ func raftCluster(t testing.TB) *vault.TestCluster {
 	return cluster
 }
 
+func TestRaft_Retry_Join(t *testing.T) {
+	var conf vault.CoreConfig
+	var opts = vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
+	teststorage.RaftBackendSetup(&conf, &opts)
+	opts.SetupFunc = nil
+	cluster := vault.NewTestCluster(t, &conf, &opts)
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	addressProvider := &testhelpers.TestRaftServerAddressProvider{Cluster: cluster}
+
+	leaderCore := cluster.Cores[0]
+	leaderAPI := leaderCore.Client.Address()
+	atomic.StoreUint32(&vault.UpdateClusterAddrForTests, 1)
+
+	{
+		testhelpers.EnsureCoreSealed(t, leaderCore)
+		leaderCore.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+		cluster.UnsealCore(t, leaderCore)
+		vault.TestWaitActive(t, leaderCore.Core)
+	}
+
+	leaderInfos := []*raft.LeaderJoinInfo{
+		&raft.LeaderJoinInfo{
+			LeaderAPIAddr: leaderAPI,
+			TLSConfig:     leaderCore.TLSConfig,
+			Retry:         true,
+		},
+	}
+
+	{
+		core := cluster.Cores[1]
+		core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		time.Sleep(2 * time.Second)
+
+		cluster.UnsealCore(t, core)
+	}
+
+	{
+		core := cluster.Cores[2]
+		core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider)
+		_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		time.Sleep(2 * time.Second)
+
+		cluster.UnsealCore(t, core)
+	}
+
+	checkConfigFunc := func(expected map[string]bool) {
+		secret, err := cluster.Cores[0].Client.Logical().Read("sys/storage/raft/configuration")
+		if err != nil {
+			t.Fatal(err)
+		}
+		servers := secret.Data["config"].(map[string]interface{})["servers"].([]interface{})
+
+		for _, s := range servers {
+			server := s.(map[string]interface{})
+			delete(expected, server["node_id"].(string))
+		}
+		if len(expected) != 0 {
+			t.Fatalf("failed to read configuration successfully")
+		}
+	}
+
+	checkConfigFunc(map[string]bool{
+		"core-0": true,
+		"core-1": true,
+		"core-2": true,
+	})
+}
+
 func TestRaft_Join(t *testing.T) {
 	var conf vault.CoreConfig
 	var opts = vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
diff --git a/vault/logical_system_raft.go b/vault/logical_system_raft.go
index 00b79e6dd039..5a589ffe6c71 100644
--- a/vault/logical_system_raft.go
+++ b/vault/logical_system_raft.go
@@ -176,23 +176,24 @@ func (b *SystemBackend) handleRaftRemovePeerUpdate() framework.OperationFunc {
 
 func (b *SystemBackend) handleRaftBootstrapChallengeWrite() framework.OperationFunc {
 	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-		_, ok := b.Core.underlyingPhysical.(*raft.RaftBackend)
-		if !ok {
-			return logical.ErrorResponse("raft storage is not in use"), logical.ErrInvalidRequest
-		}
-
 		serverID := d.Get("server_id").(string)
 		if len(serverID) == 0 {
 			return logical.ErrorResponse("no server id provided"), logical.ErrInvalidRequest
 		}
 
-		uuid, err := uuid.GenerateRandomBytes(16)
-		if err != nil {
-			return nil, err
+		answer, ok := b.Core.pendingRaftPeers[serverID]
+		if !ok {
+			var err error
+			answer, err = uuid.GenerateRandomBytes(16)
+			if err != nil {
+				return nil, err
+			}
+			b.Core.pendingRaftPeers[serverID] = answer
 		}
 
 		sealAccess := b.Core.seal.GetAccess()
-		eBlob, err := sealAccess.Encrypt(ctx, uuid, nil)
+
+		eBlob, err := sealAccess.Encrypt(ctx, answer, nil)
 		if err != nil {
 			return nil, err
 		}
@@ -201,7 +202,6 @@ func (b *SystemBackend) handleRaftBootstrapChallengeWrite() framework.OperationF
 			return nil, err
 		}
 
-		b.Core.pendingRaftPeers[serverID] = uuid
 		sealConfig, err := b.Core.seal.BarrierConfig(ctx)
 		if err != nil {
 			return nil, err
@@ -285,6 +285,8 @@ func (b *SystemBackend) handleRaftBootstrapAnswerWrite() framework.OperationFunc
 			return nil, err
 		}
 
+		b.logger.Info("follower node answered the raft bootstrap challenge", "follower_server_id", serverID)
+
 		return &logical.Response{
 			Data: map[string]interface{}{
 				"peers":       peers,
diff --git a/vault/raft.go b/vault/raft.go
index 75e8eda9a24a..3d0c99f4b730 100644
--- a/vault/raft.go
+++ b/vault/raft.go
@@ -2,10 +2,10 @@ package vault
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"github.com/hashicorp/vault/sdk/helper/tlsutil"
 	"math"
 	"net/http"
 	"net/url"
@@ -14,8 +14,9 @@ import (
 	"sync/atomic"
 	"time"
 
-	proto "github.com/golang/protobuf/proto"
+	"github.com/golang/protobuf/proto"
 	"github.com/hashicorp/errwrap"
+
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	wrapping "github.com/hashicorp/go-kms-wrapping"
 	uuid "github.com/hashicorp/go-uuid"
@@ -525,18 +526,43 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
 	}
 }
 
-func (c *Core) JoinRaftCluster(ctx context.Context, leaderAddr string, tlsConfig *tls.Config, retry, nonVoter bool) (bool, error) {
-	if len(leaderAddr) == 0 {
-		return false, errors.New("No leader address provided")
+func (c *Core) InitiateRetryJoin(ctx context.Context) error {
+	raftStorage, ok := c.underlyingPhysical.(*raft.RaftBackend)
+	if !ok {
+		return errors.New("raft storage not configured")
+	}
+
+	if raftStorage.Initialized() {
+		return nil
+	}
+
+	leaderInfos, err := raftStorage.JoinConfig()
+	if err != nil {
+		return err
 	}
 
+	// Nothing to do if config wasn't supplied
+	if len(leaderInfos) == 0 {
+		return nil
+	}
+
+	c.logger.Info("raft retry join initiated")
+
+	if _, err = c.JoinRaftCluster(ctx, leaderInfos, false); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJoinInfo, nonVoter bool) (bool, error) {
 	raftStorage, ok := c.underlyingPhysical.(*raft.RaftBackend)
 	if !ok {
 		return false, errors.New("raft storage not configured")
 	}
 
 	if raftStorage.Initialized() {
-		return false, errors.New("raft is already initialized")
+		return false, errors.New("raft storage is already initialized")
 	}
 
 	init, err := c.Initialized(ctx)
@@ -544,103 +570,174 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderAddr string, tlsConfig
 		return false, errwrap.Wrapf("failed to check if core is initialized: {{err}}", err)
 	}
 	if init {
-		return false, errwrap.Wrapf("join can't be invoked on an initialized cluster: {{err}}", ErrAlreadyInit)
+		return true, nil
 	}
 
-	transport := cleanhttp.DefaultPooledTransport()
-	if tlsConfig != nil {
-		transport.TLSClientConfig = tlsConfig.Clone()
-		if err := http2.ConfigureTransport(transport); err != nil {
-			return false, errwrap.Wrapf("failed to configure TLS: {{err}}", err)
-		}
-	}
-	client := &http.Client{
-		Transport: transport,
-	}
-	config := api.DefaultConfig()
-	if config.Error != nil {
-		return false, errwrap.Wrapf("failed to create api client: {{err}}", config.Error)
-	}
-	config.Address = leaderAddr
-	config.HttpClient = client
-	config.MaxRetries = 0
-	apiClient, err := api.NewClient(config)
-	if err != nil {
-		return false, errwrap.Wrapf("failed to create api client: {{err}}", err)
-	}
+	join := func(retry bool) error {
+		joinLeader := func(leaderInfo *raft.LeaderJoinInfo) error {
+			if leaderInfo == nil {
+				return errors.New("raft leader information is nil")
+			}
+			if len(leaderInfo.LeaderAPIAddr) == 0 {
+				return errors.New("raft leader address not provided")
+			}
 
-	join := func() error {
-		// Unwrap the token
-		secret, err := apiClient.Logical().Write("sys/storage/raft/bootstrap/challenge", map[string]interface{}{
-			"server_id": raftStorage.NodeID(),
-		})
-		if err != nil {
-			return errwrap.Wrapf("error during bootstrap init call: {{err}}", err)
-		}
-		if secret == nil {
-			return errors.New("could not retrieve bootstrap package")
-		}
+			init, err := c.Initialized(ctx)
+			if err != nil {
+				return errwrap.Wrapf("failed to check if core is initialized: {{err}}", err)
+			}
+			if init {
+				c.logger.Info("returning from raft join as the node is initialized")
+				return nil
+			}
+			if !c.Sealed() {
+				c.logger.Info("returning from raft join as the node is unsealed")
+				return nil
+			}
 
-		var sealConfig SealConfig
-		err = mapstructure.Decode(secret.Data["seal_config"], &sealConfig)
-		if err != nil {
-			return err
-		}
+			c.logger.Info("attempting to join possible raft leader node", "leader_addr", leaderInfo.LeaderAPIAddr)
 
-		if sealConfig.Type != c.seal.BarrierType() {
-			return fmt.Errorf("mismatching seal types between leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierType())
-		}
+			// Create an API client to interact with the leader node
+			transport := cleanhttp.DefaultPooledTransport()
 
-		challengeB64, ok := secret.Data["challenge"]
-		if !ok {
-			return errors.New("error during raft bootstrap call, no challenge given")
-		}
-		challengeRaw, err := base64.StdEncoding.DecodeString(challengeB64.(string))
-		if err != nil {
-			return errwrap.Wrapf("error decoding challenge: {{err}}", err)
-		}
+			if leaderInfo.TLSConfig == nil && (len(leaderInfo.LeaderCACert) != 0 || len(leaderInfo.LeaderClientCert) != 0 || len(leaderInfo.LeaderClientKey) != 0) {
+				leaderInfo.TLSConfig, err = tlsutil.ClientTLSConfig([]byte(leaderInfo.LeaderCACert), []byte(leaderInfo.LeaderClientCert), []byte(leaderInfo.LeaderClientKey))
+				if err != nil {
+					return errwrap.Wrapf("failed to create TLS config: {{err}}", err)
+				}
+			}
 
-		eBlob := &wrapping.EncryptedBlobInfo{}
-		if err := proto.Unmarshal(challengeRaw, eBlob); err != nil {
-			return errwrap.Wrapf("error decoding challenge: {{err}}", err)
-		}
-		raftInfo := &raftInformation{
-			challenge:           eBlob,
-			leaderClient:        apiClient,
-			leaderBarrierConfig: &sealConfig,
-			nonVoter:            nonVoter,
-		}
-		if c.seal.BarrierType() == wrapping.Shamir {
-			c.raftInfo = raftInfo
-			c.seal.SetBarrierConfig(ctx, &sealConfig)
+			if leaderInfo.TLSConfig != nil {
+				transport.TLSClientConfig = leaderInfo.TLSConfig.Clone()
+				if err := http2.ConfigureTransport(transport); err != nil {
+					return errwrap.Wrapf("failed to configure TLS: {{err}}", err)
+				}
+			}
+
+			client := &http.Client{
+				Transport: transport,
+			}
+			config := api.DefaultConfig()
+			if config.Error != nil {
+				return errwrap.Wrapf("failed to create api client: {{err}}", config.Error)
+			}
+			config.Address = leaderInfo.LeaderAPIAddr
+			config.HttpClient = client
+			config.MaxRetries = 0
+			apiClient, err := api.NewClient(config)
+			if err != nil {
+				return errwrap.Wrapf("failed to create api client: {{err}}", err)
+			}
+
+			// Attempt to join the leader by requesting for the bootstrap challenge
+			secret, err := apiClient.Logical().Write("sys/storage/raft/bootstrap/challenge", map[string]interface{}{
+				"server_id": raftStorage.NodeID(),
+			})
+			if err != nil {
+				return errwrap.Wrapf("error during raft bootstrap init call: {{err}}", err)
+			}
+			if secret == nil {
+				return errors.New("could not retrieve raft bootstrap package")
+			}
+
+			var sealConfig SealConfig
+			err = mapstructure.Decode(secret.Data["seal_config"], &sealConfig)
+			if err != nil {
+				return err
+			}
+
+			if sealConfig.Type != c.seal.BarrierType() {
+				return fmt.Errorf("mismatching seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierType())
+			}
+
+			challengeB64, ok := secret.Data["challenge"]
+			if !ok {
+				return errors.New("error during raft bootstrap call, no challenge given")
+			}
+			challengeRaw, err := base64.StdEncoding.DecodeString(challengeB64.(string))
+			if err != nil {
+				return errwrap.Wrapf("error decoding raft bootstrap challenge: {{err}}", err)
+			}
+
+			eBlob := &wrapping.EncryptedBlobInfo{}
+			if err := proto.Unmarshal(challengeRaw, eBlob); err != nil {
+				return errwrap.Wrapf("error decoding raft bootstrap challenge: {{err}}", err)
+			}
+			raftInfo := &raftInformation{
+				challenge:           eBlob,
+				leaderClient:        apiClient,
+				leaderBarrierConfig: &sealConfig,
+				nonVoter:            nonVoter,
+			}
+
+			if c.seal.BarrierType() == wrapping.Shamir {
+				c.raftInfo = raftInfo
+				if err := c.seal.SetBarrierConfig(ctx, &sealConfig); err != nil {
+					return err
+				}
+
+				if !retry {
+					return nil
+				}
+
+				// Wait until unseal keys are supplied
+				c.raftInfo.joinInProgress = true
+				if atomic.LoadUint32(c.postUnsealStarted) != 1 {
+					return errors.New("waiting for unseal keys to be supplied")
+				}
+			}
+
+			if err := c.joinRaftSendAnswer(ctx, c.seal.GetAccess(), raftInfo); err != nil {
+				return errwrap.Wrapf("failed to send answer to raft leader node: {{err}}", err)
+			}
+
+			if c.seal.BarrierType() == wrapping.Shamir {
+				// Reset the state
+				c.raftInfo = nil
+
+				// In case of Shamir unsealing, inform the unseal process that raft join is completed
+				close(c.raftJoinDoneCh)
+			}
+
+			c.logger.Info("successfully joined the raft cluster", "leader_addr", leaderInfo.LeaderAPIAddr)
 			return nil
 		}
 
-		if err := c.joinRaftSendAnswer(ctx, c.seal.GetAccess(), raftInfo); err != nil {
-			return errwrap.Wrapf("failed to send answer to leader node: {{err}}", err)
+		// Each join try goes through all the possible leader nodes and attempts to join
+		// them, until one of the attempt succeeds.
+		for _, leaderInfo := range leaderInfos {
+			err = joinLeader(leaderInfo)
+			if err == nil {
+				return nil
+			}
+			c.logger.Info("join attempt failed", "error", err)
 		}
 
-		return nil
+		return errors.New("failed to join any raft leader node")
 	}
 
-	switch retry {
+	switch leaderInfos[0].Retry {
 	case true:
 		go func() {
 			for {
-				// TODO add a way to shut this down
-				err := join()
+				select {
+				case <-ctx.Done():
+					return
+				default:
+				}
+				err := join(true)
 				if err == nil {
 					return
 				}
-				c.logger.Error("failed to join raft cluster", "error", err)
-				time.Sleep(time.Second * 2)
+				c.logger.Error("failed to retry join raft cluster", "retry", "2s")
+				time.Sleep(2 * time.Second)
 			}
 		}()
 
 		// Backgrounded so return false
 		return false, nil
 	default:
-		if err := join(); err != nil {
+		if err := join(false); err != nil {
 			c.logger.Error("failed to join raft cluster", "error", err)
 			return false, errwrap.Wrapf("failed to join raft cluster: {{err}}", err)
 		}
diff --git a/vault/request_forwarding.go b/vault/request_forwarding.go
index b97263e6ded4..e7961ee938cc 100644
--- a/vault/request_forwarding.go
+++ b/vault/request_forwarding.go
@@ -99,6 +99,19 @@ func (c *requestForwardingClusterClient) ClientLookup(ctx context.Context, reque
 	return nil, nil
 }
 
+func (c *requestForwardingClusterClient) ServerName() string {
+	parsedCert := c.core.localClusterParsedCert.Load().(*x509.Certificate)
+	if parsedCert == nil {
+		return ""
+	}
+
+	return parsedCert.Subject.CommonName
+}
+
+func (c *requestForwardingClusterClient) CACert(ctx context.Context) *x509.Certificate {
+	return c.core.localClusterParsedCert.Load().(*x509.Certificate)
+}
+
 // ServerLookup satisfies the ClusterHandler interface and returns the server's
 // tls certs.
 func (rf *requestForwardingHandler) ServerLookup(ctx context.Context, clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -246,19 +259,22 @@ func (c *Core) refreshRequestForwardingConnection(ctx context.Context, clusterAd
 	}
 
 	clusterListener := c.getClusterListener()
-	if clusterListener != nil {
-		clusterListener.AddClient(consts.RequestForwardingALPN, &requestForwardingClusterClient{
-			core: c,
-		})
+	if clusterListener == nil {
+		c.logger.Error("no cluster listener configured")
+		return nil
 	}
 
+	clusterListener.AddClient(consts.RequestForwardingALPN, &requestForwardingClusterClient{
+		core: c,
+	})
+
 	// Set up grpc forwarding handling
 	// It's not really insecure, but we have to dial manually to get the
 	// ALPN header right. It's just "insecure" because GRPC isn't managing
 	// the TLS state.
 	dctx, cancelFunc := context.WithCancel(ctx)
 	c.rpcClientConn, err = grpc.DialContext(dctx, clusterURL.Host,
-		grpc.WithDialer(c.getGRPCDialer(ctx, consts.RequestForwardingALPN, parsedCert.Subject.CommonName, parsedCert)),
+		grpc.WithDialer(clusterListener.GetDialerFunc(ctx, consts.RequestForwardingALPN)),
 		grpc.WithInsecure(), // it's not, we handle it in the dialer
 		grpc.WithKeepaliveParams(keepalive.ClientParameters{
 			Time: 2 * cluster.HeartbeatInterval,
diff --git a/vault/testing.go b/vault/testing.go
index d485399942b2..2686b845a2ab 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -31,6 +31,7 @@ import (
 	hclog "github.com/hashicorp/go-hclog"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/vault/cluster"
 	"github.com/hashicorp/vault/vault/seal"
 	"github.com/mitchellh/copystructure"
 
@@ -1057,7 +1058,11 @@ type TestClusterOptions struct {
 	FirstCoreNumber   int
 	RequireClientAuth bool
 	// SetupFunc is called after the cluster is started.
-	SetupFunc func(t testing.T, c *TestCluster)
+	SetupFunc      func(t testing.T, c *TestCluster)
+	PR1103Disabled bool
+
+	// ClusterLayers are used to override the default cluster connection layer
+	ClusterLayers cluster.NetworkLayerSet
 }
 
 var DefaultNumCores = 3
@@ -1093,6 +1098,11 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 		numCores = opts.NumCores
 	}
 
+	var disablePR1103 bool
+	if opts != nil && opts.PR1103Disabled {
+		disablePR1103 = true
+	}
+
 	var firstCoreNumber int
 	if opts != nil {
 		firstCoreNumber = opts.FirstCoreNumber
@@ -1486,6 +1496,10 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 			}
 		}
 
+		if opts != nil && opts.ClusterLayers != nil {
+			localConfig.ClusterNetworkLayer = opts.ClusterLayers.Layers()[i]
+		}
+
 		switch {
 		case localConfig.LicensingConfig != nil:
 			if pubKey != nil {
@@ -1506,6 +1520,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 			t.Fatalf("err: %v", err)
 		}
 		c.coreNumber = firstCoreNumber + i
+		c.PR1103disabled = disablePR1103
 		cores = append(cores, c)
 		coreConfigs = append(coreConfigs, &localConfig)
 		if opts != nil && opts.HandlerFunc != nil {
diff --git a/vendor/github.com/gorilla/websocket/.gitignore b/vendor/github.com/gorilla/websocket/.gitignore
new file mode 100644
index 000000000000..cd3fcd1ef72a
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/.gitignore
@@ -0,0 +1,25 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+
+.idea/
+*.iml
diff --git a/vendor/github.com/gorilla/websocket/AUTHORS b/vendor/github.com/gorilla/websocket/AUTHORS
new file mode 100644
index 000000000000..1931f400682c
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/AUTHORS
@@ -0,0 +1,9 @@
+# This is the official list of Gorilla WebSocket authors for copyright
+# purposes.
+#
+# Please keep the list sorted.
+
+Gary Burd <gary@beagledreams.com>
+Google LLC (https://opensource.google.com/)
+Joachim Bauch <mail@joachim-bauch.de>
+
diff --git a/vendor/github.com/gorilla/websocket/LICENSE b/vendor/github.com/gorilla/websocket/LICENSE
new file mode 100644
index 000000000000..9171c9722522
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2013 The Gorilla WebSocket Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+  Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+  Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/gorilla/websocket/README.md b/vendor/github.com/gorilla/websocket/README.md
new file mode 100644
index 000000000000..0827d059c11a
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/README.md
@@ -0,0 +1,64 @@
+# Gorilla WebSocket
+
+[![GoDoc](https://godoc.org/github.com/gorilla/websocket?status.svg)](https://godoc.org/github.com/gorilla/websocket)
+[![CircleCI](https://circleci.com/gh/gorilla/websocket.svg?style=svg)](https://circleci.com/gh/gorilla/websocket)
+
+Gorilla WebSocket is a [Go](http://golang.org/) implementation of the
+[WebSocket](http://www.rfc-editor.org/rfc/rfc6455.txt) protocol.
+
+### Documentation
+
+* [API Reference](http://godoc.org/github.com/gorilla/websocket)
+* [Chat example](https://github.com/gorilla/websocket/tree/master/examples/chat)
+* [Command example](https://github.com/gorilla/websocket/tree/master/examples/command)
+* [Client and server example](https://github.com/gorilla/websocket/tree/master/examples/echo)
+* [File watch example](https://github.com/gorilla/websocket/tree/master/examples/filewatch)
+
+### Status
+
+The Gorilla WebSocket package provides a complete and tested implementation of
+the [WebSocket](http://www.rfc-editor.org/rfc/rfc6455.txt) protocol. The
+package API is stable.
+
+### Installation
+
+    go get github.com/gorilla/websocket
+
+### Protocol Compliance
+
+The Gorilla WebSocket package passes the server tests in the [Autobahn Test
+Suite](https://github.com/crossbario/autobahn-testsuite) using the application in the [examples/autobahn
+subdirectory](https://github.com/gorilla/websocket/tree/master/examples/autobahn).
+
+### Gorilla WebSocket compared with other packages
+
+<table>
+<tr>
+<th></th>
+<th><a href="http://godoc.org/github.com/gorilla/websocket">github.com/gorilla</a></th>
+<th><a href="http://godoc.org/golang.org/x/net/websocket">golang.org/x/net</a></th>
+</tr>
+<tr>
+<tr><td colspan="3"><a href="http://tools.ietf.org/html/rfc6455">RFC 6455</a> Features</td></tr>
+<tr><td>Passes <a href="https://github.com/crossbario/autobahn-testsuite">Autobahn Test Suite</a></td><td><a href="https://github.com/gorilla/websocket/tree/master/examples/autobahn">Yes</a></td><td>No</td></tr>
+<tr><td>Receive <a href="https://tools.ietf.org/html/rfc6455#section-5.4">fragmented</a> message<td>Yes</td><td><a href="https://code.google.com/p/go/issues/detail?id=7632">No</a>, see note 1</td></tr>
+<tr><td>Send <a href="https://tools.ietf.org/html/rfc6455#section-5.5.1">close</a> message</td><td><a href="http://godoc.org/github.com/gorilla/websocket#hdr-Control_Messages">Yes</a></td><td><a href="https://code.google.com/p/go/issues/detail?id=4588">No</a></td></tr>
+<tr><td>Send <a href="https://tools.ietf.org/html/rfc6455#section-5.5.2">pings</a> and receive <a href="https://tools.ietf.org/html/rfc6455#section-5.5.3">pongs</a></td><td><a href="http://godoc.org/github.com/gorilla/websocket#hdr-Control_Messages">Yes</a></td><td>No</td></tr>
+<tr><td>Get the <a href="https://tools.ietf.org/html/rfc6455#section-5.6">type</a> of a received data message</td><td>Yes</td><td>Yes, see note 2</td></tr>
+<tr><td colspan="3">Other Features</tr></td>
+<tr><td><a href="https://tools.ietf.org/html/rfc7692">Compression Extensions</a></td><td>Experimental</td><td>No</td></tr>
+<tr><td>Read message using io.Reader</td><td><a href="http://godoc.org/github.com/gorilla/websocket#Conn.NextReader">Yes</a></td><td>No, see note 3</td></tr>
+<tr><td>Write message using io.WriteCloser</td><td><a href="http://godoc.org/github.com/gorilla/websocket#Conn.NextWriter">Yes</a></td><td>No, see note 3</td></tr>
+</table>
+
+Notes:
+
+1. Large messages are fragmented in [Chrome's new WebSocket implementation](http://www.ietf.org/mail-archive/web/hybi/current/msg10503.html).
+2. The application can get the type of a received data message by implementing
+   a [Codec marshal](http://godoc.org/golang.org/x/net/websocket#Codec.Marshal)
+   function.
+3. The go.net io.Reader and io.Writer operate across WebSocket frame boundaries.
+  Read returns when the input buffer is full or a frame boundary is
+  encountered. Each call to Write sends a single frame message. The Gorilla
+  io.Reader and io.WriteCloser operate on a single WebSocket message.
+
diff --git a/vendor/github.com/gorilla/websocket/client.go b/vendor/github.com/gorilla/websocket/client.go
new file mode 100644
index 000000000000..962c06a391c2
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/client.go
@@ -0,0 +1,395 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"errors"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptrace"
+	"net/url"
+	"strings"
+	"time"
+)
+
+// ErrBadHandshake is returned when the server response to opening handshake is
+// invalid.
+var ErrBadHandshake = errors.New("websocket: bad handshake")
+
+var errInvalidCompression = errors.New("websocket: invalid compression negotiation")
+
+// NewClient creates a new client connection using the given net connection.
+// The URL u specifies the host and request URI. Use requestHeader to specify
+// the origin (Origin), subprotocols (Sec-WebSocket-Protocol) and cookies
+// (Cookie). Use the response.Header to get the selected subprotocol
+// (Sec-WebSocket-Protocol) and cookies (Set-Cookie).
+//
+// If the WebSocket handshake fails, ErrBadHandshake is returned along with a
+// non-nil *http.Response so that callers can handle redirects, authentication,
+// etc.
+//
+// Deprecated: Use Dialer instead.
+func NewClient(netConn net.Conn, u *url.URL, requestHeader http.Header, readBufSize, writeBufSize int) (c *Conn, response *http.Response, err error) {
+	d := Dialer{
+		ReadBufferSize:  readBufSize,
+		WriteBufferSize: writeBufSize,
+		NetDial: func(net, addr string) (net.Conn, error) {
+			return netConn, nil
+		},
+	}
+	return d.Dial(u.String(), requestHeader)
+}
+
+// A Dialer contains options for connecting to WebSocket server.
+type Dialer struct {
+	// NetDial specifies the dial function for creating TCP connections. If
+	// NetDial is nil, net.Dial is used.
+	NetDial func(network, addr string) (net.Conn, error)
+
+	// NetDialContext specifies the dial function for creating TCP connections. If
+	// NetDialContext is nil, net.DialContext is used.
+	NetDialContext func(ctx context.Context, network, addr string) (net.Conn, error)
+
+	// Proxy specifies a function to return a proxy for a given
+	// Request. If the function returns a non-nil error, the
+	// request is aborted with the provided error.
+	// If Proxy is nil or returns a nil *URL, no proxy is used.
+	Proxy func(*http.Request) (*url.URL, error)
+
+	// TLSClientConfig specifies the TLS configuration to use with tls.Client.
+	// If nil, the default configuration is used.
+	TLSClientConfig *tls.Config
+
+	// HandshakeTimeout specifies the duration for the handshake to complete.
+	HandshakeTimeout time.Duration
+
+	// ReadBufferSize and WriteBufferSize specify I/O buffer sizes in bytes. If a buffer
+	// size is zero, then a useful default size is used. The I/O buffer sizes
+	// do not limit the size of the messages that can be sent or received.
+	ReadBufferSize, WriteBufferSize int
+
+	// WriteBufferPool is a pool of buffers for write operations. If the value
+	// is not set, then write buffers are allocated to the connection for the
+	// lifetime of the connection.
+	//
+	// A pool is most useful when the application has a modest volume of writes
+	// across a large number of connections.
+	//
+	// Applications should use a single pool for each unique value of
+	// WriteBufferSize.
+	WriteBufferPool BufferPool
+
+	// Subprotocols specifies the client's requested subprotocols.
+	Subprotocols []string
+
+	// EnableCompression specifies if the client should attempt to negotiate
+	// per message compression (RFC 7692). Setting this value to true does not
+	// guarantee that compression will be supported. Currently only "no context
+	// takeover" modes are supported.
+	EnableCompression bool
+
+	// Jar specifies the cookie jar.
+	// If Jar is nil, cookies are not sent in requests and ignored
+	// in responses.
+	Jar http.CookieJar
+}
+
+// Dial creates a new client connection by calling DialContext with a background context.
+func (d *Dialer) Dial(urlStr string, requestHeader http.Header) (*Conn, *http.Response, error) {
+	return d.DialContext(context.Background(), urlStr, requestHeader)
+}
+
+var errMalformedURL = errors.New("malformed ws or wss URL")
+
+func hostPortNoPort(u *url.URL) (hostPort, hostNoPort string) {
+	hostPort = u.Host
+	hostNoPort = u.Host
+	if i := strings.LastIndex(u.Host, ":"); i > strings.LastIndex(u.Host, "]") {
+		hostNoPort = hostNoPort[:i]
+	} else {
+		switch u.Scheme {
+		case "wss":
+			hostPort += ":443"
+		case "https":
+			hostPort += ":443"
+		default:
+			hostPort += ":80"
+		}
+	}
+	return hostPort, hostNoPort
+}
+
+// DefaultDialer is a dialer with all fields set to the default values.
+var DefaultDialer = &Dialer{
+	Proxy:            http.ProxyFromEnvironment,
+	HandshakeTimeout: 45 * time.Second,
+}
+
+// nilDialer is dialer to use when receiver is nil.
+var nilDialer = *DefaultDialer
+
+// DialContext creates a new client connection. Use requestHeader to specify the
+// origin (Origin), subprotocols (Sec-WebSocket-Protocol) and cookies (Cookie).
+// Use the response.Header to get the selected subprotocol
+// (Sec-WebSocket-Protocol) and cookies (Set-Cookie).
+//
+// The context will be used in the request and in the Dialer.
+//
+// If the WebSocket handshake fails, ErrBadHandshake is returned along with a
+// non-nil *http.Response so that callers can handle redirects, authentication,
+// etcetera. The response body may not contain the entire response and does not
+// need to be closed by the application.
+func (d *Dialer) DialContext(ctx context.Context, urlStr string, requestHeader http.Header) (*Conn, *http.Response, error) {
+	if d == nil {
+		d = &nilDialer
+	}
+
+	challengeKey, err := generateChallengeKey()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	switch u.Scheme {
+	case "ws":
+		u.Scheme = "http"
+	case "wss":
+		u.Scheme = "https"
+	default:
+		return nil, nil, errMalformedURL
+	}
+
+	if u.User != nil {
+		// User name and password are not allowed in websocket URIs.
+		return nil, nil, errMalformedURL
+	}
+
+	req := &http.Request{
+		Method:     "GET",
+		URL:        u,
+		Proto:      "HTTP/1.1",
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+		Header:     make(http.Header),
+		Host:       u.Host,
+	}
+	req = req.WithContext(ctx)
+
+	// Set the cookies present in the cookie jar of the dialer
+	if d.Jar != nil {
+		for _, cookie := range d.Jar.Cookies(u) {
+			req.AddCookie(cookie)
+		}
+	}
+
+	// Set the request headers using the capitalization for names and values in
+	// RFC examples. Although the capitalization shouldn't matter, there are
+	// servers that depend on it. The Header.Set method is not used because the
+	// method canonicalizes the header names.
+	req.Header["Upgrade"] = []string{"websocket"}
+	req.Header["Connection"] = []string{"Upgrade"}
+	req.Header["Sec-WebSocket-Key"] = []string{challengeKey}
+	req.Header["Sec-WebSocket-Version"] = []string{"13"}
+	if len(d.Subprotocols) > 0 {
+		req.Header["Sec-WebSocket-Protocol"] = []string{strings.Join(d.Subprotocols, ", ")}
+	}
+	for k, vs := range requestHeader {
+		switch {
+		case k == "Host":
+			if len(vs) > 0 {
+				req.Host = vs[0]
+			}
+		case k == "Upgrade" ||
+			k == "Connection" ||
+			k == "Sec-Websocket-Key" ||
+			k == "Sec-Websocket-Version" ||
+			k == "Sec-Websocket-Extensions" ||
+			(k == "Sec-Websocket-Protocol" && len(d.Subprotocols) > 0):
+			return nil, nil, errors.New("websocket: duplicate header not allowed: " + k)
+		case k == "Sec-Websocket-Protocol":
+			req.Header["Sec-WebSocket-Protocol"] = vs
+		default:
+			req.Header[k] = vs
+		}
+	}
+
+	if d.EnableCompression {
+		req.Header["Sec-WebSocket-Extensions"] = []string{"permessage-deflate; server_no_context_takeover; client_no_context_takeover"}
+	}
+
+	if d.HandshakeTimeout != 0 {
+		var cancel func()
+		ctx, cancel = context.WithTimeout(ctx, d.HandshakeTimeout)
+		defer cancel()
+	}
+
+	// Get network dial function.
+	var netDial func(network, add string) (net.Conn, error)
+
+	if d.NetDialContext != nil {
+		netDial = func(network, addr string) (net.Conn, error) {
+			return d.NetDialContext(ctx, network, addr)
+		}
+	} else if d.NetDial != nil {
+		netDial = d.NetDial
+	} else {
+		netDialer := &net.Dialer{}
+		netDial = func(network, addr string) (net.Conn, error) {
+			return netDialer.DialContext(ctx, network, addr)
+		}
+	}
+
+	// If needed, wrap the dial function to set the connection deadline.
+	if deadline, ok := ctx.Deadline(); ok {
+		forwardDial := netDial
+		netDial = func(network, addr string) (net.Conn, error) {
+			c, err := forwardDial(network, addr)
+			if err != nil {
+				return nil, err
+			}
+			err = c.SetDeadline(deadline)
+			if err != nil {
+				c.Close()
+				return nil, err
+			}
+			return c, nil
+		}
+	}
+
+	// If needed, wrap the dial function to connect through a proxy.
+	if d.Proxy != nil {
+		proxyURL, err := d.Proxy(req)
+		if err != nil {
+			return nil, nil, err
+		}
+		if proxyURL != nil {
+			dialer, err := proxy_FromURL(proxyURL, netDialerFunc(netDial))
+			if err != nil {
+				return nil, nil, err
+			}
+			netDial = dialer.Dial
+		}
+	}
+
+	hostPort, hostNoPort := hostPortNoPort(u)
+	trace := httptrace.ContextClientTrace(ctx)
+	if trace != nil && trace.GetConn != nil {
+		trace.GetConn(hostPort)
+	}
+
+	netConn, err := netDial("tcp", hostPort)
+	if trace != nil && trace.GotConn != nil {
+		trace.GotConn(httptrace.GotConnInfo{
+			Conn: netConn,
+		})
+	}
+	if err != nil {
+		return nil, nil, err
+	}
+
+	defer func() {
+		if netConn != nil {
+			netConn.Close()
+		}
+	}()
+
+	if u.Scheme == "https" {
+		cfg := cloneTLSConfig(d.TLSClientConfig)
+		if cfg.ServerName == "" {
+			cfg.ServerName = hostNoPort
+		}
+		tlsConn := tls.Client(netConn, cfg)
+		netConn = tlsConn
+
+		var err error
+		if trace != nil {
+			err = doHandshakeWithTrace(trace, tlsConn, cfg)
+		} else {
+			err = doHandshake(tlsConn, cfg)
+		}
+
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	conn := newConn(netConn, false, d.ReadBufferSize, d.WriteBufferSize, d.WriteBufferPool, nil, nil)
+
+	if err := req.Write(netConn); err != nil {
+		return nil, nil, err
+	}
+
+	if trace != nil && trace.GotFirstResponseByte != nil {
+		if peek, err := conn.br.Peek(1); err == nil && len(peek) == 1 {
+			trace.GotFirstResponseByte()
+		}
+	}
+
+	resp, err := http.ReadResponse(conn.br, req)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if d.Jar != nil {
+		if rc := resp.Cookies(); len(rc) > 0 {
+			d.Jar.SetCookies(u, rc)
+		}
+	}
+
+	if resp.StatusCode != 101 ||
+		!strings.EqualFold(resp.Header.Get("Upgrade"), "websocket") ||
+		!strings.EqualFold(resp.Header.Get("Connection"), "upgrade") ||
+		resp.Header.Get("Sec-Websocket-Accept") != computeAcceptKey(challengeKey) {
+		// Before closing the network connection on return from this
+		// function, slurp up some of the response to aid application
+		// debugging.
+		buf := make([]byte, 1024)
+		n, _ := io.ReadFull(resp.Body, buf)
+		resp.Body = ioutil.NopCloser(bytes.NewReader(buf[:n]))
+		return nil, resp, ErrBadHandshake
+	}
+
+	for _, ext := range parseExtensions(resp.Header) {
+		if ext[""] != "permessage-deflate" {
+			continue
+		}
+		_, snct := ext["server_no_context_takeover"]
+		_, cnct := ext["client_no_context_takeover"]
+		if !snct || !cnct {
+			return nil, resp, errInvalidCompression
+		}
+		conn.newCompressionWriter = compressNoContextTakeover
+		conn.newDecompressionReader = decompressNoContextTakeover
+		break
+	}
+
+	resp.Body = ioutil.NopCloser(bytes.NewReader([]byte{}))
+	conn.subprotocol = resp.Header.Get("Sec-Websocket-Protocol")
+
+	netConn.SetDeadline(time.Time{})
+	netConn = nil // to avoid close in defer.
+	return conn, resp, nil
+}
+
+func doHandshake(tlsConn *tls.Conn, cfg *tls.Config) error {
+	if err := tlsConn.Handshake(); err != nil {
+		return err
+	}
+	if !cfg.InsecureSkipVerify {
+		if err := tlsConn.VerifyHostname(cfg.ServerName); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/gorilla/websocket/client_clone.go b/vendor/github.com/gorilla/websocket/client_clone.go
new file mode 100644
index 000000000000..4f0d943723a9
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/client_clone.go
@@ -0,0 +1,16 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.8
+
+package websocket
+
+import "crypto/tls"
+
+func cloneTLSConfig(cfg *tls.Config) *tls.Config {
+	if cfg == nil {
+		return &tls.Config{}
+	}
+	return cfg.Clone()
+}
diff --git a/vendor/github.com/gorilla/websocket/client_clone_legacy.go b/vendor/github.com/gorilla/websocket/client_clone_legacy.go
new file mode 100644
index 000000000000..babb007fb414
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/client_clone_legacy.go
@@ -0,0 +1,38 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !go1.8
+
+package websocket
+
+import "crypto/tls"
+
+// cloneTLSConfig clones all public fields except the fields
+// SessionTicketsDisabled and SessionTicketKey. This avoids copying the
+// sync.Mutex in the sync.Once and makes it safe to call cloneTLSConfig on a
+// config in active use.
+func cloneTLSConfig(cfg *tls.Config) *tls.Config {
+	if cfg == nil {
+		return &tls.Config{}
+	}
+	return &tls.Config{
+		Rand:                     cfg.Rand,
+		Time:                     cfg.Time,
+		Certificates:             cfg.Certificates,
+		NameToCertificate:        cfg.NameToCertificate,
+		GetCertificate:           cfg.GetCertificate,
+		RootCAs:                  cfg.RootCAs,
+		NextProtos:               cfg.NextProtos,
+		ServerName:               cfg.ServerName,
+		ClientAuth:               cfg.ClientAuth,
+		ClientCAs:                cfg.ClientCAs,
+		InsecureSkipVerify:       cfg.InsecureSkipVerify,
+		CipherSuites:             cfg.CipherSuites,
+		PreferServerCipherSuites: cfg.PreferServerCipherSuites,
+		ClientSessionCache:       cfg.ClientSessionCache,
+		MinVersion:               cfg.MinVersion,
+		MaxVersion:               cfg.MaxVersion,
+		CurvePreferences:         cfg.CurvePreferences,
+	}
+}
diff --git a/vendor/github.com/gorilla/websocket/compression.go b/vendor/github.com/gorilla/websocket/compression.go
new file mode 100644
index 000000000000..813ffb1e8433
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/compression.go
@@ -0,0 +1,148 @@
+// Copyright 2017 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"compress/flate"
+	"errors"
+	"io"
+	"strings"
+	"sync"
+)
+
+const (
+	minCompressionLevel     = -2 // flate.HuffmanOnly not defined in Go < 1.6
+	maxCompressionLevel     = flate.BestCompression
+	defaultCompressionLevel = 1
+)
+
+var (
+	flateWriterPools [maxCompressionLevel - minCompressionLevel + 1]sync.Pool
+	flateReaderPool  = sync.Pool{New: func() interface{} {
+		return flate.NewReader(nil)
+	}}
+)
+
+func decompressNoContextTakeover(r io.Reader) io.ReadCloser {
+	const tail =
+	// Add four bytes as specified in RFC
+	"\x00\x00\xff\xff" +
+		// Add final block to squelch unexpected EOF error from flate reader.
+		"\x01\x00\x00\xff\xff"
+
+	fr, _ := flateReaderPool.Get().(io.ReadCloser)
+	fr.(flate.Resetter).Reset(io.MultiReader(r, strings.NewReader(tail)), nil)
+	return &flateReadWrapper{fr}
+}
+
+func isValidCompressionLevel(level int) bool {
+	return minCompressionLevel <= level && level <= maxCompressionLevel
+}
+
+func compressNoContextTakeover(w io.WriteCloser, level int) io.WriteCloser {
+	p := &flateWriterPools[level-minCompressionLevel]
+	tw := &truncWriter{w: w}
+	fw, _ := p.Get().(*flate.Writer)
+	if fw == nil {
+		fw, _ = flate.NewWriter(tw, level)
+	} else {
+		fw.Reset(tw)
+	}
+	return &flateWriteWrapper{fw: fw, tw: tw, p: p}
+}
+
+// truncWriter is an io.Writer that writes all but the last four bytes of the
+// stream to another io.Writer.
+type truncWriter struct {
+	w io.WriteCloser
+	n int
+	p [4]byte
+}
+
+func (w *truncWriter) Write(p []byte) (int, error) {
+	n := 0
+
+	// fill buffer first for simplicity.
+	if w.n < len(w.p) {
+		n = copy(w.p[w.n:], p)
+		p = p[n:]
+		w.n += n
+		if len(p) == 0 {
+			return n, nil
+		}
+	}
+
+	m := len(p)
+	if m > len(w.p) {
+		m = len(w.p)
+	}
+
+	if nn, err := w.w.Write(w.p[:m]); err != nil {
+		return n + nn, err
+	}
+
+	copy(w.p[:], w.p[m:])
+	copy(w.p[len(w.p)-m:], p[len(p)-m:])
+	nn, err := w.w.Write(p[:len(p)-m])
+	return n + nn, err
+}
+
+type flateWriteWrapper struct {
+	fw *flate.Writer
+	tw *truncWriter
+	p  *sync.Pool
+}
+
+func (w *flateWriteWrapper) Write(p []byte) (int, error) {
+	if w.fw == nil {
+		return 0, errWriteClosed
+	}
+	return w.fw.Write(p)
+}
+
+func (w *flateWriteWrapper) Close() error {
+	if w.fw == nil {
+		return errWriteClosed
+	}
+	err1 := w.fw.Flush()
+	w.p.Put(w.fw)
+	w.fw = nil
+	if w.tw.p != [4]byte{0, 0, 0xff, 0xff} {
+		return errors.New("websocket: internal error, unexpected bytes at end of flate stream")
+	}
+	err2 := w.tw.w.Close()
+	if err1 != nil {
+		return err1
+	}
+	return err2
+}
+
+type flateReadWrapper struct {
+	fr io.ReadCloser
+}
+
+func (r *flateReadWrapper) Read(p []byte) (int, error) {
+	if r.fr == nil {
+		return 0, io.ErrClosedPipe
+	}
+	n, err := r.fr.Read(p)
+	if err == io.EOF {
+		// Preemptively place the reader back in the pool. This helps with
+		// scenarios where the application does not call NextReader() soon after
+		// this final read.
+		r.Close()
+	}
+	return n, err
+}
+
+func (r *flateReadWrapper) Close() error {
+	if r.fr == nil {
+		return io.ErrClosedPipe
+	}
+	err := r.fr.Close()
+	flateReaderPool.Put(r.fr)
+	r.fr = nil
+	return err
+}
diff --git a/vendor/github.com/gorilla/websocket/conn.go b/vendor/github.com/gorilla/websocket/conn.go
new file mode 100644
index 000000000000..6f17cd299827
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/conn.go
@@ -0,0 +1,1201 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"bufio"
+	"encoding/binary"
+	"errors"
+	"io"
+	"io/ioutil"
+	"math/rand"
+	"net"
+	"strconv"
+	"sync"
+	"time"
+	"unicode/utf8"
+)
+
+const (
+	// Frame header byte 0 bits from Section 5.2 of RFC 6455
+	finalBit = 1 << 7
+	rsv1Bit  = 1 << 6
+	rsv2Bit  = 1 << 5
+	rsv3Bit  = 1 << 4
+
+	// Frame header byte 1 bits from Section 5.2 of RFC 6455
+	maskBit = 1 << 7
+
+	maxFrameHeaderSize         = 2 + 8 + 4 // Fixed header + length + mask
+	maxControlFramePayloadSize = 125
+
+	writeWait = time.Second
+
+	defaultReadBufferSize  = 4096
+	defaultWriteBufferSize = 4096
+
+	continuationFrame = 0
+	noFrame           = -1
+)
+
+// Close codes defined in RFC 6455, section 11.7.
+const (
+	CloseNormalClosure           = 1000
+	CloseGoingAway               = 1001
+	CloseProtocolError           = 1002
+	CloseUnsupportedData         = 1003
+	CloseNoStatusReceived        = 1005
+	CloseAbnormalClosure         = 1006
+	CloseInvalidFramePayloadData = 1007
+	ClosePolicyViolation         = 1008
+	CloseMessageTooBig           = 1009
+	CloseMandatoryExtension      = 1010
+	CloseInternalServerErr       = 1011
+	CloseServiceRestart          = 1012
+	CloseTryAgainLater           = 1013
+	CloseTLSHandshake            = 1015
+)
+
+// The message types are defined in RFC 6455, section 11.8.
+const (
+	// TextMessage denotes a text data message. The text message payload is
+	// interpreted as UTF-8 encoded text data.
+	TextMessage = 1
+
+	// BinaryMessage denotes a binary data message.
+	BinaryMessage = 2
+
+	// CloseMessage denotes a close control message. The optional message
+	// payload contains a numeric code and text. Use the FormatCloseMessage
+	// function to format a close message payload.
+	CloseMessage = 8
+
+	// PingMessage denotes a ping control message. The optional message payload
+	// is UTF-8 encoded text.
+	PingMessage = 9
+
+	// PongMessage denotes a pong control message. The optional message payload
+	// is UTF-8 encoded text.
+	PongMessage = 10
+)
+
+// ErrCloseSent is returned when the application writes a message to the
+// connection after sending a close message.
+var ErrCloseSent = errors.New("websocket: close sent")
+
+// ErrReadLimit is returned when reading a message that is larger than the
+// read limit set for the connection.
+var ErrReadLimit = errors.New("websocket: read limit exceeded")
+
+// netError satisfies the net Error interface.
+type netError struct {
+	msg       string
+	temporary bool
+	timeout   bool
+}
+
+func (e *netError) Error() string   { return e.msg }
+func (e *netError) Temporary() bool { return e.temporary }
+func (e *netError) Timeout() bool   { return e.timeout }
+
+// CloseError represents a close message.
+type CloseError struct {
+	// Code is defined in RFC 6455, section 11.7.
+	Code int
+
+	// Text is the optional text payload.
+	Text string
+}
+
+func (e *CloseError) Error() string {
+	s := []byte("websocket: close ")
+	s = strconv.AppendInt(s, int64(e.Code), 10)
+	switch e.Code {
+	case CloseNormalClosure:
+		s = append(s, " (normal)"...)
+	case CloseGoingAway:
+		s = append(s, " (going away)"...)
+	case CloseProtocolError:
+		s = append(s, " (protocol error)"...)
+	case CloseUnsupportedData:
+		s = append(s, " (unsupported data)"...)
+	case CloseNoStatusReceived:
+		s = append(s, " (no status)"...)
+	case CloseAbnormalClosure:
+		s = append(s, " (abnormal closure)"...)
+	case CloseInvalidFramePayloadData:
+		s = append(s, " (invalid payload data)"...)
+	case ClosePolicyViolation:
+		s = append(s, " (policy violation)"...)
+	case CloseMessageTooBig:
+		s = append(s, " (message too big)"...)
+	case CloseMandatoryExtension:
+		s = append(s, " (mandatory extension missing)"...)
+	case CloseInternalServerErr:
+		s = append(s, " (internal server error)"...)
+	case CloseTLSHandshake:
+		s = append(s, " (TLS handshake error)"...)
+	}
+	if e.Text != "" {
+		s = append(s, ": "...)
+		s = append(s, e.Text...)
+	}
+	return string(s)
+}
+
+// IsCloseError returns boolean indicating whether the error is a *CloseError
+// with one of the specified codes.
+func IsCloseError(err error, codes ...int) bool {
+	if e, ok := err.(*CloseError); ok {
+		for _, code := range codes {
+			if e.Code == code {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// IsUnexpectedCloseError returns boolean indicating whether the error is a
+// *CloseError with a code not in the list of expected codes.
+func IsUnexpectedCloseError(err error, expectedCodes ...int) bool {
+	if e, ok := err.(*CloseError); ok {
+		for _, code := range expectedCodes {
+			if e.Code == code {
+				return false
+			}
+		}
+		return true
+	}
+	return false
+}
+
+var (
+	errWriteTimeout        = &netError{msg: "websocket: write timeout", timeout: true, temporary: true}
+	errUnexpectedEOF       = &CloseError{Code: CloseAbnormalClosure, Text: io.ErrUnexpectedEOF.Error()}
+	errBadWriteOpCode      = errors.New("websocket: bad write message type")
+	errWriteClosed         = errors.New("websocket: write closed")
+	errInvalidControlFrame = errors.New("websocket: invalid control frame")
+)
+
+func newMaskKey() [4]byte {
+	n := rand.Uint32()
+	return [4]byte{byte(n), byte(n >> 8), byte(n >> 16), byte(n >> 24)}
+}
+
+func hideTempErr(err error) error {
+	if e, ok := err.(net.Error); ok && e.Temporary() {
+		err = &netError{msg: e.Error(), timeout: e.Timeout()}
+	}
+	return err
+}
+
+func isControl(frameType int) bool {
+	return frameType == CloseMessage || frameType == PingMessage || frameType == PongMessage
+}
+
+func isData(frameType int) bool {
+	return frameType == TextMessage || frameType == BinaryMessage
+}
+
+var validReceivedCloseCodes = map[int]bool{
+	// see http://www.iana.org/assignments/websocket/websocket.xhtml#close-code-number
+
+	CloseNormalClosure:           true,
+	CloseGoingAway:               true,
+	CloseProtocolError:           true,
+	CloseUnsupportedData:         true,
+	CloseNoStatusReceived:        false,
+	CloseAbnormalClosure:         false,
+	CloseInvalidFramePayloadData: true,
+	ClosePolicyViolation:         true,
+	CloseMessageTooBig:           true,
+	CloseMandatoryExtension:      true,
+	CloseInternalServerErr:       true,
+	CloseServiceRestart:          true,
+	CloseTryAgainLater:           true,
+	CloseTLSHandshake:            false,
+}
+
+func isValidReceivedCloseCode(code int) bool {
+	return validReceivedCloseCodes[code] || (code >= 3000 && code <= 4999)
+}
+
+// BufferPool represents a pool of buffers. The *sync.Pool type satisfies this
+// interface.  The type of the value stored in a pool is not specified.
+type BufferPool interface {
+	// Get gets a value from the pool or returns nil if the pool is empty.
+	Get() interface{}
+	// Put adds a value to the pool.
+	Put(interface{})
+}
+
+// writePoolData is the type added to the write buffer pool. This wrapper is
+// used to prevent applications from peeking at and depending on the values
+// added to the pool.
+type writePoolData struct{ buf []byte }
+
+// The Conn type represents a WebSocket connection.
+type Conn struct {
+	conn        net.Conn
+	isServer    bool
+	subprotocol string
+
+	// Write fields
+	mu            chan bool // used as mutex to protect write to conn
+	writeBuf      []byte    // frame is constructed in this buffer.
+	writePool     BufferPool
+	writeBufSize  int
+	writeDeadline time.Time
+	writer        io.WriteCloser // the current writer returned to the application
+	isWriting     bool           // for best-effort concurrent write detection
+
+	writeErrMu sync.Mutex
+	writeErr   error
+
+	enableWriteCompression bool
+	compressionLevel       int
+	newCompressionWriter   func(io.WriteCloser, int) io.WriteCloser
+
+	// Read fields
+	reader  io.ReadCloser // the current reader returned to the application
+	readErr error
+	br      *bufio.Reader
+	// bytes remaining in current frame.
+	// set setReadRemaining to safely update this value and prevent overflow
+	readRemaining int64
+	readFinal     bool  // true the current message has more frames.
+	readLength    int64 // Message size.
+	readLimit     int64 // Maximum message size.
+	readMaskPos   int
+	readMaskKey   [4]byte
+	handlePong    func(string) error
+	handlePing    func(string) error
+	handleClose   func(int, string) error
+	readErrCount  int
+	messageReader *messageReader // the current low-level reader
+
+	readDecompress         bool // whether last read frame had RSV1 set
+	newDecompressionReader func(io.Reader) io.ReadCloser
+}
+
+func newConn(conn net.Conn, isServer bool, readBufferSize, writeBufferSize int, writeBufferPool BufferPool, br *bufio.Reader, writeBuf []byte) *Conn {
+
+	if br == nil {
+		if readBufferSize == 0 {
+			readBufferSize = defaultReadBufferSize
+		} else if readBufferSize < maxControlFramePayloadSize {
+			// must be large enough for control frame
+			readBufferSize = maxControlFramePayloadSize
+		}
+		br = bufio.NewReaderSize(conn, readBufferSize)
+	}
+
+	if writeBufferSize <= 0 {
+		writeBufferSize = defaultWriteBufferSize
+	}
+	writeBufferSize += maxFrameHeaderSize
+
+	if writeBuf == nil && writeBufferPool == nil {
+		writeBuf = make([]byte, writeBufferSize)
+	}
+
+	mu := make(chan bool, 1)
+	mu <- true
+	c := &Conn{
+		isServer:               isServer,
+		br:                     br,
+		conn:                   conn,
+		mu:                     mu,
+		readFinal:              true,
+		writeBuf:               writeBuf,
+		writePool:              writeBufferPool,
+		writeBufSize:           writeBufferSize,
+		enableWriteCompression: true,
+		compressionLevel:       defaultCompressionLevel,
+	}
+	c.SetCloseHandler(nil)
+	c.SetPingHandler(nil)
+	c.SetPongHandler(nil)
+	return c
+}
+
+// setReadRemaining tracks the number of bytes remaining on the connection. If n
+// overflows, an ErrReadLimit is returned.
+func (c *Conn) setReadRemaining(n int64) error {
+	if n < 0 {
+		return ErrReadLimit
+	}
+
+	c.readRemaining = n
+	return nil
+}
+
+// Subprotocol returns the negotiated protocol for the connection.
+func (c *Conn) Subprotocol() string {
+	return c.subprotocol
+}
+
+// Close closes the underlying network connection without sending or waiting
+// for a close message.
+func (c *Conn) Close() error {
+	return c.conn.Close()
+}
+
+// LocalAddr returns the local network address.
+func (c *Conn) LocalAddr() net.Addr {
+	return c.conn.LocalAddr()
+}
+
+// RemoteAddr returns the remote network address.
+func (c *Conn) RemoteAddr() net.Addr {
+	return c.conn.RemoteAddr()
+}
+
+// Write methods
+
+func (c *Conn) writeFatal(err error) error {
+	err = hideTempErr(err)
+	c.writeErrMu.Lock()
+	if c.writeErr == nil {
+		c.writeErr = err
+	}
+	c.writeErrMu.Unlock()
+	return err
+}
+
+func (c *Conn) read(n int) ([]byte, error) {
+	p, err := c.br.Peek(n)
+	if err == io.EOF {
+		err = errUnexpectedEOF
+	}
+	c.br.Discard(len(p))
+	return p, err
+}
+
+func (c *Conn) write(frameType int, deadline time.Time, buf0, buf1 []byte) error {
+	<-c.mu
+	defer func() { c.mu <- true }()
+
+	c.writeErrMu.Lock()
+	err := c.writeErr
+	c.writeErrMu.Unlock()
+	if err != nil {
+		return err
+	}
+
+	c.conn.SetWriteDeadline(deadline)
+	if len(buf1) == 0 {
+		_, err = c.conn.Write(buf0)
+	} else {
+		err = c.writeBufs(buf0, buf1)
+	}
+	if err != nil {
+		return c.writeFatal(err)
+	}
+	if frameType == CloseMessage {
+		c.writeFatal(ErrCloseSent)
+	}
+	return nil
+}
+
+// WriteControl writes a control message with the given deadline. The allowed
+// message types are CloseMessage, PingMessage and PongMessage.
+func (c *Conn) WriteControl(messageType int, data []byte, deadline time.Time) error {
+	if !isControl(messageType) {
+		return errBadWriteOpCode
+	}
+	if len(data) > maxControlFramePayloadSize {
+		return errInvalidControlFrame
+	}
+
+	b0 := byte(messageType) | finalBit
+	b1 := byte(len(data))
+	if !c.isServer {
+		b1 |= maskBit
+	}
+
+	buf := make([]byte, 0, maxFrameHeaderSize+maxControlFramePayloadSize)
+	buf = append(buf, b0, b1)
+
+	if c.isServer {
+		buf = append(buf, data...)
+	} else {
+		key := newMaskKey()
+		buf = append(buf, key[:]...)
+		buf = append(buf, data...)
+		maskBytes(key, 0, buf[6:])
+	}
+
+	d := time.Hour * 1000
+	if !deadline.IsZero() {
+		d = deadline.Sub(time.Now())
+		if d < 0 {
+			return errWriteTimeout
+		}
+	}
+
+	timer := time.NewTimer(d)
+	select {
+	case <-c.mu:
+		timer.Stop()
+	case <-timer.C:
+		return errWriteTimeout
+	}
+	defer func() { c.mu <- true }()
+
+	c.writeErrMu.Lock()
+	err := c.writeErr
+	c.writeErrMu.Unlock()
+	if err != nil {
+		return err
+	}
+
+	c.conn.SetWriteDeadline(deadline)
+	_, err = c.conn.Write(buf)
+	if err != nil {
+		return c.writeFatal(err)
+	}
+	if messageType == CloseMessage {
+		c.writeFatal(ErrCloseSent)
+	}
+	return err
+}
+
+// beginMessage prepares a connection and message writer for a new message.
+func (c *Conn) beginMessage(mw *messageWriter, messageType int) error {
+	// Close previous writer if not already closed by the application. It's
+	// probably better to return an error in this situation, but we cannot
+	// change this without breaking existing applications.
+	if c.writer != nil {
+		c.writer.Close()
+		c.writer = nil
+	}
+
+	if !isControl(messageType) && !isData(messageType) {
+		return errBadWriteOpCode
+	}
+
+	c.writeErrMu.Lock()
+	err := c.writeErr
+	c.writeErrMu.Unlock()
+	if err != nil {
+		return err
+	}
+
+	mw.c = c
+	mw.frameType = messageType
+	mw.pos = maxFrameHeaderSize
+
+	if c.writeBuf == nil {
+		wpd, ok := c.writePool.Get().(writePoolData)
+		if ok {
+			c.writeBuf = wpd.buf
+		} else {
+			c.writeBuf = make([]byte, c.writeBufSize)
+		}
+	}
+	return nil
+}
+
+// NextWriter returns a writer for the next message to send. The writer's Close
+// method flushes the complete message to the network.
+//
+// There can be at most one open writer on a connection. NextWriter closes the
+// previous writer if the application has not already done so.
+//
+// All message types (TextMessage, BinaryMessage, CloseMessage, PingMessage and
+// PongMessage) are supported.
+func (c *Conn) NextWriter(messageType int) (io.WriteCloser, error) {
+	var mw messageWriter
+	if err := c.beginMessage(&mw, messageType); err != nil {
+		return nil, err
+	}
+	c.writer = &mw
+	if c.newCompressionWriter != nil && c.enableWriteCompression && isData(messageType) {
+		w := c.newCompressionWriter(c.writer, c.compressionLevel)
+		mw.compress = true
+		c.writer = w
+	}
+	return c.writer, nil
+}
+
+type messageWriter struct {
+	c         *Conn
+	compress  bool // whether next call to flushFrame should set RSV1
+	pos       int  // end of data in writeBuf.
+	frameType int  // type of the current frame.
+	err       error
+}
+
+func (w *messageWriter) endMessage(err error) error {
+	if w.err != nil {
+		return err
+	}
+	c := w.c
+	w.err = err
+	c.writer = nil
+	if c.writePool != nil {
+		c.writePool.Put(writePoolData{buf: c.writeBuf})
+		c.writeBuf = nil
+	}
+	return err
+}
+
+// flushFrame writes buffered data and extra as a frame to the network. The
+// final argument indicates that this is the last frame in the message.
+func (w *messageWriter) flushFrame(final bool, extra []byte) error {
+	c := w.c
+	length := w.pos - maxFrameHeaderSize + len(extra)
+
+	// Check for invalid control frames.
+	if isControl(w.frameType) &&
+		(!final || length > maxControlFramePayloadSize) {
+		return w.endMessage(errInvalidControlFrame)
+	}
+
+	b0 := byte(w.frameType)
+	if final {
+		b0 |= finalBit
+	}
+	if w.compress {
+		b0 |= rsv1Bit
+	}
+	w.compress = false
+
+	b1 := byte(0)
+	if !c.isServer {
+		b1 |= maskBit
+	}
+
+	// Assume that the frame starts at beginning of c.writeBuf.
+	framePos := 0
+	if c.isServer {
+		// Adjust up if mask not included in the header.
+		framePos = 4
+	}
+
+	switch {
+	case length >= 65536:
+		c.writeBuf[framePos] = b0
+		c.writeBuf[framePos+1] = b1 | 127
+		binary.BigEndian.PutUint64(c.writeBuf[framePos+2:], uint64(length))
+	case length > 125:
+		framePos += 6
+		c.writeBuf[framePos] = b0
+		c.writeBuf[framePos+1] = b1 | 126
+		binary.BigEndian.PutUint16(c.writeBuf[framePos+2:], uint16(length))
+	default:
+		framePos += 8
+		c.writeBuf[framePos] = b0
+		c.writeBuf[framePos+1] = b1 | byte(length)
+	}
+
+	if !c.isServer {
+		key := newMaskKey()
+		copy(c.writeBuf[maxFrameHeaderSize-4:], key[:])
+		maskBytes(key, 0, c.writeBuf[maxFrameHeaderSize:w.pos])
+		if len(extra) > 0 {
+			return w.endMessage(c.writeFatal(errors.New("websocket: internal error, extra used in client mode")))
+		}
+	}
+
+	// Write the buffers to the connection with best-effort detection of
+	// concurrent writes. See the concurrency section in the package
+	// documentation for more info.
+
+	if c.isWriting {
+		panic("concurrent write to websocket connection")
+	}
+	c.isWriting = true
+
+	err := c.write(w.frameType, c.writeDeadline, c.writeBuf[framePos:w.pos], extra)
+
+	if !c.isWriting {
+		panic("concurrent write to websocket connection")
+	}
+	c.isWriting = false
+
+	if err != nil {
+		return w.endMessage(err)
+	}
+
+	if final {
+		w.endMessage(errWriteClosed)
+		return nil
+	}
+
+	// Setup for next frame.
+	w.pos = maxFrameHeaderSize
+	w.frameType = continuationFrame
+	return nil
+}
+
+func (w *messageWriter) ncopy(max int) (int, error) {
+	n := len(w.c.writeBuf) - w.pos
+	if n <= 0 {
+		if err := w.flushFrame(false, nil); err != nil {
+			return 0, err
+		}
+		n = len(w.c.writeBuf) - w.pos
+	}
+	if n > max {
+		n = max
+	}
+	return n, nil
+}
+
+func (w *messageWriter) Write(p []byte) (int, error) {
+	if w.err != nil {
+		return 0, w.err
+	}
+
+	if len(p) > 2*len(w.c.writeBuf) && w.c.isServer {
+		// Don't buffer large messages.
+		err := w.flushFrame(false, p)
+		if err != nil {
+			return 0, err
+		}
+		return len(p), nil
+	}
+
+	nn := len(p)
+	for len(p) > 0 {
+		n, err := w.ncopy(len(p))
+		if err != nil {
+			return 0, err
+		}
+		copy(w.c.writeBuf[w.pos:], p[:n])
+		w.pos += n
+		p = p[n:]
+	}
+	return nn, nil
+}
+
+func (w *messageWriter) WriteString(p string) (int, error) {
+	if w.err != nil {
+		return 0, w.err
+	}
+
+	nn := len(p)
+	for len(p) > 0 {
+		n, err := w.ncopy(len(p))
+		if err != nil {
+			return 0, err
+		}
+		copy(w.c.writeBuf[w.pos:], p[:n])
+		w.pos += n
+		p = p[n:]
+	}
+	return nn, nil
+}
+
+func (w *messageWriter) ReadFrom(r io.Reader) (nn int64, err error) {
+	if w.err != nil {
+		return 0, w.err
+	}
+	for {
+		if w.pos == len(w.c.writeBuf) {
+			err = w.flushFrame(false, nil)
+			if err != nil {
+				break
+			}
+		}
+		var n int
+		n, err = r.Read(w.c.writeBuf[w.pos:])
+		w.pos += n
+		nn += int64(n)
+		if err != nil {
+			if err == io.EOF {
+				err = nil
+			}
+			break
+		}
+	}
+	return nn, err
+}
+
+func (w *messageWriter) Close() error {
+	if w.err != nil {
+		return w.err
+	}
+	return w.flushFrame(true, nil)
+}
+
+// WritePreparedMessage writes prepared message into connection.
+func (c *Conn) WritePreparedMessage(pm *PreparedMessage) error {
+	frameType, frameData, err := pm.frame(prepareKey{
+		isServer:         c.isServer,
+		compress:         c.newCompressionWriter != nil && c.enableWriteCompression && isData(pm.messageType),
+		compressionLevel: c.compressionLevel,
+	})
+	if err != nil {
+		return err
+	}
+	if c.isWriting {
+		panic("concurrent write to websocket connection")
+	}
+	c.isWriting = true
+	err = c.write(frameType, c.writeDeadline, frameData, nil)
+	if !c.isWriting {
+		panic("concurrent write to websocket connection")
+	}
+	c.isWriting = false
+	return err
+}
+
+// WriteMessage is a helper method for getting a writer using NextWriter,
+// writing the message and closing the writer.
+func (c *Conn) WriteMessage(messageType int, data []byte) error {
+
+	if c.isServer && (c.newCompressionWriter == nil || !c.enableWriteCompression) {
+		// Fast path with no allocations and single frame.
+
+		var mw messageWriter
+		if err := c.beginMessage(&mw, messageType); err != nil {
+			return err
+		}
+		n := copy(c.writeBuf[mw.pos:], data)
+		mw.pos += n
+		data = data[n:]
+		return mw.flushFrame(true, data)
+	}
+
+	w, err := c.NextWriter(messageType)
+	if err != nil {
+		return err
+	}
+	if _, err = w.Write(data); err != nil {
+		return err
+	}
+	return w.Close()
+}
+
+// SetWriteDeadline sets the write deadline on the underlying network
+// connection. After a write has timed out, the websocket state is corrupt and
+// all future writes will return an error. A zero value for t means writes will
+// not time out.
+func (c *Conn) SetWriteDeadline(t time.Time) error {
+	c.writeDeadline = t
+	return nil
+}
+
+// Read methods
+
+func (c *Conn) advanceFrame() (int, error) {
+	// 1. Skip remainder of previous frame.
+
+	if c.readRemaining > 0 {
+		if _, err := io.CopyN(ioutil.Discard, c.br, c.readRemaining); err != nil {
+			return noFrame, err
+		}
+	}
+
+	// 2. Read and parse first two bytes of frame header.
+
+	p, err := c.read(2)
+	if err != nil {
+		return noFrame, err
+	}
+
+	final := p[0]&finalBit != 0
+	frameType := int(p[0] & 0xf)
+	mask := p[1]&maskBit != 0
+	c.setReadRemaining(int64(p[1] & 0x7f))
+
+	c.readDecompress = false
+	if c.newDecompressionReader != nil && (p[0]&rsv1Bit) != 0 {
+		c.readDecompress = true
+		p[0] &^= rsv1Bit
+	}
+
+	if rsv := p[0] & (rsv1Bit | rsv2Bit | rsv3Bit); rsv != 0 {
+		return noFrame, c.handleProtocolError("unexpected reserved bits 0x" + strconv.FormatInt(int64(rsv), 16))
+	}
+
+	switch frameType {
+	case CloseMessage, PingMessage, PongMessage:
+		if c.readRemaining > maxControlFramePayloadSize {
+			return noFrame, c.handleProtocolError("control frame length > 125")
+		}
+		if !final {
+			return noFrame, c.handleProtocolError("control frame not final")
+		}
+	case TextMessage, BinaryMessage:
+		if !c.readFinal {
+			return noFrame, c.handleProtocolError("message start before final message frame")
+		}
+		c.readFinal = final
+	case continuationFrame:
+		if c.readFinal {
+			return noFrame, c.handleProtocolError("continuation after final message frame")
+		}
+		c.readFinal = final
+	default:
+		return noFrame, c.handleProtocolError("unknown opcode " + strconv.Itoa(frameType))
+	}
+
+	// 3. Read and parse frame length as per
+	// https://tools.ietf.org/html/rfc6455#section-5.2
+	//
+	// The length of the "Payload data", in bytes: if 0-125, that is the payload
+	// length.
+	// - If 126, the following 2 bytes interpreted as a 16-bit unsigned
+	// integer are the payload length.
+	// - If 127, the following 8 bytes interpreted as
+	// a 64-bit unsigned integer (the most significant bit MUST be 0) are the
+	// payload length. Multibyte length quantities are expressed in network byte
+	// order.
+
+	switch c.readRemaining {
+	case 126:
+		p, err := c.read(2)
+		if err != nil {
+			return noFrame, err
+		}
+
+		if err := c.setReadRemaining(int64(binary.BigEndian.Uint16(p))); err != nil {
+			return noFrame, err
+		}
+	case 127:
+		p, err := c.read(8)
+		if err != nil {
+			return noFrame, err
+		}
+
+		if err := c.setReadRemaining(int64(binary.BigEndian.Uint64(p))); err != nil {
+			return noFrame, err
+		}
+	}
+
+	// 4. Handle frame masking.
+
+	if mask != c.isServer {
+		return noFrame, c.handleProtocolError("incorrect mask flag")
+	}
+
+	if mask {
+		c.readMaskPos = 0
+		p, err := c.read(len(c.readMaskKey))
+		if err != nil {
+			return noFrame, err
+		}
+		copy(c.readMaskKey[:], p)
+	}
+
+	// 5. For text and binary messages, enforce read limit and return.
+
+	if frameType == continuationFrame || frameType == TextMessage || frameType == BinaryMessage {
+
+		c.readLength += c.readRemaining
+		// Don't allow readLength to overflow in the presence of a large readRemaining
+		// counter.
+		if c.readLength < 0 {
+			return noFrame, ErrReadLimit
+		}
+
+		if c.readLimit > 0 && c.readLength > c.readLimit {
+			c.WriteControl(CloseMessage, FormatCloseMessage(CloseMessageTooBig, ""), time.Now().Add(writeWait))
+			return noFrame, ErrReadLimit
+		}
+
+		return frameType, nil
+	}
+
+	// 6. Read control frame payload.
+
+	var payload []byte
+	if c.readRemaining > 0 {
+		payload, err = c.read(int(c.readRemaining))
+		c.setReadRemaining(0)
+		if err != nil {
+			return noFrame, err
+		}
+		if c.isServer {
+			maskBytes(c.readMaskKey, 0, payload)
+		}
+	}
+
+	// 7. Process control frame payload.
+
+	switch frameType {
+	case PongMessage:
+		if err := c.handlePong(string(payload)); err != nil {
+			return noFrame, err
+		}
+	case PingMessage:
+		if err := c.handlePing(string(payload)); err != nil {
+			return noFrame, err
+		}
+	case CloseMessage:
+		closeCode := CloseNoStatusReceived
+		closeText := ""
+		if len(payload) >= 2 {
+			closeCode = int(binary.BigEndian.Uint16(payload))
+			if !isValidReceivedCloseCode(closeCode) {
+				return noFrame, c.handleProtocolError("invalid close code")
+			}
+			closeText = string(payload[2:])
+			if !utf8.ValidString(closeText) {
+				return noFrame, c.handleProtocolError("invalid utf8 payload in close frame")
+			}
+		}
+		if err := c.handleClose(closeCode, closeText); err != nil {
+			return noFrame, err
+		}
+		return noFrame, &CloseError{Code: closeCode, Text: closeText}
+	}
+
+	return frameType, nil
+}
+
+func (c *Conn) handleProtocolError(message string) error {
+	c.WriteControl(CloseMessage, FormatCloseMessage(CloseProtocolError, message), time.Now().Add(writeWait))
+	return errors.New("websocket: " + message)
+}
+
+// NextReader returns the next data message received from the peer. The
+// returned messageType is either TextMessage or BinaryMessage.
+//
+// There can be at most one open reader on a connection. NextReader discards
+// the previous message if the application has not already consumed it.
+//
+// Applications must break out of the application's read loop when this method
+// returns a non-nil error value. Errors returned from this method are
+// permanent. Once this method returns a non-nil error, all subsequent calls to
+// this method return the same error.
+func (c *Conn) NextReader() (messageType int, r io.Reader, err error) {
+	// Close previous reader, only relevant for decompression.
+	if c.reader != nil {
+		c.reader.Close()
+		c.reader = nil
+	}
+
+	c.messageReader = nil
+	c.readLength = 0
+
+	for c.readErr == nil {
+		frameType, err := c.advanceFrame()
+		if err != nil {
+			c.readErr = hideTempErr(err)
+			break
+		}
+
+		if frameType == TextMessage || frameType == BinaryMessage {
+			c.messageReader = &messageReader{c}
+			c.reader = c.messageReader
+			if c.readDecompress {
+				c.reader = c.newDecompressionReader(c.reader)
+			}
+			return frameType, c.reader, nil
+		}
+	}
+
+	// Applications that do handle the error returned from this method spin in
+	// tight loop on connection failure. To help application developers detect
+	// this error, panic on repeated reads to the failed connection.
+	c.readErrCount++
+	if c.readErrCount >= 1000 {
+		panic("repeated read on failed websocket connection")
+	}
+
+	return noFrame, nil, c.readErr
+}
+
+type messageReader struct{ c *Conn }
+
+func (r *messageReader) Read(b []byte) (int, error) {
+	c := r.c
+	if c.messageReader != r {
+		return 0, io.EOF
+	}
+
+	for c.readErr == nil {
+
+		if c.readRemaining > 0 {
+			if int64(len(b)) > c.readRemaining {
+				b = b[:c.readRemaining]
+			}
+			n, err := c.br.Read(b)
+			c.readErr = hideTempErr(err)
+			if c.isServer {
+				c.readMaskPos = maskBytes(c.readMaskKey, c.readMaskPos, b[:n])
+			}
+			rem := c.readRemaining
+			rem -= int64(n)
+			c.setReadRemaining(rem)
+			if c.readRemaining > 0 && c.readErr == io.EOF {
+				c.readErr = errUnexpectedEOF
+			}
+			return n, c.readErr
+		}
+
+		if c.readFinal {
+			c.messageReader = nil
+			return 0, io.EOF
+		}
+
+		frameType, err := c.advanceFrame()
+		switch {
+		case err != nil:
+			c.readErr = hideTempErr(err)
+		case frameType == TextMessage || frameType == BinaryMessage:
+			c.readErr = errors.New("websocket: internal error, unexpected text or binary in Reader")
+		}
+	}
+
+	err := c.readErr
+	if err == io.EOF && c.messageReader == r {
+		err = errUnexpectedEOF
+	}
+	return 0, err
+}
+
+func (r *messageReader) Close() error {
+	return nil
+}
+
+// ReadMessage is a helper method for getting a reader using NextReader and
+// reading from that reader to a buffer.
+func (c *Conn) ReadMessage() (messageType int, p []byte, err error) {
+	var r io.Reader
+	messageType, r, err = c.NextReader()
+	if err != nil {
+		return messageType, nil, err
+	}
+	p, err = ioutil.ReadAll(r)
+	return messageType, p, err
+}
+
+// SetReadDeadline sets the read deadline on the underlying network connection.
+// After a read has timed out, the websocket connection state is corrupt and
+// all future reads will return an error. A zero value for t means reads will
+// not time out.
+func (c *Conn) SetReadDeadline(t time.Time) error {
+	return c.conn.SetReadDeadline(t)
+}
+
+// SetReadLimit sets the maximum size in bytes for a message read from the peer. If a
+// message exceeds the limit, the connection sends a close message to the peer
+// and returns ErrReadLimit to the application.
+func (c *Conn) SetReadLimit(limit int64) {
+	c.readLimit = limit
+}
+
+// CloseHandler returns the current close handler
+func (c *Conn) CloseHandler() func(code int, text string) error {
+	return c.handleClose
+}
+
+// SetCloseHandler sets the handler for close messages received from the peer.
+// The code argument to h is the received close code or CloseNoStatusReceived
+// if the close message is empty. The default close handler sends a close
+// message back to the peer.
+//
+// The handler function is called from the NextReader, ReadMessage and message
+// reader Read methods. The application must read the connection to process
+// close messages as described in the section on Control Messages above.
+//
+// The connection read methods return a CloseError when a close message is
+// received. Most applications should handle close messages as part of their
+// normal error handling. Applications should only set a close handler when the
+// application must perform some action before sending a close message back to
+// the peer.
+func (c *Conn) SetCloseHandler(h func(code int, text string) error) {
+	if h == nil {
+		h = func(code int, text string) error {
+			message := FormatCloseMessage(code, "")
+			c.WriteControl(CloseMessage, message, time.Now().Add(writeWait))
+			return nil
+		}
+	}
+	c.handleClose = h
+}
+
+// PingHandler returns the current ping handler
+func (c *Conn) PingHandler() func(appData string) error {
+	return c.handlePing
+}
+
+// SetPingHandler sets the handler for ping messages received from the peer.
+// The appData argument to h is the PING message application data. The default
+// ping handler sends a pong to the peer.
+//
+// The handler function is called from the NextReader, ReadMessage and message
+// reader Read methods. The application must read the connection to process
+// ping messages as described in the section on Control Messages above.
+func (c *Conn) SetPingHandler(h func(appData string) error) {
+	if h == nil {
+		h = func(message string) error {
+			err := c.WriteControl(PongMessage, []byte(message), time.Now().Add(writeWait))
+			if err == ErrCloseSent {
+				return nil
+			} else if e, ok := err.(net.Error); ok && e.Temporary() {
+				return nil
+			}
+			return err
+		}
+	}
+	c.handlePing = h
+}
+
+// PongHandler returns the current pong handler
+func (c *Conn) PongHandler() func(appData string) error {
+	return c.handlePong
+}
+
+// SetPongHandler sets the handler for pong messages received from the peer.
+// The appData argument to h is the PONG message application data. The default
+// pong handler does nothing.
+//
+// The handler function is called from the NextReader, ReadMessage and message
+// reader Read methods. The application must read the connection to process
+// pong messages as described in the section on Control Messages above.
+func (c *Conn) SetPongHandler(h func(appData string) error) {
+	if h == nil {
+		h = func(string) error { return nil }
+	}
+	c.handlePong = h
+}
+
+// UnderlyingConn returns the internal net.Conn. This can be used to further
+// modifications to connection specific flags.
+func (c *Conn) UnderlyingConn() net.Conn {
+	return c.conn
+}
+
+// EnableWriteCompression enables and disables write compression of
+// subsequent text and binary messages. This function is a noop if
+// compression was not negotiated with the peer.
+func (c *Conn) EnableWriteCompression(enable bool) {
+	c.enableWriteCompression = enable
+}
+
+// SetCompressionLevel sets the flate compression level for subsequent text and
+// binary messages. This function is a noop if compression was not negotiated
+// with the peer. See the compress/flate package for a description of
+// compression levels.
+func (c *Conn) SetCompressionLevel(level int) error {
+	if !isValidCompressionLevel(level) {
+		return errors.New("websocket: invalid compression level")
+	}
+	c.compressionLevel = level
+	return nil
+}
+
+// FormatCloseMessage formats closeCode and text as a WebSocket close message.
+// An empty message is returned for code CloseNoStatusReceived.
+func FormatCloseMessage(closeCode int, text string) []byte {
+	if closeCode == CloseNoStatusReceived {
+		// Return empty message because it's illegal to send
+		// CloseNoStatusReceived. Return non-nil value in case application
+		// checks for nil.
+		return []byte{}
+	}
+	buf := make([]byte, 2+len(text))
+	binary.BigEndian.PutUint16(buf, uint16(closeCode))
+	copy(buf[2:], text)
+	return buf
+}
diff --git a/vendor/github.com/gorilla/websocket/conn_write.go b/vendor/github.com/gorilla/websocket/conn_write.go
new file mode 100644
index 000000000000..a509a21f87af
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/conn_write.go
@@ -0,0 +1,15 @@
+// Copyright 2016 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.8
+
+package websocket
+
+import "net"
+
+func (c *Conn) writeBufs(bufs ...[]byte) error {
+	b := net.Buffers(bufs)
+	_, err := b.WriteTo(c.conn)
+	return err
+}
diff --git a/vendor/github.com/gorilla/websocket/conn_write_legacy.go b/vendor/github.com/gorilla/websocket/conn_write_legacy.go
new file mode 100644
index 000000000000..37edaff5a578
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/conn_write_legacy.go
@@ -0,0 +1,18 @@
+// Copyright 2016 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !go1.8
+
+package websocket
+
+func (c *Conn) writeBufs(bufs ...[]byte) error {
+	for _, buf := range bufs {
+		if len(buf) > 0 {
+			if _, err := c.conn.Write(buf); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/gorilla/websocket/doc.go b/vendor/github.com/gorilla/websocket/doc.go
new file mode 100644
index 000000000000..c6f4df8960ff
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/doc.go
@@ -0,0 +1,227 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package websocket implements the WebSocket protocol defined in RFC 6455.
+//
+// Overview
+//
+// The Conn type represents a WebSocket connection. A server application calls
+// the Upgrader.Upgrade method from an HTTP request handler to get a *Conn:
+//
+//  var upgrader = websocket.Upgrader{
+//      ReadBufferSize:  1024,
+//      WriteBufferSize: 1024,
+//  }
+//
+//  func handler(w http.ResponseWriter, r *http.Request) {
+//      conn, err := upgrader.Upgrade(w, r, nil)
+//      if err != nil {
+//          log.Println(err)
+//          return
+//      }
+//      ... Use conn to send and receive messages.
+//  }
+//
+// Call the connection's WriteMessage and ReadMessage methods to send and
+// receive messages as a slice of bytes. This snippet of code shows how to echo
+// messages using these methods:
+//
+//  for {
+//      messageType, p, err := conn.ReadMessage()
+//      if err != nil {
+//          log.Println(err)
+//          return
+//      }
+//      if err := conn.WriteMessage(messageType, p); err != nil {
+//          log.Println(err)
+//          return
+//      }
+//  }
+//
+// In above snippet of code, p is a []byte and messageType is an int with value
+// websocket.BinaryMessage or websocket.TextMessage.
+//
+// An application can also send and receive messages using the io.WriteCloser
+// and io.Reader interfaces. To send a message, call the connection NextWriter
+// method to get an io.WriteCloser, write the message to the writer and close
+// the writer when done. To receive a message, call the connection NextReader
+// method to get an io.Reader and read until io.EOF is returned. This snippet
+// shows how to echo messages using the NextWriter and NextReader methods:
+//
+//  for {
+//      messageType, r, err := conn.NextReader()
+//      if err != nil {
+//          return
+//      }
+//      w, err := conn.NextWriter(messageType)
+//      if err != nil {
+//          return err
+//      }
+//      if _, err := io.Copy(w, r); err != nil {
+//          return err
+//      }
+//      if err := w.Close(); err != nil {
+//          return err
+//      }
+//  }
+//
+// Data Messages
+//
+// The WebSocket protocol distinguishes between text and binary data messages.
+// Text messages are interpreted as UTF-8 encoded text. The interpretation of
+// binary messages is left to the application.
+//
+// This package uses the TextMessage and BinaryMessage integer constants to
+// identify the two data message types. The ReadMessage and NextReader methods
+// return the type of the received message. The messageType argument to the
+// WriteMessage and NextWriter methods specifies the type of a sent message.
+//
+// It is the application's responsibility to ensure that text messages are
+// valid UTF-8 encoded text.
+//
+// Control Messages
+//
+// The WebSocket protocol defines three types of control messages: close, ping
+// and pong. Call the connection WriteControl, WriteMessage or NextWriter
+// methods to send a control message to the peer.
+//
+// Connections handle received close messages by calling the handler function
+// set with the SetCloseHandler method and by returning a *CloseError from the
+// NextReader, ReadMessage or the message Read method. The default close
+// handler sends a close message to the peer.
+//
+// Connections handle received ping messages by calling the handler function
+// set with the SetPingHandler method. The default ping handler sends a pong
+// message to the peer.
+//
+// Connections handle received pong messages by calling the handler function
+// set with the SetPongHandler method. The default pong handler does nothing.
+// If an application sends ping messages, then the application should set a
+// pong handler to receive the corresponding pong.
+//
+// The control message handler functions are called from the NextReader,
+// ReadMessage and message reader Read methods. The default close and ping
+// handlers can block these methods for a short time when the handler writes to
+// the connection.
+//
+// The application must read the connection to process close, ping and pong
+// messages sent from the peer. If the application is not otherwise interested
+// in messages from the peer, then the application should start a goroutine to
+// read and discard messages from the peer. A simple example is:
+//
+//  func readLoop(c *websocket.Conn) {
+//      for {
+//          if _, _, err := c.NextReader(); err != nil {
+//              c.Close()
+//              break
+//          }
+//      }
+//  }
+//
+// Concurrency
+//
+// Connections support one concurrent reader and one concurrent writer.
+//
+// Applications are responsible for ensuring that no more than one goroutine
+// calls the write methods (NextWriter, SetWriteDeadline, WriteMessage,
+// WriteJSON, EnableWriteCompression, SetCompressionLevel) concurrently and
+// that no more than one goroutine calls the read methods (NextReader,
+// SetReadDeadline, ReadMessage, ReadJSON, SetPongHandler, SetPingHandler)
+// concurrently.
+//
+// The Close and WriteControl methods can be called concurrently with all other
+// methods.
+//
+// Origin Considerations
+//
+// Web browsers allow Javascript applications to open a WebSocket connection to
+// any host. It's up to the server to enforce an origin policy using the Origin
+// request header sent by the browser.
+//
+// The Upgrader calls the function specified in the CheckOrigin field to check
+// the origin. If the CheckOrigin function returns false, then the Upgrade
+// method fails the WebSocket handshake with HTTP status 403.
+//
+// If the CheckOrigin field is nil, then the Upgrader uses a safe default: fail
+// the handshake if the Origin request header is present and the Origin host is
+// not equal to the Host request header.
+//
+// The deprecated package-level Upgrade function does not perform origin
+// checking. The application is responsible for checking the Origin header
+// before calling the Upgrade function.
+//
+// Buffers
+//
+// Connections buffer network input and output to reduce the number
+// of system calls when reading or writing messages.
+//
+// Write buffers are also used for constructing WebSocket frames. See RFC 6455,
+// Section 5 for a discussion of message framing. A WebSocket frame header is
+// written to the network each time a write buffer is flushed to the network.
+// Decreasing the size of the write buffer can increase the amount of framing
+// overhead on the connection.
+//
+// The buffer sizes in bytes are specified by the ReadBufferSize and
+// WriteBufferSize fields in the Dialer and Upgrader. The Dialer uses a default
+// size of 4096 when a buffer size field is set to zero. The Upgrader reuses
+// buffers created by the HTTP server when a buffer size field is set to zero.
+// The HTTP server buffers have a size of 4096 at the time of this writing.
+//
+// The buffer sizes do not limit the size of a message that can be read or
+// written by a connection.
+//
+// Buffers are held for the lifetime of the connection by default. If the
+// Dialer or Upgrader WriteBufferPool field is set, then a connection holds the
+// write buffer only when writing a message.
+//
+// Applications should tune the buffer sizes to balance memory use and
+// performance. Increasing the buffer size uses more memory, but can reduce the
+// number of system calls to read or write the network. In the case of writing,
+// increasing the buffer size can reduce the number of frame headers written to
+// the network.
+//
+// Some guidelines for setting buffer parameters are:
+//
+// Limit the buffer sizes to the maximum expected message size. Buffers larger
+// than the largest message do not provide any benefit.
+//
+// Depending on the distribution of message sizes, setting the buffer size to
+// to a value less than the maximum expected message size can greatly reduce
+// memory use with a small impact on performance. Here's an example: If 99% of
+// the messages are smaller than 256 bytes and the maximum message size is 512
+// bytes, then a buffer size of 256 bytes will result in 1.01 more system calls
+// than a buffer size of 512 bytes. The memory savings is 50%.
+//
+// A write buffer pool is useful when the application has a modest number
+// writes over a large number of connections. when buffers are pooled, a larger
+// buffer size has a reduced impact on total memory use and has the benefit of
+// reducing system calls and frame overhead.
+//
+// Compression EXPERIMENTAL
+//
+// Per message compression extensions (RFC 7692) are experimentally supported
+// by this package in a limited capacity. Setting the EnableCompression option
+// to true in Dialer or Upgrader will attempt to negotiate per message deflate
+// support.
+//
+//  var upgrader = websocket.Upgrader{
+//      EnableCompression: true,
+//  }
+//
+// If compression was successfully negotiated with the connection's peer, any
+// message received in compressed form will be automatically decompressed.
+// All Read methods will return uncompressed bytes.
+//
+// Per message compression of messages written to a connection can be enabled
+// or disabled by calling the corresponding Conn method:
+//
+//  conn.EnableWriteCompression(false)
+//
+// Currently this package does not support compression with "context takeover".
+// This means that messages must be compressed and decompressed in isolation,
+// without retaining sliding window or dictionary state across messages. For
+// more details refer to RFC 7692.
+//
+// Use of compression is experimental and may result in decreased performance.
+package websocket
diff --git a/vendor/github.com/gorilla/websocket/go.mod b/vendor/github.com/gorilla/websocket/go.mod
new file mode 100644
index 000000000000..1a7afd5028a7
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/go.mod
@@ -0,0 +1,3 @@
+module github.com/gorilla/websocket
+
+go 1.12
diff --git a/vendor/github.com/gorilla/websocket/go.sum b/vendor/github.com/gorilla/websocket/go.sum
new file mode 100644
index 000000000000..cf4fbbaa07ac
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/go.sum
@@ -0,0 +1,2 @@
+github.com/gorilla/websocket v1.4.0 h1:WDFjx/TMzVgy9VdMMQi2K2Emtwi2QcUQsztZ/zLaH/Q=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
diff --git a/vendor/github.com/gorilla/websocket/join.go b/vendor/github.com/gorilla/websocket/join.go
new file mode 100644
index 000000000000..c64f8c82901a
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/join.go
@@ -0,0 +1,42 @@
+// Copyright 2019 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"io"
+	"strings"
+)
+
+// JoinMessages concatenates received messages to create a single io.Reader.
+// The string term is appended to each message. The returned reader does not
+// support concurrent calls to the Read method.
+func JoinMessages(c *Conn, term string) io.Reader {
+	return &joinReader{c: c, term: term}
+}
+
+type joinReader struct {
+	c    *Conn
+	term string
+	r    io.Reader
+}
+
+func (r *joinReader) Read(p []byte) (int, error) {
+	if r.r == nil {
+		var err error
+		_, r.r, err = r.c.NextReader()
+		if err != nil {
+			return 0, err
+		}
+		if r.term != "" {
+			r.r = io.MultiReader(r.r, strings.NewReader(r.term))
+		}
+	}
+	n, err := r.r.Read(p)
+	if err == io.EOF {
+		err = nil
+		r.r = nil
+	}
+	return n, err
+}
diff --git a/vendor/github.com/gorilla/websocket/json.go b/vendor/github.com/gorilla/websocket/json.go
new file mode 100644
index 000000000000..dc2c1f6415ff
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/json.go
@@ -0,0 +1,60 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"encoding/json"
+	"io"
+)
+
+// WriteJSON writes the JSON encoding of v as a message.
+//
+// Deprecated: Use c.WriteJSON instead.
+func WriteJSON(c *Conn, v interface{}) error {
+	return c.WriteJSON(v)
+}
+
+// WriteJSON writes the JSON encoding of v as a message.
+//
+// See the documentation for encoding/json Marshal for details about the
+// conversion of Go values to JSON.
+func (c *Conn) WriteJSON(v interface{}) error {
+	w, err := c.NextWriter(TextMessage)
+	if err != nil {
+		return err
+	}
+	err1 := json.NewEncoder(w).Encode(v)
+	err2 := w.Close()
+	if err1 != nil {
+		return err1
+	}
+	return err2
+}
+
+// ReadJSON reads the next JSON-encoded message from the connection and stores
+// it in the value pointed to by v.
+//
+// Deprecated: Use c.ReadJSON instead.
+func ReadJSON(c *Conn, v interface{}) error {
+	return c.ReadJSON(v)
+}
+
+// ReadJSON reads the next JSON-encoded message from the connection and stores
+// it in the value pointed to by v.
+//
+// See the documentation for the encoding/json Unmarshal function for details
+// about the conversion of JSON to a Go value.
+func (c *Conn) ReadJSON(v interface{}) error {
+	_, r, err := c.NextReader()
+	if err != nil {
+		return err
+	}
+	err = json.NewDecoder(r).Decode(v)
+	if err == io.EOF {
+		// One value is expected in the message.
+		err = io.ErrUnexpectedEOF
+	}
+	return err
+}
diff --git a/vendor/github.com/gorilla/websocket/mask.go b/vendor/github.com/gorilla/websocket/mask.go
new file mode 100644
index 000000000000..577fce9efd72
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/mask.go
@@ -0,0 +1,54 @@
+// Copyright 2016 The Gorilla WebSocket Authors. All rights reserved.  Use of
+// this source code is governed by a BSD-style license that can be found in the
+// LICENSE file.
+
+// +build !appengine
+
+package websocket
+
+import "unsafe"
+
+const wordSize = int(unsafe.Sizeof(uintptr(0)))
+
+func maskBytes(key [4]byte, pos int, b []byte) int {
+	// Mask one byte at a time for small buffers.
+	if len(b) < 2*wordSize {
+		for i := range b {
+			b[i] ^= key[pos&3]
+			pos++
+		}
+		return pos & 3
+	}
+
+	// Mask one byte at a time to word boundary.
+	if n := int(uintptr(unsafe.Pointer(&b[0]))) % wordSize; n != 0 {
+		n = wordSize - n
+		for i := range b[:n] {
+			b[i] ^= key[pos&3]
+			pos++
+		}
+		b = b[n:]
+	}
+
+	// Create aligned word size key.
+	var k [wordSize]byte
+	for i := range k {
+		k[i] = key[(pos+i)&3]
+	}
+	kw := *(*uintptr)(unsafe.Pointer(&k))
+
+	// Mask one word at a time.
+	n := (len(b) / wordSize) * wordSize
+	for i := 0; i < n; i += wordSize {
+		*(*uintptr)(unsafe.Pointer(uintptr(unsafe.Pointer(&b[0])) + uintptr(i))) ^= kw
+	}
+
+	// Mask one byte at a time for remaining bytes.
+	b = b[n:]
+	for i := range b {
+		b[i] ^= key[pos&3]
+		pos++
+	}
+
+	return pos & 3
+}
diff --git a/vendor/github.com/gorilla/websocket/mask_safe.go b/vendor/github.com/gorilla/websocket/mask_safe.go
new file mode 100644
index 000000000000..2aac060e52e7
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/mask_safe.go
@@ -0,0 +1,15 @@
+// Copyright 2016 The Gorilla WebSocket Authors. All rights reserved.  Use of
+// this source code is governed by a BSD-style license that can be found in the
+// LICENSE file.
+
+// +build appengine
+
+package websocket
+
+func maskBytes(key [4]byte, pos int, b []byte) int {
+	for i := range b {
+		b[i] ^= key[pos&3]
+		pos++
+	}
+	return pos & 3
+}
diff --git a/vendor/github.com/gorilla/websocket/prepared.go b/vendor/github.com/gorilla/websocket/prepared.go
new file mode 100644
index 000000000000..74ec565d2c38
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/prepared.go
@@ -0,0 +1,102 @@
+// Copyright 2017 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"bytes"
+	"net"
+	"sync"
+	"time"
+)
+
+// PreparedMessage caches on the wire representations of a message payload.
+// Use PreparedMessage to efficiently send a message payload to multiple
+// connections. PreparedMessage is especially useful when compression is used
+// because the CPU and memory expensive compression operation can be executed
+// once for a given set of compression options.
+type PreparedMessage struct {
+	messageType int
+	data        []byte
+	mu          sync.Mutex
+	frames      map[prepareKey]*preparedFrame
+}
+
+// prepareKey defines a unique set of options to cache prepared frames in PreparedMessage.
+type prepareKey struct {
+	isServer         bool
+	compress         bool
+	compressionLevel int
+}
+
+// preparedFrame contains data in wire representation.
+type preparedFrame struct {
+	once sync.Once
+	data []byte
+}
+
+// NewPreparedMessage returns an initialized PreparedMessage. You can then send
+// it to connection using WritePreparedMessage method. Valid wire
+// representation will be calculated lazily only once for a set of current
+// connection options.
+func NewPreparedMessage(messageType int, data []byte) (*PreparedMessage, error) {
+	pm := &PreparedMessage{
+		messageType: messageType,
+		frames:      make(map[prepareKey]*preparedFrame),
+		data:        data,
+	}
+
+	// Prepare a plain server frame.
+	_, frameData, err := pm.frame(prepareKey{isServer: true, compress: false})
+	if err != nil {
+		return nil, err
+	}
+
+	// To protect against caller modifying the data argument, remember the data
+	// copied to the plain server frame.
+	pm.data = frameData[len(frameData)-len(data):]
+	return pm, nil
+}
+
+func (pm *PreparedMessage) frame(key prepareKey) (int, []byte, error) {
+	pm.mu.Lock()
+	frame, ok := pm.frames[key]
+	if !ok {
+		frame = &preparedFrame{}
+		pm.frames[key] = frame
+	}
+	pm.mu.Unlock()
+
+	var err error
+	frame.once.Do(func() {
+		// Prepare a frame using a 'fake' connection.
+		// TODO: Refactor code in conn.go to allow more direct construction of
+		// the frame.
+		mu := make(chan bool, 1)
+		mu <- true
+		var nc prepareConn
+		c := &Conn{
+			conn:                   &nc,
+			mu:                     mu,
+			isServer:               key.isServer,
+			compressionLevel:       key.compressionLevel,
+			enableWriteCompression: true,
+			writeBuf:               make([]byte, defaultWriteBufferSize+maxFrameHeaderSize),
+		}
+		if key.compress {
+			c.newCompressionWriter = compressNoContextTakeover
+		}
+		err = c.WriteMessage(pm.messageType, pm.data)
+		frame.data = nc.buf.Bytes()
+	})
+	return pm.messageType, frame.data, err
+}
+
+type prepareConn struct {
+	buf bytes.Buffer
+	net.Conn
+}
+
+func (pc *prepareConn) Write(p []byte) (int, error)        { return pc.buf.Write(p) }
+func (pc *prepareConn) SetWriteDeadline(t time.Time) error { return nil }
diff --git a/vendor/github.com/gorilla/websocket/proxy.go b/vendor/github.com/gorilla/websocket/proxy.go
new file mode 100644
index 000000000000..e87a8c9f0c96
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/proxy.go
@@ -0,0 +1,77 @@
+// Copyright 2017 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"bufio"
+	"encoding/base64"
+	"errors"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type netDialerFunc func(network, addr string) (net.Conn, error)
+
+func (fn netDialerFunc) Dial(network, addr string) (net.Conn, error) {
+	return fn(network, addr)
+}
+
+func init() {
+	proxy_RegisterDialerType("http", func(proxyURL *url.URL, forwardDialer proxy_Dialer) (proxy_Dialer, error) {
+		return &httpProxyDialer{proxyURL: proxyURL, forwardDial: forwardDialer.Dial}, nil
+	})
+}
+
+type httpProxyDialer struct {
+	proxyURL    *url.URL
+	forwardDial func(network, addr string) (net.Conn, error)
+}
+
+func (hpd *httpProxyDialer) Dial(network string, addr string) (net.Conn, error) {
+	hostPort, _ := hostPortNoPort(hpd.proxyURL)
+	conn, err := hpd.forwardDial(network, hostPort)
+	if err != nil {
+		return nil, err
+	}
+
+	connectHeader := make(http.Header)
+	if user := hpd.proxyURL.User; user != nil {
+		proxyUser := user.Username()
+		if proxyPassword, passwordSet := user.Password(); passwordSet {
+			credential := base64.StdEncoding.EncodeToString([]byte(proxyUser + ":" + proxyPassword))
+			connectHeader.Set("Proxy-Authorization", "Basic "+credential)
+		}
+	}
+
+	connectReq := &http.Request{
+		Method: "CONNECT",
+		URL:    &url.URL{Opaque: addr},
+		Host:   addr,
+		Header: connectHeader,
+	}
+
+	if err := connectReq.Write(conn); err != nil {
+		conn.Close()
+		return nil, err
+	}
+
+	// Read response. It's OK to use and discard buffered reader here becaue
+	// the remote server does not speak until spoken to.
+	br := bufio.NewReader(conn)
+	resp, err := http.ReadResponse(br, connectReq)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+
+	if resp.StatusCode != 200 {
+		conn.Close()
+		f := strings.SplitN(resp.Status, " ", 2)
+		return nil, errors.New(f[1])
+	}
+	return conn, nil
+}
diff --git a/vendor/github.com/gorilla/websocket/server.go b/vendor/github.com/gorilla/websocket/server.go
new file mode 100644
index 000000000000..887d558918c7
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/server.go
@@ -0,0 +1,363 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"bufio"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+// HandshakeError describes an error with the handshake from the peer.
+type HandshakeError struct {
+	message string
+}
+
+func (e HandshakeError) Error() string { return e.message }
+
+// Upgrader specifies parameters for upgrading an HTTP connection to a
+// WebSocket connection.
+type Upgrader struct {
+	// HandshakeTimeout specifies the duration for the handshake to complete.
+	HandshakeTimeout time.Duration
+
+	// ReadBufferSize and WriteBufferSize specify I/O buffer sizes in bytes. If a buffer
+	// size is zero, then buffers allocated by the HTTP server are used. The
+	// I/O buffer sizes do not limit the size of the messages that can be sent
+	// or received.
+	ReadBufferSize, WriteBufferSize int
+
+	// WriteBufferPool is a pool of buffers for write operations. If the value
+	// is not set, then write buffers are allocated to the connection for the
+	// lifetime of the connection.
+	//
+	// A pool is most useful when the application has a modest volume of writes
+	// across a large number of connections.
+	//
+	// Applications should use a single pool for each unique value of
+	// WriteBufferSize.
+	WriteBufferPool BufferPool
+
+	// Subprotocols specifies the server's supported protocols in order of
+	// preference. If this field is not nil, then the Upgrade method negotiates a
+	// subprotocol by selecting the first match in this list with a protocol
+	// requested by the client. If there's no match, then no protocol is
+	// negotiated (the Sec-Websocket-Protocol header is not included in the
+	// handshake response).
+	Subprotocols []string
+
+	// Error specifies the function for generating HTTP error responses. If Error
+	// is nil, then http.Error is used to generate the HTTP response.
+	Error func(w http.ResponseWriter, r *http.Request, status int, reason error)
+
+	// CheckOrigin returns true if the request Origin header is acceptable. If
+	// CheckOrigin is nil, then a safe default is used: return false if the
+	// Origin request header is present and the origin host is not equal to
+	// request Host header.
+	//
+	// A CheckOrigin function should carefully validate the request origin to
+	// prevent cross-site request forgery.
+	CheckOrigin func(r *http.Request) bool
+
+	// EnableCompression specify if the server should attempt to negotiate per
+	// message compression (RFC 7692). Setting this value to true does not
+	// guarantee that compression will be supported. Currently only "no context
+	// takeover" modes are supported.
+	EnableCompression bool
+}
+
+func (u *Upgrader) returnError(w http.ResponseWriter, r *http.Request, status int, reason string) (*Conn, error) {
+	err := HandshakeError{reason}
+	if u.Error != nil {
+		u.Error(w, r, status, err)
+	} else {
+		w.Header().Set("Sec-Websocket-Version", "13")
+		http.Error(w, http.StatusText(status), status)
+	}
+	return nil, err
+}
+
+// checkSameOrigin returns true if the origin is not set or is equal to the request host.
+func checkSameOrigin(r *http.Request) bool {
+	origin := r.Header["Origin"]
+	if len(origin) == 0 {
+		return true
+	}
+	u, err := url.Parse(origin[0])
+	if err != nil {
+		return false
+	}
+	return equalASCIIFold(u.Host, r.Host)
+}
+
+func (u *Upgrader) selectSubprotocol(r *http.Request, responseHeader http.Header) string {
+	if u.Subprotocols != nil {
+		clientProtocols := Subprotocols(r)
+		for _, serverProtocol := range u.Subprotocols {
+			for _, clientProtocol := range clientProtocols {
+				if clientProtocol == serverProtocol {
+					return clientProtocol
+				}
+			}
+		}
+	} else if responseHeader != nil {
+		return responseHeader.Get("Sec-Websocket-Protocol")
+	}
+	return ""
+}
+
+// Upgrade upgrades the HTTP server connection to the WebSocket protocol.
+//
+// The responseHeader is included in the response to the client's upgrade
+// request. Use the responseHeader to specify cookies (Set-Cookie) and the
+// application negotiated subprotocol (Sec-WebSocket-Protocol).
+//
+// If the upgrade fails, then Upgrade replies to the client with an HTTP error
+// response.
+func (u *Upgrader) Upgrade(w http.ResponseWriter, r *http.Request, responseHeader http.Header) (*Conn, error) {
+	const badHandshake = "websocket: the client is not using the websocket protocol: "
+
+	if !tokenListContainsValue(r.Header, "Connection", "upgrade") {
+		return u.returnError(w, r, http.StatusBadRequest, badHandshake+"'upgrade' token not found in 'Connection' header")
+	}
+
+	if !tokenListContainsValue(r.Header, "Upgrade", "websocket") {
+		return u.returnError(w, r, http.StatusBadRequest, badHandshake+"'websocket' token not found in 'Upgrade' header")
+	}
+
+	if r.Method != "GET" {
+		return u.returnError(w, r, http.StatusMethodNotAllowed, badHandshake+"request method is not GET")
+	}
+
+	if !tokenListContainsValue(r.Header, "Sec-Websocket-Version", "13") {
+		return u.returnError(w, r, http.StatusBadRequest, "websocket: unsupported version: 13 not found in 'Sec-Websocket-Version' header")
+	}
+
+	if _, ok := responseHeader["Sec-Websocket-Extensions"]; ok {
+		return u.returnError(w, r, http.StatusInternalServerError, "websocket: application specific 'Sec-WebSocket-Extensions' headers are unsupported")
+	}
+
+	checkOrigin := u.CheckOrigin
+	if checkOrigin == nil {
+		checkOrigin = checkSameOrigin
+	}
+	if !checkOrigin(r) {
+		return u.returnError(w, r, http.StatusForbidden, "websocket: request origin not allowed by Upgrader.CheckOrigin")
+	}
+
+	challengeKey := r.Header.Get("Sec-Websocket-Key")
+	if challengeKey == "" {
+		return u.returnError(w, r, http.StatusBadRequest, "websocket: not a websocket handshake: 'Sec-WebSocket-Key' header is missing or blank")
+	}
+
+	subprotocol := u.selectSubprotocol(r, responseHeader)
+
+	// Negotiate PMCE
+	var compress bool
+	if u.EnableCompression {
+		for _, ext := range parseExtensions(r.Header) {
+			if ext[""] != "permessage-deflate" {
+				continue
+			}
+			compress = true
+			break
+		}
+	}
+
+	h, ok := w.(http.Hijacker)
+	if !ok {
+		return u.returnError(w, r, http.StatusInternalServerError, "websocket: response does not implement http.Hijacker")
+	}
+	var brw *bufio.ReadWriter
+	netConn, brw, err := h.Hijack()
+	if err != nil {
+		return u.returnError(w, r, http.StatusInternalServerError, err.Error())
+	}
+
+	if brw.Reader.Buffered() > 0 {
+		netConn.Close()
+		return nil, errors.New("websocket: client sent data before handshake is complete")
+	}
+
+	var br *bufio.Reader
+	if u.ReadBufferSize == 0 && bufioReaderSize(netConn, brw.Reader) > 256 {
+		// Reuse hijacked buffered reader as connection reader.
+		br = brw.Reader
+	}
+
+	buf := bufioWriterBuffer(netConn, brw.Writer)
+
+	var writeBuf []byte
+	if u.WriteBufferPool == nil && u.WriteBufferSize == 0 && len(buf) >= maxFrameHeaderSize+256 {
+		// Reuse hijacked write buffer as connection buffer.
+		writeBuf = buf
+	}
+
+	c := newConn(netConn, true, u.ReadBufferSize, u.WriteBufferSize, u.WriteBufferPool, br, writeBuf)
+	c.subprotocol = subprotocol
+
+	if compress {
+		c.newCompressionWriter = compressNoContextTakeover
+		c.newDecompressionReader = decompressNoContextTakeover
+	}
+
+	// Use larger of hijacked buffer and connection write buffer for header.
+	p := buf
+	if len(c.writeBuf) > len(p) {
+		p = c.writeBuf
+	}
+	p = p[:0]
+
+	p = append(p, "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Accept: "...)
+	p = append(p, computeAcceptKey(challengeKey)...)
+	p = append(p, "\r\n"...)
+	if c.subprotocol != "" {
+		p = append(p, "Sec-WebSocket-Protocol: "...)
+		p = append(p, c.subprotocol...)
+		p = append(p, "\r\n"...)
+	}
+	if compress {
+		p = append(p, "Sec-WebSocket-Extensions: permessage-deflate; server_no_context_takeover; client_no_context_takeover\r\n"...)
+	}
+	for k, vs := range responseHeader {
+		if k == "Sec-Websocket-Protocol" {
+			continue
+		}
+		for _, v := range vs {
+			p = append(p, k...)
+			p = append(p, ": "...)
+			for i := 0; i < len(v); i++ {
+				b := v[i]
+				if b <= 31 {
+					// prevent response splitting.
+					b = ' '
+				}
+				p = append(p, b)
+			}
+			p = append(p, "\r\n"...)
+		}
+	}
+	p = append(p, "\r\n"...)
+
+	// Clear deadlines set by HTTP server.
+	netConn.SetDeadline(time.Time{})
+
+	if u.HandshakeTimeout > 0 {
+		netConn.SetWriteDeadline(time.Now().Add(u.HandshakeTimeout))
+	}
+	if _, err = netConn.Write(p); err != nil {
+		netConn.Close()
+		return nil, err
+	}
+	if u.HandshakeTimeout > 0 {
+		netConn.SetWriteDeadline(time.Time{})
+	}
+
+	return c, nil
+}
+
+// Upgrade upgrades the HTTP server connection to the WebSocket protocol.
+//
+// Deprecated: Use websocket.Upgrader instead.
+//
+// Upgrade does not perform origin checking. The application is responsible for
+// checking the Origin header before calling Upgrade. An example implementation
+// of the same origin policy check is:
+//
+//	if req.Header.Get("Origin") != "http://"+req.Host {
+//		http.Error(w, "Origin not allowed", http.StatusForbidden)
+//		return
+//	}
+//
+// If the endpoint supports subprotocols, then the application is responsible
+// for negotiating the protocol used on the connection. Use the Subprotocols()
+// function to get the subprotocols requested by the client. Use the
+// Sec-Websocket-Protocol response header to specify the subprotocol selected
+// by the application.
+//
+// The responseHeader is included in the response to the client's upgrade
+// request. Use the responseHeader to specify cookies (Set-Cookie) and the
+// negotiated subprotocol (Sec-Websocket-Protocol).
+//
+// The connection buffers IO to the underlying network connection. The
+// readBufSize and writeBufSize parameters specify the size of the buffers to
+// use. Messages can be larger than the buffers.
+//
+// If the request is not a valid WebSocket handshake, then Upgrade returns an
+// error of type HandshakeError. Applications should handle this error by
+// replying to the client with an HTTP error response.
+func Upgrade(w http.ResponseWriter, r *http.Request, responseHeader http.Header, readBufSize, writeBufSize int) (*Conn, error) {
+	u := Upgrader{ReadBufferSize: readBufSize, WriteBufferSize: writeBufSize}
+	u.Error = func(w http.ResponseWriter, r *http.Request, status int, reason error) {
+		// don't return errors to maintain backwards compatibility
+	}
+	u.CheckOrigin = func(r *http.Request) bool {
+		// allow all connections by default
+		return true
+	}
+	return u.Upgrade(w, r, responseHeader)
+}
+
+// Subprotocols returns the subprotocols requested by the client in the
+// Sec-Websocket-Protocol header.
+func Subprotocols(r *http.Request) []string {
+	h := strings.TrimSpace(r.Header.Get("Sec-Websocket-Protocol"))
+	if h == "" {
+		return nil
+	}
+	protocols := strings.Split(h, ",")
+	for i := range protocols {
+		protocols[i] = strings.TrimSpace(protocols[i])
+	}
+	return protocols
+}
+
+// IsWebSocketUpgrade returns true if the client requested upgrade to the
+// WebSocket protocol.
+func IsWebSocketUpgrade(r *http.Request) bool {
+	return tokenListContainsValue(r.Header, "Connection", "upgrade") &&
+		tokenListContainsValue(r.Header, "Upgrade", "websocket")
+}
+
+// bufioReaderSize size returns the size of a bufio.Reader.
+func bufioReaderSize(originalReader io.Reader, br *bufio.Reader) int {
+	// This code assumes that peek on a reset reader returns
+	// bufio.Reader.buf[:0].
+	// TODO: Use bufio.Reader.Size() after Go 1.10
+	br.Reset(originalReader)
+	if p, err := br.Peek(0); err == nil {
+		return cap(p)
+	}
+	return 0
+}
+
+// writeHook is an io.Writer that records the last slice passed to it vio
+// io.Writer.Write.
+type writeHook struct {
+	p []byte
+}
+
+func (wh *writeHook) Write(p []byte) (int, error) {
+	wh.p = p
+	return len(p), nil
+}
+
+// bufioWriterBuffer grabs the buffer from a bufio.Writer.
+func bufioWriterBuffer(originalWriter io.Writer, bw *bufio.Writer) []byte {
+	// This code assumes that bufio.Writer.buf[:1] is passed to the
+	// bufio.Writer's underlying writer.
+	var wh writeHook
+	bw.Reset(&wh)
+	bw.WriteByte(0)
+	bw.Flush()
+
+	bw.Reset(originalWriter)
+
+	return wh.p[:cap(wh.p)]
+}
diff --git a/vendor/github.com/gorilla/websocket/trace.go b/vendor/github.com/gorilla/websocket/trace.go
new file mode 100644
index 000000000000..834f122a00db
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/trace.go
@@ -0,0 +1,19 @@
+// +build go1.8
+
+package websocket
+
+import (
+	"crypto/tls"
+	"net/http/httptrace"
+)
+
+func doHandshakeWithTrace(trace *httptrace.ClientTrace, tlsConn *tls.Conn, cfg *tls.Config) error {
+	if trace.TLSHandshakeStart != nil {
+		trace.TLSHandshakeStart()
+	}
+	err := doHandshake(tlsConn, cfg)
+	if trace.TLSHandshakeDone != nil {
+		trace.TLSHandshakeDone(tlsConn.ConnectionState(), err)
+	}
+	return err
+}
diff --git a/vendor/github.com/gorilla/websocket/trace_17.go b/vendor/github.com/gorilla/websocket/trace_17.go
new file mode 100644
index 000000000000..77d05a0b5748
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/trace_17.go
@@ -0,0 +1,12 @@
+// +build !go1.8
+
+package websocket
+
+import (
+	"crypto/tls"
+	"net/http/httptrace"
+)
+
+func doHandshakeWithTrace(trace *httptrace.ClientTrace, tlsConn *tls.Conn, cfg *tls.Config) error {
+	return doHandshake(tlsConn, cfg)
+}
diff --git a/vendor/github.com/gorilla/websocket/util.go b/vendor/github.com/gorilla/websocket/util.go
new file mode 100644
index 000000000000..7bf2f66c6747
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/util.go
@@ -0,0 +1,283 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"crypto/rand"
+	"crypto/sha1"
+	"encoding/base64"
+	"io"
+	"net/http"
+	"strings"
+	"unicode/utf8"
+)
+
+var keyGUID = []byte("258EAFA5-E914-47DA-95CA-C5AB0DC85B11")
+
+func computeAcceptKey(challengeKey string) string {
+	h := sha1.New()
+	h.Write([]byte(challengeKey))
+	h.Write(keyGUID)
+	return base64.StdEncoding.EncodeToString(h.Sum(nil))
+}
+
+func generateChallengeKey() (string, error) {
+	p := make([]byte, 16)
+	if _, err := io.ReadFull(rand.Reader, p); err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(p), nil
+}
+
+// Token octets per RFC 2616.
+var isTokenOctet = [256]bool{
+	'!':  true,
+	'#':  true,
+	'$':  true,
+	'%':  true,
+	'&':  true,
+	'\'': true,
+	'*':  true,
+	'+':  true,
+	'-':  true,
+	'.':  true,
+	'0':  true,
+	'1':  true,
+	'2':  true,
+	'3':  true,
+	'4':  true,
+	'5':  true,
+	'6':  true,
+	'7':  true,
+	'8':  true,
+	'9':  true,
+	'A':  true,
+	'B':  true,
+	'C':  true,
+	'D':  true,
+	'E':  true,
+	'F':  true,
+	'G':  true,
+	'H':  true,
+	'I':  true,
+	'J':  true,
+	'K':  true,
+	'L':  true,
+	'M':  true,
+	'N':  true,
+	'O':  true,
+	'P':  true,
+	'Q':  true,
+	'R':  true,
+	'S':  true,
+	'T':  true,
+	'U':  true,
+	'W':  true,
+	'V':  true,
+	'X':  true,
+	'Y':  true,
+	'Z':  true,
+	'^':  true,
+	'_':  true,
+	'`':  true,
+	'a':  true,
+	'b':  true,
+	'c':  true,
+	'd':  true,
+	'e':  true,
+	'f':  true,
+	'g':  true,
+	'h':  true,
+	'i':  true,
+	'j':  true,
+	'k':  true,
+	'l':  true,
+	'm':  true,
+	'n':  true,
+	'o':  true,
+	'p':  true,
+	'q':  true,
+	'r':  true,
+	's':  true,
+	't':  true,
+	'u':  true,
+	'v':  true,
+	'w':  true,
+	'x':  true,
+	'y':  true,
+	'z':  true,
+	'|':  true,
+	'~':  true,
+}
+
+// skipSpace returns a slice of the string s with all leading RFC 2616 linear
+// whitespace removed.
+func skipSpace(s string) (rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if b := s[i]; b != ' ' && b != '\t' {
+			break
+		}
+	}
+	return s[i:]
+}
+
+// nextToken returns the leading RFC 2616 token of s and the string following
+// the token.
+func nextToken(s string) (token, rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if !isTokenOctet[s[i]] {
+			break
+		}
+	}
+	return s[:i], s[i:]
+}
+
+// nextTokenOrQuoted returns the leading token or quoted string per RFC 2616
+// and the string following the token or quoted string.
+func nextTokenOrQuoted(s string) (value string, rest string) {
+	if !strings.HasPrefix(s, "\"") {
+		return nextToken(s)
+	}
+	s = s[1:]
+	for i := 0; i < len(s); i++ {
+		switch s[i] {
+		case '"':
+			return s[:i], s[i+1:]
+		case '\\':
+			p := make([]byte, len(s)-1)
+			j := copy(p, s[:i])
+			escape := true
+			for i = i + 1; i < len(s); i++ {
+				b := s[i]
+				switch {
+				case escape:
+					escape = false
+					p[j] = b
+					j++
+				case b == '\\':
+					escape = true
+				case b == '"':
+					return string(p[:j]), s[i+1:]
+				default:
+					p[j] = b
+					j++
+				}
+			}
+			return "", ""
+		}
+	}
+	return "", ""
+}
+
+// equalASCIIFold returns true if s is equal to t with ASCII case folding as
+// defined in RFC 4790.
+func equalASCIIFold(s, t string) bool {
+	for s != "" && t != "" {
+		sr, size := utf8.DecodeRuneInString(s)
+		s = s[size:]
+		tr, size := utf8.DecodeRuneInString(t)
+		t = t[size:]
+		if sr == tr {
+			continue
+		}
+		if 'A' <= sr && sr <= 'Z' {
+			sr = sr + 'a' - 'A'
+		}
+		if 'A' <= tr && tr <= 'Z' {
+			tr = tr + 'a' - 'A'
+		}
+		if sr != tr {
+			return false
+		}
+	}
+	return s == t
+}
+
+// tokenListContainsValue returns true if the 1#token header with the given
+// name contains a token equal to value with ASCII case folding.
+func tokenListContainsValue(header http.Header, name string, value string) bool {
+headers:
+	for _, s := range header[name] {
+		for {
+			var t string
+			t, s = nextToken(skipSpace(s))
+			if t == "" {
+				continue headers
+			}
+			s = skipSpace(s)
+			if s != "" && s[0] != ',' {
+				continue headers
+			}
+			if equalASCIIFold(t, value) {
+				return true
+			}
+			if s == "" {
+				continue headers
+			}
+			s = s[1:]
+		}
+	}
+	return false
+}
+
+// parseExtensions parses WebSocket extensions from a header.
+func parseExtensions(header http.Header) []map[string]string {
+	// From RFC 6455:
+	//
+	//  Sec-WebSocket-Extensions = extension-list
+	//  extension-list = 1#extension
+	//  extension = extension-token *( ";" extension-param )
+	//  extension-token = registered-token
+	//  registered-token = token
+	//  extension-param = token [ "=" (token | quoted-string) ]
+	//     ;When using the quoted-string syntax variant, the value
+	//     ;after quoted-string unescaping MUST conform to the
+	//     ;'token' ABNF.
+
+	var result []map[string]string
+headers:
+	for _, s := range header["Sec-Websocket-Extensions"] {
+		for {
+			var t string
+			t, s = nextToken(skipSpace(s))
+			if t == "" {
+				continue headers
+			}
+			ext := map[string]string{"": t}
+			for {
+				s = skipSpace(s)
+				if !strings.HasPrefix(s, ";") {
+					break
+				}
+				var k string
+				k, s = nextToken(skipSpace(s[1:]))
+				if k == "" {
+					continue headers
+				}
+				s = skipSpace(s)
+				var v string
+				if strings.HasPrefix(s, "=") {
+					v, s = nextTokenOrQuoted(skipSpace(s[1:]))
+					s = skipSpace(s)
+				}
+				if s != "" && s[0] != ',' && s[0] != ';' {
+					continue headers
+				}
+				ext[k] = v
+			}
+			if s != "" && s[0] != ',' {
+				continue headers
+			}
+			result = append(result, ext)
+			if s == "" {
+				continue headers
+			}
+			s = s[1:]
+		}
+	}
+	return result
+}
diff --git a/vendor/github.com/gorilla/websocket/x_net_proxy.go b/vendor/github.com/gorilla/websocket/x_net_proxy.go
new file mode 100644
index 000000000000..2e668f6b8821
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/x_net_proxy.go
@@ -0,0 +1,473 @@
+// Code generated by golang.org/x/tools/cmd/bundle. DO NOT EDIT.
+//go:generate bundle -o x_net_proxy.go golang.org/x/net/proxy
+
+// Package proxy provides support for a variety of protocols to proxy network
+// data.
+//
+
+package websocket
+
+import (
+	"errors"
+	"io"
+	"net"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+)
+
+type proxy_direct struct{}
+
+// Direct is a direct proxy: one that makes network connections directly.
+var proxy_Direct = proxy_direct{}
+
+func (proxy_direct) Dial(network, addr string) (net.Conn, error) {
+	return net.Dial(network, addr)
+}
+
+// A PerHost directs connections to a default Dialer unless the host name
+// requested matches one of a number of exceptions.
+type proxy_PerHost struct {
+	def, bypass proxy_Dialer
+
+	bypassNetworks []*net.IPNet
+	bypassIPs      []net.IP
+	bypassZones    []string
+	bypassHosts    []string
+}
+
+// NewPerHost returns a PerHost Dialer that directs connections to either
+// defaultDialer or bypass, depending on whether the connection matches one of
+// the configured rules.
+func proxy_NewPerHost(defaultDialer, bypass proxy_Dialer) *proxy_PerHost {
+	return &proxy_PerHost{
+		def:    defaultDialer,
+		bypass: bypass,
+	}
+}
+
+// Dial connects to the address addr on the given network through either
+// defaultDialer or bypass.
+func (p *proxy_PerHost) Dial(network, addr string) (c net.Conn, err error) {
+	host, _, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
+
+	return p.dialerForRequest(host).Dial(network, addr)
+}
+
+func (p *proxy_PerHost) dialerForRequest(host string) proxy_Dialer {
+	if ip := net.ParseIP(host); ip != nil {
+		for _, net := range p.bypassNetworks {
+			if net.Contains(ip) {
+				return p.bypass
+			}
+		}
+		for _, bypassIP := range p.bypassIPs {
+			if bypassIP.Equal(ip) {
+				return p.bypass
+			}
+		}
+		return p.def
+	}
+
+	for _, zone := range p.bypassZones {
+		if strings.HasSuffix(host, zone) {
+			return p.bypass
+		}
+		if host == zone[1:] {
+			// For a zone ".example.com", we match "example.com"
+			// too.
+			return p.bypass
+		}
+	}
+	for _, bypassHost := range p.bypassHosts {
+		if bypassHost == host {
+			return p.bypass
+		}
+	}
+	return p.def
+}
+
+// AddFromString parses a string that contains comma-separated values
+// specifying hosts that should use the bypass proxy. Each value is either an
+// IP address, a CIDR range, a zone (*.example.com) or a host name
+// (localhost). A best effort is made to parse the string and errors are
+// ignored.
+func (p *proxy_PerHost) AddFromString(s string) {
+	hosts := strings.Split(s, ",")
+	for _, host := range hosts {
+		host = strings.TrimSpace(host)
+		if len(host) == 0 {
+			continue
+		}
+		if strings.Contains(host, "/") {
+			// We assume that it's a CIDR address like 127.0.0.0/8
+			if _, net, err := net.ParseCIDR(host); err == nil {
+				p.AddNetwork(net)
+			}
+			continue
+		}
+		if ip := net.ParseIP(host); ip != nil {
+			p.AddIP(ip)
+			continue
+		}
+		if strings.HasPrefix(host, "*.") {
+			p.AddZone(host[1:])
+			continue
+		}
+		p.AddHost(host)
+	}
+}
+
+// AddIP specifies an IP address that will use the bypass proxy. Note that
+// this will only take effect if a literal IP address is dialed. A connection
+// to a named host will never match an IP.
+func (p *proxy_PerHost) AddIP(ip net.IP) {
+	p.bypassIPs = append(p.bypassIPs, ip)
+}
+
+// AddNetwork specifies an IP range that will use the bypass proxy. Note that
+// this will only take effect if a literal IP address is dialed. A connection
+// to a named host will never match.
+func (p *proxy_PerHost) AddNetwork(net *net.IPNet) {
+	p.bypassNetworks = append(p.bypassNetworks, net)
+}
+
+// AddZone specifies a DNS suffix that will use the bypass proxy. A zone of
+// "example.com" matches "example.com" and all of its subdomains.
+func (p *proxy_PerHost) AddZone(zone string) {
+	if strings.HasSuffix(zone, ".") {
+		zone = zone[:len(zone)-1]
+	}
+	if !strings.HasPrefix(zone, ".") {
+		zone = "." + zone
+	}
+	p.bypassZones = append(p.bypassZones, zone)
+}
+
+// AddHost specifies a host name that will use the bypass proxy.
+func (p *proxy_PerHost) AddHost(host string) {
+	if strings.HasSuffix(host, ".") {
+		host = host[:len(host)-1]
+	}
+	p.bypassHosts = append(p.bypassHosts, host)
+}
+
+// A Dialer is a means to establish a connection.
+type proxy_Dialer interface {
+	// Dial connects to the given address via the proxy.
+	Dial(network, addr string) (c net.Conn, err error)
+}
+
+// Auth contains authentication parameters that specific Dialers may require.
+type proxy_Auth struct {
+	User, Password string
+}
+
+// FromEnvironment returns the dialer specified by the proxy related variables in
+// the environment.
+func proxy_FromEnvironment() proxy_Dialer {
+	allProxy := proxy_allProxyEnv.Get()
+	if len(allProxy) == 0 {
+		return proxy_Direct
+	}
+
+	proxyURL, err := url.Parse(allProxy)
+	if err != nil {
+		return proxy_Direct
+	}
+	proxy, err := proxy_FromURL(proxyURL, proxy_Direct)
+	if err != nil {
+		return proxy_Direct
+	}
+
+	noProxy := proxy_noProxyEnv.Get()
+	if len(noProxy) == 0 {
+		return proxy
+	}
+
+	perHost := proxy_NewPerHost(proxy, proxy_Direct)
+	perHost.AddFromString(noProxy)
+	return perHost
+}
+
+// proxySchemes is a map from URL schemes to a function that creates a Dialer
+// from a URL with such a scheme.
+var proxy_proxySchemes map[string]func(*url.URL, proxy_Dialer) (proxy_Dialer, error)
+
+// RegisterDialerType takes a URL scheme and a function to generate Dialers from
+// a URL with that scheme and a forwarding Dialer. Registered schemes are used
+// by FromURL.
+func proxy_RegisterDialerType(scheme string, f func(*url.URL, proxy_Dialer) (proxy_Dialer, error)) {
+	if proxy_proxySchemes == nil {
+		proxy_proxySchemes = make(map[string]func(*url.URL, proxy_Dialer) (proxy_Dialer, error))
+	}
+	proxy_proxySchemes[scheme] = f
+}
+
+// FromURL returns a Dialer given a URL specification and an underlying
+// Dialer for it to make network requests.
+func proxy_FromURL(u *url.URL, forward proxy_Dialer) (proxy_Dialer, error) {
+	var auth *proxy_Auth
+	if u.User != nil {
+		auth = new(proxy_Auth)
+		auth.User = u.User.Username()
+		if p, ok := u.User.Password(); ok {
+			auth.Password = p
+		}
+	}
+
+	switch u.Scheme {
+	case "socks5":
+		return proxy_SOCKS5("tcp", u.Host, auth, forward)
+	}
+
+	// If the scheme doesn't match any of the built-in schemes, see if it
+	// was registered by another package.
+	if proxy_proxySchemes != nil {
+		if f, ok := proxy_proxySchemes[u.Scheme]; ok {
+			return f(u, forward)
+		}
+	}
+
+	return nil, errors.New("proxy: unknown scheme: " + u.Scheme)
+}
+
+var (
+	proxy_allProxyEnv = &proxy_envOnce{
+		names: []string{"ALL_PROXY", "all_proxy"},
+	}
+	proxy_noProxyEnv = &proxy_envOnce{
+		names: []string{"NO_PROXY", "no_proxy"},
+	}
+)
+
+// envOnce looks up an environment variable (optionally by multiple
+// names) once. It mitigates expensive lookups on some platforms
+// (e.g. Windows).
+// (Borrowed from net/http/transport.go)
+type proxy_envOnce struct {
+	names []string
+	once  sync.Once
+	val   string
+}
+
+func (e *proxy_envOnce) Get() string {
+	e.once.Do(e.init)
+	return e.val
+}
+
+func (e *proxy_envOnce) init() {
+	for _, n := range e.names {
+		e.val = os.Getenv(n)
+		if e.val != "" {
+			return
+		}
+	}
+}
+
+// SOCKS5 returns a Dialer that makes SOCKSv5 connections to the given address
+// with an optional username and password. See RFC 1928 and RFC 1929.
+func proxy_SOCKS5(network, addr string, auth *proxy_Auth, forward proxy_Dialer) (proxy_Dialer, error) {
+	s := &proxy_socks5{
+		network: network,
+		addr:    addr,
+		forward: forward,
+	}
+	if auth != nil {
+		s.user = auth.User
+		s.password = auth.Password
+	}
+
+	return s, nil
+}
+
+type proxy_socks5 struct {
+	user, password string
+	network, addr  string
+	forward        proxy_Dialer
+}
+
+const proxy_socks5Version = 5
+
+const (
+	proxy_socks5AuthNone     = 0
+	proxy_socks5AuthPassword = 2
+)
+
+const proxy_socks5Connect = 1
+
+const (
+	proxy_socks5IP4    = 1
+	proxy_socks5Domain = 3
+	proxy_socks5IP6    = 4
+)
+
+var proxy_socks5Errors = []string{
+	"",
+	"general failure",
+	"connection forbidden",
+	"network unreachable",
+	"host unreachable",
+	"connection refused",
+	"TTL expired",
+	"command not supported",
+	"address type not supported",
+}
+
+// Dial connects to the address addr on the given network via the SOCKS5 proxy.
+func (s *proxy_socks5) Dial(network, addr string) (net.Conn, error) {
+	switch network {
+	case "tcp", "tcp6", "tcp4":
+	default:
+		return nil, errors.New("proxy: no support for SOCKS5 proxy connections of type " + network)
+	}
+
+	conn, err := s.forward.Dial(s.network, s.addr)
+	if err != nil {
+		return nil, err
+	}
+	if err := s.connect(conn, addr); err != nil {
+		conn.Close()
+		return nil, err
+	}
+	return conn, nil
+}
+
+// connect takes an existing connection to a socks5 proxy server,
+// and commands the server to extend that connection to target,
+// which must be a canonical address with a host and port.
+func (s *proxy_socks5) connect(conn net.Conn, target string) error {
+	host, portStr, err := net.SplitHostPort(target)
+	if err != nil {
+		return err
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return errors.New("proxy: failed to parse port number: " + portStr)
+	}
+	if port < 1 || port > 0xffff {
+		return errors.New("proxy: port number out of range: " + portStr)
+	}
+
+	// the size here is just an estimate
+	buf := make([]byte, 0, 6+len(host))
+
+	buf = append(buf, proxy_socks5Version)
+	if len(s.user) > 0 && len(s.user) < 256 && len(s.password) < 256 {
+		buf = append(buf, 2 /* num auth methods */, proxy_socks5AuthNone, proxy_socks5AuthPassword)
+	} else {
+		buf = append(buf, 1 /* num auth methods */, proxy_socks5AuthNone)
+	}
+
+	if _, err := conn.Write(buf); err != nil {
+		return errors.New("proxy: failed to write greeting to SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+
+	if _, err := io.ReadFull(conn, buf[:2]); err != nil {
+		return errors.New("proxy: failed to read greeting from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+	if buf[0] != 5 {
+		return errors.New("proxy: SOCKS5 proxy at " + s.addr + " has unexpected version " + strconv.Itoa(int(buf[0])))
+	}
+	if buf[1] == 0xff {
+		return errors.New("proxy: SOCKS5 proxy at " + s.addr + " requires authentication")
+	}
+
+	// See RFC 1929
+	if buf[1] == proxy_socks5AuthPassword {
+		buf = buf[:0]
+		buf = append(buf, 1 /* password protocol version */)
+		buf = append(buf, uint8(len(s.user)))
+		buf = append(buf, s.user...)
+		buf = append(buf, uint8(len(s.password)))
+		buf = append(buf, s.password...)
+
+		if _, err := conn.Write(buf); err != nil {
+			return errors.New("proxy: failed to write authentication request to SOCKS5 proxy at " + s.addr + ": " + err.Error())
+		}
+
+		if _, err := io.ReadFull(conn, buf[:2]); err != nil {
+			return errors.New("proxy: failed to read authentication reply from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+		}
+
+		if buf[1] != 0 {
+			return errors.New("proxy: SOCKS5 proxy at " + s.addr + " rejected username/password")
+		}
+	}
+
+	buf = buf[:0]
+	buf = append(buf, proxy_socks5Version, proxy_socks5Connect, 0 /* reserved */)
+
+	if ip := net.ParseIP(host); ip != nil {
+		if ip4 := ip.To4(); ip4 != nil {
+			buf = append(buf, proxy_socks5IP4)
+			ip = ip4
+		} else {
+			buf = append(buf, proxy_socks5IP6)
+		}
+		buf = append(buf, ip...)
+	} else {
+		if len(host) > 255 {
+			return errors.New("proxy: destination host name too long: " + host)
+		}
+		buf = append(buf, proxy_socks5Domain)
+		buf = append(buf, byte(len(host)))
+		buf = append(buf, host...)
+	}
+	buf = append(buf, byte(port>>8), byte(port))
+
+	if _, err := conn.Write(buf); err != nil {
+		return errors.New("proxy: failed to write connect request to SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+
+	if _, err := io.ReadFull(conn, buf[:4]); err != nil {
+		return errors.New("proxy: failed to read connect reply from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+
+	failure := "unknown error"
+	if int(buf[1]) < len(proxy_socks5Errors) {
+		failure = proxy_socks5Errors[buf[1]]
+	}
+
+	if len(failure) > 0 {
+		return errors.New("proxy: SOCKS5 proxy at " + s.addr + " failed to connect: " + failure)
+	}
+
+	bytesToDiscard := 0
+	switch buf[3] {
+	case proxy_socks5IP4:
+		bytesToDiscard = net.IPv4len
+	case proxy_socks5IP6:
+		bytesToDiscard = net.IPv6len
+	case proxy_socks5Domain:
+		_, err := io.ReadFull(conn, buf[:1])
+		if err != nil {
+			return errors.New("proxy: failed to read domain length from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+		}
+		bytesToDiscard = int(buf[0])
+	default:
+		return errors.New("proxy: got unknown address type " + strconv.Itoa(int(buf[3])) + " from SOCKS5 proxy at " + s.addr)
+	}
+
+	if cap(buf) < bytesToDiscard {
+		buf = make([]byte, bytesToDiscard)
+	} else {
+		buf = buf[:bytesToDiscard]
+	}
+	if _, err := io.ReadFull(conn, buf); err != nil {
+		return errors.New("proxy: failed to read address from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+
+	// Also need to discard the port number
+	if _, err := io.ReadFull(conn, buf[:2]); err != nil {
+		return errors.New("proxy: failed to read port from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/hashicorp/go-rootcerts/README.md b/vendor/github.com/hashicorp/go-rootcerts/README.md
index f5abffc29343..6a128e1e14a2 100644
--- a/vendor/github.com/hashicorp/go-rootcerts/README.md
+++ b/vendor/github.com/hashicorp/go-rootcerts/README.md
@@ -28,8 +28,9 @@ Here's a snippet demonstrating how this library is meant to be used:
 func httpClient() (*http.Client, error)
 	tlsConfig := &tls.Config{}
 	err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{
-		CAFile: os.Getenv("MYAPP_CAFILE"),
-		CAPath: os.Getenv("MYAPP_CAPATH"),
+		CAFile:      os.Getenv("MYAPP_CAFILE"),
+		CAPath:      os.Getenv("MYAPP_CAPATH"),
+		Certificate: os.Getenv("MYAPP_CERTIFICATE"),
 	})
 	if err != nil {
 		return nil, err
diff --git a/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go b/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go
index aeb30ece3240..69aabd6bc74a 100644
--- a/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go
+++ b/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go
@@ -3,21 +3,26 @@ package rootcerts
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 )
 
-// Config determines where LoadCACerts will load certificates from. When both
-// CAFile and CAPath are blank, this library's functions will either load
+// Config determines where LoadCACerts will load certificates from. When CAFile,
+// CACertificate and CAPath are blank, this library's functions will either load
 // system roots explicitly and return them, or set the CertPool to nil to allow
 // Go's standard library to load system certs.
 type Config struct {
 	// CAFile is a path to a PEM-encoded certificate file or bundle. Takes
-	// precedence over CAPath.
+	// precedence over CACertificate and CAPath.
 	CAFile string
 
+	// CACertificate is a PEM-encoded certificate or bundle. Takes precedence
+	// over CAPath.
+	CACertificate []byte
+
 	// CAPath is a path to a directory populated with PEM-encoded certificates.
 	CAPath string
 }
@@ -44,6 +49,9 @@ func LoadCACerts(c *Config) (*x509.CertPool, error) {
 	if c.CAFile != "" {
 		return LoadCAFile(c.CAFile)
 	}
+	if len(c.CACertificate) != 0 {
+		return AppendCertificate(c.CACertificate)
+	}
 	if c.CAPath != "" {
 		return LoadCAPath(c.CAPath)
 	}
@@ -68,6 +76,18 @@ func LoadCAFile(caFile string) (*x509.CertPool, error) {
 	return pool, nil
 }
 
+// AppendCertificate appends an in-memory PEM-encoded certificate or bundle and returns a pool.
+func AppendCertificate(ca []byte) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+
+	ok := pool.AppendCertsFromPEM(ca)
+	if !ok {
+		return nil, errors.New("Error appending CA: Couldn't parse PEM")
+	}
+
+	return pool, nil
+}
+
 // LoadCAPath walks the provided path and loads all certificates encounted into
 // a pool.
 func LoadCAPath(caPath string) (*x509.CertPool, error) {
diff --git a/vendor/github.com/hashicorp/nomad/api/agent.go b/vendor/github.com/hashicorp/nomad/api/agent.go
index 46979403c21d..d372b8062bd2 100644
--- a/vendor/github.com/hashicorp/nomad/api/agent.go
+++ b/vendor/github.com/hashicorp/nomad/api/agent.go
@@ -237,6 +237,57 @@ func (a *Agent) Health() (*AgentHealthResponse, error) {
 	return nil, fmt.Errorf("unable to unmarshal response with status %d: %v", resp.StatusCode, err)
 }
 
+// Monitor returns a channel which will receive streaming logs from the agent
+// Providing a non-nil stopCh can be used to close the connection and stop log streaming
+func (a *Agent) Monitor(stopCh <-chan struct{}, q *QueryOptions) (<-chan *StreamFrame, <-chan error) {
+	errCh := make(chan error, 1)
+	r, err := a.client.newRequest("GET", "/v1/agent/monitor")
+	if err != nil {
+		errCh <- err
+		return nil, errCh
+	}
+
+	r.setQueryOptions(q)
+	_, resp, err := requireOK(a.client.doRequest(r))
+	if err != nil {
+		errCh <- err
+		return nil, errCh
+	}
+
+	frames := make(chan *StreamFrame, 10)
+	go func() {
+		defer resp.Body.Close()
+
+		dec := json.NewDecoder(resp.Body)
+
+		for {
+			select {
+			case <-stopCh:
+				close(frames)
+				return
+			default:
+			}
+
+			// Decode the next frame
+			var frame StreamFrame
+			if err := dec.Decode(&frame); err != nil {
+				close(frames)
+				errCh <- err
+				return
+			}
+
+			// Discard heartbeat frame
+			if frame.IsHeartbeat() {
+				continue
+			}
+
+			frames <- &frame
+		}
+	}()
+
+	return frames, errCh
+}
+
 // joinResponse is used to decode the response we get while
 // sending a member join request.
 type joinResponse struct {
diff --git a/vendor/github.com/hashicorp/nomad/api/allocations.go b/vendor/github.com/hashicorp/nomad/api/allocations.go
index 109174f07529..05892a77e05e 100644
--- a/vendor/github.com/hashicorp/nomad/api/allocations.go
+++ b/vendor/github.com/hashicorp/nomad/api/allocations.go
@@ -1,9 +1,18 @@
 package api
 
 import (
+	"context"
+	"encoding/json"
+	"errors"
 	"fmt"
+	"io"
+	"net"
 	"sort"
+	"strconv"
+	"sync"
 	"time"
+
+	"github.com/gorilla/websocket"
 )
 
 var (
@@ -61,6 +70,219 @@ func (a *Allocations) Info(allocID string, q *QueryOptions) (*Allocation, *Query
 	return &resp, qm, nil
 }
 
+// Exec is used to execute a command inside a running task.  The command is to run inside
+// the task environment.
+//
+// The parameters are:
+// * ctx: context to set deadlines or timeout
+// * allocation: the allocation to execute command inside
+// * task: the task's name to execute command in
+// * tty: indicates whether to start a pseudo-tty for the command
+// * stdin, stdout, stderr: the std io to pass to command.
+//      If tty is true, then streams need to point to a tty that's alive for the whole process
+// * terminalSizeCh: A channel to send new tty terminal sizes
+//
+// The call blocks until command terminates (or an error occurs), and returns the exit code.
+func (a *Allocations) Exec(ctx context.Context,
+	alloc *Allocation, task string, tty bool, command []string,
+	stdin io.Reader, stdout, stderr io.Writer,
+	terminalSizeCh <-chan TerminalSize, q *QueryOptions) (exitCode int, err error) {
+
+	ctx, cancelFn := context.WithCancel(ctx)
+	defer cancelFn()
+
+	errCh := make(chan error, 4)
+
+	sender, output := a.execFrames(ctx, alloc, task, tty, command, errCh, q)
+
+	select {
+	case err := <-errCh:
+		return -2, err
+	default:
+	}
+
+	// Errors resulting from sending input (in goroutines) are silently dropped.
+	// To mitigate this, extra care is needed to distinguish between actual send errors
+	// and from send errors due to command terminating and our race to detect failures.
+	// If we have an actual network failure or send a bad input, we'd get an
+	// error in the reading side of websocket.
+
+	go func() {
+
+		bytes := make([]byte, 2048)
+		for {
+			if ctx.Err() != nil {
+				return
+			}
+
+			input := ExecStreamingInput{Stdin: &ExecStreamingIOOperation{}}
+
+			n, err := stdin.Read(bytes)
+
+			// always send data if we read some
+			if n != 0 {
+				input.Stdin.Data = bytes[:n]
+				sender(&input)
+			}
+
+			// then handle error
+			if err == io.EOF {
+				// if n != 0, send data and we'll get n = 0 on next read
+				if n == 0 {
+					input.Stdin.Close = true
+					sender(&input)
+					return
+				}
+			} else if err != nil {
+				errCh <- err
+				return
+			}
+		}
+	}()
+
+	// forwarding terminal size
+	go func() {
+		for {
+			resizeInput := ExecStreamingInput{}
+
+			select {
+			case <-ctx.Done():
+				return
+			case size, ok := <-terminalSizeCh:
+				if !ok {
+					return
+				}
+				resizeInput.TTYSize = &size
+				sender(&resizeInput)
+			}
+
+		}
+	}()
+
+	// send a heartbeat every 10 seconds
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			// heartbeat message
+			case <-time.After(10 * time.Second):
+				sender(&execStreamingInputHeartbeat)
+			}
+
+		}
+	}()
+
+	for {
+		select {
+		case err := <-errCh:
+			// drop websocket code, not relevant to user
+			if wsErr, ok := err.(*websocket.CloseError); ok && wsErr.Text != "" {
+				return -2, errors.New(wsErr.Text)
+			}
+			return -2, err
+		case <-ctx.Done():
+			return -2, ctx.Err()
+		case frame, ok := <-output:
+			if !ok {
+				return -2, errors.New("disconnected without receiving the exit code")
+			}
+
+			switch {
+			case frame.Stdout != nil:
+				if len(frame.Stdout.Data) != 0 {
+					stdout.Write(frame.Stdout.Data)
+				}
+				// don't really do anything if stdout is closing
+			case frame.Stderr != nil:
+				if len(frame.Stderr.Data) != 0 {
+					stderr.Write(frame.Stderr.Data)
+				}
+				// don't really do anything if stderr is closing
+			case frame.Exited && frame.Result != nil:
+				return frame.Result.ExitCode, nil
+			default:
+				// noop - heartbeat
+			}
+		}
+	}
+}
+
+func (a *Allocations) execFrames(ctx context.Context, alloc *Allocation, task string, tty bool, command []string,
+	errCh chan<- error, q *QueryOptions) (sendFn func(*ExecStreamingInput) error, output <-chan *ExecStreamingOutput) {
+	nodeClient, _ := a.client.GetNodeClientWithTimeout(alloc.NodeID, ClientConnTimeout, q)
+
+	if q == nil {
+		q = &QueryOptions{}
+	}
+	if q.Params == nil {
+		q.Params = make(map[string]string)
+	}
+
+	commandBytes, err := json.Marshal(command)
+	if err != nil {
+		errCh <- fmt.Errorf("failed to marshal command: %s", err)
+		return nil, nil
+	}
+
+	q.Params["tty"] = strconv.FormatBool(tty)
+	q.Params["task"] = task
+	q.Params["command"] = string(commandBytes)
+
+	reqPath := fmt.Sprintf("/v1/client/allocation/%s/exec", alloc.ID)
+
+	var conn *websocket.Conn
+
+	if nodeClient != nil {
+		conn, _, err = nodeClient.websocket(reqPath, q)
+		if _, ok := err.(net.Error); err != nil && !ok {
+			errCh <- err
+			return nil, nil
+		}
+	}
+
+	if conn == nil {
+		conn, _, err = a.client.websocket(reqPath, q)
+		if err != nil {
+			errCh <- err
+			return nil, nil
+		}
+	}
+
+	// Create the output channel
+	frames := make(chan *ExecStreamingOutput, 10)
+
+	go func() {
+		defer conn.Close()
+		for ctx.Err() == nil {
+
+			// Decode the next frame
+			var frame ExecStreamingOutput
+			err := conn.ReadJSON(&frame)
+			if websocket.IsCloseError(err, websocket.CloseNormalClosure) {
+				close(frames)
+				return
+			} else if err != nil {
+				errCh <- err
+				return
+			}
+
+			frames <- &frame
+		}
+	}()
+
+	var sendLock sync.Mutex
+	send := func(v *ExecStreamingInput) error {
+		sendLock.Lock()
+		defer sendLock.Unlock()
+
+		return conn.WriteJSON(v)
+	}
+
+	return send, frames
+
+}
+
 func (a *Allocations) Stats(alloc *Allocation, q *QueryOptions) (*AllocResourceUsage, error) {
 	var resp AllocResourceUsage
 	path := fmt.Sprintf("/v1/client/allocation/%s/stats", alloc.ID)
@@ -89,6 +311,36 @@ func (a *Allocations) Restart(alloc *Allocation, taskName string, q *QueryOption
 	return err
 }
 
+func (a *Allocations) Stop(alloc *Allocation, q *QueryOptions) (*AllocStopResponse, error) {
+	var resp AllocStopResponse
+	_, err := a.client.putQuery("/v1/allocation/"+alloc.ID+"/stop", nil, &resp, q)
+	return &resp, err
+}
+
+// AllocStopResponse is the response to an `AllocStopRequest`
+type AllocStopResponse struct {
+	// EvalID is the id of the follow up evalution for the rescheduled alloc.
+	EvalID string
+
+	WriteMeta
+}
+
+func (a *Allocations) Signal(alloc *Allocation, q *QueryOptions, task, signal string) error {
+	nodeClient, err := a.client.GetNodeClient(alloc.NodeID, q)
+	if err != nil {
+		return err
+	}
+
+	req := AllocSignalRequest{
+		Signal: signal,
+		Task:   task,
+	}
+
+	var resp GenericResponse
+	_, err = nodeClient.putQuery("/v1/client/allocation/"+alloc.ID+"/signal", &req, &resp, q)
+	return err
+}
+
 // Allocation is used for serialization of allocations.
 type Allocation struct {
 	ID                    string
@@ -155,28 +407,30 @@ type NodeScoreMeta struct {
 // AllocationListStub is used to return a subset of an allocation
 // during list operations.
 type AllocationListStub struct {
-	ID                 string
-	EvalID             string
-	Name               string
-	Namespace          string
-	NodeID             string
-	NodeName           string
-	JobID              string
-	JobType            string
-	JobVersion         uint64
-	TaskGroup          string
-	DesiredStatus      string
-	DesiredDescription string
-	ClientStatus       string
-	ClientDescription  string
-	TaskStates         map[string]*TaskState
-	DeploymentStatus   *AllocDeploymentStatus
-	FollowupEvalID     string
-	RescheduleTracker  *RescheduleTracker
-	CreateIndex        uint64
-	ModifyIndex        uint64
-	CreateTime         int64
-	ModifyTime         int64
+	ID                    string
+	EvalID                string
+	Name                  string
+	Namespace             string
+	NodeID                string
+	NodeName              string
+	JobID                 string
+	JobType               string
+	JobVersion            uint64
+	TaskGroup             string
+	DesiredStatus         string
+	DesiredDescription    string
+	ClientStatus          string
+	ClientDescription     string
+	TaskStates            map[string]*TaskState
+	DeploymentStatus      *AllocDeploymentStatus
+	FollowupEvalID        string
+	RescheduleTracker     *RescheduleTracker
+	PreemptedAllocations  []string
+	PreemptedByAllocation string
+	CreateIndex           uint64
+	ModifyIndex           uint64
+	CreateTime            int64
+	ModifyTime            int64
 }
 
 // AllocDeploymentStatus captures the status of the allocation as part of the
@@ -201,7 +455,8 @@ type AllocatedTaskResources struct {
 }
 
 type AllocatedSharedResources struct {
-	DiskMB int64
+	DiskMB   int64
+	Networks []*NetworkResource
 }
 
 type AllocatedCpuResources struct {
@@ -260,6 +515,17 @@ type AllocationRestartRequest struct {
 	TaskName string
 }
 
+type AllocSignalRequest struct {
+	Task   string
+	Signal string
+}
+
+// GenericResponse is used to respond to a request where no
+// specific response information is needed.
+type GenericResponse struct {
+	WriteMeta
+}
+
 // RescheduleTracker encapsulates previous reschedule events
 type RescheduleTracker struct {
 	Events []*RescheduleEvent
@@ -294,3 +560,42 @@ type DesiredTransition struct {
 func (d DesiredTransition) ShouldMigrate() bool {
 	return d.Migrate != nil && *d.Migrate
 }
+
+// ExecStreamingIOOperation represents a stream write operation: either appending data or close (exclusively)
+type ExecStreamingIOOperation struct {
+	Data  []byte `json:"data,omitempty"`
+	Close bool   `json:"close,omitempty"`
+}
+
+// TerminalSize represents the size of the terminal
+type TerminalSize struct {
+	Height int `json:"height,omitempty"`
+	Width  int `json:"width,omitempty"`
+}
+
+var execStreamingInputHeartbeat = ExecStreamingInput{}
+
+// ExecStreamingInput represents user input to be sent to nomad exec handler.
+//
+// At most one field should be set.
+type ExecStreamingInput struct {
+	Stdin   *ExecStreamingIOOperation `json:"stdin,omitempty"`
+	TTYSize *TerminalSize             `json:"tty_size,omitempty"`
+}
+
+// ExecStreamingExitResults captures the exit code of just completed nomad exec command
+type ExecStreamingExitResult struct {
+	ExitCode int `json:"exit_code"`
+}
+
+// ExecStreamingInput represents an output streaming entity, e.g. stdout/stderr update or termination
+//
+// At most one of these fields should be set: `Stdout`, `Stderr`, or `Result`.
+// If `Exited` is true, then `Result` is non-nil, and other fields are nil.
+type ExecStreamingOutput struct {
+	Stdout *ExecStreamingIOOperation `json:"stdout,omitempty"`
+	Stderr *ExecStreamingIOOperation `json:"stderr,omitempty"`
+
+	Exited bool                     `json:"exited,omitempty"`
+	Result *ExecStreamingExitResult `json:"result,omitempty"`
+}
diff --git a/vendor/github.com/hashicorp/nomad/api/api.go b/vendor/github.com/hashicorp/nomad/api/api.go
index 03ede6e5f1b9..3951ed13d63a 100644
--- a/vendor/github.com/hashicorp/nomad/api/api.go
+++ b/vendor/github.com/hashicorp/nomad/api/api.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/gorilla/websocket"
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	rootcerts "github.com/hashicorp/go-rootcerts"
 )
@@ -120,8 +121,11 @@ type Config struct {
 	// Namespace to use. If not provided the default namespace is used.
 	Namespace string
 
-	// httpClient is the client to use. Default will be used if not provided.
-	httpClient *http.Client
+	// HttpClient is the client to use. Default will be used if not provided.
+	//
+	// If set, it expected to be configured for tls already, and TLSConfig is ignored.
+	// You may use ConfigureTLS() function to aid with initialization.
+	HttpClient *http.Client
 
 	// HttpAuth is the auth info to use for http access.
 	HttpAuth *HttpBasicAuth
@@ -131,7 +135,9 @@ type Config struct {
 	WaitTime time.Duration
 
 	// TLSConfig provides the various TLS related configurations for the http
-	// client
+	// client.
+	//
+	// TLSConfig is ignored if HttpClient is set.
 	TLSConfig *TLSConfig
 }
 
@@ -142,12 +148,11 @@ func (c *Config) ClientConfig(region, address string, tlsEnabled bool) *Config {
 	if tlsEnabled {
 		scheme = "https"
 	}
-	defaultConfig := DefaultConfig()
 	config := &Config{
 		Address:    fmt.Sprintf("%s://%s", scheme, address),
 		Region:     region,
 		Namespace:  c.Namespace,
-		httpClient: defaultConfig.httpClient,
+		HttpClient: c.HttpClient,
 		SecretID:   c.SecretID,
 		HttpAuth:   c.HttpAuth,
 		WaitTime:   c.WaitTime,
@@ -173,12 +178,22 @@ type TLSConfig struct {
 	// the Nomad server SSL certificate.
 	CAPath string
 
+	// CACertPem is the PEM-encoded CA cert to use to verify the Nomad server
+	// SSL certificate.
+	CACertPEM []byte
+
 	// ClientCert is the path to the certificate for Nomad communication
 	ClientCert string
 
+	// ClientCertPEM is the PEM-encoded certificate for Nomad communication
+	ClientCertPEM []byte
+
 	// ClientKey is the path to the private key for Nomad communication
 	ClientKey string
 
+	// ClientKeyPEM is the PEM-encoded private key for Nomad communication
+	ClientKeyPEM []byte
+
 	// TLSServerName, if set, is used to set the SNI host when connecting via
 	// TLS.
 	TLSServerName string
@@ -197,19 +212,23 @@ func (t *TLSConfig) Copy() *TLSConfig {
 	return nt
 }
 
-// DefaultConfig returns a default configuration for the client
-func DefaultConfig() *Config {
-	config := &Config{
-		Address:    "http://127.0.0.1:4646",
-		httpClient: cleanhttp.DefaultClient(),
-		TLSConfig:  &TLSConfig{},
-	}
-	transport := config.httpClient.Transport.(*http.Transport)
+func defaultHttpClient() *http.Client {
+	httpClient := cleanhttp.DefaultClient()
+	transport := httpClient.Transport.(*http.Transport)
 	transport.TLSHandshakeTimeout = 10 * time.Second
 	transport.TLSClientConfig = &tls.Config{
 		MinVersion: tls.VersionTLS12,
 	}
 
+	return httpClient
+}
+
+// DefaultConfig returns a default configuration for the client
+func DefaultConfig() *Config {
+	config := &Config{
+		Address:   "http://127.0.0.1:4646",
+		TLSConfig: &TLSConfig{},
+	}
 	if addr := os.Getenv("NOMAD_ADDR"); addr != "" {
 		config.Address = addr
 	}
@@ -248,6 +267,9 @@ func DefaultConfig() *Config {
 	if v := os.Getenv("NOMAD_CLIENT_KEY"); v != "" {
 		config.TLSConfig.ClientKey = v
 	}
+	if v := os.Getenv("NOMAD_TLS_SERVER_NAME"); v != "" {
+		config.TLSConfig.TLSServerName = v
+	}
 	if v := os.Getenv("NOMAD_SKIP_VERIFY"); v != "" {
 		if insecure, err := strconv.ParseBool(v); err == nil {
 			config.TLSConfig.Insecure = insecure
@@ -259,49 +281,83 @@ func DefaultConfig() *Config {
 	return config
 }
 
-// SetTimeout is used to place a timeout for connecting to Nomad. A negative
-// duration is ignored, a duration of zero means no timeout, and any other value
-// will add a timeout.
-func (c *Config) SetTimeout(t time.Duration) error {
-	if c == nil {
-		return fmt.Errorf("nil config")
-	} else if c.httpClient == nil {
-		return fmt.Errorf("nil HTTP client")
-	} else if c.httpClient.Transport == nil {
-		return fmt.Errorf("nil HTTP client transport")
+// cloneWithTimeout returns a cloned httpClient with set timeout if positive;
+// otherwise, returns the same client
+func cloneWithTimeout(httpClient *http.Client, t time.Duration) (*http.Client, error) {
+	if httpClient == nil {
+		return nil, fmt.Errorf("nil HTTP client")
+	} else if httpClient.Transport == nil {
+		return nil, fmt.Errorf("nil HTTP client transport")
 	}
 
-	// Apply a timeout.
-	if t.Nanoseconds() >= 0 {
-		transport, ok := c.httpClient.Transport.(*http.Transport)
-		if !ok {
-			return fmt.Errorf("unexpected HTTP transport: %T", c.httpClient.Transport)
-		}
+	if t.Nanoseconds() < 0 {
+		return httpClient, nil
+	}
 
-		transport.DialContext = (&net.Dialer{
-			Timeout:   t,
-			KeepAlive: 30 * time.Second,
-		}).DialContext
+	tr, ok := httpClient.Transport.(*http.Transport)
+	if !ok {
+		return nil, fmt.Errorf("unexpected HTTP transport: %T", httpClient.Transport)
 	}
 
-	return nil
+	// copy all public fields, to avoid copying transient state and locks
+	ntr := &http.Transport{
+		Proxy:                  tr.Proxy,
+		DialContext:            tr.DialContext,
+		Dial:                   tr.Dial,
+		DialTLS:                tr.DialTLS,
+		TLSClientConfig:        tr.TLSClientConfig,
+		TLSHandshakeTimeout:    tr.TLSHandshakeTimeout,
+		DisableKeepAlives:      tr.DisableKeepAlives,
+		DisableCompression:     tr.DisableCompression,
+		MaxIdleConns:           tr.MaxIdleConns,
+		MaxIdleConnsPerHost:    tr.MaxIdleConnsPerHost,
+		MaxConnsPerHost:        tr.MaxConnsPerHost,
+		IdleConnTimeout:        tr.IdleConnTimeout,
+		ResponseHeaderTimeout:  tr.ResponseHeaderTimeout,
+		ExpectContinueTimeout:  tr.ExpectContinueTimeout,
+		TLSNextProto:           tr.TLSNextProto,
+		ProxyConnectHeader:     tr.ProxyConnectHeader,
+		MaxResponseHeaderBytes: tr.MaxResponseHeaderBytes,
+	}
+
+	// apply timeout
+	ntr.DialContext = (&net.Dialer{
+		Timeout:   t,
+		KeepAlive: 30 * time.Second,
+	}).DialContext
+
+	// clone http client with new transport
+	nc := *httpClient
+	nc.Transport = ntr
+	return &nc, nil
 }
 
 // ConfigureTLS applies a set of TLS configurations to the the HTTP client.
-func (c *Config) ConfigureTLS() error {
-	if c.TLSConfig == nil {
+func ConfigureTLS(httpClient *http.Client, tlsConfig *TLSConfig) error {
+	if tlsConfig == nil {
 		return nil
 	}
-	if c.httpClient == nil {
+	if httpClient == nil {
 		return fmt.Errorf("config HTTP Client must be set")
 	}
 
 	var clientCert tls.Certificate
 	foundClientCert := false
-	if c.TLSConfig.ClientCert != "" || c.TLSConfig.ClientKey != "" {
-		if c.TLSConfig.ClientCert != "" && c.TLSConfig.ClientKey != "" {
+	if tlsConfig.ClientCert != "" || tlsConfig.ClientKey != "" {
+		if tlsConfig.ClientCert != "" && tlsConfig.ClientKey != "" {
 			var err error
-			clientCert, err = tls.LoadX509KeyPair(c.TLSConfig.ClientCert, c.TLSConfig.ClientKey)
+			clientCert, err = tls.LoadX509KeyPair(tlsConfig.ClientCert, tlsConfig.ClientKey)
+			if err != nil {
+				return err
+			}
+			foundClientCert = true
+		} else {
+			return fmt.Errorf("Both client cert and client key must be provided")
+		}
+	} else if len(tlsConfig.ClientCertPEM) != 0 || len(tlsConfig.ClientKeyPEM) != 0 {
+		if len(tlsConfig.ClientCertPEM) != 0 && len(tlsConfig.ClientKeyPEM) != 0 {
+			var err error
+			clientCert, err = tls.X509KeyPair(tlsConfig.ClientCertPEM, tlsConfig.ClientKeyPEM)
 			if err != nil {
 				return err
 			}
@@ -311,22 +367,23 @@ func (c *Config) ConfigureTLS() error {
 		}
 	}
 
-	clientTLSConfig := c.httpClient.Transport.(*http.Transport).TLSClientConfig
+	clientTLSConfig := httpClient.Transport.(*http.Transport).TLSClientConfig
 	rootConfig := &rootcerts.Config{
-		CAFile: c.TLSConfig.CACert,
-		CAPath: c.TLSConfig.CAPath,
+		CAFile:        tlsConfig.CACert,
+		CAPath:        tlsConfig.CAPath,
+		CACertificate: tlsConfig.CACertPEM,
 	}
 	if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
 		return err
 	}
 
-	clientTLSConfig.InsecureSkipVerify = c.TLSConfig.Insecure
+	clientTLSConfig.InsecureSkipVerify = tlsConfig.Insecure
 
 	if foundClientCert {
 		clientTLSConfig.Certificates = []tls.Certificate{clientCert}
 	}
-	if c.TLSConfig.TLSServerName != "" {
-		clientTLSConfig.ServerName = c.TLSConfig.TLSServerName
+	if tlsConfig.TLSServerName != "" {
+		clientTLSConfig.ServerName = tlsConfig.TLSServerName
 	}
 
 	return nil
@@ -334,7 +391,8 @@ func (c *Config) ConfigureTLS() error {
 
 // Client provides a client to the Nomad API
 type Client struct {
-	config Config
+	httpClient *http.Client
+	config     Config
 }
 
 // NewClient returns a new client
@@ -348,17 +406,17 @@ func NewClient(config *Config) (*Client, error) {
 		return nil, fmt.Errorf("invalid address '%s': %v", config.Address, err)
 	}
 
-	if config.httpClient == nil {
-		config.httpClient = defConfig.httpClient
-	}
-
-	// Configure the TLS configurations
-	if err := config.ConfigureTLS(); err != nil {
-		return nil, err
+	httpClient := config.HttpClient
+	if httpClient == nil {
+		httpClient = defaultHttpClient()
+		if err := ConfigureTLS(httpClient, config.TLSConfig); err != nil {
+			return nil, err
+		}
 	}
 
 	client := &Client{
-		config: *config,
+		config:     *config,
+		httpClient: httpClient,
 	}
 	return client, nil
 }
@@ -420,15 +478,20 @@ func (c *Client) getNodeClientImpl(nodeID string, timeout time.Duration, q *Quer
 		// If the client is configured for a particular region use that
 		region = c.config.Region
 	default:
-		// No region information is given so use the default.
-		region = "global"
+		// No region information is given so use GlobalRegion as the default.
+		region = GlobalRegion
 	}
 
 	// Get an API client for the node
 	conf := c.config.ClientConfig(region, node.HTTPAddr, node.TLSEnabled)
 
-	// Set the timeout
-	conf.SetTimeout(timeout)
+	// set timeout - preserve old behavior where errors are ignored and use untimed one
+	httpClient, err := cloneWithTimeout(c.httpClient, timeout)
+	// on error, fallback to using current http client
+	if err != nil {
+		httpClient = c.httpClient
+	}
+	conf.HttpClient = httpClient
 
 	return NewClient(conf)
 }
@@ -554,10 +617,11 @@ func (c *Client) newRequest(method, path string) (*request, error) {
 		config: &c.config,
 		method: method,
 		url: &url.URL{
-			Scheme: base.Scheme,
-			User:   base.User,
-			Host:   base.Host,
-			Path:   u.Path,
+			Scheme:  base.Scheme,
+			User:    base.User,
+			Host:    base.Host,
+			Path:    u.Path,
+			RawPath: u.RawPath,
 		},
 		params: make(map[string][]string),
 	}
@@ -611,7 +675,7 @@ func (c *Client) doRequest(r *request) (time.Duration, *http.Response, error) {
 		return 0, nil, err
 	}
 	start := time.Now()
-	resp, err := c.config.httpClient.Do(req)
+	resp, err := c.httpClient.Do(req)
 	diff := time.Now().Sub(start)
 
 	// If the response is compressed, we swap the body's reader.
@@ -655,6 +719,72 @@ func (c *Client) rawQuery(endpoint string, q *QueryOptions) (io.ReadCloser, erro
 	return resp.Body, nil
 }
 
+// websocket makes a websocket request to the specific endpoint
+func (c *Client) websocket(endpoint string, q *QueryOptions) (*websocket.Conn, *http.Response, error) {
+
+	transport, ok := c.httpClient.Transport.(*http.Transport)
+	if !ok {
+		return nil, nil, fmt.Errorf("unsupported transport")
+	}
+	dialer := websocket.Dialer{
+		ReadBufferSize:   4096,
+		WriteBufferSize:  4096,
+		HandshakeTimeout: c.httpClient.Timeout,
+
+		// values to inherit from http client configuration
+		NetDial:         transport.Dial,
+		NetDialContext:  transport.DialContext,
+		Proxy:           transport.Proxy,
+		TLSClientConfig: transport.TLSClientConfig,
+	}
+
+	// build request object for header and parameters
+	r, err := c.newRequest("GET", endpoint)
+	if err != nil {
+		return nil, nil, err
+	}
+	r.setQueryOptions(q)
+
+	rhttp, err := r.toHTTP()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// convert scheme
+	wsScheme := ""
+	switch rhttp.URL.Scheme {
+	case "http":
+		wsScheme = "ws"
+	case "https":
+		wsScheme = "wss"
+	default:
+		return nil, nil, fmt.Errorf("unsupported scheme: %v", rhttp.URL.Scheme)
+	}
+	rhttp.URL.Scheme = wsScheme
+
+	conn, resp, err := dialer.Dial(rhttp.URL.String(), rhttp.Header)
+
+	// check resp status code, as it's more informative than handshake error we get from ws library
+	if resp != nil && resp.StatusCode != 101 {
+		var buf bytes.Buffer
+
+		if resp.Header.Get("Content-Encoding") == "gzip" {
+			greader, err := gzip.NewReader(resp.Body)
+			if err != nil {
+				return nil, nil, fmt.Errorf("Unexpected response code: %d", resp.StatusCode)
+			}
+			io.Copy(&buf, greader)
+		} else {
+			io.Copy(&buf, resp.Body)
+		}
+		resp.Body.Close()
+
+		return nil, nil, fmt.Errorf("Unexpected response code: %d (%s)", resp.StatusCode, buf.Bytes())
+	}
+
+	return conn, resp, err
+}
+
 // query is used to do a GET request against an endpoint
 // and deserialize the response into an interface using
 // standard Nomad conventions.
diff --git a/vendor/github.com/hashicorp/nomad/api/constraint.go b/vendor/github.com/hashicorp/nomad/api/constraint.go
index ec3a37a64148..3233a3bfdcd0 100644
--- a/vendor/github.com/hashicorp/nomad/api/constraint.go
+++ b/vendor/github.com/hashicorp/nomad/api/constraint.go
@@ -1,5 +1,18 @@
 package api
 
+const (
+	ConstraintDistinctProperty  = "distinct_property"
+	ConstraintDistinctHosts     = "distinct_hosts"
+	ConstraintRegex             = "regexp"
+	ConstraintVersion           = "version"
+	ConstraintSemver            = "semver"
+	ConstraintSetContains       = "set_contains"
+	ConstraintSetContainsAll    = "set_contains_all"
+	ConstraintSetContainsAny    = "set_contains_any"
+	ConstraintAttributeIsSet    = "is_set"
+	ConstraintAttributeIsNotSet = "is_not_set"
+)
+
 // Constraint is used to serialize a job placement constraint.
 type Constraint struct {
 	LTarget string
diff --git a/vendor/github.com/hashicorp/nomad/api/evaluations.go b/vendor/github.com/hashicorp/nomad/api/evaluations.go
index f8ec94329235..c8404dfc4c6a 100644
--- a/vendor/github.com/hashicorp/nomad/api/evaluations.go
+++ b/vendor/github.com/hashicorp/nomad/api/evaluations.go
@@ -80,6 +80,8 @@ type Evaluation struct {
 	SnapshotIndex        uint64
 	CreateIndex          uint64
 	ModifyIndex          uint64
+	CreateTime           int64
+	ModifyTime           int64
 }
 
 // EvalIndexSort is a wrapper to sort evaluations by CreateIndex.
diff --git a/vendor/github.com/hashicorp/nomad/api/fs.go b/vendor/github.com/hashicorp/nomad/api/fs.go
index 107e553030cf..e5340c9668ba 100644
--- a/vendor/github.com/hashicorp/nomad/api/fs.go
+++ b/vendor/github.com/hashicorp/nomad/api/fs.go
@@ -20,11 +20,12 @@ const (
 
 // AllocFileInfo holds information about a file inside the AllocDir
 type AllocFileInfo struct {
-	Name     string
-	IsDir    bool
-	Size     int64
-	FileMode string
-	ModTime  time.Time
+	Name        string
+	IsDir       bool
+	Size        int64
+	FileMode    string
+	ModTime     time.Time
+	ContentType string
 }
 
 // StreamFrame is used to frame data of a file when streaming
@@ -91,72 +92,24 @@ func (a *AllocFS) Stat(alloc *Allocation, path string, q *QueryOptions) (*AllocF
 // ReadAt is used to read bytes at a given offset until limit at the given path
 // in an allocation directory. If limit is <= 0, there is no limit.
 func (a *AllocFS) ReadAt(alloc *Allocation, path string, offset int64, limit int64, q *QueryOptions) (io.ReadCloser, error) {
-	nodeClient, err := a.client.GetNodeClientWithTimeout(alloc.NodeID, ClientConnTimeout, q)
-	if err != nil {
-		return nil, err
-	}
-
-	if q == nil {
-		q = &QueryOptions{}
-	}
-	if q.Params == nil {
-		q.Params = make(map[string]string)
-	}
-
-	q.Params["path"] = path
-	q.Params["offset"] = strconv.FormatInt(offset, 10)
-	q.Params["limit"] = strconv.FormatInt(limit, 10)
-
 	reqPath := fmt.Sprintf("/v1/client/fs/readat/%s", alloc.ID)
-	r, err := nodeClient.rawQuery(reqPath, q)
-	if err != nil {
-		// There was a networking error when talking directly to the client.
-		if _, ok := err.(net.Error); !ok {
-			return nil, err
-		}
 
-		// Try via the server
-		r, err = a.client.rawQuery(reqPath, q)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return r, nil
+	return queryClientNode(a.client, alloc, reqPath, q,
+		func(q *QueryOptions) {
+			q.Params["path"] = path
+			q.Params["offset"] = strconv.FormatInt(offset, 10)
+			q.Params["limit"] = strconv.FormatInt(limit, 10)
+		})
 }
 
 // Cat is used to read contents of a file at the given path in an allocation
 // directory
 func (a *AllocFS) Cat(alloc *Allocation, path string, q *QueryOptions) (io.ReadCloser, error) {
-	nodeClient, err := a.client.GetNodeClientWithTimeout(alloc.NodeID, ClientConnTimeout, q)
-	if err != nil {
-		return nil, err
-	}
-
-	if q == nil {
-		q = &QueryOptions{}
-	}
-	if q.Params == nil {
-		q.Params = make(map[string]string)
-	}
-
-	q.Params["path"] = path
 	reqPath := fmt.Sprintf("/v1/client/fs/cat/%s", alloc.ID)
-	r, err := nodeClient.rawQuery(reqPath, q)
-	if err != nil {
-		// There was a networking error when talking directly to the client.
-		if _, ok := err.(net.Error); !ok {
-			return nil, err
-		}
-
-		// Try via the server
-		r, err = a.client.rawQuery(reqPath, q)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return r, nil
+	return queryClientNode(a.client, alloc, reqPath, q,
+		func(q *QueryOptions) {
+			q.Params["path"] = path
+		})
 }
 
 // Stream streams the content of a file blocking on EOF.
@@ -171,38 +124,17 @@ func (a *AllocFS) Stream(alloc *Allocation, path, origin string, offset int64,
 	cancel <-chan struct{}, q *QueryOptions) (<-chan *StreamFrame, <-chan error) {
 
 	errCh := make(chan error, 1)
-	nodeClient, err := a.client.GetNodeClientWithTimeout(alloc.NodeID, ClientConnTimeout, q)
-	if err != nil {
-		errCh <- err
-		return nil, errCh
-	}
-
-	if q == nil {
-		q = &QueryOptions{}
-	}
-	if q.Params == nil {
-		q.Params = make(map[string]string)
-	}
-
-	q.Params["path"] = path
-	q.Params["offset"] = strconv.FormatInt(offset, 10)
-	q.Params["origin"] = origin
 
 	reqPath := fmt.Sprintf("/v1/client/fs/stream/%s", alloc.ID)
-	r, err := nodeClient.rawQuery(reqPath, q)
+	r, err := queryClientNode(a.client, alloc, reqPath, q,
+		func(q *QueryOptions) {
+			q.Params["path"] = path
+			q.Params["offset"] = strconv.FormatInt(offset, 10)
+			q.Params["origin"] = origin
+		})
 	if err != nil {
-		// There was a networking error when talking directly to the client.
-		if _, ok := err.(net.Error); !ok {
-			errCh <- err
-			return nil, errCh
-		}
-
-		// Try via the server
-		r, err = a.client.rawQuery(reqPath, q)
-		if err != nil {
-			errCh <- err
-			return nil, errCh
-		}
+		errCh <- err
+		return nil, errCh
 	}
 
 	// Create the output channel
@@ -243,6 +175,40 @@ func (a *AllocFS) Stream(alloc *Allocation, path, origin string, offset int64,
 	return frames, errCh
 }
 
+func queryClientNode(c *Client, alloc *Allocation, reqPath string, q *QueryOptions, customizeQ func(*QueryOptions)) (io.ReadCloser, error) {
+	nodeClient, _ := c.GetNodeClientWithTimeout(alloc.NodeID, ClientConnTimeout, q)
+
+	if q == nil {
+		q = &QueryOptions{}
+	}
+	if q.Params == nil {
+		q.Params = make(map[string]string)
+	}
+	if customizeQ != nil {
+		customizeQ(q)
+	}
+
+	var r io.ReadCloser
+	var err error
+
+	if nodeClient != nil {
+		r, err = nodeClient.rawQuery(reqPath, q)
+		if _, ok := err.(net.Error); err != nil && !ok {
+			// found a non networking error talking to client directly
+			return nil, err
+		}
+
+	}
+
+	// failed to query node, access through server directly
+	// or network error when talking to the client directly
+	if r == nil {
+		return c.rawQuery(reqPath, q)
+	}
+
+	return r, err
+}
+
 // Logs streams the content of a tasks logs blocking on EOF.
 // The parameters are:
 // * allocation: the allocation to stream from.
@@ -263,42 +229,20 @@ func (a *AllocFS) Logs(alloc *Allocation, follow bool, task, logType, origin str
 
 	errCh := make(chan error, 1)
 
-	nodeClient, err := a.client.GetNodeClientWithTimeout(alloc.NodeID, ClientConnTimeout, q)
+	reqPath := fmt.Sprintf("/v1/client/fs/logs/%s", alloc.ID)
+	r, err := queryClientNode(a.client, alloc, reqPath, q,
+		func(q *QueryOptions) {
+			q.Params["follow"] = strconv.FormatBool(follow)
+			q.Params["task"] = task
+			q.Params["type"] = logType
+			q.Params["origin"] = origin
+			q.Params["offset"] = strconv.FormatInt(offset, 10)
+		})
 	if err != nil {
 		errCh <- err
 		return nil, errCh
 	}
 
-	if q == nil {
-		q = &QueryOptions{}
-	}
-	if q.Params == nil {
-		q.Params = make(map[string]string)
-	}
-
-	q.Params["follow"] = strconv.FormatBool(follow)
-	q.Params["task"] = task
-	q.Params["type"] = logType
-	q.Params["origin"] = origin
-	q.Params["offset"] = strconv.FormatInt(offset, 10)
-
-	reqPath := fmt.Sprintf("/v1/client/fs/logs/%s", alloc.ID)
-	r, err := nodeClient.rawQuery(reqPath, q)
-	if err != nil {
-		// There was a networking error when talking directly to the client.
-		if _, ok := err.(net.Error); !ok {
-			errCh <- err
-			return nil, errCh
-		}
-
-		// Try via the server
-		r, err = a.client.rawQuery(reqPath, q)
-		if err != nil {
-			errCh <- err
-			return nil, errCh
-		}
-	}
-
 	// Create the output channel
 	frames := make(chan *StreamFrame, 10)
 
diff --git a/vendor/github.com/hashicorp/nomad/api/go.mod b/vendor/github.com/hashicorp/nomad/api/go.mod
index dd8d5f43f22e..75514eeb6250 100644
--- a/vendor/github.com/hashicorp/nomad/api/go.mod
+++ b/vendor/github.com/hashicorp/nomad/api/go.mod
@@ -5,9 +5,9 @@ go 1.12
 require (
 	github.com/docker/go-units v0.3.3
 	github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
+	github.com/gorilla/websocket v1.4.1
 	github.com/hashicorp/go-cleanhttp v0.5.1
-	github.com/hashicorp/go-rootcerts v1.0.0
-	github.com/hashicorp/go-uuid v1.0.1
+	github.com/hashicorp/go-rootcerts v1.0.2
 	github.com/kr/pretty v0.1.0
 	github.com/mitchellh/go-testing-interface v1.0.0
 	github.com/stretchr/testify v1.3.0
diff --git a/vendor/github.com/hashicorp/nomad/api/go.sum b/vendor/github.com/hashicorp/nomad/api/go.sum
index c7297afe3956..b9745b0c08bb 100644
--- a/vendor/github.com/hashicorp/nomad/api/go.sum
+++ b/vendor/github.com/hashicorp/nomad/api/go.sum
@@ -4,12 +4,14 @@ github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75 h1:f0n1xnMSmBLzVfsMMvriDyA75NB/oBgILX2GcHXIQzY=
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
+github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
+github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-rootcerts v1.0.0 h1:Rqb66Oo1X/eSV1x66xbDccZjhJigjg0+e82kpwzSwCI=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
-github.com/hashicorp/go-uuid v1.0.1 h1:fv1ep09latC32wFoVwnqcnKJGnMSdBanPczbHAYm1BE=
-github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -17,6 +19,8 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/mitchellh/go-homedir v1.0.0 h1:vKb8ShqSby24Yrqr/yDYkuFz8d0WUjys40rvnGC8aR0=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
diff --git a/vendor/github.com/hashicorp/nomad/api/jobs.go b/vendor/github.com/hashicorp/nomad/api/jobs.go
index aa74406d429d..e12709143aeb 100644
--- a/vendor/github.com/hashicorp/nomad/api/jobs.go
+++ b/vendor/github.com/hashicorp/nomad/api/jobs.go
@@ -25,6 +25,13 @@ const (
 
 	// DefaultNamespace is the default namespace.
 	DefaultNamespace = "default"
+
+	// For Job configuration, GlobalRegion is a sentinel region value
+	// that users may specify to indicate the job should be run on
+	// the region of the node that the job was submitted to.
+	// For Client configuration, if no region information is given,
+	// the client node will default to be part of the GlobalRegion.
+	GlobalRegion = "global"
 )
 
 const (
@@ -139,7 +146,7 @@ func (j *Jobs) PrefixList(prefix string) ([]*JobListStub, *QueryMeta, error) {
 // job given its unique ID.
 func (j *Jobs) Info(jobID string, q *QueryOptions) (*Job, *QueryMeta, error) {
 	var resp Job
-	qm, err := j.client.query("/v1/job/"+jobID, &resp, q)
+	qm, err := j.client.query("/v1/job/"+url.PathEscape(jobID), &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -150,7 +157,7 @@ func (j *Jobs) Info(jobID string, q *QueryOptions) (*Job, *QueryMeta, error) {
 // unique ID.
 func (j *Jobs) Versions(jobID string, diffs bool, q *QueryOptions) ([]*Job, []*JobDiff, *QueryMeta, error) {
 	var resp JobVersionsResponse
-	qm, err := j.client.query(fmt.Sprintf("/v1/job/%s/versions?diffs=%v", jobID, diffs), &resp, q)
+	qm, err := j.client.query(fmt.Sprintf("/v1/job/%s/versions?diffs=%v", url.PathEscape(jobID), diffs), &resp, q)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -160,7 +167,7 @@ func (j *Jobs) Versions(jobID string, diffs bool, q *QueryOptions) ([]*Job, []*J
 // Allocations is used to return the allocs for a given job ID.
 func (j *Jobs) Allocations(jobID string, allAllocs bool, q *QueryOptions) ([]*AllocationListStub, *QueryMeta, error) {
 	var resp []*AllocationListStub
-	u, err := url.Parse("/v1/job/" + jobID + "/allocations")
+	u, err := url.Parse("/v1/job/" + url.PathEscape(jobID) + "/allocations")
 	if err != nil {
 		return nil, nil, err
 	}
@@ -179,9 +186,17 @@ func (j *Jobs) Allocations(jobID string, allAllocs bool, q *QueryOptions) ([]*Al
 
 // Deployments is used to query the deployments associated with the given job
 // ID.
-func (j *Jobs) Deployments(jobID string, q *QueryOptions) ([]*Deployment, *QueryMeta, error) {
+func (j *Jobs) Deployments(jobID string, all bool, q *QueryOptions) ([]*Deployment, *QueryMeta, error) {
 	var resp []*Deployment
-	qm, err := j.client.query("/v1/job/"+jobID+"/deployments", &resp, q)
+	u, err := url.Parse("/v1/job/" + url.PathEscape(jobID) + "/deployments")
+	if err != nil {
+		return nil, nil, err
+	}
+
+	v := u.Query()
+	v.Add("all", strconv.FormatBool(all))
+	u.RawQuery = v.Encode()
+	qm, err := j.client.query(u.String(), &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -193,7 +208,7 @@ func (j *Jobs) Deployments(jobID string, q *QueryOptions) ([]*Deployment, *Query
 // the given job ID.
 func (j *Jobs) LatestDeployment(jobID string, q *QueryOptions) (*Deployment, *QueryMeta, error) {
 	var resp *Deployment
-	qm, err := j.client.query("/v1/job/"+jobID+"/deployment", &resp, q)
+	qm, err := j.client.query("/v1/job/"+url.PathEscape(jobID)+"/deployment", &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -204,7 +219,7 @@ func (j *Jobs) LatestDeployment(jobID string, q *QueryOptions) (*Deployment, *Qu
 // ID.
 func (j *Jobs) Evaluations(jobID string, q *QueryOptions) ([]*Evaluation, *QueryMeta, error) {
 	var resp []*Evaluation
-	qm, err := j.client.query("/v1/job/"+jobID+"/evaluations", &resp, q)
+	qm, err := j.client.query("/v1/job/"+url.PathEscape(jobID)+"/evaluations", &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -217,7 +232,7 @@ func (j *Jobs) Evaluations(jobID string, q *QueryOptions) ([]*Evaluation, *Query
 // eventually GC'ed from the system. Most callers should not specify purge.
 func (j *Jobs) Deregister(jobID string, purge bool, q *WriteOptions) (string, *WriteMeta, error) {
 	var resp JobDeregisterResponse
-	wm, err := j.client.delete(fmt.Sprintf("/v1/job/%v?purge=%t", jobID, purge), &resp, q)
+	wm, err := j.client.delete(fmt.Sprintf("/v1/job/%v?purge=%t", url.PathEscape(jobID), purge), &resp, q)
 	if err != nil {
 		return "", nil, err
 	}
@@ -227,7 +242,7 @@ func (j *Jobs) Deregister(jobID string, purge bool, q *WriteOptions) (string, *W
 // ForceEvaluate is used to force-evaluate an existing job.
 func (j *Jobs) ForceEvaluate(jobID string, q *WriteOptions) (string, *WriteMeta, error) {
 	var resp JobRegisterResponse
-	wm, err := j.client.write("/v1/job/"+jobID+"/evaluate", nil, &resp, q)
+	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/evaluate", nil, &resp, q)
 	if err != nil {
 		return "", nil, err
 	}
@@ -243,7 +258,7 @@ func (j *Jobs) EvaluateWithOpts(jobID string, opts EvalOptions, q *WriteOptions)
 	}
 
 	var resp JobRegisterResponse
-	wm, err := j.client.write("/v1/job/"+jobID+"/evaluate", req, &resp, q)
+	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/evaluate", req, &resp, q)
 	if err != nil {
 		return "", nil, err
 	}
@@ -253,7 +268,7 @@ func (j *Jobs) EvaluateWithOpts(jobID string, opts EvalOptions, q *WriteOptions)
 // PeriodicForce spawns a new instance of the periodic job and returns the eval ID
 func (j *Jobs) PeriodicForce(jobID string, q *WriteOptions) (string, *WriteMeta, error) {
 	var resp periodicForceResponse
-	wm, err := j.client.write("/v1/job/"+jobID+"/periodic/force", nil, &resp, q)
+	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/periodic/force", nil, &resp, q)
 	if err != nil {
 		return "", nil, err
 	}
@@ -286,7 +301,7 @@ func (j *Jobs) PlanOpts(job *Job, opts *PlanOptions, q *WriteOptions) (*JobPlanR
 	}
 
 	var resp JobPlanResponse
-	wm, err := j.client.write("/v1/job/"+*job.ID+"/plan", req, &resp, q)
+	wm, err := j.client.write("/v1/job/"+url.PathEscape(*job.ID)+"/plan", req, &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -295,7 +310,7 @@ func (j *Jobs) PlanOpts(job *Job, opts *PlanOptions, q *WriteOptions) (*JobPlanR
 
 func (j *Jobs) Summary(jobID string, q *QueryOptions) (*JobSummary, *QueryMeta, error) {
 	var resp JobSummary
-	qm, err := j.client.query("/v1/job/"+jobID+"/summary", &resp, q)
+	qm, err := j.client.query("/v1/job/"+url.PathEscape(jobID)+"/summary", &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -310,7 +325,7 @@ func (j *Jobs) Dispatch(jobID string, meta map[string]string,
 		Meta:    meta,
 		Payload: payload,
 	}
-	wm, err := j.client.write("/v1/job/"+jobID+"/dispatch", req, &resp, q)
+	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/dispatch", req, &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -330,7 +345,7 @@ func (j *Jobs) Revert(jobID string, version uint64, enforcePriorVersion *uint64,
 		EnforcePriorVersion: enforcePriorVersion,
 		VaultToken:          vaultToken,
 	}
-	wm, err := j.client.write("/v1/job/"+jobID+"/revert", req, &resp, q)
+	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/revert", req, &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -347,7 +362,7 @@ func (j *Jobs) Stable(jobID string, version uint64, stable bool,
 		JobVersion: version,
 		Stable:     stable,
 	}
-	wm, err := j.client.write("/v1/job/"+jobID+"/stable", req, &resp, q)
+	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/stable", req, &resp, q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -367,8 +382,9 @@ type UpdateStrategy struct {
 	MinHealthyTime   *time.Duration `mapstructure:"min_healthy_time"`
 	HealthyDeadline  *time.Duration `mapstructure:"healthy_deadline"`
 	ProgressDeadline *time.Duration `mapstructure:"progress_deadline"`
-	AutoRevert       *bool          `mapstructure:"auto_revert"`
 	Canary           *int           `mapstructure:"canary"`
+	AutoRevert       *bool          `mapstructure:"auto_revert"`
+	AutoPromote      *bool          `mapstructure:"auto_promote"`
 }
 
 // DefaultUpdateStrategy provides a baseline that can be used to upgrade
@@ -383,6 +399,7 @@ func DefaultUpdateStrategy() *UpdateStrategy {
 		ProgressDeadline: timeToPtr(10 * time.Minute),
 		AutoRevert:       boolToPtr(false),
 		Canary:           intToPtr(0),
+		AutoPromote:      boolToPtr(false),
 	}
 }
 
@@ -425,6 +442,10 @@ func (u *UpdateStrategy) Copy() *UpdateStrategy {
 		copy.Canary = intToPtr(*u.Canary)
 	}
 
+	if u.AutoPromote != nil {
+		copy.AutoPromote = boolToPtr(*u.AutoPromote)
+	}
+
 	return copy
 }
 
@@ -464,6 +485,10 @@ func (u *UpdateStrategy) Merge(o *UpdateStrategy) {
 	if o.Canary != nil {
 		u.Canary = intToPtr(*o.Canary)
 	}
+
+	if o.AutoPromote != nil {
+		u.AutoPromote = boolToPtr(*o.AutoPromote)
+	}
 }
 
 func (u *UpdateStrategy) Canonicalize() {
@@ -500,6 +525,10 @@ func (u *UpdateStrategy) Canonicalize() {
 	if u.Canary == nil {
 		u.Canary = d.Canary
 	}
+
+	if u.AutoPromote == nil {
+		u.AutoPromote = d.AutoPromote
+	}
 }
 
 // Empty returns whether the UpdateStrategy is empty or has user defined values.
@@ -536,6 +565,10 @@ func (u *UpdateStrategy) Empty() bool {
 		return false
 	}
 
+	if u.AutoPromote != nil && *u.AutoPromote {
+		return false
+	}
+
 	if u.Canary != nil && *u.Canary != 0 {
 		return false
 	}
@@ -678,7 +711,7 @@ func (j *Job) Canonicalize() {
 		j.Stop = boolToPtr(false)
 	}
 	if j.Region == nil {
-		j.Region = stringToPtr("global")
+		j.Region = stringToPtr(GlobalRegion)
 	}
 	if j.Namespace == nil {
 		j.Namespace = stringToPtr("default")
@@ -718,6 +751,8 @@ func (j *Job) Canonicalize() {
 	}
 	if j.Update != nil {
 		j.Update.Canonicalize()
+	} else if *j.Type == JobTypeService {
+		j.Update = DefaultUpdateStrategy()
 	}
 
 	for _, tg := range j.TaskGroups {
diff --git a/vendor/github.com/hashicorp/nomad/api/nodes.go b/vendor/github.com/hashicorp/nomad/api/nodes.go
index ed768760e689..4a264eb4d330 100644
--- a/vendor/github.com/hashicorp/nomad/api/nodes.go
+++ b/vendor/github.com/hashicorp/nomad/api/nodes.go
@@ -126,7 +126,7 @@ func (m *MonitorMessage) String() string {
 
 // MonitorDrain emits drain related events on the returned string channel. The
 // channel will be closed when all allocations on the draining node have
-// stopped or the context is canceled.
+// stopped, when an error occurs, or if the context is canceled.
 func (n *Nodes) MonitorDrain(ctx context.Context, nodeID string, index uint64, ignoreSys bool) <-chan *MonitorMessage {
 	outCh := make(chan *MonitorMessage, 8)
 	nodeCh := make(chan *MonitorMessage, 1)
@@ -335,7 +335,7 @@ func (n *Nodes) monitorDrainAllocs(ctx context.Context, nodeID string, ignoreSys
 
 		// Exit if all allocs are terminal
 		if runningAllocs == 0 {
-			msg := Messagef(MonitorMsgLevelInfo, "All allocations on node %q have stopped.", nodeID)
+			msg := Messagef(MonitorMsgLevelInfo, "All allocations on node %q have stopped", nodeID)
 			select {
 			case allocCh <- msg:
 			case <-ctx.Done():
@@ -436,6 +436,12 @@ type DriverInfo struct {
 	UpdateTime        time.Time
 }
 
+// HostVolumeInfo is used to return metadata about a given HostVolume.
+type HostVolumeInfo struct {
+	Path     string
+	ReadOnly bool
+}
+
 // Node is used to deserialize a node entry.
 type Node struct {
 	ID                    string
@@ -459,6 +465,7 @@ type Node struct {
 	StatusUpdatedAt       int64
 	Events                []*NodeEvent
 	Drivers               map[string]*DriverInfo
+	HostVolumes           map[string]*HostVolumeInfo
 	CreateIndex           uint64
 	ModifyIndex           uint64
 }
@@ -514,6 +521,9 @@ type DrainStrategy struct {
 	// ForceDeadline is the deadline time for the drain after which drains will
 	// be forced
 	ForceDeadline time.Time
+
+	// StartedAt is the time the drain process started
+	StartedAt time.Time
 }
 
 // DrainSpec describes a Node's drain behavior.
diff --git a/vendor/github.com/hashicorp/nomad/api/operator.go b/vendor/github.com/hashicorp/nomad/api/operator.go
index db6dffdd6b2a..72d8fbdd2484 100644
--- a/vendor/github.com/hashicorp/nomad/api/operator.go
+++ b/vendor/github.com/hashicorp/nomad/api/operator.go
@@ -139,7 +139,9 @@ type SchedulerSetConfigurationResponse struct {
 
 // PreemptionConfig specifies whether preemption is enabled based on scheduler type
 type PreemptionConfig struct {
-	SystemSchedulerEnabled bool
+	SystemSchedulerEnabled  bool
+	BatchSchedulerEnabled   bool
+	ServiceSchedulerEnabled bool
 }
 
 // SchedulerGetConfiguration is used to query the current Scheduler configuration.
diff --git a/vendor/github.com/hashicorp/nomad/api/resources.go b/vendor/github.com/hashicorp/nomad/api/resources.go
index c0c0a4fc7c73..cbd24c4bf813 100644
--- a/vendor/github.com/hashicorp/nomad/api/resources.go
+++ b/vendor/github.com/hashicorp/nomad/api/resources.go
@@ -86,11 +86,13 @@ func (r *Resources) Merge(other *Resources) {
 type Port struct {
 	Label string
 	Value int `mapstructure:"static"`
+	To    int `mapstructure:"to"`
 }
 
 // NetworkResource is used to describe required network
 // resources of a given task.
 type NetworkResource struct {
+	Mode          string
 	Device        string
 	CIDR          string
 	IP            string
@@ -105,6 +107,14 @@ func (n *NetworkResource) Canonicalize() {
 	}
 }
 
+func (n *NetworkResource) HasPorts() bool {
+	if n == nil {
+		return false
+	}
+
+	return len(n.ReservedPorts)+len(n.DynamicPorts) > 0
+}
+
 // NodeDeviceResource captures a set of devices sharing a common
 // vendor/type/device_name tuple.
 type NodeDeviceResource struct {
diff --git a/vendor/github.com/hashicorp/nomad/api/services.go b/vendor/github.com/hashicorp/nomad/api/services.go
new file mode 100644
index 000000000000..8630126ceb4a
--- /dev/null
+++ b/vendor/github.com/hashicorp/nomad/api/services.go
@@ -0,0 +1,179 @@
+package api
+
+import (
+	"fmt"
+	"time"
+)
+
+// CheckRestart describes if and when a task should be restarted based on
+// failing health checks.
+type CheckRestart struct {
+	Limit          int            `mapstructure:"limit"`
+	Grace          *time.Duration `mapstructure:"grace"`
+	IgnoreWarnings bool           `mapstructure:"ignore_warnings"`
+}
+
+// Canonicalize CheckRestart fields if not nil.
+func (c *CheckRestart) Canonicalize() {
+	if c == nil {
+		return
+	}
+
+	if c.Grace == nil {
+		c.Grace = timeToPtr(1 * time.Second)
+	}
+}
+
+// Copy returns a copy of CheckRestart or nil if unset.
+func (c *CheckRestart) Copy() *CheckRestart {
+	if c == nil {
+		return nil
+	}
+
+	nc := new(CheckRestart)
+	nc.Limit = c.Limit
+	if c.Grace != nil {
+		g := *c.Grace
+		nc.Grace = &g
+	}
+	nc.IgnoreWarnings = c.IgnoreWarnings
+	return nc
+}
+
+// Merge values from other CheckRestart over default values on this
+// CheckRestart and return merged copy.
+func (c *CheckRestart) Merge(o *CheckRestart) *CheckRestart {
+	if c == nil {
+		// Just return other
+		return o
+	}
+
+	nc := c.Copy()
+
+	if o == nil {
+		// Nothing to merge
+		return nc
+	}
+
+	if o.Limit > 0 {
+		nc.Limit = o.Limit
+	}
+
+	if o.Grace != nil {
+		nc.Grace = o.Grace
+	}
+
+	if o.IgnoreWarnings {
+		nc.IgnoreWarnings = o.IgnoreWarnings
+	}
+
+	return nc
+}
+
+// ServiceCheck represents the consul health check that Nomad registers.
+type ServiceCheck struct {
+	//FIXME Id is unused. Remove?
+	Id            string
+	Name          string
+	Type          string
+	Command       string
+	Args          []string
+	Path          string
+	Protocol      string
+	PortLabel     string `mapstructure:"port"`
+	AddressMode   string `mapstructure:"address_mode"`
+	Interval      time.Duration
+	Timeout       time.Duration
+	InitialStatus string `mapstructure:"initial_status"`
+	TLSSkipVerify bool   `mapstructure:"tls_skip_verify"`
+	Header        map[string][]string
+	Method        string
+	CheckRestart  *CheckRestart `mapstructure:"check_restart"`
+	GRPCService   string        `mapstructure:"grpc_service"`
+	GRPCUseTLS    bool          `mapstructure:"grpc_use_tls"`
+	TaskName      string        `mapstructure:"task"`
+}
+
+// Service represents a Consul service definition.
+type Service struct {
+	//FIXME Id is unused. Remove?
+	Id           string
+	Name         string
+	Tags         []string
+	CanaryTags   []string `mapstructure:"canary_tags"`
+	PortLabel    string   `mapstructure:"port"`
+	AddressMode  string   `mapstructure:"address_mode"`
+	Checks       []ServiceCheck
+	CheckRestart *CheckRestart `mapstructure:"check_restart"`
+	Connect      *ConsulConnect
+	Meta         map[string]string
+}
+
+// Canonicalize the Service by ensuring its name and address mode are set. Task
+// will be nil for group services.
+func (s *Service) Canonicalize(t *Task, tg *TaskGroup, job *Job) {
+	if s.Name == "" {
+		if t != nil {
+			s.Name = fmt.Sprintf("%s-%s-%s", *job.Name, *tg.Name, t.Name)
+		} else {
+			s.Name = fmt.Sprintf("%s-%s", *job.Name, *tg.Name)
+		}
+	}
+
+	// Default to AddressModeAuto
+	if s.AddressMode == "" {
+		s.AddressMode = "auto"
+	}
+
+	// Canonicalize CheckRestart on Checks and merge Service.CheckRestart
+	// into each check.
+	for i, check := range s.Checks {
+		s.Checks[i].CheckRestart = s.CheckRestart.Merge(check.CheckRestart)
+		s.Checks[i].CheckRestart.Canonicalize()
+	}
+}
+
+// ConsulConnect represents a Consul Connect jobspec stanza.
+type ConsulConnect struct {
+	Native         bool
+	SidecarService *ConsulSidecarService `mapstructure:"sidecar_service"`
+	SidecarTask    *SidecarTask          `mapstructure:"sidecar_task"`
+}
+
+// ConsulSidecarService represents a Consul Connect SidecarService jobspec
+// stanza.
+type ConsulSidecarService struct {
+	Tags  []string
+	Port  string
+	Proxy *ConsulProxy
+}
+
+// SidecarTask represents a subset of Task fields that can be set to override
+// the fields of the Task generated for the sidecar
+type SidecarTask struct {
+	Name          string
+	Driver        string
+	User          string
+	Config        map[string]interface{}
+	Env           map[string]string
+	Resources     *Resources
+	Meta          map[string]string
+	KillTimeout   *time.Duration `mapstructure:"kill_timeout"`
+	LogConfig     *LogConfig     `mapstructure:"logs"`
+	ShutdownDelay *time.Duration `mapstructure:"shutdown_delay"`
+	KillSignal    string         `mapstructure:"kill_signal"`
+}
+
+// ConsulProxy represents a Consul Connect sidecar proxy jobspec stanza.
+type ConsulProxy struct {
+	LocalServiceAddress string `mapstructure:"local_service_address"`
+	LocalServicePort    int    `mapstructure:"local_service_port"`
+	Upstreams           []*ConsulUpstream
+	Config              map[string]interface{}
+}
+
+// ConsulUpstream represents a Consul Connect upstream jobspec stanza.
+type ConsulUpstream struct {
+	DestinationName string `mapstructure:"destination_name"`
+	LocalBindPort   int    `mapstructure:"local_bind_port"`
+}
diff --git a/vendor/github.com/hashicorp/nomad/api/tasks.go b/vendor/github.com/hashicorp/nomad/api/tasks.go
index a55e90f45a18..f9ad7856bb42 100644
--- a/vendor/github.com/hashicorp/nomad/api/tasks.go
+++ b/vendor/github.com/hashicorp/nomad/api/tasks.go
@@ -274,124 +274,6 @@ func (s *Spread) Canonicalize() {
 	}
 }
 
-// CheckRestart describes if and when a task should be restarted based on
-// failing health checks.
-type CheckRestart struct {
-	Limit          int            `mapstructure:"limit"`
-	Grace          *time.Duration `mapstructure:"grace"`
-	IgnoreWarnings bool           `mapstructure:"ignore_warnings"`
-}
-
-// Canonicalize CheckRestart fields if not nil.
-func (c *CheckRestart) Canonicalize() {
-	if c == nil {
-		return
-	}
-
-	if c.Grace == nil {
-		c.Grace = timeToPtr(1 * time.Second)
-	}
-}
-
-// Copy returns a copy of CheckRestart or nil if unset.
-func (c *CheckRestart) Copy() *CheckRestart {
-	if c == nil {
-		return nil
-	}
-
-	nc := new(CheckRestart)
-	nc.Limit = c.Limit
-	if c.Grace != nil {
-		g := *c.Grace
-		nc.Grace = &g
-	}
-	nc.IgnoreWarnings = c.IgnoreWarnings
-	return nc
-}
-
-// Merge values from other CheckRestart over default values on this
-// CheckRestart and return merged copy.
-func (c *CheckRestart) Merge(o *CheckRestart) *CheckRestart {
-	if c == nil {
-		// Just return other
-		return o
-	}
-
-	nc := c.Copy()
-
-	if o == nil {
-		// Nothing to merge
-		return nc
-	}
-
-	if o.Limit > 0 {
-		nc.Limit = o.Limit
-	}
-
-	if o.Grace != nil {
-		nc.Grace = o.Grace
-	}
-
-	if o.IgnoreWarnings {
-		nc.IgnoreWarnings = o.IgnoreWarnings
-	}
-
-	return nc
-}
-
-// The ServiceCheck data model represents the consul health check that
-// Nomad registers for a Task
-type ServiceCheck struct {
-	Id            string
-	Name          string
-	Type          string
-	Command       string
-	Args          []string
-	Path          string
-	Protocol      string
-	PortLabel     string `mapstructure:"port"`
-	AddressMode   string `mapstructure:"address_mode"`
-	Interval      time.Duration
-	Timeout       time.Duration
-	InitialStatus string `mapstructure:"initial_status"`
-	TLSSkipVerify bool   `mapstructure:"tls_skip_verify"`
-	Header        map[string][]string
-	Method        string
-	CheckRestart  *CheckRestart `mapstructure:"check_restart"`
-	GRPCService   string        `mapstructure:"grpc_service"`
-	GRPCUseTLS    bool          `mapstructure:"grpc_use_tls"`
-}
-
-// The Service model represents a Consul service definition
-type Service struct {
-	Id           string
-	Name         string
-	Tags         []string
-	CanaryTags   []string `mapstructure:"canary_tags"`
-	PortLabel    string   `mapstructure:"port"`
-	AddressMode  string   `mapstructure:"address_mode"`
-	Checks       []ServiceCheck
-	CheckRestart *CheckRestart `mapstructure:"check_restart"`
-}
-
-func (s *Service) Canonicalize(t *Task, tg *TaskGroup, job *Job) {
-	if s.Name == "" {
-		s.Name = fmt.Sprintf("%s-%s-%s", *job.Name, *tg.Name, t.Name)
-	}
-
-	// Default to AddressModeAuto
-	if s.AddressMode == "" {
-		s.AddressMode = "auto"
-	}
-
-	// Canonicalize CheckRestart on Checks and merge Service.CheckRestart
-	// into each check.
-	for i, check := range s.Checks {
-		s.Checks[i].CheckRestart = s.CheckRestart.Merge(check.CheckRestart)
-		s.Checks[i].CheckRestart.Canonicalize()
-	}
-}
-
 // EphemeralDisk is an ephemeral disk object
 type EphemeralDisk struct {
 	Sticky  *bool
@@ -480,6 +362,38 @@ func (m *MigrateStrategy) Copy() *MigrateStrategy {
 	return nm
 }
 
+// VolumeRequest is a representation of a storage volume that a TaskGroup wishes to use.
+type VolumeRequest struct {
+	Name     string
+	Type     string
+	Source   string
+	ReadOnly bool `mapstructure:"read_only"`
+}
+
+const (
+	VolumeMountPropagationPrivate       = "private"
+	VolumeMountPropagationHostToTask    = "host-to-task"
+	VolumeMountPropagationBidirectional = "bidirectional"
+)
+
+// VolumeMount represents the relationship between a destination path in a task
+// and the task group volume that should be mounted there.
+type VolumeMount struct {
+	Volume          *string
+	Destination     *string
+	ReadOnly        *bool   `mapstructure:"read_only"`
+	PropagationMode *string `mapstructure:"propagation_mode"`
+}
+
+func (vm *VolumeMount) Canonicalize() {
+	if vm.PropagationMode == nil {
+		vm.PropagationMode = stringToPtr(VolumeMountPropagationPrivate)
+	}
+	if vm.ReadOnly == nil {
+		vm.ReadOnly = boolToPtr(false)
+	}
+}
+
 // TaskGroup is the unit of scheduling.
 type TaskGroup struct {
 	Name             *string
@@ -488,12 +402,16 @@ type TaskGroup struct {
 	Affinities       []*Affinity
 	Tasks            []*Task
 	Spreads          []*Spread
+	Volumes          map[string]*VolumeRequest
 	RestartPolicy    *RestartPolicy
 	ReschedulePolicy *ReschedulePolicy
 	EphemeralDisk    *EphemeralDisk
 	Update           *UpdateStrategy
 	Migrate          *MigrateStrategy
+	Networks         []*NetworkResource
 	Meta             map[string]string
+	Services         []*Service
+	ShutdownDelay    *time.Duration `mapstructure:"shutdown_delay"`
 }
 
 // NewTaskGroup creates a new TaskGroup.
@@ -504,6 +422,7 @@ func NewTaskGroup(name string, count int) *TaskGroup {
 	}
 }
 
+// Canonicalize sets defaults and merges settings that should be inherited from the job
 func (g *TaskGroup) Canonicalize(job *Job) {
 	if g.Name == nil {
 		g.Name = stringToPtr("")
@@ -563,13 +482,11 @@ func (g *TaskGroup) Canonicalize(job *Job) {
 	}
 
 	// Merge with default reschedule policy
-	if *job.Type == "service" {
-		defaultMigrateStrategy := &MigrateStrategy{}
-		defaultMigrateStrategy.Canonicalize()
-		if g.Migrate != nil {
-			defaultMigrateStrategy.Merge(g.Migrate)
-		}
-		g.Migrate = defaultMigrateStrategy
+	if g.Migrate == nil && *job.Type == "service" {
+		g.Migrate = &MigrateStrategy{}
+	}
+	if g.Migrate != nil {
+		g.Migrate.Canonicalize()
 	}
 
 	var defaultRestartPolicy *RestartPolicy
@@ -605,6 +522,12 @@ func (g *TaskGroup) Canonicalize(job *Job) {
 	for _, a := range g.Affinities {
 		a.Canonicalize()
 	}
+	for _, n := range g.Networks {
+		n.Canonicalize()
+	}
+	for _, s := range g.Services {
+		s.Canonicalize(nil, g, job)
+	}
 }
 
 // Constrain is used to add a constraint to a task group.
@@ -691,9 +614,11 @@ type Task struct {
 	Vault           *Vault
 	Templates       []*Template
 	DispatchPayload *DispatchPayloadConfig
+	VolumeMounts    []*VolumeMount
 	Leader          bool
 	ShutdownDelay   time.Duration `mapstructure:"shutdown_delay"`
 	KillSignal      string        `mapstructure:"kill_signal"`
+	Kind            string
 }
 
 func (t *Task) Canonicalize(tg *TaskGroup, job *Job) {
@@ -724,6 +649,9 @@ func (t *Task) Canonicalize(tg *TaskGroup, job *Job) {
 	for _, a := range t.Affinities {
 		a.Canonicalize()
 	}
+	for _, vm := range t.VolumeMounts {
+		vm.Canonicalize()
+	}
 }
 
 // TaskArtifact is used to download artifacts before running a task.
diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/region.go b/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/region.go
index 7ab0c21e1cd8..727c3b91044d 100644
--- a/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/region.go
+++ b/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/region.go
@@ -14,7 +14,8 @@ import (
 // is a widely used region, and is the most common one for some services like STS.
 const DefaultRegion = "us-east-1"
 
-var ec2MetadataBaseURL = "http://169.254.169.254"
+// This is nil by default, but is exposed in case it needs to be changed for tests.
+var ec2Endpoint *string
 
 /*
 It's impossible to mimic "normal" AWS behavior here because it's not consistent
@@ -54,7 +55,7 @@ func GetRegion(configuredRegion string) (string, error) {
 	}
 
 	metadata := ec2metadata.New(sess, &aws.Config{
-		Endpoint:                          aws.String(ec2MetadataBaseURL + "/latest"),
+		Endpoint:                          ec2Endpoint,
 		EC2MetadataDisableTimeoutOverride: aws.Bool(true),
 		HTTPClient: &http.Client{
 			Timeout: time.Second,
@@ -68,6 +69,5 @@ func GetRegion(configuredRegion string) (string, error) {
 	if err != nil {
 		return "", errwrap.Wrapf("unable to retrieve region from instance metadata: {{err}}", err)
 	}
-
 	return region, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6d346d48dc1b..af8f3b09e05b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -278,6 +278,8 @@ github.com/google/uuid
 github.com/googleapis/gax-go/v2
 # github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
 github.com/gorhill/cronexpr
+# github.com/gorilla/websocket v1.4.1
+github.com/gorilla/websocket
 # github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed
 github.com/hailocab/go-hostpool
 # github.com/hashicorp/consul-template v0.22.0
@@ -328,7 +330,7 @@ github.com/hashicorp/go-raftchunking
 github.com/hashicorp/go-raftchunking/types
 # github.com/hashicorp/go-retryablehttp v0.6.2
 github.com/hashicorp/go-retryablehttp
-# github.com/hashicorp/go-rootcerts v1.0.1
+# github.com/hashicorp/go-rootcerts v1.0.2
 github.com/hashicorp/go-rootcerts
 # github.com/hashicorp/go-sockaddr v1.0.2
 github.com/hashicorp/go-sockaddr
@@ -388,7 +390,7 @@ github.com/hashicorp/hcl/json/scanner
 github.com/hashicorp/hcl/json/token
 # github.com/hashicorp/logutils v1.0.0
 github.com/hashicorp/logutils
-# github.com/hashicorp/nomad/api v0.0.0-20190412184103-1c38ced33adf
+# github.com/hashicorp/nomad/api v0.0.0-20191220223628-edc62acd919d
 github.com/hashicorp/nomad/api
 github.com/hashicorp/nomad/api/contexts
 # github.com/hashicorp/raft v1.1.2-0.20191002163536-9c6bd3e3eb17
diff --git a/website/.editorconfig b/website/.editorconfig
new file mode 100644
index 000000000000..36bf83fdb5ad
--- /dev/null
+++ b/website/.editorconfig
@@ -0,0 +1,18 @@
+# This file is for unifying the coding style for different editors and IDEs
+# editorconfig.org
+
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+
+[Makefile]
+indent_style = tab
+
+[{*.md,*.json}]
+max_line_length = null
diff --git a/website/.eslintrc.js b/website/.eslintrc.js
new file mode 100644
index 000000000000..4431fc84d71b
--- /dev/null
+++ b/website/.eslintrc.js
@@ -0,0 +1,5 @@
+module.exports = {
+  ...require('@hashicorp/nextjs-scripts/.eslintrc.js'),
+  /* Specify overrides here */
+  ignorePatterns: ['public/']
+}
diff --git a/website/.gitignore b/website/.gitignore
new file mode 100644
index 000000000000..1d23ce1de18e
--- /dev/null
+++ b/website/.gitignore
@@ -0,0 +1,5 @@
+node_modules
+.DS_Store
+.next
+out
+.mdx-data
diff --git a/website/.node-version b/website/.node-version
deleted file mode 100644
index 348076b955bb..000000000000
--- a/website/.node-version
+++ /dev/null
@@ -1 +0,0 @@
-10.15.3
diff --git a/website/.npm-upgrade.json b/website/.npm-upgrade.json
new file mode 100644
index 000000000000..64068b68188e
--- /dev/null
+++ b/website/.npm-upgrade.json
@@ -0,0 +1,8 @@
+{
+  "ignore": {
+    "marked": {
+      "versions": "0.8.0",
+      "reason": "breaks IE"
+    }
+  }
+}
diff --git a/website/.prettierrc b/website/.prettierrc
deleted file mode 100644
index b2095be81e4e..000000000000
--- a/website/.prettierrc
+++ /dev/null
@@ -1,4 +0,0 @@
-{
-  "semi": false,
-  "singleQuote": true
-}
diff --git a/website/Dockerfile b/website/Dockerfile
new file mode 100644
index 000000000000..182f4fb587e8
--- /dev/null
+++ b/website/Dockerfile
@@ -0,0 +1,7 @@
+FROM node:10.16.3-alpine
+RUN apk add --update --no-cache git make g++ automake autoconf libtool nasm libpng-dev
+
+COPY ./package.json /website/package.json
+COPY ./package-lock.json /website/package-lock.json
+WORKDIR /website
+RUN npm install
diff --git a/website/Gemfile b/website/Gemfile
deleted file mode 100644
index 426581c79882..000000000000
--- a/website/Gemfile
+++ /dev/null
@@ -1,9 +0,0 @@
-source "https://rubygems.org"
-
-gem 'middleman', '~> 4.2'
-gem 'middleman-hashicorp', git: 'https://github.com/carrot/middleman-hashicorp'
-# gem 'middleman-hashicorp', path: '/Users/jeff/Sites/middleman-hashicorp-carrot'
-gem 'builder'
-gem 'tzinfo-data', platforms: [:mswin, :mingw, :jruby]
-gem 'wdm', '~> 0.1', platforms: [:mswin, :mingw]
-gem 'middleman-dato'
diff --git a/website/Gemfile.lock b/website/Gemfile.lock
deleted file mode 100644
index 7c145fb54888..000000000000
--- a/website/Gemfile.lock
+++ /dev/null
@@ -1,175 +0,0 @@
-GIT
-  remote: https://github.com/carrot/middleman-hashicorp
-  revision: a1e3615e8f7d1c3c798d1ec7d7040ff1ba565c0f
-  specs:
-    middleman-hashicorp (0.3.28)
-      activesupport (~> 5.0)
-      middleman (~> 4.2)
-      middleman-dato
-      middleman-livereload (~> 3.4)
-      middleman-syntax (~> 3.0)
-      nokogiri (~> 1.8)
-      redcarpet (~> 3.3)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    activesupport (5.0.7.2)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    backports (3.15.0)
-    builder (3.2.3)
-    cacert (0.5.0)
-    coffee-script (2.4.1)
-      coffee-script-source
-      execjs
-    coffee-script-source (1.12.2)
-    concurrent-ruby (1.1.5)
-    contracts (0.13.0)
-    dato (0.7.7)
-      activesupport (>= 4.2.7)
-      addressable
-      cacert
-      dato_json_schema
-      dotenv
-      faraday (>= 0.9.0)
-      faraday_middleware (>= 0.9.0)
-      imgix (>= 0.3.1)
-      listen
-      mime-types
-      pusher-client
-      thor
-      toml
-    dato_json_schema (0.20.8)
-    dotenv (2.1.0)
-    em-websocket (0.5.1)
-      eventmachine (>= 0.12.9)
-      http_parser.rb (~> 0.6.0)
-    erubis (2.7.0)
-    eventmachine (1.2.7)
-    execjs (2.7.0)
-    faraday (0.17.0)
-      multipart-post (>= 1.2, < 3)
-    faraday_middleware (0.13.1)
-      faraday (>= 0.7.4, < 1.0)
-    fast_blank (1.0.0)
-    fastimage (2.1.7)
-    ffi (1.11.1)
-    haml (5.1.2)
-      temple (>= 0.8.0)
-      tilt
-    hamster (3.0.0)
-      concurrent-ruby (~> 1.0)
-    hashie (3.6.0)
-    http_parser.rb (0.6.0)
-    i18n (0.9.5)
-      concurrent-ruby (~> 1.0)
-    imgix (3.1.1)
-      addressable
-    json (2.2.0)
-    kramdown (1.17.0)
-    listen (3.0.8)
-      rb-fsevent (~> 0.9, >= 0.9.4)
-      rb-inotify (~> 0.9, >= 0.9.7)
-    memoist (0.16.0)
-    middleman (4.3.5)
-      coffee-script (~> 2.2)
-      haml (>= 4.0.5)
-      kramdown (~> 1.2)
-      middleman-cli (= 4.3.5)
-      middleman-core (= 4.3.5)
-    middleman-cli (4.3.5)
-      thor (>= 0.17.0, < 2.0)
-    middleman-core (4.3.5)
-      activesupport (>= 4.2, < 5.1)
-      addressable (~> 2.3)
-      backports (~> 3.6)
-      bundler
-      contracts (~> 0.13.0)
-      dotenv
-      erubis
-      execjs (~> 2.0)
-      fast_blank
-      fastimage (~> 2.0)
-      hamster (~> 3.0)
-      hashie (~> 3.4)
-      i18n (~> 0.9.0)
-      listen (~> 3.0.0)
-      memoist (~> 0.14)
-      padrino-helpers (~> 0.13.0)
-      parallel
-      rack (>= 1.4.5, < 3)
-      sassc (~> 2.0)
-      servolux
-      tilt (~> 2.0.9)
-      uglifier (~> 3.0)
-    middleman-dato (0.9.0)
-      activesupport
-      dato (>= 0.7.0)
-      dotenv (<= 2.1)
-      middleman-core (>= 4.1.10)
-    middleman-livereload (3.4.6)
-      em-websocket (~> 0.5.1)
-      middleman-core (>= 3.3)
-      rack-livereload (~> 0.3.15)
-    middleman-syntax (3.2.0)
-      middleman-core (>= 3.2)
-      rouge (~> 3.2)
-    mime-types (3.3)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2019.1009)
-    mini_portile2 (2.4.0)
-    minitest (5.12.2)
-    multipart-post (2.1.1)
-    nokogiri (1.10.4)
-      mini_portile2 (~> 2.4.0)
-    padrino-helpers (0.13.3.4)
-      i18n (~> 0.6, >= 0.6.7)
-      padrino-support (= 0.13.3.4)
-      tilt (>= 1.4.1, < 3)
-    padrino-support (0.13.3.4)
-      activesupport (>= 3.1)
-    parallel (1.18.0)
-    parslet (1.8.2)
-    public_suffix (4.0.1)
-    pusher-client (0.6.2)
-      json
-      websocket (~> 1.0)
-    rack (2.0.7)
-    rack-livereload (0.3.17)
-      rack
-    rb-fsevent (0.10.3)
-    rb-inotify (0.10.0)
-      ffi (~> 1.0)
-    redcarpet (3.5.0)
-    rouge (3.12.0)
-    sassc (2.2.1)
-      ffi (~> 1.9)
-    servolux (0.13.0)
-    temple (0.8.2)
-    thor (0.20.3)
-    thread_safe (0.3.6)
-    tilt (2.0.10)
-    toml (0.2.0)
-      parslet (~> 1.8.0)
-    tzinfo (1.2.5)
-      thread_safe (~> 0.1)
-    uglifier (3.2.0)
-      execjs (>= 0.3.0, < 3)
-    websocket (1.2.8)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  builder
-  bundler (= 2.0.1)
-  middleman (~> 4.2)
-  middleman-dato
-  middleman-hashicorp!
-  tzinfo-data
-  wdm (~> 0.1)
diff --git a/website/LICENSE.md b/website/LICENSE.md
deleted file mode 100644
index 3189f43a6556..000000000000
--- a/website/LICENSE.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Proprietary License
-
-This license is temporary while a more official one is drafted. However,
-this should make it clear:
-
-The text contents of this website are MPL 2.0 licensed.
-
-The design contents of this website are proprietary and may not be reproduced
-or reused in any way other than to run the website locally. The license for
-the design is owned solely by HashiCorp, Inc.
diff --git a/website/Makefile b/website/Makefile
index a85166658198..7d24096d2745 100644
--- a/website/Makefile
+++ b/website/Makefile
@@ -1,32 +1,56 @@
-configure-cache:
-	@mkdir -p tmp/cache .bundle
+# Default: run this if working on the website locally to run in watch mode.
+website:
+	@echo "==> Downloading latest Docker image..."
+	@docker pull hashicorp/vault-website
+	@echo "==> Starting website in Docker..."
+	@docker run \
+		--interactive \
+		--rm \
+		--tty \
+		--workdir "/website" \
+		--volume "$(shell pwd):/website" \
+		--volume "/website/node_modules" \
+		--publish "3000:3000" \
+		hashicorp/vault-website \
+		npm start
 
-build: configure-cache
+# This command will generate a static version of the website to the "out" folder.
+build:
+	@echo "==> Downloading latest Docker image..."
+	@docker pull hashicorp/vault-website
 	@echo "==> Starting build in Docker..."
 	@docker run \
 		--interactive \
 		--rm \
 		--tty \
-		--volume "$(shell pwd):/opt/buildhome/repo" \
-		--volume "$(shell pwd)/tmp/cache:/opt/buildhome/cache" \
-		--user buildbot:$(shell id -g) \
-		--env "ENV=production" \
-		netlify/build \
-		build "sh bootstrap.sh && middleman build --verbose"
+		--workdir "/website" \
+		--volume "$(shell pwd):/website" \
+		--volume "/website/node_modules" \
+		hashicorp/vault-website \
+		npm run static
+
+# If you are changing node dependencies locally, run this to generate a new
+# local Docker image with the dependency changes included.
+build-image:
+	@echo "==> Building Docker image..."
+	@docker build -t hashicorp-vault-website-local .
 
-website: configure-cache
+# Use this if you have run `build-image` to use the locally built image
+# rather than our CI-generated image to test dependency changes.
+website-local:
+	@echo "==> Downloading latest Docker image..."
+	@docker pull hashicorp/vault-website
 	@echo "==> Starting website in Docker..."
 	@docker run \
 		--interactive \
 		--rm \
 		--tty \
-		--volume "$(shell pwd):/opt/buildhome/repo" \
-		--volume "$(shell pwd)/tmp/cache:/opt/buildhome/cache" \
-		--user buildbot:$(shell id -g) \
-		--publish "4567:4567" \
-		--publish "35729:35729" \
-		--env "ENV=production" \
-		netlify/build \
-		build "sh bootstrap.sh && middleman"
+		--workdir "/website" \
+		--volume "$(shell pwd):/website" \
+		--volume "/website/node_modules" \
+		--publish "3000:3000" \
+		hashicorp-vault-website-local \
+		npm start
 
-.PHONY: configure-cache build website
+.DEFAULT_GOAL := website
+.PHONY: build build-image website website-local
diff --git a/website/README.md b/website/README.md
index 9815d0e9a025..99a452fb3d80 100644
--- a/website/README.md
+++ b/website/README.md
@@ -1,48 +1,73 @@
 # Vault Website
 
-This subdirectory contains the entire source for the [Vault Website][vault].
-This is a [Middleman][middleman] project, which builds a static site from these
-source files.
+[![Netlify Status](https://img.shields.io/netlify/f7fa8963-0022-4a0e-9ccf-f5385355906b?style=flat-square)](https://app.netlify.com/sites/vault-docs-platform/deploys)
 
-## Updating Navigation
+This subdirectory contains the entire source for the [Vault Website](https://vaultproject.io/). This is a [NextJS](https://nextjs.org/) project, which builds a static site from these source files.
 
-There are a couple different places on the website that present navigation interfaces with differing levels of detail.
+## Contributions Welcome!
 
-On the homepage, docs index page, and api docs index page, there are grids of major categories [that look like this](https://cl.ly/73df9722848d/Screen%20Shot%202018-11-09%20at%2011.40.56%20AM.png). These major category grids can be updated through [`data/docs_basic_categories.yml`](data/docs_basic_categories.yml) and [`data/api_basic_categories.yml`](data/api_basic_categories.yml).
+If you find a typo or you feel like you can improve the HTML, CSS, or JavaScript, we welcome contributions. Feel free to open issues or pull requests like any normal GitHub project, and we'll merge it in 🚀
 
-On the docs and api index pages, there are more detailed breakdowns of top-level documentation pages within each category [that look like this](https://cl.ly/b05cf42402eb/Screen%20Shot%202018-11-09%20at%2011.43.25%20AM.png). These more detailed category listings can be updated through [`data/docs_detailed_categories.yml`](data/docs_detailed_categories.yml) and [`data/api_detailed_categories.yml`](data/api_detailed_categories.yml).
+## Running the Site Locally
 
-Finally, within a given docs page, there is a sidebar which displays a fully nested version of all docs pages. This sidebar navigation can be updated through via middleman's layouts, found at [`source/layouts/docs.erb`](source/layouts/docs.erb) and [`source/layouts/api.erb`](source/layouts/api.erb). You will see within these files that it is no longer necessary to type out full nested html list item and link tags, you can simply add the documentation page's slug, defined as `sidebar_current` within the frontmatter of any docs markdown file. The sidebar nav component will go find the page by slug and render out its human-readable title and a link for you. This component does not allow broken links or nesting mistakes, so if you make a typo on the slug or put a page in the wrong category, the build will fail.
+The website can be run locally through node.js or Docker. If you choose to run through Docker, everything will be a little bit slower due to the additional overhead, so for frequent contributors it may be worth it to use node. Also if you are a vim user, it's also worth noting that vim's swapfile usage can cause issues for the live reload functionality. In order to avoid these issues, make sure you have run `:set backupcopy=yes` within vim.
 
-## Contributions Welcome!
+### With Docker
 
-If you find a typo or you feel like you can improve the HTML, CSS, or
-JavaScript, we welcome contributions. Feel free to open issues or pull requests
-like any normal GitHub project, and we'll merge it in.
+Running the site locally is simple. Provided you have Docker installed, clone this repo, run `make`, and then visit `http://localhost:3000`.
 
-## Running the Site Locally
+The docker image is pre-built with all the website dependencies installed, which is what makes it so quick and simple, but also means if you need to change dependencies and test the changes within Docker, you'll need a new image. If this is something you need to do, you can run `make build-image` to generate a local Docker image with updated dependencies, then `make website-local` to use that image and preview.
+
+### With Node
+
+If your local development environment has a supported version (v10.0.0+) of [node installed](https://nodejs.org/en/) you can run:
+
+- `npm install`
+- `npm start`
+
+and then visit `http://localhost:3000`.
+
+If you pull down new code from github, you should run `npm install` again. Otherwise, there's no need to re-run `npm install` each time the site is run, you can just run `npm start` to get it going.
+
+## Editing Content
+
+Documentation content is written in [Markdown](https://www.markdownguide.org/cheat-sheet/) and you'll find all files listed under the `/pages` directory.
+
+To create a new page with Markdown, create a file ending in `.mdx` in the `pages/` directory. The path in the pages directory will be the URL route. For example, `pages/hello/world.mdx` will be served from the `/hello/world` URL.
+
+This file can be standard Markdown and also supports [YAML frontmatter](https://middlemanapp.com/basics/frontmatter/). YAML frontmatter is optional, there are defaults for all keys.
+
+```yaml
+---
+title: 'My Title'
+description: "A thorough, yet succinct description of the page's contents"
+---
+
+```
+
+The significant keys in the YAML frontmatter are:
+
+- `title` `(string)` - This is the title of the page that will be set in the HTML title.
+- `description` `(string)` - This is a description of the page that will be set in the HTML description.
+
+> ⚠️Since `api` is a reserved directory within NextJS, all `/api/**` pages are listed under the `/pages/api-docs` path.
 
-When running the site locally, you can choose between running it directly on your machine, or running it through Docker. Docker has the advantage of requiring only Docker to be installed - no other dependencies are needed on your machine. However, Docker's overhead makes the site's compilation perform much slower than running it directly on your machine. If you are a frequent contributor, are bothered by the performance in Docker, or have no issues with installing ruby and node / already have them installed, it might be an advantage to try running the site directly on your machine. Instructions for both approaches are included below.
+### Editing Sidebars
 
-### Running the Site with Docker
+The structure of the sidebars are controlled by files in the [`/data` directory](data).
 
-First, make sure that [docker](docker) is installed. It can be installed in many ways, [the desktop app](docker-desktop) is the simplest. To run the site, clone this repo down, `cd` into the `website` directory, and run `make website`. If it is your first time running the site, the build will take a little longer as it needs to download a docker image and a bunch of dependencies, so maybe go grab a coffee. On subsequent runs, it will be faster as dependencies are cached.
+- Edit [this file](data/docs-navigation.js) to change the **docs** sidebar
+- Edit [this file](data/docs-navigation.js) to change the **api docs** sidebar
 
-### Running the Site Directly
+To nest sidebar items, you'll want to add a new `category` key/value accompanied by the appropriate embedded `content` values.
 
-This site requires a recent version of ruby as well as nodejs to be installed in order to run. There are [many ways to install ruby](https://www.ruby-lang.org/en/documentation/installation/), we recommend [rbenv](rbenv), which has very clear installation instructions in its readme, linked here, and installing ruby version `2.4.3`. Once ruby has been installed, you will need to install `bundler` as well, using `gem install bundler`. Node is quite easy to install [via universal binary](node) or [homebrew](homebrew) if you are a mac user.
+- `category` values will be **directory names** within the `pages` directory
+- `content` values will be **file names** within their appropriately nested directory.
 
-Once ruby and node have been installed, within this directory, you can run `sh bootstrap.sh` to install all the dependencies needed to run the site, then run `middleman` to start the dev server.
+### Creating New Pages
 
-### Browsing the Site Locally
+There is currently a small bug with new page creation - if you create a new page and link it up via subnav data while the server is running, it will report an error saying the page was not found. This can be resolved by restarting the server.
 
-Once you have the local dev server running, head to `http://localhost:4567` in your browser. Note that for some URLs, you may need to append
-".html" to make them work (in the navigation).
+### Deployment
 
-[middleman]: https://www.middlemanapp.com
-[vault]: https://www.vaultproject.io
-[docker]: https://www.docker.com/
-[docker-desktop]: https://www.docker.com/products/docker-desktop
-[rbenv]: https://github.com/rbenv/rbenv#installation
-[node]: https://nodejs.org/en/
-[homebrew]: https://brew.sh/
+This website is hosted on Netlify and configured to automatically deploy anytime you push code to the `stable-website` branch. Any time a pull request is submitted that changes files within the `website` folder, a deployment preview will appear in the github checks which can be used to validate the way docs changes will look live. Deployments from `stable-website` will look and behave the same way as deployment previews.
diff --git a/website/_redirects b/website/_redirects
new file mode 100644
index 000000000000..b1e7352a58f5
--- /dev/null
+++ b/website/_redirects
@@ -0,0 +1,186 @@
+/api/*  /api-docs/:splat 200
+/intro /intro/getting-started
+
+/api/secret/generic/index.html  /api/secret/kv
+/api/system/renew.html  /api/system/leases
+/api/system/revoke-force.html /api/system/leases
+/api/system/revoke-prefix.html  /api/system/leases
+/api/system/revoke.html /api/system/leases
+/docs/auth/aws-ec2.html /docs/auth/aws
+/docs/commands/environment.html  /docs/commands/#environment-variables
+/docs/commands/help.html  /docs/commands/path-help
+/docs/commands/read-write.html /docs/commands#reading-and-writing-data
+/docs/config/index.html /docs/configuration
+/docs/configuration/storage/google-cloud.html  /docs/configuration/storage/google-cloud-storage
+/docs/configuration/storage/spanner.html /docs/configuration/storage/google-cloud-spanner
+/docs/enterprise/auto-unseal/index.html /docs/concepts/seal.html
+/docs/enterprise/hsm/configuration.html  /docs/configuration/seal/pkcs11
+/docs/enterprise/ui/index.html  /docs/configuration/ui
+/docs/guides/generate-root.html /guides/operations/generate-root
+/docs/guides/index.html /guides
+/docs/guides/production.html  /guides/operations/production
+/docs/guides/replication.html /guides/operations/replication
+/docs/guides/upgrading/index.html      /docs/upgrading
+/docs/guides/upgrading/upgrade-to-0.5.0.html /docs/upgrading/upgrade-to-0.5.0
+/docs/guides/upgrading/upgrade-to-0.5.1.html /docs/upgrading/upgrade-to-0.5.1
+/docs/guides/upgrading/upgrade-to-0.6.0.html /docs/upgrading/upgrade-to-0.6.0
+/docs/guides/upgrading/upgrade-to-0.6.1.html /docs/upgrading/upgrade-to-0.6.1
+/docs/guides/upgrading/upgrade-to-0.6.2.html /docs/upgrading/upgrade-to-0.6.2
+/docs/guides/upgrading/upgrade-to-0.6.3.html /docs/upgrading/upgrade-to-0.6.3
+/docs/guides/upgrading/upgrade-to-0.6.4.html /docs/upgrading/upgrade-to-0.6.4
+/docs/guides/upgrading/upgrade-to-0.7.0.html /docs/upgrading/upgrade-to-0.7.0
+/guides/upgrading/upgrade-to-0.5.0.html /docs/upgrading/upgrade-to-0.5.0
+/guides/upgrading/upgrade-to-0.5.1.html /docs/upgrading/upgrade-to-0.5.1
+/guides/upgrading/upgrade-to-0.6.0.html /docs/upgrading/upgrade-to-0.6.0
+/guides/upgrading/upgrade-to-0.6.1.html /docs/upgrading/upgrade-to-0.6.1
+/guides/upgrading/upgrade-to-0.6.2.html /docs/upgrading/upgrade-to-0.6.2
+/guides/upgrading/upgrade-to-0.6.3.html /docs/upgrading/upgrade-to-0.6.3
+/guides/upgrading/upgrade-to-0.6.4.html /docs/upgrading/upgrade-to-0.6.4
+/guides/upgrading/upgrade-to-0.7.0.html /docs/upgrading/upgrade-to-0.7.0
+/guides/upgrading/upgrade-to-0.8.0.html /docs/upgrading/upgrade-to-0.8.0
+/guides/upgrading/upgrade-to-0.9.0.html /docs/upgrading/upgrade-to-0.9.0
+/guides/upgrading/upgrade-to-0.9.1.html /docs/upgrading/upgrade-to-0.9.1
+/guides/upgrading/upgrade-to-0.9.2.html /docs/upgrading/upgrade-to-0.9.2
+/guides/upgrading/upgrade-to-0.9.3.html /docs/upgrading/upgrade-to-0.9.3
+/guides/upgrading/upgrade-to-0.9.6.html /docs/upgrading/upgrade-to-0.9.6
+/guides/upgrading/upgrade-to-0.10.0.html /docs/upgrading/upgrade-to-0.10.0
+/guides/upgrading/upgrade-to-0.10.2.html /docs/upgrading/upgrade-to-0.10.2
+/guides/upgrading/upgrade-to-0.10.4.html /docs/upgrading/upgrade-to-0.10.4
+/guides/upgrading/upgrade-to-0.11.0.html /docs/upgrading/upgrade-to-0.11.0
+/guides/upgrading/upgrade-to-0.11.2.html /docs/upgrading/upgrade-to-0.11.2
+/docs/http/sys-audit.html /api/system/audit
+/docs/http/sys-auth.html  /api/system/auth
+/docs/http/sys-health.html  /api/system/health
+/docs/http/sys-init.html  /api/system/init
+/docs/http/sys-key-status.html  /api/system/key-status
+/docs/http/sys-leader.html  /api/system/leader
+/docs/http/sys-mounts.html  /api/system/mounts
+/docs/http/sys-policy.html  /api/system/policy
+/docs/http/sys-raw.html /api/system/raw
+/docs/http/sys-rekey.html /api/system/rekey
+/docs/http/sys-remount.html /api/system/remount
+/docs/http/sys-renew.html /api/system/leases
+/docs/http/sys-revoke-prefix.html /api/system/leases
+/docs/http/sys-revoke.html  /api/system/leases
+/docs/http/sys-rotate.html  /api/system/rotate
+/docs/http/sys-seal-status.html /api/system/seal-status
+/docs/http/sys-seal.html  /api/system/seal
+/docs/http/sys-unseal.html  /api/system/unseal
+/docs/install/install.html  /docs/install
+/docs/install/upgrade-to-0.5.1.html  /docs/upgrading/upgrade-to-0.5.1
+/docs/install/upgrade-to-0.5.html /docs/upgrading/upgrade-to-0.5.0
+/docs/install/upgrade-to-0.6.1.html  /docs/upgrading/upgrade-to-0.6.1
+/docs/install/upgrade-to-0.6.2.html  /docs/upgrading/upgrade-to-0.6.2
+/docs/install/upgrade-to-0.6.html /docs/upgrading/upgrade-to-0.6.0
+/docs/install/upgrade.html  /docs/upgrading
+/docs/secrets/custom.html /docs/plugin
+/docs/secrets/generic/index.html  /docs/secrets/kv
+/docs/vault-enterprise/hsm/behavior.html /docs/enterprise/hsm/behavior
+/docs/vault-enterprise/hsm/configuration.html  /docs/enterprise/hsm/configuration
+/docs/vault-enterprise/hsm/index.html /docs/enterprise/hsm
+/docs/vault-enterprise/hsm/security.html /docs/enterprise/hsm/security
+/docs/vault-enterprise/identity/index.html /docs/enterprise/identity
+/docs/vault-enterprise/index.html /docs/enterprise
+/docs/vault-enterprise/mfa/index.html /docs/enterprise/mfa
+/docs/vault-enterprise/mfa/mfa-duo.html /docs/enterprise/mfa/mfa-duo
+/docs/vault-enterprise/mfa/mfa-okta.html /docs/enterprise/mfa/mfa-okta
+/docs/vault-enterprise/mfa/mfa-pingid.html /docs/enterprise/mfa/mfa-pingid
+/docs/vault-enterprise/mfa/mfa-totp.html /docs/enterprise/mfa/mfa-totp
+/docs/vault-enterprise/replication/index.html  /docs/enterprise/replication
+/docs/vault-enterprise/ui/index.html  /docs/configuration/ui
+/guides/authentication.html /guides/identity/authentication
+/guides/configuration/authentication.html  /guides/identity/authentication
+/guides/configuration/generate-root.html /guides/operations/generate-root
+/guides/configuration/lease.html  /guides/identity/lease
+/guides/configuration/plugin-backends.html /guides/operations/plugin-backends
+/guides/configuration/policies.html /guides/identity/policies
+/guides/configuration/rekeying-and-rotating.html /guides/operations/rekeying-and-rotating
+/guides/cubbyhole.html  /guides/secret-mgmt/cubbyhole
+/guides/dynamic-secret.html /guides/secret-mgmt/dynamic-secret
+/guides/generate-root.html  /guides/operations/generate-root
+/guides/lease.html  /guides/identity/lease
+/guides/plugin-backends.html  /guides/operations/plugin-backends
+/guides/policies.html /guides/identity/policies
+/guides/production.html /guides/operations/production
+/guides/rekeying-and-rotating.html /guides/operations/rekeying-and-rotating
+/guides/replication.html  /guides/operations/replication
+/guides/static-secrets.html /guides/secret-mgmt/static-secrets
+/intro/getting-started/acl.html /intro/getting-started/policies
+/intro/getting-started/secret-backends.html  /intro/getting-started/secrets-engines
+
+/guides/getting-started/index.html              https://learn.hashicorp.com/vault
+
+/guides/operations/index.html                   https://learn.hashicorp.com/vault/?track=operations#operations
+/guides/operations/reference-architecture.html  https://learn.hashicorp.com/vault/operations/ops-reference-architecture
+/guides/operations/deployment-guide.html        https://learn.hashicorp.com/vault/operations/ops-deployment-guide
+/guides/operations/vault-ha-consul.html         https://learn.hashicorp.com/vault/operations/ops-vault-ha-consul
+/guides/operations/production.html              https://learn.hashicorp.com/vault/operations/production-hardening
+/guides/operations/generate-root.html           https://learn.hashicorp.com/vault/operations/ops-generate-root
+/guides/operations/rekeying-and-rotating.html   https://learn.hashicorp.com/vault/operations/ops-rekeying-and-rotating
+/guides/operations/plugin-backends.html         https://learn.hashicorp.com/vault/developer/plugin-backends
+/guides/operations/replication.html             https://learn.hashicorp.com/vault/operations/ops-replication
+/guides/operations/disaster-recovery.html       https://learn.hashicorp.com/vault/operations/ops-disaster-recovery
+/guides/operations/mount-filter.html            https://learn.hashicorp.com/vault/operations/mount-filter
+/guides/operations/performance-nodes.html       https://learn.hashicorp.com/vault/operations/performance-standbys
+/guides/operations/multi-tenant.html            https://learn.hashicorp.com/vault/operations/namespaces
+/guides/operations/autounseal-aws-kms.html      https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms
+/guides/operations/seal-wrap.html               https://learn.hashicorp.com/vault/operations/ops-seal-wrap
+/guides/operations/monitoring.html              https://learn.hashicorp.com/vault/operations/monitoring
+
+# Identity
+/guides/identity/index.html                     https://learn.hashicorp.com/vault?track=identity-access-management#identity-access-management
+/guides/identity/secure-intro.html              https://learn.hashicorp.com/vault/identity-access-management/iam-secure-intro
+/guides/identity/policies.html                  https://learn.hashicorp.com/vault/identity-access-management/iam-policies
+/guides/identity/policy-templating.html         https://learn.hashicorp.com/vault/identity-access-management/policy-templating
+/guides/identity/authentication.html            https://learn.hashicorp.com/vault/identity-access-management/iam-authentication
+/guides/identity/approle-trusted-entities.html  https://learn.hashicorp.com/vault/identity-access-management/iam-approle-trusted-entities
+/guides/identity/lease.html                     https://learn.hashicorp.com/vault/secrets-management/sm-lease
+/guides/identity/identity.html                  https://learn.hashicorp.com/vault/identity-access-management/iam-identity
+/guides/identity/sentinel.html                  https://learn.hashicorp.com/vault/identity-access-management/iam-sentinel
+/guides/identity/control-groups.html            https://learn.hashicorp.com/vault/identity-access-management/iam-control-groups
+
+# Secret management
+/guides/secret-mgmt/index.html                  https://learn.hashicorp.com/vault/?track=secrets-management#secrets-management
+/guides/secret-mgmt/static-secrets.html         https://learn.hashicorp.com/vault/secrets-management/sm-static-secrets
+/guides/secret-mgmt/versioned-kv.html           https://learn.hashicorp.com/vault/secrets-management/sm-versioned-kv
+/guides/secret-mgmt/dynamic-secrets.html        https://learn.hashicorp.com/vault/secrets-management/sm-dynamic-secrets
+/guides/secret-mgmt/db-root-rotation.html       https://learn.hashicorp.com/vault/secrets-management/db-root-rotation
+/guides/secret-mgmt/cubbyhole.html              https://learn.hashicorp.com/vault/secrets-management/sm-cubbyhole
+/guides/secret-mgmt/ssh-otp.html                https://learn.hashicorp.com/vault/secrets-management/sm-ssh-otp
+/guides/secret-mgmt/pki-engine.html             https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine
+/guides/secret-mgmt/app-integration.html        https://learn.hashicorp.com/vault/developer/sm-app-integration
+
+# Encryption
+/guides/encryption/index.html                   https://learn.hashicorp.com/vault/?track=encryption-as-a-service#encryption-as-a-service
+/guides/encryption/transit.html                 https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit
+/guides/encryption/spring-demo.html             https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-spring-demo
+/guides/encryption/transit-rewrap.html          https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit-rewrap
+
+# Rearranged out of `guides` but still on `.io`
+/guides/partnerships/index.html /docs/partnerships
+/intro/use-cases.html /docs/use-cases
+/intro/vs/index.html  /docs/vs
+/intro/vs/chef-puppet-etc.html /docs/vs/chef-puppet-etc
+/intro/vs/consul.html /docs/vs/consul
+/intro/vs/custom.html /docs/vs/custom
+/intro/vs/dropbox.html /docs/vs/dropbox
+/intro/vs/hsm.html /docs/vs/hsm
+/intro/vs/index.html /docs/vs
+/intro/vs/keywhiz.html /docs/vs/keywhiz
+/intro/vs/kms.html /docs/vs/kms
+/intro/what-is-vault/index.html /docs/what-is-vault
+
+# Intro getting started content -> Learn
+/intro/index.html https://learn.hashicorp.com/vault/#getting-started
+/intro/getting-started/ https://learn.hashicorp.com/vault/getting-started/install
+/intro/getting-started/index.html https://learn.hashicorp.com/vault/getting-started/install
+/intro/getting-started/dev-server.html https://learn.hashicorp.com/vault/getting-started/dev-server
+/intro/getting-started/first-secret.html https://learn.hashicorp.com/vault/getting-started/first-secret
+/intro/getting-started/secrets-engines.html https://learn.hashicorp.com/vault/getting-started/secrets-engines
+/intro/getting-started/dynamic-secrets.html https://learn.hashicorp.com/vault/getting-started/dynamic-secrets
+/intro/getting-started/help.html https://learn.hashicorp.com/vault/getting-started/help
+/intro/getting-started/authentication.html https://learn.hashicorp.com/vault/getting-started/authentication
+/intro/getting-started/policies.html https://learn.hashicorp.com/vault/getting-started/policies
+/intro/getting-started/deploy.html https://learn.hashicorp.com/vault/getting-started/deploy
+/intro/getting-started/apis.html https://learn.hashicorp.com/vault/getting-started/apis
+/intro/getting-started/next-steps.html https://learn.hashicorp.com/vault/getting-started/next-steps
diff --git a/website/assets/app.js b/website/assets/app.js
deleted file mode 100644
index 6093c2a7c0ca..000000000000
--- a/website/assets/app.js
+++ /dev/null
@@ -1,57 +0,0 @@
-const cssStandards = require('spike-css-standards')
-const jsStandards = require('spike-js-standards')
-const preactPreset = require('babel-preset-preact')
-const extendRule = require('postcss-extend-rule')
-const webpack = require('webpack')
-
-/* eslint-disable-next-line */
-console.log(`Building assets for environment *${process.env.NODE_ENV}*`)
-
-const isProd =
-  process.env.NODE_ENV === 'production' ||
-  process.env.NODE_ENV === 'tmp-production'
-
-let utilServerUrl
-if (isProd) {
-  utilServerUrl = 'https://util.hashicorp.com'
-} else {
-  utilServerUrl = 'https://hashicorp-web-util-staging.herokuapp.com'
-}
-
-if (process.env.UTIL_SERVER) {
-  utilServerUrl = process.env.UTIL_SERVER
-
-  // remove trailing slash
-  utilServerUrl = utilServerUrl.replace(/\/$/, '')
-
-  /* eslint-disable-next-line */
-  console.log(`utilServerUrl=${utilServerUrl}`)
-}
-
-let segmentWriteKey
-if (isProd) {
-  segmentWriteKey = 'OdSFDq9PfujQpmkZf03dFpcUlywme4sC'
-} else {
-  segmentWriteKey = '0EXTgkNx0Ydje2PGXVbRhpKKoe5wtzcE'
-}
-
-module.exports = {
-  ignore: ['yarn.lock', '**/_*'],
-  entry: {
-    'js/main': './js/index.js',
-    'js/analytics.js': './js/analytics.js',
-    'js/consent-manager': './js/consent-manager.js'
-  },
-  postcss: cssStandards({
-    appendPlugins: [extendRule()]
-  }),
-  plugins: [
-    new webpack.DefinePlugin({
-      'process.env.NODE_ENV': JSON.stringify(process.env.NODE_ENV),
-      utilityServerRoot: JSON.stringify(utilServerUrl),
-      segmentWriteKey: JSON.stringify(segmentWriteKey)
-    })
-  ],
-  babel: jsStandards({ appendPresets: [preactPreset] }),
-  server: { open: false }
-}
diff --git a/website/assets/css/_fonts.css b/website/assets/css/_fonts.css
deleted file mode 100644
index 358b6f6bae12..000000000000
--- a/website/assets/css/_fonts.css
+++ /dev/null
@@ -1,83 +0,0 @@
-/* Logo Font (Klavika) */
-@font-face {
-  font-family: 'klavika-web';
-  src: url('/fonts/klavika/500.woff2') format('woff2'),
-    url('/fonts/klavika/500.woff') format('woff');
-  font-weight: 700;
-  font-style: normal;
-}
-
-/* Display Font (Gilmer) */
-@font-face {
-  font-family: 'gilmer-web';
-  src: url('/fonts/gilmer/gilmer-light.woff2') format('woff2'),
-    url('/fonts/gilmer/gilmer-light.woff') format('woff');
-  font-weight: 300;
-  font-style: normal;
-}
-
-@font-face {
-  font-family: 'gilmer-web';
-  src: url('/fonts/gilmer/gilmer-regular.woff2') format('woff2'),
-    url('/fonts/gilmer/gilmer-regular.woff') format('woff');
-  font-weight: 400;
-  font-style: normal;
-}
-
-@font-face {
-  font-family: 'gilmer-web';
-  src: url('/fonts/gilmer/gilmer-medium.woff2') format('woff2'),
-    url('/fonts/gilmer/gilmer-medium.woff') format('woff');
-  font-weight: 500;
-  font-style: normal;
-}
-
-@font-face {
-  font-family: 'gilmer-web';
-  src: url('/fonts/gilmer/gilmer-bold.woff2') format('woff2'),
-    url('/fonts/gilmer/gilmer-bold.woff') format('woff');
-  font-weight: 700;
-  font-style: normal;
-}
-
-/* Body Font (Metro) */
-@font-face {
-  font-family: 'metro-web';
-  src: url('/fonts/metro/metro-sans-book.woff2') format('woff2'),
-    url('/fonts/metro/metro-sans-book.woff') format('woff');
-  font-weight: 300;
-  font-style: normal;
-}
-
-@font-face {
-  font-family: 'metro-web';
-  src: url('/fonts/metro/metro-sans-regular.woff2') format('woff2'),
-    url('/fonts/metro/metro-sans-regular.woff') format('woff');
-  font-weight: 400;
-  font-style: normal;
-}
-
-@font-face {
-  font-family: 'metro-web';
-  src: url('/fonts/metro/metro-sans-semi-bold.woff2') format('woff2'),
-    url('/fonts/metro/metro-sans-semi-bold.woff') format('woff');
-  font-weight: 600;
-  font-style: normal;
-}
-
-@font-face {
-  font-family: 'metro-web';
-  src: url('/fonts/metro/metro-sans-bold.woff2') format('woff2'),
-    url('/fonts/metro/metro-sans-bold.woff') format('woff');
-  font-weight: 700;
-  font-style: normal;
-}
-
-/* Code Font (Deja Vu) */
-@font-face {
-  font-family: "dejavu-sans-mono-web";
-  src: url("/fonts/dejavu/DejaVuSansMono.woff2") format("woff2"),
-    url("/fonts/dejavu/DejaVuSansMono.woff") format("woff");
-  font-style: normal;
-  font-weight: 400;
-}
diff --git a/website/assets/css/_inner.css b/website/assets/css/_inner.css
deleted file mode 100644
index 897f57cc800f..000000000000
--- a/website/assets/css/_inner.css
+++ /dev/null
@@ -1,40 +0,0 @@
-.content-wrap {
-  display: flex;
-  flex-direction: column;
-  flex-wrap: wrap;
-  flex: 1 0 auto;
-  position: relative;
-  width: 100%;
-
-  @media (min-width: 940px) {
-    flex-direction: row;
-    margin-top: 72px;
-    margin-bottom: 72px;
-  }
-}
-
-#inner {
-  margin: 64px 0;
-  overflow: auto;
-  width: 100%;
-
-  @media (min-width: 940px) {
-    flex: 1;
-    margin: 0;
-  }
-
-  & .g-content {
-    @media (max-width: 939px) {
-      padding-left: 0;
-      padding-right: 0;
-    }
-
-    & > h1:first-child {
-      margin-top: 0;
-    }
-  }
-
-  & .g-section-header {
-    margin-bottom: 100px;
-  }
-}
diff --git a/website/assets/css/_print.css b/website/assets/css/_print.css
deleted file mode 100644
index 7bbb225aae86..000000000000
--- a/website/assets/css/_print.css
+++ /dev/null
@@ -1,133 +0,0 @@
-@media print {
-  *,
-  *:before,
-  *:after {
-    background: transparent !important;
-    box-shadow: none !important;
-    text-shadow: none !important;
-  }
-
-  /* Hide nav elements from print */
-  .g-mega-nav,
-  .g-product-subnav,
-  .g-footer,
-  .g-docs-sidenav {
-    display: none;
-  }
-
-  /* Add border around code blocks */
-  div.highlight {
-    border: 1px solid #ddd;
-    page-break-inside: avoid;
-
-    & pre.highlight {
-      margin: 0;
-    }
-  }
-
-  /* Hide anchor links */
-  .anchor {
-    display: none !important;
-  }
-
-  /* Display link address in brackets */
-  /* Some overrides here because of the way we handle link hover on screens */
-  a[href]:after {
-    content: ' (' attr(href) ')' !important;
-    font-size: 90%;
-    position: static !important;
-    opacity: 1 !important;
-    text-decoration: none !important;
-  }
-
-  .g-content {
-    & p code {
-      /* Restore background grey on inline code */
-      background: rgba(0, 0, 0, 0.05) !important;
-    }
-
-    & pre code {
-      color: black !important;
-
-      & span {
-        color: black !important;
-      }
-    }
-
-    & p {
-      page-break-inside: avoid !important;
-    }
-
-    /* Let code blocks wrap if needed */
-    & pre > code {
-      white-space: normal;
-    }
-  }
-
-  a,
-  a:visited {
-    text-decoration: underline !important;
-  }
-
-  abbr[title]:after {
-    content: ' (' attr(title) ')';
-  }
-
-  a[href^='#']:after,
-  a[href^='javascript:']:after {
-    content: '';
-  }
-
-  pre,
-  blockquote {
-    border: 1px solid #999;
-    page-break-inside: avoid;
-  }
-
-  thead {
-    display: table-header-group;
-  }
-
-  tr,
-  img {
-    page-break-inside: avoid;
-  }
-
-  img {
-    max-width: 100% !important;
-  }
-
-  p,
-  h2,
-  h3 {
-    orphans: 3;
-    widows: 3;
-    page-break-inside: avoid;
-  }
-
-  h2,
-  h3 {
-    page-break-after: avoid;
-  }
-
-  .label {
-    border: 1px solid #000;
-  }
-
-  .table,
-  #inner table {
-    border-collapse: collapse !important;
-  }
-
-  .table td,
-  #inner table td,
-  .table th,
-  #inner table th {
-    background-color: #fff !important;
-  }
-
-  .table-bordered th,
-  .table-bordered td {
-    border: 1px solid #ddd !important;
-  }
-}
diff --git a/website/assets/css/_secondary-nav.css b/website/assets/css/_secondary-nav.css
deleted file mode 100644
index bb9212307980..000000000000
--- a/website/assets/css/_secondary-nav.css
+++ /dev/null
@@ -1,113 +0,0 @@
-#secondary-nav {
-  width: 100%;
-  border-bottom: 1px solid var(--gray-9);
-
-  & .g-container {
-    display: flex;
-    flex-direction: column;
-    flex-wrap: nowrap;
-    justify-content: space-between;
-    margin: 0 auto;
-
-    @media (min-width: 768px) {
-      flex-direction: row;
-      align-items: center;
-      max-width: var(--medium-grid-max-width);
-    }
-
-    @media (min-width: 1120px) {
-      max-width: var(--site-max-width);
-    }
-  }
-
-  &.light {
-    background-color: var(--white);
-    color: var(--black);
-  }
-
-  &.dark {
-    background-color: var(--black);
-    color: var(--white);
-  }
-
-  & ul {
-    list-style: none;
-    padding: 0;
-    margin: 0;
-
-    & li {
-      display: inline-block;
-    }
-  }
-
-  & .breadcrumbs {
-    list-style: none;
-    padding: 0;
-    margin: 0;
-
-    & li {
-      font-size: 1.25em;
-      line-height: 1.6;
-      padding: .625em 0;
-
-      & + li:before {
-        content: "/\00a0";
-        font-weight: 300;
-        margin: 0 5px;
-      }
-
-      &:nth-child(odd) {
-        font-weight: 300;
-      }
-
-      &.active {
-        font-weight: bold;
-      }
-    }
-  }
-
-  & .doc-links {
-    & li {
-      font-size: .875em;
-      line-height: 1.7;
-      margin: 0 20px;
-      padding: 0 0 14px;
-
-      @media (min-width: 768px) {
-        padding: 32px 0;
-      }
-
-      &:first-child {
-        margin-left: 0;
-      }
-
-      &.active {
-        border-bottom: 3px solid #1563FF;
-
-        & a {
-          opacity: 0.7;
-        }
-      }
-
-      & a {
-        color: inherit;
-        cursor: pointer;
-        display: block;
-        text-decoration: none;
-        transition: opacity .25s ease;
-
-        &:hover {
-          opacity: 0.7s;
-        }
-
-        & svg {
-          position: relative;
-          top: 2px;
-          width: 14px;
-          height: 14px;
-          margin-right: 3px;
-        }
-      }
-    }
-  }
-}
diff --git a/website/assets/css/_section.css b/website/assets/css/_section.css
deleted file mode 100644
index 8092cd1d84ed..000000000000
--- a/website/assets/css/_section.css
+++ /dev/null
@@ -1,351 +0,0 @@
-@import '@hashicorp/hashi-global-styles/style';
-
-.g-section-block {
-  padding: 160px 0;
-
-  @media (max-width: 1119px) {
-    padding: 104px 0;
-  }
-
-  @media (max-width: 767px) {
-    padding: 80px 0;
-  }
-
-  &.theme-white-background-black-text:not(.divider-gray-line)
-    + .theme-white-background-black-text {
-    padding-top: 32px;
-  }
-
-  /*  Layout Styles */
-  &.layout-horizontal {
-    & > .g-container {
-      display: flex;
-      align-items: center;
-
-      & > * + * {
-        margin-left: 96px;
-      }
-    }
-
-    & .img-container {
-      flex-shrink: 0;
-
-      & img {
-        align-self: center;
-      }
-    }
-  }
-
-  &.layout-vertical {
-    & > .g-container {
-      & > * + * {
-        margin-top: 96px;
-
-        @media (max-width: 1119px) {
-          margin-top: 72px;
-        }
-
-        @media (max-width: 767px) {
-          margin-top: 56px;
-        }
-      }
-
-      & > .g-text-and-content + .g-text-and-content {
-        margin-top: 192px;
-
-        @media (max-width: 1119px) {
-          margin-top: 144px;
-        }
-
-        @media (max-width: 767px) {
-          margin-top: 112px;
-        }
-      }
-
-      & > .g-section-header {
-        & + * {
-          margin-top: 72px;
-
-          @media (max-width: 1119px) {
-            margin-top: 64px;
-          }
-
-          @media (max-width: 767px) {
-            margin-top: 40px;
-          }
-        }
-      }
-
-      & > * + .btn-container {
-        margin-top: 40px;
-
-        @media (max-width: 767px) {
-          margin-top: 32px;
-        }
-      }
-    }
-  }
-
-  /* TODO: remove this once new section header is out */
-  & .g-section-header {
-    margin: 0 auto;
-  }
-
-  /* Module styles */
-
-  & .btn-container {
-    display: flex;
-    flex-wrap: wrap;
-    justify-content: center;
-    margin: auto -8px -16px;
-
-    & > * {
-      margin: auto 8px 16px;
-    }
-  }
-
-  & .img-container {
-    display: flex;
-    justify-content: center;
-
-    & .g-container {
-      flex-shrink: 0;
-      width: 100%;
-    }
-
-    & img {
-      max-width: 100%;
-    }
-
-    & picture {
-      display: flex;
-      justify-content: center;
-      width: 100%;
-
-      & img {
-        object-fit: contain;
-        font-family: 'object-fit:contain';
-        flex-shrink: 0;
-      }
-    }
-  }
-
-  & .two-col-text-container {
-    & .g-container {
-      display: flex;
-      @media (max-width: 850px) {
-        flex-direction: column;
-      }
-    }
-
-    & .left,
-    & .right {
-      width: 48%;
-      flex-shrink: 0;
-
-      @media (max-width: 850px) {
-        width: 100%;
-      }
-
-      & > *:first-child {
-        margin-top: 0;
-      }
-    }
-
-    & .left {
-      margin-right: 4%;
-
-      @media (max-width: 850px) {
-        margin-right: 0;
-        margin-bottom: 32px;
-      }
-    }
-
-    & a {
-      font-weight: 600;
-      color: inherit;
-
-      &:hover {
-        border-bottom: 1px solid;
-        opacity: 0.8;
-      }
-    }
-
-    & h5 {
-      margin-bottom: 1em;
-    }
-
-    & ul {
-      list-style: none;
-      padding-left: 15px;
-
-      & li {
-        display: flex;
-        align-items: center;
-        margin-bottom: 5px;
-
-        &:before {
-          content: '';
-          width: 18px;
-          height: 18px;
-          background: url('/img/black-circle-white-check.svg') no-repeat;
-          background-size: 100%;
-          margin-right: 10px;
-        }
-      }
-    }
-  }
-
-  & .g-text-and-image {
-    & .imgwrap {
-      display: flex;
-
-      & picture {
-        display: flex;
-        justify-content: center;
-        width: 100%;
-
-        & img {
-          object-fit: contain;
-          font-family: 'object-fit:contain';
-          max-width: 350px;
-        }
-      }
-    }
-
-    & .text {
-      & h2 {
-        font-size: 1.5rem;
-      }
-
-      & a {
-        font-weight: 600;
-        color: white;
-        padding-bottom: 1px;
-
-        &:hover {
-          border-bottom: 1px solid;
-        }
-      }
-    }
-  }
-
-  & .small-text-tag {
-    text-align: center;
-    text-transform: uppercase;
-    color: #8d9096;
-    font-size: 0.9rem;
-    font-weight: 600;
-  }
-
-  & .g-logo-grid.large li {
-    background-color: white;
-  }
-
-  & .video-container {
-    max-width: 80%;
-    margin-left: auto;
-    margin-right: auto;
-  }
-
-  /* THEMES */
-  &.theme-terraform-purple-top-gradient {
-    color: white;
-    background: linear-gradient(to bottom, #1b212c, #000000);
-  }
-
-  &.theme-dark-blue {
-    color: white;
-    background: #1b212d;
-  }
-
-  &.theme-white-background-black-text {
-    background: white;
-    color: black;
-  }
-
-  &.theme-black-background-white-text {
-    background: var(--gray-1);
-    color: white;
-  }
-
-  &.theme-light-gray {
-    color: black;
-    background: #f3f4f6;
-  }
-
-  &.theme-default-blue-gradient {
-    background: url('/img/backgrounds/partner-cta-bg.svg');
-    background-position: center center;
-    background-size: cover;
-    color: var(--white);
-  }
-
-  &.theme-terraform-purple-gradient {
-    @extend %gradient-bg;
-    background: linear-gradient(to right, #695af0, #6b5cf3);
-
-    &::before {
-      background: linear-gradient(to right, #5b48e7, #6b5cf3);
-    }
-  }
-
-  &.theme-nomad-green-gradient {
-    @extend %gradient-bg;
-    background: linear-gradient(to right, #1dbe83, #1ec185);
-
-    &::before {
-      background: linear-gradient(to right, #20c78a, #17c185);
-    }
-  }
-
-  &.theme-terraform-purple-testimonial-split {
-    color: white;
-    position: relative;
-    overflow: hidden;
-
-    &:before {
-      content: '';
-      background: linear-gradient(to right, #695af0, #6b5cf3);
-      width: 100%;
-      height: 550px;
-      position: absolute;
-      top: 0;
-      left: 0;
-    }
-
-    & .g-container {
-      position: relative;
-    }
-  }
-
-  /* DIVIDERS */
-  &.divider-gray-line {
-    border-bottom: 1px solid #d9dbdd;
-  }
-
-  &.divider-dark-gray-line {
-    border-bottom: 1px solid #424242;
-  }
-
-  &.divider-black-down-arrow {
-    border-bottom: 1px solid #d0d2d5;
-    position: relative;
-
-    &:after {
-      content: '';
-      width: 82px;
-      height: 82px;
-      background: black url('/img/white-down-chevron.svg') 50% 55% no-repeat;
-      margin-top: 21px;
-      border-radius: 50%;
-      position: absolute;
-      bottom: -40px;
-      margin-left: auto;
-      margin-right: auto;
-      left: 0;
-      right: 0;
-      z-index: 2;
-    }
-  }
-}
diff --git a/website/assets/css/index.css b/website/assets/css/index.css
deleted file mode 100644
index 796c02967089..000000000000
--- a/website/assets/css/index.css
+++ /dev/null
@@ -1,60 +0,0 @@
-@import 'normalize.css';
-@import '_fonts';
-@import '@hashicorp/hashi-global-styles/style';
-
-/* NPM Preact Components */
-@import '@hashicorp/hashi-alert/dist/style.css';
-@import '@hashicorp/hashi-button/dist/style.css';
-@import '@hashicorp/hashi-case-study-slider/dist/style.css';
-@import '@hashicorp/hashi-code-block/dist/style.css';
-@import '@hashicorp/hashi-consent-manager/dist/style.css';
-@import '@hashicorp/hashi-content/dist/style.css';
-@import '@hashicorp/hashi-docs-sidenav/dist/style.css';
-@import '@hashicorp/hashi-docs-sitemap/dist/style.css';
-@import '@hashicorp/hashi-footer/dist/style.css';
-@import '@hashicorp/hashi-hero/dist/style.css';
-@import '@hashicorp/hashi-linked-text-summary-list/dist/style.css';
-@import '@hashicorp/hashi-logo-grid/dist/style.css';
-@import '@hashicorp/hashi-mega-nav/dist/style.css';
-@import '@hashicorp/hashi-nav/dist/style.css';
-@import '@hashicorp/hashi-newsletter-signup-form/dist/style.css';
-@import '@hashicorp/hashi-product-downloader/dist/style.css';
-@import '@hashicorp/hashi-product-subnav/dist/style.css';
-@import '@hashicorp/hashi-section-header/dist/style.css';
-@import '@hashicorp/hashi-split-cta/dist/style.css';
-@import '@hashicorp/hashi-text-and-content/dist/style.css';
-@import '@hashicorp/hashi-toggle/dist/style.css';
-@import '@hashicorp/hashi-use-cases/dist/style.css';
-@import '@hashicorp/hashi-vertical-text-block-list/dist/style.css';
-
-/* Local Preact Components */
-@import '../js/components/before-after-diagram/style.css';
-
-/* to be removed pending new components */
-@import '_inner';
-@import '_secondary-nav';
-
-/* Layout */
-@import '_section';
-
-/* Pages */
-@import 'pages/_docs';
-@import 'pages/_section_block';
-@import 'pages/_home';
-@import 'pages/_use_cases';
-@import 'pages/_downloads.css';
-
-/* Print styles */
-@import '_print';
-
-.g-text-and-content .image img {
-  width: 100%;
-}
-
-/* Hide Mega Nav on mobile */
-nav.g-mega-nav {
-  display: none;
-  @media (min-width: 1023px) {
-    display: block;
-  }
-}
diff --git a/website/assets/css/pages/_docs.css b/website/assets/css/pages/_docs.css
deleted file mode 100644
index 5ca548bf33cf..000000000000
--- a/website/assets/css/pages/_docs.css
+++ /dev/null
@@ -1,37 +0,0 @@
-#sidebar {
-  & .g-docs-sidebar {
-    margin-right: 25px;
-  }
-}
-
-#intro {
-  padding-bottom: 0px;
-
-  & .g-section-header {
-    margin-bottom: 48px;
-
-    & h3 {
-      margin: 1em auto 0 auto;
-      width: 85%;
-    }
-  }
-}
-
-#categories {
-  & .g-linked-text-summary-list {
-    padding-top: 12px;
-    padding-bottom: 12px;
-  }
-}
-
-#sitemap {
-  @media (max-width: 768px) {
-    display: none;
-  }
-}
-
-#get-started {
-  @media (max-width: 768px) {
-    display: none;
-  }
-}
diff --git a/website/assets/css/pages/_downloads.css b/website/assets/css/pages/_downloads.css
deleted file mode 100644
index 1e94be28bf8f..000000000000
--- a/website/assets/css/pages/_downloads.css
+++ /dev/null
@@ -1,25 +0,0 @@
-#download-vault {
-  & .content-wrap {
-    margin-bottom: 118px;
-
-    @media (max-width: 1199px) {
-      margin-bottom: 104px;
-    }
-
-    @media (max-width: 767px) {
-      margin-bottom: 0px;
-    }
-  }
-}
-
-#beta1-1-0 {
-  margin-bottom: 40px;
-
-  @media (max-width: 1199px) {
-    text-align: center;
-  }
-
-  & p:last-child {
-    margin: 0px;
-  }
-}
diff --git a/website/assets/css/pages/_home.css b/website/assets/css/pages/_home.css
deleted file mode 100644
index 12455b2b7ad5..000000000000
--- a/website/assets/css/pages/_home.css
+++ /dev/null
@@ -1,34 +0,0 @@
-@import '@hashicorp/hashi-global-styles/_typography.css';
-
-.g-split-cta h1 {
-  font-size: 2.5em;
-}
-
-#page-home {
-  & .g-section-block.page-wrap {
-    padding-top: 0;
-  }
-
-  & .g-logo-grid li img {
-    max-height: 50%;
-    max-width: 50%;
-  }
-
-  & .g-container.remove-bottom-padding {
-    padding-bottom: 0;
-  }
-
-  & .g-section-header.infrastructure {
-    /* Override default max-width */
-    max-width: 1050px;
-
-    & h2 {
-      max-width: 784px;
-      margin: 0 auto;
-    }
-  }
-
-  & .g-container.before-after {
-    padding-top: 50px;
-  }
-}
diff --git a/website/assets/css/pages/_section_block.css b/website/assets/css/pages/_section_block.css
deleted file mode 100644
index 0e1c044fc01e..000000000000
--- a/website/assets/css/pages/_section_block.css
+++ /dev/null
@@ -1,78 +0,0 @@
-.g-section-block {
-  & section {
-    padding-top: 96px;
-    padding-bottom: 96px;
-
-    @media (max-width: 768px) {
-      padding-top: 60px;
-      padding-bottom: 60px;
-    }
-
-    &.gray {
-      background: #f6f7fa;
-    }
-
-    &.black {
-      background: var(--black);
-      color: white;
-    }
-
-    &.no-pad {
-      padding: 0;
-    }
-
-    /* copied over from www, should be component-ized */
-    & > * + *,
-    & > .g-container > * + * {
-      margin-top: 96px;
-
-      @media (max-width: 1119px) {
-        margin-top: 72px;
-      }
-
-      @media (max-width: 767px) {
-        margin-top: 56px;
-      }
-    }
-
-    & > .g-section-header,
-    & > .g-container > .g-section-header {
-      & + * {
-        margin-top: 72px;
-
-        @media (max-width: 1119px) {
-          margin-top: 64px;
-        }
-
-        @media (max-width: 767px) {
-          margin-top: 40px;
-        }
-      }
-    }
-
-    & > * + .button-container,
-    & > .g-container > * + .button-container {
-      margin-top: 40px;
-
-      @media (max-width: 767px) {
-        margin-top: 32px;
-      }
-    }
-  }
-
-  & .button-container {
-    display: flex;
-    flex-wrap: wrap;
-    justify-content: center;
-    margin: auto -8px -16px;
-
-    & > * {
-      margin: auto 8px 16px;
-    }
-  }
-
-  /* Temporary Overrides */
-  & .g-section-header {
-    margin: 0 auto;
-  }
-}
diff --git a/website/assets/css/pages/_use_cases.css b/website/assets/css/pages/_use_cases.css
deleted file mode 100644
index 1d710196abfe..000000000000
--- a/website/assets/css/pages/_use_cases.css
+++ /dev/null
@@ -1,72 +0,0 @@
-@import '@hashicorp/hashi-global-styles/_variables.css';
-
-#use-cases {
-  & .g-section-block section.pad-bottom {
-    padding-bottom: 144px;
-  }
-
-  & .g-logo-grid li img {
-    max-height: 50%;
-    max-width: 50%;
-  }
-
-  & .g-section-block.page-wrap {
-    padding-top: 0;
-    padding-bottom: 0;
-  }
-
-  & .g-section-block.g-cta-section {
-    align-items: center;
-    background: var(--vault-gray-dark);
-    display: flex;
-    justify-content: center;
-    padding-left: 15px;
-    padding-right: 15px;
-    position: relative;
-    text-align: center;
-    color: var(--white);
-
-    & h2 {
-      margin-top: 0;
-    }
-
-    & .g-btn.white {
-      background: var(--white);
-      border: 2px solid var(--white);
-      color: var(--vault-gray-dark);
-
-      &:hover {
-        background-color: var(--vault-gray);
-        border-color: var(--vault-gray);
-        color: var(--white);
-
-        & path {
-          fill: var(--white);
-        }
-      }
-    }
-
-    & .g-btn.download svg {
-      margin: 0 4px -4px 0;
-    }
-
-    & .g-btn.download svg path {
-      transition: fill 0.25s ease;
-    }
-
-    & .g-btn + .g-btn {
-      margin-left: 18px;
-    }
-
-    & .g-btn.white-outline {
-      background: none;
-      border: 2px solid var(--white);
-      color: var(--white);
-
-      &:hover {
-        background-color: var(--white);
-        color: var(--vault-gray-dark);
-      }
-    }
-  }
-}
diff --git a/website/assets/files/press-kit.zip b/website/assets/files/press-kit.zip
deleted file mode 100644
index 9b61088fb817..000000000000
Binary files a/website/assets/files/press-kit.zip and /dev/null differ
diff --git a/website/assets/js/analytics.js b/website/assets/js/analytics.js
deleted file mode 100644
index 67898dc83534..000000000000
--- a/website/assets/js/analytics.js
+++ /dev/null
@@ -1,101 +0,0 @@
-import { each } from './utils'
-
-/* Segment's analytics.js provides a ready() function that is called once tracking is up and running */
-/* Some clients block analytics.js, so to prevent errors, we assign noop functions if window.analytics isn't present */
-window.analytics.ready(() => {
-  const analytics = window.analytics || {
-    trackLink: () => {},
-    track: () => {},
-    mock: true
-  }
-
-  // Track all button clicks
-  track(
-    '[data-ga-button]',
-    el => {
-      return {
-        event: 'Click',
-        category: 'Button',
-        label: el.getAttribute('data-ga-button')
-      }
-    },
-    true
-  )
-
-  // Track product subnav link clicks
-  track(
-    '[data-ga-product-subnav]',
-    el => {
-      return {
-        event: 'Click',
-        category: 'Product Subnav Navigation',
-        label: el.getAttribute('data-ga-product-subnav')
-      }
-    },
-    true
-  )
-
-  // Track meganav link clicks
-  track(
-    '[data-ga-meganav]',
-    el => {
-      return {
-        event: 'Click',
-        category: 'Meganav Navigation',
-        label: el.getAttribute('data-ga-meganav')
-      }
-    },
-    true
-  )
-
-  // Track footer link clicks
-  track(
-    '[data-ga-footer]',
-    el => {
-      return {
-        event: 'Click',
-        category: 'Footer Navigation',
-        label: el.getAttribute('data-ga-footer')
-      }
-    },
-    true
-  )
-
-  // Track outbound links
-  track(
-    'a[href^="http"]:not([href^="http://vaultproject.io"]):not([href^="https://vaultproject.io"]):not([href^="http://www.vaultproject.io"]):not([href^="https://www.vaultproject.io"])',
-    el => {
-      return {
-        event: `Outbound Link | ${window.location.pathname}`,
-        category: 'Outbound link',
-        label: el.href
-      }
-    },
-    true
-  )
-
-  // Note: Downloads are tracked from within the Product Downloader component
-
-  /**
-   * Wrapper for segment's track function that will track multiple elements,
-   * normalize parameters, and easily switch between tracking links or events.
-   * @param  {String} selector - query selector, multi element compatible
-   * @param  {Function} cb - optional function that should return params, and will receive the element as a parameter
-   * @param  {Boolean} [link=false] - if true, tracks a link click
-   */
-  function track(selector, cb, link = false) {
-    each(document.querySelectorAll(selector), el => {
-      let params = cb
-      if (typeof cb === 'function') params = cb(el)
-      const event = params.event
-      delete params.event
-      if (link) {
-        analytics.trackLink(el, event, params)
-      } else {
-        el.addEventListener('click', () => {
-          analytics.track(event, params)
-        })
-      }
-    })
-  }
-})
diff --git a/website/assets/js/components/before-after-diagram/alert-icon.js b/website/assets/js/components/before-after-diagram/alert-icon.js
deleted file mode 100644
index e953b37e1eed..000000000000
--- a/website/assets/js/components/before-after-diagram/alert-icon.js
+++ /dev/null
@@ -1,32 +0,0 @@
-const { h } = require('preact')
-
-module.exports = function AlertIcon() {
-  return (
-    <svg
-      width="24"
-      height="24"
-      viewBox="0 0 24 24"
-      fill="none"
-      xmlns="http://www.w3.org/2000/svg"
-    >
-      <path
-        fillRule="evenodd"
-        clipRule="evenodd"
-        d="M12 22C17.5228 22 22 17.5228 22 12C22 6.47715 17.5228 2 12 2C6.47715 2 2 6.47715 2 12C2 17.5228 6.47715 22 12 22Z"
-        fill="white"
-        stroke="#E80134"
-        strokeWidth="2"
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <path
-        d="M12 8V12"
-        stroke="#E80134"
-        strokeWidth="2"
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <circle cx="12" cy="16" r="1" fill="#E80134" />
-    </svg>
-  )
-}
diff --git a/website/assets/js/components/before-after-diagram/check-icon.js b/website/assets/js/components/before-after-diagram/check-icon.js
deleted file mode 100644
index 4fd17b59c721..000000000000
--- a/website/assets/js/components/before-after-diagram/check-icon.js
+++ /dev/null
@@ -1,27 +0,0 @@
-const { h } = require('preact')
-
-module.exports = function CheckIcon() {
-  return (
-    <svg
-      width="24"
-      height="24"
-      viewBox="0 0 24 24"
-      fill="none"
-      xmlns="http://www.w3.org/2000/svg"
-    >
-      <path
-        d="M12 23C5.92487 23 0.999999 18.0751 0.999999 12C1 5.92487 5.92487 0.999999 12 0.999999C18.0751 1 23 5.92487 23 12C23 18.0751 18.0751 23 12 23Z"
-        fill="black"
-        stroke="black"
-        strokeWidth="2"
-      />
-      <path
-        d="M16.6663 9.08203L10.2497 15.4987L7.33301 12.582"
-        stroke="white"
-        strokeWidth="2"
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-    </svg>
-  )
-}
diff --git a/website/assets/js/components/before-after-diagram/index.js b/website/assets/js/components/before-after-diagram/index.js
deleted file mode 100644
index 093a88305750..000000000000
--- a/website/assets/js/components/before-after-diagram/index.js
+++ /dev/null
@@ -1,94 +0,0 @@
-const { h, Component } = require('preact')
-const { decode } = require('reshape-preact-components')
-const marked = require('8fold-marked')
-const Image = require('@hashicorp/hashi-image').default
-const AlertIcon = require('./alert-icon')
-const CheckIcon = require('./check-icon')
-
-module.exports = class BeforeAfterDiagram extends Component {
-  render() {
-    const data = decode(this.props._data)
-    const markedOptions = this.generateMarkedOptions()
-
-    return (
-      <div class={`g-before-after-diagrams ${data.theme}`}>
-        <div class="before">
-          <div class="image">
-            <div>
-              <Image src={data.before_image.url} svg="true" />
-            </div>
-          </div>
-          <div class="content">
-            <span class="line">
-              <span />
-              <AlertIcon />
-              <span />
-            </span>
-            <div>
-              {data.before_headline && (
-                <h3
-                  className="g-type-display-3"
-                  dangerouslySetInnerHTML={{
-                    __html: marked.inlineLexer(data.before_headline, [])
-                  }}
-                />
-              )}
-              {data.before_content && (
-                <div
-                  dangerouslySetInnerHTML={{
-                    __html: marked(data.before_content, markedOptions)
-                  }}
-                />
-              )}
-            </div>
-          </div>
-        </div>
-        <div class="after">
-          <div class="image">
-            <div>
-              <Image src={data.after_image.url} svg="true" />
-            </div>
-          </div>
-          <div class="content">
-            <div class="line">
-              <CheckIcon />
-            </div>
-            <div>
-              {data.after_headline && (
-                <h3
-                  className="g-type-display-3"
-                  dangerouslySetInnerHTML={{
-                    __html: marked.inlineLexer(data.after_headline, [])
-                  }}
-                />
-              )}
-              {data.after_content && (
-                <div
-                  dangerouslySetInnerHTML={{
-                    __html: marked(data.after_content, markedOptions)
-                  }}
-                />
-              )}
-            </div>
-          </div>
-        </div>
-      </div>
-    )
-  }
-
-  generateMarkedOptions() {
-    const markedRenderer = new marked.Renderer()
-
-    markedRenderer.heading = function(text, level) {
-      return `<h${level} class="g-type-label">${text}</h${level}>`
-    }
-    markedRenderer.paragraph = function(text) {
-      return `<p class="g-type-body">${text}</p>`
-    }
-    markedRenderer.list = function(text) {
-      return `<ul class="g-type-body">${text}</ul>`
-    }
-
-    return { renderer: markedRenderer }
-  }
-}
diff --git a/website/assets/js/components/before-after-diagram/style.css b/website/assets/js/components/before-after-diagram/style.css
deleted file mode 100644
index 095b8acc6074..000000000000
--- a/website/assets/js/components/before-after-diagram/style.css
+++ /dev/null
@@ -1,418 +0,0 @@
-.g-before-after-diagrams {
-  display: flex;
-  flex-wrap: wrap;
-  margin: 0 -16px;
-  position: relative;
-
-  @media (max-width: 1023px) {
-    margin-left: -12px;
-    margin-right: -12px;
-  }
-
-  @media (max-width: 767px) {
-    flex-direction: column;
-    margin-left: 40px;
-    margin-right: 0;
-  }
-
-  & > div {
-    display: flex;
-    flex-direction: column;
-    margin: 0 16px;
-    position: relative;
-    width: calc(50% - 32px);
-
-    @media (max-width: 1023px) {
-      margin: 0 12px;
-      width: calc(50% - 24px);
-    }
-
-    @media (max-width: 767px) {
-      margin: 0;
-      width: 100%;
-    }
-  }
-
-  & .before {
-    @media (max-width: 767px) {
-      margin-bottom: 62px;
-    }
-
-    & li:before {
-      background: url('/img/icons/alert-triangle.svg');
-      height: 20px;
-      margin-top: 3px;
-      width: 20px;
-    }
-  }
-
-  & .after li:before {
-    background: url('/img/icons/check-circle.svg');
-    height: 18px;
-    margin-top: 4px;
-    width: 18px;
-  }
-
-  & .image {
-    align-items: center;
-    display: flex;
-    height: 320px;
-    justify-content: center;
-    margin-bottom: 96px;
-
-    @media (max-width: 767px) {
-      margin-bottom: 40px;
-    }
-
-    @media (max-width: 640px) {
-      height: 284px;
-    }
-
-    @media (max-width: 540px) {
-      height: 238px;
-    }
-
-    @media (max-width: 480px) {
-      height: 211px;
-    }
-
-    @media (max-width: 375px) {
-      height: 163px;
-    }
-
-    & div {
-      height: 100%;
-      text-align: center;
-      width: 100%;
-    }
-
-    & img,
-    & svg {
-      max-height: 100%;
-      max-width: 100%;
-    }
-  }
-
-  & .content {
-    border: 1px solid var(--gray-9);
-    padding: 24px 32px 20px;
-    position: relative;
-    flex-grow: 1;
-
-    @media (max-width: 1023px) {
-      padding-left: 24px;
-      padding-right: 24px;
-    }
-
-    @media (max-width: 767px) {
-      padding-left: 20px;
-      padding-right: 20px;
-    }
-
-    &:before,
-    &:after {
-      bottom: 100%;
-      border: solid transparent;
-      content: '';
-      height: 0;
-      left: 50%;
-      width: 0;
-      position: absolute;
-      pointer-events: none;
-    }
-
-    &:before {
-      border-color: rgba(229, 230, 235, 0);
-      border-bottom-color: var(--gray-9);
-      border-width: 18px;
-      margin-left: -18px;
-    }
-
-    &:after {
-      border-color: rgba(255, 255, 255, 0);
-      border-bottom-color: var(--white);
-      border-width: 17px;
-      margin-left: -17px;
-    }
-
-    & > div {
-      height: 100%;
-
-      &.line {
-        height: auto;
-      }
-
-      & > div {
-        @media (min-width: 768px) {
-          max-width: 480px;
-          margin: 0 auto;
-        }
-      }
-    }
-  }
-
-  & h3 {
-    border-bottom: 1px solid var(--gray-9);
-    color: var(--black);
-    margin: 0 0 24px;
-    padding-bottom: 24px;
-    text-align: center;
-  }
-
-  & h4 {
-    display: block;
-    font-size: 0.75rem;
-    font-weight: var(--font-weight-bold);
-    letter-spacing: 0.5px;
-    line-height: 1.125rem;
-    margin: 24px 0 26px;
-    text-transform: uppercase;
-  }
-
-  & ul {
-    list-style: none;
-    padding-left: 32px;
-    position: relative;
-  }
-
-  & li {
-    margin: 8px 0;
-
-    &:before {
-      background-repeat: no-repeat;
-      content: '';
-      left: 0;
-      position: absolute;
-    }
-  }
-
-  & .line {
-    padding: 0;
-    position: absolute;
-    right: 0;
-    top: -75px;
-    width: 100%;
-
-    @media (max-width: 767px) {
-      left: -28px;
-      height: 100%;
-      right: auto;
-      top: 28px;
-      width: auto;
-    }
-
-    & span {
-      display: block;
-      height: 1px;
-      position: absolute;
-      top: 12px;
-      width: calc(100% - 14px);
-
-      @media (max-width: 767px) {
-        width: 1px;
-      }
-
-      &:first-child {
-        background-image: linear-gradient(
-          90deg,
-          rgba(210, 212, 219, 0) 0%,
-          var(--gray-8) 100%
-        );
-        right: calc(50% + 20px);
-        width: calc(50% + 140px);
-
-        @media (max-width: 767px) {
-          background-image: linear-gradient(
-            180deg,
-            rgba(210, 212, 219, 0) 0%,
-            var(--gray-8) 100%
-          );
-          height: 245px;
-          right: auto;
-          top: -253px;
-          width: 1px;
-        }
-      }
-
-      &:last-child {
-        background-image: linear-gradient(
-          90deg,
-          var(--gray-8) 0%,
-          var(--black) 100%
-        );
-        left: calc(50% + 20px);
-
-        @media (max-width: 767px) {
-          background-image: linear-gradient(
-            180deg,
-            var(--gray-8) 0%,
-            var(--black) 100%
-          );
-          height: calc(100% + 375px);
-          left: auto;
-          top: 32px;
-        }
-
-        @media (max-width: 640px) {
-          height: calc(100% + 339px);
-        }
-
-        @media (max-width: 540px) {
-          height: calc(100% + 293px);
-        }
-
-        @media (max-width: 480px) {
-          height: calc(100% + 266px);
-        }
-
-        @media (max-width: 375px) {
-          height: calc(100% + 218px);
-        }
-
-        &:after {
-          border-color: transparent transparent transparent #000000;
-          border-style: solid;
-          border-width: 5.5px 0 5.5px 8px;
-          content: '';
-          height: 0;
-          position: absolute;
-          right: -8px;
-          top: -5px;
-          width: 0;
-
-          @media (max-width: 767px) {
-            transform: rotate(90deg);
-            top: auto;
-            bottom: -8px;
-            right: -4px;
-          }
-        }
-      }
-    }
-
-    & svg {
-      position: absolute;
-      left: 50%;
-      margin: 0 0 0 -11px;
-    }
-  }
-
-  /*
-   * TERRAFORM THEME
-   */
-  &.terraform {
-    & .line span {
-      &:first-child {
-        background-image: linear-gradient(
-          90deg,
-          rgba(95, 67, 233, 0) 0%,
-          var(--gray-8) 100%
-        );
-
-        @media (max-width: 767px) {
-          background-image: linear-gradient(
-            180deg,
-            rgba(95, 67, 233, 0) 0%,
-            var(--gray-8) 100%
-          );
-        }
-      }
-
-      &:last-child {
-        background-image: linear-gradient(
-          90deg,
-          var(--gray-8) 0%,
-          var(--terraform-purple) 100%
-        );
-
-        @media (max-width: 767px) {
-          background-image: linear-gradient(
-            180deg,
-            var(--gray-8) 0%,
-            var(--terraform-purple) 100%
-          );
-        }
-
-        &:after {
-          border-color: transparent transparent transparent
-            var(--terraform-purple);
-          border-style: solid;
-          border-width: 5.5px 0 5.5px 8px;
-        }
-      }
-    }
-    & .after {
-      & li:before {
-        background: url('/img/icons/check-circle-purple.svg');
-        height: 19px;
-      }
-
-      .line {
-        svg,
-        path:first-child {
-          fill: var(--terraform-purple);
-          stroke: var(--terraform-purple);
-        }
-      }
-    }
-  }
-
-  /*
-   * CONSUL THEME
-   */
-  &.consul {
-    & .line span {
-      &:first-child {
-        background-image: linear-gradient(
-          90deg,
-          rgba(95, 67, 233, 0) 0%,
-          var(--gray-8) 100%
-        );
-
-        @media (max-width: 767px) {
-          background-image: linear-gradient(
-            180deg,
-            rgba(95, 67, 233, 0) 0%,
-            var(--gray-8) 100%
-          );
-        }
-      }
-
-      &:last-child {
-        background-image: linear-gradient(
-          90deg,
-          var(--gray-8) 0%,
-          var(--consul-pink) 100%
-        );
-
-        @media (max-width: 767px) {
-          background-image: linear-gradient(
-            180deg,
-            var(--gray-8) 0%,
-            var(--consul-pink) 100%
-          );
-        }
-
-        &:after {
-          border-color: transparent transparent transparent var(--consul-pink);
-          border-style: solid;
-          border-width: 5.5px 0 5.5px 8px;
-        }
-      }
-    }
-    & .after {
-      & li:before {
-        background: url('/img/icons/check-circle-pink.svg');
-        height: 19px;
-      }
-
-      .line {
-        svg,
-        path:first-child {
-          fill: var(--consul-pink);
-          stroke: var(--consul-pink);
-        }
-      }
-    }
-  }
-}
diff --git a/website/assets/js/consent-manager.js b/website/assets/js/consent-manager.js
deleted file mode 100644
index 3656c0251c61..000000000000
--- a/website/assets/js/consent-manager.js
+++ /dev/null
@@ -1,65 +0,0 @@
-import { open, init } from '@hashicorp/hashi-consent-manager'
-
-window.openConsentManager = () => open()
-
-init({
-  version: 1,
-  container: '#consent-manager',
-  companyName: 'HashiCorp',
-  privacyPolicyLink: '/privacy',
-  segmentWriteKey: segmentWriteKey,
-  utilServerRoot: utilityServerRoot,
-  segmentServices: [
-    {
-      key: 'googleanalytics',
-      name: 'Google Analytics',
-      description:
-        'Google Analytics is a popular service for tracking web traffic. We use this data to determine what content our users find important so that we can dedicate more resources toward it.',
-      category: 'Analytics'
-    },
-    {
-      name: 'Marketo V2',
-      description:
-        'Marketo is a marketing automation tool that allows us to segment users into different categories based off of their behaviors.  We use this information to provide tailored information to users in our email campaigns.',
-      category: 'Email Marketing'
-    },
-    {
-      name: 'Hull',
-      description:
-        'Hull is a tool that we use to clean up analytics data and send it between different services. It does not add any javascript tracking code to this site.',
-      category: 'Analytics'
-    },
-    {
-      name: 'Hotjar',
-      description:
-        'Hotjar is a service that generates heatmaps of where users click on our sites. We use this information to ensure that our site is not confusing, and simple to use and navigate.',
-      category: 'Analytics'
-    }
-  ],
-  categories: [
-    {
-      name: 'Functional',
-      description:
-        'Functional services provide a utility to the website, such as the ability to log in, or to get live support. Disabling any of these scripts will cause that utility to be missing from the site.'
-    },
-    {
-      name: 'Analytics',
-      description:
-        'Analytics services keep track of page traffic and user behavior while browsing the site. We use this data internally to improve the usability and performance of the site. Disabling any of these scripts makes it more difficult for us to understand how our site is being used, and slower to improve it.'
-    },
-    {
-      name: 'Email Marketing',
-      description:
-        'Email Marketing services track user behavior while browsing the site. We use this data internally in our marketing efforts to provide users contextually relevant information based off of their behaviors. Disabling any of these scripts makes it more difficult for us to provide you contextually relevant information.'
-    }
-  ],
-  additionalServices: [
-    {
-      name: 'OptinMonster',
-      description:
-        "OptinMonster is a service that we use to show a prompt to sign up for our newsletter if it's perceived that you are interested in our content.",
-      category: 'Functional',
-      body: `var om597a24292a958,om597a24292a958_poll=function(){var e=0;return function(t,a){clearInterval(e),e=setInterval(t,a)}}();!function(e,t,a){if(e.getElementById(a))om597a24292a958_poll(function(){if(window.om_loaded&&!om597a24292a958)return(om597a24292a958=new OptinMonsterApp).init({s:"35109.597a24292a958",staging:0,dev:0,beta:0})},25);else{var n=!1,o=e.createElement("script");o.id=a,o.src="//a.optnmstr.com/app/js/api.min.js",o.async=!0,o.onload=o.onreadystatechange=function(){if(!(n||this.readyState&&"loaded"!==this.readyState&&"complete"!==this.readyState))try{n=om_loaded=!0,(om597a24292a958=new OptinMonsterApp).init({s:"35109.597a24292a958",staging:0,dev:0,beta:0}),o.onload=o.onreadystatechange=null}catch(e){}},(document.getElementsByTagName("head")[0]||document.documentElement).appendChild(o)}}(document,0,"omapi-script");`
-    }
-  ]
-})
diff --git a/website/assets/js/index.js b/website/assets/js/index.js
deleted file mode 100644
index 49a9a04017b0..000000000000
--- a/website/assets/js/index.js
+++ /dev/null
@@ -1,24 +0,0 @@
-// components
-import { each, initializeComponents } from './utils'
-// external components
-import nav from '@hashicorp/hashi-nav'
-import footer from '@hashicorp/hashi-footer'
-import newsletterSignupForm from '@hashicorp/hashi-newsletter-signup-form'
-import productSubnav from '@hashicorp/hashi-product-subnav'
-import megaNav from '@hashicorp/hashi-mega-nav'
-import productDownloader from '@hashicorp/hashi-product-downloader'
-import hero from '@hashicorp/hashi-hero'
-import docsSidenav from '@hashicorp/hashi-docs-sidenav'
-import consentManager from '@hashicorp/hashi-consent-manager'
-
-const components = initializeComponents({
-  nav,
-  footer,
-  newsletterSignupForm,
-  productSubnav,
-  megaNav,
-  productDownloader,
-  hero,
-  docsSidenav,
-  consentManager
-})
diff --git a/website/assets/js/utils.js b/website/assets/js/utils.js
deleted file mode 100644
index 46d2a92d2b53..000000000000
--- a/website/assets/js/utils.js
+++ /dev/null
@@ -1,70 +0,0 @@
-import { render } from 'preact'
-import { hydrateInitialState } from 'reshape-preact-components/lib/browser'
-
-// rehydrates and initializes top-level preact components
-export function initializeComponents(obj) {
-  const res = {}
-
-  for (let k in obj) {
-    const name = getName(k)
-    res[name] = []
-    each(document.querySelectorAll(`.g-${name}`), el => {
-      // do not initialize nested components
-      const matches = Object.keys(obj)
-        .map(getName)
-        .reduce((m, name) => {
-          const parent = findParent(el, `.g-${name}`)
-          if (parent) m.push(parent)
-          return m
-        }, [])
-      if (matches.length > 1) return
-      // if there's no data-state, don't try
-      if (!el.dataset.state || !el.dataset.state.length) {
-        return
-      }
-      // otherwise, initialize away
-      const vdom = hydrateInitialState(el.dataset.state, {
-        [`hashi-${name}`]: obj[k]
-      })
-
-      res[name].push(render(vdom, el.parentElement, el))
-    })
-  }
-
-  return res
-
-  function getName(s) {
-    return s.replace(/([A-Z])/g, '-$1').toLowerCase()
-  }
-}
-
-// iterates through a NodeList
-export function each(list, cb) {
-  for (let i = 0; i < list.length; i++) {
-    cb(list[i], i)
-  }
-}
-
-// polyfills object-fit in unsupported browsers
-export function fixObjectFit() {
-  if (Modernizr.objectfit) {
-    import('object-fit-images').then(ofi => {
-      ofi.default()
-    })
-  }
-}
-
-// given an element and selector, finds the closest parent element. doesn't
-// handle attribute selectors, just class, id, and element name
-export function findParent(el, selector) {
-  const firstChar = selector[0]
-  if (firstChar === '.') {
-    if (el.classList.contains(selector.substr(1))) return el
-  } else if (firstChar === '#') {
-    if (el.id === selector.substr(1)) return el
-  } else {
-    if (el.tagName.toLowerCase() === selector) return el
-  }
-  if (!el.parentNode.tagName) return undefined
-  return findParent(el.parentNode, selector)
-}
diff --git a/website/assets/package-lock.json b/website/assets/package-lock.json
deleted file mode 100644
index c91249a7d12e..000000000000
--- a/website/assets/package-lock.json
+++ /dev/null
@@ -1,11632 +0,0 @@
-{
-  "name": "middleman-spike-assets",
-  "version": "0.0.0",
-  "lockfileVersion": 1,
-  "requires": true,
-  "dependencies": {
-    "8fold-marked": {
-      "version": "0.3.9",
-      "resolved": "https://registry.npmjs.org/8fold-marked/-/8fold-marked-0.3.9.tgz",
-      "integrity": "sha512-OmVTXzmvQk/WuVZnOa+sT6wpkLrkPrjYanXS3X0ib1yk6315iwuPmvwKkOOdpqznYmavyT2ZCDOo6MeFe4xSog=="
-    },
-    "@babel/helper-module-imports": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.0.0.tgz",
-      "integrity": "sha512-aP/hlLq01DWNEiDg4Jn23i+CXxW/owM4WpDLFUbpjxe4NS3BhLVZQ5i7E0ZrxuQ/vwekIeciyamgB1UIYxxM6A==",
-      "requires": {
-        "@babel/types": "^7.0.0"
-      }
-    },
-    "@babel/runtime": {
-      "version": "7.6.3",
-      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.6.3.tgz",
-      "integrity": "sha512-kq6anf9JGjW8Nt5rYfEuGRaEAaH1mkv3Bbu6rYvLOpPh/RusSJXuKPEAoZ7L7gybZkchE8+NV5g9vKF4AGAtsA==",
-      "requires": {
-        "regenerator-runtime": "^0.13.2"
-      },
-      "dependencies": {
-        "regenerator-runtime": {
-          "version": "0.13.3",
-          "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.3.tgz",
-          "integrity": "sha512-naKIZz2GQ8JWh///G7L3X6LaQUAMp2lvb1rvwwsURe/VXwD6VMfr+/1NuNw3ag8v2kY1aQ/go5SNn79O9JU7yw=="
-        }
-      }
-    },
-    "@babel/types": {
-      "version": "7.6.3",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.6.3.tgz",
-      "integrity": "sha512-CqbcpTxMcpuQTMhjI37ZHVgjBkysg5icREQIEZ0eG1yCNwg3oy+5AaLiOKmjsCj6nqOsa6Hf0ObjRVwokb7srA==",
-      "requires": {
-        "esutils": "^2.0.2",
-        "lodash": "^4.17.13",
-        "to-fast-properties": "^2.0.0"
-      }
-    },
-    "@csstools/convert-colors": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/@csstools/convert-colors/-/convert-colors-1.4.0.tgz",
-      "integrity": "sha512-5a6wqoJV/xEdbRNKVo6I4hO3VjyDq//8q2f9I6PBAvMesJHFauXDorcNCsr9RzvsZnaWi5NYCcfyqP1QeFHFbw==",
-      "dev": true
-    },
-    "@emotion/babel-utils": {
-      "version": "0.6.10",
-      "resolved": "https://registry.npmjs.org/@emotion/babel-utils/-/babel-utils-0.6.10.tgz",
-      "integrity": "sha512-/fnkM/LTEp3jKe++T0KyTszVGWNKPNOUJfjNKLO17BzQ6QPxgbg3whayom1Qr2oLFH3V92tDymU+dT5q676uow==",
-      "requires": {
-        "@emotion/hash": "^0.6.6",
-        "@emotion/memoize": "^0.6.6",
-        "@emotion/serialize": "^0.9.1",
-        "convert-source-map": "^1.5.1",
-        "find-root": "^1.1.0",
-        "source-map": "^0.7.2"
-      },
-      "dependencies": {
-        "source-map": {
-          "version": "0.7.3",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.3.tgz",
-          "integrity": "sha512-CkCj6giN3S+n9qrYiBTX5gystlENnRW5jZeNLHpe6aue+SrHcG5VYwujhW9s4dY31mEGsxBDrHR6oI69fTXsaQ=="
-        }
-      }
-    },
-    "@emotion/hash": {
-      "version": "0.6.6",
-      "resolved": "https://registry.npmjs.org/@emotion/hash/-/hash-0.6.6.tgz",
-      "integrity": "sha512-ojhgxzUHZ7am3D2jHkMzPpsBAiB005GF5YU4ea+8DNPybMk01JJUM9V9YRlF/GE95tcOm8DxQvWA2jq19bGalQ=="
-    },
-    "@emotion/is-prop-valid": {
-      "version": "0.6.8",
-      "resolved": "https://registry.npmjs.org/@emotion/is-prop-valid/-/is-prop-valid-0.6.8.tgz",
-      "integrity": "sha512-IMSL7ekYhmFlILXcouA6ket3vV7u9BqStlXzbKOF9HBtpUPMMlHU+bBxrLOa2NvleVwNIxeq/zL8LafLbeUXcA==",
-      "requires": {
-        "@emotion/memoize": "^0.6.6"
-      }
-    },
-    "@emotion/memoize": {
-      "version": "0.6.6",
-      "resolved": "https://registry.npmjs.org/@emotion/memoize/-/memoize-0.6.6.tgz",
-      "integrity": "sha512-h4t4jFjtm1YV7UirAFuSuFGyLa+NNxjdkq6DpFLANNQY5rHueFZHVY+8Cu1HYVP6DrheB0kv4m5xPjo7eKT7yQ=="
-    },
-    "@emotion/serialize": {
-      "version": "0.9.1",
-      "resolved": "https://registry.npmjs.org/@emotion/serialize/-/serialize-0.9.1.tgz",
-      "integrity": "sha512-zTuAFtyPvCctHBEL8KZ5lJuwBanGSutFEncqLn/m9T1a6a93smBStK+bZzcNPgj4QS8Rkw9VTwJGhRIUVO8zsQ==",
-      "requires": {
-        "@emotion/hash": "^0.6.6",
-        "@emotion/memoize": "^0.6.6",
-        "@emotion/unitless": "^0.6.7",
-        "@emotion/utils": "^0.8.2"
-      }
-    },
-    "@emotion/stylis": {
-      "version": "0.7.1",
-      "resolved": "https://registry.npmjs.org/@emotion/stylis/-/stylis-0.7.1.tgz",
-      "integrity": "sha512-/SLmSIkN13M//53TtNxgxo57mcJk/UJIDFRKwOiLIBEyBHEcipgR6hNMQ/59Sl4VjCJ0Z/3zeAZyvnSLPG/1HQ=="
-    },
-    "@emotion/unitless": {
-      "version": "0.6.7",
-      "resolved": "https://registry.npmjs.org/@emotion/unitless/-/unitless-0.6.7.tgz",
-      "integrity": "sha512-Arj1hncvEVqQ2p7Ega08uHLr1JuRYBuO5cIvcA+WWEQ5+VmkOE3ZXzl04NbQxeQpWX78G7u6MqxKuNX3wvYZxg=="
-    },
-    "@emotion/utils": {
-      "version": "0.8.2",
-      "resolved": "https://registry.npmjs.org/@emotion/utils/-/utils-0.8.2.tgz",
-      "integrity": "sha512-rLu3wcBWH4P5q1CGoSSH/i9hrXs7SlbRLkoq9IGuoPYNGQvDJ3pt/wmOM+XgYjIDRMVIdkUWt0RsfzF50JfnCw=="
-    },
-    "@hashicorp-tmp/consent-manager": {
-      "version": "0.0.5",
-      "resolved": "https://registry.npmjs.org/@hashicorp-tmp/consent-manager/-/consent-manager-0.0.5.tgz",
-      "integrity": "sha1-hCmIISvxMgBN1Khth8A/MxJq7Ns=",
-      "requires": {
-        "@segment/top-domain": "^3.0.0",
-        "babel-runtime": "^6.26.0",
-        "emotion": "^9.1.2",
-        "isomorphic-fetch": "^2.2.1",
-        "js-cookie": "^2.2.0",
-        "lodash": "^4.17.5",
-        "nanoid": "^1.0.2",
-        "preact-compat": "^3.18.0",
-        "preact-emotion": "^9.1.3",
-        "preact-portal": "^1.1.3",
-        "prop-types": "^15.6.1"
-      }
-    },
-    "@hashicorp/hashi-alert": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-alert/-/hashi-alert-2.0.0.tgz",
-      "integrity": "sha512-NUcvdGGdojaNZJEZk8lWpEGDhwdqrpXWJ06LRWZWBzaOn+uJ0a1dTVG0QdtaCH9fEzr+ltOeMkcrzPOHRFJIHg=="
-    },
-    "@hashicorp/hashi-boolean-input": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-boolean-input/-/hashi-boolean-input-1.0.3.tgz",
-      "integrity": "sha512-VOu4sWH4y6n8XPZI96xFks70Kf/h3ESyoduDV9Eps9X+C3V6lF/oFP0g+Ys277YgegfJUNe/7jZvzkYO63O8lQ==",
-      "requires": {
-        "shortid": "2.2.14"
-      }
-    },
-    "@hashicorp/hashi-button": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-button/-/hashi-button-2.0.0.tgz",
-      "integrity": "sha512-4b7JtQgvVO/sDw5oyWDCZTnHzEsDtLLYwWOR9z2a0m7iDF/CgUWbR7xbXfnihpQJIkeCf9BV/MEm5com3n4zMg=="
-    },
-    "@hashicorp/hashi-case-study-slider": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-case-study-slider/-/hashi-case-study-slider-2.3.0.tgz",
-      "integrity": "sha512-pB/CXCtNqwU5WcR9VDyNTdYh4BJqj0ZtTQrNrYnoQ5g8OlggBBex/QASbnvaBCGkiXw5QDNHpkN6Lyc4iTHD+A=="
-    },
-    "@hashicorp/hashi-code-block": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-code-block/-/hashi-code-block-1.2.0.tgz",
-      "integrity": "sha512-CARAGd/4E8EudamMThp3X7mXpOzWBKIi4qYSGKzt6o52s1FNKpzp+sLqcw9cuPAx+dVY5YiU0NCk6XY8OeNPRw=="
-    },
-    "@hashicorp/hashi-consent-manager": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-consent-manager/-/hashi-consent-manager-2.0.0.tgz",
-      "integrity": "sha512-cLzebeDoj4VE4c/7hJ7ymTnhX0tSrjkna8weOIcHO/OiSZWhJXy45yUBitNo9MF1NDNUDFSJtZiG/7wB06ETtA=="
-    },
-    "@hashicorp/hashi-content": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-content/-/hashi-content-2.0.1.tgz",
-      "integrity": "sha512-4fspk/EaZGcIvo4u3Z+vcCRyepgKHcciL7bBaUsHicunphkjXXanUprrAjf9lH4yv9pUri66qC1CtMycVgrALg=="
-    },
-    "@hashicorp/hashi-docs-sidenav": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-docs-sidenav/-/hashi-docs-sidenav-2.0.0.tgz",
-      "integrity": "sha512-U02ykzvgSv6sy8gRCpzkJPpbdeAczFlSg82MpWbO9sTbBjXeEMWQW/f4MCTh+FyXFW0mCOlPRVTx7rW6mwGxTw=="
-    },
-    "@hashicorp/hashi-docs-sitemap": {
-      "version": "0.1.6",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-docs-sitemap/-/hashi-docs-sitemap-0.1.6.tgz",
-      "integrity": "sha512-jrRZ1Hq4TQXSptt45vEn4ZtOZC7iyQt9Abnif6iltLpPDJIqV/yl9wB7HLODI0Thw5SThIU6AABX0bLEwxuGJA=="
-    },
-    "@hashicorp/hashi-footer": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-footer/-/hashi-footer-2.0.2.tgz",
-      "integrity": "sha512-bZJ4Qt4EyN6+LXJNnUL3jH58PmSgKiokG9JlhcCSzBGTKsbha9m6xW+fHXdsguGmHUpWb2OBW8gBmSYHsF/vlw=="
-    },
-    "@hashicorp/hashi-ga-form-fields": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-ga-form-fields/-/hashi-ga-form-fields-1.0.2.tgz",
-      "integrity": "sha512-nKa5Z+5AiVgY44Q2iij35bybsjMHQdwsBGgm2tvY2vcFuj7GTCyJgA510Vvpvwz86mK+dYwgfJil+rti/b3O8w=="
-    },
-    "@hashicorp/hashi-global-styles": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-global-styles/-/hashi-global-styles-2.0.3.tgz",
-      "integrity": "sha512-p/QmdTmVyNSoBdqFjFkSkOYI0b452AUdKWcj8AevjqAz0nt+l2KSWAtwK1QLwjqvkx+7tp1/1SjmpRMMMxXY8Q=="
-    },
-    "@hashicorp/hashi-hero": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-hero/-/hashi-hero-4.0.0.tgz",
-      "integrity": "sha512-h5gVvlN9zG8szaW2mtm8Mpe052bsvdjNGYw+tM1KNRiI7zrIKy7it40Z2GUf77IWMqnbwpcq8nIjzjTnI0N9SQ=="
-    },
-    "@hashicorp/hashi-image": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-image/-/hashi-image-1.0.5.tgz",
-      "integrity": "sha512-OhInZTOole9Ei6bMghLhae3Imk87ggbrq2elI03k1AunVQQP+GRLhXNnghqjlDiK+GA872S7mP3X8Lg6e1plnQ=="
-    },
-    "@hashicorp/hashi-linked-text-summary-list": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-linked-text-summary-list/-/hashi-linked-text-summary-list-1.0.1.tgz",
-      "integrity": "sha512-IqlyJXusIsmEd8GNY+/0wornUhoGojiZaHPQzX3rplxoKOQWSDYxIPTZGJiHh9fh55dLs/skzii9BYDgPX337A=="
-    },
-    "@hashicorp/hashi-logo-grid": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-logo-grid/-/hashi-logo-grid-2.4.1.tgz",
-      "integrity": "sha512-8klunvdahv2CSt+U4E+gQ1GvFHk0fKwIezUyL4GsiBEy6iYl+CMzPNyv0DxwLH4cV0q6gg7ftDM8v2K6yyuZ1A=="
-    },
-    "@hashicorp/hashi-mega-nav": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-mega-nav/-/hashi-mega-nav-2.0.0.tgz",
-      "integrity": "sha512-fE+bRShjOouhZdCtxcrSsDThPR4Wk5qBCCV/qeWHcNykXq2BTh+8RaO1FAvqhk2oMdTNjT6y02aR1NqsOZIWGw==",
-      "requires": {
-        "@hashicorp/hashi-newsletter-signup-form": "^2.0.0"
-      }
-    },
-    "@hashicorp/hashi-nav": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-nav/-/hashi-nav-1.1.4.tgz",
-      "integrity": "sha512-q+gUSQpPN2Q/DhZmqO0/sXqFVx3hz12TPVtU/UDhsOuE5NTL36+21UP2/rrzvGzSobvk5mwXCpbJ9x2cj31aGA=="
-    },
-    "@hashicorp/hashi-newsletter-signup-form": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-newsletter-signup-form/-/hashi-newsletter-signup-form-2.0.0.tgz",
-      "integrity": "sha512-6KE17g2TmKF20ZE5zAzr9r7VZ3EEXgx15WC7lxoetmGEdO9n3IyqaoKhHwwqAun2wj7/cAxKmn922eh9gciQkQ==",
-      "requires": {
-        "@hashicorp/hashi-privacy-checkbox": "^1.1.1"
-      }
-    },
-    "@hashicorp/hashi-privacy-checkbox": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-privacy-checkbox/-/hashi-privacy-checkbox-1.1.1.tgz",
-      "integrity": "sha512-xk8R1LT8YfPo9meD2lw6hnzfsu38Qj8WROdZcG3mAYedMHGqTBQiRuR21pKfmDcc35wfA51Q7keZixnJeMNinw==",
-      "requires": {
-        "@hashicorp/hashi-boolean-input": "^1.0.3",
-        "@hashicorp/hashi-with-validation": "^1.0.2"
-      }
-    },
-    "@hashicorp/hashi-product-downloader": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-product-downloader/-/hashi-product-downloader-1.0.0.tgz",
-      "integrity": "sha512-cirU8IyczqwhZ2P0mxfVp1dE4BI7k4LMzP9kbfqaum5Kjw9Z1R0DP0FQ/gfn4X7pFu1T5yn9cAolttzO25aJAQ=="
-    },
-    "@hashicorp/hashi-product-subnav": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-product-subnav/-/hashi-product-subnav-1.0.1.tgz",
-      "integrity": "sha512-DGkDnhBCTfMdOIQLmeGnjvgofU+01p7BDDHK1UQEo5yoZPUlW/Zd4R3MkZNUmC/RT/XOzwEVRCEmg2Lv7L6MFg=="
-    },
-    "@hashicorp/hashi-section-header": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-section-header/-/hashi-section-header-5.0.0.tgz",
-      "integrity": "sha512-4Ttwu69COLVm8x/1I4nMSg3Mu8GO/bTJRIOOTQJ2sL+/UOLbiQcTLQ4LySFYRjAkLh2LQM8ntI0lm1bZzshwDg=="
-    },
-    "@hashicorp/hashi-split-cta": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-split-cta/-/hashi-split-cta-1.0.0.tgz",
-      "integrity": "sha512-+sQnHApjvS/+ALb/ja1D2iKxJZ238V0PpTfEBR7/mw5zPqYe6IjtgS/abFKaCRXa/zTAKB+ROFjMTh+BP7p3Mw=="
-    },
-    "@hashicorp/hashi-text-and-content": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-text-and-content/-/hashi-text-and-content-1.1.0.tgz",
-      "integrity": "sha512-klDwU8vxcdxm+tL1caroisjaKDmteN8EYOOM8dpN4+WPZcDH8QIc7SWLVCwcYbXiLQ+z+xi7I7gL5ZAgRf7qIg=="
-    },
-    "@hashicorp/hashi-toggle": {
-      "version": "0.2.3",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-toggle/-/hashi-toggle-0.2.3.tgz",
-      "integrity": "sha512-haUxsXZ+SyPmQvyOcbs72J3vM+oQS6xKYqauIJGLe5g/riJdfrsTWLbePMbgvuXs0piMbxft08q+DreYe4aang=="
-    },
-    "@hashicorp/hashi-use-cases": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-use-cases/-/hashi-use-cases-1.0.1.tgz",
-      "integrity": "sha512-P9YKeNy6L/Dg7VYVh7CgLs9mbqwtX+6N9lnXLg8UVxNCa6OJQCW+0x94JhrfE9eHZ0ITheg3sE62FTy0ujPvCw=="
-    },
-    "@hashicorp/hashi-vertical-text-block-list": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-vertical-text-block-list/-/hashi-vertical-text-block-list-1.0.0.tgz",
-      "integrity": "sha512-o5IDIx9vP4Va922yXjsoPv01s3hz/eFoo52qeMZID+zlxqJlODvHN1kLgiBrTX+4kkK3sDfQlmkkhzvm9KimnA=="
-    },
-    "@hashicorp/hashi-with-validation": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/@hashicorp/hashi-with-validation/-/hashi-with-validation-1.0.2.tgz",
-      "integrity": "sha512-fiXm//tykjwQaH4THs/fBeGrPdUxMEON1jNkU8ZjPbJsV3FIaIi9TSWgZfMZq6tj49dAQ5ULWZF5DApI3ufp0w=="
-    },
-    "@hashicorp/js-utils": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@hashicorp/js-utils/-/js-utils-1.0.1.tgz",
-      "integrity": "sha512-W6Tnae6/bu3dbpaC7lzT5PTZDVKRh2Y5c6Aqt6i6CJQNIeT3b17N4gBpF9H7vJ2PuXnvvjGohgccmUnamfdiqQ=="
-    },
-    "@hashicorp/localstorage-polyfill": {
-      "version": "1.0.12",
-      "resolved": "https://registry.npmjs.org/@hashicorp/localstorage-polyfill/-/localstorage-polyfill-1.0.12.tgz",
-      "integrity": "sha512-wUWfaiEUo+2qcBjzYKwGpjqFsMCcD+Z4egF/2DHL13kvNZgbFMRBgSww0/bmOVq7ovhp3BnMRiHKZvcugRr1OQ=="
-    },
-    "@segment/in-eu": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/@segment/in-eu/-/in-eu-0.2.1.tgz",
-      "integrity": "sha512-7JKBw/l3S9J0ldo/n6XPfd3sT89f300KOCvmZsd8sryVZOWlE4L2LMKT538I34bjRdaOd1aJ52TsOAZUOLqxiQ==",
-      "requires": {
-        "jstz": "^2.0.0"
-      }
-    },
-    "@segment/top-domain": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/@segment/top-domain/-/top-domain-3.0.0.tgz",
-      "integrity": "sha1-AuWlpP1CqfbPiGsF6C8QQBKjw6c=",
-      "requires": {
-        "component-cookie": "^1.1.2",
-        "component-url": "^0.2.1"
-      }
-    },
-    "@types/q": {
-      "version": "1.5.2",
-      "resolved": "https://registry.npmjs.org/@types/q/-/q-1.5.2.tgz",
-      "integrity": "sha512-ce5d3q03Ex0sy4R14722Rmt6MT07Ua+k4FwDfdcToYJcMKNtRVQvJ6JCAPdAmAnbRb6CsX6aYb9m96NGod9uTw==",
-      "dev": true
-    },
-    "abbrev": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
-      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
-    },
-    "accepts": {
-      "version": "1.3.7",
-      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.7.tgz",
-      "integrity": "sha512-Il80Qs2WjYlJIBNzNkK6KYqlVMTbZLXgHx2oT0pU/fjRHyEp+PEfEPY0R3WCwAGVOtauxh1hOxNgIf5bv7dQpA==",
-      "dev": true,
-      "requires": {
-        "mime-types": "~2.1.24",
-        "negotiator": "0.6.2"
-      }
-    },
-    "acorn": {
-      "version": "5.7.3",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz",
-      "integrity": "sha512-T/zvzYRfbVojPWahDsE5evJdHb3oJoQfFbsrKM7w5Zcs++Tr257tia3BmMP8XYVjp1S9RZXQMh7gao96BlqZOw==",
-      "dev": true
-    },
-    "acorn-dynamic-import": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/acorn-dynamic-import/-/acorn-dynamic-import-2.0.2.tgz",
-      "integrity": "sha1-x1K9IQvvZ5UBtsbLf8hPj0cVjMQ=",
-      "dev": true,
-      "requires": {
-        "acorn": "^4.0.3"
-      },
-      "dependencies": {
-        "acorn": {
-          "version": "4.0.13",
-          "resolved": "https://registry.npmjs.org/acorn/-/acorn-4.0.13.tgz",
-          "integrity": "sha1-EFSVrlNh1pe9GVyCUZLhrX8lN4c=",
-          "dev": true
-        }
-      }
-    },
-    "acorn-walk": {
-      "version": "6.2.0",
-      "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-6.2.0.tgz",
-      "integrity": "sha512-7evsyfH1cLOCdAzZAd43Cic04yKydNx0cF+7tiA19p1XnLLPU4dpCQOqpjqwokFe//vS0QqfqqjCS2JkiIs0cA==",
-      "dev": true
-    },
-    "after": {
-      "version": "0.8.2",
-      "resolved": "https://registry.npmjs.org/after/-/after-0.8.2.tgz",
-      "integrity": "sha1-/ts5T58OAqqXaOcCvaI7UF+ufh8=",
-      "dev": true
-    },
-    "ajv": {
-      "version": "6.10.2",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz",
-      "integrity": "sha512-TXtUUEYHuaTEbLZWIKUr5pmBuhDLy+8KYtPYdcV8qC+pOZL+NKqYwvWSRrVXHn+ZmRRAu8vJTAznH7Oag6RVRw==",
-      "dev": true,
-      "requires": {
-        "fast-deep-equal": "^2.0.1",
-        "fast-json-stable-stringify": "^2.0.0",
-        "json-schema-traverse": "^0.4.1",
-        "uri-js": "^4.2.2"
-      }
-    },
-    "ajv-keywords": {
-      "version": "3.4.1",
-      "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.4.1.tgz",
-      "integrity": "sha512-RO1ibKvd27e6FEShVFfPALuHI3WjSVNeK5FIsmme/LYRNxjKuNj+Dt7bucLa6NdSv3JcVTyMlm9kGR84z1XpaQ==",
-      "dev": true
-    },
-    "align-text": {
-      "version": "0.1.4",
-      "resolved": "https://registry.npmjs.org/align-text/-/align-text-0.1.4.tgz",
-      "integrity": "sha1-DNkKVhCT810KmSVsIrcGlDP60Rc=",
-      "dev": true,
-      "requires": {
-        "kind-of": "^3.0.2",
-        "longest": "^1.0.1",
-        "repeat-string": "^1.5.2"
-      },
-      "dependencies": {
-        "kind-of": {
-          "version": "3.2.2",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
-          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
-          "dev": true,
-          "requires": {
-            "is-buffer": "^1.1.5"
-          }
-        }
-      }
-    },
-    "alphanum-sort": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/alphanum-sort/-/alphanum-sort-1.0.2.tgz",
-      "integrity": "sha1-l6ERlkmyEa0zaR2fn0hqjsn74KM=",
-      "dev": true
-    },
-    "ansi-escapes": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-3.2.0.tgz",
-      "integrity": "sha512-cBhpre4ma+U0T1oM5fXg7Dy1Jw7zzwv7lt/GoCpr+hDQJoYnKVPLL4dCvSEFMmQurOQvSrwT7SL/DAlhBI97RQ==",
-      "dev": true
-    },
-    "ansi-regex": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
-      "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=",
-      "dev": true
-    },
-    "ansi-styles": {
-      "version": "3.2.1",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz",
-      "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
-      "requires": {
-        "color-convert": "^1.9.0"
-      }
-    },
-    "anymatch": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-2.0.0.tgz",
-      "integrity": "sha512-5teOsQWABXHHBFP9y3skS5P3d/WfWXpv3FUpy+LorMrNYaT9pI4oLMQX7jzQ2KklNpGpWHzdCXTDT2Y3XGlZBw==",
-      "dev": true,
-      "requires": {
-        "micromatch": "^3.1.4",
-        "normalize-path": "^2.1.1"
-      },
-      "dependencies": {
-        "normalize-path": {
-          "version": "2.1.1",
-          "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-2.1.1.tgz",
-          "integrity": "sha1-GrKLVW4Zg2Oowab35vogE3/mrtk=",
-          "dev": true,
-          "requires": {
-            "remove-trailing-separator": "^1.0.1"
-          }
-        }
-      }
-    },
-    "argparse": {
-      "version": "1.0.10",
-      "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
-      "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
-      "requires": {
-        "sprintf-js": "~1.0.2"
-      }
-    },
-    "arr-diff": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/arr-diff/-/arr-diff-4.0.0.tgz",
-      "integrity": "sha1-1kYQdP6/7HHn4VI1dhoyml3HxSA=",
-      "dev": true
-    },
-    "arr-flatten": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/arr-flatten/-/arr-flatten-1.1.0.tgz",
-      "integrity": "sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg==",
-      "dev": true
-    },
-    "arr-union": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/arr-union/-/arr-union-3.1.0.tgz",
-      "integrity": "sha1-45sJrqne+Gao8gbiiK9jkZuuOcQ=",
-      "dev": true
-    },
-    "array-flatten": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
-      "integrity": "sha1-ml9pkFGx5wczKPKgCJaLZOopVdI=",
-      "dev": true
-    },
-    "array-unique": {
-      "version": "0.3.2",
-      "resolved": "https://registry.npmjs.org/array-unique/-/array-unique-0.3.2.tgz",
-      "integrity": "sha1-qJS3XUvE9s1nnvMkSp/Y9Gri1Cg=",
-      "dev": true
-    },
-    "arraybuffer.slice": {
-      "version": "0.0.7",
-      "resolved": "https://registry.npmjs.org/arraybuffer.slice/-/arraybuffer.slice-0.0.7.tgz",
-      "integrity": "sha512-wGUIVQXuehL5TCqQun8OW81jGzAWycqzFF8lFp+GOM5BXLYj3bKNsYC4daB7n6XjCqxQA/qgTJ+8ANR3acjrog==",
-      "dev": true
-    },
-    "asn1": {
-      "version": "0.2.4",
-      "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.4.tgz",
-      "integrity": "sha512-jxwzQpLQjSmWXgwaCZE9Nz+glAG01yF1QnWgbhGwHI5A6FRIEY6IVqtHhIepHqI7/kyEyQEagBC5mBEFlIYvdg==",
-      "dev": true,
-      "requires": {
-        "safer-buffer": "~2.1.0"
-      }
-    },
-    "asn1.js": {
-      "version": "4.10.1",
-      "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-4.10.1.tgz",
-      "integrity": "sha512-p32cOF5q0Zqs9uBiONKYLm6BClCoBCM5O9JfeUSlnQLBTxYdTK+pW+nXflm8UkKd2UYlEbYz5qEi0JuZR9ckSw==",
-      "dev": true,
-      "requires": {
-        "bn.js": "^4.0.0",
-        "inherits": "^2.0.1",
-        "minimalistic-assert": "^1.0.0"
-      }
-    },
-    "assert": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/assert/-/assert-1.5.0.tgz",
-      "integrity": "sha512-EDsgawzwoun2CZkCgtxJbv392v4nbk9XDD06zI+kQYoBM/3RBWLlEyJARDOmhAAosBjWACEkKL6S+lIZtcAubA==",
-      "dev": true,
-      "requires": {
-        "object-assign": "^4.1.1",
-        "util": "0.10.3"
-      },
-      "dependencies": {
-        "inherits": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.1.tgz",
-          "integrity": "sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE=",
-          "dev": true
-        },
-        "util": {
-          "version": "0.10.3",
-          "resolved": "https://registry.npmjs.org/util/-/util-0.10.3.tgz",
-          "integrity": "sha1-evsa/lCAUkZInj23/g7TeTNqwPk=",
-          "dev": true,
-          "requires": {
-            "inherits": "2.0.1"
-          }
-        }
-      }
-    },
-    "assert-plus": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz",
-      "integrity": "sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=",
-      "dev": true
-    },
-    "assign-symbols": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/assign-symbols/-/assign-symbols-1.0.0.tgz",
-      "integrity": "sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=",
-      "dev": true
-    },
-    "async": {
-      "version": "1.5.2",
-      "resolved": "https://registry.npmjs.org/async/-/async-1.5.2.tgz",
-      "integrity": "sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=",
-      "dev": true
-    },
-    "async-each": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/async-each/-/async-each-1.0.3.tgz",
-      "integrity": "sha512-z/WhQ5FPySLdvREByI2vZiTWwCnF0moMJ1hK9YQwDTHKh6I7/uSckMetoRGb5UBZPC1z0jlw+n/XCgjeH7y1AQ==",
-      "dev": true
-    },
-    "async-each-series": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/async-each-series/-/async-each-series-0.1.1.tgz",
-      "integrity": "sha1-dhfBkXQB/Yykooqtzj266Yr+tDI=",
-      "dev": true
-    },
-    "async-limiter": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/async-limiter/-/async-limiter-1.0.1.tgz",
-      "integrity": "sha512-csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ==",
-      "dev": true
-    },
-    "asynckit": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
-      "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k=",
-      "dev": true
-    },
-    "atob": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/atob/-/atob-2.1.2.tgz",
-      "integrity": "sha512-Wm6ukoaOGJi/73p/cl2GvLjTI5JM1k/O14isD73YML8StrH/7/lRFgmg8nICZgD3bZZvjwCGxtMOD3wWNAu8cg==",
-      "dev": true
-    },
-    "autoprefixer": {
-      "version": "9.3.1",
-      "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-9.3.1.tgz",
-      "integrity": "sha512-DY9gOh8z3tnCbJ13JIWaeQsoYncTGdsrgCceBaQSIL4nvdrLxgbRSBPevg2XbX7u4QCSfLheSJEEIUUSlkbx6Q==",
-      "dev": true,
-      "requires": {
-        "browserslist": "^4.3.3",
-        "caniuse-lite": "^1.0.30000898",
-        "normalize-range": "^0.1.2",
-        "num2fraction": "^1.2.2",
-        "postcss": "^7.0.5",
-        "postcss-value-parser": "^3.3.1"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "aws-sign2": {
-      "version": "0.7.0",
-      "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz",
-      "integrity": "sha1-tG6JCTSpWR8tL2+G1+ap8bP+dqg=",
-      "dev": true
-    },
-    "aws4": {
-      "version": "1.8.0",
-      "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.8.0.tgz",
-      "integrity": "sha512-ReZxvNHIOv88FlT7rxcXIIC0fPt4KZqZbOlivyWtXLt8ESx84zd3kMC6iK5jVeS2qt+g7ftS7ye4fi06X5rtRQ==",
-      "dev": true
-    },
-    "axios": {
-      "version": "0.19.0",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-0.19.0.tgz",
-      "integrity": "sha512-1uvKqKQta3KBxIz14F2v06AEHZ/dIoeKfbTRkK1E5oqjDnuEerLmYTgJB5AiQZHJcljpg1TuRzdjDR06qNk0DQ==",
-      "dev": true,
-      "requires": {
-        "follow-redirects": "1.5.10",
-        "is-buffer": "^2.0.2"
-      },
-      "dependencies": {
-        "is-buffer": {
-          "version": "2.0.4",
-          "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-2.0.4.tgz",
-          "integrity": "sha512-Kq1rokWXOPXWuaMAqZiJW4XxsmD9zGx9q4aePabbn3qCRGedtH7Cm+zV8WETitMfu1wdh+Rvd6w5egwSngUX2A==",
-          "dev": true
-        }
-      }
-    },
-    "babel-code-frame": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz",
-      "integrity": "sha1-Y/1D99weO7fONZR9uP42mj9Yx0s=",
-      "dev": true,
-      "requires": {
-        "chalk": "^1.1.3",
-        "esutils": "^2.0.2",
-        "js-tokens": "^3.0.2"
-      },
-      "dependencies": {
-        "ansi-styles": {
-          "version": "2.2.1",
-          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
-          "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4=",
-          "dev": true
-        },
-        "chalk": {
-          "version": "1.1.3",
-          "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz",
-          "integrity": "sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=",
-          "dev": true,
-          "requires": {
-            "ansi-styles": "^2.2.1",
-            "escape-string-regexp": "^1.0.2",
-            "has-ansi": "^2.0.0",
-            "strip-ansi": "^3.0.0",
-            "supports-color": "^2.0.0"
-          }
-        },
-        "js-tokens": {
-          "version": "3.0.2",
-          "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz",
-          "integrity": "sha1-mGbfOVECEw449/mWvOtlRDIJwls=",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
-          "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=",
-          "dev": true
-        }
-      }
-    },
-    "babel-core": {
-      "version": "6.26.3",
-      "resolved": "https://registry.npmjs.org/babel-core/-/babel-core-6.26.3.tgz",
-      "integrity": "sha512-6jyFLuDmeidKmUEb3NM+/yawG0M2bDZ9Z1qbZP59cyHLz8kYGKYwpJP0UwUKKUiTRNvxfLesJnTedqczP7cTDA==",
-      "dev": true,
-      "requires": {
-        "babel-code-frame": "^6.26.0",
-        "babel-generator": "^6.26.0",
-        "babel-helpers": "^6.24.1",
-        "babel-messages": "^6.23.0",
-        "babel-register": "^6.26.0",
-        "babel-runtime": "^6.26.0",
-        "babel-template": "^6.26.0",
-        "babel-traverse": "^6.26.0",
-        "babel-types": "^6.26.0",
-        "babylon": "^6.18.0",
-        "convert-source-map": "^1.5.1",
-        "debug": "^2.6.9",
-        "json5": "^0.5.1",
-        "lodash": "^4.17.4",
-        "minimatch": "^3.0.4",
-        "path-is-absolute": "^1.0.1",
-        "private": "^0.1.8",
-        "slash": "^1.0.0",
-        "source-map": "^0.5.7"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        }
-      }
-    },
-    "babel-generator": {
-      "version": "6.26.1",
-      "resolved": "https://registry.npmjs.org/babel-generator/-/babel-generator-6.26.1.tgz",
-      "integrity": "sha512-HyfwY6ApZj7BYTcJURpM5tznulaBvyio7/0d4zFOeMPUmfxkCjHocCuoLa2SAGzBI8AREcH3eP3758F672DppA==",
-      "dev": true,
-      "requires": {
-        "babel-messages": "^6.23.0",
-        "babel-runtime": "^6.26.0",
-        "babel-types": "^6.26.0",
-        "detect-indent": "^4.0.0",
-        "jsesc": "^1.3.0",
-        "lodash": "^4.17.4",
-        "source-map": "^0.5.7",
-        "trim-right": "^1.0.1"
-      }
-    },
-    "babel-helper-builder-binary-assignment-operator-visitor": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-builder-binary-assignment-operator-visitor/-/babel-helper-builder-binary-assignment-operator-visitor-6.24.1.tgz",
-      "integrity": "sha1-zORReto1b0IgvK6KAsKzRvmlZmQ=",
-      "dev": true,
-      "requires": {
-        "babel-helper-explode-assignable-expression": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helper-builder-react-jsx": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-helper-builder-react-jsx/-/babel-helper-builder-react-jsx-6.26.0.tgz",
-      "integrity": "sha1-Of+DE7dci2Xc7/HzHTg+D/KkCKA=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.26.0",
-        "babel-types": "^6.26.0",
-        "esutils": "^2.0.2"
-      }
-    },
-    "babel-helper-call-delegate": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-call-delegate/-/babel-helper-call-delegate-6.24.1.tgz",
-      "integrity": "sha1-7Oaqzdx25Bw0YfiL/Fdb0Nqi340=",
-      "dev": true,
-      "requires": {
-        "babel-helper-hoist-variables": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-traverse": "^6.24.1",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helper-define-map": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-helper-define-map/-/babel-helper-define-map-6.26.0.tgz",
-      "integrity": "sha1-pfVtq0GiX5fstJjH66ypgZ+Vvl8=",
-      "dev": true,
-      "requires": {
-        "babel-helper-function-name": "^6.24.1",
-        "babel-runtime": "^6.26.0",
-        "babel-types": "^6.26.0",
-        "lodash": "^4.17.4"
-      }
-    },
-    "babel-helper-explode-assignable-expression": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-explode-assignable-expression/-/babel-helper-explode-assignable-expression-6.24.1.tgz",
-      "integrity": "sha1-8luCz33BBDPFX3BZLVdGQArCLKo=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-traverse": "^6.24.1",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helper-function-name": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-function-name/-/babel-helper-function-name-6.24.1.tgz",
-      "integrity": "sha1-00dbjAPtmCQqJbSDUasYOZ01gKk=",
-      "dev": true,
-      "requires": {
-        "babel-helper-get-function-arity": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1",
-        "babel-traverse": "^6.24.1",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helper-get-function-arity": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-get-function-arity/-/babel-helper-get-function-arity-6.24.1.tgz",
-      "integrity": "sha1-j3eCqpNAfEHTqlCQj4mwMbG2hT0=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helper-hoist-variables": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-hoist-variables/-/babel-helper-hoist-variables-6.24.1.tgz",
-      "integrity": "sha1-HssnaJydJVE+rbyZFKc/VAi+enY=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helper-optimise-call-expression": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-optimise-call-expression/-/babel-helper-optimise-call-expression-6.24.1.tgz",
-      "integrity": "sha1-96E0J7qfc/j0+pk8VKl4gtEkQlc=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helper-regex": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-helper-regex/-/babel-helper-regex-6.26.0.tgz",
-      "integrity": "sha1-MlxZ+QL4LyS3T6zu0DY5VPZJXnI=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.26.0",
-        "babel-types": "^6.26.0",
-        "lodash": "^4.17.4"
-      }
-    },
-    "babel-helper-remap-async-to-generator": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-remap-async-to-generator/-/babel-helper-remap-async-to-generator-6.24.1.tgz",
-      "integrity": "sha1-XsWBgnrXI/7N04HxySg5BnbkVRs=",
-      "dev": true,
-      "requires": {
-        "babel-helper-function-name": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1",
-        "babel-traverse": "^6.24.1",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helper-replace-supers": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helper-replace-supers/-/babel-helper-replace-supers-6.24.1.tgz",
-      "integrity": "sha1-v22/5Dk40XNpohPKiov3S2qQqxo=",
-      "dev": true,
-      "requires": {
-        "babel-helper-optimise-call-expression": "^6.24.1",
-        "babel-messages": "^6.23.0",
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1",
-        "babel-traverse": "^6.24.1",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-helpers": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-helpers/-/babel-helpers-6.24.1.tgz",
-      "integrity": "sha1-NHHenK7DiOXIUOWX5Yom3fN2ArI=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1"
-      }
-    },
-    "babel-loader": {
-      "version": "7.1.5",
-      "resolved": "https://registry.npmjs.org/babel-loader/-/babel-loader-7.1.5.tgz",
-      "integrity": "sha512-iCHfbieL5d1LfOQeeVJEUyD9rTwBcP/fcEbRCfempxTDuqrKpu0AZjLAQHEQa3Yqyj9ORKe2iHfoj4rHLf7xpw==",
-      "dev": true,
-      "requires": {
-        "find-cache-dir": "^1.0.0",
-        "loader-utils": "^1.0.2",
-        "mkdirp": "^0.5.1"
-      }
-    },
-    "babel-messages": {
-      "version": "6.23.0",
-      "resolved": "https://registry.npmjs.org/babel-messages/-/babel-messages-6.23.0.tgz",
-      "integrity": "sha1-8830cDhYA1sqKVHG7F7fbGLyYw4=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-check-es2015-constants": {
-      "version": "6.22.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-check-es2015-constants/-/babel-plugin-check-es2015-constants-6.22.0.tgz",
-      "integrity": "sha1-NRV7EBQm/S/9PaP3XH0ekYNbv4o=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-emotion": {
-      "version": "9.2.11",
-      "resolved": "https://registry.npmjs.org/babel-plugin-emotion/-/babel-plugin-emotion-9.2.11.tgz",
-      "integrity": "sha512-dgCImifnOPPSeXod2znAmgc64NhaaOjGEHROR/M+lmStb3841yK1sgaDYAYMnlvWNz8GnpwIPN0VmNpbWYZ+VQ==",
-      "requires": {
-        "@babel/helper-module-imports": "^7.0.0",
-        "@emotion/babel-utils": "^0.6.4",
-        "@emotion/hash": "^0.6.2",
-        "@emotion/memoize": "^0.6.1",
-        "@emotion/stylis": "^0.7.0",
-        "babel-plugin-macros": "^2.0.0",
-        "babel-plugin-syntax-jsx": "^6.18.0",
-        "convert-source-map": "^1.5.0",
-        "find-root": "^1.1.0",
-        "mkdirp": "^0.5.1",
-        "source-map": "^0.5.7",
-        "touch": "^2.0.1"
-      }
-    },
-    "babel-plugin-macros": {
-      "version": "2.6.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-macros/-/babel-plugin-macros-2.6.1.tgz",
-      "integrity": "sha512-6W2nwiXme6j1n2erPOnmRiWfObUhWH7Qw1LMi9XZy8cj+KtESu3T6asZvtk5bMQQjX8te35o7CFueiSdL/2NmQ==",
-      "requires": {
-        "@babel/runtime": "^7.4.2",
-        "cosmiconfig": "^5.2.0",
-        "resolve": "^1.10.0"
-      }
-    },
-    "babel-plugin-syntax-async-functions": {
-      "version": "6.13.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz",
-      "integrity": "sha1-ytnK0RkbWtY0vzCuCHI5HgZHvpU=",
-      "dev": true
-    },
-    "babel-plugin-syntax-dynamic-import": {
-      "version": "6.18.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-dynamic-import/-/babel-plugin-syntax-dynamic-import-6.18.0.tgz",
-      "integrity": "sha1-jWomIpyDdFqZgqRBBRVyyqF5sdo=",
-      "dev": true
-    },
-    "babel-plugin-syntax-exponentiation-operator": {
-      "version": "6.13.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-exponentiation-operator/-/babel-plugin-syntax-exponentiation-operator-6.13.0.tgz",
-      "integrity": "sha1-nufoM3KQ2pUoggGmpX9BcDF4MN4=",
-      "dev": true
-    },
-    "babel-plugin-syntax-jsx": {
-      "version": "6.18.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-jsx/-/babel-plugin-syntax-jsx-6.18.0.tgz",
-      "integrity": "sha1-CvMqmm4Tyno/1QaeYtew9Y0NiUY="
-    },
-    "babel-plugin-syntax-trailing-function-commas": {
-      "version": "6.22.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-trailing-function-commas/-/babel-plugin-syntax-trailing-function-commas-6.22.0.tgz",
-      "integrity": "sha1-ugNgk3+NBuQBgKQ/4NVhb/9TLPM=",
-      "dev": true
-    },
-    "babel-plugin-transform-async-to-generator": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-async-to-generator/-/babel-plugin-transform-async-to-generator-6.24.1.tgz",
-      "integrity": "sha1-ZTbjeK/2yx1VF6wOQOs+n8jQh2E=",
-      "dev": true,
-      "requires": {
-        "babel-helper-remap-async-to-generator": "^6.24.1",
-        "babel-plugin-syntax-async-functions": "^6.8.0",
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-arrow-functions": {
-      "version": "6.22.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-arrow-functions/-/babel-plugin-transform-es2015-arrow-functions-6.22.0.tgz",
-      "integrity": "sha1-RSaSy3EdX3ncf4XkQM5BufJE0iE=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-block-scoped-functions": {
-      "version": "6.22.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoped-functions/-/babel-plugin-transform-es2015-block-scoped-functions-6.22.0.tgz",
-      "integrity": "sha1-u8UbSflk1wy42OC5ToICRs46YUE=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-block-scoping": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoping/-/babel-plugin-transform-es2015-block-scoping-6.26.0.tgz",
-      "integrity": "sha1-1w9SmcEwjQXBL0Y4E7CgnnOxiV8=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.26.0",
-        "babel-template": "^6.26.0",
-        "babel-traverse": "^6.26.0",
-        "babel-types": "^6.26.0",
-        "lodash": "^4.17.4"
-      }
-    },
-    "babel-plugin-transform-es2015-classes": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-classes/-/babel-plugin-transform-es2015-classes-6.24.1.tgz",
-      "integrity": "sha1-WkxYpQyclGHlZLSyo7+ryXolhNs=",
-      "dev": true,
-      "requires": {
-        "babel-helper-define-map": "^6.24.1",
-        "babel-helper-function-name": "^6.24.1",
-        "babel-helper-optimise-call-expression": "^6.24.1",
-        "babel-helper-replace-supers": "^6.24.1",
-        "babel-messages": "^6.23.0",
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1",
-        "babel-traverse": "^6.24.1",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-computed-properties": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-computed-properties/-/babel-plugin-transform-es2015-computed-properties-6.24.1.tgz",
-      "integrity": "sha1-b+Ko0WiV1WNPTNmZttNICjCBWbM=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-destructuring": {
-      "version": "6.23.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-destructuring/-/babel-plugin-transform-es2015-destructuring-6.23.0.tgz",
-      "integrity": "sha1-mXux8auWf2gtKwh2/jWNYOdlxW0=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-duplicate-keys": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-duplicate-keys/-/babel-plugin-transform-es2015-duplicate-keys-6.24.1.tgz",
-      "integrity": "sha1-c+s9MQypaePvnskcU3QabxV2Qj4=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-for-of": {
-      "version": "6.23.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-for-of/-/babel-plugin-transform-es2015-for-of-6.23.0.tgz",
-      "integrity": "sha1-9HyVsrYT3x0+zC/bdXNiPHUkhpE=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-function-name": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-function-name/-/babel-plugin-transform-es2015-function-name-6.24.1.tgz",
-      "integrity": "sha1-g0yJhTvDaxrw86TF26qU/Y6sqos=",
-      "dev": true,
-      "requires": {
-        "babel-helper-function-name": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-literals": {
-      "version": "6.22.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-literals/-/babel-plugin-transform-es2015-literals-6.22.0.tgz",
-      "integrity": "sha1-T1SgLWzWbPkVKAAZox0xklN3yi4=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-modules-amd": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-amd/-/babel-plugin-transform-es2015-modules-amd-6.24.1.tgz",
-      "integrity": "sha1-Oz5UAXI5hC1tGcMBHEvS8AoA0VQ=",
-      "dev": true,
-      "requires": {
-        "babel-plugin-transform-es2015-modules-commonjs": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-modules-commonjs": {
-      "version": "6.26.2",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-commonjs/-/babel-plugin-transform-es2015-modules-commonjs-6.26.2.tgz",
-      "integrity": "sha512-CV9ROOHEdrjcwhIaJNBGMBCodN+1cfkwtM1SbUHmvyy35KGT7fohbpOxkE2uLz1o6odKK2Ck/tz47z+VqQfi9Q==",
-      "dev": true,
-      "requires": {
-        "babel-plugin-transform-strict-mode": "^6.24.1",
-        "babel-runtime": "^6.26.0",
-        "babel-template": "^6.26.0",
-        "babel-types": "^6.26.0"
-      }
-    },
-    "babel-plugin-transform-es2015-modules-systemjs": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-systemjs/-/babel-plugin-transform-es2015-modules-systemjs-6.24.1.tgz",
-      "integrity": "sha1-/4mhQrkRmpBhlfXxBuzzBdlAfSM=",
-      "dev": true,
-      "requires": {
-        "babel-helper-hoist-variables": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-modules-umd": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-umd/-/babel-plugin-transform-es2015-modules-umd-6.24.1.tgz",
-      "integrity": "sha1-rJl+YoXNGO1hdq22B9YCNErThGg=",
-      "dev": true,
-      "requires": {
-        "babel-plugin-transform-es2015-modules-amd": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-object-super": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-object-super/-/babel-plugin-transform-es2015-object-super-6.24.1.tgz",
-      "integrity": "sha1-JM72muIcuDp/hgPa0CH1cusnj40=",
-      "dev": true,
-      "requires": {
-        "babel-helper-replace-supers": "^6.24.1",
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-parameters": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-parameters/-/babel-plugin-transform-es2015-parameters-6.24.1.tgz",
-      "integrity": "sha1-V6w1GrScrxSpfNE7CfZv3wpiXys=",
-      "dev": true,
-      "requires": {
-        "babel-helper-call-delegate": "^6.24.1",
-        "babel-helper-get-function-arity": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-template": "^6.24.1",
-        "babel-traverse": "^6.24.1",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-shorthand-properties": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-shorthand-properties/-/babel-plugin-transform-es2015-shorthand-properties-6.24.1.tgz",
-      "integrity": "sha1-JPh11nIch2YbvZmkYi5R8U3jiqA=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-spread": {
-      "version": "6.22.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-spread/-/babel-plugin-transform-es2015-spread-6.22.0.tgz",
-      "integrity": "sha1-1taKmfia7cRTbIGlQujdnxdG+NE=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-sticky-regex": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-sticky-regex/-/babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz",
-      "integrity": "sha1-AMHNsaynERLN8M9hJsLta0V8zbw=",
-      "dev": true,
-      "requires": {
-        "babel-helper-regex": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-plugin-transform-es2015-template-literals": {
-      "version": "6.22.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-template-literals/-/babel-plugin-transform-es2015-template-literals-6.22.0.tgz",
-      "integrity": "sha1-qEs0UPfp+PH2g51taH2oS7EjbY0=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-typeof-symbol": {
-      "version": "6.23.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-typeof-symbol/-/babel-plugin-transform-es2015-typeof-symbol-6.23.0.tgz",
-      "integrity": "sha1-3sCfHN3/lLUqxz1QXITfWdzOs3I=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-es2015-unicode-regex": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-unicode-regex/-/babel-plugin-transform-es2015-unicode-regex-6.24.1.tgz",
-      "integrity": "sha1-04sS9C6nMj9yk4fxinxa4frrNek=",
-      "dev": true,
-      "requires": {
-        "babel-helper-regex": "^6.24.1",
-        "babel-runtime": "^6.22.0",
-        "regexpu-core": "^2.0.0"
-      }
-    },
-    "babel-plugin-transform-exponentiation-operator": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-exponentiation-operator/-/babel-plugin-transform-exponentiation-operator-6.24.1.tgz",
-      "integrity": "sha1-KrDJx/MJj6SJB3cruBP+QejeOg4=",
-      "dev": true,
-      "requires": {
-        "babel-helper-builder-binary-assignment-operator-visitor": "^6.24.1",
-        "babel-plugin-syntax-exponentiation-operator": "^6.8.0",
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-react-jsx": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-react-jsx/-/babel-plugin-transform-react-jsx-6.24.1.tgz",
-      "integrity": "sha1-hAoCjn30YN/DotKfDA2R9jduZqM=",
-      "dev": true,
-      "requires": {
-        "babel-helper-builder-react-jsx": "^6.24.1",
-        "babel-plugin-syntax-jsx": "^6.8.0",
-        "babel-runtime": "^6.22.0"
-      }
-    },
-    "babel-plugin-transform-regenerator": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-regenerator/-/babel-plugin-transform-regenerator-6.26.0.tgz",
-      "integrity": "sha1-4HA2lvveJ/Cj78rPi03KL3s6jy8=",
-      "dev": true,
-      "requires": {
-        "regenerator-transform": "^0.10.0"
-      }
-    },
-    "babel-plugin-transform-strict-mode": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/babel-plugin-transform-strict-mode/-/babel-plugin-transform-strict-mode-6.24.1.tgz",
-      "integrity": "sha1-1fr3qleKZbvlkc9e2uBKDGcCB1g=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.22.0",
-        "babel-types": "^6.24.1"
-      }
-    },
-    "babel-preset-env": {
-      "version": "1.7.0",
-      "resolved": "https://registry.npmjs.org/babel-preset-env/-/babel-preset-env-1.7.0.tgz",
-      "integrity": "sha512-9OR2afuKDneX2/q2EurSftUYM0xGu4O2D9adAhVfADDhrYDaxXV0rBbevVYoY9n6nyX1PmQW/0jtpJvUNr9CHg==",
-      "dev": true,
-      "requires": {
-        "babel-plugin-check-es2015-constants": "^6.22.0",
-        "babel-plugin-syntax-trailing-function-commas": "^6.22.0",
-        "babel-plugin-transform-async-to-generator": "^6.22.0",
-        "babel-plugin-transform-es2015-arrow-functions": "^6.22.0",
-        "babel-plugin-transform-es2015-block-scoped-functions": "^6.22.0",
-        "babel-plugin-transform-es2015-block-scoping": "^6.23.0",
-        "babel-plugin-transform-es2015-classes": "^6.23.0",
-        "babel-plugin-transform-es2015-computed-properties": "^6.22.0",
-        "babel-plugin-transform-es2015-destructuring": "^6.23.0",
-        "babel-plugin-transform-es2015-duplicate-keys": "^6.22.0",
-        "babel-plugin-transform-es2015-for-of": "^6.23.0",
-        "babel-plugin-transform-es2015-function-name": "^6.22.0",
-        "babel-plugin-transform-es2015-literals": "^6.22.0",
-        "babel-plugin-transform-es2015-modules-amd": "^6.22.0",
-        "babel-plugin-transform-es2015-modules-commonjs": "^6.23.0",
-        "babel-plugin-transform-es2015-modules-systemjs": "^6.23.0",
-        "babel-plugin-transform-es2015-modules-umd": "^6.23.0",
-        "babel-plugin-transform-es2015-object-super": "^6.22.0",
-        "babel-plugin-transform-es2015-parameters": "^6.23.0",
-        "babel-plugin-transform-es2015-shorthand-properties": "^6.22.0",
-        "babel-plugin-transform-es2015-spread": "^6.22.0",
-        "babel-plugin-transform-es2015-sticky-regex": "^6.22.0",
-        "babel-plugin-transform-es2015-template-literals": "^6.22.0",
-        "babel-plugin-transform-es2015-typeof-symbol": "^6.23.0",
-        "babel-plugin-transform-es2015-unicode-regex": "^6.22.0",
-        "babel-plugin-transform-exponentiation-operator": "^6.22.0",
-        "babel-plugin-transform-regenerator": "^6.22.0",
-        "browserslist": "^3.2.6",
-        "invariant": "^2.2.2",
-        "semver": "^5.3.0"
-      },
-      "dependencies": {
-        "browserslist": {
-          "version": "3.2.8",
-          "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-3.2.8.tgz",
-          "integrity": "sha512-WHVocJYavUwVgVViC0ORikPHQquXwVh939TaelZ4WDqpWgTX/FsGhl/+P4qBUAGcRvtOgDgC+xftNWWp2RUTAQ==",
-          "dev": true,
-          "requires": {
-            "caniuse-lite": "^1.0.30000844",
-            "electron-to-chromium": "^1.3.47"
-          }
-        }
-      }
-    },
-    "babel-preset-preact": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/babel-preset-preact/-/babel-preset-preact-1.1.0.tgz",
-      "integrity": "sha1-NaxlWnOkm4Q4FjzgU4Fld+GYCGE=",
-      "dev": true,
-      "requires": {
-        "babel-plugin-syntax-jsx": "^6.0.2",
-        "babel-plugin-transform-react-jsx": "^6.0.2"
-      }
-    },
-    "babel-register": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-register/-/babel-register-6.26.0.tgz",
-      "integrity": "sha1-btAhFz4vy0htestFxgCahW9kcHE=",
-      "dev": true,
-      "requires": {
-        "babel-core": "^6.26.0",
-        "babel-runtime": "^6.26.0",
-        "core-js": "^2.5.0",
-        "home-or-tmp": "^2.0.0",
-        "lodash": "^4.17.4",
-        "mkdirp": "^0.5.1",
-        "source-map-support": "^0.4.15"
-      }
-    },
-    "babel-runtime": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
-      "integrity": "sha1-llxwWGaOgrVde/4E/yM3vItWR/4=",
-      "requires": {
-        "core-js": "^2.4.0",
-        "regenerator-runtime": "^0.11.0"
-      }
-    },
-    "babel-template": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-template/-/babel-template-6.26.0.tgz",
-      "integrity": "sha1-3gPi0WOWsGn0bdn/+FIfsaDjXgI=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.26.0",
-        "babel-traverse": "^6.26.0",
-        "babel-types": "^6.26.0",
-        "babylon": "^6.18.0",
-        "lodash": "^4.17.4"
-      }
-    },
-    "babel-traverse": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz",
-      "integrity": "sha1-RqnL1+3MYsjlwGTi0tjQ9ANXZu4=",
-      "dev": true,
-      "requires": {
-        "babel-code-frame": "^6.26.0",
-        "babel-messages": "^6.23.0",
-        "babel-runtime": "^6.26.0",
-        "babel-types": "^6.26.0",
-        "babylon": "^6.18.0",
-        "debug": "^2.6.8",
-        "globals": "^9.18.0",
-        "invariant": "^2.2.2",
-        "lodash": "^4.17.4"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        }
-      }
-    },
-    "babel-types": {
-      "version": "6.26.0",
-      "resolved": "https://registry.npmjs.org/babel-types/-/babel-types-6.26.0.tgz",
-      "integrity": "sha1-o7Bz+Uq0nrb6Vc1lInozQ4BjJJc=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.26.0",
-        "esutils": "^2.0.2",
-        "lodash": "^4.17.4",
-        "to-fast-properties": "^1.0.3"
-      },
-      "dependencies": {
-        "to-fast-properties": {
-          "version": "1.0.3",
-          "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-1.0.3.tgz",
-          "integrity": "sha1-uDVx+k2MJbguIxsG46MFXeTKGkc=",
-          "dev": true
-        }
-      }
-    },
-    "babylon": {
-      "version": "6.18.0",
-      "resolved": "https://registry.npmjs.org/babylon/-/babylon-6.18.0.tgz",
-      "integrity": "sha512-q/UEjfGJ2Cm3oKV71DJz9d25TPnq5rhBVL2Q4fA5wcC3jcrdn7+SssEybFIxwAvvP+YCsCYNKughoF33GxgycQ==",
-      "dev": true
-    },
-    "babylon-walk": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/babylon-walk/-/babylon-walk-1.0.2.tgz",
-      "integrity": "sha1-OxWl3btIKni0zpwByLoYFwLZ1s4=",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.11.6",
-        "babel-types": "^6.15.0",
-        "lodash.clone": "^4.5.0"
-      }
-    },
-    "backo2": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/backo2/-/backo2-1.0.2.tgz",
-      "integrity": "sha1-MasayLEpNjRj41s+u2n038+6eUc=",
-      "dev": true
-    },
-    "balanced-match": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
-      "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=",
-      "dev": true
-    },
-    "base": {
-      "version": "0.11.2",
-      "resolved": "https://registry.npmjs.org/base/-/base-0.11.2.tgz",
-      "integrity": "sha512-5T6P4xPgpp0YDFvSWwEZ4NoE3aM4QBQXDzmVbraCkFj8zHM+mba8SyqB5DbZWyR7mYHo6Y7BdQo3MoA4m0TeQg==",
-      "dev": true,
-      "requires": {
-        "cache-base": "^1.0.1",
-        "class-utils": "^0.3.5",
-        "component-emitter": "^1.2.1",
-        "define-property": "^1.0.0",
-        "isobject": "^3.0.1",
-        "mixin-deep": "^1.2.0",
-        "pascalcase": "^0.1.1"
-      },
-      "dependencies": {
-        "define-property": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz",
-          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
-          "dev": true,
-          "requires": {
-            "is-descriptor": "^1.0.0"
-          }
-        },
-        "is-accessor-descriptor": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz",
-          "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
-          "dev": true,
-          "requires": {
-            "kind-of": "^6.0.0"
-          }
-        },
-        "is-data-descriptor": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz",
-          "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
-          "dev": true,
-          "requires": {
-            "kind-of": "^6.0.0"
-          }
-        },
-        "is-descriptor": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz",
-          "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
-          "dev": true,
-          "requires": {
-            "is-accessor-descriptor": "^1.0.0",
-            "is-data-descriptor": "^1.0.0",
-            "kind-of": "^6.0.2"
-          }
-        }
-      }
-    },
-    "base64-arraybuffer": {
-      "version": "0.1.5",
-      "resolved": "https://registry.npmjs.org/base64-arraybuffer/-/base64-arraybuffer-0.1.5.tgz",
-      "integrity": "sha1-c5JncZI7Whl0etZmqlzUv5xunOg=",
-      "dev": true
-    },
-    "base64-js": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.3.1.tgz",
-      "integrity": "sha512-mLQ4i2QO1ytvGWFWmcngKO//JXAQueZvwEKtjgQFM4jIK0kU+ytMfplL8j+n5mspOfjHwoAg+9yhb7BwAHm36g==",
-      "dev": true
-    },
-    "base64id": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/base64id/-/base64id-1.0.0.tgz",
-      "integrity": "sha1-R2iMuZu2gE8OBtPnY7HDLlfY5rY=",
-      "dev": true
-    },
-    "batch": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/batch/-/batch-0.6.1.tgz",
-      "integrity": "sha1-3DQxT05nkxgJP8dgJyUl+UvyXBY=",
-      "dev": true
-    },
-    "bcrypt-pbkdf": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz",
-      "integrity": "sha1-pDAdOJtqQ/m2f/PKEaP2Y342Dp4=",
-      "dev": true,
-      "requires": {
-        "tweetnacl": "^0.14.3"
-      }
-    },
-    "better-assert": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/better-assert/-/better-assert-1.0.2.tgz",
-      "integrity": "sha1-QIZrnhueC1W0gYlDEeaPr/rrxSI=",
-      "dev": true,
-      "requires": {
-        "callsite": "1.0.0"
-      }
-    },
-    "bfj": {
-      "version": "6.1.2",
-      "resolved": "https://registry.npmjs.org/bfj/-/bfj-6.1.2.tgz",
-      "integrity": "sha512-BmBJa4Lip6BPRINSZ0BPEIfB1wUY/9rwbwvIHQA1KjX9om29B6id0wnWXq7m3bn5JrUVjeOTnVuhPT1FiHwPGw==",
-      "dev": true,
-      "requires": {
-        "bluebird": "^3.5.5",
-        "check-types": "^8.0.3",
-        "hoopy": "^0.1.4",
-        "tryer": "^1.0.1"
-      }
-    },
-    "big.js": {
-      "version": "5.2.2",
-      "resolved": "https://registry.npmjs.org/big.js/-/big.js-5.2.2.tgz",
-      "integrity": "sha512-vyL2OymJxmarO8gxMr0mhChsO9QGwhynfuu4+MHTAW6czfq9humCB7rKpUjDd9YUiDPU4mzpyupFSvOClAwbmQ==",
-      "dev": true
-    },
-    "binary-extensions": {
-      "version": "1.13.1",
-      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-1.13.1.tgz",
-      "integrity": "sha512-Un7MIEDdUC5gNpcGDV97op1Ywk748MpHcFTHoYs6qnj1Z3j7I53VG3nwZhKzoBZmbdRNnb6WRdFlwl7tSDuZGw==",
-      "dev": true
-    },
-    "blob": {
-      "version": "0.0.5",
-      "resolved": "https://registry.npmjs.org/blob/-/blob-0.0.5.tgz",
-      "integrity": "sha512-gaqbzQPqOoamawKg0LGVd7SzLgXS+JH61oWprSLH+P+abTczqJbhTR8CmJ2u9/bUYNmHTGJx/UEmn6doAvvuig==",
-      "dev": true
-    },
-    "bluebird": {
-      "version": "3.7.1",
-      "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.7.1.tgz",
-      "integrity": "sha512-DdmyoGCleJnkbp3nkbxTLJ18rjDsE4yCggEwKNXkeV123sPNfOCYeDoeuOY+F2FrSjO1YXcTU+dsy96KMy+gcg==",
-      "dev": true
-    },
-    "bn.js": {
-      "version": "4.11.8",
-      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.8.tgz",
-      "integrity": "sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA==",
-      "dev": true
-    },
-    "body-parser": {
-      "version": "1.19.0",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz",
-      "integrity": "sha512-dhEPs72UPbDnAQJ9ZKMNTP6ptJaionhP5cBb541nXPlW60Jepo9RV/a4fX4XWW9CuFNK22krhrj1+rgzifNCsw==",
-      "dev": true,
-      "requires": {
-        "bytes": "3.1.0",
-        "content-type": "~1.0.4",
-        "debug": "2.6.9",
-        "depd": "~1.1.2",
-        "http-errors": "1.7.2",
-        "iconv-lite": "0.4.24",
-        "on-finished": "~2.3.0",
-        "qs": "6.7.0",
-        "raw-body": "2.4.0",
-        "type-is": "~1.6.17"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "http-errors": {
-          "version": "1.7.2",
-          "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.2.tgz",
-          "integrity": "sha512-uUQBt3H/cSIVfch6i1EuPNy/YsRSOUBXTVfZ+yR7Zjez3qjBz6i9+i4zjNaoqcoFVI4lQJ5plg63TvGfRSDCRg==",
-          "dev": true,
-          "requires": {
-            "depd": "~1.1.2",
-            "inherits": "2.0.3",
-            "setprototypeof": "1.1.1",
-            "statuses": ">= 1.5.0 < 2",
-            "toidentifier": "1.0.0"
-          }
-        },
-        "inherits": {
-          "version": "2.0.3",
-          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
-          "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=",
-          "dev": true
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        },
-        "qs": {
-          "version": "6.7.0",
-          "resolved": "https://registry.npmjs.org/qs/-/qs-6.7.0.tgz",
-          "integrity": "sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ==",
-          "dev": true
-        },
-        "raw-body": {
-          "version": "2.4.0",
-          "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.4.0.tgz",
-          "integrity": "sha512-4Oz8DUIwdvoa5qMJelxipzi/iJIi40O5cGV1wNYp5hvZP8ZN0T+jiNkL0QepXs+EsQ9XJ8ipEDoiH70ySUJP3Q==",
-          "dev": true,
-          "requires": {
-            "bytes": "3.1.0",
-            "http-errors": "1.7.2",
-            "iconv-lite": "0.4.24",
-            "unpipe": "1.0.0"
-          }
-        },
-        "statuses": {
-          "version": "1.5.0",
-          "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
-          "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=",
-          "dev": true
-        }
-      }
-    },
-    "boolbase": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/boolbase/-/boolbase-1.0.0.tgz",
-      "integrity": "sha1-aN/1++YMUes3cl6p4+0xDcwed24=",
-      "dev": true
-    },
-    "brace-expansion": {
-      "version": "1.1.11",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
-      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
-      "dev": true,
-      "requires": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
-      }
-    },
-    "braces": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-2.3.2.tgz",
-      "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==",
-      "dev": true,
-      "requires": {
-        "arr-flatten": "^1.1.0",
-        "array-unique": "^0.3.2",
-        "extend-shallow": "^2.0.1",
-        "fill-range": "^4.0.0",
-        "isobject": "^3.0.1",
-        "repeat-element": "^1.1.2",
-        "snapdragon": "^0.8.1",
-        "snapdragon-node": "^2.0.1",
-        "split-string": "^3.0.2",
-        "to-regex": "^3.0.1"
-      },
-      "dependencies": {
-        "extend-shallow": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
-          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
-          "dev": true,
-          "requires": {
-            "is-extendable": "^0.1.0"
-          }
-        }
-      }
-    },
-    "brorand": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/brorand/-/brorand-1.1.0.tgz",
-      "integrity": "sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=",
-      "dev": true
-    },
-    "browser-sync": {
-      "version": "2.26.7",
-      "resolved": "https://registry.npmjs.org/browser-sync/-/browser-sync-2.26.7.tgz",
-      "integrity": "sha512-lY3emme0OyvA2ujEMpRmyRy9LY6gHLuTr2/ABxhIm3lADOiRXzP4dgekvnDrQqZ/Ec2Fz19lEjm6kglSG5766w==",
-      "dev": true,
-      "requires": {
-        "browser-sync-client": "^2.26.6",
-        "browser-sync-ui": "^2.26.4",
-        "bs-recipes": "1.3.4",
-        "bs-snippet-injector": "^2.0.1",
-        "chokidar": "^2.0.4",
-        "connect": "3.6.6",
-        "connect-history-api-fallback": "^1",
-        "dev-ip": "^1.0.1",
-        "easy-extender": "^2.3.4",
-        "eazy-logger": "^3",
-        "etag": "^1.8.1",
-        "fresh": "^0.5.2",
-        "fs-extra": "3.0.1",
-        "http-proxy": "1.15.2",
-        "immutable": "^3",
-        "localtunnel": "1.9.2",
-        "micromatch": "^3.1.10",
-        "opn": "5.3.0",
-        "portscanner": "2.1.1",
-        "qs": "6.2.3",
-        "raw-body": "^2.3.2",
-        "resp-modifier": "6.0.2",
-        "rx": "4.1.0",
-        "send": "0.16.2",
-        "serve-index": "1.9.1",
-        "serve-static": "1.13.2",
-        "server-destroy": "1.0.1",
-        "socket.io": "2.1.1",
-        "ua-parser-js": "0.7.17",
-        "yargs": "6.4.0"
-      }
-    },
-    "browser-sync-client": {
-      "version": "2.26.6",
-      "resolved": "https://registry.npmjs.org/browser-sync-client/-/browser-sync-client-2.26.6.tgz",
-      "integrity": "sha512-mGrkZdNzttKdf/16I+y+2dTQxoMCIpKbVIMJ/uP8ZpnKu9f9qa/2CYVtLtbjZG8nsM14EwiCrjuFTGBEnT3Gjw==",
-      "dev": true,
-      "requires": {
-        "etag": "1.8.1",
-        "fresh": "0.5.2",
-        "mitt": "^1.1.3",
-        "rxjs": "^5.5.6"
-      }
-    },
-    "browser-sync-ui": {
-      "version": "2.26.4",
-      "resolved": "https://registry.npmjs.org/browser-sync-ui/-/browser-sync-ui-2.26.4.tgz",
-      "integrity": "sha512-u20P3EsZoM8Pt+puoi3BU3KlbQAH1lAcV+/O4saF26qokrBqIDotmGonfWwoRbUmdxZkM9MBmA0K39ZTG1h4sA==",
-      "dev": true,
-      "requires": {
-        "async-each-series": "0.1.1",
-        "connect-history-api-fallback": "^1",
-        "immutable": "^3",
-        "server-destroy": "1.0.1",
-        "socket.io-client": "^2.0.4",
-        "stream-throttle": "^0.1.3"
-      }
-    },
-    "browser-sync-webpack-plugin": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/browser-sync-webpack-plugin/-/browser-sync-webpack-plugin-1.2.0.tgz",
-      "integrity": "sha512-kPM7BjcZHRa5UjBIdyQbC4HoGprHoZpzlsPDb2P+UaCSmnjonLC3Z9vQBtSmJDghU0KuijkHZ/eLvKF1AyO7zg==",
-      "dev": true,
-      "requires": {
-        "lodash": "^4"
-      }
-    },
-    "browserify-aes": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/browserify-aes/-/browserify-aes-1.2.0.tgz",
-      "integrity": "sha512-+7CHXqGuspUn/Sl5aO7Ea0xWGAtETPXNSAjHo48JfLdPWcMng33Xe4znFvQweqc/uzk5zSOI3H52CYnjCfb5hA==",
-      "dev": true,
-      "requires": {
-        "buffer-xor": "^1.0.3",
-        "cipher-base": "^1.0.0",
-        "create-hash": "^1.1.0",
-        "evp_bytestokey": "^1.0.3",
-        "inherits": "^2.0.1",
-        "safe-buffer": "^5.0.1"
-      }
-    },
-    "browserify-cipher": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/browserify-cipher/-/browserify-cipher-1.0.1.tgz",
-      "integrity": "sha512-sPhkz0ARKbf4rRQt2hTpAHqn47X3llLkUGn+xEJzLjwY8LRs2p0v7ljvI5EyoRO/mexrNunNECisZs+gw2zz1w==",
-      "dev": true,
-      "requires": {
-        "browserify-aes": "^1.0.4",
-        "browserify-des": "^1.0.0",
-        "evp_bytestokey": "^1.0.0"
-      }
-    },
-    "browserify-des": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/browserify-des/-/browserify-des-1.0.2.tgz",
-      "integrity": "sha512-BioO1xf3hFwz4kc6iBhI3ieDFompMhrMlnDFC4/0/vd5MokpuAc3R+LYbwTA9A5Yc9pq9UYPqffKpW2ObuwX5A==",
-      "dev": true,
-      "requires": {
-        "cipher-base": "^1.0.1",
-        "des.js": "^1.0.0",
-        "inherits": "^2.0.1",
-        "safe-buffer": "^5.1.2"
-      }
-    },
-    "browserify-rsa": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/browserify-rsa/-/browserify-rsa-4.0.1.tgz",
-      "integrity": "sha1-IeCr+vbyApzy+vsTNWenAdQTVSQ=",
-      "dev": true,
-      "requires": {
-        "bn.js": "^4.1.0",
-        "randombytes": "^2.0.1"
-      }
-    },
-    "browserify-sign": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz",
-      "integrity": "sha1-qk62jl17ZYuqa/alfmMMvXqT0pg=",
-      "dev": true,
-      "requires": {
-        "bn.js": "^4.1.1",
-        "browserify-rsa": "^4.0.0",
-        "create-hash": "^1.1.0",
-        "create-hmac": "^1.1.2",
-        "elliptic": "^6.0.0",
-        "inherits": "^2.0.1",
-        "parse-asn1": "^5.0.0"
-      }
-    },
-    "browserify-zlib": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/browserify-zlib/-/browserify-zlib-0.2.0.tgz",
-      "integrity": "sha512-Z942RysHXmJrhqk88FmKBVq/v5tqmSkDz7p54G/MGyjMnCFFnC79XWNbg+Vta8W6Wb2qtSZTSxIGkJrRpCFEiA==",
-      "dev": true,
-      "requires": {
-        "pako": "~1.0.5"
-      }
-    },
-    "browserslist": {
-      "version": "4.7.2",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.7.2.tgz",
-      "integrity": "sha512-uZavT/gZXJd2UTi9Ov7/Z340WOSQ3+m1iBVRUknf+okKxonL9P83S3ctiBDtuRmRu8PiCHjqyueqQ9HYlJhxiw==",
-      "dev": true,
-      "requires": {
-        "caniuse-lite": "^1.0.30001004",
-        "electron-to-chromium": "^1.3.295",
-        "node-releases": "^1.1.38"
-      }
-    },
-    "bs-recipes": {
-      "version": "1.3.4",
-      "resolved": "https://registry.npmjs.org/bs-recipes/-/bs-recipes-1.3.4.tgz",
-      "integrity": "sha1-DS1NSKcYyMBEdp/cT4lZLci2lYU=",
-      "dev": true
-    },
-    "bs-snippet-injector": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/bs-snippet-injector/-/bs-snippet-injector-2.0.1.tgz",
-      "integrity": "sha1-YbU5PxH1JVntEgaTEANDtu2wTdU=",
-      "dev": true
-    },
-    "buffer": {
-      "version": "4.9.1",
-      "resolved": "https://registry.npmjs.org/buffer/-/buffer-4.9.1.tgz",
-      "integrity": "sha1-bRu2AbB6TvztlwlBMgkwJ8lbwpg=",
-      "dev": true,
-      "requires": {
-        "base64-js": "^1.0.2",
-        "ieee754": "^1.1.4",
-        "isarray": "^1.0.0"
-      },
-      "dependencies": {
-        "isarray": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
-          "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=",
-          "dev": true
-        }
-      }
-    },
-    "buffer-alloc": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/buffer-alloc/-/buffer-alloc-1.2.0.tgz",
-      "integrity": "sha512-CFsHQgjtW1UChdXgbyJGtnm+O/uLQeZdtbDo8mfUgYXCHSM1wgrVxXm6bSyrUuErEb+4sYVGCzASBRot7zyrow==",
-      "dev": true,
-      "requires": {
-        "buffer-alloc-unsafe": "^1.1.0",
-        "buffer-fill": "^1.0.0"
-      }
-    },
-    "buffer-alloc-unsafe": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/buffer-alloc-unsafe/-/buffer-alloc-unsafe-1.1.0.tgz",
-      "integrity": "sha512-TEM2iMIEQdJ2yjPJoSIsldnleVaAk1oW3DBVUykyOLsEsFmEc9kn+SFFPz+gl54KQNxlDnAwCXosOS9Okx2xAg==",
-      "dev": true
-    },
-    "buffer-fill": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/buffer-fill/-/buffer-fill-1.0.0.tgz",
-      "integrity": "sha1-+PeLdniYiO858gXNY39o5wISKyw=",
-      "dev": true
-    },
-    "buffer-xor": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/buffer-xor/-/buffer-xor-1.0.3.tgz",
-      "integrity": "sha1-JuYe0UIvtw3ULm42cp7VHYVf6Nk=",
-      "dev": true
-    },
-    "builtin-status-codes": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz",
-      "integrity": "sha1-hZgoeOIbmOHGZCXgPQF0eI9Wnug=",
-      "dev": true
-    },
-    "bytes": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.0.tgz",
-      "integrity": "sha512-zauLjrfCG+xvoyaqLoV8bLVXXNGC4JqlxFCutSDWA6fJrTo2ZuvLYTqZ7aHBLZSMOopbzwv8f+wZcVzfVTI2Dg==",
-      "dev": true
-    },
-    "cache-base": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz",
-      "integrity": "sha512-AKcdTnFSWATd5/GCPRxr2ChwIJ85CeyrEyjRHlKxQ56d4XJMGym0uAiKn0xbLOGOl3+yRpOTi484dVCEc5AUzQ==",
-      "dev": true,
-      "requires": {
-        "collection-visit": "^1.0.0",
-        "component-emitter": "^1.2.1",
-        "get-value": "^2.0.6",
-        "has-value": "^1.0.0",
-        "isobject": "^3.0.1",
-        "set-value": "^2.0.0",
-        "to-object-path": "^0.3.0",
-        "union-value": "^1.0.0",
-        "unset-value": "^1.0.0"
-      }
-    },
-    "caller-callsite": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/caller-callsite/-/caller-callsite-2.0.0.tgz",
-      "integrity": "sha1-hH4PzgoiN1CpoCfFSzNzGtMVQTQ=",
-      "requires": {
-        "callsites": "^2.0.0"
-      }
-    },
-    "caller-path": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/caller-path/-/caller-path-2.0.0.tgz",
-      "integrity": "sha1-Ro+DBE42mrIBD6xfBs7uFbsssfQ=",
-      "requires": {
-        "caller-callsite": "^2.0.0"
-      }
-    },
-    "callsite": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/callsite/-/callsite-1.0.0.tgz",
-      "integrity": "sha1-KAOY5dZkvXQDi28JBRU+borxvCA=",
-      "dev": true
-    },
-    "callsites": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/callsites/-/callsites-2.0.0.tgz",
-      "integrity": "sha1-BuuE8A7qQT2oav/vrL/7Ngk7PFA="
-    },
-    "camelcase": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-3.0.0.tgz",
-      "integrity": "sha1-MvxLn82vhF/N9+c7uXysImHwqwo=",
-      "dev": true
-    },
-    "caniuse-api": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/caniuse-api/-/caniuse-api-3.0.0.tgz",
-      "integrity": "sha512-bsTwuIg/BZZK/vreVTYYbSWoe2F+71P7K5QGEX+pT250DZbfU1MQ5prOKpPR+LL6uWKK3KMwMCAS74QB3Um1uw==",
-      "dev": true,
-      "requires": {
-        "browserslist": "^4.0.0",
-        "caniuse-lite": "^1.0.0",
-        "lodash.memoize": "^4.1.2",
-        "lodash.uniq": "^4.5.0"
-      }
-    },
-    "caniuse-lite": {
-      "version": "1.0.30001006",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001006.tgz",
-      "integrity": "sha512-MXnUVX27aGs/QINz+QG1sWSLDr3P1A3Hq5EUWoIt0T7K24DuvMxZEnh3Y5aHlJW6Bz2aApJdSewdYLd8zQnUuw==",
-      "dev": true
-    },
-    "caseless": {
-      "version": "0.12.0",
-      "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz",
-      "integrity": "sha1-G2gcIf+EAzyCZUMJBolCDRhxUdw=",
-      "dev": true
-    },
-    "center-align": {
-      "version": "0.1.3",
-      "resolved": "https://registry.npmjs.org/center-align/-/center-align-0.1.3.tgz",
-      "integrity": "sha1-qg0yYptu6XIgBBHL1EYckHvCt60=",
-      "dev": true,
-      "requires": {
-        "align-text": "^0.1.3",
-        "lazy-cache": "^1.0.3"
-      }
-    },
-    "chalk": {
-      "version": "2.4.2",
-      "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
-      "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
-      "requires": {
-        "ansi-styles": "^3.2.1",
-        "escape-string-regexp": "^1.0.5",
-        "supports-color": "^5.3.0"
-      }
-    },
-    "chardet": {
-      "version": "0.4.2",
-      "resolved": "https://registry.npmjs.org/chardet/-/chardet-0.4.2.tgz",
-      "integrity": "sha1-tUc7M9yXxCTl2Y3IfVXU2KKci/I=",
-      "dev": true
-    },
-    "check-types": {
-      "version": "8.0.3",
-      "resolved": "https://registry.npmjs.org/check-types/-/check-types-8.0.3.tgz",
-      "integrity": "sha512-YpeKZngUmG65rLudJ4taU7VLkOCTMhNl/u4ctNC56LQS/zJTyNH0Lrtwm1tfTsbLlwvlfsA2d1c8vCf/Kh2KwQ==",
-      "dev": true
-    },
-    "chokidar": {
-      "version": "2.1.8",
-      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-2.1.8.tgz",
-      "integrity": "sha512-ZmZUazfOzf0Nve7duiCKD23PFSCs4JPoYyccjUFF3aQkQadqBhfzhjkwBH2mNOG9cTBwhamM37EIsIkZw3nRgg==",
-      "dev": true,
-      "requires": {
-        "anymatch": "^2.0.0",
-        "async-each": "^1.0.1",
-        "braces": "^2.3.2",
-        "fsevents": "^1.2.7",
-        "glob-parent": "^3.1.0",
-        "inherits": "^2.0.3",
-        "is-binary-path": "^1.0.0",
-        "is-glob": "^4.0.0",
-        "normalize-path": "^3.0.0",
-        "path-is-absolute": "^1.0.0",
-        "readdirp": "^2.2.1",
-        "upath": "^1.1.1"
-      }
-    },
-    "cipher-base": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/cipher-base/-/cipher-base-1.0.4.tgz",
-      "integrity": "sha512-Kkht5ye6ZGmwv40uUDZztayT2ThLQGfnj/T71N/XzeZeo3nf8foyW7zGTsPYkEya3m5f3cAypH+qe7YOrM1U2Q==",
-      "dev": true,
-      "requires": {
-        "inherits": "^2.0.1",
-        "safe-buffer": "^5.0.1"
-      }
-    },
-    "class-utils": {
-      "version": "0.3.6",
-      "resolved": "https://registry.npmjs.org/class-utils/-/class-utils-0.3.6.tgz",
-      "integrity": "sha512-qOhPa/Fj7s6TY8H8esGu5QNpMMQxz79h+urzrNYN6mn+9BnxlDGf5QZ+XeCDsxSjPqsSR56XOZOJmpeurnLMeg==",
-      "dev": true,
-      "requires": {
-        "arr-union": "^3.1.0",
-        "define-property": "^0.2.5",
-        "isobject": "^3.0.0",
-        "static-extend": "^0.1.1"
-      },
-      "dependencies": {
-        "define-property": {
-          "version": "0.2.5",
-          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
-          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
-          "dev": true,
-          "requires": {
-            "is-descriptor": "^0.1.0"
-          }
-        }
-      }
-    },
-    "cli-cursor": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-2.1.0.tgz",
-      "integrity": "sha1-s12sN2R5+sw+lHR9QdDQ9SOP/LU=",
-      "dev": true,
-      "requires": {
-        "restore-cursor": "^2.0.0"
-      }
-    },
-    "cli-width": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/cli-width/-/cli-width-2.2.0.tgz",
-      "integrity": "sha1-/xnt6Kml5XkyQUewwR8PvLq+1jk=",
-      "dev": true
-    },
-    "cliui": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/cliui/-/cliui-3.2.0.tgz",
-      "integrity": "sha1-EgYBU3qRbSmUD5NNo7SNWFo5IT0=",
-      "dev": true,
-      "requires": {
-        "string-width": "^1.0.1",
-        "strip-ansi": "^3.0.1",
-        "wrap-ansi": "^2.0.0"
-      },
-      "dependencies": {
-        "is-fullwidth-code-point": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz",
-          "integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=",
-          "dev": true,
-          "requires": {
-            "number-is-nan": "^1.0.0"
-          }
-        },
-        "string-width": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz",
-          "integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=",
-          "dev": true,
-          "requires": {
-            "code-point-at": "^1.0.0",
-            "is-fullwidth-code-point": "^1.0.0",
-            "strip-ansi": "^3.0.0"
-          }
-        }
-      }
-    },
-    "clone": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/clone/-/clone-1.0.4.tgz",
-      "integrity": "sha1-2jCcwmPfFZlMaIypAheco8fNfH4=",
-      "dev": true
-    },
-    "coa": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/coa/-/coa-2.0.2.tgz",
-      "integrity": "sha512-q5/jG+YQnSy4nRTV4F7lPepBJZ8qBNJJDBuJdoejDyLXgmL7IEo+Le2JDZudFTFt7mrCqIRaSjws4ygRCTCAXA==",
-      "dev": true,
-      "requires": {
-        "@types/q": "^1.5.1",
-        "chalk": "^2.4.1",
-        "q": "^1.1.2"
-      }
-    },
-    "code-frame": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/code-frame/-/code-frame-5.0.0.tgz",
-      "integrity": "sha1-QAMHB+xG4dmdXlLcnzV/ytkNmT0=",
-      "dev": true,
-      "requires": {
-        "left-pad": "^1.1.3"
-      }
-    },
-    "code-point-at": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/code-point-at/-/code-point-at-1.1.0.tgz",
-      "integrity": "sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c=",
-      "dev": true
-    },
-    "collection-visit": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/collection-visit/-/collection-visit-1.0.0.tgz",
-      "integrity": "sha1-S8A3PBZLwykbTTaMgpzxqApZ3KA=",
-      "dev": true,
-      "requires": {
-        "map-visit": "^1.0.0",
-        "object-visit": "^1.0.0"
-      }
-    },
-    "color": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/color/-/color-3.1.2.tgz",
-      "integrity": "sha512-vXTJhHebByxZn3lDvDJYw4lR5+uB3vuoHsuYA5AKuxRVn5wzzIfQKGLBmgdVRHKTJYeK5rvJcHnrd0Li49CFpg==",
-      "dev": true,
-      "requires": {
-        "color-convert": "^1.9.1",
-        "color-string": "^1.5.2"
-      }
-    },
-    "color-contrast": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/color-contrast/-/color-contrast-0.0.1.tgz",
-      "integrity": "sha1-7/ruezhlrMlOH9HrB4zeX/deOPc=",
-      "requires": {
-        "onecolor": "^3.0.5"
-      }
-    },
-    "color-convert": {
-      "version": "1.9.3",
-      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
-      "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
-      "requires": {
-        "color-name": "1.1.3"
-      }
-    },
-    "color-name": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
-      "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU="
-    },
-    "color-string": {
-      "version": "1.5.3",
-      "resolved": "https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz",
-      "integrity": "sha512-dC2C5qeWoYkxki5UAXapdjqO672AM4vZuPGRQfO8b5HKuKGBbKWpITyDYN7TOFKvRW7kOgAn3746clDBMDJyQw==",
-      "dev": true,
-      "requires": {
-        "color-name": "^1.0.0",
-        "simple-swizzle": "^0.2.2"
-      }
-    },
-    "combined-stream": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
-      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
-      "dev": true,
-      "requires": {
-        "delayed-stream": "~1.0.0"
-      }
-    },
-    "commander": {
-      "version": "2.20.3",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
-      "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==",
-      "dev": true
-    },
-    "commondir": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/commondir/-/commondir-1.0.1.tgz",
-      "integrity": "sha1-3dgA2gxmEnOTzKWVDqloo6rxJTs=",
-      "dev": true
-    },
-    "component-bind": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/component-bind/-/component-bind-1.0.0.tgz",
-      "integrity": "sha1-AMYIq33Nk4l8AAllGx06jh5zu9E=",
-      "dev": true
-    },
-    "component-cookie": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/component-cookie/-/component-cookie-1.1.4.tgz",
-      "integrity": "sha512-j6rzl+vHDTowvYz7Al3V0ud84O2l4YqGdA9qMj1W1nlZ5yWi7EhOd7ZSPzWFM25gZgv2OxWh6JlJYfsz2+XYow==",
-      "requires": {
-        "debug": "2.2.0"
-      }
-    },
-    "component-emitter": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/component-emitter/-/component-emitter-1.2.1.tgz",
-      "integrity": "sha1-E3kY1teCg/ffemt8WmPhQOaUJeY=",
-      "dev": true
-    },
-    "component-inherit": {
-      "version": "0.0.3",
-      "resolved": "https://registry.npmjs.org/component-inherit/-/component-inherit-0.0.3.tgz",
-      "integrity": "sha1-ZF/ErfWLcrZJ1crmUTVhnbJv8UM=",
-      "dev": true
-    },
-    "component-url": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/component-url/-/component-url-0.2.1.tgz",
-      "integrity": "sha1-Tk9HmcQ+rZ/TzpG1owXSICCP7kc="
-    },
-    "concat-map": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
-      "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=",
-      "dev": true
-    },
-    "connect": {
-      "version": "3.6.6",
-      "resolved": "https://registry.npmjs.org/connect/-/connect-3.6.6.tgz",
-      "integrity": "sha1-Ce/2xVr3I24TcTWnJXSFi2eG9SQ=",
-      "dev": true,
-      "requires": {
-        "debug": "2.6.9",
-        "finalhandler": "1.1.0",
-        "parseurl": "~1.3.2",
-        "utils-merge": "1.0.1"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        }
-      }
-    },
-    "connect-history-api-fallback": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/connect-history-api-fallback/-/connect-history-api-fallback-1.6.0.tgz",
-      "integrity": "sha512-e54B99q/OUoH64zYYRf3HBP5z24G38h5D3qXu23JGRoigpX5Ss4r9ZnDk3g0Z8uQC2x2lPaJ+UlWBc1ZWBWdLg==",
-      "dev": true
-    },
-    "console-browserify": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/console-browserify/-/console-browserify-1.2.0.tgz",
-      "integrity": "sha512-ZMkYO/LkF17QvCPqM0gxw8yUzigAOZOSWSHg91FH6orS7vcEj5dVZTidN2fQ14yBSdg97RqhSNwLUXInd52OTA==",
-      "dev": true
-    },
-    "constants-browserify": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/constants-browserify/-/constants-browserify-1.0.0.tgz",
-      "integrity": "sha1-wguW2MYXdIqvHBYCF2DNJ/y4y3U=",
-      "dev": true
-    },
-    "content-disposition": {
-      "version": "0.5.3",
-      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.3.tgz",
-      "integrity": "sha512-ExO0774ikEObIAEV9kDo50o+79VCUdEB6n6lzKgGwupcVeRlhrj3qGAfwq8G6uBJjkqLrhT0qEYFcWng8z1z0g==",
-      "dev": true,
-      "requires": {
-        "safe-buffer": "5.1.2"
-      }
-    },
-    "content-type": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz",
-      "integrity": "sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==",
-      "dev": true
-    },
-    "convert-source-map": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.6.0.tgz",
-      "integrity": "sha512-eFu7XigvxdZ1ETfbgPBohgyQ/Z++C0eEhTor0qRwBw9unw+L0/6V8wkSuGgzdThkiS5lSpdptOQPD8Ak40a+7A==",
-      "requires": {
-        "safe-buffer": "~5.1.1"
-      }
-    },
-    "cookie": {
-      "version": "0.3.1",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz",
-      "integrity": "sha1-5+Ch+e9DtMi6klxcWpboBtFoc7s=",
-      "dev": true
-    },
-    "cookie-signature": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
-      "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw=",
-      "dev": true
-    },
-    "copy-descriptor": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/copy-descriptor/-/copy-descriptor-0.1.1.tgz",
-      "integrity": "sha1-Z29us8OZl8LuGsOpJP1hJHSPV40=",
-      "dev": true
-    },
-    "core-js": {
-      "version": "2.6.10",
-      "resolved": "https://registry.npmjs.org/core-js/-/core-js-2.6.10.tgz",
-      "integrity": "sha512-I39t74+4t+zau64EN1fE5v2W31Adtc/REhzWN+gWRRXg6WH5qAsZm62DHpQ1+Yhe4047T55jvzz7MUqF/dBBlA=="
-    },
-    "core-util-is": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
-      "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=",
-      "dev": true
-    },
-    "cosmiconfig": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-5.2.1.tgz",
-      "integrity": "sha512-H65gsXo1SKjf8zmrJ67eJk8aIRKV5ff2D4uKZIBZShbhGSpEmsQOPW/SKMKYhSTrqR7ufy6RP69rPogdaPh/kA==",
-      "requires": {
-        "import-fresh": "^2.0.0",
-        "is-directory": "^0.3.1",
-        "js-yaml": "^3.13.1",
-        "parse-json": "^4.0.0"
-      }
-    },
-    "create-ecdh": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/create-ecdh/-/create-ecdh-4.0.3.tgz",
-      "integrity": "sha512-GbEHQPMOswGpKXM9kCWVrremUcBmjteUaQ01T9rkKCPDXfUHX0IoP9LpHYo2NPFampa4e+/pFDc3jQdxrxQLaw==",
-      "dev": true,
-      "requires": {
-        "bn.js": "^4.1.0",
-        "elliptic": "^6.0.0"
-      }
-    },
-    "create-emotion": {
-      "version": "9.2.12",
-      "resolved": "https://registry.npmjs.org/create-emotion/-/create-emotion-9.2.12.tgz",
-      "integrity": "sha512-P57uOF9NL2y98Xrbl2OuiDQUZ30GVmASsv5fbsjF4Hlraip2kyAvMm+2PoYUvFFw03Fhgtxk3RqZSm2/qHL9hA==",
-      "requires": {
-        "@emotion/hash": "^0.6.2",
-        "@emotion/memoize": "^0.6.1",
-        "@emotion/stylis": "^0.7.0",
-        "@emotion/unitless": "^0.6.2",
-        "csstype": "^2.5.2",
-        "stylis": "^3.5.0",
-        "stylis-rule-sheet": "^0.0.10"
-      }
-    },
-    "create-emotion-styled": {
-      "version": "9.2.8",
-      "resolved": "https://registry.npmjs.org/create-emotion-styled/-/create-emotion-styled-9.2.8.tgz",
-      "integrity": "sha512-2LrNM5MREWzI5hZK+LyiBHglwE18WE3AEbBQgpHQ1+zmyLSm/dJsUZBeFAwuIMb+TjNZP0KsMZlV776ufOtFdg==",
-      "requires": {
-        "@emotion/is-prop-valid": "^0.6.1"
-      }
-    },
-    "create-hash": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/create-hash/-/create-hash-1.2.0.tgz",
-      "integrity": "sha512-z00bCGNHDG8mHAkP7CtT1qVu+bFQUPjYq/4Iv3C3kWjTFV10zIjfSoeqXo9Asws8gwSHDGj/hl2u4OGIjapeCg==",
-      "dev": true,
-      "requires": {
-        "cipher-base": "^1.0.1",
-        "inherits": "^2.0.1",
-        "md5.js": "^1.3.4",
-        "ripemd160": "^2.0.1",
-        "sha.js": "^2.4.0"
-      }
-    },
-    "create-hmac": {
-      "version": "1.1.7",
-      "resolved": "https://registry.npmjs.org/create-hmac/-/create-hmac-1.1.7.tgz",
-      "integrity": "sha512-MJG9liiZ+ogc4TzUwuvbER1JRdgvUFSB5+VR/g5h82fGaIRWMWddtKBHi7/sVhfjQZ6SehlyhvQYrcYkaUIpLg==",
-      "dev": true,
-      "requires": {
-        "cipher-base": "^1.0.3",
-        "create-hash": "^1.1.0",
-        "inherits": "^2.0.1",
-        "ripemd160": "^2.0.0",
-        "safe-buffer": "^5.0.1",
-        "sha.js": "^2.4.8"
-      }
-    },
-    "cross-spawn": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-5.1.0.tgz",
-      "integrity": "sha1-6L0O/uWPz/b4+UUQoKVUu/ojVEk=",
-      "dev": true,
-      "requires": {
-        "lru-cache": "^4.0.1",
-        "shebang-command": "^1.2.0",
-        "which": "^1.2.9"
-      }
-    },
-    "crypto-browserify": {
-      "version": "3.12.0",
-      "resolved": "https://registry.npmjs.org/crypto-browserify/-/crypto-browserify-3.12.0.tgz",
-      "integrity": "sha512-fz4spIh+znjO2VjL+IdhEpRJ3YN6sMzITSBijk6FK2UvTqruSQW+/cCZTSNsMiZNvUeq0CqurF+dAbyiGOY6Wg==",
-      "dev": true,
-      "requires": {
-        "browserify-cipher": "^1.0.0",
-        "browserify-sign": "^4.0.0",
-        "create-ecdh": "^4.0.0",
-        "create-hash": "^1.1.0",
-        "create-hmac": "^1.1.0",
-        "diffie-hellman": "^5.0.0",
-        "inherits": "^2.0.1",
-        "pbkdf2": "^3.0.3",
-        "public-encrypt": "^4.0.0",
-        "randombytes": "^2.0.0",
-        "randomfill": "^1.0.3"
-      }
-    },
-    "css-color-function": {
-      "version": "1.3.3",
-      "resolved": "https://registry.npmjs.org/css-color-function/-/css-color-function-1.3.3.tgz",
-      "integrity": "sha1-jtJMLAIFBzM5+voAS8jBQfzLKC4=",
-      "dev": true,
-      "requires": {
-        "balanced-match": "0.1.0",
-        "color": "^0.11.0",
-        "debug": "^3.1.0",
-        "rgb": "~0.1.0"
-      },
-      "dependencies": {
-        "balanced-match": {
-          "version": "0.1.0",
-          "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-0.1.0.tgz",
-          "integrity": "sha1-tQS9BYabOSWd0MXvw12EMXbczEo=",
-          "dev": true
-        },
-        "color": {
-          "version": "0.11.4",
-          "resolved": "https://registry.npmjs.org/color/-/color-0.11.4.tgz",
-          "integrity": "sha1-bXtcdPtl6EHNSHkq0e1eB7kE12Q=",
-          "dev": true,
-          "requires": {
-            "clone": "^1.0.2",
-            "color-convert": "^1.3.0",
-            "color-string": "^0.3.0"
-          }
-        },
-        "color-string": {
-          "version": "0.3.0",
-          "resolved": "https://registry.npmjs.org/color-string/-/color-string-0.3.0.tgz",
-          "integrity": "sha1-J9RvtnAlxcL6JZk7+/V55HhBuZE=",
-          "dev": true,
-          "requires": {
-            "color-name": "^1.0.0"
-          }
-        },
-        "debug": {
-          "version": "3.2.6",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.6.tgz",
-          "integrity": "sha512-mel+jf7nrtEl5Pn1Qx46zARXKDpBbvzezse7p7LqINmdoIk8PYP5SySaxEmYv6TZ0JyEKA1hsCId6DIhgITtWQ==",
-          "dev": true,
-          "requires": {
-            "ms": "^2.1.1"
-          }
-        },
-        "ms": {
-          "version": "2.1.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-          "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
-          "dev": true
-        }
-      }
-    },
-    "css-color-names": {
-      "version": "0.0.4",
-      "resolved": "https://registry.npmjs.org/css-color-names/-/css-color-names-0.0.4.tgz",
-      "integrity": "sha1-gIrcLnnPhHOAabZGyyDsJ762KeA=",
-      "dev": true
-    },
-    "css-declaration-sorter": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/css-declaration-sorter/-/css-declaration-sorter-4.0.1.tgz",
-      "integrity": "sha512-BcxQSKTSEEQUftYpBVnsH4SF05NTuBokb19/sBt6asXGKZ/6VP7PLG1CBCkFDYOnhXhPh0jMhO6xZ71oYHXHBA==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.1",
-        "timsort": "^0.3.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "css-select": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/css-select/-/css-select-2.0.2.tgz",
-      "integrity": "sha512-dSpYaDVoWaELjvZ3mS6IKZM/y2PMPa/XYoEfYNZePL4U/XgyxZNroHEHReDx/d+VgXh9VbCTtFqLkFbmeqeaRQ==",
-      "dev": true,
-      "requires": {
-        "boolbase": "^1.0.0",
-        "css-what": "^2.1.2",
-        "domutils": "^1.7.0",
-        "nth-check": "^1.0.2"
-      }
-    },
-    "css-select-base-adapter": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/css-select-base-adapter/-/css-select-base-adapter-0.1.1.tgz",
-      "integrity": "sha512-jQVeeRG70QI08vSTwf1jHxp74JoZsr2XSgETae8/xC8ovSnL2WF87GTLO86Sbwdt2lK4Umg4HnnwMO4YF3Ce7w==",
-      "dev": true
-    },
-    "css-tree": {
-      "version": "1.0.0-alpha.37",
-      "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-1.0.0-alpha.37.tgz",
-      "integrity": "sha512-DMxWJg0rnz7UgxKT0Q1HU/L9BeJI0M6ksor0OgqOnF+aRCDWg/N2641HmVyU9KVIu0OVVWOb2IpC9A+BJRnejg==",
-      "dev": true,
-      "requires": {
-        "mdn-data": "2.0.4",
-        "source-map": "^0.6.1"
-      },
-      "dependencies": {
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        }
-      }
-    },
-    "css-unit-converter": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/css-unit-converter/-/css-unit-converter-1.1.1.tgz",
-      "integrity": "sha1-2bkoGtz9jO2TW9urqDeGiX9k6ZY=",
-      "dev": true
-    },
-    "css-what": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/css-what/-/css-what-2.1.3.tgz",
-      "integrity": "sha512-a+EPoD+uZiNfh+5fxw2nO9QwFa6nJe2Or35fGY6Ipw1R3R4AGz1d1TEZrCegvw2YTmZ0jXirGYlzxxpYSHwpEg==",
-      "dev": true
-    },
-    "cssesc": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-2.0.0.tgz",
-      "integrity": "sha512-MsCAG1z9lPdoO/IUMLSBWBSVxVtJ1395VGIQ+Fc2gNdkQ1hNDnQdw3YhA71WJCBW1vdwA0cAnk/DnW6bqoEUYg==",
-      "dev": true
-    },
-    "cssnano": {
-      "version": "4.1.7",
-      "resolved": "https://registry.npmjs.org/cssnano/-/cssnano-4.1.7.tgz",
-      "integrity": "sha512-AiXL90l+MDuQmRNyypG2P7ux7K4XklxYzNNUd5HXZCNcH8/N9bHPcpN97v8tXgRVeFL/Ed8iP8mVmAAu0ZpT7A==",
-      "dev": true,
-      "requires": {
-        "cosmiconfig": "^5.0.0",
-        "cssnano-preset-default": "^4.0.5",
-        "is-resolvable": "^1.0.0",
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "cssnano-preset-default": {
-      "version": "4.0.7",
-      "resolved": "https://registry.npmjs.org/cssnano-preset-default/-/cssnano-preset-default-4.0.7.tgz",
-      "integrity": "sha512-x0YHHx2h6p0fCl1zY9L9roD7rnlltugGu7zXSKQx6k2rYw0Hi3IqxcoAGF7u9Q5w1nt7vK0ulxV8Lo+EvllGsA==",
-      "dev": true,
-      "requires": {
-        "css-declaration-sorter": "^4.0.1",
-        "cssnano-util-raw-cache": "^4.0.1",
-        "postcss": "^7.0.0",
-        "postcss-calc": "^7.0.1",
-        "postcss-colormin": "^4.0.3",
-        "postcss-convert-values": "^4.0.1",
-        "postcss-discard-comments": "^4.0.2",
-        "postcss-discard-duplicates": "^4.0.2",
-        "postcss-discard-empty": "^4.0.1",
-        "postcss-discard-overridden": "^4.0.1",
-        "postcss-merge-longhand": "^4.0.11",
-        "postcss-merge-rules": "^4.0.3",
-        "postcss-minify-font-values": "^4.0.2",
-        "postcss-minify-gradients": "^4.0.2",
-        "postcss-minify-params": "^4.0.2",
-        "postcss-minify-selectors": "^4.0.2",
-        "postcss-normalize-charset": "^4.0.1",
-        "postcss-normalize-display-values": "^4.0.2",
-        "postcss-normalize-positions": "^4.0.2",
-        "postcss-normalize-repeat-style": "^4.0.2",
-        "postcss-normalize-string": "^4.0.2",
-        "postcss-normalize-timing-functions": "^4.0.2",
-        "postcss-normalize-unicode": "^4.0.1",
-        "postcss-normalize-url": "^4.0.1",
-        "postcss-normalize-whitespace": "^4.0.2",
-        "postcss-ordered-values": "^4.1.2",
-        "postcss-reduce-initial": "^4.0.3",
-        "postcss-reduce-transforms": "^4.0.2",
-        "postcss-svgo": "^4.0.2",
-        "postcss-unique-selectors": "^4.0.1"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "cssnano-util-get-arguments": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/cssnano-util-get-arguments/-/cssnano-util-get-arguments-4.0.0.tgz",
-      "integrity": "sha1-7ToIKZ8h11dBsg87gfGU7UnMFQ8=",
-      "dev": true
-    },
-    "cssnano-util-get-match": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/cssnano-util-get-match/-/cssnano-util-get-match-4.0.0.tgz",
-      "integrity": "sha1-wOTKB/U4a7F+xeUiULT1lhNlFW0=",
-      "dev": true
-    },
-    "cssnano-util-raw-cache": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/cssnano-util-raw-cache/-/cssnano-util-raw-cache-4.0.1.tgz",
-      "integrity": "sha512-qLuYtWK2b2Dy55I8ZX3ky1Z16WYsx544Q0UWViebptpwn/xDBmog2TLg4f+DBMg1rJ6JDWtn96WHbOKDWt1WQA==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "cssnano-util-same-parent": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/cssnano-util-same-parent/-/cssnano-util-same-parent-4.0.1.tgz",
-      "integrity": "sha512-WcKx5OY+KoSIAxBW6UBBRay1U6vkYheCdjyVNDm85zt5K9mHoGOfsOsqIszfAqrQQFIIKgjh2+FDgIj/zsl21Q==",
-      "dev": true
-    },
-    "csso": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/csso/-/csso-4.0.2.tgz",
-      "integrity": "sha512-kS7/oeNVXkHWxby5tHVxlhjizRCSv8QdU7hB2FpdAibDU8FjTAolhNjKNTiLzXtUrKT6HwClE81yXwEk1309wg==",
-      "dev": true,
-      "requires": {
-        "css-tree": "1.0.0-alpha.37"
-      }
-    },
-    "csstype": {
-      "version": "2.6.7",
-      "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.7.tgz",
-      "integrity": "sha512-9Mcn9sFbGBAdmimWb2gLVDtFJzeKtDGIr76TUqmjZrw9LFXBMSU70lcs+C0/7fyCd6iBDqmksUcCOUIkisPHsQ=="
-    },
-    "d": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/d/-/d-1.0.1.tgz",
-      "integrity": "sha512-m62ShEObQ39CfralilEQRjH6oAMtNCV1xJyEx5LpRYUVN+EviphDgUc/F3hnYbADmkiNs67Y+3ylmlG7Lnu+FA==",
-      "dev": true,
-      "requires": {
-        "es5-ext": "^0.10.50",
-        "type": "^1.0.1"
-      }
-    },
-    "dashdash": {
-      "version": "1.14.1",
-      "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz",
-      "integrity": "sha1-hTz6D3y+L+1d4gMmuN1YEDX24vA=",
-      "dev": true,
-      "requires": {
-        "assert-plus": "^1.0.0"
-      }
-    },
-    "debug": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz",
-      "integrity": "sha1-+HBX6ZWxofauaklgZkE3vFbwOdo=",
-      "requires": {
-        "ms": "0.7.1"
-      }
-    },
-    "decamelize": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz",
-      "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=",
-      "dev": true
-    },
-    "decode-uri-component": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz",
-      "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU="
-    },
-    "define-properties": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/define-properties/-/define-properties-1.1.3.tgz",
-      "integrity": "sha512-3MqfYKj2lLzdMSf8ZIZE/V+Zuy+BgD6f164e8K2w7dgnpKArBDerGYpM46IYYcjnkdPNMjPk9A6VFB8+3SKlXQ==",
-      "dev": true,
-      "requires": {
-        "object-keys": "^1.0.12"
-      }
-    },
-    "define-property": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/define-property/-/define-property-2.0.2.tgz",
-      "integrity": "sha512-jwK2UV4cnPpbcG7+VRARKTZPUWowwXA8bzH5NP6ud0oeAxyYPuGZUAC7hMugpCdz4BeSZl2Dl9k66CHJ/46ZYQ==",
-      "dev": true,
-      "requires": {
-        "is-descriptor": "^1.0.2",
-        "isobject": "^3.0.1"
-      },
-      "dependencies": {
-        "is-accessor-descriptor": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz",
-          "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
-          "dev": true,
-          "requires": {
-            "kind-of": "^6.0.0"
-          }
-        },
-        "is-data-descriptor": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz",
-          "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
-          "dev": true,
-          "requires": {
-            "kind-of": "^6.0.0"
-          }
-        },
-        "is-descriptor": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz",
-          "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
-          "dev": true,
-          "requires": {
-            "is-accessor-descriptor": "^1.0.0",
-            "is-data-descriptor": "^1.0.0",
-            "kind-of": "^6.0.2"
-          }
-        }
-      }
-    },
-    "delayed-stream": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
-      "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk=",
-      "dev": true
-    },
-    "depd": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
-      "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=",
-      "dev": true
-    },
-    "des.js": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/des.js/-/des.js-1.0.0.tgz",
-      "integrity": "sha1-wHTS4qpqipoH29YfmhXCzYPsjsw=",
-      "dev": true,
-      "requires": {
-        "inherits": "^2.0.1",
-        "minimalistic-assert": "^1.0.0"
-      }
-    },
-    "destroy": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz",
-      "integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA=",
-      "dev": true
-    },
-    "detect-indent": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/detect-indent/-/detect-indent-4.0.0.tgz",
-      "integrity": "sha1-920GQ1LN9Docts5hnE7jqUdd4gg=",
-      "dev": true,
-      "requires": {
-        "repeating": "^2.0.0"
-      }
-    },
-    "dev-ip": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/dev-ip/-/dev-ip-1.0.1.tgz",
-      "integrity": "sha1-p2o+0YVb56ASu4rBbLgPPADcKPA=",
-      "dev": true
-    },
-    "diffie-hellman": {
-      "version": "5.0.3",
-      "resolved": "https://registry.npmjs.org/diffie-hellman/-/diffie-hellman-5.0.3.tgz",
-      "integrity": "sha512-kqag/Nl+f3GwyK25fhUMYj81BUOrZ9IuJsjIcDE5icNM9FJHAVm3VcUDxdLPoQtTuUylWm6ZIknYJwwaPxsUzg==",
-      "dev": true,
-      "requires": {
-        "bn.js": "^4.1.0",
-        "miller-rabin": "^4.0.0",
-        "randombytes": "^2.0.0"
-      }
-    },
-    "dom-serializer": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-0.2.1.tgz",
-      "integrity": "sha512-sK3ujri04WyjwQXVoK4PU3y8ula1stq10GJZpqHIUgoGZdsGzAGu65BnU3d08aTVSvO7mGPZUc0wTEDL+qGE0Q==",
-      "dev": true,
-      "requires": {
-        "domelementtype": "^2.0.1",
-        "entities": "^2.0.0"
-      },
-      "dependencies": {
-        "domelementtype": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-2.0.1.tgz",
-          "integrity": "sha512-5HOHUDsYZWV8FGWN0Njbr/Rn7f/eWSQi1v7+HsUVwXgn8nWWlL64zKDkS0n8ZmQ3mlWOMuXOnR+7Nx/5tMO5AQ==",
-          "dev": true
-        }
-      }
-    },
-    "domain-browser": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/domain-browser/-/domain-browser-1.2.0.tgz",
-      "integrity": "sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA==",
-      "dev": true
-    },
-    "domelementtype": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-1.3.1.tgz",
-      "integrity": "sha512-BSKB+TSpMpFI/HOxCNr1O8aMOTZ8hT3pM3GQ0w/mWRmkhEDSFJkkyzz4XQsBV44BChwGkrDfMyjVD0eA2aFV3w==",
-      "dev": true
-    },
-    "domutils": {
-      "version": "1.7.0",
-      "resolved": "https://registry.npmjs.org/domutils/-/domutils-1.7.0.tgz",
-      "integrity": "sha512-Lgd2XcJ/NjEw+7tFvfKxOzCYKZsdct5lczQ2ZaQY8Djz7pfAD3Gbp8ySJWtreII/vDlMVmxwa6pHmdxIYgttDg==",
-      "dev": true,
-      "requires": {
-        "dom-serializer": "0",
-        "domelementtype": "1"
-      }
-    },
-    "dot-prop": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
-      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
-      "dev": true,
-      "requires": {
-        "is-obj": "^1.0.0"
-      }
-    },
-    "duplexer": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/duplexer/-/duplexer-0.1.1.tgz",
-      "integrity": "sha1-rOb/gIwc5mtX0ev5eXessCM0z8E=",
-      "dev": true
-    },
-    "easy-extender": {
-      "version": "2.3.4",
-      "resolved": "https://registry.npmjs.org/easy-extender/-/easy-extender-2.3.4.tgz",
-      "integrity": "sha512-8cAwm6md1YTiPpOvDULYJL4ZS6WfM5/cTeVVh4JsvyYZAoqlRVUpHL9Gr5Fy7HA6xcSZicUia3DeAgO3Us8E+Q==",
-      "dev": true,
-      "requires": {
-        "lodash": "^4.17.10"
-      }
-    },
-    "eazy-logger": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/eazy-logger/-/eazy-logger-3.0.2.tgz",
-      "integrity": "sha1-oyWqXlPROiIliJsqxBE7K5Y29Pw=",
-      "dev": true,
-      "requires": {
-        "tfunk": "^3.0.1"
-      }
-    },
-    "ecc-jsbn": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz",
-      "integrity": "sha1-OoOpBOVDUyh4dMVkt1SThoSamMk=",
-      "dev": true,
-      "requires": {
-        "jsbn": "~0.1.0",
-        "safer-buffer": "^2.1.0"
-      }
-    },
-    "ee-first": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
-      "integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0=",
-      "dev": true
-    },
-    "ejs": {
-      "version": "2.7.1",
-      "resolved": "https://registry.npmjs.org/ejs/-/ejs-2.7.1.tgz",
-      "integrity": "sha512-kS/gEPzZs3Y1rRsbGX4UOSjtP/CeJP0CxSNZHYxGfVM/VgLcv0ZqM7C45YyTj2DI2g7+P9Dd24C+IMIg6D0nYQ==",
-      "dev": true
-    },
-    "electron-to-chromium": {
-      "version": "1.3.299",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.3.299.tgz",
-      "integrity": "sha512-aH3lKMQFPuNk4w7W3hQDqnjfYKJQLzbp5Adn6xgTz5547kKSGOmAU7cQWxH953L4ntZL4HsZ8XWqfcMTvTcEMw==",
-      "dev": true
-    },
-    "elliptic": {
-      "version": "6.5.1",
-      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.1.tgz",
-      "integrity": "sha512-xvJINNLbTeWQjrl6X+7eQCrIy/YPv5XCpKW6kB5mKvtnGILoLDcySuwomfdzt0BMdLNVnuRNTuzKNHj0bva1Cg==",
-      "dev": true,
-      "requires": {
-        "bn.js": "^4.4.0",
-        "brorand": "^1.0.1",
-        "hash.js": "^1.0.0",
-        "hmac-drbg": "^1.0.0",
-        "inherits": "^2.0.1",
-        "minimalistic-assert": "^1.0.0",
-        "minimalistic-crypto-utils": "^1.0.0"
-      }
-    },
-    "emojis-list": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/emojis-list/-/emojis-list-2.1.0.tgz",
-      "integrity": "sha1-TapNnbAPmBmIDHn6RXrlsJof04k=",
-      "dev": true
-    },
-    "emotion": {
-      "version": "9.2.12",
-      "resolved": "https://registry.npmjs.org/emotion/-/emotion-9.2.12.tgz",
-      "integrity": "sha512-hcx7jppaI8VoXxIWEhxpDW7I+B4kq9RNzQLmsrF6LY8BGKqe2N+gFAQr0EfuFucFlPs2A9HM4+xNj4NeqEWIOQ==",
-      "requires": {
-        "babel-plugin-emotion": "^9.2.11",
-        "create-emotion": "^9.2.12"
-      }
-    },
-    "encodeurl": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
-      "integrity": "sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k=",
-      "dev": true
-    },
-    "encoding": {
-      "version": "0.1.12",
-      "resolved": "https://registry.npmjs.org/encoding/-/encoding-0.1.12.tgz",
-      "integrity": "sha1-U4tm8+5izRq1HsMjgp0flIDHS+s=",
-      "requires": {
-        "iconv-lite": "~0.4.13"
-      }
-    },
-    "engine.io": {
-      "version": "3.2.1",
-      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz",
-      "integrity": "sha512-+VlKzHzMhaU+GsCIg4AoXF1UdDFjHHwMmMKqMJNDNLlUlejz58FCy4LBqB2YVJskHGYl06BatYWKP2TVdVXE5w==",
-      "dev": true,
-      "requires": {
-        "accepts": "~1.3.4",
-        "base64id": "1.0.0",
-        "cookie": "0.3.1",
-        "debug": "~3.1.0",
-        "engine.io-parser": "~2.1.0",
-        "ws": "~3.3.1"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "3.1.0",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
-          "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "engine.io-parser": {
-          "version": "2.1.3",
-          "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-2.1.3.tgz",
-          "integrity": "sha512-6HXPre2O4Houl7c4g7Ic/XzPnHBvaEmN90vtRO9uLmwtRqQmTOw0QMevL1TOfL2Cpu1VzsaTmMotQgMdkzGkVA==",
-          "dev": true,
-          "requires": {
-            "after": "0.8.2",
-            "arraybuffer.slice": "~0.0.7",
-            "base64-arraybuffer": "0.1.5",
-            "blob": "0.0.5",
-            "has-binary2": "~1.0.2"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        },
-        "ws": {
-          "version": "3.3.3",
-          "resolved": "https://registry.npmjs.org/ws/-/ws-3.3.3.tgz",
-          "integrity": "sha512-nnWLa/NwZSt4KQJu51MYlCcSQ5g7INpOrOMt4XV8j4dqTXdmlUmSHQ8/oLC069ckre0fRsgfvsKwbTdtKLCDkA==",
-          "dev": true,
-          "requires": {
-            "async-limiter": "~1.0.0",
-            "safe-buffer": "~5.1.0",
-            "ultron": "~1.1.0"
-          }
-        }
-      }
-    },
-    "engine.io-client": {
-      "version": "3.4.0",
-      "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-3.4.0.tgz",
-      "integrity": "sha512-a4J5QO2k99CM2a0b12IznnyQndoEvtA4UAldhGzKqnHf42I3Qs2W5SPnDvatZRcMaNZs4IevVicBPayxYt6FwA==",
-      "dev": true,
-      "requires": {
-        "component-emitter": "1.2.1",
-        "component-inherit": "0.0.3",
-        "debug": "~4.1.0",
-        "engine.io-parser": "~2.2.0",
-        "has-cors": "1.1.0",
-        "indexof": "0.0.1",
-        "parseqs": "0.0.5",
-        "parseuri": "0.0.5",
-        "ws": "~6.1.0",
-        "xmlhttprequest-ssl": "~1.5.4",
-        "yeast": "0.1.2"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "4.1.1",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
-          "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
-          "dev": true,
-          "requires": {
-            "ms": "^2.1.1"
-          }
-        },
-        "ms": {
-          "version": "2.1.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-          "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
-          "dev": true
-        }
-      }
-    },
-    "engine.io-parser": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-2.2.0.tgz",
-      "integrity": "sha512-6I3qD9iUxotsC5HEMuuGsKA0cXerGz+4uGcXQEkfBidgKf0amsjrrtwcbwK/nzpZBxclXlV7gGl9dgWvu4LF6w==",
-      "dev": true,
-      "requires": {
-        "after": "0.8.2",
-        "arraybuffer.slice": "~0.0.7",
-        "base64-arraybuffer": "0.1.5",
-        "blob": "0.0.5",
-        "has-binary2": "~1.0.2"
-      }
-    },
-    "enhanced-resolve": {
-      "version": "3.4.1",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-3.4.1.tgz",
-      "integrity": "sha1-BCHjOf1xQZs9oT0Smzl5BAIwR24=",
-      "dev": true,
-      "requires": {
-        "graceful-fs": "^4.1.2",
-        "memory-fs": "^0.4.0",
-        "object-assign": "^4.0.1",
-        "tapable": "^0.2.7"
-      }
-    },
-    "entities": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/entities/-/entities-2.0.0.tgz",
-      "integrity": "sha512-D9f7V0JSRwIxlRI2mjMqufDrRDnx8p+eEOz7aUM9SuvF8gsBzra0/6tbjl1m8eQHrZlYj6PxqE00hZ1SAIKPLw==",
-      "dev": true
-    },
-    "errno": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/errno/-/errno-0.1.7.tgz",
-      "integrity": "sha512-MfrRBDWzIWifgq6tJj60gkAwtLNb6sQPlcFrSOflcP1aFmmruKQ2wRnze/8V6kgyz7H3FF8Npzv78mZ7XLLflg==",
-      "dev": true,
-      "requires": {
-        "prr": "~1.0.1"
-      }
-    },
-    "error-ex": {
-      "version": "1.3.2",
-      "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz",
-      "integrity": "sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==",
-      "requires": {
-        "is-arrayish": "^0.2.1"
-      }
-    },
-    "es-abstract": {
-      "version": "1.16.0",
-      "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.16.0.tgz",
-      "integrity": "sha512-xdQnfykZ9JMEiasTAJZJdMWCQ1Vm00NBw79/AWi7ELfZuuPCSOMDZbT9mkOfSctVtfhb+sAAzrm+j//GjjLHLg==",
-      "dev": true,
-      "requires": {
-        "es-to-primitive": "^1.2.0",
-        "function-bind": "^1.1.1",
-        "has": "^1.0.3",
-        "has-symbols": "^1.0.0",
-        "is-callable": "^1.1.4",
-        "is-regex": "^1.0.4",
-        "object-inspect": "^1.6.0",
-        "object-keys": "^1.1.1",
-        "string.prototype.trimleft": "^2.1.0",
-        "string.prototype.trimright": "^2.1.0"
-      }
-    },
-    "es-to-primitive": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/es-to-primitive/-/es-to-primitive-1.2.0.tgz",
-      "integrity": "sha512-qZryBOJjV//LaxLTV6UC//WewneB3LcXOL9NP++ozKVXsIIIpm/2c13UDiD9Jp2eThsecw9m3jPqDwTyobcdbg==",
-      "dev": true,
-      "requires": {
-        "is-callable": "^1.1.4",
-        "is-date-object": "^1.0.1",
-        "is-symbol": "^1.0.2"
-      }
-    },
-    "es5-ext": {
-      "version": "0.10.52",
-      "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.52.tgz",
-      "integrity": "sha512-bWCbE9fbpYQY4CU6hJbJ1vSz70EClMlDgJ7BmwI+zEJhxrwjesZRPglGJlsZhu0334U3hI+gaspwksH9IGD6ag==",
-      "dev": true,
-      "requires": {
-        "es6-iterator": "~2.0.3",
-        "es6-symbol": "~3.1.2",
-        "next-tick": "~1.0.0"
-      }
-    },
-    "es6-iterator": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/es6-iterator/-/es6-iterator-2.0.3.tgz",
-      "integrity": "sha1-p96IkUGgWpSwhUQDstCg+/qY87c=",
-      "dev": true,
-      "requires": {
-        "d": "1",
-        "es5-ext": "^0.10.35",
-        "es6-symbol": "^3.1.1"
-      }
-    },
-    "es6-map": {
-      "version": "0.1.5",
-      "resolved": "https://registry.npmjs.org/es6-map/-/es6-map-0.1.5.tgz",
-      "integrity": "sha1-kTbgUD3MBqMBaQ8LsU/042TpSfA=",
-      "dev": true,
-      "requires": {
-        "d": "1",
-        "es5-ext": "~0.10.14",
-        "es6-iterator": "~2.0.1",
-        "es6-set": "~0.1.5",
-        "es6-symbol": "~3.1.1",
-        "event-emitter": "~0.3.5"
-      }
-    },
-    "es6-set": {
-      "version": "0.1.5",
-      "resolved": "https://registry.npmjs.org/es6-set/-/es6-set-0.1.5.tgz",
-      "integrity": "sha1-0rPsXU2ADO2BjbU40ol02wpzzLE=",
-      "dev": true,
-      "requires": {
-        "d": "1",
-        "es5-ext": "~0.10.14",
-        "es6-iterator": "~2.0.1",
-        "es6-symbol": "3.1.1",
-        "event-emitter": "~0.3.5"
-      },
-      "dependencies": {
-        "es6-symbol": {
-          "version": "3.1.1",
-          "resolved": "https://registry.npmjs.org/es6-symbol/-/es6-symbol-3.1.1.tgz",
-          "integrity": "sha1-vwDvT9q2uhtG7Le2KbTH7VcVzHc=",
-          "dev": true,
-          "requires": {
-            "d": "1",
-            "es5-ext": "~0.10.14"
-          }
-        }
-      }
-    },
-    "es6-symbol": {
-      "version": "3.1.3",
-      "resolved": "https://registry.npmjs.org/es6-symbol/-/es6-symbol-3.1.3.tgz",
-      "integrity": "sha512-NJ6Yn3FuDinBaBRWl/q5X/s4koRHBrgKAu+yGI6JCBeiu3qrcbJhwT2GeR/EXVfylRk8dpQVJoLEFhK+Mu31NA==",
-      "dev": true,
-      "requires": {
-        "d": "^1.0.1",
-        "ext": "^1.1.2"
-      }
-    },
-    "es6-weak-map": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/es6-weak-map/-/es6-weak-map-2.0.3.tgz",
-      "integrity": "sha512-p5um32HOTO1kP+w7PRnB+5lQ43Z6muuMuIMffvDN8ZB4GcnjLBV6zGStpbASIMk4DCAvEaamhe2zhyCb/QXXsA==",
-      "dev": true,
-      "requires": {
-        "d": "1",
-        "es5-ext": "^0.10.46",
-        "es6-iterator": "^2.0.3",
-        "es6-symbol": "^3.1.1"
-      }
-    },
-    "escape-html": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
-      "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=",
-      "dev": true
-    },
-    "escape-string-regexp": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz",
-      "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ="
-    },
-    "escope": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/escope/-/escope-3.6.0.tgz",
-      "integrity": "sha1-4Bl16BJ4GhY6ba392AOY3GTIicM=",
-      "dev": true,
-      "requires": {
-        "es6-map": "^0.1.3",
-        "es6-weak-map": "^2.0.1",
-        "esrecurse": "^4.1.0",
-        "estraverse": "^4.1.1"
-      }
-    },
-    "esprima": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
-      "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A=="
-    },
-    "esrecurse": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.2.1.tgz",
-      "integrity": "sha512-64RBB++fIOAXPw3P9cy89qfMlvZEXZkqqJkjqqXIvzP5ezRZjW+lPWjw35UX/3EhUPFYbg5ER4JYgDw4007/DQ==",
-      "dev": true,
-      "requires": {
-        "estraverse": "^4.1.0"
-      }
-    },
-    "estraverse": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.3.0.tgz",
-      "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==",
-      "dev": true
-    },
-    "esutils": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
-      "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g=="
-    },
-    "etag": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
-      "integrity": "sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=",
-      "dev": true
-    },
-    "event-emitter": {
-      "version": "0.3.5",
-      "resolved": "https://registry.npmjs.org/event-emitter/-/event-emitter-0.3.5.tgz",
-      "integrity": "sha1-34xp7vFkeSPHFXuc6DhAYQsCzDk=",
-      "dev": true,
-      "requires": {
-        "d": "1",
-        "es5-ext": "~0.10.14"
-      }
-    },
-    "eventemitter3": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-1.2.0.tgz",
-      "integrity": "sha1-HIaZHYFq0eUEdQ5zh0Ik7PO+xQg=",
-      "dev": true
-    },
-    "events": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/events/-/events-3.0.0.tgz",
-      "integrity": "sha512-Dc381HFWJzEOhQ+d8pkNon++bk9h6cdAoAj4iE6Q4y6xgTzySWXlKn05/TVNpjnfRqi/X0EpJEJohPjNI3zpVA==",
-      "dev": true
-    },
-    "evp_bytestokey": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/evp_bytestokey/-/evp_bytestokey-1.0.3.tgz",
-      "integrity": "sha512-/f2Go4TognH/KvCISP7OUsHn85hT9nUkxxA9BEWxFn+Oj9o8ZNLm/40hdlgSLyuOimsrTKLUMEorQexp/aPQeA==",
-      "dev": true,
-      "requires": {
-        "md5.js": "^1.3.4",
-        "safe-buffer": "^5.1.1"
-      }
-    },
-    "execa": {
-      "version": "0.7.0",
-      "resolved": "https://registry.npmjs.org/execa/-/execa-0.7.0.tgz",
-      "integrity": "sha1-lEvs00zEHuMqY6n68nrVpl/Fl3c=",
-      "dev": true,
-      "requires": {
-        "cross-spawn": "^5.0.1",
-        "get-stream": "^3.0.0",
-        "is-stream": "^1.1.0",
-        "npm-run-path": "^2.0.0",
-        "p-finally": "^1.0.0",
-        "signal-exit": "^3.0.0",
-        "strip-eof": "^1.0.0"
-      }
-    },
-    "expand-brackets": {
-      "version": "2.1.4",
-      "resolved": "https://registry.npmjs.org/expand-brackets/-/expand-brackets-2.1.4.tgz",
-      "integrity": "sha1-t3c14xXOMPa27/D4OwQVGiJEliI=",
-      "dev": true,
-      "requires": {
-        "debug": "^2.3.3",
-        "define-property": "^0.2.5",
-        "extend-shallow": "^2.0.1",
-        "posix-character-classes": "^0.1.0",
-        "regex-not": "^1.0.0",
-        "snapdragon": "^0.8.1",
-        "to-regex": "^3.0.1"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "define-property": {
-          "version": "0.2.5",
-          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
-          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
-          "dev": true,
-          "requires": {
-            "is-descriptor": "^0.1.0"
-          }
-        },
-        "extend-shallow": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
-          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
-          "dev": true,
-          "requires": {
-            "is-extendable": "^0.1.0"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        }
-      }
-    },
-    "express": {
-      "version": "4.17.1",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
-      "integrity": "sha512-mHJ9O79RqluphRrcw2X/GTh3k9tVv8YcoyY4Kkh4WDMUYKRZUq0h1o0w2rrrxBqM7VoeUVqgb27xlEMXTnYt4g==",
-      "dev": true,
-      "requires": {
-        "accepts": "~1.3.7",
-        "array-flatten": "1.1.1",
-        "body-parser": "1.19.0",
-        "content-disposition": "0.5.3",
-        "content-type": "~1.0.4",
-        "cookie": "0.4.0",
-        "cookie-signature": "1.0.6",
-        "debug": "2.6.9",
-        "depd": "~1.1.2",
-        "encodeurl": "~1.0.2",
-        "escape-html": "~1.0.3",
-        "etag": "~1.8.1",
-        "finalhandler": "~1.1.2",
-        "fresh": "0.5.2",
-        "merge-descriptors": "1.0.1",
-        "methods": "~1.1.2",
-        "on-finished": "~2.3.0",
-        "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.7",
-        "proxy-addr": "~2.0.5",
-        "qs": "6.7.0",
-        "range-parser": "~1.2.1",
-        "safe-buffer": "5.1.2",
-        "send": "0.17.1",
-        "serve-static": "1.14.1",
-        "setprototypeof": "1.1.1",
-        "statuses": "~1.5.0",
-        "type-is": "~1.6.18",
-        "utils-merge": "1.0.1",
-        "vary": "~1.1.2"
-      },
-      "dependencies": {
-        "cookie": {
-          "version": "0.4.0",
-          "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
-          "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg==",
-          "dev": true
-        },
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "finalhandler": {
-          "version": "1.1.2",
-          "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.2.tgz",
-          "integrity": "sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA==",
-          "dev": true,
-          "requires": {
-            "debug": "2.6.9",
-            "encodeurl": "~1.0.2",
-            "escape-html": "~1.0.3",
-            "on-finished": "~2.3.0",
-            "parseurl": "~1.3.3",
-            "statuses": "~1.5.0",
-            "unpipe": "~1.0.0"
-          }
-        },
-        "mime": {
-          "version": "1.6.0",
-          "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
-          "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
-          "dev": true
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        },
-        "qs": {
-          "version": "6.7.0",
-          "resolved": "https://registry.npmjs.org/qs/-/qs-6.7.0.tgz",
-          "integrity": "sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ==",
-          "dev": true
-        },
-        "send": {
-          "version": "0.17.1",
-          "resolved": "https://registry.npmjs.org/send/-/send-0.17.1.tgz",
-          "integrity": "sha512-BsVKsiGcQMFwT8UxypobUKyv7irCNRHk1T0G680vk88yf6LBByGcZJOTJCrTP2xVN6yI+XjPJcNuE3V4fT9sAg==",
-          "dev": true,
-          "requires": {
-            "debug": "2.6.9",
-            "depd": "~1.1.2",
-            "destroy": "~1.0.4",
-            "encodeurl": "~1.0.2",
-            "escape-html": "~1.0.3",
-            "etag": "~1.8.1",
-            "fresh": "0.5.2",
-            "http-errors": "~1.7.2",
-            "mime": "1.6.0",
-            "ms": "2.1.1",
-            "on-finished": "~2.3.0",
-            "range-parser": "~1.2.1",
-            "statuses": "~1.5.0"
-          },
-          "dependencies": {
-            "ms": {
-              "version": "2.1.1",
-              "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz",
-              "integrity": "sha512-tgp+dl5cGk28utYktBsrFqA7HKgrhgPsg6Z/EfhWI4gl1Hwq8B/GmY/0oXZ6nF8hDVesS/FpnYaD/kOWhYQvyg==",
-              "dev": true
-            }
-          }
-        },
-        "serve-static": {
-          "version": "1.14.1",
-          "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.14.1.tgz",
-          "integrity": "sha512-JMrvUwE54emCYWlTI+hGrGv5I8dEwmco/00EvkzIIsR7MqrHonbD9pO2MOfFnpFntl7ecpZs+3mW+XbQZu9QCg==",
-          "dev": true,
-          "requires": {
-            "encodeurl": "~1.0.2",
-            "escape-html": "~1.0.3",
-            "parseurl": "~1.3.3",
-            "send": "0.17.1"
-          }
-        },
-        "statuses": {
-          "version": "1.5.0",
-          "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
-          "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=",
-          "dev": true
-        }
-      }
-    },
-    "ext": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/ext/-/ext-1.1.2.tgz",
-      "integrity": "sha512-/KLjJdTNyDepCihrk4HQt57nAE1IRCEo5jUt+WgWGCr1oARhibDvmI2DMcSNWood1T9AUWwq+jaV1wvRqaXfnA==",
-      "dev": true,
-      "requires": {
-        "type": "^2.0.0"
-      },
-      "dependencies": {
-        "type": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/type/-/type-2.0.0.tgz",
-          "integrity": "sha512-KBt58xCHry4Cejnc2ISQAF7QY+ORngsWfxezO68+12hKV6lQY8P/psIkcbjeHWn7MqcgciWJyCCevFMJdIXpow==",
-          "dev": true
-        }
-      }
-    },
-    "extend": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
-      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==",
-      "dev": true
-    },
-    "extend-shallow": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-3.0.2.tgz",
-      "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
-      "dev": true,
-      "requires": {
-        "assign-symbols": "^1.0.0",
-        "is-extendable": "^1.0.1"
-      },
-      "dependencies": {
-        "is-extendable": {
-          "version": "1.0.1",
-          "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-1.0.1.tgz",
-          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
-          "dev": true,
-          "requires": {
-            "is-plain-object": "^2.0.4"
-          }
-        }
-      }
-    },
-    "external-editor": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/external-editor/-/external-editor-2.2.0.tgz",
-      "integrity": "sha512-bSn6gvGxKt+b7+6TKEv1ZycHleA7aHhRHyAqJyp5pbUFuYYNIzpZnQDk7AsYckyWdEnTeAnay0aCy2aV6iTk9A==",
-      "dev": true,
-      "requires": {
-        "chardet": "^0.4.0",
-        "iconv-lite": "^0.4.17",
-        "tmp": "^0.0.33"
-      }
-    },
-    "extglob": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/extglob/-/extglob-2.0.4.tgz",
-      "integrity": "sha512-Nmb6QXkELsuBr24CJSkilo6UHHgbekK5UiZgfE6UHD3Eb27YC6oD+bhcT+tJ6cl8dmsgdQxnWlcry8ksBIBLpw==",
-      "dev": true,
-      "requires": {
-        "array-unique": "^0.3.2",
-        "define-property": "^1.0.0",
-        "expand-brackets": "^2.1.4",
-        "extend-shallow": "^2.0.1",
-        "fragment-cache": "^0.2.1",
-        "regex-not": "^1.0.0",
-        "snapdragon": "^0.8.1",
-        "to-regex": "^3.0.1"
-      },
-      "dependencies": {
-        "define-property": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz",
-          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
-          "dev": true,
-          "requires": {
-            "is-descriptor": "^1.0.0"
-          }
-        },
-        "extend-shallow": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
-          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
-          "dev": true,
-          "requires": {
-            "is-extendable": "^0.1.0"
-          }
-        },
-        "is-accessor-descriptor": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz",
-          "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
-          "dev": true,
-          "requires": {
-            "kind-of": "^6.0.0"
-          }
-        },
-        "is-data-descriptor": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz",
-          "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
-          "dev": true,
-          "requires": {
-            "kind-of": "^6.0.0"
-          }
-        },
-        "is-descriptor": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz",
-          "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
-          "dev": true,
-          "requires": {
-            "is-accessor-descriptor": "^1.0.0",
-            "is-data-descriptor": "^1.0.0",
-            "kind-of": "^6.0.2"
-          }
-        }
-      }
-    },
-    "extsprintf": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz",
-      "integrity": "sha1-lpGEQOMEGnpBT4xS48V06zw+HgU=",
-      "dev": true
-    },
-    "fast-deep-equal": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz",
-      "integrity": "sha1-ewUhjd+WZ79/Nwv3/bLLFf3Qqkk=",
-      "dev": true
-    },
-    "fast-json-stable-stringify": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.0.0.tgz",
-      "integrity": "sha1-1RQsDK7msRifh9OnYREGT4bIu/I=",
-      "dev": true
-    },
-    "figures": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/figures/-/figures-2.0.0.tgz",
-      "integrity": "sha1-OrGi0qYsi/tDGgyUy3l6L84nyWI=",
-      "dev": true,
-      "requires": {
-        "escape-string-regexp": "^1.0.5"
-      }
-    },
-    "filesize": {
-      "version": "3.6.1",
-      "resolved": "https://registry.npmjs.org/filesize/-/filesize-3.6.1.tgz",
-      "integrity": "sha512-7KjR1vv6qnicaPMi1iiTcI85CyYwRO/PSFCu6SvqL8jN2Wjt/NIYQTFtFs7fSDCYOstUkEWIQGFUg5YZQfjlcg==",
-      "dev": true
-    },
-    "filewrap": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/filewrap/-/filewrap-1.0.0.tgz",
-      "integrity": "sha1-puPLOArzRz2i7dnJ+ymvqIeA/+U=",
-      "dev": true
-    },
-    "fill-range": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz",
-      "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=",
-      "dev": true,
-      "requires": {
-        "extend-shallow": "^2.0.1",
-        "is-number": "^3.0.0",
-        "repeat-string": "^1.6.1",
-        "to-regex-range": "^2.1.0"
-      },
-      "dependencies": {
-        "extend-shallow": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
-          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
-          "dev": true,
-          "requires": {
-            "is-extendable": "^0.1.0"
-          }
-        }
-      }
-    },
-    "finalhandler": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.0.tgz",
-      "integrity": "sha1-zgtoVbRYU+eRsvzGgARtiCU91/U=",
-      "dev": true,
-      "requires": {
-        "debug": "2.6.9",
-        "encodeurl": "~1.0.1",
-        "escape-html": "~1.0.3",
-        "on-finished": "~2.3.0",
-        "parseurl": "~1.3.2",
-        "statuses": "~1.3.1",
-        "unpipe": "~1.0.0"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        }
-      }
-    },
-    "find-cache-dir": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/find-cache-dir/-/find-cache-dir-1.0.0.tgz",
-      "integrity": "sha1-kojj6ePMN0hxfTnq3hfPcfww7m8=",
-      "dev": true,
-      "requires": {
-        "commondir": "^1.0.1",
-        "make-dir": "^1.0.0",
-        "pkg-dir": "^2.0.0"
-      }
-    },
-    "find-root": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/find-root/-/find-root-1.1.0.tgz",
-      "integrity": "sha512-NKfW6bec6GfKc0SGx1e07QZY9PE99u0Bft/0rzSD5k3sO/vwkVUpDUKVm5Gpp5Ue3YfShPFTX2070tDs5kB9Ng=="
-    },
-    "find-up": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/find-up/-/find-up-2.1.0.tgz",
-      "integrity": "sha1-RdG35QbHF93UgndaK3eSCjwMV6c=",
-      "dev": true,
-      "requires": {
-        "locate-path": "^2.0.0"
-      }
-    },
-    "flatten": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/flatten/-/flatten-1.0.3.tgz",
-      "integrity": "sha512-dVsPA/UwQ8+2uoFe5GHtiBMu48dWLTdsuEd7CKGlZlD78r1TTWBvDuFaFGKCo/ZfEr95Uk56vZoX86OsHkUeIg==",
-      "dev": true
-    },
-    "follow-redirects": {
-      "version": "1.5.10",
-      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz",
-      "integrity": "sha512-0V5l4Cizzvqt5D44aTXbFZz+FtyXV1vrDN6qrelxtfYQKW0KO0W2T/hkE8xvGa/540LkZlkaUjO4ailYTFtHVQ==",
-      "dev": true,
-      "requires": {
-        "debug": "=3.1.0"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "3.1.0",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
-          "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        }
-      }
-    },
-    "for-in": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/for-in/-/for-in-1.0.2.tgz",
-      "integrity": "sha1-gQaNKVqBQuwKxybG4iAMMPttXoA=",
-      "dev": true
-    },
-    "forever-agent": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz",
-      "integrity": "sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=",
-      "dev": true
-    },
-    "form-data": {
-      "version": "2.3.3",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz",
-      "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==",
-      "dev": true,
-      "requires": {
-        "asynckit": "^0.4.0",
-        "combined-stream": "^1.0.6",
-        "mime-types": "^2.1.12"
-      }
-    },
-    "forwarded": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz",
-      "integrity": "sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ=",
-      "dev": true
-    },
-    "fragment-cache": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/fragment-cache/-/fragment-cache-0.2.1.tgz",
-      "integrity": "sha1-QpD60n8T6Jvn8zeZxrxaCr//DRk=",
-      "dev": true,
-      "requires": {
-        "map-cache": "^0.2.2"
-      }
-    },
-    "fresh": {
-      "version": "0.5.2",
-      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
-      "integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac=",
-      "dev": true
-    },
-    "fs-extra": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-3.0.1.tgz",
-      "integrity": "sha1-N5TzeMWLNC6n27sjCVEJxLO2IpE=",
-      "dev": true,
-      "requires": {
-        "graceful-fs": "^4.1.2",
-        "jsonfile": "^3.0.0",
-        "universalify": "^0.1.0"
-      }
-    },
-    "fs.realpath": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
-      "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=",
-      "dev": true
-    },
-    "fsevents": {
-      "version": "1.2.9",
-      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-1.2.9.tgz",
-      "integrity": "sha512-oeyj2H3EjjonWcFjD5NvZNE9Rqe4UW+nQBU2HNeKw0koVLEFIhtyETyAakeAM3de7Z/SW5kcA+fZUait9EApnw==",
-      "dev": true,
-      "optional": true,
-      "requires": {
-        "nan": "^2.12.1",
-        "node-pre-gyp": "^0.12.0"
-      },
-      "dependencies": {
-        "abbrev": {
-          "version": "1.1.1",
-          "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
-          "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==",
-          "dev": true,
-          "optional": true
-        },
-        "ansi-regex": {
-          "version": "2.1.1",
-          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
-          "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=",
-          "dev": true,
-          "optional": true
-        },
-        "aproba": {
-          "version": "1.2.0",
-          "resolved": "https://registry.npmjs.org/aproba/-/aproba-1.2.0.tgz",
-          "integrity": "sha512-Y9J6ZjXtoYh8RnXVCMOU/ttDmk1aBjunq9vO0ta5x85WDQiQfUF9sIPBITdbiiIVcBo03Hi3jMxigBtsddlXRw==",
-          "dev": true,
-          "optional": true
-        },
-        "are-we-there-yet": {
-          "version": "1.1.5",
-          "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-1.1.5.tgz",
-          "integrity": "sha512-5hYdAkZlcG8tOLujVDTgCT+uPX0VnpAH28gWsLfzpXYm7wP6mp5Q/gYyR7YQ0cKVJcXJnl3j2kpBan13PtQf6w==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "delegates": "^1.0.0",
-            "readable-stream": "^2.0.6"
-          }
-        },
-        "balanced-match": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
-          "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=",
-          "dev": true,
-          "optional": true
-        },
-        "brace-expansion": {
-          "version": "1.1.11",
-          "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
-          "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "balanced-match": "^1.0.0",
-            "concat-map": "0.0.1"
-          }
-        },
-        "chownr": {
-          "version": "1.1.1",
-          "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.1.tgz",
-          "integrity": "sha512-j38EvO5+LHX84jlo6h4UzmOwi0UgW61WRyPtJz4qaadK5eY3BTS5TY/S1Stc3Uk2lIM6TPevAlULiEJwie860g==",
-          "dev": true,
-          "optional": true
-        },
-        "code-point-at": {
-          "version": "1.1.0",
-          "resolved": "https://registry.npmjs.org/code-point-at/-/code-point-at-1.1.0.tgz",
-          "integrity": "sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c=",
-          "dev": true,
-          "optional": true
-        },
-        "concat-map": {
-          "version": "0.0.1",
-          "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
-          "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=",
-          "dev": true,
-          "optional": true
-        },
-        "console-control-strings": {
-          "version": "1.1.0",
-          "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz",
-          "integrity": "sha1-PXz0Rk22RG6mRL9LOVB/mFEAjo4=",
-          "dev": true,
-          "optional": true
-        },
-        "core-util-is": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
-          "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=",
-          "dev": true,
-          "optional": true
-        },
-        "debug": {
-          "version": "4.1.1",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
-          "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "ms": "^2.1.1"
-          }
-        },
-        "deep-extend": {
-          "version": "0.6.0",
-          "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz",
-          "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==",
-          "dev": true,
-          "optional": true
-        },
-        "delegates": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz",
-          "integrity": "sha1-hMbhWbgZBP3KWaDvRM2HDTElD5o=",
-          "dev": true,
-          "optional": true
-        },
-        "detect-libc": {
-          "version": "1.0.3",
-          "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-1.0.3.tgz",
-          "integrity": "sha1-+hN8S9aY7fVc1c0CrFWfkaTEups=",
-          "dev": true,
-          "optional": true
-        },
-        "fs-minipass": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-1.2.5.tgz",
-          "integrity": "sha512-JhBl0skXjUPCFH7x6x61gQxrKyXsxB5gcgePLZCwfyCGGsTISMoIeObbrvVeP6Xmyaudw4TT43qV2Gz+iyd2oQ==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "minipass": "^2.2.1"
-          }
-        },
-        "fs.realpath": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
-          "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=",
-          "dev": true,
-          "optional": true
-        },
-        "gauge": {
-          "version": "2.7.4",
-          "resolved": "https://registry.npmjs.org/gauge/-/gauge-2.7.4.tgz",
-          "integrity": "sha1-LANAXHU4w51+s3sxcCLjJfsBi/c=",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "aproba": "^1.0.3",
-            "console-control-strings": "^1.0.0",
-            "has-unicode": "^2.0.0",
-            "object-assign": "^4.1.0",
-            "signal-exit": "^3.0.0",
-            "string-width": "^1.0.1",
-            "strip-ansi": "^3.0.1",
-            "wide-align": "^1.1.0"
-          }
-        },
-        "glob": {
-          "version": "7.1.3",
-          "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.3.tgz",
-          "integrity": "sha512-vcfuiIxogLV4DlGBHIUOwI0IbrJ8HWPc4MU7HzviGeNho/UJDfi6B5p3sHeWIQ0KGIU0Jpxi5ZHxemQfLkkAwQ==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "fs.realpath": "^1.0.0",
-            "inflight": "^1.0.4",
-            "inherits": "2",
-            "minimatch": "^3.0.4",
-            "once": "^1.3.0",
-            "path-is-absolute": "^1.0.0"
-          }
-        },
-        "has-unicode": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz",
-          "integrity": "sha1-4Ob+aijPUROIVeCG0Wkedx3iqLk=",
-          "dev": true,
-          "optional": true
-        },
-        "iconv-lite": {
-          "version": "0.4.24",
-          "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
-          "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "safer-buffer": ">= 2.1.2 < 3"
-          }
-        },
-        "ignore-walk": {
-          "version": "3.0.1",
-          "resolved": "https://registry.npmjs.org/ignore-walk/-/ignore-walk-3.0.1.tgz",
-          "integrity": "sha512-DTVlMx3IYPe0/JJcYP7Gxg7ttZZu3IInhuEhbchuqneY9wWe5Ojy2mXLBaQFUQmo0AW2r3qG7m1mg86js+gnlQ==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "minimatch": "^3.0.4"
-          }
-        },
-        "inflight": {
-          "version": "1.0.6",
-          "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
-          "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "once": "^1.3.0",
-            "wrappy": "1"
-          }
-        },
-        "inherits": {
-          "version": "2.0.3",
-          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
-          "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=",
-          "dev": true,
-          "optional": true
-        },
-        "ini": {
-          "version": "1.3.5",
-          "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz",
-          "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==",
-          "dev": true,
-          "optional": true
-        },
-        "is-fullwidth-code-point": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz",
-          "integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "number-is-nan": "^1.0.0"
-          }
-        },
-        "isarray": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
-          "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=",
-          "dev": true,
-          "optional": true
-        },
-        "minimatch": {
-          "version": "3.0.4",
-          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-          "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "brace-expansion": "^1.1.7"
-          }
-        },
-        "minimist": {
-          "version": "0.0.8",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
-          "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=",
-          "dev": true,
-          "optional": true
-        },
-        "minipass": {
-          "version": "2.3.5",
-          "resolved": "https://registry.npmjs.org/minipass/-/minipass-2.3.5.tgz",
-          "integrity": "sha512-Gi1W4k059gyRbyVUZQ4mEqLm0YIUiGYfvxhF6SIlk3ui1WVxMTGfGdQ2SInh3PDrRTVvPKgULkpJtT4RH10+VA==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "safe-buffer": "^5.1.2",
-            "yallist": "^3.0.0"
-          }
-        },
-        "minizlib": {
-          "version": "1.2.1",
-          "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-1.2.1.tgz",
-          "integrity": "sha512-7+4oTUOWKg7AuL3vloEWekXY2/D20cevzsrNT2kGWm+39J9hGTCBv8VI5Pm5lXZ/o3/mdR4f8rflAPhnQb8mPA==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "minipass": "^2.2.1"
-          }
-        },
-        "mkdirp": {
-          "version": "0.5.1",
-          "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
-          "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "minimist": "0.0.8"
-          }
-        },
-        "ms": {
-          "version": "2.1.1",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz",
-          "integrity": "sha512-tgp+dl5cGk28utYktBsrFqA7HKgrhgPsg6Z/EfhWI4gl1Hwq8B/GmY/0oXZ6nF8hDVesS/FpnYaD/kOWhYQvyg==",
-          "dev": true,
-          "optional": true
-        },
-        "needle": {
-          "version": "2.3.0",
-          "resolved": "https://registry.npmjs.org/needle/-/needle-2.3.0.tgz",
-          "integrity": "sha512-QBZu7aAFR0522EyaXZM0FZ9GLpq6lvQ3uq8gteiDUp7wKdy0lSd2hPlgFwVuW1CBkfEs9PfDQsQzZghLs/psdg==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "debug": "^4.1.0",
-            "iconv-lite": "^0.4.4",
-            "sax": "^1.2.4"
-          }
-        },
-        "node-pre-gyp": {
-          "version": "0.12.0",
-          "resolved": "https://registry.npmjs.org/node-pre-gyp/-/node-pre-gyp-0.12.0.tgz",
-          "integrity": "sha512-4KghwV8vH5k+g2ylT+sLTjy5wmUOb9vPhnM8NHvRf9dHmnW/CndrFXy2aRPaPST6dugXSdHXfeaHQm77PIz/1A==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "detect-libc": "^1.0.2",
-            "mkdirp": "^0.5.1",
-            "needle": "^2.2.1",
-            "nopt": "^4.0.1",
-            "npm-packlist": "^1.1.6",
-            "npmlog": "^4.0.2",
-            "rc": "^1.2.7",
-            "rimraf": "^2.6.1",
-            "semver": "^5.3.0",
-            "tar": "^4"
-          }
-        },
-        "nopt": {
-          "version": "4.0.1",
-          "resolved": "https://registry.npmjs.org/nopt/-/nopt-4.0.1.tgz",
-          "integrity": "sha1-0NRoWv1UFRk8jHUFYC0NF81kR00=",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "abbrev": "1",
-            "osenv": "^0.1.4"
-          }
-        },
-        "npm-bundled": {
-          "version": "1.0.6",
-          "resolved": "https://registry.npmjs.org/npm-bundled/-/npm-bundled-1.0.6.tgz",
-          "integrity": "sha512-8/JCaftHwbd//k6y2rEWp6k1wxVfpFzB6t1p825+cUb7Ym2XQfhwIC5KwhrvzZRJu+LtDE585zVaS32+CGtf0g==",
-          "dev": true,
-          "optional": true
-        },
-        "npm-packlist": {
-          "version": "1.4.1",
-          "resolved": "https://registry.npmjs.org/npm-packlist/-/npm-packlist-1.4.1.tgz",
-          "integrity": "sha512-+TcdO7HJJ8peiiYhvPxsEDhF3PJFGUGRcFsGve3vxvxdcpO2Z4Z7rkosRM0kWj6LfbK/P0gu3dzk5RU1ffvFcw==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "ignore-walk": "^3.0.1",
-            "npm-bundled": "^1.0.1"
-          }
-        },
-        "npmlog": {
-          "version": "4.1.2",
-          "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-4.1.2.tgz",
-          "integrity": "sha512-2uUqazuKlTaSI/dC8AzicUck7+IrEaOnN/e0jd3Xtt1KcGpwx30v50mL7oPyr/h9bL3E4aZccVwpwP+5W9Vjkg==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "are-we-there-yet": "~1.1.2",
-            "console-control-strings": "~1.1.0",
-            "gauge": "~2.7.3",
-            "set-blocking": "~2.0.0"
-          }
-        },
-        "number-is-nan": {
-          "version": "1.0.1",
-          "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz",
-          "integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=",
-          "dev": true,
-          "optional": true
-        },
-        "object-assign": {
-          "version": "4.1.1",
-          "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
-          "integrity": "sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM=",
-          "dev": true,
-          "optional": true
-        },
-        "once": {
-          "version": "1.4.0",
-          "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
-          "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "wrappy": "1"
-          }
-        },
-        "os-homedir": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/os-homedir/-/os-homedir-1.0.2.tgz",
-          "integrity": "sha1-/7xJiDNuDoM94MFox+8VISGqf7M=",
-          "dev": true,
-          "optional": true
-        },
-        "os-tmpdir": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz",
-          "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=",
-          "dev": true,
-          "optional": true
-        },
-        "osenv": {
-          "version": "0.1.5",
-          "resolved": "https://registry.npmjs.org/osenv/-/osenv-0.1.5.tgz",
-          "integrity": "sha512-0CWcCECdMVc2Rw3U5w9ZjqX6ga6ubk1xDVKxtBQPK7wis/0F2r9T6k4ydGYhecl7YUBxBVxhL5oisPsNxAPe2g==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "os-homedir": "^1.0.0",
-            "os-tmpdir": "^1.0.0"
-          }
-        },
-        "path-is-absolute": {
-          "version": "1.0.1",
-          "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
-          "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=",
-          "dev": true,
-          "optional": true
-        },
-        "process-nextick-args": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.0.tgz",
-          "integrity": "sha512-MtEC1TqN0EU5nephaJ4rAtThHtC86dNN9qCuEhtshvpVBkAW5ZO7BASN9REnF9eoXGcRub+pFuKEpOHE+HbEMw==",
-          "dev": true,
-          "optional": true
-        },
-        "rc": {
-          "version": "1.2.8",
-          "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz",
-          "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "deep-extend": "^0.6.0",
-            "ini": "~1.3.0",
-            "minimist": "^1.2.0",
-            "strip-json-comments": "~2.0.1"
-          },
-          "dependencies": {
-            "minimist": {
-              "version": "1.2.0",
-              "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
-              "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
-              "dev": true,
-              "optional": true
-            }
-          }
-        },
-        "readable-stream": {
-          "version": "2.3.6",
-          "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.6.tgz",
-          "integrity": "sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "core-util-is": "~1.0.0",
-            "inherits": "~2.0.3",
-            "isarray": "~1.0.0",
-            "process-nextick-args": "~2.0.0",
-            "safe-buffer": "~5.1.1",
-            "string_decoder": "~1.1.1",
-            "util-deprecate": "~1.0.1"
-          }
-        },
-        "rimraf": {
-          "version": "2.6.3",
-          "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.6.3.tgz",
-          "integrity": "sha512-mwqeW5XsA2qAejG46gYdENaxXjx9onRNCfn7L0duuP4hCuTIi/QO7PDK07KJfp1d+izWPrzEJDcSqBa0OZQriA==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "glob": "^7.1.3"
-          }
-        },
-        "safe-buffer": {
-          "version": "5.1.2",
-          "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
-          "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
-          "dev": true,
-          "optional": true
-        },
-        "safer-buffer": {
-          "version": "2.1.2",
-          "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
-          "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
-          "dev": true,
-          "optional": true
-        },
-        "sax": {
-          "version": "1.2.4",
-          "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
-          "integrity": "sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==",
-          "dev": true,
-          "optional": true
-        },
-        "semver": {
-          "version": "5.7.0",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.0.tgz",
-          "integrity": "sha512-Ya52jSX2u7QKghxeoFGpLwCtGlt7j0oY9DYb5apt9nPlJ42ID+ulTXESnt/qAQcoSERyZ5sl3LDIOw0nAn/5DA==",
-          "dev": true,
-          "optional": true
-        },
-        "set-blocking": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
-          "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=",
-          "dev": true,
-          "optional": true
-        },
-        "signal-exit": {
-          "version": "3.0.2",
-          "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.2.tgz",
-          "integrity": "sha1-tf3AjxKH6hF4Yo5BXiUTK3NkbG0=",
-          "dev": true,
-          "optional": true
-        },
-        "string-width": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz",
-          "integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "code-point-at": "^1.0.0",
-            "is-fullwidth-code-point": "^1.0.0",
-            "strip-ansi": "^3.0.0"
-          }
-        },
-        "string_decoder": {
-          "version": "1.1.1",
-          "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
-          "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "safe-buffer": "~5.1.0"
-          }
-        },
-        "strip-ansi": {
-          "version": "3.0.1",
-          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz",
-          "integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "ansi-regex": "^2.0.0"
-          }
-        },
-        "strip-json-comments": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz",
-          "integrity": "sha1-PFMZQukIwml8DsNEhYwobHygpgo=",
-          "dev": true,
-          "optional": true
-        },
-        "tar": {
-          "version": "4.4.8",
-          "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
-          "integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "chownr": "^1.1.1",
-            "fs-minipass": "^1.2.5",
-            "minipass": "^2.3.4",
-            "minizlib": "^1.1.1",
-            "mkdirp": "^0.5.0",
-            "safe-buffer": "^5.1.2",
-            "yallist": "^3.0.2"
-          }
-        },
-        "util-deprecate": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
-          "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=",
-          "dev": true,
-          "optional": true
-        },
-        "wide-align": {
-          "version": "1.1.3",
-          "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.3.tgz",
-          "integrity": "sha512-QGkOQc8XL6Bt5PwnsExKBPuMKBxnGxWWW3fU55Xt4feHozMUhdUMaBCk290qpm/wG5u/RSKzwdAC4i51YigihA==",
-          "dev": true,
-          "optional": true,
-          "requires": {
-            "string-width": "^1.0.2 || 2"
-          }
-        },
-        "wrappy": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
-          "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
-          "dev": true,
-          "optional": true
-        },
-        "yallist": {
-          "version": "3.0.3",
-          "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.0.3.tgz",
-          "integrity": "sha512-S+Zk8DEWE6oKpV+vI3qWkaK+jSbIK86pCwe2IF/xwIpQ8jEuxpw9NyaGjmp9+BoJv5FV2piqCDcoCtStppiq2A==",
-          "dev": true,
-          "optional": true
-        }
-      }
-    },
-    "function-bind": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz",
-      "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==",
-      "dev": true
-    },
-    "gather-stream": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/gather-stream/-/gather-stream-1.0.0.tgz",
-      "integrity": "sha1-szmUr0V6gRVwDUEPMXczy+egkEs=",
-      "dev": true
-    },
-    "get-caller-file": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-1.0.3.tgz",
-      "integrity": "sha512-3t6rVToeoZfYSGd8YoLFR2DJkiQrIiUrGcjvFX2mDw3bn6k2OtwHN0TNCLbBO+w8qTvimhDkv+LSscbJY1vE6w==",
-      "dev": true
-    },
-    "get-stream": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-3.0.0.tgz",
-      "integrity": "sha1-jpQ9E1jcN1VQVOy+LtsFqhdO3hQ=",
-      "dev": true
-    },
-    "get-value": {
-      "version": "2.0.6",
-      "resolved": "https://registry.npmjs.org/get-value/-/get-value-2.0.6.tgz",
-      "integrity": "sha1-3BXKHGcjh8p2vTesCjlbogQqLCg=",
-      "dev": true
-    },
-    "getpass": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz",
-      "integrity": "sha1-Xv+OPmhNVprkyysSgmBOi6YhSfo=",
-      "dev": true,
-      "requires": {
-        "assert-plus": "^1.0.0"
-      }
-    },
-    "glob": {
-      "version": "7.1.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.5.tgz",
-      "integrity": "sha512-J9dlskqUXK1OeTOYBEn5s8aMukWMwWfs+rPTn/jn50Ux4MNXVhubL1wu/j2t+H4NVI+cXEcCaYellqaPVGXNqQ==",
-      "dev": true,
-      "requires": {
-        "fs.realpath": "^1.0.0",
-        "inflight": "^1.0.4",
-        "inherits": "2",
-        "minimatch": "^3.0.4",
-        "once": "^1.3.0",
-        "path-is-absolute": "^1.0.0"
-      }
-    },
-    "glob-parent": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz",
-      "integrity": "sha1-nmr2KZ2NO9K9QEMIMr0RPfkGxa4=",
-      "dev": true,
-      "requires": {
-        "is-glob": "^3.1.0",
-        "path-dirname": "^1.0.0"
-      },
-      "dependencies": {
-        "is-glob": {
-          "version": "3.1.0",
-          "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-3.1.0.tgz",
-          "integrity": "sha1-e6WuJCF4BKxwcHuWkiVnSGzD6Eo=",
-          "dev": true,
-          "requires": {
-            "is-extglob": "^2.1.0"
-          }
-        }
-      }
-    },
-    "globals": {
-      "version": "9.18.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-9.18.0.tgz",
-      "integrity": "sha512-S0nG3CLEQiY/ILxqtztTWH/3iRRdyBLw6KMDxnKMchrtbj2OFmehVh0WUCfW3DUrIgx/qFrJPICrq4Z4sTR9UQ==",
-      "dev": true
-    },
-    "graceful-fs": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.3.tgz",
-      "integrity": "sha512-a30VEBm4PEdx1dRB7MFK7BejejvCvBronbLjht+sHuGYj8PHs7M/5Z+rt5lw551vZ7yfTCj4Vuyy3mSJytDWRQ==",
-      "dev": true
-    },
-    "gzip-size": {
-      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/gzip-size/-/gzip-size-5.1.1.tgz",
-      "integrity": "sha512-FNHi6mmoHvs1mxZAds4PpdCS6QG8B4C1krxJsMutgxl5t3+GlRTzzI3NEkifXx2pVsOvJdOGSmIgDhQ55FwdPA==",
-      "dev": true,
-      "requires": {
-        "duplexer": "^0.1.1",
-        "pify": "^4.0.1"
-      },
-      "dependencies": {
-        "pify": {
-          "version": "4.0.1",
-          "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
-          "integrity": "sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g==",
-          "dev": true
-        }
-      }
-    },
-    "har-schema": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz",
-      "integrity": "sha1-qUwiJOvKwEeCoNkDVSHyRzW37JI=",
-      "dev": true
-    },
-    "har-validator": {
-      "version": "5.1.3",
-      "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.3.tgz",
-      "integrity": "sha512-sNvOCzEQNr/qrvJgc3UG/kD4QtlHycrzwS+6mfTrrSq97BvaYcPZZI1ZSqGSPR73Cxn4LKTD4PttRwfU7jWq5g==",
-      "dev": true,
-      "requires": {
-        "ajv": "^6.5.5",
-        "har-schema": "^2.0.0"
-      }
-    },
-    "has": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz",
-      "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==",
-      "dev": true,
-      "requires": {
-        "function-bind": "^1.1.1"
-      }
-    },
-    "has-ansi": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/has-ansi/-/has-ansi-2.0.0.tgz",
-      "integrity": "sha1-NPUEnOHs3ysGSa8+8k5F7TVBbZE=",
-      "dev": true,
-      "requires": {
-        "ansi-regex": "^2.0.0"
-      }
-    },
-    "has-binary2": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/has-binary2/-/has-binary2-1.0.3.tgz",
-      "integrity": "sha512-G1LWKhDSvhGeAQ8mPVQlqNcOB2sJdwATtZKl2pDKKHfpf/rYj24lkinxf69blJbnsvtqqNU+L3SL50vzZhXOnw==",
-      "dev": true,
-      "requires": {
-        "isarray": "2.0.1"
-      }
-    },
-    "has-cors": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/has-cors/-/has-cors-1.1.0.tgz",
-      "integrity": "sha1-XkdHk/fqmEPRu5nCPu9J/xJv/zk=",
-      "dev": true
-    },
-    "has-flag": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
-      "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0="
-    },
-    "has-symbols": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.0.tgz",
-      "integrity": "sha1-uhqPGvKg/DllD1yFA2dwQSIGO0Q=",
-      "dev": true
-    },
-    "has-value": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/has-value/-/has-value-1.0.0.tgz",
-      "integrity": "sha1-GLKB2lhbHFxR3vJMkw7SmgvmsXc=",
-      "dev": true,
-      "requires": {
-        "get-value": "^2.0.6",
-        "has-values": "^1.0.0",
-        "isobject": "^3.0.0"
-      }
-    },
-    "has-values": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/has-values/-/has-values-1.0.0.tgz",
-      "integrity": "sha1-lbC2P+whRmGab+V/51Yo1aOe/k8=",
-      "dev": true,
-      "requires": {
-        "is-number": "^3.0.0",
-        "kind-of": "^4.0.0"
-      },
-      "dependencies": {
-        "kind-of": {
-          "version": "4.0.0",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz",
-          "integrity": "sha1-IIE989cSkosgc3hpGkUGb65y3Vc=",
-          "dev": true,
-          "requires": {
-            "is-buffer": "^1.1.5"
-          }
-        }
-      }
-    },
-    "hash-base": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.0.4.tgz",
-      "integrity": "sha1-X8hoaEfs1zSZQDMZprCj8/auSRg=",
-      "dev": true,
-      "requires": {
-        "inherits": "^2.0.1",
-        "safe-buffer": "^5.0.1"
-      }
-    },
-    "hash.js": {
-      "version": "1.1.7",
-      "resolved": "https://registry.npmjs.org/hash.js/-/hash.js-1.1.7.tgz",
-      "integrity": "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA==",
-      "dev": true,
-      "requires": {
-        "inherits": "^2.0.3",
-        "minimalistic-assert": "^1.0.1"
-      }
-    },
-    "hex-color-regex": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/hex-color-regex/-/hex-color-regex-1.1.0.tgz",
-      "integrity": "sha512-l9sfDFsuqtOqKDsQdqrMRk0U85RZc0RtOR9yPI7mRVOa4FsR/BVnZ0shmQRM96Ji99kYZP/7hn1cedc1+ApsTQ==",
-      "dev": true
-    },
-    "highlight.js": {
-      "version": "9.15.10",
-      "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-9.15.10.tgz",
-      "integrity": "sha512-RoV7OkQm0T3os3Dd2VHLNMoaoDVx77Wygln3n9l5YV172XonWG6rgQD3XnF/BuFFZw9A0TJgmMSO8FEWQgvcXw=="
-    },
-    "hmac-drbg": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
-      "integrity": "sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=",
-      "dev": true,
-      "requires": {
-        "hash.js": "^1.0.3",
-        "minimalistic-assert": "^1.0.0",
-        "minimalistic-crypto-utils": "^1.0.1"
-      }
-    },
-    "hoek": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
-      "integrity": "sha512-QLg82fGkfnJ/4iy1xZ81/9SIJiq1NGFUMGs6ParyjBZr6jW2Ufj/snDqTHixNlHdPNwN2RLVD0Pi3igeK9+JfA==",
-      "dev": true
-    },
-    "home-or-tmp": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/home-or-tmp/-/home-or-tmp-2.0.0.tgz",
-      "integrity": "sha1-42w/LSyufXRqhX440Y1fMqeILbg=",
-      "dev": true,
-      "requires": {
-        "os-homedir": "^1.0.0",
-        "os-tmpdir": "^1.0.1"
-      }
-    },
-    "hoopy": {
-      "version": "0.1.4",
-      "resolved": "https://registry.npmjs.org/hoopy/-/hoopy-0.1.4.tgz",
-      "integrity": "sha512-HRcs+2mr52W0K+x8RzcLzuPPmVIKMSv97RGHy0Ea9y/mpcaK+xTrjICA04KAHi4GRzxliNqNJEFYWHghy3rSfQ==",
-      "dev": true
-    },
-    "hosted-git-info": {
-      "version": "2.8.5",
-      "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.5.tgz",
-      "integrity": "sha512-kssjab8CvdXfcXMXVcvsXum4Hwdq9XGtRD3TteMEvEbq0LXyiNQr6AprqKqfeaDXze7SxWvRxdpwE6ku7ikLkg==",
-      "dev": true
-    },
-    "hsl-regex": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/hsl-regex/-/hsl-regex-1.0.0.tgz",
-      "integrity": "sha1-1JMwx4ntgZ4nakwNJy3/owsY/m4=",
-      "dev": true
-    },
-    "hsla-regex": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/hsla-regex/-/hsla-regex-1.0.0.tgz",
-      "integrity": "sha1-wc56MWjIxmFAM6S194d/OyJfnDg=",
-      "dev": true
-    },
-    "html-comment-regex": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/html-comment-regex/-/html-comment-regex-1.1.2.tgz",
-      "integrity": "sha512-P+M65QY2JQ5Y0G9KKdlDpo0zK+/OHptU5AaBwUfAIDJZk1MYf32Frm84EcOytfJE0t5JvkAnKlmjsXDnWzCJmQ==",
-      "dev": true
-    },
-    "http-errors": {
-      "version": "1.7.3",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz",
-      "integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==",
-      "dev": true,
-      "requires": {
-        "depd": "~1.1.2",
-        "inherits": "2.0.4",
-        "setprototypeof": "1.1.1",
-        "statuses": ">= 1.5.0 < 2",
-        "toidentifier": "1.0.0"
-      },
-      "dependencies": {
-        "statuses": {
-          "version": "1.5.0",
-          "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
-          "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=",
-          "dev": true
-        }
-      }
-    },
-    "http-proxy": {
-      "version": "1.15.2",
-      "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.15.2.tgz",
-      "integrity": "sha1-ZC/cr/5S00SNK9o7AHnpQJBk2jE=",
-      "dev": true,
-      "requires": {
-        "eventemitter3": "1.x.x",
-        "requires-port": "1.x.x"
-      }
-    },
-    "http-signature": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz",
-      "integrity": "sha1-muzZJRFHcvPZW2WmCruPfBj7rOE=",
-      "dev": true,
-      "requires": {
-        "assert-plus": "^1.0.0",
-        "jsprim": "^1.2.2",
-        "sshpk": "^1.7.0"
-      }
-    },
-    "https-browserify": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/https-browserify/-/https-browserify-1.0.0.tgz",
-      "integrity": "sha1-7AbBDgo0wPL68Zn3/X/Hj//QPHM=",
-      "dev": true
-    },
-    "hygienist-middleware": {
-      "version": "0.1.3",
-      "resolved": "https://registry.npmjs.org/hygienist-middleware/-/hygienist-middleware-0.1.3.tgz",
-      "integrity": "sha1-Qr21zNwTfpXFWg0DFCPS9aRs3H4=",
-      "dev": true,
-      "requires": {
-        "minimatch": "3.0.3"
-      },
-      "dependencies": {
-        "minimatch": {
-          "version": "3.0.3",
-          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.3.tgz",
-          "integrity": "sha1-Kk5AkLlrLbBqnX3wEFWmKnfJt3Q=",
-          "dev": true,
-          "requires": {
-            "brace-expansion": "^1.0.0"
-          }
-        }
-      }
-    },
-    "iconv-lite": {
-      "version": "0.4.24",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
-      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
-      "requires": {
-        "safer-buffer": ">= 2.1.2 < 3"
-      }
-    },
-    "ieee754": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.1.13.tgz",
-      "integrity": "sha512-4vf7I2LYV/HaWerSo3XmlMkp5eZ83i+/CDluXi/IGTs/O1sejBNhTtnxzmRZfvOUqj7lZjqHkeTvpgSFDlWZTg==",
-      "dev": true
-    },
-    "immutability-helper": {
-      "version": "2.9.1",
-      "resolved": "https://registry.npmjs.org/immutability-helper/-/immutability-helper-2.9.1.tgz",
-      "integrity": "sha512-r/RmRG8xO06s/k+PIaif2r5rGc3j4Yhc01jSBfwPCXDLYZwp/yxralI37Df1mwmuzcCsen/E/ITKcTEvc1PQmQ==",
-      "requires": {
-        "invariant": "^2.2.0"
-      }
-    },
-    "immutable": {
-      "version": "3.8.2",
-      "resolved": "https://registry.npmjs.org/immutable/-/immutable-3.8.2.tgz",
-      "integrity": "sha1-wkOZUUVbs5kT2vKBN28VMOEErfM=",
-      "dev": true
-    },
-    "import-cwd": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/import-cwd/-/import-cwd-2.1.0.tgz",
-      "integrity": "sha1-qmzzbnInYShcs3HsZRn1PiQ1sKk=",
-      "dev": true,
-      "requires": {
-        "import-from": "^2.1.0"
-      }
-    },
-    "import-fresh": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-2.0.0.tgz",
-      "integrity": "sha1-2BNVwVYS04bGH53dOSLUMEgipUY=",
-      "requires": {
-        "caller-path": "^2.0.0",
-        "resolve-from": "^3.0.0"
-      }
-    },
-    "import-from": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/import-from/-/import-from-2.1.0.tgz",
-      "integrity": "sha1-M1238qev/VOqpHHUuAId7ja387E=",
-      "dev": true,
-      "requires": {
-        "resolve-from": "^3.0.0"
-      }
-    },
-    "indexes-of": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/indexes-of/-/indexes-of-1.0.1.tgz",
-      "integrity": "sha1-8w9xbI4r00bHtn0985FVZqfAVgc=",
-      "dev": true
-    },
-    "indexof": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/indexof/-/indexof-0.0.1.tgz",
-      "integrity": "sha1-gtwzbSMrkGIXnQWrMpOmYFn9Q10=",
-      "dev": true
-    },
-    "inflight": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
-      "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=",
-      "dev": true,
-      "requires": {
-        "once": "^1.3.0",
-        "wrappy": "1"
-      }
-    },
-    "inherits": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
-      "dev": true
-    },
-    "inquirer": {
-      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/inquirer/-/inquirer-3.3.0.tgz",
-      "integrity": "sha512-h+xtnyk4EwKvFWHrUYsWErEVR+igKtLdchu+o0Z1RL7VU/jVMFbYir2bp6bAj8efFNxWqHX0dIss6fJQ+/+qeQ==",
-      "dev": true,
-      "requires": {
-        "ansi-escapes": "^3.0.0",
-        "chalk": "^2.0.0",
-        "cli-cursor": "^2.1.0",
-        "cli-width": "^2.0.0",
-        "external-editor": "^2.0.4",
-        "figures": "^2.0.0",
-        "lodash": "^4.3.0",
-        "mute-stream": "0.0.7",
-        "run-async": "^2.2.0",
-        "rx-lite": "^4.0.8",
-        "rx-lite-aggregates": "^4.0.8",
-        "string-width": "^2.1.0",
-        "strip-ansi": "^4.0.0",
-        "through": "^2.3.6"
-      },
-      "dependencies": {
-        "ansi-regex": {
-          "version": "3.0.0",
-          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
-          "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg=",
-          "dev": true
-        },
-        "strip-ansi": {
-          "version": "4.0.0",
-          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-4.0.0.tgz",
-          "integrity": "sha1-qEeQIusaw2iocTibY1JixQXuNo8=",
-          "dev": true,
-          "requires": {
-            "ansi-regex": "^3.0.0"
-          }
-        }
-      }
-    },
-    "interpret": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/interpret/-/interpret-1.2.0.tgz",
-      "integrity": "sha512-mT34yGKMNceBQUoVn7iCDKDntA7SC6gycMAWzGx1z/CMCTV7b2AAtXlo3nRyHZ1FelRkQbQjprHSYGwzLtkVbw==",
-      "dev": true
-    },
-    "invariant": {
-      "version": "2.2.4",
-      "resolved": "https://registry.npmjs.org/invariant/-/invariant-2.2.4.tgz",
-      "integrity": "sha512-phJfQVBuaJM5raOpJjSfkiD6BpbCE4Ns//LaXl6wGYtUBY83nWS6Rf9tXm2e8VaK60JEjYldbPif/A2B1C2gNA==",
-      "requires": {
-        "loose-envify": "^1.0.0"
-      }
-    },
-    "invert-kv": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/invert-kv/-/invert-kv-1.0.0.tgz",
-      "integrity": "sha1-EEqOSqym09jNFXqO+L+rLXo//bY=",
-      "dev": true
-    },
-    "ipaddr.js": {
-      "version": "1.9.0",
-      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.0.tgz",
-      "integrity": "sha512-M4Sjn6N/+O6/IXSJseKqHoFc+5FdGJ22sXqnjTpdZweHK64MzEPAyQZyEU3R/KRv2GLoa7nNtg/C2Ev6m7z+eA==",
-      "dev": true
-    },
-    "is-absolute-url": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/is-absolute-url/-/is-absolute-url-2.1.0.tgz",
-      "integrity": "sha1-UFMN+4T8yap9vnhS6Do3uTufKqY=",
-      "dev": true
-    },
-    "is-accessor-descriptor": {
-      "version": "0.1.6",
-      "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz",
-      "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
-      "dev": true,
-      "requires": {
-        "kind-of": "^3.0.2"
-      },
-      "dependencies": {
-        "kind-of": {
-          "version": "3.2.2",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
-          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
-          "dev": true,
-          "requires": {
-            "is-buffer": "^1.1.5"
-          }
-        }
-      }
-    },
-    "is-arrayish": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz",
-      "integrity": "sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0="
-    },
-    "is-binary-path": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-1.0.1.tgz",
-      "integrity": "sha1-dfFmQrSA8YenEcgUFh/TpKdlWJg=",
-      "dev": true,
-      "requires": {
-        "binary-extensions": "^1.0.0"
-      }
-    },
-    "is-buffer": {
-      "version": "1.1.6",
-      "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-1.1.6.tgz",
-      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
-      "dev": true
-    },
-    "is-callable": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.1.4.tgz",
-      "integrity": "sha512-r5p9sxJjYnArLjObpjA4xu5EKI3CuKHkJXMhT7kwbpUyIFD1n5PMAsoPvWnvtZiNz7LjkYDRZhd7FlI0eMijEA==",
-      "dev": true
-    },
-    "is-color-stop": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/is-color-stop/-/is-color-stop-1.1.0.tgz",
-      "integrity": "sha1-z/9HGu5N1cnhWFmPvhKWe1za00U=",
-      "dev": true,
-      "requires": {
-        "css-color-names": "^0.0.4",
-        "hex-color-regex": "^1.1.0",
-        "hsl-regex": "^1.0.0",
-        "hsla-regex": "^1.0.0",
-        "rgb-regex": "^1.0.1",
-        "rgba-regex": "^1.0.0"
-      }
-    },
-    "is-data-descriptor": {
-      "version": "0.1.4",
-      "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-0.1.4.tgz",
-      "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
-      "dev": true,
-      "requires": {
-        "kind-of": "^3.0.2"
-      },
-      "dependencies": {
-        "kind-of": {
-          "version": "3.2.2",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
-          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
-          "dev": true,
-          "requires": {
-            "is-buffer": "^1.1.5"
-          }
-        }
-      }
-    },
-    "is-date-object": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/is-date-object/-/is-date-object-1.0.1.tgz",
-      "integrity": "sha1-mqIOtq7rv/d/vTPnTKAbM1gdOhY=",
-      "dev": true
-    },
-    "is-descriptor": {
-      "version": "0.1.6",
-      "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-0.1.6.tgz",
-      "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
-      "dev": true,
-      "requires": {
-        "is-accessor-descriptor": "^0.1.6",
-        "is-data-descriptor": "^0.1.4",
-        "kind-of": "^5.0.0"
-      },
-      "dependencies": {
-        "kind-of": {
-          "version": "5.1.0",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz",
-          "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==",
-          "dev": true
-        }
-      }
-    },
-    "is-directory": {
-      "version": "0.3.1",
-      "resolved": "https://registry.npmjs.org/is-directory/-/is-directory-0.3.1.tgz",
-      "integrity": "sha1-YTObbyR1/Hcv2cnYP1yFddwVSuE="
-    },
-    "is-extendable": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz",
-      "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=",
-      "dev": true
-    },
-    "is-extglob": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
-      "integrity": "sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=",
-      "dev": true
-    },
-    "is-finite": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/is-finite/-/is-finite-1.0.2.tgz",
-      "integrity": "sha1-zGZ3aVYCvlUO8R6LSqYwU0K20Ko=",
-      "dev": true,
-      "requires": {
-        "number-is-nan": "^1.0.0"
-      }
-    },
-    "is-fullwidth-code-point": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-2.0.0.tgz",
-      "integrity": "sha1-o7MKXE8ZkYMWeqq5O+764937ZU8=",
-      "dev": true
-    },
-    "is-glob": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.1.tgz",
-      "integrity": "sha512-5G0tKtBTFImOqDnLB2hG6Bp2qcKEFduo4tZu9MT/H6NQv/ghhy30o55ufafxJ/LdH79LLs2Kfrn85TLKyA7BUg==",
-      "dev": true,
-      "requires": {
-        "is-extglob": "^2.1.1"
-      }
-    },
-    "is-number": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz",
-      "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=",
-      "dev": true,
-      "requires": {
-        "kind-of": "^3.0.2"
-      },
-      "dependencies": {
-        "kind-of": {
-          "version": "3.2.2",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
-          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
-          "dev": true,
-          "requires": {
-            "is-buffer": "^1.1.5"
-          }
-        }
-      }
-    },
-    "is-number-like": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/is-number-like/-/is-number-like-1.0.8.tgz",
-      "integrity": "sha512-6rZi3ezCyFcn5L71ywzz2bS5b2Igl1En3eTlZlvKjpz1n3IZLAYMbKYAIQgFmEu0GENg92ziU/faEOA/aixjbA==",
-      "dev": true,
-      "requires": {
-        "lodash.isfinite": "^3.3.2"
-      }
-    },
-    "is-obj": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-1.0.1.tgz",
-      "integrity": "sha1-PkcprB9f3gJc19g6iW2rn09n2w8=",
-      "dev": true
-    },
-    "is-plain-object": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-2.0.4.tgz",
-      "integrity": "sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==",
-      "dev": true,
-      "requires": {
-        "isobject": "^3.0.1"
-      }
-    },
-    "is-promise": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-2.1.0.tgz",
-      "integrity": "sha1-eaKp7OfwlugPNtKy87wWwf9L8/o=",
-      "dev": true
-    },
-    "is-regex": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.0.4.tgz",
-      "integrity": "sha1-VRdIm1RwkbCTDglWVM7SXul+lJE=",
-      "dev": true,
-      "requires": {
-        "has": "^1.0.1"
-      }
-    },
-    "is-resolvable": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/is-resolvable/-/is-resolvable-1.1.0.tgz",
-      "integrity": "sha512-qgDYXFSR5WvEfuS5dMj6oTMEbrrSaM0CrFk2Yiq/gXnBvD9pMa2jGXxyhGLfvhZpuMZe18CJpFxAt3CRs42NMg==",
-      "dev": true
-    },
-    "is-stream": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-1.1.0.tgz",
-      "integrity": "sha1-EtSj3U5o4Lec6428hBc66A2RykQ="
-    },
-    "is-svg": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz",
-      "integrity": "sha512-gi4iHK53LR2ujhLVVj+37Ykh9GLqYHX6JOVXbLAucaG/Cqw9xwdFOjDM2qeifLs1sF1npXXFvDu0r5HNgCMrzQ==",
-      "dev": true,
-      "requires": {
-        "html-comment-regex": "^1.1.0"
-      }
-    },
-    "is-symbol": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/is-symbol/-/is-symbol-1.0.2.tgz",
-      "integrity": "sha512-HS8bZ9ox60yCJLH9snBpIwv9pYUAkcuLhSA1oero1UB5y9aiQpRA8y2ex945AOtCZL1lJDeIk3G5LthswI46Lw==",
-      "dev": true,
-      "requires": {
-        "has-symbols": "^1.0.0"
-      }
-    },
-    "is-typedarray": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz",
-      "integrity": "sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=",
-      "dev": true
-    },
-    "is-utf8": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/is-utf8/-/is-utf8-0.2.1.tgz",
-      "integrity": "sha1-Sw2hRCEE0bM2NA6AeX6GXPOffXI=",
-      "dev": true
-    },
-    "is-windows": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/is-windows/-/is-windows-1.0.2.tgz",
-      "integrity": "sha512-eXK1UInq2bPmjyX6e3VHIzMLobc4J94i4AWn+Hpq3OU5KkrRC96OAcR3PRJ/pGu6m8TRnBHP9dkXQVsT/COVIA==",
-      "dev": true
-    },
-    "is-wsl": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/is-wsl/-/is-wsl-1.1.0.tgz",
-      "integrity": "sha1-HxbkqiKwTRM2tmGIpmrzxgDDpm0=",
-      "dev": true
-    },
-    "isarray": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/isarray/-/isarray-2.0.1.tgz",
-      "integrity": "sha1-o32U7ZzaLVmGXJ92/llu4fM4dB4=",
-      "dev": true
-    },
-    "isbinaryfile": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/isbinaryfile/-/isbinaryfile-3.0.3.tgz",
-      "integrity": "sha512-8cJBL5tTd2OS0dM4jz07wQd5g0dCCqIhUxPIGtZfa5L6hWlvV5MHTITy/DBAsF+Oe2LS1X3krBUhNwaGUWpWxw==",
-      "dev": true,
-      "requires": {
-        "buffer-alloc": "^1.2.0"
-      }
-    },
-    "isemail": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/isemail/-/isemail-3.2.0.tgz",
-      "integrity": "sha512-zKqkK+O+dGqevc93KNsbZ/TqTUFd46MwWjYOoMrjIMZ51eU7DtQG3Wmd9SQQT7i7RVnuTPEiYEWHU3MSbxC1Tg==",
-      "dev": true,
-      "requires": {
-        "punycode": "2.x.x"
-      }
-    },
-    "isexe": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
-      "integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=",
-      "dev": true
-    },
-    "isnumeric": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/isnumeric/-/isnumeric-0.2.0.tgz",
-      "integrity": "sha1-ojR7o2DeGeM9D/1ZD933dVy/LmQ=",
-      "dev": true
-    },
-    "isobject": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/isobject/-/isobject-3.0.1.tgz",
-      "integrity": "sha1-TkMekrEalzFjaqH5yNHMvP2reN8=",
-      "dev": true
-    },
-    "isomorphic-fetch": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz",
-      "integrity": "sha1-YRrhrPFPXoH3KVB0coGf6XM1WKk=",
-      "requires": {
-        "node-fetch": "^1.0.1",
-        "whatwg-fetch": ">=0.10.0"
-      },
-      "dependencies": {
-        "node-fetch": {
-          "version": "1.7.3",
-          "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz",
-          "integrity": "sha512-NhZ4CsKx7cYm2vSrBAr2PvFOe6sWDf0UYLRqA6svUYg7+/TSfVAu49jYC4BvQ4Sms9SZgdqGBgroqfDhJdTyKQ==",
-          "requires": {
-            "encoding": "^0.1.11",
-            "is-stream": "^1.0.1"
-          }
-        }
-      }
-    },
-    "isstream": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz",
-      "integrity": "sha1-R+Y/evVa+m+S4VAOaQ64uFKcCZo=",
-      "dev": true
-    },
-    "items": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/items/-/items-2.1.2.tgz",
-      "integrity": "sha512-kezcEqgB97BGeZZYtX/MA8AG410ptURstvnz5RAgyFZ8wQFPMxHY8GpTq+/ZHKT3frSlIthUq7EvLt9xn3TvXg==",
-      "dev": true
-    },
-    "joi": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/joi/-/joi-12.0.0.tgz",
-      "integrity": "sha512-z0FNlV4NGgjQN1fdtHYXf5kmgludM65fG/JlXzU6+rwkt9U5UWuXVYnXa2FpK0u6+qBuCmrm5byPNuiiddAHvQ==",
-      "dev": true,
-      "requires": {
-        "hoek": "4.x.x",
-        "isemail": "3.x.x",
-        "topo": "2.x.x"
-      }
-    },
-    "js-cookie": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.1.tgz",
-      "integrity": "sha512-HvdH2LzI/EAZcUwA8+0nKNtWHqS+ZmijLA30RwZA0bo7ToCckjK5MkGhjED9KoRcXO6BaGI3I9UIzSA1FKFPOQ=="
-    },
-    "js-tokens": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
-      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="
-    },
-    "js-yaml": {
-      "version": "3.13.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz",
-      "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==",
-      "requires": {
-        "argparse": "^1.0.7",
-        "esprima": "^4.0.0"
-      }
-    },
-    "jsbn": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz",
-      "integrity": "sha1-peZUwuWi3rXyAdls77yoDA7y9RM=",
-      "dev": true
-    },
-    "jsesc": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-1.3.0.tgz",
-      "integrity": "sha1-RsP+yMGJKxKwgz25vHYiF226s0s=",
-      "dev": true
-    },
-    "json-loader": {
-      "version": "0.5.7",
-      "resolved": "https://registry.npmjs.org/json-loader/-/json-loader-0.5.7.tgz",
-      "integrity": "sha512-QLPs8Dj7lnf3e3QYS1zkCo+4ZwqOiF9d/nZnYozTISxXWCfNs9yuky5rJw4/W34s7POaNlbZmQGaB5NiXCbP4w==",
-      "dev": true
-    },
-    "json-parse-better-errors": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/json-parse-better-errors/-/json-parse-better-errors-1.0.2.tgz",
-      "integrity": "sha512-mrqyZKfX5EhL7hvqcV6WG1yYjnjeuYDzDhhcAAUrq8Po85NBQBJP+ZDUT75qZQ98IkUoBqdkExkukOU7Ts2wrw=="
-    },
-    "json-schema": {
-      "version": "0.2.3",
-      "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz",
-      "integrity": "sha1-tIDIkuWaLwWVTOcnvT8qTogvnhM=",
-      "dev": true
-    },
-    "json-schema-traverse": {
-      "version": "0.4.1",
-      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
-      "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==",
-      "dev": true
-    },
-    "json-stringify-safe": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz",
-      "integrity": "sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus=",
-      "dev": true
-    },
-    "json5": {
-      "version": "0.5.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-0.5.1.tgz",
-      "integrity": "sha1-Hq3nrMASA0rYTiOWdn6tn6VJWCE=",
-      "dev": true
-    },
-    "jsonfile": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-3.0.1.tgz",
-      "integrity": "sha1-pezG9l9T9mLEQVx2daAzHQmS7GY=",
-      "dev": true,
-      "requires": {
-        "graceful-fs": "^4.1.6"
-      }
-    },
-    "jsprim": {
-      "version": "1.4.1",
-      "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.1.tgz",
-      "integrity": "sha1-MT5mvB5cwG5Di8G3SZwuXFastqI=",
-      "dev": true,
-      "requires": {
-        "assert-plus": "1.0.0",
-        "extsprintf": "1.3.0",
-        "json-schema": "0.2.3",
-        "verror": "1.10.0"
-      }
-    },
-    "jstz": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/jstz/-/jstz-2.1.1.tgz",
-      "integrity": "sha512-8hfl5RD6P7rEeIbzStBz3h4f+BQHfq/ABtoU6gXKQv5OcZhnmrIpG7e1pYaZ8hS9e0mp+bxUj08fnDUbKctYyA=="
-    },
-    "kind-of": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz",
-      "integrity": "sha512-s5kLOcnH0XqDO+FvuaLX8DDjZ18CGFk7VygH40QoKPUQhW4e2rvM0rwUq0t8IQDOwYSeLK01U90OjzBTme2QqA==",
-      "dev": true
-    },
-    "laggard": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/laggard/-/laggard-2.0.1.tgz",
-      "integrity": "sha512-XCUGeE3r3VWxM8CV9aw+GjG3v3vTInyCf3p9YUo1SCTkM4N93/JaRH/4Lpz0hDZnaEQsArtAbp+rYic3PdTpbg==",
-      "dev": true,
-      "requires": {
-        "minimist": "^1.2.0",
-        "pixrem": "^4.0.1",
-        "postcss": "^6.0.8",
-        "postcss-color-rgba-fallback": "^3.0.0",
-        "postcss-opacity": "^5.0.0",
-        "postcss-pseudoelements": "^5.0.0",
-        "postcss-reporter": "^5.0.0",
-        "postcss-vmin": "^3.0.0",
-        "postcss-will-change": "^2.0.0",
-        "read-file-stdin": "^0.2.0",
-        "write-file-stdout": "0.0.2"
-      },
-      "dependencies": {
-        "minimist": {
-          "version": "1.2.0",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
-          "dev": true
-        }
-      }
-    },
-    "lazy-cache": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/lazy-cache/-/lazy-cache-1.0.4.tgz",
-      "integrity": "sha1-odePw6UEdMuAhF07O24dpJpEbo4=",
-      "dev": true
-    },
-    "lcid": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/lcid/-/lcid-1.0.0.tgz",
-      "integrity": "sha1-MIrMr6C8SDo4Z7S28rlQYlHRuDU=",
-      "dev": true,
-      "requires": {
-        "invert-kv": "^1.0.0"
-      }
-    },
-    "left-pad": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
-      "integrity": "sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==",
-      "dev": true
-    },
-    "limiter": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/limiter/-/limiter-1.1.4.tgz",
-      "integrity": "sha512-XCpr5bElgDI65vVgstP8TWjv6/QKWm9GU5UG0Pr5sLQ3QLo8NVKsioe+Jed5/3vFOe3IQuqE7DKwTvKQkjTHvg==",
-      "dev": true
-    },
-    "load-json-file": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-1.1.0.tgz",
-      "integrity": "sha1-lWkFcI1YtLq0wiYbBPWfMcmTdMA=",
-      "dev": true,
-      "requires": {
-        "graceful-fs": "^4.1.2",
-        "parse-json": "^2.2.0",
-        "pify": "^2.0.0",
-        "pinkie-promise": "^2.0.0",
-        "strip-bom": "^2.0.0"
-      },
-      "dependencies": {
-        "parse-json": {
-          "version": "2.2.0",
-          "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-2.2.0.tgz",
-          "integrity": "sha1-9ID0BDTvgHQfhGkJn43qGPVaTck=",
-          "dev": true,
-          "requires": {
-            "error-ex": "^1.2.0"
-          }
-        },
-        "pify": {
-          "version": "2.3.0",
-          "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
-          "integrity": "sha1-7RQaasBDqEnqWISY59yosVMw6Qw=",
-          "dev": true
-        }
-      }
-    },
-    "loader-runner": {
-      "version": "2.4.0",
-      "resolved": "https://registry.npmjs.org/loader-runner/-/loader-runner-2.4.0.tgz",
-      "integrity": "sha512-Jsmr89RcXGIwivFY21FcRrisYZfvLMTWx5kOLc+JTxtpBOG6xML0vzbc6SEQG2FO9/4Fc3wW4LVcB5DmGflaRw==",
-      "dev": true
-    },
-    "loader-utils": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz",
-      "integrity": "sha512-fkpz8ejdnEMG3s37wGL07iSBDg99O9D5yflE9RGNH3hRdx9SOwYfnGYdZOUIZitN8E+E2vkq3MUMYMvPYl5ZZA==",
-      "dev": true,
-      "requires": {
-        "big.js": "^5.2.2",
-        "emojis-list": "^2.0.0",
-        "json5": "^1.0.1"
-      },
-      "dependencies": {
-        "json5": {
-          "version": "1.0.1",
-          "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-          "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
-          "dev": true,
-          "requires": {
-            "minimist": "^1.2.0"
-          }
-        },
-        "minimist": {
-          "version": "1.2.0",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
-          "dev": true
-        }
-      }
-    },
-    "localtunnel": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/localtunnel/-/localtunnel-1.9.2.tgz",
-      "integrity": "sha512-NEKF7bDJE9U3xzJu3kbayF0WTvng6Pww7tzqNb/XtEARYwqw7CKEX7BvOMg98FtE9es2CRizl61gkV3hS8dqYg==",
-      "dev": true,
-      "requires": {
-        "axios": "0.19.0",
-        "debug": "4.1.1",
-        "openurl": "1.1.1",
-        "yargs": "6.6.0"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "4.1.1",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
-          "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
-          "dev": true,
-          "requires": {
-            "ms": "^2.1.1"
-          }
-        },
-        "is-fullwidth-code-point": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz",
-          "integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=",
-          "dev": true,
-          "requires": {
-            "number-is-nan": "^1.0.0"
-          }
-        },
-        "ms": {
-          "version": "2.1.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-          "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
-          "dev": true
-        },
-        "string-width": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz",
-          "integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=",
-          "dev": true,
-          "requires": {
-            "code-point-at": "^1.0.0",
-            "is-fullwidth-code-point": "^1.0.0",
-            "strip-ansi": "^3.0.0"
-          }
-        },
-        "yargs": {
-          "version": "6.6.0",
-          "resolved": "https://registry.npmjs.org/yargs/-/yargs-6.6.0.tgz",
-          "integrity": "sha1-eC7CHvQDNF+DCoCMo9UTr1YGUgg=",
-          "dev": true,
-          "requires": {
-            "camelcase": "^3.0.0",
-            "cliui": "^3.2.0",
-            "decamelize": "^1.1.1",
-            "get-caller-file": "^1.0.1",
-            "os-locale": "^1.4.0",
-            "read-pkg-up": "^1.0.1",
-            "require-directory": "^2.1.1",
-            "require-main-filename": "^1.0.1",
-            "set-blocking": "^2.0.0",
-            "string-width": "^1.0.2",
-            "which-module": "^1.0.0",
-            "y18n": "^3.2.1",
-            "yargs-parser": "^4.2.0"
-          }
-        }
-      }
-    },
-    "locate-path": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-2.0.0.tgz",
-      "integrity": "sha1-K1aLJl7slExtnA3pw9u7ygNUzY4=",
-      "dev": true,
-      "requires": {
-        "p-locate": "^2.0.0",
-        "path-exists": "^3.0.0"
-      }
-    },
-    "lodash": {
-      "version": "4.17.15",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-      "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A=="
-    },
-    "lodash.clone": {
-      "version": "4.5.0",
-      "resolved": "https://registry.npmjs.org/lodash.clone/-/lodash.clone-4.5.0.tgz",
-      "integrity": "sha1-GVhwRQ9aExkkeN9Lw9I9LeoZB7Y=",
-      "dev": true
-    },
-    "lodash.difference": {
-      "version": "4.5.0",
-      "resolved": "https://registry.npmjs.org/lodash.difference/-/lodash.difference-4.5.0.tgz",
-      "integrity": "sha1-nMtOUF1Ia5FlE0V3KIWi3yf9AXw=",
-      "dev": true
-    },
-    "lodash.isfinite": {
-      "version": "3.3.2",
-      "resolved": "https://registry.npmjs.org/lodash.isfinite/-/lodash.isfinite-3.3.2.tgz",
-      "integrity": "sha1-+4m2WpqAKBgz8LdHizpRBPiY67M=",
-      "dev": true
-    },
-    "lodash.memoize": {
-      "version": "4.1.2",
-      "resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz",
-      "integrity": "sha1-vMbEmkKihA7Zl/Mj6tpezRguC/4=",
-      "dev": true
-    },
-    "lodash.merge": {
-      "version": "4.6.2",
-      "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
-      "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
-      "dev": true
-    },
-    "lodash.reduce": {
-      "version": "4.6.0",
-      "resolved": "https://registry.npmjs.org/lodash.reduce/-/lodash.reduce-4.6.0.tgz",
-      "integrity": "sha1-8atrg5KZrUj3hKu/R2WW8DuRTTs=",
-      "dev": true
-    },
-    "lodash.union": {
-      "version": "4.6.0",
-      "resolved": "https://registry.npmjs.org/lodash.union/-/lodash.union-4.6.0.tgz",
-      "integrity": "sha1-SLtQiECfFvGCFmZkHETdGqrjzYg=",
-      "dev": true
-    },
-    "lodash.uniq": {
-      "version": "4.5.0",
-      "resolved": "https://registry.npmjs.org/lodash.uniq/-/lodash.uniq-4.5.0.tgz",
-      "integrity": "sha1-0CJTc662Uq3BvILklFM5qEJ1R3M=",
-      "dev": true
-    },
-    "log-symbols": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-2.2.0.tgz",
-      "integrity": "sha512-VeIAFslyIerEJLXHziedo2basKbMKtTw3vfn5IzG0XTjhAVEJyNHnL2p7vc+wBDSdQuUpNw3M2u6xb9QsAY5Eg==",
-      "dev": true,
-      "requires": {
-        "chalk": "^2.0.1"
-      }
-    },
-    "longest": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/longest/-/longest-1.0.1.tgz",
-      "integrity": "sha1-MKCy2jj3N3DoKUoNIuZiXtd9AJc=",
-      "dev": true
-    },
-    "loose-envify": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz",
-      "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==",
-      "requires": {
-        "js-tokens": "^3.0.0 || ^4.0.0"
-      }
-    },
-    "lru-cache": {
-      "version": "4.1.5",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-4.1.5.tgz",
-      "integrity": "sha512-sWZlbEP2OsHNkXrMl5GYk/jKk70MBng6UU4YI/qGDYbgf6YbP4EvmqISbXCoJiRKs+1bSpFHVgQxvJ17F2li5g==",
-      "dev": true,
-      "requires": {
-        "pseudomap": "^1.0.2",
-        "yallist": "^2.1.2"
-      }
-    },
-    "make-dir": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-1.3.0.tgz",
-      "integrity": "sha512-2w31R7SJtieJJnQtGc7RVL2StM2vGYVfqUOvUDxH6bC6aJTxPxTF0GnIgCyu7tjockiUWAYQRbxa7vKn34s5sQ==",
-      "dev": true,
-      "requires": {
-        "pify": "^3.0.0"
-      }
-    },
-    "map-cache": {
-      "version": "0.2.2",
-      "resolved": "https://registry.npmjs.org/map-cache/-/map-cache-0.2.2.tgz",
-      "integrity": "sha1-wyq9C9ZSXZsFFkW7TyasXcmKDb8=",
-      "dev": true
-    },
-    "map-visit": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/map-visit/-/map-visit-1.0.0.tgz",
-      "integrity": "sha1-7Nyo8TFE5mDxtb1B8S80edmN+48=",
-      "dev": true,
-      "requires": {
-        "object-visit": "^1.0.0"
-      }
-    },
-    "marked": {
-      "version": "0.5.2",
-      "resolved": "https://registry.npmjs.org/marked/-/marked-0.5.2.tgz",
-      "integrity": "sha512-fdZvBa7/vSQIZCi4uuwo2N3q+7jJURpMVCcbaX0S1Mg65WZ5ilXvC67MviJAsdjqqgD+CEq4RKo5AYGgINkVAA=="
-    },
-    "math-expression-evaluator": {
-      "version": "1.2.17",
-      "resolved": "https://registry.npmjs.org/math-expression-evaluator/-/math-expression-evaluator-1.2.17.tgz",
-      "integrity": "sha1-3oGf282E3M2PrlnGrreWFbnSZqw=",
-      "dev": true
-    },
-    "md5.js": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/md5.js/-/md5.js-1.3.5.tgz",
-      "integrity": "sha512-xitP+WxNPcTTOgnTJcrhM0xvdPepipPSf3I8EIpGKeFLjt3PlJLIDG3u8EX53ZIubkb+5U2+3rELYpEhHhzdkg==",
-      "dev": true,
-      "requires": {
-        "hash-base": "^3.0.0",
-        "inherits": "^2.0.1",
-        "safe-buffer": "^5.1.2"
-      }
-    },
-    "mdn-data": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.0.4.tgz",
-      "integrity": "sha512-iV3XNKw06j5Q7mi6h+9vbx23Tv7JkjEVgKHW4pimwyDGWm0OIQntJJ+u1C6mg6mK1EaTv42XQ7w76yuzH7M2cA==",
-      "dev": true
-    },
-    "media-typer": {
-      "version": "0.3.0",
-      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
-      "integrity": "sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=",
-      "dev": true
-    },
-    "mem": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/mem/-/mem-1.1.0.tgz",
-      "integrity": "sha1-Xt1StIXKHZAP5kiVUFOZoN+kX3Y=",
-      "dev": true,
-      "requires": {
-        "mimic-fn": "^1.0.0"
-      }
-    },
-    "memory-fs": {
-      "version": "0.4.1",
-      "resolved": "https://registry.npmjs.org/memory-fs/-/memory-fs-0.4.1.tgz",
-      "integrity": "sha1-OpoguEYlI+RHz7x+i7gO1me/xVI=",
-      "dev": true,
-      "requires": {
-        "errno": "^0.1.3",
-        "readable-stream": "^2.0.1"
-      }
-    },
-    "merge-descriptors": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz",
-      "integrity": "sha1-sAqqVW3YtEVoFQ7J0blT8/kMu2E=",
-      "dev": true
-    },
-    "methods": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
-      "integrity": "sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4=",
-      "dev": true
-    },
-    "micromatch": {
-      "version": "3.1.10",
-      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz",
-      "integrity": "sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==",
-      "dev": true,
-      "requires": {
-        "arr-diff": "^4.0.0",
-        "array-unique": "^0.3.2",
-        "braces": "^2.3.1",
-        "define-property": "^2.0.2",
-        "extend-shallow": "^3.0.2",
-        "extglob": "^2.0.4",
-        "fragment-cache": "^0.2.1",
-        "kind-of": "^6.0.2",
-        "nanomatch": "^1.2.9",
-        "object.pick": "^1.3.0",
-        "regex-not": "^1.0.0",
-        "snapdragon": "^0.8.1",
-        "to-regex": "^3.0.2"
-      }
-    },
-    "miller-rabin": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/miller-rabin/-/miller-rabin-4.0.1.tgz",
-      "integrity": "sha512-115fLhvZVqWwHPbClyntxEVfVDfl9DLLTuJvq3g2O/Oxi8AiNouAHvDSzHS0viUJc+V5vm3eq91Xwqn9dp4jRA==",
-      "dev": true,
-      "requires": {
-        "bn.js": "^4.0.0",
-        "brorand": "^1.0.1"
-      }
-    },
-    "mime": {
-      "version": "1.4.1",
-      "resolved": "https://registry.npmjs.org/mime/-/mime-1.4.1.tgz",
-      "integrity": "sha512-KI1+qOZu5DcW6wayYHSzR/tXKCDC5Om4s1z2QJjDULzLcmf3DvzS7oluY4HCTrc+9FiKmWUgeNLg7W3uIQvxtQ==",
-      "dev": true
-    },
-    "mime-db": {
-      "version": "1.40.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.40.0.tgz",
-      "integrity": "sha512-jYdeOMPy9vnxEqFRRo6ZvTZ8d9oPb+k18PKoYNYUe2stVEBPPwsln/qWzdbmaIvnhZ9v2P+CuecK+fpUfsV2mA==",
-      "dev": true
-    },
-    "mime-types": {
-      "version": "2.1.24",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.24.tgz",
-      "integrity": "sha512-WaFHS3MCl5fapm3oLxU4eYDw77IQM2ACcxQ9RIxfaC3ooc6PFuBMGZZsYpvoXS5D5QTWPieo1jjLdAm3TBP3cQ==",
-      "dev": true,
-      "requires": {
-        "mime-db": "1.40.0"
-      }
-    },
-    "mimic-fn": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-1.2.0.tgz",
-      "integrity": "sha512-jf84uxzwiuiIVKiOLpfYk7N46TSy8ubTonmneY9vrpHNAnp0QBt2BxWV9dO3/j+BoVAb+a5G6YDPW3M5HOdMWQ==",
-      "dev": true
-    },
-    "minimalistic-assert": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
-      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==",
-      "dev": true
-    },
-    "minimalistic-crypto-utils": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz",
-      "integrity": "sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=",
-      "dev": true
-    },
-    "minimatch": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
-      "dev": true,
-      "requires": {
-        "brace-expansion": "^1.1.7"
-      }
-    },
-    "minimist": {
-      "version": "0.0.8",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
-      "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0="
-    },
-    "mitt": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/mitt/-/mitt-1.2.0.tgz",
-      "integrity": "sha512-r6lj77KlwqLhIUku9UWYes7KJtsczvolZkzp8hbaDPPaE24OmWl5s539Mytlj22siEQKosZ26qCBgda2PKwoJw==",
-      "dev": true
-    },
-    "mixin-deep": {
-      "version": "1.3.2",
-      "resolved": "https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.2.tgz",
-      "integrity": "sha512-WRoDn//mXBiJ1H40rqa3vH0toePwSsGb45iInWlTySa+Uu4k3tYUSxa2v1KqAiLtvlrSzaExqS1gtk96A9zvEA==",
-      "dev": true,
-      "requires": {
-        "for-in": "^1.0.2",
-        "is-extendable": "^1.0.1"
-      },
-      "dependencies": {
-        "is-extendable": {
-          "version": "1.0.1",
-          "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-1.0.1.tgz",
-          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
-          "dev": true,
-          "requires": {
-            "is-plain-object": "^2.0.4"
-          }
-        }
-      }
-    },
-    "mkdirp": {
-      "version": "0.5.1",
-      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
-      "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
-      "requires": {
-        "minimist": "0.0.8"
-      }
-    },
-    "ms": {
-      "version": "0.7.1",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-0.7.1.tgz",
-      "integrity": "sha1-nNE8A62/8ltl7/3nzoZO6VIBcJg="
-    },
-    "mute-stream": {
-      "version": "0.0.7",
-      "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-0.0.7.tgz",
-      "integrity": "sha1-MHXOk7whuPq0PhvE2n6BFe0ee6s=",
-      "dev": true
-    },
-    "nan": {
-      "version": "2.14.0",
-      "resolved": "https://registry.npmjs.org/nan/-/nan-2.14.0.tgz",
-      "integrity": "sha512-INOFj37C7k3AfaNTtX8RhsTw7qRy7eLET14cROi9+5HAVbbHuIWUHEauBv5qT4Av2tWasiTY1Jw6puUNqRJXQg==",
-      "dev": true,
-      "optional": true
-    },
-    "nanoid": {
-      "version": "1.3.4",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-1.3.4.tgz",
-      "integrity": "sha512-4ug4BsuHxiVHoRUe1ud6rUFT3WUMmjXt1W0quL0CviZQANdan7D8kqN5/maw53hmAApY/jfzMRkC57BNNs60ZQ=="
-    },
-    "nanomatch": {
-      "version": "1.2.13",
-      "resolved": "https://registry.npmjs.org/nanomatch/-/nanomatch-1.2.13.tgz",
-      "integrity": "sha512-fpoe2T0RbHwBTBUOftAfBPaDEi06ufaUai0mE6Yn1kacc3SnTErfb/h+X94VXzI64rKFHYImXSvdwGGCmwOqCA==",
-      "dev": true,
-      "requires": {
-        "arr-diff": "^4.0.0",
-        "array-unique": "^0.3.2",
-        "define-property": "^2.0.2",
-        "extend-shallow": "^3.0.2",
-        "fragment-cache": "^0.2.1",
-        "is-windows": "^1.0.2",
-        "kind-of": "^6.0.2",
-        "object.pick": "^1.3.0",
-        "regex-not": "^1.0.0",
-        "snapdragon": "^0.8.1",
-        "to-regex": "^3.0.1"
-      }
-    },
-    "ncp": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/ncp/-/ncp-2.0.0.tgz",
-      "integrity": "sha1-GVoh1sRuNh0vsSgbo4uR6d9727M=",
-      "dev": true
-    },
-    "negotiator": {
-      "version": "0.6.2",
-      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.2.tgz",
-      "integrity": "sha512-hZXc7K2e+PgeI1eDBe/10Ard4ekbfrrqG8Ep+8Jmf4JID2bNg7NvCPOZN+kfF574pFQI7mum2AUqDidoKqcTOw==",
-      "dev": true
-    },
-    "neo-async": {
-      "version": "2.6.1",
-      "resolved": "https://registry.npmjs.org/neo-async/-/neo-async-2.6.1.tgz",
-      "integrity": "sha512-iyam8fBuCUpWeKPGpaNMetEocMt364qkCsfL9JuhjXX6dRnguRVOfk2GZaDpPjcOKiiXCPINZC1GczQ7iTq3Zw==",
-      "dev": true
-    },
-    "next-tick": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/next-tick/-/next-tick-1.0.0.tgz",
-      "integrity": "sha1-yobR/ogoFpsBICCOPchCS524NCw=",
-      "dev": true
-    },
-    "node-fetch": {
-      "version": "2.6.0",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz",
-      "integrity": "sha512-8dG4H5ujfvFiqDmVu9fQ5bOHUC15JMjMY/Zumv26oOvvVJjM67KF8koCWIabKQ1GJIa9r2mMZscBq/TbdOcmNA==",
-      "dev": true
-    },
-    "node-libs-browser": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/node-libs-browser/-/node-libs-browser-2.2.1.tgz",
-      "integrity": "sha512-h/zcD8H9kaDZ9ALUWwlBUDo6TKF8a7qBSCSEGfjTVIYeqsioSKaAX+BN7NgiMGp6iSIXZ3PxgCu8KS3b71YK5Q==",
-      "dev": true,
-      "requires": {
-        "assert": "^1.1.1",
-        "browserify-zlib": "^0.2.0",
-        "buffer": "^4.3.0",
-        "console-browserify": "^1.1.0",
-        "constants-browserify": "^1.0.0",
-        "crypto-browserify": "^3.11.0",
-        "domain-browser": "^1.1.1",
-        "events": "^3.0.0",
-        "https-browserify": "^1.0.0",
-        "os-browserify": "^0.3.0",
-        "path-browserify": "0.0.1",
-        "process": "^0.11.10",
-        "punycode": "^1.2.4",
-        "querystring-es3": "^0.2.0",
-        "readable-stream": "^2.3.3",
-        "stream-browserify": "^2.0.1",
-        "stream-http": "^2.7.2",
-        "string_decoder": "^1.0.0",
-        "timers-browserify": "^2.0.4",
-        "tty-browserify": "0.0.0",
-        "url": "^0.11.0",
-        "util": "^0.11.0",
-        "vm-browserify": "^1.0.1"
-      },
-      "dependencies": {
-        "punycode": {
-          "version": "1.4.1",
-          "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.4.1.tgz",
-          "integrity": "sha1-wNWmOycYgArY4esPpSachN1BhF4=",
-          "dev": true
-        }
-      }
-    },
-    "node-releases": {
-      "version": "1.1.39",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-1.1.39.tgz",
-      "integrity": "sha512-8MRC/ErwNCHOlAFycy9OPca46fQYUjbJRDcZTHVWIGXIjYLM73k70vv3WkYutVnM4cCo4hE0MqBVVZjP6vjISA==",
-      "dev": true,
-      "requires": {
-        "semver": "^6.3.0"
-      },
-      "dependencies": {
-        "semver": {
-          "version": "6.3.0",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
-          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
-          "dev": true
-        }
-      }
-    },
-    "nopt": {
-      "version": "1.0.10",
-      "resolved": "https://registry.npmjs.org/nopt/-/nopt-1.0.10.tgz",
-      "integrity": "sha1-bd0hvSoxQXuScn3Vhfim83YI6+4=",
-      "requires": {
-        "abbrev": "1"
-      }
-    },
-    "normalize-package-data": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz",
-      "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==",
-      "dev": true,
-      "requires": {
-        "hosted-git-info": "^2.1.4",
-        "resolve": "^1.10.0",
-        "semver": "2 || 3 || 4 || 5",
-        "validate-npm-package-license": "^3.0.1"
-      }
-    },
-    "normalize-path": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
-      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
-      "dev": true
-    },
-    "normalize-range": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz",
-      "integrity": "sha1-LRDAa9/TEuqXd2laTShDlFa3WUI=",
-      "dev": true
-    },
-    "normalize-url": {
-      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz",
-      "integrity": "sha512-U+JJi7duF1o+u2pynbp2zXDW2/PADgC30f0GsHZtRh+HOcXHnw137TrNlyxxRvWW5fjKd3bcLHPxofWuCjaeZg==",
-      "dev": true
-    },
-    "normalize.css": {
-      "version": "8.0.1",
-      "resolved": "https://registry.npmjs.org/normalize.css/-/normalize.css-8.0.1.tgz",
-      "integrity": "sha512-qizSNPO93t1YUuUhP22btGOo3chcvDFqFaj2TRybP0DMxkHOCTYwp3n34fel4a31ORXy4m1Xq0Gyqpb5m33qIg=="
-    },
-    "npm-run-path": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-2.0.2.tgz",
-      "integrity": "sha1-NakjLfo11wZ7TLLd8jV7GHFTbF8=",
-      "dev": true,
-      "requires": {
-        "path-key": "^2.0.0"
-      }
-    },
-    "nth-check": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz",
-      "integrity": "sha512-WeBOdju8SnzPN5vTUJYxYUxLeXpCaVP5i5e0LF8fg7WORF2Wd7wFX/pk0tYZk7s8T+J7VLy0Da6J1+wCT0AtHg==",
-      "dev": true,
-      "requires": {
-        "boolbase": "~1.0.0"
-      }
-    },
-    "num2fraction": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/num2fraction/-/num2fraction-1.2.2.tgz",
-      "integrity": "sha1-b2gragJ6Tp3fpFZM0lidHU5mnt4=",
-      "dev": true
-    },
-    "number-is-nan": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz",
-      "integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=",
-      "dev": true
-    },
-    "oauth-sign": {
-      "version": "0.9.0",
-      "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz",
-      "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==",
-      "dev": true
-    },
-    "object-assign": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
-      "integrity": "sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM="
-    },
-    "object-component": {
-      "version": "0.0.3",
-      "resolved": "https://registry.npmjs.org/object-component/-/object-component-0.0.3.tgz",
-      "integrity": "sha1-8MaapQ78lbhmwYb0AKM3acsvEpE=",
-      "dev": true
-    },
-    "object-copy": {
-      "version": "0.1.0",
-      "resolved": "https://registry.npmjs.org/object-copy/-/object-copy-0.1.0.tgz",
-      "integrity": "sha1-fn2Fi3gb18mRpBupde04EnVOmYw=",
-      "dev": true,
-      "requires": {
-        "copy-descriptor": "^0.1.0",
-        "define-property": "^0.2.5",
-        "kind-of": "^3.0.3"
-      },
-      "dependencies": {
-        "define-property": {
-          "version": "0.2.5",
-          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
-          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
-          "dev": true,
-          "requires": {
-            "is-descriptor": "^0.1.0"
-          }
-        },
-        "kind-of": {
-          "version": "3.2.2",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
-          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
-          "dev": true,
-          "requires": {
-            "is-buffer": "^1.1.5"
-          }
-        }
-      }
-    },
-    "object-fit-images": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/object-fit-images/-/object-fit-images-3.2.4.tgz",
-      "integrity": "sha512-G+7LzpYfTfqUyrZlfrou/PLLLAPNC52FTy5y1CBywX+1/FkxIloOyQXBmZ3Zxa2AWO+lMF0JTuvqbr7G5e5CWg=="
-    },
-    "object-inspect": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.6.0.tgz",
-      "integrity": "sha512-GJzfBZ6DgDAmnuaM3104jR4s1Myxr3Y3zfIyN4z3UdqN69oSRacNK8UhnobDdC+7J2AHCjGwxQubNJfE70SXXQ==",
-      "dev": true
-    },
-    "object-keys": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/object-keys/-/object-keys-1.1.1.tgz",
-      "integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==",
-      "dev": true
-    },
-    "object-path": {
-      "version": "0.9.2",
-      "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz",
-      "integrity": "sha1-D9mnT8X60a45aLWGvaXGMr1sBaU=",
-      "dev": true
-    },
-    "object-visit": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/object-visit/-/object-visit-1.0.1.tgz",
-      "integrity": "sha1-95xEk68MU3e1n+OdOV5BBC3QRbs=",
-      "dev": true,
-      "requires": {
-        "isobject": "^3.0.0"
-      }
-    },
-    "object.getownpropertydescriptors": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/object.getownpropertydescriptors/-/object.getownpropertydescriptors-2.0.3.tgz",
-      "integrity": "sha1-h1jIRvW0B62rDyNuCYbxSwUcqhY=",
-      "dev": true,
-      "requires": {
-        "define-properties": "^1.1.2",
-        "es-abstract": "^1.5.1"
-      }
-    },
-    "object.pick": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/object.pick/-/object.pick-1.3.0.tgz",
-      "integrity": "sha1-h6EKxMFpS9Lhy/U1kaZhQftd10c=",
-      "dev": true,
-      "requires": {
-        "isobject": "^3.0.1"
-      }
-    },
-    "object.values": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/object.values/-/object.values-1.1.0.tgz",
-      "integrity": "sha512-8mf0nKLAoFX6VlNVdhGj31SVYpaNFtUnuoOXWyFEstsWRgU837AK+JYM0iAxwkSzGRbwn8cbFmgbyxj1j4VbXg==",
-      "dev": true,
-      "requires": {
-        "define-properties": "^1.1.3",
-        "es-abstract": "^1.12.0",
-        "function-bind": "^1.1.1",
-        "has": "^1.0.3"
-      }
-    },
-    "objectfn": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/objectfn/-/objectfn-2.0.0.tgz",
-      "integrity": "sha1-P7ydLENpC/K0GLpeNIbjy7W5npU=",
-      "dev": true
-    },
-    "on-finished": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz",
-      "integrity": "sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=",
-      "dev": true,
-      "requires": {
-        "ee-first": "1.1.1"
-      }
-    },
-    "once": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
-      "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=",
-      "dev": true,
-      "requires": {
-        "wrappy": "1"
-      }
-    },
-    "onecolor": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/onecolor/-/onecolor-3.1.0.tgz",
-      "integrity": "sha512-YZSypViXzu3ul5LMu/m6XjJ9ol8qAy9S2VjHl5E6UlhUH1KGKWabyEJifn0Jjpw23bYDzC2ucKMPGiH5kfwSGQ=="
-    },
-    "onetime": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/onetime/-/onetime-2.0.1.tgz",
-      "integrity": "sha1-BnQoIw/WdEOyeUsiu6UotoZ5YtQ=",
-      "dev": true,
-      "requires": {
-        "mimic-fn": "^1.0.0"
-      }
-    },
-    "opener": {
-      "version": "1.5.1",
-      "resolved": "https://registry.npmjs.org/opener/-/opener-1.5.1.tgz",
-      "integrity": "sha512-goYSy5c2UXE4Ra1xixabeVh1guIX/ZV/YokJksb6q2lubWu6UbvPQ20p542/sFIll1nl8JnCyK9oBaOcCWXwvA==",
-      "dev": true
-    },
-    "openurl": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/openurl/-/openurl-1.1.1.tgz",
-      "integrity": "sha1-OHW0sO96UsFW8NtB1GCduw+Us4c=",
-      "dev": true
-    },
-    "opn": {
-      "version": "5.3.0",
-      "resolved": "https://registry.npmjs.org/opn/-/opn-5.3.0.tgz",
-      "integrity": "sha512-bYJHo/LOmoTd+pfiYhfZDnf9zekVJrY+cnS2a5F2x+w5ppvTqObojTP7WiFG+kVZs9Inw+qQ/lw7TroWwhdd2g==",
-      "dev": true,
-      "requires": {
-        "is-wsl": "^1.1.0"
-      }
-    },
-    "os-browserify": {
-      "version": "0.3.0",
-      "resolved": "https://registry.npmjs.org/os-browserify/-/os-browserify-0.3.0.tgz",
-      "integrity": "sha1-hUNzx/XCMVkU/Jv8a9gjj92h7Cc=",
-      "dev": true
-    },
-    "os-homedir": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/os-homedir/-/os-homedir-1.0.2.tgz",
-      "integrity": "sha1-/7xJiDNuDoM94MFox+8VISGqf7M=",
-      "dev": true
-    },
-    "os-locale": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/os-locale/-/os-locale-1.4.0.tgz",
-      "integrity": "sha1-IPnxeuKe00XoveWDsT0gCYA8FNk=",
-      "dev": true,
-      "requires": {
-        "lcid": "^1.0.0"
-      }
-    },
-    "os-tmpdir": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz",
-      "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=",
-      "dev": true
-    },
-    "p-finally": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/p-finally/-/p-finally-1.0.0.tgz",
-      "integrity": "sha1-P7z7FbiZpEEjs0ttzBi3JDNqLK4=",
-      "dev": true
-    },
-    "p-limit": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-1.3.0.tgz",
-      "integrity": "sha512-vvcXsLAJ9Dr5rQOPk7toZQZJApBl2K4J6dANSsEuh6QI41JYcsS/qhTGa9ErIUUgK3WNQoJYvylxvjqmiqEA9Q==",
-      "dev": true,
-      "requires": {
-        "p-try": "^1.0.0"
-      }
-    },
-    "p-locate": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-2.0.0.tgz",
-      "integrity": "sha1-IKAQOyIqcMj9OcwuWAaA893l7EM=",
-      "dev": true,
-      "requires": {
-        "p-limit": "^1.1.0"
-      }
-    },
-    "p-try": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/p-try/-/p-try-1.0.0.tgz",
-      "integrity": "sha1-y8ec26+P1CKOE/Yh8rGiN8GyB7M=",
-      "dev": true
-    },
-    "pako": {
-      "version": "1.0.10",
-      "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.10.tgz",
-      "integrity": "sha512-0DTvPVU3ed8+HNXOu5Bs+o//Mbdj9VNQMUOe9oKCwh8l0GNwpTDMKCWbRjgtD291AWnkAgkqA/LOnQS8AmS1tw==",
-      "dev": true
-    },
-    "parse-asn1": {
-      "version": "5.1.5",
-      "resolved": "https://registry.npmjs.org/parse-asn1/-/parse-asn1-5.1.5.tgz",
-      "integrity": "sha512-jkMYn1dcJqF6d5CpU689bq7w/b5ALS9ROVSpQDPrZsqqesUJii9qutvoT5ltGedNXMO2e16YUWIghG9KxaViTQ==",
-      "dev": true,
-      "requires": {
-        "asn1.js": "^4.0.0",
-        "browserify-aes": "^1.0.0",
-        "create-hash": "^1.1.0",
-        "evp_bytestokey": "^1.0.0",
-        "pbkdf2": "^3.0.3",
-        "safe-buffer": "^5.1.1"
-      }
-    },
-    "parse-json": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-4.0.0.tgz",
-      "integrity": "sha1-vjX1Qlvh9/bHRxhPmKeIy5lHfuA=",
-      "requires": {
-        "error-ex": "^1.3.1",
-        "json-parse-better-errors": "^1.0.1"
-      }
-    },
-    "parse5": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/parse5/-/parse5-2.2.3.tgz",
-      "integrity": "sha1-DE/EHBAAxea5PUiwP4CDg3g06fY="
-    },
-    "parseqs": {
-      "version": "0.0.5",
-      "resolved": "https://registry.npmjs.org/parseqs/-/parseqs-0.0.5.tgz",
-      "integrity": "sha1-1SCKNzjkZ2bikbouoXNoSSGouJ0=",
-      "dev": true,
-      "requires": {
-        "better-assert": "~1.0.0"
-      }
-    },
-    "parseuri": {
-      "version": "0.0.5",
-      "resolved": "https://registry.npmjs.org/parseuri/-/parseuri-0.0.5.tgz",
-      "integrity": "sha1-gCBKUNTbt3m/3G6+J3jZDkvOMgo=",
-      "dev": true,
-      "requires": {
-        "better-assert": "~1.0.0"
-      }
-    },
-    "parseurl": {
-      "version": "1.3.3",
-      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
-      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
-      "dev": true
-    },
-    "pascalcase": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/pascalcase/-/pascalcase-0.1.1.tgz",
-      "integrity": "sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ=",
-      "dev": true
-    },
-    "path-browserify": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/path-browserify/-/path-browserify-0.0.1.tgz",
-      "integrity": "sha512-BapA40NHICOS+USX9SN4tyhq+A2RrN/Ws5F0Z5aMHDp98Fl86lX8Oti8B7uN93L4Ifv4fHOEA+pQw87gmMO/lQ==",
-      "dev": true
-    },
-    "path-dirname": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/path-dirname/-/path-dirname-1.0.2.tgz",
-      "integrity": "sha1-zDPSTVJeCZpTiMAzbG4yuRYGCeA=",
-      "dev": true
-    },
-    "path-exists": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-3.0.0.tgz",
-      "integrity": "sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=",
-      "dev": true
-    },
-    "path-is-absolute": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
-      "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=",
-      "dev": true
-    },
-    "path-key": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/path-key/-/path-key-2.0.1.tgz",
-      "integrity": "sha1-QRyttXTFoUDTpLGRDUDYDMn0C0A=",
-      "dev": true
-    },
-    "path-parse": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz",
-      "integrity": "sha512-GSmOT2EbHrINBf9SR7CDELwlJ8AENk3Qn7OikK4nFYAu3Ote2+JYNVvkpAEQm3/TLNEJFD/xZJjzyxg3KBWOzw=="
-    },
-    "path-to-regexp": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
-      "integrity": "sha1-32BBeABfUi8V60SQ5yR6G/qmf4w=",
-      "dev": true
-    },
-    "path-type": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/path-type/-/path-type-1.1.0.tgz",
-      "integrity": "sha1-WcRPfuSR2nBNpBXaWkBwuk+P5EE=",
-      "dev": true,
-      "requires": {
-        "graceful-fs": "^4.1.2",
-        "pify": "^2.0.0",
-        "pinkie-promise": "^2.0.0"
-      },
-      "dependencies": {
-        "pify": {
-          "version": "2.3.0",
-          "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
-          "integrity": "sha1-7RQaasBDqEnqWISY59yosVMw6Qw=",
-          "dev": true
-        }
-      }
-    },
-    "pbkdf2": {
-      "version": "3.0.17",
-      "resolved": "https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.0.17.tgz",
-      "integrity": "sha512-U/il5MsrZp7mGg3mSQfn742na2T+1/vHDCG5/iTI3X9MKUuYUZVLQhyRsg06mCgDBTd57TxzgZt7P+fYfjRLtA==",
-      "dev": true,
-      "requires": {
-        "create-hash": "^1.1.2",
-        "create-hmac": "^1.1.4",
-        "ripemd160": "^2.0.1",
-        "safe-buffer": "^5.0.1",
-        "sha.js": "^2.4.8"
-      }
-    },
-    "performance-now": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz",
-      "integrity": "sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=",
-      "dev": true
-    },
-    "pify": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
-      "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY=",
-      "dev": true
-    },
-    "pinkie": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/pinkie/-/pinkie-2.0.4.tgz",
-      "integrity": "sha1-clVrgM+g1IqXToDnckjoDtT3+HA=",
-      "dev": true
-    },
-    "pinkie-promise": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/pinkie-promise/-/pinkie-promise-2.0.1.tgz",
-      "integrity": "sha1-ITXW36ejWMBprJsXh3YogihFD/o=",
-      "dev": true,
-      "requires": {
-        "pinkie": "^2.0.0"
-      }
-    },
-    "pixrem": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/pixrem/-/pixrem-4.0.1.tgz",
-      "integrity": "sha1-LaSh3m7EQjxfw3lOkwuB1EkOxoY=",
-      "dev": true,
-      "requires": {
-        "browserslist": "^2.0.0",
-        "postcss": "^6.0.0",
-        "reduce-css-calc": "^1.2.7"
-      },
-      "dependencies": {
-        "browserslist": {
-          "version": "2.11.3",
-          "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-2.11.3.tgz",
-          "integrity": "sha512-yWu5cXT7Av6mVwzWc8lMsJMHWn4xyjSuGYi4IozbVTLUOEYPSagUB8kiMDUHA1fS3zjr8nkxkn9jdvug4BBRmA==",
-          "dev": true,
-          "requires": {
-            "caniuse-lite": "^1.0.30000792",
-            "electron-to-chromium": "^1.3.30"
-          }
-        }
-      }
-    },
-    "pkg-dir": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-2.0.0.tgz",
-      "integrity": "sha1-9tXREJ4Z1j7fQo4L1X4Sd3YVM0s=",
-      "dev": true,
-      "requires": {
-        "find-up": "^2.1.0"
-      }
-    },
-    "popper.js": {
-      "version": "1.16.0",
-      "resolved": "https://registry.npmjs.org/popper.js/-/popper.js-1.16.0.tgz",
-      "integrity": "sha512-+G+EkOPoE5S/zChTpmBSSDYmhXJ5PsW8eMhH8cP/CQHMFPBG/kC9Y5IIw6qNYgdJ+/COf0ddY2li28iHaZRSjw=="
-    },
-    "portscanner": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/portscanner/-/portscanner-2.1.1.tgz",
-      "integrity": "sha1-6rtAnk3iSVD1oqUW01rnaTQ/u5Y=",
-      "dev": true,
-      "requires": {
-        "async": "1.5.2",
-        "is-number-like": "^1.0.3"
-      }
-    },
-    "posix-character-classes": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/posix-character-classes/-/posix-character-classes-0.1.1.tgz",
-      "integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs=",
-      "dev": true
-    },
-    "postcss": {
-      "version": "6.0.23",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz",
-      "integrity": "sha512-soOk1h6J3VMTZtVeVpv15/Hpdl2cBLX3CAw4TAbkpTJiNPk9YP/zWcD1ND+xEtvyuuvKzbxliTOIyvkSeSJ6ag==",
-      "requires": {
-        "chalk": "^2.4.1",
-        "source-map": "^0.6.1",
-        "supports-color": "^5.4.0"
-      },
-      "dependencies": {
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
-        }
-      }
-    },
-    "postcss-alias": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-alias/-/postcss-alias-2.0.0.tgz",
-      "integrity": "sha1-AY9Gwvv/gY4p+mr2evpL4r7NN20=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.6"
-      }
-    },
-    "postcss-attribute-case-insensitive": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-attribute-case-insensitive/-/postcss-attribute-case-insensitive-4.0.0.tgz",
-      "integrity": "sha512-K/zqdg0/UgUgC8qR0lDuxYzmowPpnvrrNC5YuoqzhHMubR9AuhsPlpVu3jjkLHgDAzR+ohD/m7//iGnN9WxbzQ==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.2",
-        "postcss-selector-parser": "^5.0.0-rc.3"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-calc": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-calc/-/postcss-calc-7.0.1.tgz",
-      "integrity": "sha512-oXqx0m6tb4N3JGdmeMSc/i91KppbYsFZKdH0xMOqK8V1rJlzrKlTdokz8ozUXLVejydRN6u2IddxpcijRj2FqQ==",
-      "dev": true,
-      "requires": {
-        "css-unit-converter": "^1.1.1",
-        "postcss": "^7.0.5",
-        "postcss-selector-parser": "^5.0.0-rc.4",
-        "postcss-value-parser": "^3.3.1"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-clearfix": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-clearfix/-/postcss-clearfix-2.0.1.tgz",
-      "integrity": "sha1-UXChmY8WfTGQoBc0RbY4DIxcB/I=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.6"
-      }
-    },
-    "postcss-color-function": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/postcss-color-function/-/postcss-color-function-4.1.0.tgz",
-      "integrity": "sha512-2/fuv6mP5Lt03XbRpVfMdGC8lRP1sykme+H1bR4ARyOmSMB8LPSjcL6EAI1iX6dqUF+jNEvKIVVXhan1w/oFDQ==",
-      "dev": true,
-      "requires": {
-        "css-color-function": "~1.3.3",
-        "postcss": "^6.0.23",
-        "postcss-message-helpers": "^2.0.0",
-        "postcss-value-parser": "^3.3.1"
-      }
-    },
-    "postcss-color-gray": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-color-gray/-/postcss-color-gray-5.0.0.tgz",
-      "integrity": "sha512-q6BuRnAGKM/ZRpfDascZlIZPjvwsRye7UDNalqVz3s7GDxMtqPY6+Q871liNxsonUw8oC61OG+PSaysYpl1bnw==",
-      "dev": true,
-      "requires": {
-        "@csstools/convert-colors": "^1.4.0",
-        "postcss": "^7.0.5",
-        "postcss-values-parser": "^2.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-color-hex-alpha": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-color-hex-alpha/-/postcss-color-hex-alpha-5.0.2.tgz",
-      "integrity": "sha512-8bIOzQMGdZVifoBQUJdw+yIY00omBd2EwkJXepQo9cjp1UOHHHoeRDeSzTP6vakEpaRc6GAIOfvcQR7jBYaG5Q==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.2",
-        "postcss-values-parser": "^2.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-color-hsl": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-color-hsl/-/postcss-color-hsl-2.0.0.tgz",
-      "integrity": "sha1-EnA2ZvoxBDDj8wpFTawThjF9WEQ=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.1",
-        "postcss-value-parser": "^3.3.0",
-        "units-css": "^0.4.0"
-      }
-    },
-    "postcss-color-hwb": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-color-hwb/-/postcss-color-hwb-3.0.0.tgz",
-      "integrity": "sha1-NAKxnvTYSXVAwftQcr6YY8qVVx4=",
-      "dev": true,
-      "requires": {
-        "color": "^1.0.3",
-        "postcss": "^6.0.1",
-        "postcss-message-helpers": "^2.0.0",
-        "reduce-function-call": "^1.0.2"
-      },
-      "dependencies": {
-        "color": {
-          "version": "1.0.3",
-          "resolved": "https://registry.npmjs.org/color/-/color-1.0.3.tgz",
-          "integrity": "sha1-5I6DLYXxTvaU+0aIEcLVz+cptV0=",
-          "dev": true,
-          "requires": {
-            "color-convert": "^1.8.2",
-            "color-string": "^1.4.0"
-          }
-        }
-      }
-    },
-    "postcss-color-rebeccapurple": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-color-rebeccapurple/-/postcss-color-rebeccapurple-4.0.1.tgz",
-      "integrity": "sha512-aAe3OhkS6qJXBbqzvZth2Au4V3KieR5sRQ4ptb2b2O8wgvB3SJBsdG+jsn2BZbbwekDG8nTfcCNKcSfe/lEy8g==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.2",
-        "postcss-values-parser": "^2.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-color-rgb": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-color-rgb/-/postcss-color-rgb-2.0.0.tgz",
-      "integrity": "sha1-FFOcinExSUtILg3RzCZf9lFLUmM=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.1",
-        "postcss-value-parser": "^3.3.0"
-      }
-    },
-    "postcss-color-rgba-fallback": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-color-rgba-fallback/-/postcss-color-rgba-fallback-3.0.0.tgz",
-      "integrity": "sha1-N9XJNToHoJJwkSqCYGu0Kg1wLAQ=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.6",
-        "postcss-value-parser": "^3.3.0",
-        "rgb-hex": "^2.1.0"
-      }
-    },
-    "postcss-colormin": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/postcss-colormin/-/postcss-colormin-4.0.3.tgz",
-      "integrity": "sha512-WyQFAdDZpExQh32j0U0feWisZ0dmOtPl44qYmJKkq9xFWY3p+4qnRzCHeNrkeRhwPHz9bQ3mo0/yVkaply0MNw==",
-      "dev": true,
-      "requires": {
-        "browserslist": "^4.0.0",
-        "color": "^3.0.0",
-        "has": "^1.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-convert-values": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-convert-values/-/postcss-convert-values-4.0.1.tgz",
-      "integrity": "sha512-Kisdo1y77KUC0Jmn0OXU/COOJbzM8cImvw1ZFsBgBgMgb1iL23Zs/LXRe3r+EZqM3vGYKdQ2YJVQ5VkJI+zEJQ==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-custom-media": {
-      "version": "7.0.7",
-      "resolved": "https://registry.npmjs.org/postcss-custom-media/-/postcss-custom-media-7.0.7.tgz",
-      "integrity": "sha512-bWPCdZKdH60wKOTG4HKEgxWnZVjAIVNOJDvi3lkuTa90xo/K0YHa2ZnlKLC5e2qF8qCcMQXt0yzQITBp8d0OFA==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.5"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-custom-properties": {
-      "version": "8.0.9",
-      "resolved": "https://registry.npmjs.org/postcss-custom-properties/-/postcss-custom-properties-8.0.9.tgz",
-      "integrity": "sha512-/Lbn5GP2JkKhgUO2elMs4NnbUJcvHX4AaF5nuJDaNkd2chYW1KA5qtOGGgdkBEWcXtKSQfHXzT7C6grEVyb13w==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.5",
-        "postcss-values-parser": "^2.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-custom-selectors": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/postcss-custom-selectors/-/postcss-custom-selectors-5.1.2.tgz",
-      "integrity": "sha512-DSGDhqinCqXqlS4R7KGxL1OSycd1lydugJ1ky4iRXPHdBRiozyMHrdu0H3o7qNOCiZwySZTUI5MV0T8QhCLu+w==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.2",
-        "postcss-selector-parser": "^5.0.0-rc.3"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-discard-comments": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-discard-comments/-/postcss-discard-comments-4.0.2.tgz",
-      "integrity": "sha512-RJutN259iuRf3IW7GZyLM5Sw4GLTOH8FmsXBnv8Ab/Tc2k4SR4qbV4DNbyyY4+Sjo362SyDmW2DQ7lBSChrpkg==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-discard-duplicates": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-discard-duplicates/-/postcss-discard-duplicates-4.0.2.tgz",
-      "integrity": "sha512-ZNQfR1gPNAiXZhgENFfEglF93pciw0WxMkJeVmw8eF+JZBbMD7jp6C67GqJAXVZP2BWbOztKfbsdmMp/k8c6oQ==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-discard-empty": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-discard-empty/-/postcss-discard-empty-4.0.1.tgz",
-      "integrity": "sha512-B9miTzbznhDjTfjvipfHoqbWKwd0Mj+/fL5s1QOz06wufguil+Xheo4XpOnc4NqKYBCNqqEzgPv2aPBIJLox0w==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-discard-overridden": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-discard-overridden/-/postcss-discard-overridden-4.0.1.tgz",
-      "integrity": "sha512-IYY2bEDD7g1XM1IDEsUT4//iEYCxAmP5oDSFMVU/JVvT7gh+l4fmjciLqGgwjdWpQIdb0Che2VX00QObS5+cTg==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-easings": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-easings/-/postcss-easings-1.0.1.tgz",
-      "integrity": "sha512-zHRCKHinXtqpyrPPi3oojaf47v3eGcQHmG5zujWs1+9OWukIKi/rVEAm2KSh5y4swn66SNCZceGXcNi9GXo1cQ==",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.14",
-        "postcss-value-parser": "^3.3.0"
-      }
-    },
-    "postcss-extend-rule": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-extend-rule/-/postcss-extend-rule-2.0.0.tgz",
-      "integrity": "sha512-dgr1GJzW3lUBczZJO5Fm51rktn34Uc99xR1uQyC2Td8JPep/Y+TRx6TjK0yngikOd4LxV1xyuohMMpcaOBgrfA==",
-      "requires": {
-        "postcss": "^6.0.22",
-        "postcss-nesting": "^5.0.0"
-      }
-    },
-    "postcss-font-family-system-ui": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/postcss-font-family-system-ui/-/postcss-font-family-system-ui-4.1.0.tgz",
-      "integrity": "sha512-kLCAwdLBjF9ntnY4hYhTeDgZm8gxVzxaR9m3Wgy77CaSYwym6o14C9cz2HY5VVSgJa+ZfgtUmrn22g4HEKFxtQ==",
-      "dev": true,
-      "requires": {
-        "browserslist": "^4.0.1",
-        "caniuse-lite": "^1.0.30000865",
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-font-variant": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-font-variant/-/postcss-font-variant-4.0.0.tgz",
-      "integrity": "sha512-M8BFYKOvCrI2aITzDad7kWuXXTm0YhGdP9Q8HanmN4EF1Hmcgs1KK5rSHylt/lUJe8yLxiSwWAHdScoEiIxztg==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.2"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-fontpath": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-fontpath/-/postcss-fontpath-1.0.0.tgz",
-      "integrity": "sha1-rQ7vwhk+Kc96NLjHUf9/6OdGmeU=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.0"
-      }
-    },
-    "postcss-hexrgba": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-hexrgba/-/postcss-hexrgba-1.0.2.tgz",
-      "integrity": "sha512-1+W/ChIJQNSqZU3glt1tZyQbzCB5x9H5NKRBbaX+ccyI5I8itY4/3H4kWh2R+teWdFTfGp0OveUTpblEWA6iAA==",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.7"
-      }
-    },
-    "postcss-image-set-polyfill": {
-      "version": "0.4.4",
-      "resolved": "https://registry.npmjs.org/postcss-image-set-polyfill/-/postcss-image-set-polyfill-0.4.4.tgz",
-      "integrity": "sha512-Mr5vXeUwxylX9amqyhXyiyqbzJgGS8quJ/d855EqU5S/DBILvoiR4pRnxLw9Ic2a5E0nB6gLOuMU0Wm/KhVW9A==",
-      "dev": true,
-      "requires": {
-        "postcss": "6.0.1",
-        "postcss-media-query-parser": "0.2.3",
-        "postcss-value-parser": "3.3.0"
-      },
-      "dependencies": {
-        "ansi-styles": {
-          "version": "2.2.1",
-          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
-          "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4=",
-          "dev": true
-        },
-        "chalk": {
-          "version": "1.1.3",
-          "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz",
-          "integrity": "sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=",
-          "dev": true,
-          "requires": {
-            "ansi-styles": "^2.2.1",
-            "escape-string-regexp": "^1.0.2",
-            "has-ansi": "^2.0.0",
-            "strip-ansi": "^3.0.0",
-            "supports-color": "^2.0.0"
-          },
-          "dependencies": {
-            "supports-color": {
-              "version": "2.0.0",
-              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
-              "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=",
-              "dev": true
-            }
-          }
-        },
-        "has-flag": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-1.0.0.tgz",
-          "integrity": "sha1-nZ55MWXOAXoA8AQYxD+UKnsdEfo=",
-          "dev": true
-        },
-        "postcss": {
-          "version": "6.0.1",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-6.0.1.tgz",
-          "integrity": "sha1-AA29H47vIXqjaLmiEsX8QLKo8/I=",
-          "dev": true,
-          "requires": {
-            "chalk": "^1.1.3",
-            "source-map": "^0.5.6",
-            "supports-color": "^3.2.3"
-          }
-        },
-        "postcss-value-parser": {
-          "version": "3.3.0",
-          "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-3.3.0.tgz",
-          "integrity": "sha1-h/OPnxj3dKSrTIojL1xc6IcqnRU=",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "3.2.3",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-3.2.3.tgz",
-          "integrity": "sha1-ZawFBLOVQXHYpklGsq48u4pfVPY=",
-          "dev": true,
-          "requires": {
-            "has-flag": "^1.0.0"
-          }
-        }
-      }
-    },
-    "postcss-import": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/postcss-import/-/postcss-import-11.1.0.tgz",
-      "integrity": "sha512-5l327iI75POonjxkXgdRCUS+AlzAdBx4pOvMEhTKTCjb1p8IEeVR9yx3cPbmN7LIWJLbfnIXxAhoB4jpD0c/Cw==",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.1",
-        "postcss-value-parser": "^3.2.3",
-        "read-cache": "^1.0.0",
-        "resolve": "^1.1.7"
-      }
-    },
-    "postcss-input-style": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-input-style/-/postcss-input-style-1.0.0.tgz",
-      "integrity": "sha1-u/3IK595mz54yGOgJHZ1fib73GE=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.7"
-      }
-    },
-    "postcss-load-config": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-2.1.0.tgz",
-      "integrity": "sha512-4pV3JJVPLd5+RueiVVB+gFOAa7GWc25XQcMp86Zexzke69mKf6Nx9LRcQywdz7yZI9n1udOxmLuAwTBypypF8Q==",
-      "dev": true,
-      "requires": {
-        "cosmiconfig": "^5.0.0",
-        "import-cwd": "^2.0.0"
-      }
-    },
-    "postcss-loader": {
-      "version": "2.1.6",
-      "resolved": "https://registry.npmjs.org/postcss-loader/-/postcss-loader-2.1.6.tgz",
-      "integrity": "sha512-hgiWSc13xVQAq25cVw80CH0l49ZKlAnU1hKPOdRrNj89bokRr/bZF2nT+hebPPF9c9xs8c3gw3Fr2nxtmXYnNg==",
-      "dev": true,
-      "requires": {
-        "loader-utils": "^1.1.0",
-        "postcss": "^6.0.0",
-        "postcss-load-config": "^2.0.0",
-        "schema-utils": "^0.4.0"
-      }
-    },
-    "postcss-media-minmax": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-media-minmax/-/postcss-media-minmax-4.0.0.tgz",
-      "integrity": "sha512-fo9moya6qyxsjbFAYl97qKO9gyre3qvbMnkOZeZwlsW6XYFsvs2DMGDlchVLfAd8LHPZDxivu/+qW2SMQeTHBw==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.2"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-media-query-parser": {
-      "version": "0.2.3",
-      "resolved": "https://registry.npmjs.org/postcss-media-query-parser/-/postcss-media-query-parser-0.2.3.tgz",
-      "integrity": "sha1-J7Ocb02U+Bsac7j3Y1HGCeXO8kQ=",
-      "dev": true
-    },
-    "postcss-merge-longhand": {
-      "version": "4.0.11",
-      "resolved": "https://registry.npmjs.org/postcss-merge-longhand/-/postcss-merge-longhand-4.0.11.tgz",
-      "integrity": "sha512-alx/zmoeXvJjp7L4mxEMjh8lxVlDFX1gqWHzaaQewwMZiVhLo42TEClKaeHbRf6J7j82ZOdTJ808RtN0ZOZwvw==",
-      "dev": true,
-      "requires": {
-        "css-color-names": "0.0.4",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0",
-        "stylehacks": "^4.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-merge-rules": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/postcss-merge-rules/-/postcss-merge-rules-4.0.3.tgz",
-      "integrity": "sha512-U7e3r1SbvYzO0Jr3UT/zKBVgYYyhAz0aitvGIYOYK5CPmkNih+WDSsS5tvPrJ8YMQYlEMvsZIiqmn7HdFUaeEQ==",
-      "dev": true,
-      "requires": {
-        "browserslist": "^4.0.0",
-        "caniuse-api": "^3.0.0",
-        "cssnano-util-same-parent": "^4.0.0",
-        "postcss": "^7.0.0",
-        "postcss-selector-parser": "^3.0.0",
-        "vendors": "^1.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "postcss-selector-parser": {
-          "version": "3.1.1",
-          "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-3.1.1.tgz",
-          "integrity": "sha1-T4dfSvsMllc9XPTXQBGu4lCn6GU=",
-          "dev": true,
-          "requires": {
-            "dot-prop": "^4.1.1",
-            "indexes-of": "^1.0.1",
-            "uniq": "^1.0.1"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-message-helpers": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-message-helpers/-/postcss-message-helpers-2.0.0.tgz",
-      "integrity": "sha1-pPL0+rbk/gAvCu0ABHjN9S+bpg4=",
-      "dev": true
-    },
-    "postcss-minify-font-values": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-minify-font-values/-/postcss-minify-font-values-4.0.2.tgz",
-      "integrity": "sha512-j85oO6OnRU9zPf04+PZv1LYIYOprWm6IA6zkXkrJXyRveDEuQggG6tvoy8ir8ZwjLxLuGfNkCZEQG7zan+Hbtg==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-minify-gradients": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-minify-gradients/-/postcss-minify-gradients-4.0.2.tgz",
-      "integrity": "sha512-qKPfwlONdcf/AndP1U8SJ/uzIJtowHlMaSioKzebAXSG4iJthlWC9iSWznQcX4f66gIWX44RSA841HTHj3wK+Q==",
-      "dev": true,
-      "requires": {
-        "cssnano-util-get-arguments": "^4.0.0",
-        "is-color-stop": "^1.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-minify-params": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-minify-params/-/postcss-minify-params-4.0.2.tgz",
-      "integrity": "sha512-G7eWyzEx0xL4/wiBBJxJOz48zAKV2WG3iZOqVhPet/9geefm/Px5uo1fzlHu+DOjT+m0Mmiz3jkQzVHe6wxAWg==",
-      "dev": true,
-      "requires": {
-        "alphanum-sort": "^1.0.0",
-        "browserslist": "^4.0.0",
-        "cssnano-util-get-arguments": "^4.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0",
-        "uniqs": "^2.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-minify-selectors": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-minify-selectors/-/postcss-minify-selectors-4.0.2.tgz",
-      "integrity": "sha512-D5S1iViljXBj9kflQo4YutWnJmwm8VvIsU1GeXJGiG9j8CIg9zs4voPMdQDUmIxetUOh60VilsNzCiAFTOqu3g==",
-      "dev": true,
-      "requires": {
-        "alphanum-sort": "^1.0.0",
-        "has": "^1.0.0",
-        "postcss": "^7.0.0",
-        "postcss-selector-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "postcss-selector-parser": {
-          "version": "3.1.1",
-          "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-3.1.1.tgz",
-          "integrity": "sha1-T4dfSvsMllc9XPTXQBGu4lCn6GU=",
-          "dev": true,
-          "requires": {
-            "dot-prop": "^4.1.1",
-            "indexes-of": "^1.0.1",
-            "uniq": "^1.0.1"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-nesting": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-nesting/-/postcss-nesting-5.0.0.tgz",
-      "integrity": "sha512-Yoe3w2mcVslnEJl5zLyz1yBxCFUpYu138apEEOCwS2HRdDw/TDxTwD1fXBrIarL8J1cPzHfVwO1m40B2/UpGCw==",
-      "requires": {
-        "postcss": "^6.0.21"
-      }
-    },
-    "postcss-normalize-charset": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-charset/-/postcss-normalize-charset-4.0.1.tgz",
-      "integrity": "sha512-gMXCrrlWh6G27U0hF3vNvR3w8I1s2wOBILvA87iNXaPvSNo5uZAMYsZG7XjCUf1eVxuPfyL4TJ7++SGZLc9A3g==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-normalize-display-values": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-display-values/-/postcss-normalize-display-values-4.0.2.tgz",
-      "integrity": "sha512-3F2jcsaMW7+VtRMAqf/3m4cPFhPD3EFRgNs18u+k3lTJJlVe7d0YPO+bnwqo2xg8YiRpDXJI2u8A0wqJxMsQuQ==",
-      "dev": true,
-      "requires": {
-        "cssnano-util-get-match": "^4.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-normalize-positions": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-positions/-/postcss-normalize-positions-4.0.2.tgz",
-      "integrity": "sha512-Dlf3/9AxpxE+NF1fJxYDeggi5WwV35MXGFnnoccP/9qDtFrTArZ0D0R+iKcg5WsUd8nUYMIl8yXDCtcrT8JrdA==",
-      "dev": true,
-      "requires": {
-        "cssnano-util-get-arguments": "^4.0.0",
-        "has": "^1.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-normalize-repeat-style": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-repeat-style/-/postcss-normalize-repeat-style-4.0.2.tgz",
-      "integrity": "sha512-qvigdYYMpSuoFs3Is/f5nHdRLJN/ITA7huIoCyqqENJe9PvPmLhNLMu7QTjPdtnVf6OcYYO5SHonx4+fbJE1+Q==",
-      "dev": true,
-      "requires": {
-        "cssnano-util-get-arguments": "^4.0.0",
-        "cssnano-util-get-match": "^4.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-normalize-string": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-string/-/postcss-normalize-string-4.0.2.tgz",
-      "integrity": "sha512-RrERod97Dnwqq49WNz8qo66ps0swYZDSb6rM57kN2J+aoyEAJfZ6bMx0sx/F9TIEX0xthPGCmeyiam/jXif0eA==",
-      "dev": true,
-      "requires": {
-        "has": "^1.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-normalize-timing-functions": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-timing-functions/-/postcss-normalize-timing-functions-4.0.2.tgz",
-      "integrity": "sha512-acwJY95edP762e++00Ehq9L4sZCEcOPyaHwoaFOhIwWCDfik6YvqsYNxckee65JHLKzuNSSmAdxwD2Cud1Z54A==",
-      "dev": true,
-      "requires": {
-        "cssnano-util-get-match": "^4.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-normalize-unicode": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-unicode/-/postcss-normalize-unicode-4.0.1.tgz",
-      "integrity": "sha512-od18Uq2wCYn+vZ/qCOeutvHjB5jm57ToxRaMeNuf0nWVHaP9Hua56QyMF6fs/4FSUnVIw0CBPsU0K4LnBPwYwg==",
-      "dev": true,
-      "requires": {
-        "browserslist": "^4.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-normalize-url": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-url/-/postcss-normalize-url-4.0.1.tgz",
-      "integrity": "sha512-p5oVaF4+IHwu7VpMan/SSpmpYxcJMtkGppYf0VbdH5B6hN8YNmVyJLuY9FmLQTzY3fag5ESUUHDqM+heid0UVA==",
-      "dev": true,
-      "requires": {
-        "is-absolute-url": "^2.0.0",
-        "normalize-url": "^3.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-normalize-whitespace": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-normalize-whitespace/-/postcss-normalize-whitespace-4.0.2.tgz",
-      "integrity": "sha512-tO8QIgrsI3p95r8fyqKV+ufKlSHh9hMJqACqbv2XknufqEDhDvbguXGBBqxw9nsQoXWf0qOqppziKJKHMD4GtA==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-opacity": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-opacity/-/postcss-opacity-5.0.0.tgz",
-      "integrity": "sha512-n6LgHk5HWIsyEHgPqM2jwXrkh4SuH+cZOIWh4tUp4ug3P7FkzxiJuqrpEaBvNwH/dKs5PHjHL2vPeR+nLbs+Mw==",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.7"
-      }
-    },
-    "postcss-ordered-values": {
-      "version": "4.1.2",
-      "resolved": "https://registry.npmjs.org/postcss-ordered-values/-/postcss-ordered-values-4.1.2.tgz",
-      "integrity": "sha512-2fCObh5UanxvSxeXrtLtlwVThBvHn6MQcu4ksNT2tsaV2Fg76R2CV98W7wNSlX+5/pFwEyaDwKLLoEV7uRybAw==",
-      "dev": true,
-      "requires": {
-        "cssnano-util-get-arguments": "^4.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-position": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-position/-/postcss-position-1.0.0.tgz",
-      "integrity": "sha1-MMvu5Ajyam2+u/YSYcohDlSMd/8=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.7"
-      }
-    },
-    "postcss-property-lookup": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-property-lookup/-/postcss-property-lookup-2.0.0.tgz",
-      "integrity": "sha512-KUb53a7UZWDMVb0SRODOonc4H1wlbgQ0VfYwmJaR1xWPorhariEz0U7x0ri3W/imFs6HqLYWP7hl2yMvi5Ty+w==",
-      "dev": true,
-      "requires": {
-        "object-assign": "^4.0.1",
-        "postcss": "^6.0.6",
-        "tcomb": "^3.2.21"
-      }
-    },
-    "postcss-pseudo-class-any-link": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-pseudo-class-any-link/-/postcss-pseudo-class-any-link-6.0.0.tgz",
-      "integrity": "sha512-lgXW9sYJdLqtmw23otOzrtbDXofUdfYzNm4PIpNE322/swES3VU9XlXHeJS46zT2onFO7V1QFdD4Q9LiZj8mew==",
-      "dev": true,
-      "requires": {
-        "postcss": "^7.0.2",
-        "postcss-selector-parser": "^5.0.0-rc.3"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-pseudoelements": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-pseudoelements/-/postcss-pseudoelements-5.0.0.tgz",
-      "integrity": "sha1-7vGU6NUkZFylIKlJ6V5RjoEkAss=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.0"
-      }
-    },
-    "postcss-quantity-queries": {
-      "version": "0.5.0",
-      "resolved": "https://registry.npmjs.org/postcss-quantity-queries/-/postcss-quantity-queries-0.5.0.tgz",
-      "integrity": "sha1-UrZxf8yNmSWuZM/0M0CHD+FVFqs=",
-      "dev": true,
-      "requires": {
-        "balanced-match": "^0.4.2",
-        "postcss": "^6.0.0"
-      },
-      "dependencies": {
-        "balanced-match": {
-          "version": "0.4.2",
-          "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-0.4.2.tgz",
-          "integrity": "sha1-yz8+PHMtwPAe5wtAPzAuYddwmDg=",
-          "dev": true
-        }
-      }
-    },
-    "postcss-reduce-initial": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/postcss-reduce-initial/-/postcss-reduce-initial-4.0.3.tgz",
-      "integrity": "sha512-gKWmR5aUulSjbzOfD9AlJiHCGH6AEVLaM0AV+aSioxUDd16qXP1PCh8d1/BGVvpdWn8k/HiK7n6TjeoXN1F7DA==",
-      "dev": true,
-      "requires": {
-        "browserslist": "^4.0.0",
-        "caniuse-api": "^3.0.0",
-        "has": "^1.0.0",
-        "postcss": "^7.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-reduce-transforms": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-reduce-transforms/-/postcss-reduce-transforms-4.0.2.tgz",
-      "integrity": "sha512-EEVig1Q2QJ4ELpJXMZR8Vt5DQx8/mo+dGWSR7vWXqcob2gQLyQGsionYcGKATXvQzMPn6DSN1vTN7yFximdIAg==",
-      "dev": true,
-      "requires": {
-        "cssnano-util-get-match": "^4.0.0",
-        "has": "^1.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-reporter": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-reporter/-/postcss-reporter-5.0.0.tgz",
-      "integrity": "sha512-rBkDbaHAu5uywbCR2XE8a25tats3xSOsGNx6mppK6Q9kSFGKc/FyAzfci+fWM2l+K402p1D0pNcfDGxeje5IKg==",
-      "dev": true,
-      "requires": {
-        "chalk": "^2.0.1",
-        "lodash": "^4.17.4",
-        "log-symbols": "^2.0.0",
-        "postcss": "^6.0.8"
-      }
-    },
-    "postcss-responsive-type": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-responsive-type/-/postcss-responsive-type-1.0.0.tgz",
-      "integrity": "sha1-uy1X2DC+uVhuxP2nmU8H43lTqtg=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.6"
-      }
-    },
-    "postcss-selector-matches": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-selector-matches/-/postcss-selector-matches-4.0.0.tgz",
-      "integrity": "sha512-LgsHwQR/EsRYSqlwdGzeaPKVT0Ml7LAT6E75T8W8xLJY62CE4S/l03BWIt3jT8Taq22kXP08s2SfTSzaraoPww==",
-      "dev": true,
-      "requires": {
-        "balanced-match": "^1.0.0",
-        "postcss": "^7.0.2"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-selector-not": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-selector-not/-/postcss-selector-not-4.0.0.tgz",
-      "integrity": "sha512-W+bkBZRhqJaYN8XAnbbZPLWMvZD1wKTu0UxtFKdhtGjWYmxhkUneoeOhRJKdAE5V7ZTlnbHfCR+6bNwK9e1dTQ==",
-      "dev": true,
-      "requires": {
-        "balanced-match": "^1.0.0",
-        "postcss": "^7.0.2"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-selector-parser": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-5.0.0.tgz",
-      "integrity": "sha512-w+zLE5Jhg6Liz8+rQOWEAwtwkyqpfnmsinXjXg6cY7YIONZZtgvE0v2O0uhQBs0peNomOJwWRKt6JBfTdTd3OQ==",
-      "dev": true,
-      "requires": {
-        "cssesc": "^2.0.0",
-        "indexes-of": "^1.0.1",
-        "uniq": "^1.0.1"
-      }
-    },
-    "postcss-svgo": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/postcss-svgo/-/postcss-svgo-4.0.2.tgz",
-      "integrity": "sha512-C6wyjo3VwFm0QgBy+Fu7gCYOkCmgmClghO+pjcxvrcBKtiKt0uCF+hvbMO1fyv5BMImRK90SMb+dwUnfbGd+jw==",
-      "dev": true,
-      "requires": {
-        "is-svg": "^3.0.0",
-        "postcss": "^7.0.0",
-        "postcss-value-parser": "^3.0.0",
-        "svgo": "^1.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-unique-selectors": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-unique-selectors/-/postcss-unique-selectors-4.0.1.tgz",
-      "integrity": "sha512-+JanVaryLo9QwZjKrmJgkI4Fn8SBgRO6WXQBJi7KiAVPlmxikB5Jzc4EvXMT2H0/m0RjrVVm9rGNhZddm/8Spg==",
-      "dev": true,
-      "requires": {
-        "alphanum-sort": "^1.0.0",
-        "postcss": "^7.0.0",
-        "uniqs": "^2.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "postcss-value-parser": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-3.3.1.tgz",
-      "integrity": "sha512-pISE66AbVkp4fDQ7VHBwRNXzAAKJjw4Vw7nWI/+Q3vuly7SNfgYXvm6i5IgFylHGK5sP/xHAbB7N49OS4gWNyQ==",
-      "dev": true
-    },
-    "postcss-values-parser": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/postcss-values-parser/-/postcss-values-parser-2.0.1.tgz",
-      "integrity": "sha512-2tLuBsA6P4rYTNKCXYG/71C7j1pU6pK503suYOmn4xYrQIzW+opD+7FAFNuGSdZC/3Qfy334QbeMu7MEb8gOxg==",
-      "dev": true,
-      "requires": {
-        "flatten": "^1.0.2",
-        "indexes-of": "^1.0.1",
-        "uniq": "^1.0.1"
-      }
-    },
-    "postcss-vmin": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-vmin/-/postcss-vmin-3.0.0.tgz",
-      "integrity": "sha1-bWrms+hP4/96TfHrhvOmmgfooUQ=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.0"
-      }
-    },
-    "postcss-will-change": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/postcss-will-change/-/postcss-will-change-2.0.0.tgz",
-      "integrity": "sha1-z/CRqHoDhrqx8yp8+n951rdz4QA=",
-      "dev": true,
-      "requires": {
-        "postcss": "^6.0.1"
-      }
-    },
-    "preact": {
-      "version": "8.5.3",
-      "resolved": "https://registry.npmjs.org/preact/-/preact-8.5.3.tgz",
-      "integrity": "sha512-O3kKP+1YdgqHOFsZF2a9JVdtqD+RPzCQc3rP+Ualf7V6rmRDchZ9MJbiGTT7LuyqFKZqlHSOyO/oMFmI2lVTsw=="
-    },
-    "preact-compat": {
-      "version": "3.19.0",
-      "resolved": "https://registry.npmjs.org/preact-compat/-/preact-compat-3.19.0.tgz",
-      "integrity": "sha512-f83A4hIhH8Uzhb9GbIcGk8SM19ffWlwP9mDaYwQdRnMdekZwcCA7eIAbeV4EMQaV9C0Yuy8iKgBAtyTKPZQt/Q==",
-      "requires": {
-        "immutability-helper": "^2.7.1",
-        "preact-context": "^1.1.3",
-        "preact-render-to-string": "^3.8.2",
-        "preact-transition-group": "^1.1.1",
-        "prop-types": "^15.6.2",
-        "standalone-react-addons-pure-render-mixin": "^0.1.1"
-      }
-    },
-    "preact-context": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/preact-context/-/preact-context-1.1.4.tgz",
-      "integrity": "sha512-gcCjPJ65R0MiW9hDu8W/3WAmyTElIvwLyEO6oLQiM6/TbLKLxCpBCWV8GJjx52TTEyUr60HLDcmoCXZlslelzQ=="
-    },
-    "preact-emotion": {
-      "version": "9.2.12",
-      "resolved": "https://registry.npmjs.org/preact-emotion/-/preact-emotion-9.2.12.tgz",
-      "integrity": "sha512-ngQNpZeQNpqIf1JmjJZV/zQWKccjW2+8GE862WqxdNQy+fRvPvswf0ns+qLVHtRZOffCtNw8VW0za6Fr3O3Vtg==",
-      "requires": {
-        "babel-plugin-emotion": "^9.2.11",
-        "create-emotion-styled": "^9.2.8"
-      }
-    },
-    "preact-portal": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/preact-portal/-/preact-portal-1.1.3.tgz",
-      "integrity": "sha512-rE0KG2b7ggIly4VVsSm7+WmQmG/EoUZzBOed2IbycyaFIArOvz+yab/8RBoDogA0JWZuTsbMTStR41Ghc+5m7Q=="
-    },
-    "preact-render-to-string": {
-      "version": "3.8.2",
-      "resolved": "https://registry.npmjs.org/preact-render-to-string/-/preact-render-to-string-3.8.2.tgz",
-      "integrity": "sha512-przuZPajiurStGgxMoJP0EJeC4xj5CgHv+M7GfF3YxAdhGgEWAkhOSE0xympAFN20uMayntBZpttIZqqLl77fw==",
-      "requires": {
-        "pretty-format": "^3.5.1"
-      }
-    },
-    "preact-transition-group": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/preact-transition-group/-/preact-transition-group-1.1.1.tgz",
-      "integrity": "sha1-8KSTJ+pRXs406ivoZMSn0p5dbhA="
-    },
-    "pretty-format": {
-      "version": "3.8.0",
-      "resolved": "https://registry.npmjs.org/pretty-format/-/pretty-format-3.8.0.tgz",
-      "integrity": "sha1-v77VbV6ad2ZF9LH/eqGjrE+jw4U="
-    },
-    "private": {
-      "version": "0.1.8",
-      "resolved": "https://registry.npmjs.org/private/-/private-0.1.8.tgz",
-      "integrity": "sha512-VvivMrbvd2nKkiG38qjULzlc+4Vx4wm/whI9pQD35YrARNnhxeiRktSOhSukRLFNlzg6Br/cJPet5J/u19r/mg==",
-      "dev": true
-    },
-    "process": {
-      "version": "0.11.10",
-      "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
-      "integrity": "sha1-czIwDoQBYb2j5podHZGn1LwW8YI=",
-      "dev": true
-    },
-    "process-nextick-args": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz",
-      "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==",
-      "dev": true
-    },
-    "promise-polyfill": {
-      "version": "8.1.3",
-      "resolved": "https://registry.npmjs.org/promise-polyfill/-/promise-polyfill-8.1.3.tgz",
-      "integrity": "sha512-MG5r82wBzh7pSKDRa9y+vllNHz3e3d4CNj1PQE4BQYxLme0gKYYBm9YENq+UkEikyZ0XbiGWxYlVw3Rl9O/U8g=="
-    },
-    "prop-types": {
-      "version": "15.7.2",
-      "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.7.2.tgz",
-      "integrity": "sha512-8QQikdH7//R2vurIJSutZ1smHYTcLpRWEOlHnzcWHmBYrOGUysKwSsrC89BCiFj3CbrfJ/nXFdJepOVrY1GCHQ==",
-      "requires": {
-        "loose-envify": "^1.4.0",
-        "object-assign": "^4.1.1",
-        "react-is": "^16.8.1"
-      }
-    },
-    "proxy-addr": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.5.tgz",
-      "integrity": "sha512-t/7RxHXPH6cJtP0pRG6smSr9QJidhB+3kXu0KgXnbGYMgzEnUxRQ4/LDdfOwZEMyIh3/xHb8PX3t+lfL9z+YVQ==",
-      "dev": true,
-      "requires": {
-        "forwarded": "~0.1.2",
-        "ipaddr.js": "1.9.0"
-      }
-    },
-    "prr": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/prr/-/prr-1.0.1.tgz",
-      "integrity": "sha1-0/wRS6BplaRexok/SEzrHXj19HY=",
-      "dev": true
-    },
-    "pseudomap": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/pseudomap/-/pseudomap-1.0.2.tgz",
-      "integrity": "sha1-8FKijacOYYkX7wqKw0wa5aaChrM=",
-      "dev": true
-    },
-    "psl": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/psl/-/psl-1.4.0.tgz",
-      "integrity": "sha512-HZzqCGPecFLyoRj5HLfuDSKYTJkAfB5thKBIkRHtGjWwY7p1dAyveIbXIq4tO0KYfDF2tHqPUgY9SDnGm00uFw==",
-      "dev": true
-    },
-    "public-encrypt": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/public-encrypt/-/public-encrypt-4.0.3.tgz",
-      "integrity": "sha512-zVpa8oKZSz5bTMTFClc1fQOnyyEzpl5ozpi1B5YcvBrdohMjH2rfsBtyXcuNuwjsDIXmBYlF2N5FlJYhR29t8Q==",
-      "dev": true,
-      "requires": {
-        "bn.js": "^4.1.0",
-        "browserify-rsa": "^4.0.0",
-        "create-hash": "^1.1.0",
-        "parse-asn1": "^5.0.0",
-        "randombytes": "^2.0.1",
-        "safe-buffer": "^5.1.2"
-      }
-    },
-    "punycode": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.1.1.tgz",
-      "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
-      "dev": true
-    },
-    "q": {
-      "version": "1.5.1",
-      "resolved": "https://registry.npmjs.org/q/-/q-1.5.1.tgz",
-      "integrity": "sha1-fjL3W0E4EpHQRhHxvxQQmsAGUdc=",
-      "dev": true
-    },
-    "qs": {
-      "version": "6.2.3",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.2.3.tgz",
-      "integrity": "sha1-HPyyXBCpsrSDBT/zn138kjOQjP4=",
-      "dev": true
-    },
-    "query-string": {
-      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/query-string/-/query-string-5.1.1.tgz",
-      "integrity": "sha512-gjWOsm2SoGlgLEdAGt7a6slVOk9mGiXmPFMqrEhLQ68rhQuBnpfs3+EmlvqKyxnCo9/PPlF+9MtY02S1aFg+Jw==",
-      "requires": {
-        "decode-uri-component": "^0.2.0",
-        "object-assign": "^4.1.0",
-        "strict-uri-encode": "^1.0.0"
-      }
-    },
-    "querystring": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/querystring/-/querystring-0.2.0.tgz",
-      "integrity": "sha1-sgmEkgO7Jd+CDadW50cAWHhSFiA=",
-      "dev": true
-    },
-    "querystring-es3": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/querystring-es3/-/querystring-es3-0.2.1.tgz",
-      "integrity": "sha1-nsYfeQSYdXB9aUFFlv2Qek1xHnM=",
-      "dev": true
-    },
-    "randombytes": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
-      "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==",
-      "dev": true,
-      "requires": {
-        "safe-buffer": "^5.1.0"
-      }
-    },
-    "randomfill": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/randomfill/-/randomfill-1.0.4.tgz",
-      "integrity": "sha512-87lcbR8+MhcWcUiQ+9e+Rwx8MyR2P7qnt15ynUlbm3TU/fjbgz4GsvfSUDTemtCCtVCqb4ZcEFlyPNTh9bBTLw==",
-      "dev": true,
-      "requires": {
-        "randombytes": "^2.0.5",
-        "safe-buffer": "^5.1.0"
-      }
-    },
-    "range-parser": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
-      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
-      "dev": true
-    },
-    "raw-body": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.4.1.tgz",
-      "integrity": "sha512-9WmIKF6mkvA0SLmA2Knm9+qj89e+j1zqgyn8aXGd7+nAduPoqgI9lO57SAZNn/Byzo5P7JhXTyg9PzaJbH73bA==",
-      "dev": true,
-      "requires": {
-        "bytes": "3.1.0",
-        "http-errors": "1.7.3",
-        "iconv-lite": "0.4.24",
-        "unpipe": "1.0.0"
-      }
-    },
-    "react-is": {
-      "version": "16.11.0",
-      "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.11.0.tgz",
-      "integrity": "sha512-gbBVYR2p8mnriqAwWx9LbuUrShnAuSCNnuPGyc7GJrMVQtPDAh8iLpv7FRuMPFb56KkaVZIYSz1PrjI9q0QPCw=="
-    },
-    "read-cache": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/read-cache/-/read-cache-1.0.0.tgz",
-      "integrity": "sha1-5mTvMRYRZsl1HNvo28+GtftY93Q=",
-      "dev": true,
-      "requires": {
-        "pify": "^2.3.0"
-      },
-      "dependencies": {
-        "pify": {
-          "version": "2.3.0",
-          "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
-          "integrity": "sha1-7RQaasBDqEnqWISY59yosVMw6Qw=",
-          "dev": true
-        }
-      }
-    },
-    "read-file-stdin": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/read-file-stdin/-/read-file-stdin-0.2.1.tgz",
-      "integrity": "sha1-JezP86FTtoCa+ssj7hU4fbng7mE=",
-      "dev": true,
-      "requires": {
-        "gather-stream": "^1.0.0"
-      }
-    },
-    "read-pkg": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-1.1.0.tgz",
-      "integrity": "sha1-9f+qXs0pyzHAR0vKfXVra7KePyg=",
-      "dev": true,
-      "requires": {
-        "load-json-file": "^1.0.0",
-        "normalize-package-data": "^2.3.2",
-        "path-type": "^1.0.0"
-      }
-    },
-    "read-pkg-up": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/read-pkg-up/-/read-pkg-up-1.0.1.tgz",
-      "integrity": "sha1-nWPBMnbAZZGNV/ACpX9AobZD+wI=",
-      "dev": true,
-      "requires": {
-        "find-up": "^1.0.0",
-        "read-pkg": "^1.0.0"
-      },
-      "dependencies": {
-        "find-up": {
-          "version": "1.1.2",
-          "resolved": "https://registry.npmjs.org/find-up/-/find-up-1.1.2.tgz",
-          "integrity": "sha1-ay6YIrGizgpgq2TWEOzK1TyyTQ8=",
-          "dev": true,
-          "requires": {
-            "path-exists": "^2.0.0",
-            "pinkie-promise": "^2.0.0"
-          }
-        },
-        "path-exists": {
-          "version": "2.1.0",
-          "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-2.1.0.tgz",
-          "integrity": "sha1-D+tsZPD8UY2adU3V77YscCJ2H0s=",
-          "dev": true,
-          "requires": {
-            "pinkie-promise": "^2.0.0"
-          }
-        }
-      }
-    },
-    "readable-stream": {
-      "version": "2.3.6",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.6.tgz",
-      "integrity": "sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==",
-      "dev": true,
-      "requires": {
-        "core-util-is": "~1.0.0",
-        "inherits": "~2.0.3",
-        "isarray": "~1.0.0",
-        "process-nextick-args": "~2.0.0",
-        "safe-buffer": "~5.1.1",
-        "string_decoder": "~1.1.1",
-        "util-deprecate": "~1.0.1"
-      },
-      "dependencies": {
-        "isarray": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
-          "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=",
-          "dev": true
-        }
-      }
-    },
-    "readdirp": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-2.2.1.tgz",
-      "integrity": "sha512-1JU/8q+VgFZyxwrJ+SVIOsh+KywWGpds3NTqikiKpDMZWScmAYyKIgqkO+ARvNWJfXeXR1zxz7aHF4u4CyH6vQ==",
-      "dev": true,
-      "requires": {
-        "graceful-fs": "^4.1.11",
-        "micromatch": "^3.1.10",
-        "readable-stream": "^2.0.2"
-      }
-    },
-    "reduce-css-calc": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/reduce-css-calc/-/reduce-css-calc-1.3.0.tgz",
-      "integrity": "sha1-dHyRTgSWFKTJz7umKYca0dKSdxY=",
-      "dev": true,
-      "requires": {
-        "balanced-match": "^0.4.2",
-        "math-expression-evaluator": "^1.2.14",
-        "reduce-function-call": "^1.0.1"
-      },
-      "dependencies": {
-        "balanced-match": {
-          "version": "0.4.2",
-          "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-0.4.2.tgz",
-          "integrity": "sha1-yz8+PHMtwPAe5wtAPzAuYddwmDg=",
-          "dev": true
-        }
-      }
-    },
-    "reduce-function-call": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/reduce-function-call/-/reduce-function-call-1.0.3.tgz",
-      "integrity": "sha512-Hl/tuV2VDgWgCSEeWMLwxLZqX7OK59eU1guxXsRKTAyeYimivsKdtcV4fu3r710tpG5GmDKDhQ0HSZLExnNmyQ==",
-      "dev": true,
-      "requires": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "regenerate": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.4.0.tgz",
-      "integrity": "sha512-1G6jJVDWrt0rK99kBjvEtziZNCICAuvIPkSiUFIQxVP06RCVpq3dmDo2oi6ABpYaDYaTRr67BEhL8r1wgEZZKg==",
-      "dev": true
-    },
-    "regenerator-runtime": {
-      "version": "0.11.1",
-      "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz",
-      "integrity": "sha512-MguG95oij0fC3QV3URf4V2SDYGJhJnJGqvIIgdECeODCT98wSWDAJ94SSuVpYQUoTcGUIL6L4yNB7j1DFFHSBg=="
-    },
-    "regenerator-transform": {
-      "version": "0.10.1",
-      "resolved": "https://registry.npmjs.org/regenerator-transform/-/regenerator-transform-0.10.1.tgz",
-      "integrity": "sha512-PJepbvDbuK1xgIgnau7Y90cwaAmO/LCLMI2mPvaXq2heGMR3aWW5/BQvYrhJ8jgmQjXewXvBjzfqKcVOmhjZ6Q==",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.18.0",
-        "babel-types": "^6.19.0",
-        "private": "^0.1.6"
-      }
-    },
-    "regex-not": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/regex-not/-/regex-not-1.0.2.tgz",
-      "integrity": "sha512-J6SDjUgDxQj5NusnOtdFxDwN/+HWykR8GELwctJ7mdqhcyy1xEc4SRFHUXvxTp661YaVKAjfRLZ9cCqS6tn32A==",
-      "dev": true,
-      "requires": {
-        "extend-shallow": "^3.0.2",
-        "safe-regex": "^1.1.0"
-      }
-    },
-    "regexpu-core": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/regexpu-core/-/regexpu-core-2.0.0.tgz",
-      "integrity": "sha1-SdA4g3uNz4v6W5pCE5k45uoq4kA=",
-      "dev": true,
-      "requires": {
-        "regenerate": "^1.2.1",
-        "regjsgen": "^0.2.0",
-        "regjsparser": "^0.1.4"
-      }
-    },
-    "regjsgen": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/regjsgen/-/regjsgen-0.2.0.tgz",
-      "integrity": "sha1-bAFq3qxVT3WCP+N6wFuS1aTtsfc=",
-      "dev": true
-    },
-    "regjsparser": {
-      "version": "0.1.5",
-      "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.1.5.tgz",
-      "integrity": "sha1-fuj4Tcb6eS0/0K4ijSS9lJ6tIFw=",
-      "dev": true,
-      "requires": {
-        "jsesc": "~0.5.0"
-      },
-      "dependencies": {
-        "jsesc": {
-          "version": "0.5.0",
-          "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-0.5.0.tgz",
-          "integrity": "sha1-597mbjXW/Bb3EP6R1c9p9w8IkR0=",
-          "dev": true
-        }
-      }
-    },
-    "remove-trailing-separator": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/remove-trailing-separator/-/remove-trailing-separator-1.1.0.tgz",
-      "integrity": "sha1-wkvOKig62tW8P1jg1IJJuSN52O8=",
-      "dev": true
-    },
-    "repeat-element": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/repeat-element/-/repeat-element-1.1.3.tgz",
-      "integrity": "sha512-ahGq0ZnV5m5XtZLMb+vP76kcAM5nkLqk0lpqAuojSKGgQtn4eRi4ZZGm2olo2zKFH+sMsWaqOCW1dqAnOru72g==",
-      "dev": true
-    },
-    "repeat-string": {
-      "version": "1.6.1",
-      "resolved": "https://registry.npmjs.org/repeat-string/-/repeat-string-1.6.1.tgz",
-      "integrity": "sha1-jcrkcOHIirwtYA//Sndihtp15jc=",
-      "dev": true
-    },
-    "repeating": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/repeating/-/repeating-2.0.1.tgz",
-      "integrity": "sha1-UhTFOpJtNVJwdSf7q0FdvAjQbdo=",
-      "dev": true,
-      "requires": {
-        "is-finite": "^1.0.0"
-      }
-    },
-    "request": {
-      "version": "2.88.0",
-      "resolved": "https://registry.npmjs.org/request/-/request-2.88.0.tgz",
-      "integrity": "sha512-NAqBSrijGLZdM0WZNsInLJpkJokL72XYjUpnB0iwsRgxh7dB6COrHnTBNwN0E+lHDAJzu7kLAkDeY08z2/A0hg==",
-      "dev": true,
-      "requires": {
-        "aws-sign2": "~0.7.0",
-        "aws4": "^1.8.0",
-        "caseless": "~0.12.0",
-        "combined-stream": "~1.0.6",
-        "extend": "~3.0.2",
-        "forever-agent": "~0.6.1",
-        "form-data": "~2.3.2",
-        "har-validator": "~5.1.0",
-        "http-signature": "~1.2.0",
-        "is-typedarray": "~1.0.0",
-        "isstream": "~0.1.2",
-        "json-stringify-safe": "~5.0.1",
-        "mime-types": "~2.1.19",
-        "oauth-sign": "~0.9.0",
-        "performance-now": "^2.1.0",
-        "qs": "~6.5.2",
-        "safe-buffer": "^5.1.2",
-        "tough-cookie": "~2.4.3",
-        "tunnel-agent": "^0.6.0",
-        "uuid": "^3.3.2"
-      },
-      "dependencies": {
-        "qs": {
-          "version": "6.5.2",
-          "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz",
-          "integrity": "sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==",
-          "dev": true
-        }
-      }
-    },
-    "require-directory": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
-      "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I=",
-      "dev": true
-    },
-    "require-main-filename": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-1.0.1.tgz",
-      "integrity": "sha1-l/cXtp1IeE9fUmpsWqj/3aBVpNE=",
-      "dev": true
-    },
-    "requires-port": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
-      "integrity": "sha1-kl0mAdOaxIXgkc8NpcbmlNw9yv8=",
-      "dev": true
-    },
-    "reshape": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/reshape/-/reshape-1.0.1.tgz",
-      "integrity": "sha512-QizKr2EpJlACyfGb9Ld3FlQVx8ZYPWygn4NyusZb4D0smhdQ3qeV6kK1xrAHBMTMDbRAM8PeBg8xRWfrwpK4vw==",
-      "dev": true,
-      "requires": {
-        "code-frame": "^5.0.0",
-        "joi": "^14.3.1",
-        "lodash.merge": "^4.6.1",
-        "reshape-code-gen": "^2.0.0",
-        "reshape-parser": "^1.0.0",
-        "when": "^3.7.8"
-      },
-      "dependencies": {
-        "hoek": {
-          "version": "6.1.3",
-          "resolved": "https://registry.npmjs.org/hoek/-/hoek-6.1.3.tgz",
-          "integrity": "sha512-YXXAAhmF9zpQbC7LEcREFtXfGq5K1fmd+4PHkBq8NUqmzW3G+Dq10bI/i0KucLRwss3YYFQ0fSfoxBZYiGUqtQ==",
-          "dev": true
-        },
-        "joi": {
-          "version": "14.3.1",
-          "resolved": "https://registry.npmjs.org/joi/-/joi-14.3.1.tgz",
-          "integrity": "sha512-LQDdM+pkOrpAn4Lp+neNIFV3axv1Vna3j38bisbQhETPMANYRbFJFUyOZcOClYvM/hppMhGWuKSFEK9vjrB+bQ==",
-          "dev": true,
-          "requires": {
-            "hoek": "6.x.x",
-            "isemail": "3.x.x",
-            "topo": "3.x.x"
-          }
-        },
-        "parse5": {
-          "version": "4.0.0",
-          "resolved": "https://registry.npmjs.org/parse5/-/parse5-4.0.0.tgz",
-          "integrity": "sha512-VrZ7eOd3T1Fk4XWNXMgiGBK/z0MG48BWG2uQNU4I72fkQuKUTZpl+u9k+CxEG0twMVzSmXEEz12z5Fnw1jIQFA==",
-          "dev": true
-        },
-        "reshape-parser": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/reshape-parser/-/reshape-parser-1.0.0.tgz",
-          "integrity": "sha1-RtIE+yD2i8hwvsZwljBSGcAXOHQ=",
-          "dev": true,
-          "requires": {
-            "parse5": "^4.0.0"
-          }
-        },
-        "topo": {
-          "version": "3.0.3",
-          "resolved": "https://registry.npmjs.org/topo/-/topo-3.0.3.tgz",
-          "integrity": "sha512-IgpPtvD4kjrJ7CRA3ov2FhWQADwv+Tdqbsf1ZnPUSAtCJ9e1Z44MmoSGDXGk4IppoZA7jd/QRkNddlLJWlUZsQ==",
-          "dev": true,
-          "requires": {
-            "hoek": "6.x.x"
-          }
-        }
-      }
-    },
-    "reshape-code-gen": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/reshape-code-gen/-/reshape-code-gen-2.0.0.tgz",
-      "integrity": "sha1-6oh2sI/p3XRwNa9ka6EMRzCOze4=",
-      "dev": true,
-      "requires": {
-        "objectfn": "^2.0.0",
-        "with": "^6.0.0"
-      }
-    },
-    "reshape-include": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/reshape-include/-/reshape-include-1.0.0.tgz",
-      "integrity": "sha1-L3XlfgFkR8Yz9Iy7DipcoRQnXRA=",
-      "dev": true,
-      "requires": {
-        "reshape-plugin-util": "^0.2.0"
-      }
-    },
-    "reshape-loader": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/reshape-loader/-/reshape-loader-1.3.0.tgz",
-      "integrity": "sha1-dSmC/V7IvV2G6mILsqlz+4zfcWk=",
-      "dev": true,
-      "requires": {
-        "reshape": "^1.0.0",
-        "reshape-include": "^1.0.0"
-      }
-    },
-    "reshape-parser": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/reshape-parser/-/reshape-parser-0.2.1.tgz",
-      "integrity": "sha1-PXExiMCuBbiZ41KHdKrMKu8Uc2g=",
-      "requires": {
-        "parse5": "^2.1.5"
-      }
-    },
-    "reshape-plugin-util": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/reshape-plugin-util/-/reshape-plugin-util-0.2.1.tgz",
-      "integrity": "sha1-KTWJWdWMnuvKJcNe/gzGJ4F88JI=",
-      "requires": {
-        "when": "^3.7.7"
-      }
-    },
-    "reshape-preact-components": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/reshape-preact-components/-/reshape-preact-components-0.6.0.tgz",
-      "integrity": "sha512-uovZiJI6CfSwPWBmDWY0HOFSmn078CuWBlQrPUn8ToRuohI+mPYboAqVWY8ddiP3+Y8JmpijMzzvfcWr9/A4OQ==",
-      "requires": {
-        "preact": "^8.1.0",
-        "preact-render-to-string": "^3.6.2",
-        "reshape-parser": "^0.2.1",
-        "reshape-plugin-util": "^0.2.1"
-      }
-    },
-    "resolve": {
-      "version": "1.12.0",
-      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.12.0.tgz",
-      "integrity": "sha512-B/dOmuoAik5bKcD6s6nXDCjzUKnaDvdkRyAk6rsmsKLipWj4797iothd7jmmUhWTfinVMU+wc56rYKsit2Qy4w==",
-      "requires": {
-        "path-parse": "^1.0.6"
-      }
-    },
-    "resolve-from": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-3.0.0.tgz",
-      "integrity": "sha1-six699nWiBvItuZTM17rywoYh0g="
-    },
-    "resolve-url": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/resolve-url/-/resolve-url-0.2.1.tgz",
-      "integrity": "sha1-LGN/53yJOv0qZj/iGqkIAGjiBSo=",
-      "dev": true
-    },
-    "resp-modifier": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/resp-modifier/-/resp-modifier-6.0.2.tgz",
-      "integrity": "sha1-sSTeXE+6/LpUH0j/pzlw9KpFa08=",
-      "dev": true,
-      "requires": {
-        "debug": "^2.2.0",
-        "minimatch": "^3.0.2"
-      }
-    },
-    "restore-cursor": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-2.0.0.tgz",
-      "integrity": "sha1-n37ih/gv0ybU/RYpI9YhKe7g368=",
-      "dev": true,
-      "requires": {
-        "onetime": "^2.0.0",
-        "signal-exit": "^3.0.2"
-      }
-    },
-    "ret": {
-      "version": "0.1.15",
-      "resolved": "https://registry.npmjs.org/ret/-/ret-0.1.15.tgz",
-      "integrity": "sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==",
-      "dev": true
-    },
-    "rgb": {
-      "version": "0.1.0",
-      "resolved": "https://registry.npmjs.org/rgb/-/rgb-0.1.0.tgz",
-      "integrity": "sha1-vieykej+/+rBvZlylyG/pA/AN7U=",
-      "dev": true
-    },
-    "rgb-hex": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/rgb-hex/-/rgb-hex-2.1.0.tgz",
-      "integrity": "sha1-x3PF/iJoolV42SU5qCp6XOU77aY=",
-      "dev": true
-    },
-    "rgb-regex": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/rgb-regex/-/rgb-regex-1.0.1.tgz",
-      "integrity": "sha1-wODWiC3w4jviVKR16O3UGRX+rrE=",
-      "dev": true
-    },
-    "rgba-regex": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/rgba-regex/-/rgba-regex-1.0.0.tgz",
-      "integrity": "sha1-QzdOLiyglosO8VI0YLfXMP8i7rM=",
-      "dev": true
-    },
-    "right-align": {
-      "version": "0.1.3",
-      "resolved": "https://registry.npmjs.org/right-align/-/right-align-0.1.3.tgz",
-      "integrity": "sha1-YTObci/mo1FWiSENJOFMlhSGE+8=",
-      "dev": true,
-      "requires": {
-        "align-text": "^0.1.1"
-      }
-    },
-    "rimraf": {
-      "version": "2.7.1",
-      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz",
-      "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==",
-      "dev": true,
-      "requires": {
-        "glob": "^7.1.3"
-      }
-    },
-    "ripemd160": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/ripemd160/-/ripemd160-2.0.2.tgz",
-      "integrity": "sha512-ii4iagi25WusVoiC4B4lq7pbXfAp3D9v5CwfkY33vffw2+pkDjY1D8GaN7spsxvCSx8dkPqOZCEZyfxcmJG2IA==",
-      "dev": true,
-      "requires": {
-        "hash-base": "^3.0.0",
-        "inherits": "^2.0.1"
-      }
-    },
-    "rucksack-css": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/rucksack-css/-/rucksack-css-1.0.2.tgz",
-      "integrity": "sha512-+ir3KHUb+IfCjqTsUruYZDKf95GZKhqucVridhNSuU9AsC7efqBhKtzJeMNZqc+EOND0LWBenG5ZCodKUPbL6g==",
-      "dev": true,
-      "requires": {
-        "autoprefixer": "^7.1.2",
-        "laggard": "^2.0.0",
-        "minimist": "^1.1.2",
-        "postcss": "^6.0.8",
-        "postcss-alias": "^2.0.0",
-        "postcss-clearfix": "^2.0.1",
-        "postcss-color-rgba-fallback": "^3.0.0",
-        "postcss-easings": "^1.0.0",
-        "postcss-fontpath": "^1.0.0",
-        "postcss-hexrgba": "^1.0.0",
-        "postcss-input-style": "^1.0.0",
-        "postcss-opacity": "^5.0.0",
-        "postcss-position": "^1.0.0",
-        "postcss-pseudoelements": "^5.0.0",
-        "postcss-quantity-queries": "^0.5.0",
-        "postcss-reporter": "^5.0.0",
-        "postcss-responsive-type": "^1.0.0",
-        "postcss-vmin": "^3.0.0",
-        "read-file-stdin": "^0.2.0",
-        "write-file-stdout": "^0.0.2"
-      },
-      "dependencies": {
-        "autoprefixer": {
-          "version": "7.2.6",
-          "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-7.2.6.tgz",
-          "integrity": "sha512-Iq8TRIB+/9eQ8rbGhcP7ct5cYb/3qjNYAR2SnzLCEcwF6rvVOax8+9+fccgXk4bEhQGjOZd5TLhsksmAdsbGqQ==",
-          "dev": true,
-          "requires": {
-            "browserslist": "^2.11.3",
-            "caniuse-lite": "^1.0.30000805",
-            "normalize-range": "^0.1.2",
-            "num2fraction": "^1.2.2",
-            "postcss": "^6.0.17",
-            "postcss-value-parser": "^3.2.3"
-          }
-        },
-        "browserslist": {
-          "version": "2.11.3",
-          "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-2.11.3.tgz",
-          "integrity": "sha512-yWu5cXT7Av6mVwzWc8lMsJMHWn4xyjSuGYi4IozbVTLUOEYPSagUB8kiMDUHA1fS3zjr8nkxkn9jdvug4BBRmA==",
-          "dev": true,
-          "requires": {
-            "caniuse-lite": "^1.0.30000792",
-            "electron-to-chromium": "^1.3.30"
-          }
-        },
-        "minimist": {
-          "version": "1.2.0",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
-          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
-          "dev": true
-        }
-      }
-    },
-    "run-async": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/run-async/-/run-async-2.3.0.tgz",
-      "integrity": "sha1-A3GrSuC91yDUFm19/aZP96RFpsA=",
-      "dev": true,
-      "requires": {
-        "is-promise": "^2.1.0"
-      }
-    },
-    "rx": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/rx/-/rx-4.1.0.tgz",
-      "integrity": "sha1-pfE/957zt0D+MKqAP7CfmIBdR4I=",
-      "dev": true
-    },
-    "rx-lite": {
-      "version": "4.0.8",
-      "resolved": "https://registry.npmjs.org/rx-lite/-/rx-lite-4.0.8.tgz",
-      "integrity": "sha1-Cx4Rr4vESDbwSmQH6S2kJGe3lEQ=",
-      "dev": true
-    },
-    "rx-lite-aggregates": {
-      "version": "4.0.8",
-      "resolved": "https://registry.npmjs.org/rx-lite-aggregates/-/rx-lite-aggregates-4.0.8.tgz",
-      "integrity": "sha1-dTuHqJoRyVRnxKwWJsTvxOBcZ74=",
-      "dev": true,
-      "requires": {
-        "rx-lite": "*"
-      }
-    },
-    "rxjs": {
-      "version": "5.5.12",
-      "resolved": "https://registry.npmjs.org/rxjs/-/rxjs-5.5.12.tgz",
-      "integrity": "sha512-xx2itnL5sBbqeeiVgNPVuQQ1nC8Jp2WfNJhXWHmElW9YmrpS9UVnNzhP3EH3HFqexO5Tlp8GhYY+WEcqcVMvGw==",
-      "dev": true,
-      "requires": {
-        "symbol-observable": "1.0.1"
-      }
-    },
-    "safe-buffer": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
-      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
-    },
-    "safe-regex": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/safe-regex/-/safe-regex-1.1.0.tgz",
-      "integrity": "sha1-QKNmnzsHfR6UPURinhV91IAjvy4=",
-      "dev": true,
-      "requires": {
-        "ret": "~0.1.10"
-      }
-    },
-    "safer-buffer": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
-      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
-    },
-    "sax": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
-      "integrity": "sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==",
-      "dev": true
-    },
-    "schema-utils": {
-      "version": "0.4.7",
-      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-0.4.7.tgz",
-      "integrity": "sha512-v/iwU6wvwGK8HbU9yi3/nhGzP0yGSuhQMzL6ySiec1FSrZZDkhm4noOSWzrNFo/jEc+SJY6jRTwuwbSXJPDUnQ==",
-      "dev": true,
-      "requires": {
-        "ajv": "^6.1.0",
-        "ajv-keywords": "^3.1.0"
-      }
-    },
-    "semver": {
-      "version": "5.7.1",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
-      "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
-      "dev": true
-    },
-    "send": {
-      "version": "0.16.2",
-      "resolved": "https://registry.npmjs.org/send/-/send-0.16.2.tgz",
-      "integrity": "sha512-E64YFPUssFHEFBvpbbjr44NCLtI1AohxQ8ZSiJjQLskAdKuriYEP6VyGEsRDH8ScozGpkaX1BGvhanqCwkcEZw==",
-      "dev": true,
-      "requires": {
-        "debug": "2.6.9",
-        "depd": "~1.1.2",
-        "destroy": "~1.0.4",
-        "encodeurl": "~1.0.2",
-        "escape-html": "~1.0.3",
-        "etag": "~1.8.1",
-        "fresh": "0.5.2",
-        "http-errors": "~1.6.2",
-        "mime": "1.4.1",
-        "ms": "2.0.0",
-        "on-finished": "~2.3.0",
-        "range-parser": "~1.2.0",
-        "statuses": "~1.4.0"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "http-errors": {
-          "version": "1.6.3",
-          "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.6.3.tgz",
-          "integrity": "sha1-i1VoC7S+KDoLW/TqLjhYC+HZMg0=",
-          "dev": true,
-          "requires": {
-            "depd": "~1.1.2",
-            "inherits": "2.0.3",
-            "setprototypeof": "1.1.0",
-            "statuses": ">= 1.4.0 < 2"
-          }
-        },
-        "inherits": {
-          "version": "2.0.3",
-          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
-          "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=",
-          "dev": true
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        },
-        "setprototypeof": {
-          "version": "1.1.0",
-          "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.0.tgz",
-          "integrity": "sha512-BvE/TwpZX4FXExxOxZyRGQQv651MSwmWKZGqvmPcRIjDqWub67kTKuIMx43cZZrS/cBBzwBcNDWoFxt2XEFIpQ==",
-          "dev": true
-        },
-        "statuses": {
-          "version": "1.4.0",
-          "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.4.0.tgz",
-          "integrity": "sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==",
-          "dev": true
-        }
-      }
-    },
-    "serve-index": {
-      "version": "1.9.1",
-      "resolved": "https://registry.npmjs.org/serve-index/-/serve-index-1.9.1.tgz",
-      "integrity": "sha1-03aNabHn2C5c4FD/9bRTvqEqkjk=",
-      "dev": true,
-      "requires": {
-        "accepts": "~1.3.4",
-        "batch": "0.6.1",
-        "debug": "2.6.9",
-        "escape-html": "~1.0.3",
-        "http-errors": "~1.6.2",
-        "mime-types": "~2.1.17",
-        "parseurl": "~1.3.2"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "2.6.9",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "http-errors": {
-          "version": "1.6.3",
-          "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.6.3.tgz",
-          "integrity": "sha1-i1VoC7S+KDoLW/TqLjhYC+HZMg0=",
-          "dev": true,
-          "requires": {
-            "depd": "~1.1.2",
-            "inherits": "2.0.3",
-            "setprototypeof": "1.1.0",
-            "statuses": ">= 1.4.0 < 2"
-          }
-        },
-        "inherits": {
-          "version": "2.0.3",
-          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
-          "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=",
-          "dev": true
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        },
-        "setprototypeof": {
-          "version": "1.1.0",
-          "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.0.tgz",
-          "integrity": "sha512-BvE/TwpZX4FXExxOxZyRGQQv651MSwmWKZGqvmPcRIjDqWub67kTKuIMx43cZZrS/cBBzwBcNDWoFxt2XEFIpQ==",
-          "dev": true
-        },
-        "statuses": {
-          "version": "1.5.0",
-          "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
-          "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=",
-          "dev": true
-        }
-      }
-    },
-    "serve-static": {
-      "version": "1.13.2",
-      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.13.2.tgz",
-      "integrity": "sha512-p/tdJrO4U387R9oMjb1oj7qSMaMfmOyd4j9hOFoxZe2baQszgHcSWjuya/CiT5kgZZKRudHNOA0pYXOl8rQ5nw==",
-      "dev": true,
-      "requires": {
-        "encodeurl": "~1.0.2",
-        "escape-html": "~1.0.3",
-        "parseurl": "~1.3.2",
-        "send": "0.16.2"
-      }
-    },
-    "server-destroy": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/server-destroy/-/server-destroy-1.0.1.tgz",
-      "integrity": "sha1-8Tv5KOQrnD55OD5hzDmYtdFObN0=",
-      "dev": true
-    },
-    "set-blocking": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
-      "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=",
-      "dev": true
-    },
-    "set-value": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz",
-      "integrity": "sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==",
-      "dev": true,
-      "requires": {
-        "extend-shallow": "^2.0.1",
-        "is-extendable": "^0.1.1",
-        "is-plain-object": "^2.0.3",
-        "split-string": "^3.0.1"
-      },
-      "dependencies": {
-        "extend-shallow": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
-          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
-          "dev": true,
-          "requires": {
-            "is-extendable": "^0.1.0"
-          }
-        }
-      }
-    },
-    "setimmediate": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/setimmediate/-/setimmediate-1.0.5.tgz",
-      "integrity": "sha1-KQy7Iy4waULX1+qbg3Mqt4VvgoU=",
-      "dev": true
-    },
-    "setprototypeof": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.1.tgz",
-      "integrity": "sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw==",
-      "dev": true
-    },
-    "sha.js": {
-      "version": "2.4.11",
-      "resolved": "https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz",
-      "integrity": "sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==",
-      "dev": true,
-      "requires": {
-        "inherits": "^2.0.1",
-        "safe-buffer": "^5.0.1"
-      }
-    },
-    "shebang-command": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-1.2.0.tgz",
-      "integrity": "sha1-RKrGW2lbAzmJaMOfNj/uXer98eo=",
-      "dev": true,
-      "requires": {
-        "shebang-regex": "^1.0.0"
-      }
-    },
-    "shebang-regex": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-1.0.0.tgz",
-      "integrity": "sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=",
-      "dev": true
-    },
-    "shortid": {
-      "version": "2.2.14",
-      "resolved": "https://registry.npmjs.org/shortid/-/shortid-2.2.14.tgz",
-      "integrity": "sha512-4UnZgr9gDdA1kaKj/38IiudfC3KHKhDc1zi/HSxd9FQDR0VLwH3/y79tZJLsVYPsJgIjeHjqIWaWVRJUj9qZOQ==",
-      "requires": {
-        "nanoid": "^2.0.0"
-      },
-      "dependencies": {
-        "nanoid": {
-          "version": "2.1.6",
-          "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-2.1.6.tgz",
-          "integrity": "sha512-2NDzpiuEy3+H0AVtdt8LoFi7PnqkOnIzYmJQp7xsEU6VexLluHQwKREuiz57XaQC5006seIadPrIZJhyS2n7aw=="
-        }
-      }
-    },
-    "siema": {
-      "version": "1.5.1",
-      "resolved": "https://registry.npmjs.org/siema/-/siema-1.5.1.tgz",
-      "integrity": "sha1-7/MSt36DQPpNgdXQU+u+uRE/+Ig="
-    },
-    "signal-exit": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.2.tgz",
-      "integrity": "sha1-tf3AjxKH6hF4Yo5BXiUTK3NkbG0=",
-      "dev": true
-    },
-    "simple-swizzle": {
-      "version": "0.2.2",
-      "resolved": "https://registry.npmjs.org/simple-swizzle/-/simple-swizzle-0.2.2.tgz",
-      "integrity": "sha1-pNprY1/8zMoz9w0Xy5JZLeleVXo=",
-      "dev": true,
-      "requires": {
-        "is-arrayish": "^0.3.1"
-      },
-      "dependencies": {
-        "is-arrayish": {
-          "version": "0.3.2",
-          "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.2.tgz",
-          "integrity": "sha512-eVRqCvVlZbuw3GrM63ovNSNAeA1K16kaR/LRY/92w0zxQ5/1YzwblUX652i4Xs9RwAGjW9d9y6X88t8OaAJfWQ==",
-          "dev": true
-        }
-      }
-    },
-    "slash": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/slash/-/slash-1.0.0.tgz",
-      "integrity": "sha1-xB8vbDn8FtHNF61LXYlhFK5HDVU=",
-      "dev": true
-    },
-    "slugify": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/slugify/-/slugify-1.3.5.tgz",
-      "integrity": "sha512-5VCnH7aS13b0UqWOs7Ef3E5rkhFe8Od+cp7wybFv5mv/sYSRkucZlJX0bamAJky7b2TTtGvrJBWVdpdEicsSrA=="
-    },
-    "snapdragon": {
-      "version": "0.8.2",
-      "resolved": "https://registry.npmjs.org/snapdragon/-/snapdragon-0.8.2.tgz",
-      "integrity": "sha512-FtyOnWN/wCHTVXOMwvSv26d+ko5vWlIDD6zoUJ7LW8vh+ZBC8QdljveRP+crNrtBwioEUWy/4dMtbBjA4ioNlg==",
-      "dev": true,
-      "requires": {
-        "base": "^0.11.1",
-        "debug": "^2.2.0",
-        "define-property": "^0.2.5",
-        "extend-shallow": "^2.0.1",
-        "map-cache": "^0.2.2",
-        "source-map": "^0.5.6",
-        "source-map-resolve": "^0.5.0",
-        "use": "^3.1.0"
-      },
-      "dependencies": {
-        "define-property": {
-          "version": "0.2.5",
-          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
-          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
-          "dev": true,
-          "requires": {
-            "is-descriptor": "^0.1.0"
-          }
-        },
-        "extend-shallow": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
-          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
-          "dev": true,
-          "requires": {
-            "is-extendable": "^0.1.0"
-          }
-        }
-      }
-    },
-    "snapdragon-node": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/snapdragon-node/-/snapdragon-node-2.1.1.tgz",
-      "integrity": "sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw==",
-      "dev": true,
-      "requires": {
-        "define-property": "^1.0.0",
-        "isobject": "^3.0.0",
-        "snapdragon-util": "^3.0.1"
-      },
-      "dependencies": {
-        "define-property": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz",
-          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
-          "dev": true,
-          "requires": {
-            "is-descriptor": "^1.0.0"
-          }
-        },
-        "is-accessor-descriptor": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz",
-          "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
-          "dev": true,
-          "requires": {
-            "kind-of": "^6.0.0"
-          }
-        },
-        "is-data-descriptor": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz",
-          "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
-          "dev": true,
-          "requires": {
-            "kind-of": "^6.0.0"
-          }
-        },
-        "is-descriptor": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz",
-          "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
-          "dev": true,
-          "requires": {
-            "is-accessor-descriptor": "^1.0.0",
-            "is-data-descriptor": "^1.0.0",
-            "kind-of": "^6.0.2"
-          }
-        }
-      }
-    },
-    "snapdragon-util": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/snapdragon-util/-/snapdragon-util-3.0.1.tgz",
-      "integrity": "sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ==",
-      "dev": true,
-      "requires": {
-        "kind-of": "^3.2.0"
-      },
-      "dependencies": {
-        "kind-of": {
-          "version": "3.2.2",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
-          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
-          "dev": true,
-          "requires": {
-            "is-buffer": "^1.1.5"
-          }
-        }
-      }
-    },
-    "socket.io": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz",
-      "integrity": "sha512-rORqq9c+7W0DAK3cleWNSyfv/qKXV99hV4tZe+gGLfBECw3XEhBy7x85F3wypA9688LKjtwO9pX9L33/xQI8yA==",
-      "dev": true,
-      "requires": {
-        "debug": "~3.1.0",
-        "engine.io": "~3.2.0",
-        "has-binary2": "~1.0.2",
-        "socket.io-adapter": "~1.1.0",
-        "socket.io-client": "2.1.1",
-        "socket.io-parser": "~3.2.0"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "3.1.0",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
-          "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "engine.io-client": {
-          "version": "3.2.1",
-          "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-3.2.1.tgz",
-          "integrity": "sha512-y5AbkytWeM4jQr7m/koQLc5AxpRKC1hEVUb/s1FUAWEJq5AzJJ4NLvzuKPuxtDi5Mq755WuDvZ6Iv2rXj4PTzw==",
-          "dev": true,
-          "requires": {
-            "component-emitter": "1.2.1",
-            "component-inherit": "0.0.3",
-            "debug": "~3.1.0",
-            "engine.io-parser": "~2.1.1",
-            "has-cors": "1.1.0",
-            "indexof": "0.0.1",
-            "parseqs": "0.0.5",
-            "parseuri": "0.0.5",
-            "ws": "~3.3.1",
-            "xmlhttprequest-ssl": "~1.5.4",
-            "yeast": "0.1.2"
-          }
-        },
-        "engine.io-parser": {
-          "version": "2.1.3",
-          "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-2.1.3.tgz",
-          "integrity": "sha512-6HXPre2O4Houl7c4g7Ic/XzPnHBvaEmN90vtRO9uLmwtRqQmTOw0QMevL1TOfL2Cpu1VzsaTmMotQgMdkzGkVA==",
-          "dev": true,
-          "requires": {
-            "after": "0.8.2",
-            "arraybuffer.slice": "~0.0.7",
-            "base64-arraybuffer": "0.1.5",
-            "blob": "0.0.5",
-            "has-binary2": "~1.0.2"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        },
-        "socket.io-client": {
-          "version": "2.1.1",
-          "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-2.1.1.tgz",
-          "integrity": "sha512-jxnFyhAuFxYfjqIgduQlhzqTcOEQSn+OHKVfAxWaNWa7ecP7xSNk2Dx/3UEsDcY7NcFafxvNvKPmmO7HTwTxGQ==",
-          "dev": true,
-          "requires": {
-            "backo2": "1.0.2",
-            "base64-arraybuffer": "0.1.5",
-            "component-bind": "1.0.0",
-            "component-emitter": "1.2.1",
-            "debug": "~3.1.0",
-            "engine.io-client": "~3.2.0",
-            "has-binary2": "~1.0.2",
-            "has-cors": "1.1.0",
-            "indexof": "0.0.1",
-            "object-component": "0.0.3",
-            "parseqs": "0.0.5",
-            "parseuri": "0.0.5",
-            "socket.io-parser": "~3.2.0",
-            "to-array": "0.1.4"
-          }
-        },
-        "socket.io-parser": {
-          "version": "3.2.0",
-          "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz",
-          "integrity": "sha512-FYiBx7rc/KORMJlgsXysflWx/RIvtqZbyGLlHZvjfmPTPeuD/I8MaW7cfFrj5tRltICJdgwflhfZ3NVVbVLFQA==",
-          "dev": true,
-          "requires": {
-            "component-emitter": "1.2.1",
-            "debug": "~3.1.0",
-            "isarray": "2.0.1"
-          }
-        },
-        "ws": {
-          "version": "3.3.3",
-          "resolved": "https://registry.npmjs.org/ws/-/ws-3.3.3.tgz",
-          "integrity": "sha512-nnWLa/NwZSt4KQJu51MYlCcSQ5g7INpOrOMt4XV8j4dqTXdmlUmSHQ8/oLC069ckre0fRsgfvsKwbTdtKLCDkA==",
-          "dev": true,
-          "requires": {
-            "async-limiter": "~1.0.0",
-            "safe-buffer": "~5.1.0",
-            "ultron": "~1.1.0"
-          }
-        }
-      }
-    },
-    "socket.io-adapter": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-1.1.1.tgz",
-      "integrity": "sha1-KoBeihTWNyEk3ZFZrUUC+MsH8Gs=",
-      "dev": true
-    },
-    "socket.io-client": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-2.3.0.tgz",
-      "integrity": "sha512-cEQQf24gET3rfhxZ2jJ5xzAOo/xhZwK+mOqtGRg5IowZsMgwvHwnf/mCRapAAkadhM26y+iydgwsXGObBB5ZdA==",
-      "dev": true,
-      "requires": {
-        "backo2": "1.0.2",
-        "base64-arraybuffer": "0.1.5",
-        "component-bind": "1.0.0",
-        "component-emitter": "1.2.1",
-        "debug": "~4.1.0",
-        "engine.io-client": "~3.4.0",
-        "has-binary2": "~1.0.2",
-        "has-cors": "1.1.0",
-        "indexof": "0.0.1",
-        "object-component": "0.0.3",
-        "parseqs": "0.0.5",
-        "parseuri": "0.0.5",
-        "socket.io-parser": "~3.3.0",
-        "to-array": "0.1.4"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "4.1.1",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
-          "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
-          "dev": true,
-          "requires": {
-            "ms": "^2.1.1"
-          }
-        },
-        "ms": {
-          "version": "2.1.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-          "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
-          "dev": true
-        }
-      }
-    },
-    "socket.io-parser": {
-      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.0.tgz",
-      "integrity": "sha512-hczmV6bDgdaEbVqhAeVMM/jfUfzuEZHsQg6eOmLgJht6G3mPKMxYm75w2+qhAQZ+4X+1+ATZ+QFKeOZD5riHng==",
-      "dev": true,
-      "requires": {
-        "component-emitter": "1.2.1",
-        "debug": "~3.1.0",
-        "isarray": "2.0.1"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "3.1.0",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
-          "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
-          "dev": true,
-          "requires": {
-            "ms": "2.0.0"
-          }
-        },
-        "ms": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
-          "dev": true
-        }
-      }
-    },
-    "source-list-map": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/source-list-map/-/source-list-map-2.0.1.tgz",
-      "integrity": "sha512-qnQ7gVMxGNxsiL4lEuJwe/To8UnK7fAnmbGEEH8RpLouuKbeEm0lhbQVFIrNSuB+G7tVrAlVsZgETT5nljf+Iw==",
-      "dev": true
-    },
-    "source-loader": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/source-loader/-/source-loader-1.0.0.tgz",
-      "integrity": "sha512-gqPvbDNzfyQPXs1gMqfNV8IlKLpsifCO5J7xNRwv47eNvhOeM8eR0cemEJzmqhvjCap+EnCGk9Ao0b5xbzpNKA==",
-      "dev": true,
-      "requires": {
-        "is-binary-path": "^2.0.0"
-      },
-      "dependencies": {
-        "binary-extensions": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.0.0.tgz",
-          "integrity": "sha512-Phlt0plgpIIBOGTT/ehfFnbNlfsDEiqmzE2KRXoX1bLIlir4X/MR+zSyBEkL05ffWgnRSf/DXv+WrUAVr93/ow==",
-          "dev": true
-        },
-        "is-binary-path": {
-          "version": "2.1.0",
-          "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
-          "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
-          "dev": true,
-          "requires": {
-            "binary-extensions": "^2.0.0"
-          }
-        }
-      }
-    },
-    "source-map": {
-      "version": "0.5.7",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
-      "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w="
-    },
-    "source-map-resolve": {
-      "version": "0.5.2",
-      "resolved": "https://registry.npmjs.org/source-map-resolve/-/source-map-resolve-0.5.2.tgz",
-      "integrity": "sha512-MjqsvNwyz1s0k81Goz/9vRBe9SZdB09Bdw+/zYyO+3CuPk6fouTaxscHkgtE8jKvf01kVfl8riHzERQ/kefaSA==",
-      "dev": true,
-      "requires": {
-        "atob": "^2.1.1",
-        "decode-uri-component": "^0.2.0",
-        "resolve-url": "^0.2.1",
-        "source-map-url": "^0.4.0",
-        "urix": "^0.1.0"
-      }
-    },
-    "source-map-support": {
-      "version": "0.4.18",
-      "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.4.18.tgz",
-      "integrity": "sha512-try0/JqxPLF9nOjvSta7tVondkP5dwgyLDjVoyMDlmjugT2lRZ1OfsrYTkCd2hkDnJTKRbO/Rl3orm8vlsUzbA==",
-      "dev": true,
-      "requires": {
-        "source-map": "^0.5.6"
-      }
-    },
-    "source-map-url": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/source-map-url/-/source-map-url-0.4.0.tgz",
-      "integrity": "sha1-PpNdfd1zYxuXZZlW1VEo6HtQhKM=",
-      "dev": true
-    },
-    "spdx-correct": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.1.0.tgz",
-      "integrity": "sha512-lr2EZCctC2BNR7j7WzJ2FpDznxky1sjfxvvYEyzxNyb6lZXHODmEoJeFu4JupYlkfha1KZpJyoqiJ7pgA1qq8Q==",
-      "dev": true,
-      "requires": {
-        "spdx-expression-parse": "^3.0.0",
-        "spdx-license-ids": "^3.0.0"
-      }
-    },
-    "spdx-exceptions": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.2.0.tgz",
-      "integrity": "sha512-2XQACfElKi9SlVb1CYadKDXvoajPgBVPn/gOQLrTvHdElaVhr7ZEbqJaRnJLVNeaI4cMEAgVCeBMKF6MWRDCRA==",
-      "dev": true
-    },
-    "spdx-expression-parse": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.0.tgz",
-      "integrity": "sha512-Yg6D3XpRD4kkOmTpdgbUiEJFKghJH03fiC1OPll5h/0sO6neh2jqRDVHOQ4o/LMea0tgCkbMgea5ip/e+MkWyg==",
-      "dev": true,
-      "requires": {
-        "spdx-exceptions": "^2.1.0",
-        "spdx-license-ids": "^3.0.0"
-      }
-    },
-    "spdx-license-ids": {
-      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.5.tgz",
-      "integrity": "sha512-J+FWzZoynJEXGphVIS+XEh3kFSjZX/1i9gFBaWQcB+/tmpe2qUsSBABpcxqxnAxFdiUFEgAX1bjYGQvIZmoz9Q==",
-      "dev": true
-    },
-    "spike": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/spike/-/spike-2.3.0.tgz",
-      "integrity": "sha1-ASu33YYzybt0wQ/baXMs6NXRMEk=",
-      "dev": true,
-      "requires": {
-        "argparse": "^1.0.10",
-        "chalk": "^2.4.1",
-        "inquirer": "^3.2.1",
-        "lodash.reduce": "^4.6.0",
-        "spike-core": "^2.3.0",
-        "universal-analytics": "^0.4.17"
-      }
-    },
-    "spike-core": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/spike-core/-/spike-core-2.3.0.tgz",
-      "integrity": "sha1-feQSdI0Nva5j7K1IVxBOgmK2d50=",
-      "dev": true,
-      "requires": {
-        "babel-core": "^6.26.0",
-        "babel-loader": "^7.1.5",
-        "browser-sync": "^2.24.6",
-        "browser-sync-webpack-plugin": "^1.2.0",
-        "filewrap": "^1.0.0",
-        "glob": "^7.1.2",
-        "hygienist-middleware": "^0.1.3",
-        "joi": "^12.0.0",
-        "lodash.difference": "^4.5.0",
-        "lodash.merge": "^4.6.0",
-        "lodash.union": "^4.6.0",
-        "micromatch": "^3.1.4",
-        "mkdirp": "^0.5.1",
-        "postcss-loader": "^2.1.6",
-        "reshape-loader": "^1.3.0",
-        "rimraf": "^2.6.2",
-        "source-loader": "^1.0.0",
-        "spike-util": "^1.3.0",
-        "sprout": "^1.2.1",
-        "webpack": "^3.12.0",
-        "when": "^3.7.8"
-      }
-    },
-    "spike-css-standards": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/spike-css-standards/-/spike-css-standards-4.1.1.tgz",
-      "integrity": "sha512-qPTiDzScHT/u3Ca3D2efFjXfwLkPJ1e0sXXg6bZF4anLVa67pxx5pmCm/mBFmUO1T/tbJy1cQtl4fzLomPG0gw==",
-      "dev": true,
-      "requires": {
-        "autoprefixer": "9.3.1",
-        "cssnano": "4.1.7",
-        "postcss-attribute-case-insensitive": "4.0.0",
-        "postcss-calc": "7.0.1",
-        "postcss-color-function": "^4.0.1",
-        "postcss-color-gray": "5.0.0",
-        "postcss-color-hex-alpha": "5.0.2",
-        "postcss-color-hsl": "^2.0.0",
-        "postcss-color-hwb": "^3.0.0",
-        "postcss-color-rebeccapurple": "4.0.1",
-        "postcss-color-rgb": "^2.0.0",
-        "postcss-custom-media": "7.0.7",
-        "postcss-custom-properties": "8.0.9",
-        "postcss-custom-selectors": "5.1.2",
-        "postcss-font-family-system-ui": "4.1.0",
-        "postcss-font-variant": "4.0.0",
-        "postcss-image-set-polyfill": "^0.4.4",
-        "postcss-import": "11.1.0",
-        "postcss-media-minmax": "4.0.0",
-        "postcss-nesting": "7.0.0",
-        "postcss-property-lookup": "^2.0.0",
-        "postcss-pseudo-class-any-link": "6.0.0",
-        "postcss-selector-matches": "4.0.0",
-        "postcss-selector-not": "4.0.0",
-        "rucksack-css": "^1.0.2"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "postcss-nesting": {
-          "version": "7.0.0",
-          "resolved": "https://registry.npmjs.org/postcss-nesting/-/postcss-nesting-7.0.0.tgz",
-          "integrity": "sha512-WSsbVd5Ampi3Y0nk/SKr5+K34n52PqMqEfswu6RtU4r7wA8vSD+gM8/D9qq4aJkHImwn1+9iEFTbjoWsQeqtaQ==",
-          "dev": true,
-          "requires": {
-            "postcss": "^7.0.2"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "spike-js-standards": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/spike-js-standards/-/spike-js-standards-2.1.0.tgz",
-      "integrity": "sha1-lIxXix7UIjqqqbxQbPP308OMMgM=",
-      "dev": true,
-      "requires": {
-        "babel-plugin-syntax-dynamic-import": "^6.18.0",
-        "babel-preset-env": "^1.7.0"
-      }
-    },
-    "spike-util": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/spike-util/-/spike-util-1.3.0.tgz",
-      "integrity": "sha512-q53KxrB41Kbyla+lFFyNcYmCygiaDxgr6/XIFvA03VOxmr+NZinNry9+LfkQY61SFhQmtxhPTcxe0gJOzn9iKw==",
-      "dev": true,
-      "requires": {
-        "filewrap": "1.0.0",
-        "glob": "^7.1.2",
-        "micromatch": "^3.0.4",
-        "when": "^3.7.7"
-      }
-    },
-    "split-string": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/split-string/-/split-string-3.1.0.tgz",
-      "integrity": "sha512-NzNVhJDYpwceVVii8/Hu6DKfD2G+NrQHlS/V/qgv763EYudVwEcMQNxd2lh+0VrUByXN/oJkl5grOhYWvQUYiw==",
-      "dev": true,
-      "requires": {
-        "extend-shallow": "^3.0.0"
-      }
-    },
-    "sprintf-js": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
-      "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw="
-    },
-    "sprout": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/sprout/-/sprout-1.2.1.tgz",
-      "integrity": "sha1-4SHn986JSqdc2s+MBH9gl3B4bb0=",
-      "dev": true,
-      "requires": {
-        "argparse": "^1.0.2",
-        "ejs": "^2.3.1",
-        "isbinaryfile": "^3.0.0",
-        "joi": "^10.0.0",
-        "js-yaml": "^3.4.5",
-        "lodash": "^4.12.0",
-        "minimatch": "^3.0.0",
-        "mkdirp": "^0.5.1",
-        "ncp": "^2.0.0",
-        "readdirp": "^2.0.0",
-        "rimraf": "^2.5.2",
-        "underscore.string": "^3.1.1",
-        "when": "^3.7.7",
-        "which": "^1.2.8"
-      },
-      "dependencies": {
-        "isemail": {
-          "version": "2.2.1",
-          "resolved": "https://registry.npmjs.org/isemail/-/isemail-2.2.1.tgz",
-          "integrity": "sha1-A1PT2aYpUQgMJiwqoKQrjqjp4qY=",
-          "dev": true
-        },
-        "joi": {
-          "version": "10.6.0",
-          "resolved": "https://registry.npmjs.org/joi/-/joi-10.6.0.tgz",
-          "integrity": "sha512-hBF3LcqyAid+9X/pwg+eXjD2QBZI5eXnBFJYaAkH4SK3mp9QSRiiQnDYlmlz5pccMvnLcJRS4whhDOTCkmsAdQ==",
-          "dev": true,
-          "requires": {
-            "hoek": "4.x.x",
-            "isemail": "2.x.x",
-            "items": "2.x.x",
-            "topo": "2.x.x"
-          }
-        }
-      }
-    },
-    "sshpk": {
-      "version": "1.16.1",
-      "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.16.1.tgz",
-      "integrity": "sha512-HXXqVUq7+pcKeLqqZj6mHFUMvXtOJt1uoUx09pFW6011inTMxqI8BA8PM95myrIyyKwdnzjdFjLiE6KBPVtJIg==",
-      "dev": true,
-      "requires": {
-        "asn1": "~0.2.3",
-        "assert-plus": "^1.0.0",
-        "bcrypt-pbkdf": "^1.0.0",
-        "dashdash": "^1.12.0",
-        "ecc-jsbn": "~0.1.1",
-        "getpass": "^0.1.1",
-        "jsbn": "~0.1.0",
-        "safer-buffer": "^2.0.2",
-        "tweetnacl": "~0.14.0"
-      }
-    },
-    "stable": {
-      "version": "0.1.8",
-      "resolved": "https://registry.npmjs.org/stable/-/stable-0.1.8.tgz",
-      "integrity": "sha512-ji9qxRnOVfcuLDySj9qzhGSEFVobyt1kIOSkj1qZzYLzq7Tos/oUUWvotUPQLlrsidqsK6tBH89Bc9kL5zHA6w==",
-      "dev": true
-    },
-    "standalone-react-addons-pure-render-mixin": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/standalone-react-addons-pure-render-mixin/-/standalone-react-addons-pure-render-mixin-0.1.1.tgz",
-      "integrity": "sha1-PHQJ9MecQN6axyxhbPZ5qZTzdVE="
-    },
-    "static-extend": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/static-extend/-/static-extend-0.1.2.tgz",
-      "integrity": "sha1-YICcOcv/VTNyJv1eC1IPNB8ftcY=",
-      "dev": true,
-      "requires": {
-        "define-property": "^0.2.5",
-        "object-copy": "^0.1.0"
-      },
-      "dependencies": {
-        "define-property": {
-          "version": "0.2.5",
-          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
-          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
-          "dev": true,
-          "requires": {
-            "is-descriptor": "^0.1.0"
-          }
-        }
-      }
-    },
-    "statuses": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.3.1.tgz",
-      "integrity": "sha1-+vUbnrdKrvOzrPStX2Gr8ky3uT4=",
-      "dev": true
-    },
-    "stream-browserify": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/stream-browserify/-/stream-browserify-2.0.2.tgz",
-      "integrity": "sha512-nX6hmklHs/gr2FuxYDltq8fJA1GDlxKQCz8O/IM4atRqBH8OORmBNgfvW5gG10GT/qQ9u0CzIvr2X5Pkt6ntqg==",
-      "dev": true,
-      "requires": {
-        "inherits": "~2.0.1",
-        "readable-stream": "^2.0.2"
-      }
-    },
-    "stream-http": {
-      "version": "2.8.3",
-      "resolved": "https://registry.npmjs.org/stream-http/-/stream-http-2.8.3.tgz",
-      "integrity": "sha512-+TSkfINHDo4J+ZobQLWiMouQYB+UVYFttRA94FpEzzJ7ZdqcL4uUUQ7WkdkI4DSozGmgBUE/a47L+38PenXhUw==",
-      "dev": true,
-      "requires": {
-        "builtin-status-codes": "^3.0.0",
-        "inherits": "^2.0.1",
-        "readable-stream": "^2.3.6",
-        "to-arraybuffer": "^1.0.0",
-        "xtend": "^4.0.0"
-      }
-    },
-    "stream-throttle": {
-      "version": "0.1.3",
-      "resolved": "https://registry.npmjs.org/stream-throttle/-/stream-throttle-0.1.3.tgz",
-      "integrity": "sha1-rdV8jXzHOoFjDTHNVdOWHPr7qcM=",
-      "dev": true,
-      "requires": {
-        "commander": "^2.2.0",
-        "limiter": "^1.0.5"
-      }
-    },
-    "strftime": {
-      "version": "0.10.0",
-      "resolved": "https://registry.npmjs.org/strftime/-/strftime-0.10.0.tgz",
-      "integrity": "sha1-s/D6QZKVICpaKJ9ta+n0kJphcZM="
-    },
-    "strict-uri-encode": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/strict-uri-encode/-/strict-uri-encode-1.1.0.tgz",
-      "integrity": "sha1-J5siXfHVgrH1TmWt3UNS4Y+qBxM="
-    },
-    "string-width": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-2.1.1.tgz",
-      "integrity": "sha512-nOqH59deCq9SRHlxq1Aw85Jnt4w6KvLKqWVik6oA9ZklXLNIOlqg4F2yrT1MVaTjAqvVwdfeZ7w7aCvJD7ugkw==",
-      "dev": true,
-      "requires": {
-        "is-fullwidth-code-point": "^2.0.0",
-        "strip-ansi": "^4.0.0"
-      },
-      "dependencies": {
-        "ansi-regex": {
-          "version": "3.0.0",
-          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
-          "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg=",
-          "dev": true
-        },
-        "strip-ansi": {
-          "version": "4.0.0",
-          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-4.0.0.tgz",
-          "integrity": "sha1-qEeQIusaw2iocTibY1JixQXuNo8=",
-          "dev": true,
-          "requires": {
-            "ansi-regex": "^3.0.0"
-          }
-        }
-      }
-    },
-    "string.prototype.trimleft": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/string.prototype.trimleft/-/string.prototype.trimleft-2.1.0.tgz",
-      "integrity": "sha512-FJ6b7EgdKxxbDxc79cOlok6Afd++TTs5szo+zJTUyow3ycrRfJVE2pq3vcN53XexvKZu/DJMDfeI/qMiZTrjTw==",
-      "dev": true,
-      "requires": {
-        "define-properties": "^1.1.3",
-        "function-bind": "^1.1.1"
-      }
-    },
-    "string.prototype.trimright": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/string.prototype.trimright/-/string.prototype.trimright-2.1.0.tgz",
-      "integrity": "sha512-fXZTSV55dNBwv16uw+hh5jkghxSnc5oHq+5K/gXgizHwAvMetdAJlHqqoFC1FSDVPYWLkAKl2cxpUT41sV7nSg==",
-      "dev": true,
-      "requires": {
-        "define-properties": "^1.1.3",
-        "function-bind": "^1.1.1"
-      }
-    },
-    "string_decoder": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
-      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
-      "dev": true,
-      "requires": {
-        "safe-buffer": "~5.1.0"
-      }
-    },
-    "strip-ansi": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz",
-      "integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=",
-      "dev": true,
-      "requires": {
-        "ansi-regex": "^2.0.0"
-      }
-    },
-    "strip-bom": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-2.0.0.tgz",
-      "integrity": "sha1-YhmoVhZSBJHzV4i9vxRHqZx+aw4=",
-      "dev": true,
-      "requires": {
-        "is-utf8": "^0.2.0"
-      }
-    },
-    "strip-eof": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/strip-eof/-/strip-eof-1.0.0.tgz",
-      "integrity": "sha1-u0P/VZim6wXYm1n80SnJgzE2Br8=",
-      "dev": true
-    },
-    "stylehacks": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/stylehacks/-/stylehacks-4.0.3.tgz",
-      "integrity": "sha512-7GlLk9JwlElY4Y6a/rmbH2MhVlTyVmiJd1PfTCqFaIBEGMYNsrO/v3SeGTdhBThLg4Z+NbOk/qFMwCa+J+3p/g==",
-      "dev": true,
-      "requires": {
-        "browserslist": "^4.0.0",
-        "postcss": "^7.0.0",
-        "postcss-selector-parser": "^3.0.0"
-      },
-      "dependencies": {
-        "postcss": {
-          "version": "7.0.21",
-          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz",
-          "integrity": "sha512-uIFtJElxJo29QC753JzhidoAhvp/e/Exezkdhfmt8AymWT6/5B7W1WmponYWkHk2eg6sONyTch0A3nkMPun3SQ==",
-          "dev": true,
-          "requires": {
-            "chalk": "^2.4.2",
-            "source-map": "^0.6.1",
-            "supports-color": "^6.1.0"
-          }
-        },
-        "postcss-selector-parser": {
-          "version": "3.1.1",
-          "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-3.1.1.tgz",
-          "integrity": "sha1-T4dfSvsMllc9XPTXQBGu4lCn6GU=",
-          "dev": true,
-          "requires": {
-            "dot-prop": "^4.1.1",
-            "indexes-of": "^1.0.1",
-            "uniq": "^1.0.1"
-          }
-        },
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "6.1.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
-          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
-          "dev": true,
-          "requires": {
-            "has-flag": "^3.0.0"
-          }
-        }
-      }
-    },
-    "stylis": {
-      "version": "3.5.4",
-      "resolved": "https://registry.npmjs.org/stylis/-/stylis-3.5.4.tgz",
-      "integrity": "sha512-8/3pSmthWM7lsPBKv7NXkzn2Uc9W7NotcwGNpJaa3k7WMM1XDCA4MgT5k/8BIexd5ydZdboXtU90XH9Ec4Bv/Q=="
-    },
-    "stylis-rule-sheet": {
-      "version": "0.0.10",
-      "resolved": "https://registry.npmjs.org/stylis-rule-sheet/-/stylis-rule-sheet-0.0.10.tgz",
-      "integrity": "sha512-nTbZoaqoBnmK+ptANthb10ZRZOGC+EmTLLUxeYIuHNkEKcmKgXX1XWKkUBT2Ac4es3NybooPe0SmvKdhKJZAuw=="
-    },
-    "supports-color": {
-      "version": "5.5.0",
-      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
-      "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
-      "requires": {
-        "has-flag": "^3.0.0"
-      }
-    },
-    "svgo": {
-      "version": "1.3.2",
-      "resolved": "https://registry.npmjs.org/svgo/-/svgo-1.3.2.tgz",
-      "integrity": "sha512-yhy/sQYxR5BkC98CY7o31VGsg014AKLEPxdfhora76l36hD9Rdy5NZA/Ocn6yayNPgSamYdtX2rFJdcv07AYVw==",
-      "dev": true,
-      "requires": {
-        "chalk": "^2.4.1",
-        "coa": "^2.0.2",
-        "css-select": "^2.0.0",
-        "css-select-base-adapter": "^0.1.1",
-        "css-tree": "1.0.0-alpha.37",
-        "csso": "^4.0.2",
-        "js-yaml": "^3.13.1",
-        "mkdirp": "~0.5.1",
-        "object.values": "^1.1.0",
-        "sax": "~1.2.4",
-        "stable": "^0.1.8",
-        "unquote": "~1.1.1",
-        "util.promisify": "~1.0.0"
-      }
-    },
-    "symbol-observable": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/symbol-observable/-/symbol-observable-1.0.1.tgz",
-      "integrity": "sha1-g0D8RwLDEi310iKI+IKD9RPT/dQ=",
-      "dev": true
-    },
-    "tapable": {
-      "version": "0.2.9",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-0.2.9.tgz",
-      "integrity": "sha512-2wsvQ+4GwBvLPLWsNfLCDYGsW6xb7aeC6utq2Qh0PFwgEy7K7dsma9Jsmb2zSQj7GvYAyUGSntLtsv++GmgL1A==",
-      "dev": true
-    },
-    "tcomb": {
-      "version": "3.2.29",
-      "resolved": "https://registry.npmjs.org/tcomb/-/tcomb-3.2.29.tgz",
-      "integrity": "sha512-di2Hd1DB2Zfw6StGv861JoAF5h/uQVu/QJp2g8KVbtfKnoHdBQl5M32YWq6mnSYBQ1vFFrns5B1haWJL7rKaOQ==",
-      "dev": true
-    },
-    "tfunk": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/tfunk/-/tfunk-3.1.0.tgz",
-      "integrity": "sha1-OORBT8ZJd9h6/apy+sttKfgve1s=",
-      "dev": true,
-      "requires": {
-        "chalk": "^1.1.1",
-        "object-path": "^0.9.0"
-      },
-      "dependencies": {
-        "ansi-styles": {
-          "version": "2.2.1",
-          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
-          "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4=",
-          "dev": true
-        },
-        "chalk": {
-          "version": "1.1.3",
-          "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz",
-          "integrity": "sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=",
-          "dev": true,
-          "requires": {
-            "ansi-styles": "^2.2.1",
-            "escape-string-regexp": "^1.0.2",
-            "has-ansi": "^2.0.0",
-            "strip-ansi": "^3.0.0",
-            "supports-color": "^2.0.0"
-          }
-        },
-        "supports-color": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
-          "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=",
-          "dev": true
-        }
-      }
-    },
-    "through": {
-      "version": "2.3.8",
-      "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
-      "integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=",
-      "dev": true
-    },
-    "timers-browserify": {
-      "version": "2.0.11",
-      "resolved": "https://registry.npmjs.org/timers-browserify/-/timers-browserify-2.0.11.tgz",
-      "integrity": "sha512-60aV6sgJ5YEbzUdn9c8kYGIqOubPoUdqQCul3SBAsRCZ40s6Y5cMcrW4dt3/k/EsbLVJNl9n6Vz3fTc+k2GeKQ==",
-      "dev": true,
-      "requires": {
-        "setimmediate": "^1.0.4"
-      }
-    },
-    "timsort": {
-      "version": "0.3.0",
-      "resolved": "https://registry.npmjs.org/timsort/-/timsort-0.3.0.tgz",
-      "integrity": "sha1-QFQRqOfmM5/mTbmiNN4R3DHgK9Q=",
-      "dev": true
-    },
-    "tippy.js": {
-      "version": "3.4.1",
-      "resolved": "https://registry.npmjs.org/tippy.js/-/tippy.js-3.4.1.tgz",
-      "integrity": "sha512-ZiyGP9WZyCCcjxKM4G88cm4U1r1ytjeMDGa5FSKPaPzwc/3yZJVZsb1ffcmqUMCpryRp5LNxRNGKLzbs11sb/Q==",
-      "requires": {
-        "popper.js": "^1.14.6"
-      }
-    },
-    "tmp": {
-      "version": "0.0.33",
-      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz",
-      "integrity": "sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==",
-      "dev": true,
-      "requires": {
-        "os-tmpdir": "~1.0.2"
-      }
-    },
-    "to-array": {
-      "version": "0.1.4",
-      "resolved": "https://registry.npmjs.org/to-array/-/to-array-0.1.4.tgz",
-      "integrity": "sha1-F+bBH3PdTz10zaek/zI46a2b+JA=",
-      "dev": true
-    },
-    "to-arraybuffer": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/to-arraybuffer/-/to-arraybuffer-1.0.1.tgz",
-      "integrity": "sha1-fSKbH8xjfkZsoIEYCDanqr/4P0M=",
-      "dev": true
-    },
-    "to-fast-properties": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-2.0.0.tgz",
-      "integrity": "sha1-3F5pjL0HkmW8c+A3doGk5Og/YW4="
-    },
-    "to-object-path": {
-      "version": "0.3.0",
-      "resolved": "https://registry.npmjs.org/to-object-path/-/to-object-path-0.3.0.tgz",
-      "integrity": "sha1-KXWIt7Dn4KwI4E5nL4XB9JmeF68=",
-      "dev": true,
-      "requires": {
-        "kind-of": "^3.0.2"
-      },
-      "dependencies": {
-        "kind-of": {
-          "version": "3.2.2",
-          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
-          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
-          "dev": true,
-          "requires": {
-            "is-buffer": "^1.1.5"
-          }
-        }
-      }
-    },
-    "to-regex": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/to-regex/-/to-regex-3.0.2.tgz",
-      "integrity": "sha512-FWtleNAtZ/Ki2qtqej2CXTOayOH9bHDQF+Q48VpWyDXjbYxA4Yz8iDB31zXOBUlOHHKidDbqGVrTUvQMPmBGBw==",
-      "dev": true,
-      "requires": {
-        "define-property": "^2.0.2",
-        "extend-shallow": "^3.0.2",
-        "regex-not": "^1.0.2",
-        "safe-regex": "^1.1.0"
-      }
-    },
-    "to-regex-range": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-2.1.1.tgz",
-      "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=",
-      "dev": true,
-      "requires": {
-        "is-number": "^3.0.0",
-        "repeat-string": "^1.6.1"
-      }
-    },
-    "toidentifier": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz",
-      "integrity": "sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw==",
-      "dev": true
-    },
-    "topo": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/topo/-/topo-2.0.2.tgz",
-      "integrity": "sha1-zVYVdSU5BXwNwEkaYhw7xvvh0YI=",
-      "dev": true,
-      "requires": {
-        "hoek": "4.x.x"
-      }
-    },
-    "touch": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/touch/-/touch-2.0.2.tgz",
-      "integrity": "sha512-qjNtvsFXTRq7IuMLweVgFxmEuQ6gLbRs2jQxL80TtZ31dEKWYIxRXquij6w6VimyDek5hD3PytljHmEtAs2u0A==",
-      "requires": {
-        "nopt": "~1.0.10"
-      }
-    },
-    "tough-cookie": {
-      "version": "2.4.3",
-      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.4.3.tgz",
-      "integrity": "sha512-Q5srk/4vDM54WJsJio3XNn6K2sCG+CQ8G5Wz6bZhRZoAe/+TxjWB/GlFAnYEbkYVlON9FMk/fE3h2RLpPXo4lQ==",
-      "dev": true,
-      "requires": {
-        "psl": "^1.1.24",
-        "punycode": "^1.4.1"
-      },
-      "dependencies": {
-        "punycode": {
-          "version": "1.4.1",
-          "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.4.1.tgz",
-          "integrity": "sha1-wNWmOycYgArY4esPpSachN1BhF4=",
-          "dev": true
-        }
-      }
-    },
-    "trim-right": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/trim-right/-/trim-right-1.0.1.tgz",
-      "integrity": "sha1-yy4SAwZ+DI3h9hQJS5/kVwTqYAM=",
-      "dev": true
-    },
-    "tryer": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/tryer/-/tryer-1.0.1.tgz",
-      "integrity": "sha512-c3zayb8/kWWpycWYg87P71E1S1ZL6b6IJxfb5fvsUgsf0S2MVGaDhDXXjDMpdCpfWXqptc+4mXwmiy1ypXqRAA==",
-      "dev": true
-    },
-    "tty-browserify": {
-      "version": "0.0.0",
-      "resolved": "https://registry.npmjs.org/tty-browserify/-/tty-browserify-0.0.0.tgz",
-      "integrity": "sha1-oVe6QC2iTpv5V/mqadUk7tQpAaY=",
-      "dev": true
-    },
-    "tunnel-agent": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz",
-      "integrity": "sha1-J6XeoGs2sEoKmWZ3SykIaPD8QP0=",
-      "dev": true,
-      "requires": {
-        "safe-buffer": "^5.0.1"
-      }
-    },
-    "tweetnacl": {
-      "version": "0.14.5",
-      "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz",
-      "integrity": "sha1-WuaBd/GS1EViadEIr6k/+HQ/T2Q=",
-      "dev": true
-    },
-    "type": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/type/-/type-1.2.0.tgz",
-      "integrity": "sha512-+5nt5AAniqsCnu2cEQQdpzCAh33kVx8n0VoFidKpB1dVVLAN/F+bgVOqOJqOnEnrhp222clB5p3vUlD+1QAnfg==",
-      "dev": true
-    },
-    "type-is": {
-      "version": "1.6.18",
-      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
-      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
-      "dev": true,
-      "requires": {
-        "media-typer": "0.3.0",
-        "mime-types": "~2.1.24"
-      }
-    },
-    "ua-parser-js": {
-      "version": "0.7.17",
-      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz",
-      "integrity": "sha512-uRdSdu1oA1rncCQL7sCj8vSyZkgtL7faaw9Tc9rZ3mGgraQ7+Pdx7w5mnOSF3gw9ZNG6oc+KXfkon3bKuROm0g==",
-      "dev": true
-    },
-    "uglify-js": {
-      "version": "2.8.29",
-      "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-2.8.29.tgz",
-      "integrity": "sha1-KcVzMUgFe7Th913zW3qcty5qWd0=",
-      "dev": true,
-      "requires": {
-        "source-map": "~0.5.1",
-        "uglify-to-browserify": "~1.0.0",
-        "yargs": "~3.10.0"
-      },
-      "dependencies": {
-        "camelcase": {
-          "version": "1.2.1",
-          "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-1.2.1.tgz",
-          "integrity": "sha1-m7UwTS4LVmmLLHWLCKPqqdqlijk=",
-          "dev": true
-        },
-        "cliui": {
-          "version": "2.1.0",
-          "resolved": "https://registry.npmjs.org/cliui/-/cliui-2.1.0.tgz",
-          "integrity": "sha1-S0dXYP+AJkx2LDoXGQMukcf+oNE=",
-          "dev": true,
-          "requires": {
-            "center-align": "^0.1.1",
-            "right-align": "^0.1.1",
-            "wordwrap": "0.0.2"
-          }
-        },
-        "window-size": {
-          "version": "0.1.0",
-          "resolved": "https://registry.npmjs.org/window-size/-/window-size-0.1.0.tgz",
-          "integrity": "sha1-VDjNLqk7IC76Ohn+iIeu58lPnJ0=",
-          "dev": true
-        },
-        "yargs": {
-          "version": "3.10.0",
-          "resolved": "https://registry.npmjs.org/yargs/-/yargs-3.10.0.tgz",
-          "integrity": "sha1-9+572FfdfB0tOMDnTvvWgdFDH9E=",
-          "dev": true,
-          "requires": {
-            "camelcase": "^1.0.2",
-            "cliui": "^2.1.0",
-            "decamelize": "^1.0.0",
-            "window-size": "0.1.0"
-          }
-        }
-      }
-    },
-    "uglify-to-browserify": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/uglify-to-browserify/-/uglify-to-browserify-1.0.2.tgz",
-      "integrity": "sha1-bgkk1r2mta/jSeOabWMoUKD4grc=",
-      "dev": true,
-      "optional": true
-    },
-    "uglifyjs-webpack-plugin": {
-      "version": "0.4.6",
-      "resolved": "https://registry.npmjs.org/uglifyjs-webpack-plugin/-/uglifyjs-webpack-plugin-0.4.6.tgz",
-      "integrity": "sha1-uVH0q7a9YX5m9j64kUmOORdj4wk=",
-      "dev": true,
-      "requires": {
-        "source-map": "^0.5.6",
-        "uglify-js": "^2.8.29",
-        "webpack-sources": "^1.0.1"
-      }
-    },
-    "ultron": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/ultron/-/ultron-1.1.1.tgz",
-      "integrity": "sha512-UIEXBNeYmKptWH6z8ZnqTeS8fV74zG0/eRU9VGkpzz+LIJNs8W/zM/L+7ctCkRrgbNnnR0xxw4bKOr0cW0N0Og==",
-      "dev": true
-    },
-    "underscore.string": {
-      "version": "3.3.5",
-      "resolved": "https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.5.tgz",
-      "integrity": "sha512-g+dpmgn+XBneLmXXo+sGlW5xQEt4ErkS3mgeN2GFbremYeMBSJKr9Wf2KJplQVaiPY/f7FN6atosWYNm9ovrYg==",
-      "dev": true,
-      "requires": {
-        "sprintf-js": "^1.0.3",
-        "util-deprecate": "^1.0.2"
-      }
-    },
-    "unfetch": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/unfetch/-/unfetch-4.1.0.tgz",
-      "integrity": "sha512-crP/n3eAPUJxZXM9T80/yv0YhkTEx2K1D3h7D1AJM6fzsWZrxdyRuLN0JH/dkZh1LNH8LxCnBzoPFCPbb2iGpg=="
-    },
-    "union-value": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/union-value/-/union-value-1.0.1.tgz",
-      "integrity": "sha512-tJfXmxMeWYnczCVs7XAEvIV7ieppALdyepWMkHkwciRpZraG/xwT+s2JN8+pr1+8jCRf80FFzvr+MpQeeoF4Xg==",
-      "dev": true,
-      "requires": {
-        "arr-union": "^3.1.0",
-        "get-value": "^2.0.6",
-        "is-extendable": "^0.1.1",
-        "set-value": "^2.0.1"
-      }
-    },
-    "uniq": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/uniq/-/uniq-1.0.1.tgz",
-      "integrity": "sha1-sxxa6CVIRKOoKBVBzisEuGWnNP8=",
-      "dev": true
-    },
-    "uniqs": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/uniqs/-/uniqs-2.0.0.tgz",
-      "integrity": "sha1-/+3ks2slKQaW5uFl1KWe25mOawI=",
-      "dev": true
-    },
-    "units-css": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/units-css/-/units-css-0.4.0.tgz",
-      "integrity": "sha1-1iKGU6UZg9fBb/KPi53Dsf/tOgc=",
-      "dev": true,
-      "requires": {
-        "isnumeric": "^0.2.0",
-        "viewport-dimensions": "^0.2.0"
-      }
-    },
-    "universal-analytics": {
-      "version": "0.4.20",
-      "resolved": "https://registry.npmjs.org/universal-analytics/-/universal-analytics-0.4.20.tgz",
-      "integrity": "sha512-gE91dtMvNkjO+kWsPstHRtSwHXz0l2axqptGYp5ceg4MsuurloM0PU3pdOfpb5zBXUvyjT4PwhWK2m39uczZuw==",
-      "dev": true,
-      "requires": {
-        "debug": "^3.0.0",
-        "request": "^2.88.0",
-        "uuid": "^3.0.0"
-      },
-      "dependencies": {
-        "debug": {
-          "version": "3.2.6",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.6.tgz",
-          "integrity": "sha512-mel+jf7nrtEl5Pn1Qx46zARXKDpBbvzezse7p7LqINmdoIk8PYP5SySaxEmYv6TZ0JyEKA1hsCId6DIhgITtWQ==",
-          "dev": true,
-          "requires": {
-            "ms": "^2.1.1"
-          }
-        },
-        "ms": {
-          "version": "2.1.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-          "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
-          "dev": true
-        }
-      }
-    },
-    "universalify": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz",
-      "integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==",
-      "dev": true
-    },
-    "unpipe": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
-      "integrity": "sha1-sr9O6FFKrmFltIF4KdIbLvSZBOw=",
-      "dev": true
-    },
-    "unquote": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/unquote/-/unquote-1.1.1.tgz",
-      "integrity": "sha1-j97XMk7G6IoP+LkF58CYzcCG1UQ=",
-      "dev": true
-    },
-    "unset-value": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/unset-value/-/unset-value-1.0.0.tgz",
-      "integrity": "sha1-g3aHP30jNRef+x5vw6jtDfyKtVk=",
-      "dev": true,
-      "requires": {
-        "has-value": "^0.3.1",
-        "isobject": "^3.0.0"
-      },
-      "dependencies": {
-        "has-value": {
-          "version": "0.3.1",
-          "resolved": "https://registry.npmjs.org/has-value/-/has-value-0.3.1.tgz",
-          "integrity": "sha1-ex9YutpiyoJ+wKIHgCVlSEWZXh8=",
-          "dev": true,
-          "requires": {
-            "get-value": "^2.0.3",
-            "has-values": "^0.1.4",
-            "isobject": "^2.0.0"
-          },
-          "dependencies": {
-            "isobject": {
-              "version": "2.1.0",
-              "resolved": "https://registry.npmjs.org/isobject/-/isobject-2.1.0.tgz",
-              "integrity": "sha1-8GVWEJaj8dou9GJy+BXIQNh+DIk=",
-              "dev": true,
-              "requires": {
-                "isarray": "1.0.0"
-              }
-            }
-          }
-        },
-        "has-values": {
-          "version": "0.1.4",
-          "resolved": "https://registry.npmjs.org/has-values/-/has-values-0.1.4.tgz",
-          "integrity": "sha1-bWHeldkd/Km5oCCJrThL/49it3E=",
-          "dev": true
-        },
-        "isarray": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
-          "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=",
-          "dev": true
-        }
-      }
-    },
-    "upath": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/upath/-/upath-1.2.0.tgz",
-      "integrity": "sha512-aZwGpamFO61g3OlfT7OQCHqhGnW43ieH9WZeP7QxN/G/jS4jfqUkZxoryvJgVPEcrl5NL/ggHsSmLMHuH64Lhg==",
-      "dev": true
-    },
-    "uri-js": {
-      "version": "4.2.2",
-      "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.2.2.tgz",
-      "integrity": "sha512-KY9Frmirql91X2Qgjry0Wd4Y+YTdrdZheS8TFwvkbLWf/G5KNJDCh6pKL5OZctEW4+0Baa5idK2ZQuELRwPznQ==",
-      "dev": true,
-      "requires": {
-        "punycode": "^2.1.0"
-      }
-    },
-    "urix": {
-      "version": "0.1.0",
-      "resolved": "https://registry.npmjs.org/urix/-/urix-0.1.0.tgz",
-      "integrity": "sha1-2pN/emLiH+wf0Y1Js1wpNQZ6bHI=",
-      "dev": true
-    },
-    "url": {
-      "version": "0.11.0",
-      "resolved": "https://registry.npmjs.org/url/-/url-0.11.0.tgz",
-      "integrity": "sha1-ODjpfPxgUh63PFJajlW/3Z4uKPE=",
-      "dev": true,
-      "requires": {
-        "punycode": "1.3.2",
-        "querystring": "0.2.0"
-      },
-      "dependencies": {
-        "punycode": {
-          "version": "1.3.2",
-          "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.3.2.tgz",
-          "integrity": "sha1-llOgNvt8HuQjQvIyXM7v6jkmxI0=",
-          "dev": true
-        }
-      }
-    },
-    "use": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/use/-/use-3.1.1.tgz",
-      "integrity": "sha512-cwESVXlO3url9YWlFW/TA9cshCEhtu7IKJ/p5soJ/gGpj7vbvFrAY/eIioQ6Dw23KjZhYgiIo8HOs1nQ2vr/oQ==",
-      "dev": true
-    },
-    "util": {
-      "version": "0.11.1",
-      "resolved": "https://registry.npmjs.org/util/-/util-0.11.1.tgz",
-      "integrity": "sha512-HShAsny+zS2TZfaXxD9tYj4HQGlBezXZMZuM/S5PKLLoZkShZiGk9o5CzukI1LVHZvjdvZ2Sj1aW/Ndn2NB/HQ==",
-      "dev": true,
-      "requires": {
-        "inherits": "2.0.3"
-      },
-      "dependencies": {
-        "inherits": {
-          "version": "2.0.3",
-          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
-          "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=",
-          "dev": true
-        }
-      }
-    },
-    "util-deprecate": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
-      "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=",
-      "dev": true
-    },
-    "util.promisify": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/util.promisify/-/util.promisify-1.0.0.tgz",
-      "integrity": "sha512-i+6qA2MPhvoKLuxnJNpXAGhg7HphQOSUq2LKMZD0m15EiskXUkMvKdF4Uui0WYeCUGea+o2cw/ZuwehtfsrNkA==",
-      "dev": true,
-      "requires": {
-        "define-properties": "^1.1.2",
-        "object.getownpropertydescriptors": "^2.0.3"
-      }
-    },
-    "utils-merge": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
-      "integrity": "sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=",
-      "dev": true
-    },
-    "uuid": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.3.3.tgz",
-      "integrity": "sha512-pW0No1RGHgzlpHJO1nsVrHKpOEIxkGg1xB+v0ZmdNH5OAeAwzAVrCnI2/6Mtx+Uys6iaylxa+D3g4j63IKKjSQ==",
-      "dev": true
-    },
-    "validate-npm-package-license": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz",
-      "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==",
-      "dev": true,
-      "requires": {
-        "spdx-correct": "^3.0.0",
-        "spdx-expression-parse": "^3.0.0"
-      }
-    },
-    "vary": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
-      "integrity": "sha1-IpnwLG3tMNSllhsLn3RSShj2NPw=",
-      "dev": true
-    },
-    "vendors": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/vendors/-/vendors-1.0.3.tgz",
-      "integrity": "sha512-fOi47nsJP5Wqefa43kyWSg80qF+Q3XA6MUkgi7Hp1HQaKDQW4cQrK2D0P7mmbFtsV1N89am55Yru/nyEwRubcw==",
-      "dev": true
-    },
-    "verror": {
-      "version": "1.10.0",
-      "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
-      "integrity": "sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=",
-      "dev": true,
-      "requires": {
-        "assert-plus": "^1.0.0",
-        "core-util-is": "1.0.2",
-        "extsprintf": "^1.2.0"
-      }
-    },
-    "viewport-dimensions": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/viewport-dimensions/-/viewport-dimensions-0.2.0.tgz",
-      "integrity": "sha1-3nQHR9tTh/0XJfUXXpG6x2r982w=",
-      "dev": true
-    },
-    "vm-browserify": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/vm-browserify/-/vm-browserify-1.1.0.tgz",
-      "integrity": "sha512-iq+S7vZJE60yejDYM0ek6zg308+UZsdtPExWP9VZoCFCz1zkJoXFnAX7aZfd/ZwrkidzdUZL0C/ryW+JwAiIGw==",
-      "dev": true
-    },
-    "watchpack": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-1.6.0.tgz",
-      "integrity": "sha512-i6dHe3EyLjMmDlU1/bGQpEw25XSjkJULPuAVKCbNRefQVq48yXKUpwg538F7AZTf9kyr57zj++pQFltUa5H7yA==",
-      "dev": true,
-      "requires": {
-        "chokidar": "^2.0.2",
-        "graceful-fs": "^4.1.2",
-        "neo-async": "^2.5.0"
-      }
-    },
-    "webpack": {
-      "version": "3.12.0",
-      "resolved": "https://registry.npmjs.org/webpack/-/webpack-3.12.0.tgz",
-      "integrity": "sha512-Sw7MdIIOv/nkzPzee4o0EdvCuPmxT98+vVpIvwtcwcF1Q4SDSNp92vwcKc4REe7NItH9f1S4ra9FuQ7yuYZ8bQ==",
-      "dev": true,
-      "requires": {
-        "acorn": "^5.0.0",
-        "acorn-dynamic-import": "^2.0.0",
-        "ajv": "^6.1.0",
-        "ajv-keywords": "^3.1.0",
-        "async": "^2.1.2",
-        "enhanced-resolve": "^3.4.0",
-        "escope": "^3.6.0",
-        "interpret": "^1.0.0",
-        "json-loader": "^0.5.4",
-        "json5": "^0.5.1",
-        "loader-runner": "^2.3.0",
-        "loader-utils": "^1.1.0",
-        "memory-fs": "~0.4.1",
-        "mkdirp": "~0.5.0",
-        "node-libs-browser": "^2.0.0",
-        "source-map": "^0.5.3",
-        "supports-color": "^4.2.1",
-        "tapable": "^0.2.7",
-        "uglifyjs-webpack-plugin": "^0.4.6",
-        "watchpack": "^1.4.0",
-        "webpack-sources": "^1.0.1",
-        "yargs": "^8.0.2"
-      },
-      "dependencies": {
-        "async": {
-          "version": "2.6.3",
-          "resolved": "https://registry.npmjs.org/async/-/async-2.6.3.tgz",
-          "integrity": "sha512-zflvls11DCy+dQWzTW2dzuilv8Z5X/pjfmZOWba6TNIVDm+2UDaJmXSOXlasHKfNBs8oo3M0aT50fDEWfKZjXg==",
-          "dev": true,
-          "requires": {
-            "lodash": "^4.17.14"
-          }
-        },
-        "camelcase": {
-          "version": "4.1.0",
-          "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-4.1.0.tgz",
-          "integrity": "sha1-1UVjW+HjPFQmScaRc+Xeas+uNN0=",
-          "dev": true
-        },
-        "has-flag": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-2.0.0.tgz",
-          "integrity": "sha1-6CB68cx7MNRGzHC3NLXovhj4jVE=",
-          "dev": true
-        },
-        "load-json-file": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-2.0.0.tgz",
-          "integrity": "sha1-eUfkIUmvgNaWy/eXvKq8/h/inKg=",
-          "dev": true,
-          "requires": {
-            "graceful-fs": "^4.1.2",
-            "parse-json": "^2.2.0",
-            "pify": "^2.0.0",
-            "strip-bom": "^3.0.0"
-          }
-        },
-        "os-locale": {
-          "version": "2.1.0",
-          "resolved": "https://registry.npmjs.org/os-locale/-/os-locale-2.1.0.tgz",
-          "integrity": "sha512-3sslG3zJbEYcaC4YVAvDorjGxc7tv6KVATnLPZONiljsUncvihe9BQoVCEs0RZ1kmf4Hk9OBqlZfJZWI4GanKA==",
-          "dev": true,
-          "requires": {
-            "execa": "^0.7.0",
-            "lcid": "^1.0.0",
-            "mem": "^1.1.0"
-          }
-        },
-        "parse-json": {
-          "version": "2.2.0",
-          "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-2.2.0.tgz",
-          "integrity": "sha1-9ID0BDTvgHQfhGkJn43qGPVaTck=",
-          "dev": true,
-          "requires": {
-            "error-ex": "^1.2.0"
-          }
-        },
-        "path-type": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/path-type/-/path-type-2.0.0.tgz",
-          "integrity": "sha1-8BLMuEFbcJb8LaoQVMPXI4lZTHM=",
-          "dev": true,
-          "requires": {
-            "pify": "^2.0.0"
-          }
-        },
-        "pify": {
-          "version": "2.3.0",
-          "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
-          "integrity": "sha1-7RQaasBDqEnqWISY59yosVMw6Qw=",
-          "dev": true
-        },
-        "read-pkg": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-2.0.0.tgz",
-          "integrity": "sha1-jvHAYjxqbbDcZxPEv6xGMysjaPg=",
-          "dev": true,
-          "requires": {
-            "load-json-file": "^2.0.0",
-            "normalize-package-data": "^2.3.2",
-            "path-type": "^2.0.0"
-          }
-        },
-        "read-pkg-up": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/read-pkg-up/-/read-pkg-up-2.0.0.tgz",
-          "integrity": "sha1-a3KoBImE4MQeeVEP1en6mbO1Sb4=",
-          "dev": true,
-          "requires": {
-            "find-up": "^2.0.0",
-            "read-pkg": "^2.0.0"
-          }
-        },
-        "strip-bom": {
-          "version": "3.0.0",
-          "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-3.0.0.tgz",
-          "integrity": "sha1-IzTBjpx1n3vdVv3vfprj1YjmjtM=",
-          "dev": true
-        },
-        "supports-color": {
-          "version": "4.5.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-4.5.0.tgz",
-          "integrity": "sha1-vnoN5ITexcXN34s9WRJQRJEvY1s=",
-          "dev": true,
-          "requires": {
-            "has-flag": "^2.0.0"
-          }
-        },
-        "which-module": {
-          "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.0.tgz",
-          "integrity": "sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=",
-          "dev": true
-        },
-        "yargs": {
-          "version": "8.0.2",
-          "resolved": "https://registry.npmjs.org/yargs/-/yargs-8.0.2.tgz",
-          "integrity": "sha1-YpmpBVsc78lp/355wdkY3Osiw2A=",
-          "dev": true,
-          "requires": {
-            "camelcase": "^4.1.0",
-            "cliui": "^3.2.0",
-            "decamelize": "^1.1.1",
-            "get-caller-file": "^1.0.1",
-            "os-locale": "^2.0.0",
-            "read-pkg-up": "^2.0.0",
-            "require-directory": "^2.1.1",
-            "require-main-filename": "^1.0.1",
-            "set-blocking": "^2.0.0",
-            "string-width": "^2.0.0",
-            "which-module": "^2.0.0",
-            "y18n": "^3.2.1",
-            "yargs-parser": "^7.0.0"
-          }
-        },
-        "yargs-parser": {
-          "version": "7.0.0",
-          "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz",
-          "integrity": "sha1-jQrELxbqVd69MyyvTEA4s+P139k=",
-          "dev": true,
-          "requires": {
-            "camelcase": "^4.1.0"
-          }
-        }
-      }
-    },
-    "webpack-bundle-analyzer": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/webpack-bundle-analyzer/-/webpack-bundle-analyzer-3.6.0.tgz",
-      "integrity": "sha512-orUfvVYEfBMDXgEKAKVvab5iQ2wXneIEorGNsyuOyVYpjYrI7CUOhhXNDd3huMwQ3vNNWWlGP+hzflMFYNzi2g==",
-      "dev": true,
-      "requires": {
-        "acorn": "^6.0.7",
-        "acorn-walk": "^6.1.1",
-        "bfj": "^6.1.1",
-        "chalk": "^2.4.1",
-        "commander": "^2.18.0",
-        "ejs": "^2.6.1",
-        "express": "^4.16.3",
-        "filesize": "^3.6.1",
-        "gzip-size": "^5.0.0",
-        "lodash": "^4.17.15",
-        "mkdirp": "^0.5.1",
-        "opener": "^1.5.1",
-        "ws": "^6.0.0"
-      },
-      "dependencies": {
-        "acorn": {
-          "version": "6.3.0",
-          "resolved": "https://registry.npmjs.org/acorn/-/acorn-6.3.0.tgz",
-          "integrity": "sha512-/czfa8BwS88b9gWQVhc8eknunSA2DoJpJyTQkhheIf5E48u1N0R4q/YxxsAeqRrmK9TQ/uYfgLDfZo91UlANIA==",
-          "dev": true
-        }
-      }
-    },
-    "webpack-sources": {
-      "version": "1.4.3",
-      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz",
-      "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==",
-      "dev": true,
-      "requires": {
-        "source-list-map": "^2.0.0",
-        "source-map": "~0.6.1"
-      },
-      "dependencies": {
-        "source-map": {
-          "version": "0.6.1",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-          "dev": true
-        }
-      }
-    },
-    "whatwg-fetch": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.0.0.tgz",
-      "integrity": "sha512-9GSJUgz1D4MfyKU7KRqwOjXCXTqWdFNvEr7eUBYchQiVc744mqK/MzXPNR2WsPkmkOa4ywfg8C2n8h+13Bey1Q=="
-    },
-    "when": {
-      "version": "3.7.8",
-      "resolved": "https://registry.npmjs.org/when/-/when-3.7.8.tgz",
-      "integrity": "sha1-xxMLan6gRpPoQs3J56Hyqjmjn4I="
-    },
-    "which": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz",
-      "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
-      "dev": true,
-      "requires": {
-        "isexe": "^2.0.0"
-      }
-    },
-    "which-module": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/which-module/-/which-module-1.0.0.tgz",
-      "integrity": "sha1-u6Y8qGGUiZT/MHc2CJ47lgJsKk8=",
-      "dev": true
-    },
-    "window-size": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/window-size/-/window-size-0.2.0.tgz",
-      "integrity": "sha1-tDFbtCFKPXBY6+7okuE/ok2YsHU=",
-      "dev": true
-    },
-    "with": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/with/-/with-6.0.0.tgz",
-      "integrity": "sha512-FrwIIWGUkHViaUXWmEvcwKy+eI0ajKh/Xq192o2kwFtSI7lS7xE5O1E2VNurhWE9ZLRDwr6GAAkKDsDIyStUuw==",
-      "dev": true,
-      "requires": {
-        "babel-runtime": "^6.11.6",
-        "babel-types": "^6.15.0",
-        "babylon": "^6.9.1",
-        "babylon-walk": "^1.0.2"
-      }
-    },
-    "wordwrap": {
-      "version": "0.0.2",
-      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.2.tgz",
-      "integrity": "sha1-t5Zpu0LstAn4PVg8rVLKF+qhZD8=",
-      "dev": true
-    },
-    "wrap-ansi": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-2.1.0.tgz",
-      "integrity": "sha1-2Pw9KE3QV5T+hJc8rs3Rz4JP3YU=",
-      "dev": true,
-      "requires": {
-        "string-width": "^1.0.1",
-        "strip-ansi": "^3.0.1"
-      },
-      "dependencies": {
-        "is-fullwidth-code-point": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz",
-          "integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=",
-          "dev": true,
-          "requires": {
-            "number-is-nan": "^1.0.0"
-          }
-        },
-        "string-width": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz",
-          "integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=",
-          "dev": true,
-          "requires": {
-            "code-point-at": "^1.0.0",
-            "is-fullwidth-code-point": "^1.0.0",
-            "strip-ansi": "^3.0.0"
-          }
-        }
-      }
-    },
-    "wrappy": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
-      "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
-      "dev": true
-    },
-    "write-file-stdout": {
-      "version": "0.0.2",
-      "resolved": "https://registry.npmjs.org/write-file-stdout/-/write-file-stdout-0.0.2.tgz",
-      "integrity": "sha1-wlLXx8WxtAKJdjDjRTx7/mkNnKE=",
-      "dev": true
-    },
-    "ws": {
-      "version": "6.1.4",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-6.1.4.tgz",
-      "integrity": "sha512-eqZfL+NE/YQc1/ZynhojeV8q+H050oR8AZ2uIev7RU10svA9ZnJUddHcOUZTJLinZ9yEfdA2kSATS2qZK5fhJA==",
-      "dev": true,
-      "requires": {
-        "async-limiter": "~1.0.0"
-      }
-    },
-    "xmlhttprequest-ssl": {
-      "version": "1.5.5",
-      "resolved": "https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz",
-      "integrity": "sha1-wodrBhaKrcQOV9l+gRkayPQ5iz4=",
-      "dev": true
-    },
-    "xtend": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
-      "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==",
-      "dev": true
-    },
-    "y18n": {
-      "version": "3.2.1",
-      "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz",
-      "integrity": "sha1-bRX7qITAhnnA136I53WegR4H+kE=",
-      "dev": true
-    },
-    "yallist": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/yallist/-/yallist-2.1.2.tgz",
-      "integrity": "sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI=",
-      "dev": true
-    },
-    "yargs": {
-      "version": "6.4.0",
-      "resolved": "https://registry.npmjs.org/yargs/-/yargs-6.4.0.tgz",
-      "integrity": "sha1-gW4ahm1VmMzzTlWW3c4i2S2kkNQ=",
-      "dev": true,
-      "requires": {
-        "camelcase": "^3.0.0",
-        "cliui": "^3.2.0",
-        "decamelize": "^1.1.1",
-        "get-caller-file": "^1.0.1",
-        "os-locale": "^1.4.0",
-        "read-pkg-up": "^1.0.1",
-        "require-directory": "^2.1.1",
-        "require-main-filename": "^1.0.1",
-        "set-blocking": "^2.0.0",
-        "string-width": "^1.0.2",
-        "which-module": "^1.0.0",
-        "window-size": "^0.2.0",
-        "y18n": "^3.2.1",
-        "yargs-parser": "^4.1.0"
-      },
-      "dependencies": {
-        "is-fullwidth-code-point": {
-          "version": "1.0.0",
-          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz",
-          "integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=",
-          "dev": true,
-          "requires": {
-            "number-is-nan": "^1.0.0"
-          }
-        },
-        "string-width": {
-          "version": "1.0.2",
-          "resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz",
-          "integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=",
-          "dev": true,
-          "requires": {
-            "code-point-at": "^1.0.0",
-            "is-fullwidth-code-point": "^1.0.0",
-            "strip-ansi": "^3.0.0"
-          }
-        }
-      }
-    },
-    "yargs-parser": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-4.2.1.tgz",
-      "integrity": "sha1-KczqwNxPA8bIe0qfIX3RjJ90hxw=",
-      "dev": true,
-      "requires": {
-        "camelcase": "^3.0.0"
-      }
-    },
-    "yeast": {
-      "version": "0.1.2",
-      "resolved": "https://registry.npmjs.org/yeast/-/yeast-0.1.2.tgz",
-      "integrity": "sha1-AI4G2AlDIMNy28L47XagymyKxBk=",
-      "dev": true
-    }
-  }
-}
diff --git a/website/assets/package.json b/website/assets/package.json
deleted file mode 100644
index 32b70d376348..000000000000
--- a/website/assets/package.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
-  "name": "middleman-spike-assets",
-  "description": "simple config to use postcss and webpack for asset processing",
-  "version": "0.0.0",
-  "author": "Jeff Escalante",
-  "main": "app.js",
-  "dependencies": {
-    "8fold-marked": "^0.3.8",
-    "@hashicorp-tmp/consent-manager": "^0.0.5",
-    "@hashicorp/hashi-alert": "^2.0.0",
-    "@hashicorp/hashi-button": "^2.0.0",
-    "@hashicorp/hashi-case-study-slider": "^2.3.0",
-    "@hashicorp/hashi-code-block": "^1.2.0",
-    "@hashicorp/hashi-consent-manager": "^2.0.0",
-    "@hashicorp/hashi-content": "^2.0.1",
-    "@hashicorp/hashi-docs-sidenav": "^2.0.0",
-    "@hashicorp/hashi-docs-sitemap": "^0.1.6",
-    "@hashicorp/hashi-footer": "^2.0.2",
-    "@hashicorp/hashi-ga-form-fields": "1.0.2",
-    "@hashicorp/hashi-global-styles": "^2.0.3",
-    "@hashicorp/hashi-hero": "^4.0.0",
-    "@hashicorp/hashi-image": "1.0.5",
-    "@hashicorp/hashi-linked-text-summary-list": "^1.0.1",
-    "@hashicorp/hashi-logo-grid": "^2.4.1",
-    "@hashicorp/hashi-mega-nav": "2.0.0",
-    "@hashicorp/hashi-nav": "^1.1.2",
-    "@hashicorp/hashi-newsletter-signup-form": "^2.0.0",
-    "@hashicorp/hashi-product-downloader": "^1.0.0",
-    "@hashicorp/hashi-product-subnav": "^1.0.1",
-    "@hashicorp/hashi-section-header": "^5.0.0",
-    "@hashicorp/hashi-split-cta": "^1.0.0",
-    "@hashicorp/hashi-text-and-content": "^1.1.0",
-    "@hashicorp/hashi-toggle": "0.2.3",
-    "@hashicorp/hashi-use-cases": "^1.0.1",
-    "@hashicorp/hashi-vertical-text-block-list": "^1.0.0",
-    "@hashicorp/js-utils": "^1.0.0",
-    "@hashicorp/localstorage-polyfill": "^1.0.3",
-    "@segment/in-eu": "^0.2.1",
-    "@segment/top-domain": "^3.0.0",
-    "color-contrast": "^0.0.1",
-    "highlight.js": "^9.15.10",
-    "js-cookie": "^2.2.0",
-    "marked": "^0.5.1",
-    "normalize.css": "^8.0.0",
-    "object-assign": "^4.1.1",
-    "object-fit-images": "^3.2.4",
-    "postcss-extend-rule": "^2.0.0",
-    "preact": "^8.3.1",
-    "promise-polyfill": "^8.1.0",
-    "query-string": "^5.1.1",
-    "reshape-preact-components": "^0.6.0",
-    "siema": "^1.5.1",
-    "slugify": "^1.3.1",
-    "strftime": "^0.10.0",
-    "tippy.js": "^3.0.6",
-    "unfetch": "^4.0.1"
-  },
-  "devDependencies": {
-    "babel-preset-preact": "^1.1.0",
-    "babel-register": "^6.26.0",
-    "node-fetch": "^2.2.1",
-    "spike": "^2.3.0",
-    "spike-css-standards": "^4.0.0",
-    "spike-js-standards": "^2.1.0",
-    "webpack-bundle-analyzer": "^3.0.3"
-  }
-}
diff --git a/website/assets/reshape.js b/website/assets/reshape.js
deleted file mode 100644
index a59a40a81efe..000000000000
--- a/website/assets/reshape.js
+++ /dev/null
@@ -1,42 +0,0 @@
-const button = require('@hashicorp/hashi-button')
-const caseStudySlider = require('@hashicorp/hashi-case-study-slider')
-const consentManager = require('@hashicorp/hashi-consent-manager')
-const content = require('@hashicorp/hashi-content')
-const docsSidenav = require('@hashicorp/hashi-docs-sidenav')
-const docsSitemap = require('@hashicorp/hashi-docs-sitemap')
-const footer = require('@hashicorp/hashi-footer')
-const hero = require('@hashicorp/hashi-hero')
-const linkedTextSummaryList = require('@hashicorp/hashi-linked-text-summary-list')
-const megaNav = require('@hashicorp/hashi-mega-nav')
-const nav = require('@hashicorp/hashi-nav')
-const productDownloader = require('@hashicorp/hashi-product-downloader')
-const productSubnav = require('@hashicorp/hashi-product-subnav')
-const sectionHeader = require('@hashicorp/hashi-section-header')
-const splitCta = require('@hashicorp/hashi-split-cta')
-const textAndContent = require('@hashicorp/hashi-text-and-content')
-const useCases = require('@hashicorp/hashi-use-cases')
-const verticalTextBlockList = require('@hashicorp/hashi-vertical-text-block-list')
-
-const beforeAfterDiagram = require('./js/components/before-after-diagram')
-
-module.exports = {
-  'hashi-button': button,
-  'hashi-case-study-slider': caseStudySlider,
-  'hashi-consent-manager': consentManager,
-  'hashi-content': content,
-  'hashi-docs-sidenav': docsSidenav,
-  'hashi-docs-sitemap': docsSitemap,
-  'hashi-footer': footer,
-  'hashi-hero': hero,
-  'hashi-linked-text-summary-list': linkedTextSummaryList,
-  'hashi-mega-nav': megaNav,
-  'hashi-nav': nav,
-  'hashi-product-downloader': productDownloader,
-  'hashi-product-subnav': productSubnav,
-  'hashi-section-header': sectionHeader,
-  'hashi-split-cta': splitCta,
-  'hashi-text-and-content': textAndContent,
-  'hashi-use-cases': useCases,
-  'hashi-vertical-text-block-list': verticalTextBlockList,
-  'hashi-before-after': beforeAfterDiagram
-}
diff --git a/website/assets/yarn.lock b/website/assets/yarn.lock
deleted file mode 100644
index b468520e7fec..000000000000
--- a/website/assets/yarn.lock
+++ /dev/null
@@ -1,7314 +0,0 @@
-# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
-# yarn lockfile v1
-
-
-"8fold-marked@^0.3.8":
-  version "0.3.9"
-  resolved "https://registry.yarnpkg.com/8fold-marked/-/8fold-marked-0.3.9.tgz#bb89c645612f8ccfaffac1ca6e3c11f168c9cf59"
-  integrity sha512-OmVTXzmvQk/WuVZnOa+sT6wpkLrkPrjYanXS3X0ib1yk6315iwuPmvwKkOOdpqznYmavyT2ZCDOo6MeFe4xSog==
-
-"@babel/helper-module-imports@7.0.0-beta.40":
-  version "7.0.0-beta.40"
-  resolved "https://registry.yarnpkg.com/@babel/helper-module-imports/-/helper-module-imports-7.0.0-beta.40.tgz#251cbb6404599282e8f7356a5b32c9381bef5d2d"
-  integrity sha512-QFOskAKWbqJSBbGIl/Y1igJI4mW0A+wD5NFqsgDJj85KSvj/dHM4wNGIeqCi85nN9aMa4DgTBBrzUK4zSMsN2Q==
-  dependencies:
-    "@babel/types" "7.0.0-beta.40"
-    lodash "^4.2.0"
-
-"@babel/types@7.0.0-beta.40":
-  version "7.0.0-beta.40"
-  resolved "https://registry.yarnpkg.com/@babel/types/-/types-7.0.0-beta.40.tgz#25c3d7aae14126abe05fcb098c65a66b6d6b8c14"
-  integrity sha512-uXCGCzTgMZxcSUzutCPtZmXbVC+cvENgS2e0tRuhn+Y1hZnMb8IHP0Trq7Q2MB/eFmG5pKrAeTIUfQIe5kA4Tg==
-  dependencies:
-    esutils "^2.0.2"
-    lodash "^4.2.0"
-    to-fast-properties "^2.0.0"
-
-"@emotion/babel-utils@^0.5.3":
-  version "0.5.3"
-  resolved "https://registry.yarnpkg.com/@emotion/babel-utils/-/babel-utils-0.5.3.tgz#6be6dd7a480fdbdfb6cbba7f4f6d9361744b8d6e"
-  integrity sha1-a+bdekgP29+2y7p/T22TYXRLjW4=
-
-"@emotion/hash@^0.6.2":
-  version "0.6.3"
-  resolved "https://registry.yarnpkg.com/@emotion/hash/-/hash-0.6.3.tgz#0e7a5604626fc6c6d4ac4061a2f5ac80d50262a4"
-  integrity sha1-DnpWBGJvxsbUrEBhovWsgNUCYqQ=
-
-"@emotion/is-prop-valid@^0.6.1":
-  version "0.6.2"
-  resolved "https://registry.yarnpkg.com/@emotion/is-prop-valid/-/is-prop-valid-0.6.2.tgz#a76a16b174ff03f8e3a27faf6259bacd21a02adc"
-  integrity sha1-p2oWsXT/A/jjon+vYlm6zSGgKtw=
-  dependencies:
-    "@emotion/memoize" "^0.6.2"
-
-"@emotion/memoize@^0.6.1", "@emotion/memoize@^0.6.2":
-  version "0.6.2"
-  resolved "https://registry.yarnpkg.com/@emotion/memoize/-/memoize-0.6.2.tgz#138e00b332d519b4e307bded6159e5ba48aba3ae"
-  integrity sha1-E44AszLVGbTjB73tYVnlukiro64=
-
-"@emotion/stylis@^0.6.5":
-  version "0.6.8"
-  resolved "https://registry.yarnpkg.com/@emotion/stylis/-/stylis-0.6.8.tgz#6ad4e8d32b19b440efa4481bbbcb98a8c12765bb"
-  integrity sha1-atTo0ysZtEDvpEgbu8uYqMEnZbs=
-
-"@emotion/unitless@^0.6.2":
-  version "0.6.3"
-  resolved "https://registry.yarnpkg.com/@emotion/unitless/-/unitless-0.6.3.tgz#65682e68a82701c70eefb38d7f941a2c0bfa90de"
-  integrity sha1-ZWguaKgnAccO77ONf5QaLAv6kN4=
-
-"@hashicorp-tmp/consent-manager@^0.0.5":
-  version "0.0.5"
-  resolved "https://registry.yarnpkg.com/@hashicorp-tmp/consent-manager/-/consent-manager-0.0.5.tgz#842988212bf132004dd4a86d87c03f33126aecdb"
-  integrity sha1-hCmIISvxMgBN1Khth8A/MxJq7Ns=
-  dependencies:
-    "@segment/top-domain" "^3.0.0"
-    babel-runtime "^6.26.0"
-    emotion "^9.1.2"
-    isomorphic-fetch "^2.2.1"
-    js-cookie "^2.2.0"
-    lodash "^4.17.5"
-    nanoid "^1.0.2"
-    preact-compat "^3.18.0"
-    preact-emotion "^9.1.3"
-    preact-portal "^1.1.3"
-    prop-types "^15.6.1"
-
-"@hashicorp/hashi-alert@^2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-alert/-/hashi-alert-2.0.0.tgz#bd0d883aad85b6181bec5fd66b0af682efb8e0b4"
-  integrity sha512-NUcvdGGdojaNZJEZk8lWpEGDhwdqrpXWJ06LRWZWBzaOn+uJ0a1dTVG0QdtaCH9fEzr+ltOeMkcrzPOHRFJIHg==
-
-"@hashicorp/hashi-boolean-input@^1.0.3":
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-boolean-input/-/hashi-boolean-input-1.0.3.tgz#c5a83f72978618194c529aa673246a43397b32af"
-  integrity sha512-VOu4sWH4y6n8XPZI96xFks70Kf/h3ESyoduDV9Eps9X+C3V6lF/oFP0g+Ys277YgegfJUNe/7jZvzkYO63O8lQ==
-  dependencies:
-    shortid "2.2.14"
-
-"@hashicorp/hashi-button@^2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-button/-/hashi-button-2.0.0.tgz#007a94371d3e437a4dff3fdb8067844072467e87"
-  integrity sha512-4b7JtQgvVO/sDw5oyWDCZTnHzEsDtLLYwWOR9z2a0m7iDF/CgUWbR7xbXfnihpQJIkeCf9BV/MEm5com3n4zMg==
-
-"@hashicorp/hashi-case-study-slider@^2.3.0":
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-case-study-slider/-/hashi-case-study-slider-2.3.0.tgz#44e3c4bd97b20766ba23c40b0b8879cd37fe4c11"
-  integrity sha512-pB/CXCtNqwU5WcR9VDyNTdYh4BJqj0ZtTQrNrYnoQ5g8OlggBBex/QASbnvaBCGkiXw5QDNHpkN6Lyc4iTHD+A==
-
-"@hashicorp/hashi-code-block@^1.2.0":
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-code-block/-/hashi-code-block-1.2.0.tgz#ce8cb3cee1f03c2a477c851a0a806e45c7e5ee30"
-  integrity sha512-CARAGd/4E8EudamMThp3X7mXpOzWBKIi4qYSGKzt6o52s1FNKpzp+sLqcw9cuPAx+dVY5YiU0NCk6XY8OeNPRw==
-
-"@hashicorp/hashi-consent-manager@^2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-consent-manager/-/hashi-consent-manager-2.0.0.tgz#6e5e3425762ced938a7e6feb9cc6c5f7044cde0c"
-  integrity sha512-cLzebeDoj4VE4c/7hJ7ymTnhX0tSrjkna8weOIcHO/OiSZWhJXy45yUBitNo9MF1NDNUDFSJtZiG/7wB06ETtA==
-
-"@hashicorp/hashi-content@^2.0.1":
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-content/-/hashi-content-2.0.1.tgz#9c03c8b08e5944165a2bf51f89a258c33736010d"
-  integrity sha512-4fspk/EaZGcIvo4u3Z+vcCRyepgKHcciL7bBaUsHicunphkjXXanUprrAjf9lH4yv9pUri66qC1CtMycVgrALg==
-
-"@hashicorp/hashi-docs-sidenav@^2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-docs-sidenav/-/hashi-docs-sidenav-2.0.0.tgz#fdd93c55559c51c3844e04b96edea981e1b12c90"
-  integrity sha512-U02ykzvgSv6sy8gRCpzkJPpbdeAczFlSg82MpWbO9sTbBjXeEMWQW/f4MCTh+FyXFW0mCOlPRVTx7rW6mwGxTw==
-
-"@hashicorp/hashi-docs-sitemap@^0.1.6":
-  version "0.1.6"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-docs-sitemap/-/hashi-docs-sitemap-0.1.6.tgz#56d3f387b1b17bfcb2c53d81cdfb5ddacdbac949"
-  integrity sha512-jrRZ1Hq4TQXSptt45vEn4ZtOZC7iyQt9Abnif6iltLpPDJIqV/yl9wB7HLODI0Thw5SThIU6AABX0bLEwxuGJA==
-
-"@hashicorp/hashi-footer@^2.0.2":
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-footer/-/hashi-footer-2.0.2.tgz#682973d2f92661c481d496d311a31c11cbcb5c69"
-  integrity sha512-bZJ4Qt4EyN6+LXJNnUL3jH58PmSgKiokG9JlhcCSzBGTKsbha9m6xW+fHXdsguGmHUpWb2OBW8gBmSYHsF/vlw==
-
-"@hashicorp/hashi-ga-form-fields@1.0.2":
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-ga-form-fields/-/hashi-ga-form-fields-1.0.2.tgz#e9fb3b61a73a9f380bb14b04df600303f80d7042"
-  integrity sha512-nKa5Z+5AiVgY44Q2iij35bybsjMHQdwsBGgm2tvY2vcFuj7GTCyJgA510Vvpvwz86mK+dYwgfJil+rti/b3O8w==
-
-"@hashicorp/hashi-global-styles@^2.0.1":
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-global-styles/-/hashi-global-styles-2.0.1.tgz#516edcef0316cc74cc675cec0c7b0728eb960aa0"
-  integrity sha512-XPk1xNTCuExLewN68mhTuKcqrWXJql22xTR5HLRWyp3sT39wVMSMJ/IT+jpFLRMpM3eu+S6YiwRXvbj6rYBhWQ==
-
-"@hashicorp/hashi-hero@^4.0.0":
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-hero/-/hashi-hero-4.0.0.tgz#8a800115a045c85e57b8130869bd76c09124d70a"
-  integrity sha512-h5gVvlN9zG8szaW2mtm8Mpe052bsvdjNGYw+tM1KNRiI7zrIKy7it40Z2GUf77IWMqnbwpcq8nIjzjTnI0N9SQ==
-
-"@hashicorp/hashi-image@1.0.5":
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-image/-/hashi-image-1.0.5.tgz#a83747d3df6a134071c629d529ff0fcc06193bca"
-  integrity sha512-OhInZTOole9Ei6bMghLhae3Imk87ggbrq2elI03k1AunVQQP+GRLhXNnghqjlDiK+GA872S7mP3X8Lg6e1plnQ==
-
-"@hashicorp/hashi-linked-text-summary-list@^1.0.1":
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-linked-text-summary-list/-/hashi-linked-text-summary-list-1.0.1.tgz#4ec61188ab6e1829d197e71f2966664386ede9dc"
-  integrity sha512-IqlyJXusIsmEd8GNY+/0wornUhoGojiZaHPQzX3rplxoKOQWSDYxIPTZGJiHh9fh55dLs/skzii9BYDgPX337A==
-
-"@hashicorp/hashi-logo-grid@^2.4.1":
-  version "2.4.1"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-logo-grid/-/hashi-logo-grid-2.4.1.tgz#9345541a7a445a9cfa0faa3a4f479994273004ee"
-  integrity sha512-8klunvdahv2CSt+U4E+gQ1GvFHk0fKwIezUyL4GsiBEy6iYl+CMzPNyv0DxwLH4cV0q6gg7ftDM8v2K6yyuZ1A==
-
-"@hashicorp/hashi-mega-nav@2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-mega-nav/-/hashi-mega-nav-2.0.0.tgz#d0cba1b5ab1f60cf1b73df48327b9567d1ce8839"
-  integrity sha512-fE+bRShjOouhZdCtxcrSsDThPR4Wk5qBCCV/qeWHcNykXq2BTh+8RaO1FAvqhk2oMdTNjT6y02aR1NqsOZIWGw==
-  dependencies:
-    "@hashicorp/hashi-newsletter-signup-form" "^2.0.0"
-
-"@hashicorp/hashi-nav@^1.1.2":
-  version "1.1.4"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-nav/-/hashi-nav-1.1.4.tgz#19a2346051cabb9bab84a41c23fb0310c981795e"
-  integrity sha512-q+gUSQpPN2Q/DhZmqO0/sXqFVx3hz12TPVtU/UDhsOuE5NTL36+21UP2/rrzvGzSobvk5mwXCpbJ9x2cj31aGA==
-
-"@hashicorp/hashi-newsletter-signup-form@^2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-newsletter-signup-form/-/hashi-newsletter-signup-form-2.0.0.tgz#0da2fba671b6a595271211fa1ed56b598bd2e39d"
-  integrity sha512-6KE17g2TmKF20ZE5zAzr9r7VZ3EEXgx15WC7lxoetmGEdO9n3IyqaoKhHwwqAun2wj7/cAxKmn922eh9gciQkQ==
-  dependencies:
-    "@hashicorp/hashi-privacy-checkbox" "^1.1.1"
-
-"@hashicorp/hashi-privacy-checkbox@^1.1.1":
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-privacy-checkbox/-/hashi-privacy-checkbox-1.1.1.tgz#29ceb296ae8a68d8a439f5bee797cc661c17146d"
-  integrity sha512-xk8R1LT8YfPo9meD2lw6hnzfsu38Qj8WROdZcG3mAYedMHGqTBQiRuR21pKfmDcc35wfA51Q7keZixnJeMNinw==
-  dependencies:
-    "@hashicorp/hashi-boolean-input" "^1.0.3"
-    "@hashicorp/hashi-with-validation" "^1.0.2"
-
-"@hashicorp/hashi-product-downloader@^1.0.0":
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-product-downloader/-/hashi-product-downloader-1.0.0.tgz#c5be8a48f8a076caa97eaa145b24cee8ac14c675"
-  integrity sha512-cirU8IyczqwhZ2P0mxfVp1dE4BI7k4LMzP9kbfqaum5Kjw9Z1R0DP0FQ/gfn4X7pFu1T5yn9cAolttzO25aJAQ==
-
-"@hashicorp/hashi-product-subnav@^1.0.1":
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-product-subnav/-/hashi-product-subnav-1.0.1.tgz#c0db0211ea1f9546385695ab65cd8c413dbe4266"
-  integrity sha512-DGkDnhBCTfMdOIQLmeGnjvgofU+01p7BDDHK1UQEo5yoZPUlW/Zd4R3MkZNUmC/RT/XOzwEVRCEmg2Lv7L6MFg==
-
-"@hashicorp/hashi-section-header@^5.0.0":
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-section-header/-/hashi-section-header-5.0.0.tgz#3abc23b633efeb5c2fb25e7cc840eb3bfe6404a8"
-  integrity sha512-4Ttwu69COLVm8x/1I4nMSg3Mu8GO/bTJRIOOTQJ2sL+/UOLbiQcTLQ4LySFYRjAkLh2LQM8ntI0lm1bZzshwDg==
-
-"@hashicorp/hashi-split-cta@^1.0.0":
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-split-cta/-/hashi-split-cta-1.0.0.tgz#ff886602a6414576ac41241be73ce8d7fa31b076"
-  integrity sha512-+sQnHApjvS/+ALb/ja1D2iKxJZ238V0PpTfEBR7/mw5zPqYe6IjtgS/abFKaCRXa/zTAKB+ROFjMTh+BP7p3Mw==
-
-"@hashicorp/hashi-text-and-content@^1.1.0":
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-text-and-content/-/hashi-text-and-content-1.1.0.tgz#bcfcd1421de2591e2eb71c2098aadb9c36a5720d"
-  integrity sha512-klDwU8vxcdxm+tL1caroisjaKDmteN8EYOOM8dpN4+WPZcDH8QIc7SWLVCwcYbXiLQ+z+xi7I7gL5ZAgRf7qIg==
-
-"@hashicorp/hashi-toggle@0.2.3":
-  version "0.2.3"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-toggle/-/hashi-toggle-0.2.3.tgz#e9203df22064a9a4a0d43fc2f98cc6baf1f739e2"
-  integrity sha512-haUxsXZ+SyPmQvyOcbs72J3vM+oQS6xKYqauIJGLe5g/riJdfrsTWLbePMbgvuXs0piMbxft08q+DreYe4aang==
-
-"@hashicorp/hashi-use-cases@^1.0.1":
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-use-cases/-/hashi-use-cases-1.0.1.tgz#ad6e58bace966cdc4bf333f1b588e5c0ae3f901f"
-  integrity sha512-P9YKeNy6L/Dg7VYVh7CgLs9mbqwtX+6N9lnXLg8UVxNCa6OJQCW+0x94JhrfE9eHZ0ITheg3sE62FTy0ujPvCw==
-
-"@hashicorp/hashi-vertical-text-block-list@^1.0.0":
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-vertical-text-block-list/-/hashi-vertical-text-block-list-1.0.0.tgz#83f15730d7c6192cfb705f5ebef0eabbf77fa7ff"
-  integrity sha512-o5IDIx9vP4Va922yXjsoPv01s3hz/eFoo52qeMZID+zlxqJlODvHN1kLgiBrTX+4kkK3sDfQlmkkhzvm9KimnA==
-
-"@hashicorp/hashi-with-validation@^1.0.2":
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/@hashicorp/hashi-with-validation/-/hashi-with-validation-1.0.2.tgz#7190bcfebc39f98779f5cb3fa8695a4b84bf864f"
-  integrity sha512-fiXm//tykjwQaH4THs/fBeGrPdUxMEON1jNkU8ZjPbJsV3FIaIi9TSWgZfMZq6tj49dAQ5ULWZF5DApI3ufp0w==
-
-"@hashicorp/js-utils@^1.0.0":
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@hashicorp/js-utils/-/js-utils-1.0.1.tgz#09da53b53a06b1adb99030dcecaa1c7d0b66ae43"
-  integrity sha512-W6Tnae6/bu3dbpaC7lzT5PTZDVKRh2Y5c6Aqt6i6CJQNIeT3b17N4gBpF9H7vJ2PuXnvvjGohgccmUnamfdiqQ==
-
-"@hashicorp/localstorage-polyfill@^1.0.3":
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/@hashicorp/localstorage-polyfill/-/localstorage-polyfill-1.0.4.tgz#94de26d6d689dd7dda3d9be8cd6f74c50e86ae83"
-  integrity sha512-6hP6jUuZ6aMDfJURiF79nVVAdYjLsFPFbhMe3XLGcy/67L+hQaAIZqmvYtdZGsh2Fszc2Yk0Lr22CweEHeFBsw==
-
-"@segment/in-eu@^0.2.1":
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/@segment/in-eu/-/in-eu-0.2.1.tgz#ee03e0126e0082b9abec9a33e6c2902fd3ad7f47"
-  integrity sha512-7JKBw/l3S9J0ldo/n6XPfd3sT89f300KOCvmZsd8sryVZOWlE4L2LMKT538I34bjRdaOd1aJ52TsOAZUOLqxiQ==
-  dependencies:
-    jstz "^2.0.0"
-
-"@segment/top-domain@^3.0.0":
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/@segment/top-domain/-/top-domain-3.0.0.tgz#02e5a5a4fd42a9f6cf886b05e82f104012a3c3a7"
-  integrity sha1-AuWlpP1CqfbPiGsF6C8QQBKjw6c=
-  dependencies:
-    component-cookie "^1.1.2"
-    component-url "^0.2.1"
-
-abbrev@1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/abbrev/-/abbrev-1.1.1.tgz#f8f2c887ad10bf67f634f005b6987fed3179aac8"
-  integrity sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==
-
-accepts@~1.3.4, accepts@~1.3.5:
-  version "1.3.5"
-  resolved "https://registry.yarnpkg.com/accepts/-/accepts-1.3.5.tgz#eb777df6011723a3b14e8a72c0805c8e86746bd2"
-  integrity sha1-63d99gEXI6OxTopywIBcjoZ0a9I=
-  dependencies:
-    mime-types "~2.1.18"
-    negotiator "0.6.1"
-
-acorn-dynamic-import@^2.0.0:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/acorn-dynamic-import/-/acorn-dynamic-import-2.0.2.tgz#c752bd210bef679501b6c6cb7fc84f8f47158cc4"
-  integrity sha1-x1K9IQvvZ5UBtsbLf8hPj0cVjMQ=
-  dependencies:
-    acorn "^4.0.3"
-
-acorn@^4.0.3:
-  version "4.0.13"
-  resolved "https://registry.yarnpkg.com/acorn/-/acorn-4.0.13.tgz#105495ae5361d697bd195c825192e1ad7f253787"
-  integrity sha1-EFSVrlNh1pe9GVyCUZLhrX8lN4c=
-
-acorn@^5.0.0:
-  version "5.6.2"
-  resolved "https://registry.yarnpkg.com/acorn/-/acorn-5.6.2.tgz#b1da1d7be2ac1b4a327fb9eab851702c5045b4e7"
-  integrity sha512-zUzo1E5dI2Ey8+82egfnttyMlMZ2y0D8xOCO3PNPPlYXpl8NZvF6Qk9L9BEtJs+43FqEmfBViDqc5d1ckRDguw==
-
-acorn@^5.7.3:
-  version "5.7.3"
-  resolved "https://registry.yarnpkg.com/acorn/-/acorn-5.7.3.tgz#67aa231bf8812974b85235a96771eb6bd07ea279"
-  integrity sha512-T/zvzYRfbVojPWahDsE5evJdHb3oJoQfFbsrKM7w5Zcs++Tr257tia3BmMP8XYVjp1S9RZXQMh7gao96BlqZOw==
-
-after@0.8.2:
-  version "0.8.2"
-  resolved "https://registry.yarnpkg.com/after/-/after-0.8.2.tgz#fedb394f9f0e02aa9768e702bda23b505fae7e1f"
-  integrity sha1-/ts5T58OAqqXaOcCvaI7UF+ufh8=
-
-ajv-keywords@^3.1.0:
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/ajv-keywords/-/ajv-keywords-3.2.0.tgz#e86b819c602cf8821ad637413698f1dec021847a"
-  integrity sha1-6GuBnGAs+IIa1jdBNpjx3sAhhHo=
-
-ajv@^5.1.0:
-  version "5.5.2"
-  resolved "https://registry.yarnpkg.com/ajv/-/ajv-5.5.2.tgz#73b5eeca3fab653e3d3f9422b341ad42205dc965"
-  integrity sha1-c7Xuyj+rZT49P5Qis0GtQiBdyWU=
-  dependencies:
-    co "^4.6.0"
-    fast-deep-equal "^1.0.0"
-    fast-json-stable-stringify "^2.0.0"
-    json-schema-traverse "^0.3.0"
-
-ajv@^6.1.0:
-  version "6.5.0"
-  resolved "https://registry.yarnpkg.com/ajv/-/ajv-6.5.0.tgz#4c8affdf80887d8f132c9c52ab8a2dc4d0b7b24c"
-  integrity sha512-VDUX1oSajablmiyFyED9L1DFndg0P9h7p1F+NO8FkIzei6EPrR6Zu1n18rd5P8PqaSRd/FrWv3G1TVBqpM83gA==
-  dependencies:
-    fast-deep-equal "^2.0.1"
-    fast-json-stable-stringify "^2.0.0"
-    json-schema-traverse "^0.3.0"
-    uri-js "^4.2.1"
-
-align-text@^0.1.1, align-text@^0.1.3:
-  version "0.1.4"
-  resolved "https://registry.yarnpkg.com/align-text/-/align-text-0.1.4.tgz#0cd90a561093f35d0a99256c22b7069433fad117"
-  integrity sha1-DNkKVhCT810KmSVsIrcGlDP60Rc=
-  dependencies:
-    kind-of "^3.0.2"
-    longest "^1.0.1"
-    repeat-string "^1.5.2"
-
-alphanum-sort@^1.0.1, alphanum-sort@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/alphanum-sort/-/alphanum-sort-1.0.2.tgz#97a1119649b211ad33691d9f9f486a8ec9fbe0a3"
-  integrity sha1-l6ERlkmyEa0zaR2fn0hqjsn74KM=
-
-ansi-escapes@^3.0.0:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/ansi-escapes/-/ansi-escapes-3.1.0.tgz#f73207bb81207d75fd6c83f125af26eea378ca30"
-  integrity sha512-UgAb8H9D41AQnu/PbWlCofQVcnV4Gs2bBJi9eZPxfU/hgglFh3SMDMENRIqdr7H6XFnXdoknctFByVsCOotTVw==
-
-ansi-regex@^2.0.0:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-2.1.1.tgz#c3b33ab5ee360d86e0e628f0468ae7ef27d654df"
-  integrity sha1-w7M6te42DYbg5ijwRorn7yfWVN8=
-
-ansi-regex@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-3.0.0.tgz#ed0317c322064f79466c02966bddb605ab37d998"
-  integrity sha1-7QMXwyIGT3lGbAKWa922Bas32Zg=
-
-ansi-styles@^2.2.1:
-  version "2.2.1"
-  resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-2.2.1.tgz#b432dd3358b634cf75e1e4664368240533c1ddbe"
-  integrity sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4=
-
-ansi-styles@^3.2.1:
-  version "3.2.1"
-  resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-3.2.1.tgz#41fbb20243e50b12be0f04b8dedbf07520ce841d"
-  integrity sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==
-  dependencies:
-    color-convert "^1.9.0"
-
-anymatch@^1.3.0:
-  version "1.3.2"
-  resolved "https://registry.yarnpkg.com/anymatch/-/anymatch-1.3.2.tgz#553dcb8f91e3c889845dfdba34c77721b90b9d7a"
-  integrity sha512-0XNayC8lTHQ2OI8aljNCN3sSx6hsr/1+rlcDAotXJR7C1oZZHCNsfpbKwMjRA3Uqb5tF1Rae2oloTr4xpq+WjA==
-  dependencies:
-    micromatch "^2.1.5"
-    normalize-path "^2.0.0"
-
-anymatch@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/anymatch/-/anymatch-2.0.0.tgz#bcb24b4f37934d9aa7ac17b4adaf89e7c76ef2eb"
-  integrity sha512-5teOsQWABXHHBFP9y3skS5P3d/WfWXpv3FUpy+LorMrNYaT9pI4oLMQX7jzQ2KklNpGpWHzdCXTDT2Y3XGlZBw==
-  dependencies:
-    micromatch "^3.1.4"
-    normalize-path "^2.1.1"
-
-aproba@^1.0.3:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/aproba/-/aproba-1.2.0.tgz#6802e6264efd18c790a1b0d517f0f2627bf2c94a"
-  integrity sha512-Y9J6ZjXtoYh8RnXVCMOU/ttDmk1aBjunq9vO0ta5x85WDQiQfUF9sIPBITdbiiIVcBo03Hi3jMxigBtsddlXRw==
-
-are-we-there-yet@~1.1.2:
-  version "1.1.5"
-  resolved "https://registry.yarnpkg.com/are-we-there-yet/-/are-we-there-yet-1.1.5.tgz#4b35c2944f062a8bfcda66410760350fe9ddfc21"
-  integrity sha512-5hYdAkZlcG8tOLujVDTgCT+uPX0VnpAH28gWsLfzpXYm7wP6mp5Q/gYyR7YQ0cKVJcXJnl3j2kpBan13PtQf6w==
-  dependencies:
-    delegates "^1.0.0"
-    readable-stream "^2.0.6"
-
-argparse@^1.0.10, argparse@^1.0.2, argparse@^1.0.7:
-  version "1.0.10"
-  resolved "https://registry.yarnpkg.com/argparse/-/argparse-1.0.10.tgz#bcd6791ea5ae09725e17e5ad988134cd40b3d911"
-  integrity sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==
-  dependencies:
-    sprintf-js "~1.0.2"
-
-arr-diff@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/arr-diff/-/arr-diff-2.0.0.tgz#8f3b827f955a8bd669697e4a4256ac3ceae356cf"
-  integrity sha1-jzuCf5Vai9ZpaX5KQlasPOrjVs8=
-  dependencies:
-    arr-flatten "^1.0.1"
-
-arr-diff@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/arr-diff/-/arr-diff-4.0.0.tgz#d6461074febfec71e7e15235761a329a5dc7c520"
-  integrity sha1-1kYQdP6/7HHn4VI1dhoyml3HxSA=
-
-arr-flatten@^1.0.1, arr-flatten@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/arr-flatten/-/arr-flatten-1.1.0.tgz#36048bbff4e7b47e136644316c99669ea5ae91f1"
-  integrity sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg==
-
-arr-union@^3.1.0:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/arr-union/-/arr-union-3.1.0.tgz#e39b09aea9def866a8f206e288af63919bae39c4"
-  integrity sha1-45sJrqne+Gao8gbiiK9jkZuuOcQ=
-
-array-flatten@1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/array-flatten/-/array-flatten-1.1.1.tgz#9a5f699051b1e7073328f2a008968b64ea2955d2"
-  integrity sha1-ml9pkFGx5wczKPKgCJaLZOopVdI=
-
-array-unique@^0.2.1:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/array-unique/-/array-unique-0.2.1.tgz#a1d97ccafcbc2625cc70fadceb36a50c58b01a53"
-  integrity sha1-odl8yvy8JiXMcPrc6zalDFiwGlM=
-
-array-unique@^0.3.2:
-  version "0.3.2"
-  resolved "https://registry.yarnpkg.com/array-unique/-/array-unique-0.3.2.tgz#a894b75d4bc4f6cd679ef3244a9fd8f46ae2d428"
-  integrity sha1-qJS3XUvE9s1nnvMkSp/Y9Gri1Cg=
-
-arraybuffer.slice@~0.0.7:
-  version "0.0.7"
-  resolved "https://registry.yarnpkg.com/arraybuffer.slice/-/arraybuffer.slice-0.0.7.tgz#3bbc4275dd584cc1b10809b89d4e8b63a69e7675"
-  integrity sha512-wGUIVQXuehL5TCqQun8OW81jGzAWycqzFF8lFp+GOM5BXLYj3bKNsYC4daB7n6XjCqxQA/qgTJ+8ANR3acjrog==
-
-asap@~2.0.3:
-  version "2.0.6"
-  resolved "https://registry.yarnpkg.com/asap/-/asap-2.0.6.tgz#e50347611d7e690943208bbdafebcbc2fb866d46"
-  integrity sha1-5QNHYR1+aQlDIIu9r+vLwvuGbUY=
-
-asn1.js@^4.0.0:
-  version "4.10.1"
-  resolved "https://registry.yarnpkg.com/asn1.js/-/asn1.js-4.10.1.tgz#b9c2bf5805f1e64aadeed6df3a2bfafb5a73f5a0"
-  integrity sha512-p32cOF5q0Zqs9uBiONKYLm6BClCoBCM5O9JfeUSlnQLBTxYdTK+pW+nXflm8UkKd2UYlEbYz5qEi0JuZR9ckSw==
-  dependencies:
-    bn.js "^4.0.0"
-    inherits "^2.0.1"
-    minimalistic-assert "^1.0.0"
-
-asn1@~0.2.3:
-  version "0.2.3"
-  resolved "https://registry.yarnpkg.com/asn1/-/asn1-0.2.3.tgz#dac8787713c9966849fc8180777ebe9c1ddf3b86"
-  integrity sha1-2sh4dxPJlmhJ/IGAd36+nB3fO4Y=
-
-assert-plus@1.0.0, assert-plus@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/assert-plus/-/assert-plus-1.0.0.tgz#f12e0f3c5d77b0b1cdd9146942e4e96c1e4dd525"
-  integrity sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=
-
-assert@^1.1.1:
-  version "1.4.1"
-  resolved "https://registry.yarnpkg.com/assert/-/assert-1.4.1.tgz#99912d591836b5a6f5b345c0f07eefc08fc65d91"
-  integrity sha1-mZEtWRg2tab1s0XA8H7vwI/GXZE=
-  dependencies:
-    util "0.10.3"
-
-assign-symbols@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/assign-symbols/-/assign-symbols-1.0.0.tgz#59667f41fadd4f20ccbc2bb96b8d4f7f78ec0367"
-  integrity sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=
-
-async-each-series@0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/async-each-series/-/async-each-series-0.1.1.tgz#7617c1917401fd8ca4a28aadce3dbae98afeb432"
-  integrity sha1-dhfBkXQB/Yykooqtzj266Yr+tDI=
-
-async-each@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/async-each/-/async-each-1.0.1.tgz#19d386a1d9edc6e7c1c85d388aedbcc56d33602d"
-  integrity sha1-GdOGodntxufByF04iu28xW0zYC0=
-
-async-limiter@~1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/async-limiter/-/async-limiter-1.0.0.tgz#78faed8c3d074ab81f22b4e985d79e8738f720f8"
-  integrity sha512-jp/uFnooOiO+L211eZOoSyzpOITMXx1rBITauYykG3BRYPu8h0UcxsPNB04RR5vo4Tyz3+ay17tR6JVf9qzYWg==
-
-async@1.5.2:
-  version "1.5.2"
-  resolved "https://registry.yarnpkg.com/async/-/async-1.5.2.tgz#ec6a61ae56480c0c3cb241c95618e20892f9672a"
-  integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
-
-async@^2.1.2:
-  version "2.6.1"
-  resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610"
-  integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==
-  dependencies:
-    lodash "^4.17.10"
-
-asynckit@^0.4.0:
-  version "0.4.0"
-  resolved "https://registry.yarnpkg.com/asynckit/-/asynckit-0.4.0.tgz#c79ed97f7f34cb8f2ba1bc9790bcc366474b4b79"
-  integrity sha1-x57Zf380y48robyXkLzDZkdLS3k=
-
-atob@^2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/atob/-/atob-2.1.1.tgz#ae2d5a729477f289d60dd7f96a6314a22dd6c22a"
-  integrity sha1-ri1acpR38onWDdf5amMUoi3Wwio=
-
-autoprefixer@^6.3.1:
-  version "6.7.7"
-  resolved "https://registry.yarnpkg.com/autoprefixer/-/autoprefixer-6.7.7.tgz#1dbd1c835658e35ce3f9984099db00585c782014"
-  integrity sha1-Hb0cg1ZY41zj+ZhAmdsAWFx4IBQ=
-  dependencies:
-    browserslist "^1.7.6"
-    caniuse-db "^1.0.30000634"
-    normalize-range "^0.1.2"
-    num2fraction "^1.2.2"
-    postcss "^5.2.16"
-    postcss-value-parser "^3.2.3"
-
-autoprefixer@^7.1.2:
-  version "7.2.6"
-  resolved "https://registry.yarnpkg.com/autoprefixer/-/autoprefixer-7.2.6.tgz#256672f86f7c735da849c4f07d008abb056067dc"
-  integrity sha512-Iq8TRIB+/9eQ8rbGhcP7ct5cYb/3qjNYAR2SnzLCEcwF6rvVOax8+9+fccgXk4bEhQGjOZd5TLhsksmAdsbGqQ==
-  dependencies:
-    browserslist "^2.11.3"
-    caniuse-lite "^1.0.30000805"
-    normalize-range "^0.1.2"
-    num2fraction "^1.2.2"
-    postcss "^6.0.17"
-    postcss-value-parser "^3.2.3"
-
-autoprefixer@^8.3.0:
-  version "8.6.1"
-  resolved "https://registry.yarnpkg.com/autoprefixer/-/autoprefixer-8.6.1.tgz#cb186e6c904cd54a4af7bda078fd27a1fddc7be5"
-  integrity sha512-DqvyCbff+kvfrZgoDHIRK28svWSSFE/Y86FXUd9zflJ+aU7rr+6JCSuhNf1evSPzh+42GdI39BuIjixN5W/EPQ==
-  dependencies:
-    browserslist "^3.2.8"
-    caniuse-lite "^1.0.30000850"
-    normalize-range "^0.1.2"
-    num2fraction "^1.2.2"
-    postcss "^6.0.22"
-    postcss-value-parser "^3.2.3"
-
-aws-sign2@~0.7.0:
-  version "0.7.0"
-  resolved "https://registry.yarnpkg.com/aws-sign2/-/aws-sign2-0.7.0.tgz#b46e890934a9591f2d2f6f86d7e6a9f1b3fe76a8"
-  integrity sha1-tG6JCTSpWR8tL2+G1+ap8bP+dqg=
-
-aws4@^1.6.0:
-  version "1.7.0"
-  resolved "https://registry.yarnpkg.com/aws4/-/aws4-1.7.0.tgz#d4d0e9b9dbfca77bf08eeb0a8a471550fe39e289"
-  integrity sha512-32NDda82rhwD9/JBCCkB+MRYDp0oSvlo2IL6rQWA10PQi7tDUM3eqMSltXmY+Oyl/7N3P3qNtAlv7X0d9bI28w==
-
-axios@0.17.1:
-  version "0.17.1"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-0.17.1.tgz#2d8e3e5d0bdbd7327f91bc814f5c57660f81824d"
-  integrity sha1-LY4+XQvb1zJ/kbyBT1xXZg+Bgk0=
-  dependencies:
-    follow-redirects "^1.2.5"
-    is-buffer "^1.1.5"
-
-babel-code-frame@^6.26.0:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-code-frame/-/babel-code-frame-6.26.0.tgz#63fd43f7dc1e3bb7ce35947db8fe369a3f58c74b"
-  integrity sha1-Y/1D99weO7fONZR9uP42mj9Yx0s=
-  dependencies:
-    chalk "^1.1.3"
-    esutils "^2.0.2"
-    js-tokens "^3.0.2"
-
-babel-core@^6.26.0:
-  version "6.26.3"
-  resolved "https://registry.yarnpkg.com/babel-core/-/babel-core-6.26.3.tgz#b2e2f09e342d0f0c88e2f02e067794125e75c207"
-  integrity sha512-6jyFLuDmeidKmUEb3NM+/yawG0M2bDZ9Z1qbZP59cyHLz8kYGKYwpJP0UwUKKUiTRNvxfLesJnTedqczP7cTDA==
-  dependencies:
-    babel-code-frame "^6.26.0"
-    babel-generator "^6.26.0"
-    babel-helpers "^6.24.1"
-    babel-messages "^6.23.0"
-    babel-register "^6.26.0"
-    babel-runtime "^6.26.0"
-    babel-template "^6.26.0"
-    babel-traverse "^6.26.0"
-    babel-types "^6.26.0"
-    babylon "^6.18.0"
-    convert-source-map "^1.5.1"
-    debug "^2.6.9"
-    json5 "^0.5.1"
-    lodash "^4.17.4"
-    minimatch "^3.0.4"
-    path-is-absolute "^1.0.1"
-    private "^0.1.8"
-    slash "^1.0.0"
-    source-map "^0.5.7"
-
-babel-generator@^6.26.0:
-  version "6.26.1"
-  resolved "https://registry.yarnpkg.com/babel-generator/-/babel-generator-6.26.1.tgz#1844408d3b8f0d35a404ea7ac180f087a601bd90"
-  integrity sha512-HyfwY6ApZj7BYTcJURpM5tznulaBvyio7/0d4zFOeMPUmfxkCjHocCuoLa2SAGzBI8AREcH3eP3758F672DppA==
-  dependencies:
-    babel-messages "^6.23.0"
-    babel-runtime "^6.26.0"
-    babel-types "^6.26.0"
-    detect-indent "^4.0.0"
-    jsesc "^1.3.0"
-    lodash "^4.17.4"
-    source-map "^0.5.7"
-    trim-right "^1.0.1"
-
-babel-helper-builder-binary-assignment-operator-visitor@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-builder-binary-assignment-operator-visitor/-/babel-helper-builder-binary-assignment-operator-visitor-6.24.1.tgz#cce4517ada356f4220bcae8a02c2b346f9a56664"
-  integrity sha1-zORReto1b0IgvK6KAsKzRvmlZmQ=
-  dependencies:
-    babel-helper-explode-assignable-expression "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-helper-builder-react-jsx@^6.24.1:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-helper-builder-react-jsx/-/babel-helper-builder-react-jsx-6.26.0.tgz#39ff8313b75c8b65dceff1f31d383e0ff2a408a0"
-  integrity sha1-Of+DE7dci2Xc7/HzHTg+D/KkCKA=
-  dependencies:
-    babel-runtime "^6.26.0"
-    babel-types "^6.26.0"
-    esutils "^2.0.2"
-
-babel-helper-call-delegate@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-call-delegate/-/babel-helper-call-delegate-6.24.1.tgz#ece6aacddc76e41c3461f88bfc575bd0daa2df8d"
-  integrity sha1-7Oaqzdx25Bw0YfiL/Fdb0Nqi340=
-  dependencies:
-    babel-helper-hoist-variables "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-traverse "^6.24.1"
-    babel-types "^6.24.1"
-
-babel-helper-define-map@^6.24.1:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-helper-define-map/-/babel-helper-define-map-6.26.0.tgz#a5f56dab41a25f97ecb498c7ebaca9819f95be5f"
-  integrity sha1-pfVtq0GiX5fstJjH66ypgZ+Vvl8=
-  dependencies:
-    babel-helper-function-name "^6.24.1"
-    babel-runtime "^6.26.0"
-    babel-types "^6.26.0"
-    lodash "^4.17.4"
-
-babel-helper-explode-assignable-expression@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-explode-assignable-expression/-/babel-helper-explode-assignable-expression-6.24.1.tgz#f25b82cf7dc10433c55f70592d5746400ac22caa"
-  integrity sha1-8luCz33BBDPFX3BZLVdGQArCLKo=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-traverse "^6.24.1"
-    babel-types "^6.24.1"
-
-babel-helper-function-name@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-function-name/-/babel-helper-function-name-6.24.1.tgz#d3475b8c03ed98242a25b48351ab18399d3580a9"
-  integrity sha1-00dbjAPtmCQqJbSDUasYOZ01gKk=
-  dependencies:
-    babel-helper-get-function-arity "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-    babel-traverse "^6.24.1"
-    babel-types "^6.24.1"
-
-babel-helper-get-function-arity@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-get-function-arity/-/babel-helper-get-function-arity-6.24.1.tgz#8f7782aa93407c41d3aa50908f89b031b1b6853d"
-  integrity sha1-j3eCqpNAfEHTqlCQj4mwMbG2hT0=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-helper-hoist-variables@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-hoist-variables/-/babel-helper-hoist-variables-6.24.1.tgz#1ecb27689c9d25513eadbc9914a73f5408be7a76"
-  integrity sha1-HssnaJydJVE+rbyZFKc/VAi+enY=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-helper-optimise-call-expression@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-optimise-call-expression/-/babel-helper-optimise-call-expression-6.24.1.tgz#f7a13427ba9f73f8f4fa993c54a97882d1244257"
-  integrity sha1-96E0J7qfc/j0+pk8VKl4gtEkQlc=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-helper-regex@^6.24.1:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-helper-regex/-/babel-helper-regex-6.26.0.tgz#325c59f902f82f24b74faceed0363954f6495e72"
-  integrity sha1-MlxZ+QL4LyS3T6zu0DY5VPZJXnI=
-  dependencies:
-    babel-runtime "^6.26.0"
-    babel-types "^6.26.0"
-    lodash "^4.17.4"
-
-babel-helper-remap-async-to-generator@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-remap-async-to-generator/-/babel-helper-remap-async-to-generator-6.24.1.tgz#5ec581827ad723fecdd381f1c928390676e4551b"
-  integrity sha1-XsWBgnrXI/7N04HxySg5BnbkVRs=
-  dependencies:
-    babel-helper-function-name "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-    babel-traverse "^6.24.1"
-    babel-types "^6.24.1"
-
-babel-helper-replace-supers@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helper-replace-supers/-/babel-helper-replace-supers-6.24.1.tgz#bf6dbfe43938d17369a213ca8a8bf74b6a90ab1a"
-  integrity sha1-v22/5Dk40XNpohPKiov3S2qQqxo=
-  dependencies:
-    babel-helper-optimise-call-expression "^6.24.1"
-    babel-messages "^6.23.0"
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-    babel-traverse "^6.24.1"
-    babel-types "^6.24.1"
-
-babel-helpers@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-helpers/-/babel-helpers-6.24.1.tgz#3471de9caec388e5c850e597e58a26ddf37602b2"
-  integrity sha1-NHHenK7DiOXIUOWX5Yom3fN2ArI=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-
-babel-loader@^7.1.5:
-  version "7.1.5"
-  resolved "https://registry.yarnpkg.com/babel-loader/-/babel-loader-7.1.5.tgz#e3ee0cd7394aa557e013b02d3e492bfd07aa6d68"
-  integrity sha512-iCHfbieL5d1LfOQeeVJEUyD9rTwBcP/fcEbRCfempxTDuqrKpu0AZjLAQHEQa3Yqyj9ORKe2iHfoj4rHLf7xpw==
-  dependencies:
-    find-cache-dir "^1.0.0"
-    loader-utils "^1.0.2"
-    mkdirp "^0.5.1"
-
-babel-messages@^6.23.0:
-  version "6.23.0"
-  resolved "https://registry.yarnpkg.com/babel-messages/-/babel-messages-6.23.0.tgz#f3cdf4703858035b2a2951c6ec5edf6c62f2630e"
-  integrity sha1-8830cDhYA1sqKVHG7F7fbGLyYw4=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-check-es2015-constants@^6.22.0:
-  version "6.22.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-check-es2015-constants/-/babel-plugin-check-es2015-constants-6.22.0.tgz#35157b101426fd2ffd3da3f75c7d1e91835bbf8a"
-  integrity sha1-NRV7EBQm/S/9PaP3XH0ekYNbv4o=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-emotion@^9.2.0:
-  version "9.2.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-emotion/-/babel-plugin-emotion-9.2.0.tgz#43543dd02c7b5cd89d464aeedef864edb754b852"
-  integrity sha1-Q1Q90Cx7XNidRkru3vhk7bdUuFI=
-  dependencies:
-    "@babel/helper-module-imports" "7.0.0-beta.40"
-    "@emotion/babel-utils" "^0.5.3"
-    "@emotion/hash" "^0.6.2"
-    "@emotion/memoize" "^0.6.1"
-    "@emotion/stylis" "^0.6.5"
-    babel-plugin-macros "^2.0.0"
-    babel-plugin-syntax-jsx "^6.18.0"
-    convert-source-map "^1.5.0"
-    find-root "^1.1.0"
-    mkdirp "^0.5.1"
-    source-map "^0.5.7"
-    touch "^1.0.0"
-
-babel-plugin-macros@^2.0.0:
-  version "2.2.2"
-  resolved "https://registry.yarnpkg.com/babel-plugin-macros/-/babel-plugin-macros-2.2.2.tgz#049c93f4b934453688a6ec38bba529c55bf0fa1f"
-  integrity sha512-wq6DYqjNmSPskGyhOeRIbmuvLtsHTfc6ROtGqapTttIGL1RoQmM3V5N8aJiDxPaw3/fveIsVspF51E3V7qTOMQ==
-  dependencies:
-    cosmiconfig "^4.0.0"
-
-babel-plugin-syntax-async-functions@^6.8.0:
-  version "6.13.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"
-  integrity sha1-ytnK0RkbWtY0vzCuCHI5HgZHvpU=
-
-babel-plugin-syntax-dynamic-import@^6.18.0:
-  version "6.18.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-dynamic-import/-/babel-plugin-syntax-dynamic-import-6.18.0.tgz#8d6a26229c83745a9982a441051572caa179b1da"
-  integrity sha1-jWomIpyDdFqZgqRBBRVyyqF5sdo=
-
-babel-plugin-syntax-exponentiation-operator@^6.8.0:
-  version "6.13.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-exponentiation-operator/-/babel-plugin-syntax-exponentiation-operator-6.13.0.tgz#9ee7e8337290da95288201a6a57f4170317830de"
-  integrity sha1-nufoM3KQ2pUoggGmpX9BcDF4MN4=
-
-babel-plugin-syntax-jsx@^6.0.2, babel-plugin-syntax-jsx@^6.18.0, babel-plugin-syntax-jsx@^6.8.0:
-  version "6.18.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-jsx/-/babel-plugin-syntax-jsx-6.18.0.tgz#0af32a9a6e13ca7a3fd5069e62d7b0f58d0d8946"
-  integrity sha1-CvMqmm4Tyno/1QaeYtew9Y0NiUY=
-
-babel-plugin-syntax-trailing-function-commas@^6.22.0:
-  version "6.22.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-trailing-function-commas/-/babel-plugin-syntax-trailing-function-commas-6.22.0.tgz#ba0360937f8d06e40180a43fe0d5616fff532cf3"
-  integrity sha1-ugNgk3+NBuQBgKQ/4NVhb/9TLPM=
-
-babel-plugin-transform-async-to-generator@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-async-to-generator/-/babel-plugin-transform-async-to-generator-6.24.1.tgz#6536e378aff6cb1d5517ac0e40eb3e9fc8d08761"
-  integrity sha1-ZTbjeK/2yx1VF6wOQOs+n8jQh2E=
-  dependencies:
-    babel-helper-remap-async-to-generator "^6.24.1"
-    babel-plugin-syntax-async-functions "^6.8.0"
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-arrow-functions@^6.22.0:
-  version "6.22.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-arrow-functions/-/babel-plugin-transform-es2015-arrow-functions-6.22.0.tgz#452692cb711d5f79dc7f85e440ce41b9f244d221"
-  integrity sha1-RSaSy3EdX3ncf4XkQM5BufJE0iE=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-block-scoped-functions@^6.22.0:
-  version "6.22.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-block-scoped-functions/-/babel-plugin-transform-es2015-block-scoped-functions-6.22.0.tgz#bbc51b49f964d70cb8d8e0b94e820246ce3a6141"
-  integrity sha1-u8UbSflk1wy42OC5ToICRs46YUE=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-block-scoping@^6.23.0:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-block-scoping/-/babel-plugin-transform-es2015-block-scoping-6.26.0.tgz#d70f5299c1308d05c12f463813b0a09e73b1895f"
-  integrity sha1-1w9SmcEwjQXBL0Y4E7CgnnOxiV8=
-  dependencies:
-    babel-runtime "^6.26.0"
-    babel-template "^6.26.0"
-    babel-traverse "^6.26.0"
-    babel-types "^6.26.0"
-    lodash "^4.17.4"
-
-babel-plugin-transform-es2015-classes@^6.23.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-classes/-/babel-plugin-transform-es2015-classes-6.24.1.tgz#5a4c58a50c9c9461e564b4b2a3bfabc97a2584db"
-  integrity sha1-WkxYpQyclGHlZLSyo7+ryXolhNs=
-  dependencies:
-    babel-helper-define-map "^6.24.1"
-    babel-helper-function-name "^6.24.1"
-    babel-helper-optimise-call-expression "^6.24.1"
-    babel-helper-replace-supers "^6.24.1"
-    babel-messages "^6.23.0"
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-    babel-traverse "^6.24.1"
-    babel-types "^6.24.1"
-
-babel-plugin-transform-es2015-computed-properties@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-computed-properties/-/babel-plugin-transform-es2015-computed-properties-6.24.1.tgz#6fe2a8d16895d5634f4cd999b6d3480a308159b3"
-  integrity sha1-b+Ko0WiV1WNPTNmZttNICjCBWbM=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-
-babel-plugin-transform-es2015-destructuring@^6.23.0:
-  version "6.23.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-destructuring/-/babel-plugin-transform-es2015-destructuring-6.23.0.tgz#997bb1f1ab967f682d2b0876fe358d60e765c56d"
-  integrity sha1-mXux8auWf2gtKwh2/jWNYOdlxW0=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-duplicate-keys@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-duplicate-keys/-/babel-plugin-transform-es2015-duplicate-keys-6.24.1.tgz#73eb3d310ca969e3ef9ec91c53741a6f1576423e"
-  integrity sha1-c+s9MQypaePvnskcU3QabxV2Qj4=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-plugin-transform-es2015-for-of@^6.23.0:
-  version "6.23.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-for-of/-/babel-plugin-transform-es2015-for-of-6.23.0.tgz#f47c95b2b613df1d3ecc2fdb7573623c75248691"
-  integrity sha1-9HyVsrYT3x0+zC/bdXNiPHUkhpE=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-function-name@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-function-name/-/babel-plugin-transform-es2015-function-name-6.24.1.tgz#834c89853bc36b1af0f3a4c5dbaa94fd8eacaa8b"
-  integrity sha1-g0yJhTvDaxrw86TF26qU/Y6sqos=
-  dependencies:
-    babel-helper-function-name "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-plugin-transform-es2015-literals@^6.22.0:
-  version "6.22.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-literals/-/babel-plugin-transform-es2015-literals-6.22.0.tgz#4f54a02d6cd66cf915280019a31d31925377ca2e"
-  integrity sha1-T1SgLWzWbPkVKAAZox0xklN3yi4=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-modules-amd@^6.22.0, babel-plugin-transform-es2015-modules-amd@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-modules-amd/-/babel-plugin-transform-es2015-modules-amd-6.24.1.tgz#3b3e54017239842d6d19c3011c4bd2f00a00d154"
-  integrity sha1-Oz5UAXI5hC1tGcMBHEvS8AoA0VQ=
-  dependencies:
-    babel-plugin-transform-es2015-modules-commonjs "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-
-babel-plugin-transform-es2015-modules-commonjs@^6.23.0, babel-plugin-transform-es2015-modules-commonjs@^6.24.1:
-  version "6.26.2"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-modules-commonjs/-/babel-plugin-transform-es2015-modules-commonjs-6.26.2.tgz#58a793863a9e7ca870bdc5a881117ffac27db6f3"
-  integrity sha512-CV9ROOHEdrjcwhIaJNBGMBCodN+1cfkwtM1SbUHmvyy35KGT7fohbpOxkE2uLz1o6odKK2Ck/tz47z+VqQfi9Q==
-  dependencies:
-    babel-plugin-transform-strict-mode "^6.24.1"
-    babel-runtime "^6.26.0"
-    babel-template "^6.26.0"
-    babel-types "^6.26.0"
-
-babel-plugin-transform-es2015-modules-systemjs@^6.23.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-modules-systemjs/-/babel-plugin-transform-es2015-modules-systemjs-6.24.1.tgz#ff89a142b9119a906195f5f106ecf305d9407d23"
-  integrity sha1-/4mhQrkRmpBhlfXxBuzzBdlAfSM=
-  dependencies:
-    babel-helper-hoist-variables "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-
-babel-plugin-transform-es2015-modules-umd@^6.23.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-modules-umd/-/babel-plugin-transform-es2015-modules-umd-6.24.1.tgz#ac997e6285cd18ed6176adb607d602344ad38468"
-  integrity sha1-rJl+YoXNGO1hdq22B9YCNErThGg=
-  dependencies:
-    babel-plugin-transform-es2015-modules-amd "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-
-babel-plugin-transform-es2015-object-super@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-object-super/-/babel-plugin-transform-es2015-object-super-6.24.1.tgz#24cef69ae21cb83a7f8603dad021f572eb278f8d"
-  integrity sha1-JM72muIcuDp/hgPa0CH1cusnj40=
-  dependencies:
-    babel-helper-replace-supers "^6.24.1"
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-parameters@^6.23.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-parameters/-/babel-plugin-transform-es2015-parameters-6.24.1.tgz#57ac351ab49caf14a97cd13b09f66fdf0a625f2b"
-  integrity sha1-V6w1GrScrxSpfNE7CfZv3wpiXys=
-  dependencies:
-    babel-helper-call-delegate "^6.24.1"
-    babel-helper-get-function-arity "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-template "^6.24.1"
-    babel-traverse "^6.24.1"
-    babel-types "^6.24.1"
-
-babel-plugin-transform-es2015-shorthand-properties@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-shorthand-properties/-/babel-plugin-transform-es2015-shorthand-properties-6.24.1.tgz#24f875d6721c87661bbd99a4622e51f14de38aa0"
-  integrity sha1-JPh11nIch2YbvZmkYi5R8U3jiqA=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-plugin-transform-es2015-spread@^6.22.0:
-  version "6.22.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-spread/-/babel-plugin-transform-es2015-spread-6.22.0.tgz#d6d68a99f89aedc4536c81a542e8dd9f1746f8d1"
-  integrity sha1-1taKmfia7cRTbIGlQujdnxdG+NE=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-sticky-regex@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-sticky-regex/-/babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz#00c1cdb1aca71112cdf0cf6126c2ed6b457ccdbc"
-  integrity sha1-AMHNsaynERLN8M9hJsLta0V8zbw=
-  dependencies:
-    babel-helper-regex "^6.24.1"
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-plugin-transform-es2015-template-literals@^6.22.0:
-  version "6.22.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-template-literals/-/babel-plugin-transform-es2015-template-literals-6.22.0.tgz#a84b3450f7e9f8f1f6839d6d687da84bb1236d8d"
-  integrity sha1-qEs0UPfp+PH2g51taH2oS7EjbY0=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-typeof-symbol@^6.23.0:
-  version "6.23.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-typeof-symbol/-/babel-plugin-transform-es2015-typeof-symbol-6.23.0.tgz#dec09f1cddff94b52ac73d505c84df59dcceb372"
-  integrity sha1-3sCfHN3/lLUqxz1QXITfWdzOs3I=
-  dependencies:
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-es2015-unicode-regex@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-es2015-unicode-regex/-/babel-plugin-transform-es2015-unicode-regex-6.24.1.tgz#d38b12f42ea7323f729387f18a7c5ae1faeb35e9"
-  integrity sha1-04sS9C6nMj9yk4fxinxa4frrNek=
-  dependencies:
-    babel-helper-regex "^6.24.1"
-    babel-runtime "^6.22.0"
-    regexpu-core "^2.0.0"
-
-babel-plugin-transform-exponentiation-operator@^6.22.0:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-exponentiation-operator/-/babel-plugin-transform-exponentiation-operator-6.24.1.tgz#2ab0c9c7f3098fa48907772bb813fe41e8de3a0e"
-  integrity sha1-KrDJx/MJj6SJB3cruBP+QejeOg4=
-  dependencies:
-    babel-helper-builder-binary-assignment-operator-visitor "^6.24.1"
-    babel-plugin-syntax-exponentiation-operator "^6.8.0"
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-react-jsx@^6.0.2:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-react-jsx/-/babel-plugin-transform-react-jsx-6.24.1.tgz#840a028e7df460dfc3a2d29f0c0d91f6376e66a3"
-  integrity sha1-hAoCjn30YN/DotKfDA2R9jduZqM=
-  dependencies:
-    babel-helper-builder-react-jsx "^6.24.1"
-    babel-plugin-syntax-jsx "^6.8.0"
-    babel-runtime "^6.22.0"
-
-babel-plugin-transform-regenerator@^6.22.0:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-regenerator/-/babel-plugin-transform-regenerator-6.26.0.tgz#e0703696fbde27f0a3efcacf8b4dca2f7b3a8f2f"
-  integrity sha1-4HA2lvveJ/Cj78rPi03KL3s6jy8=
-  dependencies:
-    regenerator-transform "^0.10.0"
-
-babel-plugin-transform-strict-mode@^6.24.1:
-  version "6.24.1"
-  resolved "https://registry.yarnpkg.com/babel-plugin-transform-strict-mode/-/babel-plugin-transform-strict-mode-6.24.1.tgz#d5faf7aa578a65bbe591cf5edae04a0c67020758"
-  integrity sha1-1fr3qleKZbvlkc9e2uBKDGcCB1g=
-  dependencies:
-    babel-runtime "^6.22.0"
-    babel-types "^6.24.1"
-
-babel-preset-env@^1.7.0:
-  version "1.7.0"
-  resolved "https://registry.yarnpkg.com/babel-preset-env/-/babel-preset-env-1.7.0.tgz#dea79fa4ebeb883cd35dab07e260c1c9c04df77a"
-  integrity sha512-9OR2afuKDneX2/q2EurSftUYM0xGu4O2D9adAhVfADDhrYDaxXV0rBbevVYoY9n6nyX1PmQW/0jtpJvUNr9CHg==
-  dependencies:
-    babel-plugin-check-es2015-constants "^6.22.0"
-    babel-plugin-syntax-trailing-function-commas "^6.22.0"
-    babel-plugin-transform-async-to-generator "^6.22.0"
-    babel-plugin-transform-es2015-arrow-functions "^6.22.0"
-    babel-plugin-transform-es2015-block-scoped-functions "^6.22.0"
-    babel-plugin-transform-es2015-block-scoping "^6.23.0"
-    babel-plugin-transform-es2015-classes "^6.23.0"
-    babel-plugin-transform-es2015-computed-properties "^6.22.0"
-    babel-plugin-transform-es2015-destructuring "^6.23.0"
-    babel-plugin-transform-es2015-duplicate-keys "^6.22.0"
-    babel-plugin-transform-es2015-for-of "^6.23.0"
-    babel-plugin-transform-es2015-function-name "^6.22.0"
-    babel-plugin-transform-es2015-literals "^6.22.0"
-    babel-plugin-transform-es2015-modules-amd "^6.22.0"
-    babel-plugin-transform-es2015-modules-commonjs "^6.23.0"
-    babel-plugin-transform-es2015-modules-systemjs "^6.23.0"
-    babel-plugin-transform-es2015-modules-umd "^6.23.0"
-    babel-plugin-transform-es2015-object-super "^6.22.0"
-    babel-plugin-transform-es2015-parameters "^6.23.0"
-    babel-plugin-transform-es2015-shorthand-properties "^6.22.0"
-    babel-plugin-transform-es2015-spread "^6.22.0"
-    babel-plugin-transform-es2015-sticky-regex "^6.22.0"
-    babel-plugin-transform-es2015-template-literals "^6.22.0"
-    babel-plugin-transform-es2015-typeof-symbol "^6.23.0"
-    babel-plugin-transform-es2015-unicode-regex "^6.22.0"
-    babel-plugin-transform-exponentiation-operator "^6.22.0"
-    babel-plugin-transform-regenerator "^6.22.0"
-    browserslist "^3.2.6"
-    invariant "^2.2.2"
-    semver "^5.3.0"
-
-babel-preset-preact@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/babel-preset-preact/-/babel-preset-preact-1.1.0.tgz#35ac655a73a49b8438163ce053816577e1980861"
-  integrity sha1-NaxlWnOkm4Q4FjzgU4Fld+GYCGE=
-  dependencies:
-    babel-plugin-syntax-jsx "^6.0.2"
-    babel-plugin-transform-react-jsx "^6.0.2"
-
-babel-register@^6.26.0:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-register/-/babel-register-6.26.0.tgz#6ed021173e2fcb486d7acb45c6009a856f647071"
-  integrity sha1-btAhFz4vy0htestFxgCahW9kcHE=
-  dependencies:
-    babel-core "^6.26.0"
-    babel-runtime "^6.26.0"
-    core-js "^2.5.0"
-    home-or-tmp "^2.0.0"
-    lodash "^4.17.4"
-    mkdirp "^0.5.1"
-    source-map-support "^0.4.15"
-
-babel-runtime@^6.11.6, babel-runtime@^6.18.0, babel-runtime@^6.22.0, babel-runtime@^6.26.0:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-runtime/-/babel-runtime-6.26.0.tgz#965c7058668e82b55d7bfe04ff2337bc8b5647fe"
-  integrity sha1-llxwWGaOgrVde/4E/yM3vItWR/4=
-  dependencies:
-    core-js "^2.4.0"
-    regenerator-runtime "^0.11.0"
-
-babel-template@^6.24.1, babel-template@^6.26.0:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-template/-/babel-template-6.26.0.tgz#de03e2d16396b069f46dd9fff8521fb1a0e35e02"
-  integrity sha1-3gPi0WOWsGn0bdn/+FIfsaDjXgI=
-  dependencies:
-    babel-runtime "^6.26.0"
-    babel-traverse "^6.26.0"
-    babel-types "^6.26.0"
-    babylon "^6.18.0"
-    lodash "^4.17.4"
-
-babel-traverse@^6.24.1, babel-traverse@^6.26.0:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-traverse/-/babel-traverse-6.26.0.tgz#46a9cbd7edcc62c8e5c064e2d2d8d0f4035766ee"
-  integrity sha1-RqnL1+3MYsjlwGTi0tjQ9ANXZu4=
-  dependencies:
-    babel-code-frame "^6.26.0"
-    babel-messages "^6.23.0"
-    babel-runtime "^6.26.0"
-    babel-types "^6.26.0"
-    babylon "^6.18.0"
-    debug "^2.6.8"
-    globals "^9.18.0"
-    invariant "^2.2.2"
-    lodash "^4.17.4"
-
-babel-types@^6.15.0, babel-types@^6.19.0, babel-types@^6.24.1, babel-types@^6.26.0:
-  version "6.26.0"
-  resolved "https://registry.yarnpkg.com/babel-types/-/babel-types-6.26.0.tgz#a3b073f94ab49eb6fa55cd65227a334380632497"
-  integrity sha1-o7Bz+Uq0nrb6Vc1lInozQ4BjJJc=
-  dependencies:
-    babel-runtime "^6.26.0"
-    esutils "^2.0.2"
-    lodash "^4.17.4"
-    to-fast-properties "^1.0.3"
-
-babylon-walk@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/babylon-walk/-/babylon-walk-1.0.2.tgz#3b15a5ddbb482a78b4ce9c01c8ba181702d9d6ce"
-  integrity sha1-OxWl3btIKni0zpwByLoYFwLZ1s4=
-  dependencies:
-    babel-runtime "^6.11.6"
-    babel-types "^6.15.0"
-    lodash.clone "^4.5.0"
-
-babylon@^6.18.0, babylon@^6.9.1:
-  version "6.18.0"
-  resolved "https://registry.yarnpkg.com/babylon/-/babylon-6.18.0.tgz#af2f3b88fa6f5c1e4c634d1a0f8eac4f55b395e3"
-  integrity sha512-q/UEjfGJ2Cm3oKV71DJz9d25TPnq5rhBVL2Q4fA5wcC3jcrdn7+SssEybFIxwAvvP+YCsCYNKughoF33GxgycQ==
-
-backo2@1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/backo2/-/backo2-1.0.2.tgz#31ab1ac8b129363463e35b3ebb69f4dfcfba7947"
-  integrity sha1-MasayLEpNjRj41s+u2n038+6eUc=
-
-balanced-match@0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-0.1.0.tgz#b504bd05869b39259dd0c5efc35d843176dccc4a"
-  integrity sha1-tQS9BYabOSWd0MXvw12EMXbczEo=
-
-balanced-match@^0.4.2:
-  version "0.4.2"
-  resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-0.4.2.tgz#cb3f3e3c732dc0f01ee70b403f302e61d7709838"
-  integrity sha1-yz8+PHMtwPAe5wtAPzAuYddwmDg=
-
-balanced-match@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767"
-  integrity sha1-ibTRmasr7kneFk6gK4nORi1xt2c=
-
-base64-arraybuffer@0.1.5:
-  version "0.1.5"
-  resolved "https://registry.yarnpkg.com/base64-arraybuffer/-/base64-arraybuffer-0.1.5.tgz#73926771923b5a19747ad666aa5cd4bf9c6e9ce8"
-  integrity sha1-c5JncZI7Whl0etZmqlzUv5xunOg=
-
-base64-js@^1.0.2:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.3.0.tgz#cab1e6118f051095e58b5281aea8c1cd22bfc0e3"
-  integrity sha512-ccav/yGvoa80BQDljCxsmmQ3Xvx60/UpBIij5QN21W3wBi/hhIC9OoO+KLpu9IJTS9j4DRVJ3aDDF9cMSoa2lw==
-
-base64id@1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/base64id/-/base64id-1.0.0.tgz#47688cb99bb6804f0e06d3e763b1c32e57d8e6b6"
-  integrity sha1-R2iMuZu2gE8OBtPnY7HDLlfY5rY=
-
-base@^0.11.1:
-  version "0.11.2"
-  resolved "https://registry.yarnpkg.com/base/-/base-0.11.2.tgz#7bde5ced145b6d551a90db87f83c558b4eb48a8f"
-  integrity sha512-5T6P4xPgpp0YDFvSWwEZ4NoE3aM4QBQXDzmVbraCkFj8zHM+mba8SyqB5DbZWyR7mYHo6Y7BdQo3MoA4m0TeQg==
-  dependencies:
-    cache-base "^1.0.1"
-    class-utils "^0.3.5"
-    component-emitter "^1.2.1"
-    define-property "^1.0.0"
-    isobject "^3.0.1"
-    mixin-deep "^1.2.0"
-    pascalcase "^0.1.1"
-
-batch@0.6.1:
-  version "0.6.1"
-  resolved "https://registry.yarnpkg.com/batch/-/batch-0.6.1.tgz#dc34314f4e679318093fc760272525f94bf25c16"
-  integrity sha1-3DQxT05nkxgJP8dgJyUl+UvyXBY=
-
-bcrypt-pbkdf@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.1.tgz#63bc5dcb61331b92bc05fd528953c33462a06f8d"
-  integrity sha1-Y7xdy2EzG5K8Bf1SiVPDNGKgb40=
-  dependencies:
-    tweetnacl "^0.14.3"
-
-better-assert@~1.0.0:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/better-assert/-/better-assert-1.0.2.tgz#40866b9e1b9e0b55b481894311e68faffaebc522"
-  integrity sha1-QIZrnhueC1W0gYlDEeaPr/rrxSI=
-  dependencies:
-    callsite "1.0.0"
-
-bfj@^6.1.1:
-  version "6.1.1"
-  resolved "https://registry.yarnpkg.com/bfj/-/bfj-6.1.1.tgz#05a3b7784fbd72cfa3c22e56002ef99336516c48"
-  integrity sha512-+GUNvzHR4nRyGybQc2WpNJL4MJazMuvf92ueIyA0bIkPRwhhQu3IfZQ2PSoVPpCBJfmoSdOxu5rnotfFLlvYRQ==
-  dependencies:
-    bluebird "^3.5.1"
-    check-types "^7.3.0"
-    hoopy "^0.1.2"
-    tryer "^1.0.0"
-
-big.js@^3.1.3:
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/big.js/-/big.js-3.2.0.tgz#a5fc298b81b9e0dca2e458824784b65c52ba588e"
-  integrity sha512-+hN/Zh2D08Mx65pZ/4g5bsmNiZUuChDiQfTUQ7qJr4/kuopCr88xZsAXv6mBoZEsUI4OuGHlX59qE94K2mMW8Q==
-
-binary-extensions@^1.0.0:
-  version "1.11.0"
-  resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-1.11.0.tgz#46aa1751fb6a2f93ee5e689bb1087d4b14c6c205"
-  integrity sha1-RqoXUftqL5PuXmibsQh9SxTGwgU=
-
-blob@0.0.4:
-  version "0.0.4"
-  resolved "https://registry.yarnpkg.com/blob/-/blob-0.0.4.tgz#bcf13052ca54463f30f9fc7e95b9a47630a94921"
-  integrity sha1-vPEwUspURj8w+fx+lbmkdjCpSSE=
-
-bluebird@^3.5.1:
-  version "3.5.1"
-  resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.5.1.tgz#d9551f9de98f1fcda1e683d17ee91a0602ee2eb9"
-  integrity sha512-MKiLiV+I1AA596t9w1sQJ8jkiSr5+ZKi0WKrYGUn6d1Fx+Ij4tIj+m2WMQSGczs5jZVxV339chE8iwk6F64wjA==
-
-bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1, bn.js@^4.4.0:
-  version "4.11.8"
-  resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.8.tgz#2cde09eb5ee341f484746bb0309b3253b1b1442f"
-  integrity sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA==
-
-body-parser@1.18.2:
-  version "1.18.2"
-  resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.18.2.tgz#87678a19d84b47d859b83199bd59bce222b10454"
-  integrity sha1-h2eKGdhLR9hZuDGZvVm84iKxBFQ=
-  dependencies:
-    bytes "3.0.0"
-    content-type "~1.0.4"
-    debug "2.6.9"
-    depd "~1.1.1"
-    http-errors "~1.6.2"
-    iconv-lite "0.4.19"
-    on-finished "~2.3.0"
-    qs "6.5.1"
-    raw-body "2.3.2"
-    type-is "~1.6.15"
-
-boom@4.x.x:
-  version "4.3.1"
-  resolved "https://registry.yarnpkg.com/boom/-/boom-4.3.1.tgz#4f8a3005cb4a7e3889f749030fd25b96e01d2e31"
-  integrity sha1-T4owBctKfjiJ90kDD9JbluAdLjE=
-  dependencies:
-    hoek "4.x.x"
-
-boom@5.x.x:
-  version "5.2.0"
-  resolved "https://registry.yarnpkg.com/boom/-/boom-5.2.0.tgz#5dd9da6ee3a5f302077436290cb717d3f4a54e02"
-  integrity sha512-Z5BTk6ZRe4tXXQlkqftmsAUANpXmuwlsF5Oov8ThoMbQRzdGTA1ngYRW160GexgOgjsFOKJz0LYhoNi+2AMBUw==
-  dependencies:
-    hoek "4.x.x"
-
-brace-expansion@^1.0.0, brace-expansion@^1.1.7:
-  version "1.1.11"
-  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
-  integrity sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==
-  dependencies:
-    balanced-match "^1.0.0"
-    concat-map "0.0.1"
-
-braces@^1.8.2:
-  version "1.8.5"
-  resolved "https://registry.yarnpkg.com/braces/-/braces-1.8.5.tgz#ba77962e12dff969d6b76711e914b737857bf6a7"
-  integrity sha1-uneWLhLf+WnWt2cR6RS3N4V79qc=
-  dependencies:
-    expand-range "^1.8.1"
-    preserve "^0.2.0"
-    repeat-element "^1.1.2"
-
-braces@^2.3.0, braces@^2.3.1:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/braces/-/braces-2.3.2.tgz#5979fd3f14cd531565e5fa2df1abfff1dfaee729"
-  integrity sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==
-  dependencies:
-    arr-flatten "^1.1.0"
-    array-unique "^0.3.2"
-    extend-shallow "^2.0.1"
-    fill-range "^4.0.0"
-    isobject "^3.0.1"
-    repeat-element "^1.1.2"
-    snapdragon "^0.8.1"
-    snapdragon-node "^2.0.1"
-    split-string "^3.0.2"
-    to-regex "^3.0.1"
-
-brorand@^1.0.1:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/brorand/-/brorand-1.1.0.tgz#12c25efe40a45e3c323eb8675a0a0ce57b22371f"
-  integrity sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=
-
-browser-sync-ui@v1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/browser-sync-ui/-/browser-sync-ui-1.0.1.tgz#9740527b26d1d7ace259acc0c79e5b5e37d0fdf2"
-  integrity sha512-RIxmwVVcUFhRd1zxp7m2FfLnXHf59x4Gtj8HFwTA//3VgYI3AKkaQAuDL8KDJnE59XqCshxZa13JYuIWtZlKQg==
-  dependencies:
-    async-each-series "0.1.1"
-    connect-history-api-fallback "^1.1.0"
-    immutable "^3.7.6"
-    server-destroy "1.0.1"
-    socket.io-client "2.0.4"
-    stream-throttle "^0.1.3"
-
-browser-sync-webpack-plugin@^1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/browser-sync-webpack-plugin/-/browser-sync-webpack-plugin-1.2.0.tgz#33358dde35121f12cbdab46d4453e67b8357726a"
-  integrity sha512-kPM7BjcZHRa5UjBIdyQbC4HoGprHoZpzlsPDb2P+UaCSmnjonLC3Z9vQBtSmJDghU0KuijkHZ/eLvKF1AyO7zg==
-  dependencies:
-    lodash "^4"
-
-browser-sync@^2.24.6:
-  version "2.24.7"
-  resolved "https://registry.yarnpkg.com/browser-sync/-/browser-sync-2.24.7.tgz#0f93bcaabfb84a35a5c98e07682c9e45c6251a93"
-  integrity sha512-NqXek0cPNEayQm77VGnD+qrwcVBTKMIQ9bdP6IWDRUTU1Bk7tZeq5QR3OG5Rr36Rao1t+Vx1QnfolHvvr5qsTA==
-  dependencies:
-    browser-sync-ui v1.0.1
-    bs-recipes "1.3.4"
-    chokidar "1.7.0"
-    connect "3.6.6"
-    connect-history-api-fallback "^1.5.0"
-    dev-ip "^1.0.1"
-    easy-extender "^2.3.4"
-    eazy-logger "3.0.2"
-    etag "^1.8.1"
-    fresh "^0.5.2"
-    fs-extra "3.0.1"
-    http-proxy "1.15.2"
-    immutable "3.8.2"
-    localtunnel "1.9.0"
-    micromatch "2.3.11"
-    opn "5.3.0"
-    portscanner "2.1.1"
-    qs "6.2.3"
-    raw-body "^2.3.2"
-    resp-modifier "6.0.2"
-    rx "4.1.0"
-    serve-index "1.9.1"
-    serve-static "1.13.2"
-    server-destroy "1.0.1"
-    socket.io "2.1.1"
-    ua-parser-js "0.7.17"
-    yargs "6.4.0"
-
-browserify-aes@^1.0.0, browserify-aes@^1.0.4:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/browserify-aes/-/browserify-aes-1.2.0.tgz#326734642f403dabc3003209853bb70ad428ef48"
-  integrity sha512-+7CHXqGuspUn/Sl5aO7Ea0xWGAtETPXNSAjHo48JfLdPWcMng33Xe4znFvQweqc/uzk5zSOI3H52CYnjCfb5hA==
-  dependencies:
-    buffer-xor "^1.0.3"
-    cipher-base "^1.0.0"
-    create-hash "^1.1.0"
-    evp_bytestokey "^1.0.3"
-    inherits "^2.0.1"
-    safe-buffer "^5.0.1"
-
-browserify-cipher@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/browserify-cipher/-/browserify-cipher-1.0.1.tgz#8d6474c1b870bfdabcd3bcfcc1934a10e94f15f0"
-  integrity sha512-sPhkz0ARKbf4rRQt2hTpAHqn47X3llLkUGn+xEJzLjwY8LRs2p0v7ljvI5EyoRO/mexrNunNECisZs+gw2zz1w==
-  dependencies:
-    browserify-aes "^1.0.4"
-    browserify-des "^1.0.0"
-    evp_bytestokey "^1.0.0"
-
-browserify-des@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/browserify-des/-/browserify-des-1.0.1.tgz#3343124db6d7ad53e26a8826318712bdc8450f9c"
-  integrity sha512-zy0Cobe3hhgpiOM32Tj7KQ3Vl91m0njwsjzZQK1L+JDf11dzP9qIvjreVinsvXrgfjhStXwUWAEpB9D7Gwmayw==
-  dependencies:
-    cipher-base "^1.0.1"
-    des.js "^1.0.0"
-    inherits "^2.0.1"
-
-browserify-rsa@^4.0.0:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/browserify-rsa/-/browserify-rsa-4.0.1.tgz#21e0abfaf6f2029cf2fafb133567a701d4135524"
-  integrity sha1-IeCr+vbyApzy+vsTNWenAdQTVSQ=
-  dependencies:
-    bn.js "^4.1.0"
-    randombytes "^2.0.1"
-
-browserify-sign@^4.0.0:
-  version "4.0.4"
-  resolved "https://registry.yarnpkg.com/browserify-sign/-/browserify-sign-4.0.4.tgz#aa4eb68e5d7b658baa6bf6a57e630cbd7a93d298"
-  integrity sha1-qk62jl17ZYuqa/alfmMMvXqT0pg=
-  dependencies:
-    bn.js "^4.1.1"
-    browserify-rsa "^4.0.0"
-    create-hash "^1.1.0"
-    create-hmac "^1.1.2"
-    elliptic "^6.0.0"
-    inherits "^2.0.1"
-    parse-asn1 "^5.0.0"
-
-browserify-zlib@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/browserify-zlib/-/browserify-zlib-0.2.0.tgz#2869459d9aa3be245fe8fe2ca1f46e2e7f54d73f"
-  integrity sha512-Z942RysHXmJrhqk88FmKBVq/v5tqmSkDz7p54G/MGyjMnCFFnC79XWNbg+Vta8W6Wb2qtSZTSxIGkJrRpCFEiA==
-  dependencies:
-    pako "~1.0.5"
-
-browserslist@^1.3.6, browserslist@^1.5.2, browserslist@^1.7.6:
-  version "1.7.7"
-  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-1.7.7.tgz#0bd76704258be829b2398bb50e4b62d1a166b0b9"
-  integrity sha1-C9dnBCWL6CmyOYu1Dkti0aFmsLk=
-  dependencies:
-    caniuse-db "^1.0.30000639"
-    electron-to-chromium "^1.2.7"
-
-browserslist@^2.0.0, browserslist@^2.11.3:
-  version "2.11.3"
-  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-2.11.3.tgz#fe36167aed1bbcde4827ebfe71347a2cc70b99b2"
-  integrity sha512-yWu5cXT7Av6mVwzWc8lMsJMHWn4xyjSuGYi4IozbVTLUOEYPSagUB8kiMDUHA1fS3zjr8nkxkn9jdvug4BBRmA==
-  dependencies:
-    caniuse-lite "^1.0.30000792"
-    electron-to-chromium "^1.3.30"
-
-browserslist@^3.2.6, browserslist@^3.2.8:
-  version "3.2.8"
-  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-3.2.8.tgz#b0005361d6471f0f5952797a76fc985f1f978fc6"
-  integrity sha512-WHVocJYavUwVgVViC0ORikPHQquXwVh939TaelZ4WDqpWgTX/FsGhl/+P4qBUAGcRvtOgDgC+xftNWWp2RUTAQ==
-  dependencies:
-    caniuse-lite "^1.0.30000844"
-    electron-to-chromium "^1.3.47"
-
-bs-recipes@1.3.4:
-  version "1.3.4"
-  resolved "https://registry.yarnpkg.com/bs-recipes/-/bs-recipes-1.3.4.tgz#0d2d4d48a718c8c044769fdc4f89592dc8b69585"
-  integrity sha1-DS1NSKcYyMBEdp/cT4lZLci2lYU=
-
-buffer-xor@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/buffer-xor/-/buffer-xor-1.0.3.tgz#26e61ed1422fb70dd42e6e36729ed51d855fe8d9"
-  integrity sha1-JuYe0UIvtw3ULm42cp7VHYVf6Nk=
-
-buffer@^4.3.0:
-  version "4.9.1"
-  resolved "https://registry.yarnpkg.com/buffer/-/buffer-4.9.1.tgz#6d1bb601b07a4efced97094132093027c95bc298"
-  integrity sha1-bRu2AbB6TvztlwlBMgkwJ8lbwpg=
-  dependencies:
-    base64-js "^1.0.2"
-    ieee754 "^1.1.4"
-    isarray "^1.0.0"
-
-builtin-modules@^1.0.0:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/builtin-modules/-/builtin-modules-1.1.1.tgz#270f076c5a72c02f5b65a47df94c5fe3a278892f"
-  integrity sha1-Jw8HbFpywC9bZaR9+Uxf46J4iS8=
-
-builtin-status-codes@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz#85982878e21b98e1c66425e03d0174788f569ee8"
-  integrity sha1-hZgoeOIbmOHGZCXgPQF0eI9Wnug=
-
-bytes@3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/bytes/-/bytes-3.0.0.tgz#d32815404d689699f85a4ea4fa8755dd13a96048"
-  integrity sha1-0ygVQE1olpn4Wk6k+odV3ROpYEg=
-
-cache-base@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/cache-base/-/cache-base-1.0.1.tgz#0a7f46416831c8b662ee36fe4e7c59d76f666ab2"
-  integrity sha512-AKcdTnFSWATd5/GCPRxr2ChwIJ85CeyrEyjRHlKxQ56d4XJMGym0uAiKn0xbLOGOl3+yRpOTi484dVCEc5AUzQ==
-  dependencies:
-    collection-visit "^1.0.0"
-    component-emitter "^1.2.1"
-    get-value "^2.0.6"
-    has-value "^1.0.0"
-    isobject "^3.0.1"
-    set-value "^2.0.0"
-    to-object-path "^0.3.0"
-    union-value "^1.0.0"
-    unset-value "^1.0.0"
-
-callsite@1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/callsite/-/callsite-1.0.0.tgz#280398e5d664bd74038b6f0905153e6e8af1bc20"
-  integrity sha1-KAOY5dZkvXQDi28JBRU+borxvCA=
-
-camelcase@^1.0.2:
-  version "1.2.1"
-  resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-1.2.1.tgz#9bb5304d2e0b56698b2c758b08a3eaa9daa58a39"
-  integrity sha1-m7UwTS4LVmmLLHWLCKPqqdqlijk=
-
-camelcase@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-3.0.0.tgz#32fc4b9fcdaf845fcdf7e73bb97cac2261f0ab0a"
-  integrity sha1-MvxLn82vhF/N9+c7uXysImHwqwo=
-
-camelcase@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-4.1.0.tgz#d545635be1e33c542649c69173e5de6acfae34dd"
-  integrity sha1-1UVjW+HjPFQmScaRc+Xeas+uNN0=
-
-caniuse-api@^1.5.2:
-  version "1.6.1"
-  resolved "https://registry.yarnpkg.com/caniuse-api/-/caniuse-api-1.6.1.tgz#b534e7c734c4f81ec5fbe8aca2ad24354b962c6c"
-  integrity sha1-tTTnxzTE+B7F++isoq0kNUuWLGw=
-  dependencies:
-    browserslist "^1.3.6"
-    caniuse-db "^1.0.30000529"
-    lodash.memoize "^4.1.2"
-    lodash.uniq "^4.5.0"
-
-caniuse-db@^1.0.30000529, caniuse-db@^1.0.30000634, caniuse-db@^1.0.30000639:
-  version "1.0.30000851"
-  resolved "https://registry.yarnpkg.com/caniuse-db/-/caniuse-db-1.0.30000851.tgz#8a0d3ca4dde72068560acc98bacf75a359e8d3e3"
-  integrity sha1-ig08pN3nIGhWCsyYus91o1no0+M=
-
-caniuse-lite@^1.0.30000792, caniuse-lite@^1.0.30000805, caniuse-lite@^1.0.30000844, caniuse-lite@^1.0.30000850:
-  version "1.0.30000851"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30000851.tgz#3b498aebf9f92cf6cff4ab54d13b557c0b590533"
-  integrity sha512-Y1ecA1cL9wg0vni8t33nBw/poX8ypm+2c3fbwAESj8cm4ufK9CBFQ1+nUK8Dp5dtFo5Fc3JzkI5DKmQbuIo6hQ==
-
-caseless@~0.12.0:
-  version "0.12.0"
-  resolved "https://registry.yarnpkg.com/caseless/-/caseless-0.12.0.tgz#1b681c21ff84033c826543090689420d187151dc"
-  integrity sha1-G2gcIf+EAzyCZUMJBolCDRhxUdw=
-
-center-align@^0.1.1:
-  version "0.1.3"
-  resolved "https://registry.yarnpkg.com/center-align/-/center-align-0.1.3.tgz#aa0d32629b6ee972200411cbd4461c907bc2b7ad"
-  integrity sha1-qg0yYptu6XIgBBHL1EYckHvCt60=
-  dependencies:
-    align-text "^0.1.3"
-    lazy-cache "^1.0.3"
-
-chalk@^1.1.1, chalk@^1.1.3:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/chalk/-/chalk-1.1.3.tgz#a8115c55e4a702fe4d150abd3872822a7e09fc98"
-  integrity sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=
-  dependencies:
-    ansi-styles "^2.2.1"
-    escape-string-regexp "^1.0.2"
-    has-ansi "^2.0.0"
-    strip-ansi "^3.0.0"
-    supports-color "^2.0.0"
-
-chalk@^2.0.0, chalk@^2.0.1, chalk@^2.4.1:
-  version "2.4.1"
-  resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.4.1.tgz#18c49ab16a037b6eb0152cc83e3471338215b66e"
-  integrity sha512-ObN6h1v2fTJSmUXoS3nMQ92LbDK9be4TV+6G+omQlGJFdcUX5heKi1LZ1YnRMIgwTLEj3E24bT6tYni50rlCfQ==
-  dependencies:
-    ansi-styles "^3.2.1"
-    escape-string-regexp "^1.0.5"
-    supports-color "^5.3.0"
-
-chardet@^0.4.0:
-  version "0.4.2"
-  resolved "https://registry.yarnpkg.com/chardet/-/chardet-0.4.2.tgz#b5473b33dc97c424e5d98dc87d55d4d8a29c8bf2"
-  integrity sha1-tUc7M9yXxCTl2Y3IfVXU2KKci/I=
-
-check-types@^7.3.0:
-  version "7.3.0"
-  resolved "https://registry.yarnpkg.com/check-types/-/check-types-7.3.0.tgz#468f571a4435c24248f5fd0cb0e8d87c3c341e7d"
-  integrity sha1-Ro9XGkQ1wkJI9f0MsOjYfDw0Hn0=
-
-chokidar@1.7.0:
-  version "1.7.0"
-  resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-1.7.0.tgz#798e689778151c8076b4b360e5edd28cda2bb468"
-  integrity sha1-eY5ol3gVHIB2tLNg5e3SjNortGg=
-  dependencies:
-    anymatch "^1.3.0"
-    async-each "^1.0.0"
-    glob-parent "^2.0.0"
-    inherits "^2.0.1"
-    is-binary-path "^1.0.0"
-    is-glob "^2.0.0"
-    path-is-absolute "^1.0.0"
-    readdirp "^2.0.0"
-  optionalDependencies:
-    fsevents "^1.0.0"
-
-chokidar@^2.0.2:
-  version "2.0.3"
-  resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-2.0.3.tgz#dcbd4f6cbb2a55b4799ba8a840ac527e5f4b1176"
-  integrity sha512-zW8iXYZtXMx4kux/nuZVXjkLP+CyIK5Al5FHnj1OgTKGZfp4Oy6/ymtMSKFv3GD8DviEmUPmJg9eFdJ/JzudMg==
-  dependencies:
-    anymatch "^2.0.0"
-    async-each "^1.0.0"
-    braces "^2.3.0"
-    glob-parent "^3.1.0"
-    inherits "^2.0.1"
-    is-binary-path "^1.0.0"
-    is-glob "^4.0.0"
-    normalize-path "^2.1.1"
-    path-is-absolute "^1.0.0"
-    readdirp "^2.0.0"
-    upath "^1.0.0"
-  optionalDependencies:
-    fsevents "^1.1.2"
-
-chownr@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/chownr/-/chownr-1.0.1.tgz#e2a75042a9551908bebd25b8523d5f9769d79181"
-  integrity sha1-4qdQQqlVGQi+vSW4Uj1fl2nXkYE=
-
-cipher-base@^1.0.0, cipher-base@^1.0.1, cipher-base@^1.0.3:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/cipher-base/-/cipher-base-1.0.4.tgz#8760e4ecc272f4c363532f926d874aae2c1397de"
-  integrity sha512-Kkht5ye6ZGmwv40uUDZztayT2ThLQGfnj/T71N/XzeZeo3nf8foyW7zGTsPYkEya3m5f3cAypH+qe7YOrM1U2Q==
-  dependencies:
-    inherits "^2.0.1"
-    safe-buffer "^5.0.1"
-
-clap@^1.0.9:
-  version "1.2.3"
-  resolved "https://registry.yarnpkg.com/clap/-/clap-1.2.3.tgz#4f36745b32008492557f46412d66d50cb99bce51"
-  integrity sha512-4CoL/A3hf90V3VIEjeuhSvlGFEHKzOz+Wfc2IVZc+FaUgU0ZQafJTP49fvnULipOPcAfqhyI2duwQyns6xqjYA==
-  dependencies:
-    chalk "^1.1.3"
-
-class-utils@^0.3.5:
-  version "0.3.6"
-  resolved "https://registry.yarnpkg.com/class-utils/-/class-utils-0.3.6.tgz#f93369ae8b9a7ce02fd41faad0ca83033190c463"
-  integrity sha512-qOhPa/Fj7s6TY8H8esGu5QNpMMQxz79h+urzrNYN6mn+9BnxlDGf5QZ+XeCDsxSjPqsSR56XOZOJmpeurnLMeg==
-  dependencies:
-    arr-union "^3.1.0"
-    define-property "^0.2.5"
-    isobject "^3.0.0"
-    static-extend "^0.1.1"
-
-cli-cursor@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/cli-cursor/-/cli-cursor-2.1.0.tgz#b35dac376479facc3e94747d41d0d0f5238ffcb5"
-  integrity sha1-s12sN2R5+sw+lHR9QdDQ9SOP/LU=
-  dependencies:
-    restore-cursor "^2.0.0"
-
-cli-width@^2.0.0:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/cli-width/-/cli-width-2.2.0.tgz#ff19ede8a9a5e579324147b0c11f0fbcbabed639"
-  integrity sha1-/xnt6Kml5XkyQUewwR8PvLq+1jk=
-
-cliui@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/cliui/-/cliui-2.1.0.tgz#4b475760ff80264c762c3a1719032e91c7fea0d1"
-  integrity sha1-S0dXYP+AJkx2LDoXGQMukcf+oNE=
-  dependencies:
-    center-align "^0.1.1"
-    right-align "^0.1.1"
-    wordwrap "0.0.2"
-
-cliui@^3.2.0:
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/cliui/-/cliui-3.2.0.tgz#120601537a916d29940f934da3b48d585a39213d"
-  integrity sha1-EgYBU3qRbSmUD5NNo7SNWFo5IT0=
-  dependencies:
-    string-width "^1.0.1"
-    strip-ansi "^3.0.1"
-    wrap-ansi "^2.0.0"
-
-clone@^1.0.2:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/clone/-/clone-1.0.4.tgz#da309cc263df15994c688ca902179ca3c7cd7c7e"
-  integrity sha1-2jCcwmPfFZlMaIypAheco8fNfH4=
-
-co@^4.6.0:
-  version "4.6.0"
-  resolved "https://registry.yarnpkg.com/co/-/co-4.6.0.tgz#6ea6bdf3d853ae54ccb8e47bfa0bf3f9031fb184"
-  integrity sha1-bqa989hTrlTMuOR7+gvz+QMfsYQ=
-
-coa@~1.0.1:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/coa/-/coa-1.0.4.tgz#a9ef153660d6a86a8bdec0289a5c684d217432fd"
-  integrity sha1-qe8VNmDWqGqL3sAomlxoTSF0Mv0=
-  dependencies:
-    q "^1.1.2"
-
-code-frame@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/code-frame/-/code-frame-5.0.0.tgz#40030707ec46e1d99d5e52dc9f357fcad90d993d"
-  integrity sha1-QAMHB+xG4dmdXlLcnzV/ytkNmT0=
-  dependencies:
-    left-pad "^1.1.3"
-
-code-point-at@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/code-point-at/-/code-point-at-1.1.0.tgz#0d070b4d043a5bea33a2f1a40e2edb3d9a4ccf77"
-  integrity sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c=
-
-collection-visit@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/collection-visit/-/collection-visit-1.0.0.tgz#4bc0373c164bc3291b4d368c829cf1a80a59dca0"
-  integrity sha1-S8A3PBZLwykbTTaMgpzxqApZ3KA=
-  dependencies:
-    map-visit "^1.0.0"
-    object-visit "^1.0.0"
-
-color-contrast@^0.0.1:
-  version "0.0.1"
-  resolved "https://registry.yarnpkg.com/color-contrast/-/color-contrast-0.0.1.tgz#effaee7b3865acc94e1fd1eb078cde5ff75e38f7"
-  integrity sha1-7/ruezhlrMlOH9HrB4zeX/deOPc=
-  dependencies:
-    onecolor "^3.0.5"
-
-color-convert@^1.3.0, color-convert@^1.8.2, color-convert@^1.9.0, color-convert@^1.9.1:
-  version "1.9.1"
-  resolved "https://registry.yarnpkg.com/color-convert/-/color-convert-1.9.1.tgz#c1261107aeb2f294ebffec9ed9ecad529a6097ed"
-  integrity sha512-mjGanIiwQJskCC18rPR6OmrZ6fm2Lc7PeGFYwCmy5J34wC6F1PzdGL6xeMfmgicfYcNLGuVFA3WzXtIDCQSZxQ==
-  dependencies:
-    color-name "^1.1.1"
-
-color-name@^1.0.0, color-name@^1.1.1:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/color-name/-/color-name-1.1.3.tgz#a7d0558bd89c42f795dd42328f740831ca53bc25"
-  integrity sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=
-
-color-string@^0.3.0:
-  version "0.3.0"
-  resolved "https://registry.yarnpkg.com/color-string/-/color-string-0.3.0.tgz#27d46fb67025c5c2fa25993bfbf579e47841b991"
-  integrity sha1-J9RvtnAlxcL6JZk7+/V55HhBuZE=
-  dependencies:
-    color-name "^1.0.0"
-
-color-string@^1.4.0, color-string@^1.5.2:
-  version "1.5.2"
-  resolved "https://registry.yarnpkg.com/color-string/-/color-string-1.5.2.tgz#26e45814bc3c9a7cbd6751648a41434514a773a9"
-  integrity sha1-JuRYFLw8mny9Z1FkikFDRRSnc6k=
-  dependencies:
-    color-name "^1.0.0"
-    simple-swizzle "^0.2.2"
-
-color@^0.11.0:
-  version "0.11.4"
-  resolved "https://registry.yarnpkg.com/color/-/color-0.11.4.tgz#6d7b5c74fb65e841cd48792ad1ed5e07b904d764"
-  integrity sha1-bXtcdPtl6EHNSHkq0e1eB7kE12Q=
-  dependencies:
-    clone "^1.0.2"
-    color-convert "^1.3.0"
-    color-string "^0.3.0"
-
-color@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/color/-/color-1.0.3.tgz#e48e832d85f14ef694fb468811c2d5cfe729b55d"
-  integrity sha1-5I6DLYXxTvaU+0aIEcLVz+cptV0=
-  dependencies:
-    color-convert "^1.8.2"
-    color-string "^1.4.0"
-
-color@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/color/-/color-2.0.1.tgz#e4ed78a3c4603d0891eba5430b04b86314f4c839"
-  integrity sha512-ubUCVVKfT7r2w2D3qtHakj8mbmKms+tThR8gI8zEYCbUBl8/voqFGt3kgBqGwXAopgXybnkuOq+qMYCRrp4cXw==
-  dependencies:
-    color-convert "^1.9.1"
-    color-string "^1.5.2"
-
-colormin@^1.0.5:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/colormin/-/colormin-1.1.2.tgz#ea2f7420a72b96881a38aae59ec124a6f7298133"
-  integrity sha1-6i90IKcrlogaOKrlnsEkpvcpgTM=
-  dependencies:
-    color "^0.11.0"
-    css-color-names "0.0.4"
-    has "^1.0.1"
-
-colors@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/colors/-/colors-1.1.2.tgz#168a4701756b6a7f51a12ce0c97bfa28c084ed63"
-  integrity sha1-FopHAXVran9RoSzgyXv6KMCE7WM=
-
-combined-stream@1.0.6, combined-stream@~1.0.5:
-  version "1.0.6"
-  resolved "https://registry.yarnpkg.com/combined-stream/-/combined-stream-1.0.6.tgz#723e7df6e801ac5613113a7e445a9b69cb632818"
-  integrity sha1-cj599ugBrFYTETp+RFqbactjKBg=
-  dependencies:
-    delayed-stream "~1.0.0"
-
-commander@^2.18.0:
-  version "2.18.0"
-  resolved "https://registry.yarnpkg.com/commander/-/commander-2.18.0.tgz#2bf063ddee7c7891176981a2cc798e5754bc6970"
-  integrity sha512-6CYPa+JP2ftfRU2qkDK+UTVeQYosOg/2GbcjIcKPHfinyOLPVGXu/ovN86RP49Re5ndJK1N0kuiidFFuepc4ZQ==
-
-commander@^2.2.0:
-  version "2.15.1"
-  resolved "https://registry.yarnpkg.com/commander/-/commander-2.15.1.tgz#df46e867d0fc2aec66a34662b406a9ccafff5b0f"
-  integrity sha512-VlfT9F3V0v+jr4yxPc5gg9s62/fIVWsd2Bk2iD435um1NlGMYdVCq+MjcXnhYq2icNOizHr1kK+5TI6H0Hy0ag==
-
-commondir@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/commondir/-/commondir-1.0.1.tgz#ddd800da0c66127393cca5950ea968a3aaf1253b"
-  integrity sha1-3dgA2gxmEnOTzKWVDqloo6rxJTs=
-
-component-bind@1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/component-bind/-/component-bind-1.0.0.tgz#00c608ab7dcd93897c0009651b1d3a8e1e73bbd1"
-  integrity sha1-AMYIq33Nk4l8AAllGx06jh5zu9E=
-
-component-cookie@^1.1.2:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/component-cookie/-/component-cookie-1.1.3.tgz#053e14a3bd7748154f55724fd39a60c01994ebed"
-  integrity sha1-BT4Uo713SBVPVXJP05pgwBmU6+0=
-  dependencies:
-    debug "*"
-
-component-emitter@1.2.1, component-emitter@^1.2.1:
-  version "1.2.1"
-  resolved "https://registry.yarnpkg.com/component-emitter/-/component-emitter-1.2.1.tgz#137918d6d78283f7df7a6b7c5a63e140e69425e6"
-  integrity sha1-E3kY1teCg/ffemt8WmPhQOaUJeY=
-
-component-inherit@0.0.3:
-  version "0.0.3"
-  resolved "https://registry.yarnpkg.com/component-inherit/-/component-inherit-0.0.3.tgz#645fc4adf58b72b649d5cae65135619db26ff143"
-  integrity sha1-ZF/ErfWLcrZJ1crmUTVhnbJv8UM=
-
-component-url@^0.2.1:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/component-url/-/component-url-0.2.1.tgz#4e4f4799c43ead9fd3ce91b5a305d220208fee47"
-  integrity sha1-Tk9HmcQ+rZ/TzpG1owXSICCP7kc=
-
-concat-map@0.0.1:
-  version "0.0.1"
-  resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"
-  integrity sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=
-
-connect-history-api-fallback@^1.1.0, connect-history-api-fallback@^1.5.0:
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/connect-history-api-fallback/-/connect-history-api-fallback-1.5.0.tgz#b06873934bc5e344fef611a196a6faae0aee015a"
-  integrity sha1-sGhzk0vF40T+9hGhlqb6rgruAVo=
-
-connect@3.6.6:
-  version "3.6.6"
-  resolved "https://registry.yarnpkg.com/connect/-/connect-3.6.6.tgz#09eff6c55af7236e137135a72574858b6786f524"
-  integrity sha1-Ce/2xVr3I24TcTWnJXSFi2eG9SQ=
-  dependencies:
-    debug "2.6.9"
-    finalhandler "1.1.0"
-    parseurl "~1.3.2"
-    utils-merge "1.0.1"
-
-console-browserify@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/console-browserify/-/console-browserify-1.1.0.tgz#f0241c45730a9fc6323b206dbf38edc741d0bb10"
-  integrity sha1-8CQcRXMKn8YyOyBtvzjtx0HQuxA=
-  dependencies:
-    date-now "^0.1.4"
-
-console-control-strings@^1.0.0, console-control-strings@~1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/console-control-strings/-/console-control-strings-1.1.0.tgz#3d7cf4464db6446ea644bf4b39507f9851008e8e"
-  integrity sha1-PXz0Rk22RG6mRL9LOVB/mFEAjo4=
-
-constants-browserify@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/constants-browserify/-/constants-browserify-1.0.0.tgz#c20b96d8c617748aaf1c16021760cd27fcb8cb75"
-  integrity sha1-wguW2MYXdIqvHBYCF2DNJ/y4y3U=
-
-content-disposition@0.5.2:
-  version "0.5.2"
-  resolved "https://registry.yarnpkg.com/content-disposition/-/content-disposition-0.5.2.tgz#0cf68bb9ddf5f2be7961c3a85178cb85dba78cb4"
-  integrity sha1-DPaLud318r55YcOoUXjLhdunjLQ=
-
-content-type@~1.0.4:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz#e138cc75e040c727b1966fe5e5f8c9aee256fe3b"
-  integrity sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==
-
-convert-source-map@^1.5.0, convert-source-map@^1.5.1:
-  version "1.5.1"
-  resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-1.5.1.tgz#b8278097b9bc229365de5c62cf5fcaed8b5599e5"
-  integrity sha1-uCeAl7m8IpNl3lxiz1/K7YtVmeU=
-
-cookie-signature@1.0.6:
-  version "1.0.6"
-  resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.6.tgz#e303a882b342cc3ee8ca513a79999734dab3ae2c"
-  integrity sha1-4wOogrNCzD7oylE6eZmXNNqzriw=
-
-cookie@0.3.1:
-  version "0.3.1"
-  resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.3.1.tgz#e7e0a1f9ef43b4c8ba925c5c5a96e806d16873bb"
-  integrity sha1-5+Ch+e9DtMi6klxcWpboBtFoc7s=
-
-copy-descriptor@^0.1.0:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/copy-descriptor/-/copy-descriptor-0.1.1.tgz#676f6eb3c39997c2ee1ac3a924fd6124748f578d"
-  integrity sha1-Z29us8OZl8LuGsOpJP1hJHSPV40=
-
-core-js@^1.0.0:
-  version "1.2.7"
-  resolved "https://registry.yarnpkg.com/core-js/-/core-js-1.2.7.tgz#652294c14651db28fa93bd2d5ff2983a4f08c636"
-  integrity sha1-ZSKUwUZR2yj6k70tX/KYOk8IxjY=
-
-core-js@^2.4.0, core-js@^2.5.0:
-  version "2.5.7"
-  resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.5.7.tgz#f972608ff0cead68b841a16a932d0b183791814e"
-  integrity sha512-RszJCAxg/PP6uzXVXL6BsxSXx/B05oJAQ2vkJRjyjrEcNVycaqOmNb5OTxZPE3xa5gwZduqza6L9JOCenh/Ecw==
-
-core-util-is@1.0.2, core-util-is@~1.0.0:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.2.tgz#b5fd54220aa2bc5ab57aab7140c940754503c1a7"
-  integrity sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=
-
-cosmiconfig@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/cosmiconfig/-/cosmiconfig-4.0.0.tgz#760391549580bbd2df1e562bc177b13c290972dc"
-  integrity sha512-6e5vDdrXZD+t5v0L8CrurPeybg4Fmf+FCSYxXKYVAqLUtyCSbuyqE059d0kDthTNRzKVjL7QMgNpEUlsoYH3iQ==
-  dependencies:
-    is-directory "^0.3.1"
-    js-yaml "^3.9.0"
-    parse-json "^4.0.0"
-    require-from-string "^2.0.1"
-
-create-ecdh@^4.0.0:
-  version "4.0.3"
-  resolved "https://registry.yarnpkg.com/create-ecdh/-/create-ecdh-4.0.3.tgz#c9111b6f33045c4697f144787f9254cdc77c45ff"
-  integrity sha512-GbEHQPMOswGpKXM9kCWVrremUcBmjteUaQ01T9rkKCPDXfUHX0IoP9LpHYo2NPFampa4e+/pFDc3jQdxrxQLaw==
-  dependencies:
-    bn.js "^4.1.0"
-    elliptic "^6.0.0"
-
-create-emotion-styled@^9.2.1:
-  version "9.2.1"
-  resolved "https://registry.yarnpkg.com/create-emotion-styled/-/create-emotion-styled-9.2.1.tgz#73eb9ac73e5c915d8035942bde7e8e012ed7e97b"
-  integrity sha1-c+uaxz5ckV2ANZQr3n6OAS7X6Xs=
-  dependencies:
-    "@emotion/is-prop-valid" "^0.6.1"
-
-create-emotion@^9.2.1:
-  version "9.2.1"
-  resolved "https://registry.yarnpkg.com/create-emotion/-/create-emotion-9.2.1.tgz#1316189d53bf65cf191a59d3ac6ecb6f4e13e020"
-  integrity sha1-ExYYnVO/Zc8ZGlnTrG7Lb04T4CA=
-  dependencies:
-    "@emotion/hash" "^0.6.2"
-    "@emotion/memoize" "^0.6.1"
-    "@emotion/stylis" "^0.6.5"
-    "@emotion/unitless" "^0.6.2"
-    csstype "^2.5.2"
-    stylis "^3.5.0"
-    stylis-rule-sheet "^0.0.10"
-
-create-hash@^1.1.0, create-hash@^1.1.2:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/create-hash/-/create-hash-1.2.0.tgz#889078af11a63756bcfb59bd221996be3a9ef196"
-  integrity sha512-z00bCGNHDG8mHAkP7CtT1qVu+bFQUPjYq/4Iv3C3kWjTFV10zIjfSoeqXo9Asws8gwSHDGj/hl2u4OGIjapeCg==
-  dependencies:
-    cipher-base "^1.0.1"
-    inherits "^2.0.1"
-    md5.js "^1.3.4"
-    ripemd160 "^2.0.1"
-    sha.js "^2.4.0"
-
-create-hmac@^1.1.0, create-hmac@^1.1.2, create-hmac@^1.1.4:
-  version "1.1.7"
-  resolved "https://registry.yarnpkg.com/create-hmac/-/create-hmac-1.1.7.tgz#69170c78b3ab957147b2b8b04572e47ead2243ff"
-  integrity sha512-MJG9liiZ+ogc4TzUwuvbER1JRdgvUFSB5+VR/g5h82fGaIRWMWddtKBHi7/sVhfjQZ6SehlyhvQYrcYkaUIpLg==
-  dependencies:
-    cipher-base "^1.0.3"
-    create-hash "^1.1.0"
-    inherits "^2.0.1"
-    ripemd160 "^2.0.0"
-    safe-buffer "^5.0.1"
-    sha.js "^2.4.8"
-
-cross-spawn@^5.0.1:
-  version "5.1.0"
-  resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-5.1.0.tgz#e8bd0efee58fcff6f8f94510a0a554bbfa235449"
-  integrity sha1-6L0O/uWPz/b4+UUQoKVUu/ojVEk=
-  dependencies:
-    lru-cache "^4.0.1"
-    shebang-command "^1.2.0"
-    which "^1.2.9"
-
-cryptiles@3.x.x:
-  version "3.1.2"
-  resolved "https://registry.yarnpkg.com/cryptiles/-/cryptiles-3.1.2.tgz#a89fbb220f5ce25ec56e8c4aa8a4fd7b5b0d29fe"
-  integrity sha1-qJ+7Ig9c4l7FboxKqKT9e1sNKf4=
-  dependencies:
-    boom "5.x.x"
-
-crypto-browserify@^3.11.0:
-  version "3.12.0"
-  resolved "https://registry.yarnpkg.com/crypto-browserify/-/crypto-browserify-3.12.0.tgz#396cf9f3137f03e4b8e532c58f698254e00f80ec"
-  integrity sha512-fz4spIh+znjO2VjL+IdhEpRJ3YN6sMzITSBijk6FK2UvTqruSQW+/cCZTSNsMiZNvUeq0CqurF+dAbyiGOY6Wg==
-  dependencies:
-    browserify-cipher "^1.0.0"
-    browserify-sign "^4.0.0"
-    create-ecdh "^4.0.0"
-    create-hash "^1.1.0"
-    create-hmac "^1.1.0"
-    diffie-hellman "^5.0.0"
-    inherits "^2.0.1"
-    pbkdf2 "^3.0.3"
-    public-encrypt "^4.0.0"
-    randombytes "^2.0.0"
-    randomfill "^1.0.3"
-
-css-color-function@~1.3.3:
-  version "1.3.3"
-  resolved "https://registry.yarnpkg.com/css-color-function/-/css-color-function-1.3.3.tgz#8ed24c2c0205073339fafa004bc8c141fccb282e"
-  integrity sha1-jtJMLAIFBzM5+voAS8jBQfzLKC4=
-  dependencies:
-    balanced-match "0.1.0"
-    color "^0.11.0"
-    debug "^3.1.0"
-    rgb "~0.1.0"
-
-css-color-names@0.0.4:
-  version "0.0.4"
-  resolved "https://registry.yarnpkg.com/css-color-names/-/css-color-names-0.0.4.tgz#808adc2e79cf84738069b646cb20ec27beb629e0"
-  integrity sha1-gIrcLnnPhHOAabZGyyDsJ762KeA=
-
-css-unit-converter@^1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/css-unit-converter/-/css-unit-converter-1.1.1.tgz#d9b9281adcfd8ced935bdbaba83786897f64e996"
-  integrity sha1-2bkoGtz9jO2TW9urqDeGiX9k6ZY=
-
-cssnano@^3.7.4:
-  version "3.10.0"
-  resolved "https://registry.yarnpkg.com/cssnano/-/cssnano-3.10.0.tgz#4f38f6cea2b9b17fa01490f23f1dc68ea65c1c38"
-  integrity sha1-Tzj2zqK5sX+gFJDyPx3GjqZcHDg=
-  dependencies:
-    autoprefixer "^6.3.1"
-    decamelize "^1.1.2"
-    defined "^1.0.0"
-    has "^1.0.1"
-    object-assign "^4.0.1"
-    postcss "^5.0.14"
-    postcss-calc "^5.2.0"
-    postcss-colormin "^2.1.8"
-    postcss-convert-values "^2.3.4"
-    postcss-discard-comments "^2.0.4"
-    postcss-discard-duplicates "^2.0.1"
-    postcss-discard-empty "^2.0.1"
-    postcss-discard-overridden "^0.1.1"
-    postcss-discard-unused "^2.2.1"
-    postcss-filter-plugins "^2.0.0"
-    postcss-merge-idents "^2.1.5"
-    postcss-merge-longhand "^2.0.1"
-    postcss-merge-rules "^2.0.3"
-    postcss-minify-font-values "^1.0.2"
-    postcss-minify-gradients "^1.0.1"
-    postcss-minify-params "^1.0.4"
-    postcss-minify-selectors "^2.0.4"
-    postcss-normalize-charset "^1.1.0"
-    postcss-normalize-url "^3.0.7"
-    postcss-ordered-values "^2.1.0"
-    postcss-reduce-idents "^2.2.2"
-    postcss-reduce-initial "^1.0.0"
-    postcss-reduce-transforms "^1.0.3"
-    postcss-svgo "^2.1.1"
-    postcss-unique-selectors "^2.0.2"
-    postcss-value-parser "^3.2.3"
-    postcss-zindex "^2.0.1"
-
-csso@~2.3.1:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/csso/-/csso-2.3.2.tgz#ddd52c587033f49e94b71fc55569f252e8ff5f85"
-  integrity sha1-3dUsWHAz9J6Utx/FVWnyUuj/X4U=
-  dependencies:
-    clap "^1.0.9"
-    source-map "^0.5.3"
-
-csstype@^2.5.2:
-  version "2.5.3"
-  resolved "https://registry.yarnpkg.com/csstype/-/csstype-2.5.3.tgz#2504152e6e1cc59b32098b7f5d6a63f16294c1f7"
-  integrity sha512-G5HnoK8nOiAq3DXIEoY2n/8Vb7Lgrms+jGJl8E4EJpQEeVONEnPFJSl8IK505wPBoxxtrtHhrRm4WX2GgdqarA==
-
-d@1:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/d/-/d-1.0.0.tgz#754bb5bfe55451da69a58b94d45f4c5b0462d58f"
-  integrity sha1-dUu1v+VUUdpppYuU1F9MWwRi1Y8=
-  dependencies:
-    es5-ext "^0.10.9"
-
-dashdash@^1.12.0:
-  version "1.14.1"
-  resolved "https://registry.yarnpkg.com/dashdash/-/dashdash-1.14.1.tgz#853cfa0f7cbe2fed5de20326b8dd581035f6e2f0"
-  integrity sha1-hTz6D3y+L+1d4gMmuN1YEDX24vA=
-  dependencies:
-    assert-plus "^1.0.0"
-
-date-now@^0.1.4:
-  version "0.1.4"
-  resolved "https://registry.yarnpkg.com/date-now/-/date-now-0.1.4.tgz#eaf439fd4d4848ad74e5cc7dbef200672b9e345b"
-  integrity sha1-6vQ5/U1ISK105cx9vvIAZyueNFs=
-
-debug@*, debug@^3.0.0, debug@^3.1.0, debug@~3.1.0:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/debug/-/debug-3.1.0.tgz#5bb5a0672628b64149566ba16819e61518c67261"
-  integrity sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==
-  dependencies:
-    ms "2.0.0"
-
-debug@2.6.8:
-  version "2.6.8"
-  resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.8.tgz#e731531ca2ede27d188222427da17821d68ff4fc"
-  integrity sha1-5zFTHKLt4n0YgiJCfaF4IdaP9Pw=
-  dependencies:
-    ms "2.0.0"
-
-debug@2.6.9, debug@^2.1.2, debug@^2.2.0, debug@^2.3.3, debug@^2.6.8, debug@^2.6.9, debug@~2.6.4:
-  version "2.6.9"
-  resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.9.tgz#5d128515df134ff327e90a4c93f4e077a536341f"
-  integrity sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==
-  dependencies:
-    ms "2.0.0"
-
-decamelize@^1.0.0, decamelize@^1.1.1, decamelize@^1.1.2:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/decamelize/-/decamelize-1.2.0.tgz#f6534d15148269b20352e7bee26f501f9a191290"
-  integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=
-
-decode-uri-component@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545"
-  integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=
-
-deep-extend@^0.6.0:
-  version "0.6.0"
-  resolved "https://registry.yarnpkg.com/deep-extend/-/deep-extend-0.6.0.tgz#c4fa7c95404a17a9c3e8ca7e1537312b736330ac"
-  integrity sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==
-
-define-property@^0.2.5:
-  version "0.2.5"
-  resolved "https://registry.yarnpkg.com/define-property/-/define-property-0.2.5.tgz#c35b1ef918ec3c990f9a5bc57be04aacec5c8116"
-  integrity sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=
-  dependencies:
-    is-descriptor "^0.1.0"
-
-define-property@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/define-property/-/define-property-1.0.0.tgz#769ebaaf3f4a63aad3af9e8d304c9bbe79bfb0e6"
-  integrity sha1-dp66rz9KY6rTr56NMEybvnm/sOY=
-  dependencies:
-    is-descriptor "^1.0.0"
-
-define-property@^2.0.2:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/define-property/-/define-property-2.0.2.tgz#d459689e8d654ba77e02a817f8710d702cb16e9d"
-  integrity sha512-jwK2UV4cnPpbcG7+VRARKTZPUWowwXA8bzH5NP6ud0oeAxyYPuGZUAC7hMugpCdz4BeSZl2Dl9k66CHJ/46ZYQ==
-  dependencies:
-    is-descriptor "^1.0.2"
-    isobject "^3.0.1"
-
-defined@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/defined/-/defined-1.0.0.tgz#c98d9bcef75674188e110969151199e39b1fa693"
-  integrity sha1-yY2bzvdWdBiOEQlpFRGZ45sfppM=
-
-delayed-stream@~1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-1.0.0.tgz#df3ae199acadfb7d440aaae0b29e2272b24ec619"
-  integrity sha1-3zrhmayt+31ECqrgsp4icrJOxhk=
-
-delegates@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/delegates/-/delegates-1.0.0.tgz#84c6e159b81904fdca59a0ef44cd870d31250f9a"
-  integrity sha1-hMbhWbgZBP3KWaDvRM2HDTElD5o=
-
-depd@1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/depd/-/depd-1.1.1.tgz#5783b4e1c459f06fa5ca27f991f3d06e7a310359"
-  integrity sha1-V4O04cRZ8G+lyif5kfPQbnoxA1k=
-
-depd@~1.1.1, depd@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/depd/-/depd-1.1.2.tgz#9bcd52e14c097763e749b274c4346ed2e560b5a9"
-  integrity sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=
-
-des.js@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/des.js/-/des.js-1.0.0.tgz#c074d2e2aa6a8a9a07dbd61f9a15c2cd83ec8ecc"
-  integrity sha1-wHTS4qpqipoH29YfmhXCzYPsjsw=
-  dependencies:
-    inherits "^2.0.1"
-    minimalistic-assert "^1.0.0"
-
-destroy@~1.0.4:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/destroy/-/destroy-1.0.4.tgz#978857442c44749e4206613e37946205826abd80"
-  integrity sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA=
-
-detect-indent@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/detect-indent/-/detect-indent-4.0.0.tgz#f76d064352cdf43a1cb6ce619c4ee3a9475de208"
-  integrity sha1-920GQ1LN9Docts5hnE7jqUdd4gg=
-  dependencies:
-    repeating "^2.0.0"
-
-detect-libc@^1.0.2:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/detect-libc/-/detect-libc-1.0.3.tgz#fa137c4bd698edf55cd5cd02ac559f91a4c4ba9b"
-  integrity sha1-+hN8S9aY7fVc1c0CrFWfkaTEups=
-
-dev-ip@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/dev-ip/-/dev-ip-1.0.1.tgz#a76a3ed1855be7a012bb8ac16cb80f3c00dc28f0"
-  integrity sha1-p2o+0YVb56ASu4rBbLgPPADcKPA=
-
-diffie-hellman@^5.0.0:
-  version "5.0.3"
-  resolved "https://registry.yarnpkg.com/diffie-hellman/-/diffie-hellman-5.0.3.tgz#40e8ee98f55a2149607146921c63e1ae5f3d2875"
-  integrity sha512-kqag/Nl+f3GwyK25fhUMYj81BUOrZ9IuJsjIcDE5icNM9FJHAVm3VcUDxdLPoQtTuUylWm6ZIknYJwwaPxsUzg==
-  dependencies:
-    bn.js "^4.1.0"
-    miller-rabin "^4.0.0"
-    randombytes "^2.0.0"
-
-domain-browser@^1.1.1:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/domain-browser/-/domain-browser-1.2.0.tgz#3d31f50191a6749dd1375a7f522e823d42e54eda"
-  integrity sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA==
-
-duplexer@^0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/duplexer/-/duplexer-0.1.1.tgz#ace6ff808c1ce66b57d1ebf97977acb02334cfc1"
-  integrity sha1-rOb/gIwc5mtX0ev5eXessCM0z8E=
-
-easy-extender@^2.3.4:
-  version "2.3.4"
-  resolved "https://registry.yarnpkg.com/easy-extender/-/easy-extender-2.3.4.tgz#298789b64f9aaba62169c77a2b3b64b4c9589b8f"
-  integrity sha512-8cAwm6md1YTiPpOvDULYJL4ZS6WfM5/cTeVVh4JsvyYZAoqlRVUpHL9Gr5Fy7HA6xcSZicUia3DeAgO3Us8E+Q==
-  dependencies:
-    lodash "^4.17.10"
-
-eazy-logger@3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/eazy-logger/-/eazy-logger-3.0.2.tgz#a325aa5e53d13a2225889b2ac4113b2b9636f4fc"
-  integrity sha1-oyWqXlPROiIliJsqxBE7K5Y29Pw=
-  dependencies:
-    tfunk "^3.0.1"
-
-ecc-jsbn@~0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/ecc-jsbn/-/ecc-jsbn-0.1.1.tgz#0fc73a9ed5f0d53c38193398523ef7e543777505"
-  integrity sha1-D8c6ntXw1Tw4GTOYUj735UN3dQU=
-  dependencies:
-    jsbn "~0.1.0"
-
-ee-first@1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/ee-first/-/ee-first-1.1.1.tgz#590c61156b0ae2f4f0255732a158b266bc56b21d"
-  integrity sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0=
-
-ejs@^2.3.1, ejs@^2.6.1:
-  version "2.6.1"
-  resolved "https://registry.yarnpkg.com/ejs/-/ejs-2.6.1.tgz#498ec0d495655abc6f23cd61868d926464071aa0"
-  integrity sha512-0xy4A/twfrRCnkhfk8ErDi5DqdAsAqeGxht4xkCUrsvhhbQNs7E+4jV0CN7+NKIY0aHE72+XvqtBIXzD31ZbXQ==
-
-electron-to-chromium@^1.2.7, electron-to-chromium@^1.3.30, electron-to-chromium@^1.3.47:
-  version "1.3.48"
-  resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.3.48.tgz#d3b0d8593814044e092ece2108fc3ac9aea4b900"
-  integrity sha1-07DYWTgUBE4JLs4hCPw6ya6kuQA=
-
-elliptic@^6.0.0:
-  version "6.4.0"
-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.4.0.tgz#cac9af8762c85836187003c8dfe193e5e2eae5df"
-  integrity sha1-ysmvh2LIWDYYcAPI3+GT5eLq5d8=
-  dependencies:
-    bn.js "^4.4.0"
-    brorand "^1.0.1"
-    hash.js "^1.0.0"
-    hmac-drbg "^1.0.0"
-    inherits "^2.0.1"
-    minimalistic-assert "^1.0.0"
-    minimalistic-crypto-utils "^1.0.0"
-
-emojis-list@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/emojis-list/-/emojis-list-2.1.0.tgz#4daa4d9db00f9819880c79fa457ae5b09a1fd389"
-  integrity sha1-TapNnbAPmBmIDHn6RXrlsJof04k=
-
-emotion@^9.1.2:
-  version "9.2.1"
-  resolved "https://registry.yarnpkg.com/emotion/-/emotion-9.2.1.tgz#d2aa77b22945d9f40ea9b5ac6bdac42cec35610a"
-  integrity sha1-0qp3silF2fQOqbWsa9rELOw1YQo=
-  dependencies:
-    babel-plugin-emotion "^9.2.0"
-    create-emotion "^9.2.1"
-
-encodeurl@~1.0.1, encodeurl@~1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-1.0.2.tgz#ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59"
-  integrity sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k=
-
-encoding@^0.1.11:
-  version "0.1.12"
-  resolved "https://registry.yarnpkg.com/encoding/-/encoding-0.1.12.tgz#538b66f3ee62cd1ab51ec323829d1f9480c74beb"
-  integrity sha1-U4tm8+5izRq1HsMjgp0flIDHS+s=
-  dependencies:
-    iconv-lite "~0.4.13"
-
-engine.io-client@~3.1.0:
-  version "3.1.6"
-  resolved "https://registry.yarnpkg.com/engine.io-client/-/engine.io-client-3.1.6.tgz#5bdeb130f8b94a50ac5cbeb72583e7a4a063ddfd"
-  integrity sha512-hnuHsFluXnsKOndS4Hv6SvUrgdYx1pk2NqfaDMW+GWdgfU3+/V25Cj7I8a0x92idSpa5PIhJRKxPvp9mnoLsfg==
-  dependencies:
-    component-emitter "1.2.1"
-    component-inherit "0.0.3"
-    debug "~3.1.0"
-    engine.io-parser "~2.1.1"
-    has-cors "1.1.0"
-    indexof "0.0.1"
-    parseqs "0.0.5"
-    parseuri "0.0.5"
-    ws "~3.3.1"
-    xmlhttprequest-ssl "~1.5.4"
-    yeast "0.1.2"
-
-engine.io-client@~3.2.0:
-  version "3.2.1"
-  resolved "https://registry.yarnpkg.com/engine.io-client/-/engine.io-client-3.2.1.tgz#6f54c0475de487158a1a7c77d10178708b6add36"
-  integrity sha512-y5AbkytWeM4jQr7m/koQLc5AxpRKC1hEVUb/s1FUAWEJq5AzJJ4NLvzuKPuxtDi5Mq755WuDvZ6Iv2rXj4PTzw==
-  dependencies:
-    component-emitter "1.2.1"
-    component-inherit "0.0.3"
-    debug "~3.1.0"
-    engine.io-parser "~2.1.1"
-    has-cors "1.1.0"
-    indexof "0.0.1"
-    parseqs "0.0.5"
-    parseuri "0.0.5"
-    ws "~3.3.1"
-    xmlhttprequest-ssl "~1.5.4"
-    yeast "0.1.2"
-
-engine.io-parser@~2.1.0, engine.io-parser@~2.1.1:
-  version "2.1.2"
-  resolved "https://registry.yarnpkg.com/engine.io-parser/-/engine.io-parser-2.1.2.tgz#4c0f4cff79aaeecbbdcfdea66a823c6085409196"
-  integrity sha512-dInLFzr80RijZ1rGpx1+56/uFoH7/7InhH3kZt+Ms6hT8tNx3NGW/WNSA/f8As1WkOfkuyb3tnRyuXGxusclMw==
-  dependencies:
-    after "0.8.2"
-    arraybuffer.slice "~0.0.7"
-    base64-arraybuffer "0.1.5"
-    blob "0.0.4"
-    has-binary2 "~1.0.2"
-
-engine.io@~3.2.0:
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/engine.io/-/engine.io-3.2.0.tgz#54332506f42f2edc71690d2f2a42349359f3bf7d"
-  integrity sha512-mRbgmAtQ4GAlKwuPnnAvXXwdPhEx+jkc0OBCLrXuD/CRvwNK3AxRSnqK4FSqmAMRRHryVJP8TopOvmEaA64fKw==
-  dependencies:
-    accepts "~1.3.4"
-    base64id "1.0.0"
-    cookie "0.3.1"
-    debug "~3.1.0"
-    engine.io-parser "~2.1.0"
-    ws "~3.3.1"
-
-enhanced-resolve@^3.4.0:
-  version "3.4.1"
-  resolved "https://registry.yarnpkg.com/enhanced-resolve/-/enhanced-resolve-3.4.1.tgz#0421e339fd71419b3da13d129b3979040230476e"
-  integrity sha1-BCHjOf1xQZs9oT0Smzl5BAIwR24=
-  dependencies:
-    graceful-fs "^4.1.2"
-    memory-fs "^0.4.0"
-    object-assign "^4.0.1"
-    tapable "^0.2.7"
-
-errno@^0.1.3:
-  version "0.1.7"
-  resolved "https://registry.yarnpkg.com/errno/-/errno-0.1.7.tgz#4684d71779ad39af177e3f007996f7c67c852618"
-  integrity sha512-MfrRBDWzIWifgq6tJj60gkAwtLNb6sQPlcFrSOflcP1aFmmruKQ2wRnze/8V6kgyz7H3FF8Npzv78mZ7XLLflg==
-  dependencies:
-    prr "~1.0.1"
-
-error-ex@^1.2.0, error-ex@^1.3.1:
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/error-ex/-/error-ex-1.3.1.tgz#f855a86ce61adc4e8621c3cda21e7a7612c3a8dc"
-  integrity sha1-+FWobOYa3E6GIcPNoh56dhLDqNw=
-  dependencies:
-    is-arrayish "^0.2.1"
-
-es5-ext@^0.10.14, es5-ext@^0.10.35, es5-ext@^0.10.9, es5-ext@~0.10.14:
-  version "0.10.45"
-  resolved "https://registry.yarnpkg.com/es5-ext/-/es5-ext-0.10.45.tgz#0bfdf7b473da5919d5adf3bd25ceb754fccc3653"
-  integrity sha512-FkfM6Vxxfmztilbxxz5UKSD4ICMf5tSpRFtDNtkAhOxZ0EKtX6qwmXNyH/sFyIbX2P/nU5AMiA9jilWsUGJzCQ==
-  dependencies:
-    es6-iterator "~2.0.3"
-    es6-symbol "~3.1.1"
-    next-tick "1"
-
-es6-iterator@^2.0.1, es6-iterator@~2.0.1, es6-iterator@~2.0.3:
-  version "2.0.3"
-  resolved "https://registry.yarnpkg.com/es6-iterator/-/es6-iterator-2.0.3.tgz#a7de889141a05a94b0854403b2d0a0fbfa98f3b7"
-  integrity sha1-p96IkUGgWpSwhUQDstCg+/qY87c=
-  dependencies:
-    d "1"
-    es5-ext "^0.10.35"
-    es6-symbol "^3.1.1"
-
-es6-map@^0.1.3:
-  version "0.1.5"
-  resolved "https://registry.yarnpkg.com/es6-map/-/es6-map-0.1.5.tgz#9136e0503dcc06a301690f0bb14ff4e364e949f0"
-  integrity sha1-kTbgUD3MBqMBaQ8LsU/042TpSfA=
-  dependencies:
-    d "1"
-    es5-ext "~0.10.14"
-    es6-iterator "~2.0.1"
-    es6-set "~0.1.5"
-    es6-symbol "~3.1.1"
-    event-emitter "~0.3.5"
-
-es6-set@~0.1.5:
-  version "0.1.5"
-  resolved "https://registry.yarnpkg.com/es6-set/-/es6-set-0.1.5.tgz#d2b3ec5d4d800ced818db538d28974db0a73ccb1"
-  integrity sha1-0rPsXU2ADO2BjbU40ol02wpzzLE=
-  dependencies:
-    d "1"
-    es5-ext "~0.10.14"
-    es6-iterator "~2.0.1"
-    es6-symbol "3.1.1"
-    event-emitter "~0.3.5"
-
-es6-symbol@3.1.1, es6-symbol@^3.1.1, es6-symbol@~3.1.1:
-  version "3.1.1"
-  resolved "https://registry.yarnpkg.com/es6-symbol/-/es6-symbol-3.1.1.tgz#bf00ef4fdab6ba1b46ecb7b629b4c7ed5715cc77"
-  integrity sha1-vwDvT9q2uhtG7Le2KbTH7VcVzHc=
-  dependencies:
-    d "1"
-    es5-ext "~0.10.14"
-
-es6-weak-map@^2.0.1:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/es6-weak-map/-/es6-weak-map-2.0.2.tgz#5e3ab32251ffd1538a1f8e5ffa1357772f92d96f"
-  integrity sha1-XjqzIlH/0VOKH45f+hNXdy+S2W8=
-  dependencies:
-    d "1"
-    es5-ext "^0.10.14"
-    es6-iterator "^2.0.1"
-    es6-symbol "^3.1.1"
-
-escape-html@~1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988"
-  integrity sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=
-
-escape-string-regexp@^1.0.2, escape-string-regexp@^1.0.5:
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz#1b61c0562190a8dff6ae3bb2cf0200ca130b86d4"
-  integrity sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=
-
-escope@^3.6.0:
-  version "3.6.0"
-  resolved "https://registry.yarnpkg.com/escope/-/escope-3.6.0.tgz#e01975e812781a163a6dadfdd80398dc64c889c3"
-  integrity sha1-4Bl16BJ4GhY6ba392AOY3GTIicM=
-  dependencies:
-    es6-map "^0.1.3"
-    es6-weak-map "^2.0.1"
-    esrecurse "^4.1.0"
-    estraverse "^4.1.1"
-
-esprima@^2.6.0:
-  version "2.7.3"
-  resolved "https://registry.yarnpkg.com/esprima/-/esprima-2.7.3.tgz#96e3b70d5779f6ad49cd032673d1c312767ba581"
-  integrity sha1-luO3DVd59q1JzQMmc9HDEnZ7pYE=
-
-esprima@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/esprima/-/esprima-4.0.0.tgz#4499eddcd1110e0b218bacf2fa7f7f59f55ca804"
-  integrity sha512-oftTcaMu/EGrEIu904mWteKIv8vMuOgGYo7EhVJJN00R/EED9DCua/xxHRdYnKtcECzVg7xOWhflvJMnqcFZjw==
-
-esrecurse@^4.1.0:
-  version "4.2.1"
-  resolved "https://registry.yarnpkg.com/esrecurse/-/esrecurse-4.2.1.tgz#007a3b9fdbc2b3bb87e4879ea19c92fdbd3942cf"
-  integrity sha512-64RBB++fIOAXPw3P9cy89qfMlvZEXZkqqJkjqqXIvzP5ezRZjW+lPWjw35UX/3EhUPFYbg5ER4JYgDw4007/DQ==
-  dependencies:
-    estraverse "^4.1.0"
-
-estraverse@^4.1.0, estraverse@^4.1.1:
-  version "4.2.0"
-  resolved "https://registry.yarnpkg.com/estraverse/-/estraverse-4.2.0.tgz#0dee3fed31fcd469618ce7342099fc1afa0bdb13"
-  integrity sha1-De4/7TH81GlhjOc0IJn8GvoL2xM=
-
-esutils@^2.0.2:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/esutils/-/esutils-2.0.2.tgz#0abf4f1caa5bcb1f7a9d8acc6dea4faaa04bac9b"
-  integrity sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=
-
-etag@^1.8.1, etag@~1.8.1:
-  version "1.8.1"
-  resolved "https://registry.yarnpkg.com/etag/-/etag-1.8.1.tgz#41ae2eeb65efa62268aebfea83ac7d79299b0887"
-  integrity sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=
-
-event-emitter@~0.3.5:
-  version "0.3.5"
-  resolved "https://registry.yarnpkg.com/event-emitter/-/event-emitter-0.3.5.tgz#df8c69eef1647923c7157b9ce83840610b02cc39"
-  integrity sha1-34xp7vFkeSPHFXuc6DhAYQsCzDk=
-  dependencies:
-    d "1"
-    es5-ext "~0.10.14"
-
-eventemitter3@1.x.x:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/eventemitter3/-/eventemitter3-1.2.0.tgz#1c86991d816ad1e504750e73874224ecf3bec508"
-  integrity sha1-HIaZHYFq0eUEdQ5zh0Ik7PO+xQg=
-
-events@^1.0.0:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/events/-/events-1.1.1.tgz#9ebdb7635ad099c70dcc4c2a1f5004288e8bd924"
-  integrity sha1-nr23Y1rQmccNzEwqH1AEKI6L2SQ=
-
-evp_bytestokey@^1.0.0, evp_bytestokey@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/evp_bytestokey/-/evp_bytestokey-1.0.3.tgz#7fcbdb198dc71959432efe13842684e0525acb02"
-  integrity sha512-/f2Go4TognH/KvCISP7OUsHn85hT9nUkxxA9BEWxFn+Oj9o8ZNLm/40hdlgSLyuOimsrTKLUMEorQexp/aPQeA==
-  dependencies:
-    md5.js "^1.3.4"
-    safe-buffer "^5.1.1"
-
-execa@^0.7.0:
-  version "0.7.0"
-  resolved "https://registry.yarnpkg.com/execa/-/execa-0.7.0.tgz#944becd34cc41ee32a63a9faf27ad5a65fc59777"
-  integrity sha1-lEvs00zEHuMqY6n68nrVpl/Fl3c=
-  dependencies:
-    cross-spawn "^5.0.1"
-    get-stream "^3.0.0"
-    is-stream "^1.1.0"
-    npm-run-path "^2.0.0"
-    p-finally "^1.0.0"
-    signal-exit "^3.0.0"
-    strip-eof "^1.0.0"
-
-expand-brackets@^0.1.4:
-  version "0.1.5"
-  resolved "https://registry.yarnpkg.com/expand-brackets/-/expand-brackets-0.1.5.tgz#df07284e342a807cd733ac5af72411e581d1177b"
-  integrity sha1-3wcoTjQqgHzXM6xa9yQR5YHRF3s=
-  dependencies:
-    is-posix-bracket "^0.1.0"
-
-expand-brackets@^2.1.4:
-  version "2.1.4"
-  resolved "https://registry.yarnpkg.com/expand-brackets/-/expand-brackets-2.1.4.tgz#b77735e315ce30f6b6eff0f83b04151a22449622"
-  integrity sha1-t3c14xXOMPa27/D4OwQVGiJEliI=
-  dependencies:
-    debug "^2.3.3"
-    define-property "^0.2.5"
-    extend-shallow "^2.0.1"
-    posix-character-classes "^0.1.0"
-    regex-not "^1.0.0"
-    snapdragon "^0.8.1"
-    to-regex "^3.0.1"
-
-expand-range@^1.8.1:
-  version "1.8.2"
-  resolved "https://registry.yarnpkg.com/expand-range/-/expand-range-1.8.2.tgz#a299effd335fe2721ebae8e257ec79644fc85337"
-  integrity sha1-opnv/TNf4nIeuujiV+x5ZE/IUzc=
-  dependencies:
-    fill-range "^2.1.0"
-
-express@^4.16.3:
-  version "4.16.3"
-  resolved "http://registry.npmjs.org/express/-/express-4.16.3.tgz#6af8a502350db3246ecc4becf6b5a34d22f7ed53"
-  integrity sha1-avilAjUNsyRuzEvs9rWjTSL37VM=
-  dependencies:
-    accepts "~1.3.5"
-    array-flatten "1.1.1"
-    body-parser "1.18.2"
-    content-disposition "0.5.2"
-    content-type "~1.0.4"
-    cookie "0.3.1"
-    cookie-signature "1.0.6"
-    debug "2.6.9"
-    depd "~1.1.2"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    finalhandler "1.1.1"
-    fresh "0.5.2"
-    merge-descriptors "1.0.1"
-    methods "~1.1.2"
-    on-finished "~2.3.0"
-    parseurl "~1.3.2"
-    path-to-regexp "0.1.7"
-    proxy-addr "~2.0.3"
-    qs "6.5.1"
-    range-parser "~1.2.0"
-    safe-buffer "5.1.1"
-    send "0.16.2"
-    serve-static "1.13.2"
-    setprototypeof "1.1.0"
-    statuses "~1.4.0"
-    type-is "~1.6.16"
-    utils-merge "1.0.1"
-    vary "~1.1.2"
-
-extend-shallow@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/extend-shallow/-/extend-shallow-2.0.1.tgz#51af7d614ad9a9f610ea1bafbb989d6b1c56890f"
-  integrity sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=
-  dependencies:
-    is-extendable "^0.1.0"
-
-extend-shallow@^3.0.0, extend-shallow@^3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/extend-shallow/-/extend-shallow-3.0.2.tgz#26a71aaf073b39fb2127172746131c2704028db8"
-  integrity sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=
-  dependencies:
-    assign-symbols "^1.0.0"
-    is-extendable "^1.0.1"
-
-extend@~3.0.1:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.1.tgz#a755ea7bc1adfcc5a31ce7e762dbaadc5e636444"
-  integrity sha1-p1Xqe8Gt/MWjHOfnYtuq3F5jZEQ=
-
-external-editor@^2.0.4:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/external-editor/-/external-editor-2.2.0.tgz#045511cfd8d133f3846673d1047c154e214ad3d5"
-  integrity sha512-bSn6gvGxKt+b7+6TKEv1ZycHleA7aHhRHyAqJyp5pbUFuYYNIzpZnQDk7AsYckyWdEnTeAnay0aCy2aV6iTk9A==
-  dependencies:
-    chardet "^0.4.0"
-    iconv-lite "^0.4.17"
-    tmp "^0.0.33"
-
-extglob@^0.3.1:
-  version "0.3.2"
-  resolved "https://registry.yarnpkg.com/extglob/-/extglob-0.3.2.tgz#2e18ff3d2f49ab2765cec9023f011daa8d8349a1"
-  integrity sha1-Lhj/PS9JqydlzskCPwEdqo2DSaE=
-  dependencies:
-    is-extglob "^1.0.0"
-
-extglob@^2.0.4:
-  version "2.0.4"
-  resolved "https://registry.yarnpkg.com/extglob/-/extglob-2.0.4.tgz#ad00fe4dc612a9232e8718711dc5cb5ab0285543"
-  integrity sha512-Nmb6QXkELsuBr24CJSkilo6UHHgbekK5UiZgfE6UHD3Eb27YC6oD+bhcT+tJ6cl8dmsgdQxnWlcry8ksBIBLpw==
-  dependencies:
-    array-unique "^0.3.2"
-    define-property "^1.0.0"
-    expand-brackets "^2.1.4"
-    extend-shallow "^2.0.1"
-    fragment-cache "^0.2.1"
-    regex-not "^1.0.0"
-    snapdragon "^0.8.1"
-    to-regex "^3.0.1"
-
-extsprintf@1.3.0:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/extsprintf/-/extsprintf-1.3.0.tgz#96918440e3041a7a414f8c52e3c574eb3c3e1e05"
-  integrity sha1-lpGEQOMEGnpBT4xS48V06zw+HgU=
-
-extsprintf@^1.2.0:
-  version "1.4.0"
-  resolved "https://registry.yarnpkg.com/extsprintf/-/extsprintf-1.4.0.tgz#e2689f8f356fad62cca65a3a91c5df5f9551692f"
-  integrity sha1-4mifjzVvrWLMplo6kcXfX5VRaS8=
-
-fast-deep-equal@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/fast-deep-equal/-/fast-deep-equal-1.1.0.tgz#c053477817c86b51daa853c81e059b733d023614"
-  integrity sha1-wFNHeBfIa1HaqFPIHgWbcz0CNhQ=
-
-fast-deep-equal@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz#7b05218ddf9667bf7f370bf7fdb2cb15fdd0aa49"
-  integrity sha1-ewUhjd+WZ79/Nwv3/bLLFf3Qqkk=
-
-fast-json-stable-stringify@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/fast-json-stable-stringify/-/fast-json-stable-stringify-2.0.0.tgz#d5142c0caee6b1189f87d3a76111064f86c8bbf2"
-  integrity sha1-1RQsDK7msRifh9OnYREGT4bIu/I=
-
-fbjs@^0.8.16:
-  version "0.8.16"
-  resolved "https://registry.yarnpkg.com/fbjs/-/fbjs-0.8.16.tgz#5e67432f550dc41b572bf55847b8aca64e5337db"
-  integrity sha1-XmdDL1UNxBtXK/VYR7ispk5TN9s=
-  dependencies:
-    core-js "^1.0.0"
-    isomorphic-fetch "^2.1.1"
-    loose-envify "^1.0.0"
-    object-assign "^4.1.0"
-    promise "^7.1.1"
-    setimmediate "^1.0.5"
-    ua-parser-js "^0.7.9"
-
-figures@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/figures/-/figures-2.0.0.tgz#3ab1a2d2a62c8bfb431a0c94cb797a2fce27c962"
-  integrity sha1-OrGi0qYsi/tDGgyUy3l6L84nyWI=
-  dependencies:
-    escape-string-regexp "^1.0.5"
-
-filename-regex@^2.0.0:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/filename-regex/-/filename-regex-2.0.1.tgz#c1c4b9bee3e09725ddb106b75c1e301fe2f18b26"
-  integrity sha1-wcS5vuPglyXdsQa3XB4wH+LxiyY=
-
-filesize@^3.6.1:
-  version "3.6.1"
-  resolved "https://registry.yarnpkg.com/filesize/-/filesize-3.6.1.tgz#090bb3ee01b6f801a8a8be99d31710b3422bb317"
-  integrity sha512-7KjR1vv6qnicaPMi1iiTcI85CyYwRO/PSFCu6SvqL8jN2Wjt/NIYQTFtFs7fSDCYOstUkEWIQGFUg5YZQfjlcg==
-
-filewrap@1.0.0, filewrap@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/filewrap/-/filewrap-1.0.0.tgz#a6e3cb380af3473da2edd9c9fb29afa88780ffe5"
-  integrity sha1-puPLOArzRz2i7dnJ+ymvqIeA/+U=
-
-fill-range@^2.1.0:
-  version "2.2.4"
-  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-2.2.4.tgz#eb1e773abb056dcd8df2bfdf6af59b8b3a936565"
-  integrity sha512-cnrcCbj01+j2gTG921VZPnHbjmdAf8oQV/iGeV2kZxGSyfYjjTyY79ErsK1WJWMpw6DaApEX72binqJE+/d+5Q==
-  dependencies:
-    is-number "^2.1.0"
-    isobject "^2.0.0"
-    randomatic "^3.0.0"
-    repeat-element "^1.1.2"
-    repeat-string "^1.5.2"
-
-fill-range@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-4.0.0.tgz#d544811d428f98eb06a63dc402d2403c328c38f7"
-  integrity sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=
-  dependencies:
-    extend-shallow "^2.0.1"
-    is-number "^3.0.0"
-    repeat-string "^1.6.1"
-    to-regex-range "^2.1.0"
-
-finalhandler@1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/finalhandler/-/finalhandler-1.1.0.tgz#ce0b6855b45853e791b2fcc680046d88253dd7f5"
-  integrity sha1-zgtoVbRYU+eRsvzGgARtiCU91/U=
-  dependencies:
-    debug "2.6.9"
-    encodeurl "~1.0.1"
-    escape-html "~1.0.3"
-    on-finished "~2.3.0"
-    parseurl "~1.3.2"
-    statuses "~1.3.1"
-    unpipe "~1.0.0"
-
-finalhandler@1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/finalhandler/-/finalhandler-1.1.1.tgz#eebf4ed840079c83f4249038c9d703008301b105"
-  integrity sha512-Y1GUDo39ez4aHAw7MysnUD5JzYX+WaIj8I57kO3aEPT1fFRL4sr7mjei97FgnwhAyyzRYmQZaTHb2+9uZ1dPtg==
-  dependencies:
-    debug "2.6.9"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    on-finished "~2.3.0"
-    parseurl "~1.3.2"
-    statuses "~1.4.0"
-    unpipe "~1.0.0"
-
-find-cache-dir@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/find-cache-dir/-/find-cache-dir-1.0.0.tgz#9288e3e9e3cc3748717d39eade17cf71fc30ee6f"
-  integrity sha1-kojj6ePMN0hxfTnq3hfPcfww7m8=
-  dependencies:
-    commondir "^1.0.1"
-    make-dir "^1.0.0"
-    pkg-dir "^2.0.0"
-
-find-root@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/find-root/-/find-root-1.1.0.tgz#abcfc8ba76f708c42a97b3d685b7e9450bfb9ce4"
-  integrity sha512-NKfW6bec6GfKc0SGx1e07QZY9PE99u0Bft/0rzSD5k3sO/vwkVUpDUKVm5Gpp5Ue3YfShPFTX2070tDs5kB9Ng==
-
-find-up@^1.0.0:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/find-up/-/find-up-1.1.2.tgz#6b2e9822b1a2ce0a60ab64d610eccad53cb24d0f"
-  integrity sha1-ay6YIrGizgpgq2TWEOzK1TyyTQ8=
-  dependencies:
-    path-exists "^2.0.0"
-    pinkie-promise "^2.0.0"
-
-find-up@^2.0.0, find-up@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/find-up/-/find-up-2.1.0.tgz#45d1b7e506c717ddd482775a2b77920a3c0c57a7"
-  integrity sha1-RdG35QbHF93UgndaK3eSCjwMV6c=
-  dependencies:
-    locate-path "^2.0.0"
-
-flatten@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/flatten/-/flatten-1.0.2.tgz#dae46a9d78fbe25292258cc1e780a41d95c03782"
-  integrity sha1-2uRqnXj74lKSJYzB54CkHZXAN4I=
-
-follow-redirects@^1.2.5:
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.5.0.tgz#234f49cf770b7f35b40e790f636ceba0c3a0ab77"
-  integrity sha512-fdrt472/9qQ6Kgjvb935ig6vJCuofpBUD14f9Vb+SLlm7xIe4Qva5gey8EKtv8lp7ahE1wilg3xL1znpVGtZIA==
-  dependencies:
-    debug "^3.1.0"
-
-for-in@^1.0.1, for-in@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/for-in/-/for-in-1.0.2.tgz#81068d295a8142ec0ac726c6e2200c30fb6d5e80"
-  integrity sha1-gQaNKVqBQuwKxybG4iAMMPttXoA=
-
-for-own@^0.1.4:
-  version "0.1.5"
-  resolved "https://registry.yarnpkg.com/for-own/-/for-own-0.1.5.tgz#5265c681a4f294dabbf17c9509b6763aa84510ce"
-  integrity sha1-UmXGgaTylNq78XyVCbZ2OqhFEM4=
-  dependencies:
-    for-in "^1.0.1"
-
-forever-agent@~0.6.1:
-  version "0.6.1"
-  resolved "https://registry.yarnpkg.com/forever-agent/-/forever-agent-0.6.1.tgz#fbc71f0c41adeb37f96c577ad1ed42d8fdacca91"
-  integrity sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=
-
-form-data@~2.3.1:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.3.2.tgz#4970498be604c20c005d4f5c23aecd21d6b49099"
-  integrity sha1-SXBJi+YEwgwAXU9cI67NIda0kJk=
-  dependencies:
-    asynckit "^0.4.0"
-    combined-stream "1.0.6"
-    mime-types "^2.1.12"
-
-forwarded@~0.1.2:
-  version "0.1.2"
-  resolved "https://registry.yarnpkg.com/forwarded/-/forwarded-0.1.2.tgz#98c23dab1175657b8c0573e8ceccd91b0ff18c84"
-  integrity sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ=
-
-fragment-cache@^0.2.1:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/fragment-cache/-/fragment-cache-0.2.1.tgz#4290fad27f13e89be7f33799c6bc5a0abfff0d19"
-  integrity sha1-QpD60n8T6Jvn8zeZxrxaCr//DRk=
-  dependencies:
-    map-cache "^0.2.2"
-
-fresh@0.5.2, fresh@^0.5.2:
-  version "0.5.2"
-  resolved "https://registry.yarnpkg.com/fresh/-/fresh-0.5.2.tgz#3d8cadd90d976569fa835ab1f8e4b23a105605a7"
-  integrity sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac=
-
-fs-extra@3.0.1:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-3.0.1.tgz#3794f378c58b342ea7dbbb23095109c4b3b62291"
-  integrity sha1-N5TzeMWLNC6n27sjCVEJxLO2IpE=
-  dependencies:
-    graceful-fs "^4.1.2"
-    jsonfile "^3.0.0"
-    universalify "^0.1.0"
-
-fs-minipass@^1.2.5:
-  version "1.2.5"
-  resolved "https://registry.yarnpkg.com/fs-minipass/-/fs-minipass-1.2.5.tgz#06c277218454ec288df77ada54a03b8702aacb9d"
-  integrity sha512-JhBl0skXjUPCFH7x6x61gQxrKyXsxB5gcgePLZCwfyCGGsTISMoIeObbrvVeP6Xmyaudw4TT43qV2Gz+iyd2oQ==
-  dependencies:
-    minipass "^2.2.1"
-
-fs.realpath@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/fs.realpath/-/fs.realpath-1.0.0.tgz#1504ad2523158caa40db4a2787cb01411994ea4f"
-  integrity sha1-FQStJSMVjKpA20onh8sBQRmU6k8=
-
-fsevents@^1.0.0, fsevents@^1.1.2:
-  version "1.2.4"
-  resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-1.2.4.tgz#f41dcb1af2582af3692da36fc55cbd8e1041c426"
-  integrity sha512-z8H8/diyk76B7q5wg+Ud0+CqzcAF3mBBI/bA5ne5zrRUUIvNkJY//D3BqyH571KuAC4Nr7Rw7CjWX4r0y9DvNg==
-  dependencies:
-    nan "^2.9.2"
-    node-pre-gyp "^0.10.0"
-
-function-bind@^1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.1.tgz#a56899d3ea3c9bab874bb9773b7c5ede92f4895d"
-  integrity sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==
-
-gather-stream@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/gather-stream/-/gather-stream-1.0.0.tgz#b33994af457a8115700d410f317733cbe7a0904b"
-  integrity sha1-szmUr0V6gRVwDUEPMXczy+egkEs=
-
-gauge@~2.7.3:
-  version "2.7.4"
-  resolved "https://registry.yarnpkg.com/gauge/-/gauge-2.7.4.tgz#2c03405c7538c39d7eb37b317022e325fb018bf7"
-  integrity sha1-LANAXHU4w51+s3sxcCLjJfsBi/c=
-  dependencies:
-    aproba "^1.0.3"
-    console-control-strings "^1.0.0"
-    has-unicode "^2.0.0"
-    object-assign "^4.1.0"
-    signal-exit "^3.0.0"
-    string-width "^1.0.1"
-    strip-ansi "^3.0.1"
-    wide-align "^1.1.0"
-
-get-caller-file@^1.0.1:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/get-caller-file/-/get-caller-file-1.0.2.tgz#f702e63127e7e231c160a80c1554acb70d5047e5"
-  integrity sha1-9wLmMSfn4jHBYKgMFVSstw1QR+U=
-
-get-stream@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/get-stream/-/get-stream-3.0.0.tgz#8e943d1358dc37555054ecbe2edb05aa174ede14"
-  integrity sha1-jpQ9E1jcN1VQVOy+LtsFqhdO3hQ=
-
-get-value@^2.0.3, get-value@^2.0.6:
-  version "2.0.6"
-  resolved "https://registry.yarnpkg.com/get-value/-/get-value-2.0.6.tgz#dc15ca1c672387ca76bd37ac0a395ba2042a2c28"
-  integrity sha1-3BXKHGcjh8p2vTesCjlbogQqLCg=
-
-getpass@^0.1.1:
-  version "0.1.7"
-  resolved "https://registry.yarnpkg.com/getpass/-/getpass-0.1.7.tgz#5eff8e3e684d569ae4cb2b1282604e8ba62149fa"
-  integrity sha1-Xv+OPmhNVprkyysSgmBOi6YhSfo=
-  dependencies:
-    assert-plus "^1.0.0"
-
-glob-base@^0.3.0:
-  version "0.3.0"
-  resolved "https://registry.yarnpkg.com/glob-base/-/glob-base-0.3.0.tgz#dbb164f6221b1c0b1ccf82aea328b497df0ea3c4"
-  integrity sha1-27Fk9iIbHAscz4Kuoyi0l98Oo8Q=
-  dependencies:
-    glob-parent "^2.0.0"
-    is-glob "^2.0.0"
-
-glob-parent@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/glob-parent/-/glob-parent-2.0.0.tgz#81383d72db054fcccf5336daa902f182f6edbb28"
-  integrity sha1-gTg9ctsFT8zPUzbaqQLxgvbtuyg=
-  dependencies:
-    is-glob "^2.0.0"
-
-glob-parent@^3.1.0:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/glob-parent/-/glob-parent-3.1.0.tgz#9e6af6299d8d3bd2bd40430832bd113df906c5ae"
-  integrity sha1-nmr2KZ2NO9K9QEMIMr0RPfkGxa4=
-  dependencies:
-    is-glob "^3.1.0"
-    path-dirname "^1.0.0"
-
-glob@^7.0.5, glob@^7.1.2:
-  version "7.1.2"
-  resolved "https://registry.yarnpkg.com/glob/-/glob-7.1.2.tgz#c19c9df9a028702d678612384a6552404c636d15"
-  integrity sha512-MJTUg1kjuLeQCJ+ccE4Vpa6kKVXkPYJ2mOCQyUuKLcLQsdrMCpBPUi8qVE6+YuaJkozeA9NusTAw3hLr8Xe5EQ==
-  dependencies:
-    fs.realpath "^1.0.0"
-    inflight "^1.0.4"
-    inherits "2"
-    minimatch "^3.0.4"
-    once "^1.3.0"
-    path-is-absolute "^1.0.0"
-
-globals@^9.18.0:
-  version "9.18.0"
-  resolved "https://registry.yarnpkg.com/globals/-/globals-9.18.0.tgz#aa3896b3e69b487f17e31ed2143d69a8e30c2d8a"
-  integrity sha512-S0nG3CLEQiY/ILxqtztTWH/3iRRdyBLw6KMDxnKMchrtbj2OFmehVh0WUCfW3DUrIgx/qFrJPICrq4Z4sTR9UQ==
-
-graceful-fs@^4.1.2, graceful-fs@^4.1.6:
-  version "4.1.11"
-  resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.1.11.tgz#0e8bdfe4d1ddb8854d64e04ea7c00e2a026e5658"
-  integrity sha1-Dovf5NHduIVNZOBOp8AOKgJuVlg=
-
-gzip-size@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/gzip-size/-/gzip-size-5.0.0.tgz#a55ecd99222f4c48fd8c01c625ce3b349d0a0e80"
-  integrity sha512-5iI7omclyqrnWw4XbXAmGhPsABkSIDQonv2K0h61lybgofWa6iZyvrI3r2zsJH4P8Nb64fFVzlvfhs0g7BBxAA==
-  dependencies:
-    duplexer "^0.1.1"
-    pify "^3.0.0"
-
-har-schema@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/har-schema/-/har-schema-2.0.0.tgz#a94c2224ebcac04782a0d9035521f24735b7ec92"
-  integrity sha1-qUwiJOvKwEeCoNkDVSHyRzW37JI=
-
-har-validator@~5.0.3:
-  version "5.0.3"
-  resolved "https://registry.yarnpkg.com/har-validator/-/har-validator-5.0.3.tgz#ba402c266194f15956ef15e0fcf242993f6a7dfd"
-  integrity sha1-ukAsJmGU8VlW7xXg/PJCmT9qff0=
-  dependencies:
-    ajv "^5.1.0"
-    har-schema "^2.0.0"
-
-has-ansi@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/has-ansi/-/has-ansi-2.0.0.tgz#34f5049ce1ecdf2b0649af3ef24e45ed35416d91"
-  integrity sha1-NPUEnOHs3ysGSa8+8k5F7TVBbZE=
-  dependencies:
-    ansi-regex "^2.0.0"
-
-has-binary2@~1.0.2:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/has-binary2/-/has-binary2-1.0.3.tgz#7776ac627f3ea77250cfc332dab7ddf5e4f5d11d"
-  integrity sha512-G1LWKhDSvhGeAQ8mPVQlqNcOB2sJdwATtZKl2pDKKHfpf/rYj24lkinxf69blJbnsvtqqNU+L3SL50vzZhXOnw==
-  dependencies:
-    isarray "2.0.1"
-
-has-cors@1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/has-cors/-/has-cors-1.1.0.tgz#5e474793f7ea9843d1bb99c23eef49ff126fff39"
-  integrity sha1-XkdHk/fqmEPRu5nCPu9J/xJv/zk=
-
-has-flag@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/has-flag/-/has-flag-1.0.0.tgz#9d9e793165ce017a00f00418c43f942a7b1d11fa"
-  integrity sha1-nZ55MWXOAXoA8AQYxD+UKnsdEfo=
-
-has-flag@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/has-flag/-/has-flag-2.0.0.tgz#e8207af1cc7b30d446cc70b734b5e8be18f88d51"
-  integrity sha1-6CB68cx7MNRGzHC3NLXovhj4jVE=
-
-has-flag@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/has-flag/-/has-flag-3.0.0.tgz#b5d454dc2199ae225699f3467e5a07f3b955bafd"
-  integrity sha1-tdRU3CGZriJWmfNGfloH87lVuv0=
-
-has-unicode@^2.0.0:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/has-unicode/-/has-unicode-2.0.1.tgz#e0e6fe6a28cf51138855e086d1691e771de2a8b9"
-  integrity sha1-4Ob+aijPUROIVeCG0Wkedx3iqLk=
-
-has-value@^0.3.1:
-  version "0.3.1"
-  resolved "https://registry.yarnpkg.com/has-value/-/has-value-0.3.1.tgz#7b1f58bada62ca827ec0a2078025654845995e1f"
-  integrity sha1-ex9YutpiyoJ+wKIHgCVlSEWZXh8=
-  dependencies:
-    get-value "^2.0.3"
-    has-values "^0.1.4"
-    isobject "^2.0.0"
-
-has-value@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/has-value/-/has-value-1.0.0.tgz#18b281da585b1c5c51def24c930ed29a0be6b177"
-  integrity sha1-GLKB2lhbHFxR3vJMkw7SmgvmsXc=
-  dependencies:
-    get-value "^2.0.6"
-    has-values "^1.0.0"
-    isobject "^3.0.0"
-
-has-values@^0.1.4:
-  version "0.1.4"
-  resolved "https://registry.yarnpkg.com/has-values/-/has-values-0.1.4.tgz#6d61de95d91dfca9b9a02089ad384bff8f62b771"
-  integrity sha1-bWHeldkd/Km5oCCJrThL/49it3E=
-
-has-values@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/has-values/-/has-values-1.0.0.tgz#95b0b63fec2146619a6fe57fe75628d5a39efe4f"
-  integrity sha1-lbC2P+whRmGab+V/51Yo1aOe/k8=
-  dependencies:
-    is-number "^3.0.0"
-    kind-of "^4.0.0"
-
-has@^1.0.1:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/has/-/has-1.0.3.tgz#722d7cbfc1f6aa8241f16dd814e011e1f41e8796"
-  integrity sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==
-  dependencies:
-    function-bind "^1.1.1"
-
-hash-base@^3.0.0:
-  version "3.0.4"
-  resolved "https://registry.yarnpkg.com/hash-base/-/hash-base-3.0.4.tgz#5fc8686847ecd73499403319a6b0a3f3f6ae4918"
-  integrity sha1-X8hoaEfs1zSZQDMZprCj8/auSRg=
-  dependencies:
-    inherits "^2.0.1"
-    safe-buffer "^5.0.1"
-
-hash.js@^1.0.0, hash.js@^1.0.3:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/hash.js/-/hash.js-1.1.3.tgz#340dedbe6290187151c1ea1d777a3448935df846"
-  integrity sha512-/UETyP0W22QILqS+6HowevwhEFJ3MBJnwTf75Qob9Wz9t0DPuisL8kW8YZMK62dHAKE1c1p+gY1TtOLY+USEHA==
-  dependencies:
-    inherits "^2.0.3"
-    minimalistic-assert "^1.0.0"
-
-hawk@~6.0.2:
-  version "6.0.2"
-  resolved "https://registry.yarnpkg.com/hawk/-/hawk-6.0.2.tgz#af4d914eb065f9b5ce4d9d11c1cb2126eecc3038"
-  integrity sha512-miowhl2+U7Qle4vdLqDdPt9m09K6yZhkLDTWGoUiUzrQCn+mHHSmfJgAyGaLRZbPmTqfFFjRV1QWCW0VWUJBbQ==
-  dependencies:
-    boom "4.x.x"
-    cryptiles "3.x.x"
-    hoek "4.x.x"
-    sntp "2.x.x"
-
-highlight.js@^9.15.10:
-  version "9.16.2"
-  resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-9.16.2.tgz#68368d039ffe1c6211bcc07e483daf95de3e403e"
-  integrity sha512-feMUrVLZvjy0oC7FVJQcSQRqbBq9kwqnYE4+Kj9ZjbHh3g+BisiPgF49NyQbVLNdrL/qqZr3Ca9yOKwgn2i/tw==
-
-hmac-drbg@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"
-  integrity sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=
-  dependencies:
-    hash.js "^1.0.3"
-    minimalistic-assert "^1.0.0"
-    minimalistic-crypto-utils "^1.0.1"
-
-hoek@4.x.x:
-  version "4.2.1"
-  resolved "https://registry.yarnpkg.com/hoek/-/hoek-4.2.1.tgz#9634502aa12c445dd5a7c5734b572bb8738aacbb"
-  integrity sha512-QLg82fGkfnJ/4iy1xZ81/9SIJiq1NGFUMGs6ParyjBZr6jW2Ufj/snDqTHixNlHdPNwN2RLVD0Pi3igeK9+JfA==
-
-home-or-tmp@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/home-or-tmp/-/home-or-tmp-2.0.0.tgz#e36c3f2d2cae7d746a857e38d18d5f32a7882db8"
-  integrity sha1-42w/LSyufXRqhX440Y1fMqeILbg=
-  dependencies:
-    os-homedir "^1.0.0"
-    os-tmpdir "^1.0.1"
-
-hoopy@^0.1.2:
-  version "0.1.4"
-  resolved "https://registry.yarnpkg.com/hoopy/-/hoopy-0.1.4.tgz#609207d661100033a9a9402ad3dea677381c1b1d"
-  integrity sha512-HRcs+2mr52W0K+x8RzcLzuPPmVIKMSv97RGHy0Ea9y/mpcaK+xTrjICA04KAHi4GRzxliNqNJEFYWHghy3rSfQ==
-
-hosted-git-info@^2.1.4:
-  version "2.6.0"
-  resolved "https://registry.yarnpkg.com/hosted-git-info/-/hosted-git-info-2.6.0.tgz#23235b29ab230c576aab0d4f13fc046b0b038222"
-  integrity sha512-lIbgIIQA3lz5XaB6vxakj6sDHADJiZadYEJB+FgA+C4nubM1NwcuvUr9EJPmnH1skZqpqUzWborWo8EIUi0Sdw==
-
-html-comment-regex@^1.1.0:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/html-comment-regex/-/html-comment-regex-1.1.1.tgz#668b93776eaae55ebde8f3ad464b307a4963625e"
-  integrity sha1-ZouTd26q5V696POtRkswekljYl4=
-
-http-errors@1.6.2:
-  version "1.6.2"
-  resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.6.2.tgz#0a002cc85707192a7e7946ceedc11155f60ec736"
-  integrity sha1-CgAsyFcHGSp+eUbO7cERVfYOxzY=
-  dependencies:
-    depd "1.1.1"
-    inherits "2.0.3"
-    setprototypeof "1.0.3"
-    statuses ">= 1.3.1 < 2"
-
-http-errors@1.6.3, http-errors@~1.6.2:
-  version "1.6.3"
-  resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.6.3.tgz#8b55680bb4be283a0b5bf4ea2e38580be1d9320d"
-  integrity sha1-i1VoC7S+KDoLW/TqLjhYC+HZMg0=
-  dependencies:
-    depd "~1.1.2"
-    inherits "2.0.3"
-    setprototypeof "1.1.0"
-    statuses ">= 1.4.0 < 2"
-
-http-proxy@1.15.2:
-  version "1.15.2"
-  resolved "https://registry.yarnpkg.com/http-proxy/-/http-proxy-1.15.2.tgz#642fdcaffe52d3448d2bda3b0079e9409064da31"
-  integrity sha1-ZC/cr/5S00SNK9o7AHnpQJBk2jE=
-  dependencies:
-    eventemitter3 "1.x.x"
-    requires-port "1.x.x"
-
-http-signature@~1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/http-signature/-/http-signature-1.2.0.tgz#9aecd925114772f3d95b65a60abb8f7c18fbace1"
-  integrity sha1-muzZJRFHcvPZW2WmCruPfBj7rOE=
-  dependencies:
-    assert-plus "^1.0.0"
-    jsprim "^1.2.2"
-    sshpk "^1.7.0"
-
-https-browserify@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/https-browserify/-/https-browserify-1.0.0.tgz#ec06c10e0a34c0f2faf199f7fd7fc78fffd03c73"
-  integrity sha1-7AbBDgo0wPL68Zn3/X/Hj//QPHM=
-
-hygienist-middleware@^0.1.3:
-  version "0.1.3"
-  resolved "https://registry.yarnpkg.com/hygienist-middleware/-/hygienist-middleware-0.1.3.tgz#42bdb5ccdc137e95c55a0d031423d2f5a46cdc7e"
-  integrity sha1-Qr21zNwTfpXFWg0DFCPS9aRs3H4=
-  dependencies:
-    minimatch "3.0.3"
-
-iconv-lite@0.4.19:
-  version "0.4.19"
-  resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.19.tgz#f7468f60135f5e5dad3399c0a81be9a1603a082b"
-  integrity sha512-oTZqweIP51xaGPI4uPa56/Pri/480R+mo7SeU+YETByQNhDG55ycFyNLIgta9vXhILrxXDmF7ZGhqZIcuN0gJQ==
-
-iconv-lite@0.4.23, iconv-lite@^0.4.17, iconv-lite@^0.4.4, iconv-lite@~0.4.13:
-  version "0.4.23"
-  resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.23.tgz#297871f63be507adcfbfca715d0cd0eed84e9a63"
-  integrity sha512-neyTUVFtahjf0mB3dZT77u+8O0QB89jFdnBkd5P1JgYPbPaia3gXXOVL2fq8VyU2gMMD7SaN7QukTB/pmXYvDA==
-  dependencies:
-    safer-buffer ">= 2.1.2 < 3"
-
-ieee754@^1.1.4:
-  version "1.1.11"
-  resolved "https://registry.yarnpkg.com/ieee754/-/ieee754-1.1.11.tgz#c16384ffe00f5b7835824e67b6f2bd44a5229455"
-  integrity sha512-VhDzCKN7K8ufStx/CLj5/PDTMgph+qwN5Pkd5i0sGnVwk56zJ0lkT8Qzi1xqWLS0Wp29DgDtNeS7v8/wMoZeHg==
-
-ignore-walk@^3.0.1:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/ignore-walk/-/ignore-walk-3.0.1.tgz#a83e62e7d272ac0e3b551aaa82831a19b69f82f8"
-  integrity sha512-DTVlMx3IYPe0/JJcYP7Gxg7ttZZu3IInhuEhbchuqneY9wWe5Ojy2mXLBaQFUQmo0AW2r3qG7m1mg86js+gnlQ==
-  dependencies:
-    minimatch "^3.0.4"
-
-immutability-helper@^2.1.2:
-  version "2.7.0"
-  resolved "https://registry.yarnpkg.com/immutability-helper/-/immutability-helper-2.7.0.tgz#4ea9916cc8f45142ec3e3f0fce75fa5d66fa1b38"
-  integrity sha512-8GODapwCoeBIoBkaldNiaJwfD6Hgp5TL4SrOl6jDip5JLmcnlfVlLEC6MRqa1WzFiwZ6xq6GC0AaBtoboDvkyQ==
-  dependencies:
-    invariant "^2.2.0"
-
-immutable@3.8.2, immutable@^3.7.6:
-  version "3.8.2"
-  resolved "https://registry.yarnpkg.com/immutable/-/immutable-3.8.2.tgz#c2439951455bb39913daf281376f1530e104adf3"
-  integrity sha1-wkOZUUVbs5kT2vKBN28VMOEErfM=
-
-import-cwd@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/import-cwd/-/import-cwd-2.1.0.tgz#aa6cf36e722761285cb371ec6519f53e2435b0a9"
-  integrity sha1-qmzzbnInYShcs3HsZRn1PiQ1sKk=
-  dependencies:
-    import-from "^2.1.0"
-
-import-from@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/import-from/-/import-from-2.1.0.tgz#335db7f2a7affd53aaa471d4b8021dee36b7f3b1"
-  integrity sha1-M1238qev/VOqpHHUuAId7ja387E=
-  dependencies:
-    resolve-from "^3.0.0"
-
-indexes-of@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/indexes-of/-/indexes-of-1.0.1.tgz#f30f716c8e2bd346c7b67d3df3915566a7c05607"
-  integrity sha1-8w9xbI4r00bHtn0985FVZqfAVgc=
-
-indexof@0.0.1:
-  version "0.0.1"
-  resolved "https://registry.yarnpkg.com/indexof/-/indexof-0.0.1.tgz#82dc336d232b9062179d05ab3293a66059fd435d"
-  integrity sha1-gtwzbSMrkGIXnQWrMpOmYFn9Q10=
-
-inflight@^1.0.4:
-  version "1.0.6"
-  resolved "https://registry.yarnpkg.com/inflight/-/inflight-1.0.6.tgz#49bd6331d7d02d0c09bc910a1075ba8165b56df9"
-  integrity sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=
-  dependencies:
-    once "^1.3.0"
-    wrappy "1"
-
-inherits@2, inherits@2.0.3, inherits@^2.0.1, inherits@^2.0.3, inherits@~2.0.1, inherits@~2.0.3:
-  version "2.0.3"
-  resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.3.tgz#633c2c83e3da42a502f52466022480f4208261de"
-  integrity sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=
-
-inherits@2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.1.tgz#b17d08d326b4423e568eff719f91b0b1cbdf69f1"
-  integrity sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE=
-
-ini@~1.3.0:
-  version "1.3.5"
-  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
-  integrity sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==
-
-inquirer@^3.2.1:
-  version "3.3.0"
-  resolved "https://registry.yarnpkg.com/inquirer/-/inquirer-3.3.0.tgz#9dd2f2ad765dcab1ff0443b491442a20ba227dc9"
-  integrity sha512-h+xtnyk4EwKvFWHrUYsWErEVR+igKtLdchu+o0Z1RL7VU/jVMFbYir2bp6bAj8efFNxWqHX0dIss6fJQ+/+qeQ==
-  dependencies:
-    ansi-escapes "^3.0.0"
-    chalk "^2.0.0"
-    cli-cursor "^2.1.0"
-    cli-width "^2.0.0"
-    external-editor "^2.0.4"
-    figures "^2.0.0"
-    lodash "^4.3.0"
-    mute-stream "0.0.7"
-    run-async "^2.2.0"
-    rx-lite "^4.0.8"
-    rx-lite-aggregates "^4.0.8"
-    string-width "^2.1.0"
-    strip-ansi "^4.0.0"
-    through "^2.3.6"
-
-interpret@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/interpret/-/interpret-1.1.0.tgz#7ed1b1410c6a0e0f78cf95d3b8440c63f78b8614"
-  integrity sha1-ftGxQQxqDg94z5XTuEQMY/eLhhQ=
-
-invariant@^2.2.0, invariant@^2.2.2:
-  version "2.2.4"
-  resolved "https://registry.yarnpkg.com/invariant/-/invariant-2.2.4.tgz#610f3c92c9359ce1db616e538008d23ff35158e6"
-  integrity sha512-phJfQVBuaJM5raOpJjSfkiD6BpbCE4Ns//LaXl6wGYtUBY83nWS6Rf9tXm2e8VaK60JEjYldbPif/A2B1C2gNA==
-  dependencies:
-    loose-envify "^1.0.0"
-
-invert-kv@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/invert-kv/-/invert-kv-1.0.0.tgz#104a8e4aaca6d3d8cd157a8ef8bfab2d7a3ffdb6"
-  integrity sha1-EEqOSqym09jNFXqO+L+rLXo//bY=
-
-ipaddr.js@1.6.0:
-  version "1.6.0"
-  resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-1.6.0.tgz#e3fa357b773da619f26e95f049d055c72796f86b"
-  integrity sha1-4/o1e3c9phnybpXwSdBVxyeW+Gs=
-
-is-absolute-url@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/is-absolute-url/-/is-absolute-url-2.1.0.tgz#50530dfb84fcc9aa7dbe7852e83a37b93b9f2aa6"
-  integrity sha1-UFMN+4T8yap9vnhS6Do3uTufKqY=
-
-is-accessor-descriptor@^0.1.6:
-  version "0.1.6"
-  resolved "https://registry.yarnpkg.com/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz#a9e12cb3ae8d876727eeef3843f8a0897b5c98d6"
-  integrity sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=
-  dependencies:
-    kind-of "^3.0.2"
-
-is-accessor-descriptor@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz#169c2f6d3df1f992618072365c9b0ea1f6878656"
-  integrity sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==
-  dependencies:
-    kind-of "^6.0.0"
-
-is-arrayish@^0.2.1:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/is-arrayish/-/is-arrayish-0.2.1.tgz#77c99840527aa8ecb1a8ba697b80645a7a926a9d"
-  integrity sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0=
-
-is-arrayish@^0.3.1:
-  version "0.3.1"
-  resolved "https://registry.yarnpkg.com/is-arrayish/-/is-arrayish-0.3.1.tgz#c2dfc386abaa0c3e33c48db3fe87059e69065efd"
-  integrity sha1-wt/DhquqDD4zxI2z/ocFnmkGXv0=
-
-is-binary-path@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/is-binary-path/-/is-binary-path-1.0.1.tgz#75f16642b480f187a711c814161fd3a4a7655898"
-  integrity sha1-dfFmQrSA8YenEcgUFh/TpKdlWJg=
-  dependencies:
-    binary-extensions "^1.0.0"
-
-is-binary-path@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/is-binary-path/-/is-binary-path-2.0.0.tgz#0e61cea6974b24dda8bcc8366ce58a69265d1a36"
-  integrity sha1-DmHOppdLJN2ovMg2bOWKaSZdGjY=
-  dependencies:
-    binary-extensions "^1.0.0"
-
-is-buffer@^1.1.5:
-  version "1.1.6"
-  resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-1.1.6.tgz#efaa2ea9daa0d7ab2ea13a97b2b8ad51fefbe8be"
-  integrity sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==
-
-is-builtin-module@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/is-builtin-module/-/is-builtin-module-1.0.0.tgz#540572d34f7ac3119f8f76c30cbc1b1e037affbe"
-  integrity sha1-VAVy0096wxGfj3bDDLwbHgN6/74=
-  dependencies:
-    builtin-modules "^1.0.0"
-
-is-data-descriptor@^0.1.4:
-  version "0.1.4"
-  resolved "https://registry.yarnpkg.com/is-data-descriptor/-/is-data-descriptor-0.1.4.tgz#0b5ee648388e2c860282e793f1856fec3f301b56"
-  integrity sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=
-  dependencies:
-    kind-of "^3.0.2"
-
-is-data-descriptor@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz#d84876321d0e7add03990406abbbbd36ba9268c7"
-  integrity sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==
-  dependencies:
-    kind-of "^6.0.0"
-
-is-descriptor@^0.1.0:
-  version "0.1.6"
-  resolved "https://registry.yarnpkg.com/is-descriptor/-/is-descriptor-0.1.6.tgz#366d8240dde487ca51823b1ab9f07a10a78251ca"
-  integrity sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==
-  dependencies:
-    is-accessor-descriptor "^0.1.6"
-    is-data-descriptor "^0.1.4"
-    kind-of "^5.0.0"
-
-is-descriptor@^1.0.0, is-descriptor@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/is-descriptor/-/is-descriptor-1.0.2.tgz#3b159746a66604b04f8c81524ba365c5f14d86ec"
-  integrity sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==
-  dependencies:
-    is-accessor-descriptor "^1.0.0"
-    is-data-descriptor "^1.0.0"
-    kind-of "^6.0.2"
-
-is-directory@^0.3.1:
-  version "0.3.1"
-  resolved "https://registry.yarnpkg.com/is-directory/-/is-directory-0.3.1.tgz#61339b6f2475fc772fd9c9d83f5c8575dc154ae1"
-  integrity sha1-YTObbyR1/Hcv2cnYP1yFddwVSuE=
-
-is-dotfile@^1.0.0:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/is-dotfile/-/is-dotfile-1.0.3.tgz#a6a2f32ffd2dfb04f5ca25ecd0f6b83cf798a1e1"
-  integrity sha1-pqLzL/0t+wT1yiXs0Pa4PPeYoeE=
-
-is-equal-shallow@^0.1.3:
-  version "0.1.3"
-  resolved "https://registry.yarnpkg.com/is-equal-shallow/-/is-equal-shallow-0.1.3.tgz#2238098fc221de0bcfa5d9eac4c45d638aa1c534"
-  integrity sha1-IjgJj8Ih3gvPpdnqxMRdY4qhxTQ=
-  dependencies:
-    is-primitive "^2.0.0"
-
-is-extendable@^0.1.0, is-extendable@^0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/is-extendable/-/is-extendable-0.1.1.tgz#62b110e289a471418e3ec36a617d472e301dfc89"
-  integrity sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=
-
-is-extendable@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/is-extendable/-/is-extendable-1.0.1.tgz#a7470f9e426733d81bd81e1155264e3a3507cab4"
-  integrity sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==
-  dependencies:
-    is-plain-object "^2.0.4"
-
-is-extglob@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/is-extglob/-/is-extglob-1.0.0.tgz#ac468177c4943405a092fc8f29760c6ffc6206c0"
-  integrity sha1-rEaBd8SUNAWgkvyPKXYMb/xiBsA=
-
-is-extglob@^2.1.0, is-extglob@^2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/is-extglob/-/is-extglob-2.1.1.tgz#a88c02535791f02ed37c76a1b9ea9773c833f8c2"
-  integrity sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=
-
-is-finite@^1.0.0:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/is-finite/-/is-finite-1.0.2.tgz#cc6677695602be550ef11e8b4aa6305342b6d0aa"
-  integrity sha1-zGZ3aVYCvlUO8R6LSqYwU0K20Ko=
-  dependencies:
-    number-is-nan "^1.0.0"
-
-is-fullwidth-code-point@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz#ef9e31386f031a7f0d643af82fde50c457ef00cb"
-  integrity sha1-754xOG8DGn8NZDr4L95QxFfvAMs=
-  dependencies:
-    number-is-nan "^1.0.0"
-
-is-fullwidth-code-point@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/is-fullwidth-code-point/-/is-fullwidth-code-point-2.0.0.tgz#a3b30a5c4f199183167aaab93beefae3ddfb654f"
-  integrity sha1-o7MKXE8ZkYMWeqq5O+764937ZU8=
-
-is-glob@^2.0.0, is-glob@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/is-glob/-/is-glob-2.0.1.tgz#d096f926a3ded5600f3fdfd91198cb0888c2d863"
-  integrity sha1-0Jb5JqPe1WAPP9/ZEZjLCIjC2GM=
-  dependencies:
-    is-extglob "^1.0.0"
-
-is-glob@^3.1.0:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/is-glob/-/is-glob-3.1.0.tgz#7ba5ae24217804ac70707b96922567486cc3e84a"
-  integrity sha1-e6WuJCF4BKxwcHuWkiVnSGzD6Eo=
-  dependencies:
-    is-extglob "^2.1.0"
-
-is-glob@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/is-glob/-/is-glob-4.0.0.tgz#9521c76845cc2610a85203ddf080a958c2ffabc0"
-  integrity sha1-lSHHaEXMJhCoUgPd8ICpWML/q8A=
-  dependencies:
-    is-extglob "^2.1.1"
-
-is-number-like@^1.0.3:
-  version "1.0.8"
-  resolved "https://registry.yarnpkg.com/is-number-like/-/is-number-like-1.0.8.tgz#2e129620b50891042e44e9bbbb30593e75cfbbe3"
-  integrity sha512-6rZi3ezCyFcn5L71ywzz2bS5b2Igl1En3eTlZlvKjpz1n3IZLAYMbKYAIQgFmEu0GENg92ziU/faEOA/aixjbA==
-  dependencies:
-    lodash.isfinite "^3.3.2"
-
-is-number@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/is-number/-/is-number-2.1.0.tgz#01fcbbb393463a548f2f466cce16dece49db908f"
-  integrity sha1-Afy7s5NGOlSPL0ZszhbezknbkI8=
-  dependencies:
-    kind-of "^3.0.2"
-
-is-number@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/is-number/-/is-number-3.0.0.tgz#24fd6201a4782cf50561c810276afc7d12d71195"
-  integrity sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=
-  dependencies:
-    kind-of "^3.0.2"
-
-is-number@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/is-number/-/is-number-4.0.0.tgz#0026e37f5454d73e356dfe6564699867c6a7f0ff"
-  integrity sha512-rSklcAIlf1OmFdyAqbnWTLVelsQ58uvZ66S/ZyawjWqIviTWCjg2PzVGw8WUA+nNuPTqb4wgA+NszrJ+08LlgQ==
-
-is-odd@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/is-odd/-/is-odd-2.0.0.tgz#7646624671fd7ea558ccd9a2795182f2958f1b24"
-  integrity sha512-OTiixgpZAT1M4NHgS5IguFp/Vz2VI3U7Goh4/HA1adtwyLtSBrxYlcSYkhpAE07s4fKEcjrFxyvtQBND4vFQyQ==
-  dependencies:
-    is-number "^4.0.0"
-
-is-plain-obj@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/is-plain-obj/-/is-plain-obj-1.1.0.tgz#71a50c8429dfca773c92a390a4a03b39fcd51d3e"
-  integrity sha1-caUMhCnfync8kqOQpKA7OfzVHT4=
-
-is-plain-object@^2.0.1, is-plain-object@^2.0.3, is-plain-object@^2.0.4:
-  version "2.0.4"
-  resolved "https://registry.yarnpkg.com/is-plain-object/-/is-plain-object-2.0.4.tgz#2c163b3fafb1b606d9d17928f05c2a1c38e07677"
-  integrity sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==
-  dependencies:
-    isobject "^3.0.1"
-
-is-posix-bracket@^0.1.0:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/is-posix-bracket/-/is-posix-bracket-0.1.1.tgz#3334dc79774368e92f016e6fbc0a88f5cd6e6bc4"
-  integrity sha1-MzTceXdDaOkvAW5vvAqI9c1ua8Q=
-
-is-primitive@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/is-primitive/-/is-primitive-2.0.0.tgz#207bab91638499c07b2adf240a41a87210034575"
-  integrity sha1-IHurkWOEmcB7Kt8kCkGochADRXU=
-
-is-promise@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/is-promise/-/is-promise-2.1.0.tgz#79a2a9ece7f096e80f36d2b2f3bc16c1ff4bf3fa"
-  integrity sha1-eaKp7OfwlugPNtKy87wWwf9L8/o=
-
-is-stream@^1.0.1, is-stream@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-1.1.0.tgz#12d4a3dd4e68e0b79ceb8dbc84173ae80d91ca44"
-  integrity sha1-EtSj3U5o4Lec6428hBc66A2RykQ=
-
-is-svg@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/is-svg/-/is-svg-2.1.0.tgz#cf61090da0d9efbcab8722deba6f032208dbb0e9"
-  integrity sha1-z2EJDaDZ77yrhyLeum8DIgjbsOk=
-  dependencies:
-    html-comment-regex "^1.1.0"
-
-is-typedarray@~1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/is-typedarray/-/is-typedarray-1.0.0.tgz#e479c80858df0c1b11ddda6940f96011fcda4a9a"
-  integrity sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=
-
-is-utf8@^0.2.0:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/is-utf8/-/is-utf8-0.2.1.tgz#4b0da1442104d1b336340e80797e865cf39f7d72"
-  integrity sha1-Sw2hRCEE0bM2NA6AeX6GXPOffXI=
-
-is-windows@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/is-windows/-/is-windows-1.0.2.tgz#d1850eb9791ecd18e6182ce12a30f396634bb19d"
-  integrity sha512-eXK1UInq2bPmjyX6e3VHIzMLobc4J94i4AWn+Hpq3OU5KkrRC96OAcR3PRJ/pGu6m8TRnBHP9dkXQVsT/COVIA==
-
-is-wsl@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/is-wsl/-/is-wsl-1.1.0.tgz#1f16e4aa22b04d1336b66188a66af3c600c3a66d"
-  integrity sha1-HxbkqiKwTRM2tmGIpmrzxgDDpm0=
-
-isarray@1.0.0, isarray@^1.0.0, isarray@~1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/isarray/-/isarray-1.0.0.tgz#bb935d48582cba168c06834957a54a3e07124f11"
-  integrity sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=
-
-isarray@2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/isarray/-/isarray-2.0.1.tgz#a37d94ed9cda2d59865c9f76fe596ee1f338741e"
-  integrity sha1-o32U7ZzaLVmGXJ92/llu4fM4dB4=
-
-isbinaryfile@^3.0.0:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/isbinaryfile/-/isbinaryfile-3.0.2.tgz#4a3e974ec0cba9004d3fc6cde7209ea69368a621"
-  integrity sha1-Sj6XTsDLqQBNP8bN5yCeppNopiE=
-
-isemail@2.x.x:
-  version "2.2.1"
-  resolved "https://registry.yarnpkg.com/isemail/-/isemail-2.2.1.tgz#0353d3d9a62951080c262c2aa0a42b8ea8e9e2a6"
-  integrity sha1-A1PT2aYpUQgMJiwqoKQrjqjp4qY=
-
-isemail@3.x.x:
-  version "3.1.2"
-  resolved "https://registry.yarnpkg.com/isemail/-/isemail-3.1.2.tgz#937cf919002077999a73ea8b1951d590e84e01dd"
-  integrity sha512-zfRhJn9rFSGhzU5tGZqepRSAj3+g6oTOHxMGGriWNJZzyLPUK8H7VHpqKntegnW8KLyGA9zwuNaCoopl40LTpg==
-  dependencies:
-    punycode "2.x.x"
-
-isexe@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/isexe/-/isexe-2.0.0.tgz#e8fbf374dc556ff8947a10dcb0572d633f2cfa10"
-  integrity sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=
-
-isnumeric@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/isnumeric/-/isnumeric-0.2.0.tgz#a2347ba360de19e33d0ffd590fddf7755cbf2e64"
-  integrity sha1-ojR7o2DeGeM9D/1ZD933dVy/LmQ=
-
-isobject@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/isobject/-/isobject-2.1.0.tgz#f065561096a3f1da2ef46272f815c840d87e0c89"
-  integrity sha1-8GVWEJaj8dou9GJy+BXIQNh+DIk=
-  dependencies:
-    isarray "1.0.0"
-
-isobject@^3.0.0, isobject@^3.0.1:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/isobject/-/isobject-3.0.1.tgz#4e431e92b11a9731636aa1f9c8d1ccbcfdab78df"
-  integrity sha1-TkMekrEalzFjaqH5yNHMvP2reN8=
-
-isomorphic-fetch@^2.1.1, isomorphic-fetch@^2.2.1:
-  version "2.2.1"
-  resolved "https://registry.yarnpkg.com/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz#611ae1acf14f5e81f729507472819fe9733558a9"
-  integrity sha1-YRrhrPFPXoH3KVB0coGf6XM1WKk=
-  dependencies:
-    node-fetch "^1.0.1"
-    whatwg-fetch ">=0.10.0"
-
-isstream@~0.1.2:
-  version "0.1.2"
-  resolved "https://registry.yarnpkg.com/isstream/-/isstream-0.1.2.tgz#47e63f7af55afa6f92e1500e690eb8b8529c099a"
-  integrity sha1-R+Y/evVa+m+S4VAOaQ64uFKcCZo=
-
-items@2.x.x:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/items/-/items-2.1.1.tgz#8bd16d9c83b19529de5aea321acaada78364a198"
-  integrity sha1-i9FtnIOxlSneWuoyGsqtp4NkoZg=
-
-joi@^10.0.0:
-  version "10.6.0"
-  resolved "https://registry.yarnpkg.com/joi/-/joi-10.6.0.tgz#52587f02d52b8b75cdb0c74f0b164a191a0e1fc2"
-  integrity sha512-hBF3LcqyAid+9X/pwg+eXjD2QBZI5eXnBFJYaAkH4SK3mp9QSRiiQnDYlmlz5pccMvnLcJRS4whhDOTCkmsAdQ==
-  dependencies:
-    hoek "4.x.x"
-    isemail "2.x.x"
-    items "2.x.x"
-    topo "2.x.x"
-
-joi@^12.0.0:
-  version "12.0.0"
-  resolved "https://registry.yarnpkg.com/joi/-/joi-12.0.0.tgz#46f55e68f4d9628f01bbb695902c8b307ad8d33a"
-  integrity sha512-z0FNlV4NGgjQN1fdtHYXf5kmgludM65fG/JlXzU6+rwkt9U5UWuXVYnXa2FpK0u6+qBuCmrm5byPNuiiddAHvQ==
-  dependencies:
-    hoek "4.x.x"
-    isemail "3.x.x"
-    topo "2.x.x"
-
-js-base64@^2.1.9:
-  version "2.4.5"
-  resolved "https://registry.yarnpkg.com/js-base64/-/js-base64-2.4.5.tgz#e293cd3c7c82f070d700fc7a1ca0a2e69f101f92"
-  integrity sha512-aUnNwqMOXw3yvErjMPSQu6qIIzUmT1e5KcU1OZxRDU1g/am6mzBvcrmLAYwzmB59BHPrh5/tKaiF4OPhqRWESQ==
-
-js-cookie@^2.2.0:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/js-cookie/-/js-cookie-2.2.0.tgz#1b2c279a6eece380a12168b92485265b35b1effb"
-  integrity sha1-Gywnmm7s44ChIWi5JIUmWzWx7/s=
-
-js-tokens@^3.0.0, js-tokens@^3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/js-tokens/-/js-tokens-3.0.2.tgz#9866df395102130e38f7f996bceb65443209c25b"
-  integrity sha1-mGbfOVECEw449/mWvOtlRDIJwls=
-
-js-yaml@^3.4.5, js-yaml@^3.9.0:
-  version "3.12.0"
-  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.12.0.tgz#eaed656ec8344f10f527c6bfa1b6e2244de167d1"
-  integrity sha512-PIt2cnwmPfL4hKNwqeiuz4bKfnzHTBv6HyVgjahA6mPLwPDzjDWrplJBMjHUFxku/N3FlmrbyPclad+I+4mJ3A==
-  dependencies:
-    argparse "^1.0.7"
-    esprima "^4.0.0"
-
-js-yaml@~3.7.0:
-  version "3.7.0"
-  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.7.0.tgz#5c967ddd837a9bfdca5f2de84253abe8a1c03b80"
-  integrity sha1-XJZ93YN6m/3KXy3oQlOr6KHAO4A=
-  dependencies:
-    argparse "^1.0.7"
-    esprima "^2.6.0"
-
-jsbn@~0.1.0:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/jsbn/-/jsbn-0.1.1.tgz#a5e654c2e5a2deb5f201d96cefbca80c0ef2f513"
-  integrity sha1-peZUwuWi3rXyAdls77yoDA7y9RM=
-
-jsesc@^1.3.0:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/jsesc/-/jsesc-1.3.0.tgz#46c3fec8c1892b12b0833db9bc7622176dbab34b"
-  integrity sha1-RsP+yMGJKxKwgz25vHYiF226s0s=
-
-jsesc@~0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/jsesc/-/jsesc-0.5.0.tgz#e7dee66e35d6fc16f710fe91d5cf69f70f08911d"
-  integrity sha1-597mbjXW/Bb3EP6R1c9p9w8IkR0=
-
-json-loader@^0.5.4:
-  version "0.5.7"
-  resolved "https://registry.yarnpkg.com/json-loader/-/json-loader-0.5.7.tgz#dca14a70235ff82f0ac9a3abeb60d337a365185d"
-  integrity sha512-QLPs8Dj7lnf3e3QYS1zkCo+4ZwqOiF9d/nZnYozTISxXWCfNs9yuky5rJw4/W34s7POaNlbZmQGaB5NiXCbP4w==
-
-json-parse-better-errors@^1.0.1:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/json-parse-better-errors/-/json-parse-better-errors-1.0.2.tgz#bb867cfb3450e69107c131d1c514bab3dc8bcaa9"
-  integrity sha512-mrqyZKfX5EhL7hvqcV6WG1yYjnjeuYDzDhhcAAUrq8Po85NBQBJP+ZDUT75qZQ98IkUoBqdkExkukOU7Ts2wrw==
-
-json-schema-traverse@^0.3.0:
-  version "0.3.1"
-  resolved "https://registry.yarnpkg.com/json-schema-traverse/-/json-schema-traverse-0.3.1.tgz#349a6d44c53a51de89b40805c5d5e59b417d3340"
-  integrity sha1-NJptRMU6Ud6JtAgFxdXlm0F9M0A=
-
-json-schema@0.2.3:
-  version "0.2.3"
-  resolved "https://registry.yarnpkg.com/json-schema/-/json-schema-0.2.3.tgz#b480c892e59a2f05954ce727bd3f2a4e882f9e13"
-  integrity sha1-tIDIkuWaLwWVTOcnvT8qTogvnhM=
-
-json-stringify-safe@~5.0.1:
-  version "5.0.1"
-  resolved "https://registry.yarnpkg.com/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz#1296a2d58fd45f19a0f6ce01d65701e2c735b6eb"
-  integrity sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus=
-
-json5@^0.5.0, json5@^0.5.1:
-  version "0.5.1"
-  resolved "https://registry.yarnpkg.com/json5/-/json5-0.5.1.tgz#1eade7acc012034ad84e2396767ead9fa5495821"
-  integrity sha1-Hq3nrMASA0rYTiOWdn6tn6VJWCE=
-
-jsonfile@^3.0.0:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/jsonfile/-/jsonfile-3.0.1.tgz#a5ecc6f65f53f662c4415c7675a0331d0992ec66"
-  integrity sha1-pezG9l9T9mLEQVx2daAzHQmS7GY=
-  optionalDependencies:
-    graceful-fs "^4.1.6"
-
-jsprim@^1.2.2:
-  version "1.4.1"
-  resolved "https://registry.yarnpkg.com/jsprim/-/jsprim-1.4.1.tgz#313e66bc1e5cc06e438bc1b7499c2e5c56acb6a2"
-  integrity sha1-MT5mvB5cwG5Di8G3SZwuXFastqI=
-  dependencies:
-    assert-plus "1.0.0"
-    extsprintf "1.3.0"
-    json-schema "0.2.3"
-    verror "1.10.0"
-
-jstz@^2.0.0:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/jstz/-/jstz-2.1.1.tgz#fff3373a518fa7cce69299930466f5a2b980389d"
-  integrity sha512-8hfl5RD6P7rEeIbzStBz3h4f+BQHfq/ABtoU6gXKQv5OcZhnmrIpG7e1pYaZ8hS9e0mp+bxUj08fnDUbKctYyA==
-
-kind-of@^3.0.2, kind-of@^3.0.3, kind-of@^3.2.0:
-  version "3.2.2"
-  resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-3.2.2.tgz#31ea21a734bab9bbb0f32466d893aea51e4a3c64"
-  integrity sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=
-  dependencies:
-    is-buffer "^1.1.5"
-
-kind-of@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-4.0.0.tgz#20813df3d712928b207378691a45066fae72dd57"
-  integrity sha1-IIE989cSkosgc3hpGkUGb65y3Vc=
-  dependencies:
-    is-buffer "^1.1.5"
-
-kind-of@^5.0.0:
-  version "5.1.0"
-  resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-5.1.0.tgz#729c91e2d857b7a419a1f9aa65685c4c33f5845d"
-  integrity sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==
-
-kind-of@^6.0.0, kind-of@^6.0.2:
-  version "6.0.2"
-  resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-6.0.2.tgz#01146b36a6218e64e58f3a8d66de5d7fc6f6d051"
-  integrity sha512-s5kLOcnH0XqDO+FvuaLX8DDjZ18CGFk7VygH40QoKPUQhW4e2rvM0rwUq0t8IQDOwYSeLK01U90OjzBTme2QqA==
-
-laggard@^2.0.0:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/laggard/-/laggard-2.0.1.tgz#b34e87a5687788b9537e34c1b0560fed8f8c0cd9"
-  integrity sha512-XCUGeE3r3VWxM8CV9aw+GjG3v3vTInyCf3p9YUo1SCTkM4N93/JaRH/4Lpz0hDZnaEQsArtAbp+rYic3PdTpbg==
-  dependencies:
-    minimist "^1.2.0"
-    pixrem "^4.0.1"
-    postcss "^6.0.8"
-    postcss-color-rgba-fallback "^3.0.0"
-    postcss-opacity "^5.0.0"
-    postcss-pseudoelements "^5.0.0"
-    postcss-reporter "^5.0.0"
-    postcss-vmin "^3.0.0"
-    postcss-will-change "^2.0.0"
-    read-file-stdin "^0.2.0"
-    write-file-stdout "0.0.2"
-
-lazy-cache@^1.0.3:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/lazy-cache/-/lazy-cache-1.0.4.tgz#a1d78fc3a50474cb80845d3b3b6e1da49a446e8e"
-  integrity sha1-odePw6UEdMuAhF07O24dpJpEbo4=
-
-lcid@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/lcid/-/lcid-1.0.0.tgz#308accafa0bc483a3867b4b6f2b9506251d1b835"
-  integrity sha1-MIrMr6C8SDo4Z7S28rlQYlHRuDU=
-  dependencies:
-    invert-kv "^1.0.0"
-
-left-pad@^1.1.3:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a7765dfe001261dde915589e782f8c94d1e"
-  integrity sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==
-
-limiter@^1.0.5:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/limiter/-/limiter-1.1.3.tgz#32e2eb55b2324076943e5d04c1185ffb387968ef"
-  integrity sha512-zrycnIMsLw/3ZxTbW7HCez56rcFGecWTx5OZNplzcXUUmJLmoYArC6qdJzmAN5BWiNXGcpjhF9RQ1HSv5zebEw==
-
-load-json-file@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/load-json-file/-/load-json-file-1.1.0.tgz#956905708d58b4bab4c2261b04f59f31c99374c0"
-  integrity sha1-lWkFcI1YtLq0wiYbBPWfMcmTdMA=
-  dependencies:
-    graceful-fs "^4.1.2"
-    parse-json "^2.2.0"
-    pify "^2.0.0"
-    pinkie-promise "^2.0.0"
-    strip-bom "^2.0.0"
-
-load-json-file@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/load-json-file/-/load-json-file-2.0.0.tgz#7947e42149af80d696cbf797bcaabcfe1fe29ca8"
-  integrity sha1-eUfkIUmvgNaWy/eXvKq8/h/inKg=
-  dependencies:
-    graceful-fs "^4.1.2"
-    parse-json "^2.2.0"
-    pify "^2.0.0"
-    strip-bom "^3.0.0"
-
-loader-runner@^2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/loader-runner/-/loader-runner-2.3.0.tgz#f482aea82d543e07921700d5a46ef26fdac6b8a2"
-  integrity sha1-9IKuqC1UPgeSFwDVpG7yb9rGuKI=
-
-loader-utils@^1.0.2, loader-utils@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-1.1.0.tgz#c98aef488bcceda2ffb5e2de646d6a754429f5cd"
-  integrity sha1-yYrvSIvM7aL/teLeZG1qdUQp9c0=
-  dependencies:
-    big.js "^3.1.3"
-    emojis-list "^2.0.0"
-    json5 "^0.5.0"
-
-localtunnel@1.9.0:
-  version "1.9.0"
-  resolved "https://registry.yarnpkg.com/localtunnel/-/localtunnel-1.9.0.tgz#8ffecdcf8c8a14f62df1056cf9d54acbb0bb9a8f"
-  integrity sha512-wCIiIHJ8kKIcWkTQE3m1VRABvsH2ZuOkiOpZUofUCf6Q42v3VIZ+Q0YfX1Z4sYDRj0muiKL1bLvz1FeoxsPO0w==
-  dependencies:
-    axios "0.17.1"
-    debug "2.6.8"
-    openurl "1.1.1"
-    yargs "6.6.0"
-
-locate-path@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/locate-path/-/locate-path-2.0.0.tgz#2b568b265eec944c6d9c0de9c3dbbbca0354cd8e"
-  integrity sha1-K1aLJl7slExtnA3pw9u7ygNUzY4=
-  dependencies:
-    p-locate "^2.0.0"
-    path-exists "^3.0.0"
-
-lodash.clone@^4.5.0:
-  version "4.5.0"
-  resolved "https://registry.yarnpkg.com/lodash.clone/-/lodash.clone-4.5.0.tgz#195870450f5a13192478df4bc3d23d2dea1907b6"
-  integrity sha1-GVhwRQ9aExkkeN9Lw9I9LeoZB7Y=
-
-lodash.difference@^4.5.0:
-  version "4.5.0"
-  resolved "https://registry.yarnpkg.com/lodash.difference/-/lodash.difference-4.5.0.tgz#9ccb4e505d486b91651345772885a2df27fd017c"
-  integrity sha1-nMtOUF1Ia5FlE0V3KIWi3yf9AXw=
-
-lodash.isfinite@^3.3.2:
-  version "3.3.2"
-  resolved "https://registry.yarnpkg.com/lodash.isfinite/-/lodash.isfinite-3.3.2.tgz#fb89b65a9a80281833f0b7478b3a5104f898ebb3"
-  integrity sha1-+4m2WpqAKBgz8LdHizpRBPiY67M=
-
-lodash.memoize@^4.1.2:
-  version "4.1.2"
-  resolved "https://registry.yarnpkg.com/lodash.memoize/-/lodash.memoize-4.1.2.tgz#bcc6c49a42a2840ed997f323eada5ecd182e0bfe"
-  integrity sha1-vMbEmkKihA7Zl/Mj6tpezRguC/4=
-
-lodash.merge@^4.6.0, lodash.merge@^4.6.1:
-  version "4.6.1"
-  resolved "https://registry.yarnpkg.com/lodash.merge/-/lodash.merge-4.6.1.tgz#adc25d9cb99b9391c59624f379fbba60d7111d54"
-  integrity sha512-AOYza4+Hf5z1/0Hztxpm2/xiPZgi/cjMqdnKTUWTBSKchJlxXXuUSxCCl8rJlf4g6yww/j6mA8nC8Hw/EZWxKQ==
-
-lodash.reduce@^4.6.0:
-  version "4.6.0"
-  resolved "https://registry.yarnpkg.com/lodash.reduce/-/lodash.reduce-4.6.0.tgz#f1ab6b839299ad48f784abbf476596f03b914d3b"
-  integrity sha1-8atrg5KZrUj3hKu/R2WW8DuRTTs=
-
-lodash.union@^4.6.0:
-  version "4.6.0"
-  resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88"
-  integrity sha1-SLtQiECfFvGCFmZkHETdGqrjzYg=
-
-lodash.uniq@^4.5.0:
-  version "4.5.0"
-  resolved "https://registry.yarnpkg.com/lodash.uniq/-/lodash.uniq-4.5.0.tgz#d0225373aeb652adc1bc82e4945339a842754773"
-  integrity sha1-0CJTc662Uq3BvILklFM5qEJ1R3M=
-
-lodash@^4, lodash@^4.12.0, lodash@^4.17.10, lodash@^4.17.4, lodash@^4.17.5, lodash@^4.2.0, lodash@^4.3.0:
-  version "4.17.10"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7"
-  integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg==
-
-log-symbols@^2.0.0:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/log-symbols/-/log-symbols-2.2.0.tgz#5740e1c5d6f0dfda4ad9323b5332107ef6b4c40a"
-  integrity sha512-VeIAFslyIerEJLXHziedo2basKbMKtTw3vfn5IzG0XTjhAVEJyNHnL2p7vc+wBDSdQuUpNw3M2u6xb9QsAY5Eg==
-  dependencies:
-    chalk "^2.0.1"
-
-longest@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097"
-  integrity sha1-MKCy2jj3N3DoKUoNIuZiXtd9AJc=
-
-loose-envify@^1.0.0, loose-envify@^1.3.1:
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/loose-envify/-/loose-envify-1.3.1.tgz#d1a8ad33fa9ce0e713d65fdd0ac8b748d478c848"
-  integrity sha1-0aitM/qc4OcT1l/dCsi3SNR4yEg=
-  dependencies:
-    js-tokens "^3.0.0"
-
-lru-cache@^4.0.1:
-  version "4.1.3"
-  resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-4.1.3.tgz#a1175cf3496dfc8436c156c334b4955992bce69c"
-  integrity sha512-fFEhvcgzuIoJVUF8fYr5KR0YqxD238zgObTps31YdADwPPAp82a4M8TrckkWyx7ekNlf9aBcVn81cFwwXngrJA==
-  dependencies:
-    pseudomap "^1.0.2"
-    yallist "^2.1.2"
-
-make-dir@^1.0.0:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/make-dir/-/make-dir-1.3.0.tgz#79c1033b80515bd6d24ec9933e860ca75ee27f0c"
-  integrity sha512-2w31R7SJtieJJnQtGc7RVL2StM2vGYVfqUOvUDxH6bC6aJTxPxTF0GnIgCyu7tjockiUWAYQRbxa7vKn34s5sQ==
-  dependencies:
-    pify "^3.0.0"
-
-map-cache@^0.2.2:
-  version "0.2.2"
-  resolved "https://registry.yarnpkg.com/map-cache/-/map-cache-0.2.2.tgz#c32abd0bd6525d9b051645bb4f26ac5dc98a0dbf"
-  integrity sha1-wyq9C9ZSXZsFFkW7TyasXcmKDb8=
-
-map-visit@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/map-visit/-/map-visit-1.0.0.tgz#ecdca8f13144e660f1b5bd41f12f3479d98dfb8f"
-  integrity sha1-7Nyo8TFE5mDxtb1B8S80edmN+48=
-  dependencies:
-    object-visit "^1.0.0"
-
-marked@^0.5.1:
-  version "0.5.1"
-  resolved "https://registry.yarnpkg.com/marked/-/marked-0.5.1.tgz#062f43b88b02ee80901e8e8d8e6a620ddb3aa752"
-  integrity sha512-iUkBZegCZou4AdwbKTwSW/lNDcz5OuRSl3qdcl31Ia0B2QPG0Jn+tKblh/9/eP9/6+4h27vpoh8wel/vQOV0vw==
-
-math-expression-evaluator@^1.2.14:
-  version "1.2.17"
-  resolved "https://registry.yarnpkg.com/math-expression-evaluator/-/math-expression-evaluator-1.2.17.tgz#de819fdbcd84dccd8fae59c6aeb79615b9d266ac"
-  integrity sha1-3oGf282E3M2PrlnGrreWFbnSZqw=
-
-math-random@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/math-random/-/math-random-1.0.1.tgz#8b3aac588b8a66e4975e3cdea67f7bb329601fac"
-  integrity sha1-izqsWIuKZuSXXjzepn97sylgH6w=
-
-md5.js@^1.3.4:
-  version "1.3.4"
-  resolved "https://registry.yarnpkg.com/md5.js/-/md5.js-1.3.4.tgz#e9bdbde94a20a5ac18b04340fc5764d5b09d901d"
-  integrity sha1-6b296UogpawYsENA/Fdk1bCdkB0=
-  dependencies:
-    hash-base "^3.0.0"
-    inherits "^2.0.1"
-
-media-typer@0.3.0:
-  version "0.3.0"
-  resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748"
-  integrity sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=
-
-mem@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/mem/-/mem-1.1.0.tgz#5edd52b485ca1d900fe64895505399a0dfa45f76"
-  integrity sha1-Xt1StIXKHZAP5kiVUFOZoN+kX3Y=
-  dependencies:
-    mimic-fn "^1.0.0"
-
-memory-fs@^0.4.0, memory-fs@~0.4.1:
-  version "0.4.1"
-  resolved "https://registry.yarnpkg.com/memory-fs/-/memory-fs-0.4.1.tgz#3a9a20b8462523e447cfbc7e8bb80ed667bfc552"
-  integrity sha1-OpoguEYlI+RHz7x+i7gO1me/xVI=
-  dependencies:
-    errno "^0.1.3"
-    readable-stream "^2.0.1"
-
-merge-descriptors@1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/merge-descriptors/-/merge-descriptors-1.0.1.tgz#b00aaa556dd8b44568150ec9d1b953f3f90cbb61"
-  integrity sha1-sAqqVW3YtEVoFQ7J0blT8/kMu2E=
-
-methods@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/methods/-/methods-1.1.2.tgz#5529a4d67654134edcc5266656835b0f851afcee"
-  integrity sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4=
-
-micromatch@2.3.11, micromatch@^2.1.5:
-  version "2.3.11"
-  resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-2.3.11.tgz#86677c97d1720b363431d04d0d15293bd38c1565"
-  integrity sha1-hmd8l9FyCzY0MdBNDRUpO9OMFWU=
-  dependencies:
-    arr-diff "^2.0.0"
-    array-unique "^0.2.1"
-    braces "^1.8.2"
-    expand-brackets "^0.1.4"
-    extglob "^0.3.1"
-    filename-regex "^2.0.0"
-    is-extglob "^1.0.0"
-    is-glob "^2.0.1"
-    kind-of "^3.0.2"
-    normalize-path "^2.0.1"
-    object.omit "^2.0.0"
-    parse-glob "^3.0.4"
-    regex-cache "^0.4.2"
-
-micromatch@^3.0.4, micromatch@^3.1.4:
-  version "3.1.10"
-  resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-3.1.10.tgz#70859bc95c9840952f359a068a3fc49f9ecfac23"
-  integrity sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==
-  dependencies:
-    arr-diff "^4.0.0"
-    array-unique "^0.3.2"
-    braces "^2.3.1"
-    define-property "^2.0.2"
-    extend-shallow "^3.0.2"
-    extglob "^2.0.4"
-    fragment-cache "^0.2.1"
-    kind-of "^6.0.2"
-    nanomatch "^1.2.9"
-    object.pick "^1.3.0"
-    regex-not "^1.0.0"
-    snapdragon "^0.8.1"
-    to-regex "^3.0.2"
-
-miller-rabin@^4.0.0:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/miller-rabin/-/miller-rabin-4.0.1.tgz#f080351c865b0dc562a8462966daa53543c78a4d"
-  integrity sha512-115fLhvZVqWwHPbClyntxEVfVDfl9DLLTuJvq3g2O/Oxi8AiNouAHvDSzHS0viUJc+V5vm3eq91Xwqn9dp4jRA==
-  dependencies:
-    bn.js "^4.0.0"
-    brorand "^1.0.1"
-
-mime-db@~1.33.0:
-  version "1.33.0"
-  resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.33.0.tgz#a3492050a5cb9b63450541e39d9788d2272783db"
-  integrity sha512-BHJ/EKruNIqJf/QahvxwQZXKygOQ256myeN/Ew+THcAa5q+PjyTTMMeNQC4DZw5AwfvelsUrA6B67NKMqXDbzQ==
-
-mime-types@^2.1.12, mime-types@~2.1.17, mime-types@~2.1.18:
-  version "2.1.18"
-  resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.18.tgz#6f323f60a83d11146f831ff11fd66e2fe5503bb8"
-  integrity sha512-lc/aahn+t4/SWV/qcmumYjymLsWfN3ELhpmVuUFjgsORruuZPVSwAQryq+HHGvO/SI2KVX26bx+En+zhM8g8hQ==
-  dependencies:
-    mime-db "~1.33.0"
-
-mime@1.4.1:
-  version "1.4.1"
-  resolved "https://registry.yarnpkg.com/mime/-/mime-1.4.1.tgz#121f9ebc49e3766f311a76e1fa1c8003c4b03aa6"
-  integrity sha512-KI1+qOZu5DcW6wayYHSzR/tXKCDC5Om4s1z2QJjDULzLcmf3DvzS7oluY4HCTrc+9FiKmWUgeNLg7W3uIQvxtQ==
-
-mimic-fn@^1.0.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/mimic-fn/-/mimic-fn-1.2.0.tgz#820c86a39334640e99516928bd03fca88057d022"
-  integrity sha512-jf84uxzwiuiIVKiOLpfYk7N46TSy8ubTonmneY9vrpHNAnp0QBt2BxWV9dO3/j+BoVAb+a5G6YDPW3M5HOdMWQ==
-
-minimalistic-assert@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
-  integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
-
-minimalistic-crypto-utils@^1.0.0, minimalistic-crypto-utils@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a"
-  integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
-
-minimatch@3.0.3:
-  version "3.0.3"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.3.tgz#2a4e4090b96b2db06a9d7df01055a62a77c9b774"
-  integrity sha1-Kk5AkLlrLbBqnX3wEFWmKnfJt3Q=
-  dependencies:
-    brace-expansion "^1.0.0"
-
-minimatch@^3.0.0, minimatch@^3.0.2, minimatch@^3.0.4:
-  version "3.0.4"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
-  integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
-  dependencies:
-    brace-expansion "^1.1.7"
-
-minimist@0.0.8:
-  version "0.0.8"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz#857fcabfc3397d2625b8228262e86aa7a011b05d"
-  integrity sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=
-
-minimist@^1.1.2, minimist@^1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#a35008b20f41383eec1fb914f4cd5df79a264284"
-  integrity sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=
-
-minipass@^2.2.1, minipass@^2.3.3:
-  version "2.3.3"
-  resolved "https://registry.yarnpkg.com/minipass/-/minipass-2.3.3.tgz#a7dcc8b7b833f5d368759cce544dccb55f50f233"
-  integrity sha512-/jAn9/tEX4gnpyRATxgHEOV6xbcyxgT7iUnxo9Y3+OB0zX00TgKIv/2FZCf5brBbICcwbLqVv2ImjvWWrQMSYw==
-  dependencies:
-    safe-buffer "^5.1.2"
-    yallist "^3.0.0"
-
-minizlib@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/minizlib/-/minizlib-1.1.0.tgz#11e13658ce46bc3a70a267aac58359d1e0c29ceb"
-  integrity sha512-4T6Ur/GctZ27nHfpt9THOdRZNgyJ9FZchYO1ceg5S8Q3DNLCKYy44nCZzgCJgcvx2UM8czmqak5BCxJMrq37lA==
-  dependencies:
-    minipass "^2.2.1"
-
-mixin-deep@^1.2.0:
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/mixin-deep/-/mixin-deep-1.3.1.tgz#a49e7268dce1a0d9698e45326c5626df3543d0fe"
-  integrity sha512-8ZItLHeEgaqEvd5lYBXfm4EZSFCX29Jb9K+lAHhDKzReKBQKj3R+7NOF6tjqYi9t4oI8VUfaWITJQm86wnXGNQ==
-  dependencies:
-    for-in "^1.0.2"
-    is-extendable "^1.0.1"
-
-mkdirp@^0.5.0, mkdirp@^0.5.1, mkdirp@~0.5.0, mkdirp@~0.5.1:
-  version "0.5.1"
-  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.1.tgz#30057438eac6cf7f8c4767f38648d6697d75c903"
-  integrity sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=
-  dependencies:
-    minimist "0.0.8"
-
-ms@2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8"
-  integrity sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=
-
-mute-stream@0.0.7:
-  version "0.0.7"
-  resolved "https://registry.yarnpkg.com/mute-stream/-/mute-stream-0.0.7.tgz#3075ce93bc21b8fab43e1bc4da7e8115ed1e7bab"
-  integrity sha1-MHXOk7whuPq0PhvE2n6BFe0ee6s=
-
-nan@^2.9.2:
-  version "2.10.0"
-  resolved "https://registry.yarnpkg.com/nan/-/nan-2.10.0.tgz#96d0cd610ebd58d4b4de9cc0c6828cda99c7548f"
-  integrity sha512-bAdJv7fBLhWC+/Bls0Oza+mvTaNQtP+1RyhhhvD95pgUJz6XM5IzgmxOkItJ9tkoCiplvAnXI1tNmmUD/eScyA==
-
-nanoid@^1.0.2:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-1.0.3.tgz#3ff31779301f481baa52a6a31a67c8f6e91949d2"
-  integrity sha512-l5PWjXxZa6DTMzCO3uXNnnNxuqSUeTxNEMWsSr+5QUbC7g00Z4d6tSp8r0RQpY5h49KjwsMxmehLIfmuLv+6CQ==
-
-nanoid@^2.0.0:
-  version "2.1.6"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-2.1.6.tgz#0665418f692e54cf44f34d4010761f3240a03314"
-  integrity sha512-2NDzpiuEy3+H0AVtdt8LoFi7PnqkOnIzYmJQp7xsEU6VexLluHQwKREuiz57XaQC5006seIadPrIZJhyS2n7aw==
-
-nanomatch@^1.2.9:
-  version "1.2.9"
-  resolved "https://registry.yarnpkg.com/nanomatch/-/nanomatch-1.2.9.tgz#879f7150cb2dab7a471259066c104eee6e0fa7c2"
-  integrity sha512-n8R9bS8yQ6eSXaV6jHUpKzD8gLsin02w1HSFiegwrs9E098Ylhw5jdyKPaYqvHknHaSCKTPp7C8dGCQ0q9koXA==
-  dependencies:
-    arr-diff "^4.0.0"
-    array-unique "^0.3.2"
-    define-property "^2.0.2"
-    extend-shallow "^3.0.2"
-    fragment-cache "^0.2.1"
-    is-odd "^2.0.0"
-    is-windows "^1.0.2"
-    kind-of "^6.0.2"
-    object.pick "^1.3.0"
-    regex-not "^1.0.0"
-    snapdragon "^0.8.1"
-    to-regex "^3.0.1"
-
-ncp@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/ncp/-/ncp-2.0.0.tgz#195a21d6c46e361d2fb1281ba38b91e9df7bdbb3"
-  integrity sha1-GVoh1sRuNh0vsSgbo4uR6d9727M=
-
-needle@^2.2.0:
-  version "2.2.1"
-  resolved "https://registry.yarnpkg.com/needle/-/needle-2.2.1.tgz#b5e325bd3aae8c2678902fa296f729455d1d3a7d"
-  integrity sha512-t/ZswCM9JTWjAdXS9VpvqhI2Ct2sL2MdY4fUXqGJaGBk13ge99ObqRksRTbBE56K+wxUXwwfZYOuZHifFW9q+Q==
-  dependencies:
-    debug "^2.1.2"
-    iconv-lite "^0.4.4"
-    sax "^1.2.4"
-
-negotiator@0.6.1:
-  version "0.6.1"
-  resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.1.tgz#2b327184e8992101177b28563fb5e7102acd0ca9"
-  integrity sha1-KzJxhOiZIQEXeyhWP7XnECrNDKk=
-
-neo-async@^2.5.0:
-  version "2.5.1"
-  resolved "https://registry.yarnpkg.com/neo-async/-/neo-async-2.5.1.tgz#acb909e327b1e87ec9ef15f41b8a269512ad41ee"
-  integrity sha512-3KL3fvuRkZ7s4IFOMfztb7zJp3QaVWnBeGoJlgB38XnCRPj/0tLzzLG5IB8NYOHbJ8g8UGrgZv44GLDk6CxTxA==
-
-next-tick@1:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/next-tick/-/next-tick-1.0.0.tgz#ca86d1fe8828169b0120208e3dc8424b9db8342c"
-  integrity sha1-yobR/ogoFpsBICCOPchCS524NCw=
-
-node-fetch@^1.0.1:
-  version "1.7.3"
-  resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-1.7.3.tgz#980f6f72d85211a5347c6b2bc18c5b84c3eb47ef"
-  integrity sha512-NhZ4CsKx7cYm2vSrBAr2PvFOe6sWDf0UYLRqA6svUYg7+/TSfVAu49jYC4BvQ4Sms9SZgdqGBgroqfDhJdTyKQ==
-  dependencies:
-    encoding "^0.1.11"
-    is-stream "^1.0.1"
-
-node-fetch@^2.2.1:
-  version "2.2.1"
-  resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.2.1.tgz#1fe551e0ded6c45b3b3b937d0fb46f76df718d1e"
-  integrity sha512-ObXBpNCD3A/vYQiQtEWl7DuqjAXjfptYFuGHLdPl5U19/6kJuZV+8uMHLrkj3wJrJoyfg4nhgyFixZdaZoAiEQ==
-
-node-libs-browser@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/node-libs-browser/-/node-libs-browser-2.1.0.tgz#5f94263d404f6e44767d726901fff05478d600df"
-  integrity sha512-5AzFzdoIMb89hBGMZglEegffzgRg+ZFoUmisQ8HI4j1KDdpx13J0taNp2y9xPbur6W61gepGDDotGBVQ7mfUCg==
-  dependencies:
-    assert "^1.1.1"
-    browserify-zlib "^0.2.0"
-    buffer "^4.3.0"
-    console-browserify "^1.1.0"
-    constants-browserify "^1.0.0"
-    crypto-browserify "^3.11.0"
-    domain-browser "^1.1.1"
-    events "^1.0.0"
-    https-browserify "^1.0.0"
-    os-browserify "^0.3.0"
-    path-browserify "0.0.0"
-    process "^0.11.10"
-    punycode "^1.2.4"
-    querystring-es3 "^0.2.0"
-    readable-stream "^2.3.3"
-    stream-browserify "^2.0.1"
-    stream-http "^2.7.2"
-    string_decoder "^1.0.0"
-    timers-browserify "^2.0.4"
-    tty-browserify "0.0.0"
-    url "^0.11.0"
-    util "^0.10.3"
-    vm-browserify "0.0.4"
-
-node-pre-gyp@^0.10.0:
-  version "0.10.0"
-  resolved "https://registry.yarnpkg.com/node-pre-gyp/-/node-pre-gyp-0.10.0.tgz#6e4ef5bb5c5203c6552448828c852c40111aac46"
-  integrity sha512-G7kEonQLRbcA/mOoFoxvlMrw6Q6dPf92+t/l0DFSMuSlDoWaI9JWIyPwK0jyE1bph//CUEL65/Fz1m2vJbmjQQ==
-  dependencies:
-    detect-libc "^1.0.2"
-    mkdirp "^0.5.1"
-    needle "^2.2.0"
-    nopt "^4.0.1"
-    npm-packlist "^1.1.6"
-    npmlog "^4.0.2"
-    rc "^1.1.7"
-    rimraf "^2.6.1"
-    semver "^5.3.0"
-    tar "^4"
-
-nopt@^4.0.1:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/nopt/-/nopt-4.0.1.tgz#d0d4685afd5415193c8c7505602d0d17cd64474d"
-  integrity sha1-0NRoWv1UFRk8jHUFYC0NF81kR00=
-  dependencies:
-    abbrev "1"
-    osenv "^0.1.4"
-
-nopt@~1.0.10:
-  version "1.0.10"
-  resolved "https://registry.yarnpkg.com/nopt/-/nopt-1.0.10.tgz#6ddd21bd2a31417b92727dd585f8a6f37608ebee"
-  integrity sha1-bd0hvSoxQXuScn3Vhfim83YI6+4=
-  dependencies:
-    abbrev "1"
-
-normalize-package-data@^2.3.2:
-  version "2.4.0"
-  resolved "https://registry.yarnpkg.com/normalize-package-data/-/normalize-package-data-2.4.0.tgz#12f95a307d58352075a04907b84ac8be98ac012f"
-  integrity sha512-9jjUFbTPfEy3R/ad/2oNbKtW9Hgovl5O1FvFWKkKblNXoN/Oou6+9+KKohPK13Yc3/TyunyWhJp6gvRNR/PPAw==
-  dependencies:
-    hosted-git-info "^2.1.4"
-    is-builtin-module "^1.0.0"
-    semver "2 || 3 || 4 || 5"
-    validate-npm-package-license "^3.0.1"
-
-normalize-path@^2.0.0, normalize-path@^2.0.1, normalize-path@^2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/normalize-path/-/normalize-path-2.1.1.tgz#1ab28b556e198363a8c1a6f7e6fa20137fe6aed9"
-  integrity sha1-GrKLVW4Zg2Oowab35vogE3/mrtk=
-  dependencies:
-    remove-trailing-separator "^1.0.1"
-
-normalize-range@^0.1.2:
-  version "0.1.2"
-  resolved "https://registry.yarnpkg.com/normalize-range/-/normalize-range-0.1.2.tgz#2d10c06bdfd312ea9777695a4d28439456b75942"
-  integrity sha1-LRDAa9/TEuqXd2laTShDlFa3WUI=
-
-normalize-url@^1.4.0:
-  version "1.9.1"
-  resolved "https://registry.yarnpkg.com/normalize-url/-/normalize-url-1.9.1.tgz#2cc0d66b31ea23036458436e3620d85954c66c3c"
-  integrity sha1-LMDWazHqIwNkWENuNiDYWVTGbDw=
-  dependencies:
-    object-assign "^4.0.1"
-    prepend-http "^1.0.0"
-    query-string "^4.1.0"
-    sort-keys "^1.0.0"
-
-normalize.css@^8.0.0:
-  version "8.0.0"
-  resolved "https://registry.yarnpkg.com/normalize.css/-/normalize.css-8.0.0.tgz#14ac5e461612538a4ce9be90a7da23f86e718493"
-  integrity sha512-iXcbM3NWr0XkNyfiSBsoPezi+0V92P9nj84yVV1/UZxRUrGczgX/X91KMAGM0omWLY2+2Q1gKD/XRn4gQRDB2A==
-
-npm-bundled@^1.0.1:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/npm-bundled/-/npm-bundled-1.0.3.tgz#7e71703d973af3370a9591bafe3a63aca0be2308"
-  integrity sha512-ByQ3oJ/5ETLyglU2+8dBObvhfWXX8dtPZDMePCahptliFX2iIuhyEszyFk401PZUNQH20vvdW5MLjJxkwU80Ow==
-
-npm-packlist@^1.1.6:
-  version "1.1.10"
-  resolved "https://registry.yarnpkg.com/npm-packlist/-/npm-packlist-1.1.10.tgz#1039db9e985727e464df066f4cf0ab6ef85c398a"
-  integrity sha512-AQC0Dyhzn4EiYEfIUjCdMl0JJ61I2ER9ukf/sLxJUcZHfo+VyEfz2rMJgLZSS1v30OxPQe1cN0LZA1xbcaVfWA==
-  dependencies:
-    ignore-walk "^3.0.1"
-    npm-bundled "^1.0.1"
-
-npm-run-path@^2.0.0:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/npm-run-path/-/npm-run-path-2.0.2.tgz#35a9232dfa35d7067b4cb2ddf2357b1871536c5f"
-  integrity sha1-NakjLfo11wZ7TLLd8jV7GHFTbF8=
-  dependencies:
-    path-key "^2.0.0"
-
-npmlog@^4.0.2:
-  version "4.1.2"
-  resolved "https://registry.yarnpkg.com/npmlog/-/npmlog-4.1.2.tgz#08a7f2a8bf734604779a9efa4ad5cc717abb954b"
-  integrity sha512-2uUqazuKlTaSI/dC8AzicUck7+IrEaOnN/e0jd3Xtt1KcGpwx30v50mL7oPyr/h9bL3E4aZccVwpwP+5W9Vjkg==
-  dependencies:
-    are-we-there-yet "~1.1.2"
-    console-control-strings "~1.1.0"
-    gauge "~2.7.3"
-    set-blocking "~2.0.0"
-
-num2fraction@^1.2.2:
-  version "1.2.2"
-  resolved "https://registry.yarnpkg.com/num2fraction/-/num2fraction-1.2.2.tgz#6f682b6a027a4e9ddfa4564cd2589d1d4e669ede"
-  integrity sha1-b2gragJ6Tp3fpFZM0lidHU5mnt4=
-
-number-is-nan@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/number-is-nan/-/number-is-nan-1.0.1.tgz#097b602b53422a522c1afb8790318336941a011d"
-  integrity sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=
-
-oauth-sign@~0.8.2:
-  version "0.8.2"
-  resolved "https://registry.yarnpkg.com/oauth-sign/-/oauth-sign-0.8.2.tgz#46a6ab7f0aead8deae9ec0565780b7d4efeb9d43"
-  integrity sha1-Rqarfwrq2N6unsBWV4C31O/rnUM=
-
-object-assign@^4.0.1, object-assign@^4.1.0, object-assign@^4.1.1:
-  version "4.1.1"
-  resolved "https://registry.yarnpkg.com/object-assign/-/object-assign-4.1.1.tgz#2109adc7965887cfc05cbbd442cac8bfbb360863"
-  integrity sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM=
-
-object-component@0.0.3:
-  version "0.0.3"
-  resolved "https://registry.yarnpkg.com/object-component/-/object-component-0.0.3.tgz#f0c69aa50efc95b866c186f400a33769cb2f1291"
-  integrity sha1-8MaapQ78lbhmwYb0AKM3acsvEpE=
-
-object-copy@^0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/object-copy/-/object-copy-0.1.0.tgz#7e7d858b781bd7c991a41ba975ed3812754e998c"
-  integrity sha1-fn2Fi3gb18mRpBupde04EnVOmYw=
-  dependencies:
-    copy-descriptor "^0.1.0"
-    define-property "^0.2.5"
-    kind-of "^3.0.3"
-
-object-fit-images@^3.2.4:
-  version "3.2.4"
-  resolved "https://registry.yarnpkg.com/object-fit-images/-/object-fit-images-3.2.4.tgz#6c299d38fdf207746e5d2d46c2877f6f25d15b52"
-  integrity sha512-G+7LzpYfTfqUyrZlfrou/PLLLAPNC52FTy5y1CBywX+1/FkxIloOyQXBmZ3Zxa2AWO+lMF0JTuvqbr7G5e5CWg==
-
-object-path@^0.9.0:
-  version "0.9.2"
-  resolved "https://registry.yarnpkg.com/object-path/-/object-path-0.9.2.tgz#0fd9a74fc5fad1ae3968b586bda5c632bd6c05a5"
-  integrity sha1-D9mnT8X60a45aLWGvaXGMr1sBaU=
-
-object-visit@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/object-visit/-/object-visit-1.0.1.tgz#f79c4493af0c5377b59fe39d395e41042dd045bb"
-  integrity sha1-95xEk68MU3e1n+OdOV5BBC3QRbs=
-  dependencies:
-    isobject "^3.0.0"
-
-object.omit@^2.0.0:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/object.omit/-/object.omit-2.0.1.tgz#1a9c744829f39dbb858c76ca3579ae2a54ebd1fa"
-  integrity sha1-Gpx0SCnznbuFjHbKNXmuKlTr0fo=
-  dependencies:
-    for-own "^0.1.4"
-    is-extendable "^0.1.1"
-
-object.pick@^1.3.0:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/object.pick/-/object.pick-1.3.0.tgz#87a10ac4c1694bd2e1cbf53591a66141fb5dd747"
-  integrity sha1-h6EKxMFpS9Lhy/U1kaZhQftd10c=
-  dependencies:
-    isobject "^3.0.1"
-
-objectfn@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/objectfn/-/objectfn-2.0.0.tgz#3fbc9d2c43690bf2b418ba5e3486e3cbb5b99e95"
-  integrity sha1-P7ydLENpC/K0GLpeNIbjy7W5npU=
-
-on-finished@~2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/on-finished/-/on-finished-2.3.0.tgz#20f1336481b083cd75337992a16971aa2d906947"
-  integrity sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=
-  dependencies:
-    ee-first "1.1.1"
-
-once@^1.3.0:
-  version "1.4.0"
-  resolved "https://registry.yarnpkg.com/once/-/once-1.4.0.tgz#583b1aa775961d4b113ac17d9c50baef9dd76bd1"
-  integrity sha1-WDsap3WWHUsROsF9nFC6753Xa9E=
-  dependencies:
-    wrappy "1"
-
-onecolor@^3.0.5:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/onecolor/-/onecolor-3.1.0.tgz#b72522270a49569ac20d244b3cd40fe157fda4d2"
-  integrity sha512-YZSypViXzu3ul5LMu/m6XjJ9ol8qAy9S2VjHl5E6UlhUH1KGKWabyEJifn0Jjpw23bYDzC2ucKMPGiH5kfwSGQ==
-
-onetime@^2.0.0:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/onetime/-/onetime-2.0.1.tgz#067428230fd67443b2794b22bba528b6867962d4"
-  integrity sha1-BnQoIw/WdEOyeUsiu6UotoZ5YtQ=
-  dependencies:
-    mimic-fn "^1.0.0"
-
-opener@^1.5.1:
-  version "1.5.1"
-  resolved "https://registry.yarnpkg.com/opener/-/opener-1.5.1.tgz#6d2f0e77f1a0af0032aca716c2c1fbb8e7e8abed"
-  integrity sha512-goYSy5c2UXE4Ra1xixabeVh1guIX/ZV/YokJksb6q2lubWu6UbvPQ20p542/sFIll1nl8JnCyK9oBaOcCWXwvA==
-
-openurl@1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/openurl/-/openurl-1.1.1.tgz#3875b4b0ef7a52c156f0db41d4609dbb0f94b387"
-  integrity sha1-OHW0sO96UsFW8NtB1GCduw+Us4c=
-
-opn@5.3.0:
-  version "5.3.0"
-  resolved "https://registry.yarnpkg.com/opn/-/opn-5.3.0.tgz#64871565c863875f052cfdf53d3e3cb5adb53b1c"
-  integrity sha512-bYJHo/LOmoTd+pfiYhfZDnf9zekVJrY+cnS2a5F2x+w5ppvTqObojTP7WiFG+kVZs9Inw+qQ/lw7TroWwhdd2g==
-  dependencies:
-    is-wsl "^1.1.0"
-
-os-browserify@^0.3.0:
-  version "0.3.0"
-  resolved "https://registry.yarnpkg.com/os-browserify/-/os-browserify-0.3.0.tgz#854373c7f5c2315914fc9bfc6bd8238fdda1ec27"
-  integrity sha1-hUNzx/XCMVkU/Jv8a9gjj92h7Cc=
-
-os-homedir@^1.0.0:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/os-homedir/-/os-homedir-1.0.2.tgz#ffbc4988336e0e833de0c168c7ef152121aa7fb3"
-  integrity sha1-/7xJiDNuDoM94MFox+8VISGqf7M=
-
-os-locale@^1.4.0:
-  version "1.4.0"
-  resolved "https://registry.yarnpkg.com/os-locale/-/os-locale-1.4.0.tgz#20f9f17ae29ed345e8bde583b13d2009803c14d9"
-  integrity sha1-IPnxeuKe00XoveWDsT0gCYA8FNk=
-  dependencies:
-    lcid "^1.0.0"
-
-os-locale@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/os-locale/-/os-locale-2.1.0.tgz#42bc2900a6b5b8bd17376c8e882b65afccf24bf2"
-  integrity sha512-3sslG3zJbEYcaC4YVAvDorjGxc7tv6KVATnLPZONiljsUncvihe9BQoVCEs0RZ1kmf4Hk9OBqlZfJZWI4GanKA==
-  dependencies:
-    execa "^0.7.0"
-    lcid "^1.0.0"
-    mem "^1.1.0"
-
-os-tmpdir@^1.0.0, os-tmpdir@^1.0.1, os-tmpdir@~1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/os-tmpdir/-/os-tmpdir-1.0.2.tgz#bbe67406c79aa85c5cfec766fe5734555dfa1274"
-  integrity sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=
-
-osenv@^0.1.4:
-  version "0.1.5"
-  resolved "https://registry.yarnpkg.com/osenv/-/osenv-0.1.5.tgz#85cdfafaeb28e8677f416e287592b5f3f49ea410"
-  integrity sha512-0CWcCECdMVc2Rw3U5w9ZjqX6ga6ubk1xDVKxtBQPK7wis/0F2r9T6k4ydGYhecl7YUBxBVxhL5oisPsNxAPe2g==
-  dependencies:
-    os-homedir "^1.0.0"
-    os-tmpdir "^1.0.0"
-
-p-finally@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/p-finally/-/p-finally-1.0.0.tgz#3fbcfb15b899a44123b34b6dcc18b724336a2cae"
-  integrity sha1-P7z7FbiZpEEjs0ttzBi3JDNqLK4=
-
-p-limit@^1.1.0:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/p-limit/-/p-limit-1.3.0.tgz#b86bd5f0c25690911c7590fcbfc2010d54b3ccb8"
-  integrity sha512-vvcXsLAJ9Dr5rQOPk7toZQZJApBl2K4J6dANSsEuh6QI41JYcsS/qhTGa9ErIUUgK3WNQoJYvylxvjqmiqEA9Q==
-  dependencies:
-    p-try "^1.0.0"
-
-p-locate@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/p-locate/-/p-locate-2.0.0.tgz#20a0103b222a70c8fd39cc2e580680f3dde5ec43"
-  integrity sha1-IKAQOyIqcMj9OcwuWAaA893l7EM=
-  dependencies:
-    p-limit "^1.1.0"
-
-p-try@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/p-try/-/p-try-1.0.0.tgz#cbc79cdbaf8fd4228e13f621f2b1a237c1b207b3"
-  integrity sha1-y8ec26+P1CKOE/Yh8rGiN8GyB7M=
-
-pako@~1.0.5:
-  version "1.0.6"
-  resolved "https://registry.yarnpkg.com/pako/-/pako-1.0.6.tgz#0101211baa70c4bca4a0f63f2206e97b7dfaf258"
-  integrity sha512-lQe48YPsMJAig+yngZ87Lus+NF+3mtu7DVOBu6b/gHO1YpKwIj5AWjZ/TOS7i46HD/UixzWb1zeWDZfGZ3iYcg==
-
-parse-asn1@^5.0.0:
-  version "5.1.1"
-  resolved "https://registry.yarnpkg.com/parse-asn1/-/parse-asn1-5.1.1.tgz#f6bf293818332bd0dab54efb16087724745e6ca8"
-  integrity sha512-KPx7flKXg775zZpnp9SxJlz00gTd4BmJ2yJufSc44gMCRrRQ7NSzAcSJQfifuOLgW6bEi+ftrALtsgALeB2Adw==
-  dependencies:
-    asn1.js "^4.0.0"
-    browserify-aes "^1.0.0"
-    create-hash "^1.1.0"
-    evp_bytestokey "^1.0.0"
-    pbkdf2 "^3.0.3"
-
-parse-glob@^3.0.4:
-  version "3.0.4"
-  resolved "https://registry.yarnpkg.com/parse-glob/-/parse-glob-3.0.4.tgz#b2c376cfb11f35513badd173ef0bb6e3a388391c"
-  integrity sha1-ssN2z7EfNVE7rdFz7wu246OIORw=
-  dependencies:
-    glob-base "^0.3.0"
-    is-dotfile "^1.0.0"
-    is-extglob "^1.0.0"
-    is-glob "^2.0.0"
-
-parse-json@^2.2.0:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/parse-json/-/parse-json-2.2.0.tgz#f480f40434ef80741f8469099f8dea18f55a4dc9"
-  integrity sha1-9ID0BDTvgHQfhGkJn43qGPVaTck=
-  dependencies:
-    error-ex "^1.2.0"
-
-parse-json@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/parse-json/-/parse-json-4.0.0.tgz#be35f5425be1f7f6c747184f98a788cb99477ee0"
-  integrity sha1-vjX1Qlvh9/bHRxhPmKeIy5lHfuA=
-  dependencies:
-    error-ex "^1.3.1"
-    json-parse-better-errors "^1.0.1"
-
-parse5@^2.1.5:
-  version "2.2.3"
-  resolved "https://registry.yarnpkg.com/parse5/-/parse5-2.2.3.tgz#0c4fc41c1000c5e6b93d48b03f8083837834e9f6"
-  integrity sha1-DE/EHBAAxea5PUiwP4CDg3g06fY=
-
-parse5@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/parse5/-/parse5-4.0.0.tgz#6d78656e3da8d78b4ec0b906f7c08ef1dfe3f608"
-  integrity sha512-VrZ7eOd3T1Fk4XWNXMgiGBK/z0MG48BWG2uQNU4I72fkQuKUTZpl+u9k+CxEG0twMVzSmXEEz12z5Fnw1jIQFA==
-
-parseqs@0.0.5:
-  version "0.0.5"
-  resolved "https://registry.yarnpkg.com/parseqs/-/parseqs-0.0.5.tgz#d5208a3738e46766e291ba2ea173684921a8b89d"
-  integrity sha1-1SCKNzjkZ2bikbouoXNoSSGouJ0=
-  dependencies:
-    better-assert "~1.0.0"
-
-parseuri@0.0.5:
-  version "0.0.5"
-  resolved "https://registry.yarnpkg.com/parseuri/-/parseuri-0.0.5.tgz#80204a50d4dbb779bfdc6ebe2778d90e4bce320a"
-  integrity sha1-gCBKUNTbt3m/3G6+J3jZDkvOMgo=
-  dependencies:
-    better-assert "~1.0.0"
-
-parseurl@~1.3.2:
-  version "1.3.2"
-  resolved "https://registry.yarnpkg.com/parseurl/-/parseurl-1.3.2.tgz#fc289d4ed8993119460c156253262cdc8de65bf3"
-  integrity sha1-/CidTtiZMRlGDBViUyYs3I3mW/M=
-
-pascalcase@^0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/pascalcase/-/pascalcase-0.1.1.tgz#b363e55e8006ca6fe21784d2db22bd15d7917f14"
-  integrity sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ=
-
-path-browserify@0.0.0:
-  version "0.0.0"
-  resolved "https://registry.yarnpkg.com/path-browserify/-/path-browserify-0.0.0.tgz#a0b870729aae214005b7d5032ec2cbbb0fb4451a"
-  integrity sha1-oLhwcpquIUAFt9UDLsLLuw+0RRo=
-
-path-dirname@^1.0.0:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/path-dirname/-/path-dirname-1.0.2.tgz#cc33d24d525e099a5388c0336c6e32b9160609e0"
-  integrity sha1-zDPSTVJeCZpTiMAzbG4yuRYGCeA=
-
-path-exists@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-2.1.0.tgz#0feb6c64f0fc518d9a754dd5efb62c7022761f4b"
-  integrity sha1-D+tsZPD8UY2adU3V77YscCJ2H0s=
-  dependencies:
-    pinkie-promise "^2.0.0"
-
-path-exists@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-3.0.0.tgz#ce0ebeaa5f78cb18925ea7d810d7b59b010fd515"
-  integrity sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=
-
-path-is-absolute@^1.0.0, path-is-absolute@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/path-is-absolute/-/path-is-absolute-1.0.1.tgz#174b9268735534ffbc7ace6bf53a5a9e1b5c5f5f"
-  integrity sha1-F0uSaHNVNP+8es5r9TpanhtcX18=
-
-path-key@^2.0.0:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/path-key/-/path-key-2.0.1.tgz#411cadb574c5a140d3a4b1910d40d80cc9f40b40"
-  integrity sha1-QRyttXTFoUDTpLGRDUDYDMn0C0A=
-
-path-parse@^1.0.5:
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/path-parse/-/path-parse-1.0.5.tgz#3c1adf871ea9cd6c9431b6ea2bd74a0ff055c4c1"
-  integrity sha1-PBrfhx6pzWyUMbbqK9dKD/BVxME=
-
-path-to-regexp@0.1.7:
-  version "0.1.7"
-  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.7.tgz#df604178005f522f15eb4490e7247a1bfaa67f8c"
-  integrity sha1-32BBeABfUi8V60SQ5yR6G/qmf4w=
-
-path-type@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/path-type/-/path-type-1.1.0.tgz#59c44f7ee491da704da415da5a4070ba4f8fe441"
-  integrity sha1-WcRPfuSR2nBNpBXaWkBwuk+P5EE=
-  dependencies:
-    graceful-fs "^4.1.2"
-    pify "^2.0.0"
-    pinkie-promise "^2.0.0"
-
-path-type@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/path-type/-/path-type-2.0.0.tgz#f012ccb8415b7096fc2daa1054c3d72389594c73"
-  integrity sha1-8BLMuEFbcJb8LaoQVMPXI4lZTHM=
-  dependencies:
-    pify "^2.0.0"
-
-pbkdf2@^3.0.3:
-  version "3.0.16"
-  resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.0.16.tgz#7404208ec6b01b62d85bf83853a8064f8d9c2a5c"
-  integrity sha512-y4CXP3thSxqf7c0qmOF+9UeOTrifiVTIM+u7NWlq+PRsHbr7r7dpCmvzrZxa96JJUNi0Y5w9VqG5ZNeCVMoDcA==
-  dependencies:
-    create-hash "^1.1.2"
-    create-hmac "^1.1.4"
-    ripemd160 "^2.0.1"
-    safe-buffer "^5.0.1"
-    sha.js "^2.4.8"
-
-performance-now@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/performance-now/-/performance-now-2.1.0.tgz#6309f4e0e5fa913ec1c69307ae364b4b377c9e7b"
-  integrity sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=
-
-pify@^2.0.0, pify@^2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/pify/-/pify-2.3.0.tgz#ed141a6ac043a849ea588498e7dca8b15330e90c"
-  integrity sha1-7RQaasBDqEnqWISY59yosVMw6Qw=
-
-pify@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/pify/-/pify-3.0.0.tgz#e5a4acd2c101fdf3d9a4d07f0dbc4db49dd28176"
-  integrity sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY=
-
-pinkie-promise@^2.0.0:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/pinkie-promise/-/pinkie-promise-2.0.1.tgz#2135d6dfa7a358c069ac9b178776288228450ffa"
-  integrity sha1-ITXW36ejWMBprJsXh3YogihFD/o=
-  dependencies:
-    pinkie "^2.0.0"
-
-pinkie@^2.0.0:
-  version "2.0.4"
-  resolved "https://registry.yarnpkg.com/pinkie/-/pinkie-2.0.4.tgz#72556b80cfa0d48a974e80e77248e80ed4f7f870"
-  integrity sha1-clVrgM+g1IqXToDnckjoDtT3+HA=
-
-pixrem@^4.0.1:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/pixrem/-/pixrem-4.0.1.tgz#2da4a1de6ec4423c5fc3794e930b81d4490ec686"
-  integrity sha1-LaSh3m7EQjxfw3lOkwuB1EkOxoY=
-  dependencies:
-    browserslist "^2.0.0"
-    postcss "^6.0.0"
-    reduce-css-calc "^1.2.7"
-
-pkg-dir@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/pkg-dir/-/pkg-dir-2.0.0.tgz#f6d5d1109e19d63edf428e0bd57e12777615334b"
-  integrity sha1-9tXREJ4Z1j7fQo4L1X4Sd3YVM0s=
-  dependencies:
-    find-up "^2.1.0"
-
-popper.js@^1.14.4:
-  version "1.14.4"
-  resolved "https://registry.yarnpkg.com/popper.js/-/popper.js-1.14.4.tgz#8eec1d8ff02a5a3a152dd43414a15c7b79fd69b6"
-  integrity sha1-juwdj/AqWjoVLdQ0FKFce3n9abY=
-
-portscanner@2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/portscanner/-/portscanner-2.1.1.tgz#eabb409e4de24950f5a2a516d35ae769343fbb96"
-  integrity sha1-6rtAnk3iSVD1oqUW01rnaTQ/u5Y=
-  dependencies:
-    async "1.5.2"
-    is-number-like "^1.0.3"
-
-posix-character-classes@^0.1.0:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/posix-character-classes/-/posix-character-classes-0.1.1.tgz#01eac0fe3b5af71a2a6c02feabb8c1fef7e00eab"
-  integrity sha1-AerA/jta9xoqbAL+q7jB/vfgDqs=
-
-postcss-alias@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-alias/-/postcss-alias-2.0.0.tgz#018f46c2fbff818e29fa6af67afa4be2becd376d"
-  integrity sha1-AY9Gwvv/gY4p+mr2evpL4r7NN20=
-  dependencies:
-    postcss "^6.0.6"
-
-postcss-attribute-case-insensitive@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-attribute-case-insensitive/-/postcss-attribute-case-insensitive-2.0.0.tgz#94dc422c8f90997f16bd33a3654bbbec084963b4"
-  integrity sha1-lNxCLI+QmX8WvTOjZUu77AhJY7Q=
-  dependencies:
-    postcss "^6.0.0"
-    postcss-selector-parser "^2.2.3"
-
-postcss-calc@^5.2.0:
-  version "5.3.1"
-  resolved "https://registry.yarnpkg.com/postcss-calc/-/postcss-calc-5.3.1.tgz#77bae7ca928ad85716e2fda42f261bf7c1d65b5e"
-  integrity sha1-d7rnypKK2FcW4v2kLyYb98HWW14=
-  dependencies:
-    postcss "^5.0.2"
-    postcss-message-helpers "^2.0.0"
-    reduce-css-calc "^1.2.6"
-
-postcss-calc@^6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-calc/-/postcss-calc-6.0.1.tgz#3d24171bbf6e7629d422a436ebfe6dd9511f4330"
-  integrity sha1-PSQXG79udinUIqQ26/5t2VEfQzA=
-  dependencies:
-    css-unit-converter "^1.1.1"
-    postcss "^6.0.0"
-    postcss-selector-parser "^2.2.2"
-    reduce-css-calc "^2.0.0"
-
-postcss-clearfix@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-clearfix/-/postcss-clearfix-2.0.1.tgz#5170a1998f167d3190a0173445b6380c8c5c07f2"
-  integrity sha1-UXChmY8WfTGQoBc0RbY4DIxcB/I=
-  dependencies:
-    postcss "^6.0.6"
-
-postcss-color-function@^4.0.1:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-color-function/-/postcss-color-function-4.0.1.tgz#402b3f2cebc3f6947e618fb6be3654fbecef6444"
-  integrity sha1-QCs/LOvD9pR+YY+2vjZU++zvZEQ=
-  dependencies:
-    css-color-function "~1.3.3"
-    postcss "^6.0.1"
-    postcss-message-helpers "^2.0.0"
-    postcss-value-parser "^3.3.0"
-
-postcss-color-gray@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/postcss-color-gray/-/postcss-color-gray-4.1.0.tgz#e5581ed57eaa826fb652ca11b1e2b7b136a9f9df"
-  integrity sha512-L4iLKQLdqChz6ZOgGb6dRxkBNw78JFYcJmBz1orHpZoeLtuhDDGegRtX9gSyfoCIM7rWZ3VNOyiqqvk83BEN+w==
-  dependencies:
-    color "^2.0.1"
-    postcss "^6.0.14"
-    postcss-message-helpers "^2.0.0"
-    reduce-function-call "^1.0.2"
-
-postcss-color-hex-alpha@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-color-hex-alpha/-/postcss-color-hex-alpha-3.0.0.tgz#1e53e6c8acb237955e8fd08b7ecdb1b8b8309f95"
-  integrity sha1-HlPmyKyyN5Vej9CLfs2xuLgwn5U=
-  dependencies:
-    color "^1.0.3"
-    postcss "^6.0.1"
-    postcss-message-helpers "^2.0.0"
-
-postcss-color-hsl@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-color-hsl/-/postcss-color-hsl-2.0.0.tgz#12703666fa310430e3f30a454dac1386317d5844"
-  integrity sha1-EnA2ZvoxBDDj8wpFTawThjF9WEQ=
-  dependencies:
-    postcss "^6.0.1"
-    postcss-value-parser "^3.3.0"
-    units-css "^0.4.0"
-
-postcss-color-hwb@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-color-hwb/-/postcss-color-hwb-3.0.0.tgz#3402b19ef4d8497540c1fb5072be9863ca95571e"
-  integrity sha1-NAKxnvTYSXVAwftQcr6YY8qVVx4=
-  dependencies:
-    color "^1.0.3"
-    postcss "^6.0.1"
-    postcss-message-helpers "^2.0.0"
-    reduce-function-call "^1.0.2"
-
-postcss-color-rebeccapurple@^3.0.0:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/postcss-color-rebeccapurple/-/postcss-color-rebeccapurple-3.1.0.tgz#ce1269ecc2d0d8bf92aab44bd884e633124c33ec"
-  integrity sha512-212hJUk9uSsbwO5ECqVjmh/iLsmiVL1xy9ce9TVf+X3cK/ZlUIlaMdoxje/YpsL9cmUH3I7io+/G2LyWx5rg1g==
-  dependencies:
-    postcss "^6.0.22"
-    postcss-values-parser "^1.5.0"
-
-postcss-color-rgb@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-color-rgb/-/postcss-color-rgb-2.0.0.tgz#14539c8a7131494b482e0dd1cc265ff6514b5263"
-  integrity sha1-FFOcinExSUtILg3RzCZf9lFLUmM=
-  dependencies:
-    postcss "^6.0.1"
-    postcss-value-parser "^3.3.0"
-
-postcss-color-rgba-fallback@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-color-rgba-fallback/-/postcss-color-rgba-fallback-3.0.0.tgz#37d5c9353a07a09270912a82606bb42a0d702c04"
-  integrity sha1-N9XJNToHoJJwkSqCYGu0Kg1wLAQ=
-  dependencies:
-    postcss "^6.0.6"
-    postcss-value-parser "^3.3.0"
-    rgb-hex "^2.1.0"
-
-postcss-colormin@^2.1.8:
-  version "2.2.2"
-  resolved "https://registry.yarnpkg.com/postcss-colormin/-/postcss-colormin-2.2.2.tgz#6631417d5f0e909a3d7ec26b24c8a8d1e4f96e4b"
-  integrity sha1-ZjFBfV8OkJo9fsJrJMio0eT5bks=
-  dependencies:
-    colormin "^1.0.5"
-    postcss "^5.0.13"
-    postcss-value-parser "^3.2.3"
-
-postcss-convert-values@^2.3.4:
-  version "2.6.1"
-  resolved "https://registry.yarnpkg.com/postcss-convert-values/-/postcss-convert-values-2.6.1.tgz#bbd8593c5c1fd2e3d1c322bb925dcae8dae4d62d"
-  integrity sha1-u9hZPFwf0uPRwyK7kl3K6Nrk1i0=
-  dependencies:
-    postcss "^5.0.11"
-    postcss-value-parser "^3.1.2"
-
-postcss-custom-media@^6.0.0:
-  version "6.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-custom-media/-/postcss-custom-media-6.0.0.tgz#be532784110ecb295044fb5395a18006eb21a737"
-  integrity sha1-vlMnhBEOyylQRPtTlaGABushpzc=
-  dependencies:
-    postcss "^6.0.1"
-
-postcss-custom-properties@^7.0.0:
-  version "7.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-custom-properties/-/postcss-custom-properties-7.0.0.tgz#24dc4fbe6d6ed550ea4fd3b11204660e9ffa3b33"
-  integrity sha512-dl/CNaM6z2RBa0vZZqsV6Hunj4HD6Spu7FcAkiVp5B2tgm6xReKKYzI7x7QNx3wTMBNj5v+ylfVcQGMW4xdkHw==
-  dependencies:
-    balanced-match "^1.0.0"
-    postcss "^6.0.18"
-
-postcss-custom-selectors@^4.0.1:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-custom-selectors/-/postcss-custom-selectors-4.0.1.tgz#781382f94c52e727ef5ca4776ea2adf49a611382"
-  integrity sha1-eBOC+UxS5yfvXKR3bqKt9JphE4I=
-  dependencies:
-    postcss "^6.0.1"
-    postcss-selector-matches "^3.0.0"
-
-postcss-discard-comments@^2.0.4:
-  version "2.0.4"
-  resolved "https://registry.yarnpkg.com/postcss-discard-comments/-/postcss-discard-comments-2.0.4.tgz#befe89fafd5b3dace5ccce51b76b81514be00e3d"
-  integrity sha1-vv6J+v1bPazlzM5Rt2uBUUvgDj0=
-  dependencies:
-    postcss "^5.0.14"
-
-postcss-discard-duplicates@^2.0.1:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/postcss-discard-duplicates/-/postcss-discard-duplicates-2.1.0.tgz#b9abf27b88ac188158a5eb12abcae20263b91932"
-  integrity sha1-uavye4isGIFYpesSq8riAmO5GTI=
-  dependencies:
-    postcss "^5.0.4"
-
-postcss-discard-empty@^2.0.1:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/postcss-discard-empty/-/postcss-discard-empty-2.1.0.tgz#d2b4bd9d5ced5ebd8dcade7640c7d7cd7f4f92b5"
-  integrity sha1-0rS9nVztXr2Nyt52QMfXzX9PkrU=
-  dependencies:
-    postcss "^5.0.14"
-
-postcss-discard-overridden@^0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/postcss-discard-overridden/-/postcss-discard-overridden-0.1.1.tgz#8b1eaf554f686fb288cd874c55667b0aa3668d58"
-  integrity sha1-ix6vVU9ob7KIzYdMVWZ7CqNmjVg=
-  dependencies:
-    postcss "^5.0.16"
-
-postcss-discard-unused@^2.2.1:
-  version "2.2.3"
-  resolved "https://registry.yarnpkg.com/postcss-discard-unused/-/postcss-discard-unused-2.2.3.tgz#bce30b2cc591ffc634322b5fb3464b6d934f4433"
-  integrity sha1-vOMLLMWR/8Y0Mitfs0ZLbZNPRDM=
-  dependencies:
-    postcss "^5.0.14"
-    uniqs "^2.0.0"
-
-postcss-easings@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-easings/-/postcss-easings-1.0.1.tgz#a7b9ebddabe5f8589e245256bd565408ea3366c3"
-  integrity sha512-zHRCKHinXtqpyrPPi3oojaf47v3eGcQHmG5zujWs1+9OWukIKi/rVEAm2KSh5y4swn66SNCZceGXcNi9GXo1cQ==
-  dependencies:
-    postcss "^6.0.14"
-    postcss-value-parser "^3.3.0"
-
-postcss-extend-rule@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-extend-rule/-/postcss-extend-rule-2.0.0.tgz#031fe6f608cf6efd20cb58b11f343b164c18d370"
-  integrity sha512-dgr1GJzW3lUBczZJO5Fm51rktn34Uc99xR1uQyC2Td8JPep/Y+TRx6TjK0yngikOd4LxV1xyuohMMpcaOBgrfA==
-  dependencies:
-    postcss "^6.0.22"
-    postcss-nesting "^5.0.0"
-
-postcss-filter-plugins@^2.0.0:
-  version "2.0.3"
-  resolved "https://registry.yarnpkg.com/postcss-filter-plugins/-/postcss-filter-plugins-2.0.3.tgz#82245fdf82337041645e477114d8e593aa18b8ec"
-  integrity sha512-T53GVFsdinJhgwm7rg1BzbeBRomOg9y5MBVhGcsV0CxurUdVj1UlPdKtn7aqYA/c/QVkzKMjq2bSV5dKG5+AwQ==
-  dependencies:
-    postcss "^5.0.4"
-
-postcss-font-family-system-ui@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-font-family-system-ui/-/postcss-font-family-system-ui-3.0.0.tgz#675fe7a9e029669f05f8dba2e44c2225ede80623"
-  integrity sha512-58G/hTxMSSKlIRpcPUjlyo6hV2MEzvcVO2m4L/T7Bb2fJTG4DYYfQjQeRvuimKQh1V1sOzCIz99g+H2aFNtlQw==
-  dependencies:
-    postcss "^6.0"
-
-postcss-font-variant@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-font-variant/-/postcss-font-variant-3.0.0.tgz#08ccc88f6050ba82ed8ef2cc76c0c6a6b41f183e"
-  integrity sha1-CMzIj2BQuoLtjvLMdsDGprQfGD4=
-  dependencies:
-    postcss "^6.0.1"
-
-postcss-fontpath@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-fontpath/-/postcss-fontpath-1.0.0.tgz#ad0eefc2193e29cf7a34b8c751ff7fe8e74699e5"
-  integrity sha1-rQ7vwhk+Kc96NLjHUf9/6OdGmeU=
-  dependencies:
-    postcss "^6.0.0"
-
-postcss-hexrgba@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-hexrgba/-/postcss-hexrgba-1.0.1.tgz#d82256b7b5116e5f582026fce549fec21db816e0"
-  integrity sha512-zFJ5XEoh6aD1clOCxHx2D2Vj2dzcr86t5OXgZKB0K2z0LWZlWhdVJV1lpJBRX075qhTSbKqqjemUHU+TSy9Buw==
-  dependencies:
-    postcss "^6.0.7"
-
-postcss-image-set-polyfill@^0.4.4:
-  version "0.4.4"
-  resolved "https://registry.yarnpkg.com/postcss-image-set-polyfill/-/postcss-image-set-polyfill-0.4.4.tgz#5acdebd25aeb237dde0791c524b68947400995f8"
-  integrity sha512-Mr5vXeUwxylX9amqyhXyiyqbzJgGS8quJ/d855EqU5S/DBILvoiR4pRnxLw9Ic2a5E0nB6gLOuMU0Wm/KhVW9A==
-  dependencies:
-    postcss "6.0.1"
-    postcss-media-query-parser "0.2.3"
-    postcss-value-parser "3.3.0"
-
-postcss-import@^11.0.0:
-  version "11.1.0"
-  resolved "https://registry.yarnpkg.com/postcss-import/-/postcss-import-11.1.0.tgz#55c9362c9192994ec68865d224419df1db2981f0"
-  integrity sha512-5l327iI75POonjxkXgdRCUS+AlzAdBx4pOvMEhTKTCjb1p8IEeVR9yx3cPbmN7LIWJLbfnIXxAhoB4jpD0c/Cw==
-  dependencies:
-    postcss "^6.0.1"
-    postcss-value-parser "^3.2.3"
-    read-cache "^1.0.0"
-    resolve "^1.1.7"
-
-postcss-input-style@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-input-style/-/postcss-input-style-1.0.0.tgz#bbfdc82b9f799b3e78c863a02476757e26fbdc61"
-  integrity sha1-u/3IK595mz54yGOgJHZ1fib73GE=
-  dependencies:
-    postcss "^6.0.7"
-
-postcss-load-config@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-load-config/-/postcss-load-config-2.0.0.tgz#f1312ddbf5912cd747177083c5ef7a19d62ee484"
-  integrity sha512-V5JBLzw406BB8UIfsAWSK2KSwIJ5yoEIVFb4gVkXci0QdKgA24jLmHZ/ghe/GgX0lJ0/D1uUK1ejhzEY94MChQ==
-  dependencies:
-    cosmiconfig "^4.0.0"
-    import-cwd "^2.0.0"
-
-postcss-loader@^2.1.6:
-  version "2.1.6"
-  resolved "https://registry.yarnpkg.com/postcss-loader/-/postcss-loader-2.1.6.tgz#1d7dd7b17c6ba234b9bed5af13e0bea40a42d740"
-  integrity sha512-hgiWSc13xVQAq25cVw80CH0l49ZKlAnU1hKPOdRrNj89bokRr/bZF2nT+hebPPF9c9xs8c3gw3Fr2nxtmXYnNg==
-  dependencies:
-    loader-utils "^1.1.0"
-    postcss "^6.0.0"
-    postcss-load-config "^2.0.0"
-    schema-utils "^0.4.0"
-
-postcss-media-minmax@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-media-minmax/-/postcss-media-minmax-3.0.0.tgz#675256037a43ef40bc4f0760bfd06d4dc69d48d2"
-  integrity sha1-Z1JWA3pD70C8Twdgv9BtTcadSNI=
-  dependencies:
-    postcss "^6.0.1"
-
-postcss-media-query-parser@0.2.3:
-  version "0.2.3"
-  resolved "https://registry.yarnpkg.com/postcss-media-query-parser/-/postcss-media-query-parser-0.2.3.tgz#27b39c6f4d94f81b1a73b8f76351c609e5cef244"
-  integrity sha1-J7Ocb02U+Bsac7j3Y1HGCeXO8kQ=
-
-postcss-merge-idents@^2.1.5:
-  version "2.1.7"
-  resolved "https://registry.yarnpkg.com/postcss-merge-idents/-/postcss-merge-idents-2.1.7.tgz#4c5530313c08e1d5b3bbf3d2bbc747e278eea270"
-  integrity sha1-TFUwMTwI4dWzu/PSu8dH4njuonA=
-  dependencies:
-    has "^1.0.1"
-    postcss "^5.0.10"
-    postcss-value-parser "^3.1.1"
-
-postcss-merge-longhand@^2.0.1:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/postcss-merge-longhand/-/postcss-merge-longhand-2.0.2.tgz#23d90cd127b0a77994915332739034a1a4f3d658"
-  integrity sha1-I9kM0Sewp3mUkVMyc5A0oaTz1lg=
-  dependencies:
-    postcss "^5.0.4"
-
-postcss-merge-rules@^2.0.3:
-  version "2.1.2"
-  resolved "https://registry.yarnpkg.com/postcss-merge-rules/-/postcss-merge-rules-2.1.2.tgz#d1df5dfaa7b1acc3be553f0e9e10e87c61b5f721"
-  integrity sha1-0d9d+qexrMO+VT8OnhDofGG19yE=
-  dependencies:
-    browserslist "^1.5.2"
-    caniuse-api "^1.5.2"
-    postcss "^5.0.4"
-    postcss-selector-parser "^2.2.2"
-    vendors "^1.0.0"
-
-postcss-message-helpers@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-message-helpers/-/postcss-message-helpers-2.0.0.tgz#a4f2f4fab6e4fe002f0aed000478cdf52f9ba60e"
-  integrity sha1-pPL0+rbk/gAvCu0ABHjN9S+bpg4=
-
-postcss-minify-font-values@^1.0.2:
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/postcss-minify-font-values/-/postcss-minify-font-values-1.0.5.tgz#4b58edb56641eba7c8474ab3526cafd7bbdecb69"
-  integrity sha1-S1jttWZB66fIR0qzUmyv17vey2k=
-  dependencies:
-    object-assign "^4.0.1"
-    postcss "^5.0.4"
-    postcss-value-parser "^3.0.2"
-
-postcss-minify-gradients@^1.0.1:
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/postcss-minify-gradients/-/postcss-minify-gradients-1.0.5.tgz#5dbda11373703f83cfb4a3ea3881d8d75ff5e6e1"
-  integrity sha1-Xb2hE3NwP4PPtKPqOIHY11/15uE=
-  dependencies:
-    postcss "^5.0.12"
-    postcss-value-parser "^3.3.0"
-
-postcss-minify-params@^1.0.4:
-  version "1.2.2"
-  resolved "https://registry.yarnpkg.com/postcss-minify-params/-/postcss-minify-params-1.2.2.tgz#ad2ce071373b943b3d930a3fa59a358c28d6f1f3"
-  integrity sha1-rSzgcTc7lDs9kwo/pZo1jCjW8fM=
-  dependencies:
-    alphanum-sort "^1.0.1"
-    postcss "^5.0.2"
-    postcss-value-parser "^3.0.2"
-    uniqs "^2.0.0"
-
-postcss-minify-selectors@^2.0.4:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/postcss-minify-selectors/-/postcss-minify-selectors-2.1.1.tgz#b2c6a98c0072cf91b932d1a496508114311735bf"
-  integrity sha1-ssapjAByz5G5MtGkllCBFDEXNb8=
-  dependencies:
-    alphanum-sort "^1.0.2"
-    has "^1.0.1"
-    postcss "^5.0.14"
-    postcss-selector-parser "^2.0.0"
-
-postcss-nesting@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-nesting/-/postcss-nesting-5.0.0.tgz#973e3a7dc6426543affc0b0beb367c3b2a8d9923"
-  integrity sha512-Yoe3w2mcVslnEJl5zLyz1yBxCFUpYu138apEEOCwS2HRdDw/TDxTwD1fXBrIarL8J1cPzHfVwO1m40B2/UpGCw==
-  dependencies:
-    postcss "^6.0.21"
-
-postcss-normalize-charset@^1.1.0:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/postcss-normalize-charset/-/postcss-normalize-charset-1.1.1.tgz#ef9ee71212d7fe759c78ed162f61ed62b5cb93f1"
-  integrity sha1-757nEhLX/nWceO0WL2HtYrXLk/E=
-  dependencies:
-    postcss "^5.0.5"
-
-postcss-normalize-url@^3.0.7:
-  version "3.0.8"
-  resolved "https://registry.yarnpkg.com/postcss-normalize-url/-/postcss-normalize-url-3.0.8.tgz#108f74b3f2fcdaf891a2ffa3ea4592279fc78222"
-  integrity sha1-EI90s/L82viRov+j6kWSJ5/HgiI=
-  dependencies:
-    is-absolute-url "^2.0.0"
-    normalize-url "^1.4.0"
-    postcss "^5.0.14"
-    postcss-value-parser "^3.2.3"
-
-postcss-opacity@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-opacity/-/postcss-opacity-5.0.0.tgz#6ea6deef4d5fc28dd4cf7af97dba2807b3e07c4c"
-  integrity sha512-n6LgHk5HWIsyEHgPqM2jwXrkh4SuH+cZOIWh4tUp4ug3P7FkzxiJuqrpEaBvNwH/dKs5PHjHL2vPeR+nLbs+Mw==
-  dependencies:
-    postcss "^6.0.7"
-
-postcss-ordered-values@^2.1.0:
-  version "2.2.3"
-  resolved "https://registry.yarnpkg.com/postcss-ordered-values/-/postcss-ordered-values-2.2.3.tgz#eec6c2a67b6c412a8db2042e77fe8da43f95c11d"
-  integrity sha1-7sbCpntsQSqNsgQud/6NpD+VwR0=
-  dependencies:
-    postcss "^5.0.4"
-    postcss-value-parser "^3.0.1"
-
-postcss-position@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-position/-/postcss-position-1.0.0.tgz#30cbeee408f26a6dbebbf61261ca210e548c77ff"
-  integrity sha1-MMvu5Ajyam2+u/YSYcohDlSMd/8=
-  dependencies:
-    postcss "^6.0.7"
-
-postcss-property-lookup@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-property-lookup/-/postcss-property-lookup-2.0.0.tgz#c995d1df42a75420f2aea834c2cbe296b2c15922"
-  integrity sha512-KUb53a7UZWDMVb0SRODOonc4H1wlbgQ0VfYwmJaR1xWPorhariEz0U7x0ri3W/imFs6HqLYWP7hl2yMvi5Ty+w==
-  dependencies:
-    object-assign "^4.0.1"
-    postcss "^6.0.6"
-    tcomb "^3.2.21"
-
-postcss-pseudo-class-any-link@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-pseudo-class-any-link/-/postcss-pseudo-class-any-link-4.0.0.tgz#9152a0613d3450720513e8892854bae42d0ee68e"
-  integrity sha1-kVKgYT00UHIFE+iJKFS65C0O5o4=
-  dependencies:
-    postcss "^6.0.1"
-    postcss-selector-parser "^2.2.3"
-
-postcss-pseudoelements@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-pseudoelements/-/postcss-pseudoelements-5.0.0.tgz#eef194e8d524645ca520a949e95e518e812402cb"
-  integrity sha1-7vGU6NUkZFylIKlJ6V5RjoEkAss=
-  dependencies:
-    postcss "^6.0.0"
-
-postcss-quantity-queries@^0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/postcss-quantity-queries/-/postcss-quantity-queries-0.5.0.tgz#52b6717fcc8d9925ae64cff43340870fe15516ab"
-  integrity sha1-UrZxf8yNmSWuZM/0M0CHD+FVFqs=
-  dependencies:
-    balanced-match "^0.4.2"
-    postcss "^6.0.0"
-
-postcss-reduce-idents@^2.2.2:
-  version "2.4.0"
-  resolved "https://registry.yarnpkg.com/postcss-reduce-idents/-/postcss-reduce-idents-2.4.0.tgz#c2c6d20cc958284f6abfbe63f7609bf409059ad3"
-  integrity sha1-wsbSDMlYKE9qv75j92Cb9AkFmtM=
-  dependencies:
-    postcss "^5.0.4"
-    postcss-value-parser "^3.0.2"
-
-postcss-reduce-initial@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-reduce-initial/-/postcss-reduce-initial-1.0.1.tgz#68f80695f045d08263a879ad240df8dd64f644ea"
-  integrity sha1-aPgGlfBF0IJjqHmtJA343WT2ROo=
-  dependencies:
-    postcss "^5.0.4"
-
-postcss-reduce-transforms@^1.0.3:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/postcss-reduce-transforms/-/postcss-reduce-transforms-1.0.4.tgz#ff76f4d8212437b31c298a42d2e1444025771ae1"
-  integrity sha1-/3b02CEkN7McKYpC0uFEQCV3GuE=
-  dependencies:
-    has "^1.0.1"
-    postcss "^5.0.8"
-    postcss-value-parser "^3.0.1"
-
-postcss-reporter@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-reporter/-/postcss-reporter-5.0.0.tgz#a14177fd1342829d291653f2786efd67110332c3"
-  integrity sha512-rBkDbaHAu5uywbCR2XE8a25tats3xSOsGNx6mppK6Q9kSFGKc/FyAzfci+fWM2l+K402p1D0pNcfDGxeje5IKg==
-  dependencies:
-    chalk "^2.0.1"
-    lodash "^4.17.4"
-    log-symbols "^2.0.0"
-    postcss "^6.0.8"
-
-postcss-responsive-type@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-responsive-type/-/postcss-responsive-type-1.0.0.tgz#bb2d57d830beb9586ec4fda7994f07e37953aad8"
-  integrity sha1-uy1X2DC+uVhuxP2nmU8H43lTqtg=
-  dependencies:
-    postcss "^6.0.6"
-
-postcss-selector-matches@^3.0.0, postcss-selector-matches@^3.0.1:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-selector-matches/-/postcss-selector-matches-3.0.1.tgz#e5634011e13950881861bbdd58c2d0111ffc96ab"
-  integrity sha1-5WNAEeE5UIgYYbvdWMLQER/8lqs=
-  dependencies:
-    balanced-match "^0.4.2"
-    postcss "^6.0.1"
-
-postcss-selector-not@^3.0.1:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-selector-not/-/postcss-selector-not-3.0.1.tgz#2e4db2f0965336c01e7cec7db6c60dff767335d9"
-  integrity sha1-Lk2y8JZTNsAefOx9tsYN/3ZzNdk=
-  dependencies:
-    balanced-match "^0.4.2"
-    postcss "^6.0.1"
-
-postcss-selector-parser@^2.0.0, postcss-selector-parser@^2.2.2, postcss-selector-parser@^2.2.3:
-  version "2.2.3"
-  resolved "https://registry.yarnpkg.com/postcss-selector-parser/-/postcss-selector-parser-2.2.3.tgz#f9437788606c3c9acee16ffe8d8b16297f27bb90"
-  integrity sha1-+UN3iGBsPJrO4W/+jYsWKX8nu5A=
-  dependencies:
-    flatten "^1.0.2"
-    indexes-of "^1.0.1"
-    uniq "^1.0.1"
-
-postcss-svgo@^2.1.1:
-  version "2.1.6"
-  resolved "https://registry.yarnpkg.com/postcss-svgo/-/postcss-svgo-2.1.6.tgz#b6df18aa613b666e133f08adb5219c2684ac108d"
-  integrity sha1-tt8YqmE7Zm4TPwittSGcJoSsEI0=
-  dependencies:
-    is-svg "^2.0.0"
-    postcss "^5.0.14"
-    postcss-value-parser "^3.2.3"
-    svgo "^0.7.0"
-
-postcss-unique-selectors@^2.0.2:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/postcss-unique-selectors/-/postcss-unique-selectors-2.0.2.tgz#981d57d29ddcb33e7b1dfe1fd43b8649f933ca1d"
-  integrity sha1-mB1X0p3csz57Hf4f1DuGSfkzyh0=
-  dependencies:
-    alphanum-sort "^1.0.1"
-    postcss "^5.0.4"
-    uniqs "^2.0.0"
-
-postcss-value-parser@3.3.0, postcss-value-parser@^3.0.1, postcss-value-parser@^3.0.2, postcss-value-parser@^3.1.1, postcss-value-parser@^3.1.2, postcss-value-parser@^3.2.3, postcss-value-parser@^3.3.0:
-  version "3.3.0"
-  resolved "https://registry.yarnpkg.com/postcss-value-parser/-/postcss-value-parser-3.3.0.tgz#87f38f9f18f774a4ab4c8a232f5c5ce8872a9d15"
-  integrity sha1-h/OPnxj3dKSrTIojL1xc6IcqnRU=
-
-postcss-values-parser@^1.5.0:
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/postcss-values-parser/-/postcss-values-parser-1.5.0.tgz#5d9fa63e2bcb0179ce48f3235303765eb89f3047"
-  integrity sha512-3M3p+2gMp0AH3da530TlX8kiO1nxdTnc3C6vr8dMxRLIlh8UYkz0/wcwptSXjhtx2Fr0TySI7a+BHDQ8NL7LaQ==
-  dependencies:
-    flatten "^1.0.2"
-    indexes-of "^1.0.1"
-    uniq "^1.0.1"
-
-postcss-vmin@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-vmin/-/postcss-vmin-3.0.0.tgz#6d6ae6b3e84fe3ff7a4df1eb86f3a69a07e8a144"
-  integrity sha1-bWrms+hP4/96TfHrhvOmmgfooUQ=
-  dependencies:
-    postcss "^6.0.0"
-
-postcss-will-change@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-will-change/-/postcss-will-change-2.0.0.tgz#cff091a87a0386bab1f32a7cfa7f79d6b773e100"
-  integrity sha1-z/CRqHoDhrqx8yp8+n951rdz4QA=
-  dependencies:
-    postcss "^6.0.1"
-
-postcss-zindex@^2.0.1:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/postcss-zindex/-/postcss-zindex-2.2.0.tgz#d2109ddc055b91af67fc4cb3b025946639d2af22"
-  integrity sha1-0hCd3AVbka9n/EyzsCWUZjnSryI=
-  dependencies:
-    has "^1.0.1"
-    postcss "^5.0.4"
-    uniqs "^2.0.0"
-
-postcss@6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/postcss/-/postcss-6.0.1.tgz#000dbd1f8eef217aa368b9a212c5fc40b2a8f3f2"
-  integrity sha1-AA29H47vIXqjaLmiEsX8QLKo8/I=
-  dependencies:
-    chalk "^1.1.3"
-    source-map "^0.5.6"
-    supports-color "^3.2.3"
-
-postcss@^5.0.10, postcss@^5.0.11, postcss@^5.0.12, postcss@^5.0.13, postcss@^5.0.14, postcss@^5.0.16, postcss@^5.0.2, postcss@^5.0.4, postcss@^5.0.5, postcss@^5.0.8, postcss@^5.2.16:
-  version "5.2.18"
-  resolved "https://registry.yarnpkg.com/postcss/-/postcss-5.2.18.tgz#badfa1497d46244f6390f58b319830d9107853c5"
-  integrity sha512-zrUjRRe1bpXKsX1qAJNJjqZViErVuyEkMTRrwu4ud4sbTtIBRmtaYDrHmcGgmrbsW3MHfmtIf+vJumgQn+PrXg==
-  dependencies:
-    chalk "^1.1.3"
-    js-base64 "^2.1.9"
-    source-map "^0.5.6"
-    supports-color "^3.2.3"
-
-postcss@^6.0, postcss@^6.0.0, postcss@^6.0.1, postcss@^6.0.14, postcss@^6.0.17, postcss@^6.0.18, postcss@^6.0.21, postcss@^6.0.22, postcss@^6.0.6, postcss@^6.0.7, postcss@^6.0.8:
-  version "6.0.22"
-  resolved "https://registry.yarnpkg.com/postcss/-/postcss-6.0.22.tgz#e23b78314905c3b90cbd61702121e7a78848f2a3"
-  integrity sha512-Toc9lLoUASwGqxBSJGTVcOQiDqjK+Z2XlWBg+IgYwQMY9vA2f7iMpXVc1GpPcfTSyM5lkxNo0oDwDRO+wm7XHA==
-  dependencies:
-    chalk "^2.4.1"
-    source-map "^0.6.1"
-    supports-color "^5.4.0"
-
-preact-compat@^3.18.0:
-  version "3.18.0"
-  resolved "https://registry.yarnpkg.com/preact-compat/-/preact-compat-3.18.0.tgz#ca430cc1f67193fb9feaf7c510832957b2ebe701"
-  integrity sha512-4ygl49bkMyPEx2ZwkNDh2AhUa62g2lwJYIsQU4IR5zW4d4QIyucmZFr/hu2+aeFP4YVR8nVZg1KWMETpP32UkA==
-  dependencies:
-    immutability-helper "^2.1.2"
-    preact-render-to-string "^3.6.0"
-    preact-transition-group "^1.1.0"
-    prop-types "^15.5.8"
-    standalone-react-addons-pure-render-mixin "^0.1.1"
-
-preact-emotion@^9.1.3:
-  version "9.2.1"
-  resolved "https://registry.yarnpkg.com/preact-emotion/-/preact-emotion-9.2.1.tgz#3664cbc9dce8dbf991de5b49a5ec93e23ea242d9"
-  integrity sha1-NmTLydzo2/mR3ltJpeyT4j6iQtk=
-  dependencies:
-    babel-plugin-emotion "^9.2.0"
-    create-emotion-styled "^9.2.1"
-
-preact-portal@^1.1.3:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/preact-portal/-/preact-portal-1.1.3.tgz#22cdd3ecf6ad9aaa3f830607a9c6591de90aedb7"
-  integrity sha512-rE0KG2b7ggIly4VVsSm7+WmQmG/EoUZzBOed2IbycyaFIArOvz+yab/8RBoDogA0JWZuTsbMTStR41Ghc+5m7Q==
-
-preact-render-to-string@^3.6.0, preact-render-to-string@^3.6.2:
-  version "3.7.0"
-  resolved "https://registry.yarnpkg.com/preact-render-to-string/-/preact-render-to-string-3.7.0.tgz#7db4177454bc01395e0d01d6ac07bc5e838e31ee"
-  integrity sha1-fbQXdFS8ATleDQHWrAe8XoOOMe4=
-  dependencies:
-    pretty-format "^3.5.1"
-
-preact-transition-group@^1.1.0:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/preact-transition-group/-/preact-transition-group-1.1.1.tgz#f0a49327ea515ece34ea2be864c4a7d29e5d6e10"
-  integrity sha1-8KSTJ+pRXs406ivoZMSn0p5dbhA=
-
-preact@^8.1.0:
-  version "8.2.9"
-  resolved "https://registry.yarnpkg.com/preact/-/preact-8.2.9.tgz#813ba9dd45e5d97c5ea0d6c86d375b3be711cc40"
-  integrity sha512-ThuGXBmJS3VsT+jIP+eQufD3L8pRw/PY3FoCys6O9Pu6aF12Pn9zAJDX99TfwRAFOCEKm/P0lwiPTbqKMJp0fA==
-
-preact@^8.3.1:
-  version "8.3.1"
-  resolved "https://registry.yarnpkg.com/preact/-/preact-8.3.1.tgz#ed34f79d09edc5efd32a378a3416ef5dc531e3ac"
-  integrity sha512-s8H1Y8O9e+mOBo3UP1jvWqArPmjCba2lrrGLlq/0kN1XuIINUbYtf97iiXKxCuG3eYwmppPKnyW2DBrNj/TuTg==
-
-prepend-http@^1.0.0:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/prepend-http/-/prepend-http-1.0.4.tgz#d4f4562b0ce3696e41ac52d0e002e57a635dc6dc"
-  integrity sha1-1PRWKwzjaW5BrFLQ4ALlemNdxtw=
-
-preserve@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/preserve/-/preserve-0.2.0.tgz#815ed1f6ebc65926f865b310c0713bcb3315ce4b"
-  integrity sha1-gV7R9uvGWSb4ZbMQwHE7yzMVzks=
-
-pretty-format@^3.5.1:
-  version "3.8.0"
-  resolved "https://registry.yarnpkg.com/pretty-format/-/pretty-format-3.8.0.tgz#bfbed56d5e9a776645f4b1ff7aa1a3ac4fa3c385"
-  integrity sha1-v77VbV6ad2ZF9LH/eqGjrE+jw4U=
-
-private@^0.1.6, private@^0.1.8:
-  version "0.1.8"
-  resolved "https://registry.yarnpkg.com/private/-/private-0.1.8.tgz#2381edb3689f7a53d653190060fcf822d2f368ff"
-  integrity sha512-VvivMrbvd2nKkiG38qjULzlc+4Vx4wm/whI9pQD35YrARNnhxeiRktSOhSukRLFNlzg6Br/cJPet5J/u19r/mg==
-
-process-nextick-args@~2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/process-nextick-args/-/process-nextick-args-2.0.0.tgz#a37d732f4271b4ab1ad070d35508e8290788ffaa"
-  integrity sha512-MtEC1TqN0EU5nephaJ4rAtThHtC86dNN9qCuEhtshvpVBkAW5ZO7BASN9REnF9eoXGcRub+pFuKEpOHE+HbEMw==
-
-process@^0.11.10:
-  version "0.11.10"
-  resolved "https://registry.yarnpkg.com/process/-/process-0.11.10.tgz#7332300e840161bda3e69a1d1d91a7d4bc16f182"
-  integrity sha1-czIwDoQBYb2j5podHZGn1LwW8YI=
-
-promise-polyfill@^8.1.0:
-  version "8.1.0"
-  resolved "https://registry.yarnpkg.com/promise-polyfill/-/promise-polyfill-8.1.0.tgz#30059da54d1358ce905ac581f287e184aedf995d"
-  integrity sha512-OzSf6gcCUQ01byV4BgwyUCswlaQQ6gzXc23aLQWhicvfX9kfsUiUhgt3CCQej8jDnl8/PhGF31JdHX2/MzF3WA==
-
-promise@^7.1.1:
-  version "7.3.1"
-  resolved "https://registry.yarnpkg.com/promise/-/promise-7.3.1.tgz#064b72602b18f90f29192b8b1bc418ffd1ebd3bf"
-  integrity sha512-nolQXZ/4L+bP/UGlkfaIujX9BKxGwmQ9OT4mOt5yvy8iK1h3wqTEJCijzGANTCCl9nWjY41juyAn2K3Q1hLLTg==
-  dependencies:
-    asap "~2.0.3"
-
-prop-types@^15.5.8, prop-types@^15.6.1:
-  version "15.6.1"
-  resolved "https://registry.yarnpkg.com/prop-types/-/prop-types-15.6.1.tgz#36644453564255ddda391191fb3a125cbdf654ca"
-  integrity sha512-4ec7bY1Y66LymSUOH/zARVYObB23AT2h8cf6e/O6ZALB/N0sqZFEx7rq6EYPX2MkOdKORuooI/H5k9TlR4q7kQ==
-  dependencies:
-    fbjs "^0.8.16"
-    loose-envify "^1.3.1"
-    object-assign "^4.1.1"
-
-proxy-addr@~2.0.3:
-  version "2.0.3"
-  resolved "https://registry.yarnpkg.com/proxy-addr/-/proxy-addr-2.0.3.tgz#355f262505a621646b3130a728eb647e22055341"
-  integrity sha512-jQTChiCJteusULxjBp8+jftSQE5Obdl3k4cnmLA6WXtK6XFuWRnvVL7aCiBqaLPM8c4ph0S4tKna8XvmIwEnXQ==
-  dependencies:
-    forwarded "~0.1.2"
-    ipaddr.js "1.6.0"
-
-prr@~1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/prr/-/prr-1.0.1.tgz#d3fc114ba06995a45ec6893f484ceb1d78f5f476"
-  integrity sha1-0/wRS6BplaRexok/SEzrHXj19HY=
-
-pseudomap@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/pseudomap/-/pseudomap-1.0.2.tgz#f052a28da70e618917ef0a8ac34c1ae5a68286b3"
-  integrity sha1-8FKijacOYYkX7wqKw0wa5aaChrM=
-
-public-encrypt@^4.0.0:
-  version "4.0.2"
-  resolved "https://registry.yarnpkg.com/public-encrypt/-/public-encrypt-4.0.2.tgz#46eb9107206bf73489f8b85b69d91334c6610994"
-  integrity sha512-4kJ5Esocg8X3h8YgJsKAuoesBgB7mqH3eowiDzMUPKiRDDE7E/BqqZD1hnTByIaAFiwAw246YEltSq7tdrOH0Q==
-  dependencies:
-    bn.js "^4.1.0"
-    browserify-rsa "^4.0.0"
-    create-hash "^1.1.0"
-    parse-asn1 "^5.0.0"
-    randombytes "^2.0.1"
-
-punycode@1.3.2:
-  version "1.3.2"
-  resolved "https://registry.yarnpkg.com/punycode/-/punycode-1.3.2.tgz#9653a036fb7c1ee42342f2325cceefea3926c48d"
-  integrity sha1-llOgNvt8HuQjQvIyXM7v6jkmxI0=
-
-punycode@2.x.x, punycode@^2.1.0:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/punycode/-/punycode-2.1.1.tgz#b58b010ac40c22c5657616c8d2c2c02c7bf479ec"
-  integrity sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==
-
-punycode@^1.2.4, punycode@^1.4.1:
-  version "1.4.1"
-  resolved "https://registry.yarnpkg.com/punycode/-/punycode-1.4.1.tgz#c0d5a63b2718800ad8e1eb0fa5269c84dd41845e"
-  integrity sha1-wNWmOycYgArY4esPpSachN1BhF4=
-
-q@^1.1.2:
-  version "1.5.1"
-  resolved "https://registry.yarnpkg.com/q/-/q-1.5.1.tgz#7e32f75b41381291d04611f1bf14109ac00651d7"
-  integrity sha1-fjL3W0E4EpHQRhHxvxQQmsAGUdc=
-
-qs@6.2.3:
-  version "6.2.3"
-  resolved "https://registry.yarnpkg.com/qs/-/qs-6.2.3.tgz#1cfcb25c10a9b2b483053ff39f5dfc9233908cfe"
-  integrity sha1-HPyyXBCpsrSDBT/zn138kjOQjP4=
-
-qs@6.5.1:
-  version "6.5.1"
-  resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.1.tgz#349cdf6eef89ec45c12d7d5eb3fc0c870343a6d8"
-  integrity sha512-eRzhrN1WSINYCDCbrz796z37LOe3m5tmW7RQf6oBntukAG1nmovJvhnwHHRMAfeoItc1m2Hk02WER2aQ/iqs+A==
-
-qs@~6.5.1:
-  version "6.5.2"
-  resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.2.tgz#cb3ae806e8740444584ef154ce8ee98d403f3e36"
-  integrity sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==
-
-query-string@^4.1.0:
-  version "4.3.4"
-  resolved "https://registry.yarnpkg.com/query-string/-/query-string-4.3.4.tgz#bbb693b9ca915c232515b228b1a02b609043dbeb"
-  integrity sha1-u7aTucqRXCMlFbIosaArYJBD2+s=
-  dependencies:
-    object-assign "^4.1.0"
-    strict-uri-encode "^1.0.0"
-
-query-string@^5.1.1:
-  version "5.1.1"
-  resolved "https://registry.yarnpkg.com/query-string/-/query-string-5.1.1.tgz#a78c012b71c17e05f2e3fa2319dd330682efb3cb"
-  integrity sha512-gjWOsm2SoGlgLEdAGt7a6slVOk9mGiXmPFMqrEhLQ68rhQuBnpfs3+EmlvqKyxnCo9/PPlF+9MtY02S1aFg+Jw==
-  dependencies:
-    decode-uri-component "^0.2.0"
-    object-assign "^4.1.0"
-    strict-uri-encode "^1.0.0"
-
-querystring-es3@^0.2.0:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/querystring-es3/-/querystring-es3-0.2.1.tgz#9ec61f79049875707d69414596fd907a4d711e73"
-  integrity sha1-nsYfeQSYdXB9aUFFlv2Qek1xHnM=
-
-querystring@0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/querystring/-/querystring-0.2.0.tgz#b209849203bb25df820da756e747005878521620"
-  integrity sha1-sgmEkgO7Jd+CDadW50cAWHhSFiA=
-
-randomatic@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/randomatic/-/randomatic-3.0.0.tgz#d35490030eb4f7578de292ce6dfb04a91a128923"
-  integrity sha512-VdxFOIEY3mNO5PtSRkkle/hPJDHvQhK21oa73K4yAc9qmp6N429gAyF1gZMOTMeS0/AYzaV/2Trcef+NaIonSA==
-  dependencies:
-    is-number "^4.0.0"
-    kind-of "^6.0.0"
-    math-random "^1.0.1"
-
-randombytes@^2.0.0, randombytes@^2.0.1, randombytes@^2.0.5:
-  version "2.0.6"
-  resolved "https://registry.yarnpkg.com/randombytes/-/randombytes-2.0.6.tgz#d302c522948588848a8d300c932b44c24231da80"
-  integrity sha512-CIQ5OFxf4Jou6uOKe9t1AOgqpeU5fd70A8NPdHSGeYXqXsPe6peOwI0cUl88RWZ6sP1vPMV3avd/R6cZ5/sP1A==
-  dependencies:
-    safe-buffer "^5.1.0"
-
-randomfill@^1.0.3:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/randomfill/-/randomfill-1.0.4.tgz#c92196fc86ab42be983f1bf31778224931d61458"
-  integrity sha512-87lcbR8+MhcWcUiQ+9e+Rwx8MyR2P7qnt15ynUlbm3TU/fjbgz4GsvfSUDTemtCCtVCqb4ZcEFlyPNTh9bBTLw==
-  dependencies:
-    randombytes "^2.0.5"
-    safe-buffer "^5.1.0"
-
-range-parser@~1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
-  integrity sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4=
-
-raw-body@2.3.2:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.3.2.tgz#bcd60c77d3eb93cde0050295c3f379389bc88f89"
-  integrity sha1-vNYMd9Prk83gBQKVw/N5OJvIj4k=
-  dependencies:
-    bytes "3.0.0"
-    http-errors "1.6.2"
-    iconv-lite "0.4.19"
-    unpipe "1.0.0"
-
-raw-body@^2.3.2:
-  version "2.3.3"
-  resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.3.3.tgz#1b324ece6b5706e153855bc1148c65bb7f6ea0c3"
-  integrity sha512-9esiElv1BrZoI3rCDuOuKCBRbuApGGaDPQfjSflGxdy4oyzqghxu6klEkkVIvBje+FF0BX9coEv8KqW6X/7njw==
-  dependencies:
-    bytes "3.0.0"
-    http-errors "1.6.3"
-    iconv-lite "0.4.23"
-    unpipe "1.0.0"
-
-rc@^1.1.7:
-  version "1.2.8"
-  resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"
-  integrity sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==
-  dependencies:
-    deep-extend "^0.6.0"
-    ini "~1.3.0"
-    minimist "^1.2.0"
-    strip-json-comments "~2.0.1"
-
-read-cache@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/read-cache/-/read-cache-1.0.0.tgz#e664ef31161166c9751cdbe8dbcf86b5fb58f774"
-  integrity sha1-5mTvMRYRZsl1HNvo28+GtftY93Q=
-  dependencies:
-    pify "^2.3.0"
-
-read-file-stdin@^0.2.0:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/read-file-stdin/-/read-file-stdin-0.2.1.tgz#25eccff3a153b6809afacb23ee15387db9e0ee61"
-  integrity sha1-JezP86FTtoCa+ssj7hU4fbng7mE=
-  dependencies:
-    gather-stream "^1.0.0"
-
-read-pkg-up@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/read-pkg-up/-/read-pkg-up-1.0.1.tgz#9d63c13276c065918d57f002a57f40a1b643fb02"
-  integrity sha1-nWPBMnbAZZGNV/ACpX9AobZD+wI=
-  dependencies:
-    find-up "^1.0.0"
-    read-pkg "^1.0.0"
-
-read-pkg-up@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/read-pkg-up/-/read-pkg-up-2.0.0.tgz#6b72a8048984e0c41e79510fd5e9fa99b3b549be"
-  integrity sha1-a3KoBImE4MQeeVEP1en6mbO1Sb4=
-  dependencies:
-    find-up "^2.0.0"
-    read-pkg "^2.0.0"
-
-read-pkg@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/read-pkg/-/read-pkg-1.1.0.tgz#f5ffaa5ecd29cb31c0474bca7d756b6bb29e3f28"
-  integrity sha1-9f+qXs0pyzHAR0vKfXVra7KePyg=
-  dependencies:
-    load-json-file "^1.0.0"
-    normalize-package-data "^2.3.2"
-    path-type "^1.0.0"
-
-read-pkg@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/read-pkg/-/read-pkg-2.0.0.tgz#8ef1c0623c6a6db0dc6713c4bfac46332b2368f8"
-  integrity sha1-jvHAYjxqbbDcZxPEv6xGMysjaPg=
-  dependencies:
-    load-json-file "^2.0.0"
-    normalize-package-data "^2.3.2"
-    path-type "^2.0.0"
-
-readable-stream@^2.0.1, readable-stream@^2.0.2, readable-stream@^2.0.6, readable-stream@^2.3.3, readable-stream@^2.3.6:
-  version "2.3.6"
-  resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-2.3.6.tgz#b11c27d88b8ff1fbe070643cf94b0c79ae1b0aaf"
-  integrity sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==
-  dependencies:
-    core-util-is "~1.0.0"
-    inherits "~2.0.3"
-    isarray "~1.0.0"
-    process-nextick-args "~2.0.0"
-    safe-buffer "~5.1.1"
-    string_decoder "~1.1.1"
-    util-deprecate "~1.0.1"
-
-readdirp@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/readdirp/-/readdirp-2.1.0.tgz#4ed0ad060df3073300c48440373f72d1cc642d78"
-  integrity sha1-TtCtBg3zBzMAxIRANz9y0cxkLXg=
-  dependencies:
-    graceful-fs "^4.1.2"
-    minimatch "^3.0.2"
-    readable-stream "^2.0.2"
-    set-immediate-shim "^1.0.1"
-
-reduce-css-calc@^1.2.6, reduce-css-calc@^1.2.7:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/reduce-css-calc/-/reduce-css-calc-1.3.0.tgz#747c914e049614a4c9cfbba629871ad1d2927716"
-  integrity sha1-dHyRTgSWFKTJz7umKYca0dKSdxY=
-  dependencies:
-    balanced-match "^0.4.2"
-    math-expression-evaluator "^1.2.14"
-    reduce-function-call "^1.0.1"
-
-reduce-css-calc@^2.0.0:
-  version "2.1.4"
-  resolved "https://registry.yarnpkg.com/reduce-css-calc/-/reduce-css-calc-2.1.4.tgz#c20e9cda8445ad73d4ff4bea960c6f8353791708"
-  integrity sha512-i/vWQbyd3aJRmip9OVSN9V6nIjLf/gg/ctxb0CpvHWtcRysFl/ngDBQD+rqavxdw/doScA3GMBXhzkHQ4GCzFQ==
-  dependencies:
-    css-unit-converter "^1.1.1"
-    postcss-value-parser "^3.3.0"
-
-reduce-function-call@^1.0.1, reduce-function-call@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/reduce-function-call/-/reduce-function-call-1.0.2.tgz#5a200bf92e0e37751752fe45b0ab330fd4b6be99"
-  integrity sha1-WiAL+S4ON3UXUv5FsKszD9S2vpk=
-  dependencies:
-    balanced-match "^0.4.2"
-
-regenerate@^1.2.1:
-  version "1.4.0"
-  resolved "https://registry.yarnpkg.com/regenerate/-/regenerate-1.4.0.tgz#4a856ec4b56e4077c557589cae85e7a4c8869a11"
-  integrity sha512-1G6jJVDWrt0rK99kBjvEtziZNCICAuvIPkSiUFIQxVP06RCVpq3dmDo2oi6ABpYaDYaTRr67BEhL8r1wgEZZKg==
-
-regenerator-runtime@^0.11.0:
-  version "0.11.1"
-  resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz#be05ad7f9bf7d22e056f9726cee5017fbf19e2e9"
-  integrity sha512-MguG95oij0fC3QV3URf4V2SDYGJhJnJGqvIIgdECeODCT98wSWDAJ94SSuVpYQUoTcGUIL6L4yNB7j1DFFHSBg==
-
-regenerator-transform@^0.10.0:
-  version "0.10.1"
-  resolved "https://registry.yarnpkg.com/regenerator-transform/-/regenerator-transform-0.10.1.tgz#1e4996837231da8b7f3cf4114d71b5691a0680dd"
-  integrity sha512-PJepbvDbuK1xgIgnau7Y90cwaAmO/LCLMI2mPvaXq2heGMR3aWW5/BQvYrhJ8jgmQjXewXvBjzfqKcVOmhjZ6Q==
-  dependencies:
-    babel-runtime "^6.18.0"
-    babel-types "^6.19.0"
-    private "^0.1.6"
-
-regex-cache@^0.4.2:
-  version "0.4.4"
-  resolved "https://registry.yarnpkg.com/regex-cache/-/regex-cache-0.4.4.tgz#75bdc58a2a1496cec48a12835bc54c8d562336dd"
-  integrity sha512-nVIZwtCjkC9YgvWkpM55B5rBhBYRZhAaJbgcFYXXsHnbZ9UZI9nnVWYZpBlCqv9ho2eZryPnWrZGsOdPwVWXWQ==
-  dependencies:
-    is-equal-shallow "^0.1.3"
-
-regex-not@^1.0.0, regex-not@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/regex-not/-/regex-not-1.0.2.tgz#1f4ece27e00b0b65e0247a6810e6a85d83a5752c"
-  integrity sha512-J6SDjUgDxQj5NusnOtdFxDwN/+HWykR8GELwctJ7mdqhcyy1xEc4SRFHUXvxTp661YaVKAjfRLZ9cCqS6tn32A==
-  dependencies:
-    extend-shallow "^3.0.2"
-    safe-regex "^1.1.0"
-
-regexpu-core@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/regexpu-core/-/regexpu-core-2.0.0.tgz#49d038837b8dcf8bfa5b9a42139938e6ea2ae240"
-  integrity sha1-SdA4g3uNz4v6W5pCE5k45uoq4kA=
-  dependencies:
-    regenerate "^1.2.1"
-    regjsgen "^0.2.0"
-    regjsparser "^0.1.4"
-
-regjsgen@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/regjsgen/-/regjsgen-0.2.0.tgz#6c016adeac554f75823fe37ac05b92d5a4edb1f7"
-  integrity sha1-bAFq3qxVT3WCP+N6wFuS1aTtsfc=
-
-regjsparser@^0.1.4:
-  version "0.1.5"
-  resolved "https://registry.yarnpkg.com/regjsparser/-/regjsparser-0.1.5.tgz#7ee8f84dc6fa792d3fd0ae228d24bd949ead205c"
-  integrity sha1-fuj4Tcb6eS0/0K4ijSS9lJ6tIFw=
-  dependencies:
-    jsesc "~0.5.0"
-
-remove-trailing-separator@^1.0.1:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/remove-trailing-separator/-/remove-trailing-separator-1.1.0.tgz#c24bce2a283adad5bc3f58e0d48249b92379d8ef"
-  integrity sha1-wkvOKig62tW8P1jg1IJJuSN52O8=
-
-repeat-element@^1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/repeat-element/-/repeat-element-1.1.2.tgz#ef089a178d1483baae4d93eb98b4f9e4e11d990a"
-  integrity sha1-7wiaF40Ug7quTZPrmLT55OEdmQo=
-
-repeat-string@^1.5.2, repeat-string@^1.6.1:
-  version "1.6.1"
-  resolved "https://registry.yarnpkg.com/repeat-string/-/repeat-string-1.6.1.tgz#8dcae470e1c88abc2d600fff4a776286da75e637"
-  integrity sha1-jcrkcOHIirwtYA//Sndihtp15jc=
-
-repeating@^2.0.0:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/repeating/-/repeating-2.0.1.tgz#5214c53a926d3552707527fbab415dbc08d06dda"
-  integrity sha1-UhTFOpJtNVJwdSf7q0FdvAjQbdo=
-  dependencies:
-    is-finite "^1.0.0"
-
-request@2.86.0:
-  version "2.86.0"
-  resolved "https://registry.yarnpkg.com/request/-/request-2.86.0.tgz#2b9497f449b0a32654c081a5cf426bbfb5bf5b69"
-  integrity sha512-BQZih67o9r+Ys94tcIW4S7Uu8pthjrQVxhsZ/weOwHbDfACxvIyvnAbzFQxjy1jMtvFSzv5zf4my6cZsJBbVzw==
-  dependencies:
-    aws-sign2 "~0.7.0"
-    aws4 "^1.6.0"
-    caseless "~0.12.0"
-    combined-stream "~1.0.5"
-    extend "~3.0.1"
-    forever-agent "~0.6.1"
-    form-data "~2.3.1"
-    har-validator "~5.0.3"
-    hawk "~6.0.2"
-    http-signature "~1.2.0"
-    is-typedarray "~1.0.0"
-    isstream "~0.1.2"
-    json-stringify-safe "~5.0.1"
-    mime-types "~2.1.17"
-    oauth-sign "~0.8.2"
-    performance-now "^2.1.0"
-    qs "~6.5.1"
-    safe-buffer "^5.1.1"
-    tough-cookie "~2.3.3"
-    tunnel-agent "^0.6.0"
-    uuid "^3.1.0"
-
-require-directory@^2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/require-directory/-/require-directory-2.1.1.tgz#8c64ad5fd30dab1c976e2344ffe7f792a6a6df42"
-  integrity sha1-jGStX9MNqxyXbiNE/+f3kqam30I=
-
-require-from-string@^2.0.1:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/require-from-string/-/require-from-string-2.0.2.tgz#89a7fdd938261267318eafe14f9c32e598c36909"
-  integrity sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==
-
-require-main-filename@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/require-main-filename/-/require-main-filename-1.0.1.tgz#97f717b69d48784f5f526a6c5aa8ffdda055a4d1"
-  integrity sha1-l/cXtp1IeE9fUmpsWqj/3aBVpNE=
-
-requires-port@1.x.x:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/requires-port/-/requires-port-1.0.0.tgz#925d2601d39ac485e091cf0da5c6e694dc3dcaff"
-  integrity sha1-kl0mAdOaxIXgkc8NpcbmlNw9yv8=
-
-reshape-code-gen@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/reshape-code-gen/-/reshape-code-gen-2.0.0.tgz#ea8876b08fe9dd747035af646ba10c47308ecdee"
-  integrity sha1-6oh2sI/p3XRwNa9ka6EMRzCOze4=
-  dependencies:
-    objectfn "^2.0.0"
-    with "^6.0.0"
-
-reshape-include@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/reshape-include/-/reshape-include-1.0.0.tgz#2f75e57e016447c633f48cbb0e2a5ca114275d10"
-  integrity sha1-L3XlfgFkR8Yz9Iy7DipcoRQnXRA=
-  dependencies:
-    reshape-plugin-util "^0.2.0"
-
-reshape-loader@^1.3.0:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/reshape-loader/-/reshape-loader-1.3.0.tgz#752982fd5ec8bd5d86ea620bb2a973fb8cdf7169"
-  integrity sha1-dSmC/V7IvV2G6mILsqlz+4zfcWk=
-  dependencies:
-    reshape "^1.0.0"
-    reshape-include "^1.0.0"
-
-reshape-parser@^0.2.1:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/reshape-parser/-/reshape-parser-0.2.1.tgz#3d713188c0ae05b899e3528774aacc2aef147368"
-  integrity sha1-PXExiMCuBbiZ41KHdKrMKu8Uc2g=
-  dependencies:
-    parse5 "^2.1.5"
-
-reshape-parser@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/reshape-parser/-/reshape-parser-1.0.0.tgz#46d204fb20f68bc870bec67096305219c0173874"
-  integrity sha1-RtIE+yD2i8hwvsZwljBSGcAXOHQ=
-  dependencies:
-    parse5 "^4.0.0"
-
-reshape-plugin-util@^0.2.0, reshape-plugin-util@^0.2.1:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/reshape-plugin-util/-/reshape-plugin-util-0.2.1.tgz#29358959d58c9eebca25c35efe0cc627817cf092"
-  integrity sha1-KTWJWdWMnuvKJcNe/gzGJ4F88JI=
-  dependencies:
-    when "^3.7.7"
-
-reshape-preact-components@^0.6.0:
-  version "0.6.0"
-  resolved "https://registry.yarnpkg.com/reshape-preact-components/-/reshape-preact-components-0.6.0.tgz#55361dc6375e607e1a72f1b6287766ae09ebfae3"
-  integrity sha512-uovZiJI6CfSwPWBmDWY0HOFSmn078CuWBlQrPUn8ToRuohI+mPYboAqVWY8ddiP3+Y8JmpijMzzvfcWr9/A4OQ==
-  dependencies:
-    preact "^8.1.0"
-    preact-render-to-string "^3.6.2"
-    reshape-parser "^0.2.1"
-    reshape-plugin-util "^0.2.1"
-
-reshape@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/reshape/-/reshape-1.0.0.tgz#b739e784b9a89ffde1eac2f928824639d999e29f"
-  integrity sha1-tznnhLmon/3h6sL5KIJGOdmZ4p8=
-  dependencies:
-    code-frame "^5.0.0"
-    joi "^12.0.0"
-    lodash.merge "^4.6.1"
-    reshape-code-gen "^2.0.0"
-    reshape-parser "^1.0.0"
-    when "^3.7.8"
-
-resolve-from@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/resolve-from/-/resolve-from-3.0.0.tgz#b22c7af7d9d6881bc8b6e653335eebcb0a188748"
-  integrity sha1-six699nWiBvItuZTM17rywoYh0g=
-
-resolve-url@^0.2.1:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/resolve-url/-/resolve-url-0.2.1.tgz#2c637fe77c893afd2a663fe21aa9080068e2052a"
-  integrity sha1-LGN/53yJOv0qZj/iGqkIAGjiBSo=
-
-resolve@^1.1.7:
-  version "1.7.1"
-  resolved "https://registry.yarnpkg.com/resolve/-/resolve-1.7.1.tgz#aadd656374fd298aee895bc026b8297418677fd3"
-  integrity sha512-c7rwLofp8g1U+h1KNyHL/jicrKg1Ek4q+Lr33AL65uZTinUZHe30D5HlyN5V9NW0JX1D5dXQ4jqW5l7Sy/kGfw==
-  dependencies:
-    path-parse "^1.0.5"
-
-resp-modifier@6.0.2:
-  version "6.0.2"
-  resolved "https://registry.yarnpkg.com/resp-modifier/-/resp-modifier-6.0.2.tgz#b124de5c4fbafcba541f48ffa73970f4aa456b4f"
-  integrity sha1-sSTeXE+6/LpUH0j/pzlw9KpFa08=
-  dependencies:
-    debug "^2.2.0"
-    minimatch "^3.0.2"
-
-restore-cursor@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/restore-cursor/-/restore-cursor-2.0.0.tgz#9f7ee287f82fd326d4fd162923d62129eee0dfaf"
-  integrity sha1-n37ih/gv0ybU/RYpI9YhKe7g368=
-  dependencies:
-    onetime "^2.0.0"
-    signal-exit "^3.0.2"
-
-ret@~0.1.10:
-  version "0.1.15"
-  resolved "https://registry.yarnpkg.com/ret/-/ret-0.1.15.tgz#b8a4825d5bdb1fc3f6f53c2bc33f81388681c7bc"
-  integrity sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==
-
-rgb-hex@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/rgb-hex/-/rgb-hex-2.1.0.tgz#c773c5fe2268a25578d92539a82a7a5ce53beda6"
-  integrity sha1-x3PF/iJoolV42SU5qCp6XOU77aY=
-
-rgb@~0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/rgb/-/rgb-0.1.0.tgz#be27b291e8feffeac1bd99729721bfa40fc037b5"
-  integrity sha1-vieykej+/+rBvZlylyG/pA/AN7U=
-
-right-align@^0.1.1:
-  version "0.1.3"
-  resolved "https://registry.yarnpkg.com/right-align/-/right-align-0.1.3.tgz#61339b722fe6a3515689210d24e14c96148613ef"
-  integrity sha1-YTObci/mo1FWiSENJOFMlhSGE+8=
-  dependencies:
-    align-text "^0.1.1"
-
-rimraf@^2.5.2, rimraf@^2.6.1, rimraf@^2.6.2:
-  version "2.6.2"
-  resolved "https://registry.yarnpkg.com/rimraf/-/rimraf-2.6.2.tgz#2ed8150d24a16ea8651e6d6ef0f47c4158ce7a36"
-  integrity sha512-lreewLK/BlghmxtfH36YYVg1i8IAce4TI7oao75I1g245+6BctqTVQiBP3YUJ9C6DQOXJmkYR9X9fCLtCOJc5w==
-  dependencies:
-    glob "^7.0.5"
-
-ripemd160@^2.0.0, ripemd160@^2.0.1:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/ripemd160/-/ripemd160-2.0.2.tgz#a1c1a6f624751577ba5d07914cbc92850585890c"
-  integrity sha512-ii4iagi25WusVoiC4B4lq7pbXfAp3D9v5CwfkY33vffw2+pkDjY1D8GaN7spsxvCSx8dkPqOZCEZyfxcmJG2IA==
-  dependencies:
-    hash-base "^3.0.0"
-    inherits "^2.0.1"
-
-rucksack-css@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/rucksack-css/-/rucksack-css-1.0.2.tgz#77808b4097b35acfb92e70dc89b65aa232f5169f"
-  integrity sha512-+ir3KHUb+IfCjqTsUruYZDKf95GZKhqucVridhNSuU9AsC7efqBhKtzJeMNZqc+EOND0LWBenG5ZCodKUPbL6g==
-  dependencies:
-    autoprefixer "^7.1.2"
-    laggard "^2.0.0"
-    minimist "^1.1.2"
-    postcss "^6.0.8"
-    postcss-alias "^2.0.0"
-    postcss-clearfix "^2.0.1"
-    postcss-color-rgba-fallback "^3.0.0"
-    postcss-easings "^1.0.0"
-    postcss-fontpath "^1.0.0"
-    postcss-hexrgba "^1.0.0"
-    postcss-input-style "^1.0.0"
-    postcss-opacity "^5.0.0"
-    postcss-position "^1.0.0"
-    postcss-pseudoelements "^5.0.0"
-    postcss-quantity-queries "^0.5.0"
-    postcss-reporter "^5.0.0"
-    postcss-responsive-type "^1.0.0"
-    postcss-vmin "^3.0.0"
-    read-file-stdin "^0.2.0"
-    write-file-stdout "^0.0.2"
-
-run-async@^2.2.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/run-async/-/run-async-2.3.0.tgz#0371ab4ae0bdd720d4166d7dfda64ff7a445a6c0"
-  integrity sha1-A3GrSuC91yDUFm19/aZP96RFpsA=
-  dependencies:
-    is-promise "^2.1.0"
-
-rx-lite-aggregates@^4.0.8:
-  version "4.0.8"
-  resolved "https://registry.yarnpkg.com/rx-lite-aggregates/-/rx-lite-aggregates-4.0.8.tgz#753b87a89a11c95467c4ac1626c4efc4e05c67be"
-  integrity sha1-dTuHqJoRyVRnxKwWJsTvxOBcZ74=
-  dependencies:
-    rx-lite "*"
-
-rx-lite@*, rx-lite@^4.0.8:
-  version "4.0.8"
-  resolved "https://registry.yarnpkg.com/rx-lite/-/rx-lite-4.0.8.tgz#0b1e11af8bc44836f04a6407e92da42467b79444"
-  integrity sha1-Cx4Rr4vESDbwSmQH6S2kJGe3lEQ=
-
-rx@4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/rx/-/rx-4.1.0.tgz#a5f13ff79ef3b740fe30aa803fb09f98805d4782"
-  integrity sha1-pfE/957zt0D+MKqAP7CfmIBdR4I=
-
-safe-buffer@5.1.1:
-  version "5.1.1"
-  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
-  integrity sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg==
-
-safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@^5.1.2, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
-  version "5.1.2"
-  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d"
-  integrity sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==
-
-safe-regex@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-1.1.0.tgz#40a3669f3b077d1e943d44629e157dd48023bf2e"
-  integrity sha1-QKNmnzsHfR6UPURinhV91IAjvy4=
-  dependencies:
-    ret "~0.1.10"
-
-"safer-buffer@>= 2.1.2 < 3", safer-buffer@^2.0.2:
-  version "2.1.2"
-  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
-  integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==
-
-sax@^1.2.4, sax@~1.2.1:
-  version "1.2.4"
-  resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.4.tgz#2816234e2378bddc4e5354fab5caa895df7100d9"
-  integrity sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==
-
-schema-utils@^0.4.0:
-  version "0.4.5"
-  resolved "https://registry.yarnpkg.com/schema-utils/-/schema-utils-0.4.5.tgz#21836f0608aac17b78f9e3e24daff14a5ca13a3e"
-  integrity sha512-yYrjb9TX2k/J1Y5UNy3KYdZq10xhYcF8nMpAW6o3hy6Q8WSIEf9lJHG/ePnOBfziPM3fvQwfOwa13U/Fh8qTfA==
-  dependencies:
-    ajv "^6.1.0"
-    ajv-keywords "^3.1.0"
-
-"semver@2 || 3 || 4 || 5", semver@^5.3.0:
-  version "5.5.0"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-5.5.0.tgz#dc4bbc7a6ca9d916dee5d43516f0092b58f7b8ab"
-  integrity sha512-4SJ3dm0WAwWy/NVeioZh5AntkdJoWKxHxcmyP622fOkgHa4z3R0TdBJICINyaSDE6uNwVc8gZr+ZinwZAH4xIA==
-
-send@0.16.2:
-  version "0.16.2"
-  resolved "https://registry.yarnpkg.com/send/-/send-0.16.2.tgz#6ecca1e0f8c156d141597559848df64730a6bbc1"
-  integrity sha512-E64YFPUssFHEFBvpbbjr44NCLtI1AohxQ8ZSiJjQLskAdKuriYEP6VyGEsRDH8ScozGpkaX1BGvhanqCwkcEZw==
-  dependencies:
-    debug "2.6.9"
-    depd "~1.1.2"
-    destroy "~1.0.4"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    fresh "0.5.2"
-    http-errors "~1.6.2"
-    mime "1.4.1"
-    ms "2.0.0"
-    on-finished "~2.3.0"
-    range-parser "~1.2.0"
-    statuses "~1.4.0"
-
-serve-index@1.9.1:
-  version "1.9.1"
-  resolved "https://registry.yarnpkg.com/serve-index/-/serve-index-1.9.1.tgz#d3768d69b1e7d82e5ce050fff5b453bea12a9239"
-  integrity sha1-03aNabHn2C5c4FD/9bRTvqEqkjk=
-  dependencies:
-    accepts "~1.3.4"
-    batch "0.6.1"
-    debug "2.6.9"
-    escape-html "~1.0.3"
-    http-errors "~1.6.2"
-    mime-types "~2.1.17"
-    parseurl "~1.3.2"
-
-serve-static@1.13.2:
-  version "1.13.2"
-  resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.13.2.tgz#095e8472fd5b46237db50ce486a43f4b86c6cec1"
-  integrity sha512-p/tdJrO4U387R9oMjb1oj7qSMaMfmOyd4j9hOFoxZe2baQszgHcSWjuya/CiT5kgZZKRudHNOA0pYXOl8rQ5nw==
-  dependencies:
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    parseurl "~1.3.2"
-    send "0.16.2"
-
-server-destroy@1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/server-destroy/-/server-destroy-1.0.1.tgz#f13bf928e42b9c3e79383e61cc3998b5d14e6cdd"
-  integrity sha1-8Tv5KOQrnD55OD5hzDmYtdFObN0=
-
-set-blocking@^2.0.0, set-blocking@~2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-2.0.0.tgz#045f9782d011ae9a6803ddd382b24392b3d890f7"
-  integrity sha1-BF+XgtARrppoA93TgrJDkrPYkPc=
-
-set-immediate-shim@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/set-immediate-shim/-/set-immediate-shim-1.0.1.tgz#4b2b1b27eb808a9f8dcc481a58e5e56f599f3f61"
-  integrity sha1-SysbJ+uAip+NzEgaWOXlb1mfP2E=
-
-set-value@^0.4.3:
-  version "0.4.3"
-  resolved "https://registry.yarnpkg.com/set-value/-/set-value-0.4.3.tgz#7db08f9d3d22dc7f78e53af3c3bf4666ecdfccf1"
-  integrity sha1-fbCPnT0i3H945Trzw79GZuzfzPE=
-  dependencies:
-    extend-shallow "^2.0.1"
-    is-extendable "^0.1.1"
-    is-plain-object "^2.0.1"
-    to-object-path "^0.3.0"
-
-set-value@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/set-value/-/set-value-2.0.0.tgz#71ae4a88f0feefbbf52d1ea604f3fb315ebb6274"
-  integrity sha512-hw0yxk9GT/Hr5yJEYnHNKYXkIA8mVJgd9ditYZCe16ZczcaELYYcfvaXesNACk2O8O0nTiPQcQhGUQj8JLzeeg==
-  dependencies:
-    extend-shallow "^2.0.1"
-    is-extendable "^0.1.1"
-    is-plain-object "^2.0.3"
-    split-string "^3.0.1"
-
-setimmediate@^1.0.4, setimmediate@^1.0.5:
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/setimmediate/-/setimmediate-1.0.5.tgz#290cbb232e306942d7d7ea9b83732ab7856f8285"
-  integrity sha1-KQy7Iy4waULX1+qbg3Mqt4VvgoU=
-
-setprototypeof@1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.0.3.tgz#66567e37043eeb4f04d91bd658c0cbefb55b8e04"
-  integrity sha1-ZlZ+NwQ+608E2RvWWMDL77VbjgQ=
-
-setprototypeof@1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.1.0.tgz#d0bd85536887b6fe7c0d818cb962d9d91c54e656"
-  integrity sha512-BvE/TwpZX4FXExxOxZyRGQQv651MSwmWKZGqvmPcRIjDqWub67kTKuIMx43cZZrS/cBBzwBcNDWoFxt2XEFIpQ==
-
-sha.js@^2.4.0, sha.js@^2.4.8:
-  version "2.4.11"
-  resolved "https://registry.yarnpkg.com/sha.js/-/sha.js-2.4.11.tgz#37a5cf0b81ecbc6943de109ba2960d1b26584ae7"
-  integrity sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==
-  dependencies:
-    inherits "^2.0.1"
-    safe-buffer "^5.0.1"
-
-shebang-command@^1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/shebang-command/-/shebang-command-1.2.0.tgz#44aac65b695b03398968c39f363fee5deafdf1ea"
-  integrity sha1-RKrGW2lbAzmJaMOfNj/uXer98eo=
-  dependencies:
-    shebang-regex "^1.0.0"
-
-shebang-regex@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-1.0.0.tgz#da42f49740c0b42db2ca9728571cb190c98efea3"
-  integrity sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=
-
-shortid@2.2.14:
-  version "2.2.14"
-  resolved "https://registry.yarnpkg.com/shortid/-/shortid-2.2.14.tgz#80db6aafcbc3e3a46850b3c88d39e051b84c8d18"
-  integrity sha512-4UnZgr9gDdA1kaKj/38IiudfC3KHKhDc1zi/HSxd9FQDR0VLwH3/y79tZJLsVYPsJgIjeHjqIWaWVRJUj9qZOQ==
-  dependencies:
-    nanoid "^2.0.0"
-
-siema@^1.5.1:
-  version "1.5.1"
-  resolved "https://registry.yarnpkg.com/siema/-/siema-1.5.1.tgz#eff312b77e8340fa4d81d5d053ebbeb9113ff888"
-  integrity sha1-7/MSt36DQPpNgdXQU+u+uRE/+Ig=
-
-signal-exit@^3.0.0, signal-exit@^3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.2.tgz#b5fdc08f1287ea1178628e415e25132b73646c6d"
-  integrity sha1-tf3AjxKH6hF4Yo5BXiUTK3NkbG0=
-
-simple-swizzle@^0.2.2:
-  version "0.2.2"
-  resolved "https://registry.yarnpkg.com/simple-swizzle/-/simple-swizzle-0.2.2.tgz#a4da6b635ffcccca33f70d17cb92592de95e557a"
-  integrity sha1-pNprY1/8zMoz9w0Xy5JZLeleVXo=
-  dependencies:
-    is-arrayish "^0.3.1"
-
-slash@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/slash/-/slash-1.0.0.tgz#c41f2f6c39fc16d1cd17ad4b5d896114ae470d55"
-  integrity sha1-xB8vbDn8FtHNF61LXYlhFK5HDVU=
-
-slugify@^1.3.1:
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/slugify/-/slugify-1.3.1.tgz#f572127e8535329fbc6c1edb74ab856b61ad7de2"
-  integrity sha512-6BwyhjF5tG5P8s+0DPNyJmBSBePG6iMyhjvIW5zGdA3tFik9PtK+yNkZgTeiroCRGZYgkHftFA62tGVK1EI9Kw==
-
-snapdragon-node@^2.0.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/snapdragon-node/-/snapdragon-node-2.1.1.tgz#6c175f86ff14bdb0724563e8f3c1b021a286853b"
-  integrity sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw==
-  dependencies:
-    define-property "^1.0.0"
-    isobject "^3.0.0"
-    snapdragon-util "^3.0.1"
-
-snapdragon-util@^3.0.1:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/snapdragon-util/-/snapdragon-util-3.0.1.tgz#f956479486f2acd79700693f6f7b805e45ab56e2"
-  integrity sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ==
-  dependencies:
-    kind-of "^3.2.0"
-
-snapdragon@^0.8.1:
-  version "0.8.2"
-  resolved "https://registry.yarnpkg.com/snapdragon/-/snapdragon-0.8.2.tgz#64922e7c565b0e14204ba1aa7d6964278d25182d"
-  integrity sha512-FtyOnWN/wCHTVXOMwvSv26d+ko5vWlIDD6zoUJ7LW8vh+ZBC8QdljveRP+crNrtBwioEUWy/4dMtbBjA4ioNlg==
-  dependencies:
-    base "^0.11.1"
-    debug "^2.2.0"
-    define-property "^0.2.5"
-    extend-shallow "^2.0.1"
-    map-cache "^0.2.2"
-    source-map "^0.5.6"
-    source-map-resolve "^0.5.0"
-    use "^3.1.0"
-
-sntp@2.x.x:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/sntp/-/sntp-2.1.0.tgz#2c6cec14fedc2222739caf9b5c3d85d1cc5a2cc8"
-  integrity sha512-FL1b58BDrqS3A11lJ0zEdnJ3UOKqVxawAkF3k7F0CVN7VQ34aZrV+G8BZ1WC9ZL7NyrwsW0oviwsWDgRuVYtJg==
-  dependencies:
-    hoek "4.x.x"
-
-socket.io-adapter@~1.1.0:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/socket.io-adapter/-/socket.io-adapter-1.1.1.tgz#2a805e8a14d6372124dd9159ad4502f8cb07f06b"
-  integrity sha1-KoBeihTWNyEk3ZFZrUUC+MsH8Gs=
-
-socket.io-client@2.0.4:
-  version "2.0.4"
-  resolved "https://registry.yarnpkg.com/socket.io-client/-/socket.io-client-2.0.4.tgz#0918a552406dc5e540b380dcd97afc4a64332f8e"
-  integrity sha1-CRilUkBtxeVAs4Dc2Xr8SmQzL44=
-  dependencies:
-    backo2 "1.0.2"
-    base64-arraybuffer "0.1.5"
-    component-bind "1.0.0"
-    component-emitter "1.2.1"
-    debug "~2.6.4"
-    engine.io-client "~3.1.0"
-    has-cors "1.1.0"
-    indexof "0.0.1"
-    object-component "0.0.3"
-    parseqs "0.0.5"
-    parseuri "0.0.5"
-    socket.io-parser "~3.1.1"
-    to-array "0.1.4"
-
-socket.io-client@2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/socket.io-client/-/socket.io-client-2.1.1.tgz#dcb38103436ab4578ddb026638ae2f21b623671f"
-  integrity sha512-jxnFyhAuFxYfjqIgduQlhzqTcOEQSn+OHKVfAxWaNWa7ecP7xSNk2Dx/3UEsDcY7NcFafxvNvKPmmO7HTwTxGQ==
-  dependencies:
-    backo2 "1.0.2"
-    base64-arraybuffer "0.1.5"
-    component-bind "1.0.0"
-    component-emitter "1.2.1"
-    debug "~3.1.0"
-    engine.io-client "~3.2.0"
-    has-binary2 "~1.0.2"
-    has-cors "1.1.0"
-    indexof "0.0.1"
-    object-component "0.0.3"
-    parseqs "0.0.5"
-    parseuri "0.0.5"
-    socket.io-parser "~3.2.0"
-    to-array "0.1.4"
-
-socket.io-parser@~3.1.1:
-  version "3.1.3"
-  resolved "https://registry.yarnpkg.com/socket.io-parser/-/socket.io-parser-3.1.3.tgz#ed2da5ee79f10955036e3da413bfd7f1e4d86c8e"
-  integrity sha512-g0a2HPqLguqAczs3dMECuA1RgoGFPyvDqcbaDEdCWY9g59kdUAz3YRmaJBNKXflrHNwB7Q12Gkf/0CZXfdHR7g==
-  dependencies:
-    component-emitter "1.2.1"
-    debug "~3.1.0"
-    has-binary2 "~1.0.2"
-    isarray "2.0.1"
-
-socket.io-parser@~3.2.0:
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/socket.io-parser/-/socket.io-parser-3.2.0.tgz#e7c6228b6aa1f814e6148aea325b51aa9499e077"
-  integrity sha512-FYiBx7rc/KORMJlgsXysflWx/RIvtqZbyGLlHZvjfmPTPeuD/I8MaW7cfFrj5tRltICJdgwflhfZ3NVVbVLFQA==
-  dependencies:
-    component-emitter "1.2.1"
-    debug "~3.1.0"
-    isarray "2.0.1"
-
-socket.io@2.1.1:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/socket.io/-/socket.io-2.1.1.tgz#a069c5feabee3e6b214a75b40ce0652e1cfb9980"
-  integrity sha512-rORqq9c+7W0DAK3cleWNSyfv/qKXV99hV4tZe+gGLfBECw3XEhBy7x85F3wypA9688LKjtwO9pX9L33/xQI8yA==
-  dependencies:
-    debug "~3.1.0"
-    engine.io "~3.2.0"
-    has-binary2 "~1.0.2"
-    socket.io-adapter "~1.1.0"
-    socket.io-client "2.1.1"
-    socket.io-parser "~3.2.0"
-
-sort-keys@^1.0.0:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/sort-keys/-/sort-keys-1.1.2.tgz#441b6d4d346798f1b4e49e8920adfba0e543f9ad"
-  integrity sha1-RBttTTRnmPG05J6JIK37oOVD+a0=
-  dependencies:
-    is-plain-obj "^1.0.0"
-
-source-list-map@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/source-list-map/-/source-list-map-2.0.0.tgz#aaa47403f7b245a92fbc97ea08f250d6087ed085"
-  integrity sha512-I2UmuJSRr/T8jisiROLU3A3ltr+swpniSmNPI4Ml3ZCX6tVnDsuZzK7F2hl5jTqbZBWCEKlj5HRQiPExXLgE8A==
-
-source-loader@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/source-loader/-/source-loader-1.0.0.tgz#dbe890d46c8429fa7ac358c7e648f7f03cbe8738"
-  integrity sha512-gqPvbDNzfyQPXs1gMqfNV8IlKLpsifCO5J7xNRwv47eNvhOeM8eR0cemEJzmqhvjCap+EnCGk9Ao0b5xbzpNKA==
-  dependencies:
-    is-binary-path "^2.0.0"
-
-source-map-resolve@^0.5.0:
-  version "0.5.2"
-  resolved "https://registry.yarnpkg.com/source-map-resolve/-/source-map-resolve-0.5.2.tgz#72e2cc34095543e43b2c62b2c4c10d4a9054f259"
-  integrity sha512-MjqsvNwyz1s0k81Goz/9vRBe9SZdB09Bdw+/zYyO+3CuPk6fouTaxscHkgtE8jKvf01kVfl8riHzERQ/kefaSA==
-  dependencies:
-    atob "^2.1.1"
-    decode-uri-component "^0.2.0"
-    resolve-url "^0.2.1"
-    source-map-url "^0.4.0"
-    urix "^0.1.0"
-
-source-map-support@^0.4.15:
-  version "0.4.18"
-  resolved "https://registry.yarnpkg.com/source-map-support/-/source-map-support-0.4.18.tgz#0286a6de8be42641338594e97ccea75f0a2c585f"
-  integrity sha512-try0/JqxPLF9nOjvSta7tVondkP5dwgyLDjVoyMDlmjugT2lRZ1OfsrYTkCd2hkDnJTKRbO/Rl3orm8vlsUzbA==
-  dependencies:
-    source-map "^0.5.6"
-
-source-map-url@^0.4.0:
-  version "0.4.0"
-  resolved "https://registry.yarnpkg.com/source-map-url/-/source-map-url-0.4.0.tgz#3e935d7ddd73631b97659956d55128e87b5084a3"
-  integrity sha1-PpNdfd1zYxuXZZlW1VEo6HtQhKM=
-
-source-map@^0.5.3, source-map@^0.5.6, source-map@^0.5.7, source-map@~0.5.1:
-  version "0.5.7"
-  resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.5.7.tgz#8a039d2d1021d22d1ea14c80d8ea468ba2ef3fcc"
-  integrity sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=
-
-source-map@^0.6.1, source-map@~0.6.1:
-  version "0.6.1"
-  resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.6.1.tgz#74722af32e9614e9c287a8d0bbde48b5e2f1a263"
-  integrity sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==
-
-spdx-correct@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/spdx-correct/-/spdx-correct-3.0.0.tgz#05a5b4d7153a195bc92c3c425b69f3b2a9524c82"
-  integrity sha512-N19o9z5cEyc8yQQPukRCZ9EUmb4HUpnrmaL/fxS2pBo2jbfcFRVuFZ/oFC+vZz0MNNk0h80iMn5/S6qGZOL5+g==
-  dependencies:
-    spdx-expression-parse "^3.0.0"
-    spdx-license-ids "^3.0.0"
-
-spdx-exceptions@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/spdx-exceptions/-/spdx-exceptions-2.1.0.tgz#2c7ae61056c714a5b9b9b2b2af7d311ef5c78fe9"
-  integrity sha512-4K1NsmrlCU1JJgUrtgEeTVyfx8VaYea9J9LvARxhbHtVtohPs/gFGG5yy49beySjlIMhhXZ4QqujIZEfS4l6Cg==
-
-spdx-expression-parse@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/spdx-expression-parse/-/spdx-expression-parse-3.0.0.tgz#99e119b7a5da00e05491c9fa338b7904823b41d0"
-  integrity sha512-Yg6D3XpRD4kkOmTpdgbUiEJFKghJH03fiC1OPll5h/0sO6neh2jqRDVHOQ4o/LMea0tgCkbMgea5ip/e+MkWyg==
-  dependencies:
-    spdx-exceptions "^2.1.0"
-    spdx-license-ids "^3.0.0"
-
-spdx-license-ids@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/spdx-license-ids/-/spdx-license-ids-3.0.0.tgz#7a7cd28470cc6d3a1cfe6d66886f6bc430d3ac87"
-  integrity sha512-2+EPwgbnmOIl8HjGBXXMd9NAu02vLjOO1nWw4kmeRDFyHn+M/ETfHxQUK0oXg8ctgVnl9t3rosNVsZ1jG61nDA==
-
-spike-core@^2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/spike-core/-/spike-core-2.3.0.tgz#7de412748d0dbdae63ecad4857104e8262b6779d"
-  integrity sha1-feQSdI0Nva5j7K1IVxBOgmK2d50=
-  dependencies:
-    babel-core "^6.26.0"
-    babel-loader "^7.1.5"
-    browser-sync "^2.24.6"
-    browser-sync-webpack-plugin "^1.2.0"
-    filewrap "^1.0.0"
-    glob "^7.1.2"
-    hygienist-middleware "^0.1.3"
-    joi "^12.0.0"
-    lodash.difference "^4.5.0"
-    lodash.merge "^4.6.0"
-    lodash.union "^4.6.0"
-    micromatch "^3.1.4"
-    mkdirp "^0.5.1"
-    postcss-loader "^2.1.6"
-    reshape-loader "^1.3.0"
-    rimraf "^2.6.2"
-    source-loader "^1.0.0"
-    spike-util "^1.3.0"
-    sprout "^1.2.1"
-    webpack "^3.12.0"
-    when "^3.7.8"
-
-spike-css-standards@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/spike-css-standards/-/spike-css-standards-4.0.0.tgz#e952353f50ee609b8a9c043e43c4c1eb362080bd"
-  integrity sha1-6VI1P1DuYJuKnAQ+Q8TB6zYggL0=
-  dependencies:
-    autoprefixer "^8.3.0"
-    cssnano "^3.7.4"
-    postcss-attribute-case-insensitive "^2.0.0"
-    postcss-calc "^6.0.1"
-    postcss-color-function "^4.0.1"
-    postcss-color-gray "^4.1.0"
-    postcss-color-hex-alpha "^3.0.0"
-    postcss-color-hsl "^2.0.0"
-    postcss-color-hwb "^3.0.0"
-    postcss-color-rebeccapurple "^3.0.0"
-    postcss-color-rgb "^2.0.0"
-    postcss-custom-media "^6.0.0"
-    postcss-custom-properties "^7.0.0"
-    postcss-custom-selectors "^4.0.1"
-    postcss-font-family-system-ui "^3.0.0"
-    postcss-font-variant "^3.0.0"
-    postcss-image-set-polyfill "^0.4.4"
-    postcss-import "^11.0.0"
-    postcss-media-minmax "^3.0.0"
-    postcss-nesting "^5.0.0"
-    postcss-property-lookup "^2.0.0"
-    postcss-pseudo-class-any-link "^4.0.0"
-    postcss-selector-matches "^3.0.1"
-    postcss-selector-not "^3.0.1"
-    rucksack-css "^1.0.2"
-
-spike-js-standards@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/spike-js-standards/-/spike-js-standards-2.1.0.tgz#948c578b1ed4223aaaa9bc506cf3f7d3c38c3203"
-  integrity sha1-lIxXix7UIjqqqbxQbPP308OMMgM=
-  dependencies:
-    babel-plugin-syntax-dynamic-import "^6.18.0"
-    babel-preset-env "^1.7.0"
-
-spike-util@^1.3.0:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/spike-util/-/spike-util-1.3.0.tgz#140a141ddb4beb0f02c63192074e24c4eb91d680"
-  integrity sha512-q53KxrB41Kbyla+lFFyNcYmCygiaDxgr6/XIFvA03VOxmr+NZinNry9+LfkQY61SFhQmtxhPTcxe0gJOzn9iKw==
-  dependencies:
-    filewrap "1.0.0"
-    glob "^7.1.2"
-    micromatch "^3.0.4"
-    when "^3.7.7"
-
-spike@^2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/spike/-/spike-2.3.0.tgz#012bb7dd8633c9bb74c10fdb69732ce8d5d13049"
-  integrity sha1-ASu33YYzybt0wQ/baXMs6NXRMEk=
-  dependencies:
-    argparse "^1.0.10"
-    chalk "^2.4.1"
-    inquirer "^3.2.1"
-    lodash.reduce "^4.6.0"
-    spike-core "^2.3.0"
-    universal-analytics "^0.4.17"
-
-split-string@^3.0.1, split-string@^3.0.2:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/split-string/-/split-string-3.1.0.tgz#7cb09dda3a86585705c64b39a6466038682e8fe2"
-  integrity sha512-NzNVhJDYpwceVVii8/Hu6DKfD2G+NrQHlS/V/qgv763EYudVwEcMQNxd2lh+0VrUByXN/oJkl5grOhYWvQUYiw==
-  dependencies:
-    extend-shallow "^3.0.0"
-
-sprintf-js@^1.0.3:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.1.1.tgz#36be78320afe5801f6cea3ee78b6e5aab940ea0c"
-  integrity sha1-Nr54Mgr+WAH2zqPueLblqrlA6gw=
-
-sprintf-js@~1.0.2:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c"
-  integrity sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=
-
-sprout@^1.2.1:
-  version "1.2.1"
-  resolved "https://registry.yarnpkg.com/sprout/-/sprout-1.2.1.tgz#e121e7f7ce894aa75cdacf8c047f609770786dbd"
-  integrity sha1-4SHn986JSqdc2s+MBH9gl3B4bb0=
-  dependencies:
-    argparse "^1.0.2"
-    ejs "^2.3.1"
-    isbinaryfile "^3.0.0"
-    joi "^10.0.0"
-    js-yaml "^3.4.5"
-    lodash "^4.12.0"
-    minimatch "^3.0.0"
-    mkdirp "^0.5.1"
-    ncp "^2.0.0"
-    readdirp "^2.0.0"
-    rimraf "^2.5.2"
-    underscore.string "^3.1.1"
-    when "^3.7.7"
-    which "^1.2.8"
-
-sshpk@^1.7.0:
-  version "1.14.2"
-  resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.14.2.tgz#c6fc61648a3d9c4e764fd3fcdf4ea105e492ba98"
-  integrity sha1-xvxhZIo9nE52T9P8306hBeSSupg=
-  dependencies:
-    asn1 "~0.2.3"
-    assert-plus "^1.0.0"
-    dashdash "^1.12.0"
-    getpass "^0.1.1"
-    safer-buffer "^2.0.2"
-  optionalDependencies:
-    bcrypt-pbkdf "^1.0.0"
-    ecc-jsbn "~0.1.1"
-    jsbn "~0.1.0"
-    tweetnacl "~0.14.0"
-
-standalone-react-addons-pure-render-mixin@^0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/standalone-react-addons-pure-render-mixin/-/standalone-react-addons-pure-render-mixin-0.1.1.tgz#3c7409f4c79c40de9ac72c616cf679a994f37551"
-  integrity sha1-PHQJ9MecQN6axyxhbPZ5qZTzdVE=
-
-static-extend@^0.1.1:
-  version "0.1.2"
-  resolved "https://registry.yarnpkg.com/static-extend/-/static-extend-0.1.2.tgz#60809c39cbff55337226fd5e0b520f341f1fb5c6"
-  integrity sha1-YICcOcv/VTNyJv1eC1IPNB8ftcY=
-  dependencies:
-    define-property "^0.2.5"
-    object-copy "^0.1.0"
-
-"statuses@>= 1.3.1 < 2", "statuses@>= 1.4.0 < 2":
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c"
-  integrity sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=
-
-statuses@~1.3.1:
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.3.1.tgz#faf51b9eb74aaef3b3acf4ad5f61abf24cb7b93e"
-  integrity sha1-+vUbnrdKrvOzrPStX2Gr8ky3uT4=
-
-statuses@~1.4.0:
-  version "1.4.0"
-  resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.4.0.tgz#bb73d446da2796106efcc1b601a253d6c46bd087"
-  integrity sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==
-
-stream-browserify@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/stream-browserify/-/stream-browserify-2.0.1.tgz#66266ee5f9bdb9940a4e4514cafb43bb71e5c9db"
-  integrity sha1-ZiZu5fm9uZQKTkUUyvtDu3Hlyds=
-  dependencies:
-    inherits "~2.0.1"
-    readable-stream "^2.0.2"
-
-stream-http@^2.7.2:
-  version "2.8.3"
-  resolved "https://registry.yarnpkg.com/stream-http/-/stream-http-2.8.3.tgz#b2d242469288a5a27ec4fe8933acf623de6514fc"
-  integrity sha512-+TSkfINHDo4J+ZobQLWiMouQYB+UVYFttRA94FpEzzJ7ZdqcL4uUUQ7WkdkI4DSozGmgBUE/a47L+38PenXhUw==
-  dependencies:
-    builtin-status-codes "^3.0.0"
-    inherits "^2.0.1"
-    readable-stream "^2.3.6"
-    to-arraybuffer "^1.0.0"
-    xtend "^4.0.0"
-
-stream-throttle@^0.1.3:
-  version "0.1.3"
-  resolved "https://registry.yarnpkg.com/stream-throttle/-/stream-throttle-0.1.3.tgz#add57c8d7cc73a81630d31cd55d3961cfafba9c3"
-  integrity sha1-rdV8jXzHOoFjDTHNVdOWHPr7qcM=
-  dependencies:
-    commander "^2.2.0"
-    limiter "^1.0.5"
-
-strftime@^0.10.0:
-  version "0.10.0"
-  resolved "https://registry.yarnpkg.com/strftime/-/strftime-0.10.0.tgz#b3f0fa419295202a5a289f6d6be9f4909a617193"
-  integrity sha1-s/D6QZKVICpaKJ9ta+n0kJphcZM=
-
-strict-uri-encode@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/strict-uri-encode/-/strict-uri-encode-1.1.0.tgz#279b225df1d582b1f54e65addd4352e18faa0713"
-  integrity sha1-J5siXfHVgrH1TmWt3UNS4Y+qBxM=
-
-string-width@^1.0.1, string-width@^1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/string-width/-/string-width-1.0.2.tgz#118bdf5b8cdc51a2a7e70d211e07e2b0b9b107d3"
-  integrity sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=
-  dependencies:
-    code-point-at "^1.0.0"
-    is-fullwidth-code-point "^1.0.0"
-    strip-ansi "^3.0.0"
-
-"string-width@^1.0.2 || 2", string-width@^2.0.0, string-width@^2.1.0:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/string-width/-/string-width-2.1.1.tgz#ab93f27a8dc13d28cac815c462143a6d9012ae9e"
-  integrity sha512-nOqH59deCq9SRHlxq1Aw85Jnt4w6KvLKqWVik6oA9ZklXLNIOlqg4F2yrT1MVaTjAqvVwdfeZ7w7aCvJD7ugkw==
-  dependencies:
-    is-fullwidth-code-point "^2.0.0"
-    strip-ansi "^4.0.0"
-
-string_decoder@^1.0.0, string_decoder@~1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-1.1.1.tgz#9cf1611ba62685d7030ae9e4ba34149c3af03fc8"
-  integrity sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==
-  dependencies:
-    safe-buffer "~5.1.0"
-
-strip-ansi@^3.0.0, strip-ansi@^3.0.1:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-3.0.1.tgz#6a385fb8853d952d5ff05d0e8aaf94278dc63dcf"
-  integrity sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=
-  dependencies:
-    ansi-regex "^2.0.0"
-
-strip-ansi@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-4.0.0.tgz#a8479022eb1ac368a871389b635262c505ee368f"
-  integrity sha1-qEeQIusaw2iocTibY1JixQXuNo8=
-  dependencies:
-    ansi-regex "^3.0.0"
-
-strip-bom@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/strip-bom/-/strip-bom-2.0.0.tgz#6219a85616520491f35788bdbf1447a99c7e6b0e"
-  integrity sha1-YhmoVhZSBJHzV4i9vxRHqZx+aw4=
-  dependencies:
-    is-utf8 "^0.2.0"
-
-strip-bom@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/strip-bom/-/strip-bom-3.0.0.tgz#2334c18e9c759f7bdd56fdef7e9ae3d588e68ed3"
-  integrity sha1-IzTBjpx1n3vdVv3vfprj1YjmjtM=
-
-strip-eof@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/strip-eof/-/strip-eof-1.0.0.tgz#bb43ff5598a6eb05d89b59fcd129c983313606bf"
-  integrity sha1-u0P/VZim6wXYm1n80SnJgzE2Br8=
-
-strip-json-comments@~2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-2.0.1.tgz#3c531942e908c2697c0ec344858c286c7ca0a60a"
-  integrity sha1-PFMZQukIwml8DsNEhYwobHygpgo=
-
-stylis-rule-sheet@^0.0.10:
-  version "0.0.10"
-  resolved "https://registry.yarnpkg.com/stylis-rule-sheet/-/stylis-rule-sheet-0.0.10.tgz#44e64a2b076643f4b52e5ff71efc04d8c3c4a430"
-  integrity sha512-nTbZoaqoBnmK+ptANthb10ZRZOGC+EmTLLUxeYIuHNkEKcmKgXX1XWKkUBT2Ac4es3NybooPe0SmvKdhKJZAuw==
-
-stylis@^3.5.0:
-  version "3.5.0"
-  resolved "https://registry.yarnpkg.com/stylis/-/stylis-3.5.0.tgz#016fa239663d77f868fef5b67cf201c4b7c701e1"
-  integrity sha512-pP7yXN6dwMzAR29Q0mBrabPCe0/mNO1MSr93bhay+hcZondvMMTpeGyd8nbhYJdyperNT2DRxONQuUGcJr5iPw==
-
-supports-color@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-2.0.0.tgz#535d045ce6b6363fa40117084629995e9df324c7"
-  integrity sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=
-
-supports-color@^3.2.3:
-  version "3.2.3"
-  resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-3.2.3.tgz#65ac0504b3954171d8a64946b2ae3cbb8a5f54f6"
-  integrity sha1-ZawFBLOVQXHYpklGsq48u4pfVPY=
-  dependencies:
-    has-flag "^1.0.0"
-
-supports-color@^4.2.1:
-  version "4.5.0"
-  resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-4.5.0.tgz#be7a0de484dec5c5cddf8b3d59125044912f635b"
-  integrity sha1-vnoN5ITexcXN34s9WRJQRJEvY1s=
-  dependencies:
-    has-flag "^2.0.0"
-
-supports-color@^5.3.0, supports-color@^5.4.0:
-  version "5.4.0"
-  resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-5.4.0.tgz#1c6b337402c2137605efe19f10fec390f6faab54"
-  integrity sha512-zjaXglF5nnWpsq470jSv6P9DwPvgLkuapYmfDm3JWOm0vkNTVF2tI4UrN2r6jH1qM/uc/WtxYY1hYoA2dOKj5w==
-  dependencies:
-    has-flag "^3.0.0"
-
-svgo@^0.7.0:
-  version "0.7.2"
-  resolved "https://registry.yarnpkg.com/svgo/-/svgo-0.7.2.tgz#9f5772413952135c6fefbf40afe6a4faa88b4bb5"
-  integrity sha1-n1dyQTlSE1xv779Ar+ak+qiLS7U=
-  dependencies:
-    coa "~1.0.1"
-    colors "~1.1.2"
-    csso "~2.3.1"
-    js-yaml "~3.7.0"
-    mkdirp "~0.5.1"
-    sax "~1.2.1"
-    whet.extend "~0.9.9"
-
-tapable@^0.2.7:
-  version "0.2.8"
-  resolved "https://registry.yarnpkg.com/tapable/-/tapable-0.2.8.tgz#99372a5c999bf2df160afc0d74bed4f47948cd22"
-  integrity sha1-mTcqXJmb8t8WCvwNdL7U9HlIzSI=
-
-tar@^4:
-  version "4.4.4"
-  resolved "https://registry.yarnpkg.com/tar/-/tar-4.4.4.tgz#ec8409fae9f665a4355cc3b4087d0820232bb8cd"
-  integrity sha512-mq9ixIYfNF9SK0IS/h2HKMu8Q2iaCuhDDsZhdEag/FHv8fOaYld4vN7ouMgcSSt5WKZzPs8atclTcJm36OTh4w==
-  dependencies:
-    chownr "^1.0.1"
-    fs-minipass "^1.2.5"
-    minipass "^2.3.3"
-    minizlib "^1.1.0"
-    mkdirp "^0.5.0"
-    safe-buffer "^5.1.2"
-    yallist "^3.0.2"
-
-tcomb@^3.2.21:
-  version "3.2.27"
-  resolved "https://registry.yarnpkg.com/tcomb/-/tcomb-3.2.27.tgz#f4928bfc536b959d21a47e5f5f1ca2b2e4b7188a"
-  integrity sha512-XWdJW7F/M3YzXhDEUP8ycmNWoYymBtsHwCHoda0YF44RthJsls95TqDrmpAlC1sB/KXaCvkdBlcNRq+AaV6klA==
-
-tfunk@^3.0.1:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/tfunk/-/tfunk-3.1.0.tgz#38e4414fc64977d87afdaa72facb6d29f82f7b5b"
-  integrity sha1-OORBT8ZJd9h6/apy+sttKfgve1s=
-  dependencies:
-    chalk "^1.1.1"
-    object-path "^0.9.0"
-
-through@^2.3.6:
-  version "2.3.8"
-  resolved "https://registry.yarnpkg.com/through/-/through-2.3.8.tgz#0dd4c9ffaabc357960b1b724115d7e0e86a2e1f5"
-  integrity sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=
-
-timers-browserify@^2.0.4:
-  version "2.0.10"
-  resolved "https://registry.yarnpkg.com/timers-browserify/-/timers-browserify-2.0.10.tgz#1d28e3d2aadf1d5a5996c4e9f95601cd053480ae"
-  integrity sha512-YvC1SV1XdOUaL6gx5CoGroT3Gu49pK9+TZ38ErPldOWW4j49GI1HKs9DV+KGq/w6y+LZ72W1c8cKz2vzY+qpzg==
-  dependencies:
-    setimmediate "^1.0.4"
-
-tippy.js@^3.0.6:
-  version "3.0.6"
-  resolved "https://registry.yarnpkg.com/tippy.js/-/tippy.js-3.0.6.tgz#ad29361e96129de582bf4088f00ea8413632ceb4"
-  integrity sha512-/paH+Kf3Caj0J+AlB1Kdg2KFAZ8yJeXZ8hPiwDBfxOLZg3YxDUa2OpMi3ODK8TXSMoPqcGUExCVcc46AmGCxjQ==
-  dependencies:
-    popper.js "^1.14.4"
-
-tmp@^0.0.33:
-  version "0.0.33"
-  resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.0.33.tgz#6d34335889768d21b2bcda0aa277ced3b1bfadf9"
-  integrity sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==
-  dependencies:
-    os-tmpdir "~1.0.2"
-
-to-array@0.1.4:
-  version "0.1.4"
-  resolved "https://registry.yarnpkg.com/to-array/-/to-array-0.1.4.tgz#17e6c11f73dd4f3d74cda7a4ff3238e9ad9bf890"
-  integrity sha1-F+bBH3PdTz10zaek/zI46a2b+JA=
-
-to-arraybuffer@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/to-arraybuffer/-/to-arraybuffer-1.0.1.tgz#7d229b1fcc637e466ca081180836a7aabff83f43"
-  integrity sha1-fSKbH8xjfkZsoIEYCDanqr/4P0M=
-
-to-fast-properties@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/to-fast-properties/-/to-fast-properties-1.0.3.tgz#b83571fa4d8c25b82e231b06e3a3055de4ca1a47"
-  integrity sha1-uDVx+k2MJbguIxsG46MFXeTKGkc=
-
-to-fast-properties@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/to-fast-properties/-/to-fast-properties-2.0.0.tgz#dc5e698cbd079265bc73e0377681a4e4e83f616e"
-  integrity sha1-3F5pjL0HkmW8c+A3doGk5Og/YW4=
-
-to-object-path@^0.3.0:
-  version "0.3.0"
-  resolved "https://registry.yarnpkg.com/to-object-path/-/to-object-path-0.3.0.tgz#297588b7b0e7e0ac08e04e672f85c1f4999e17af"
-  integrity sha1-KXWIt7Dn4KwI4E5nL4XB9JmeF68=
-  dependencies:
-    kind-of "^3.0.2"
-
-to-regex-range@^2.1.0:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/to-regex-range/-/to-regex-range-2.1.1.tgz#7c80c17b9dfebe599e27367e0d4dd5590141db38"
-  integrity sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=
-  dependencies:
-    is-number "^3.0.0"
-    repeat-string "^1.6.1"
-
-to-regex@^3.0.1, to-regex@^3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/to-regex/-/to-regex-3.0.2.tgz#13cfdd9b336552f30b51f33a8ae1b42a7a7599ce"
-  integrity sha512-FWtleNAtZ/Ki2qtqej2CXTOayOH9bHDQF+Q48VpWyDXjbYxA4Yz8iDB31zXOBUlOHHKidDbqGVrTUvQMPmBGBw==
-  dependencies:
-    define-property "^2.0.2"
-    extend-shallow "^3.0.2"
-    regex-not "^1.0.2"
-    safe-regex "^1.1.0"
-
-topo@2.x.x:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/topo/-/topo-2.0.2.tgz#cd5615752539057c0dc0491a621c3bc6fbe1d182"
-  integrity sha1-zVYVdSU5BXwNwEkaYhw7xvvh0YI=
-  dependencies:
-    hoek "4.x.x"
-
-touch@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/touch/-/touch-1.0.0.tgz#449cbe2dbae5a8c8038e30d71fa0ff464947c4de"
-  integrity sha1-RJy+LbrlqMgDjjDXH6D/RklHxN4=
-  dependencies:
-    nopt "~1.0.10"
-
-tough-cookie@~2.3.3:
-  version "2.3.4"
-  resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-2.3.4.tgz#ec60cee38ac675063ffc97a5c18970578ee83655"
-  integrity sha512-TZ6TTfI5NtZnuyy/Kecv+CnoROnyXn2DN97LontgQpCwsX2XyLYCC0ENhYkehSOwAp8rTQKc/NUIF7BkQ5rKLA==
-  dependencies:
-    punycode "^1.4.1"
-
-trim-right@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/trim-right/-/trim-right-1.0.1.tgz#cb2e1203067e0c8de1f614094b9fe45704ea6003"
-  integrity sha1-yy4SAwZ+DI3h9hQJS5/kVwTqYAM=
-
-tryer@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/tryer/-/tryer-1.0.0.tgz#027b69fa823225e551cace3ef03b11f6ab37c1d7"
-  integrity sha1-Antp+oIyJeVRys4+8DsR9qs3wdc=
-
-tty-browserify@0.0.0:
-  version "0.0.0"
-  resolved "https://registry.yarnpkg.com/tty-browserify/-/tty-browserify-0.0.0.tgz#a157ba402da24e9bf957f9aa69d524eed42901a6"
-  integrity sha1-oVe6QC2iTpv5V/mqadUk7tQpAaY=
-
-tunnel-agent@^0.6.0:
-  version "0.6.0"
-  resolved "https://registry.yarnpkg.com/tunnel-agent/-/tunnel-agent-0.6.0.tgz#27a5dea06b36b04a0a9966774b290868f0fc40fd"
-  integrity sha1-J6XeoGs2sEoKmWZ3SykIaPD8QP0=
-  dependencies:
-    safe-buffer "^5.0.1"
-
-tweetnacl@^0.14.3, tweetnacl@~0.14.0:
-  version "0.14.5"
-  resolved "https://registry.yarnpkg.com/tweetnacl/-/tweetnacl-0.14.5.tgz#5ae68177f192d4456269d108afa93ff8743f4f64"
-  integrity sha1-WuaBd/GS1EViadEIr6k/+HQ/T2Q=
-
-type-is@~1.6.15, type-is@~1.6.16:
-  version "1.6.16"
-  resolved "https://registry.yarnpkg.com/type-is/-/type-is-1.6.16.tgz#f89ce341541c672b25ee7ae3c73dee3b2be50194"
-  integrity sha512-HRkVv/5qY2G6I8iab9cI7v1bOIdhm94dVjQCPFElW9W+3GeDOSHmy2EBYe4VTApuzolPcmgFTN3ftVJRKR2J9Q==
-  dependencies:
-    media-typer "0.3.0"
-    mime-types "~2.1.18"
-
-ua-parser-js@0.7.17:
-  version "0.7.17"
-  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.17.tgz#e9ec5f9498b9ec910e7ae3ac626a805c4d09ecac"
-  integrity sha512-uRdSdu1oA1rncCQL7sCj8vSyZkgtL7faaw9Tc9rZ3mGgraQ7+Pdx7w5mnOSF3gw9ZNG6oc+KXfkon3bKuROm0g==
-
-ua-parser-js@^0.7.9:
-  version "0.7.18"
-  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.18.tgz#a7bfd92f56edfb117083b69e31d2aa8882d4b1ed"
-  integrity sha512-LtzwHlVHwFGTptfNSgezHp7WUlwiqb0gA9AALRbKaERfxwJoiX0A73QbTToxteIAuIaFshhgIZfqK8s7clqgnA==
-
-uglify-js@^2.8.29:
-  version "2.8.29"
-  resolved "https://registry.yarnpkg.com/uglify-js/-/uglify-js-2.8.29.tgz#29c5733148057bb4e1f75df35b7a9cb72e6a59dd"
-  integrity sha1-KcVzMUgFe7Th913zW3qcty5qWd0=
-  dependencies:
-    source-map "~0.5.1"
-    yargs "~3.10.0"
-  optionalDependencies:
-    uglify-to-browserify "~1.0.0"
-
-uglify-to-browserify@~1.0.0:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/uglify-to-browserify/-/uglify-to-browserify-1.0.2.tgz#6e0924d6bda6b5afe349e39a6d632850a0f882b7"
-  integrity sha1-bgkk1r2mta/jSeOabWMoUKD4grc=
-
-uglifyjs-webpack-plugin@^0.4.6:
-  version "0.4.6"
-  resolved "https://registry.yarnpkg.com/uglifyjs-webpack-plugin/-/uglifyjs-webpack-plugin-0.4.6.tgz#b951f4abb6bd617e66f63eb891498e391763e309"
-  integrity sha1-uVH0q7a9YX5m9j64kUmOORdj4wk=
-  dependencies:
-    source-map "^0.5.6"
-    uglify-js "^2.8.29"
-    webpack-sources "^1.0.1"
-
-ultron@~1.1.0:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/ultron/-/ultron-1.1.1.tgz#9fe1536a10a664a65266a1e3ccf85fd36302bc9c"
-  integrity sha512-UIEXBNeYmKptWH6z8ZnqTeS8fV74zG0/eRU9VGkpzz+LIJNs8W/zM/L+7ctCkRrgbNnnR0xxw4bKOr0cW0N0Og==
-
-underscore.string@^3.1.1:
-  version "3.3.4"
-  resolved "https://registry.yarnpkg.com/underscore.string/-/underscore.string-3.3.4.tgz#2c2a3f9f83e64762fdc45e6ceac65142864213db"
-  integrity sha1-LCo/n4PmR2L9xF5s6sZRQoZCE9s=
-  dependencies:
-    sprintf-js "^1.0.3"
-    util-deprecate "^1.0.2"
-
-unfetch@^4.0.1:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/unfetch/-/unfetch-4.0.1.tgz#8750c4c7497ade75d40387d7dbc4ba024416b8f6"
-  integrity sha512-HzDM9NgldcRvHVDb/O9vKoUszVij30Yw5ePjOZJig8nF/YisG7QN/9CBXZ8dsHLouXMeLZ82r+Jod9M2wFkEbQ==
-
-union-value@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/union-value/-/union-value-1.0.0.tgz#5c71c34cb5bad5dcebe3ea0cd08207ba5aa1aea4"
-  integrity sha1-XHHDTLW61dzr4+oM0IIHulqhrqQ=
-  dependencies:
-    arr-union "^3.1.0"
-    get-value "^2.0.6"
-    is-extendable "^0.1.1"
-    set-value "^0.4.3"
-
-uniq@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/uniq/-/uniq-1.0.1.tgz#b31c5ae8254844a3a8281541ce2b04b865a734ff"
-  integrity sha1-sxxa6CVIRKOoKBVBzisEuGWnNP8=
-
-uniqs@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/uniqs/-/uniqs-2.0.0.tgz#ffede4b36b25290696e6e165d4a59edb998e6b02"
-  integrity sha1-/+3ks2slKQaW5uFl1KWe25mOawI=
-
-units-css@^0.4.0:
-  version "0.4.0"
-  resolved "https://registry.yarnpkg.com/units-css/-/units-css-0.4.0.tgz#d6228653a51983d7c16ff28f8b9dc3b1ffed3a07"
-  integrity sha1-1iKGU6UZg9fBb/KPi53Dsf/tOgc=
-  dependencies:
-    isnumeric "^0.2.0"
-    viewport-dimensions "^0.2.0"
-
-universal-analytics@^0.4.17:
-  version "0.4.17"
-  resolved "https://registry.yarnpkg.com/universal-analytics/-/universal-analytics-0.4.17.tgz#b57a07e37446ebe4f32872b2152a44cbc5cc4b73"
-  integrity sha512-N2JFymxv4q2N5Wmftc5JCcM5t1tp+sc1kqeDRhDL4XLY5X6PBZ0kav2wvVUZJJMvmSq3WXrmzDu062p+cSFYfQ==
-  dependencies:
-    debug "^3.0.0"
-    request "2.86.0"
-    uuid "^3.0.0"
-
-universalify@^0.1.0:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.1.1.tgz#fa71badd4437af4c148841e3b3b165f9e9e590b7"
-  integrity sha1-+nG63UQ3r0wUiEHjs7Fl+enlkLc=
-
-unpipe@1.0.0, unpipe@~1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/unpipe/-/unpipe-1.0.0.tgz#b2bf4ee8514aae6165b4817829d21b2ef49904ec"
-  integrity sha1-sr9O6FFKrmFltIF4KdIbLvSZBOw=
-
-unset-value@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/unset-value/-/unset-value-1.0.0.tgz#8376873f7d2335179ffb1e6fc3a8ed0dfc8ab559"
-  integrity sha1-g3aHP30jNRef+x5vw6jtDfyKtVk=
-  dependencies:
-    has-value "^0.3.1"
-    isobject "^3.0.0"
-
-upath@^1.0.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/upath/-/upath-1.1.0.tgz#35256597e46a581db4793d0ce47fa9aebfc9fabd"
-  integrity sha512-bzpH/oBhoS/QI/YtbkqCg6VEiPYjSZtrHQM6/QnJS6OL9pKUFLqb3aFh4Scvwm45+7iAgiMkLhSbaZxUqmrprw==
-
-uri-js@^4.2.1:
-  version "4.2.2"
-  resolved "https://registry.yarnpkg.com/uri-js/-/uri-js-4.2.2.tgz#94c540e1ff772956e2299507c010aea6c8838eb0"
-  integrity sha512-KY9Frmirql91X2Qgjry0Wd4Y+YTdrdZheS8TFwvkbLWf/G5KNJDCh6pKL5OZctEW4+0Baa5idK2ZQuELRwPznQ==
-  dependencies:
-    punycode "^2.1.0"
-
-urix@^0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/urix/-/urix-0.1.0.tgz#da937f7a62e21fec1fd18d49b35c2935067a6c72"
-  integrity sha1-2pN/emLiH+wf0Y1Js1wpNQZ6bHI=
-
-url@^0.11.0:
-  version "0.11.0"
-  resolved "https://registry.yarnpkg.com/url/-/url-0.11.0.tgz#3838e97cfc60521eb73c525a8e55bfdd9e2e28f1"
-  integrity sha1-ODjpfPxgUh63PFJajlW/3Z4uKPE=
-  dependencies:
-    punycode "1.3.2"
-    querystring "0.2.0"
-
-use@^3.1.0:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/use/-/use-3.1.0.tgz#14716bf03fdfefd03040aef58d8b4b85f3a7c544"
-  integrity sha512-6UJEQM/L+mzC3ZJNM56Q4DFGLX/evKGRg15UJHGB9X5j5Z3AFbgZvjUh2yq/UJUY4U5dh7Fal++XbNg1uzpRAw==
-  dependencies:
-    kind-of "^6.0.2"
-
-util-deprecate@^1.0.2, util-deprecate@~1.0.1:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf"
-  integrity sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=
-
-util@0.10.3:
-  version "0.10.3"
-  resolved "https://registry.yarnpkg.com/util/-/util-0.10.3.tgz#7afb1afe50805246489e3db7fe0ed379336ac0f9"
-  integrity sha1-evsa/lCAUkZInj23/g7TeTNqwPk=
-  dependencies:
-    inherits "2.0.1"
-
-util@^0.10.3:
-  version "0.10.4"
-  resolved "https://registry.yarnpkg.com/util/-/util-0.10.4.tgz#3aa0125bfe668a4672de58857d3ace27ecb76901"
-  integrity sha512-0Pm9hTQ3se5ll1XihRic3FDIku70C+iHUdT/W926rSgHV5QgXsYbKZN8MSC3tJtSkhuROzvsQjAaFENRXr+19A==
-  dependencies:
-    inherits "2.0.3"
-
-utils-merge@1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.1.tgz#9f95710f50a267947b2ccc124741c1028427e713"
-  integrity sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=
-
-uuid@^3.0.0, uuid@^3.1.0:
-  version "3.2.1"
-  resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.2.1.tgz#12c528bb9d58d0b9265d9a2f6f0fe8be17ff1f14"
-  integrity sha512-jZnMwlb9Iku/O3smGWvZhauCf6cvvpKi4BKRiliS3cxnI+Gz9j5MEpTz2UFuXiKPJocb7gnsLHwiS05ige5BEA==
-
-validate-npm-package-license@^3.0.1:
-  version "3.0.3"
-  resolved "https://registry.yarnpkg.com/validate-npm-package-license/-/validate-npm-package-license-3.0.3.tgz#81643bcbef1bdfecd4623793dc4648948ba98338"
-  integrity sha512-63ZOUnL4SIXj4L0NixR3L1lcjO38crAbgrTpl28t8jjrfuiOBL5Iygm+60qPs/KsZGzPNg6Smnc/oY16QTjF0g==
-  dependencies:
-    spdx-correct "^3.0.0"
-    spdx-expression-parse "^3.0.0"
-
-vary@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/vary/-/vary-1.1.2.tgz#2299f02c6ded30d4a5961b0b9f74524a18f634fc"
-  integrity sha1-IpnwLG3tMNSllhsLn3RSShj2NPw=
-
-vendors@^1.0.0:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/vendors/-/vendors-1.0.2.tgz#7fcb5eef9f5623b156bcea89ec37d63676f21801"
-  integrity sha512-w/hry/368nO21AN9QljsaIhb9ZiZtZARoVH5f3CsFbawdLdayCgKRPup7CggujvySMxx0I91NOyxdVENohprLQ==
-
-verror@1.10.0:
-  version "1.10.0"
-  resolved "https://registry.yarnpkg.com/verror/-/verror-1.10.0.tgz#3a105ca17053af55d6e270c1f8288682e18da400"
-  integrity sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=
-  dependencies:
-    assert-plus "^1.0.0"
-    core-util-is "1.0.2"
-    extsprintf "^1.2.0"
-
-viewport-dimensions@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/viewport-dimensions/-/viewport-dimensions-0.2.0.tgz#de740747db5387fd1725f5175e91bac76afdf36c"
-  integrity sha1-3nQHR9tTh/0XJfUXXpG6x2r982w=
-
-vm-browserify@0.0.4:
-  version "0.0.4"
-  resolved "https://registry.yarnpkg.com/vm-browserify/-/vm-browserify-0.0.4.tgz#5d7ea45bbef9e4a6ff65f95438e0a87c357d5a73"
-  integrity sha1-XX6kW7755Kb/ZflUOOCofDV9WnM=
-  dependencies:
-    indexof "0.0.1"
-
-watchpack@^1.4.0:
-  version "1.6.0"
-  resolved "https://registry.yarnpkg.com/watchpack/-/watchpack-1.6.0.tgz#4bc12c2ebe8aa277a71f1d3f14d685c7b446cd00"
-  integrity sha512-i6dHe3EyLjMmDlU1/bGQpEw25XSjkJULPuAVKCbNRefQVq48yXKUpwg538F7AZTf9kyr57zj++pQFltUa5H7yA==
-  dependencies:
-    chokidar "^2.0.2"
-    graceful-fs "^4.1.2"
-    neo-async "^2.5.0"
-
-webpack-bundle-analyzer@^3.0.3:
-  version "3.0.3"
-  resolved "https://registry.yarnpkg.com/webpack-bundle-analyzer/-/webpack-bundle-analyzer-3.0.3.tgz#dbc7fff8f52058b6714a20fddf309d0790e3e0a0"
-  integrity sha512-naLWiRfmtH4UJgtUktRTLw6FdoZJ2RvCR9ePbwM9aRMsS/KjFerkPZG9epEvXRAw5d5oPdrs9+3p+afNjxW8Xw==
-  dependencies:
-    acorn "^5.7.3"
-    bfj "^6.1.1"
-    chalk "^2.4.1"
-    commander "^2.18.0"
-    ejs "^2.6.1"
-    express "^4.16.3"
-    filesize "^3.6.1"
-    gzip-size "^5.0.0"
-    lodash "^4.17.10"
-    mkdirp "^0.5.1"
-    opener "^1.5.1"
-    ws "^6.0.0"
-
-webpack-sources@^1.0.1:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/webpack-sources/-/webpack-sources-1.1.0.tgz#a101ebae59d6507354d71d8013950a3a8b7a5a54"
-  integrity sha512-aqYp18kPphgoO5c/+NaUvEeACtZjMESmDChuD3NBciVpah3XpMEU9VAAtIaB1BsfJWWTSdv8Vv1m3T0aRk2dUw==
-  dependencies:
-    source-list-map "^2.0.0"
-    source-map "~0.6.1"
-
-webpack@^3.12.0:
-  version "3.12.0"
-  resolved "https://registry.yarnpkg.com/webpack/-/webpack-3.12.0.tgz#3f9e34360370602fcf639e97939db486f4ec0d74"
-  integrity sha512-Sw7MdIIOv/nkzPzee4o0EdvCuPmxT98+vVpIvwtcwcF1Q4SDSNp92vwcKc4REe7NItH9f1S4ra9FuQ7yuYZ8bQ==
-  dependencies:
-    acorn "^5.0.0"
-    acorn-dynamic-import "^2.0.0"
-    ajv "^6.1.0"
-    ajv-keywords "^3.1.0"
-    async "^2.1.2"
-    enhanced-resolve "^3.4.0"
-    escope "^3.6.0"
-    interpret "^1.0.0"
-    json-loader "^0.5.4"
-    json5 "^0.5.1"
-    loader-runner "^2.3.0"
-    loader-utils "^1.1.0"
-    memory-fs "~0.4.1"
-    mkdirp "~0.5.0"
-    node-libs-browser "^2.0.0"
-    source-map "^0.5.3"
-    supports-color "^4.2.1"
-    tapable "^0.2.7"
-    uglifyjs-webpack-plugin "^0.4.6"
-    watchpack "^1.4.0"
-    webpack-sources "^1.0.1"
-    yargs "^8.0.2"
-
-whatwg-fetch@>=0.10.0:
-  version "2.0.4"
-  resolved "https://registry.yarnpkg.com/whatwg-fetch/-/whatwg-fetch-2.0.4.tgz#dde6a5df315f9d39991aa17621853d720b85566f"
-  integrity sha512-dcQ1GWpOD/eEQ97k66aiEVpNnapVj90/+R+SXTPYGHpYBBypfKJEQjLrvMZ7YXbKm21gXd4NcuxUTjiv1YtLng==
-
-when@^3.7.7, when@^3.7.8:
-  version "3.7.8"
-  resolved "https://registry.yarnpkg.com/when/-/when-3.7.8.tgz#c7130b6a7ea04693e842cdc9e7a1f2aa39a39f82"
-  integrity sha1-xxMLan6gRpPoQs3J56Hyqjmjn4I=
-
-whet.extend@~0.9.9:
-  version "0.9.9"
-  resolved "https://registry.yarnpkg.com/whet.extend/-/whet.extend-0.9.9.tgz#f877d5bf648c97e5aa542fadc16d6a259b9c11a1"
-  integrity sha1-+HfVv2SMl+WqVC+twW1qJZucEaE=
-
-which-module@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/which-module/-/which-module-1.0.0.tgz#bba63ca861948994ff307736089e3b96026c2a4f"
-  integrity sha1-u6Y8qGGUiZT/MHc2CJ47lgJsKk8=
-
-which-module@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/which-module/-/which-module-2.0.0.tgz#d9ef07dce77b9902b8a3a8fa4b31c3e3f7e6e87a"
-  integrity sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=
-
-which@^1.2.8, which@^1.2.9:
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/which/-/which-1.3.1.tgz#a45043d54f5805316da8d62f9f50918d3da70b0a"
-  integrity sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==
-  dependencies:
-    isexe "^2.0.0"
-
-wide-align@^1.1.0:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/wide-align/-/wide-align-1.1.3.tgz#ae074e6bdc0c14a431e804e624549c633b000457"
-  integrity sha512-QGkOQc8XL6Bt5PwnsExKBPuMKBxnGxWWW3fU55Xt4feHozMUhdUMaBCk290qpm/wG5u/RSKzwdAC4i51YigihA==
-  dependencies:
-    string-width "^1.0.2 || 2"
-
-window-size@0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/window-size/-/window-size-0.1.0.tgz#5438cd2ea93b202efa3a19fe8887aee7c94f9c9d"
-  integrity sha1-VDjNLqk7IC76Ohn+iIeu58lPnJ0=
-
-window-size@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/window-size/-/window-size-0.2.0.tgz#b4315bb4214a3d7058ebeee892e13fa24d98b075"
-  integrity sha1-tDFbtCFKPXBY6+7okuE/ok2YsHU=
-
-with@^6.0.0:
-  version "6.0.0"
-  resolved "https://registry.yarnpkg.com/with/-/with-6.0.0.tgz#00223660fa0d0aeb4776965e61f902410c4c9d86"
-  integrity sha512-FrwIIWGUkHViaUXWmEvcwKy+eI0ajKh/Xq192o2kwFtSI7lS7xE5O1E2VNurhWE9ZLRDwr6GAAkKDsDIyStUuw==
-  dependencies:
-    babel-runtime "^6.11.6"
-    babel-types "^6.15.0"
-    babylon "^6.9.1"
-    babylon-walk "^1.0.2"
-
-wordwrap@0.0.2:
-  version "0.0.2"
-  resolved "https://registry.yarnpkg.com/wordwrap/-/wordwrap-0.0.2.tgz#b79669bb42ecb409f83d583cad52ca17eaa1643f"
-  integrity sha1-t5Zpu0LstAn4PVg8rVLKF+qhZD8=
-
-wrap-ansi@^2.0.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-2.1.0.tgz#d8fc3d284dd05794fe84973caecdd1cf824fdd85"
-  integrity sha1-2Pw9KE3QV5T+hJc8rs3Rz4JP3YU=
-  dependencies:
-    string-width "^1.0.1"
-    strip-ansi "^3.0.1"
-
-wrappy@1:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/wrappy/-/wrappy-1.0.2.tgz#b5243d8f3ec1aa35f1364605bc0d1036e30ab69f"
-  integrity sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=
-
-write-file-stdout@0.0.2, write-file-stdout@^0.0.2:
-  version "0.0.2"
-  resolved "https://registry.yarnpkg.com/write-file-stdout/-/write-file-stdout-0.0.2.tgz#c252d7c7c5b1b402897630e3453c7bfe690d9ca1"
-  integrity sha1-wlLXx8WxtAKJdjDjRTx7/mkNnKE=
-
-ws@^6.0.0:
-  version "6.0.0"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-6.0.0.tgz#eaa494aded00ac4289d455bac8d84c7c651cef35"
-  integrity sha512-c2UlYcAZp1VS8AORtpq6y4RJIkJ9dQz18W32SpR/qXGfLDZ2jU4y4wKvvZwqbi7U6gxFQTeE+urMbXU/tsDy4w==
-  dependencies:
-    async-limiter "~1.0.0"
-
-ws@~3.3.1:
-  version "3.3.3"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-3.3.3.tgz#f1cf84fe2d5e901ebce94efaece785f187a228f2"
-  integrity sha512-nnWLa/NwZSt4KQJu51MYlCcSQ5g7INpOrOMt4XV8j4dqTXdmlUmSHQ8/oLC069ckre0fRsgfvsKwbTdtKLCDkA==
-  dependencies:
-    async-limiter "~1.0.0"
-    safe-buffer "~5.1.0"
-    ultron "~1.1.0"
-
-xmlhttprequest-ssl@~1.5.4:
-  version "1.5.5"
-  resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz#c2876b06168aadc40e57d97e81191ac8f4398b3e"
-  integrity sha1-wodrBhaKrcQOV9l+gRkayPQ5iz4=
-
-xtend@^4.0.0:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"
-  integrity sha1-pcbVMr5lbiPbgg77lDofBJmNY68=
-
-y18n@^3.2.1:
-  version "3.2.1"
-  resolved "https://registry.yarnpkg.com/y18n/-/y18n-3.2.1.tgz#6d15fba884c08679c0d77e88e7759e811e07fa41"
-  integrity sha1-bRX7qITAhnnA136I53WegR4H+kE=
-
-yallist@^2.1.2:
-  version "2.1.2"
-  resolved "https://registry.yarnpkg.com/yallist/-/yallist-2.1.2.tgz#1c11f9218f076089a47dd512f93c6699a6a81d52"
-  integrity sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI=
-
-yallist@^3.0.0, yallist@^3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/yallist/-/yallist-3.0.2.tgz#8452b4bb7e83c7c188d8041c1a837c773d6d8bb9"
-  integrity sha1-hFK0u36Dx8GI2AQcGoN8dz1ti7k=
-
-yargs-parser@^4.1.0, yargs-parser@^4.2.0:
-  version "4.2.1"
-  resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-4.2.1.tgz#29cceac0dc4f03c6c87b4a9f217dd18c9f74871c"
-  integrity sha1-KczqwNxPA8bIe0qfIX3RjJ90hxw=
-  dependencies:
-    camelcase "^3.0.0"
-
-yargs-parser@^7.0.0:
-  version "7.0.0"
-  resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-7.0.0.tgz#8d0ac42f16ea55debd332caf4c4038b3e3f5dfd9"
-  integrity sha1-jQrELxbqVd69MyyvTEA4s+P139k=
-  dependencies:
-    camelcase "^4.1.0"
-
-yargs@6.4.0:
-  version "6.4.0"
-  resolved "https://registry.yarnpkg.com/yargs/-/yargs-6.4.0.tgz#816e1a866d5598ccf34e5596ddce22d92da490d4"
-  integrity sha1-gW4ahm1VmMzzTlWW3c4i2S2kkNQ=
-  dependencies:
-    camelcase "^3.0.0"
-    cliui "^3.2.0"
-    decamelize "^1.1.1"
-    get-caller-file "^1.0.1"
-    os-locale "^1.4.0"
-    read-pkg-up "^1.0.1"
-    require-directory "^2.1.1"
-    require-main-filename "^1.0.1"
-    set-blocking "^2.0.0"
-    string-width "^1.0.2"
-    which-module "^1.0.0"
-    window-size "^0.2.0"
-    y18n "^3.2.1"
-    yargs-parser "^4.1.0"
-
-yargs@6.6.0:
-  version "6.6.0"
-  resolved "https://registry.yarnpkg.com/yargs/-/yargs-6.6.0.tgz#782ec21ef403345f830a808ca3d513af56065208"
-  integrity sha1-eC7CHvQDNF+DCoCMo9UTr1YGUgg=
-  dependencies:
-    camelcase "^3.0.0"
-    cliui "^3.2.0"
-    decamelize "^1.1.1"
-    get-caller-file "^1.0.1"
-    os-locale "^1.4.0"
-    read-pkg-up "^1.0.1"
-    require-directory "^2.1.1"
-    require-main-filename "^1.0.1"
-    set-blocking "^2.0.0"
-    string-width "^1.0.2"
-    which-module "^1.0.0"
-    y18n "^3.2.1"
-    yargs-parser "^4.2.0"
-
-yargs@^8.0.2:
-  version "8.0.2"
-  resolved "https://registry.yarnpkg.com/yargs/-/yargs-8.0.2.tgz#6299a9055b1cefc969ff7e79c1d918dceb22c360"
-  integrity sha1-YpmpBVsc78lp/355wdkY3Osiw2A=
-  dependencies:
-    camelcase "^4.1.0"
-    cliui "^3.2.0"
-    decamelize "^1.1.1"
-    get-caller-file "^1.0.1"
-    os-locale "^2.0.0"
-    read-pkg-up "^2.0.0"
-    require-directory "^2.1.1"
-    require-main-filename "^1.0.1"
-    set-blocking "^2.0.0"
-    string-width "^2.0.0"
-    which-module "^2.0.0"
-    y18n "^3.2.1"
-    yargs-parser "^7.0.0"
-
-yargs@~3.10.0:
-  version "3.10.0"
-  resolved "https://registry.yarnpkg.com/yargs/-/yargs-3.10.0.tgz#f7ee7bd857dd7c1d2d38c0e74efbd681d1431fd1"
-  integrity sha1-9+572FfdfB0tOMDnTvvWgdFDH9E=
-  dependencies:
-    camelcase "^1.0.2"
-    cliui "^2.1.0"
-    decamelize "^1.0.0"
-    window-size "0.1.0"
-
-yeast@0.1.2:
-  version "0.1.2"
-  resolved "https://registry.yarnpkg.com/yeast/-/yeast-0.1.2.tgz#008e06d8094320c372dbc2f8ed76a0ca6c8ac419"
-  integrity sha1-AI4G2AlDIMNy28L47XagymyKxBk=
diff --git a/website/babel.config.js b/website/babel.config.js
new file mode 100644
index 000000000000..d6135ffb49fe
--- /dev/null
+++ b/website/babel.config.js
@@ -0,0 +1,4 @@
+module.exports = {
+  presets: ['next/babel'],
+  plugins: ['import-glob-array']
+}
diff --git a/website/bootstrap.sh b/website/bootstrap.sh
deleted file mode 100644
index 78bb8b73e59f..000000000000
--- a/website/bootstrap.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-echo "==> installing bundler and middleman"
-gem install bundler middleman --no-ri --no-rdoc
-echo "==> installing ruby dependencies"
-bundle
-echo "==> installing node dependencies"
-cd assets && npm install
diff --git a/website/components/before-after-diagram/img/alert-icon.svg b/website/components/before-after-diagram/img/alert-icon.svg
new file mode 100644
index 000000000000..072e687cde2b
--- /dev/null
+++ b/website/components/before-after-diagram/img/alert-icon.svg
@@ -0,0 +1 @@
+<svg width="24" height="24" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12 22c5.523 0 10-4.477 10-10S17.523 2 12 2 2 6.477 2 12s4.477 10 10 10z" fill="#fff" stroke="#E80134"/><path d="M12 8v4" stroke="#E80134"/><circle cx="12" cy="16" r="1" fill="#E80134"/></svg>
\ No newline at end of file
diff --git a/website/components/before-after-diagram/img/alert-triangle.svg b/website/components/before-after-diagram/img/alert-triangle.svg
new file mode 100644
index 000000000000..c3e948346f42
--- /dev/null
+++ b/website/components/before-after-diagram/img/alert-triangle.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="none"><path stroke="#D2D4DB" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M8.575 4.048L1.517 15.832a1.667 1.667 0 001.425 2.5h14.116a1.667 1.667 0 001.425-2.5L11.425 4.048a1.667 1.667 0 00-2.85 0z" clip-rule="evenodd"/><path stroke="#E80134" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M10 8.332v3.333"/><circle cx="10" cy="15.001" fill="#E80134" r=".833"/></svg>
\ No newline at end of file
diff --git a/website/components/before-after-diagram/img/check-circle-blue.svg b/website/components/before-after-diagram/img/check-circle-blue.svg
new file mode 100644
index 000000000000..d2965895550c
--- /dev/null
+++ b/website/components/before-after-diagram/img/check-circle-blue.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="19" fill="none"><path stroke="#D2D4DB" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M15.75 9.928v.698a7.5 7.5 0 11-4.447-6.855"/><path stroke="#1563FF"   stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M16.5 3.875l-8.25 8.25L6 9.875"/></svg>
\ No newline at end of file
diff --git a/website/components/before-after-diagram/img/check-circle.svg b/website/components/before-after-diagram/img/check-circle.svg
new file mode 100644
index 000000000000..e029eaacc5dc
--- /dev/null
+++ b/website/components/before-after-diagram/img/check-circle.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" fill="none"><path  stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M15.75 9.053v.698a7.5 7.5 0 11-4.447-6.855"/><path  stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M16.5 3l-8.25 8.25L6 9"/></svg>
diff --git a/website/components/before-after-diagram/img/check-icon.svg b/website/components/before-after-diagram/img/check-icon.svg
new file mode 100644
index 000000000000..98e39a99d3fc
--- /dev/null
+++ b/website/components/before-after-diagram/img/check-icon.svg
@@ -0,0 +1 @@
+<svg width="24" height="24" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M12 23C5.925 23 1 18.075 1 12S5.925 1 12 1s11 4.925 11 11-4.925 11-11 11z" fill="#000" stroke="#000"/><path d="M16.666 9.082l-6.416 6.417-2.917-2.917" stroke="#fff"/></svg>
\ No newline at end of file
diff --git a/website/components/before-after-diagram/index.jsx b/website/components/before-after-diagram/index.jsx
new file mode 100644
index 000000000000..ccbe50f2006a
--- /dev/null
+++ b/website/components/before-after-diagram/index.jsx
@@ -0,0 +1,108 @@
+import marked from 'marked'
+import Image from '@hashicorp/react-image'
+import alertIcon from './img/alert-icon.svg?include'
+import checkIcon from './img/check-icon.svg?include'
+
+function BeforeAfterDiagram(props) {
+  const markedOptions = generateMarkedOptions()
+  const {
+    theme,
+    beforeHeadline,
+    beforeContent,
+    beforeImage,
+    afterHeadline,
+    afterContent,
+    afterImage
+  } = props
+  return (
+    <div className={`g-before-after-diagrams ${theme}`}>
+      <div className="before">
+        <div className="image">
+          <div>
+            <Image {...beforeImage} />
+          </div>
+        </div>
+        <div className="content">
+          <span className="line">
+            <span />
+            <div
+              dangerouslySetInnerHTML={{
+                __html: alertIcon
+              }}
+            />
+            <span />
+          </span>
+          <div>
+            {beforeHeadline && (
+              <h3
+                className="g-type-display-3"
+                dangerouslySetInnerHTML={{
+                  __html: marked.inlineLexer(beforeHeadline, [])
+                }}
+              />
+            )}
+            {beforeContent && (
+              <div
+                className="g-type-body-small"
+                dangerouslySetInnerHTML={{
+                  __html: marked(beforeContent, markedOptions)
+                }}
+              />
+            )}
+          </div>
+        </div>
+      </div>
+      <div className="after">
+        <div className="image">
+          <div>
+            <Image {...afterImage} />
+          </div>
+        </div>
+        <div className="content">
+          <div className="line">
+            <div
+              dangerouslySetInnerHTML={{
+                __html: checkIcon
+              }}
+            />
+          </div>
+          <div>
+            {afterHeadline && (
+              <h3
+                className="g-type-display-3"
+                dangerouslySetInnerHTML={{
+                  __html: marked.inlineLexer(afterHeadline, [])
+                }}
+              />
+            )}
+            {afterContent && (
+              <div
+                dangerouslySetInnerHTML={{
+                  __html: marked(afterContent, markedOptions)
+                }}
+              />
+            )}
+          </div>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+export default BeforeAfterDiagram
+
+function generateMarkedOptions() {
+  const markedRenderer = new marked.Renderer()
+
+  markedRenderer.heading = function(text, level) {
+    return `<h${level} class="g-type-label">${text}</h${level}>`
+  }
+  markedRenderer.paragraph = function(text) {
+    return `<p class="g-type-body-small">${text}</p>`
+  }
+  markedRenderer.list = function(text) {
+    return `<ul class="g-type-body-small">${text}</ul>`
+  }
+
+  return { renderer: markedRenderer }
+}
diff --git a/website/components/before-after-diagram/style.css b/website/components/before-after-diagram/style.css
new file mode 100644
index 000000000000..385f97629a8f
--- /dev/null
+++ b/website/components/before-after-diagram/style.css
@@ -0,0 +1,307 @@
+.g-before-after-diagrams {
+  display: flex;
+  flex-wrap: wrap;
+  margin: 0 -16px;
+  position: relative;
+
+  @media (max-width: 1023px) {
+    margin-left: -12px;
+    margin-right: -12px;
+  }
+
+  @media (max-width: 767px) {
+    flex-direction: column;
+    margin-left: 40px;
+    margin-right: 0;
+  }
+
+  & > div {
+    display: flex;
+    flex-direction: column;
+    margin: 0 16px;
+    position: relative;
+    width: calc(50% - 32px);
+
+    @media (max-width: 1023px) {
+      margin: 0 12px;
+      width: calc(50% - 24px);
+    }
+
+    @media (max-width: 767px) {
+      margin: 0;
+      width: 100%;
+    }
+  }
+
+  & .before {
+    @media (max-width: 767px) {
+      margin-bottom: 62px;
+    }
+
+    & li:before {
+      background: url('/img/icons/alert-triangle.svg');
+      height: 20px;
+      margin-top: 3px;
+      width: 20px;
+    }
+  }
+
+  & .after li:before {
+    background: url('/img/icons/check-circle.svg');
+    height: 18px;
+    margin-top: 4px;
+    width: 18px;
+  }
+
+  & .image {
+    align-items: center;
+    display: flex;
+    height: 320px;
+    justify-content: center;
+    margin-bottom: 96px;
+
+    @media (max-width: 767px) {
+      margin-bottom: 40px;
+    }
+
+    @media (max-width: 640px) {
+      height: 284px;
+    }
+
+    @media (max-width: 540px) {
+      height: 238px;
+    }
+
+    @media (max-width: 480px) {
+      height: 211px;
+    }
+
+    @media (max-width: 375px) {
+      height: 163px;
+    }
+
+    & div {
+      height: 100%;
+      text-align: center;
+      width: 100%;
+    }
+
+    & img,
+    & svg {
+      max-height: 100%;
+      max-width: 100%;
+    }
+  }
+
+  & .content {
+    border: 1px solid var(--DEPRECATED-gray-9);
+    padding: 24px 32px 20px;
+    position: relative;
+    flex-grow: 1;
+
+    @media (max-width: 1023px) {
+      padding-left: 24px;
+      padding-right: 24px;
+    }
+
+    @media (max-width: 767px) {
+      padding-left: 20px;
+      padding-right: 20px;
+    }
+
+    &:before,
+    &:after {
+      bottom: 100%;
+      border: solid transparent;
+      content: '';
+      height: 0;
+      left: 50%;
+      width: 0;
+      position: absolute;
+      pointer-events: none;
+    }
+
+    &:before {
+      border-color: rgba(229, 230, 235, 0);
+      border-bottom-color: var(--DEPRECATED-gray-9);
+      border-width: 18px;
+      margin-left: -18px;
+    }
+
+    &:after {
+      border-color: rgba(255, 255, 255, 0);
+      border-bottom-color: var(--white);
+      border-width: 17px;
+      margin-left: -17px;
+    }
+
+    & > div {
+      height: 100%;
+
+      &.line {
+        height: auto;
+      }
+
+      & > div {
+        @media (min-width: 768px) {
+          max-width: 480px;
+          margin: 0 auto;
+        }
+      }
+    }
+  }
+
+  & h3 {
+    border-bottom: 1px solid var(--DEPRECATED-gray-9);
+    color: var(--black);
+    margin: 0 0 24px;
+    padding-bottom: 24px;
+    text-align: center;
+  }
+
+  & h4 {
+    display: block;
+    margin: 24px 0 26px;
+    text-transform: uppercase;
+  }
+
+  & ul {
+    list-style: none;
+    padding-left: 32px;
+    position: relative;
+  }
+
+  & li {
+    margin: 8px 0;
+
+    &:before {
+      background-repeat: no-repeat;
+      content: '';
+      left: 0;
+      position: absolute;
+    }
+  }
+
+  & .line {
+    padding: 0;
+    position: absolute;
+    right: 0;
+    top: -75px;
+    width: 100%;
+
+    @media (max-width: 767px) {
+      left: -28px;
+      height: 100%;
+      right: auto;
+      top: 28px;
+      width: auto;
+    }
+
+    & span {
+      display: block;
+      height: 1px;
+      position: absolute;
+      top: 12px;
+      width: calc(100% - 14px);
+
+      @media (max-width: 767px) {
+        width: 1px;
+      }
+
+      &:first-child {
+        background-image: linear-gradient(
+          90deg,
+          rgba(210, 212, 219, 0) 0%,
+          var(--DEPRECATED-gray-8) 100%
+        );
+        right: calc(50% + 20px);
+        width: calc(50% + 140px);
+
+        @media (max-width: 767px) {
+          background-image: linear-gradient(
+            180deg,
+            rgba(210, 212, 219, 0) 0%,
+            var(--DEPRECATED-gray-8) 100%
+          );
+          height: 245px;
+          right: auto;
+          top: -253px;
+          width: 1px;
+        }
+      }
+
+      &:last-child {
+        background-image: linear-gradient(
+          90deg,
+          var(--DEPRECATED-gray-8) 0%,
+          var(--black) 100%
+        );
+        left: calc(50% + 20px);
+
+        @media (max-width: 767px) {
+          background-image: linear-gradient(
+            180deg,
+            var(--DEPRECATED-gray-8) 0%,
+            var(--black) 100%
+          );
+          height: calc(100% + 375px);
+          left: auto;
+          top: 32px;
+        }
+
+        @media (max-width: 640px) {
+          height: calc(100% + 339px);
+        }
+
+        @media (max-width: 540px) {
+          height: calc(100% + 293px);
+        }
+
+        @media (max-width: 480px) {
+          height: calc(100% + 266px);
+        }
+
+        @media (max-width: 375px) {
+          height: calc(100% + 218px);
+        }
+
+        &:after {
+          border-color: transparent transparent transparent #000000;
+          border-style: solid;
+          border-width: 5.5px 0 5.5px 8px;
+          content: '';
+          height: 0;
+          position: absolute;
+          right: -8px;
+          top: -5px;
+          width: 0;
+
+          @media (max-width: 767px) {
+            transform: rotate(90deg);
+            top: auto;
+            bottom: -8px;
+            right: -4px;
+          }
+        }
+      }
+    }
+
+    & svg {
+      position: absolute;
+      left: 50%;
+      margin: 0 0 0 -11px;
+    }
+  }
+
+  /*
+   * VAULT THEME
+   */
+  &.vault {
+    & .after {
+      & li:before {
+        background: url('/img/icons/check-circle-blue.svg');
+        height: 19px;
+      }
+    }
+  }
+}
diff --git a/website/components/default-head-tags/index.jsx b/website/components/default-head-tags/index.jsx
new file mode 100644
index 000000000000..8b74d581872a
--- /dev/null
+++ b/website/components/default-head-tags/index.jsx
@@ -0,0 +1,65 @@
+import Head from 'next/head'
+
+export default function DefaultHeadTags() {
+  return (
+    <Head>
+      <title key="title">Vault by HashiCorp</title>
+      <meta charSet="utf-8" />
+      <meta httpEquiv="x-ua-compatible" content="ie=edge" />
+      {/* ref: https://www.phpied.com/minimum-viable-sharing-meta-tags/ */}
+      <meta property="og:locale" content="en_US" />
+      <meta property="og:type" content="website" />
+      <meta
+        property="og:site_name"
+        content="Vault by HashiCorp"
+        key="og-name"
+      />
+      <meta name="twitter:site" content="@HashiCorp" />
+      <meta name="twitter:card" content="summary_large_image" />
+      <meta
+        property="article:publisher"
+        content="https://www.facebook.com/HashiCorp/"
+      />
+      <meta
+        name="description"
+        property="og:description"
+        content="Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, auditing, and provides secrets as a service through a unified API."
+        key="description"
+      />
+      <meta
+        property="og:image"
+        content="https://www.vaultproject.io/img/og-image.png"
+        key="image"
+      />
+      <link
+        sizes="16x16"
+        type="image/png"
+        rel="icon"
+        href="https://www.datocms-assets.com/2885/1527033389-favicon.png?h=16&w=16"
+      />
+      <link
+        sizes="32x32"
+        type="image/png"
+        rel="icon"
+        href="https://www.datocms-assets.com/2885/1527033389-favicon.png?h=32&w=32"
+      />
+      <link
+        sizes="96x96"
+        type="image/png"
+        rel="icon"
+        href="https://www.datocms-assets.com/2885/1527033389-favicon.png?h=96&w=96"
+      />
+      <link
+        sizes="192x192"
+        type="image/png"
+        rel="icon"
+        href="https://www.datocms-assets.com/2885/1527033389-favicon.png?h=192&w=192"
+      />
+      <link rel="stylesheet" href="/css/nprogress.css"></link>
+      <link
+        href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700&display=swap"
+        rel="stylesheet"
+      />
+    </Head>
+  )
+}
diff --git a/website/components/docs-page/img/github-icon.svg b/website/components/docs-page/img/github-icon.svg
new file mode 100644
index 000000000000..db631454102e
--- /dev/null
+++ b/website/components/docs-page/img/github-icon.svg
@@ -0,0 +1 @@
+<svg width="23" height="22" xmlns="http://www.w3.org/2000/svg"><path d="M11.608.342C5.535.342.61 5.162.61 11.108c0 4.757 3.152 8.792 7.523 10.215.55.1.751-.233.751-.518 0-.256-.01-.933-.015-1.831-3.06.65-3.705-1.444-3.705-1.444-.5-1.243-1.222-1.574-1.222-1.574-.998-.668.076-.655.076-.655 1.104.076 1.685 1.11 1.685 1.11.981 1.645 2.575 1.17 3.201.894.1-.695.385-1.17.699-1.439-2.443-.271-5.011-1.195-5.011-5.32 0-1.176.429-2.137 1.132-2.89-.113-.272-.49-1.367.108-2.849 0 0 .924-.289 3.025 1.104.877-.24 1.819-.358 2.754-.363.934.005 1.875.124 2.754.363 2.1-1.393 3.022-1.104 3.022-1.104.6 1.482.222 2.577.11 2.85.705.752 1.13 1.713 1.13 2.888 0 4.136-2.572 5.046-5.022 5.313.394.332.746.99.746 1.994 0 1.438-.013 2.6-.013 2.953 0 .288.198.623.756.518 4.368-1.427 7.516-5.46 7.516-10.215 0-5.946-4.925-10.766-11-10.766" fill="#161514" fill-rule="evenodd"/></svg>
\ No newline at end of file
diff --git a/website/components/docs-page/index.jsx b/website/components/docs-page/index.jsx
new file mode 100644
index 000000000000..6670c9834549
--- /dev/null
+++ b/website/components/docs-page/index.jsx
@@ -0,0 +1,60 @@
+import DocsSidenav from '@hashicorp/react-docs-sidenav'
+import Content from '@hashicorp/react-content'
+import InlineSvg from '@hashicorp/react-inline-svg'
+import githubIcon from './img/github-icon.svg?include'
+import Link from 'next/link'
+import Head from 'next/head'
+
+export default function DocsPage({
+  children,
+  path,
+  orderData,
+  frontMatter,
+  category,
+  pageMeta
+}) {
+  return (
+    <div id="p-docs">
+      <Head>
+        <title key="title">{pageMeta.page_title} | Vault by HashiCorp</title>
+        {pageMeta.description && (
+          <meta
+            name="description"
+            property="og:description"
+            content={pageMeta.description}
+            key="description"
+          />
+        )}
+      </Head>
+      <div className="content-wrap g-container">
+        <div id="sidebar" role="complementary">
+          <div className="nav docs-nav">
+            <DocsSidenav
+              currentPage={path}
+              category={category}
+              order={orderData}
+              data={frontMatter}
+              Link={Link}
+            />
+          </div>
+        </div>
+
+        <div id="inner" role="main">
+          <Content product="vault" content={children} />
+        </div>
+      </div>
+      <div id="edit-this-page" className="g-container">
+        <a
+          href={`https://github.com/hashicorp/vault/blob/master/website/pages/${pageMeta.__resourcePath}`}
+        >
+          <InlineSvg src={githubIcon} />
+          <span>Edit this page</span>
+        </a>
+      </div>
+    </div>
+  )
+}
+
+export async function getInitialProps({ asPath }) {
+  return { path: asPath }
+}
diff --git a/website/components/docs-page/style.css b/website/components/docs-page/style.css
new file mode 100644
index 000000000000..567f033bfba6
--- /dev/null
+++ b/website/components/docs-page/style.css
@@ -0,0 +1,77 @@
+#p-docs {
+  & .content-wrap {
+    display: flex;
+    flex-direction: column;
+    flex-wrap: wrap;
+    flex: 1 0 auto;
+    position: relative;
+    width: 100%;
+
+    @media (min-width: 940px) {
+      flex-direction: row;
+      margin-top: 72px;
+      margin-bottom: 24px;
+    }
+  }
+
+  & #inner {
+    margin: 64px 0;
+    overflow: auto;
+    width: 100%;
+
+    @media (min-width: 940px) {
+      flex: 1;
+      margin: 0;
+    }
+
+    & .g-content {
+      @media (max-width: 939px) {
+        padding-left: 0;
+        padding-right: 0;
+      }
+
+      & > h1:first-child {
+        margin-top: 0;
+      }
+    }
+
+    & .g-section-header {
+      margin-bottom: 100px;
+    }
+
+    /* TODO: this should be applied in global styles, temporary override here */
+    & pre,
+    & code {
+      font-size: 0.875em;
+    }
+
+    & pre code {
+      font-size: 1em;
+    }
+  }
+
+  & #edit-this-page {
+    margin-bottom: 48px;
+    display: flex;
+    justify-content: flex-end;
+
+    & a {
+      color: var(--gray-1);
+      display: flex;
+      align-items: center;
+      opacity: 0.5;
+      transition: opacity 0.4s ease;
+      padding-right: 32px;
+
+      &:hover {
+        opacity: 1;
+      }
+
+      & > div {
+        margin-right: 9px;
+        width: 23px;
+        height: 22px;
+      }
+    }
+  }
+}
diff --git a/website/components/subnav/img/carat.svg b/website/components/subnav/img/carat.svg
new file mode 100644
index 000000000000..3fb2ab403469
--- /dev/null
+++ b/website/components/subnav/img/carat.svg
@@ -0,0 +1 @@
+<svg width="8" height="5" fill="none"><path stroke="#000" d="M1 1l3 3 3-3"/></svg>
\ No newline at end of file
diff --git a/website/components/subnav/img/download.svg b/website/components/subnav/img/download.svg
new file mode 100644
index 000000000000..2160eee3014f
--- /dev/null
+++ b/website/components/subnav/img/download.svg
@@ -0,0 +1 @@
+<svg width="14" height="16"><path d="M6.734 11.047a.667.667 0 00.944 0l2.666-2.666a.666.666 0 10-.943-.943L7.873 8.967V1.243a.666.666 0 10-1.334 0v7.724L5.011 7.438a.666.666 0 10-.943.943l2.666 2.666zm7.139.196v2c0 1.102-.897 2-2 2H2.54c-1.103 0-2-.898-2-2v-2a.666.666 0 111.333 0v2c0 .367.299.666.667.666h9.333a.667.667 0 00.667-.666v-2a.666.666 0 111.333 0z"/></svg>
\ No newline at end of file
diff --git a/website/components/subnav/img/github.svg b/website/components/subnav/img/github.svg
new file mode 100644
index 000000000000..16be531142df
--- /dev/null
+++ b/website/components/subnav/img/github.svg
@@ -0,0 +1 @@
+<svg width="20" height="20"><path d="M9.97.271C4.464.271 0 4.736 0 10.241c0 4.404 2.875 8.134 6.789 9.48.49.061.673-.245.673-.49V17.52c-2.753.612-3.364-1.345-3.364-1.345-.428-1.162-1.101-1.468-1.101-1.468-.917-.612.061-.612.061-.612.979.061 1.53 1.04 1.53 1.04.917 1.529 2.323 1.1 2.874.856a2.13 2.13 0 01.611-1.345C5.872 14.4 3.547 13.544 3.547 9.69c0-1.1.367-1.957 1.04-2.69-.061-.184-.428-1.224.122-2.57 0 0 .857-.244 2.753 1.04.795-.244 1.651-.306 2.507-.306.857 0 1.713.123 2.508.306 1.896-1.284 2.752-1.04 2.752-1.04.55 1.346.184 2.386.123 2.63a3.956 3.956 0 011.04 2.692c0 3.853-2.325 4.648-4.527 4.893.367.305.673.917.673 1.834v2.753c0 .244.184.55.673.489A9.98 9.98 0 0020 10.241C19.939 4.736 15.474.27 9.97.27z"/></svg>
\ No newline at end of file
diff --git a/website/components/subnav/index.jsx b/website/components/subnav/index.jsx
new file mode 100644
index 000000000000..3812830a06bc
--- /dev/null
+++ b/website/components/subnav/index.jsx
@@ -0,0 +1,203 @@
+import React, { Component } from 'react'
+import Link from 'next/link'
+import LinkWrap from '@hashicorp/react-link-wrap'
+import InlineSvg from '@hashicorp/react-inline-svg'
+import caratIcon from './img/carat.svg?include'
+import downloadIcon from './img/download.svg?include'
+import githubIcon from './img/github.svg?include'
+
+class ProductSubnav extends Component {
+  constructor(props) {
+    super(props)
+
+    this.state = {
+      fixNav: true,
+      menuOpen: false
+    }
+
+    this.toggleMenu = this.toggleMenu.bind(this)
+    this.openSubmenu = this.openSubmenu.bind(this)
+    this.closeSubmenu = this.closeSubmenu.bind(this)
+  }
+
+  toggleMenu() {
+    this.setState({ menuOpen: !this.state.menuOpen })
+  }
+
+  openSubmenu(e) {
+    const dropdown = e.currentTarget.nextElementSibling
+    dropdown && dropdown.classList.add('open')
+  }
+
+  closeSubmenu(e) {
+    e.currentTarget.parentElement.classList.remove('open')
+  }
+
+  render() {
+    const {
+      rootUrl,
+      buttonText,
+      hideDownloadIcon,
+      buttonExternal,
+      links
+    } = this.props
+    const currentProduct = {
+      slug: 'vault',
+      siteUrl: 'https://www.vaultproject.io',
+      downloadUrl: '/downloads',
+      githubUrl: 'https://github.com/hashicorp/vault',
+      colorLogo: {
+        url: 'https://www.datocms-assets.com/2885/1509990185-vault-dark.svg',
+        alt: 'Vault Logo'
+      }
+    }
+
+    return (
+      <div className={`g-product-subnav ${currentProduct.slug}`}>
+        <div className={`wrapper${this.state.fixed ? ' fixed' : ''}`}>
+          <div className="g-container">
+            <div className="logo-wrapper">
+              <div className="logo">
+                <Link href="/">
+                  <a
+                    data-ga-product-subnav={`Product logo | ${currentProduct.slug}`}
+                  >
+                    <img
+                      src={currentProduct.colorLogo.url}
+                      alt={currentProduct.colorLogo.alt}
+                    />
+                    <h4>
+                      {currentProduct.slug.charAt(0).toUpperCase() +
+                        currentProduct.slug.slice(1)}
+                    </h4>
+                  </a>
+                </Link>
+              </div>
+            </div>
+            <div
+              className={`toggle${currentProduct.downloadUrl ? ' center' : ''}${
+                this.state.menuOpen ? ' open' : ''
+              }`}
+            >
+              <span onClick={this.toggleMenu}>
+                <InlineSvg src={caratIcon} />
+              </span>
+            </div>
+            <div
+              className={`links-wrapper${this.state.menuOpen ? ' open' : ''}`}
+            >
+              <div className="links g-type-body-small-strong">
+                <ul>
+                  {links.map(link => {
+                    if (link.title === '|')
+                      return <li className="divider" key="divider" />
+                    return link.links ? (
+                      <li className="dropdown" key={link.title}>
+                        <span onClick={this.openSubmenu}>
+                          {link.title}
+                          <InlineSvg src={caratIcon} />
+                        </span>
+                        <ul>
+                          <li className="close" onClick={this.closeSubmenu}>
+                            <span>
+                              <InlineSvg src={caratIcon} /> Back
+                            </span>
+                          </li>
+                          <li className="name">{link.title}</li>
+                          {link.links.map(sublink => (
+                            <li key={sublink.title}>
+                              <LinkWrap
+                                Link={Link}
+                                href={resolveLocalUrl(rootUrl, sublink.url)}
+                                {...(sublink.external && {
+                                  rel: 'noopener',
+                                  target: '_blank'
+                                })}
+                                data-ga-product-subnav={`Subnav sublink | ${sublink.title}`}
+                              >
+                                {sublink.title}
+                              </LinkWrap>
+                            </li>
+                          ))}
+                        </ul>
+                      </li>
+                    ) : (
+                      <li key={link.url}>
+                        <LinkWrap
+                          Link={Link}
+                          href={resolveLocalUrl(rootUrl, link.url)}
+                          onClick={this.toggleMenu}
+                          {...(link.external && {
+                            rel: 'noopener',
+                            target: '_blank'
+                          })}
+                          data-ga-product-subnav={`Subnav link | ${link.title}`}
+                        >
+                          {link.title}
+                        </LinkWrap>
+                      </li>
+                    )
+                  })}
+                </ul>
+                <div className="ctas-mobile">
+                  {currentProduct.githubUrl && (
+                    <a className="github g-btn" href={currentProduct.githubUrl}>
+                      <InlineSvg src={githubIcon} /> GitHub
+                    </a>
+                  )}
+                  {currentProduct.downloadUrl && (
+                    <LinkWrap
+                      Link={Link}
+                      className="download g-btn variant-primary brand-vault background-light"
+                      href={resolveLocalUrl(
+                        rootUrl,
+                        currentProduct.downloadUrl
+                      )}
+                      data-ga-product-subnav={`Download mobile | ${currentProduct.slug}`}
+                      {...(buttonExternal && {
+                        rel: 'noopener',
+                        target: '_blank'
+                      })}
+                    >
+                      {!hideDownloadIcon && <InlineSvg src={downloadIcon} />}
+                      <span>{buttonText || 'Download'}</span>
+                    </LinkWrap>
+                  )}
+                </div>
+              </div>
+            </div>
+            <div className="ctas">
+              {currentProduct.githubUrl && (
+                <a className="github" href={currentProduct.githubUrl}>
+                  <InlineSvg src={githubIcon} />
+                </a>
+              )}
+              {currentProduct.downloadUrl && (
+                <LinkWrap
+                  Link={Link}
+                  className="download g-btn variant-primary brand-vault background-light"
+                  href={resolveLocalUrl(rootUrl, currentProduct.downloadUrl)}
+                  data-ga-product-subnav={`Download desktop | ${currentProduct.slug}`}
+                  {...(buttonExternal && { rel: 'noopener', target: '_blank' })}
+                >
+                  {!hideDownloadIcon && <InlineSvg src={downloadIcon} />}
+                  <span>{buttonText || 'Download'}</span>
+                </LinkWrap>
+              )}
+            </div>
+          </div>
+        </div>
+      </div>
+    )
+  }
+}
+
+// This function ensures that if the root url is the same as the link's url,
+// we strip the root and resolve from a relative path, so as to not redirect
+// from the local dev environment to production unexpectedly.
+function resolveLocalUrl(rootUrl, url) {
+  const urlRegex = new RegExp(`^(?:http(?:s)*://)?(?:www.)?${rootUrl}`)
+  return url.replace(/\.html$/, '').replace(urlRegex, '')
+}
+
+export default ProductSubnav
diff --git a/website/components/subnav/style.css b/website/components/subnav/style.css
new file mode 100644
index 000000000000..9abf9fe5b3ff
--- /dev/null
+++ b/website/components/subnav/style.css
@@ -0,0 +1,554 @@
+.g-product-subnav {
+  position: relative;
+  z-index: 75;
+  font-size: 0.875rem;
+  line-height: 1.25rem;
+  font-family: var(--font-body);
+
+  @media (max-width: 1140px) {
+    height: 64px;
+  }
+
+  @media (max-width: 767px) {
+    height: 54px;
+  }
+
+  & .wrapper {
+    padding: 25px 0;
+
+    @media (max-width: 1140px) {
+      background-color: var(--white);
+      padding: 0;
+    }
+
+    &.fixed {
+      @media (max-width: 1140px) {
+        position: fixed;
+        top: 0;
+        left: 0;
+        width: 100%;
+      }
+    }
+  }
+
+  & .g-container {
+    display: flex;
+    align-items: center;
+    height: 100%;
+
+    @media (max-width: 1140px) {
+      justify-content: space-between;
+      height: 64px;
+    }
+
+    @media (max-width: 767px) {
+      height: 54px;
+    }
+  }
+
+  & .dropdown {
+    cursor: pointer;
+
+    @media (min-width: 1140px) {
+      position: relative;
+    }
+
+    &:hover ul {
+      @media (min-width: 1140px) {
+        visibility: visible;
+        opacity: 1;
+      }
+    }
+
+    & ul {
+      display: flex;
+      flex-direction: column;
+      position: absolute;
+      top: 100%;
+      left: 0;
+      visibility: hidden;
+      opacity: 0;
+      list-style: none;
+      background: var(--white);
+      color: var(--DEPRECATED-gray-1);
+      box-shadow: 0px 8px 24px rgba(0, 0, 0, 0.08);
+      min-width: 180px;
+      margin: 0 0 0 -18px;
+      padding: 0;
+      border-radius: 2px;
+      z-index: 4;
+    }
+  }
+
+  & .logo {
+    padding-bottom: 10px;
+    margin-bottom: -13px;
+    margin-right: 32px;
+
+    @media (max-width: 1140px) {
+      margin-right: 0;
+      width: auto;
+    }
+
+    & > a {
+      align-items: center;
+      color: var(--black);
+      display: flex;
+
+      & > img {
+        width: 45px;
+        height: 45px;
+
+        @media (max-width: 1140px) {
+          width: 30px;
+          height: 30px;
+        }
+      }
+
+      & > svg {
+        margin-left: 10px;
+
+        & path {
+          stroke: var(--DEPRECATED-gray-5);
+        }
+
+        @media (max-width: 1140px) {
+          display: none;
+        }
+      }
+    }
+
+    & h4 {
+      display: flex;
+      align-items: center;
+      font-family: var(--font-klavika);
+      font-size: 2.2rem;
+      margin: 0;
+      padding: 6px 0 6px 10px;
+      font-weight: var(--font-weight-bold);
+
+      @media (max-width: 1140px) {
+        font-size: 1.8em;
+      }
+    }
+  }
+
+  & .toggle {
+    display: none;
+
+    @media (max-width: 1140px) {
+      align-items: center;
+      display: flex;
+      position: absolute;
+      right: 20px;
+    }
+
+    &.center {
+      height: 100%;
+      justify-content: center;
+      left: 0;
+      position: absolute;
+      top: 0;
+      width: 100%;
+
+      @media (max-width: 767px) {
+        position: relative;
+      }
+    }
+
+    &.open svg {
+      transform: rotate(-180deg);
+    }
+
+    & span {
+      cursor: pointer;
+      padding: 5px;
+      line-height: 0;
+    }
+
+    & svg {
+      width: 14px;
+      height: 9px;
+      transition: 0.25s ease;
+      transition-property: transform;
+    }
+
+    & path {
+      stroke: var(--brand);
+    }
+  }
+
+  & .links-wrapper {
+    background-color: var(--white);
+    margin-left: auto;
+    margin-right: 32px;
+
+    @media (max-width: 1140px) {
+      position: absolute;
+      top: 100%;
+      left: 0;
+      height: 0;
+      overflow: hidden;
+      transition: 0.25s ease;
+      transition-property: height;
+      z-index: 4;
+      width: 100%;
+    }
+
+    &.open {
+      @media (max-width: 1140px) {
+        overflow-y: visible;
+        height: 100vh;
+      }
+    }
+  }
+
+  & .links {
+    display: flex;
+    font-weight: var(--font-weight-bold);
+    position: relative;
+
+    @media (max-width: 1140px) {
+      display: block;
+      position: absolute;
+      top: 0;
+      left: 0;
+      width: 100%;
+      padding: 10px 24px;
+      overflow-x: hidden;
+    }
+
+    & ul a,
+    & ul span {
+      color: inherit;
+      padding: 0 0 8px;
+      transition: 0.25s ease;
+      transition-property: border-bottom-color;
+
+      @media (max-width: 1140px) {
+        display: block;
+        padding: 12px 0;
+        border-bottom: 1px solid var(--DEPRECATED-gray-9);
+      }
+    }
+
+    & span {
+      @media (max-width: 1140px) {
+        display: flex;
+        justify-content: space-between;
+        align-items: center;
+      }
+    }
+
+    & > ul {
+      list-style: none;
+      padding: 0;
+      margin: 0;
+      display: flex;
+      flex-direction: row;
+      justify-content: space-between;
+      align-items: center;
+
+      @media (max-width: 1140px) {
+        flex-direction: column;
+        justify-content: flex-start;
+        font-size: 1.125rem;
+        line-height: 1.75rem;
+        font-weight: normal;
+      }
+
+      & + ul {
+        @media (min-width: 1140px) {
+          border-left: 1px solid var(--DEPRECATED-gray-8);
+          padding-left: 24px;
+          margin-left: 24px;
+        }
+
+        @media (min-width: 1200px) {
+          padding-left: 32px;
+          margin-left: 32px;
+        }
+      }
+
+      & > li {
+        margin-right: 35px;
+
+        @media (max-width: 1140px) {
+          margin-right: 28px;
+        }
+
+        @media (max-width: 1140px) {
+          margin-right: 0;
+        }
+
+        &:last-child {
+          @media (min-width: 1140px) {
+            margin-right: 0;
+          }
+        }
+
+        & > a,
+        & > span {
+          @media (min-width: 1140px) {
+            border-bottom: 2px solid transparent;
+          }
+        }
+
+        & .selected,
+        & > a:hover {
+          @media (min-width: 1140px) {
+            border-bottom-color: var(--brand);
+          }
+        }
+      }
+    }
+
+    & .dropdown {
+      & > span > div {
+        margin: -2px 0 0 8px;
+        float: right;
+
+        @media (max-width: 1140px) {
+          display: inline-block;
+          float: none;
+          margin: 0;
+          transform: rotate(-90deg);
+          width: 12px;
+        }
+      }
+
+      & path {
+        stroke: var(--DEPRECATED-gray-6);
+
+        @media (max-width: 1140px) {
+          stroke: var(--DEPRECATED-gray-1);
+        }
+      }
+
+      & ul {
+        transition: 0.25s ease;
+        transition-property: left, opacity, visibility;
+        margin: 6px 0 0 -23px;
+        padding: 15px 29px 15px 24px;
+
+        @media (max-width: 1140px) {
+          visibility: visible;
+          opacity: 1;
+          position: absolute;
+          top: 0;
+          bottom: 0;
+          left: 100%;
+          padding: 10px 24px;
+          margin: 0;
+          width: 100%;
+          box-shadow: none;
+        }
+
+        &.open {
+          @media (max-width: 1140px) {
+            left: 0;
+          }
+        }
+      }
+
+      & li {
+        @media (min-width: 1140px) {
+          margin: 9px 0;
+        }
+
+        &.close,
+        &.name {
+          @media (min-width: 1140px) {
+            display: none;
+          }
+        }
+
+        &.close {
+          & span {
+            justify-content: flex-start;
+          }
+
+          & div {
+            display: inline-block;
+          }
+
+          & svg {
+            margin: 2px 12px 3px 0;
+            transform: rotate(90deg);
+          }
+        }
+
+        &.name {
+          border: none;
+          color: var(--DEPRECATED-gray-5);
+          font-weight: var(--font-weight-bold);
+          font-size: 0.75rem;
+          letter-spacing: 0.03125rem;
+          text-transform: uppercase;
+          padding: 24px 0 12px;
+        }
+
+        & a,
+        & span {
+          white-space: nowrap;
+
+          @media (min-width: 1140px) {
+            border: none;
+          }
+
+          &:hover {
+            @media (min-width: 1140px) {
+              color: var(--DEPRECATED-gray-3);
+            }
+          }
+        }
+      }
+    }
+  }
+
+  & .divider {
+    border-left: 1px solid #d2d4db;
+    width: 1px;
+    height: 100%;
+  }
+
+  & .ctas-mobile,
+  & .ctas {
+    & .download,
+    & .github {
+      font-size: 0.875rem;
+      border-radius: 2px;
+      display: flex;
+      align-items: center;
+
+      & > div {
+        line-height: 0;
+      }
+    }
+
+    & .download {
+      color: var(--white);
+      border: none;
+
+      & path {
+        fill: var(--white);
+      }
+    }
+
+    & .github {
+      border: 1px solid var(--DEPRECATED-gray-8);
+      transition: 0.25s ease;
+      transition-property: transform;
+      color: inherit;
+
+      & path {
+        fill: var(--DEPRECATED-gray-1);
+      }
+    }
+  }
+
+  & .ctas {
+    display: flex;
+
+    & .github {
+      padding: 7px;
+      height: 2.25rem;
+      width: 2.25rem;
+
+      @media (max-width: 1140px) {
+        display: none;
+      }
+
+      &:hover {
+        transform: translateY(-1px);
+
+        & path {
+          fill: var(--DEPRECATED-gray-3);
+        }
+      }
+    }
+
+    & .download {
+      margin-left: 16px;
+      padding: 10px 15px 10px 12px;
+      white-space: nowrap;
+
+      @media (max-width: 1140px) {
+        background: none;
+        color: inherit;
+        padding: 0;
+        border-bottom: 2px solid transparent;
+        margin-left: 0;
+      }
+
+      &:hover {
+        @media (max-width: 1140px) {
+          color: var(--DEPRECATED-gray-5);
+          transform: none;
+        }
+
+        &:after {
+          @media (max-width: 1140px) {
+            display: none;
+          }
+        }
+      }
+
+      & div {
+        margin-right: 8px;
+        line-height: 0;
+
+        @media (max-width: 767px) {
+          display: none;
+        }
+      }
+
+      & path {
+        fill: var(--white);
+
+        @media (max-width: 1140px) {
+          fill: var(--brand);
+        }
+      }
+
+      & span {
+        line-height: 1em;
+      }
+    }
+  }
+
+  & .ctas-mobile {
+    margin: 56px 0 28px;
+
+    @media (min-width: 1140px) {
+      display: none;
+    }
+
+    & a {
+      display: flex;
+      align-items: center;
+      justify-content: center;
+
+      & + a {
+        margin-top: 16px;
+      }
+
+      &.github {
+        padding: 13px;
+        background: transparent;
+
+        & > div {
+          line-height: 0;
+        }
+      }
+
+      &.download {
+        padding: 14px;
+      }
+
+      & svg {
+        margin-right: 8px;
+      }
+    }
+  }
+}
diff --git a/website/components/use-case-cta-section/index.jsx b/website/components/use-case-cta-section/index.jsx
new file mode 100644
index 000000000000..8f6156c04007
--- /dev/null
+++ b/website/components/use-case-cta-section/index.jsx
@@ -0,0 +1,23 @@
+export default function UseCaseCtaSection() {
+  return (
+    <section className="g-section-block g-cta-section">
+      <div>
+        <h2>Ready to get started?</h2>
+        <a className="g-btn white download" href="/downloads.html">
+          <svg
+            xmlns="http://www.w3.org/2000/svg"
+            width="20"
+            height="22"
+            viewBox="0 0 20 22"
+          >
+            <path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"></path>
+          </svg>
+          Download
+        </a>
+        <a className="g-btn white-outline" href="/docs">
+          Explore Docs
+        </a>
+      </div>
+    </section>
+  )
+}
diff --git a/website/components/use-case-cta-section/style.css b/website/components/use-case-cta-section/style.css
new file mode 100644
index 000000000000..4392c4272402
--- /dev/null
+++ b/website/components/use-case-cta-section/style.css
@@ -0,0 +1,49 @@
+.g-section-block.g-cta-section {
+  -webkit-box-align: center;
+  align-items: center;
+  background: var(--gray-2);
+  display: -webkit-box;
+  display: flex;
+  -webkit-box-pack: center;
+  justify-content: center;
+  padding-left: 15px;
+  padding-right: 15px;
+  position: relative;
+  text-align: center;
+  color: var(--white);
+
+  & .g-btn.white {
+    background: var(--white);
+    border: 2px solid var(--white);
+    color: var(--gray-2);
+
+    &:hover {
+      background-color: var(--gray-1);
+      border-color: var(--gray-1);
+      color: var(--white);
+
+      & path {
+        fill: var(--white);
+      }
+    }
+  }
+
+  & .g-btn.white-outline {
+    background: none;
+    border: 2px solid var(--white);
+    color: var(--white);
+
+    &:hover {
+      background-color: var(--white);
+      color: var(--gray-2);
+    }
+  }
+
+  & .g-btn.download svg {
+    margin: 0 4px -4px 0;
+  }
+
+  & .g-btn + .g-btn {
+    margin-left: 18px;
+  }
+}
diff --git a/website/config.rb b/website/config.rb
deleted file mode 100644
index 4ce61f78f1fc..000000000000
--- a/website/config.rb
+++ /dev/null
@@ -1,182 +0,0 @@
-set :product_name, "Vault"
-set :base_url, "https://www.vaultproject.io/"
-
-# Middleware for rendering preact components
-use ReshapeMiddleware, component_file: "assets/reshape.js"
-
-activate :hashicorp do |h|
-  h.name         = "vault"
-  h.version      = "1.3.1"
-  h.github_slug  = "hashicorp/vault"
-  h.website_root = "website"
-  h.releases_enabled = true
-  h.datocms_api_key = '78d2968c99a076419fbb'
-end
-
-# Netlify redirects/headers
-proxy '_redirects', 'netlify-redirects', ignore: true
-
-helpers do
-  # Formats and filters a category of docs for the sidebar component
-  def get_sidebar_data(category)
-    sitemap.resources.select { |resource|
-      !!Regexp.new("^#{category}").match(resource.path)
-    }.map { |resource|
-      {
-        path: resource.path,
-        data: resource.data.to_hash.tap { |a| a.delete 'description'; a }
-      }
-    }
-  end
-
-  # Returns the FQDN of the image URL.
-  # @param [String] path
-  # @return [String]
-  def image_url(path)
-    File.join(config[:base_url], "/img/#{path}")
-  end
-
-  # Get the title for the page.
-  #
-  # @param [Middleman::Page] page
-  #
-  # @return [String]
-  def title_for(page)
-    if page && page.data.page_title
-      return "#{page.data.page_title} - Vault by HashiCorp"
-    end
-
-     "Vault by HashiCorp"
-   end
-
-  # Get the description for the page
-  #
-  # @param [Middleman::Page] page
-  #
-  # @return [String]
-  def description_for(page)
-    description = (page.data.description || "")
-      .gsub('"', '')
-      .gsub(/\n+/, ' ')
-      .squeeze(' ')
-
-    return escape_html(description)
-  end
-
-  # This helps by setting the "active" class for sidebar nav elements
-  # if the YAML frontmatter matches the expected value.
-  def sidebar_current(expected)
-    current = current_page.data.sidebar_current || ""
-    if current.start_with?(expected)
-      return " class=\"active\""
-    else
-      return ""
-    end
-  end
-
-  # Returns the id for this page.
-  # @return [String]
-  def body_id_for(page)
-    if !(name = page.data.sidebar_current).blank?
-      return "page-#{name.strip}"
-    end
-    if page.url == "/" || page.url == "/index.html"
-      return "page-home"
-    end
-    if page.path.include? "use-cases"
-      return "use-cases"
-    end
-    if !(title = page.data.page_title).blank?
-      return title
-        .downcase
-        .gsub('"', '')
-        .gsub(/[^\w]+/, '-')
-        .gsub(/_+/, '-')
-        .squeeze('-')
-        .squeeze(' ')
-    end
-    return ""
-  end
-
-  # Returns the list of classes for this page.
-  # @return [String]
-  def body_classes_for(page)
-    classes = []
-
-    if !(layout = page.data.layout).blank?
-      classes << "layout-#{page.data.layout}"
-    end
-
-    if !(title = page.data.page_title).blank?
-      title = title
-        .downcase
-        .gsub('"', '')
-        .gsub(/[^\w]+/, '-')
-        .gsub(/_+/, '-')
-        .squeeze('-')
-        .squeeze(' ')
-      classes << "page-#{title}"
-    end
-
-    return classes.join(" ")
-  end
-
-  # Returns data / attributes used by the product subnav component.
-  # @return [Object]
-  def getSubNavData
-    return {
-      current_path: current_page.path,
-      products: dato.enterprise_products.map(&:to_hash),
-      subnav: {
-        tdm_focused_links: [
-          {
-            title: "Intro",
-            url: "/intro"
-          },
-          {
-            item_type: "dropdown_link",
-            title: "Use Cases",
-            links: [{
-              title: "Secrets Management",
-              url: "/use-cases/secrets-management"
-            },
-            {
-              title: "Data Encryption",
-              url: "/use-cases/data-encryption"
-            }, {
-              title: "Identity-based Access",
-              url: "/use-cases/identity-based-access"
-            }]
-          },
-          {
-            title: "Enterprise",
-            url: "https://www.hashicorp.com/products/vault/enterprise"
-          },
-          {
-            title: "Whitepaper",
-            url: "https://www.hashicorp.com/resources/unlocking-the-cloud-operating-model-security?utm_source=vaultsubnav"
-          }
-        ],
-        practitioner_focused_links: [
-          {
-            title: "Learn",
-            url: "https://learn.hashicorp.com/vault"
-          },
-          {
-            title: "Docs",
-            url: "/docs"
-          },
-          {
-            title: "API",
-            url: "/api"
-          },
-          {
-            title: "Community",
-            url: "/community"
-          }
-        ],
-        product: dato.vault_product_page.subnav.product.to_hash
-      }
-    }
-  end
-end
diff --git a/website/data/api-navigation.js b/website/data/api-navigation.js
new file mode 100644
index 000000000000..4178d7b4379f
--- /dev/null
+++ b/website/data/api-navigation.js
@@ -0,0 +1,153 @@
+// The root folder for this documentation category is `pages/api-docs`
+//
+// - A string refers to the name of a file
+// - A "category" value refers to the name of a directory
+// - All directories must have an "index.mdx" file to serve as
+//   the landing page for the category
+
+export default [
+  'index',
+  'libraries',
+  'relatedtools',
+  '------------',
+  {
+    category: 'secret',
+    content: [
+      { category: 'ad' },
+      { category: 'alicloud' },
+      { category: 'aws' },
+      { category: 'azure' },
+      { category: 'consul' },
+      { category: 'cubbyhole' },
+      {
+        category: 'databases',
+        content: [
+          'cassandra',
+          'elasticdb',
+          'influxdb',
+          'hanadb',
+          'mongodb',
+          'mssql',
+          'mysql-maria',
+          'postgresql',
+          'oracle'
+        ]
+      },
+      { category: 'gcp' },
+      { category: 'gcpkms' },
+      { category: 'kmip' },
+      {
+        category: 'kv',
+        content: ['kv-v1', 'kv-v2']
+      },
+      {
+        category: 'identity',
+        content: [
+          'entity',
+          'entity-alias',
+          'group',
+          'group-alias',
+          'tokens',
+          'lookup'
+        ]
+      },
+      { category: 'nomad' },
+      { category: 'pki' },
+      { category: 'rabbitmq' },
+      { category: 'ssh' },
+      { category: 'totp' },
+      { category: 'transit' },
+      '-----------------------',
+      { category: 'cassandra' },
+      { category: 'mongodb' },
+      { category: 'mssql' },
+      { category: 'mysql' },
+      { category: 'postgresql' }
+    ]
+  },
+  {
+    category: 'auth',
+    content: [
+      { category: 'alicloud' },
+      { category: 'approle' },
+      { category: 'aws' },
+      { category: 'azure' },
+      { category: 'cf' },
+      { category: 'github' },
+      { category: 'gcp' },
+      { category: 'jwt' },
+      { category: 'kerberos' },
+      { category: 'kubernetes' },
+      { category: 'ldap' },
+      { category: 'oci' },
+      { category: 'okta' },
+      { category: 'radius' },
+      { category: 'cert' },
+      { category: 'token' },
+      { category: 'userpass' },
+      { category: 'app-id' }
+    ]
+  },
+  {
+    category: 'system',
+    content: [
+      'audit',
+      'audit-hash',
+      'auth',
+      'capabilities',
+      'capabilities-accessor',
+      'capabilities-self',
+      'config-auditing',
+      'config-control-group',
+      'config-cors',
+      'config-state',
+      'config-ui',
+      'control-group',
+      'generate-root',
+      'health',
+      'host-info',
+      'init',
+      'internal-specs-openapi',
+      'internal-ui-mounts',
+      'key-status',
+      'leader',
+      'leases',
+      'license',
+      'metrics',
+      {
+        category: 'mfa',
+        content: ['duo', 'okta', 'pingid', 'totp']
+      },
+      'mounts',
+      'namespaces',
+      'plugins-reload-backend',
+      'plugins-catalog',
+      'policy',
+      'policies',
+      'pprof',
+      'raw',
+      'rekey',
+      'rekey-recovery-key',
+      'remount',
+      {
+        category: 'replication',
+        content: ['replication-performance', 'replication-dr']
+      },
+      'rotate',
+      'seal',
+      'seal-status',
+      'sealwrap-rewrap',
+      'step-down',
+      {
+        category: 'storage',
+        content: ['raft']
+      },
+      'tools',
+      'unseal',
+      'wrapping-lookup',
+      'wrapping-rewrap',
+      'wrapping-unwrap',
+      'wrapping-wrap'
+    ]
+  }
+]
diff --git a/website/data/api_basic_categories.yml b/website/data/api_basic_categories.yml
deleted file mode 100644
index e7f72a644634..000000000000
--- a/website/data/api_basic_categories.yml
+++ /dev/null
@@ -1,16 +0,0 @@
--
-  title: "Overview"
-  description: "Topics related to developing applications with the Vault API, including client libraries and related tools."
-  link: "/api/overview"
--
-  title: "Secrets Engines"
-  description: "Functions related to managing secrets and secrets engines."
-  link: "/api/secret"
--
-  title: "Auth Methods"
-  description: "Functions related to configuring how users and applications authenticate into Vault."
-  link: "/api/auth"
--
-  title: "System Backends"
-  description: "Functions related to managing Vault's configuration, including replication, storage, and managing Vault's unseal processes."
-  link: "/api/system"
diff --git a/website/data/api_detailed_categories.yml b/website/data/api_detailed_categories.yml
deleted file mode 100644
index 030e8dcbb67d..000000000000
--- a/website/data/api_detailed_categories.yml
+++ /dev/null
@@ -1,92 +0,0 @@
--
-  title: "Auth Methods"
-  docs:
-    - api/auth/index.html
-    - api/auth/approle/index.html
-    - api/auth/alicloud/index.html
-    - api/auth/aws/index.html
-    - api/auth/azure/index.html
-    - api/auth/github/index.html
-    - api/auth/gcp/index.html
-    - api/auth/jwt/index.html
-    - api/auth/kubernetes/index.html
-    - api/auth/ldap/index.html
-    - api/auth/okta/index.html
-    - api/auth/cf/index.html
-    - api/auth/oci/index.html
-    - api/auth/radius/index.html
-    - api/auth/cert/index.html
-    - api/auth/token/index.html
-    - api/auth/userpass/index.html
--
-  title: "Secret Engines"
-  docs:
-    - api/secret/index.html
-    - api/secret/ad/index.html
-    - api/secret/alicloud/index.html
-    - api/secret/aws/index.html
-    - api/secret/azure/index.html
-    - api/secret/consul/index.html
-    - api/secret/cubbyhole/index.html
-    - api/secret/databases/index.html
-    - api/secret/gcp/index.html
-    - api/secret/gcpkms/index.html
-    - api/secret/kmip/index.html
-    - api/secret/kv/index.html
-    - api/secret/identity/index.html
-    - api/secret/nomad/index.html
-    - api/secret/pki/index.html
-    - api/secret/rabbitmq/index.html
-    - api/secret/ssh/index.html
-    - api/secret/totp/index.html
-    - api/secret/transit/index.html
--
-  title: "System Backends"
-  docs:
-    - api/system/index.html
-    - api/system/audit.html
-    - api/system/audit-hash.html
-    - api/system/auth.html
-    - api/system/capabilities.html
-    - api/system/capabilities-accessor.html
-    - api/system/capabilities-self.html
-    - api/system/config-auditing.html
-    - api/system/config-control-group.html
-    - api/system/config-cors.html
-    - api/system/config-state.html
-    - api/system/config-ui.html
-    - api/system/control-group.html
-    - api/system/generate-recovery-token.html
-    - api/system/generate-root.html
-    - api/system/health.html
-    - api/system/host-info.html
-    - api/system/init.html
-    - api/system/internal-specs-openapi.html
-    - api/system/internal-ui-mounts.html
-    - api/system/key-status.html
-    - api/system/leader.html
-    - api/system/leases.html
-    - api/system/license.html
-    - api/system/namespaces.html
-    - api/system/mfa/index.html
-    - api/system/mounts.html
-    - api/system/plugins-reload-backend.html
-    - api/system/plugins-catalog.html
-    - api/system/policy.html
-    - api/system/policies.html
-    - api/system/pprof.html
-    - api/system/raw.html
-    - api/system/rekey.html
-    - api/system/rekey-recovery-key.html
-    - api/system/remount.html
-    - api/system/replication/index.html
-    - api/system/rotate.html
-    - api/system/seal.html
-    - api/system/seal-status.html
-    - api/system/step-down.html
-    - api/system/tools.html
-    - api/system/unseal.html
-    - api/system/wrapping-lookup.html
-    - api/system/wrapping-rewrap.html
-    - api/system/wrapping-unwrap.html
-    - api/system/wrapping-wrap.html
diff --git a/website/data/docs-navigation.js b/website/data/docs-navigation.js
new file mode 100644
index 000000000000..33b23241d1a3
--- /dev/null
+++ b/website/data/docs-navigation.js
@@ -0,0 +1,391 @@
+// The root folder for this documentation category is `pages/docs`
+//
+// - A string refers to the name of a file
+// - A "category" value refers to the name of a directory
+// - All directories must have an "index.mdx" file to serve as
+//   the landing page for the category
+
+export default [
+  {
+    category: 'install'
+  },
+  {
+    category: 'internals',
+    content: [
+      'architecture',
+      'high-availability',
+      'security',
+      'telemetry',
+      'token',
+      'rotation',
+      'replication',
+      'plugins'
+    ]
+  },
+  {
+    category: 'concepts',
+    content: [
+      'dev-server',
+      'seal',
+      'lease',
+      'auth',
+      'tokens',
+      'response-wrapping',
+      'policies',
+      'ha',
+      'pgp-gpg-keybase',
+      'recovery-mode'
+    ]
+  },
+  {
+    category: 'configuration',
+    content: [
+      {
+        category: 'listener',
+        content: ['tcp']
+      },
+      {
+        category: 'seal',
+        content: [
+          'alicloudkms',
+          'awskms',
+          'azurekeyvault',
+          'gcpckms',
+          'ocikms',
+          'pkcs11',
+          'transit'
+        ]
+      },
+      {
+        category: 'storage',
+        content: [
+          'azure',
+          'cassandra',
+          'cockroachdb',
+          'consul',
+          'couchdb',
+          'dynamodb',
+          'etcd',
+          'filesystem',
+          'foundationdb',
+          'google-cloud-spanner',
+          'google-cloud-storage',
+          'in-memory',
+          'manta',
+          'mssql',
+          'mysql',
+          'oci-object-storage',
+          'postgresql',
+          'raft',
+          's3',
+          'swift',
+          'zookeeper'
+        ]
+      },
+      {
+        category: 'service-registration',
+        content: ['consul']
+      },
+      'telemetry',
+      { category: 'ui' },
+      { category: 'entropy-augmentation' }
+    ]
+  },
+  {
+    category: 'commands',
+    content: [
+      'agent',
+      {
+        category: 'audit',
+        content: ['disable', 'enable', 'list']
+      },
+      {
+        category: 'auth',
+        content: ['disable', 'enable', 'help', 'list', 'tune']
+      },
+      'debug',
+      'delete',
+      {
+        category: 'kv',
+        content: [
+          'delete',
+          'destroy',
+          'enable-versioning',
+          'get',
+          'list',
+          'metadata',
+          'patch',
+          'put',
+          'rollback',
+          'undelete'
+        ]
+      },
+      {
+        category: 'lease',
+        content: ['renew', 'revoke']
+      },
+      'list',
+      'login',
+      'namespace',
+      {
+        category: 'operator',
+        content: [
+          'generate-root',
+          'init',
+          'key-status',
+          'migrate',
+          'rekey',
+          'rotate',
+          'seal',
+          'step-down',
+          'unseal'
+        ]
+      },
+      'path-help',
+      {
+        category: 'plugin',
+        content: ['deregister', 'info', 'list', 'register']
+      },
+      {
+        category: 'policy',
+        content: ['delete', 'fmt', 'list', 'read', 'write']
+      },
+      'read',
+      {
+        category: 'secrets',
+        content: ['disable', 'enable', 'list', 'move', 'tune']
+      },
+      'server',
+      'ssh',
+      'status',
+      {
+        category: 'token',
+        content: ['capabilities', 'create', 'lookup', 'renew', 'revoke']
+      },
+      'unwrap',
+      'version',
+      'write',
+      'token-helper'
+    ]
+  },
+  {
+    category: 'agent',
+    content: [
+      {
+        category: 'autoauth',
+        content: [
+          {
+            category: 'methods',
+            content: [
+              'alicloud',
+              'approle',
+              'aws',
+              'azure',
+              'cert',
+              'cf',
+              'gcp',
+              'jwt',
+              'kubernetes'
+            ]
+          },
+          {
+            category: 'sinks',
+            content: ['file']
+          }
+        ]
+      },
+      { category: 'caching' },
+      { category: 'template' }
+    ]
+  },
+  '----------------',
+  {
+    category: 'secrets',
+    content: [
+      { category: 'ad' },
+      { category: 'alicloud' },
+      { category: 'aws' },
+      { category: 'azure' },
+      { category: 'consul' },
+      { category: 'cubbyhole' },
+      {
+        category: 'databases',
+        content: [
+          'cassandra',
+          'elasticdb',
+          'influxdb',
+          'hanadb',
+          'mongodb',
+          'mssql',
+          'mysql-maria',
+          'postgresql',
+          'oracle',
+          'custom'
+        ]
+      },
+      { category: 'gcp' },
+      { category: 'gcpkms' },
+      { category: 'kmip' },
+      {
+        category: 'kv',
+        content: ['kv-v1', 'kv-v2']
+      },
+      { category: 'identity' },
+      { category: 'nomad' },
+      { category: 'pki' },
+      { category: 'rabbitmq' },
+      {
+        category: 'ssh',
+        content: [
+          'signed-ssh-certificates',
+          'one-time-ssh-passwords',
+          'dynamic-ssh-keys'
+        ]
+      },
+      { category: 'totp' },
+      { category: 'transit' },
+      '------------------------',
+      { category: 'cassandra' },
+      { category: 'mongodb' },
+      { category: 'mssql' },
+      { category: 'mysql' },
+      { category: 'postgresql' }
+    ]
+  },
+  {
+    category: 'auth',
+    content: [
+      'approle',
+      'alicloud',
+      'aws',
+      'azure',
+      'cf',
+      'gcp',
+      'jwt',
+      'kerberos',
+      'kubernetes',
+      'github',
+      'ldap',
+      'oci',
+      'okta',
+      'radius',
+      'cert',
+      'token',
+      'userpass',
+      '---------',
+      'app-id',
+      'mfa'
+    ]
+  },
+  {
+    category: 'audit',
+    content: ['file', 'syslog', 'socket']
+  },
+  {
+    category: 'plugin'
+  },
+  '----------------',
+  {
+    category: 'what-is-vault'
+  },
+  {
+    category: 'use-cases'
+  },
+  {
+    category: 'partnerships'
+  },
+  {
+    category: 'vs',
+    content: [
+      'chef-puppet-etc',
+      'hsm',
+      'dropbox',
+      'consul',
+      'kms',
+      'keywhiz',
+      'custom'
+    ]
+  },
+  '----------------',
+  {
+    category: 'platform',
+    content: [
+      {
+        category: 'k8s',
+        content: [
+          {
+            category: 'helm',
+            content: ['run', 'configuration', 'examples']
+          },
+          {
+            category: 'injector',
+            content: ['installation', 'examples']
+          }
+        ]
+      },
+      {
+        category: 'aws-mp',
+        content: ['run']
+      }
+    ]
+  },
+  '----------------',
+  {
+    category: 'upgrading',
+    content: [
+      'plugins',
+      'upgrade-to-0.5.0',
+      'upgrade-to-0.5.1',
+      'upgrade-to-0.6.0',
+      'upgrade-to-0.6.1',
+      'upgrade-to-0.6.2',
+      'upgrade-to-0.6.3',
+      'upgrade-to-0.6.4',
+      'upgrade-to-0.7.0',
+      'upgrade-to-0.8.0',
+      'upgrade-to-0.9.0',
+      'upgrade-to-0.9.1',
+      'upgrade-to-0.9.2',
+      'upgrade-to-0.9.3',
+      'upgrade-to-0.9.6',
+      'upgrade-to-0.10.0',
+      'upgrade-to-0.10.2',
+      'upgrade-to-0.10.4',
+      'upgrade-to-0.11.0',
+      'upgrade-to-0.11.2',
+      'upgrade-to-0.11.6',
+      'upgrade-to-1.0.0',
+      'upgrade-to-1.1.0',
+      'upgrade-to-1.1.1',
+      'upgrade-to-1.1.2',
+      'upgrade-to-1.2.0',
+      'upgrade-to-1.2.1',
+      'upgrade-to-1.2.4',
+      'upgrade-to-1.3.0'
+    ]
+  },
+  '----------------',
+  {
+    category: 'enterprise',
+    content: [
+      { category: 'replication' },
+      {
+        category: 'hsm',
+        content: ['behavior', 'security']
+      },
+      { category: 'entropy-augmentation' },
+      { category: 'sealwrap' },
+      { category: 'namespaces' },
+      { category: 'performance-standby' },
+      { category: 'control-groups' },
+      {
+        category: 'mfa',
+        content: ['mfa-duo', 'mfa-okta', 'mfa-pingid', 'mfa-totp']
+      },
+      {
+        category: 'sentinel',
+        content: ['examples', 'properties']
+      }
+    ]
+  }
+]
diff --git a/website/data/docs_basic_categories.yml b/website/data/docs_basic_categories.yml
deleted file mode 100644
index c4563eedb54f..000000000000
--- a/website/data/docs_basic_categories.yml
+++ /dev/null
@@ -1,48 +0,0 @@
--
-  description: "Installing Vault and Vault Enterprise."
-  link: "/docs/install"
-  title: "Installing Vault"
--
-  description: "Technical details about Vault's architecture, cryptographic components, and security model."
-  link: "/docs/internals"
-  title: Internals
--
-  description: "Foundational concepts critical to understanding how Vault operates."
-  link: "/docs/concepts"
-  title: "Concepts"
--
-  description: "Managing Vault via its Command Line Interface (CLI)."
-  link: "/docs/commands"
-  title: "Commands (CLI)"
--
-  description: "Deploying Vault systems and configuring components such as storage and unseal interfaces."
-  link: "/docs/configuration"
-  title: Configuration
--
-  description: "Configuring the Vault binary as a client daemon for performing security operations."
-  link: "/docs/agent"
-  title: "Vault Agent"
--
-  description: "Engines for performing security operations using secrets stored within Vault."
-  link: "/docs/secrets"
-  title: "Secret Engines"
--
-  description: "Methods for configuring how users and applications authenticate into Vault."
-  link: "/docs/auth"
-  title: "Auth Methods"
--
-  description: "Devices for capturing audit logs monitoring activity within Vault."
-  link: "/docs/audit"
-  title: "Audit Devices"
--
-  description: "Configuring how Vault operates with external systems and applications via plugins."
-  link: "/docs/plugin"
-  title: "Plugin Backends"
--
-  description: "Topics related to running Vault on specific platforms (such as Kubernetes)."
-  link: "/docs/platform"
-  title: "Platforms"
--
-  description: "Topics related to Vault Enterprise, Vault's premium varient for professional teams and organizations."
-  link: "/docs/enterprise"
-  title: "Vault Enterprise"
diff --git a/website/data/docs_detailed_categories.yml b/website/data/docs_detailed_categories.yml
deleted file mode 100644
index 4c53061ee2d3..000000000000
--- a/website/data/docs_detailed_categories.yml
+++ /dev/null
@@ -1,146 +0,0 @@
--
-  title: "Installing Vault"
-  docs:
-    - docs/install/index.html
--
-  title: Internals
-  docs:
-    - docs/internals/index.html
-    - docs/internals/architecture.html
-    - docs/internals/high-availability.html
-    - docs/internals/security.html
-    - docs/internals/telemetry.html
-    - docs/internals/token.html
-    - docs/internals/rotation.html
-    - docs/internals/replication.html
-    - docs/internals/plugins.html
--
-  title: "Concepts"
-  docs:
-    - docs/concepts/index.html
-    - docs/concepts/dev-server.html
-    - docs/concepts/seal.html
-    - docs/concepts/lease.html
-    - docs/concepts/auth.html
-    - docs/concepts/tokens.html
-    - docs/concepts/response-wrapping.html
-    - docs/concepts/policies.html
-    - docs/concepts/ha.html
-    - docs/concepts/pgp-gpg-keybase.html
-    - docs/concepts/recovery-mode.html
--
-  title: Configuration
-  docs:
-    - docs/configuration/index.html
-    - docs/configuration/telemetry.html
-    - docs/configuration/seal/index.html
-    - docs/configuration/listener/index.html
-    - docs/configuration/ui/index.html
--
-  title: "CLI Commands"
-  docs:
-    - docs/commands/index.html
-    - docs/commands/agent.html
-    - docs/commands/audit/index.html
-    - docs/commands/auth/index.html
-    - docs/commands/debug.html
-    - docs/commands/delete.html
-    - docs/commands/lease/index.html
-    - docs/commands/list.html
-    - docs/commands/login.html
-    - docs/commands/namespace.html
-    - docs/commands/operator/index.html
-    - docs/commands/path-help.html
-    - docs/commands/plugin/index.html
-    - docs/commands/policy/index.html
-    - docs/commands/read.html
-    - docs/commands/secrets/index.html
-    - docs/commands/server.html
-    - docs/commands/ssh.html
-    - docs/commands/status.html
-    - docs/commands/token/index.html
-    - docs/commands/unwrap.html
-    - docs/commands/write.html
-    - docs/commands/token-helper.html
--
-  title: "Vault Agent"
-  docs:
-    - docs/agent/index.html
-    - docs/agent/autoauth/index.html
-    - docs/agent/caching/index.html
--
-  title: "Secret Engines"
-  docs:
-    - docs/secrets/index.html
-    - docs/secrets/ad/index.html
-    - docs/secrets/alicloud/index.html
-    - docs/secrets/aws/index.html
-    - docs/secrets/azure/index.html
-    - docs/secrets/consul/index.html
-    - docs/secrets/cubbyhole/index.html
-    - docs/secrets/databases/index.html
-    - docs/secrets/gcp/index.html
-    - docs/secrets/gcpkms/index.html
-    - docs/secrets/kmip/index.html
-    - docs/secrets/kv/index.html
-    - docs/secrets/identity/index.html
-    - docs/secrets/nomad/index.html
-    - docs/secrets/pki/index.html
-    - docs/secrets/rabbitmq/index.html
-    - docs/secrets/ssh/index.html
-    - docs/secrets/totp/index.html
-    - docs/secrets/transit/index.html
-    - docs/secrets/cassandra/index.html
-    - docs/secrets/mongodb/index.html
-    - docs/secrets/mssql/index.html
-    - docs/secrets/mysql/index.html
-    - docs/secrets/postgresql/index.html
--
-  title: "Auth Methods"
-  docs:
-    - docs/auth/index.html
-    - docs/auth/approle.html
-    - docs/auth/alicloud.html
-    - docs/auth/aws.html
-    - docs/auth/azure.html
-    - docs/auth/gcp.html
-    - docs/auth/jwt.html
-    - docs/auth/kubernetes.html
-    - docs/auth/github.html
-    - docs/auth/ldap.html
-    - docs/auth/oci.html
-    - docs/auth/okta.html
-    - docs/auth/cf.html
-    - docs/auth/radius.html
-    - docs/auth/cert.html
-    - docs/auth/token.html
-    - docs/auth/userpass.html
-    - docs/auth/app-id.html
-    - docs/auth/mfa.html
--
-  title: "Audit Devices"
-  docs:
-    - docs/audit/index.html
-    - docs/audit/file.html
-    - docs/audit/syslog.html
-    - docs/audit/socket.html
--
-  title: "Plugin Backends"
-  docs:
-    - docs/plugin/index.html
--
-  title: "Platforms"
-  docs:
-    - docs/platform/k8s/index.html
-    - docs/platform/aws-mp/index.html
--
-  title: "Vault Enterprise"
-  docs:
-    - docs/enterprise/replication/index.html
-    - docs/enterprise/hsm/index.html
-    - docs/enterprise/sealwrap/index.html
-    - docs/enterprise/namespaces/index.html
-    - docs/enterprise/performance-standby/index.html
-    - docs/enterprise/control-groups/index.html
-    - docs/enterprise/mfa/index.html
-    - docs/enterprise/sentinel/index.html
diff --git a/website/data/guides-navigation.js b/website/data/guides-navigation.js
new file mode 100644
index 000000000000..7b05be6c3efa
--- /dev/null
+++ b/website/data/guides-navigation.js
@@ -0,0 +1,55 @@
+export default [
+  {
+    category: 'getting-started'
+  },
+  {
+    category: 'operations',
+    content: [
+      'reference-architecture',
+      'vault-ha-consul',
+      'production',
+      'generate-root',
+      'rekeying-and-rotating',
+      'plugin-backends',
+      '--------------',
+      'replication',
+      'disaster-recovery',
+      'mount-filter',
+      'multi-tenant',
+      'autounseal-aws-kms',
+      'seal-wrap',
+      'monitoring'
+    ]
+  },
+  {
+    category: 'identity',
+    content: [
+      'secure-intro',
+      'policies',
+      'authentication',
+      'approle-trusted-entities',
+      'lease',
+      'identity',
+      '--------------',
+      'sentinel',
+      'control-groups'
+    ]
+  },
+  {
+    category: 'secret-mgmt',
+    content: [
+      'static-secrets',
+      'versioned-kv',
+      'dynamic-secrets',
+      'db-root-rotation',
+      'cubbyhole',
+      'ssh-otp',
+      'pki-engine',
+      'app-integration'
+    ]
+  },
+  {
+    category: 'encryption',
+    content: ['transit', 'spring-demo', 'transit-rewrap']
+  }
+]
diff --git a/website/data/intro-navigation.js b/website/data/intro-navigation.js
new file mode 100644
index 000000000000..80037720f3f3
--- /dev/null
+++ b/website/data/intro-navigation.js
@@ -0,0 +1,24 @@
+// The root folder for this documentation category is `pages/intro`
+//
+// - A string refers to the name of a file
+// - A "category" value refers to the name of a directory
+// - All directories must have an "index.mdx" file to serve as
+//   the landing page for the category
+
+export default [
+  {
+    category: 'getting-started',
+    content: [
+      'dev-server',
+      'first-secret',
+      'secrets-engines',
+      'dynamic-secrets',
+      'help',
+      'authentication',
+      'policies',
+      'deploy',
+      'apis',
+      'next-steps'
+    ]
+  }
+]
diff --git a/website/data/subnav.js b/website/data/subnav.js
new file mode 100644
index 000000000000..66430a4a114c
--- /dev/null
+++ b/website/data/subnav.js
@@ -0,0 +1,28 @@
+export default [
+  { title: 'Overview', url: '/intro/getting-started' },
+  {
+    title: 'Use Cases',
+    links: [
+      { title: 'Secrets Management', url: '/use-cases/secrets-management' },
+      { title: 'Data Encryption', url: '/use-cases/data-encryption' },
+      {
+        title: 'Identity-based Access',
+        url: '/use-cases/identity-based-access'
+      }
+    ]
+  },
+  {
+    title: 'Enterprise',
+    url: 'https://www.hashicorp.com/products/vault/enterprise'
+  },
+  {
+    title: 'Whitepaper',
+    url:
+      'https://www.hashicorp.com/resources/unlocking-the-cloud-operating-model-security?utm_source=vaultsubnav'
+  },
+  { title: '|' },
+  { title: 'Learn', url: 'https://learn.hashicorp.com/vault' },
+  { title: 'Docs', url: '/docs' },
+  { title: 'API', url: '/api-docs' },
+  { title: 'Community', url: '/community' }
+]
diff --git a/website/data/version.js b/website/data/version.js
new file mode 100644
index 000000000000..ba5516dedc17
--- /dev/null
+++ b/website/data/version.js
@@ -0,0 +1 @@
+export const VERSION = '1.3.1'
diff --git a/website/deploy/main.tf b/website/deploy/main.tf
deleted file mode 100644
index 4719abf7d46d..000000000000
--- a/website/deploy/main.tf
+++ /dev/null
@@ -1,66 +0,0 @@
-locals {
-  github_parts = ["${split("/", var.github_repo)}"]
-  github_full  = "${var.github_repo}"
-  github_org   = "${local.github_parts[0]}"
-  github_repo  = "${local.github_parts[1]}"
-}
-
-/*
--------------------------------------------------------------------
-GitHub Resources
--------------------------------------------------------------------
-*/
-
-provider "github" {
-  organization = "${local.github_org}"
-  version      = "~>2.0.0"
-}
-
-// Configure the repository with the dynamically created Netlify key.
-resource "github_repository_deploy_key" "key" {
-  title      = "Netlify"
-  repository = "${local.github_repo}"
-  key        = "${netlify_deploy_key.key.public_key}"
-  read_only  = false
-}
-
-// Create a webhook that triggers Netlify builds on push.
-resource "github_repository_webhook" "main" {
-  repository = "${local.github_repo}"
-  events     = ["delete", "push", "pull_request"]
-
-  configuration {
-    content_type = "json"
-    url          = "https://api.netlify.com/hooks/github"
-    insecure_ssl = false
-  }
-
-  depends_on = ["netlify_site.main"]
-}
-
-/*
--------------------------------------------------------------------
-Netlify Resources
--------------------------------------------------------------------
-*/
-
-provider "netlify" {
-  version = "~> 0.1.0"
-}
-
-// A new, unique deploy key for this specific website
-resource "netlify_deploy_key" "key" {}
-
-resource "netlify_site" "main" {
-  name          = "${var.name}"
-  custom_domain = "${var.custom_site_domain}"
-
-  repo {
-    repo_branch   = "${var.github_branch}"
-    command       = "cd website && bundle && cd assets && npm i && cd .. && middleman build --verbose"
-    deploy_key_id = "${netlify_deploy_key.key.id}"
-    dir           = "website/build"
-    provider      = "github"
-    repo_path     = "${local.github_full}"
-  }
-}
diff --git a/website/deploy/variables.tf b/website/deploy/variables.tf
deleted file mode 100644
index 894815cc7f28..000000000000
--- a/website/deploy/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "name" {
-  default     = "vault-www"
-  description = "Name of the website in slug format."
-}
-
-variable "github_repo" {
-  default     = "hashicorp/vault"
-  description = "GitHub repository of the provider in 'org/name' format."
-}
-
-variable "github_branch" {
-  default     = "stable-website"
-  description = "GitHub branch which netlify will continuously deploy."
-}
-
-variable "custom_site_domain" {
-  default     = "www.vaultproject.io"
-  description = "The custom domain to use for the Netlify site."
-}
diff --git a/website/layouts/api.jsx b/website/layouts/api.jsx
new file mode 100644
index 000000000000..24a206d72a32
--- /dev/null
+++ b/website/layouts/api.jsx
@@ -0,0 +1,23 @@
+import DocsPage, { getInitialProps } from '../components/docs-page'
+import orderData from '../data/api-navigation.js'
+import { frontMatter } from '../pages/api-docs/**/*.mdx'
+
+function ApiLayoutWrapper(pageMeta) {
+  function ApiLayout(props) {
+    return (
+      <DocsPage
+        {...props}
+        orderData={orderData}
+        frontMatter={frontMatter}
+        category="api-docs"
+        pageMeta={pageMeta}
+      />
+    )
+  }
+
+  ApiLayout.getInitialProps = getInitialProps
+
+  return ApiLayout
+}
+
+export default ApiLayoutWrapper
diff --git a/website/layouts/docs.jsx b/website/layouts/docs.jsx
new file mode 100644
index 000000000000..c6ce5be2bb84
--- /dev/null
+++ b/website/layouts/docs.jsx
@@ -0,0 +1,23 @@
+import DocsPage, { getInitialProps } from '../components/docs-page'
+import orderData from '../data/docs-navigation.js'
+import { frontMatter } from '../pages/docs/**/*.mdx'
+
+function DocsLayoutWrapper(pageMeta) {
+  function DocsLayout(props) {
+    return (
+      <DocsPage
+        {...props}
+        orderData={orderData}
+        frontMatter={frontMatter}
+        category="docs"
+        pageMeta={pageMeta}
+      />
+    )
+  }
+
+  DocsLayout.getInitialProps = getInitialProps
+
+  return DocsLayout
+}
+
+export default DocsLayoutWrapper
diff --git a/website/layouts/guides.jsx b/website/layouts/guides.jsx
new file mode 100644
index 000000000000..52e75ff0e5af
--- /dev/null
+++ b/website/layouts/guides.jsx
@@ -0,0 +1,23 @@
+import DocsPage, { getInitialProps } from '../components/docs-page'
+import orderData from '../data/guides-navigation.js'
+import { frontMatter } from '../pages/guides/**/*.mdx'
+
+function GuidesLayoutWrapper(pageMeta) {
+  function GuidesLayout(props) {
+    return (
+      <DocsPage
+        {...props}
+        orderData={orderData}
+        frontMatter={frontMatter}
+        category="guides"
+        pageMeta={pageMeta}
+      />
+    )
+  }
+
+  GuidesLayout.getInitialProps = getInitialProps
+
+  return GuidesLayout
+}
+
+export default GuidesLayoutWrapper
diff --git a/website/layouts/intro.jsx b/website/layouts/intro.jsx
new file mode 100644
index 000000000000..c96a4dd66846
--- /dev/null
+++ b/website/layouts/intro.jsx
@@ -0,0 +1,23 @@
+import DocsPage, { getInitialProps } from '../components/docs-page'
+import orderData from '../data/intro-navigation.js'
+import { frontMatter } from '../pages/intro/**/*.mdx'
+
+function IntroLayoutWrapper(pageMeta) {
+  function IntroLayout(props) {
+    return (
+      <DocsPage
+        {...props}
+        orderData={orderData}
+        frontMatter={frontMatter}
+        category="intro"
+        pageMeta={pageMeta}
+      />
+    )
+  }
+
+  IntroLayout.getInitialProps = getInitialProps
+
+  return IntroLayout
+}
+
+export default IntroLayoutWrapper
diff --git a/website/lib/bugsnag.js b/website/lib/bugsnag.js
new file mode 100644
index 000000000000..d8b7143114de
--- /dev/null
+++ b/website/lib/bugsnag.js
@@ -0,0 +1,17 @@
+import React from 'react'
+import bugsnag from '@bugsnag/js'
+import bugsnagReact from '@bugsnag/plugin-react'
+
+const apiKey =
+  typeof window === 'undefined'
+    ? 'fb2dc40bb48b17140628754eac6c1b11'
+    : '07ff2d76ce27aded8833bf4804b73350'
+
+const bugsnagClient = bugsnag({
+  apiKey,
+  releaseStage: process.env.NODE_ENV || 'development'
+})
+
+bugsnagClient.use(bugsnagReact, React)
+
+export default bugsnagClient
diff --git a/website/lib/consent-manager-config.js b/website/lib/consent-manager-config.js
new file mode 100644
index 000000000000..de55948685f1
--- /dev/null
+++ b/website/lib/consent-manager-config.js
@@ -0,0 +1,76 @@
+const isProd = process.env.NODE_ENV === 'production'
+
+const segmentWriteKey = isProd
+  ? 'OdSFDq9PfujQpmkZf03dFpcUlywme4sC'
+  : '0EXTgkNx0Ydje2PGXVbRhpKKoe5wtzcE'
+
+// TODO: refactor into web components
+let utilityServerRoot = isProd
+  ? 'https://util.hashicorp.com'
+  : 'https://hashicorp-web-util-staging.herokuapp.com'
+
+if (process.env.UTIL_SERVER) {
+  utilityServerRoot = process.env.UTIL_SERVER.replace(/\/$/, '')
+}
+
+// Consent manager configuration
+export default {
+  version: 3,
+  container: '#consent-manager',
+  companyName: 'HashiCorp',
+  privacyPolicyLink: '/privacy',
+  segmentWriteKey: segmentWriteKey,
+  utilServerRoot: utilityServerRoot,
+  segmentServices: [
+    {
+      key: 'googleanalytics',
+      name: 'Google Analytics',
+      description:
+        'Google Analytics is a popular service for tracking web traffic. We use this data to determine what content our users find important so that we can dedicate more resources toward it.',
+      category: 'Analytics'
+    },
+    {
+      name: 'Hotjar',
+      description:
+        'Hotjar is a service that generates heatmaps of where users click on our sites. We use this information to ensure that our site is not confusing, and simple to use and navigate.',
+      category: 'Analytics'
+    },
+    {
+      name: 'LinkedIn Insight Tag',
+      description:
+        'This small script allows us to see how effective our linkedin campaigns are by showing which users have clicked through to our site.',
+      category: 'Analytics'
+    },
+    {
+      name: 'Marketo V2',
+      description:
+        'Marketo is a marketing automation tool that allows us to segment users into different categories based off of their behaviors.  We use this information to provide tailored information to users in our email campaigns.'
+    }
+  ],
+  categories: [
+    {
+      name: 'Functional',
+      description:
+        'Functional services provide a utility to the website, such as the ability to log in, or to get live support. Disabling any of these scripts will cause that utility to be missing from the site.'
+    },
+    {
+      name: 'Analytics',
+      description:
+        'Analytics services keep track of page traffic and user behavior while browsing the site. We use this data internally to improve the usability and performance of the site. Disabling any of these scripts makes it more difficult for us to understand how our site is being used, and slower to improve it.'
+    },
+    {
+      name: 'Email Marketing',
+      description:
+        'Email Marketing services track user behavior while browsing the site. We use this data internally in our marketing efforts to provide users contextually relevant information based off of their behaviors. Disabling any of these scripts makes it more difficult for us to provide you contextually relevant information.'
+    }
+  ],
+  additionalServices: [
+    {
+      name: 'OptinMonster',
+      description:
+        "OptinMonster is a service that we use to show a prompt to sign up for our newsletter if it's perceived that you are interested in our content.",
+      category: 'Functional',
+      body: `var om598c8e3a6e43d,om598c8e3a6e43d_poll=function(){var r=0;return function(n,l){clearInterval(r),r=setInterval(n,l)}}();!function(e,t,n){if(e.getElementById(n)){om598c8e3a6e43d_poll(function(){if(window['om_loaded']){if(!om598c8e3a6e43d){om598c8e3a6e43d=new OptinMonsterApp();return om598c8e3a6e43d.init({"s":"35109.598c8e3a6e43d","staging":0,"dev":0,"beta":0});}}},25);return;}var d=false,o=e.createElement(t);o.id=n,o.src="https://a.optnmstr.com/app/js/api.min.js",o.async=true,o.onload=o.onreadystatechange=function(){if(!d){if(!this.readyState||this.readyState==="loaded"||this.readyState==="complete"){try{d=om_loaded=true;om598c8e3a6e43d=new OptinMonsterApp();om598c8e3a6e43d.init({"s":"35109.598c8e3a6e43d","staging":0,"dev":0,"beta":0});o.onload=o.onreadystatechange=null;}catch(t){}}}};(document.getElementsByTagName("head")[0]||document.documentElement).appendChild(o)}(document,"script","omapi-script");`
+    }
+  ]
+}
diff --git a/website/lib/polyfills.js b/website/lib/polyfills.js
new file mode 100644
index 000000000000..8046a6c963cb
--- /dev/null
+++ b/website/lib/polyfills.js
@@ -0,0 +1,10 @@
+// If you run into issues with features missing in IE11, you likely need to
+// make additions to this file for those features.
+// See https://github.com/zloirock/core-js
+import 'core-js/fn/array'
+import 'core-js/fn/object/assign'
+import 'core-js/fn/string/ends-with'
+import 'core-js/fn/string/includes'
+import 'core-js/fn/string/repeat'
+import 'core-js/fn/string/starts-with'
+import 'core-js/fn/symbol'
diff --git a/website/netlify.toml b/website/netlify.toml
new file mode 100644
index 000000000000..bfccbd340227
--- /dev/null
+++ b/website/netlify.toml
@@ -0,0 +1,13 @@
+
+# This file sets configuration for Netlify
+# ref: https://www.netlify.com/docs/netlify-toml-reference/
+
+[build]
+  publish = "out"
+  command = "npm run static"
+
+[context.production]
+  environment = { HASHI_ENV = "production", NODE_ENV = "production"}
+
+[context.deploy-preview]
+  environment = { HASHI_ENV = "staging" }
diff --git a/website/next.config.js b/website/next.config.js
new file mode 100644
index 000000000000..c37e607244de
--- /dev/null
+++ b/website/next.config.js
@@ -0,0 +1,47 @@
+const withHashicorp = require('@hashicorp/nextjs-scripts')
+const path = require('path')
+
+module.exports = withHashicorp({
+  defaultLayout: true,
+  transpileModules: ['is-absolute-url', '@hashicorp/react-mega-nav'],
+  mdx: { resolveIncludes: path.join(__dirname, 'pages') }
+})({
+  experimental: {
+    css: true,
+    granularChunks: true,
+    rewrites: () => [
+      {
+        source: '/api/:path*',
+        destination: '/api-docs/:path*'
+      }
+    ],
+    redirects: () => [
+      {
+        source: '/intro',
+        destination: '/intro/getting-started',
+        permanent: false
+      }
+    ]
+  },
+  exportTrailingSlash: true,
+  webpack(config) {
+    // Add polyfills
+    const originalEntry = config.entry
+    config.entry = async () => {
+      const entries = await originalEntry()
+      let polyEntry = entries['static/runtime/polyfills.js']
+      if (polyEntry && !polyEntry.includes('./lib/polyfills.js')) {
+        if (!Array.isArray(polyEntry)) {
+          entries['static/runtime/polyfills.js'] = [polyEntry]
+        }
+        entries['static/runtime/polyfills.js'].unshift('./lib/polyfills.js')
+      }
+      return entries
+    }
+
+    return config
+  },
+  env: {
+    HASHI_ENV: process.env.HASHI_ENV
+  }
+})
diff --git a/website/package-lock.json b/website/package-lock.json
new file mode 100644
index 000000000000..44c5e47c1999
--- /dev/null
+++ b/website/package-lock.json
@@ -0,0 +1,18295 @@
+{
+  "name": "vault-docs-platform",
+  "version": "0.0.1",
+  "lockfileVersion": 1,
+  "requires": true,
+  "dependencies": {
+    "@ampproject/toolbox-core": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@ampproject/toolbox-core/-/toolbox-core-1.1.1.tgz",
+      "integrity": "sha512-jcuVJUnGDRUEJgMYO6QVdf1dBy/oLZX3NjN2hYG48biFcPCvXevuv4xYFZMJsnsHSvXKg8y0qB8rANNyhTUN/A==",
+      "requires": {
+        "node-fetch": "2.6.0"
+      }
+    },
+    "@ampproject/toolbox-optimizer": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@ampproject/toolbox-optimizer/-/toolbox-optimizer-1.1.1.tgz",
+      "integrity": "sha512-LTtTM5FSOrWuTJ6mOwPfZmpUDI6polrNz3tX2EmDmDkjDK+43vSpq1OHtukivIFHafdixJuoeki5dF3PC/ZoWw==",
+      "requires": {
+        "@ampproject/toolbox-core": "^1.1.1",
+        "@ampproject/toolbox-runtime-version": "^1.1.1",
+        "@ampproject/toolbox-script-csp": "^1.1.1",
+        "css": "2.2.4",
+        "parse5": "5.1.0",
+        "parse5-htmlparser2-tree-adapter": "5.1.0"
+      },
+      "dependencies": {
+        "parse5": {
+          "version": "5.1.0",
+          "resolved": "https://registry.npmjs.org/parse5/-/parse5-5.1.0.tgz",
+          "integrity": "sha512-fxNG2sQjHvlVAYmzBZS9YlDp6PTSSDwa98vkD4QgVDDCAo84z5X1t5XyJQ62ImdLXx5NdIIfihey6xpum9/gRQ=="
+        }
+      }
+    },
+    "@ampproject/toolbox-runtime-version": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@ampproject/toolbox-runtime-version/-/toolbox-runtime-version-1.1.1.tgz",
+      "integrity": "sha512-ibmw5p+0Sz+wingbX/Dyboe8a0+XDkMfFGSM7KFE0h2z3Op9MADup8ZPLeHT54Z7cYKmB6ob60FVHtQQDhEXNw==",
+      "requires": {
+        "@ampproject/toolbox-core": "^1.1.1"
+      }
+    },
+    "@ampproject/toolbox-script-csp": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@ampproject/toolbox-script-csp/-/toolbox-script-csp-1.1.1.tgz",
+      "integrity": "sha512-gACGfsVKinCy/977FSrlVgo6jxTZ0lcTCvCnRlNwvSOcxJVm+jJR3sP7/F43fpak9Gsq/EwFaatfnNMbunPc+w=="
+    },
+    "@apollo/react-common": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/@apollo/react-common/-/react-common-3.1.3.tgz",
+      "integrity": "sha512-Q7ZjDOeqjJf/AOGxUMdGxKF+JVClRXrYBGVq+SuVFqANRpd68MxtVV2OjCWavsFAN0eqYnRqRUrl7vtUCiJqeg==",
+      "requires": {
+        "ts-invariant": "^0.4.4",
+        "tslib": "^1.10.0"
+      }
+    },
+    "@apollo/react-components": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/@apollo/react-components/-/react-components-3.1.3.tgz",
+      "integrity": "sha512-H0l2JKDQMz+LkM93QK7j3ThbNXkWQCduN3s3eKxFN3Rdg7rXsrikJWvx2wQ868jmqy0VhwJbS1vYdRLdh114uQ==",
+      "requires": {
+        "@apollo/react-common": "^3.1.3",
+        "@apollo/react-hooks": "^3.1.3",
+        "prop-types": "^15.7.2",
+        "ts-invariant": "^0.4.4",
+        "tslib": "^1.10.0"
+      }
+    },
+    "@apollo/react-hoc": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/@apollo/react-hoc/-/react-hoc-3.1.3.tgz",
+      "integrity": "sha512-oCPma0uBVPTcYTR5sOvtMbpaWll4xDBvYfKr6YkDorUcQVeNzFu1LK1kmQjJP64bKsaziKYji5ibFaeCnVptmA==",
+      "requires": {
+        "@apollo/react-common": "^3.1.3",
+        "@apollo/react-components": "^3.1.3",
+        "hoist-non-react-statics": "^3.3.0",
+        "ts-invariant": "^0.4.4",
+        "tslib": "^1.10.0"
+      }
+    },
+    "@apollo/react-hooks": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/@apollo/react-hooks/-/react-hooks-3.1.3.tgz",
+      "integrity": "sha512-reIRO9xKdfi+B4gT/o/hnXuopUnm7WED/ru8VQydPw+C/KG/05Ssg1ZdxFKHa3oxwiTUIDnevtccIH35POanbA==",
+      "requires": {
+        "@apollo/react-common": "^3.1.3",
+        "@wry/equality": "^0.1.9",
+        "ts-invariant": "^0.4.4",
+        "tslib": "^1.10.0"
+      }
+    },
+    "@apollo/react-ssr": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/@apollo/react-ssr/-/react-ssr-3.1.3.tgz",
+      "integrity": "sha512-fUTmEYHxSTX1GA43B8vICxXXplpcEBnDwn0IgdAc3eG0p2YK97ZrJDRFCJ5vD7fyDZsrYhMf+rAI3sd+H2SS+A==",
+      "requires": {
+        "@apollo/react-common": "^3.1.3",
+        "@apollo/react-hooks": "^3.1.3",
+        "tslib": "^1.10.0"
+      }
+    },
+    "@babel/code-frame": {
+      "version": "7.5.5",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.5.5.tgz",
+      "integrity": "sha512-27d4lZoomVyo51VegxI20xZPuSHusqbQag/ztrBC7wegWoQ1nLREPVSKSW8byhTlzTKyNE4ifaTA6lCp7JjpFw==",
+      "requires": {
+        "@babel/highlight": "^7.0.0"
+      }
+    },
+    "@babel/core": {
+      "version": "7.7.7",
+      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.7.7.tgz",
+      "integrity": "sha512-jlSjuj/7z138NLZALxVgrx13AOtqip42ATZP7+kYl53GvDV6+4dCek1mVUo8z8c8Xnw/mx2q3d9HWh3griuesQ==",
+      "requires": {
+        "@babel/code-frame": "^7.5.5",
+        "@babel/generator": "^7.7.7",
+        "@babel/helpers": "^7.7.4",
+        "@babel/parser": "^7.7.7",
+        "@babel/template": "^7.7.4",
+        "@babel/traverse": "^7.7.4",
+        "@babel/types": "^7.7.4",
+        "convert-source-map": "^1.7.0",
+        "debug": "^4.1.0",
+        "json5": "^2.1.0",
+        "lodash": "^4.17.13",
+        "resolve": "^1.3.2",
+        "semver": "^5.4.1",
+        "source-map": "^0.5.0"
+      },
+      "dependencies": {
+        "@babel/generator": {
+          "version": "7.7.7",
+          "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.7.7.tgz",
+          "integrity": "sha512-/AOIBpHh/JU1l0ZFS4kiRCBnLi6OTHzh0RPk3h9isBxkkqELtQNFi1Vr/tiG9p1yfoUdKVwISuXWQR+hwwM4VQ==",
+          "requires": {
+            "@babel/types": "^7.7.4",
+            "jsesc": "^2.5.1",
+            "lodash": "^4.17.13",
+            "source-map": "^0.5.0"
+          }
+        },
+        "@babel/parser": {
+          "version": "7.7.7",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.7.7.tgz",
+          "integrity": "sha512-WtTZMZAZLbeymhkd/sEaPD8IQyGAhmuTuvTzLiCFM7iXiVdY0gc0IaI+cW0fh1BnSMbJSzXX6/fHllgHKwHhXw=="
+        }
+      }
+    },
+    "@babel/generator": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.7.4.tgz",
+      "integrity": "sha512-m5qo2WgdOJeyYngKImbkyQrnUN1mPceaG5BV+G0E3gWsa4l/jCSryWJdM2x8OuGAOyh+3d5pVYfZWCiNFtynxg==",
+      "requires": {
+        "@babel/types": "^7.7.4",
+        "jsesc": "^2.5.1",
+        "lodash": "^4.17.13",
+        "source-map": "^0.5.0"
+      }
+    },
+    "@babel/helper-annotate-as-pure": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-annotate-as-pure/-/helper-annotate-as-pure-7.7.4.tgz",
+      "integrity": "sha512-2BQmQgECKzYKFPpiycoF9tlb5HA4lrVyAmLLVK177EcQAqjVLciUb2/R+n1boQ9y5ENV3uz2ZqiNw7QMBBw1Og==",
+      "requires": {
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-builder-binary-assignment-operator-visitor": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/helper-builder-binary-assignment-operator-visitor/-/helper-builder-binary-assignment-operator-visitor-7.8.3.tgz",
+      "integrity": "sha512-5eFOm2SyFPK4Rh3XMMRDjN7lBH0orh3ss0g3rTYZnBQ+r6YPj7lgDyCvPphynHvUrobJmeMignBr6Acw9mAPlw==",
+      "requires": {
+        "@babel/helper-explode-assignable-expression": "^7.8.3",
+        "@babel/types": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        }
+      }
+    },
+    "@babel/helper-builder-react-jsx": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-builder-react-jsx/-/helper-builder-react-jsx-7.7.4.tgz",
+      "integrity": "sha512-kvbfHJNN9dg4rkEM4xn1s8d1/h6TYNvajy9L1wx4qLn9HFg0IkTsQi4rfBe92nxrPUFcMsHoMV+8rU7MJb3fCA==",
+      "requires": {
+        "@babel/types": "^7.7.4",
+        "esutils": "^2.0.0"
+      }
+    },
+    "@babel/helper-call-delegate": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-call-delegate/-/helper-call-delegate-7.7.4.tgz",
+      "integrity": "sha512-8JH9/B7J7tCYJ2PpWVpw9JhPuEVHztagNVuQAFBVFYluRMlpG7F1CgKEgGeL6KFqcsIa92ZYVj6DSc0XwmN1ZA==",
+      "requires": {
+        "@babel/helper-hoist-variables": "^7.7.4",
+        "@babel/traverse": "^7.7.4",
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-create-class-features-plugin": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-create-class-features-plugin/-/helper-create-class-features-plugin-7.7.4.tgz",
+      "integrity": "sha512-l+OnKACG4uiDHQ/aJT8dwpR+LhCJALxL0mJ6nzjB25e5IPwqV1VOsY7ah6UB1DG+VOXAIMtuC54rFJGiHkxjgA==",
+      "requires": {
+        "@babel/helper-function-name": "^7.7.4",
+        "@babel/helper-member-expression-to-functions": "^7.7.4",
+        "@babel/helper-optimise-call-expression": "^7.7.4",
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/helper-replace-supers": "^7.7.4",
+        "@babel/helper-split-export-declaration": "^7.7.4"
+      }
+    },
+    "@babel/helper-create-regexp-features-plugin": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/helper-create-regexp-features-plugin/-/helper-create-regexp-features-plugin-7.8.3.tgz",
+      "integrity": "sha512-Gcsm1OHCUr9o9TcJln57xhWHtdXbA2pgQ58S0Lxlks0WMGNXuki4+GLfX0p+L2ZkINUGZvfkz8rzoqJQSthI+Q==",
+      "requires": {
+        "@babel/helper-regex": "^7.8.3",
+        "regexpu-core": "^4.6.0"
+      },
+      "dependencies": {
+        "jsesc": {
+          "version": "0.5.0",
+          "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-0.5.0.tgz",
+          "integrity": "sha1-597mbjXW/Bb3EP6R1c9p9w8IkR0="
+        },
+        "regexpu-core": {
+          "version": "4.6.0",
+          "resolved": "https://registry.npmjs.org/regexpu-core/-/regexpu-core-4.6.0.tgz",
+          "integrity": "sha512-YlVaefl8P5BnFYOITTNzDvan1ulLOiXJzCNZxduTIosN17b87h3bvG9yHMoHaRuo88H4mQ06Aodj5VtYGGGiTg==",
+          "requires": {
+            "regenerate": "^1.4.0",
+            "regenerate-unicode-properties": "^8.1.0",
+            "regjsgen": "^0.5.0",
+            "regjsparser": "^0.6.0",
+            "unicode-match-property-ecmascript": "^1.0.4",
+            "unicode-match-property-value-ecmascript": "^1.1.0"
+          }
+        },
+        "regjsgen": {
+          "version": "0.5.1",
+          "resolved": "https://registry.npmjs.org/regjsgen/-/regjsgen-0.5.1.tgz",
+          "integrity": "sha512-5qxzGZjDs9w4tzT3TPhCJqWdCc3RLYwy9J2NB0nm5Lz+S273lvWcpjaTGHsT1dc6Hhfq41uSEOw8wBmxrKOuyg=="
+        },
+        "regjsparser": {
+          "version": "0.6.2",
+          "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.6.2.tgz",
+          "integrity": "sha512-E9ghzUtoLwDekPT0DYCp+c4h+bvuUpe6rRHCTYn6eGoqj1LgKXxT6I0Il4WbjhQkOghzi/V+y03bPKvbllL93Q==",
+          "requires": {
+            "jsesc": "~0.5.0"
+          }
+        }
+      }
+    },
+    "@babel/helper-define-map": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-define-map/-/helper-define-map-7.7.4.tgz",
+      "integrity": "sha512-v5LorqOa0nVQUvAUTUF3KPastvUt/HzByXNamKQ6RdJRTV7j8rLL+WB5C/MzzWAwOomxDhYFb1wLLxHqox86lg==",
+      "requires": {
+        "@babel/helper-function-name": "^7.7.4",
+        "@babel/types": "^7.7.4",
+        "lodash": "^4.17.13"
+      }
+    },
+    "@babel/helper-explode-assignable-expression": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/helper-explode-assignable-expression/-/helper-explode-assignable-expression-7.8.3.tgz",
+      "integrity": "sha512-N+8eW86/Kj147bO9G2uclsg5pwfs/fqqY5rwgIL7eTBklgXjcOJ3btzS5iM6AitJcftnY7pm2lGsrJVYLGjzIw==",
+      "requires": {
+        "@babel/traverse": "^7.8.3",
+        "@babel/types": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/code-frame": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.8.3.tgz",
+          "integrity": "sha512-a9gxpmdXtZEInkCSHUJDLHZVBgb1QS0jhss4cPP93EW7s+uC5bikET2twEF3KV+7rDblJcmNvTR7VJejqd2C2g==",
+          "requires": {
+            "@babel/highlight": "^7.8.3"
+          }
+        },
+        "@babel/generator": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.8.3.tgz",
+          "integrity": "sha512-WjoPk8hRpDRqqzRpvaR8/gDUPkrnOOeuT2m8cNICJtZH6mwaCo3v0OKMI7Y6SM1pBtyijnLtAL0HDi41pf41ug==",
+          "requires": {
+            "@babel/types": "^7.8.3",
+            "jsesc": "^2.5.1",
+            "lodash": "^4.17.13",
+            "source-map": "^0.5.0"
+          }
+        },
+        "@babel/helper-function-name": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.8.3.tgz",
+          "integrity": "sha512-BCxgX1BC2hD/oBlIFUgOCQDOPV8nSINxCwM3o93xP4P9Fq6aV5sgv2cOOITDMtCfQ+3PvHp3l689XZvAM9QyOA==",
+          "requires": {
+            "@babel/helper-get-function-arity": "^7.8.3",
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-get-function-arity": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.8.3.tgz",
+          "integrity": "sha512-FVDR+Gd9iLjUMY1fzE2SR0IuaJToR4RkCDARVfsBBPSP53GEqSFjD8gNyxg246VUyc/ALRxFaAK8rVG7UT7xRA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-split-export-declaration": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.8.3.tgz",
+          "integrity": "sha512-3x3yOeyBhW851hroze7ElzdkeRXQYQbFIb7gLK1WQYsw2GWDay5gAJNw1sWJ0VFP6z5J1whqeXH/WCdCjZv6dA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/highlight": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.8.3.tgz",
+          "integrity": "sha512-PX4y5xQUvy0fnEVHrYOarRPXVWafSjTW9T0Hab8gVIawpl2Sj0ORyrygANq+KjcNlSSTw0YCLSNA8OyZ1I4yEg==",
+          "requires": {
+            "chalk": "^2.0.0",
+            "esutils": "^2.0.2",
+            "js-tokens": "^4.0.0"
+          }
+        },
+        "@babel/parser": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.8.3.tgz",
+          "integrity": "sha512-/V72F4Yp/qmHaTALizEm9Gf2eQHV3QyTL3K0cNfijwnMnb1L+LDlAubb/ZnSdGAVzVSWakujHYs1I26x66sMeQ=="
+        },
+        "@babel/template": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.8.3.tgz",
+          "integrity": "sha512-04m87AcQgAFdvuoyiQ2kgELr2tV8B4fP/xJAVUL3Yb3bkNdMedD3d0rlSQr3PegP0cms3eHjl1F7PWlvWbU8FQ==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/traverse": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.8.3.tgz",
+          "integrity": "sha512-we+a2lti+eEImHmEXp7bM9cTxGzxPmBiVJlLVD+FuuQMeeO7RaDbutbgeheDkw+Xe3mCfJHnGOWLswT74m2IPg==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/generator": "^7.8.3",
+            "@babel/helper-function-name": "^7.8.3",
+            "@babel/helper-split-export-declaration": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3",
+            "debug": "^4.1.0",
+            "globals": "^11.1.0",
+            "lodash": "^4.17.13"
+          }
+        },
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "@babel/helper-function-name": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.7.4.tgz",
+      "integrity": "sha512-AnkGIdiBhEuiwdoMnKm7jfPfqItZhgRaZfMg1XX3bS25INOnLPjPG1Ppnajh8eqgt5kPJnfqrRHqFqmjKDZLzQ==",
+      "requires": {
+        "@babel/helper-get-function-arity": "^7.7.4",
+        "@babel/template": "^7.7.4",
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-get-function-arity": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.7.4.tgz",
+      "integrity": "sha512-QTGKEdCkjgzgfJ3bAyRwF4yyT3pg+vDgan8DSivq1eS0gwi+KGKE5x8kRcbeFTb/673mkO5SN1IZfmCfA5o+EA==",
+      "requires": {
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-hoist-variables": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.7.4.tgz",
+      "integrity": "sha512-wQC4xyvc1Jo/FnLirL6CEgPgPCa8M74tOdjWpRhQYapz5JC7u3NYU1zCVoVAGCE3EaIP9T1A3iW0WLJ+reZlpQ==",
+      "requires": {
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-member-expression-to-functions": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.7.4.tgz",
+      "integrity": "sha512-9KcA1X2E3OjXl/ykfMMInBK+uVdfIVakVe7W7Lg3wfXUNyS3Q1HWLFRwZIjhqiCGbslummPDnmb7vIekS0C1vw==",
+      "requires": {
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-module-imports": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.7.4.tgz",
+      "integrity": "sha512-dGcrX6K9l8258WFjyDLJwuVKxR4XZfU0/vTUgOQYWEnRD8mgr+p4d6fCUMq/ys0h4CCt/S5JhbvtyErjWouAUQ==",
+      "requires": {
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-module-transforms": {
+      "version": "7.7.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.7.5.tgz",
+      "integrity": "sha512-A7pSxyJf1gN5qXVcidwLWydjftUN878VkalhXX5iQDuGyiGK3sOrrKKHF4/A4fwHtnsotv/NipwAeLzY4KQPvw==",
+      "requires": {
+        "@babel/helper-module-imports": "^7.7.4",
+        "@babel/helper-simple-access": "^7.7.4",
+        "@babel/helper-split-export-declaration": "^7.7.4",
+        "@babel/template": "^7.7.4",
+        "@babel/types": "^7.7.4",
+        "lodash": "^4.17.13"
+      }
+    },
+    "@babel/helper-optimise-call-expression": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.7.4.tgz",
+      "integrity": "sha512-VB7gWZ2fDkSuqW6b1AKXkJWO5NyNI3bFL/kK79/30moK57blr6NbH8xcl2XcKCwOmJosftWunZqfO84IGq3ZZg==",
+      "requires": {
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-plugin-utils": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.0.0.tgz",
+      "integrity": "sha512-CYAOUCARwExnEixLdB6sDm2dIJ/YgEAKDM1MOeMeZu9Ld/bDgVo8aiWrXwcY7OBh+1Ea2uUcVRcxKk0GJvW7QA=="
+    },
+    "@babel/helper-regex": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/helper-regex/-/helper-regex-7.8.3.tgz",
+      "integrity": "sha512-BWt0QtYv/cg/NecOAZMdcn/waj/5P26DR4mVLXfFtDokSR6fyuG0Pj+e2FqtSME+MqED1khnSMulkmGl8qWiUQ==",
+      "requires": {
+        "lodash": "^4.17.13"
+      }
+    },
+    "@babel/helper-remap-async-to-generator": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/helper-remap-async-to-generator/-/helper-remap-async-to-generator-7.8.3.tgz",
+      "integrity": "sha512-kgwDmw4fCg7AVgS4DukQR/roGp+jP+XluJE5hsRZwxCYGg+Rv9wSGErDWhlI90FODdYfd4xG4AQRiMDjjN0GzA==",
+      "requires": {
+        "@babel/helper-annotate-as-pure": "^7.8.3",
+        "@babel/helper-wrap-function": "^7.8.3",
+        "@babel/template": "^7.8.3",
+        "@babel/traverse": "^7.8.3",
+        "@babel/types": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/code-frame": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.8.3.tgz",
+          "integrity": "sha512-a9gxpmdXtZEInkCSHUJDLHZVBgb1QS0jhss4cPP93EW7s+uC5bikET2twEF3KV+7rDblJcmNvTR7VJejqd2C2g==",
+          "requires": {
+            "@babel/highlight": "^7.8.3"
+          }
+        },
+        "@babel/generator": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.8.3.tgz",
+          "integrity": "sha512-WjoPk8hRpDRqqzRpvaR8/gDUPkrnOOeuT2m8cNICJtZH6mwaCo3v0OKMI7Y6SM1pBtyijnLtAL0HDi41pf41ug==",
+          "requires": {
+            "@babel/types": "^7.8.3",
+            "jsesc": "^2.5.1",
+            "lodash": "^4.17.13",
+            "source-map": "^0.5.0"
+          }
+        },
+        "@babel/helper-annotate-as-pure": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-annotate-as-pure/-/helper-annotate-as-pure-7.8.3.tgz",
+          "integrity": "sha512-6o+mJrZBxOoEX77Ezv9zwW7WV8DdluouRKNY/IR5u/YTMuKHgugHOzYWlYvYLpLA9nPsQCAAASpCIbjI9Mv+Uw==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-function-name": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.8.3.tgz",
+          "integrity": "sha512-BCxgX1BC2hD/oBlIFUgOCQDOPV8nSINxCwM3o93xP4P9Fq6aV5sgv2cOOITDMtCfQ+3PvHp3l689XZvAM9QyOA==",
+          "requires": {
+            "@babel/helper-get-function-arity": "^7.8.3",
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-get-function-arity": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.8.3.tgz",
+          "integrity": "sha512-FVDR+Gd9iLjUMY1fzE2SR0IuaJToR4RkCDARVfsBBPSP53GEqSFjD8gNyxg246VUyc/ALRxFaAK8rVG7UT7xRA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-split-export-declaration": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.8.3.tgz",
+          "integrity": "sha512-3x3yOeyBhW851hroze7ElzdkeRXQYQbFIb7gLK1WQYsw2GWDay5gAJNw1sWJ0VFP6z5J1whqeXH/WCdCjZv6dA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/highlight": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.8.3.tgz",
+          "integrity": "sha512-PX4y5xQUvy0fnEVHrYOarRPXVWafSjTW9T0Hab8gVIawpl2Sj0ORyrygANq+KjcNlSSTw0YCLSNA8OyZ1I4yEg==",
+          "requires": {
+            "chalk": "^2.0.0",
+            "esutils": "^2.0.2",
+            "js-tokens": "^4.0.0"
+          }
+        },
+        "@babel/parser": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.8.3.tgz",
+          "integrity": "sha512-/V72F4Yp/qmHaTALizEm9Gf2eQHV3QyTL3K0cNfijwnMnb1L+LDlAubb/ZnSdGAVzVSWakujHYs1I26x66sMeQ=="
+        },
+        "@babel/template": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.8.3.tgz",
+          "integrity": "sha512-04m87AcQgAFdvuoyiQ2kgELr2tV8B4fP/xJAVUL3Yb3bkNdMedD3d0rlSQr3PegP0cms3eHjl1F7PWlvWbU8FQ==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/traverse": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.8.3.tgz",
+          "integrity": "sha512-we+a2lti+eEImHmEXp7bM9cTxGzxPmBiVJlLVD+FuuQMeeO7RaDbutbgeheDkw+Xe3mCfJHnGOWLswT74m2IPg==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/generator": "^7.8.3",
+            "@babel/helper-function-name": "^7.8.3",
+            "@babel/helper-split-export-declaration": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3",
+            "debug": "^4.1.0",
+            "globals": "^11.1.0",
+            "lodash": "^4.17.13"
+          }
+        },
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "@babel/helper-replace-supers": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.7.4.tgz",
+      "integrity": "sha512-pP0tfgg9hsZWo5ZboYGuBn/bbYT/hdLPVSS4NMmiRJdwWhP0IznPwN9AE1JwyGsjSPLC364I0Qh5p+EPkGPNpg==",
+      "requires": {
+        "@babel/helper-member-expression-to-functions": "^7.7.4",
+        "@babel/helper-optimise-call-expression": "^7.7.4",
+        "@babel/traverse": "^7.7.4",
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-simple-access": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.7.4.tgz",
+      "integrity": "sha512-zK7THeEXfan7UlWsG2A6CI/L9jVnI5+xxKZOdej39Y0YtDYKx9raHk5F2EtK9K8DHRTihYwg20ADt9S36GR78A==",
+      "requires": {
+        "@babel/template": "^7.7.4",
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-split-export-declaration": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.7.4.tgz",
+      "integrity": "sha512-guAg1SXFcVr04Guk9eq0S4/rWS++sbmyqosJzVs8+1fH5NI+ZcmkaSkc7dmtAFbHFva6yRJnjW3yAcGxjueDug==",
+      "requires": {
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/helper-wrap-function": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/helper-wrap-function/-/helper-wrap-function-7.8.3.tgz",
+      "integrity": "sha512-LACJrbUET9cQDzb6kG7EeD7+7doC3JNvUgTEQOx2qaO1fKlzE/Bf05qs9w1oXQMmXlPO65lC3Tq9S6gZpTErEQ==",
+      "requires": {
+        "@babel/helper-function-name": "^7.8.3",
+        "@babel/template": "^7.8.3",
+        "@babel/traverse": "^7.8.3",
+        "@babel/types": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/code-frame": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.8.3.tgz",
+          "integrity": "sha512-a9gxpmdXtZEInkCSHUJDLHZVBgb1QS0jhss4cPP93EW7s+uC5bikET2twEF3KV+7rDblJcmNvTR7VJejqd2C2g==",
+          "requires": {
+            "@babel/highlight": "^7.8.3"
+          }
+        },
+        "@babel/generator": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.8.3.tgz",
+          "integrity": "sha512-WjoPk8hRpDRqqzRpvaR8/gDUPkrnOOeuT2m8cNICJtZH6mwaCo3v0OKMI7Y6SM1pBtyijnLtAL0HDi41pf41ug==",
+          "requires": {
+            "@babel/types": "^7.8.3",
+            "jsesc": "^2.5.1",
+            "lodash": "^4.17.13",
+            "source-map": "^0.5.0"
+          }
+        },
+        "@babel/helper-function-name": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.8.3.tgz",
+          "integrity": "sha512-BCxgX1BC2hD/oBlIFUgOCQDOPV8nSINxCwM3o93xP4P9Fq6aV5sgv2cOOITDMtCfQ+3PvHp3l689XZvAM9QyOA==",
+          "requires": {
+            "@babel/helper-get-function-arity": "^7.8.3",
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-get-function-arity": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.8.3.tgz",
+          "integrity": "sha512-FVDR+Gd9iLjUMY1fzE2SR0IuaJToR4RkCDARVfsBBPSP53GEqSFjD8gNyxg246VUyc/ALRxFaAK8rVG7UT7xRA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-split-export-declaration": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.8.3.tgz",
+          "integrity": "sha512-3x3yOeyBhW851hroze7ElzdkeRXQYQbFIb7gLK1WQYsw2GWDay5gAJNw1sWJ0VFP6z5J1whqeXH/WCdCjZv6dA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/highlight": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.8.3.tgz",
+          "integrity": "sha512-PX4y5xQUvy0fnEVHrYOarRPXVWafSjTW9T0Hab8gVIawpl2Sj0ORyrygANq+KjcNlSSTw0YCLSNA8OyZ1I4yEg==",
+          "requires": {
+            "chalk": "^2.0.0",
+            "esutils": "^2.0.2",
+            "js-tokens": "^4.0.0"
+          }
+        },
+        "@babel/parser": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.8.3.tgz",
+          "integrity": "sha512-/V72F4Yp/qmHaTALizEm9Gf2eQHV3QyTL3K0cNfijwnMnb1L+LDlAubb/ZnSdGAVzVSWakujHYs1I26x66sMeQ=="
+        },
+        "@babel/template": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.8.3.tgz",
+          "integrity": "sha512-04m87AcQgAFdvuoyiQ2kgELr2tV8B4fP/xJAVUL3Yb3bkNdMedD3d0rlSQr3PegP0cms3eHjl1F7PWlvWbU8FQ==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/traverse": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.8.3.tgz",
+          "integrity": "sha512-we+a2lti+eEImHmEXp7bM9cTxGzxPmBiVJlLVD+FuuQMeeO7RaDbutbgeheDkw+Xe3mCfJHnGOWLswT74m2IPg==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/generator": "^7.8.3",
+            "@babel/helper-function-name": "^7.8.3",
+            "@babel/helper-split-export-declaration": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3",
+            "debug": "^4.1.0",
+            "globals": "^11.1.0",
+            "lodash": "^4.17.13"
+          }
+        },
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "@babel/helpers": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.7.4.tgz",
+      "integrity": "sha512-ak5NGZGJ6LV85Q1Zc9gn2n+ayXOizryhjSUBTdu5ih1tlVCJeuQENzc4ItyCVhINVXvIT/ZQ4mheGIsfBkpskg==",
+      "requires": {
+        "@babel/template": "^7.7.4",
+        "@babel/traverse": "^7.7.4",
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/highlight": {
+      "version": "7.5.0",
+      "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.5.0.tgz",
+      "integrity": "sha512-7dV4eu9gBxoM0dAnj/BCFDW9LFU0zvTrkq0ugM7pnHEgguOEeOz1so2ZghEdzviYzQEED0r4EAgpsBChKy1TRQ==",
+      "requires": {
+        "chalk": "^2.0.0",
+        "esutils": "^2.0.2",
+        "js-tokens": "^4.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "@babel/parser": {
+      "version": "7.7.5",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.7.5.tgz",
+      "integrity": "sha512-KNlOe9+/nk4i29g0VXgl8PEXIRms5xKLJeuZ6UptN0fHv+jDiriG+y94X6qAgWTR0h3KaoM1wK5G5h7MHFRSig=="
+    },
+    "@babel/plugin-proposal-async-generator-functions": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-async-generator-functions/-/plugin-proposal-async-generator-functions-7.8.3.tgz",
+      "integrity": "sha512-NZ9zLv848JsV3hs8ryEh7Uaz/0KsmPLqv0+PdkDJL1cJy0K4kOCFa8zc1E3mp+RHPQcpdfb/6GovEsW4VDrOMw==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/helper-remap-async-to-generator": "^7.8.3",
+        "@babel/plugin-syntax-async-generators": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-proposal-class-properties": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-class-properties/-/plugin-proposal-class-properties-7.7.4.tgz",
+      "integrity": "sha512-EcuXeV4Hv1X3+Q1TsuOmyyxeTRiSqurGJ26+I/FW1WbymmRRapVORm6x1Zl3iDIHyRxEs+VXWp6qnlcfcJSbbw==",
+      "requires": {
+        "@babel/helper-create-class-features-plugin": "^7.7.4",
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-proposal-dynamic-import": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-dynamic-import/-/plugin-proposal-dynamic-import-7.8.3.tgz",
+      "integrity": "sha512-NyaBbyLFXFLT9FP+zk0kYlUlA8XtCUbehs67F0nnEg7KICgMc2mNkIeu9TYhKzyXMkrapZFwAhXLdnt4IYHy1w==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/plugin-syntax-dynamic-import": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        },
+        "@babel/plugin-syntax-dynamic-import": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-dynamic-import/-/plugin-syntax-dynamic-import-7.8.3.tgz",
+          "integrity": "sha512-5gdGbFon+PszYzqs83S3E5mpi7/y/8M9eC90MRTZfduQOYW76ig6SOSPNe41IG5LoP3FGBn2N0RjVDSQiS94kQ==",
+          "requires": {
+            "@babel/helper-plugin-utils": "^7.8.0"
+          }
+        }
+      }
+    },
+    "@babel/plugin-proposal-json-strings": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-json-strings/-/plugin-proposal-json-strings-7.8.3.tgz",
+      "integrity": "sha512-KGhQNZ3TVCQG/MjRbAUwuH+14y9q0tpxs1nWWs3pbSleRdDro9SAMMDyye8HhY1gqZ7/NqIc8SKhya0wRDgP1Q==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/plugin-syntax-json-strings": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-proposal-nullish-coalescing-operator": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-nullish-coalescing-operator/-/plugin-proposal-nullish-coalescing-operator-7.7.4.tgz",
+      "integrity": "sha512-TbYHmr1Gl1UC7Vo2HVuj/Naci5BEGNZ0AJhzqD2Vpr6QPFWpUmBRLrIDjedzx7/CShq0bRDS2gI4FIs77VHLVQ==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-syntax-nullish-coalescing-operator": "^7.7.4"
+      }
+    },
+    "@babel/plugin-proposal-object-rest-spread": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-object-rest-spread/-/plugin-proposal-object-rest-spread-7.7.4.tgz",
+      "integrity": "sha512-rnpnZR3/iWKmiQyJ3LKJpSwLDcX/nSXhdLk4Aq/tXOApIvyu7qoabrige0ylsAJffaUC51WiBu209Q0U+86OWQ==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-syntax-object-rest-spread": "^7.7.4"
+      }
+    },
+    "@babel/plugin-proposal-optional-catch-binding": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-optional-catch-binding/-/plugin-proposal-optional-catch-binding-7.8.3.tgz",
+      "integrity": "sha512-0gkX7J7E+AtAw9fcwlVQj8peP61qhdg/89D5swOkjYbkboA2CVckn3kiyum1DE0wskGb7KJJxBdyEBApDLLVdw==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/plugin-syntax-optional-catch-binding": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-proposal-optional-chaining": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-optional-chaining/-/plugin-proposal-optional-chaining-7.7.4.tgz",
+      "integrity": "sha512-JmgaS+ygAWDR/STPe3/7y0lNlHgS+19qZ9aC06nYLwQ/XB7c0q5Xs+ksFU3EDnp9EiEsO0dnRAOKeyLHTZuW3A==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-syntax-optional-chaining": "^7.7.4"
+      }
+    },
+    "@babel/plugin-proposal-unicode-property-regex": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-unicode-property-regex/-/plugin-proposal-unicode-property-regex-7.8.3.tgz",
+      "integrity": "sha512-1/1/rEZv2XGweRwwSkLpY+s60za9OZ1hJs4YDqFHCw0kYWYwL5IFljVY1MYBL+weT1l9pokDO2uhSTLVxzoHkQ==",
+      "requires": {
+        "@babel/helper-create-regexp-features-plugin": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-syntax-async-generators": {
+      "version": "7.8.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-async-generators/-/plugin-syntax-async-generators-7.8.4.tgz",
+      "integrity": "sha512-tycmZxkGfZaxhMRbXlPXuVFpdWlXpir2W4AMhSJgRKzk/eDlIXOhb2LHWoLpDF7TEHylV5zNhykX6KAgHJmTNw==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-syntax-class-properties": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-class-properties/-/plugin-syntax-class-properties-7.7.4.tgz",
+      "integrity": "sha512-JH3v5ZOeKT0qqdJ9BeBcZTFQiJOMax8RopSr1bH6ASkZKo2qWsvBML7W1mp89sszBRDBBRO8snqcByGdrMTdMg==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-syntax-dynamic-import": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-dynamic-import/-/plugin-syntax-dynamic-import-7.2.0.tgz",
+      "integrity": "sha512-mVxuJ0YroI/h/tbFTPGZR8cv6ai+STMKNBq0f8hFxsxWjl94qqhsb+wXbpNMDPU3cfR1TIsVFzU3nXyZMqyK4w==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-syntax-flow": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-flow/-/plugin-syntax-flow-7.7.4.tgz",
+      "integrity": "sha512-2AMAWl5PsmM5KPkB22cvOkUyWk6MjUaqhHNU5nSPUl/ns3j5qLfw2SuYP5RbVZ0tfLvePr4zUScbICtDP2CUNw==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-syntax-json-strings": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-json-strings/-/plugin-syntax-json-strings-7.8.3.tgz",
+      "integrity": "sha512-lY6kdGpWHvjoe2vk4WrAapEuBR69EMxZl+RoGRhrFGNYVK8mOPAW8VfbT/ZgrFbXlDNiiaxQnAtgVCZ6jv30EA==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-syntax-jsx": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.7.4.tgz",
+      "integrity": "sha512-wuy6fiMe9y7HeZBWXYCGt2RGxZOj0BImZ9EyXJVnVGBKO/Br592rbR3rtIQn0eQhAk9vqaKP5n8tVqEFBQMfLg==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-syntax-nullish-coalescing-operator": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-nullish-coalescing-operator/-/plugin-syntax-nullish-coalescing-operator-7.8.3.tgz",
+      "integrity": "sha512-aSff4zPII1u2QD7y+F8oDsz19ew4IGEJg9SVW+bqwpwtfFleiQDMdzA/R+UlWDzfnHFCxxleFT0PMIrR36XLNQ==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-syntax-object-rest-spread": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-object-rest-spread/-/plugin-syntax-object-rest-spread-7.7.4.tgz",
+      "integrity": "sha512-mObR+r+KZq0XhRVS2BrBKBpr5jqrqzlPvS9C9vuOf5ilSwzloAl7RPWLrgKdWS6IreaVrjHxTjtyqFiOisaCwg==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-syntax-optional-catch-binding": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-optional-catch-binding/-/plugin-syntax-optional-catch-binding-7.8.3.tgz",
+      "integrity": "sha512-6VPD0Pc1lpTqw0aKoeRTMiB+kWhAoT24PA+ksWSBrFtl5SIRVpZlwN3NNPQjehA2E/91FV3RjLWoVTglWcSV3Q==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-syntax-optional-chaining": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-optional-chaining/-/plugin-syntax-optional-chaining-7.8.3.tgz",
+      "integrity": "sha512-KoK9ErH1MBlCPxV0VANkXW2/dw4vlbGDrFgz8bmUsBGYkFRcbRwMh6cIJubdPrkxRwuGdtCk0v/wPTKbQgBjkg==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.0"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-syntax-top-level-await": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-top-level-await/-/plugin-syntax-top-level-await-7.8.3.tgz",
+      "integrity": "sha512-kwj1j9lL/6Wd0hROD3b/OZZ7MSrZLqqn9RAZ5+cYYsflQ9HZBIKCUkr3+uL1MEJ1NePiUbf98jjiMQSv0NMR9g==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-syntax-typescript": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-typescript/-/plugin-syntax-typescript-7.8.3.tgz",
+      "integrity": "sha512-GO1MQ/SGGGoiEXY0e0bSpHimJvxqB7lktLLIq2pv8xG7WZ8IMEle74jIe1FhprHBWjwjZtXHkycDLZXIWM5Wfg==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-transform-arrow-functions": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-arrow-functions/-/plugin-transform-arrow-functions-7.7.4.tgz",
+      "integrity": "sha512-zUXy3e8jBNPiffmqkHRNDdZM2r8DWhCB7HhcoyZjiK1TxYEluLHAvQuYnTT+ARqRpabWqy/NHkO6e3MsYB5YfA==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-async-to-generator": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-async-to-generator/-/plugin-transform-async-to-generator-7.8.3.tgz",
+      "integrity": "sha512-imt9tFLD9ogt56Dd5CI/6XgpukMwd/fLGSrix2httihVe7LOGVPhyhMh1BU5kDM7iHD08i8uUtmV2sWaBFlHVQ==",
+      "requires": {
+        "@babel/helper-module-imports": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/helper-remap-async-to-generator": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-module-imports": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.8.3.tgz",
+          "integrity": "sha512-R0Bx3jippsbAEtzkpZ/6FIiuzOURPcMjHp+Z6xPe6DtApDJx+w7UYyOLanZqO8+wKR9G10s/FmHXvxaMd9s6Kg==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        },
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        }
+      }
+    },
+    "@babel/plugin-transform-block-scoped-functions": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-block-scoped-functions/-/plugin-transform-block-scoped-functions-7.7.4.tgz",
+      "integrity": "sha512-kqtQzwtKcpPclHYjLK//3lH8OFsCDuDJBaFhVwf8kqdnF6MN4l618UDlcA7TfRs3FayrHj+svYnSX8MC9zmUyQ==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-block-scoping": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-block-scoping/-/plugin-transform-block-scoping-7.7.4.tgz",
+      "integrity": "sha512-2VBe9u0G+fDt9B5OV5DQH4KBf5DoiNkwFKOz0TCvBWvdAN2rOykCTkrL+jTLxfCAm76l9Qo5OqL7HBOx2dWggg==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "lodash": "^4.17.13"
+      }
+    },
+    "@babel/plugin-transform-classes": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-classes/-/plugin-transform-classes-7.7.4.tgz",
+      "integrity": "sha512-sK1mjWat7K+buWRuImEzjNf68qrKcrddtpQo3swi9j7dUcG6y6R6+Di039QN2bD1dykeswlagupEmpOatFHHUg==",
+      "requires": {
+        "@babel/helper-annotate-as-pure": "^7.7.4",
+        "@babel/helper-define-map": "^7.7.4",
+        "@babel/helper-function-name": "^7.7.4",
+        "@babel/helper-optimise-call-expression": "^7.7.4",
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/helper-replace-supers": "^7.7.4",
+        "@babel/helper-split-export-declaration": "^7.7.4",
+        "globals": "^11.1.0"
+      }
+    },
+    "@babel/plugin-transform-computed-properties": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-computed-properties/-/plugin-transform-computed-properties-7.7.4.tgz",
+      "integrity": "sha512-bSNsOsZnlpLLyQew35rl4Fma3yKWqK3ImWMSC/Nc+6nGjC9s5NFWAer1YQ899/6s9HxO2zQC1WoFNfkOqRkqRQ==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-destructuring": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-destructuring/-/plugin-transform-destructuring-7.7.4.tgz",
+      "integrity": "sha512-4jFMXI1Cu2aXbcXXl8Lr6YubCn6Oc7k9lLsu8v61TZh+1jny2BWmdtvY9zSUlLdGUvcy9DMAWyZEOqjsbeg/wA==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-dotall-regex": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-dotall-regex/-/plugin-transform-dotall-regex-7.8.3.tgz",
+      "integrity": "sha512-kLs1j9Nn4MQoBYdRXH6AeaXMbEJFaFu/v1nQkvib6QzTj8MZI5OQzqmD83/2jEM1z0DLilra5aWO5YpyC0ALIw==",
+      "requires": {
+        "@babel/helper-create-regexp-features-plugin": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-transform-duplicate-keys": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-duplicate-keys/-/plugin-transform-duplicate-keys-7.8.3.tgz",
+      "integrity": "sha512-s8dHiBUbcbSgipS4SMFuWGqCvyge5V2ZeAWzR6INTVC3Ltjig/Vw1G2Gztv0vU/hRG9X8IvKvYdoksnUfgXOEQ==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-transform-exponentiation-operator": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-exponentiation-operator/-/plugin-transform-exponentiation-operator-7.8.3.tgz",
+      "integrity": "sha512-zwIpuIymb3ACcInbksHaNcR12S++0MDLKkiqXHl3AzpgdKlFNhog+z/K0+TGW+b0w5pgTq4H6IwV/WhxbGYSjQ==",
+      "requires": {
+        "@babel/helper-builder-binary-assignment-operator-visitor": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-transform-flow-strip-types": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-flow-strip-types/-/plugin-transform-flow-strip-types-7.7.4.tgz",
+      "integrity": "sha512-w9dRNlHY5ElNimyMYy0oQowvQpwt/PRHI0QS98ZJCTZU2bvSnKXo5zEiD5u76FBPigTm8TkqzmnUTg16T7qbkA==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-syntax-flow": "^7.7.4"
+      }
+    },
+    "@babel/plugin-transform-for-of": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-for-of/-/plugin-transform-for-of-7.7.4.tgz",
+      "integrity": "sha512-zZ1fD1B8keYtEcKF+M1TROfeHTKnijcVQm0yO/Yu1f7qoDoxEIc/+GX6Go430Bg84eM/xwPFp0+h4EbZg7epAA==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-function-name": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-function-name/-/plugin-transform-function-name-7.7.4.tgz",
+      "integrity": "sha512-E/x09TvjHNhsULs2IusN+aJNRV5zKwxu1cpirZyRPw+FyyIKEHPXTsadj48bVpc1R5Qq1B5ZkzumuFLytnbT6g==",
+      "requires": {
+        "@babel/helper-function-name": "^7.7.4",
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-literals": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-literals/-/plugin-transform-literals-7.7.4.tgz",
+      "integrity": "sha512-X2MSV7LfJFm4aZfxd0yLVFrEXAgPqYoDG53Br/tCKiKYfX0MjVjQeWPIhPHHsCqzwQANq+FLN786fF5rgLS+gw==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-member-expression-literals": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-member-expression-literals/-/plugin-transform-member-expression-literals-7.7.4.tgz",
+      "integrity": "sha512-9VMwMO7i69LHTesL0RdGy93JU6a+qOPuvB4F4d0kR0zyVjJRVJRaoaGjhtki6SzQUu8yen/vxPKN6CWnCUw6bA==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-modules-amd": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-amd/-/plugin-transform-modules-amd-7.8.3.tgz",
+      "integrity": "sha512-MadJiU3rLKclzT5kBH4yxdry96odTUwuqrZM+GllFI/VhxfPz+k9MshJM+MwhfkCdxxclSbSBbUGciBngR+kEQ==",
+      "requires": {
+        "@babel/helper-module-transforms": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "babel-plugin-dynamic-import-node": "^2.3.0"
+      },
+      "dependencies": {
+        "@babel/code-frame": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.8.3.tgz",
+          "integrity": "sha512-a9gxpmdXtZEInkCSHUJDLHZVBgb1QS0jhss4cPP93EW7s+uC5bikET2twEF3KV+7rDblJcmNvTR7VJejqd2C2g==",
+          "requires": {
+            "@babel/highlight": "^7.8.3"
+          }
+        },
+        "@babel/helper-module-imports": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.8.3.tgz",
+          "integrity": "sha512-R0Bx3jippsbAEtzkpZ/6FIiuzOURPcMjHp+Z6xPe6DtApDJx+w7UYyOLanZqO8+wKR9G10s/FmHXvxaMd9s6Kg==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-module-transforms": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.8.3.tgz",
+          "integrity": "sha512-C7NG6B7vfBa/pwCOshpMbOYUmrYQDfCpVL/JCRu0ek8B5p8kue1+BCXpg2vOYs7w5ACB9GTOBYQ5U6NwrMg+3Q==",
+          "requires": {
+            "@babel/helper-module-imports": "^7.8.3",
+            "@babel/helper-simple-access": "^7.8.3",
+            "@babel/helper-split-export-declaration": "^7.8.3",
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3",
+            "lodash": "^4.17.13"
+          }
+        },
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        },
+        "@babel/helper-simple-access": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.8.3.tgz",
+          "integrity": "sha512-VNGUDjx5cCWg4vvCTR8qQ7YJYZ+HBjxOgXEl7ounz+4Sn7+LMD3CFrCTEU6/qXKbA2nKg21CwhhBzO0RpRbdCw==",
+          "requires": {
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-split-export-declaration": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.8.3.tgz",
+          "integrity": "sha512-3x3yOeyBhW851hroze7ElzdkeRXQYQbFIb7gLK1WQYsw2GWDay5gAJNw1sWJ0VFP6z5J1whqeXH/WCdCjZv6dA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/highlight": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.8.3.tgz",
+          "integrity": "sha512-PX4y5xQUvy0fnEVHrYOarRPXVWafSjTW9T0Hab8gVIawpl2Sj0ORyrygANq+KjcNlSSTw0YCLSNA8OyZ1I4yEg==",
+          "requires": {
+            "chalk": "^2.0.0",
+            "esutils": "^2.0.2",
+            "js-tokens": "^4.0.0"
+          }
+        },
+        "@babel/parser": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.8.3.tgz",
+          "integrity": "sha512-/V72F4Yp/qmHaTALizEm9Gf2eQHV3QyTL3K0cNfijwnMnb1L+LDlAubb/ZnSdGAVzVSWakujHYs1I26x66sMeQ=="
+        },
+        "@babel/template": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.8.3.tgz",
+          "integrity": "sha512-04m87AcQgAFdvuoyiQ2kgELr2tV8B4fP/xJAVUL3Yb3bkNdMedD3d0rlSQr3PegP0cms3eHjl1F7PWlvWbU8FQ==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "@babel/plugin-transform-modules-commonjs": {
+      "version": "7.7.5",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-commonjs/-/plugin-transform-modules-commonjs-7.7.5.tgz",
+      "integrity": "sha512-9Cq4zTFExwFhQI6MT1aFxgqhIsMWQWDVwOgLzl7PTWJHsNaqFvklAU+Oz6AQLAS0dJKTwZSOCo20INwktxpi3Q==",
+      "requires": {
+        "@babel/helper-module-transforms": "^7.7.5",
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/helper-simple-access": "^7.7.4",
+        "babel-plugin-dynamic-import-node": "^2.3.0"
+      }
+    },
+    "@babel/plugin-transform-modules-systemjs": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.8.3.tgz",
+      "integrity": "sha512-8cESMCJjmArMYqa9AO5YuMEkE4ds28tMpZcGZB/jl3n0ZzlsxOAi3mC+SKypTfT8gjMupCnd3YiXCkMjj2jfOg==",
+      "requires": {
+        "@babel/helper-hoist-variables": "^7.8.3",
+        "@babel/helper-module-transforms": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "babel-plugin-dynamic-import-node": "^2.3.0"
+      },
+      "dependencies": {
+        "@babel/code-frame": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.8.3.tgz",
+          "integrity": "sha512-a9gxpmdXtZEInkCSHUJDLHZVBgb1QS0jhss4cPP93EW7s+uC5bikET2twEF3KV+7rDblJcmNvTR7VJejqd2C2g==",
+          "requires": {
+            "@babel/highlight": "^7.8.3"
+          }
+        },
+        "@babel/helper-hoist-variables": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.8.3.tgz",
+          "integrity": "sha512-ky1JLOjcDUtSc+xkt0xhYff7Z6ILTAHKmZLHPxAhOP0Nd77O+3nCsd6uSVYur6nJnCI029CrNbYlc0LoPfAPQg==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-module-imports": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.8.3.tgz",
+          "integrity": "sha512-R0Bx3jippsbAEtzkpZ/6FIiuzOURPcMjHp+Z6xPe6DtApDJx+w7UYyOLanZqO8+wKR9G10s/FmHXvxaMd9s6Kg==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-module-transforms": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.8.3.tgz",
+          "integrity": "sha512-C7NG6B7vfBa/pwCOshpMbOYUmrYQDfCpVL/JCRu0ek8B5p8kue1+BCXpg2vOYs7w5ACB9GTOBYQ5U6NwrMg+3Q==",
+          "requires": {
+            "@babel/helper-module-imports": "^7.8.3",
+            "@babel/helper-simple-access": "^7.8.3",
+            "@babel/helper-split-export-declaration": "^7.8.3",
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3",
+            "lodash": "^4.17.13"
+          }
+        },
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        },
+        "@babel/helper-simple-access": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.8.3.tgz",
+          "integrity": "sha512-VNGUDjx5cCWg4vvCTR8qQ7YJYZ+HBjxOgXEl7ounz+4Sn7+LMD3CFrCTEU6/qXKbA2nKg21CwhhBzO0RpRbdCw==",
+          "requires": {
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-split-export-declaration": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.8.3.tgz",
+          "integrity": "sha512-3x3yOeyBhW851hroze7ElzdkeRXQYQbFIb7gLK1WQYsw2GWDay5gAJNw1sWJ0VFP6z5J1whqeXH/WCdCjZv6dA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/highlight": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.8.3.tgz",
+          "integrity": "sha512-PX4y5xQUvy0fnEVHrYOarRPXVWafSjTW9T0Hab8gVIawpl2Sj0ORyrygANq+KjcNlSSTw0YCLSNA8OyZ1I4yEg==",
+          "requires": {
+            "chalk": "^2.0.0",
+            "esutils": "^2.0.2",
+            "js-tokens": "^4.0.0"
+          }
+        },
+        "@babel/parser": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.8.3.tgz",
+          "integrity": "sha512-/V72F4Yp/qmHaTALizEm9Gf2eQHV3QyTL3K0cNfijwnMnb1L+LDlAubb/ZnSdGAVzVSWakujHYs1I26x66sMeQ=="
+        },
+        "@babel/template": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.8.3.tgz",
+          "integrity": "sha512-04m87AcQgAFdvuoyiQ2kgELr2tV8B4fP/xJAVUL3Yb3bkNdMedD3d0rlSQr3PegP0cms3eHjl1F7PWlvWbU8FQ==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "@babel/plugin-transform-modules-umd": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-umd/-/plugin-transform-modules-umd-7.8.3.tgz",
+      "integrity": "sha512-evhTyWhbwbI3/U6dZAnx/ePoV7H6OUG+OjiJFHmhr9FPn0VShjwC2kdxqIuQ/+1P50TMrneGzMeyMTFOjKSnAw==",
+      "requires": {
+        "@babel/helper-module-transforms": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/code-frame": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.8.3.tgz",
+          "integrity": "sha512-a9gxpmdXtZEInkCSHUJDLHZVBgb1QS0jhss4cPP93EW7s+uC5bikET2twEF3KV+7rDblJcmNvTR7VJejqd2C2g==",
+          "requires": {
+            "@babel/highlight": "^7.8.3"
+          }
+        },
+        "@babel/helper-module-imports": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.8.3.tgz",
+          "integrity": "sha512-R0Bx3jippsbAEtzkpZ/6FIiuzOURPcMjHp+Z6xPe6DtApDJx+w7UYyOLanZqO8+wKR9G10s/FmHXvxaMd9s6Kg==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-module-transforms": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.8.3.tgz",
+          "integrity": "sha512-C7NG6B7vfBa/pwCOshpMbOYUmrYQDfCpVL/JCRu0ek8B5p8kue1+BCXpg2vOYs7w5ACB9GTOBYQ5U6NwrMg+3Q==",
+          "requires": {
+            "@babel/helper-module-imports": "^7.8.3",
+            "@babel/helper-simple-access": "^7.8.3",
+            "@babel/helper-split-export-declaration": "^7.8.3",
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3",
+            "lodash": "^4.17.13"
+          }
+        },
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        },
+        "@babel/helper-simple-access": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.8.3.tgz",
+          "integrity": "sha512-VNGUDjx5cCWg4vvCTR8qQ7YJYZ+HBjxOgXEl7ounz+4Sn7+LMD3CFrCTEU6/qXKbA2nKg21CwhhBzO0RpRbdCw==",
+          "requires": {
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-split-export-declaration": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.8.3.tgz",
+          "integrity": "sha512-3x3yOeyBhW851hroze7ElzdkeRXQYQbFIb7gLK1WQYsw2GWDay5gAJNw1sWJ0VFP6z5J1whqeXH/WCdCjZv6dA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/highlight": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.8.3.tgz",
+          "integrity": "sha512-PX4y5xQUvy0fnEVHrYOarRPXVWafSjTW9T0Hab8gVIawpl2Sj0ORyrygANq+KjcNlSSTw0YCLSNA8OyZ1I4yEg==",
+          "requires": {
+            "chalk": "^2.0.0",
+            "esutils": "^2.0.2",
+            "js-tokens": "^4.0.0"
+          }
+        },
+        "@babel/parser": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.8.3.tgz",
+          "integrity": "sha512-/V72F4Yp/qmHaTALizEm9Gf2eQHV3QyTL3K0cNfijwnMnb1L+LDlAubb/ZnSdGAVzVSWakujHYs1I26x66sMeQ=="
+        },
+        "@babel/template": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.8.3.tgz",
+          "integrity": "sha512-04m87AcQgAFdvuoyiQ2kgELr2tV8B4fP/xJAVUL3Yb3bkNdMedD3d0rlSQr3PegP0cms3eHjl1F7PWlvWbU8FQ==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "@babel/plugin-transform-named-capturing-groups-regex": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-named-capturing-groups-regex/-/plugin-transform-named-capturing-groups-regex-7.8.3.tgz",
+      "integrity": "sha512-f+tF/8UVPU86TrCb06JoPWIdDpTNSGGcAtaD9mLP0aYGA0OS0j7j7DHJR0GTFrUZPUU6loZhbsVZgTh0N+Qdnw==",
+      "requires": {
+        "@babel/helper-create-regexp-features-plugin": "^7.8.3"
+      }
+    },
+    "@babel/plugin-transform-new-target": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-new-target/-/plugin-transform-new-target-7.8.3.tgz",
+      "integrity": "sha512-QuSGysibQpyxexRyui2vca+Cmbljo8bcRckgzYV4kRIsHpVeyeC3JDO63pY+xFZ6bWOBn7pfKZTqV4o/ix9sFw==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-transform-object-super": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-object-super/-/plugin-transform-object-super-7.7.4.tgz",
+      "integrity": "sha512-ho+dAEhC2aRnff2JCA0SAK7V2R62zJd/7dmtoe7MHcso4C2mS+vZjn1Pb1pCVZvJs1mgsvv5+7sT+m3Bysb6eg==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/helper-replace-supers": "^7.7.4"
+      }
+    },
+    "@babel/plugin-transform-parameters": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-parameters/-/plugin-transform-parameters-7.7.4.tgz",
+      "integrity": "sha512-VJwhVePWPa0DqE9vcfptaJSzNDKrWU/4FbYCjZERtmqEs05g3UMXnYMZoXja7JAJ7Y7sPZipwm/pGApZt7wHlw==",
+      "requires": {
+        "@babel/helper-call-delegate": "^7.7.4",
+        "@babel/helper-get-function-arity": "^7.7.4",
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-property-literals": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-property-literals/-/plugin-transform-property-literals-7.7.4.tgz",
+      "integrity": "sha512-MatJhlC4iHsIskWYyawl53KuHrt+kALSADLQQ/HkhTjX954fkxIEh4q5slL4oRAnsm/eDoZ4q0CIZpcqBuxhJQ==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-react-display-name": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-display-name/-/plugin-transform-react-display-name-7.7.4.tgz",
+      "integrity": "sha512-sBbIvqYkthai0X0vkD2xsAwluBp+LtNHH+/V4a5ydifmTtb8KOVOlrMIk/MYmIc4uTYDnjZUHQildYNo36SRJw==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-react-jsx": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx/-/plugin-transform-react-jsx-7.7.4.tgz",
+      "integrity": "sha512-LixU4BS95ZTEAZdPaIuyg/k8FiiqN9laQ0dMHB4MlpydHY53uQdWCUrwjLr5o6ilS6fAgZey4Q14XBjl5tL6xw==",
+      "requires": {
+        "@babel/helper-builder-react-jsx": "^7.7.4",
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-syntax-jsx": "^7.7.4"
+      }
+    },
+    "@babel/plugin-transform-react-jsx-self": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx-self/-/plugin-transform-react-jsx-self-7.8.3.tgz",
+      "integrity": "sha512-01OT7s5oa0XTLf2I8XGsL8+KqV9lx3EZV+jxn/L2LQ97CGKila2YMroTkCEIE0HV/FF7CMSRsIAybopdN9NTdg==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/plugin-syntax-jsx": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        },
+        "@babel/plugin-syntax-jsx": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.8.3.tgz",
+          "integrity": "sha512-WxdW9xyLgBdefoo0Ynn3MRSkhe5tFVxxKNVdnZSh318WrG2e2jH+E9wd/++JsqcLJZPfz87njQJ8j2Upjm0M0A==",
+          "requires": {
+            "@babel/helper-plugin-utils": "^7.8.3"
+          }
+        }
+      }
+    },
+    "@babel/plugin-transform-react-jsx-source": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx-source/-/plugin-transform-react-jsx-source-7.8.3.tgz",
+      "integrity": "sha512-PLMgdMGuVDtRS/SzjNEQYUT8f4z1xb2BAT54vM1X5efkVuYBf5WyGUMbpmARcfq3NaglIwz08UVQK4HHHbC6ag==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/plugin-syntax-jsx": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        },
+        "@babel/plugin-syntax-jsx": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.8.3.tgz",
+          "integrity": "sha512-WxdW9xyLgBdefoo0Ynn3MRSkhe5tFVxxKNVdnZSh318WrG2e2jH+E9wd/++JsqcLJZPfz87njQJ8j2Upjm0M0A==",
+          "requires": {
+            "@babel/helper-plugin-utils": "^7.8.3"
+          }
+        }
+      }
+    },
+    "@babel/plugin-transform-regenerator": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-regenerator/-/plugin-transform-regenerator-7.8.3.tgz",
+      "integrity": "sha512-qt/kcur/FxrQrzFR432FGZznkVAjiyFtCOANjkAKwCbt465L6ZCiUQh2oMYGU3Wo8LRFJxNDFwWn106S5wVUNA==",
+      "requires": {
+        "regenerator-transform": "^0.14.0"
+      }
+    },
+    "@babel/plugin-transform-reserved-words": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-reserved-words/-/plugin-transform-reserved-words-7.8.3.tgz",
+      "integrity": "sha512-mwMxcycN3omKFDjDQUl+8zyMsBfjRFr0Zn/64I41pmjv4NJuqcYlEtezwYtw9TFd9WR1vN5kiM+O0gMZzO6L0A==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-transform-runtime": {
+      "version": "7.6.2",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-runtime/-/plugin-transform-runtime-7.6.2.tgz",
+      "integrity": "sha512-cqULw/QB4yl73cS5Y0TZlQSjDvNkzDbu0FurTZyHlJpWE5T3PCMdnyV+xXoH1opr1ldyHODe3QAX3OMAii5NxA==",
+      "requires": {
+        "@babel/helper-module-imports": "^7.0.0",
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "resolve": "^1.8.1",
+        "semver": "^5.5.1"
+      }
+    },
+    "@babel/plugin-transform-shorthand-properties": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-shorthand-properties/-/plugin-transform-shorthand-properties-7.7.4.tgz",
+      "integrity": "sha512-q+suddWRfIcnyG5YiDP58sT65AJDZSUhXQDZE3r04AuqD6d/XLaQPPXSBzP2zGerkgBivqtQm9XKGLuHqBID6Q==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-spread": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-spread/-/plugin-transform-spread-7.7.4.tgz",
+      "integrity": "sha512-8OSs0FLe5/80cndziPlg4R0K6HcWSM0zyNhHhLsmw/Nc5MaA49cAsnoJ/t/YZf8qkG7fD+UjTRaApVDB526d7Q==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-sticky-regex": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-sticky-regex/-/plugin-transform-sticky-regex-7.8.3.tgz",
+      "integrity": "sha512-9Spq0vGCD5Bb4Z/ZXXSK5wbbLFMG085qd2vhL1JYu1WcQ5bXqZBAYRzU1d+p79GcHs2szYv5pVQCX13QgldaWw==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/helper-regex": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-transform-template-literals": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-template-literals/-/plugin-transform-template-literals-7.7.4.tgz",
+      "integrity": "sha512-sA+KxLwF3QwGj5abMHkHgshp9+rRz+oY9uoRil4CyLtgEuE/88dpkeWgNk5qKVsJE9iSfly3nvHapdRiIS2wnQ==",
+      "requires": {
+        "@babel/helper-annotate-as-pure": "^7.7.4",
+        "@babel/helper-plugin-utils": "^7.0.0"
+      }
+    },
+    "@babel/plugin-transform-typeof-symbol": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-typeof-symbol/-/plugin-transform-typeof-symbol-7.8.3.tgz",
+      "integrity": "sha512-3TrkKd4LPqm4jHs6nPtSDI/SV9Cm5PRJkHLUgTcqRQQTMAZ44ZaAdDZJtvWFSaRcvT0a1rTmJ5ZA5tDKjleF3g==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/plugin-transform-typescript": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-typescript/-/plugin-transform-typescript-7.8.3.tgz",
+      "integrity": "sha512-Ebj230AxcrKGZPKIp4g4TdQLrqX95TobLUWKd/CwG7X1XHUH1ZpkpFvXuXqWbtGRWb7uuEWNlrl681wsOArAdQ==",
+      "requires": {
+        "@babel/helper-create-class-features-plugin": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3",
+        "@babel/plugin-syntax-typescript": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/code-frame": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.8.3.tgz",
+          "integrity": "sha512-a9gxpmdXtZEInkCSHUJDLHZVBgb1QS0jhss4cPP93EW7s+uC5bikET2twEF3KV+7rDblJcmNvTR7VJejqd2C2g==",
+          "requires": {
+            "@babel/highlight": "^7.8.3"
+          }
+        },
+        "@babel/generator": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.8.3.tgz",
+          "integrity": "sha512-WjoPk8hRpDRqqzRpvaR8/gDUPkrnOOeuT2m8cNICJtZH6mwaCo3v0OKMI7Y6SM1pBtyijnLtAL0HDi41pf41ug==",
+          "requires": {
+            "@babel/types": "^7.8.3",
+            "jsesc": "^2.5.1",
+            "lodash": "^4.17.13",
+            "source-map": "^0.5.0"
+          }
+        },
+        "@babel/helper-create-class-features-plugin": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-create-class-features-plugin/-/helper-create-class-features-plugin-7.8.3.tgz",
+          "integrity": "sha512-qmp4pD7zeTxsv0JNecSBsEmG1ei2MqwJq4YQcK3ZWm/0t07QstWfvuV/vm3Qt5xNMFETn2SZqpMx2MQzbtq+KA==",
+          "requires": {
+            "@babel/helper-function-name": "^7.8.3",
+            "@babel/helper-member-expression-to-functions": "^7.8.3",
+            "@babel/helper-optimise-call-expression": "^7.8.3",
+            "@babel/helper-plugin-utils": "^7.8.3",
+            "@babel/helper-replace-supers": "^7.8.3",
+            "@babel/helper-split-export-declaration": "^7.8.3"
+          }
+        },
+        "@babel/helper-function-name": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.8.3.tgz",
+          "integrity": "sha512-BCxgX1BC2hD/oBlIFUgOCQDOPV8nSINxCwM3o93xP4P9Fq6aV5sgv2cOOITDMtCfQ+3PvHp3l689XZvAM9QyOA==",
+          "requires": {
+            "@babel/helper-get-function-arity": "^7.8.3",
+            "@babel/template": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-get-function-arity": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.8.3.tgz",
+          "integrity": "sha512-FVDR+Gd9iLjUMY1fzE2SR0IuaJToR4RkCDARVfsBBPSP53GEqSFjD8gNyxg246VUyc/ALRxFaAK8rVG7UT7xRA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-member-expression-to-functions": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.8.3.tgz",
+          "integrity": "sha512-fO4Egq88utkQFjbPrSHGmGLFqmrshs11d46WI+WZDESt7Wu7wN2G2Iu+NMMZJFDOVRHAMIkB5SNh30NtwCA7RA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-optimise-call-expression": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.8.3.tgz",
+          "integrity": "sha512-Kag20n86cbO2AvHca6EJsvqAd82gc6VMGule4HwebwMlwkpXuVqrNRj6CkCV2sKxgi9MyAUnZVnZ6lJ1/vKhHQ==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        },
+        "@babel/helper-replace-supers": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.8.3.tgz",
+          "integrity": "sha512-xOUssL6ho41U81etpLoT2RTdvdus4VfHamCuAm4AHxGr+0it5fnwoVdwUJ7GFEqCsQYzJUhcbsN9wB9apcYKFA==",
+          "requires": {
+            "@babel/helper-member-expression-to-functions": "^7.8.3",
+            "@babel/helper-optimise-call-expression": "^7.8.3",
+            "@babel/traverse": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/helper-split-export-declaration": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.8.3.tgz",
+          "integrity": "sha512-3x3yOeyBhW851hroze7ElzdkeRXQYQbFIb7gLK1WQYsw2GWDay5gAJNw1sWJ0VFP6z5J1whqeXH/WCdCjZv6dA==",
+          "requires": {
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/highlight": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.8.3.tgz",
+          "integrity": "sha512-PX4y5xQUvy0fnEVHrYOarRPXVWafSjTW9T0Hab8gVIawpl2Sj0ORyrygANq+KjcNlSSTw0YCLSNA8OyZ1I4yEg==",
+          "requires": {
+            "chalk": "^2.0.0",
+            "esutils": "^2.0.2",
+            "js-tokens": "^4.0.0"
+          }
+        },
+        "@babel/parser": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.8.3.tgz",
+          "integrity": "sha512-/V72F4Yp/qmHaTALizEm9Gf2eQHV3QyTL3K0cNfijwnMnb1L+LDlAubb/ZnSdGAVzVSWakujHYs1I26x66sMeQ=="
+        },
+        "@babel/template": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.8.3.tgz",
+          "integrity": "sha512-04m87AcQgAFdvuoyiQ2kgELr2tV8B4fP/xJAVUL3Yb3bkNdMedD3d0rlSQr3PegP0cms3eHjl1F7PWlvWbU8FQ==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3"
+          }
+        },
+        "@babel/traverse": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.8.3.tgz",
+          "integrity": "sha512-we+a2lti+eEImHmEXp7bM9cTxGzxPmBiVJlLVD+FuuQMeeO7RaDbutbgeheDkw+Xe3mCfJHnGOWLswT74m2IPg==",
+          "requires": {
+            "@babel/code-frame": "^7.8.3",
+            "@babel/generator": "^7.8.3",
+            "@babel/helper-function-name": "^7.8.3",
+            "@babel/helper-split-export-declaration": "^7.8.3",
+            "@babel/parser": "^7.8.3",
+            "@babel/types": "^7.8.3",
+            "debug": "^4.1.0",
+            "globals": "^11.1.0",
+            "lodash": "^4.17.13"
+          }
+        },
+        "@babel/types": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.8.3.tgz",
+          "integrity": "sha512-jBD+G8+LWpMBBWvVcdr4QysjUE4mU/syrhN17o1u3gx0/WzJB1kwiVZAXRtWbsIPOwW8pF/YJV5+nmetPzepXg==",
+          "requires": {
+            "esutils": "^2.0.2",
+            "lodash": "^4.17.13",
+            "to-fast-properties": "^2.0.0"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "@babel/plugin-transform-unicode-regex": {
+      "version": "7.8.3",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-unicode-regex/-/plugin-transform-unicode-regex-7.8.3.tgz",
+      "integrity": "sha512-+ufgJjYdmWfSQ+6NS9VGUR2ns8cjJjYbrbi11mZBTaWm+Fui/ncTLFF28Ei1okavY+xkojGr1eJxNsWYeA5aZw==",
+      "requires": {
+        "@babel/helper-create-regexp-features-plugin": "^7.8.3",
+        "@babel/helper-plugin-utils": "^7.8.3"
+      },
+      "dependencies": {
+        "@babel/helper-plugin-utils": {
+          "version": "7.8.3",
+          "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.8.3.tgz",
+          "integrity": "sha512-j+fq49Xds2smCUNYmEHF9kGNkhbet6yVIBp4e6oeQpH1RUs/Ir06xUKzDjDkGcaaokPiTNs2JBWHjaE4csUkZQ=="
+        }
+      }
+    },
+    "@babel/preset-env": {
+      "version": "7.7.1",
+      "resolved": "https://registry.npmjs.org/@babel/preset-env/-/preset-env-7.7.1.tgz",
+      "integrity": "sha512-/93SWhi3PxcVTDpSqC+Dp4YxUu3qZ4m7I76k0w73wYfn7bGVuRIO4QUz95aJksbS+AD1/mT1Ie7rbkT0wSplaA==",
+      "requires": {
+        "@babel/helper-module-imports": "^7.7.0",
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-proposal-async-generator-functions": "^7.7.0",
+        "@babel/plugin-proposal-dynamic-import": "^7.7.0",
+        "@babel/plugin-proposal-json-strings": "^7.2.0",
+        "@babel/plugin-proposal-object-rest-spread": "^7.6.2",
+        "@babel/plugin-proposal-optional-catch-binding": "^7.2.0",
+        "@babel/plugin-proposal-unicode-property-regex": "^7.7.0",
+        "@babel/plugin-syntax-async-generators": "^7.2.0",
+        "@babel/plugin-syntax-dynamic-import": "^7.2.0",
+        "@babel/plugin-syntax-json-strings": "^7.2.0",
+        "@babel/plugin-syntax-object-rest-spread": "^7.2.0",
+        "@babel/plugin-syntax-optional-catch-binding": "^7.2.0",
+        "@babel/plugin-syntax-top-level-await": "^7.7.0",
+        "@babel/plugin-transform-arrow-functions": "^7.2.0",
+        "@babel/plugin-transform-async-to-generator": "^7.7.0",
+        "@babel/plugin-transform-block-scoped-functions": "^7.2.0",
+        "@babel/plugin-transform-block-scoping": "^7.6.3",
+        "@babel/plugin-transform-classes": "^7.7.0",
+        "@babel/plugin-transform-computed-properties": "^7.2.0",
+        "@babel/plugin-transform-destructuring": "^7.6.0",
+        "@babel/plugin-transform-dotall-regex": "^7.7.0",
+        "@babel/plugin-transform-duplicate-keys": "^7.5.0",
+        "@babel/plugin-transform-exponentiation-operator": "^7.2.0",
+        "@babel/plugin-transform-for-of": "^7.4.4",
+        "@babel/plugin-transform-function-name": "^7.7.0",
+        "@babel/plugin-transform-literals": "^7.2.0",
+        "@babel/plugin-transform-member-expression-literals": "^7.2.0",
+        "@babel/plugin-transform-modules-amd": "^7.5.0",
+        "@babel/plugin-transform-modules-commonjs": "^7.7.0",
+        "@babel/plugin-transform-modules-systemjs": "^7.7.0",
+        "@babel/plugin-transform-modules-umd": "^7.7.0",
+        "@babel/plugin-transform-named-capturing-groups-regex": "^7.7.0",
+        "@babel/plugin-transform-new-target": "^7.4.4",
+        "@babel/plugin-transform-object-super": "^7.5.5",
+        "@babel/plugin-transform-parameters": "^7.4.4",
+        "@babel/plugin-transform-property-literals": "^7.2.0",
+        "@babel/plugin-transform-regenerator": "^7.7.0",
+        "@babel/plugin-transform-reserved-words": "^7.2.0",
+        "@babel/plugin-transform-shorthand-properties": "^7.2.0",
+        "@babel/plugin-transform-spread": "^7.6.2",
+        "@babel/plugin-transform-sticky-regex": "^7.2.0",
+        "@babel/plugin-transform-template-literals": "^7.4.4",
+        "@babel/plugin-transform-typeof-symbol": "^7.2.0",
+        "@babel/plugin-transform-unicode-regex": "^7.7.0",
+        "@babel/types": "^7.7.1",
+        "browserslist": "^4.6.0",
+        "core-js-compat": "^3.1.1",
+        "invariant": "^2.2.2",
+        "js-levenshtein": "^1.1.3",
+        "semver": "^5.5.0"
+      }
+    },
+    "@babel/preset-modules": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/@babel/preset-modules/-/preset-modules-0.1.1.tgz",
+      "integrity": "sha512-x/kt2aAZlgcFnP3P851fkkb2s4FmTiyGic58pkWMaRK9Am3u9KkH1ttHGjwlsKu7/TVJsLEBXZnjUxqsid3tww==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-proposal-unicode-property-regex": "^7.4.4",
+        "@babel/plugin-transform-dotall-regex": "^7.4.4",
+        "@babel/types": "^7.4.4",
+        "esutils": "^2.0.2"
+      }
+    },
+    "@babel/preset-react": {
+      "version": "7.7.0",
+      "resolved": "https://registry.npmjs.org/@babel/preset-react/-/preset-react-7.7.0.tgz",
+      "integrity": "sha512-IXXgSUYBPHUGhUkH+89TR6faMcBtuMW0h5OHbMuVbL3/5wK2g6a2M2BBpkLa+Kw0sAHiZ9dNVgqJMDP/O4GRBA==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-transform-react-display-name": "^7.0.0",
+        "@babel/plugin-transform-react-jsx": "^7.7.0",
+        "@babel/plugin-transform-react-jsx-self": "^7.0.0",
+        "@babel/plugin-transform-react-jsx-source": "^7.0.0"
+      }
+    },
+    "@babel/preset-typescript": {
+      "version": "7.7.2",
+      "resolved": "https://registry.npmjs.org/@babel/preset-typescript/-/preset-typescript-7.7.2.tgz",
+      "integrity": "sha512-1B4HthAelaLGfNRyrWqJtBEjXX1ulThCrLQ5B2VOtEAznWFIFXFJahgXImqppy66lx/Oh+cOSCQdJzZqh2Jh5g==",
+      "requires": {
+        "@babel/helper-plugin-utils": "^7.0.0",
+        "@babel/plugin-transform-typescript": "^7.7.2"
+      }
+    },
+    "@babel/runtime": {
+      "version": "7.7.7",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.7.7.tgz",
+      "integrity": "sha512-uCnC2JEVAu8AKB5do1WRIsvrdJ0flYx/A/9f/6chdacnEZ7LmavjdsDXr5ksYBegxtuTPR5Va9/+13QF/kFkCA==",
+      "requires": {
+        "regenerator-runtime": "^0.13.2"
+      }
+    },
+    "@babel/runtime-corejs2": {
+      "version": "7.7.2",
+      "resolved": "https://registry.npmjs.org/@babel/runtime-corejs2/-/runtime-corejs2-7.7.2.tgz",
+      "integrity": "sha512-GfVnHchOBvIMsweQ13l4jd9lT4brkevnavnVOej5g2y7PpTRY+R4pcQlCjWMZoUla5rMLFzaS/Ll2s59cB1TqQ==",
+      "requires": {
+        "core-js": "^2.6.5",
+        "regenerator-runtime": "^0.13.2"
+      }
+    },
+    "@babel/runtime-corejs3": {
+      "version": "7.7.7",
+      "resolved": "https://registry.npmjs.org/@babel/runtime-corejs3/-/runtime-corejs3-7.7.7.tgz",
+      "integrity": "sha512-kr3W3Fw8mB/CTru2M5zIRQZZgC/9zOxNSoJ/tVCzjPt3H1/p5uuGbz6WwmaQy/TLQcW31rUhUUWKY28sXFRelA==",
+      "requires": {
+        "core-js-pure": "^3.0.0",
+        "regenerator-runtime": "^0.13.2"
+      }
+    },
+    "@babel/template": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.7.4.tgz",
+      "integrity": "sha512-qUzihgVPguAzXCK7WXw8pqs6cEwi54s3E+HrejlkuWO6ivMKx9hZl3Y2fSXp9i5HgyWmj7RKP+ulaYnKM4yYxw==",
+      "requires": {
+        "@babel/code-frame": "^7.0.0",
+        "@babel/parser": "^7.7.4",
+        "@babel/types": "^7.7.4"
+      }
+    },
+    "@babel/traverse": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.7.4.tgz",
+      "integrity": "sha512-P1L58hQyupn8+ezVA2z5KBm4/Zr4lCC8dwKCMYzsa5jFMDMQAzaBNy9W5VjB+KAmBjb40U7a/H6ao+Xo+9saIw==",
+      "requires": {
+        "@babel/code-frame": "^7.5.5",
+        "@babel/generator": "^7.7.4",
+        "@babel/helper-function-name": "^7.7.4",
+        "@babel/helper-split-export-declaration": "^7.7.4",
+        "@babel/parser": "^7.7.4",
+        "@babel/types": "^7.7.4",
+        "debug": "^4.1.0",
+        "globals": "^11.1.0",
+        "lodash": "^4.17.13"
+      }
+    },
+    "@babel/types": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.7.4.tgz",
+      "integrity": "sha512-cz5Ji23KCi4T+YIE/BolWosrJuSmoZeN1EFnRtBwF+KKLi8GG/Z2c2hOJJeCXPk4mwk4QFvTmwIodJowXgttRA==",
+      "requires": {
+        "esutils": "^2.0.2",
+        "lodash": "^4.17.13",
+        "to-fast-properties": "^2.0.0"
+      }
+    },
+    "@bugsnag/browser": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/@bugsnag/browser/-/browser-6.5.0.tgz",
+      "integrity": "sha512-BBUK4XlCkzRsAwFbdAOBPSa353EqDmGuVvbnXom0xG1D2IySGyNmYdPBproTRNKp+h0XuCkXeBrjsyC9Wph6+g=="
+    },
+    "@bugsnag/js": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/@bugsnag/js/-/js-6.5.0.tgz",
+      "integrity": "sha512-iY0e3BOjDkTV6YssVeAC/TfP27RRdqZoZWJGKBU1mTdfKdNb0aSkR8DsU5UTriwY900ughNVONLQm87ecHyNUQ==",
+      "requires": {
+        "@bugsnag/browser": "^6.5.0",
+        "@bugsnag/node": "^6.5.0"
+      }
+    },
+    "@bugsnag/node": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/@bugsnag/node/-/node-6.5.0.tgz",
+      "integrity": "sha512-qW6+MYeXxcUA1nYzfeO637PzwPhKP89udYrIRXhhTLFIZwMyyFRes9Fok4M6RGN6VKP6H4zpQrzMc6/dU08Jxw==",
+      "requires": {
+        "byline": "^5.0.0",
+        "error-stack-parser": "^2.0.2",
+        "iserror": "^0.0.2",
+        "pump": "^3.0.0",
+        "stack-generator": "^2.0.3"
+      }
+    },
+    "@bugsnag/plugin-react": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/@bugsnag/plugin-react/-/plugin-react-6.5.0.tgz",
+      "integrity": "sha512-kbyFSnQ4QLGjN04t9MbuD5KLWI2qQpjrgKrJvJNKM8xyeVIJYpkjx//TsDzG4ujNFVkwaP3bT48j85rf4EJNqA=="
+    },
+    "@csstools/convert-colors": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/@csstools/convert-colors/-/convert-colors-1.4.0.tgz",
+      "integrity": "sha512-5a6wqoJV/xEdbRNKVo6I4hO3VjyDq//8q2f9I6PBAvMesJHFauXDorcNCsr9RzvsZnaWi5NYCcfyqP1QeFHFbw=="
+    },
+    "@csstools/normalize.css": {
+      "version": "10.1.0",
+      "resolved": "https://registry.npmjs.org/@csstools/normalize.css/-/normalize.css-10.1.0.tgz",
+      "integrity": "sha512-ij4wRiunFfaJxjB0BdrYHIH8FxBJpOwNPhhAcunlmPdXudL1WQV1qoP9un6JsEBAgQH+7UXyyjh0g7jTxXK6tg=="
+    },
+    "@graphql-codegen/core": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@graphql-codegen/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-yKFqTO+OdsJ4MhHgN5D38Nc1EoLgBP0MQJeKYxyvYwKdYrxoyPGVNe15Tmn/HG/WrPyzg0bu9Je6CaNg8O+EQg==",
+      "requires": {
+        "@graphql-codegen/plugin-helpers": "1.10.0",
+        "@graphql-toolkit/common": "0.8.1",
+        "@graphql-toolkit/schema-merging": "0.8.1",
+        "tslib": "1.10.0"
+      }
+    },
+    "@graphql-codegen/fragment-matcher": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@graphql-codegen/fragment-matcher/-/fragment-matcher-1.10.0.tgz",
+      "integrity": "sha512-6jl/Jyd2SC+ttOaDeNqdvDoYvdOdElZdVpbvyV8QrauLQKhhts72kMroymBcNnyi1ETo/TUUCqHHmeWCKEIgWg==",
+      "requires": {
+        "@graphql-codegen/plugin-helpers": "1.10.0"
+      }
+    },
+    "@graphql-codegen/plugin-helpers": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@graphql-codegen/plugin-helpers/-/plugin-helpers-1.10.0.tgz",
+      "integrity": "sha512-+cJjd8x0eqzOEGNn4fsubSG0i4hTzAdAw3fm2/01PJajWWg/z6yImR0FvSqjrKcuWI1tcbEB0+LX3GoxzW1EGg==",
+      "requires": {
+        "@graphql-toolkit/common": "0.8.1",
+        "camel-case": "4.1.1",
+        "common-tags": "1.8.0",
+        "constant-case": "3.0.3",
+        "import-from": "3.0.0",
+        "lower-case": "2.0.1",
+        "pascal-case": "3.1.1",
+        "tslib": "1.10.0",
+        "upper-case": "2.0.1"
+      }
+    },
+    "@graphql-codegen/typescript": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@graphql-codegen/typescript/-/typescript-1.10.0.tgz",
+      "integrity": "sha512-5hWU7+YNpW+xy7nGYh9No4STrZAvuIL9DFVbPqToJupfTLOZlmrOCw3Q60zUesdjOSk56EWk7M+5lfy128pv5A==",
+      "requires": {
+        "@graphql-codegen/plugin-helpers": "1.10.0",
+        "@graphql-codegen/visitor-plugin-common": "1.10.0",
+        "auto-bind": "4.0.0",
+        "tslib": "1.10.0"
+      }
+    },
+    "@graphql-codegen/visitor-plugin-common": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@graphql-codegen/visitor-plugin-common/-/visitor-plugin-common-1.10.0.tgz",
+      "integrity": "sha512-V+ChfifppuiBax9Mt2weC/ba6GLSZPdCVaoL3Q3g72mzsbkZm+l5CIcjQy84X98z8jIaeHEaQironfhIrYC09A==",
+      "requires": {
+        "@graphql-codegen/plugin-helpers": "1.10.0",
+        "auto-bind": "4.0.0",
+        "dependency-graph": "0.8.1",
+        "graphql-tag": "2.10.1",
+        "relay-compiler": "8.0.0",
+        "tslib": "1.10.0"
+      }
+    },
+    "@graphql-toolkit/code-file-loader": {
+      "version": "0.7.5",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/code-file-loader/-/code-file-loader-0.7.5.tgz",
+      "integrity": "sha512-nJVkmcvYRfcx+wxJR7hyjmko4gEZSJOhp0UEPny3LOf4PIDUvDvtsKmz1P4J2RIRph9wieEG0jgkLoEvqE7vCA==",
+      "requires": {
+        "@graphql-toolkit/common": "0.7.5",
+        "@graphql-toolkit/graphql-tag-pluck": "0.7.5",
+        "tslib": "1.10.0"
+      },
+      "dependencies": {
+        "@graphql-toolkit/common": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/common/-/common-0.7.5.tgz",
+          "integrity": "sha512-pu7tKY6KW7+4noJQPCbIxKzv54tSl/FME9wU0rNSwcr4O3By+pv7VCYXxkhCSnftJcXsXAuAcdjcV2CBsjnZNg==",
+          "requires": {
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "aggregate-error": "3.0.1",
+            "is-glob": "4.0.1",
+            "lodash": "4.17.15"
+          }
+        }
+      }
+    },
+    "@graphql-toolkit/common": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/common/-/common-0.8.1.tgz",
+      "integrity": "sha512-07ZMQnvsBkzR0XBHghPq9RUkpPSs6vifocV6vyhyW423QtjpJASNn1bTj5yxJy05p71hHr/iWtYHS1ClLuigvQ==",
+      "requires": {
+        "@kamilkisiela/graphql-tools": "4.0.6",
+        "aggregate-error": "3.0.1",
+        "lodash": "4.17.15"
+      }
+    },
+    "@graphql-toolkit/core": {
+      "version": "0.7.5",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/core/-/core-0.7.5.tgz",
+      "integrity": "sha512-KKiWCZuFeuVHs3lvmVhx1savsov9J1PHXKebMl2DsK1+Yg/IuA7KjS2vWXQzRwBl6u/JeLDDK628hsfj8V2zKg==",
+      "requires": {
+        "@graphql-toolkit/common": "0.7.5",
+        "@graphql-toolkit/schema-merging": "0.7.5",
+        "aggregate-error": "3.0.1",
+        "globby": "10.0.1",
+        "graphql-import": "0.7.1",
+        "is-glob": "4.0.1",
+        "tslib": "^1.9.3",
+        "valid-url": "1.0.9"
+      },
+      "dependencies": {
+        "@graphql-toolkit/common": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/common/-/common-0.7.5.tgz",
+          "integrity": "sha512-pu7tKY6KW7+4noJQPCbIxKzv54tSl/FME9wU0rNSwcr4O3By+pv7VCYXxkhCSnftJcXsXAuAcdjcV2CBsjnZNg==",
+          "requires": {
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "aggregate-error": "3.0.1",
+            "is-glob": "4.0.1",
+            "lodash": "4.17.15"
+          }
+        },
+        "@graphql-toolkit/schema-merging": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/schema-merging/-/schema-merging-0.7.5.tgz",
+          "integrity": "sha512-6HJb0bFqkJn45MMWLpt1K0kPJlbyGUaXFuBMY+yQ6fr70U01VjWc/RpXm9JO9FzlpzmtaMGd2HcsWC+7mAddtg==",
+          "requires": {
+            "@graphql-toolkit/common": "0.7.5",
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "deepmerge": "4.2.2",
+            "tslib": "1.10.0"
+          }
+        }
+      }
+    },
+    "@graphql-toolkit/file-loading": {
+      "version": "0.7.5",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/file-loading/-/file-loading-0.7.5.tgz",
+      "integrity": "sha512-T0iVpepkn/P7tS9EgVlHrKuX1RgMZGU9/PjGQyiFDgJzvctSYly8RsWe+bN4temPxoB/KHSWuNuNMpKHm+dQsw==",
+      "requires": {
+        "@graphql-toolkit/common": "0.7.5",
+        "@kamilkisiela/graphql-tools": "4.0.6",
+        "globby": "10.0.1"
+      },
+      "dependencies": {
+        "@graphql-toolkit/common": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/common/-/common-0.7.5.tgz",
+          "integrity": "sha512-pu7tKY6KW7+4noJQPCbIxKzv54tSl/FME9wU0rNSwcr4O3By+pv7VCYXxkhCSnftJcXsXAuAcdjcV2CBsjnZNg==",
+          "requires": {
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "aggregate-error": "3.0.1",
+            "is-glob": "4.0.1",
+            "lodash": "4.17.15"
+          }
+        }
+      }
+    },
+    "@graphql-toolkit/graphql-file-loader": {
+      "version": "0.7.5",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/graphql-file-loader/-/graphql-file-loader-0.7.5.tgz",
+      "integrity": "sha512-KGvUyPfxwenRBgMvHP5WGQ3JHgAp0UCRdwQkXJtIEh9GmZJ6WVNOw2ZUMAeVTSeE/5LdQURYlFwgtWlFU++g5A==",
+      "requires": {
+        "@graphql-toolkit/common": "0.7.5",
+        "graphql-import": "0.7.1",
+        "tslib": "1.10.0"
+      },
+      "dependencies": {
+        "@graphql-toolkit/common": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/common/-/common-0.7.5.tgz",
+          "integrity": "sha512-pu7tKY6KW7+4noJQPCbIxKzv54tSl/FME9wU0rNSwcr4O3By+pv7VCYXxkhCSnftJcXsXAuAcdjcV2CBsjnZNg==",
+          "requires": {
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "aggregate-error": "3.0.1",
+            "is-glob": "4.0.1",
+            "lodash": "4.17.15"
+          }
+        }
+      }
+    },
+    "@graphql-toolkit/graphql-tag-pluck": {
+      "version": "0.7.5",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/graphql-tag-pluck/-/graphql-tag-pluck-0.7.5.tgz",
+      "integrity": "sha512-dvbdwTivzWP66wtqSSJnr6Wesgk6zSo1M8XQGuMtsHmgbhXWwrlGYvz7CEUn0cIFKpi5cpyduKZG8Xy3UX6sIQ==",
+      "requires": {
+        "@babel/parser": "7.7.7",
+        "@babel/traverse": "7.7.4",
+        "@babel/types": "7.7.4",
+        "vue-template-compiler": "^2.6.10"
+      },
+      "dependencies": {
+        "@babel/parser": {
+          "version": "7.7.7",
+          "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.7.7.tgz",
+          "integrity": "sha512-WtTZMZAZLbeymhkd/sEaPD8IQyGAhmuTuvTzLiCFM7iXiVdY0gc0IaI+cW0fh1BnSMbJSzXX6/fHllgHKwHhXw=="
+        }
+      }
+    },
+    "@graphql-toolkit/json-file-loader": {
+      "version": "0.7.5",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/json-file-loader/-/json-file-loader-0.7.5.tgz",
+      "integrity": "sha512-JRoqNV4FBsV0t2qo3nb++wfWgQzfToEERrnJc11EWCXgMkn0jMfWFHYru+gqCvSvzcoa3fymD3ceDUxZ4ERlgw==",
+      "requires": {
+        "@graphql-toolkit/common": "0.7.5",
+        "tslib": "1.10.0"
+      },
+      "dependencies": {
+        "@graphql-toolkit/common": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/common/-/common-0.7.5.tgz",
+          "integrity": "sha512-pu7tKY6KW7+4noJQPCbIxKzv54tSl/FME9wU0rNSwcr4O3By+pv7VCYXxkhCSnftJcXsXAuAcdjcV2CBsjnZNg==",
+          "requires": {
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "aggregate-error": "3.0.1",
+            "is-glob": "4.0.1",
+            "lodash": "4.17.15"
+          }
+        }
+      }
+    },
+    "@graphql-toolkit/schema-merging": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/schema-merging/-/schema-merging-0.8.1.tgz",
+      "integrity": "sha512-t7MALXHgru2YkCALsGe2HeTQCkm7sKg9sLO1GveJ41k3up9iW968nCENRyq+TmgIn7+OKAzfaHMUnB6hG+a+wQ==",
+      "requires": {
+        "@graphql-toolkit/common": "0.8.1",
+        "@kamilkisiela/graphql-tools": "4.0.6",
+        "deepmerge": "4.2.2",
+        "tslib": "1.10.0"
+      }
+    },
+    "@graphql-toolkit/url-loader": {
+      "version": "0.7.5",
+      "resolved": "https://registry.npmjs.org/@graphql-toolkit/url-loader/-/url-loader-0.7.5.tgz",
+      "integrity": "sha512-Fc+BsTPhnQXe8CGI2hyUnhTu7EKsZ2q6GuKadUe1Ft3FSb4Rm8dJd0JdFgPWw6M5f1CNxaT5dR06P3yNyeO9MA==",
+      "requires": {
+        "@graphql-toolkit/common": "0.7.5",
+        "cross-fetch": "3.0.4",
+        "tslib": "1.10.0",
+        "valid-url": "1.0.9"
+      },
+      "dependencies": {
+        "@graphql-toolkit/common": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/common/-/common-0.7.5.tgz",
+          "integrity": "sha512-pu7tKY6KW7+4noJQPCbIxKzv54tSl/FME9wU0rNSwcr4O3By+pv7VCYXxkhCSnftJcXsXAuAcdjcV2CBsjnZNg==",
+          "requires": {
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "aggregate-error": "3.0.1",
+            "is-glob": "4.0.1",
+            "lodash": "4.17.15"
+          }
+        },
+        "cross-fetch": {
+          "version": "3.0.4",
+          "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-3.0.4.tgz",
+          "integrity": "sha512-MSHgpjQqgbT/94D4CyADeNoYh52zMkCX4pcJvPP5WqPsLFMKjr2TCMg381ox5qI0ii2dPwaLx/00477knXqXVw==",
+          "requires": {
+            "node-fetch": "2.6.0",
+            "whatwg-fetch": "3.0.0"
+          }
+        }
+      }
+    },
+    "@hapi/address": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/@hapi/address/-/address-2.1.4.tgz",
+      "integrity": "sha512-QD1PhQk+s31P1ixsX0H0Suoupp3VMXzIVMSwobR3F3MSUO2YCV0B7xqLcUw/Bh8yuvd3LhpyqLQWTNcRmp6IdQ=="
+    },
+    "@hapi/bourne": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/@hapi/bourne/-/bourne-1.3.2.tgz",
+      "integrity": "sha512-1dVNHT76Uu5N3eJNTYcvxee+jzX4Z9lfciqRRHCU27ihbUcYi+iSc2iml5Ke1LXe1SyJCLA0+14Jh4tXJgOppA=="
+    },
+    "@hapi/hoek": {
+      "version": "8.5.0",
+      "resolved": "https://registry.npmjs.org/@hapi/hoek/-/hoek-8.5.0.tgz",
+      "integrity": "sha512-7XYT10CZfPsH7j9F1Jmg1+d0ezOux2oM2GfArAzLwWe4mE2Dr3hVjsAL6+TFY49RRJlCdJDMw3nJsLFroTc8Kw=="
+    },
+    "@hapi/joi": {
+      "version": "15.1.1",
+      "resolved": "https://registry.npmjs.org/@hapi/joi/-/joi-15.1.1.tgz",
+      "integrity": "sha512-entf8ZMOK8sc+8YfeOlM8pCfg3b5+WZIKBfUaaJT8UsjAAPjartzxIYm3TIbjvA4u+u++KbcXD38k682nVHDAQ==",
+      "requires": {
+        "@hapi/address": "2.x.x",
+        "@hapi/bourne": "1.x.x",
+        "@hapi/hoek": "8.x.x",
+        "@hapi/topo": "3.x.x"
+      }
+    },
+    "@hapi/topo": {
+      "version": "3.1.6",
+      "resolved": "https://registry.npmjs.org/@hapi/topo/-/topo-3.1.6.tgz",
+      "integrity": "sha512-tAag0jEcjwH+P2quUfipd7liWCNX2F8NvYjQp2wtInsZxnMlypdw0FtAOLxtvvkO+GSRRbmNi8m/5y42PQJYCQ==",
+      "requires": {
+        "@hapi/hoek": "^8.3.0"
+      }
+    },
+    "@hashicorp/js-utils": {
+      "version": "1.0.8-alpha.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/js-utils/-/js-utils-1.0.8-alpha.0.tgz",
+      "integrity": "sha512-Sa51DV8GPlvmrcRP9t7HlOysqEZeZ4xrCC2Jga7olONKaDfw+Jip1+ihJFeBszMaa9nvu2uB0Kxpxn0W9w9s2w=="
+    },
+    "@hashicorp/localstorage-polyfill": {
+      "version": "1.0.12",
+      "resolved": "https://registry.npmjs.org/@hashicorp/localstorage-polyfill/-/localstorage-polyfill-1.0.12.tgz",
+      "integrity": "sha512-wUWfaiEUo+2qcBjzYKwGpjqFsMCcD+Z4egF/2DHL13kvNZgbFMRBgSww0/bmOVq7ovhp3BnMRiHKZvcugRr1OQ=="
+    },
+    "@hashicorp/nextjs-scripts": {
+      "version": "6.0.0-1",
+      "resolved": "https://registry.npmjs.org/@hashicorp/nextjs-scripts/-/nextjs-scripts-6.0.0-1.tgz",
+      "integrity": "sha512-tR5o3wDkY2LBDjd8Nuj49F2TNDvJ0luEeGHeDLmV3Oa9/FHxACdg5u61JG6GKg18AeAzrBA9n+J6Mb/LuPCS0g==",
+      "requires": {
+        "@graphql-codegen/core": "^1.8.3",
+        "@graphql-codegen/fragment-matcher": "^1.8.3",
+        "@graphql-codegen/typescript": "^1.8.3",
+        "@hashicorp/remark-plugins": "^1.0.0",
+        "@next/bundle-analyzer": "^9.1.3",
+        "@typescript-eslint/eslint-plugin": "^2.7.0",
+        "@typescript-eslint/parser": "^2.7.0",
+        "@zeit/next-css": "^1.0.1",
+        "apollo-cache-inmemory": "^1.6.3",
+        "apollo-client": "^2.6.4",
+        "apollo-link": "^1.2.13",
+        "apollo-link-error": "^1.1.12",
+        "apollo-link-http": "^1.5.16",
+        "babel-eslint": "^10.0.3",
+        "chalk": "^3.0.0",
+        "debug": "^4.1.1",
+        "ejs": "^2.7.1",
+        "eslint": "^6.6.0",
+        "eslint-config-prettier": "^6.5.0",
+        "eslint-plugin-jsx-a11y": "^6.2.3",
+        "eslint-plugin-react": "^7.16.0",
+        "fs-extra": "^8.1.0",
+        "glob": "^7.1.6",
+        "graphql": "^14.5.8",
+        "graphql-request": "^1.8.2",
+        "graphql-tag-pluck": "^0.8.7",
+        "graphql-toolkit": "^0.7.1",
+        "husky": "^3.0.9",
+        "inquirer": "^7.0.0",
+        "lint-staged": "^9.4.2",
+        "next-mdx-enhanced": "^2.2.1",
+        "next-optimized-images": "^2.5.4",
+        "next-plugin-graphql": "0.0.2",
+        "next-routes": "^1.4.2",
+        "next-transpile-modules": "^2.3.1",
+        "node-fetch": "^2.6.0",
+        "open": "^7.0.0",
+        "postcss-flexbugs-fixes": "^4.1.0",
+        "postcss-normalize": "^8.0.1",
+        "postcss-preset-env": "^6.7.0",
+        "prettier": "^1.19.1",
+        "pretty-quick": "^2.0.1",
+        "react": "^16.11.0",
+        "react-apollo": "^3.1.2",
+        "react-dom": "^16.11.0",
+        "readdirp": "^3.2.0",
+        "rehype-highlight": "^3.1.0",
+        "signale": "^1.4.0",
+        "stringify-object": "^3.3.0",
+        "typescript": "^3.7.2",
+        "typewriter": "^7.0.0"
+      },
+      "dependencies": {
+        "cross-spawn": {
+          "version": "6.0.5",
+          "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz",
+          "integrity": "sha512-eTVLrBSt7fjbDygz805pMnstIs2VTBNkRm0qxZd+M7A5XDdxVRWO5MxGBXZhjY4cqLYLdtrGqRf8mBPmzwSpWQ==",
+          "requires": {
+            "nice-try": "^1.0.4",
+            "path-key": "^2.0.1",
+            "semver": "^5.5.0",
+            "shebang-command": "^1.2.0",
+            "which": "^1.2.9"
+          }
+        },
+        "execa": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/execa/-/execa-1.0.0.tgz",
+          "integrity": "sha512-adbxcyWV46qiHyvSp50TKt05tB4tK3HcmF7/nxfAdhnox83seTDbwnaqKO4sXRy7roHAIFqJP/Rw/AuEbX61LA==",
+          "requires": {
+            "cross-spawn": "^6.0.0",
+            "get-stream": "^4.0.0",
+            "is-stream": "^1.1.0",
+            "npm-run-path": "^2.0.0",
+            "p-finally": "^1.0.0",
+            "signal-exit": "^3.0.0",
+            "strip-eof": "^1.0.0"
+          }
+        },
+        "get-stdin": {
+          "version": "7.0.0",
+          "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-7.0.0.tgz",
+          "integrity": "sha512-zRKcywvrXlXsA0v0i9Io4KDRaAw7+a1ZpjRwl9Wox8PFlVCCHra7E9c4kqXCoCM9nR5tBkaTTZRBoCm60bFqTQ=="
+        },
+        "get-stream": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-4.1.0.tgz",
+          "integrity": "sha512-GMat4EJ5161kIy2HevLlr4luNjBgvmj413KaQA7jt4V8B4RDsfpHk7WQ9GVqfYyyx8OS/L66Kox+rJRNklLK7w==",
+          "requires": {
+            "pump": "^3.0.0"
+          }
+        },
+        "husky": {
+          "version": "3.1.0",
+          "resolved": "https://registry.npmjs.org/husky/-/husky-3.1.0.tgz",
+          "integrity": "sha512-FJkPoHHB+6s4a+jwPqBudBDvYZsoQW5/HBuMSehC8qDiCe50kpcxeqFoDSlow+9I6wg47YxBoT3WxaURlrDIIQ==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "ci-info": "^2.0.0",
+            "cosmiconfig": "^5.2.1",
+            "execa": "^1.0.0",
+            "get-stdin": "^7.0.0",
+            "opencollective-postinstall": "^2.0.2",
+            "pkg-dir": "^4.2.0",
+            "please-upgrade-node": "^3.2.0",
+            "read-pkg": "^5.2.0",
+            "run-node": "^1.0.0",
+            "slash": "^3.0.0"
+          },
+          "dependencies": {
+            "chalk": {
+              "version": "2.4.2",
+              "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+              "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+              "requires": {
+                "ansi-styles": "^3.2.1",
+                "escape-string-regexp": "^1.0.5",
+                "supports-color": "^5.3.0"
+              }
+            }
+          }
+        },
+        "parse-json": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-5.0.0.tgz",
+          "integrity": "sha512-OOY5b7PAEFV0E2Fir1KOkxchnZNCdowAJgQ5NuxjpBKTRP3pQhwkrkxqQjeoKJ+fO7bCpmIZaogI4eZGDMEGOw==",
+          "requires": {
+            "@babel/code-frame": "^7.0.0",
+            "error-ex": "^1.3.1",
+            "json-parse-better-errors": "^1.0.1",
+            "lines-and-columns": "^1.1.6"
+          }
+        },
+        "read-pkg": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-5.2.0.tgz",
+          "integrity": "sha512-Ug69mNOpfvKDAc2Q8DRpMjjzdtrnv9HcSMX+4VsZxD1aZ6ZzrIE7rlzXBtWTyhULSMKg076AW6WR5iZpD0JiOg==",
+          "requires": {
+            "@types/normalize-package-data": "^2.4.0",
+            "normalize-package-data": "^2.5.0",
+            "parse-json": "^5.0.0",
+            "type-fest": "^0.6.0"
+          }
+        },
+        "type-fest": {
+          "version": "0.6.0",
+          "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.6.0.tgz",
+          "integrity": "sha512-q+MB8nYR1KDLrgr4G5yemftpMC7/QLqVndBmEEdqzmNj5dcFOO4Oo8qlwZE3ULT3+Zim1F8Kq4cBnikNhlCMlg=="
+        }
+      }
+    },
+    "@hashicorp/react-alert": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-alert/-/react-alert-2.0.0.tgz",
+      "integrity": "sha512-9CvkSJ2Onvy+1sXg0n0E3V4X0tl4u9wmp10ISQ4Wh55tstVeBBj/WhqBg8+MZlm9Ib9K903J2A3aDSWBo6k44w=="
+    },
+    "@hashicorp/react-button": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-button/-/react-button-2.1.3.tgz",
+      "integrity": "sha512-4R9JhdHV/TIwq1wh8Pqj43TiyEoB+7b1GLlrszK2Y4cxV1jvCZV10LmQRu7eu5yih9zj7c0OF52yOKVJi5YXYA==",
+      "requires": {
+        "@hashicorp/react-global-styles": "^4.0.8",
+        "@hashicorp/react-inline-svg": "^1.0.0"
+      }
+    },
+    "@hashicorp/react-case-study-slider": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-case-study-slider/-/react-case-study-slider-2.0.4.tgz",
+      "integrity": "sha512-G5DGZsoTb2NtsHl6SPGLofyCPfjWGB8JjFsk4pO62OTgNZpLHPaGqWc0Ve9fcM/eo2k0BOt56oPdPB62vxdkhQ==",
+      "requires": {
+        "@hashicorp/react-button": "^2.1.2",
+        "@hashicorp/react-image": "^2.0.1",
+        "marked": "^0.7.0"
+      },
+      "dependencies": {
+        "@hashicorp/react-button": {
+          "version": "2.1.2",
+          "resolved": "https://registry.npmjs.org/@hashicorp/react-button/-/react-button-2.1.2.tgz",
+          "integrity": "sha512-kLLr8FAbrIavSa4z4OyCFxgVx44quLa/d5c5eHif3lxerRUYRIbK4XhCkHTaqQ2y+S14cajjqIK+32+H/hyKdQ==",
+          "requires": {
+            "@hashicorp/react-global-styles": "^4.0.7",
+            "@hashicorp/react-inline-svg": "^1.0.0"
+          }
+        }
+      }
+    },
+    "@hashicorp/react-checkbox-input": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-checkbox-input/-/react-checkbox-input-2.0.0.tgz",
+      "integrity": "sha512-DlJVJjV2jcS+2aG80qpeL1B9InvLQvxSMvjX9T8VVnZNnTu+CCQQuND5pW6aNQCRRvypPYXAe+FAsnOjKJDepA==",
+      "requires": {
+        "uuid": "^3.3.2"
+      }
+    },
+    "@hashicorp/react-code-block": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-code-block/-/react-code-block-1.2.3.tgz",
+      "integrity": "sha512-xATSLzPb31S2WhheMy+FPe45BsTC7837zL1QKr7hfBnzIogR9a4sv+qDb4+gwwxtgHG0FrTAnWhLLiBaFvnDGA==",
+      "requires": {
+        "@tippy.js/react": "^2.1.2",
+        "highlight.js": "^9.15.6"
+      }
+    },
+    "@hashicorp/react-consent-manager": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-consent-manager/-/react-consent-manager-2.0.3.tgz",
+      "integrity": "sha512-pxww6l7EJ8ZcwjZuNkqxA/JxpZrmnH+pidz1yJj9ChLWmNMrE4nAD08Rw5Sc22NcL/h0RQwRMLPhaCKrsmbeSg==",
+      "requires": {
+        "@hashicorp/react-button": "^2.1.2",
+        "@hashicorp/react-toggle": "^1.0.1",
+        "@segment/in-eu": "^0.2.1",
+        "js-cookie": "^2.2.0",
+        "object-assign": "^4.1.1",
+        "unfetch": "^4.1.0"
+      },
+      "dependencies": {
+        "@hashicorp/react-button": {
+          "version": "2.1.2",
+          "resolved": "https://registry.npmjs.org/@hashicorp/react-button/-/react-button-2.1.2.tgz",
+          "integrity": "sha512-kLLr8FAbrIavSa4z4OyCFxgVx44quLa/d5c5eHif3lxerRUYRIbK4XhCkHTaqQ2y+S14cajjqIK+32+H/hyKdQ==",
+          "requires": {
+            "@hashicorp/react-global-styles": "^4.0.7",
+            "@hashicorp/react-inline-svg": "^1.0.0"
+          }
+        }
+      }
+    },
+    "@hashicorp/react-content": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-content/-/react-content-2.1.1.tgz",
+      "integrity": "sha512-HwqOB7lw3VVIBTIoWURE0m4Jf7DnISVL0y3MVclTlRBHCSvNVUIsdYObWDGjnKoT7cIC9uj8DZmN02s2ySfNCw=="
+    },
+    "@hashicorp/react-docs-sidenav": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-docs-sidenav/-/react-docs-sidenav-2.2.2.tgz",
+      "integrity": "sha512-AIG2R10LnzNMesbxmJkR0G2DoMP2i2zfAeJGe0LgZwy8IT+aK5Vsus1BePfVtDj0aGVY0XLSh3ZhBqkLCZ9mzw==",
+      "requires": {
+        "@hashicorp/react-link-wrap": "^0.0.3",
+        "fuzzysearch": "^1.0.3"
+      }
+    },
+    "@hashicorp/react-docs-sitemap": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-docs-sitemap/-/react-docs-sitemap-1.0.0.tgz",
+      "integrity": "sha512-hMmGfwNUBJjZE/hW6+dfCDwwfqqye+BIIcQgpoiHTrv6y9bPprPAQ6k5NRhBGtpkP1My4C5MQVQKBwHt+jIa/Q=="
+    },
+    "@hashicorp/react-footer": {
+      "version": "3.1.6",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-footer/-/react-footer-3.1.6.tgz",
+      "integrity": "sha512-S6X7jXwHQJLsucBID7cV+f4wyRCmoE1FxzAQNgbWv0JWoafNruRGarEnAfKO2vTnjVBifhrQwtFjfivzhBpRaw==",
+      "requires": {
+        "@hashicorp/react-newsletter-signup-form": "^2.0.3"
+      }
+    },
+    "@hashicorp/react-global-styles": {
+      "version": "4.0.8",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-global-styles/-/react-global-styles-4.0.8.tgz",
+      "integrity": "sha512-Qwi1pbt8DcKx2dYgPJj6cblPXfm8M9/A3SdyvaUiutAacntaXJKPOJOjs93xrcumE4/VeA4HyQzby95ssWdf8Q=="
+    },
+    "@hashicorp/react-hero": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-hero/-/react-hero-3.0.0.tgz",
+      "integrity": "sha512-FyWBYEw/Wd6pm+0q1qBwo+AaYTxMzHINXulIBgGFKGqiFUqt/hrek6G7DlRjEf/nkI0mS+P76nMmHusfnkvdtg==",
+      "requires": {
+        "@hashicorp/js-utils": "^1.0.8-alpha.0",
+        "@hashicorp/localstorage-polyfill": "^1.0.12",
+        "@hashicorp/react-alert": "^2.0.0",
+        "@hashicorp/react-button": "^2.1.2",
+        "@hashicorp/react-image": "^2.0.1",
+        "@hashicorp/react-text-input": "^2.0.0",
+        "formik": "^1.5.8",
+        "marked": "^0.7.0",
+        "promise-polyfill": "^8.1.0",
+        "query-string": "^5.1.1"
+      }
+    },
+    "@hashicorp/react-image": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-image/-/react-image-2.0.1.tgz",
+      "integrity": "sha512-c9M6XzcjUBx/qLyAXaKAB5ZcXVv28OEzFg/a/SGIqGhqQtGPYHg5rmNRFdx8LyXv+Ojei+5zRx3uPMYO2NtZ7g==",
+      "requires": {
+        "object-assign": "^4.1.1",
+        "query-string": "5.1.1"
+      }
+    },
+    "@hashicorp/react-inline-svg": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-inline-svg/-/react-inline-svg-1.0.0.tgz",
+      "integrity": "sha512-xzo9ubozATeW+irl93rkmtQulNNctgYzxUXxFn1Lcy9Y8L7bkLz7CROotv7TiUohkTCHPMzP4aBC8JPfTS1crw=="
+    },
+    "@hashicorp/react-link-wrap": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-link-wrap/-/react-link-wrap-0.0.3.tgz",
+      "integrity": "sha512-BLH7SLMJZee8md+YU7seiOh0zpa7y8sEhEATYpK2ieFanXAQEgU58lNSC/V3ZdkSXrfyplftYuOj0E3APtE1pg==",
+      "requires": {
+        "is-absolute-url": "^3.0.3"
+      }
+    },
+    "@hashicorp/react-logo-grid": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-logo-grid/-/react-logo-grid-2.0.5.tgz",
+      "integrity": "sha512-A16ok2VmV3djuqirW8rvsjwFtxXrvMopv8zr14/l0qOhU+HMFf7v2eyp7i5vTX11F/3gdwR/QGrTYi0IcaoiEA==",
+      "requires": {
+        "@hashicorp/react-button": "^2.1.2",
+        "@hashicorp/react-image": "^2.0.1",
+        "@tippy.js/react": "^2.1.2"
+      },
+      "dependencies": {
+        "@hashicorp/react-button": {
+          "version": "2.1.2",
+          "resolved": "https://registry.npmjs.org/@hashicorp/react-button/-/react-button-2.1.2.tgz",
+          "integrity": "sha512-kLLr8FAbrIavSa4z4OyCFxgVx44quLa/d5c5eHif3lxerRUYRIbK4XhCkHTaqQ2y+S14cajjqIK+32+H/hyKdQ==",
+          "requires": {
+            "@hashicorp/react-global-styles": "^4.0.7",
+            "@hashicorp/react-inline-svg": "^1.0.0"
+          }
+        }
+      }
+    },
+    "@hashicorp/react-mega-nav": {
+      "version": "4.0.0-0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-mega-nav/-/react-mega-nav-4.0.0-0.tgz",
+      "integrity": "sha512-nCJPFhUVXCvDx83pSxnPyT+Rx3ZGa8L0hi3K0fdtoaEDLxnIVQprqI26llG1MEMCw1LPcmphz6b3BdB7m1NtwA==",
+      "requires": {
+        "@hashicorp/react-inline-svg": "^1.0.0"
+      }
+    },
+    "@hashicorp/react-newsletter-signup-form": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-newsletter-signup-form/-/react-newsletter-signup-form-2.0.3.tgz",
+      "integrity": "sha512-Rs/cjIfk01l/+iRNdZTKIrzMX+Fyem6WNfhmiBebdb/xNPgyNZi3zSz6dCHvM26zoqFzWGJHXXVP3cgUgFkFfA==",
+      "requires": {
+        "@hashicorp/localstorage-polyfill": "^1.0.12",
+        "@hashicorp/react-button": "^2.1.2",
+        "@hashicorp/react-checkbox-input": "^2.0.0",
+        "@hashicorp/react-text-input": "^2.0.0",
+        "formik": "^1.5.8",
+        "js-cookie": "^2.2.0",
+        "promise-polyfill": "^8.1.0",
+        "query-string": "^5.1.1",
+        "unfetch": "^4.1.0"
+      }
+    },
+    "@hashicorp/react-product-downloader": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-product-downloader/-/react-product-downloader-2.0.1.tgz",
+      "integrity": "sha512-4CjPkbu8W1NkXjQpy6TLOFzfS/rlIXS/MsU6r4cmEpiBlBFIl+JOI0b3eXSqZCBNcAZphDQ1Qb3FPLkshzq/pg=="
+    },
+    "@hashicorp/react-section-header": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-section-header/-/react-section-header-2.0.0.tgz",
+      "integrity": "sha512-8fK09b5RHw0wWxE5yjuyyH9XzxyAnx0tI4Fw1OCIMoazgk6YsFdUKQyk7V76fgJ/JAWhaxo1h43h0aS1UbNj8w==",
+      "requires": {
+        "@hashicorp/js-utils": "^1.0.9-alpha.0",
+        "marked": "^0.7.0"
+      },
+      "dependencies": {
+        "@hashicorp/js-utils": {
+          "version": "1.0.9-alpha.0",
+          "resolved": "https://registry.npmjs.org/@hashicorp/js-utils/-/js-utils-1.0.9-alpha.0.tgz",
+          "integrity": "sha512-/Mgw6ufzjsysw5U0v7c0tCXMQeE4BSbGeasDaTuh1r6jQ+2Cokl1XhPqKqXn4+xkcx3CIVdyoUYOSLmgzutn3Q=="
+        }
+      }
+    },
+    "@hashicorp/react-text-and-content": {
+      "version": "3.0.9",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-text-and-content/-/react-text-and-content-3.0.9.tgz",
+      "integrity": "sha512-Nl5Pkwzxwse0D8FkVUTWUA5ZGvYn5UhRfcxbS25mwFxQ0pXK0Hr/JJoDw31SSAl9nWX3nrzCUsOHvJVEm+y1Xg==",
+      "requires": {
+        "@hashicorp/react-button": "^2.1.2",
+        "@hashicorp/react-code-block": "^1.2.3",
+        "@hashicorp/react-image": "^2.0.1",
+        "@hashicorp/react-logo-grid": "^2.0.5",
+        "marked": "^0.7.0"
+      },
+      "dependencies": {
+        "@hashicorp/react-button": {
+          "version": "2.1.2",
+          "resolved": "https://registry.npmjs.org/@hashicorp/react-button/-/react-button-2.1.2.tgz",
+          "integrity": "sha512-kLLr8FAbrIavSa4z4OyCFxgVx44quLa/d5c5eHif3lxerRUYRIbK4XhCkHTaqQ2y+S14cajjqIK+32+H/hyKdQ==",
+          "requires": {
+            "@hashicorp/react-global-styles": "^4.0.7",
+            "@hashicorp/react-inline-svg": "^1.0.0"
+          }
+        }
+      }
+    },
+    "@hashicorp/react-text-input": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-text-input/-/react-text-input-2.0.0.tgz",
+      "integrity": "sha512-tB2zgFglrWjuHmqZkYcFy/gMhbdribwI7rsTZ6JbQSei0EoM1rTSJ4G1Ru5RSh72DeqSJoYKeFkiqtFVz/Vhcg==",
+      "requires": {
+        "uuid": "^3.3.2"
+      }
+    },
+    "@hashicorp/react-toggle": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-toggle/-/react-toggle-1.0.1.tgz",
+      "integrity": "sha512-KW7HBPKHdzk+R34pAFuqkcdKRCe04Qvv6xJw8FCeieuq/mBMd4dI+ZNSEbm68+STUKoiq5OAp2dWzAF/iwmKqg=="
+    },
+    "@hashicorp/react-use-cases": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-use-cases/-/react-use-cases-1.0.3.tgz",
+      "integrity": "sha512-x969ggH+8DRxs/YrR+UzsVhnvPKpXwovfnfyVv8Pbr5wSu5h3sUhRJgjHEuYOd/xoolR57QsUu4V95lYk848LA==",
+      "requires": {
+        "@hashicorp/react-image": "^2.0.1",
+        "marked": "^0.7.0"
+      }
+    },
+    "@hashicorp/react-vertical-text-block-list": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@hashicorp/react-vertical-text-block-list/-/react-vertical-text-block-list-2.0.1.tgz",
+      "integrity": "sha512-QWpqIRoLE2alpna1i6uQiak6KbAtsyR4pxi+tryZ6Rg7tv+9SIaynG+XAn4fdQxrM8XOQxL6bRShJ7bucKBg1w==",
+      "requires": {
+        "@hashicorp/react-image": "^2.0.1",
+        "@hashicorp/react-link-wrap": "^0.0.3",
+        "marked": "^0.7.0"
+      }
+    },
+    "@hashicorp/remark-plugins": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@hashicorp/remark-plugins/-/remark-plugins-1.0.0.tgz",
+      "integrity": "sha512-n5aYzZ9c02yJzJFZwINoynBEVnswcWuP268uCkoOaqeg4dIKDMSfrnqrwQSKRVFHwOaAGoUIqFEtLj5FfMwbXA==",
+      "requires": {
+        "github-slugger": "^1.2.1",
+        "remark": "^11.0.1",
+        "remark-autolink-headings": "^5.2.1",
+        "remark-slug": "^5.1.2",
+        "to-vfile": "^6.0.0",
+        "unist-util-flatmap": "^1.0.0",
+        "unist-util-is": "^4.0.0",
+        "unist-util-visit": "^2.0.0"
+      }
+    },
+    "@kamilkisiela/graphql-tools": {
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/@kamilkisiela/graphql-tools/-/graphql-tools-4.0.6.tgz",
+      "integrity": "sha512-IPWa+dOFCE4zaCsrJrAMp7yWXnfOZLNhqoMEOmn958WkLM0mmsDc/W/Rh7/7xopIT6P0oizb6/N1iH5HnNXOUA==",
+      "requires": {
+        "apollo-link": "^1.2.3",
+        "apollo-utilities": "^1.0.1",
+        "deprecated-decorator": "^0.1.6",
+        "iterall": "^1.1.3",
+        "uuid": "^3.1.0"
+      }
+    },
+    "@mdx-js/loader": {
+      "version": "1.5.3",
+      "resolved": "https://registry.npmjs.org/@mdx-js/loader/-/loader-1.5.3.tgz",
+      "integrity": "sha512-m3bT9b9xY8wU1sQwHhSuFiIwFm0LP7onDpm2rb3xikHzXNY7yfL1/lV9XF4iecSmd86/4I1L6RKE61Dq1jLqjA==",
+      "requires": {
+        "@mdx-js/mdx": "^1.5.3",
+        "@mdx-js/react": "^1.5.3",
+        "loader-utils": "1.2.3"
+      }
+    },
+    "@mdx-js/mdx": {
+      "version": "1.5.3",
+      "resolved": "https://registry.npmjs.org/@mdx-js/mdx/-/mdx-1.5.3.tgz",
+      "integrity": "sha512-XxnOvyCQKri52tgaCXbV5NWnZGqgRsRifa/yJrxwWa6QG3vdFiEi/xokBHBf/62RCKRK4+QmbM4dSl0fgWIRNA==",
+      "requires": {
+        "@babel/core": "7.7.4",
+        "@babel/plugin-syntax-jsx": "7.7.4",
+        "@babel/plugin-syntax-object-rest-spread": "7.7.4",
+        "@mdx-js/util": "^1.5.3",
+        "babel-plugin-apply-mdx-type-prop": "^1.5.3",
+        "babel-plugin-extract-import-names": "^1.5.3",
+        "camelcase-css": "2.0.1",
+        "detab": "2.0.2",
+        "hast-util-raw": "5.0.1",
+        "lodash.uniq": "4.5.0",
+        "mdast-util-to-hast": "6.0.2",
+        "remark-mdx": "^1.5.3",
+        "remark-parse": "7.0.2",
+        "remark-squeeze-paragraphs": "3.0.4",
+        "style-to-object": "0.3.0",
+        "unified": "8.4.2",
+        "unist-builder": "1.0.4",
+        "unist-util-visit": "2.0.1"
+      },
+      "dependencies": {
+        "@babel/core": {
+          "version": "7.7.4",
+          "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.7.4.tgz",
+          "integrity": "sha512-+bYbx56j4nYBmpsWtnPUsKW3NdnYxbqyfrP2w9wILBuHzdfIKz9prieZK0DFPyIzkjYVUe4QkusGL07r5pXznQ==",
+          "requires": {
+            "@babel/code-frame": "^7.5.5",
+            "@babel/generator": "^7.7.4",
+            "@babel/helpers": "^7.7.4",
+            "@babel/parser": "^7.7.4",
+            "@babel/template": "^7.7.4",
+            "@babel/traverse": "^7.7.4",
+            "@babel/types": "^7.7.4",
+            "convert-source-map": "^1.7.0",
+            "debug": "^4.1.0",
+            "json5": "^2.1.0",
+            "lodash": "^4.17.13",
+            "resolve": "^1.3.2",
+            "semver": "^5.4.1",
+            "source-map": "^0.5.0"
+          }
+        }
+      }
+    },
+    "@mdx-js/react": {
+      "version": "1.5.3",
+      "resolved": "https://registry.npmjs.org/@mdx-js/react/-/react-1.5.3.tgz",
+      "integrity": "sha512-5bVLUsZybjmeYL8l4Uh/ysE8vMn0Vb0GKzki/LicaDHJvXr/N4Tjj0gT4tk1OzhcC5nGQAQGIyQMW5pvIjp9XQ=="
+    },
+    "@mdx-js/util": {
+      "version": "1.5.3",
+      "resolved": "https://registry.npmjs.org/@mdx-js/util/-/util-1.5.3.tgz",
+      "integrity": "sha512-OXeOtHO+eN50QlIkm4Vj4vqNGtowv4FH9L21WvcbEM0eeZrb7aANiFTN70lBQEXcucxCMRkd/6IA9LxhotZEQw=="
+    },
+    "@mrmlnc/readdir-enhanced": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@mrmlnc/readdir-enhanced/-/readdir-enhanced-2.2.1.tgz",
+      "integrity": "sha512-bPHp6Ji8b41szTOcaP63VlnbbO5Ny6dwAATtY6JTjh5N2OLrb5Qk/Th5cRkRQhkWCt+EJsYrNB0MiL+Gpn6e3g==",
+      "requires": {
+        "call-me-maybe": "^1.0.1",
+        "glob-to-regexp": "^0.3.0"
+      }
+    },
+    "@next/bundle-analyzer": {
+      "version": "9.1.7",
+      "resolved": "https://registry.npmjs.org/@next/bundle-analyzer/-/bundle-analyzer-9.1.7.tgz",
+      "integrity": "sha512-UUMrZ2I3Ol9aPwEhzTu/tcINIZ8qMMhd9zkNmxyf7FPQOTsduJlbOfaTd4O4aM4aoolQ52Fb3UAJ0GxzlpG8Kg==",
+      "requires": {
+        "webpack-bundle-analyzer": "3.3.2"
+      }
+    },
+    "@nodelib/fs.scandir": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.3.tgz",
+      "integrity": "sha512-eGmwYQn3gxo4r7jdQnkrrN6bY478C3P+a/y72IJukF8LjB6ZHeB3c+Ehacj3sYeSmUXGlnA67/PmbM9CVwL7Dw==",
+      "requires": {
+        "@nodelib/fs.stat": "2.0.3",
+        "run-parallel": "^1.1.9"
+      },
+      "dependencies": {
+        "@nodelib/fs.stat": {
+          "version": "2.0.3",
+          "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.3.tgz",
+          "integrity": "sha512-bQBFruR2TAwoevBEd/NWMoAAtNGzTRgdrqnYCc7dhzfoNvqPzLyqlEQnzZ3kVnNrSp25iyxE00/3h2fqGAGArA=="
+        }
+      }
+    },
+    "@nodelib/fs.stat": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-1.1.3.tgz",
+      "integrity": "sha512-shAmDyaQC4H92APFoIaVDHCx5bStIocgvbwQyxPRrbUY20V1EYTbSDchWbuwlMG3V17cprZhA6+78JfB+3DTPw=="
+    },
+    "@nodelib/fs.walk": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.4.tgz",
+      "integrity": "sha512-1V9XOY4rDW0rehzbrcqAmHnz8e7SKvX27gh8Gt2WgB0+pdzdiLV83p72kZPU+jvMbS1qU5mauP2iOvO8rhmurQ==",
+      "requires": {
+        "@nodelib/fs.scandir": "2.1.3",
+        "fastq": "^1.6.0"
+      }
+    },
+    "@samverschueren/stream-to-observable": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/@samverschueren/stream-to-observable/-/stream-to-observable-0.3.0.tgz",
+      "integrity": "sha512-MI4Xx6LHs4Webyvi6EbspgyAb4D2Q2VtnCQ1blOJcoLS6mVa8lNN2rkIy1CVxfTUpoyIbCTkXES1rLXztFD1lg==",
+      "requires": {
+        "any-observable": "^0.3.0"
+      }
+    },
+    "@segment/in-eu": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/@segment/in-eu/-/in-eu-0.2.1.tgz",
+      "integrity": "sha512-7JKBw/l3S9J0ldo/n6XPfd3sT89f300KOCvmZsd8sryVZOWlE4L2LMKT538I34bjRdaOd1aJ52TsOAZUOLqxiQ==",
+      "requires": {
+        "jstz": "^2.0.0"
+      }
+    },
+    "@segment/loosely-validate-event": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@segment/loosely-validate-event/-/loosely-validate-event-2.0.0.tgz",
+      "integrity": "sha512-ZMCSfztDBqwotkl848ODgVcAmN4OItEWDCkshcKz0/W6gGSQayuuCtWV/MlodFivAZD793d6UgANd6wCXUfrIw==",
+      "requires": {
+        "component-type": "^1.2.1",
+        "join-component": "^1.1.0"
+      }
+    },
+    "@sindresorhus/is": {
+      "version": "0.14.0",
+      "resolved": "https://registry.npmjs.org/@sindresorhus/is/-/is-0.14.0.tgz",
+      "integrity": "sha512-9NET910DNaIPngYnLLPeg+Ogzqsi9uM4mSboU5y6p8S5DzMTVEsJZrawi+BoDNUVBa2DhJqQYUFvMDfgU062LQ=="
+    },
+    "@szmarczak/http-timer": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@szmarczak/http-timer/-/http-timer-1.1.2.tgz",
+      "integrity": "sha512-XIB2XbzHTN6ieIjfIMV9hlVcfPU26s2vafYWQcZHWXHOxiaRZYEDKEwdl129Zyg50+foYV2jCgtrqSA6qNuNSA==",
+      "requires": {
+        "defer-to-connect": "^1.0.1"
+      }
+    },
+    "@tippy.js/react": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/@tippy.js/react/-/react-2.2.3.tgz",
+      "integrity": "sha512-5XYvbQujzDj9r00JYEz/cBtm6DutjOdv2azdco53B+eWF7FDBCQfkLVn87wimfEpmGK0vqRQv/cwFxFcoOP98Q==",
+      "requires": {
+        "prop-types": "^15.6.2",
+        "tippy.js": "^4.3.4"
+      }
+    },
+    "@types/color-name": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@types/color-name/-/color-name-1.1.1.tgz",
+      "integrity": "sha512-rr+OQyAjxze7GgWrSaJwydHStIhHq2lvY3BOC2Mj7KnzI7XK0Uw1TOOdI9lDoajEbSWLiYgoo4f1R51erQfhPQ=="
+    },
+    "@types/eslint-visitor-keys": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@types/eslint-visitor-keys/-/eslint-visitor-keys-1.0.0.tgz",
+      "integrity": "sha512-OCutwjDZ4aFS6PB1UZ988C4YgwlBHJd6wCeQqaLdmadZ/7e+w79+hbMUFC1QXDNCmdyoRfAFdm0RypzwR+Qpag=="
+    },
+    "@types/events": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@types/events/-/events-3.0.0.tgz",
+      "integrity": "sha512-EaObqwIvayI5a8dCzhFrjKzVwKLxjoG9T6Ppd5CEo07LRKfQ8Yokw54r5+Wq7FaBQ+yXRvQAYPrHwya1/UFt9g=="
+    },
+    "@types/glob": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@types/glob/-/glob-7.1.1.tgz",
+      "integrity": "sha512-1Bh06cbWJUHMC97acuD6UMG29nMt0Aqz1vF3guLfG+kHHJhy3AyohZFFxYk2f7Q1SQIrNwvncxAE0N/9s70F2w==",
+      "requires": {
+        "@types/events": "*",
+        "@types/minimatch": "*",
+        "@types/node": "*"
+      }
+    },
+    "@types/json-schema": {
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.4.tgz",
+      "integrity": "sha512-8+KAKzEvSUdeo+kmqnKrqgeE+LcA0tjYWFY7RPProVYwnqDjukzO+3b6dLD56rYX5TdWejnEOLJYOIeh4CXKuA=="
+    },
+    "@types/minimatch": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/@types/minimatch/-/minimatch-3.0.3.tgz",
+      "integrity": "sha512-tHq6qdbT9U1IRSGf14CL0pUlULksvY9OZ+5eEgl1N7t+OA3tGvNpxJCzuKQlsNgCVwbAs670L1vcVQi8j9HjnA=="
+    },
+    "@types/node": {
+      "version": "13.1.4",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-13.1.4.tgz",
+      "integrity": "sha512-Lue/mlp2egZJoHXZr4LndxDAd7i/7SQYhV0EjWfb/a4/OZ6tuVwMCVPiwkU5nsEipxEf7hmkSU7Em5VQ8P5NGA=="
+    },
+    "@types/normalize-package-data": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@types/normalize-package-data/-/normalize-package-data-2.4.0.tgz",
+      "integrity": "sha512-f5j5b/Gf71L+dbqxIpQ4Z2WlmI/mPJ0fOkGGmFgtb6sAu97EPczzbS3/tJKxmcYDj55OX6ssqwDAWOHIYDRDGA=="
+    },
+    "@types/parse-json": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.0.tgz",
+      "integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==",
+      "dev": true
+    },
+    "@types/q": {
+      "version": "1.5.2",
+      "resolved": "https://registry.npmjs.org/@types/q/-/q-1.5.2.tgz",
+      "integrity": "sha512-ce5d3q03Ex0sy4R14722Rmt6MT07Ua+k4FwDfdcToYJcMKNtRVQvJ6JCAPdAmAnbRb6CsX6aYb9m96NGod9uTw=="
+    },
+    "@types/unist": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@types/unist/-/unist-2.0.3.tgz",
+      "integrity": "sha512-FvUupuM3rlRsRtCN+fDudtmytGO6iHJuuRKS1Ss0pG5z8oX0diNEw94UEL7hgDbpN94rgaK5R7sWm6RrSkZuAQ=="
+    },
+    "@types/zen-observable": {
+      "version": "0.8.0",
+      "resolved": "https://registry.npmjs.org/@types/zen-observable/-/zen-observable-0.8.0.tgz",
+      "integrity": "sha512-te5lMAWii1uEJ4FwLjzdlbw3+n0FZNOvFXHxQDKeT0dilh7HOzdMzV2TrJVUzq8ep7J4Na8OUYPRLSQkJHAlrg=="
+    },
+    "@typescript-eslint/eslint-plugin": {
+      "version": "2.15.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-2.15.0.tgz",
+      "integrity": "sha512-XRJFznI5v4K1WvIrWmjFjBAdQWaUTz4xJEdqR7+wAFsv6Q9dP3mOlE6BMNT3pdlp9eF1+bC5m5LZTmLMqffCVw==",
+      "requires": {
+        "@typescript-eslint/experimental-utils": "2.15.0",
+        "eslint-utils": "^1.4.3",
+        "functional-red-black-tree": "^1.0.1",
+        "regexpp": "^3.0.0",
+        "tsutils": "^3.17.1"
+      }
+    },
+    "@typescript-eslint/experimental-utils": {
+      "version": "2.15.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/experimental-utils/-/experimental-utils-2.15.0.tgz",
+      "integrity": "sha512-Qkxu5zndY5hqlcQkmA88gfLvqQulMpX/TN91XC7OuXsRf4XG5xLGie0sbpX97o/oeccjeZYRMipIsjKk/tjDHA==",
+      "requires": {
+        "@types/json-schema": "^7.0.3",
+        "@typescript-eslint/typescript-estree": "2.15.0",
+        "eslint-scope": "^5.0.0"
+      }
+    },
+    "@typescript-eslint/parser": {
+      "version": "2.15.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-2.15.0.tgz",
+      "integrity": "sha512-6iSgQsqAYTaHw59t0tdjzZJluRAjswdGltzKEdLtcJOxR2UVTPHYvZRqkAVGCkaMVb6Fpa60NnuozNCvsSpA9g==",
+      "requires": {
+        "@types/eslint-visitor-keys": "^1.0.0",
+        "@typescript-eslint/experimental-utils": "2.15.0",
+        "@typescript-eslint/typescript-estree": "2.15.0",
+        "eslint-visitor-keys": "^1.1.0"
+      }
+    },
+    "@typescript-eslint/typescript-estree": {
+      "version": "2.15.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-2.15.0.tgz",
+      "integrity": "sha512-L6Pog+w3VZzXkAdyqA0VlwybF8WcwZX+mufso86CMxSdWmcizJ38lgBdpqTbc9bo92iyi0rOvmATKiwl+amjxg==",
+      "requires": {
+        "debug": "^4.1.1",
+        "eslint-visitor-keys": "^1.1.0",
+        "glob": "^7.1.6",
+        "is-glob": "^4.0.1",
+        "lodash.unescape": "4.0.1",
+        "semver": "^6.3.0",
+        "tsutils": "^3.17.1"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+        }
+      }
+    },
+    "@webassemblyjs/ast": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.8.5.tgz",
+      "integrity": "sha512-aJMfngIZ65+t71C3y2nBBg5FFG0Okt9m0XEgWZ7Ywgn1oMAT8cNwx00Uv1cQyHtidq0Xn94R4TAywO+LCQ+ZAQ==",
+      "requires": {
+        "@webassemblyjs/helper-module-context": "1.8.5",
+        "@webassemblyjs/helper-wasm-bytecode": "1.8.5",
+        "@webassemblyjs/wast-parser": "1.8.5"
+      }
+    },
+    "@webassemblyjs/floating-point-hex-parser": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.8.5.tgz",
+      "integrity": "sha512-9p+79WHru1oqBh9ewP9zW95E3XAo+90oth7S5Re3eQnECGq59ly1Ri5tsIipKGpiStHsUYmY3zMLqtk3gTcOtQ=="
+    },
+    "@webassemblyjs/helper-api-error": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-api-error/-/helper-api-error-1.8.5.tgz",
+      "integrity": "sha512-Za/tnzsvnqdaSPOUXHyKJ2XI7PDX64kWtURyGiJJZKVEdFOsdKUCPTNEVFZq3zJ2R0G5wc2PZ5gvdTRFgm81zA=="
+    },
+    "@webassemblyjs/helper-buffer": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-buffer/-/helper-buffer-1.8.5.tgz",
+      "integrity": "sha512-Ri2R8nOS0U6G49Q86goFIPNgjyl6+oE1abW1pS84BuhP1Qcr5JqMwRFT3Ah3ADDDYGEgGs1iyb1DGX+kAi/c/Q=="
+    },
+    "@webassemblyjs/helper-code-frame": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-code-frame/-/helper-code-frame-1.8.5.tgz",
+      "integrity": "sha512-VQAadSubZIhNpH46IR3yWO4kZZjMxN1opDrzePLdVKAZ+DFjkGD/rf4v1jap744uPVU6yjL/smZbRIIJTOUnKQ==",
+      "requires": {
+        "@webassemblyjs/wast-printer": "1.8.5"
+      }
+    },
+    "@webassemblyjs/helper-fsm": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-fsm/-/helper-fsm-1.8.5.tgz",
+      "integrity": "sha512-kRuX/saORcg8se/ft6Q2UbRpZwP4y7YrWsLXPbbmtepKr22i8Z4O3V5QE9DbZK908dh5Xya4Un57SDIKwB9eow=="
+    },
+    "@webassemblyjs/helper-module-context": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-module-context/-/helper-module-context-1.8.5.tgz",
+      "integrity": "sha512-/O1B236mN7UNEU4t9X7Pj38i4VoU8CcMHyy3l2cV/kIF4U5KoHXDVqcDuOs1ltkac90IM4vZdHc52t1x8Yfs3g==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "mamacro": "^0.0.3"
+      }
+    },
+    "@webassemblyjs/helper-wasm-bytecode": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-bytecode/-/helper-wasm-bytecode-1.8.5.tgz",
+      "integrity": "sha512-Cu4YMYG3Ddl72CbmpjU/wbP6SACcOPVbHN1dI4VJNJVgFwaKf1ppeFJrwydOG3NDHxVGuCfPlLZNyEdIYlQ6QQ=="
+    },
+    "@webassemblyjs/helper-wasm-section": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-section/-/helper-wasm-section-1.8.5.tgz",
+      "integrity": "sha512-VV083zwR+VTrIWWtgIUpqfvVdK4ff38loRmrdDBgBT8ADXYsEZ5mPQ4Nde90N3UYatHdYoDIFb7oHzMncI02tA==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "@webassemblyjs/helper-buffer": "1.8.5",
+        "@webassemblyjs/helper-wasm-bytecode": "1.8.5",
+        "@webassemblyjs/wasm-gen": "1.8.5"
+      }
+    },
+    "@webassemblyjs/ieee754": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/ieee754/-/ieee754-1.8.5.tgz",
+      "integrity": "sha512-aaCvQYrvKbY/n6wKHb/ylAJr27GglahUO89CcGXMItrOBqRarUMxWLJgxm9PJNuKULwN5n1csT9bYoMeZOGF3g==",
+      "requires": {
+        "@xtuc/ieee754": "^1.2.0"
+      }
+    },
+    "@webassemblyjs/leb128": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/leb128/-/leb128-1.8.5.tgz",
+      "integrity": "sha512-plYUuUwleLIziknvlP8VpTgO4kqNaH57Y3JnNa6DLpu/sGcP6hbVdfdX5aHAV716pQBKrfuU26BJK29qY37J7A==",
+      "requires": {
+        "@xtuc/long": "4.2.2"
+      }
+    },
+    "@webassemblyjs/utf8": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/utf8/-/utf8-1.8.5.tgz",
+      "integrity": "sha512-U7zgftmQriw37tfD934UNInokz6yTmn29inT2cAetAsaU9YeVCveWEwhKL1Mg4yS7q//NGdzy79nlXh3bT8Kjw=="
+    },
+    "@webassemblyjs/wasm-edit": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-edit/-/wasm-edit-1.8.5.tgz",
+      "integrity": "sha512-A41EMy8MWw5yvqj7MQzkDjU29K7UJq1VrX2vWLzfpRHt3ISftOXqrtojn7nlPsZ9Ijhp5NwuODuycSvfAO/26Q==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "@webassemblyjs/helper-buffer": "1.8.5",
+        "@webassemblyjs/helper-wasm-bytecode": "1.8.5",
+        "@webassemblyjs/helper-wasm-section": "1.8.5",
+        "@webassemblyjs/wasm-gen": "1.8.5",
+        "@webassemblyjs/wasm-opt": "1.8.5",
+        "@webassemblyjs/wasm-parser": "1.8.5",
+        "@webassemblyjs/wast-printer": "1.8.5"
+      }
+    },
+    "@webassemblyjs/wasm-gen": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-gen/-/wasm-gen-1.8.5.tgz",
+      "integrity": "sha512-BCZBT0LURC0CXDzj5FXSc2FPTsxwp3nWcqXQdOZE4U7h7i8FqtFK5Egia6f9raQLpEKT1VL7zr4r3+QX6zArWg==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "@webassemblyjs/helper-wasm-bytecode": "1.8.5",
+        "@webassemblyjs/ieee754": "1.8.5",
+        "@webassemblyjs/leb128": "1.8.5",
+        "@webassemblyjs/utf8": "1.8.5"
+      }
+    },
+    "@webassemblyjs/wasm-opt": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-opt/-/wasm-opt-1.8.5.tgz",
+      "integrity": "sha512-HKo2mO/Uh9A6ojzu7cjslGaHaUU14LdLbGEKqTR7PBKwT6LdPtLLh9fPY33rmr5wcOMrsWDbbdCHq4hQUdd37Q==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "@webassemblyjs/helper-buffer": "1.8.5",
+        "@webassemblyjs/wasm-gen": "1.8.5",
+        "@webassemblyjs/wasm-parser": "1.8.5"
+      }
+    },
+    "@webassemblyjs/wasm-parser": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-parser/-/wasm-parser-1.8.5.tgz",
+      "integrity": "sha512-pi0SYE9T6tfcMkthwcgCpL0cM9nRYr6/6fjgDtL6q/ZqKHdMWvxitRi5JcZ7RI4SNJJYnYNaWy5UUrHQy998lw==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "@webassemblyjs/helper-api-error": "1.8.5",
+        "@webassemblyjs/helper-wasm-bytecode": "1.8.5",
+        "@webassemblyjs/ieee754": "1.8.5",
+        "@webassemblyjs/leb128": "1.8.5",
+        "@webassemblyjs/utf8": "1.8.5"
+      }
+    },
+    "@webassemblyjs/wast-parser": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wast-parser/-/wast-parser-1.8.5.tgz",
+      "integrity": "sha512-daXC1FyKWHF1i11obK086QRlsMsY4+tIOKgBqI1lxAnkp9xe9YMcgOxm9kLe+ttjs5aWV2KKE1TWJCN57/Btsg==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "@webassemblyjs/floating-point-hex-parser": "1.8.5",
+        "@webassemblyjs/helper-api-error": "1.8.5",
+        "@webassemblyjs/helper-code-frame": "1.8.5",
+        "@webassemblyjs/helper-fsm": "1.8.5",
+        "@xtuc/long": "4.2.2"
+      }
+    },
+    "@webassemblyjs/wast-printer": {
+      "version": "1.8.5",
+      "resolved": "https://registry.npmjs.org/@webassemblyjs/wast-printer/-/wast-printer-1.8.5.tgz",
+      "integrity": "sha512-w0U0pD4EhlnvRyeJzBqaVSJAo9w/ce7/WPogeXLzGkO6hzhr4GnQIZ4W4uUt5b9ooAaXPtnXlj0gzsXEOUNYMg==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "@webassemblyjs/wast-parser": "1.8.5",
+        "@xtuc/long": "4.2.2"
+      }
+    },
+    "@wry/context": {
+      "version": "0.4.4",
+      "resolved": "https://registry.npmjs.org/@wry/context/-/context-0.4.4.tgz",
+      "integrity": "sha512-LrKVLove/zw6h2Md/KZyWxIkFM6AoyKp71OqpH9Hiip1csjPVoD3tPxlbQUNxEnHENks3UGgNpSBCAfq9KWuag==",
+      "requires": {
+        "@types/node": ">=6",
+        "tslib": "^1.9.3"
+      }
+    },
+    "@wry/equality": {
+      "version": "0.1.9",
+      "resolved": "https://registry.npmjs.org/@wry/equality/-/equality-0.1.9.tgz",
+      "integrity": "sha512-mB6ceGjpMGz1ZTza8HYnrPGos2mC6So4NhS1PtZ8s4Qt0K7fBiIGhpSxUbQmhwcSWE3no+bYxmI2OL6KuXYmoQ==",
+      "requires": {
+        "tslib": "^1.9.3"
+      }
+    },
+    "@xtuc/ieee754": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@xtuc/ieee754/-/ieee754-1.2.0.tgz",
+      "integrity": "sha512-DX8nKgqcGwsc0eJSqYt5lwP4DH5FlHnmuWWBRy7X0NcaGR0ZtuyeESgMwTYVEtxmsNGY+qit4QYT/MIYTOTPeA=="
+    },
+    "@xtuc/long": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@xtuc/long/-/long-4.2.2.tgz",
+      "integrity": "sha512-NuHqBY1PB/D8xU6s/thBgOAiAP7HOYDQ32+BFZILJ8ivkUkAHQnWfn6WhL79Owj1qmUnoN/YPhktdIoucipkAQ=="
+    },
+    "@zeit/next-css": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@zeit/next-css/-/next-css-1.0.1.tgz",
+      "integrity": "sha512-yfHPRy/ne/5SddVClsoy+fpU7e0Cs1gkWA67/wm2uIu+9rznF45yQLxHEt5dPGF3h6IiIh7ZtIgA8VV8YKq87A==",
+      "requires": {
+        "css-loader": "1.0.0",
+        "extracted-loader": "1.0.4",
+        "find-up": "2.1.0",
+        "ignore-loader": "0.1.2",
+        "mini-css-extract-plugin": "0.4.3",
+        "postcss-loader": "3.0.0"
+      }
+    },
+    "accepts": {
+      "version": "1.3.7",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.7.tgz",
+      "integrity": "sha512-Il80Qs2WjYlJIBNzNkK6KYqlVMTbZLXgHx2oT0pU/fjRHyEp+PEfEPY0R3WCwAGVOtauxh1hOxNgIf5bv7dQpA==",
+      "requires": {
+        "mime-types": "~2.1.24",
+        "negotiator": "0.6.2"
+      }
+    },
+    "acorn": {
+      "version": "6.4.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz",
+      "integrity": "sha512-gac8OEcQ2Li1dxIEWGZzsp2BitJxwkwcOm0zHAJLcPJaVvm58FRnk6RkuLRpU1EujipU2ZFODv2P9DLMfnV8mw=="
+    },
+    "acorn-jsx": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.1.0.tgz",
+      "integrity": "sha512-tMUqwBWfLFbJbizRmEcWSLw6HnFzfdJs2sOJEOwwtVPMoH/0Ay+E703oZz78VSXZiiDcZrQ5XKjPIUQixhmgVw=="
+    },
+    "acorn-walk": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-6.2.0.tgz",
+      "integrity": "sha512-7evsyfH1cLOCdAzZAd43Cic04yKydNx0cF+7tiA19p1XnLLPU4dpCQOqpjqwokFe//vS0QqfqqjCS2JkiIs0cA=="
+    },
+    "aggregate-error": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/aggregate-error/-/aggregate-error-3.0.1.tgz",
+      "integrity": "sha512-quoaXsZ9/BLNae5yiNoUz+Nhkwz83GhWwtYFglcjEQB2NDHCIpApbqXxIFnm4Pq/Nvhrsq5sYJFyohrrxnTGAA==",
+      "requires": {
+        "clean-stack": "^2.0.0",
+        "indent-string": "^4.0.0"
+      }
+    },
+    "ajv": {
+      "version": "6.10.2",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz",
+      "integrity": "sha512-TXtUUEYHuaTEbLZWIKUr5pmBuhDLy+8KYtPYdcV8qC+pOZL+NKqYwvWSRrVXHn+ZmRRAu8vJTAznH7Oag6RVRw==",
+      "requires": {
+        "fast-deep-equal": "^2.0.1",
+        "fast-json-stable-stringify": "^2.0.0",
+        "json-schema-traverse": "^0.4.1",
+        "uri-js": "^4.2.2"
+      }
+    },
+    "ajv-errors": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/ajv-errors/-/ajv-errors-1.0.1.tgz",
+      "integrity": "sha512-DCRfO/4nQ+89p/RK43i8Ezd41EqdGIU4ld7nGF8OQ14oc/we5rEntLCUa7+jrn3nn83BosfwZA0wb4pon2o8iQ=="
+    },
+    "ajv-keywords": {
+      "version": "3.4.1",
+      "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.4.1.tgz",
+      "integrity": "sha512-RO1ibKvd27e6FEShVFfPALuHI3WjSVNeK5FIsmme/LYRNxjKuNj+Dt7bucLa6NdSv3JcVTyMlm9kGR84z1XpaQ=="
+    },
+    "amphtml-validator": {
+      "version": "1.0.23",
+      "resolved": "https://registry.npmjs.org/amphtml-validator/-/amphtml-validator-1.0.23.tgz",
+      "integrity": "sha1-26DDhUKJVjwK2qwpLNTWCW7k18g=",
+      "requires": {
+        "colors": "1.1.2",
+        "commander": "2.9.0",
+        "promise": "7.1.1"
+      },
+      "dependencies": {
+        "commander": {
+          "version": "2.9.0",
+          "resolved": "https://registry.npmjs.org/commander/-/commander-2.9.0.tgz",
+          "integrity": "sha1-nJkJQXbhIkDLItbFFGCYQA/g99Q=",
+          "requires": {
+            "graceful-readlink": ">= 1.0.0"
+          }
+        },
+        "promise": {
+          "version": "7.1.1",
+          "resolved": "https://registry.npmjs.org/promise/-/promise-7.1.1.tgz",
+          "integrity": "sha1-SJZUxpJha4qlWwck+oCbt9tJxb8=",
+          "requires": {
+            "asap": "~2.0.3"
+          }
+        }
+      }
+    },
+    "analytics-node": {
+      "version": "3.4.0-beta.1",
+      "resolved": "https://registry.npmjs.org/analytics-node/-/analytics-node-3.4.0-beta.1.tgz",
+      "integrity": "sha512-+0F/y4Asc5S2qhWcYss+iCob6TTXQktwbqlIk02gcZaRxpekCbnTbJu/rcaRooVHxqp9WSzUXiWCesJYPJETZQ==",
+      "requires": {
+        "@segment/loosely-validate-event": "^2.0.0",
+        "axios": "^0.18.1",
+        "axios-retry": "^3.0.2",
+        "lodash.isstring": "^4.0.1",
+        "md5": "^2.2.1",
+        "ms": "^2.0.0",
+        "remove-trailing-slash": "^0.1.0",
+        "uuid": "^3.2.1"
+      }
+    },
+    "ansi-colors": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-3.2.4.tgz",
+      "integrity": "sha512-hHUXGagefjN2iRrID63xckIvotOXOojhQKWIPUZ4mNUZ9nLZW+7FMNoE1lOkEhNWYsx/7ysGIuJYCiMAA9FnrA=="
+    },
+    "ansi-escapes": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-4.3.0.tgz",
+      "integrity": "sha512-EiYhwo0v255HUL6eDyuLrXEkTi7WwVCLAw+SeOQ7M7qdun1z1pum4DEm/nuqIVbPvi9RPPc9k9LbyBv6H0DwVg==",
+      "requires": {
+        "type-fest": "^0.8.1"
+      }
+    },
+    "ansi-html": {
+      "version": "0.0.7",
+      "resolved": "https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz",
+      "integrity": "sha1-gTWEAhliqenm/QOflA0S9WynhZ4="
+    },
+    "ansi-regex": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
+      "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8="
+    },
+    "ansi-styles": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz",
+      "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+      "requires": {
+        "color-convert": "^1.9.0"
+      }
+    },
+    "any-observable": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/any-observable/-/any-observable-0.3.0.tgz",
+      "integrity": "sha512-/FQM1EDkTsf63Ub2C6O7GuYFDsSXUwsaZDurV0np41ocwq0jthUAYCmhBX9f+KwlaCgIuWyr/4WlUQUBfKfZog=="
+    },
+    "anymatch": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.1.tgz",
+      "integrity": "sha512-mM8522psRCqzV+6LhomX5wgp25YVibjh8Wj23I5RPkPppSVSjyKD2A2mBJmWGa+KN7f2D6LNh9jkBCeyLktzjg==",
+      "requires": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      }
+    },
+    "apollo-cache": {
+      "version": "1.3.4",
+      "resolved": "https://registry.npmjs.org/apollo-cache/-/apollo-cache-1.3.4.tgz",
+      "integrity": "sha512-7X5aGbqaOWYG+SSkCzJNHTz2ZKDcyRwtmvW4mGVLRqdQs+HxfXS4dUS2CcwrAj449se6tZ6NLUMnjko4KMt3KA==",
+      "requires": {
+        "apollo-utilities": "^1.3.3",
+        "tslib": "^1.10.0"
+      }
+    },
+    "apollo-cache-inmemory": {
+      "version": "1.6.5",
+      "resolved": "https://registry.npmjs.org/apollo-cache-inmemory/-/apollo-cache-inmemory-1.6.5.tgz",
+      "integrity": "sha512-koB76JUDJaycfejHmrXBbWIN9pRKM0Z9CJGQcBzIOtmte1JhEBSuzsOUu7NQgiXKYI4iGoMREcnaWffsosZynA==",
+      "requires": {
+        "apollo-cache": "^1.3.4",
+        "apollo-utilities": "^1.3.3",
+        "optimism": "^0.10.0",
+        "ts-invariant": "^0.4.0",
+        "tslib": "^1.10.0"
+      }
+    },
+    "apollo-client": {
+      "version": "2.6.8",
+      "resolved": "https://registry.npmjs.org/apollo-client/-/apollo-client-2.6.8.tgz",
+      "integrity": "sha512-0zvJtAcONiozpa5z5zgou83iEKkBaXhhSSXJebFHRXs100SecDojyUWKjwTtBPn9HbM6o5xrvC5mo9VQ5fgAjw==",
+      "requires": {
+        "@types/zen-observable": "^0.8.0",
+        "apollo-cache": "1.3.4",
+        "apollo-link": "^1.0.0",
+        "apollo-utilities": "1.3.3",
+        "symbol-observable": "^1.0.2",
+        "ts-invariant": "^0.4.0",
+        "tslib": "^1.10.0",
+        "zen-observable": "^0.8.0"
+      }
+    },
+    "apollo-link": {
+      "version": "1.2.13",
+      "resolved": "https://registry.npmjs.org/apollo-link/-/apollo-link-1.2.13.tgz",
+      "integrity": "sha512-+iBMcYeevMm1JpYgwDEIDt/y0BB7VWyvlm/7x+TIPNLHCTCMgcEgDuW5kH86iQZWo0I7mNwQiTOz+/3ShPFmBw==",
+      "requires": {
+        "apollo-utilities": "^1.3.0",
+        "ts-invariant": "^0.4.0",
+        "tslib": "^1.9.3",
+        "zen-observable-ts": "^0.8.20"
+      }
+    },
+    "apollo-link-error": {
+      "version": "1.1.12",
+      "resolved": "https://registry.npmjs.org/apollo-link-error/-/apollo-link-error-1.1.12.tgz",
+      "integrity": "sha512-psNmHyuy3valGikt/XHJfe0pKJnRX19tLLs6P6EHRxg+6q6JMXNVLYPaQBkL0FkwdTCB0cbFJAGRYCBviG8TDA==",
+      "requires": {
+        "apollo-link": "^1.2.13",
+        "apollo-link-http-common": "^0.2.15",
+        "tslib": "^1.9.3"
+      }
+    },
+    "apollo-link-http": {
+      "version": "1.5.16",
+      "resolved": "https://registry.npmjs.org/apollo-link-http/-/apollo-link-http-1.5.16.tgz",
+      "integrity": "sha512-IA3xA/OcrOzINRZEECI6IdhRp/Twom5X5L9jMehfzEo2AXdeRwAMlH5LuvTZHgKD8V1MBnXdM6YXawXkTDSmJw==",
+      "requires": {
+        "apollo-link": "^1.2.13",
+        "apollo-link-http-common": "^0.2.15",
+        "tslib": "^1.9.3"
+      }
+    },
+    "apollo-link-http-common": {
+      "version": "0.2.15",
+      "resolved": "https://registry.npmjs.org/apollo-link-http-common/-/apollo-link-http-common-0.2.15.tgz",
+      "integrity": "sha512-+Heey4S2IPsPyTf8Ag3PugUupASJMW894iVps6hXbvwtg1aHSNMXUYO5VG7iRHkPzqpuzT4HMBanCTXPjtGzxg==",
+      "requires": {
+        "apollo-link": "^1.2.13",
+        "ts-invariant": "^0.4.0",
+        "tslib": "^1.9.3"
+      }
+    },
+    "apollo-utilities": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/apollo-utilities/-/apollo-utilities-1.3.3.tgz",
+      "integrity": "sha512-F14aX2R/fKNYMvhuP2t9GD9fggID7zp5I96MF5QeKYWDWTrkRdHRp4+SVfXUVN+cXOaB/IebfvRtzPf25CM0zw==",
+      "requires": {
+        "@wry/equality": "^0.1.2",
+        "fast-json-stable-stringify": "^2.0.0",
+        "ts-invariant": "^0.4.0",
+        "tslib": "^1.10.0"
+      }
+    },
+    "aproba": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/aproba/-/aproba-1.2.0.tgz",
+      "integrity": "sha512-Y9J6ZjXtoYh8RnXVCMOU/ttDmk1aBjunq9vO0ta5x85WDQiQfUF9sIPBITdbiiIVcBo03Hi3jMxigBtsddlXRw=="
+    },
+    "arch": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/arch/-/arch-2.1.1.tgz",
+      "integrity": "sha512-BLM56aPo9vLLFVa8+/+pJLnrZ7QGGTVHWsCwieAWT9o9K8UeGaQbzZbGoabWLOo2ksBCztoXdqBZBplqLDDCSg=="
+    },
+    "archive-type": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/archive-type/-/archive-type-4.0.0.tgz",
+      "integrity": "sha1-+S5yIzBW38aWlHJ0nCZ72wRrHXA=",
+      "requires": {
+        "file-type": "^4.2.0"
+      },
+      "dependencies": {
+        "file-type": {
+          "version": "4.4.0",
+          "resolved": "https://registry.npmjs.org/file-type/-/file-type-4.4.0.tgz",
+          "integrity": "sha1-G2AOX8ofvcboDApwxxyNul95BsU="
+        }
+      }
+    },
+    "argparse": {
+      "version": "1.0.10",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
+      "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+      "requires": {
+        "sprintf-js": "~1.0.2"
+      }
+    },
+    "aria-query": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/aria-query/-/aria-query-3.0.0.tgz",
+      "integrity": "sha1-ZbP8wcoRVajJrmTW7uKX8V1RM8w=",
+      "requires": {
+        "ast-types-flow": "0.0.7",
+        "commander": "^2.11.0"
+      }
+    },
+    "arr-diff": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/arr-diff/-/arr-diff-4.0.0.tgz",
+      "integrity": "sha1-1kYQdP6/7HHn4VI1dhoyml3HxSA="
+    },
+    "arr-flatten": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/arr-flatten/-/arr-flatten-1.1.0.tgz",
+      "integrity": "sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg=="
+    },
+    "arr-rotate": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/arr-rotate/-/arr-rotate-1.0.0.tgz",
+      "integrity": "sha512-yOzOZcR9Tn7enTF66bqKorGGH0F36vcPaSWg8fO0c0UYb3LX3VMXj5ZxEqQLNOecAhlRJ7wYZja5i4jTlnbIfQ=="
+    },
+    "arr-union": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/arr-union/-/arr-union-3.1.0.tgz",
+      "integrity": "sha1-45sJrqne+Gao8gbiiK9jkZuuOcQ="
+    },
+    "array-differ": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/array-differ/-/array-differ-3.0.0.tgz",
+      "integrity": "sha512-THtfYS6KtME/yIAhKjZ2ul7XI96lQGHRputJQHO80LAWQnuGP4iCIN8vdMRboGbIEYBwU33q8Tch1os2+X0kMg=="
+    },
+    "array-find-index": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/array-find-index/-/array-find-index-1.0.2.tgz",
+      "integrity": "sha1-3wEKoSh+Fku9pvlyOwqWoexBh6E="
+    },
+    "array-flatten": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
+      "integrity": "sha1-ml9pkFGx5wczKPKgCJaLZOopVdI="
+    },
+    "array-includes": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/array-includes/-/array-includes-3.1.1.tgz",
+      "integrity": "sha512-c2VXaCHl7zPsvpkFsw4nxvFie4fh1ur9bpcgsVkIjqn0H/Xwdg+7fv3n2r/isyS8EBj5b06M9kHyZuIr4El6WQ==",
+      "requires": {
+        "define-properties": "^1.1.3",
+        "es-abstract": "^1.17.0",
+        "is-string": "^1.0.5"
+      },
+      "dependencies": {
+        "es-abstract": {
+          "version": "1.17.0",
+          "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.17.0.tgz",
+          "integrity": "sha512-yYkE07YF+6SIBmg1MsJ9dlub5L48Ek7X0qz+c/CPCHS9EBXfESorzng4cJQjJW5/pB6vDF41u7F8vUhLVDqIug==",
+          "requires": {
+            "es-to-primitive": "^1.2.1",
+            "function-bind": "^1.1.1",
+            "has": "^1.0.3",
+            "has-symbols": "^1.0.1",
+            "is-callable": "^1.1.5",
+            "is-regex": "^1.0.5",
+            "object-inspect": "^1.7.0",
+            "object-keys": "^1.1.1",
+            "object.assign": "^4.1.0",
+            "string.prototype.trimleft": "^2.1.1",
+            "string.prototype.trimright": "^2.1.1"
+          }
+        },
+        "is-callable": {
+          "version": "1.1.5",
+          "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.1.5.tgz",
+          "integrity": "sha512-ESKv5sMCJB2jnHTWZ3O5itG+O128Hsus4K4Qh1h2/cgn2vbgnLSVqfV46AeJA9D5EeeLa9w81KUXMtn34zhX+Q=="
+        },
+        "is-regex": {
+          "version": "1.0.5",
+          "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.0.5.tgz",
+          "integrity": "sha512-vlKW17SNq44owv5AQR3Cq0bQPEb8+kF3UKZ2fiZNOWtztYE5i0CzCZxFDwO58qAOWtxdBRVO/V5Qin1wjCqFYQ==",
+          "requires": {
+            "has": "^1.0.3"
+          }
+        },
+        "string.prototype.trimleft": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/string.prototype.trimleft/-/string.prototype.trimleft-2.1.1.tgz",
+          "integrity": "sha512-iu2AGd3PuP5Rp7x2kEZCrB2Nf41ehzh+goo8TV7z8/XDBbsvc6HQIlUl9RjkZ4oyrW1XM5UwlGl1oVEaDjg6Ag==",
+          "requires": {
+            "define-properties": "^1.1.3",
+            "function-bind": "^1.1.1"
+          }
+        },
+        "string.prototype.trimright": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/string.prototype.trimright/-/string.prototype.trimright-2.1.1.tgz",
+          "integrity": "sha512-qFvWL3/+QIgZXVmJBfpHmxLB7xsUXz6HsUmP8+5dRaC3Q7oKUv9Vo6aMCRZC1smrtyECFsIT30PqBJ1gTjAs+g==",
+          "requires": {
+            "define-properties": "^1.1.3",
+            "function-bind": "^1.1.1"
+          }
+        }
+      }
+    },
+    "array-union": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/array-union/-/array-union-2.1.0.tgz",
+      "integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw=="
+    },
+    "array-uniq": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
+      "integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY="
+    },
+    "array-unique": {
+      "version": "0.3.2",
+      "resolved": "https://registry.npmjs.org/array-unique/-/array-unique-0.3.2.tgz",
+      "integrity": "sha1-qJS3XUvE9s1nnvMkSp/Y9Gri1Cg="
+    },
+    "arrify": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/arrify/-/arrify-1.0.1.tgz",
+      "integrity": "sha1-iYUI2iIm84DfkEcoRWhJwVAaSw0="
+    },
+    "asap": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/asap/-/asap-2.0.6.tgz",
+      "integrity": "sha1-5QNHYR1+aQlDIIu9r+vLwvuGbUY="
+    },
+    "asn1.js": {
+      "version": "4.10.1",
+      "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-4.10.1.tgz",
+      "integrity": "sha512-p32cOF5q0Zqs9uBiONKYLm6BClCoBCM5O9JfeUSlnQLBTxYdTK+pW+nXflm8UkKd2UYlEbYz5qEi0JuZR9ckSw==",
+      "requires": {
+        "bn.js": "^4.0.0",
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
+    "assert": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/assert/-/assert-1.5.0.tgz",
+      "integrity": "sha512-EDsgawzwoun2CZkCgtxJbv392v4nbk9XDD06zI+kQYoBM/3RBWLlEyJARDOmhAAosBjWACEkKL6S+lIZtcAubA==",
+      "requires": {
+        "object-assign": "^4.1.1",
+        "util": "0.10.3"
+      },
+      "dependencies": {
+        "inherits": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.1.tgz",
+          "integrity": "sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE="
+        },
+        "util": {
+          "version": "0.10.3",
+          "resolved": "https://registry.npmjs.org/util/-/util-0.10.3.tgz",
+          "integrity": "sha1-evsa/lCAUkZInj23/g7TeTNqwPk=",
+          "requires": {
+            "inherits": "2.0.1"
+          }
+        }
+      }
+    },
+    "assign-symbols": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/assign-symbols/-/assign-symbols-1.0.0.tgz",
+      "integrity": "sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c="
+    },
+    "ast-types-flow": {
+      "version": "0.0.7",
+      "resolved": "https://registry.npmjs.org/ast-types-flow/-/ast-types-flow-0.0.7.tgz",
+      "integrity": "sha1-9wtzXGvKGlycItmCw+Oef+ujva0="
+    },
+    "astral-regex": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-1.0.0.tgz",
+      "integrity": "sha512-+Ryf6g3BKoRc7jfp7ad8tM4TtMiaWvbF/1/sQcZPkkS7ag3D5nMBCe2UfOTONtAkaG0tO0ij3C5Lwmf1EiyjHg=="
+    },
+    "async-each": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/async-each/-/async-each-1.0.3.tgz",
+      "integrity": "sha512-z/WhQ5FPySLdvREByI2vZiTWwCnF0moMJ1hK9YQwDTHKh6I7/uSckMetoRGb5UBZPC1z0jlw+n/XCgjeH7y1AQ=="
+    },
+    "async-limiter": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/async-limiter/-/async-limiter-1.0.1.tgz",
+      "integrity": "sha512-csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ=="
+    },
+    "async-retry": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/async-retry/-/async-retry-1.2.3.tgz",
+      "integrity": "sha512-tfDb02Th6CE6pJUF2gjW5ZVjsgwlucVXOEQMvEX9JgSJMs9gAX+Nz3xRuJBKuUYjTSYORqvDBORdAQ3LU59g7Q==",
+      "requires": {
+        "retry": "0.12.0"
+      }
+    },
+    "async-sema": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/async-sema/-/async-sema-3.0.0.tgz",
+      "integrity": "sha512-zyCMBDl4m71feawrxYcVbHxv/UUkqm4nKJiLu3+l9lfiQha6jQ/9dxhrXLnzzBXVFqCTDwiUkZOz9XFbdEGQsg=="
+    },
+    "atob": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/atob/-/atob-2.1.2.tgz",
+      "integrity": "sha512-Wm6ukoaOGJi/73p/cl2GvLjTI5JM1k/O14isD73YML8StrH/7/lRFgmg8nICZgD3bZZvjwCGxtMOD3wWNAu8cg=="
+    },
+    "auto-bind": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/auto-bind/-/auto-bind-4.0.0.tgz",
+      "integrity": "sha512-Hdw8qdNiqdJ8LqT0iK0sVzkFbzg6fhnQqqfWhBDxcHZvU75+B+ayzTy8x+k5Ix0Y92XOhOUlx74ps+bA6BeYMQ=="
+    },
+    "autodll-webpack-plugin": {
+      "version": "0.4.2",
+      "resolved": "https://registry.npmjs.org/autodll-webpack-plugin/-/autodll-webpack-plugin-0.4.2.tgz",
+      "integrity": "sha512-JLrV3ErBNKVkmhi0celM6PJkgYEtztFnXwsNBApjinpVHtIP3g/m2ZZSOvsAe7FoByfJzDhpOXBKFbH3k2UNjw==",
+      "requires": {
+        "bluebird": "^3.5.0",
+        "del": "^3.0.0",
+        "find-cache-dir": "^1.0.0",
+        "lodash": "^4.17.4",
+        "make-dir": "^1.0.0",
+        "memory-fs": "^0.4.1",
+        "read-pkg": "^2.0.0",
+        "tapable": "^1.0.0",
+        "webpack-merge": "^4.1.0",
+        "webpack-sources": "^1.0.1"
+      },
+      "dependencies": {
+        "array-union": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
+          "integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
+          "requires": {
+            "array-uniq": "^1.0.1"
+          }
+        },
+        "del": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/del/-/del-3.0.0.tgz",
+          "integrity": "sha1-U+z2mf/LyzljdpGrE7rxYIGXZuU=",
+          "requires": {
+            "globby": "^6.1.0",
+            "is-path-cwd": "^1.0.0",
+            "is-path-in-cwd": "^1.0.0",
+            "p-map": "^1.1.1",
+            "pify": "^3.0.0",
+            "rimraf": "^2.2.8"
+          }
+        },
+        "globby": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/globby/-/globby-6.1.0.tgz",
+          "integrity": "sha1-9abXDoOV4hyFj7BInWTfAkJNUGw=",
+          "requires": {
+            "array-union": "^1.0.1",
+            "glob": "^7.0.3",
+            "object-assign": "^4.0.1",
+            "pify": "^2.0.0",
+            "pinkie-promise": "^2.0.0"
+          },
+          "dependencies": {
+            "pify": {
+              "version": "2.3.0",
+              "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
+              "integrity": "sha1-7RQaasBDqEnqWISY59yosVMw6Qw="
+            }
+          }
+        },
+        "is-path-cwd": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-path-cwd/-/is-path-cwd-1.0.0.tgz",
+          "integrity": "sha1-0iXsIxMuie3Tj9p2dHLmLmXxEG0="
+        },
+        "p-map": {
+          "version": "1.2.0",
+          "resolved": "https://registry.npmjs.org/p-map/-/p-map-1.2.0.tgz",
+          "integrity": "sha512-r6zKACMNhjPJMTl8KcFH4li//gkrXWfbD6feV8l6doRHlzljFWGJ2AP6iKaCJXyZmAUMOPtvbW7EXkbWO/pLEA=="
+        },
+        "pify": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+          "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+        }
+      }
+    },
+    "autoprefixer": {
+      "version": "9.7.3",
+      "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-9.7.3.tgz",
+      "integrity": "sha512-8T5Y1C5Iyj6PgkPSFd0ODvK9DIleuPKUPYniNxybS47g2k2wFgLZ46lGQHlBuGKIAEV8fbCDfKCCRS1tvOgc3Q==",
+      "requires": {
+        "browserslist": "^4.8.0",
+        "caniuse-lite": "^1.0.30001012",
+        "chalk": "^2.4.2",
+        "normalize-range": "^0.1.2",
+        "num2fraction": "^1.2.2",
+        "postcss": "^7.0.23",
+        "postcss-value-parser": "^4.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "6.1.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+              "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss-value-parser": {
+          "version": "4.0.2",
+          "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.0.2.tgz",
+          "integrity": "sha512-LmeoohTpp/K4UiyQCwuGWlONxXamGzCMtFxLq4W1nZVGIQLYvMCJx3yAF9qyyuFpflABI9yVdtJAqbihOsCsJQ=="
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "axios": {
+      "version": "0.18.1",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-0.18.1.tgz",
+      "integrity": "sha512-0BfJq4NSfQXd+SkFdrvFbG7addhYSBA2mQwISr46pD6E5iqkWg02RAs8vyTT/j0RTnoYmeXauBuSv1qKwR179g==",
+      "requires": {
+        "follow-redirects": "1.5.10",
+        "is-buffer": "^2.0.2"
+      },
+      "dependencies": {
+        "is-buffer": {
+          "version": "2.0.4",
+          "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-2.0.4.tgz",
+          "integrity": "sha512-Kq1rokWXOPXWuaMAqZiJW4XxsmD9zGx9q4aePabbn3qCRGedtH7Cm+zV8WETitMfu1wdh+Rvd6w5egwSngUX2A=="
+        }
+      }
+    },
+    "axios-retry": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/axios-retry/-/axios-retry-3.1.2.tgz",
+      "integrity": "sha512-+X0mtJ3S0mmia1kTVi1eA3DAC+oWnT2A29g3CpkzcBPMT6vJm+hn/WiV9wPt/KXLHVmg5zev9mWqkPx7bHMovg==",
+      "requires": {
+        "is-retry-allowed": "^1.1.0"
+      }
+    },
+    "axobject-query": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-2.1.1.tgz",
+      "integrity": "sha512-lF98xa/yvy6j3fBHAgQXIYl+J4eZadOSqsPojemUqClzNbBV38wWGpUbQbVEyf4eUF5yF7eHmGgGA2JiHyjeqw==",
+      "requires": {
+        "@babel/runtime": "^7.7.4",
+        "@babel/runtime-corejs3": "^7.7.4"
+      }
+    },
+    "babel-code-frame": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz",
+      "integrity": "sha1-Y/1D99weO7fONZR9uP42mj9Yx0s=",
+      "requires": {
+        "chalk": "^1.1.3",
+        "esutils": "^2.0.2",
+        "js-tokens": "^3.0.2"
+      },
+      "dependencies": {
+        "ansi-styles": {
+          "version": "2.2.1",
+          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
+          "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4="
+        },
+        "chalk": {
+          "version": "1.1.3",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz",
+          "integrity": "sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=",
+          "requires": {
+            "ansi-styles": "^2.2.1",
+            "escape-string-regexp": "^1.0.2",
+            "has-ansi": "^2.0.0",
+            "strip-ansi": "^3.0.0",
+            "supports-color": "^2.0.0"
+          }
+        },
+        "js-tokens": {
+          "version": "3.0.2",
+          "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz",
+          "integrity": "sha1-mGbfOVECEw449/mWvOtlRDIJwls="
+        },
+        "supports-color": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
+          "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc="
+        }
+      }
+    },
+    "babel-core": {
+      "version": "7.0.0-bridge.0",
+      "resolved": "https://registry.npmjs.org/babel-core/-/babel-core-7.0.0-bridge.0.tgz",
+      "integrity": "sha512-poPX9mZH/5CSanm50Q+1toVci6pv5KSRv/5TWCwtzQS5XEwn40BcCrgIeMFWP9CKKIniKXNxoIOnOq4VVlGXhg=="
+    },
+    "babel-eslint": {
+      "version": "10.0.3",
+      "resolved": "https://registry.npmjs.org/babel-eslint/-/babel-eslint-10.0.3.tgz",
+      "integrity": "sha512-z3U7eMY6r/3f3/JB9mTsLjyxrv0Yb1zb8PCWCLpguxfCzBIZUwy23R1t/XKewP+8mEN2Ck8Dtr4q20z6ce6SoA==",
+      "requires": {
+        "@babel/code-frame": "^7.0.0",
+        "@babel/parser": "^7.0.0",
+        "@babel/traverse": "^7.0.0",
+        "@babel/types": "^7.0.0",
+        "eslint-visitor-keys": "^1.0.0",
+        "resolve": "^1.12.0"
+      }
+    },
+    "babel-loader": {
+      "version": "8.0.6",
+      "resolved": "https://registry.npmjs.org/babel-loader/-/babel-loader-8.0.6.tgz",
+      "integrity": "sha512-4BmWKtBOBm13uoUwd08UwjZlaw3O9GWf456R9j+5YykFZ6LUIjIKLc0zEZf+hauxPOJs96C8k6FvYD09vWzhYw==",
+      "requires": {
+        "find-cache-dir": "^2.0.0",
+        "loader-utils": "^1.0.2",
+        "mkdirp": "^0.5.1",
+        "pify": "^4.0.1"
+      },
+      "dependencies": {
+        "find-cache-dir": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/find-cache-dir/-/find-cache-dir-2.1.0.tgz",
+          "integrity": "sha512-Tq6PixE0w/VMFfCgbONnkiQIVol/JJL7nRMi20fqzA4NRs9AfeqMGeRdPi3wIhYkxjeBaWh2rxwapn5Tu3IqOQ==",
+          "requires": {
+            "commondir": "^1.0.1",
+            "make-dir": "^2.0.0",
+            "pkg-dir": "^3.0.0"
+          }
+        },
+        "find-up": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-3.0.0.tgz",
+          "integrity": "sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==",
+          "requires": {
+            "locate-path": "^3.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-3.0.0.tgz",
+          "integrity": "sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==",
+          "requires": {
+            "p-locate": "^3.0.0",
+            "path-exists": "^3.0.0"
+          }
+        },
+        "make-dir": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-2.1.0.tgz",
+          "integrity": "sha512-LS9X+dc8KLxXCb8dni79fLIIUA5VyZoyjSMCwTluaXA0o27cCK0bhXkpgw+sTXVpPy/lSO57ilRixqk0vDmtRA==",
+          "requires": {
+            "pify": "^4.0.1",
+            "semver": "^5.6.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.2.2",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.2.tgz",
+          "integrity": "sha512-WGR+xHecKTr7EbUEhyLSh5Dube9JtdiG78ufaeLxTgpudf/20KqyMioIUZJAezlTIi6evxuoUs9YXc11cU+yzQ==",
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-3.0.0.tgz",
+          "integrity": "sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==",
+          "requires": {
+            "p-limit": "^2.0.0"
+          }
+        },
+        "p-try": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+          "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+        },
+        "pify": {
+          "version": "4.0.1",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
+          "integrity": "sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g=="
+        },
+        "pkg-dir": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-3.0.0.tgz",
+          "integrity": "sha512-/E57AYkoeQ25qkxMj5PBOVgF8Kiu/h7cYS30Z5+R7WaiCCBfLq58ZI/dSeaEKb9WVJV5n/03QwrN3IeWIFllvw==",
+          "requires": {
+            "find-up": "^3.0.0"
+          }
+        }
+      }
+    },
+    "babel-plugin-apply-mdx-type-prop": {
+      "version": "1.5.3",
+      "resolved": "https://registry.npmjs.org/babel-plugin-apply-mdx-type-prop/-/babel-plugin-apply-mdx-type-prop-1.5.3.tgz",
+      "integrity": "sha512-9G+V0R8Jx56nHdEnWvRmSN//rFXMDiBZynu9JPuu3KVUhZhaJMgx5CTiXcdR2P//c85Q/IuwPbH0vIGrjdSq8A==",
+      "requires": {
+        "@babel/helper-plugin-utils": "7.0.0",
+        "@mdx-js/util": "^1.5.3"
+      }
+    },
+    "babel-plugin-dynamic-import-node": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-dynamic-import-node/-/babel-plugin-dynamic-import-node-2.3.0.tgz",
+      "integrity": "sha512-o6qFkpeQEBxcqt0XYlWzAVxNCSCZdUgcR8IRlhD/8DylxjjO4foPcvTW0GGKa/cVt3rvxZ7o5ippJ+/0nvLhlQ==",
+      "requires": {
+        "object.assign": "^4.1.0"
+      }
+    },
+    "babel-plugin-extract-import-names": {
+      "version": "1.5.3",
+      "resolved": "https://registry.npmjs.org/babel-plugin-extract-import-names/-/babel-plugin-extract-import-names-1.5.3.tgz",
+      "integrity": "sha512-UPgDHjNb4hr2xYRWO8C8JPX7GO+q3gluKd3pkcmVcd1gn9bdO7/yE5FKnYe1UkCPY7PhEUOpEzHCSuIy3GMpsQ==",
+      "requires": {
+        "@babel/helper-plugin-utils": "7.0.0"
+      }
+    },
+    "babel-plugin-import-glob-array": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-import-glob-array/-/babel-plugin-import-glob-array-0.2.0.tgz",
+      "integrity": "sha512-z7JhHOQ2hq4MBaNL9aAtDsilS12V01QNbhlZzPBIAkTymXmJhvkZVQIDvb6CJrfFN7wy9ScOTpwhv9RsvGSEWg==",
+      "requires": {
+        "glob": "^7.1.3",
+        "is-glob": "^4.0.0"
+      }
+    },
+    "babel-plugin-syntax-jsx": {
+      "version": "6.18.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-jsx/-/babel-plugin-syntax-jsx-6.18.0.tgz",
+      "integrity": "sha1-CvMqmm4Tyno/1QaeYtew9Y0NiUY="
+    },
+    "babel-plugin-syntax-trailing-function-commas": {
+      "version": "7.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-trailing-function-commas/-/babel-plugin-syntax-trailing-function-commas-7.0.0-beta.0.tgz",
+      "integrity": "sha512-Xj9XuRuz3nTSbaTXWv3itLOcxyF4oPD8douBBmj7U9BBC6nEBYfyOJYQMf/8PJAFotC62UY5dFfIGEPr7WswzQ=="
+    },
+    "babel-plugin-transform-define": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-define/-/babel-plugin-transform-define-2.0.0.tgz",
+      "integrity": "sha512-0dv5RNRUlUKxGYIIErl01lpvi8b7W2R04Qcl1mCj70ahwZcgiklfXnFlh4FGnRh6aayCfSZKdhiMryVzcq5Dmg==",
+      "requires": {
+        "lodash": "^4.17.11",
+        "traverse": "0.6.6"
+      }
+    },
+    "babel-plugin-transform-react-remove-prop-types": {
+      "version": "0.4.24",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-react-remove-prop-types/-/babel-plugin-transform-react-remove-prop-types-0.4.24.tgz",
+      "integrity": "sha512-eqj0hVcJUR57/Ug2zE1Yswsw4LhuqqHhD+8v120T1cl3kjg76QwtyBrdIk4WVwK+lAhBJVYCd/v+4nc4y+8JsA=="
+    },
+    "babel-preset-fbjs": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/babel-preset-fbjs/-/babel-preset-fbjs-3.3.0.tgz",
+      "integrity": "sha512-7QTLTCd2gwB2qGoi5epSULMHugSVgpcVt5YAeiFO9ABLrutDQzKfGwzxgZHLpugq8qMdg/DhRZDZ5CLKxBkEbw==",
+      "requires": {
+        "@babel/plugin-proposal-class-properties": "^7.0.0",
+        "@babel/plugin-proposal-object-rest-spread": "^7.0.0",
+        "@babel/plugin-syntax-class-properties": "^7.0.0",
+        "@babel/plugin-syntax-flow": "^7.0.0",
+        "@babel/plugin-syntax-jsx": "^7.0.0",
+        "@babel/plugin-syntax-object-rest-spread": "^7.0.0",
+        "@babel/plugin-transform-arrow-functions": "^7.0.0",
+        "@babel/plugin-transform-block-scoped-functions": "^7.0.0",
+        "@babel/plugin-transform-block-scoping": "^7.0.0",
+        "@babel/plugin-transform-classes": "^7.0.0",
+        "@babel/plugin-transform-computed-properties": "^7.0.0",
+        "@babel/plugin-transform-destructuring": "^7.0.0",
+        "@babel/plugin-transform-flow-strip-types": "^7.0.0",
+        "@babel/plugin-transform-for-of": "^7.0.0",
+        "@babel/plugin-transform-function-name": "^7.0.0",
+        "@babel/plugin-transform-literals": "^7.0.0",
+        "@babel/plugin-transform-member-expression-literals": "^7.0.0",
+        "@babel/plugin-transform-modules-commonjs": "^7.0.0",
+        "@babel/plugin-transform-object-super": "^7.0.0",
+        "@babel/plugin-transform-parameters": "^7.0.0",
+        "@babel/plugin-transform-property-literals": "^7.0.0",
+        "@babel/plugin-transform-react-display-name": "^7.0.0",
+        "@babel/plugin-transform-react-jsx": "^7.0.0",
+        "@babel/plugin-transform-shorthand-properties": "^7.0.0",
+        "@babel/plugin-transform-spread": "^7.0.0",
+        "@babel/plugin-transform-template-literals": "^7.0.0",
+        "babel-plugin-syntax-trailing-function-commas": "^7.0.0-beta.0"
+      }
+    },
+    "babel-runtime": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
+      "integrity": "sha1-llxwWGaOgrVde/4E/yM3vItWR/4=",
+      "requires": {
+        "core-js": "^2.4.0",
+        "regenerator-runtime": "^0.11.0"
+      },
+      "dependencies": {
+        "regenerator-runtime": {
+          "version": "0.11.1",
+          "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz",
+          "integrity": "sha512-MguG95oij0fC3QV3URf4V2SDYGJhJnJGqvIIgdECeODCT98wSWDAJ94SSuVpYQUoTcGUIL6L4yNB7j1DFFHSBg=="
+        }
+      }
+    },
+    "babel-types": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-types/-/babel-types-6.26.0.tgz",
+      "integrity": "sha1-o7Bz+Uq0nrb6Vc1lInozQ4BjJJc=",
+      "requires": {
+        "babel-runtime": "^6.26.0",
+        "esutils": "^2.0.2",
+        "lodash": "^4.17.4",
+        "to-fast-properties": "^1.0.3"
+      },
+      "dependencies": {
+        "to-fast-properties": {
+          "version": "1.0.3",
+          "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-1.0.3.tgz",
+          "integrity": "sha1-uDVx+k2MJbguIxsG46MFXeTKGkc="
+        }
+      }
+    },
+    "bail": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/bail/-/bail-1.0.4.tgz",
+      "integrity": "sha512-S8vuDB4w6YpRhICUDET3guPlQpaJl7od94tpZ0Fvnyp+MKW/HyDTcRDck+29C9g+d/qQHnddRH3+94kZdrW0Ww=="
+    },
+    "balanced-match": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
+      "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c="
+    },
+    "base": {
+      "version": "0.11.2",
+      "resolved": "https://registry.npmjs.org/base/-/base-0.11.2.tgz",
+      "integrity": "sha512-5T6P4xPgpp0YDFvSWwEZ4NoE3aM4QBQXDzmVbraCkFj8zHM+mba8SyqB5DbZWyR7mYHo6Y7BdQo3MoA4m0TeQg==",
+      "requires": {
+        "cache-base": "^1.0.1",
+        "class-utils": "^0.3.5",
+        "component-emitter": "^1.2.1",
+        "define-property": "^1.0.0",
+        "isobject": "^3.0.1",
+        "mixin-deep": "^1.2.0",
+        "pascalcase": "^0.1.1"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz",
+          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+          "requires": {
+            "is-descriptor": "^1.0.0"
+          }
+        },
+        "is-accessor-descriptor": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz",
+          "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
+          "requires": {
+            "kind-of": "^6.0.0"
+          }
+        },
+        "is-data-descriptor": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz",
+          "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
+          "requires": {
+            "kind-of": "^6.0.0"
+          }
+        },
+        "is-descriptor": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz",
+          "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
+          "requires": {
+            "is-accessor-descriptor": "^1.0.0",
+            "is-data-descriptor": "^1.0.0",
+            "kind-of": "^6.0.2"
+          }
+        }
+      }
+    },
+    "base64-js": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.3.1.tgz",
+      "integrity": "sha512-mLQ4i2QO1ytvGWFWmcngKO//JXAQueZvwEKtjgQFM4jIK0kU+ytMfplL8j+n5mspOfjHwoAg+9yhb7BwAHm36g=="
+    },
+    "bfj": {
+      "version": "6.1.2",
+      "resolved": "https://registry.npmjs.org/bfj/-/bfj-6.1.2.tgz",
+      "integrity": "sha512-BmBJa4Lip6BPRINSZ0BPEIfB1wUY/9rwbwvIHQA1KjX9om29B6id0wnWXq7m3bn5JrUVjeOTnVuhPT1FiHwPGw==",
+      "requires": {
+        "bluebird": "^3.5.5",
+        "check-types": "^8.0.3",
+        "hoopy": "^0.1.4",
+        "tryer": "^1.0.1"
+      }
+    },
+    "big.js": {
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/big.js/-/big.js-5.2.2.tgz",
+      "integrity": "sha512-vyL2OymJxmarO8gxMr0mhChsO9QGwhynfuu4+MHTAW6czfq9humCB7rKpUjDd9YUiDPU4mzpyupFSvOClAwbmQ=="
+    },
+    "bin-build": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/bin-build/-/bin-build-3.0.0.tgz",
+      "integrity": "sha512-jcUOof71/TNAI2uM5uoUaDq2ePcVBQ3R/qhxAz1rX7UfvduAL/RXD3jXzvn8cVcDJdGVkiR1shal3OH0ImpuhA==",
+      "requires": {
+        "decompress": "^4.0.0",
+        "download": "^6.2.2",
+        "execa": "^0.7.0",
+        "p-map-series": "^1.0.0",
+        "tempfile": "^2.0.0"
+      }
+    },
+    "bin-check": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/bin-check/-/bin-check-4.1.0.tgz",
+      "integrity": "sha512-b6weQyEUKsDGFlACWSIOfveEnImkJyK/FGW6FAG42loyoquvjdtOIqO6yBFzHyqyVVhNgNkQxxx09SFLK28YnA==",
+      "requires": {
+        "execa": "^0.7.0",
+        "executable": "^4.1.0"
+      }
+    },
+    "bin-version": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/bin-version/-/bin-version-3.1.0.tgz",
+      "integrity": "sha512-Mkfm4iE1VFt4xd4vH+gx+0/71esbfus2LsnCGe8Pi4mndSPyT+NGES/Eg99jx8/lUGWfu3z2yuB/bt5UB+iVbQ==",
+      "requires": {
+        "execa": "^1.0.0",
+        "find-versions": "^3.0.0"
+      },
+      "dependencies": {
+        "cross-spawn": {
+          "version": "6.0.5",
+          "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz",
+          "integrity": "sha512-eTVLrBSt7fjbDygz805pMnstIs2VTBNkRm0qxZd+M7A5XDdxVRWO5MxGBXZhjY4cqLYLdtrGqRf8mBPmzwSpWQ==",
+          "requires": {
+            "nice-try": "^1.0.4",
+            "path-key": "^2.0.1",
+            "semver": "^5.5.0",
+            "shebang-command": "^1.2.0",
+            "which": "^1.2.9"
+          }
+        },
+        "execa": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/execa/-/execa-1.0.0.tgz",
+          "integrity": "sha512-adbxcyWV46qiHyvSp50TKt05tB4tK3HcmF7/nxfAdhnox83seTDbwnaqKO4sXRy7roHAIFqJP/Rw/AuEbX61LA==",
+          "requires": {
+            "cross-spawn": "^6.0.0",
+            "get-stream": "^4.0.0",
+            "is-stream": "^1.1.0",
+            "npm-run-path": "^2.0.0",
+            "p-finally": "^1.0.0",
+            "signal-exit": "^3.0.0",
+            "strip-eof": "^1.0.0"
+          }
+        },
+        "get-stream": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-4.1.0.tgz",
+          "integrity": "sha512-GMat4EJ5161kIy2HevLlr4luNjBgvmj413KaQA7jt4V8B4RDsfpHk7WQ9GVqfYyyx8OS/L66Kox+rJRNklLK7w==",
+          "requires": {
+            "pump": "^3.0.0"
+          }
+        }
+      }
+    },
+    "bin-version-check": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/bin-version-check/-/bin-version-check-4.0.0.tgz",
+      "integrity": "sha512-sR631OrhC+1f8Cvs8WyVWOA33Y8tgwjETNPyyD/myRBXLkfS/vl74FmH/lFcRl9KY3zwGh7jFhvyk9vV3/3ilQ==",
+      "requires": {
+        "bin-version": "^3.0.0",
+        "semver": "^5.6.0",
+        "semver-truncate": "^1.1.2"
+      }
+    },
+    "bin-wrapper": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/bin-wrapper/-/bin-wrapper-4.1.0.tgz",
+      "integrity": "sha512-hfRmo7hWIXPkbpi0ZltboCMVrU+0ClXR/JgbCKKjlDjQf6igXa7OwdqNcFWQZPZTgiY7ZpzE3+LjjkLiTN2T7Q==",
+      "requires": {
+        "bin-check": "^4.1.0",
+        "bin-version-check": "^4.0.0",
+        "download": "^7.1.0",
+        "import-lazy": "^3.1.0",
+        "os-filter-obj": "^2.0.0",
+        "pify": "^4.0.1"
+      },
+      "dependencies": {
+        "@sindresorhus/is": {
+          "version": "0.7.0",
+          "resolved": "https://registry.npmjs.org/@sindresorhus/is/-/is-0.7.0.tgz",
+          "integrity": "sha512-ONhaKPIufzzrlNbqtWFFd+jlnemX6lJAgq9ZeiZtS7I1PIf/la7CW4m83rTXRnVnsMbW2k56pGYu7AUFJD9Pow=="
+        },
+        "cacheable-request": {
+          "version": "2.1.4",
+          "resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-2.1.4.tgz",
+          "integrity": "sha1-DYCIAbY0KtM8kd+dC0TcCbkeXD0=",
+          "requires": {
+            "clone-response": "1.0.2",
+            "get-stream": "3.0.0",
+            "http-cache-semantics": "3.8.1",
+            "keyv": "3.0.0",
+            "lowercase-keys": "1.0.0",
+            "normalize-url": "2.0.1",
+            "responselike": "1.0.2"
+          },
+          "dependencies": {
+            "lowercase-keys": {
+              "version": "1.0.0",
+              "resolved": "https://registry.npmjs.org/lowercase-keys/-/lowercase-keys-1.0.0.tgz",
+              "integrity": "sha1-TjNms55/VFfjXxMkvfb4jQv8cwY="
+            }
+          }
+        },
+        "download": {
+          "version": "7.1.0",
+          "resolved": "https://registry.npmjs.org/download/-/download-7.1.0.tgz",
+          "integrity": "sha512-xqnBTVd/E+GxJVrX5/eUJiLYjCGPwMpdL+jGhGU57BvtcA7wwhtHVbXBeUk51kOpW3S7Jn3BQbN9Q1R1Km2qDQ==",
+          "requires": {
+            "archive-type": "^4.0.0",
+            "caw": "^2.0.1",
+            "content-disposition": "^0.5.2",
+            "decompress": "^4.2.0",
+            "ext-name": "^5.0.0",
+            "file-type": "^8.1.0",
+            "filenamify": "^2.0.0",
+            "get-stream": "^3.0.0",
+            "got": "^8.3.1",
+            "make-dir": "^1.2.0",
+            "p-event": "^2.1.0",
+            "pify": "^3.0.0"
+          },
+          "dependencies": {
+            "pify": {
+              "version": "3.0.0",
+              "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+              "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+            }
+          }
+        },
+        "file-type": {
+          "version": "8.1.0",
+          "resolved": "https://registry.npmjs.org/file-type/-/file-type-8.1.0.tgz",
+          "integrity": "sha512-qyQ0pzAy78gVoJsmYeNgl8uH8yKhr1lVhW7JbzJmnlRi0I4R2eEDEJZVKG8agpDnLpacwNbDhLNG/LMdxHD2YQ=="
+        },
+        "got": {
+          "version": "8.3.2",
+          "resolved": "https://registry.npmjs.org/got/-/got-8.3.2.tgz",
+          "integrity": "sha512-qjUJ5U/hawxosMryILofZCkm3C84PLJS/0grRIpjAwu+Lkxxj5cxeCU25BG0/3mDSpXKTyZr8oh8wIgLaH0QCw==",
+          "requires": {
+            "@sindresorhus/is": "^0.7.0",
+            "cacheable-request": "^2.1.1",
+            "decompress-response": "^3.3.0",
+            "duplexer3": "^0.1.4",
+            "get-stream": "^3.0.0",
+            "into-stream": "^3.1.0",
+            "is-retry-allowed": "^1.1.0",
+            "isurl": "^1.0.0-alpha5",
+            "lowercase-keys": "^1.0.0",
+            "mimic-response": "^1.0.0",
+            "p-cancelable": "^0.4.0",
+            "p-timeout": "^2.0.1",
+            "pify": "^3.0.0",
+            "safe-buffer": "^5.1.1",
+            "timed-out": "^4.0.1",
+            "url-parse-lax": "^3.0.0",
+            "url-to-options": "^1.0.1"
+          },
+          "dependencies": {
+            "pify": {
+              "version": "3.0.0",
+              "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+              "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+            }
+          }
+        },
+        "http-cache-semantics": {
+          "version": "3.8.1",
+          "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz",
+          "integrity": "sha512-5ai2iksyV8ZXmnZhHH4rWPoxxistEexSi5936zIQ1bnNTW5VnA85B6P/VpXiRM017IgRvb2kKo1a//y+0wSp3w=="
+        },
+        "is-plain-obj": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-1.1.0.tgz",
+          "integrity": "sha1-caUMhCnfync8kqOQpKA7OfzVHT4="
+        },
+        "keyv": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/keyv/-/keyv-3.0.0.tgz",
+          "integrity": "sha512-eguHnq22OE3uVoSYG0LVWNP+4ppamWr9+zWBe1bsNcovIMy6huUJFPgy4mGwCd/rnl3vOLGW1MTlu4c57CT1xA==",
+          "requires": {
+            "json-buffer": "3.0.0"
+          }
+        },
+        "normalize-url": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz",
+          "integrity": "sha512-D6MUW4K/VzoJ4rJ01JFKxDrtY1v9wrgzCX5f2qj/lzH1m/lW6MhUZFKerVsnyjOhOsYzI9Kqqak+10l4LvLpMw==",
+          "requires": {
+            "prepend-http": "^2.0.0",
+            "query-string": "^5.0.1",
+            "sort-keys": "^2.0.0"
+          }
+        },
+        "p-cancelable": {
+          "version": "0.4.1",
+          "resolved": "https://registry.npmjs.org/p-cancelable/-/p-cancelable-0.4.1.tgz",
+          "integrity": "sha512-HNa1A8LvB1kie7cERyy21VNeHb2CWJJYqyyC2o3klWFfMGlFmWv2Z7sFgZH8ZiaYL95ydToKTFVXgMV/Os0bBQ=="
+        },
+        "p-event": {
+          "version": "2.3.1",
+          "resolved": "https://registry.npmjs.org/p-event/-/p-event-2.3.1.tgz",
+          "integrity": "sha512-NQCqOFhbpVTMX4qMe8PF8lbGtzZ+LCiN7pcNrb/413Na7+TRoe1xkKUzuWa/YEJdGQ0FvKtj35EEbDoVPO2kbA==",
+          "requires": {
+            "p-timeout": "^2.0.1"
+          }
+        },
+        "p-timeout": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/p-timeout/-/p-timeout-2.0.1.tgz",
+          "integrity": "sha512-88em58dDVB/KzPEx1X0N3LwFfYZPyDc4B6eF38M1rk9VTZMbxXXgjugz8mmwpS9Ox4BDZ+t6t3QP5+/gazweIA==",
+          "requires": {
+            "p-finally": "^1.0.0"
+          }
+        },
+        "pify": {
+          "version": "4.0.1",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
+          "integrity": "sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g=="
+        },
+        "sort-keys": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/sort-keys/-/sort-keys-2.0.0.tgz",
+          "integrity": "sha1-ZYU1WEhh7JfXMNbPQYIuH1ZoQSg=",
+          "requires": {
+            "is-plain-obj": "^1.0.0"
+          }
+        }
+      }
+    },
+    "binary-extensions": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.0.0.tgz",
+      "integrity": "sha512-Phlt0plgpIIBOGTT/ehfFnbNlfsDEiqmzE2KRXoX1bLIlir4X/MR+zSyBEkL05ffWgnRSf/DXv+WrUAVr93/ow=="
+    },
+    "bindings": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz",
+      "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==",
+      "optional": true,
+      "requires": {
+        "file-uri-to-path": "1.0.0"
+      }
+    },
+    "bl": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-1.2.2.tgz",
+      "integrity": "sha512-e8tQYnZodmebYDWGH7KMRvtzKXaJHx3BbilrgZCfvyLUYdKpK1t5PSPmpkny/SgiTSCnjfLW7v5rlONXVFkQEA==",
+      "requires": {
+        "readable-stream": "^2.3.5",
+        "safe-buffer": "^5.1.1"
+      }
+    },
+    "bluebird": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz",
+      "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg=="
+    },
+    "bn.js": {
+      "version": "4.11.8",
+      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.8.tgz",
+      "integrity": "sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA=="
+    },
+    "body-parser": {
+      "version": "1.19.0",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz",
+      "integrity": "sha512-dhEPs72UPbDnAQJ9ZKMNTP6ptJaionhP5cBb541nXPlW60Jepo9RV/a4fX4XWW9CuFNK22krhrj1+rgzifNCsw==",
+      "requires": {
+        "bytes": "3.1.0",
+        "content-type": "~1.0.4",
+        "debug": "2.6.9",
+        "depd": "~1.1.2",
+        "http-errors": "1.7.2",
+        "iconv-lite": "0.4.24",
+        "on-finished": "~2.3.0",
+        "qs": "6.7.0",
+        "raw-body": "2.4.0",
+        "type-is": "~1.6.17"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "ms": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+        }
+      }
+    },
+    "boolbase": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/boolbase/-/boolbase-1.0.0.tgz",
+      "integrity": "sha1-aN/1++YMUes3cl6p4+0xDcwed24="
+    },
+    "brace-expansion": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+      "requires": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "braces": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-2.3.2.tgz",
+      "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==",
+      "requires": {
+        "arr-flatten": "^1.1.0",
+        "array-unique": "^0.3.2",
+        "extend-shallow": "^2.0.1",
+        "fill-range": "^4.0.0",
+        "isobject": "^3.0.1",
+        "repeat-element": "^1.1.2",
+        "snapdragon": "^0.8.1",
+        "snapdragon-node": "^2.0.1",
+        "split-string": "^3.0.2",
+        "to-regex": "^3.0.1"
+      },
+      "dependencies": {
+        "extend-shallow": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
+          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+          "requires": {
+            "is-extendable": "^0.1.0"
+          }
+        }
+      }
+    },
+    "brorand": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/brorand/-/brorand-1.1.0.tgz",
+      "integrity": "sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8="
+    },
+    "browserify-aes": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/browserify-aes/-/browserify-aes-1.2.0.tgz",
+      "integrity": "sha512-+7CHXqGuspUn/Sl5aO7Ea0xWGAtETPXNSAjHo48JfLdPWcMng33Xe4znFvQweqc/uzk5zSOI3H52CYnjCfb5hA==",
+      "requires": {
+        "buffer-xor": "^1.0.3",
+        "cipher-base": "^1.0.0",
+        "create-hash": "^1.1.0",
+        "evp_bytestokey": "^1.0.3",
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "browserify-cipher": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/browserify-cipher/-/browserify-cipher-1.0.1.tgz",
+      "integrity": "sha512-sPhkz0ARKbf4rRQt2hTpAHqn47X3llLkUGn+xEJzLjwY8LRs2p0v7ljvI5EyoRO/mexrNunNECisZs+gw2zz1w==",
+      "requires": {
+        "browserify-aes": "^1.0.4",
+        "browserify-des": "^1.0.0",
+        "evp_bytestokey": "^1.0.0"
+      }
+    },
+    "browserify-des": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/browserify-des/-/browserify-des-1.0.2.tgz",
+      "integrity": "sha512-BioO1xf3hFwz4kc6iBhI3ieDFompMhrMlnDFC4/0/vd5MokpuAc3R+LYbwTA9A5Yc9pq9UYPqffKpW2ObuwX5A==",
+      "requires": {
+        "cipher-base": "^1.0.1",
+        "des.js": "^1.0.0",
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.1.2"
+      }
+    },
+    "browserify-rsa": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/browserify-rsa/-/browserify-rsa-4.0.1.tgz",
+      "integrity": "sha1-IeCr+vbyApzy+vsTNWenAdQTVSQ=",
+      "requires": {
+        "bn.js": "^4.1.0",
+        "randombytes": "^2.0.1"
+      }
+    },
+    "browserify-sign": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz",
+      "integrity": "sha1-qk62jl17ZYuqa/alfmMMvXqT0pg=",
+      "requires": {
+        "bn.js": "^4.1.1",
+        "browserify-rsa": "^4.0.0",
+        "create-hash": "^1.1.0",
+        "create-hmac": "^1.1.2",
+        "elliptic": "^6.0.0",
+        "inherits": "^2.0.1",
+        "parse-asn1": "^5.0.0"
+      }
+    },
+    "browserify-zlib": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/browserify-zlib/-/browserify-zlib-0.2.0.tgz",
+      "integrity": "sha512-Z942RysHXmJrhqk88FmKBVq/v5tqmSkDz7p54G/MGyjMnCFFnC79XWNbg+Vta8W6Wb2qtSZTSxIGkJrRpCFEiA==",
+      "requires": {
+        "pako": "~1.0.5"
+      }
+    },
+    "browserslist": {
+      "version": "4.8.2",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.8.2.tgz",
+      "integrity": "sha512-+M4oeaTplPm/f1pXDw84YohEv7B1i/2Aisei8s4s6k3QsoSHa7i5sz8u/cGQkkatCPxMASKxPualR4wwYgVboA==",
+      "requires": {
+        "caniuse-lite": "^1.0.30001015",
+        "electron-to-chromium": "^1.3.322",
+        "node-releases": "^1.1.42"
+      }
+    },
+    "bser": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/bser/-/bser-2.1.1.tgz",
+      "integrity": "sha512-gQxTNE/GAfIIrmHLUE3oJyp5FO6HRBfhjnw4/wMmA63ZGDJnWBmgY/lyQBpnDUkGmAhbSe39tx2d/iTOAfglwQ==",
+      "requires": {
+        "node-int64": "^0.4.0"
+      }
+    },
+    "buffer": {
+      "version": "5.4.3",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.4.3.tgz",
+      "integrity": "sha512-zvj65TkFeIt3i6aj5bIvJDzjjQQGs4o/sNoezg1F1kYap9Nu2jcUdpwzRSJTHMMzG0H7bZkn4rNQpImhuxWX2A==",
+      "requires": {
+        "base64-js": "^1.0.2",
+        "ieee754": "^1.1.4"
+      }
+    },
+    "buffer-alloc": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/buffer-alloc/-/buffer-alloc-1.2.0.tgz",
+      "integrity": "sha512-CFsHQgjtW1UChdXgbyJGtnm+O/uLQeZdtbDo8mfUgYXCHSM1wgrVxXm6bSyrUuErEb+4sYVGCzASBRot7zyrow==",
+      "requires": {
+        "buffer-alloc-unsafe": "^1.1.0",
+        "buffer-fill": "^1.0.0"
+      }
+    },
+    "buffer-alloc-unsafe": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/buffer-alloc-unsafe/-/buffer-alloc-unsafe-1.1.0.tgz",
+      "integrity": "sha512-TEM2iMIEQdJ2yjPJoSIsldnleVaAk1oW3DBVUykyOLsEsFmEc9kn+SFFPz+gl54KQNxlDnAwCXosOS9Okx2xAg=="
+    },
+    "buffer-crc32": {
+      "version": "0.2.13",
+      "resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz",
+      "integrity": "sha1-DTM+PwDqxQqhRUq9MO+MKl2ackI="
+    },
+    "buffer-fill": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/buffer-fill/-/buffer-fill-1.0.0.tgz",
+      "integrity": "sha1-+PeLdniYiO858gXNY39o5wISKyw="
+    },
+    "buffer-from": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz",
+      "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A=="
+    },
+    "buffer-json": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/buffer-json/-/buffer-json-2.0.0.tgz",
+      "integrity": "sha512-+jjPFVqyfF1esi9fvfUs3NqM0pH1ziZ36VP4hmA/y/Ssfo/5w5xHKfTw9BwQjoJ1w/oVtpLomqwUHKdefGyuHw=="
+    },
+    "buffer-xor": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/buffer-xor/-/buffer-xor-1.0.3.tgz",
+      "integrity": "sha1-JuYe0UIvtw3ULm42cp7VHYVf6Nk="
+    },
+    "builtin-status-codes": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz",
+      "integrity": "sha1-hZgoeOIbmOHGZCXgPQF0eI9Wnug="
+    },
+    "byline": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/byline/-/byline-5.0.0.tgz",
+      "integrity": "sha1-dBxSFkaOrcRXsDQQEYrXfejB3bE="
+    },
+    "bytes": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.0.tgz",
+      "integrity": "sha512-zauLjrfCG+xvoyaqLoV8bLVXXNGC4JqlxFCutSDWA6fJrTo2ZuvLYTqZ7aHBLZSMOopbzwv8f+wZcVzfVTI2Dg=="
+    },
+    "cacache": {
+      "version": "12.0.3",
+      "resolved": "https://registry.npmjs.org/cacache/-/cacache-12.0.3.tgz",
+      "integrity": "sha512-kqdmfXEGFepesTuROHMs3MpFLWrPkSSpRqOw80RCflZXy/khxaArvFrQ7uJxSUduzAufc6G0g1VUCOZXxWavPw==",
+      "requires": {
+        "bluebird": "^3.5.5",
+        "chownr": "^1.1.1",
+        "figgy-pudding": "^3.5.1",
+        "glob": "^7.1.4",
+        "graceful-fs": "^4.1.15",
+        "infer-owner": "^1.0.3",
+        "lru-cache": "^5.1.1",
+        "mississippi": "^3.0.0",
+        "mkdirp": "^0.5.1",
+        "move-concurrently": "^1.0.1",
+        "promise-inflight": "^1.0.1",
+        "rimraf": "^2.6.3",
+        "ssri": "^6.0.1",
+        "unique-filename": "^1.1.1",
+        "y18n": "^4.0.0"
+      },
+      "dependencies": {
+        "lru-cache": {
+          "version": "5.1.1",
+          "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
+          "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==",
+          "requires": {
+            "yallist": "^3.0.2"
+          }
+        },
+        "yallist": {
+          "version": "3.1.1",
+          "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
+          "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="
+        }
+      }
+    },
+    "cache-base": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz",
+      "integrity": "sha512-AKcdTnFSWATd5/GCPRxr2ChwIJ85CeyrEyjRHlKxQ56d4XJMGym0uAiKn0xbLOGOl3+yRpOTi484dVCEc5AUzQ==",
+      "requires": {
+        "collection-visit": "^1.0.0",
+        "component-emitter": "^1.2.1",
+        "get-value": "^2.0.6",
+        "has-value": "^1.0.0",
+        "isobject": "^3.0.1",
+        "set-value": "^2.0.0",
+        "to-object-path": "^0.3.0",
+        "union-value": "^1.0.0",
+        "unset-value": "^1.0.0"
+      }
+    },
+    "cache-loader": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/cache-loader/-/cache-loader-4.1.0.tgz",
+      "integrity": "sha512-ftOayxve0PwKzBF/GLsZNC9fJBXl8lkZE3TOsjkboHfVHVkL39iUEs1FO07A33mizmci5Dudt38UZrrYXDtbhw==",
+      "requires": {
+        "buffer-json": "^2.0.0",
+        "find-cache-dir": "^3.0.0",
+        "loader-utils": "^1.2.3",
+        "mkdirp": "^0.5.1",
+        "neo-async": "^2.6.1",
+        "schema-utils": "^2.0.0"
+      },
+      "dependencies": {
+        "find-cache-dir": {
+          "version": "3.2.0",
+          "resolved": "https://registry.npmjs.org/find-cache-dir/-/find-cache-dir-3.2.0.tgz",
+          "integrity": "sha512-1JKclkYYsf1q9WIJKLZa9S9muC+08RIjzAlLrK4QcYLJMS6mk9yombQ9qf+zJ7H9LS800k0s44L4sDq9VYzqyg==",
+          "requires": {
+            "commondir": "^1.0.1",
+            "make-dir": "^3.0.0",
+            "pkg-dir": "^4.1.0"
+          }
+        },
+        "make-dir": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-3.0.0.tgz",
+          "integrity": "sha512-grNJDhb8b1Jm1qeqW5R/O63wUo4UXo2v2HMic6YT9i/HBlF93S8jkMgH7yugvY9ABDShH4VZMn8I+U8+fCNegw==",
+          "requires": {
+            "semver": "^6.0.0"
+          }
+        },
+        "schema-utils": {
+          "version": "2.6.4",
+          "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-2.6.4.tgz",
+          "integrity": "sha512-VNjcaUxVnEeun6B2fiiUDjXXBtD4ZSH7pdbfIu1pOFwgptDPLMo/z9jr4sUfsjFVPqDCEin/F7IYlq7/E6yDbQ==",
+          "requires": {
+            "ajv": "^6.10.2",
+            "ajv-keywords": "^3.4.1"
+          }
+        },
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+        }
+      }
+    },
+    "cacheable-request": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-6.1.0.tgz",
+      "integrity": "sha512-Oj3cAGPCqOZX7Rz64Uny2GYAZNliQSqfbePrgAQ1wKAihYmCUnraBtJtKcGR4xz7wF+LoJC+ssFZvv5BgF9Igg==",
+      "requires": {
+        "clone-response": "^1.0.2",
+        "get-stream": "^5.1.0",
+        "http-cache-semantics": "^4.0.0",
+        "keyv": "^3.0.0",
+        "lowercase-keys": "^2.0.0",
+        "normalize-url": "^4.1.0",
+        "responselike": "^1.0.2"
+      },
+      "dependencies": {
+        "get-stream": {
+          "version": "5.1.0",
+          "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-5.1.0.tgz",
+          "integrity": "sha512-EXr1FOzrzTfGeL0gQdeFEvOMm2mzMOglyiOXSTpPC+iAjAKftbr3jpCMWynogwYnM+eSj9sHGc6wjIcDvYiygw==",
+          "requires": {
+            "pump": "^3.0.0"
+          }
+        },
+        "lowercase-keys": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/lowercase-keys/-/lowercase-keys-2.0.0.tgz",
+          "integrity": "sha512-tqNXrS78oMOE73NMxK4EMLQsQowWf8jKooH9g7xPavRT706R6bkQJ6DY2Te7QukaZsulxa30wQ7bk0pm4XiHmA=="
+        }
+      }
+    },
+    "call-me-maybe": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/call-me-maybe/-/call-me-maybe-1.0.1.tgz",
+      "integrity": "sha1-JtII6onje1y95gJQoV8DHBak1ms="
+    },
+    "caller-callsite": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/caller-callsite/-/caller-callsite-2.0.0.tgz",
+      "integrity": "sha1-hH4PzgoiN1CpoCfFSzNzGtMVQTQ=",
+      "requires": {
+        "callsites": "^2.0.0"
+      }
+    },
+    "caller-path": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/caller-path/-/caller-path-2.0.0.tgz",
+      "integrity": "sha1-Ro+DBE42mrIBD6xfBs7uFbsssfQ=",
+      "requires": {
+        "caller-callsite": "^2.0.0"
+      }
+    },
+    "callsites": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/callsites/-/callsites-2.0.0.tgz",
+      "integrity": "sha1-BuuE8A7qQT2oav/vrL/7Ngk7PFA="
+    },
+    "camel-case": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/camel-case/-/camel-case-4.1.1.tgz",
+      "integrity": "sha512-7fa2WcG4fYFkclIvEmxBbTvmibwF2/agfEBc6q3lOpVu0A13ltLsA+Hr/8Hp6kp5f+G7hKi6t8lys6XxP+1K6Q==",
+      "requires": {
+        "pascal-case": "^3.1.1",
+        "tslib": "^1.10.0"
+      }
+    },
+    "camelcase": {
+      "version": "5.3.1",
+      "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz",
+      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg=="
+    },
+    "camelcase-css": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/camelcase-css/-/camelcase-css-2.0.1.tgz",
+      "integrity": "sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA=="
+    },
+    "camelcase-keys": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/camelcase-keys/-/camelcase-keys-2.1.0.tgz",
+      "integrity": "sha1-MIvur/3ygRkFHvodkyITyRuPkuc=",
+      "requires": {
+        "camelcase": "^2.0.0",
+        "map-obj": "^1.0.0"
+      },
+      "dependencies": {
+        "camelcase": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-2.1.1.tgz",
+          "integrity": "sha1-fB0W1nmhu+WcoCys7PsBHiAfWh8="
+        }
+      }
+    },
+    "caniuse-lite": {
+      "version": "1.0.30001015",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001015.tgz",
+      "integrity": "sha512-/xL2AbW/XWHNu1gnIrO8UitBGoFthcsDgU9VLK1/dpsoxbaD5LscHozKze05R6WLsBvLhqv78dAPozMFQBYLbQ=="
+    },
+    "caw": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/caw/-/caw-2.0.1.tgz",
+      "integrity": "sha512-Cg8/ZSBEa8ZVY9HspcGUYaK63d/bN7rqS3CYCzEGUxuYv6UlmcjzDUz2fCFFHyTvUW5Pk0I+3hkA3iXlIj6guA==",
+      "requires": {
+        "get-proxy": "^2.0.0",
+        "isurl": "^1.0.0-alpha5",
+        "tunnel-agent": "^0.6.0",
+        "url-to-options": "^1.0.1"
+      }
+    },
+    "ccount": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/ccount/-/ccount-1.0.4.tgz",
+      "integrity": "sha512-fpZ81yYfzentuieinmGnphk0pLkOTMm6MZdVqwd77ROvhko6iujLNGrHH5E7utq3ygWklwfmwuG+A7P+NpqT6w=="
+    },
+    "chalk": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-3.0.0.tgz",
+      "integrity": "sha512-4D3B6Wf41KOYRFdszmDqMCGq5VV/uMAB273JILmO+3jAlh8X4qDtdtgCR3fxtbLEMzSx22QdhnDcJvu2u1fVwg==",
+      "requires": {
+        "ansi-styles": "^4.1.0",
+        "supports-color": "^7.1.0"
+      },
+      "dependencies": {
+        "ansi-styles": {
+          "version": "4.2.1",
+          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.2.1.tgz",
+          "integrity": "sha512-9VGjrMsG1vePxcSweQsN20KY/c4zN0h9fLjqAbwbPfahM3t+NL+M9HC8xeXG2I8pX5NoamTGNuomEUFI7fcUjA==",
+          "requires": {
+            "@types/color-name": "^1.1.1",
+            "color-convert": "^2.0.1"
+          }
+        },
+        "color-convert": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+          "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+          "requires": {
+            "color-name": "~1.1.4"
+          }
+        },
+        "color-name": {
+          "version": "1.1.4",
+          "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+          "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
+        },
+        "has-flag": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
+          "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ=="
+        },
+        "supports-color": {
+          "version": "7.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.1.0.tgz",
+          "integrity": "sha512-oRSIpR8pxT1Wr2FquTNnGet79b3BWljqOuoW/h4oBhxJ/HUbX5nX6JSruTkvXDCFMwDPvsaTTbvMLKZWSy0R5g==",
+          "requires": {
+            "has-flag": "^4.0.0"
+          }
+        }
+      }
+    },
+    "character-entities": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/character-entities/-/character-entities-1.2.3.tgz",
+      "integrity": "sha512-yB4oYSAa9yLcGyTbB4ItFwHw43QHdH129IJ5R+WvxOkWlyFnR5FAaBNnUq4mcxsTVZGh28bHoeTHMKXH1wZf3w=="
+    },
+    "character-entities-html4": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/character-entities-html4/-/character-entities-html4-1.1.3.tgz",
+      "integrity": "sha512-SwnyZ7jQBCRHELk9zf2CN5AnGEc2nA+uKMZLHvcqhpPprjkYhiLn0DywMHgN5ttFZuITMATbh68M6VIVKwJbcg=="
+    },
+    "character-entities-legacy": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/character-entities-legacy/-/character-entities-legacy-1.1.3.tgz",
+      "integrity": "sha512-YAxUpPoPwxYFsslbdKkhrGnXAtXoHNgYjlBM3WMXkWGTl5RsY3QmOyhwAgL8Nxm9l5LBThXGawxKPn68y6/fww=="
+    },
+    "character-reference-invalid": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/character-reference-invalid/-/character-reference-invalid-1.1.3.tgz",
+      "integrity": "sha512-VOq6PRzQBam/8Jm6XBGk2fNEnHXAdGd6go0rtd4weAGECBamHDwwCQSOT12TACIYUZegUXnV6xBXqUssijtxIg=="
+    },
+    "chardet": {
+      "version": "0.7.0",
+      "resolved": "https://registry.npmjs.org/chardet/-/chardet-0.7.0.tgz",
+      "integrity": "sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA=="
+    },
+    "charenc": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/charenc/-/charenc-0.0.2.tgz",
+      "integrity": "sha1-wKHS86cJLgN3S/qD8UwPxXkKhmc="
+    },
+    "check-types": {
+      "version": "8.0.3",
+      "resolved": "https://registry.npmjs.org/check-types/-/check-types-8.0.3.tgz",
+      "integrity": "sha512-YpeKZngUmG65rLudJ4taU7VLkOCTMhNl/u4ctNC56LQS/zJTyNH0Lrtwm1tfTsbLlwvlfsA2d1c8vCf/Kh2KwQ=="
+    },
+    "chokidar": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.3.1.tgz",
+      "integrity": "sha512-4QYCEWOcK3OJrxwvyyAOxFuhpvOVCYkr33LPfFNBjAD/w3sEzWsp2BUOkI4l9bHvWioAd0rc6NlHUOEaWkTeqg==",
+      "requires": {
+        "anymatch": "~3.1.1",
+        "braces": "~3.0.2",
+        "fsevents": "~2.1.2",
+        "glob-parent": "~5.1.0",
+        "is-binary-path": "~2.1.0",
+        "is-glob": "~4.0.1",
+        "normalize-path": "~3.0.0",
+        "readdirp": "~3.3.0"
+      },
+      "dependencies": {
+        "braces": {
+          "version": "3.0.2",
+          "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
+          "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+          "requires": {
+            "fill-range": "^7.0.1"
+          }
+        },
+        "fill-range": {
+          "version": "7.0.1",
+          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
+          "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+          "requires": {
+            "to-regex-range": "^5.0.1"
+          }
+        },
+        "glob-parent": {
+          "version": "5.1.0",
+          "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz",
+          "integrity": "sha512-qjtRgnIVmOfnKUE3NJAQEdk+lKrxfw8t5ke7SXtfMTHcjsBfOfWXCQfdb30zfDoZQ2IRSIiidmjtbHZPZ++Ihw==",
+          "requires": {
+            "is-glob": "^4.0.1"
+          }
+        },
+        "is-number": {
+          "version": "7.0.0",
+          "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+          "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng=="
+        },
+        "to-regex-range": {
+          "version": "5.0.1",
+          "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+          "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+          "requires": {
+            "is-number": "^7.0.0"
+          }
+        }
+      }
+    },
+    "chownr": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.3.tgz",
+      "integrity": "sha512-i70fVHhmV3DtTl6nqvZOnIjbY0Pe4kAUjwHj8z0zAdgBtYrJyYwLKCCuRBQ5ppkyL0AkN7HKRnETdmdp1zqNXw=="
+    },
+    "chrome-trace-event": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/chrome-trace-event/-/chrome-trace-event-1.0.2.tgz",
+      "integrity": "sha512-9e/zx1jw7B4CO+c/RXoCsfg/x1AfUBioy4owYH0bJprEYAx5hRFLRhWBqHAG57D0ZM4H7vxbP7bPe0VwhQRYDQ==",
+      "requires": {
+        "tslib": "^1.9.0"
+      }
+    },
+    "ci-info": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ci-info/-/ci-info-2.0.0.tgz",
+      "integrity": "sha512-5tK7EtrZ0N+OLFMthtqOj4fI2Jeb88C4CAZPu25LDVUgXJ0A3Js4PMGqrn0JU1W0Mh1/Z8wZzYPxqUrXeBboCQ=="
+    },
+    "cipher-base": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/cipher-base/-/cipher-base-1.0.4.tgz",
+      "integrity": "sha512-Kkht5ye6ZGmwv40uUDZztayT2ThLQGfnj/T71N/XzeZeo3nf8foyW7zGTsPYkEya3m5f3cAypH+qe7YOrM1U2Q==",
+      "requires": {
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "class-utils": {
+      "version": "0.3.6",
+      "resolved": "https://registry.npmjs.org/class-utils/-/class-utils-0.3.6.tgz",
+      "integrity": "sha512-qOhPa/Fj7s6TY8H8esGu5QNpMMQxz79h+urzrNYN6mn+9BnxlDGf5QZ+XeCDsxSjPqsSR56XOZOJmpeurnLMeg==",
+      "requires": {
+        "arr-union": "^3.1.0",
+        "define-property": "^0.2.5",
+        "isobject": "^3.0.0",
+        "static-extend": "^0.1.1"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "0.2.5",
+          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        }
+      }
+    },
+    "clean-stack": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/clean-stack/-/clean-stack-2.2.0.tgz",
+      "integrity": "sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A=="
+    },
+    "cli-cursor": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-3.1.0.tgz",
+      "integrity": "sha512-I/zHAwsKf9FqGoXM4WWRACob9+SNukZTd94DWF57E4toouRulbCxcUh6RKUEOQlYTHJnzkPMySvPNaaSLNfLZw==",
+      "requires": {
+        "restore-cursor": "^3.1.0"
+      }
+    },
+    "cli-spinners": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/cli-spinners/-/cli-spinners-1.3.1.tgz",
+      "integrity": "sha512-1QL4544moEsDVH9T/l6Cemov/37iv1RtoKf7NJ04A60+4MREXNfx/QvavbH6QoGdsD4N4Mwy49cmaINR/o2mdg=="
+    },
+    "cli-truncate": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/cli-truncate/-/cli-truncate-0.2.1.tgz",
+      "integrity": "sha1-nxXPuwcFAFNpIWxiasfQWrkN1XQ=",
+      "requires": {
+        "slice-ansi": "0.0.4",
+        "string-width": "^1.0.1"
+      },
+      "dependencies": {
+        "is-fullwidth-code-point": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz",
+          "integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=",
+          "requires": {
+            "number-is-nan": "^1.0.0"
+          }
+        },
+        "slice-ansi": {
+          "version": "0.0.4",
+          "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-0.0.4.tgz",
+          "integrity": "sha1-7b+JA/ZvfOL46v1s7tZeJkyDGzU="
+        },
+        "string-width": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz",
+          "integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=",
+          "requires": {
+            "code-point-at": "^1.0.0",
+            "is-fullwidth-code-point": "^1.0.0",
+            "strip-ansi": "^3.0.0"
+          }
+        }
+      }
+    },
+    "cli-width": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/cli-width/-/cli-width-2.2.0.tgz",
+      "integrity": "sha1-/xnt6Kml5XkyQUewwR8PvLq+1jk="
+    },
+    "cliui": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-5.0.0.tgz",
+      "integrity": "sha512-PYeGSEmmHM6zvoef2w8TPzlrnNpXIjTipYK780YswmIP9vjxmd6Y2a3CB2Ks6/AU8NHjZugXvo8w3oWM2qnwXA==",
+      "requires": {
+        "string-width": "^3.1.0",
+        "strip-ansi": "^5.2.0",
+        "wrap-ansi": "^5.1.0"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+          "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+        },
+        "strip-ansi": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+          "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+          "requires": {
+            "ansi-regex": "^4.1.0"
+          }
+        }
+      }
+    },
+    "clone": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/clone/-/clone-1.0.4.tgz",
+      "integrity": "sha1-2jCcwmPfFZlMaIypAheco8fNfH4="
+    },
+    "clone-response": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/clone-response/-/clone-response-1.0.2.tgz",
+      "integrity": "sha1-0dyXOSAxTfZ/vrlCI7TuNQI56Ws=",
+      "requires": {
+        "mimic-response": "^1.0.0"
+      }
+    },
+    "coa": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/coa/-/coa-2.0.2.tgz",
+      "integrity": "sha512-q5/jG+YQnSy4nRTV4F7lPepBJZ8qBNJJDBuJdoejDyLXgmL7IEo+Le2JDZudFTFt7mrCqIRaSjws4ygRCTCAXA==",
+      "requires": {
+        "@types/q": "^1.5.1",
+        "chalk": "^2.4.1",
+        "q": "^1.1.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "code-point-at": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/code-point-at/-/code-point-at-1.1.0.tgz",
+      "integrity": "sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c="
+    },
+    "collapse-white-space": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/collapse-white-space/-/collapse-white-space-1.0.5.tgz",
+      "integrity": "sha512-703bOOmytCYAX9cXYqoikYIx6twmFCXsnzRQheBcTG3nzKYBR4P/+wkYeH+Mvj7qUz8zZDtdyzbxfnEi/kYzRQ=="
+    },
+    "collection-visit": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/collection-visit/-/collection-visit-1.0.0.tgz",
+      "integrity": "sha1-S8A3PBZLwykbTTaMgpzxqApZ3KA=",
+      "requires": {
+        "map-visit": "^1.0.0",
+        "object-visit": "^1.0.0"
+      }
+    },
+    "color-convert": {
+      "version": "1.9.3",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
+      "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+      "requires": {
+        "color-name": "1.1.3"
+      }
+    },
+    "color-name": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
+      "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU="
+    },
+    "colors": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/colors/-/colors-1.1.2.tgz",
+      "integrity": "sha1-FopHAXVran9RoSzgyXv6KMCE7WM="
+    },
+    "comma-separated-tokens": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/comma-separated-tokens/-/comma-separated-tokens-1.0.7.tgz",
+      "integrity": "sha512-Jrx3xsP4pPv4AwJUDWY9wOXGtwPXARej6Xd99h4TUGotmf8APuquKMpK+dnD3UgyxK7OEWaisjZz+3b5jtL6xQ=="
+    },
+    "commander": {
+      "version": "2.20.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
+      "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
+    },
+    "common-tags": {
+      "version": "1.8.0",
+      "resolved": "https://registry.npmjs.org/common-tags/-/common-tags-1.8.0.tgz",
+      "integrity": "sha512-6P6g0uetGpW/sdyUy/iQQCbFF0kWVMSIVSyYz7Zgjcgh8mgw8PQzDNZeyZ5DQ2gM7LBoZPHmnjz8rUthkBG5tw=="
+    },
+    "commondir": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/commondir/-/commondir-1.0.1.tgz",
+      "integrity": "sha1-3dgA2gxmEnOTzKWVDqloo6rxJTs="
+    },
+    "component-emitter": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/component-emitter/-/component-emitter-1.3.0.tgz",
+      "integrity": "sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg=="
+    },
+    "component-type": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/component-type/-/component-type-1.2.1.tgz",
+      "integrity": "sha1-ikeQFwAjjk/DIml3EjAibyS0Fak="
+    },
+    "compressible": {
+      "version": "2.0.18",
+      "resolved": "https://registry.npmjs.org/compressible/-/compressible-2.0.18.tgz",
+      "integrity": "sha512-AF3r7P5dWxL8MxyITRMlORQNaOA2IkAFaTr4k7BUumjPtRpGDTZpl0Pb1XCO6JeDCBdp126Cgs9sMxqSjgYyRg==",
+      "requires": {
+        "mime-db": ">= 1.43.0 < 2"
+      },
+      "dependencies": {
+        "mime-db": {
+          "version": "1.43.0",
+          "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.43.0.tgz",
+          "integrity": "sha512-+5dsGEEovYbT8UY9yD7eE4XTc4UwJ1jBYlgaQQF38ENsKR3wj/8q8RFZrF9WIZpB2V1ArTVFUva8sAul1NzRzQ=="
+        }
+      }
+    },
+    "compression": {
+      "version": "1.7.4",
+      "resolved": "https://registry.npmjs.org/compression/-/compression-1.7.4.tgz",
+      "integrity": "sha512-jaSIDzP9pZVS4ZfQ+TzvtiWhdpFhE2RDHz8QJkpX9SIpLq88VueF5jJw6t+6CUQcAoA6t+x89MLrWAqpfDE8iQ==",
+      "requires": {
+        "accepts": "~1.3.5",
+        "bytes": "3.0.0",
+        "compressible": "~2.0.16",
+        "debug": "2.6.9",
+        "on-headers": "~1.0.2",
+        "safe-buffer": "5.1.2",
+        "vary": "~1.1.2"
+      },
+      "dependencies": {
+        "bytes": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.0.0.tgz",
+          "integrity": "sha1-0ygVQE1olpn4Wk6k+odV3ROpYEg="
+        },
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "ms": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+        }
+      }
+    },
+    "concat-map": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+      "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s="
+    },
+    "concat-stream": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.2.tgz",
+      "integrity": "sha512-27HBghJxjiZtIk3Ycvn/4kbJk/1uZuJFfuPEns6LaEvpvG1f0hTea8lilrouyo9mVc2GWdcEZ8OLoGmSADlrCw==",
+      "requires": {
+        "buffer-from": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^2.2.2",
+        "typedarray": "^0.0.6"
+      }
+    },
+    "conf": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/conf/-/conf-5.0.0.tgz",
+      "integrity": "sha512-lRNyt+iRD4plYaOSVTxu1zPWpaH0EOxgFIR1l3mpC/DGZ7XzhoGFMKmbl54LAgXcSu6knqWgOwdINkqm58N85A==",
+      "requires": {
+        "ajv": "^6.10.0",
+        "dot-prop": "^5.0.0",
+        "env-paths": "^2.2.0",
+        "json-schema-typed": "^7.0.0",
+        "make-dir": "^3.0.0",
+        "pkg-up": "^3.0.1",
+        "write-file-atomic": "^3.0.0"
+      },
+      "dependencies": {
+        "make-dir": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-3.0.0.tgz",
+          "integrity": "sha512-grNJDhb8b1Jm1qeqW5R/O63wUo4UXo2v2HMic6YT9i/HBlF93S8jkMgH7yugvY9ABDShH4VZMn8I+U8+fCNegw==",
+          "requires": {
+            "semver": "^6.0.0"
+          }
+        },
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+        }
+      }
+    },
+    "config-chain": {
+      "version": "1.1.12",
+      "resolved": "https://registry.npmjs.org/config-chain/-/config-chain-1.1.12.tgz",
+      "integrity": "sha512-a1eOIcu8+7lUInge4Rpf/n4Krkf3Dd9lqhljRzII1/Zno/kRtUWnznPO3jOKBmTEktkt3fkxisUcivoj0ebzoA==",
+      "requires": {
+        "ini": "^1.3.4",
+        "proto-list": "~1.2.1"
+      }
+    },
+    "console-browserify": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/console-browserify/-/console-browserify-1.2.0.tgz",
+      "integrity": "sha512-ZMkYO/LkF17QvCPqM0gxw8yUzigAOZOSWSHg91FH6orS7vcEj5dVZTidN2fQ14yBSdg97RqhSNwLUXInd52OTA=="
+    },
+    "console-stream": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/console-stream/-/console-stream-0.1.1.tgz",
+      "integrity": "sha1-oJX+B7IEZZVfL6/Si11yvM2UnUQ="
+    },
+    "constant-case": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/constant-case/-/constant-case-3.0.3.tgz",
+      "integrity": "sha512-FXtsSnnrFYpzDmvwDGQW+l8XK3GV1coLyBN0eBz16ZUzGaZcT2ANVCJmLeuw2GQgxKHQIe9e0w2dzkSfaRlUmA==",
+      "requires": {
+        "no-case": "^3.0.3",
+        "tslib": "^1.10.0",
+        "upper-case": "^2.0.1"
+      }
+    },
+    "constants-browserify": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/constants-browserify/-/constants-browserify-1.0.0.tgz",
+      "integrity": "sha1-wguW2MYXdIqvHBYCF2DNJ/y4y3U="
+    },
+    "content-disposition": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.3.tgz",
+      "integrity": "sha512-ExO0774ikEObIAEV9kDo50o+79VCUdEB6n6lzKgGwupcVeRlhrj3qGAfwq8G6uBJjkqLrhT0qEYFcWng8z1z0g==",
+      "requires": {
+        "safe-buffer": "5.1.2"
+      }
+    },
+    "content-type": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz",
+      "integrity": "sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA=="
+    },
+    "convert-source-map": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.7.0.tgz",
+      "integrity": "sha512-4FJkXzKXEDB1snCFZlLP4gpC3JILicCpGbzG9f9G7tGqGCzETQ2hWPrcinA9oU4wtf2biUaEH5065UnMeR33oA==",
+      "requires": {
+        "safe-buffer": "~5.1.1"
+      }
+    },
+    "cookie": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
+      "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg=="
+    },
+    "cookie-signature": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
+      "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw="
+    },
+    "copy-concurrently": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/copy-concurrently/-/copy-concurrently-1.0.5.tgz",
+      "integrity": "sha512-f2domd9fsVDFtaFcbaRZuYXwtdmnzqbADSwhSWYxYB/Q8zsdUUFMXVRwXGDMWmbEzAn1kdRrtI1T/KTFOL4X2A==",
+      "requires": {
+        "aproba": "^1.1.1",
+        "fs-write-stream-atomic": "^1.0.8",
+        "iferr": "^0.1.5",
+        "mkdirp": "^0.5.1",
+        "rimraf": "^2.5.4",
+        "run-queue": "^1.0.0"
+      }
+    },
+    "copy-descriptor": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/copy-descriptor/-/copy-descriptor-0.1.1.tgz",
+      "integrity": "sha1-Z29us8OZl8LuGsOpJP1hJHSPV40="
+    },
+    "core-js": {
+      "version": "2.6.11",
+      "resolved": "https://registry.npmjs.org/core-js/-/core-js-2.6.11.tgz",
+      "integrity": "sha512-5wjnpaT/3dV+XB4borEsnAYQchn00XSgTAWKDkEqv+K8KevjbzmofK6hfJ9TZIlpj2N0xQpazy7PiRQiWHqzWg=="
+    },
+    "core-js-compat": {
+      "version": "3.6.4",
+      "resolved": "https://registry.npmjs.org/core-js-compat/-/core-js-compat-3.6.4.tgz",
+      "integrity": "sha512-zAa3IZPvsJ0slViBQ2z+vgyyTuhd3MFn1rBQjZSKVEgB0UMYhUkCj9jJUVPgGTGqWvsBVmfnruXgTcNyTlEiSA==",
+      "requires": {
+        "browserslist": "^4.8.3",
+        "semver": "7.0.0"
+      },
+      "dependencies": {
+        "browserslist": {
+          "version": "4.8.3",
+          "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.8.3.tgz",
+          "integrity": "sha512-iU43cMMknxG1ClEZ2MDKeonKE1CCrFVkQK2AqO2YWFmvIrx4JWrvQ4w4hQez6EpVI8rHTtqh/ruHHDHSOKxvUg==",
+          "requires": {
+            "caniuse-lite": "^1.0.30001017",
+            "electron-to-chromium": "^1.3.322",
+            "node-releases": "^1.1.44"
+          }
+        },
+        "caniuse-lite": {
+          "version": "1.0.30001021",
+          "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001021.tgz",
+          "integrity": "sha512-wuMhT7/hwkgd8gldgp2jcrUjOU9RXJ4XxGumQeOsUr91l3WwmM68Cpa/ymCnWEDqakwFXhuDQbaKNHXBPgeE9g=="
+        },
+        "node-releases": {
+          "version": "1.1.45",
+          "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-1.1.45.tgz",
+          "integrity": "sha512-cXvGSfhITKI8qsV116u2FTzH5EWZJfgG7d4cpqwF8I8+1tWpD6AsvvGRKq2onR0DNj1jfqsjkXZsm14JMS7Cyg==",
+          "requires": {
+            "semver": "^6.3.0"
+          },
+          "dependencies": {
+            "semver": {
+              "version": "6.3.0",
+              "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+              "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+            }
+          }
+        },
+        "semver": {
+          "version": "7.0.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-7.0.0.tgz",
+          "integrity": "sha512-+GB6zVA9LWh6zovYQLALHwv5rb2PHGlJi3lfiqIHxR0uuwCgefcOJc59v9fv1w8GbStwxuuqqAjI9NMAOOgq1A=="
+        }
+      }
+    },
+    "core-js-pure": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/core-js-pure/-/core-js-pure-3.6.2.tgz",
+      "integrity": "sha512-PRasaCPjjCB65au2dMBPtxuIR6LM8MVNdbIbN57KxcDV1FAYQWlF0pqje/HC2sM6nm/s9KqSTkMTU75pozaghA=="
+    },
+    "core-util-is": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
+      "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac="
+    },
+    "cosmiconfig": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-5.2.1.tgz",
+      "integrity": "sha512-H65gsXo1SKjf8zmrJ67eJk8aIRKV5ff2D4uKZIBZShbhGSpEmsQOPW/SKMKYhSTrqR7ufy6RP69rPogdaPh/kA==",
+      "requires": {
+        "import-fresh": "^2.0.0",
+        "is-directory": "^0.3.1",
+        "js-yaml": "^3.13.1",
+        "parse-json": "^4.0.0"
+      },
+      "dependencies": {
+        "parse-json": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-4.0.0.tgz",
+          "integrity": "sha1-vjX1Qlvh9/bHRxhPmKeIy5lHfuA=",
+          "requires": {
+            "error-ex": "^1.3.1",
+            "json-parse-better-errors": "^1.0.1"
+          }
+        }
+      }
+    },
+    "create-ecdh": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/create-ecdh/-/create-ecdh-4.0.3.tgz",
+      "integrity": "sha512-GbEHQPMOswGpKXM9kCWVrremUcBmjteUaQ01T9rkKCPDXfUHX0IoP9LpHYo2NPFampa4e+/pFDc3jQdxrxQLaw==",
+      "requires": {
+        "bn.js": "^4.1.0",
+        "elliptic": "^6.0.0"
+      }
+    },
+    "create-hash": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/create-hash/-/create-hash-1.2.0.tgz",
+      "integrity": "sha512-z00bCGNHDG8mHAkP7CtT1qVu+bFQUPjYq/4Iv3C3kWjTFV10zIjfSoeqXo9Asws8gwSHDGj/hl2u4OGIjapeCg==",
+      "requires": {
+        "cipher-base": "^1.0.1",
+        "inherits": "^2.0.1",
+        "md5.js": "^1.3.4",
+        "ripemd160": "^2.0.1",
+        "sha.js": "^2.4.0"
+      }
+    },
+    "create-hmac": {
+      "version": "1.1.7",
+      "resolved": "https://registry.npmjs.org/create-hmac/-/create-hmac-1.1.7.tgz",
+      "integrity": "sha512-MJG9liiZ+ogc4TzUwuvbER1JRdgvUFSB5+VR/g5h82fGaIRWMWddtKBHi7/sVhfjQZ6SehlyhvQYrcYkaUIpLg==",
+      "requires": {
+        "cipher-base": "^1.0.3",
+        "create-hash": "^1.1.0",
+        "inherits": "^2.0.1",
+        "ripemd160": "^2.0.0",
+        "safe-buffer": "^5.0.1",
+        "sha.js": "^2.4.8"
+      }
+    },
+    "create-react-context": {
+      "version": "0.2.3",
+      "resolved": "https://registry.npmjs.org/create-react-context/-/create-react-context-0.2.3.tgz",
+      "integrity": "sha512-CQBmD0+QGgTaxDL3OX1IDXYqjkp2It4RIbcb99jS6AEg27Ga+a9G3JtK6SIu0HBwPLZlmwt9F7UwWA4Bn92Rag==",
+      "requires": {
+        "fbjs": "^0.8.0",
+        "gud": "^1.0.0"
+      },
+      "dependencies": {
+        "core-js": {
+          "version": "1.2.7",
+          "resolved": "https://registry.npmjs.org/core-js/-/core-js-1.2.7.tgz",
+          "integrity": "sha1-ZSKUwUZR2yj6k70tX/KYOk8IxjY="
+        },
+        "fbjs": {
+          "version": "0.8.17",
+          "resolved": "https://registry.npmjs.org/fbjs/-/fbjs-0.8.17.tgz",
+          "integrity": "sha1-xNWY6taUkRJlPWWIsBpc3Nn5D90=",
+          "requires": {
+            "core-js": "^1.0.0",
+            "isomorphic-fetch": "^2.1.1",
+            "loose-envify": "^1.0.0",
+            "object-assign": "^4.1.0",
+            "promise": "^7.1.1",
+            "setimmediate": "^1.0.5",
+            "ua-parser-js": "^0.7.18"
+          }
+        }
+      }
+    },
+    "cross-fetch": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-2.2.2.tgz",
+      "integrity": "sha1-pH/09/xxLauo9qaVoRyUhEDUVyM=",
+      "requires": {
+        "node-fetch": "2.1.2",
+        "whatwg-fetch": "2.0.4"
+      },
+      "dependencies": {
+        "node-fetch": {
+          "version": "2.1.2",
+          "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.1.2.tgz",
+          "integrity": "sha1-q4hOjn5X44qUR1POxwb3iNF2i7U="
+        },
+        "whatwg-fetch": {
+          "version": "2.0.4",
+          "resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-2.0.4.tgz",
+          "integrity": "sha512-dcQ1GWpOD/eEQ97k66aiEVpNnapVj90/+R+SXTPYGHpYBBypfKJEQjLrvMZ7YXbKm21gXd4NcuxUTjiv1YtLng=="
+        }
+      }
+    },
+    "cross-spawn": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-5.1.0.tgz",
+      "integrity": "sha1-6L0O/uWPz/b4+UUQoKVUu/ojVEk=",
+      "requires": {
+        "lru-cache": "^4.0.1",
+        "shebang-command": "^1.2.0",
+        "which": "^1.2.9"
+      }
+    },
+    "crypt": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/crypt/-/crypt-0.0.2.tgz",
+      "integrity": "sha1-iNf/fsDfuG9xPch7u0LQRNPmxBs="
+    },
+    "crypto-browserify": {
+      "version": "3.12.0",
+      "resolved": "https://registry.npmjs.org/crypto-browserify/-/crypto-browserify-3.12.0.tgz",
+      "integrity": "sha512-fz4spIh+znjO2VjL+IdhEpRJ3YN6sMzITSBijk6FK2UvTqruSQW+/cCZTSNsMiZNvUeq0CqurF+dAbyiGOY6Wg==",
+      "requires": {
+        "browserify-cipher": "^1.0.0",
+        "browserify-sign": "^4.0.0",
+        "create-ecdh": "^4.0.0",
+        "create-hash": "^1.1.0",
+        "create-hmac": "^1.1.0",
+        "diffie-hellman": "^5.0.0",
+        "inherits": "^2.0.1",
+        "pbkdf2": "^3.0.3",
+        "public-encrypt": "^4.0.0",
+        "randombytes": "^2.0.0",
+        "randomfill": "^1.0.3"
+      }
+    },
+    "css": {
+      "version": "2.2.4",
+      "resolved": "https://registry.npmjs.org/css/-/css-2.2.4.tgz",
+      "integrity": "sha512-oUnjmWpy0niI3x/mPL8dVEI1l7MnG3+HHyRPHf+YFSbK+svOhXpmSOcDURUh2aOCgl2grzrOPt1nHLuCVFULLw==",
+      "requires": {
+        "inherits": "^2.0.3",
+        "source-map": "^0.6.1",
+        "source-map-resolve": "^0.5.2",
+        "urix": "^0.1.0"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "css-blank-pseudo": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/css-blank-pseudo/-/css-blank-pseudo-0.1.4.tgz",
+      "integrity": "sha512-LHz35Hr83dnFeipc7oqFDmsjHdljj3TQtxGGiNWSOsTLIAubSm4TEz8qCaKFpk7idaQ1GfWscF4E6mgpBysA1w==",
+      "requires": {
+        "postcss": "^7.0.5"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "css-has-pseudo": {
+      "version": "0.10.0",
+      "resolved": "https://registry.npmjs.org/css-has-pseudo/-/css-has-pseudo-0.10.0.tgz",
+      "integrity": "sha512-Z8hnfsZu4o/kt+AuFzeGpLVhFOGO9mluyHBaA2bA8aCGTwah5sT3WV/fTHH8UNZUytOIImuGPrl/prlb4oX4qQ==",
+      "requires": {
+        "postcss": "^7.0.6",
+        "postcss-selector-parser": "^5.0.0-rc.4"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "css-loader": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/css-loader/-/css-loader-1.0.0.tgz",
+      "integrity": "sha512-tMXlTYf3mIMt3b0dDCOQFJiVvxbocJ5Ho577WiGPYPZcqVEO218L2iU22pDXzkTZCLDE+9AmGSUkWxeh/nZReA==",
+      "requires": {
+        "babel-code-frame": "^6.26.0",
+        "css-selector-tokenizer": "^0.7.0",
+        "icss-utils": "^2.1.0",
+        "loader-utils": "^1.0.2",
+        "lodash.camelcase": "^4.3.0",
+        "postcss": "^6.0.23",
+        "postcss-modules-extract-imports": "^1.2.0",
+        "postcss-modules-local-by-default": "^1.2.0",
+        "postcss-modules-scope": "^1.1.0",
+        "postcss-modules-values": "^1.3.0",
+        "postcss-value-parser": "^3.3.0",
+        "source-list-map": "^2.0.0"
+      }
+    },
+    "css-prefers-color-scheme": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/css-prefers-color-scheme/-/css-prefers-color-scheme-3.1.1.tgz",
+      "integrity": "sha512-MTu6+tMs9S3EUqzmqLXEcgNRbNkkD/TGFvowpeoWJn5Vfq7FMgsmRQs9X5NXAURiOBmOxm/lLjsDNXDE6k9bhg==",
+      "requires": {
+        "postcss": "^7.0.5"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "css-select": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/css-select/-/css-select-2.1.0.tgz",
+      "integrity": "sha512-Dqk7LQKpwLoH3VovzZnkzegqNSuAziQyNZUcrdDM401iY+R5NkGBXGmtO05/yaXQziALuPogeG0b7UAgjnTJTQ==",
+      "requires": {
+        "boolbase": "^1.0.0",
+        "css-what": "^3.2.1",
+        "domutils": "^1.7.0",
+        "nth-check": "^1.0.2"
+      }
+    },
+    "css-select-base-adapter": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/css-select-base-adapter/-/css-select-base-adapter-0.1.1.tgz",
+      "integrity": "sha512-jQVeeRG70QI08vSTwf1jHxp74JoZsr2XSgETae8/xC8ovSnL2WF87GTLO86Sbwdt2lK4Umg4HnnwMO4YF3Ce7w=="
+    },
+    "css-selector-tokenizer": {
+      "version": "0.7.1",
+      "resolved": "https://registry.npmjs.org/css-selector-tokenizer/-/css-selector-tokenizer-0.7.1.tgz",
+      "integrity": "sha512-xYL0AMZJ4gFzJQsHUKa5jiWWi2vH77WVNg7JYRyewwj6oPh4yb/y6Y9ZCw9dsj/9UauMhtuxR+ogQd//EdEVNA==",
+      "requires": {
+        "cssesc": "^0.1.0",
+        "fastparse": "^1.1.1",
+        "regexpu-core": "^1.0.0"
+      }
+    },
+    "css-tree": {
+      "version": "1.0.0-alpha.37",
+      "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-1.0.0-alpha.37.tgz",
+      "integrity": "sha512-DMxWJg0rnz7UgxKT0Q1HU/L9BeJI0M6ksor0OgqOnF+aRCDWg/N2641HmVyU9KVIu0OVVWOb2IpC9A+BJRnejg==",
+      "requires": {
+        "mdn-data": "2.0.4",
+        "source-map": "^0.6.1"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "css-what": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/css-what/-/css-what-3.2.1.tgz",
+      "integrity": "sha512-WwOrosiQTvyms+Ti5ZC5vGEK0Vod3FTt1ca+payZqvKuGJF+dq7bG63DstxtN0dpm6FxY27a/zS3Wten+gEtGw=="
+    },
+    "cssdb": {
+      "version": "4.4.0",
+      "resolved": "https://registry.npmjs.org/cssdb/-/cssdb-4.4.0.tgz",
+      "integrity": "sha512-LsTAR1JPEM9TpGhl/0p3nQecC2LJ0kD8X5YARu1hk/9I1gril5vDtMZyNxcEpxxDj34YNck/ucjuoUd66K03oQ=="
+    },
+    "cssesc": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-0.1.0.tgz",
+      "integrity": "sha1-yBSQPkViM3GgR3tAEJqq++6t27Q="
+    },
+    "cssnano-preset-simple": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/cssnano-preset-simple/-/cssnano-preset-simple-1.0.2.tgz",
+      "integrity": "sha512-FhAjiyAJoQOfvOZVSaNYkmmg2KE/SmaJVBNqglvvZ4QgwtTMVOaggozmRwfyO2QfeyKstRCpeRglziWym0Q9/w==",
+      "requires": {
+        "postcss": "^7.0.18"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.26",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.26.tgz",
+          "integrity": "sha512-IY4oRjpXWYshuTDFxMVkJDtWIk2LhsTlu8bZnbEJA4+bYT16Lvpo8Qv6EvDumhYRgzjZl489pmsY3qVgJQ08nA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "cssnano-simple": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/cssnano-simple/-/cssnano-simple-1.0.0.tgz",
+      "integrity": "sha512-B7u9vvtXEqeU2rzdt+Kfw5O9Nd46R7KNjJoP7Y5lGQs6c7n1Et5Ilofh2W9OjBV/ZiJV5+7j9ShWgiYNtH/57A==",
+      "requires": {
+        "cssnano-preset-simple": "^1.0.0",
+        "postcss": "^7.0.18"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.26",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.26.tgz",
+          "integrity": "sha512-IY4oRjpXWYshuTDFxMVkJDtWIk2LhsTlu8bZnbEJA4+bYT16Lvpo8Qv6EvDumhYRgzjZl489pmsY3qVgJQ08nA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "csso": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/csso/-/csso-4.0.2.tgz",
+      "integrity": "sha512-kS7/oeNVXkHWxby5tHVxlhjizRCSv8QdU7hB2FpdAibDU8FjTAolhNjKNTiLzXtUrKT6HwClE81yXwEk1309wg==",
+      "requires": {
+        "css-tree": "1.0.0-alpha.37"
+      }
+    },
+    "currently-unhandled": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/currently-unhandled/-/currently-unhandled-0.4.1.tgz",
+      "integrity": "sha1-mI3zP+qxke95mmE2nddsF635V+o=",
+      "requires": {
+        "array-find-index": "^1.0.1"
+      }
+    },
+    "cyclist": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/cyclist/-/cyclist-1.0.1.tgz",
+      "integrity": "sha1-WW6WmP0MgOEgOMK4LW6xs1tiJNk="
+    },
+    "damerau-levenshtein": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/damerau-levenshtein/-/damerau-levenshtein-1.0.5.tgz",
+      "integrity": "sha512-CBCRqFnpu715iPmw1KrdOrzRqbdFwQTwAWyyyYS42+iAgHCuXZ+/TdMgQkUENPomxEz9z1BEzuQU2Xw0kUuAgA=="
+    },
+    "date-fns": {
+      "version": "1.30.1",
+      "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-1.30.1.tgz",
+      "integrity": "sha512-hBSVCvSmWC+QypYObzwGOd9wqdDpOt+0wl0KbU+R+uuZBS1jN8VsD1ss3irQDknRj5NvxiTF6oj/nDRnN/UQNw=="
+    },
+    "de-indent": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/de-indent/-/de-indent-1.0.2.tgz",
+      "integrity": "sha1-sgOOhG3DO6pXlhKNCAS0VbjB4h0=",
+      "optional": true
+    },
+    "debug": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
+      "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
+      "requires": {
+        "ms": "^2.1.1"
+      }
+    },
+    "decamelize": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz",
+      "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA="
+    },
+    "decode-uri-component": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz",
+      "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU="
+    },
+    "decompress": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz",
+      "integrity": "sha1-eu3YVCflqS2s/lVnSnxQXpbQH50=",
+      "requires": {
+        "decompress-tar": "^4.0.0",
+        "decompress-tarbz2": "^4.0.0",
+        "decompress-targz": "^4.0.0",
+        "decompress-unzip": "^4.0.1",
+        "graceful-fs": "^4.1.10",
+        "make-dir": "^1.0.0",
+        "pify": "^2.3.0",
+        "strip-dirs": "^2.0.0"
+      }
+    },
+    "decompress-response": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/decompress-response/-/decompress-response-3.3.0.tgz",
+      "integrity": "sha1-gKTdMjdIOEv6JICDYirt7Jgq3/M=",
+      "requires": {
+        "mimic-response": "^1.0.0"
+      }
+    },
+    "decompress-tar": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz",
+      "integrity": "sha512-JdJMaCrGpB5fESVyxwpCx4Jdj2AagLmv3y58Qy4GE6HMVjWz1FeVQk1Ct4Kye7PftcdOo/7U7UKzYBJgqnGeUQ==",
+      "requires": {
+        "file-type": "^5.2.0",
+        "is-stream": "^1.1.0",
+        "tar-stream": "^1.5.2"
+      },
+      "dependencies": {
+        "file-type": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/file-type/-/file-type-5.2.0.tgz",
+          "integrity": "sha1-LdvqfHP/42No365J3DOMBYwritY="
+        }
+      }
+    },
+    "decompress-tarbz2": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/decompress-tarbz2/-/decompress-tarbz2-4.1.1.tgz",
+      "integrity": "sha512-s88xLzf1r81ICXLAVQVzaN6ZmX4A6U4z2nMbOwobxkLoIIfjVMBg7TeguTUXkKeXni795B6y5rnvDw7rxhAq9A==",
+      "requires": {
+        "decompress-tar": "^4.1.0",
+        "file-type": "^6.1.0",
+        "is-stream": "^1.1.0",
+        "seek-bzip": "^1.0.5",
+        "unbzip2-stream": "^1.0.9"
+      },
+      "dependencies": {
+        "file-type": {
+          "version": "6.2.0",
+          "resolved": "https://registry.npmjs.org/file-type/-/file-type-6.2.0.tgz",
+          "integrity": "sha512-YPcTBDV+2Tm0VqjybVd32MHdlEGAtuxS3VAYsumFokDSMG+ROT5wawGlnHDoz7bfMcMDt9hxuXvXwoKUx2fkOg=="
+        }
+      }
+    },
+    "decompress-targz": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/decompress-targz/-/decompress-targz-4.1.1.tgz",
+      "integrity": "sha512-4z81Znfr6chWnRDNfFNqLwPvm4db3WuZkqV+UgXQzSngG3CEKdBkw5jrv3axjjL96glyiiKjsxJG3X6WBZwX3w==",
+      "requires": {
+        "decompress-tar": "^4.1.1",
+        "file-type": "^5.2.0",
+        "is-stream": "^1.1.0"
+      },
+      "dependencies": {
+        "file-type": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/file-type/-/file-type-5.2.0.tgz",
+          "integrity": "sha1-LdvqfHP/42No365J3DOMBYwritY="
+        }
+      }
+    },
+    "decompress-unzip": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/decompress-unzip/-/decompress-unzip-4.0.1.tgz",
+      "integrity": "sha1-3qrM39FK6vhVePczroIQ+bSEj2k=",
+      "requires": {
+        "file-type": "^3.8.0",
+        "get-stream": "^2.2.0",
+        "pify": "^2.3.0",
+        "yauzl": "^2.4.2"
+      },
+      "dependencies": {
+        "file-type": {
+          "version": "3.9.0",
+          "resolved": "https://registry.npmjs.org/file-type/-/file-type-3.9.0.tgz",
+          "integrity": "sha1-JXoHg4TR24CHvESdEH1SpSZyuek="
+        },
+        "get-stream": {
+          "version": "2.3.1",
+          "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-2.3.1.tgz",
+          "integrity": "sha1-Xzj5PzRgCWZu4BUKBUFn+Rvdld4=",
+          "requires": {
+            "object-assign": "^4.0.1",
+            "pinkie-promise": "^2.0.0"
+          }
+        }
+      }
+    },
+    "dedent": {
+      "version": "0.7.0",
+      "resolved": "https://registry.npmjs.org/dedent/-/dedent-0.7.0.tgz",
+      "integrity": "sha1-JJXduvbrh0q7Dhvp3yLS5aVEMmw="
+    },
+    "deep-extend": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz",
+      "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA=="
+    },
+    "deep-is": {
+      "version": "0.1.3",
+      "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.3.tgz",
+      "integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ="
+    },
+    "deepmerge": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.2.2.tgz",
+      "integrity": "sha512-FJ3UgI4gIl+PHZm53knsuSFpE+nESMr7M4v9QcgB7S63Kj/6WqMiFQJpBBYz1Pt+66bZpP3Q7Lye0Oo9MPKEdg=="
+    },
+    "defaults": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/defaults/-/defaults-1.0.3.tgz",
+      "integrity": "sha1-xlYFHpgX2f8I7YgUd/P+QBnz730=",
+      "requires": {
+        "clone": "^1.0.2"
+      }
+    },
+    "defer-to-connect": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/defer-to-connect/-/defer-to-connect-1.1.1.tgz",
+      "integrity": "sha512-J7thop4u3mRTkYRQ+Vpfwy2G5Ehoy82I14+14W4YMDLKdWloI9gSzRbV30s/NckQGVJtPkWNcW4oMAUigTdqiQ=="
+    },
+    "define-properties": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/define-properties/-/define-properties-1.1.3.tgz",
+      "integrity": "sha512-3MqfYKj2lLzdMSf8ZIZE/V+Zuy+BgD6f164e8K2w7dgnpKArBDerGYpM46IYYcjnkdPNMjPk9A6VFB8+3SKlXQ==",
+      "requires": {
+        "object-keys": "^1.0.12"
+      }
+    },
+    "define-property": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/define-property/-/define-property-2.0.2.tgz",
+      "integrity": "sha512-jwK2UV4cnPpbcG7+VRARKTZPUWowwXA8bzH5NP6ud0oeAxyYPuGZUAC7hMugpCdz4BeSZl2Dl9k66CHJ/46ZYQ==",
+      "requires": {
+        "is-descriptor": "^1.0.2",
+        "isobject": "^3.0.1"
+      },
+      "dependencies": {
+        "is-accessor-descriptor": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz",
+          "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
+          "requires": {
+            "kind-of": "^6.0.0"
+          }
+        },
+        "is-data-descriptor": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz",
+          "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
+          "requires": {
+            "kind-of": "^6.0.0"
+          }
+        },
+        "is-descriptor": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz",
+          "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
+          "requires": {
+            "is-accessor-descriptor": "^1.0.0",
+            "is-data-descriptor": "^1.0.0",
+            "kind-of": "^6.0.2"
+          }
+        }
+      }
+    },
+    "del": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/del/-/del-5.1.0.tgz",
+      "integrity": "sha512-wH9xOVHnczo9jN2IW68BabcecVPxacIA3g/7z6vhSU/4stOKQzeCRK0yD0A24WiAAUJmmVpWqrERcTxnLo3AnA==",
+      "requires": {
+        "globby": "^10.0.1",
+        "graceful-fs": "^4.2.2",
+        "is-glob": "^4.0.1",
+        "is-path-cwd": "^2.2.0",
+        "is-path-inside": "^3.0.1",
+        "p-map": "^3.0.0",
+        "rimraf": "^3.0.0",
+        "slash": "^3.0.0"
+      },
+      "dependencies": {
+        "rimraf": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.0.tgz",
+          "integrity": "sha512-NDGVxTsjqfunkds7CqsOiEnxln4Bo7Nddl3XhS4pXg5OzwkLqJ971ZVAAnB+DDLnF76N+VnDEiBHaVV8I06SUg==",
+          "requires": {
+            "glob": "^7.1.3"
+          }
+        }
+      }
+    },
+    "depd": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
+      "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak="
+    },
+    "dependency-graph": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/dependency-graph/-/dependency-graph-0.8.1.tgz",
+      "integrity": "sha512-g213uqF8fyk40W8SBjm079n3CZB4qSpCrA2ye1fLGzH/4HEgB6tzuW2CbLE7leb4t45/6h44Ud59Su1/ROTfqw=="
+    },
+    "deprecated-decorator": {
+      "version": "0.1.6",
+      "resolved": "https://registry.npmjs.org/deprecated-decorator/-/deprecated-decorator-0.1.6.tgz",
+      "integrity": "sha1-AJZjF7ehL+kvPMgx91g68ym4bDc="
+    },
+    "des.js": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/des.js/-/des.js-1.0.1.tgz",
+      "integrity": "sha512-Q0I4pfFrv2VPd34/vfLrFOoRmlYj3OV50i7fskps1jZWK1kApMWWT9G6RRUeYedLcBDIhnSDaUvJMb3AhUlaEA==",
+      "requires": {
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
+    "destroy": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz",
+      "integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA="
+    },
+    "detab": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/detab/-/detab-2.0.2.tgz",
+      "integrity": "sha512-Q57yPrxScy816TTE1P/uLRXLDKjXhvYTbfxS/e6lPD+YrqghbsMlGB9nQzj/zVtSPaF0DFPSdO916EWO4sQUyQ==",
+      "requires": {
+        "repeat-string": "^1.5.4"
+      }
+    },
+    "devalue": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/devalue/-/devalue-2.0.1.tgz",
+      "integrity": "sha512-I2TiqT5iWBEyB8GRfTDP0hiLZ0YeDJZ+upDxjBfOC2lebO5LezQMv7QvIUTzdb64jQyAKLf1AHADtGN+jw6v8Q=="
+    },
+    "diffie-hellman": {
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/diffie-hellman/-/diffie-hellman-5.0.3.tgz",
+      "integrity": "sha512-kqag/Nl+f3GwyK25fhUMYj81BUOrZ9IuJsjIcDE5icNM9FJHAVm3VcUDxdLPoQtTuUylWm6ZIknYJwwaPxsUzg==",
+      "requires": {
+        "bn.js": "^4.1.0",
+        "miller-rabin": "^4.0.0",
+        "randombytes": "^2.0.0"
+      }
+    },
+    "dir-glob": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/dir-glob/-/dir-glob-3.0.1.tgz",
+      "integrity": "sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==",
+      "requires": {
+        "path-type": "^4.0.0"
+      },
+      "dependencies": {
+        "path-type": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/path-type/-/path-type-4.0.0.tgz",
+          "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw=="
+        }
+      }
+    },
+    "doctrine": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz",
+      "integrity": "sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==",
+      "requires": {
+        "esutils": "^2.0.2"
+      }
+    },
+    "dom-serializer": {
+      "version": "0.2.2",
+      "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-0.2.2.tgz",
+      "integrity": "sha512-2/xPb3ORsQ42nHYiSunXkDjPLBaEj/xTwUO4B7XCZQTRk7EBtTOPaygh10YAAh2OI1Qrp6NWfpAhzswj0ydt9g==",
+      "requires": {
+        "domelementtype": "^2.0.1",
+        "entities": "^2.0.0"
+      },
+      "dependencies": {
+        "domelementtype": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-2.0.1.tgz",
+          "integrity": "sha512-5HOHUDsYZWV8FGWN0Njbr/Rn7f/eWSQi1v7+HsUVwXgn8nWWlL64zKDkS0n8ZmQ3mlWOMuXOnR+7Nx/5tMO5AQ=="
+        }
+      }
+    },
+    "domain-browser": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/domain-browser/-/domain-browser-1.2.0.tgz",
+      "integrity": "sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA=="
+    },
+    "domelementtype": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-1.3.1.tgz",
+      "integrity": "sha512-BSKB+TSpMpFI/HOxCNr1O8aMOTZ8hT3pM3GQ0w/mWRmkhEDSFJkkyzz4XQsBV44BChwGkrDfMyjVD0eA2aFV3w=="
+    },
+    "domutils": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/domutils/-/domutils-1.7.0.tgz",
+      "integrity": "sha512-Lgd2XcJ/NjEw+7tFvfKxOzCYKZsdct5lczQ2ZaQY8Djz7pfAD3Gbp8ySJWtreII/vDlMVmxwa6pHmdxIYgttDg==",
+      "requires": {
+        "dom-serializer": "0",
+        "domelementtype": "1"
+      }
+    },
+    "dot-prop": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-5.2.0.tgz",
+      "integrity": "sha512-uEUyaDKoSQ1M4Oq8l45hSE26SnTxL6snNnqvK/VWx5wJhmff5z0FUVJDKDanor/6w3kzE3i7XZOk+7wC0EXr1A==",
+      "requires": {
+        "is-obj": "^2.0.0"
+      },
+      "dependencies": {
+        "is-obj": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-2.0.0.tgz",
+          "integrity": "sha512-drqDG3cbczxxEJRoOXcOjtdp1J/lyp1mNn0xaznRs8+muBhgQcrnbspox5X5fOw0HnMnbfDzvnEMEtqDEJEo8w=="
+        }
+      }
+    },
+    "download": {
+      "version": "6.2.5",
+      "resolved": "https://registry.npmjs.org/download/-/download-6.2.5.tgz",
+      "integrity": "sha512-DpO9K1sXAST8Cpzb7kmEhogJxymyVUd5qz/vCOSyvwtp2Klj2XcDt5YUuasgxka44SxF0q5RriKIwJmQHG2AuA==",
+      "requires": {
+        "caw": "^2.0.0",
+        "content-disposition": "^0.5.2",
+        "decompress": "^4.0.0",
+        "ext-name": "^5.0.0",
+        "file-type": "5.2.0",
+        "filenamify": "^2.0.0",
+        "get-stream": "^3.0.0",
+        "got": "^7.0.0",
+        "make-dir": "^1.0.0",
+        "p-event": "^1.0.0",
+        "pify": "^3.0.0"
+      },
+      "dependencies": {
+        "file-type": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/file-type/-/file-type-5.2.0.tgz",
+          "integrity": "sha1-LdvqfHP/42No365J3DOMBYwritY="
+        },
+        "got": {
+          "version": "7.1.0",
+          "resolved": "https://registry.npmjs.org/got/-/got-7.1.0.tgz",
+          "integrity": "sha512-Y5WMo7xKKq1muPsxD+KmrR8DH5auG7fBdDVueZwETwV6VytKyU9OX/ddpq2/1hp1vIPvVb4T81dKQz3BivkNLw==",
+          "requires": {
+            "decompress-response": "^3.2.0",
+            "duplexer3": "^0.1.4",
+            "get-stream": "^3.0.0",
+            "is-plain-obj": "^1.1.0",
+            "is-retry-allowed": "^1.0.0",
+            "is-stream": "^1.0.0",
+            "isurl": "^1.0.0-alpha5",
+            "lowercase-keys": "^1.0.0",
+            "p-cancelable": "^0.3.0",
+            "p-timeout": "^1.1.1",
+            "safe-buffer": "^5.0.1",
+            "timed-out": "^4.0.0",
+            "url-parse-lax": "^1.0.0",
+            "url-to-options": "^1.0.1"
+          }
+        },
+        "is-plain-obj": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-1.1.0.tgz",
+          "integrity": "sha1-caUMhCnfync8kqOQpKA7OfzVHT4="
+        },
+        "p-cancelable": {
+          "version": "0.3.0",
+          "resolved": "https://registry.npmjs.org/p-cancelable/-/p-cancelable-0.3.0.tgz",
+          "integrity": "sha512-RVbZPLso8+jFeq1MfNvgXtCRED2raz/dKpacfTNxsx6pLEpEomM7gah6VeHSYV3+vo0OAi4MkArtQcWWXuQoyw=="
+        },
+        "pify": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+          "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+        },
+        "prepend-http": {
+          "version": "1.0.4",
+          "resolved": "https://registry.npmjs.org/prepend-http/-/prepend-http-1.0.4.tgz",
+          "integrity": "sha1-1PRWKwzjaW5BrFLQ4ALlemNdxtw="
+        },
+        "url-parse-lax": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/url-parse-lax/-/url-parse-lax-1.0.0.tgz",
+          "integrity": "sha1-evjzA2Rem9eaJy56FKxovAYJ2nM=",
+          "requires": {
+            "prepend-http": "^1.0.1"
+          }
+        }
+      }
+    },
+    "duplexer": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/duplexer/-/duplexer-0.1.1.tgz",
+      "integrity": "sha1-rOb/gIwc5mtX0ev5eXessCM0z8E="
+    },
+    "duplexer3": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz",
+      "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI="
+    },
+    "duplexify": {
+      "version": "3.7.1",
+      "resolved": "https://registry.npmjs.org/duplexify/-/duplexify-3.7.1.tgz",
+      "integrity": "sha512-07z8uv2wMyS51kKhD1KsdXJg5WQ6t93RneqRxUHnskXVtlYYkLqM0gqStQZ3pj073g687jPCHrqNfCzawLYh5g==",
+      "requires": {
+        "end-of-stream": "^1.0.0",
+        "inherits": "^2.0.1",
+        "readable-stream": "^2.0.0",
+        "stream-shift": "^1.0.0"
+      }
+    },
+    "ee-first": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
+      "integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0="
+    },
+    "ejs": {
+      "version": "2.7.4",
+      "resolved": "https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz",
+      "integrity": "sha512-7vmuyh5+kuUyJKePhQfRQBhXV5Ce+RnaeeQArKu1EAMpL3WbgMt5WG6uQZpEVvYSSsxMXRKOewtDk9RaTKXRlA=="
+    },
+    "electron-to-chromium": {
+      "version": "1.3.322",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.3.322.tgz",
+      "integrity": "sha512-Tc8JQEfGQ1MzfSzI/bTlSr7btJv/FFO7Yh6tanqVmIWOuNCu6/D1MilIEgLtmWqIrsv+o4IjpLAhgMBr/ncNAA=="
+    },
+    "elegant-spinner": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/elegant-spinner/-/elegant-spinner-1.0.1.tgz",
+      "integrity": "sha1-2wQ1IcldfjA/2PNFvtwzSc+wcp4="
+    },
+    "elliptic": {
+      "version": "6.5.2",
+      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz",
+      "integrity": "sha512-f4x70okzZbIQl/NSRLkI/+tteV/9WqL98zx+SQ69KbXxmVrmjwsNUPn/gYJJ0sHvEak24cZgHIPegRePAtA/xw==",
+      "requires": {
+        "bn.js": "^4.4.0",
+        "brorand": "^1.0.1",
+        "hash.js": "^1.0.0",
+        "hmac-drbg": "^1.0.0",
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0",
+        "minimalistic-crypto-utils": "^1.0.0"
+      }
+    },
+    "emoji-regex": {
+      "version": "7.0.3",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-7.0.3.tgz",
+      "integrity": "sha512-CwBLREIQ7LvYFB0WyRvwhq5N5qPhc6PMjD6bYggFlI5YyDgl+0vxq5VHbMOFqLg7hfWzmu8T5Z1QofhmTIhItA=="
+    },
+    "emojis-list": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/emojis-list/-/emojis-list-2.1.0.tgz",
+      "integrity": "sha1-TapNnbAPmBmIDHn6RXrlsJof04k="
+    },
+    "encodeurl": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
+      "integrity": "sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k="
+    },
+    "encoding": {
+      "version": "0.1.12",
+      "resolved": "https://registry.npmjs.org/encoding/-/encoding-0.1.12.tgz",
+      "integrity": "sha1-U4tm8+5izRq1HsMjgp0flIDHS+s=",
+      "requires": {
+        "iconv-lite": "~0.4.13"
+      }
+    },
+    "end-of-stream": {
+      "version": "1.4.4",
+      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz",
+      "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==",
+      "requires": {
+        "once": "^1.4.0"
+      }
+    },
+    "enhanced-resolve": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-4.1.1.tgz",
+      "integrity": "sha512-98p2zE+rL7/g/DzMHMTF4zZlCgeVdJ7yr6xzEpJRYwFYrGi9ANdn5DnJURg6RpBkyk60XYDnWIv51VfIhfNGuA==",
+      "requires": {
+        "graceful-fs": "^4.1.2",
+        "memory-fs": "^0.5.0",
+        "tapable": "^1.0.0"
+      },
+      "dependencies": {
+        "memory-fs": {
+          "version": "0.5.0",
+          "resolved": "https://registry.npmjs.org/memory-fs/-/memory-fs-0.5.0.tgz",
+          "integrity": "sha512-jA0rdU5KoQMC0e6ppoNRtpp6vjFq6+NY7r8hywnC7V+1Xj/MtHwGIbB1QaK/dunyjWteJzmkpd7ooeWg10T7GA==",
+          "requires": {
+            "errno": "^0.1.3",
+            "readable-stream": "^2.0.1"
+          }
+        }
+      }
+    },
+    "entities": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-2.0.0.tgz",
+      "integrity": "sha512-D9f7V0JSRwIxlRI2mjMqufDrRDnx8p+eEOz7aUM9SuvF8gsBzra0/6tbjl1m8eQHrZlYj6PxqE00hZ1SAIKPLw=="
+    },
+    "env-paths": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.0.tgz",
+      "integrity": "sha512-6u0VYSCo/OW6IoD5WCLLy9JUGARbamfSavcNXry/eu8aHVFei6CD3Sw+VGX5alea1i9pgPHW0mbu6Xj0uBh7gA=="
+    },
+    "errno": {
+      "version": "0.1.7",
+      "resolved": "https://registry.npmjs.org/errno/-/errno-0.1.7.tgz",
+      "integrity": "sha512-MfrRBDWzIWifgq6tJj60gkAwtLNb6sQPlcFrSOflcP1aFmmruKQ2wRnze/8V6kgyz7H3FF8Npzv78mZ7XLLflg==",
+      "requires": {
+        "prr": "~1.0.1"
+      }
+    },
+    "error-ex": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz",
+      "integrity": "sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==",
+      "requires": {
+        "is-arrayish": "^0.2.1"
+      }
+    },
+    "error-stack-parser": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/error-stack-parser/-/error-stack-parser-2.0.4.tgz",
+      "integrity": "sha512-fZ0KkoxSjLFmhW5lHbUT3tLwy3nX1qEzMYo8koY1vrsAco53CMT1djnBSeC/wUjTEZRhZl9iRw7PaMaxfJ4wzQ==",
+      "requires": {
+        "stackframe": "^1.1.0"
+      }
+    },
+    "es-abstract": {
+      "version": "1.16.3",
+      "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.16.3.tgz",
+      "integrity": "sha512-WtY7Fx5LiOnSYgF5eg/1T+GONaGmpvpPdCpSnYij+U2gDTL0UPfWrhDw7b2IYb+9NQJsYpCA0wOQvZfsd6YwRw==",
+      "requires": {
+        "es-to-primitive": "^1.2.1",
+        "function-bind": "^1.1.1",
+        "has": "^1.0.3",
+        "has-symbols": "^1.0.1",
+        "is-callable": "^1.1.4",
+        "is-regex": "^1.0.4",
+        "object-inspect": "^1.7.0",
+        "object-keys": "^1.1.1",
+        "string.prototype.trimleft": "^2.1.0",
+        "string.prototype.trimright": "^2.1.0"
+      }
+    },
+    "es-to-primitive": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/es-to-primitive/-/es-to-primitive-1.2.1.tgz",
+      "integrity": "sha512-QCOllgZJtaUo9miYBcLChTUaHNjJF3PYs1VidD7AwiEj1kYxKeQTctLAezAOH5ZKRH0g2IgPn6KwB4IT8iRpvA==",
+      "requires": {
+        "is-callable": "^1.1.4",
+        "is-date-object": "^1.0.1",
+        "is-symbol": "^1.0.2"
+      }
+    },
+    "escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg="
+    },
+    "escape-string-regexp": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz",
+      "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ="
+    },
+    "eslint": {
+      "version": "6.8.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-6.8.0.tgz",
+      "integrity": "sha512-K+Iayyo2LtyYhDSYwz5D5QdWw0hCacNzyq1Y821Xna2xSJj7cijoLLYmLxTQgcgZ9mC61nryMy9S7GRbYpI5Ig==",
+      "requires": {
+        "@babel/code-frame": "^7.0.0",
+        "ajv": "^6.10.0",
+        "chalk": "^2.1.0",
+        "cross-spawn": "^6.0.5",
+        "debug": "^4.0.1",
+        "doctrine": "^3.0.0",
+        "eslint-scope": "^5.0.0",
+        "eslint-utils": "^1.4.3",
+        "eslint-visitor-keys": "^1.1.0",
+        "espree": "^6.1.2",
+        "esquery": "^1.0.1",
+        "esutils": "^2.0.2",
+        "file-entry-cache": "^5.0.1",
+        "functional-red-black-tree": "^1.0.1",
+        "glob-parent": "^5.0.0",
+        "globals": "^12.1.0",
+        "ignore": "^4.0.6",
+        "import-fresh": "^3.0.0",
+        "imurmurhash": "^0.1.4",
+        "inquirer": "^7.0.0",
+        "is-glob": "^4.0.0",
+        "js-yaml": "^3.13.1",
+        "json-stable-stringify-without-jsonify": "^1.0.1",
+        "levn": "^0.3.0",
+        "lodash": "^4.17.14",
+        "minimatch": "^3.0.4",
+        "mkdirp": "^0.5.1",
+        "natural-compare": "^1.4.0",
+        "optionator": "^0.8.3",
+        "progress": "^2.0.0",
+        "regexpp": "^2.0.1",
+        "semver": "^6.1.2",
+        "strip-ansi": "^5.2.0",
+        "strip-json-comments": "^3.0.1",
+        "table": "^5.2.3",
+        "text-table": "^0.2.0",
+        "v8-compile-cache": "^2.0.3"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+          "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "cross-spawn": {
+          "version": "6.0.5",
+          "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz",
+          "integrity": "sha512-eTVLrBSt7fjbDygz805pMnstIs2VTBNkRm0qxZd+M7A5XDdxVRWO5MxGBXZhjY4cqLYLdtrGqRf8mBPmzwSpWQ==",
+          "requires": {
+            "nice-try": "^1.0.4",
+            "path-key": "^2.0.1",
+            "semver": "^5.5.0",
+            "shebang-command": "^1.2.0",
+            "which": "^1.2.9"
+          },
+          "dependencies": {
+            "semver": {
+              "version": "5.7.1",
+              "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
+              "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+            }
+          }
+        },
+        "glob-parent": {
+          "version": "5.1.0",
+          "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz",
+          "integrity": "sha512-qjtRgnIVmOfnKUE3NJAQEdk+lKrxfw8t5ke7SXtfMTHcjsBfOfWXCQfdb30zfDoZQ2IRSIiidmjtbHZPZ++Ihw==",
+          "requires": {
+            "is-glob": "^4.0.1"
+          }
+        },
+        "globals": {
+          "version": "12.3.0",
+          "resolved": "https://registry.npmjs.org/globals/-/globals-12.3.0.tgz",
+          "integrity": "sha512-wAfjdLgFsPZsklLJvOBUBmzYE8/CwhEqSBEMRXA3qxIiNtyqvjYurAtIfDh6chlEPUfmTY3MnZh5Hfh4q0UlIw==",
+          "requires": {
+            "type-fest": "^0.8.1"
+          }
+        },
+        "import-fresh": {
+          "version": "3.2.1",
+          "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.2.1.tgz",
+          "integrity": "sha512-6e1q1cnWP2RXD9/keSkxHScg508CdXqXWgWBaETNhyuBFz+kUZlKboh+ISK+bU++DmbHimVBrOz/zzPe0sZ3sQ==",
+          "requires": {
+            "parent-module": "^1.0.0",
+            "resolve-from": "^4.0.0"
+          }
+        },
+        "regexpp": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-2.0.1.tgz",
+          "integrity": "sha512-lv0M6+TkDVniA3aD1Eg0DVpfU/booSu7Eev3TDO/mZKHBfVjgCGTV4t4buppESEYDtkArYFOxTJWv6S5C+iaNw=="
+        },
+        "resolve-from": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
+          "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g=="
+        },
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+        },
+        "strip-ansi": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+          "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+          "requires": {
+            "ansi-regex": "^4.1.0"
+          }
+        }
+      }
+    },
+    "eslint-config-prettier": {
+      "version": "6.9.0",
+      "resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-6.9.0.tgz",
+      "integrity": "sha512-k4E14HBtcLv0uqThaI6I/n1LEqROp8XaPu6SO9Z32u5NlGRC07Enu1Bh2KEFw4FNHbekH8yzbIU9kUGxbiGmCA==",
+      "requires": {
+        "get-stdin": "^6.0.0"
+      }
+    },
+    "eslint-plugin-eslint-plugin": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-eslint-plugin/-/eslint-plugin-eslint-plugin-2.1.0.tgz",
+      "integrity": "sha512-kT3A/ZJftt28gbl/Cv04qezb/NQ1dwYIbi8lyf806XMxkus7DvOVCLIfTXMrorp322Pnoez7+zabXH29tADIDg=="
+    },
+    "eslint-plugin-jsx-a11y": {
+      "version": "6.2.3",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-jsx-a11y/-/eslint-plugin-jsx-a11y-6.2.3.tgz",
+      "integrity": "sha512-CawzfGt9w83tyuVekn0GDPU9ytYtxyxyFZ3aSWROmnRRFQFT2BiPJd7jvRdzNDi6oLWaS2asMeYSNMjWTV4eNg==",
+      "requires": {
+        "@babel/runtime": "^7.4.5",
+        "aria-query": "^3.0.0",
+        "array-includes": "^3.0.3",
+        "ast-types-flow": "^0.0.7",
+        "axobject-query": "^2.0.2",
+        "damerau-levenshtein": "^1.0.4",
+        "emoji-regex": "^7.0.2",
+        "has": "^1.0.3",
+        "jsx-ast-utils": "^2.2.1"
+      }
+    },
+    "eslint-plugin-react": {
+      "version": "7.17.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-react/-/eslint-plugin-react-7.17.0.tgz",
+      "integrity": "sha512-ODB7yg6lxhBVMeiH1c7E95FLD4E/TwmFjltiU+ethv7KPdCwgiFuOZg9zNRHyufStTDLl/dEFqI2Q1VPmCd78A==",
+      "requires": {
+        "array-includes": "^3.0.3",
+        "doctrine": "^2.1.0",
+        "eslint-plugin-eslint-plugin": "^2.1.0",
+        "has": "^1.0.3",
+        "jsx-ast-utils": "^2.2.3",
+        "object.entries": "^1.1.0",
+        "object.fromentries": "^2.0.1",
+        "object.values": "^1.1.0",
+        "prop-types": "^15.7.2",
+        "resolve": "^1.13.1"
+      },
+      "dependencies": {
+        "doctrine": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-2.1.0.tgz",
+          "integrity": "sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==",
+          "requires": {
+            "esutils": "^2.0.2"
+          }
+        }
+      }
+    },
+    "eslint-scope": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-5.0.0.tgz",
+      "integrity": "sha512-oYrhJW7S0bxAFDvWqzvMPRm6pcgcnWc4QnofCAqRTRfQC0JcwenzGglTtsLyIuuWFfkqDG9vz67cnttSd53djw==",
+      "requires": {
+        "esrecurse": "^4.1.0",
+        "estraverse": "^4.1.1"
+      }
+    },
+    "eslint-utils": {
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.4.3.tgz",
+      "integrity": "sha512-fbBN5W2xdY45KulGXmLHZ3c3FHfVYmKg0IrAKGOkT/464PQsx2UeIzfz1RmEci+KLm1bBaAzZAh8+/E+XAeZ8Q==",
+      "requires": {
+        "eslint-visitor-keys": "^1.1.0"
+      }
+    },
+    "eslint-visitor-keys": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-1.1.0.tgz",
+      "integrity": "sha512-8y9YjtM1JBJU/A9Kc+SbaOV4y29sSWckBwMHa+FGtVj5gN/sbnKDf6xJUl+8g7FAij9LVaP8C24DUiH/f/2Z9A=="
+    },
+    "espree": {
+      "version": "6.1.2",
+      "resolved": "https://registry.npmjs.org/espree/-/espree-6.1.2.tgz",
+      "integrity": "sha512-2iUPuuPP+yW1PZaMSDM9eyVf8D5P0Hi8h83YtZ5bPc/zHYjII5khoixIUTMO794NOY8F/ThF1Bo8ncZILarUTA==",
+      "requires": {
+        "acorn": "^7.1.0",
+        "acorn-jsx": "^5.1.0",
+        "eslint-visitor-keys": "^1.1.0"
+      },
+      "dependencies": {
+        "acorn": {
+          "version": "7.1.0",
+          "resolved": "https://registry.npmjs.org/acorn/-/acorn-7.1.0.tgz",
+          "integrity": "sha512-kL5CuoXA/dgxlBbVrflsflzQ3PAas7RYZB52NOm/6839iVYJgKMJ3cQJD+t2i5+qFa8h3MDpEOJiS64E8JLnSQ=="
+        }
+      }
+    },
+    "esprima": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
+      "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A=="
+    },
+    "esquery": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.0.1.tgz",
+      "integrity": "sha512-SmiyZ5zIWH9VM+SRUReLS5Q8a7GxtRdxEBVZpm98rJM7Sb+A9DVCndXfkeFUd3byderg+EbDkfnevfCwynWaNA==",
+      "requires": {
+        "estraverse": "^4.0.0"
+      }
+    },
+    "esrecurse": {
+      "version": "4.2.1",
+      "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.2.1.tgz",
+      "integrity": "sha512-64RBB++fIOAXPw3P9cy89qfMlvZEXZkqqJkjqqXIvzP5ezRZjW+lPWjw35UX/3EhUPFYbg5ER4JYgDw4007/DQ==",
+      "requires": {
+        "estraverse": "^4.1.0"
+      }
+    },
+    "estraverse": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.3.0.tgz",
+      "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw=="
+    },
+    "esutils": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
+      "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g=="
+    },
+    "etag": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
+      "integrity": "sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc="
+    },
+    "events": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/events/-/events-3.1.0.tgz",
+      "integrity": "sha512-Rv+u8MLHNOdMjTAFeT3nCjHn2aGlx435FP/sDHNaRhDEMwyI/aB22Kj2qIN8R0cw3z28psEQLYwxVKLsKrMgWg=="
+    },
+    "evp_bytestokey": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/evp_bytestokey/-/evp_bytestokey-1.0.3.tgz",
+      "integrity": "sha512-/f2Go4TognH/KvCISP7OUsHn85hT9nUkxxA9BEWxFn+Oj9o8ZNLm/40hdlgSLyuOimsrTKLUMEorQexp/aPQeA==",
+      "requires": {
+        "md5.js": "^1.3.4",
+        "safe-buffer": "^5.1.1"
+      }
+    },
+    "exec-buffer": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/exec-buffer/-/exec-buffer-3.2.0.tgz",
+      "integrity": "sha512-wsiD+2Tp6BWHoVv3B+5Dcx6E7u5zky+hUwOHjuH2hKSLR3dvRmX8fk8UD8uqQixHs4Wk6eDmiegVrMPjKj7wpA==",
+      "requires": {
+        "execa": "^0.7.0",
+        "p-finally": "^1.0.0",
+        "pify": "^3.0.0",
+        "rimraf": "^2.5.4",
+        "tempfile": "^2.0.0"
+      },
+      "dependencies": {
+        "pify": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+          "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+        }
+      }
+    },
+    "execa": {
+      "version": "0.7.0",
+      "resolved": "https://registry.npmjs.org/execa/-/execa-0.7.0.tgz",
+      "integrity": "sha1-lEvs00zEHuMqY6n68nrVpl/Fl3c=",
+      "requires": {
+        "cross-spawn": "^5.0.1",
+        "get-stream": "^3.0.0",
+        "is-stream": "^1.1.0",
+        "npm-run-path": "^2.0.0",
+        "p-finally": "^1.0.0",
+        "signal-exit": "^3.0.0",
+        "strip-eof": "^1.0.0"
+      }
+    },
+    "executable": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/executable/-/executable-4.1.1.tgz",
+      "integrity": "sha512-8iA79xD3uAch729dUG8xaaBBFGaEa0wdD2VkYLFHwlqosEj/jT66AzcreRDSgV7ehnNLBW2WR5jIXwGKjVdTLg==",
+      "requires": {
+        "pify": "^2.2.0"
+      }
+    },
+    "expand-brackets": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/expand-brackets/-/expand-brackets-2.1.4.tgz",
+      "integrity": "sha1-t3c14xXOMPa27/D4OwQVGiJEliI=",
+      "requires": {
+        "debug": "^2.3.3",
+        "define-property": "^0.2.5",
+        "extend-shallow": "^2.0.1",
+        "posix-character-classes": "^0.1.0",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "define-property": {
+          "version": "0.2.5",
+          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        },
+        "extend-shallow": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
+          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+          "requires": {
+            "is-extendable": "^0.1.0"
+          }
+        },
+        "ms": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+        }
+      }
+    },
+    "express": {
+      "version": "4.17.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
+      "integrity": "sha512-mHJ9O79RqluphRrcw2X/GTh3k9tVv8YcoyY4Kkh4WDMUYKRZUq0h1o0w2rrrxBqM7VoeUVqgb27xlEMXTnYt4g==",
+      "requires": {
+        "accepts": "~1.3.7",
+        "array-flatten": "1.1.1",
+        "body-parser": "1.19.0",
+        "content-disposition": "0.5.3",
+        "content-type": "~1.0.4",
+        "cookie": "0.4.0",
+        "cookie-signature": "1.0.6",
+        "debug": "2.6.9",
+        "depd": "~1.1.2",
+        "encodeurl": "~1.0.2",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "finalhandler": "~1.1.2",
+        "fresh": "0.5.2",
+        "merge-descriptors": "1.0.1",
+        "methods": "~1.1.2",
+        "on-finished": "~2.3.0",
+        "parseurl": "~1.3.3",
+        "path-to-regexp": "0.1.7",
+        "proxy-addr": "~2.0.5",
+        "qs": "6.7.0",
+        "range-parser": "~1.2.1",
+        "safe-buffer": "5.1.2",
+        "send": "0.17.1",
+        "serve-static": "1.14.1",
+        "setprototypeof": "1.1.1",
+        "statuses": "~1.5.0",
+        "type-is": "~1.6.18",
+        "utils-merge": "1.0.1",
+        "vary": "~1.1.2"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "ms": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+        }
+      }
+    },
+    "ext-list": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/ext-list/-/ext-list-2.2.2.tgz",
+      "integrity": "sha512-u+SQgsubraE6zItfVA0tBuCBhfU9ogSRnsvygI7wht9TS510oLkBRXBsqopeUG/GBOIQyKZO9wjTqIu/sf5zFA==",
+      "requires": {
+        "mime-db": "^1.28.0"
+      }
+    },
+    "ext-name": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/ext-name/-/ext-name-5.0.0.tgz",
+      "integrity": "sha512-yblEwXAbGv1VQDmow7s38W77hzAgJAO50ztBLMcUyUBfxv1HC+LGwtiEN+Co6LtlqT/5uwVOxsD4TNIilWhwdQ==",
+      "requires": {
+        "ext-list": "^2.0.0",
+        "sort-keys-length": "^1.0.0"
+      }
+    },
+    "extend": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
+      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g=="
+    },
+    "extend-shallow": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-3.0.2.tgz",
+      "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=",
+      "requires": {
+        "assign-symbols": "^1.0.0",
+        "is-extendable": "^1.0.1"
+      },
+      "dependencies": {
+        "is-extendable": {
+          "version": "1.0.1",
+          "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-1.0.1.tgz",
+          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+          "requires": {
+            "is-plain-object": "^2.0.4"
+          }
+        }
+      }
+    },
+    "external-editor": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/external-editor/-/external-editor-3.1.0.tgz",
+      "integrity": "sha512-hMQ4CX1p1izmuLYyZqLMO/qGNw10wSv9QDCPfzXfyFrOaCSSoRfqE1Kf1s5an66J5JZC62NewG+mK49jOCtQew==",
+      "requires": {
+        "chardet": "^0.7.0",
+        "iconv-lite": "^0.4.24",
+        "tmp": "^0.0.33"
+      }
+    },
+    "extglob": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/extglob/-/extglob-2.0.4.tgz",
+      "integrity": "sha512-Nmb6QXkELsuBr24CJSkilo6UHHgbekK5UiZgfE6UHD3Eb27YC6oD+bhcT+tJ6cl8dmsgdQxnWlcry8ksBIBLpw==",
+      "requires": {
+        "array-unique": "^0.3.2",
+        "define-property": "^1.0.0",
+        "expand-brackets": "^2.1.4",
+        "extend-shallow": "^2.0.1",
+        "fragment-cache": "^0.2.1",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz",
+          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+          "requires": {
+            "is-descriptor": "^1.0.0"
+          }
+        },
+        "extend-shallow": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
+          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+          "requires": {
+            "is-extendable": "^0.1.0"
+          }
+        },
+        "is-accessor-descriptor": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz",
+          "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
+          "requires": {
+            "kind-of": "^6.0.0"
+          }
+        },
+        "is-data-descriptor": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz",
+          "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
+          "requires": {
+            "kind-of": "^6.0.0"
+          }
+        },
+        "is-descriptor": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz",
+          "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
+          "requires": {
+            "is-accessor-descriptor": "^1.0.0",
+            "is-data-descriptor": "^1.0.0",
+            "kind-of": "^6.0.2"
+          }
+        }
+      }
+    },
+    "extracted-loader": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/extracted-loader/-/extracted-loader-1.0.4.tgz",
+      "integrity": "sha512-G8A0hT/WCWIjesZm7BwbWdST5dQ08GNnCpTrJT/k/FYzuiJwlV1gyWjnuoizOzAR4jpEYXG2J++JyEKN/EB26Q=="
+    },
+    "fast-deep-equal": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz",
+      "integrity": "sha1-ewUhjd+WZ79/Nwv3/bLLFf3Qqkk="
+    },
+    "fast-glob": {
+      "version": "2.2.7",
+      "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-2.2.7.tgz",
+      "integrity": "sha512-g1KuQwHOZAmOZMuBtHdxDtju+T2RT8jgCC9aANsbpdiDDTSnjgfuVsIBNKbUeJI3oKMRExcfNDtJl4OhbffMsw==",
+      "requires": {
+        "@mrmlnc/readdir-enhanced": "^2.2.1",
+        "@nodelib/fs.stat": "^1.1.2",
+        "glob-parent": "^3.1.0",
+        "is-glob": "^4.0.0",
+        "merge2": "^1.2.3",
+        "micromatch": "^3.1.10"
+      }
+    },
+    "fast-json-stable-stringify": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.0.0.tgz",
+      "integrity": "sha1-1RQsDK7msRifh9OnYREGT4bIu/I="
+    },
+    "fast-levenshtein": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz",
+      "integrity": "sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc="
+    },
+    "fastparse": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/fastparse/-/fastparse-1.1.2.tgz",
+      "integrity": "sha512-483XLLxTVIwWK3QTrMGRqUfUpoOs/0hbQrl2oz4J0pAcm3A3bu84wxTFqGqkJzewCLdME38xJLJAxBABfQT8sQ=="
+    },
+    "fastq": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.6.0.tgz",
+      "integrity": "sha512-jmxqQ3Z/nXoeyDmWAzF9kH1aGZSis6e/SbfPmJpUnyZ0ogr6iscHQaml4wsEepEWSdtmpy+eVXmCRIMpxaXqOA==",
+      "requires": {
+        "reusify": "^1.0.0"
+      }
+    },
+    "fault": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/fault/-/fault-1.0.3.tgz",
+      "integrity": "sha512-sfFuP4X0hzrbGKjAUNXYvNqsZ5F6ohx/dZ9I0KQud/aiZNwg263r5L9yGB0clvXHCkzXh5W3t7RSHchggYIFmA==",
+      "requires": {
+        "format": "^0.2.2"
+      }
+    },
+    "fb-watchman": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/fb-watchman/-/fb-watchman-2.0.1.tgz",
+      "integrity": "sha512-DkPJKQeY6kKwmuMretBhr7G6Vodr7bFwDYTXIkfG1gjvNpaxBTQV3PbXg6bR1c1UP4jPOX0jHUbbHANL9vRjVg==",
+      "requires": {
+        "bser": "2.1.1"
+      }
+    },
+    "fbjs": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fbjs/-/fbjs-1.0.0.tgz",
+      "integrity": "sha512-MUgcMEJaFhCaF1QtWGnmq9ZDRAzECTCRAF7O6UZIlAlkTs1SasiX9aP0Iw7wfD2mJ7wDTNfg2w7u5fSCwJk1OA==",
+      "requires": {
+        "core-js": "^2.4.1",
+        "fbjs-css-vars": "^1.0.0",
+        "isomorphic-fetch": "^2.1.1",
+        "loose-envify": "^1.0.0",
+        "object-assign": "^4.1.0",
+        "promise": "^7.1.1",
+        "setimmediate": "^1.0.5",
+        "ua-parser-js": "^0.7.18"
+      }
+    },
+    "fbjs-css-vars": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/fbjs-css-vars/-/fbjs-css-vars-1.0.2.tgz",
+      "integrity": "sha512-b2XGFAFdWZWg0phtAWLHCk836A1Xann+I+Dgd3Gk64MHKZO44FfoD1KxyvbSh0qZsIoXQGGlVztIY+oitJPpRQ=="
+    },
+    "fd-slicer": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/fd-slicer/-/fd-slicer-1.1.0.tgz",
+      "integrity": "sha1-JcfInLH5B3+IkbvmHY85Dq4lbx4=",
+      "requires": {
+        "pend": "~1.2.0"
+      }
+    },
+    "figgy-pudding": {
+      "version": "3.5.1",
+      "resolved": "https://registry.npmjs.org/figgy-pudding/-/figgy-pudding-3.5.1.tgz",
+      "integrity": "sha512-vNKxJHTEKNThjfrdJwHc7brvM6eVevuO5nTj6ez8ZQ1qbXTvGthucRF7S4vf2cr71QVnT70V34v0S1DyQsti0w=="
+    },
+    "figures": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/figures/-/figures-3.1.0.tgz",
+      "integrity": "sha512-ravh8VRXqHuMvZt/d8GblBeqDMkdJMBdv/2KntFH+ra5MXkO7nxNKpzQ3n6QD/2da1kH0aWmNISdvhM7gl2gVg==",
+      "requires": {
+        "escape-string-regexp": "^1.0.5"
+      }
+    },
+    "file-entry-cache": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-5.0.1.tgz",
+      "integrity": "sha512-bCg29ictuBaKUwwArK4ouCaqDgLZcysCFLmM/Yn/FDoqndh/9vNuQfXRDvTuXKLxfD/JtZQGKFT8MGcJBK644g==",
+      "requires": {
+        "flat-cache": "^2.0.1"
+      }
+    },
+    "file-loader": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/file-loader/-/file-loader-3.0.1.tgz",
+      "integrity": "sha512-4sNIOXgtH/9WZq4NvlfU3Opn5ynUsqBwSLyM+I7UOwdGigTBYfVVQEwe/msZNX/j4pCJTIM14Fsw66Svo1oVrw==",
+      "requires": {
+        "loader-utils": "^1.0.2",
+        "schema-utils": "^1.0.0"
+      }
+    },
+    "file-type": {
+      "version": "10.11.0",
+      "resolved": "https://registry.npmjs.org/file-type/-/file-type-10.11.0.tgz",
+      "integrity": "sha512-uzk64HRpUZyTGZtVuvrjP0FYxzQrBf4rojot6J65YMEbwBLB0CWm0CLojVpwpmFmxcE/lkvYICgfcGozbBq6rw=="
+    },
+    "file-uri-to-path": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz",
+      "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==",
+      "optional": true
+    },
+    "filename-reserved-regex": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/filename-reserved-regex/-/filename-reserved-regex-2.0.0.tgz",
+      "integrity": "sha1-q/c9+rc10EVECr/qLZHzieu/oik="
+    },
+    "filenamify": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/filenamify/-/filenamify-2.1.0.tgz",
+      "integrity": "sha512-ICw7NTT6RsDp2rnYKVd8Fu4cr6ITzGy3+u4vUujPkabyaz+03F24NWEX7fs5fp+kBonlaqPH8fAO2NM+SXt/JA==",
+      "requires": {
+        "filename-reserved-regex": "^2.0.0",
+        "strip-outer": "^1.0.0",
+        "trim-repeated": "^1.0.0"
+      }
+    },
+    "filesize": {
+      "version": "3.6.1",
+      "resolved": "https://registry.npmjs.org/filesize/-/filesize-3.6.1.tgz",
+      "integrity": "sha512-7KjR1vv6qnicaPMi1iiTcI85CyYwRO/PSFCu6SvqL8jN2Wjt/NIYQTFtFs7fSDCYOstUkEWIQGFUg5YZQfjlcg=="
+    },
+    "fill-range": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz",
+      "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=",
+      "requires": {
+        "extend-shallow": "^2.0.1",
+        "is-number": "^3.0.0",
+        "repeat-string": "^1.6.1",
+        "to-regex-range": "^2.1.0"
+      },
+      "dependencies": {
+        "extend-shallow": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
+          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+          "requires": {
+            "is-extendable": "^0.1.0"
+          }
+        }
+      }
+    },
+    "finalhandler": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.2.tgz",
+      "integrity": "sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA==",
+      "requires": {
+        "debug": "2.6.9",
+        "encodeurl": "~1.0.2",
+        "escape-html": "~1.0.3",
+        "on-finished": "~2.3.0",
+        "parseurl": "~1.3.3",
+        "statuses": "~1.5.0",
+        "unpipe": "~1.0.0"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "ms": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+        }
+      }
+    },
+    "find-cache-dir": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/find-cache-dir/-/find-cache-dir-1.0.0.tgz",
+      "integrity": "sha1-kojj6ePMN0hxfTnq3hfPcfww7m8=",
+      "requires": {
+        "commondir": "^1.0.1",
+        "make-dir": "^1.0.0",
+        "pkg-dir": "^2.0.0"
+      },
+      "dependencies": {
+        "pkg-dir": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-2.0.0.tgz",
+          "integrity": "sha1-9tXREJ4Z1j7fQo4L1X4Sd3YVM0s=",
+          "requires": {
+            "find-up": "^2.1.0"
+          }
+        }
+      }
+    },
+    "find-up": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-2.1.0.tgz",
+      "integrity": "sha1-RdG35QbHF93UgndaK3eSCjwMV6c=",
+      "requires": {
+        "locate-path": "^2.0.0"
+      }
+    },
+    "find-versions": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/find-versions/-/find-versions-3.2.0.tgz",
+      "integrity": "sha512-P8WRou2S+oe222TOCHitLy8zj+SIsVJh52VP4lvXkaFVnOFFdoWv1H1Jjvel1aI6NCFOAaeAVm8qrI0odiLcww==",
+      "requires": {
+        "semver-regex": "^2.0.0"
+      }
+    },
+    "flat-cache": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/flat-cache/-/flat-cache-2.0.1.tgz",
+      "integrity": "sha512-LoQe6yDuUMDzQAEH8sgmh4Md6oZnc/7PjtwjNFSzveXqSHt6ka9fPBuso7IGf9Rz4uqnSnWiFH2B/zj24a5ReA==",
+      "requires": {
+        "flatted": "^2.0.0",
+        "rimraf": "2.6.3",
+        "write": "1.0.3"
+      }
+    },
+    "flatted": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-2.0.1.tgz",
+      "integrity": "sha512-a1hQMktqW9Nmqr5aktAux3JMNqaucxGcjtjWnZLHX7yyPCmlSV3M54nGYbqT8K+0GhF3NBgmJCc3ma+WOgX8Jg=="
+    },
+    "flatten": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/flatten/-/flatten-1.0.3.tgz",
+      "integrity": "sha512-dVsPA/UwQ8+2uoFe5GHtiBMu48dWLTdsuEd7CKGlZlD78r1TTWBvDuFaFGKCo/ZfEr95Uk56vZoX86OsHkUeIg=="
+    },
+    "flush-write-stream": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/flush-write-stream/-/flush-write-stream-1.1.1.tgz",
+      "integrity": "sha512-3Z4XhFZ3992uIq0XOqb9AreonueSYphE6oYbpt5+3u06JWklbsPkNv3ZKkP9Bz/r+1MWCaMoSQ28P85+1Yc77w==",
+      "requires": {
+        "inherits": "^2.0.3",
+        "readable-stream": "^2.3.6"
+      }
+    },
+    "follow-redirects": {
+      "version": "1.5.10",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz",
+      "integrity": "sha512-0V5l4Cizzvqt5D44aTXbFZz+FtyXV1vrDN6qrelxtfYQKW0KO0W2T/hkE8xvGa/540LkZlkaUjO4ailYTFtHVQ==",
+      "requires": {
+        "debug": "=3.1.0"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "3.1.0",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
+          "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "ms": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+        }
+      }
+    },
+    "for-in": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/for-in/-/for-in-1.0.2.tgz",
+      "integrity": "sha1-gQaNKVqBQuwKxybG4iAMMPttXoA="
+    },
+    "fork-ts-checker-webpack-plugin": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/fork-ts-checker-webpack-plugin/-/fork-ts-checker-webpack-plugin-3.1.1.tgz",
+      "integrity": "sha512-DuVkPNrM12jR41KM2e+N+styka0EgLkTnXmNcXdgOM37vtGeY+oCBK/Jx0hzSeEU6memFCtWb4htrHPMDfwwUQ==",
+      "requires": {
+        "babel-code-frame": "^6.22.0",
+        "chalk": "^2.4.1",
+        "chokidar": "^3.3.0",
+        "micromatch": "^3.1.10",
+        "minimatch": "^3.0.4",
+        "semver": "^5.6.0",
+        "tapable": "^1.0.0",
+        "worker-rpc": "^0.1.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "format": {
+      "version": "0.2.2",
+      "resolved": "https://registry.npmjs.org/format/-/format-0.2.2.tgz",
+      "integrity": "sha1-1hcBB+nv3E7TDJ3DkBbflCtctYs="
+    },
+    "formik": {
+      "version": "1.5.8",
+      "resolved": "https://registry.npmjs.org/formik/-/formik-1.5.8.tgz",
+      "integrity": "sha512-fNvPe+ddbh+7xiByT25vuso2p2hseG/Yvuj211fV1DbCjljUEG9OpgRpcb7g7O3kxHX/q31cbZDzMxJXPWSNwA==",
+      "requires": {
+        "create-react-context": "^0.2.2",
+        "deepmerge": "^2.1.1",
+        "hoist-non-react-statics": "^3.3.0",
+        "lodash": "^4.17.14",
+        "lodash-es": "^4.17.14",
+        "prop-types": "^15.6.1",
+        "react-fast-compare": "^2.0.1",
+        "tiny-warning": "^1.0.2",
+        "tslib": "^1.9.3"
+      },
+      "dependencies": {
+        "deepmerge": {
+          "version": "2.2.1",
+          "resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-2.2.1.tgz",
+          "integrity": "sha512-R9hc1Xa/NOBi9WRVUWg19rl1UB7Tt4kuPd+thNJgFZoxXsTz7ncaPaeIm+40oSGuP33DfMb4sZt1QIGiJzC4EA=="
+        }
+      }
+    },
+    "forwarded": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz",
+      "integrity": "sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ="
+    },
+    "fragment-cache": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/fragment-cache/-/fragment-cache-0.2.1.tgz",
+      "integrity": "sha1-QpD60n8T6Jvn8zeZxrxaCr//DRk=",
+      "requires": {
+        "map-cache": "^0.2.2"
+      }
+    },
+    "fresh": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
+      "integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac="
+    },
+    "from2": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/from2/-/from2-2.3.0.tgz",
+      "integrity": "sha1-i/tVAr3kpNNs/e6gB/zKIdfjgq8=",
+      "requires": {
+        "inherits": "^2.0.1",
+        "readable-stream": "^2.0.0"
+      }
+    },
+    "fs-constants": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz",
+      "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow=="
+    },
+    "fs-extra": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-8.1.0.tgz",
+      "integrity": "sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g==",
+      "requires": {
+        "graceful-fs": "^4.2.0",
+        "jsonfile": "^4.0.0",
+        "universalify": "^0.1.0"
+      }
+    },
+    "fs-write-stream-atomic": {
+      "version": "1.0.10",
+      "resolved": "https://registry.npmjs.org/fs-write-stream-atomic/-/fs-write-stream-atomic-1.0.10.tgz",
+      "integrity": "sha1-tH31NJPvkR33VzHnCp3tAYnbQMk=",
+      "requires": {
+        "graceful-fs": "^4.1.2",
+        "iferr": "^0.1.5",
+        "imurmurhash": "^0.1.4",
+        "readable-stream": "1 || 2"
+      }
+    },
+    "fs.realpath": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
+      "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8="
+    },
+    "fsevents": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.1.2.tgz",
+      "integrity": "sha512-R4wDiBwZ0KzpgOWetKDug1FZcYhqYnUYKtfZYt4mD5SBz76q0KR4Q9o7GIPamsVPGmW3EYPPJ0dOOjvx32ldZA==",
+      "optional": true
+    },
+    "function-bind": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz",
+      "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A=="
+    },
+    "functional-red-black-tree": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/functional-red-black-tree/-/functional-red-black-tree-1.0.1.tgz",
+      "integrity": "sha1-GwqzvVU7Kg1jmdKcDj6gslIHgyc="
+    },
+    "fuse.js": {
+      "version": "3.4.6",
+      "resolved": "https://registry.npmjs.org/fuse.js/-/fuse.js-3.4.6.tgz",
+      "integrity": "sha512-H6aJY4UpLFwxj1+5nAvufom5b2BT2v45P1MkPvdGIK8fWjQx/7o6tTT1+ALV0yawQvbmvCF0ufl2et8eJ7v7Cg=="
+    },
+    "fuzzysearch": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/fuzzysearch/-/fuzzysearch-1.0.3.tgz",
+      "integrity": "sha1-3/yA9tawQiPyImqnndGUIxCW0Ag="
+    },
+    "get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg=="
+    },
+    "get-own-enumerable-property-symbols": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/get-own-enumerable-property-symbols/-/get-own-enumerable-property-symbols-3.0.2.tgz",
+      "integrity": "sha512-I0UBV/XOz1XkIJHEUDMZAbzCThU/H8DxmSfmdGcKPnVhu2VfFqr34jr9777IyaTYvxjedWhqVIilEDsCdP5G6g=="
+    },
+    "get-proxy": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/get-proxy/-/get-proxy-2.1.0.tgz",
+      "integrity": "sha512-zmZIaQTWnNQb4R4fJUEp/FC51eZsc6EkErspy3xtIYStaq8EB/hDIWipxsal+E8rz0qD7f2sL/NA9Xee4RInJw==",
+      "requires": {
+        "npm-conf": "^1.1.0"
+      }
+    },
+    "get-stdin": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-6.0.0.tgz",
+      "integrity": "sha512-jp4tHawyV7+fkkSKyvjuLZswblUtz+SQKzSWnBbii16BuZksJlU1wuBYXY75r+duh/llF1ur6oNwi+2ZzjKZ7g=="
+    },
+    "get-stream": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-3.0.0.tgz",
+      "integrity": "sha1-jpQ9E1jcN1VQVOy+LtsFqhdO3hQ="
+    },
+    "get-value": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/get-value/-/get-value-2.0.6.tgz",
+      "integrity": "sha1-3BXKHGcjh8p2vTesCjlbogQqLCg="
+    },
+    "github-slugger": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/github-slugger/-/github-slugger-1.2.1.tgz",
+      "integrity": "sha512-SsZUjg/P03KPzQBt7OxJPasGw6NRO5uOgiZ5RGXVud5iSIZ0eNZeNp5rTwCxtavrRUa/A77j8mePVc5lEvk0KQ==",
+      "requires": {
+        "emoji-regex": ">=6.0.0 <=6.1.1"
+      },
+      "dependencies": {
+        "emoji-regex": {
+          "version": "6.1.1",
+          "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-6.1.1.tgz",
+          "integrity": "sha1-xs0OwbBkLio8Z6ETfvxeeW2k+I4="
+        }
+      }
+    },
+    "glob": {
+      "version": "7.1.6",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.6.tgz",
+      "integrity": "sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==",
+      "requires": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.0.4",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      }
+    },
+    "glob-parent": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz",
+      "integrity": "sha1-nmr2KZ2NO9K9QEMIMr0RPfkGxa4=",
+      "requires": {
+        "is-glob": "^3.1.0",
+        "path-dirname": "^1.0.0"
+      },
+      "dependencies": {
+        "is-glob": {
+          "version": "3.1.0",
+          "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-3.1.0.tgz",
+          "integrity": "sha1-e6WuJCF4BKxwcHuWkiVnSGzD6Eo=",
+          "requires": {
+            "is-extglob": "^2.1.0"
+          }
+        }
+      }
+    },
+    "glob-to-regexp": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/glob-to-regexp/-/glob-to-regexp-0.3.0.tgz",
+      "integrity": "sha1-jFoUlNIGbFcMw7/kSWF1rMTVAqs="
+    },
+    "globals": {
+      "version": "11.12.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
+      "integrity": "sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA=="
+    },
+    "globby": {
+      "version": "10.0.1",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-10.0.1.tgz",
+      "integrity": "sha512-sSs4inE1FB2YQiymcmTv6NWENryABjUNPeWhOvmn4SjtKybglsyPZxFB3U1/+L1bYi0rNZDqCLlHyLYDl1Pq5A==",
+      "requires": {
+        "@types/glob": "^7.1.1",
+        "array-union": "^2.1.0",
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.0.3",
+        "glob": "^7.1.3",
+        "ignore": "^5.1.1",
+        "merge2": "^1.2.3",
+        "slash": "^3.0.0"
+      },
+      "dependencies": {
+        "@nodelib/fs.stat": {
+          "version": "2.0.3",
+          "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.3.tgz",
+          "integrity": "sha512-bQBFruR2TAwoevBEd/NWMoAAtNGzTRgdrqnYCc7dhzfoNvqPzLyqlEQnzZ3kVnNrSp25iyxE00/3h2fqGAGArA=="
+        },
+        "braces": {
+          "version": "3.0.2",
+          "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
+          "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+          "requires": {
+            "fill-range": "^7.0.1"
+          }
+        },
+        "fast-glob": {
+          "version": "3.1.1",
+          "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.1.1.tgz",
+          "integrity": "sha512-nTCREpBY8w8r+boyFYAx21iL6faSsQynliPHM4Uf56SbkyohCNxpVPEH9xrF5TXKy+IsjkPUHDKiUkzBVRXn9g==",
+          "requires": {
+            "@nodelib/fs.stat": "^2.0.2",
+            "@nodelib/fs.walk": "^1.2.3",
+            "glob-parent": "^5.1.0",
+            "merge2": "^1.3.0",
+            "micromatch": "^4.0.2"
+          }
+        },
+        "fill-range": {
+          "version": "7.0.1",
+          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
+          "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+          "requires": {
+            "to-regex-range": "^5.0.1"
+          }
+        },
+        "glob-parent": {
+          "version": "5.1.0",
+          "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz",
+          "integrity": "sha512-qjtRgnIVmOfnKUE3NJAQEdk+lKrxfw8t5ke7SXtfMTHcjsBfOfWXCQfdb30zfDoZQ2IRSIiidmjtbHZPZ++Ihw==",
+          "requires": {
+            "is-glob": "^4.0.1"
+          }
+        },
+        "ignore": {
+          "version": "5.1.4",
+          "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.1.4.tgz",
+          "integrity": "sha512-MzbUSahkTW1u7JpKKjY7LCARd1fU5W2rLdxlM4kdkayuCwZImjkpluF9CM1aLewYJguPDqewLam18Y6AU69A8A=="
+        },
+        "is-number": {
+          "version": "7.0.0",
+          "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+          "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng=="
+        },
+        "micromatch": {
+          "version": "4.0.2",
+          "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz",
+          "integrity": "sha512-y7FpHSbMUMoyPbYUSzO6PaZ6FyRnQOpHuKwbo1G+Knck95XVU4QAiKdGEnj5wwoS7PlOgthX/09u5iFJ+aYf5Q==",
+          "requires": {
+            "braces": "^3.0.1",
+            "picomatch": "^2.0.5"
+          }
+        },
+        "to-regex-range": {
+          "version": "5.0.1",
+          "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+          "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+          "requires": {
+            "is-number": "^7.0.0"
+          }
+        }
+      }
+    },
+    "got": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/got/-/got-9.6.0.tgz",
+      "integrity": "sha512-R7eWptXuGYxwijs0eV+v3o6+XH1IqVK8dJOEecQfTmkncw9AV4dcw/Dhxi8MdlqPthxxpZyizMzyg8RTmEsG+Q==",
+      "requires": {
+        "@sindresorhus/is": "^0.14.0",
+        "@szmarczak/http-timer": "^1.1.2",
+        "cacheable-request": "^6.0.0",
+        "decompress-response": "^3.3.0",
+        "duplexer3": "^0.1.4",
+        "get-stream": "^4.1.0",
+        "lowercase-keys": "^1.0.1",
+        "mimic-response": "^1.0.1",
+        "p-cancelable": "^1.0.0",
+        "to-readable-stream": "^1.0.0",
+        "url-parse-lax": "^3.0.0"
+      },
+      "dependencies": {
+        "get-stream": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-4.1.0.tgz",
+          "integrity": "sha512-GMat4EJ5161kIy2HevLlr4luNjBgvmj413KaQA7jt4V8B4RDsfpHk7WQ9GVqfYyyx8OS/L66Kox+rJRNklLK7w==",
+          "requires": {
+            "pump": "^3.0.0"
+          }
+        }
+      }
+    },
+    "graceful-fs": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.3.tgz",
+      "integrity": "sha512-a30VEBm4PEdx1dRB7MFK7BejejvCvBronbLjht+sHuGYj8PHs7M/5Z+rt5lw551vZ7yfTCj4Vuyy3mSJytDWRQ=="
+    },
+    "graceful-readlink": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/graceful-readlink/-/graceful-readlink-1.0.1.tgz",
+      "integrity": "sha1-TK+tdrxi8C+gObL5Tpo906ORpyU="
+    },
+    "graphql": {
+      "version": "14.5.8",
+      "resolved": "https://registry.npmjs.org/graphql/-/graphql-14.5.8.tgz",
+      "integrity": "sha512-MMwmi0zlVLQKLdGiMfWkgQD7dY/TUKt4L+zgJ/aR0Howebod3aNgP5JkgvAULiR2HPVZaP2VEElqtdidHweLkg==",
+      "requires": {
+        "iterall": "^1.2.2"
+      }
+    },
+    "graphql-import": {
+      "version": "0.7.1",
+      "resolved": "https://registry.npmjs.org/graphql-import/-/graphql-import-0.7.1.tgz",
+      "integrity": "sha512-YpwpaPjRUVlw2SN3OPljpWbVRWAhMAyfSba5U47qGMOSsPLi2gYeJtngGpymjm9nk57RFWEpjqwh4+dpYuFAPw==",
+      "requires": {
+        "lodash": "^4.17.4",
+        "resolve-from": "^4.0.0"
+      },
+      "dependencies": {
+        "resolve-from": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
+          "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g=="
+        }
+      }
+    },
+    "graphql-request": {
+      "version": "1.8.2",
+      "resolved": "https://registry.npmjs.org/graphql-request/-/graphql-request-1.8.2.tgz",
+      "integrity": "sha512-dDX2M+VMsxXFCmUX0Vo0TopIZIX4ggzOtiCsThgtrKR4niiaagsGTDIHj3fsOMFETpa064vzovI+4YV4QnMbcg==",
+      "requires": {
+        "cross-fetch": "2.2.2"
+      }
+    },
+    "graphql-tag": {
+      "version": "2.10.1",
+      "resolved": "https://registry.npmjs.org/graphql-tag/-/graphql-tag-2.10.1.tgz",
+      "integrity": "sha512-jApXqWBzNXQ8jYa/HLkZJaVw9jgwNqZkywa2zfFn16Iv1Zb7ELNHkJaXHR7Quvd5SIGsy6Ny7SUKATgnu05uEg=="
+    },
+    "graphql-tag-pluck": {
+      "version": "0.8.7",
+      "resolved": "https://registry.npmjs.org/graphql-tag-pluck/-/graphql-tag-pluck-0.8.7.tgz",
+      "integrity": "sha512-yuWcQislvBPHorFQzmZ9/yY0nPD1rn1kBNOr6iPXzT+iJ/i/pciq8Z7ilnVJAGKaJXV58ovD+AWWYYjX6IFF9g==",
+      "requires": {
+        "@babel/parser": "^7.4.4",
+        "@babel/traverse": "^7.4.4",
+        "@babel/types": "^7.4.4",
+        "source-map-support": "^0.5.12"
+      }
+    },
+    "graphql-toolkit": {
+      "version": "0.7.5",
+      "resolved": "https://registry.npmjs.org/graphql-toolkit/-/graphql-toolkit-0.7.5.tgz",
+      "integrity": "sha512-8fagZhEP+bygbcW9uhYIzR7BVZLtobCJmO26fgbqJcnRqsFuclSg2fcrNJbeSGjefrEWHnFcgYcQehbSE8oW9g==",
+      "requires": {
+        "@graphql-toolkit/code-file-loader": "0.7.5",
+        "@graphql-toolkit/common": "0.7.5",
+        "@graphql-toolkit/core": "0.7.5",
+        "@graphql-toolkit/file-loading": "0.7.5",
+        "@graphql-toolkit/graphql-file-loader": "0.7.5",
+        "@graphql-toolkit/json-file-loader": "0.7.5",
+        "@graphql-toolkit/schema-merging": "0.7.5",
+        "@graphql-toolkit/url-loader": "0.7.5"
+      },
+      "dependencies": {
+        "@graphql-toolkit/common": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/common/-/common-0.7.5.tgz",
+          "integrity": "sha512-pu7tKY6KW7+4noJQPCbIxKzv54tSl/FME9wU0rNSwcr4O3By+pv7VCYXxkhCSnftJcXsXAuAcdjcV2CBsjnZNg==",
+          "requires": {
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "aggregate-error": "3.0.1",
+            "is-glob": "4.0.1",
+            "lodash": "4.17.15"
+          }
+        },
+        "@graphql-toolkit/schema-merging": {
+          "version": "0.7.5",
+          "resolved": "https://registry.npmjs.org/@graphql-toolkit/schema-merging/-/schema-merging-0.7.5.tgz",
+          "integrity": "sha512-6HJb0bFqkJn45MMWLpt1K0kPJlbyGUaXFuBMY+yQ6fr70U01VjWc/RpXm9JO9FzlpzmtaMGd2HcsWC+7mAddtg==",
+          "requires": {
+            "@graphql-toolkit/common": "0.7.5",
+            "@kamilkisiela/graphql-tools": "4.0.6",
+            "deepmerge": "4.2.2",
+            "tslib": "1.10.0"
+          }
+        }
+      }
+    },
+    "gray-matter": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/gray-matter/-/gray-matter-4.0.2.tgz",
+      "integrity": "sha512-7hB/+LxrOjq/dd8APlK0r24uL/67w7SkYnfwhNFwg/VDIGWGmduTDYf3WNstLW2fbbmRwrDGCVSJ2isuf2+4Hw==",
+      "requires": {
+        "js-yaml": "^3.11.0",
+        "kind-of": "^6.0.2",
+        "section-matter": "^1.0.0",
+        "strip-bom-string": "^1.0.0"
+      }
+    },
+    "gud": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/gud/-/gud-1.0.0.tgz",
+      "integrity": "sha512-zGEOVKFM5sVPPrYs7J5/hYEw2Pof8KCyOwyhG8sAF26mCAeUFAcYPu1mwB7hhpIP29zOIBaDqwuHdLp0jvZXjw=="
+    },
+    "gzip-size": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/gzip-size/-/gzip-size-5.1.1.tgz",
+      "integrity": "sha512-FNHi6mmoHvs1mxZAds4PpdCS6QG8B4C1krxJsMutgxl5t3+GlRTzzI3NEkifXx2pVsOvJdOGSmIgDhQ55FwdPA==",
+      "requires": {
+        "duplexer": "^0.1.1",
+        "pify": "^4.0.1"
+      },
+      "dependencies": {
+        "pify": {
+          "version": "4.0.1",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
+          "integrity": "sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g=="
+        }
+      }
+    },
+    "handlebars": {
+      "version": "4.5.3",
+      "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz",
+      "integrity": "sha512-3yPecJoJHK/4c6aZhSvxOyG4vJKDshV36VHp0iVCDVh7o9w2vwi3NSnL2MMPj3YdduqaBcu7cGbggJQM0br9xA==",
+      "requires": {
+        "neo-async": "^2.6.0",
+        "optimist": "^0.6.1",
+        "source-map": "^0.6.1",
+        "uglify-js": "^3.1.4"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "has": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz",
+      "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==",
+      "requires": {
+        "function-bind": "^1.1.1"
+      }
+    },
+    "has-ansi": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/has-ansi/-/has-ansi-2.0.0.tgz",
+      "integrity": "sha1-NPUEnOHs3ysGSa8+8k5F7TVBbZE=",
+      "requires": {
+        "ansi-regex": "^2.0.0"
+      }
+    },
+    "has-flag": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
+      "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0="
+    },
+    "has-symbol-support-x": {
+      "version": "1.4.2",
+      "resolved": "https://registry.npmjs.org/has-symbol-support-x/-/has-symbol-support-x-1.4.2.tgz",
+      "integrity": "sha512-3ToOva++HaW+eCpgqZrCfN51IPB+7bJNVT6CUATzueB5Heb8o6Nam0V3HG5dlDvZU1Gn5QLcbahiKw/XVk5JJw=="
+    },
+    "has-symbols": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.1.tgz",
+      "integrity": "sha512-PLcsoqu++dmEIZB+6totNFKq/7Do+Z0u4oT0zKOJNl3lYK6vGwwu2hjHs+68OEZbTjiUE9bgOABXbP/GvrS0Kg=="
+    },
+    "has-to-string-tag-x": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/has-to-string-tag-x/-/has-to-string-tag-x-1.4.1.tgz",
+      "integrity": "sha512-vdbKfmw+3LoOYVr+mtxHaX5a96+0f3DljYd8JOqvOLsf5mw2Otda2qCDT9qRqLAhrjyQ0h7ual5nOiASpsGNFw==",
+      "requires": {
+        "has-symbol-support-x": "^1.4.1"
+      }
+    },
+    "has-value": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/has-value/-/has-value-1.0.0.tgz",
+      "integrity": "sha1-GLKB2lhbHFxR3vJMkw7SmgvmsXc=",
+      "requires": {
+        "get-value": "^2.0.6",
+        "has-values": "^1.0.0",
+        "isobject": "^3.0.0"
+      }
+    },
+    "has-values": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/has-values/-/has-values-1.0.0.tgz",
+      "integrity": "sha1-lbC2P+whRmGab+V/51Yo1aOe/k8=",
+      "requires": {
+        "is-number": "^3.0.0",
+        "kind-of": "^4.0.0"
+      },
+      "dependencies": {
+        "kind-of": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz",
+          "integrity": "sha1-IIE989cSkosgc3hpGkUGb65y3Vc=",
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "hash-base": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.0.4.tgz",
+      "integrity": "sha1-X8hoaEfs1zSZQDMZprCj8/auSRg=",
+      "requires": {
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "hash.js": {
+      "version": "1.1.7",
+      "resolved": "https://registry.npmjs.org/hash.js/-/hash.js-1.1.7.tgz",
+      "integrity": "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA==",
+      "requires": {
+        "inherits": "^2.0.3",
+        "minimalistic-assert": "^1.0.1"
+      }
+    },
+    "hast-to-hyperscript": {
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/hast-to-hyperscript/-/hast-to-hyperscript-7.0.4.tgz",
+      "integrity": "sha512-vmwriQ2H0RPS9ho4Kkbf3n3lY436QKLq6VaGA1pzBh36hBi3tm1DO9bR+kaJIbpT10UqaANDkMjxvjVfr+cnOA==",
+      "requires": {
+        "comma-separated-tokens": "^1.0.0",
+        "property-information": "^5.3.0",
+        "space-separated-tokens": "^1.0.0",
+        "style-to-object": "^0.2.1",
+        "unist-util-is": "^3.0.0",
+        "web-namespaces": "^1.1.2"
+      },
+      "dependencies": {
+        "style-to-object": {
+          "version": "0.2.3",
+          "resolved": "https://registry.npmjs.org/style-to-object/-/style-to-object-0.2.3.tgz",
+          "integrity": "sha512-1d/k4EY2N7jVLOqf2j04dTc37TPOv/hHxZmvpg8Pdh8UYydxeu/C1W1U4vD8alzf5V2Gt7rLsmkr4dxAlDm9ng==",
+          "requires": {
+            "inline-style-parser": "0.1.1"
+          }
+        },
+        "unist-util-is": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-3.0.0.tgz",
+          "integrity": "sha512-sVZZX3+kspVNmLWBPAB6r+7D9ZgAFPNWm66f7YNb420RlQSbn+n8rG8dGZSkrER7ZIXGQYNm5pqC3v3HopH24A=="
+        }
+      }
+    },
+    "hast-util-from-parse5": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/hast-util-from-parse5/-/hast-util-from-parse5-5.0.2.tgz",
+      "integrity": "sha512-YXFjoRS7ES7PEoLx6uihtSfKTO1s3z/tzGiV5cVpsUiihduogFXubNRCzTIW3yOOGO1nws9CxPq4MbwD39Uo+w==",
+      "requires": {
+        "ccount": "^1.0.3",
+        "hastscript": "^5.0.0",
+        "property-information": "^5.0.0",
+        "web-namespaces": "^1.1.2",
+        "xtend": "^4.0.1"
+      }
+    },
+    "hast-util-is-element": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/hast-util-is-element/-/hast-util-is-element-1.0.3.tgz",
+      "integrity": "sha512-C62CVn7jbjp89yOhhy7vrkSaB7Vk906Gtcw/Ihd+Iufnq+2pwOZjdPmpzpKLWJXPJBMDX3wXg4FqmdOayPcewA=="
+    },
+    "hast-util-parse-selector": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/hast-util-parse-selector/-/hast-util-parse-selector-2.2.3.tgz",
+      "integrity": "sha512-nxbeqjQNxsvo/uYYAw9kij6td05YVUlf1qti09rVfbWSLT5H6wo3c+USIwX6nzXWk5kFZzXnEqO82856r0aM2Q=="
+    },
+    "hast-util-raw": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/hast-util-raw/-/hast-util-raw-5.0.1.tgz",
+      "integrity": "sha512-iHo7G6BjRc/GU1Yun5CIEXjil0wVnIbz11C6k0JdDichSDMtYi2+NNtk6YN7EOP0JfPstX30d3pRLfaJv5CkdA==",
+      "requires": {
+        "hast-util-from-parse5": "^5.0.0",
+        "hast-util-to-parse5": "^5.0.0",
+        "html-void-elements": "^1.0.1",
+        "parse5": "^5.0.0",
+        "unist-util-position": "^3.0.0",
+        "web-namespaces": "^1.0.0",
+        "xtend": "^4.0.1",
+        "zwitch": "^1.0.0"
+      }
+    },
+    "hast-util-to-parse5": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/hast-util-to-parse5/-/hast-util-to-parse5-5.1.1.tgz",
+      "integrity": "sha512-ivCeAd5FCXr7bapJIVsWMnx/EmbjkkW2TU2hd1prq+jGwiaUoK+FcpjyPNwsC5ogzCwWO669tOqIovGeLc/ntg==",
+      "requires": {
+        "hast-to-hyperscript": "^7.0.0",
+        "property-information": "^5.0.0",
+        "web-namespaces": "^1.0.0",
+        "xtend": "^4.0.1",
+        "zwitch": "^1.0.0"
+      }
+    },
+    "hast-util-to-text": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/hast-util-to-text/-/hast-util-to-text-1.0.1.tgz",
+      "integrity": "sha512-Xvp9fWiWVb4WaHc1E1g6dtyYlcVwyjRT0CC9oXtVUNhbmIB1gqRVBuBIFJgrFkYxdo+T3UIl5i5ipPGaPRnUOw==",
+      "requires": {
+        "hast-util-is-element": "^1.0.2",
+        "repeat-string": "^1.6.1",
+        "unist-util-find-after": "^2.0.3"
+      }
+    },
+    "hastscript": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/hastscript/-/hastscript-5.1.1.tgz",
+      "integrity": "sha512-xHo1Hkcqd0LlWNuDL3/BxwhgAGp3d7uEvCMgCTrBY+zsOooPPH+8KAvW8PCgl+GB8H3H44nfSaF0A4BQ+4xlYg==",
+      "requires": {
+        "comma-separated-tokens": "^1.0.0",
+        "hast-util-parse-selector": "^2.0.0",
+        "property-information": "^5.0.0",
+        "space-separated-tokens": "^1.0.0"
+      }
+    },
+    "he": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/he/-/he-1.2.0.tgz",
+      "integrity": "sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==",
+      "optional": true
+    },
+    "highlight.js": {
+      "version": "9.17.1",
+      "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-9.17.1.tgz",
+      "integrity": "sha512-TA2/doAur5Ol8+iM3Ov7qy3jYcr/QiJ2eDTdRF4dfbjG7AaaB99J5G+zSl11ljbl6cIcahgPY6SKb3sC3EJ0fw==",
+      "requires": {
+        "handlebars": "^4.5.3"
+      }
+    },
+    "hmac-drbg": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
+      "integrity": "sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=",
+      "requires": {
+        "hash.js": "^1.0.3",
+        "minimalistic-assert": "^1.0.0",
+        "minimalistic-crypto-utils": "^1.0.1"
+      }
+    },
+    "hoist-non-react-statics": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/hoist-non-react-statics/-/hoist-non-react-statics-3.3.1.tgz",
+      "integrity": "sha512-wbg3bpgA/ZqWrZuMOeJi8+SKMhr7X9TesL/rXMjTzh0p0JUBo3II8DHboYbuIXWRlttrUFxwcu/5kygrCw8fJw==",
+      "requires": {
+        "react-is": "^16.7.0"
+      }
+    },
+    "hoopy": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/hoopy/-/hoopy-0.1.4.tgz",
+      "integrity": "sha512-HRcs+2mr52W0K+x8RzcLzuPPmVIKMSv97RGHy0Ea9y/mpcaK+xTrjICA04KAHi4GRzxliNqNJEFYWHghy3rSfQ=="
+    },
+    "hosted-git-info": {
+      "version": "2.8.5",
+      "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.5.tgz",
+      "integrity": "sha512-kssjab8CvdXfcXMXVcvsXum4Hwdq9XGtRD3TteMEvEbq0LXyiNQr6AprqKqfeaDXze7SxWvRxdpwE6ku7ikLkg=="
+    },
+    "html-comment-regex": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/html-comment-regex/-/html-comment-regex-1.1.2.tgz",
+      "integrity": "sha512-P+M65QY2JQ5Y0G9KKdlDpo0zK+/OHptU5AaBwUfAIDJZk1MYf32Frm84EcOytfJE0t5JvkAnKlmjsXDnWzCJmQ=="
+    },
+    "html-entities": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/html-entities/-/html-entities-1.2.1.tgz",
+      "integrity": "sha1-DfKTUfByEWNRXfueVUPl9u7VFi8="
+    },
+    "html-void-elements": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/html-void-elements/-/html-void-elements-1.0.4.tgz",
+      "integrity": "sha512-yMk3naGPLrfvUV9TdDbuYXngh/TpHbA6TrOw3HL9kS8yhwx7i309BReNg7CbAJXGE+UMJ6je5OqJ7lC63o6YuQ=="
+    },
+    "http-cache-semantics": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.0.3.tgz",
+      "integrity": "sha512-TcIMG3qeVLgDr1TEd2XvHaTnMPwYQUQMIBLy+5pLSDKYFc7UIqj39w8EGzZkaxoLv/l2K8HaI0t5AVA+YYgUew=="
+    },
+    "http-errors": {
+      "version": "1.7.2",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.2.tgz",
+      "integrity": "sha512-uUQBt3H/cSIVfch6i1EuPNy/YsRSOUBXTVfZ+yR7Zjez3qjBz6i9+i4zjNaoqcoFVI4lQJ5plg63TvGfRSDCRg==",
+      "requires": {
+        "depd": "~1.1.2",
+        "inherits": "2.0.3",
+        "setprototypeof": "1.1.1",
+        "statuses": ">= 1.5.0 < 2",
+        "toidentifier": "1.0.0"
+      },
+      "dependencies": {
+        "inherits": {
+          "version": "2.0.3",
+          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
+          "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4="
+        }
+      }
+    },
+    "https-browserify": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/https-browserify/-/https-browserify-1.0.0.tgz",
+      "integrity": "sha1-7AbBDgo0wPL68Zn3/X/Hj//QPHM="
+    },
+    "husky": {
+      "version": "4.0.10",
+      "resolved": "https://registry.npmjs.org/husky/-/husky-4.0.10.tgz",
+      "integrity": "sha512-Ptm4k2DqOwxeK/kzu5RaJmNRoGvESrgDXObFcZ8aJZcyXyMBHhM2FqZj6zYKdetadmP3wCwxEHCBuB9xGlRp8A==",
+      "dev": true,
+      "requires": {
+        "chalk": "^3.0.0",
+        "ci-info": "^2.0.0",
+        "cosmiconfig": "^6.0.0",
+        "opencollective-postinstall": "^2.0.2",
+        "pkg-dir": "^4.2.0",
+        "please-upgrade-node": "^3.2.0",
+        "slash": "^3.0.0",
+        "which-pm-runs": "^1.0.0"
+      },
+      "dependencies": {
+        "cosmiconfig": {
+          "version": "6.0.0",
+          "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-6.0.0.tgz",
+          "integrity": "sha512-xb3ZL6+L8b9JLLCx3ZdoZy4+2ECphCMo2PwqgP1tlfVq6M6YReyzBJtvWWtbDSpNr9hn96pkCiZqUcFEc+54Qg==",
+          "dev": true,
+          "requires": {
+            "@types/parse-json": "^4.0.0",
+            "import-fresh": "^3.1.0",
+            "parse-json": "^5.0.0",
+            "path-type": "^4.0.0",
+            "yaml": "^1.7.2"
+          }
+        },
+        "import-fresh": {
+          "version": "3.2.1",
+          "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.2.1.tgz",
+          "integrity": "sha512-6e1q1cnWP2RXD9/keSkxHScg508CdXqXWgWBaETNhyuBFz+kUZlKboh+ISK+bU++DmbHimVBrOz/zzPe0sZ3sQ==",
+          "dev": true,
+          "requires": {
+            "parent-module": "^1.0.0",
+            "resolve-from": "^4.0.0"
+          }
+        },
+        "parse-json": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-5.0.0.tgz",
+          "integrity": "sha512-OOY5b7PAEFV0E2Fir1KOkxchnZNCdowAJgQ5NuxjpBKTRP3pQhwkrkxqQjeoKJ+fO7bCpmIZaogI4eZGDMEGOw==",
+          "dev": true,
+          "requires": {
+            "@babel/code-frame": "^7.0.0",
+            "error-ex": "^1.3.1",
+            "json-parse-better-errors": "^1.0.1",
+            "lines-and-columns": "^1.1.6"
+          }
+        },
+        "path-type": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/path-type/-/path-type-4.0.0.tgz",
+          "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==",
+          "dev": true
+        },
+        "resolve-from": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
+          "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==",
+          "dev": true
+        }
+      }
+    },
+    "iconv-lite": {
+      "version": "0.4.24",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "requires": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      }
+    },
+    "icss-replace-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/icss-replace-symbols/-/icss-replace-symbols-1.1.0.tgz",
+      "integrity": "sha1-Bupvg2ead0njhs/h/oEq5dsiPe0="
+    },
+    "icss-utils": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/icss-utils/-/icss-utils-2.1.0.tgz",
+      "integrity": "sha1-g/Cg7DeL8yRheLbCrZE28TWxyWI=",
+      "requires": {
+        "postcss": "^6.0.1"
+      }
+    },
+    "ieee754": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.1.13.tgz",
+      "integrity": "sha512-4vf7I2LYV/HaWerSo3XmlMkp5eZ83i+/CDluXi/IGTs/O1sejBNhTtnxzmRZfvOUqj7lZjqHkeTvpgSFDlWZTg=="
+    },
+    "iferr": {
+      "version": "0.1.5",
+      "resolved": "https://registry.npmjs.org/iferr/-/iferr-0.1.5.tgz",
+      "integrity": "sha1-xg7taebY/bazEEofy8ocGS3FtQE="
+    },
+    "ignore": {
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-4.0.6.tgz",
+      "integrity": "sha512-cyFDKrqc/YdcWFniJhzI42+AzS+gNwmUzOSFcRCQYwySuBBBy/KjuxWLZ/FHEH6Moq1NizMOBWyTcv8O4OZIMg=="
+    },
+    "ignore-loader": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/ignore-loader/-/ignore-loader-0.1.2.tgz",
+      "integrity": "sha1-2B8kA3bQuk8Nd4lyw60lh0EXpGM="
+    },
+    "imagemin": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/imagemin/-/imagemin-6.1.0.tgz",
+      "integrity": "sha512-8ryJBL1CN5uSHpiBMX0rJw79C9F9aJqMnjGnrd/1CafegpNuA81RBAAru/jQQEOWlOJJlpRnlcVFF6wq+Ist0A==",
+      "requires": {
+        "file-type": "^10.7.0",
+        "globby": "^8.0.1",
+        "make-dir": "^1.0.0",
+        "p-pipe": "^1.1.0",
+        "pify": "^4.0.1",
+        "replace-ext": "^1.0.0"
+      },
+      "dependencies": {
+        "array-union": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
+          "integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
+          "requires": {
+            "array-uniq": "^1.0.1"
+          }
+        },
+        "dir-glob": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/dir-glob/-/dir-glob-2.0.0.tgz",
+          "integrity": "sha512-37qirFDz8cA5fimp9feo43fSuRo2gHwaIn6dXL8Ber1dGwUosDrGZeCCXq57WnIqE4aQ+u3eQZzsk1yOzhdwag==",
+          "requires": {
+            "arrify": "^1.0.1",
+            "path-type": "^3.0.0"
+          }
+        },
+        "globby": {
+          "version": "8.0.2",
+          "resolved": "https://registry.npmjs.org/globby/-/globby-8.0.2.tgz",
+          "integrity": "sha512-yTzMmKygLp8RUpG1Ymu2VXPSJQZjNAZPD4ywgYEaG7e4tBJeUQBO8OpXrf1RCNcEs5alsoJYPAMiIHP0cmeC7w==",
+          "requires": {
+            "array-union": "^1.0.1",
+            "dir-glob": "2.0.0",
+            "fast-glob": "^2.0.2",
+            "glob": "^7.1.2",
+            "ignore": "^3.3.5",
+            "pify": "^3.0.0",
+            "slash": "^1.0.0"
+          },
+          "dependencies": {
+            "pify": {
+              "version": "3.0.0",
+              "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+              "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+            }
+          }
+        },
+        "ignore": {
+          "version": "3.3.10",
+          "resolved": "https://registry.npmjs.org/ignore/-/ignore-3.3.10.tgz",
+          "integrity": "sha512-Pgs951kaMm5GXP7MOvxERINe3gsaVjUWFm+UZPSq9xYriQAksyhg0csnS0KXSNRD5NmNdapXEpjxG49+AKh/ug=="
+        },
+        "path-type": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/path-type/-/path-type-3.0.0.tgz",
+          "integrity": "sha512-T2ZUsdZFHgA3u4e5PfPbjd7HDDpxPnQb5jN0SrDsjNSuVXHJqtwTnWqG0B1jZrgmJ/7lj1EmVIByWt1gxGkWvg==",
+          "requires": {
+            "pify": "^3.0.0"
+          },
+          "dependencies": {
+            "pify": {
+              "version": "3.0.0",
+              "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+              "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+            }
+          }
+        },
+        "pify": {
+          "version": "4.0.1",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
+          "integrity": "sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g=="
+        },
+        "slash": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/slash/-/slash-1.0.0.tgz",
+          "integrity": "sha1-xB8vbDn8FtHNF61LXYlhFK5HDVU="
+        }
+      }
+    },
+    "imagemin-mozjpeg": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/imagemin-mozjpeg/-/imagemin-mozjpeg-8.0.0.tgz",
+      "integrity": "sha512-+EciPiIjCb8JWjQNr1q8sYWYf7GDCNDxPYnkD11TNIjjWNzaV+oTg4DpOPQjl5ZX/KRCPMEgS79zLYAQzLitIA==",
+      "requires": {
+        "execa": "^1.0.0",
+        "is-jpg": "^2.0.0",
+        "mozjpeg": "^6.0.0"
+      },
+      "dependencies": {
+        "cross-spawn": {
+          "version": "6.0.5",
+          "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz",
+          "integrity": "sha512-eTVLrBSt7fjbDygz805pMnstIs2VTBNkRm0qxZd+M7A5XDdxVRWO5MxGBXZhjY4cqLYLdtrGqRf8mBPmzwSpWQ==",
+          "requires": {
+            "nice-try": "^1.0.4",
+            "path-key": "^2.0.1",
+            "semver": "^5.5.0",
+            "shebang-command": "^1.2.0",
+            "which": "^1.2.9"
+          }
+        },
+        "execa": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/execa/-/execa-1.0.0.tgz",
+          "integrity": "sha512-adbxcyWV46qiHyvSp50TKt05tB4tK3HcmF7/nxfAdhnox83seTDbwnaqKO4sXRy7roHAIFqJP/Rw/AuEbX61LA==",
+          "requires": {
+            "cross-spawn": "^6.0.0",
+            "get-stream": "^4.0.0",
+            "is-stream": "^1.1.0",
+            "npm-run-path": "^2.0.0",
+            "p-finally": "^1.0.0",
+            "signal-exit": "^3.0.0",
+            "strip-eof": "^1.0.0"
+          }
+        },
+        "get-stream": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-4.1.0.tgz",
+          "integrity": "sha512-GMat4EJ5161kIy2HevLlr4luNjBgvmj413KaQA7jt4V8B4RDsfpHk7WQ9GVqfYyyx8OS/L66Kox+rJRNklLK7w==",
+          "requires": {
+            "pump": "^3.0.0"
+          }
+        }
+      }
+    },
+    "imagemin-optipng": {
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/imagemin-optipng/-/imagemin-optipng-7.1.0.tgz",
+      "integrity": "sha512-JNORTZ6j6untH7e5gF4aWdhDCxe3ODsSLKs/f7Grewy3ebZpl1ZsU+VUTPY4rzeHgaFA8GSWOoA8V2M3OixWZQ==",
+      "requires": {
+        "exec-buffer": "^3.0.0",
+        "is-png": "^2.0.0",
+        "optipng-bin": "^6.0.0"
+      }
+    },
+    "imagemin-svgo": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/imagemin-svgo/-/imagemin-svgo-7.0.0.tgz",
+      "integrity": "sha512-+iGJFaPIMx8TjFW6zN+EkOhlqcemdL7F3N3Y0wODvV2kCUBuUtZK7DRZc1+Zfu4U2W/lTMUyx2G8YMOrZntIWg==",
+      "requires": {
+        "is-svg": "^3.0.0",
+        "svgo": "^1.0.5"
+      }
+    },
+    "img-loader": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/img-loader/-/img-loader-3.0.1.tgz",
+      "integrity": "sha512-0jDJqexgzOuq3zlXwFTBKJlMcaP1uXyl5t4Qu6b1IgXb3IwBDjPfVylBC8vHFIIESDw/S+5QkBbtBrt4T8wESA==",
+      "requires": {
+        "loader-utils": "^1.1.0"
+      }
+    },
+    "immutable": {
+      "version": "3.7.6",
+      "resolved": "https://registry.npmjs.org/immutable/-/immutable-3.7.6.tgz",
+      "integrity": "sha1-E7TTyxK++hVIKib+Gy665kAHHks="
+    },
+    "import-cwd": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/import-cwd/-/import-cwd-2.1.0.tgz",
+      "integrity": "sha1-qmzzbnInYShcs3HsZRn1PiQ1sKk=",
+      "requires": {
+        "import-from": "^2.1.0"
+      },
+      "dependencies": {
+        "import-from": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/import-from/-/import-from-2.1.0.tgz",
+          "integrity": "sha1-M1238qev/VOqpHHUuAId7ja387E=",
+          "requires": {
+            "resolve-from": "^3.0.0"
+          }
+        },
+        "resolve-from": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-3.0.0.tgz",
+          "integrity": "sha1-six699nWiBvItuZTM17rywoYh0g="
+        }
+      }
+    },
+    "import-fresh": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-2.0.0.tgz",
+      "integrity": "sha1-2BNVwVYS04bGH53dOSLUMEgipUY=",
+      "requires": {
+        "caller-path": "^2.0.0",
+        "resolve-from": "^3.0.0"
+      },
+      "dependencies": {
+        "resolve-from": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-3.0.0.tgz",
+          "integrity": "sha1-six699nWiBvItuZTM17rywoYh0g="
+        }
+      }
+    },
+    "import-from": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/import-from/-/import-from-3.0.0.tgz",
+      "integrity": "sha512-CiuXOFFSzkU5x/CR0+z7T91Iht4CXgfCxVOFRhh2Zyhg5wOpWvvDLQUsWl+gcN+QscYBjez8hDCt85O7RLDttQ==",
+      "requires": {
+        "resolve-from": "^5.0.0"
+      }
+    },
+    "import-lazy": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/import-lazy/-/import-lazy-3.1.0.tgz",
+      "integrity": "sha512-8/gvXvX2JMn0F+CDlSC4l6kOmVaLOO3XLkksI7CI3Ud95KDYJuYur2b9P/PUt/i/pDAMd/DulQsNbbbmRRsDIQ=="
+    },
+    "imurmurhash": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz",
+      "integrity": "sha1-khi5srkoojixPcT7a21XbyMUU+o="
+    },
+    "indent-string": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-4.0.0.tgz",
+      "integrity": "sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg=="
+    },
+    "indexes-of": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/indexes-of/-/indexes-of-1.0.1.tgz",
+      "integrity": "sha1-8w9xbI4r00bHtn0985FVZqfAVgc="
+    },
+    "infer-owner": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/infer-owner/-/infer-owner-1.0.4.tgz",
+      "integrity": "sha512-IClj+Xz94+d7irH5qRyfJonOdfTzuDaifE6ZPWfx0N0+/ATZCbuTPq2prFl526urkQd90WyUKIh1DfBQ2hMz9A=="
+    },
+    "inflight": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
+      "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=",
+      "requires": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
+    },
+    "ini": {
+      "version": "1.3.5",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz",
+      "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw=="
+    },
+    "ink": {
+      "version": "2.6.0",
+      "resolved": "https://registry.npmjs.org/ink/-/ink-2.6.0.tgz",
+      "integrity": "sha512-nD/wlSuB6WnFsFB0nUcOJdy28YvvDer3eo+gezjvZqojGA4Rx5sQpacvN//Aai83DRgwrRTyKBl5aciOcfP3zQ==",
+      "requires": {
+        "ansi-escapes": "^4.2.1",
+        "arrify": "^2.0.1",
+        "auto-bind": "^3.0.0",
+        "chalk": "^3.0.0",
+        "cli-cursor": "^3.1.0",
+        "cli-truncate": "^2.0.0",
+        "is-ci": "^2.0.0",
+        "lodash.throttle": "^4.1.1",
+        "log-update": "^3.0.0",
+        "prop-types": "^15.6.2",
+        "react-reconciler": "^0.24.0",
+        "scheduler": "^0.18.0",
+        "signal-exit": "^3.0.2",
+        "slice-ansi": "^3.0.0",
+        "string-length": "^3.1.0",
+        "widest-line": "^3.1.0",
+        "wrap-ansi": "^6.2.0",
+        "yoga-layout-prebuilt": "^1.9.3"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz",
+          "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg=="
+        },
+        "ansi-styles": {
+          "version": "4.2.1",
+          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.2.1.tgz",
+          "integrity": "sha512-9VGjrMsG1vePxcSweQsN20KY/c4zN0h9fLjqAbwbPfahM3t+NL+M9HC8xeXG2I8pX5NoamTGNuomEUFI7fcUjA==",
+          "requires": {
+            "@types/color-name": "^1.1.1",
+            "color-convert": "^2.0.1"
+          }
+        },
+        "arrify": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/arrify/-/arrify-2.0.1.tgz",
+          "integrity": "sha512-3duEwti880xqi4eAMN8AyR4a0ByT90zoYdLlevfrvU43vb0YZwZVfxOgxWrLXXXpyugL0hNZc9G6BiB5B3nUug=="
+        },
+        "astral-regex": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-2.0.0.tgz",
+          "integrity": "sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ=="
+        },
+        "auto-bind": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/auto-bind/-/auto-bind-3.0.0.tgz",
+          "integrity": "sha512-v0A231a/lfOo6kxQtmEkdBfTApvC21aJYukA8pkKnoTvVqh3Wmm7/Rwy4GBCHTTHVoLVA5qsBDDvf1XY1nIV2g=="
+        },
+        "cli-truncate": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/cli-truncate/-/cli-truncate-2.1.0.tgz",
+          "integrity": "sha512-n8fOixwDD6b/ObinzTrp1ZKFzbgvKZvuz/TvejnLn1aQfC6r52XEx85FmuC+3HI+JM7coBRXUvNqEU2PHVrHpg==",
+          "requires": {
+            "slice-ansi": "^3.0.0",
+            "string-width": "^4.2.0"
+          }
+        },
+        "color-convert": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+          "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+          "requires": {
+            "color-name": "~1.1.4"
+          }
+        },
+        "color-name": {
+          "version": "1.1.4",
+          "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+          "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
+        },
+        "emoji-regex": {
+          "version": "8.0.0",
+          "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+          "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="
+        },
+        "is-fullwidth-code-point": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+          "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="
+        },
+        "log-update": {
+          "version": "3.3.0",
+          "resolved": "https://registry.npmjs.org/log-update/-/log-update-3.3.0.tgz",
+          "integrity": "sha512-YSKm5n+YjZoGZT5lfmOqasVH1fIH9xQA9A81Y48nZ99PxAP62vdCCtua+Gcu6oTn0nqtZd/LwRV+Vflo53ZDWA==",
+          "requires": {
+            "ansi-escapes": "^3.2.0",
+            "cli-cursor": "^2.1.0",
+            "wrap-ansi": "^5.0.0"
+          },
+          "dependencies": {
+            "ansi-escapes": {
+              "version": "3.2.0",
+              "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-3.2.0.tgz",
+              "integrity": "sha512-cBhpre4ma+U0T1oM5fXg7Dy1Jw7zzwv7lt/GoCpr+hDQJoYnKVPLL4dCvSEFMmQurOQvSrwT7SL/DAlhBI97RQ=="
+            },
+            "ansi-regex": {
+              "version": "4.1.0",
+              "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+              "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+            },
+            "ansi-styles": {
+              "version": "3.2.1",
+              "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz",
+              "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+              "requires": {
+                "color-convert": "^1.9.0"
+              }
+            },
+            "cli-cursor": {
+              "version": "2.1.0",
+              "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-2.1.0.tgz",
+              "integrity": "sha1-s12sN2R5+sw+lHR9QdDQ9SOP/LU=",
+              "requires": {
+                "restore-cursor": "^2.0.0"
+              }
+            },
+            "color-convert": {
+              "version": "1.9.3",
+              "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
+              "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+              "requires": {
+                "color-name": "1.1.3"
+              }
+            },
+            "color-name": {
+              "version": "1.1.3",
+              "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
+              "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU="
+            },
+            "emoji-regex": {
+              "version": "7.0.3",
+              "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-7.0.3.tgz",
+              "integrity": "sha512-CwBLREIQ7LvYFB0WyRvwhq5N5qPhc6PMjD6bYggFlI5YyDgl+0vxq5VHbMOFqLg7hfWzmu8T5Z1QofhmTIhItA=="
+            },
+            "is-fullwidth-code-point": {
+              "version": "2.0.0",
+              "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-2.0.0.tgz",
+              "integrity": "sha1-o7MKXE8ZkYMWeqq5O+764937ZU8="
+            },
+            "string-width": {
+              "version": "3.1.0",
+              "resolved": "https://registry.npmjs.org/string-width/-/string-width-3.1.0.tgz",
+              "integrity": "sha512-vafcv6KjVZKSgz06oM/H6GDBrAtz8vdhQakGjFIvNrHA6y3HCF1CInLy+QLq8dTJPQ1b+KDUqDFctkdRW44e1w==",
+              "requires": {
+                "emoji-regex": "^7.0.1",
+                "is-fullwidth-code-point": "^2.0.0",
+                "strip-ansi": "^5.1.0"
+              }
+            },
+            "strip-ansi": {
+              "version": "5.2.0",
+              "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+              "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+              "requires": {
+                "ansi-regex": "^4.1.0"
+              }
+            },
+            "wrap-ansi": {
+              "version": "5.1.0",
+              "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-5.1.0.tgz",
+              "integrity": "sha512-QC1/iN/2/RPVJ5jYK8BGttj5z83LmSKmvbvrXPNCLZSEb32KKVDJDl/MOt2N01qU2H/FkzEa9PKto1BqDjtd7Q==",
+              "requires": {
+                "ansi-styles": "^3.2.0",
+                "string-width": "^3.0.0",
+                "strip-ansi": "^5.0.0"
+              }
+            }
+          }
+        },
+        "onetime": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/onetime/-/onetime-2.0.1.tgz",
+          "integrity": "sha1-BnQoIw/WdEOyeUsiu6UotoZ5YtQ=",
+          "requires": {
+            "mimic-fn": "^1.0.0"
+          }
+        },
+        "restore-cursor": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-2.0.0.tgz",
+          "integrity": "sha1-n37ih/gv0ybU/RYpI9YhKe7g368=",
+          "requires": {
+            "onetime": "^2.0.0",
+            "signal-exit": "^3.0.2"
+          }
+        },
+        "slice-ansi": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-3.0.0.tgz",
+          "integrity": "sha512-pSyv7bSTC7ig9Dcgbw9AuRNUb5k5V6oDudjZoMBSr13qpLBG7tB+zgCkARjq7xIUgdz5P1Qe8u+rSGdouOOIyQ==",
+          "requires": {
+            "ansi-styles": "^4.0.0",
+            "astral-regex": "^2.0.0",
+            "is-fullwidth-code-point": "^3.0.0"
+          }
+        },
+        "string-width": {
+          "version": "4.2.0",
+          "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.0.tgz",
+          "integrity": "sha512-zUz5JD+tgqtuDjMhwIg5uFVV3dtqZ9yQJlZVfq4I01/K5Paj5UHj7VyrQOJvzawSVlKpObApbfD0Ed6yJc+1eg==",
+          "requires": {
+            "emoji-regex": "^8.0.0",
+            "is-fullwidth-code-point": "^3.0.0",
+            "strip-ansi": "^6.0.0"
+          }
+        },
+        "strip-ansi": {
+          "version": "6.0.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz",
+          "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==",
+          "requires": {
+            "ansi-regex": "^5.0.0"
+          }
+        },
+        "wrap-ansi": {
+          "version": "6.2.0",
+          "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz",
+          "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+          "requires": {
+            "ansi-styles": "^4.0.0",
+            "string-width": "^4.1.0",
+            "strip-ansi": "^6.0.0"
+          }
+        }
+      }
+    },
+    "ink-link": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/ink-link/-/ink-link-1.0.0.tgz",
+      "integrity": "sha512-oIyGm7UYz5e9j9xc3zgzkYBYLCcRKg/deA3jieXqQT6F4mnhdlTQfLv8zfNt+IMsouPEEKuLPZGE5no5SAIEPQ==",
+      "requires": {
+        "prop-types": "^15.7.2",
+        "terminal-link": "^1.2.0"
+      }
+    },
+    "ink-select-input": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/ink-select-input/-/ink-select-input-3.1.2.tgz",
+      "integrity": "sha512-PaLraGx8A54GhSkTNzZI8bgY0elAoa1jSPPe5Q52B5VutcBoJc4HE3ICDwsEGJ88l1Hw6AWjpeoqrq82a8uQPA==",
+      "requires": {
+        "arr-rotate": "^1.0.0",
+        "figures": "^2.0.0",
+        "lodash.isequal": "^4.5.0",
+        "prop-types": "^15.5.10"
+      },
+      "dependencies": {
+        "figures": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/figures/-/figures-2.0.0.tgz",
+          "integrity": "sha1-OrGi0qYsi/tDGgyUy3l6L84nyWI=",
+          "requires": {
+            "escape-string-regexp": "^1.0.5"
+          }
+        }
+      }
+    },
+    "ink-spinner": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/ink-spinner/-/ink-spinner-3.0.1.tgz",
+      "integrity": "sha512-AVR4Z/NXDQ7dT5ltWcCzFS9Dd4T8eaO//E2UO8VYNiJcZpPCSJ11o5A0UVPcMlZxGbGD6ikUFDR3ZgPUQk5haQ==",
+      "requires": {
+        "cli-spinners": "^1.0.0",
+        "prop-types": "^15.5.10"
+      }
+    },
+    "ink-text-input": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/ink-text-input/-/ink-text-input-3.2.1.tgz",
+      "integrity": "sha512-gU5Q3+xq0koDsTEkW0U6k3nNXjN4r9g/b6goo/jHlK2g4R5M6d22KnLEO6yFDYHQO1D27aTdSUk4HH+Nz8lQKg==",
+      "requires": {
+        "prop-types": "^15.5.10"
+      }
+    },
+    "inline-style-parser": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/inline-style-parser/-/inline-style-parser-0.1.1.tgz",
+      "integrity": "sha512-7NXolsK4CAS5+xvdj5OMMbI962hU/wvwoxk+LWR9Ek9bVtyuuYScDN6eS0rUm6TxApFpw7CX1o4uJzcd4AyD3Q=="
+    },
+    "inquirer": {
+      "version": "7.0.3",
+      "resolved": "https://registry.npmjs.org/inquirer/-/inquirer-7.0.3.tgz",
+      "integrity": "sha512-+OiOVeVydu4hnCGLCSX+wedovR/Yzskv9BFqUNNKq9uU2qg7LCcCo3R86S2E7WLo0y/x2pnEZfZe1CoYnORUAw==",
+      "requires": {
+        "ansi-escapes": "^4.2.1",
+        "chalk": "^2.4.2",
+        "cli-cursor": "^3.1.0",
+        "cli-width": "^2.0.0",
+        "external-editor": "^3.0.3",
+        "figures": "^3.0.0",
+        "lodash": "^4.17.15",
+        "mute-stream": "0.0.8",
+        "run-async": "^2.2.0",
+        "rxjs": "^6.5.3",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^5.1.0",
+        "through": "^2.3.6"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz",
+          "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg=="
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "emoji-regex": {
+          "version": "8.0.0",
+          "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+          "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="
+        },
+        "is-fullwidth-code-point": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+          "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="
+        },
+        "string-width": {
+          "version": "4.2.0",
+          "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.0.tgz",
+          "integrity": "sha512-zUz5JD+tgqtuDjMhwIg5uFVV3dtqZ9yQJlZVfq4I01/K5Paj5UHj7VyrQOJvzawSVlKpObApbfD0Ed6yJc+1eg==",
+          "requires": {
+            "emoji-regex": "^8.0.0",
+            "is-fullwidth-code-point": "^3.0.0",
+            "strip-ansi": "^6.0.0"
+          },
+          "dependencies": {
+            "strip-ansi": {
+              "version": "6.0.0",
+              "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz",
+              "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==",
+              "requires": {
+                "ansi-regex": "^5.0.0"
+              }
+            }
+          }
+        },
+        "strip-ansi": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+          "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+          "requires": {
+            "ansi-regex": "^4.1.0"
+          },
+          "dependencies": {
+            "ansi-regex": {
+              "version": "4.1.0",
+              "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+              "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+            }
+          }
+        }
+      }
+    },
+    "into-stream": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/into-stream/-/into-stream-3.1.0.tgz",
+      "integrity": "sha1-lvsKk2wSur1v8XUqF9BWFqvQlMY=",
+      "requires": {
+        "from2": "^2.1.1",
+        "p-is-promise": "^1.1.0"
+      }
+    },
+    "invariant": {
+      "version": "2.2.4",
+      "resolved": "https://registry.npmjs.org/invariant/-/invariant-2.2.4.tgz",
+      "integrity": "sha512-phJfQVBuaJM5raOpJjSfkiD6BpbCE4Ns//LaXl6wGYtUBY83nWS6Rf9tXm2e8VaK60JEjYldbPif/A2B1C2gNA==",
+      "requires": {
+        "loose-envify": "^1.0.0"
+      }
+    },
+    "ipaddr.js": {
+      "version": "1.9.0",
+      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.0.tgz",
+      "integrity": "sha512-M4Sjn6N/+O6/IXSJseKqHoFc+5FdGJ22sXqnjTpdZweHK64MzEPAyQZyEU3R/KRv2GLoa7nNtg/C2Ev6m7z+eA=="
+    },
+    "is-absolute-url": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/is-absolute-url/-/is-absolute-url-3.0.3.tgz",
+      "integrity": "sha512-opmNIX7uFnS96NtPmhWQgQx6/NYFgsUXYMllcfzwWKUMwfo8kku1TvE6hkNcH+Q1ts5cMVrsY7j0bxXQDciu9Q=="
+    },
+    "is-accessor-descriptor": {
+      "version": "0.1.6",
+      "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz",
+      "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=",
+      "requires": {
+        "kind-of": "^3.0.2"
+      },
+      "dependencies": {
+        "kind-of": {
+          "version": "3.2.2",
+          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "is-alphabetical": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/is-alphabetical/-/is-alphabetical-1.0.3.tgz",
+      "integrity": "sha512-eEMa6MKpHFzw38eKm56iNNi6GJ7lf6aLLio7Kr23sJPAECscgRtZvOBYybejWDQ2bM949Y++61PY+udzj5QMLA=="
+    },
+    "is-alphanumeric": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/is-alphanumeric/-/is-alphanumeric-1.0.0.tgz",
+      "integrity": "sha1-Spzvcdr0wAHB2B1j0UDPU/1oifQ="
+    },
+    "is-alphanumerical": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/is-alphanumerical/-/is-alphanumerical-1.0.3.tgz",
+      "integrity": "sha512-A1IGAPO5AW9vSh7omxIlOGwIqEvpW/TA+DksVOPM5ODuxKlZS09+TEM1E3275lJqO2oJ38vDpeAL3DCIiHE6eA==",
+      "requires": {
+        "is-alphabetical": "^1.0.0",
+        "is-decimal": "^1.0.0"
+      }
+    },
+    "is-arrayish": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz",
+      "integrity": "sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0="
+    },
+    "is-binary-path": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
+      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
+      "requires": {
+        "binary-extensions": "^2.0.0"
+      }
+    },
+    "is-buffer": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-1.1.6.tgz",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w=="
+    },
+    "is-callable": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.1.4.tgz",
+      "integrity": "sha512-r5p9sxJjYnArLjObpjA4xu5EKI3CuKHkJXMhT7kwbpUyIFD1n5PMAsoPvWnvtZiNz7LjkYDRZhd7FlI0eMijEA=="
+    },
+    "is-ci": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/is-ci/-/is-ci-2.0.0.tgz",
+      "integrity": "sha512-YfJT7rkpQB0updsdHLGWrvhBJfcfzNNawYDNIyQXJz0IViGf75O8EBPKSdvw2rF+LGCsX4FZ8tcr3b19LcZq4w==",
+      "requires": {
+        "ci-info": "^2.0.0"
+      }
+    },
+    "is-data-descriptor": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-0.1.4.tgz",
+      "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=",
+      "requires": {
+        "kind-of": "^3.0.2"
+      },
+      "dependencies": {
+        "kind-of": {
+          "version": "3.2.2",
+          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "is-date-object": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-date-object/-/is-date-object-1.0.1.tgz",
+      "integrity": "sha1-mqIOtq7rv/d/vTPnTKAbM1gdOhY="
+    },
+    "is-decimal": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/is-decimal/-/is-decimal-1.0.3.tgz",
+      "integrity": "sha512-bvLSwoDg2q6Gf+E2LEPiklHZxxiSi3XAh4Mav65mKqTfCO1HM3uBs24TjEH8iJX3bbDdLXKJXBTmGzuTUuAEjQ=="
+    },
+    "is-descriptor": {
+      "version": "0.1.6",
+      "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-0.1.6.tgz",
+      "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==",
+      "requires": {
+        "is-accessor-descriptor": "^0.1.6",
+        "is-data-descriptor": "^0.1.4",
+        "kind-of": "^5.0.0"
+      },
+      "dependencies": {
+        "kind-of": {
+          "version": "5.1.0",
+          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz",
+          "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw=="
+        }
+      }
+    },
+    "is-directory": {
+      "version": "0.3.1",
+      "resolved": "https://registry.npmjs.org/is-directory/-/is-directory-0.3.1.tgz",
+      "integrity": "sha1-YTObbyR1/Hcv2cnYP1yFddwVSuE="
+    },
+    "is-docker": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/is-docker/-/is-docker-2.0.0.tgz",
+      "integrity": "sha512-pJEdRugimx4fBMra5z2/5iRdZ63OhYV0vr0Dwm5+xtW4D1FvRkB8hamMIhnWfyJeDdyr/aa7BDyNbtG38VxgoQ=="
+    },
+    "is-extendable": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz",
+      "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik="
+    },
+    "is-extglob": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+      "integrity": "sha1-qIwCU1eR8C7TfHahueqXc8gz+MI="
+    },
+    "is-finite": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/is-finite/-/is-finite-1.0.2.tgz",
+      "integrity": "sha1-zGZ3aVYCvlUO8R6LSqYwU0K20Ko=",
+      "requires": {
+        "number-is-nan": "^1.0.0"
+      }
+    },
+    "is-fullwidth-code-point": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-2.0.0.tgz",
+      "integrity": "sha1-o7MKXE8ZkYMWeqq5O+764937ZU8="
+    },
+    "is-glob": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.1.tgz",
+      "integrity": "sha512-5G0tKtBTFImOqDnLB2hG6Bp2qcKEFduo4tZu9MT/H6NQv/ghhy30o55ufafxJ/LdH79LLs2Kfrn85TLKyA7BUg==",
+      "requires": {
+        "is-extglob": "^2.1.1"
+      }
+    },
+    "is-hexadecimal": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/is-hexadecimal/-/is-hexadecimal-1.0.3.tgz",
+      "integrity": "sha512-zxQ9//Q3D/34poZf8fiy3m3XVpbQc7ren15iKqrTtLPwkPD/t3Scy9Imp63FujULGxuK0ZlCwoo5xNpktFgbOA=="
+    },
+    "is-jpg": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/is-jpg/-/is-jpg-2.0.0.tgz",
+      "integrity": "sha1-LhmX+m6RZuqsAkLarkQ0A+TvHZc="
+    },
+    "is-natural-number": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/is-natural-number/-/is-natural-number-4.0.1.tgz",
+      "integrity": "sha1-q5124dtM7VHjXeDHLr7PCfc0zeg="
+    },
+    "is-number": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz",
+      "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=",
+      "requires": {
+        "kind-of": "^3.0.2"
+      },
+      "dependencies": {
+        "kind-of": {
+          "version": "3.2.2",
+          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "is-obj": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-1.0.1.tgz",
+      "integrity": "sha1-PkcprB9f3gJc19g6iW2rn09n2w8="
+    },
+    "is-object": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-object/-/is-object-1.0.1.tgz",
+      "integrity": "sha1-iVJojF7C/9awPsyF52ngKQMINHA="
+    },
+    "is-observable": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/is-observable/-/is-observable-1.1.0.tgz",
+      "integrity": "sha512-NqCa4Sa2d+u7BWc6CukaObG3Fh+CU9bvixbpcXYhy2VvYS7vVGIdAgnIS5Ks3A/cqk4rebLJ9s8zBstT2aKnIA==",
+      "requires": {
+        "symbol-observable": "^1.1.0"
+      }
+    },
+    "is-path-cwd": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/is-path-cwd/-/is-path-cwd-2.2.0.tgz",
+      "integrity": "sha512-w942bTcih8fdJPJmQHFzkS76NEP8Kzzvmw92cXsazb8intwLqPibPPdXf4ANdKV3rYMuuQYGIWtvz9JilB3NFQ=="
+    },
+    "is-path-in-cwd": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-path-in-cwd/-/is-path-in-cwd-1.0.1.tgz",
+      "integrity": "sha512-FjV1RTW48E7CWM7eE/J2NJvAEEVektecDBVBE5Hh3nM1Jd0kvhHtX68Pr3xsDf857xt3Y4AkwVULK1Vku62aaQ==",
+      "requires": {
+        "is-path-inside": "^1.0.0"
+      },
+      "dependencies": {
+        "is-path-inside": {
+          "version": "1.0.1",
+          "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-1.0.1.tgz",
+          "integrity": "sha1-jvW33lBDej/cprToZe96pVy0gDY=",
+          "requires": {
+            "path-is-inside": "^1.0.1"
+          }
+        }
+      }
+    },
+    "is-path-inside": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.2.tgz",
+      "integrity": "sha512-/2UGPSgmtqwo1ktx8NDHjuPwZWmHhO+gj0f93EkhLB5RgW9RZevWYYlIkS6zePc6U2WpOdQYIwHe9YC4DWEBVg=="
+    },
+    "is-plain-obj": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-2.0.0.tgz",
+      "integrity": "sha512-EYisGhpgSCwspmIuRHGjROWTon2Xp8Z7U03Wubk/bTL5TTRC5R1rGVgyjzBrk9+ULdH6cRD06KRcw/xfqhVYKQ=="
+    },
+    "is-plain-object": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-2.0.4.tgz",
+      "integrity": "sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==",
+      "requires": {
+        "isobject": "^3.0.1"
+      }
+    },
+    "is-png": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/is-png/-/is-png-2.0.0.tgz",
+      "integrity": "sha512-4KPGizaVGj2LK7xwJIz8o5B2ubu1D/vcQsgOGFEDlpcvgZHto4gBnyd0ig7Ws+67ixmwKoNmu0hYnpo6AaKb5g=="
+    },
+    "is-promise": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-2.1.0.tgz",
+      "integrity": "sha1-eaKp7OfwlugPNtKy87wWwf9L8/o="
+    },
+    "is-regex": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.0.4.tgz",
+      "integrity": "sha1-VRdIm1RwkbCTDglWVM7SXul+lJE=",
+      "requires": {
+        "has": "^1.0.1"
+      }
+    },
+    "is-regexp": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/is-regexp/-/is-regexp-1.0.0.tgz",
+      "integrity": "sha1-/S2INUXEa6xaYz57mgnof6LLUGk="
+    },
+    "is-retry-allowed": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/is-retry-allowed/-/is-retry-allowed-1.2.0.tgz",
+      "integrity": "sha512-RUbUeKwvm3XG2VYamhJL1xFktgjvPzL0Hq8C+6yrWIswDy3BIXGqCxhxkc30N9jqK311gVU137K8Ei55/zVJRg=="
+    },
+    "is-stream": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-1.1.0.tgz",
+      "integrity": "sha1-EtSj3U5o4Lec6428hBc66A2RykQ="
+    },
+    "is-string": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/is-string/-/is-string-1.0.5.tgz",
+      "integrity": "sha512-buY6VNRjhQMiF1qWDouloZlQbRhDPCebwxSjxMjxgemYT46YMd2NR0/H+fBhEfWX4A/w9TBJ+ol+okqJKFE6vQ=="
+    },
+    "is-svg": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz",
+      "integrity": "sha512-gi4iHK53LR2ujhLVVj+37Ykh9GLqYHX6JOVXbLAucaG/Cqw9xwdFOjDM2qeifLs1sF1npXXFvDu0r5HNgCMrzQ==",
+      "requires": {
+        "html-comment-regex": "^1.1.0"
+      }
+    },
+    "is-symbol": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/is-symbol/-/is-symbol-1.0.3.tgz",
+      "integrity": "sha512-OwijhaRSgqvhm/0ZdAcXNZt9lYdKFpcRDT5ULUuYXPoT794UNOdU+gpT6Rzo7b4V2HUl/op6GqY894AZwv9faQ==",
+      "requires": {
+        "has-symbols": "^1.0.1"
+      }
+    },
+    "is-typedarray": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz",
+      "integrity": "sha1-5HnICFjfDBsR3dppQPlgEfzaSpo="
+    },
+    "is-utf8": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/is-utf8/-/is-utf8-0.2.1.tgz",
+      "integrity": "sha1-Sw2hRCEE0bM2NA6AeX6GXPOffXI="
+    },
+    "is-whitespace-character": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/is-whitespace-character/-/is-whitespace-character-1.0.3.tgz",
+      "integrity": "sha512-SNPgMLz9JzPccD3nPctcj8sZlX9DAMJSKH8bP7Z6bohCwuNgX8xbWr1eTAYXX9Vpi/aSn8Y1akL9WgM3t43YNQ=="
+    },
+    "is-windows": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/is-windows/-/is-windows-1.0.2.tgz",
+      "integrity": "sha512-eXK1UInq2bPmjyX6e3VHIzMLobc4J94i4AWn+Hpq3OU5KkrRC96OAcR3PRJ/pGu6m8TRnBHP9dkXQVsT/COVIA=="
+    },
+    "is-word-character": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/is-word-character/-/is-word-character-1.0.3.tgz",
+      "integrity": "sha512-0wfcrFgOOOBdgRNT9H33xe6Zi6yhX/uoc4U8NBZGeQQB0ctU1dnlNTyL9JM2646bHDTpsDm1Brb3VPoCIMrd/A=="
+    },
+    "is-wsl": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-wsl/-/is-wsl-2.1.1.tgz",
+      "integrity": "sha512-umZHcSrwlDHo2TGMXv0DZ8dIUGunZ2Iv68YZnrmCiBPkZ4aaOhtv7pXJKeki9k3qJ3RJr0cDyitcl5wEH3AYog=="
+    },
+    "isarray": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
+      "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE="
+    },
+    "iserror": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/iserror/-/iserror-0.0.2.tgz",
+      "integrity": "sha1-vVNFH+L2aLnyQCwZZnh6qix8C/U="
+    },
+    "isexe": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
+      "integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA="
+    },
+    "isobject": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/isobject/-/isobject-3.0.1.tgz",
+      "integrity": "sha1-TkMekrEalzFjaqH5yNHMvP2reN8="
+    },
+    "isomorphic-fetch": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz",
+      "integrity": "sha1-YRrhrPFPXoH3KVB0coGf6XM1WKk=",
+      "requires": {
+        "node-fetch": "^1.0.1",
+        "whatwg-fetch": ">=0.10.0"
+      },
+      "dependencies": {
+        "node-fetch": {
+          "version": "1.7.3",
+          "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz",
+          "integrity": "sha512-NhZ4CsKx7cYm2vSrBAr2PvFOe6sWDf0UYLRqA6svUYg7+/TSfVAu49jYC4BvQ4Sms9SZgdqGBgroqfDhJdTyKQ==",
+          "requires": {
+            "encoding": "^0.1.11",
+            "is-stream": "^1.0.1"
+          }
+        }
+      }
+    },
+    "isomorphic-unfetch": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/isomorphic-unfetch/-/isomorphic-unfetch-3.0.0.tgz",
+      "integrity": "sha512-V0tmJSYfkKokZ5mgl0cmfQMTb7MLHsBMngTkbLY0eXvKqiVRRoZP04Ly+KhKrJfKtzC9E6Pp15Jo+bwh7Vi2XQ==",
+      "requires": {
+        "node-fetch": "^2.2.0",
+        "unfetch": "^4.0.0"
+      }
+    },
+    "isurl": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/isurl/-/isurl-1.0.0.tgz",
+      "integrity": "sha512-1P/yWsxPlDtn7QeRD+ULKQPaIaN6yF368GZ2vDfv0AL0NwpStafjWCDDdn0k8wgFMWpVAqG7oJhxHnlud42i9w==",
+      "requires": {
+        "has-to-string-tag-x": "^1.2.0",
+        "is-object": "^1.0.1"
+      }
+    },
+    "iterall": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/iterall/-/iterall-1.3.0.tgz",
+      "integrity": "sha512-QZ9qOMdF+QLHxy1QIpUHUU1D5pS2CG2P69LF6L6CPjPYA/XMOmKV3PZpawHoAjHNyB0swdVTRxdYT4tbBbxqwg=="
+    },
+    "jest-worker": {
+      "version": "24.9.0",
+      "resolved": "https://registry.npmjs.org/jest-worker/-/jest-worker-24.9.0.tgz",
+      "integrity": "sha512-51PE4haMSXcHohnSMdM42anbvZANYTqMrr52tVKPqqsPJMzoP6FYYDVqahX/HrAoKEKz3uUPzSvKs9A3qR4iVw==",
+      "requires": {
+        "merge-stream": "^2.0.0",
+        "supports-color": "^6.1.0"
+      },
+      "dependencies": {
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "join-component": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/join-component/-/join-component-1.1.0.tgz",
+      "integrity": "sha1-uEF7dQZho5K+4sJTfGiyqdSXfNU="
+    },
+    "js-cookie": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.1.tgz",
+      "integrity": "sha512-HvdH2LzI/EAZcUwA8+0nKNtWHqS+ZmijLA30RwZA0bo7ToCckjK5MkGhjED9KoRcXO6BaGI3I9UIzSA1FKFPOQ=="
+    },
+    "js-levenshtein": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/js-levenshtein/-/js-levenshtein-1.1.6.tgz",
+      "integrity": "sha512-X2BB11YZtrRqY4EnQcLX5Rh373zbK4alC1FW7D7MBhL2gtcC17cTnr6DmfHZeS0s2rTHjUTMMHfG7gO8SSdw+g=="
+    },
+    "js-tokens": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
+      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="
+    },
+    "js-yaml": {
+      "version": "3.13.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz",
+      "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==",
+      "requires": {
+        "argparse": "^1.0.7",
+        "esprima": "^4.0.0"
+      }
+    },
+    "jsesc": {
+      "version": "2.5.2",
+      "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-2.5.2.tgz",
+      "integrity": "sha512-OYu7XEzjkCQ3C5Ps3QIZsQfNpqoJyZZA99wd9aWd05NCtC5pWOkShK2mkL6HXQR6/Cy2lbNdPlZBpuQHXE63gA=="
+    },
+    "json-buffer": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.0.tgz",
+      "integrity": "sha1-Wx85evx11ne96Lz8Dkfh+aPZqJg="
+    },
+    "json-parse-better-errors": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json-parse-better-errors/-/json-parse-better-errors-1.0.2.tgz",
+      "integrity": "sha512-mrqyZKfX5EhL7hvqcV6WG1yYjnjeuYDzDhhcAAUrq8Po85NBQBJP+ZDUT75qZQ98IkUoBqdkExkukOU7Ts2wrw=="
+    },
+    "json-schema-traverse": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
+      "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg=="
+    },
+    "json-schema-typed": {
+      "version": "7.0.3",
+      "resolved": "https://registry.npmjs.org/json-schema-typed/-/json-schema-typed-7.0.3.tgz",
+      "integrity": "sha512-7DE8mpG+/fVw+dTpjbxnx47TaMnDfOI1jwft9g1VybltZCduyRQPJPvc+zzKY9WPHxhPWczyFuYa6I8Mw4iU5A=="
+    },
+    "json-stable-stringify": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/json-stable-stringify/-/json-stable-stringify-1.0.1.tgz",
+      "integrity": "sha1-mnWdOcXy/1A/1TAGRu1EX4jE+a8=",
+      "requires": {
+        "jsonify": "~0.0.0"
+      }
+    },
+    "json-stable-stringify-without-jsonify": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz",
+      "integrity": "sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE="
+    },
+    "json5": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.1.1.tgz",
+      "integrity": "sha512-l+3HXD0GEI3huGq1njuqtzYK8OYJyXMkOLtQ53pjWh89tvWS2h6l+1zMkYWqlb57+SiQodKZyvMEFb2X+KrFhQ==",
+      "requires": {
+        "minimist": "^1.2.0"
+      }
+    },
+    "jsonfile": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-4.0.0.tgz",
+      "integrity": "sha1-h3Gq4HmbZAdrdmQPygWPnBDjPss=",
+      "requires": {
+        "graceful-fs": "^4.1.6"
+      }
+    },
+    "jsonify": {
+      "version": "0.0.0",
+      "resolved": "https://registry.npmjs.org/jsonify/-/jsonify-0.0.0.tgz",
+      "integrity": "sha1-LHS27kHZPKUbe1qu6PUDYx0lKnM="
+    },
+    "jstz": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/jstz/-/jstz-2.1.1.tgz",
+      "integrity": "sha512-8hfl5RD6P7rEeIbzStBz3h4f+BQHfq/ABtoU6gXKQv5OcZhnmrIpG7e1pYaZ8hS9e0mp+bxUj08fnDUbKctYyA=="
+    },
+    "jsx-ast-utils": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/jsx-ast-utils/-/jsx-ast-utils-2.2.3.tgz",
+      "integrity": "sha512-EdIHFMm+1BPynpKOpdPqiOsvnIrInRGJD7bzPZdPkjitQEqpdpUuFpq4T0npZFKTiB3RhWFdGN+oqOJIdhDhQA==",
+      "requires": {
+        "array-includes": "^3.0.3",
+        "object.assign": "^4.1.0"
+      }
+    },
+    "keyv": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/keyv/-/keyv-3.1.0.tgz",
+      "integrity": "sha512-9ykJ/46SN/9KPM/sichzQ7OvXyGDYKGTaDlKMGCAlg2UK8KRy4jb0d8sFc+0Tt0YYnThq8X2RZgCg74RPxgcVA==",
+      "requires": {
+        "json-buffer": "3.0.0"
+      }
+    },
+    "kind-of": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz",
+      "integrity": "sha512-s5kLOcnH0XqDO+FvuaLX8DDjZ18CGFk7VygH40QoKPUQhW4e2rvM0rwUq0t8IQDOwYSeLK01U90OjzBTme2QqA=="
+    },
+    "latest-version": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/latest-version/-/latest-version-5.1.0.tgz",
+      "integrity": "sha512-weT+r0kTkRQdCdYCNtkMwWXQTMEswKrFBkm4ckQOMVhhqhIMI1UT2hMj+1iigIhgSZm5gTmrRXBNoGUgaTY1xA==",
+      "requires": {
+        "package-json": "^6.3.0"
+      }
+    },
+    "launch-editor": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/launch-editor/-/launch-editor-2.2.1.tgz",
+      "integrity": "sha512-On+V7K2uZK6wK7x691ycSUbLD/FyKKelArkbaAMSSJU8JmqmhwN2+mnJDNINuJWSrh2L0kDk+ZQtbC/gOWUwLw==",
+      "requires": {
+        "chalk": "^2.3.0",
+        "shell-quote": "^1.6.1"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "levn": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/levn/-/levn-0.3.0.tgz",
+      "integrity": "sha1-OwmSTt+fCDwEkP3UwLxEIeBHZO4=",
+      "requires": {
+        "prelude-ls": "~1.1.2",
+        "type-check": "~0.3.2"
+      }
+    },
+    "lines-and-columns": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.1.6.tgz",
+      "integrity": "sha1-HADHQ7QzzQpOgHWPe2SldEDZ/wA="
+    },
+    "lint-staged": {
+      "version": "9.5.0",
+      "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-9.5.0.tgz",
+      "integrity": "sha512-nawMob9cb/G1J98nb8v3VC/E8rcX1rryUYXVZ69aT9kde6YWX+uvNOEHY5yf2gcWcTJGiD0kqXmCnS3oD75GIA==",
+      "requires": {
+        "chalk": "^2.4.2",
+        "commander": "^2.20.0",
+        "cosmiconfig": "^5.2.1",
+        "debug": "^4.1.1",
+        "dedent": "^0.7.0",
+        "del": "^5.0.0",
+        "execa": "^2.0.3",
+        "listr": "^0.14.3",
+        "log-symbols": "^3.0.0",
+        "micromatch": "^4.0.2",
+        "normalize-path": "^3.0.0",
+        "please-upgrade-node": "^3.1.1",
+        "string-argv": "^0.3.0",
+        "stringify-object": "^3.3.0"
+      },
+      "dependencies": {
+        "braces": {
+          "version": "3.0.2",
+          "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
+          "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+          "requires": {
+            "fill-range": "^7.0.1"
+          }
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "cross-spawn": {
+          "version": "7.0.1",
+          "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.1.tgz",
+          "integrity": "sha512-u7v4o84SwFpD32Z8IIcPZ6z1/ie24O6RU3RbtL5Y316l3KuHVPx9ItBgWQ6VlfAFnRnTtMUrsQ9MUUTuEZjogg==",
+          "requires": {
+            "path-key": "^3.1.0",
+            "shebang-command": "^2.0.0",
+            "which": "^2.0.1"
+          }
+        },
+        "execa": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/execa/-/execa-2.1.0.tgz",
+          "integrity": "sha512-Y/URAVapfbYy2Xp/gb6A0E7iR8xeqOCXsuuaoMn7A5PzrXUK84E1gyiEfq0wQd/GHA6GsoHWwhNq8anb0mleIw==",
+          "requires": {
+            "cross-spawn": "^7.0.0",
+            "get-stream": "^5.0.0",
+            "is-stream": "^2.0.0",
+            "merge-stream": "^2.0.0",
+            "npm-run-path": "^3.0.0",
+            "onetime": "^5.1.0",
+            "p-finally": "^2.0.0",
+            "signal-exit": "^3.0.2",
+            "strip-final-newline": "^2.0.0"
+          }
+        },
+        "fill-range": {
+          "version": "7.0.1",
+          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
+          "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+          "requires": {
+            "to-regex-range": "^5.0.1"
+          }
+        },
+        "get-stream": {
+          "version": "5.1.0",
+          "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-5.1.0.tgz",
+          "integrity": "sha512-EXr1FOzrzTfGeL0gQdeFEvOMm2mzMOglyiOXSTpPC+iAjAKftbr3jpCMWynogwYnM+eSj9sHGc6wjIcDvYiygw==",
+          "requires": {
+            "pump": "^3.0.0"
+          }
+        },
+        "is-number": {
+          "version": "7.0.0",
+          "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+          "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng=="
+        },
+        "is-stream": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.0.tgz",
+          "integrity": "sha512-XCoy+WlUr7d1+Z8GgSuXmpuUFC9fOhRXglJMx+dwLKTkL44Cjd4W1Z5P+BQZpr+cR93aGP4S/s7Ftw6Nd/kiEw=="
+        },
+        "micromatch": {
+          "version": "4.0.2",
+          "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz",
+          "integrity": "sha512-y7FpHSbMUMoyPbYUSzO6PaZ6FyRnQOpHuKwbo1G+Knck95XVU4QAiKdGEnj5wwoS7PlOgthX/09u5iFJ+aYf5Q==",
+          "requires": {
+            "braces": "^3.0.1",
+            "picomatch": "^2.0.5"
+          }
+        },
+        "npm-run-path": {
+          "version": "3.1.0",
+          "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-3.1.0.tgz",
+          "integrity": "sha512-Dbl4A/VfiVGLgQv29URL9xshU8XDY1GeLy+fsaZ1AA8JDSfjvr5P5+pzRbWqRSBxk6/DW7MIh8lTM/PaGnP2kg==",
+          "requires": {
+            "path-key": "^3.0.0"
+          }
+        },
+        "p-finally": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/p-finally/-/p-finally-2.0.1.tgz",
+          "integrity": "sha512-vpm09aKwq6H9phqRQzecoDpD8TmVyGw70qmWlyq5onxY7tqyTTFVvxMykxQSQKILBSFlbXpypIw2T1Ml7+DDtw=="
+        },
+        "path-key": {
+          "version": "3.1.1",
+          "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
+          "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q=="
+        },
+        "shebang-command": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
+          "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+          "requires": {
+            "shebang-regex": "^3.0.0"
+          }
+        },
+        "shebang-regex": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
+          "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A=="
+        },
+        "to-regex-range": {
+          "version": "5.0.1",
+          "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+          "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+          "requires": {
+            "is-number": "^7.0.0"
+          }
+        },
+        "which": {
+          "version": "2.0.2",
+          "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
+          "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+          "requires": {
+            "isexe": "^2.0.0"
+          }
+        }
+      }
+    },
+    "listr": {
+      "version": "0.14.3",
+      "resolved": "https://registry.npmjs.org/listr/-/listr-0.14.3.tgz",
+      "integrity": "sha512-RmAl7su35BFd/xoMamRjpIE4j3v+L28o8CT5YhAXQJm1fD+1l9ngXY8JAQRJ+tFK2i5njvi0iRUKV09vPwA0iA==",
+      "requires": {
+        "@samverschueren/stream-to-observable": "^0.3.0",
+        "is-observable": "^1.1.0",
+        "is-promise": "^2.1.0",
+        "is-stream": "^1.1.0",
+        "listr-silent-renderer": "^1.1.1",
+        "listr-update-renderer": "^0.5.0",
+        "listr-verbose-renderer": "^0.5.0",
+        "p-map": "^2.0.0",
+        "rxjs": "^6.3.3"
+      },
+      "dependencies": {
+        "p-map": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/p-map/-/p-map-2.1.0.tgz",
+          "integrity": "sha512-y3b8Kpd8OAN444hxfBbFfj1FY/RjtTd8tzYwhUqNYXx0fXx2iX4maP4Qr6qhIKbQXI02wTLAda4fYUbDagTUFw=="
+        }
+      }
+    },
+    "listr-silent-renderer": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/listr-silent-renderer/-/listr-silent-renderer-1.1.1.tgz",
+      "integrity": "sha1-kktaN1cVN3C/Go4/v3S4u/P5JC4="
+    },
+    "listr-update-renderer": {
+      "version": "0.5.0",
+      "resolved": "https://registry.npmjs.org/listr-update-renderer/-/listr-update-renderer-0.5.0.tgz",
+      "integrity": "sha512-tKRsZpKz8GSGqoI/+caPmfrypiaq+OQCbd+CovEC24uk1h952lVj5sC7SqyFUm+OaJ5HN/a1YLt5cit2FMNsFA==",
+      "requires": {
+        "chalk": "^1.1.3",
+        "cli-truncate": "^0.2.1",
+        "elegant-spinner": "^1.0.1",
+        "figures": "^1.7.0",
+        "indent-string": "^3.0.0",
+        "log-symbols": "^1.0.2",
+        "log-update": "^2.3.0",
+        "strip-ansi": "^3.0.1"
+      },
+      "dependencies": {
+        "ansi-styles": {
+          "version": "2.2.1",
+          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
+          "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4="
+        },
+        "chalk": {
+          "version": "1.1.3",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz",
+          "integrity": "sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=",
+          "requires": {
+            "ansi-styles": "^2.2.1",
+            "escape-string-regexp": "^1.0.2",
+            "has-ansi": "^2.0.0",
+            "strip-ansi": "^3.0.0",
+            "supports-color": "^2.0.0"
+          }
+        },
+        "figures": {
+          "version": "1.7.0",
+          "resolved": "https://registry.npmjs.org/figures/-/figures-1.7.0.tgz",
+          "integrity": "sha1-y+Hjr/zxzUS4DK3+0o3Hk6lwHS4=",
+          "requires": {
+            "escape-string-regexp": "^1.0.5",
+            "object-assign": "^4.1.0"
+          }
+        },
+        "indent-string": {
+          "version": "3.2.0",
+          "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-3.2.0.tgz",
+          "integrity": "sha1-Sl/W0nzDMvN+VBmlBNu4NxBckok="
+        },
+        "log-symbols": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-1.0.2.tgz",
+          "integrity": "sha1-N2/3tY6jCGoPCfrMdGF+ylAeGhg=",
+          "requires": {
+            "chalk": "^1.0.0"
+          }
+        },
+        "supports-color": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
+          "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc="
+        }
+      }
+    },
+    "listr-verbose-renderer": {
+      "version": "0.5.0",
+      "resolved": "https://registry.npmjs.org/listr-verbose-renderer/-/listr-verbose-renderer-0.5.0.tgz",
+      "integrity": "sha512-04PDPqSlsqIOaaaGZ+41vq5FejI9auqTInicFRndCBgE3bXG8D6W1I+mWhk+1nqbHmyhla/6BUrd5OSiHwKRXw==",
+      "requires": {
+        "chalk": "^2.4.1",
+        "cli-cursor": "^2.1.0",
+        "date-fns": "^1.27.2",
+        "figures": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "cli-cursor": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-2.1.0.tgz",
+          "integrity": "sha1-s12sN2R5+sw+lHR9QdDQ9SOP/LU=",
+          "requires": {
+            "restore-cursor": "^2.0.0"
+          }
+        },
+        "figures": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/figures/-/figures-2.0.0.tgz",
+          "integrity": "sha1-OrGi0qYsi/tDGgyUy3l6L84nyWI=",
+          "requires": {
+            "escape-string-regexp": "^1.0.5"
+          }
+        },
+        "onetime": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/onetime/-/onetime-2.0.1.tgz",
+          "integrity": "sha1-BnQoIw/WdEOyeUsiu6UotoZ5YtQ=",
+          "requires": {
+            "mimic-fn": "^1.0.0"
+          }
+        },
+        "restore-cursor": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-2.0.0.tgz",
+          "integrity": "sha1-n37ih/gv0ybU/RYpI9YhKe7g368=",
+          "requires": {
+            "onetime": "^2.0.0",
+            "signal-exit": "^3.0.2"
+          }
+        }
+      }
+    },
+    "load-json-file": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-2.0.0.tgz",
+      "integrity": "sha1-eUfkIUmvgNaWy/eXvKq8/h/inKg=",
+      "requires": {
+        "graceful-fs": "^4.1.2",
+        "parse-json": "^2.2.0",
+        "pify": "^2.0.0",
+        "strip-bom": "^3.0.0"
+      }
+    },
+    "loader-runner": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/loader-runner/-/loader-runner-2.4.0.tgz",
+      "integrity": "sha512-Jsmr89RcXGIwivFY21FcRrisYZfvLMTWx5kOLc+JTxtpBOG6xML0vzbc6SEQG2FO9/4Fc3wW4LVcB5DmGflaRw=="
+    },
+    "loader-utils": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz",
+      "integrity": "sha512-fkpz8ejdnEMG3s37wGL07iSBDg99O9D5yflE9RGNH3hRdx9SOwYfnGYdZOUIZitN8E+E2vkq3MUMYMvPYl5ZZA==",
+      "requires": {
+        "big.js": "^5.2.2",
+        "emojis-list": "^2.0.0",
+        "json5": "^1.0.1"
+      },
+      "dependencies": {
+        "json5": {
+          "version": "1.0.1",
+          "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
+          "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+          "requires": {
+            "minimist": "^1.2.0"
+          }
+        }
+      }
+    },
+    "locate-path": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-2.0.0.tgz",
+      "integrity": "sha1-K1aLJl7slExtnA3pw9u7ygNUzY4=",
+      "requires": {
+        "p-locate": "^2.0.0",
+        "path-exists": "^3.0.0"
+      }
+    },
+    "lodash": {
+      "version": "4.17.15",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
+      "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A=="
+    },
+    "lodash-es": {
+      "version": "4.17.15",
+      "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.15.tgz",
+      "integrity": "sha512-rlrc3yU3+JNOpZ9zj5pQtxnx2THmvRykwL4Xlxoa8I9lHBlVbbyPhgyPMioxVZ4NqyxaVVtaJnzsyOidQIhyyQ=="
+    },
+    "lodash._reinterpolate": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/lodash._reinterpolate/-/lodash._reinterpolate-3.0.0.tgz",
+      "integrity": "sha1-DM8tiRZq8Ds2Y8eWU4t1rG4RTZ0="
+    },
+    "lodash.camelcase": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/lodash.camelcase/-/lodash.camelcase-4.3.0.tgz",
+      "integrity": "sha1-soqmKIorn8ZRA1x3EfZathkDMaY="
+    },
+    "lodash.curry": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/lodash.curry/-/lodash.curry-4.1.1.tgz",
+      "integrity": "sha1-JI42By7ekGUB11lmIAqG2riyMXA="
+    },
+    "lodash.isequal": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/lodash.isequal/-/lodash.isequal-4.5.0.tgz",
+      "integrity": "sha1-QVxEePK8wwEgwizhDtMib30+GOA="
+    },
+    "lodash.isstring": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/lodash.isstring/-/lodash.isstring-4.0.1.tgz",
+      "integrity": "sha1-1SfftUVuynzJu5XV2ur4i6VKVFE="
+    },
+    "lodash.template": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/lodash.template/-/lodash.template-4.5.0.tgz",
+      "integrity": "sha512-84vYFxIkmidUiFxidA/KjjH9pAycqW+h980j7Fuz5qxRtO9pgB7MDFTdys1N7A5mcucRiDyEq4fusljItR1T/A==",
+      "requires": {
+        "lodash._reinterpolate": "^3.0.0",
+        "lodash.templatesettings": "^4.0.0"
+      }
+    },
+    "lodash.templatesettings": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/lodash.templatesettings/-/lodash.templatesettings-4.2.0.tgz",
+      "integrity": "sha512-stgLz+i3Aa9mZgnjr/O+v9ruKZsPsndy7qPZOchbqk2cnTU1ZaldKK+v7m54WoKIyxiuMZTKT2H81F8BeAc3ZQ==",
+      "requires": {
+        "lodash._reinterpolate": "^3.0.0"
+      }
+    },
+    "lodash.throttle": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/lodash.throttle/-/lodash.throttle-4.1.1.tgz",
+      "integrity": "sha1-wj6RtxAkKscMN/HhzaknTMOb8vQ="
+    },
+    "lodash.unescape": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/lodash.unescape/-/lodash.unescape-4.0.1.tgz",
+      "integrity": "sha1-vyJJiGzlFM2hEvrpIYzcBlIR/Jw="
+    },
+    "lodash.uniq": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/lodash.uniq/-/lodash.uniq-4.5.0.tgz",
+      "integrity": "sha1-0CJTc662Uq3BvILklFM5qEJ1R3M="
+    },
+    "log-symbols": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-3.0.0.tgz",
+      "integrity": "sha512-dSkNGuI7iG3mfvDzUuYZyvk5dD9ocYCYzNU6CYDE6+Xqd+gwme6Z00NS3dUh8mq/73HaEtT7m6W+yUPtU6BZnQ==",
+      "requires": {
+        "chalk": "^2.4.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "log-update": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/log-update/-/log-update-2.3.0.tgz",
+      "integrity": "sha1-iDKP19HOeTiykoN0bwsbwSayRwg=",
+      "requires": {
+        "ansi-escapes": "^3.0.0",
+        "cli-cursor": "^2.0.0",
+        "wrap-ansi": "^3.0.1"
+      },
+      "dependencies": {
+        "ansi-escapes": {
+          "version": "3.2.0",
+          "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-3.2.0.tgz",
+          "integrity": "sha512-cBhpre4ma+U0T1oM5fXg7Dy1Jw7zzwv7lt/GoCpr+hDQJoYnKVPLL4dCvSEFMmQurOQvSrwT7SL/DAlhBI97RQ=="
+        },
+        "ansi-regex": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
+          "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
+        },
+        "cli-cursor": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-2.1.0.tgz",
+          "integrity": "sha1-s12sN2R5+sw+lHR9QdDQ9SOP/LU=",
+          "requires": {
+            "restore-cursor": "^2.0.0"
+          }
+        },
+        "onetime": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/onetime/-/onetime-2.0.1.tgz",
+          "integrity": "sha1-BnQoIw/WdEOyeUsiu6UotoZ5YtQ=",
+          "requires": {
+            "mimic-fn": "^1.0.0"
+          }
+        },
+        "restore-cursor": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-2.0.0.tgz",
+          "integrity": "sha1-n37ih/gv0ybU/RYpI9YhKe7g368=",
+          "requires": {
+            "onetime": "^2.0.0",
+            "signal-exit": "^3.0.2"
+          }
+        },
+        "string-width": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/string-width/-/string-width-2.1.1.tgz",
+          "integrity": "sha512-nOqH59deCq9SRHlxq1Aw85Jnt4w6KvLKqWVik6oA9ZklXLNIOlqg4F2yrT1MVaTjAqvVwdfeZ7w7aCvJD7ugkw==",
+          "requires": {
+            "is-fullwidth-code-point": "^2.0.0",
+            "strip-ansi": "^4.0.0"
+          }
+        },
+        "strip-ansi": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-4.0.0.tgz",
+          "integrity": "sha1-qEeQIusaw2iocTibY1JixQXuNo8=",
+          "requires": {
+            "ansi-regex": "^3.0.0"
+          }
+        },
+        "wrap-ansi": {
+          "version": "3.0.1",
+          "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-3.0.1.tgz",
+          "integrity": "sha1-KIoE2H7aXChuBg3+jxNc6NAH+Lo=",
+          "requires": {
+            "string-width": "^2.1.1",
+            "strip-ansi": "^4.0.0"
+          }
+        }
+      }
+    },
+    "logalot": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/logalot/-/logalot-2.1.0.tgz",
+      "integrity": "sha1-X46MkNME7fElMJUaVVSruMXj9VI=",
+      "requires": {
+        "figures": "^1.3.5",
+        "squeak": "^1.0.0"
+      },
+      "dependencies": {
+        "figures": {
+          "version": "1.7.0",
+          "resolved": "https://registry.npmjs.org/figures/-/figures-1.7.0.tgz",
+          "integrity": "sha1-y+Hjr/zxzUS4DK3+0o3Hk6lwHS4=",
+          "requires": {
+            "escape-string-regexp": "^1.0.5",
+            "object-assign": "^4.1.0"
+          }
+        }
+      }
+    },
+    "longest": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/longest/-/longest-1.0.1.tgz",
+      "integrity": "sha1-MKCy2jj3N3DoKUoNIuZiXtd9AJc="
+    },
+    "longest-streak": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/longest-streak/-/longest-streak-2.0.3.tgz",
+      "integrity": "sha512-9lz5IVdpwsKLMzQi0MQ+oD9EA0mIGcWYP7jXMTZVXP8D42PwuAk+M/HBFYQoxt1G5OR8m7aSIgb1UymfWGBWEw=="
+    },
+    "loose-envify": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz",
+      "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==",
+      "requires": {
+        "js-tokens": "^3.0.0 || ^4.0.0"
+      }
+    },
+    "loud-rejection": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/loud-rejection/-/loud-rejection-1.6.0.tgz",
+      "integrity": "sha1-W0b4AUft7leIcPCG0Eghz5mOVR8=",
+      "requires": {
+        "currently-unhandled": "^0.4.1",
+        "signal-exit": "^3.0.0"
+      }
+    },
+    "lower-case": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/lower-case/-/lower-case-2.0.1.tgz",
+      "integrity": "sha512-LiWgfDLLb1dwbFQZsSglpRj+1ctGnayXz3Uv0/WO8n558JycT5fg6zkNcnW0G68Nn0aEldTFeEfmjCfmqry/rQ==",
+      "requires": {
+        "tslib": "^1.10.0"
+      }
+    },
+    "lowercase-keys": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/lowercase-keys/-/lowercase-keys-1.0.1.tgz",
+      "integrity": "sha512-G2Lj61tXDnVFFOi8VZds+SoQjtQC3dgokKdDG2mTm1tx4m50NUHBOZSBwQQHyy0V12A0JTG4icfZQH+xPyh8VA=="
+    },
+    "lowlight": {
+      "version": "1.13.0",
+      "resolved": "https://registry.npmjs.org/lowlight/-/lowlight-1.13.0.tgz",
+      "integrity": "sha512-bFXLa+UO1eM3zieFAcNqf6rTQ1D5ERFv64/euQbbH/LT3U9XXwH6tOrgUAGWDsQ1QgN3ZhgOcv8p3/S+qKGdTQ==",
+      "requires": {
+        "fault": "^1.0.2",
+        "highlight.js": "~9.16.0"
+      },
+      "dependencies": {
+        "highlight.js": {
+          "version": "9.16.2",
+          "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-9.16.2.tgz",
+          "integrity": "sha512-feMUrVLZvjy0oC7FVJQcSQRqbBq9kwqnYE4+Kj9ZjbHh3g+BisiPgF49NyQbVLNdrL/qqZr3Ca9yOKwgn2i/tw=="
+        }
+      }
+    },
+    "lpad-align": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/lpad-align/-/lpad-align-1.1.2.tgz",
+      "integrity": "sha1-IfYArBwwlcPG5JfuZyce4ISB/p4=",
+      "requires": {
+        "get-stdin": "^4.0.1",
+        "indent-string": "^2.1.0",
+        "longest": "^1.0.0",
+        "meow": "^3.3.0"
+      },
+      "dependencies": {
+        "get-stdin": {
+          "version": "4.0.1",
+          "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-4.0.1.tgz",
+          "integrity": "sha1-uWjGsKBDhDJJAui/Gl3zJXmkUP4="
+        },
+        "indent-string": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-2.1.0.tgz",
+          "integrity": "sha1-ji1INIdCEhtKghi3oTfppSBJ3IA=",
+          "requires": {
+            "repeating": "^2.0.0"
+          }
+        }
+      }
+    },
+    "lru-cache": {
+      "version": "4.1.5",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-4.1.5.tgz",
+      "integrity": "sha512-sWZlbEP2OsHNkXrMl5GYk/jKk70MBng6UU4YI/qGDYbgf6YbP4EvmqISbXCoJiRKs+1bSpFHVgQxvJ17F2li5g==",
+      "requires": {
+        "pseudomap": "^1.0.2",
+        "yallist": "^2.1.2"
+      }
+    },
+    "make-dir": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-1.3.0.tgz",
+      "integrity": "sha512-2w31R7SJtieJJnQtGc7RVL2StM2vGYVfqUOvUDxH6bC6aJTxPxTF0GnIgCyu7tjockiUWAYQRbxa7vKn34s5sQ==",
+      "requires": {
+        "pify": "^3.0.0"
+      },
+      "dependencies": {
+        "pify": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+          "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+        }
+      }
+    },
+    "mamacro": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/mamacro/-/mamacro-0.0.3.tgz",
+      "integrity": "sha512-qMEwh+UujcQ+kbz3T6V+wAmO2U8veoq2w+3wY8MquqwVA3jChfwY+Tk52GZKDfACEPjuZ7r2oJLejwpt8jtwTA=="
+    },
+    "map-cache": {
+      "version": "0.2.2",
+      "resolved": "https://registry.npmjs.org/map-cache/-/map-cache-0.2.2.tgz",
+      "integrity": "sha1-wyq9C9ZSXZsFFkW7TyasXcmKDb8="
+    },
+    "map-obj": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/map-obj/-/map-obj-1.0.1.tgz",
+      "integrity": "sha1-2TPOuSBdgr3PSIb2dCvcK03qFG0="
+    },
+    "map-visit": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/map-visit/-/map-visit-1.0.0.tgz",
+      "integrity": "sha1-7Nyo8TFE5mDxtb1B8S80edmN+48=",
+      "requires": {
+        "object-visit": "^1.0.0"
+      }
+    },
+    "markdown-escapes": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/markdown-escapes/-/markdown-escapes-1.0.3.tgz",
+      "integrity": "sha512-XUi5HJhhV5R74k8/0H2oCbCiYf/u4cO/rX8tnGkRvrqhsr5BRNU6Mg0yt/8UIx1iIS8220BNJsDb7XnILhLepw=="
+    },
+    "markdown-table": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/markdown-table/-/markdown-table-1.1.3.tgz",
+      "integrity": "sha512-1RUZVgQlpJSPWYbFSpmudq5nHY1doEIv89gBtF0s4gW1GF2XorxcA/70M5vq7rLv0a6mhOUccRsqkwhwLCIQ2Q=="
+    },
+    "marked": {
+      "version": "0.7.0",
+      "resolved": "https://registry.npmjs.org/marked/-/marked-0.7.0.tgz",
+      "integrity": "sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg=="
+    },
+    "md5": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/md5/-/md5-2.2.1.tgz",
+      "integrity": "sha1-U6s41f48iJG6RlMp6iP6wFQBJvk=",
+      "requires": {
+        "charenc": "~0.0.1",
+        "crypt": "~0.0.1",
+        "is-buffer": "~1.1.1"
+      }
+    },
+    "md5.js": {
+      "version": "1.3.5",
+      "resolved": "https://registry.npmjs.org/md5.js/-/md5.js-1.3.5.tgz",
+      "integrity": "sha512-xitP+WxNPcTTOgnTJcrhM0xvdPepipPSf3I8EIpGKeFLjt3PlJLIDG3u8EX53ZIubkb+5U2+3rELYpEhHhzdkg==",
+      "requires": {
+        "hash-base": "^3.0.0",
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.1.2"
+      }
+    },
+    "mdast-squeeze-paragraphs": {
+      "version": "3.0.5",
+      "resolved": "https://registry.npmjs.org/mdast-squeeze-paragraphs/-/mdast-squeeze-paragraphs-3.0.5.tgz",
+      "integrity": "sha512-xX6Vbe348Y/rukQlG4W3xH+7v4ZlzUbSY4HUIQCuYrF2DrkcHx584mCaFxkWoDZKNUfyLZItHC9VAqX3kIP7XA==",
+      "requires": {
+        "unist-util-remove": "^1.0.0"
+      }
+    },
+    "mdast-util-compact": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/mdast-util-compact/-/mdast-util-compact-1.0.4.tgz",
+      "integrity": "sha512-3YDMQHI5vRiS2uygEFYaqckibpJtKq5Sj2c8JioeOQBU6INpKbdWzfyLqFFnDwEcEnRFIdMsguzs5pC1Jp4Isg==",
+      "requires": {
+        "unist-util-visit": "^1.1.0"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-1.4.1.tgz",
+          "integrity": "sha512-AvGNk7Bb//EmJZyhtRUnNMEpId/AZ5Ph/KUpTI09WHQuDZHKovQ1oEv3mfmKpWKtoMzyMC4GLBm1Zy5k12fjIw==",
+          "requires": {
+            "unist-util-visit-parents": "^2.0.0"
+          }
+        }
+      }
+    },
+    "mdast-util-definitions": {
+      "version": "1.2.5",
+      "resolved": "https://registry.npmjs.org/mdast-util-definitions/-/mdast-util-definitions-1.2.5.tgz",
+      "integrity": "sha512-CJXEdoLfiISCDc2JB6QLb79pYfI6+GcIH+W2ox9nMc7od0Pz+bovcHsiq29xAQY6ayqe/9CsK2VzkSJdg1pFYA==",
+      "requires": {
+        "unist-util-visit": "^1.0.0"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-1.4.1.tgz",
+          "integrity": "sha512-AvGNk7Bb//EmJZyhtRUnNMEpId/AZ5Ph/KUpTI09WHQuDZHKovQ1oEv3mfmKpWKtoMzyMC4GLBm1Zy5k12fjIw==",
+          "requires": {
+            "unist-util-visit-parents": "^2.0.0"
+          }
+        }
+      }
+    },
+    "mdast-util-to-hast": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-6.0.2.tgz",
+      "integrity": "sha512-GjcOimC9qHI0yNFAQdBesrZXzUkRdFleQlcoU8+TVNfDW6oLUazUx8MgUoTaUyCJzBOnE5AOgqhpURrSlf0QwQ==",
+      "requires": {
+        "collapse-white-space": "^1.0.0",
+        "detab": "^2.0.0",
+        "mdast-util-definitions": "^1.2.0",
+        "mdurl": "^1.0.1",
+        "trim": "0.0.1",
+        "trim-lines": "^1.0.0",
+        "unist-builder": "^1.0.1",
+        "unist-util-generated": "^1.1.0",
+        "unist-util-position": "^3.0.0",
+        "unist-util-visit": "^1.1.0",
+        "xtend": "^4.0.1"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-1.4.1.tgz",
+          "integrity": "sha512-AvGNk7Bb//EmJZyhtRUnNMEpId/AZ5Ph/KUpTI09WHQuDZHKovQ1oEv3mfmKpWKtoMzyMC4GLBm1Zy5k12fjIw==",
+          "requires": {
+            "unist-util-visit-parents": "^2.0.0"
+          }
+        }
+      }
+    },
+    "mdast-util-to-string": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/mdast-util-to-string/-/mdast-util-to-string-1.0.7.tgz",
+      "integrity": "sha512-P+gdtssCoHOX+eJUrrC30Sixqao86ZPlVjR5NEAoy0U79Pfxb1Y0Gntei0+GrnQD4T04X9xA8tcugp90cSmNow=="
+    },
+    "mdn-data": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.0.4.tgz",
+      "integrity": "sha512-iV3XNKw06j5Q7mi6h+9vbx23Tv7JkjEVgKHW4pimwyDGWm0OIQntJJ+u1C6mg6mK1EaTv42XQ7w76yuzH7M2cA=="
+    },
+    "mdurl": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-1.0.1.tgz",
+      "integrity": "sha1-/oWy7HWlkDfyrf7BAP1sYBdhFS4="
+    },
+    "media-typer": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
+      "integrity": "sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g="
+    },
+    "memory-fs": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/memory-fs/-/memory-fs-0.4.1.tgz",
+      "integrity": "sha1-OpoguEYlI+RHz7x+i7gO1me/xVI=",
+      "requires": {
+        "errno": "^0.1.3",
+        "readable-stream": "^2.0.1"
+      }
+    },
+    "meow": {
+      "version": "3.7.0",
+      "resolved": "https://registry.npmjs.org/meow/-/meow-3.7.0.tgz",
+      "integrity": "sha1-cstmi0JSKCkKu/qFaJJYcwioAfs=",
+      "requires": {
+        "camelcase-keys": "^2.0.0",
+        "decamelize": "^1.1.2",
+        "loud-rejection": "^1.0.0",
+        "map-obj": "^1.0.1",
+        "minimist": "^1.1.3",
+        "normalize-package-data": "^2.3.4",
+        "object-assign": "^4.0.1",
+        "read-pkg-up": "^1.0.1",
+        "redent": "^1.0.0",
+        "trim-newlines": "^1.0.0"
+      },
+      "dependencies": {
+        "find-up": {
+          "version": "1.1.2",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-1.1.2.tgz",
+          "integrity": "sha1-ay6YIrGizgpgq2TWEOzK1TyyTQ8=",
+          "requires": {
+            "path-exists": "^2.0.0",
+            "pinkie-promise": "^2.0.0"
+          }
+        },
+        "load-json-file": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-1.1.0.tgz",
+          "integrity": "sha1-lWkFcI1YtLq0wiYbBPWfMcmTdMA=",
+          "requires": {
+            "graceful-fs": "^4.1.2",
+            "parse-json": "^2.2.0",
+            "pify": "^2.0.0",
+            "pinkie-promise": "^2.0.0",
+            "strip-bom": "^2.0.0"
+          }
+        },
+        "path-exists": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-2.1.0.tgz",
+          "integrity": "sha1-D+tsZPD8UY2adU3V77YscCJ2H0s=",
+          "requires": {
+            "pinkie-promise": "^2.0.0"
+          }
+        },
+        "path-type": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/path-type/-/path-type-1.1.0.tgz",
+          "integrity": "sha1-WcRPfuSR2nBNpBXaWkBwuk+P5EE=",
+          "requires": {
+            "graceful-fs": "^4.1.2",
+            "pify": "^2.0.0",
+            "pinkie-promise": "^2.0.0"
+          }
+        },
+        "read-pkg": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-1.1.0.tgz",
+          "integrity": "sha1-9f+qXs0pyzHAR0vKfXVra7KePyg=",
+          "requires": {
+            "load-json-file": "^1.0.0",
+            "normalize-package-data": "^2.3.2",
+            "path-type": "^1.0.0"
+          }
+        },
+        "read-pkg-up": {
+          "version": "1.0.1",
+          "resolved": "https://registry.npmjs.org/read-pkg-up/-/read-pkg-up-1.0.1.tgz",
+          "integrity": "sha1-nWPBMnbAZZGNV/ACpX9AobZD+wI=",
+          "requires": {
+            "find-up": "^1.0.0",
+            "read-pkg": "^1.0.0"
+          }
+        },
+        "strip-bom": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-2.0.0.tgz",
+          "integrity": "sha1-YhmoVhZSBJHzV4i9vxRHqZx+aw4=",
+          "requires": {
+            "is-utf8": "^0.2.0"
+          }
+        }
+      }
+    },
+    "merge-descriptors": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz",
+      "integrity": "sha1-sAqqVW3YtEVoFQ7J0blT8/kMu2E="
+    },
+    "merge-stream": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/merge-stream/-/merge-stream-2.0.0.tgz",
+      "integrity": "sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w=="
+    },
+    "merge2": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.3.0.tgz",
+      "integrity": "sha512-2j4DAdlBOkiSZIsaXk4mTE3sRS02yBHAtfy127xRV3bQUFqXkjHCHLW6Scv7DwNRbIWNHH8zpnz9zMaKXIdvYw=="
+    },
+    "methods": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
+      "integrity": "sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4="
+    },
+    "microevent.ts": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/microevent.ts/-/microevent.ts-0.1.1.tgz",
+      "integrity": "sha512-jo1OfR4TaEwd5HOrt5+tAZ9mqT4jmpNAusXtyfNzqVm9uiSYFZlKM1wYL4oU7azZW/PxQW53wM0S6OR1JHNa2g=="
+    },
+    "micromatch": {
+      "version": "3.1.10",
+      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz",
+      "integrity": "sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==",
+      "requires": {
+        "arr-diff": "^4.0.0",
+        "array-unique": "^0.3.2",
+        "braces": "^2.3.1",
+        "define-property": "^2.0.2",
+        "extend-shallow": "^3.0.2",
+        "extglob": "^2.0.4",
+        "fragment-cache": "^0.2.1",
+        "kind-of": "^6.0.2",
+        "nanomatch": "^1.2.9",
+        "object.pick": "^1.3.0",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.2"
+      }
+    },
+    "miller-rabin": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/miller-rabin/-/miller-rabin-4.0.1.tgz",
+      "integrity": "sha512-115fLhvZVqWwHPbClyntxEVfVDfl9DLLTuJvq3g2O/Oxi8AiNouAHvDSzHS0viUJc+V5vm3eq91Xwqn9dp4jRA==",
+      "requires": {
+        "bn.js": "^4.0.0",
+        "brorand": "^1.0.1"
+      }
+    },
+    "mime": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
+      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg=="
+    },
+    "mime-db": {
+      "version": "1.42.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.42.0.tgz",
+      "integrity": "sha512-UbfJCR4UAVRNgMpfImz05smAXK7+c+ZntjaA26ANtkXLlOe947Aag5zdIcKQULAiF9Cq4WxBi9jUs5zkA84bYQ=="
+    },
+    "mime-types": {
+      "version": "2.1.25",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.25.tgz",
+      "integrity": "sha512-5KhStqB5xpTAeGqKBAMgwaYMnQik7teQN4IAzC7npDv6kzeU6prfkR67bc87J1kWMPGkoaZSq1npmexMgkmEVg==",
+      "requires": {
+        "mime-db": "1.42.0"
+      }
+    },
+    "mimic-fn": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-1.2.0.tgz",
+      "integrity": "sha512-jf84uxzwiuiIVKiOLpfYk7N46TSy8ubTonmneY9vrpHNAnp0QBt2BxWV9dO3/j+BoVAb+a5G6YDPW3M5HOdMWQ=="
+    },
+    "mimic-response": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/mimic-response/-/mimic-response-1.0.1.tgz",
+      "integrity": "sha512-j5EctnkH7amfV/q5Hgmoal1g2QHFJRraOtmx0JpIqkxhBhI/lJSl1nMpQ45hVarwNETOoWEimndZ4QK0RHxuxQ=="
+    },
+    "mini-css-extract-plugin": {
+      "version": "0.4.3",
+      "resolved": "https://registry.npmjs.org/mini-css-extract-plugin/-/mini-css-extract-plugin-0.4.3.tgz",
+      "integrity": "sha512-Mxs0nxzF1kxPv4TRi2NimewgXlJqh0rGE30vviCU2WHrpbta6wklnUV9dr9FUtoAHmB3p3LeXEC+ZjgHvB0Dzg==",
+      "requires": {
+        "loader-utils": "^1.1.0",
+        "schema-utils": "^1.0.0",
+        "webpack-sources": "^1.1.0"
+      }
+    },
+    "minimalistic-assert": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
+      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="
+    },
+    "minimalistic-crypto-utils": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz",
+      "integrity": "sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo="
+    },
+    "minimatch": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
+      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+      "requires": {
+        "brace-expansion": "^1.1.7"
+      }
+    },
+    "minimist": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+      "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ="
+    },
+    "mississippi": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/mississippi/-/mississippi-3.0.0.tgz",
+      "integrity": "sha512-x471SsVjUtBRtcvd4BzKE9kFC+/2TeWgKCgw0bZcw1b9l2X3QX5vCWgF+KaZaYm87Ss//rHnWryupDrgLvmSkA==",
+      "requires": {
+        "concat-stream": "^1.5.0",
+        "duplexify": "^3.4.2",
+        "end-of-stream": "^1.1.0",
+        "flush-write-stream": "^1.0.0",
+        "from2": "^2.1.0",
+        "parallel-transform": "^1.1.0",
+        "pump": "^3.0.0",
+        "pumpify": "^1.3.3",
+        "stream-each": "^1.1.0",
+        "through2": "^2.0.0"
+      }
+    },
+    "mixin-deep": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.2.tgz",
+      "integrity": "sha512-WRoDn//mXBiJ1H40rqa3vH0toePwSsGb45iInWlTySa+Uu4k3tYUSxa2v1KqAiLtvlrSzaExqS1gtk96A9zvEA==",
+      "requires": {
+        "for-in": "^1.0.2",
+        "is-extendable": "^1.0.1"
+      },
+      "dependencies": {
+        "is-extendable": {
+          "version": "1.0.1",
+          "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-1.0.1.tgz",
+          "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+          "requires": {
+            "is-plain-object": "^2.0.4"
+          }
+        }
+      }
+    },
+    "mkdirp": {
+      "version": "0.5.1",
+      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
+      "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
+      "requires": {
+        "minimist": "0.0.8"
+      },
+      "dependencies": {
+        "minimist": {
+          "version": "0.0.8",
+          "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
+          "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0="
+        }
+      }
+    },
+    "move-concurrently": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/move-concurrently/-/move-concurrently-1.0.1.tgz",
+      "integrity": "sha1-viwAX9oy4LKa8fBdfEszIUxwH5I=",
+      "requires": {
+        "aproba": "^1.1.1",
+        "copy-concurrently": "^1.0.0",
+        "fs-write-stream-atomic": "^1.0.8",
+        "mkdirp": "^0.5.1",
+        "rimraf": "^2.5.4",
+        "run-queue": "^1.0.3"
+      }
+    },
+    "mozjpeg": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/mozjpeg/-/mozjpeg-6.0.1.tgz",
+      "integrity": "sha512-9Z59pJMi8ni+IUvSH5xQwK5tNLw7p3dwDNCZ3o1xE+of3G5Hc/yOz6Ue/YuLiBXU3ZB5oaHPURyPdqfBX/QYJA==",
+      "requires": {
+        "bin-build": "^3.0.0",
+        "bin-wrapper": "^4.0.0",
+        "logalot": "^2.1.0"
+      }
+    },
+    "mri": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/mri/-/mri-1.1.4.tgz",
+      "integrity": "sha512-6y7IjGPm8AzlvoUrwAaw1tLnUBudaS3752vcd8JtrpGGQn+rXIe63LFVHm/YMwtqAuh+LJPCFdlLYPWM1nYn6w=="
+    },
+    "ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "multimatch": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/multimatch/-/multimatch-4.0.0.tgz",
+      "integrity": "sha512-lDmx79y1z6i7RNx0ZGCPq1bzJ6ZoDDKbvh7jxr9SJcWLkShMzXrHbYVpTdnhNM5MXpDUxCQ4DgqVttVXlBgiBQ==",
+      "requires": {
+        "@types/minimatch": "^3.0.3",
+        "array-differ": "^3.0.0",
+        "array-union": "^2.1.0",
+        "arrify": "^2.0.1",
+        "minimatch": "^3.0.4"
+      },
+      "dependencies": {
+        "arrify": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/arrify/-/arrify-2.0.1.tgz",
+          "integrity": "sha512-3duEwti880xqi4eAMN8AyR4a0ByT90zoYdLlevfrvU43vb0YZwZVfxOgxWrLXXXpyugL0hNZc9G6BiB5B3nUug=="
+        }
+      }
+    },
+    "mute-stream": {
+      "version": "0.0.8",
+      "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-0.0.8.tgz",
+      "integrity": "sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA=="
+    },
+    "nan": {
+      "version": "2.14.0",
+      "resolved": "https://registry.npmjs.org/nan/-/nan-2.14.0.tgz",
+      "integrity": "sha512-INOFj37C7k3AfaNTtX8RhsTw7qRy7eLET14cROi9+5HAVbbHuIWUHEauBv5qT4Av2tWasiTY1Jw6puUNqRJXQg==",
+      "optional": true
+    },
+    "nanomatch": {
+      "version": "1.2.13",
+      "resolved": "https://registry.npmjs.org/nanomatch/-/nanomatch-1.2.13.tgz",
+      "integrity": "sha512-fpoe2T0RbHwBTBUOftAfBPaDEi06ufaUai0mE6Yn1kacc3SnTErfb/h+X94VXzI64rKFHYImXSvdwGGCmwOqCA==",
+      "requires": {
+        "arr-diff": "^4.0.0",
+        "array-unique": "^0.3.2",
+        "define-property": "^2.0.2",
+        "extend-shallow": "^3.0.2",
+        "fragment-cache": "^0.2.1",
+        "is-windows": "^1.0.2",
+        "kind-of": "^6.0.2",
+        "object.pick": "^1.3.0",
+        "regex-not": "^1.0.0",
+        "snapdragon": "^0.8.1",
+        "to-regex": "^3.0.1"
+      }
+    },
+    "native-url": {
+      "version": "0.2.4",
+      "resolved": "https://registry.npmjs.org/native-url/-/native-url-0.2.4.tgz",
+      "integrity": "sha512-McE+8BrgMw2ANypdYX9s1L+aUkbWDCEtsBGIbs8TfKBfQrFcZ2jMXX9LxGjOIOtoRXkwLTSlz38XHm8J3U6hgQ==",
+      "requires": {
+        "querystring": "^0.2.0"
+      }
+    },
+    "natural-compare": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/natural-compare/-/natural-compare-1.4.0.tgz",
+      "integrity": "sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc="
+    },
+    "negotiator": {
+      "version": "0.6.2",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.2.tgz",
+      "integrity": "sha512-hZXc7K2e+PgeI1eDBe/10Ard4ekbfrrqG8Ep+8Jmf4JID2bNg7NvCPOZN+kfF574pFQI7mum2AUqDidoKqcTOw=="
+    },
+    "neo-async": {
+      "version": "2.6.1",
+      "resolved": "https://registry.npmjs.org/neo-async/-/neo-async-2.6.1.tgz",
+      "integrity": "sha512-iyam8fBuCUpWeKPGpaNMetEocMt364qkCsfL9JuhjXX6dRnguRVOfk2GZaDpPjcOKiiXCPINZC1GczQ7iTq3Zw=="
+    },
+    "next": {
+      "version": "9.2.0",
+      "resolved": "https://registry.npmjs.org/next/-/next-9.2.0.tgz",
+      "integrity": "sha512-c4gyJotZHuvq9dslum+Z2Z21jjb9qWMYybV+IS9yEg7hTjs8OyKU59snyJ1Bi0ul84OdyLOZ4ytjch9zMw9lEQ==",
+      "requires": {
+        "@ampproject/toolbox-optimizer": "1.1.1",
+        "@babel/core": "7.7.2",
+        "@babel/plugin-proposal-class-properties": "7.7.0",
+        "@babel/plugin-proposal-nullish-coalescing-operator": "7.7.4",
+        "@babel/plugin-proposal-object-rest-spread": "7.6.2",
+        "@babel/plugin-proposal-optional-chaining": "7.7.4",
+        "@babel/plugin-syntax-dynamic-import": "7.2.0",
+        "@babel/plugin-transform-modules-commonjs": "7.7.0",
+        "@babel/plugin-transform-runtime": "7.6.2",
+        "@babel/preset-env": "7.7.1",
+        "@babel/preset-modules": "0.1.1",
+        "@babel/preset-react": "7.7.0",
+        "@babel/preset-typescript": "7.7.2",
+        "@babel/runtime": "7.7.2",
+        "@babel/runtime-corejs2": "7.7.2",
+        "amphtml-validator": "1.0.23",
+        "async-retry": "1.2.3",
+        "async-sema": "3.0.0",
+        "autodll-webpack-plugin": "0.4.2",
+        "babel-core": "7.0.0-bridge.0",
+        "babel-loader": "8.0.6",
+        "babel-plugin-syntax-jsx": "6.18.0",
+        "babel-plugin-transform-define": "2.0.0",
+        "babel-plugin-transform-react-remove-prop-types": "0.4.24",
+        "browserslist": "4.8.3",
+        "cache-loader": "4.1.0",
+        "chalk": "2.4.2",
+        "ci-info": "2.0.0",
+        "compression": "1.7.4",
+        "conf": "5.0.0",
+        "content-type": "1.0.4",
+        "cookie": "0.4.0",
+        "css-loader": "3.3.0",
+        "cssnano-simple": "1.0.0",
+        "devalue": "2.0.1",
+        "etag": "1.8.1",
+        "file-loader": "4.2.0",
+        "find-up": "4.0.0",
+        "fork-ts-checker-webpack-plugin": "3.1.1",
+        "fresh": "0.5.2",
+        "gzip-size": "5.1.1",
+        "ignore-loader": "0.1.2",
+        "is-docker": "2.0.0",
+        "is-wsl": "2.1.1",
+        "jest-worker": "24.9.0",
+        "json5": "2.1.1",
+        "launch-editor": "2.2.1",
+        "loader-utils": "1.2.3",
+        "lodash.curry": "4.1.1",
+        "lru-cache": "5.1.1",
+        "mini-css-extract-plugin": "0.8.0",
+        "mkdirp": "0.5.1",
+        "native-url": "0.2.4",
+        "node-fetch": "2.6.0",
+        "object-assign": "4.1.1",
+        "ora": "3.4.0",
+        "path-to-regexp": "6.1.0",
+        "pnp-webpack-plugin": "1.5.0",
+        "postcss-flexbugs-fixes": "4.1.0",
+        "postcss-loader": "3.0.0",
+        "postcss-preset-env": "6.7.0",
+        "prop-types": "15.7.2",
+        "prop-types-exact": "1.2.0",
+        "raw-body": "2.4.0",
+        "react-error-overlay": "5.1.6",
+        "react-is": "16.8.6",
+        "send": "0.17.1",
+        "source-map": "0.6.1",
+        "string-hash": "1.1.3",
+        "strip-ansi": "5.2.0",
+        "style-loader": "1.0.0",
+        "styled-jsx": "3.2.4",
+        "terser": "4.4.2",
+        "thread-loader": "2.1.3",
+        "unfetch": "4.1.0",
+        "url": "0.11.0",
+        "url-polyfill": "1.1.7",
+        "use-subscription": "1.1.1",
+        "watchpack": "2.0.0-beta.5",
+        "webpack": "4.41.2",
+        "webpack-dev-middleware": "3.7.0",
+        "webpack-hot-middleware": "2.25.0",
+        "webpack-sources": "1.4.3",
+        "whatwg-fetch": "3.0.0"
+      },
+      "dependencies": {
+        "@babel/core": {
+          "version": "7.7.2",
+          "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.7.2.tgz",
+          "integrity": "sha512-eeD7VEZKfhK1KUXGiyPFettgF3m513f8FoBSWiQ1xTvl1RAopLs42Wp9+Ze911I6H0N9lNqJMDgoZT7gHsipeQ==",
+          "requires": {
+            "@babel/code-frame": "^7.5.5",
+            "@babel/generator": "^7.7.2",
+            "@babel/helpers": "^7.7.0",
+            "@babel/parser": "^7.7.2",
+            "@babel/template": "^7.7.0",
+            "@babel/traverse": "^7.7.2",
+            "@babel/types": "^7.7.2",
+            "convert-source-map": "^1.7.0",
+            "debug": "^4.1.0",
+            "json5": "^2.1.0",
+            "lodash": "^4.17.13",
+            "resolve": "^1.3.2",
+            "semver": "^5.4.1",
+            "source-map": "^0.5.0"
+          },
+          "dependencies": {
+            "source-map": {
+              "version": "0.5.7",
+              "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
+              "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w="
+            }
+          }
+        },
+        "@babel/plugin-proposal-class-properties": {
+          "version": "7.7.0",
+          "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-class-properties/-/plugin-proposal-class-properties-7.7.0.tgz",
+          "integrity": "sha512-tufDcFA1Vj+eWvwHN+jvMN6QsV5o+vUlytNKrbMiCeDL0F2j92RURzUsUMWE5EJkLyWxjdUslCsMQa9FWth16A==",
+          "requires": {
+            "@babel/helper-create-class-features-plugin": "^7.7.0",
+            "@babel/helper-plugin-utils": "^7.0.0"
+          }
+        },
+        "@babel/plugin-proposal-object-rest-spread": {
+          "version": "7.6.2",
+          "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-object-rest-spread/-/plugin-proposal-object-rest-spread-7.6.2.tgz",
+          "integrity": "sha512-LDBXlmADCsMZV1Y9OQwMc0MyGZ8Ta/zlD9N67BfQT8uYwkRswiu2hU6nJKrjrt/58aH/vqfQlR/9yId/7A2gWw==",
+          "requires": {
+            "@babel/helper-plugin-utils": "^7.0.0",
+            "@babel/plugin-syntax-object-rest-spread": "^7.2.0"
+          }
+        },
+        "@babel/plugin-transform-modules-commonjs": {
+          "version": "7.7.0",
+          "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-commonjs/-/plugin-transform-modules-commonjs-7.7.0.tgz",
+          "integrity": "sha512-KEMyWNNWnjOom8vR/1+d+Ocz/mILZG/eyHHO06OuBQ2aNhxT62fr4y6fGOplRx+CxCSp3IFwesL8WdINfY/3kg==",
+          "requires": {
+            "@babel/helper-module-transforms": "^7.7.0",
+            "@babel/helper-plugin-utils": "^7.0.0",
+            "@babel/helper-simple-access": "^7.7.0",
+            "babel-plugin-dynamic-import-node": "^2.3.0"
+          }
+        },
+        "@babel/runtime": {
+          "version": "7.7.2",
+          "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.7.2.tgz",
+          "integrity": "sha512-JONRbXbTXc9WQE2mAZd1p0Z3DZ/6vaQIkgYMSTP3KjRCyd7rCZCcfhCyX+YjwcKxcZ82UrxbRD358bpExNgrjw==",
+          "requires": {
+            "regenerator-runtime": "^0.13.2"
+          }
+        },
+        "ansi-regex": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+          "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+        },
+        "browserslist": {
+          "version": "4.8.3",
+          "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.8.3.tgz",
+          "integrity": "sha512-iU43cMMknxG1ClEZ2MDKeonKE1CCrFVkQK2AqO2YWFmvIrx4JWrvQ4w4hQez6EpVI8rHTtqh/ruHHDHSOKxvUg==",
+          "requires": {
+            "caniuse-lite": "^1.0.30001017",
+            "electron-to-chromium": "^1.3.322",
+            "node-releases": "^1.1.44"
+          }
+        },
+        "caniuse-lite": {
+          "version": "1.0.30001021",
+          "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001021.tgz",
+          "integrity": "sha512-wuMhT7/hwkgd8gldgp2jcrUjOU9RXJ4XxGumQeOsUr91l3WwmM68Cpa/ymCnWEDqakwFXhuDQbaKNHXBPgeE9g=="
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "css-loader": {
+          "version": "3.3.0",
+          "resolved": "https://registry.npmjs.org/css-loader/-/css-loader-3.3.0.tgz",
+          "integrity": "sha512-x9Y1vvHe5RR+4tzwFdWExPueK00uqFTCw7mZy+9aE/X1SKWOArm5luaOrtJ4d05IpOwJ6S86b/tVcIdhw1Bu4A==",
+          "requires": {
+            "camelcase": "^5.3.1",
+            "cssesc": "^3.0.0",
+            "icss-utils": "^4.1.1",
+            "loader-utils": "^1.2.3",
+            "normalize-path": "^3.0.0",
+            "postcss": "^7.0.23",
+            "postcss-modules-extract-imports": "^2.0.0",
+            "postcss-modules-local-by-default": "^3.0.2",
+            "postcss-modules-scope": "^2.1.1",
+            "postcss-modules-values": "^3.0.0",
+            "postcss-value-parser": "^4.0.2",
+            "schema-utils": "^2.6.0"
+          }
+        },
+        "cssesc": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz",
+          "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg=="
+        },
+        "file-loader": {
+          "version": "4.2.0",
+          "resolved": "https://registry.npmjs.org/file-loader/-/file-loader-4.2.0.tgz",
+          "integrity": "sha512-+xZnaK5R8kBJrHK0/6HRlrKNamvVS5rjyuju+rnyxRGuwUJwpAMsVzUl5dz6rK8brkzjV6JpcFNjp6NqV0g1OQ==",
+          "requires": {
+            "loader-utils": "^1.2.3",
+            "schema-utils": "^2.0.0"
+          }
+        },
+        "find-up": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.0.0.tgz",
+          "integrity": "sha512-zoH7ZWPkRdgwYCDVoQTzqjG8JSPANhtvLhh4KVUHyKnaUJJrNeFmWIkTcNuJmR3GLMEmGYEf2S2bjgx26JTF+Q==",
+          "requires": {
+            "locate-path": "^5.0.0"
+          }
+        },
+        "icss-utils": {
+          "version": "4.1.1",
+          "resolved": "https://registry.npmjs.org/icss-utils/-/icss-utils-4.1.1.tgz",
+          "integrity": "sha512-4aFq7wvWyMHKgxsH8QQtGpvbASCf+eM3wPRLI6R+MgAnTCZ6STYsRvttLvRWK0Nfif5piF394St3HeJDaljGPA==",
+          "requires": {
+            "postcss": "^7.0.14"
+          }
+        },
+        "is-plain-obj": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-1.1.0.tgz",
+          "integrity": "sha1-caUMhCnfync8kqOQpKA7OfzVHT4="
+        },
+        "locate-path": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+          "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+          "requires": {
+            "p-locate": "^4.1.0"
+          }
+        },
+        "lru-cache": {
+          "version": "5.1.1",
+          "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
+          "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==",
+          "requires": {
+            "yallist": "^3.0.2"
+          }
+        },
+        "mini-css-extract-plugin": {
+          "version": "0.8.0",
+          "resolved": "https://registry.npmjs.org/mini-css-extract-plugin/-/mini-css-extract-plugin-0.8.0.tgz",
+          "integrity": "sha512-MNpRGbNA52q6U92i0qbVpQNsgk7LExy41MdAlG84FeytfDOtRIf/mCHdEgG8rpTKOaNKiqUnZdlptF469hxqOw==",
+          "requires": {
+            "loader-utils": "^1.1.0",
+            "normalize-url": "1.9.1",
+            "schema-utils": "^1.0.0",
+            "webpack-sources": "^1.1.0"
+          },
+          "dependencies": {
+            "schema-utils": {
+              "version": "1.0.0",
+              "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-1.0.0.tgz",
+              "integrity": "sha512-i27Mic4KovM/lnGsy8whRCHhc7VicJajAjTrYg11K9zfZXnYIt4k5F+kZkwjnrhKzLic/HLU4j11mjsz2G/75g==",
+              "requires": {
+                "ajv": "^6.1.0",
+                "ajv-errors": "^1.0.0",
+                "ajv-keywords": "^3.1.0"
+              }
+            }
+          }
+        },
+        "node-releases": {
+          "version": "1.1.45",
+          "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-1.1.45.tgz",
+          "integrity": "sha512-cXvGSfhITKI8qsV116u2FTzH5EWZJfgG7d4cpqwF8I8+1tWpD6AsvvGRKq2onR0DNj1jfqsjkXZsm14JMS7Cyg==",
+          "requires": {
+            "semver": "^6.3.0"
+          },
+          "dependencies": {
+            "semver": {
+              "version": "6.3.0",
+              "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+              "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+            }
+          }
+        },
+        "normalize-url": {
+          "version": "1.9.1",
+          "resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz",
+          "integrity": "sha1-LMDWazHqIwNkWENuNiDYWVTGbDw=",
+          "requires": {
+            "object-assign": "^4.0.1",
+            "prepend-http": "^1.0.0",
+            "query-string": "^4.1.0",
+            "sort-keys": "^1.0.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.2.2",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.2.tgz",
+          "integrity": "sha512-WGR+xHecKTr7EbUEhyLSh5Dube9JtdiG78ufaeLxTgpudf/20KqyMioIUZJAezlTIi6evxuoUs9YXc11cU+yzQ==",
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+          "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+          "requires": {
+            "p-limit": "^2.2.0"
+          }
+        },
+        "p-try": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+          "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+        },
+        "path-to-regexp": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.1.0.tgz",
+          "integrity": "sha512-h9DqehX3zZZDCEm+xbfU0ZmwCGFCAAraPJWMXJ4+v32NjZJilVg3k1TcKsRgIb8IQ/izZSaydDc1OhJCZvs2Dw=="
+        },
+        "postcss": {
+          "version": "7.0.26",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.26.tgz",
+          "integrity": "sha512-IY4oRjpXWYshuTDFxMVkJDtWIk2LhsTlu8bZnbEJA4+bYT16Lvpo8Qv6EvDumhYRgzjZl489pmsY3qVgJQ08nA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "6.1.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+              "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss-modules-extract-imports": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/postcss-modules-extract-imports/-/postcss-modules-extract-imports-2.0.0.tgz",
+          "integrity": "sha512-LaYLDNS4SG8Q5WAWqIJgdHPJrDDr/Lv775rMBFUbgjTz6j34lUznACHcdRWroPvXANP2Vj7yNK57vp9eFqzLWQ==",
+          "requires": {
+            "postcss": "^7.0.5"
+          }
+        },
+        "postcss-modules-local-by-default": {
+          "version": "3.0.2",
+          "resolved": "https://registry.npmjs.org/postcss-modules-local-by-default/-/postcss-modules-local-by-default-3.0.2.tgz",
+          "integrity": "sha512-jM/V8eqM4oJ/22j0gx4jrp63GSvDH6v86OqyTHHUvk4/k1vceipZsaymiZ5PvocqZOl5SFHiFJqjs3la0wnfIQ==",
+          "requires": {
+            "icss-utils": "^4.1.1",
+            "postcss": "^7.0.16",
+            "postcss-selector-parser": "^6.0.2",
+            "postcss-value-parser": "^4.0.0"
+          }
+        },
+        "postcss-modules-scope": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/postcss-modules-scope/-/postcss-modules-scope-2.1.1.tgz",
+          "integrity": "sha512-OXRUPecnHCg8b9xWvldG/jUpRIGPNRka0r4D4j0ESUU2/5IOnpsjfPPmDprM3Ih8CgZ8FXjWqaniK5v4rWt3oQ==",
+          "requires": {
+            "postcss": "^7.0.6",
+            "postcss-selector-parser": "^6.0.0"
+          }
+        },
+        "postcss-modules-values": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/postcss-modules-values/-/postcss-modules-values-3.0.0.tgz",
+          "integrity": "sha512-1//E5jCBrZ9DmRX+zCtmQtRSV6PV42Ix7Bzj9GbwJceduuf7IqP8MgeTXuRDHOWj2m0VzZD5+roFWDuU8RQjcg==",
+          "requires": {
+            "icss-utils": "^4.0.0",
+            "postcss": "^7.0.6"
+          }
+        },
+        "postcss-selector-parser": {
+          "version": "6.0.2",
+          "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.2.tgz",
+          "integrity": "sha512-36P2QR59jDTOAiIkqEprfJDsoNrvwFei3eCqKd1Y0tUsBimsq39BLp7RD+JWny3WgB1zGhJX8XVePwm9k4wdBg==",
+          "requires": {
+            "cssesc": "^3.0.0",
+            "indexes-of": "^1.0.1",
+            "uniq": "^1.0.1"
+          }
+        },
+        "postcss-value-parser": {
+          "version": "4.0.2",
+          "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.0.2.tgz",
+          "integrity": "sha512-LmeoohTpp/K4UiyQCwuGWlONxXamGzCMtFxLq4W1nZVGIQLYvMCJx3yAF9qyyuFpflABI9yVdtJAqbihOsCsJQ=="
+        },
+        "prepend-http": {
+          "version": "1.0.4",
+          "resolved": "https://registry.npmjs.org/prepend-http/-/prepend-http-1.0.4.tgz",
+          "integrity": "sha1-1PRWKwzjaW5BrFLQ4ALlemNdxtw="
+        },
+        "query-string": {
+          "version": "4.3.4",
+          "resolved": "https://registry.npmjs.org/query-string/-/query-string-4.3.4.tgz",
+          "integrity": "sha1-u7aTucqRXCMlFbIosaArYJBD2+s=",
+          "requires": {
+            "object-assign": "^4.1.0",
+            "strict-uri-encode": "^1.0.0"
+          }
+        },
+        "react-is": {
+          "version": "16.8.6",
+          "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.8.6.tgz",
+          "integrity": "sha512-aUk3bHfZ2bRSVFFbbeVS4i+lNPZr3/WM5jT2J5omUVV1zzcs1nAaf3l51ctA5FFvCRbhrH0bdAsRRQddFJZPtA=="
+        },
+        "schema-utils": {
+          "version": "2.6.4",
+          "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-2.6.4.tgz",
+          "integrity": "sha512-VNjcaUxVnEeun6B2fiiUDjXXBtD4ZSH7pdbfIu1pOFwgptDPLMo/z9jr4sUfsjFVPqDCEin/F7IYlq7/E6yDbQ==",
+          "requires": {
+            "ajv": "^6.10.2",
+            "ajv-keywords": "^3.4.1"
+          }
+        },
+        "sort-keys": {
+          "version": "1.1.2",
+          "resolved": "https://registry.npmjs.org/sort-keys/-/sort-keys-1.1.2.tgz",
+          "integrity": "sha1-RBttTTRnmPG05J6JIK37oOVD+a0=",
+          "requires": {
+            "is-plain-obj": "^1.0.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "strip-ansi": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+          "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+          "requires": {
+            "ansi-regex": "^4.1.0"
+          }
+        },
+        "yallist": {
+          "version": "3.1.1",
+          "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
+          "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="
+        }
+      }
+    },
+    "next-mdx-enhanced": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/next-mdx-enhanced/-/next-mdx-enhanced-2.3.0.tgz",
+      "integrity": "sha512-KnM7qyJ2QKig4lD+Ob1m7q/w/m//XjNg+hIOnDOmQKxro9Ip/g9oynPWuI9KpUFQjzAQRfsoiI72xcOHOq6ypA==",
+      "requires": {
+        "@mdx-js/loader": "^1.5.1",
+        "debug": "^4.1.1",
+        "fs-extra": "^8.1.0",
+        "glob": "^7.1.6",
+        "gray-matter": "^4.0.2",
+        "loader-utils": "^1.2.3",
+        "prebuild-webpack-plugin": "1.1.0",
+        "stringify-object": "^3.3.0"
+      }
+    },
+    "next-optimized-images": {
+      "version": "2.5.4",
+      "resolved": "https://registry.npmjs.org/next-optimized-images/-/next-optimized-images-2.5.4.tgz",
+      "integrity": "sha512-Vv/1NM1oeBm7ry2bfUzhqDtd5kHEuluEX0E6pdguVqrWIxa5WJzX4JwWlUR7OxD3BECa5uA13C0XkCtjG1Sdtg==",
+      "requires": {
+        "chalk": "^2.4.2",
+        "figures": "^3.0.0",
+        "file-loader": "^3.0.1",
+        "imagemin": "^6.1.0",
+        "img-loader": "^3.0.1",
+        "raw-loader": "^2.0.0",
+        "url-loader": "^1.1.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "next-plugin-graphql": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/next-plugin-graphql/-/next-plugin-graphql-0.0.2.tgz",
+      "integrity": "sha512-PgRqONNSF+lTyrtraNC7wJWNYq1U4v4jgIHmvTXYvdtYEz7oeuNNqk3N8mlunV2WzntpSFSe0BCdinRN25tkmQ==",
+      "requires": {
+        "graphql-tag": "^2.10.0"
+      }
+    },
+    "next-routes": {
+      "version": "1.4.2",
+      "resolved": "https://registry.npmjs.org/next-routes/-/next-routes-1.4.2.tgz",
+      "integrity": "sha512-1Ljs0BEV9IGcJLKxC/WZUtmftSvmkY6DlI8fVs8dClCoR82QRzBGRka/L/XB76wE5814MMeP9qVJYQil0FE9QQ==",
+      "requires": {
+        "path-to-regexp": "^2.1.0"
+      },
+      "dependencies": {
+        "path-to-regexp": {
+          "version": "2.4.0",
+          "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-2.4.0.tgz",
+          "integrity": "sha512-G6zHoVqC6GGTQkZwF4lkuEyMbVOjoBKAEybQUypI1WTkqinCOrq2x6U2+phkJ1XsEMTy4LjtwPI7HW+NVrRR2w=="
+        }
+      }
+    },
+    "next-transpile-modules": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/next-transpile-modules/-/next-transpile-modules-2.3.1.tgz",
+      "integrity": "sha512-euNOBAk/CXZA6binwL47+QpcxAmK1pzH2zjF7XnRN55f2iuN/ecpUw5p3x4bikFu0yDPtSLS92nv9fcgcCo0vg=="
+    },
+    "nice-try": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/nice-try/-/nice-try-1.0.5.tgz",
+      "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ=="
+    },
+    "no-case": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/no-case/-/no-case-3.0.3.tgz",
+      "integrity": "sha512-ehY/mVQCf9BL0gKfsJBvFJen+1V//U+0HQMPrWct40ixE4jnv0bfvxDbWtAHL9EcaPEOJHVVYKoQn1TlZUB8Tw==",
+      "requires": {
+        "lower-case": "^2.0.1",
+        "tslib": "^1.10.0"
+      }
+    },
+    "node-fetch": {
+      "version": "2.6.0",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz",
+      "integrity": "sha512-8dG4H5ujfvFiqDmVu9fQ5bOHUC15JMjMY/Zumv26oOvvVJjM67KF8koCWIabKQ1GJIa9r2mMZscBq/TbdOcmNA=="
+    },
+    "node-int64": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/node-int64/-/node-int64-0.4.0.tgz",
+      "integrity": "sha1-h6kGXNs1XTGC2PlM4RGIuCXGijs="
+    },
+    "node-libs-browser": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/node-libs-browser/-/node-libs-browser-2.2.1.tgz",
+      "integrity": "sha512-h/zcD8H9kaDZ9ALUWwlBUDo6TKF8a7qBSCSEGfjTVIYeqsioSKaAX+BN7NgiMGp6iSIXZ3PxgCu8KS3b71YK5Q==",
+      "requires": {
+        "assert": "^1.1.1",
+        "browserify-zlib": "^0.2.0",
+        "buffer": "^4.3.0",
+        "console-browserify": "^1.1.0",
+        "constants-browserify": "^1.0.0",
+        "crypto-browserify": "^3.11.0",
+        "domain-browser": "^1.1.1",
+        "events": "^3.0.0",
+        "https-browserify": "^1.0.0",
+        "os-browserify": "^0.3.0",
+        "path-browserify": "0.0.1",
+        "process": "^0.11.10",
+        "punycode": "^1.2.4",
+        "querystring-es3": "^0.2.0",
+        "readable-stream": "^2.3.3",
+        "stream-browserify": "^2.0.1",
+        "stream-http": "^2.7.2",
+        "string_decoder": "^1.0.0",
+        "timers-browserify": "^2.0.4",
+        "tty-browserify": "0.0.0",
+        "url": "^0.11.0",
+        "util": "^0.11.0",
+        "vm-browserify": "^1.0.1"
+      },
+      "dependencies": {
+        "buffer": {
+          "version": "4.9.2",
+          "resolved": "https://registry.npmjs.org/buffer/-/buffer-4.9.2.tgz",
+          "integrity": "sha512-xq+q3SRMOxGivLhBNaUdC64hDTQwejJ+H0T/NB1XMtTVEwNTrfFF3gAxiyW0Bu/xWEGhjVKgUcMhCrUy2+uCWg==",
+          "requires": {
+            "base64-js": "^1.0.2",
+            "ieee754": "^1.1.4",
+            "isarray": "^1.0.0"
+          }
+        },
+        "punycode": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.4.1.tgz",
+          "integrity": "sha1-wNWmOycYgArY4esPpSachN1BhF4="
+        }
+      }
+    },
+    "node-machine-id": {
+      "version": "1.1.12",
+      "resolved": "https://registry.npmjs.org/node-machine-id/-/node-machine-id-1.1.12.tgz",
+      "integrity": "sha512-QNABxbrPa3qEIfrE6GOJ7BYIuignnJw7iQ2YPbc3Nla1HzRJjXzZOiikfF8m7eAMfichLt3M4VgLOetqgDmgGQ=="
+    },
+    "node-releases": {
+      "version": "1.1.42",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-1.1.42.tgz",
+      "integrity": "sha512-OQ/ESmUqGawI2PRX+XIRao44qWYBBfN54ImQYdWVTQqUckuejOg76ysSqDBK8NG3zwySRVnX36JwDQ6x+9GxzA==",
+      "requires": {
+        "semver": "^6.3.0"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+        }
+      }
+    },
+    "normalize-package-data": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz",
+      "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==",
+      "requires": {
+        "hosted-git-info": "^2.1.4",
+        "resolve": "^1.10.0",
+        "semver": "2 || 3 || 4 || 5",
+        "validate-npm-package-license": "^3.0.1"
+      }
+    },
+    "normalize-path": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA=="
+    },
+    "normalize-range": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz",
+      "integrity": "sha1-LRDAa9/TEuqXd2laTShDlFa3WUI="
+    },
+    "normalize-url": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz",
+      "integrity": "sha512-2s47yzUxdexf1OhyRi4Em83iQk0aPvwTddtFz4hnSSw9dCEsLEGf6SwIO8ss/19S9iBb5sJaOuTvTGDeZI00BQ=="
+    },
+    "npm-conf": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/npm-conf/-/npm-conf-1.1.3.tgz",
+      "integrity": "sha512-Yic4bZHJOt9RCFbRP3GgpqhScOY4HH3V2P8yBj6CeYq118Qr+BLXqT2JvpJ00mryLESpgOxf5XlFv4ZjXxLScw==",
+      "requires": {
+        "config-chain": "^1.1.11",
+        "pify": "^3.0.0"
+      },
+      "dependencies": {
+        "pify": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+          "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+        }
+      }
+    },
+    "npm-run-path": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-2.0.2.tgz",
+      "integrity": "sha1-NakjLfo11wZ7TLLd8jV7GHFTbF8=",
+      "requires": {
+        "path-key": "^2.0.0"
+      }
+    },
+    "nprogress": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/nprogress/-/nprogress-0.2.0.tgz",
+      "integrity": "sha1-y480xTIT2JVyP8urkH6UIq28r7E="
+    },
+    "nth-check": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz",
+      "integrity": "sha512-WeBOdju8SnzPN5vTUJYxYUxLeXpCaVP5i5e0LF8fg7WORF2Wd7wFX/pk0tYZk7s8T+J7VLy0Da6J1+wCT0AtHg==",
+      "requires": {
+        "boolbase": "~1.0.0"
+      }
+    },
+    "nullthrows": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/nullthrows/-/nullthrows-1.1.1.tgz",
+      "integrity": "sha512-2vPPEi+Z7WqML2jZYddDIfy5Dqb0r2fze2zTxNNknZaFpVHU3mFB3R+DWeJWGVx0ecvttSGlJTI+WG+8Z4cDWw=="
+    },
+    "num2fraction": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/num2fraction/-/num2fraction-1.2.2.tgz",
+      "integrity": "sha1-b2gragJ6Tp3fpFZM0lidHU5mnt4="
+    },
+    "number-is-nan": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz",
+      "integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0="
+    },
+    "object-assign": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+      "integrity": "sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM="
+    },
+    "object-copy": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/object-copy/-/object-copy-0.1.0.tgz",
+      "integrity": "sha1-fn2Fi3gb18mRpBupde04EnVOmYw=",
+      "requires": {
+        "copy-descriptor": "^0.1.0",
+        "define-property": "^0.2.5",
+        "kind-of": "^3.0.3"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "0.2.5",
+          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        },
+        "kind-of": {
+          "version": "3.2.2",
+          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "object-inspect": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.7.0.tgz",
+      "integrity": "sha512-a7pEHdh1xKIAgTySUGgLMx/xwDZskN1Ud6egYYN3EdRW4ZMPNEDUTF+hwy2LUC+Bl+SyLXANnwz/jyh/qutKUw=="
+    },
+    "object-keys": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/object-keys/-/object-keys-1.1.1.tgz",
+      "integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA=="
+    },
+    "object-visit": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/object-visit/-/object-visit-1.0.1.tgz",
+      "integrity": "sha1-95xEk68MU3e1n+OdOV5BBC3QRbs=",
+      "requires": {
+        "isobject": "^3.0.0"
+      }
+    },
+    "object.assign": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/object.assign/-/object.assign-4.1.0.tgz",
+      "integrity": "sha512-exHJeq6kBKj58mqGyTQ9DFvrZC/eR6OwxzoM9YRoGBqrXYonaFyGiFMuc9VZrXf7DarreEwMpurG3dd+CNyW5w==",
+      "requires": {
+        "define-properties": "^1.1.2",
+        "function-bind": "^1.1.1",
+        "has-symbols": "^1.0.0",
+        "object-keys": "^1.0.11"
+      }
+    },
+    "object.entries": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/object.entries/-/object.entries-1.1.1.tgz",
+      "integrity": "sha512-ilqR7BgdyZetJutmDPfXCDffGa0/Yzl2ivVNpbx/g4UeWrCdRnFDUBrKJGLhGieRHDATnyZXWBeCb29k9CJysQ==",
+      "requires": {
+        "define-properties": "^1.1.3",
+        "es-abstract": "^1.17.0-next.1",
+        "function-bind": "^1.1.1",
+        "has": "^1.0.3"
+      },
+      "dependencies": {
+        "es-abstract": {
+          "version": "1.17.0",
+          "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.17.0.tgz",
+          "integrity": "sha512-yYkE07YF+6SIBmg1MsJ9dlub5L48Ek7X0qz+c/CPCHS9EBXfESorzng4cJQjJW5/pB6vDF41u7F8vUhLVDqIug==",
+          "requires": {
+            "es-to-primitive": "^1.2.1",
+            "function-bind": "^1.1.1",
+            "has": "^1.0.3",
+            "has-symbols": "^1.0.1",
+            "is-callable": "^1.1.5",
+            "is-regex": "^1.0.5",
+            "object-inspect": "^1.7.0",
+            "object-keys": "^1.1.1",
+            "object.assign": "^4.1.0",
+            "string.prototype.trimleft": "^2.1.1",
+            "string.prototype.trimright": "^2.1.1"
+          }
+        },
+        "is-callable": {
+          "version": "1.1.5",
+          "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.1.5.tgz",
+          "integrity": "sha512-ESKv5sMCJB2jnHTWZ3O5itG+O128Hsus4K4Qh1h2/cgn2vbgnLSVqfV46AeJA9D5EeeLa9w81KUXMtn34zhX+Q=="
+        },
+        "is-regex": {
+          "version": "1.0.5",
+          "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.0.5.tgz",
+          "integrity": "sha512-vlKW17SNq44owv5AQR3Cq0bQPEb8+kF3UKZ2fiZNOWtztYE5i0CzCZxFDwO58qAOWtxdBRVO/V5Qin1wjCqFYQ==",
+          "requires": {
+            "has": "^1.0.3"
+          }
+        },
+        "string.prototype.trimleft": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/string.prototype.trimleft/-/string.prototype.trimleft-2.1.1.tgz",
+          "integrity": "sha512-iu2AGd3PuP5Rp7x2kEZCrB2Nf41ehzh+goo8TV7z8/XDBbsvc6HQIlUl9RjkZ4oyrW1XM5UwlGl1oVEaDjg6Ag==",
+          "requires": {
+            "define-properties": "^1.1.3",
+            "function-bind": "^1.1.1"
+          }
+        },
+        "string.prototype.trimright": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/string.prototype.trimright/-/string.prototype.trimright-2.1.1.tgz",
+          "integrity": "sha512-qFvWL3/+QIgZXVmJBfpHmxLB7xsUXz6HsUmP8+5dRaC3Q7oKUv9Vo6aMCRZC1smrtyECFsIT30PqBJ1gTjAs+g==",
+          "requires": {
+            "define-properties": "^1.1.3",
+            "function-bind": "^1.1.1"
+          }
+        }
+      }
+    },
+    "object.fromentries": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/object.fromentries/-/object.fromentries-2.0.2.tgz",
+      "integrity": "sha512-r3ZiBH7MQppDJVLx6fhD618GKNG40CZYH9wgwdhKxBDDbQgjeWGGd4AtkZad84d291YxvWe7bJGuE65Anh0dxQ==",
+      "requires": {
+        "define-properties": "^1.1.3",
+        "es-abstract": "^1.17.0-next.1",
+        "function-bind": "^1.1.1",
+        "has": "^1.0.3"
+      },
+      "dependencies": {
+        "es-abstract": {
+          "version": "1.17.0",
+          "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.17.0.tgz",
+          "integrity": "sha512-yYkE07YF+6SIBmg1MsJ9dlub5L48Ek7X0qz+c/CPCHS9EBXfESorzng4cJQjJW5/pB6vDF41u7F8vUhLVDqIug==",
+          "requires": {
+            "es-to-primitive": "^1.2.1",
+            "function-bind": "^1.1.1",
+            "has": "^1.0.3",
+            "has-symbols": "^1.0.1",
+            "is-callable": "^1.1.5",
+            "is-regex": "^1.0.5",
+            "object-inspect": "^1.7.0",
+            "object-keys": "^1.1.1",
+            "object.assign": "^4.1.0",
+            "string.prototype.trimleft": "^2.1.1",
+            "string.prototype.trimright": "^2.1.1"
+          }
+        },
+        "is-callable": {
+          "version": "1.1.5",
+          "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.1.5.tgz",
+          "integrity": "sha512-ESKv5sMCJB2jnHTWZ3O5itG+O128Hsus4K4Qh1h2/cgn2vbgnLSVqfV46AeJA9D5EeeLa9w81KUXMtn34zhX+Q=="
+        },
+        "is-regex": {
+          "version": "1.0.5",
+          "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.0.5.tgz",
+          "integrity": "sha512-vlKW17SNq44owv5AQR3Cq0bQPEb8+kF3UKZ2fiZNOWtztYE5i0CzCZxFDwO58qAOWtxdBRVO/V5Qin1wjCqFYQ==",
+          "requires": {
+            "has": "^1.0.3"
+          }
+        },
+        "string.prototype.trimleft": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/string.prototype.trimleft/-/string.prototype.trimleft-2.1.1.tgz",
+          "integrity": "sha512-iu2AGd3PuP5Rp7x2kEZCrB2Nf41ehzh+goo8TV7z8/XDBbsvc6HQIlUl9RjkZ4oyrW1XM5UwlGl1oVEaDjg6Ag==",
+          "requires": {
+            "define-properties": "^1.1.3",
+            "function-bind": "^1.1.1"
+          }
+        },
+        "string.prototype.trimright": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/string.prototype.trimright/-/string.prototype.trimright-2.1.1.tgz",
+          "integrity": "sha512-qFvWL3/+QIgZXVmJBfpHmxLB7xsUXz6HsUmP8+5dRaC3Q7oKUv9Vo6aMCRZC1smrtyECFsIT30PqBJ1gTjAs+g==",
+          "requires": {
+            "define-properties": "^1.1.3",
+            "function-bind": "^1.1.1"
+          }
+        }
+      }
+    },
+    "object.getownpropertydescriptors": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/object.getownpropertydescriptors/-/object.getownpropertydescriptors-2.0.3.tgz",
+      "integrity": "sha1-h1jIRvW0B62rDyNuCYbxSwUcqhY=",
+      "requires": {
+        "define-properties": "^1.1.2",
+        "es-abstract": "^1.5.1"
+      }
+    },
+    "object.pick": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/object.pick/-/object.pick-1.3.0.tgz",
+      "integrity": "sha1-h6EKxMFpS9Lhy/U1kaZhQftd10c=",
+      "requires": {
+        "isobject": "^3.0.1"
+      }
+    },
+    "object.values": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/object.values/-/object.values-1.1.0.tgz",
+      "integrity": "sha512-8mf0nKLAoFX6VlNVdhGj31SVYpaNFtUnuoOXWyFEstsWRgU837AK+JYM0iAxwkSzGRbwn8cbFmgbyxj1j4VbXg==",
+      "requires": {
+        "define-properties": "^1.1.3",
+        "es-abstract": "^1.12.0",
+        "function-bind": "^1.1.1",
+        "has": "^1.0.3"
+      }
+    },
+    "on-finished": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz",
+      "integrity": "sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=",
+      "requires": {
+        "ee-first": "1.1.1"
+      }
+    },
+    "on-headers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
+      "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA=="
+    },
+    "once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=",
+      "requires": {
+        "wrappy": "1"
+      }
+    },
+    "onetime": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/onetime/-/onetime-5.1.0.tgz",
+      "integrity": "sha512-5NcSkPHhwTVFIQN+TUqXoS5+dlElHXdpAWu9I0HP20YOtIi+aZ0Ct82jdlILDxjLEAWwvm+qj1m6aEtsDVmm6Q==",
+      "requires": {
+        "mimic-fn": "^2.1.0"
+      },
+      "dependencies": {
+        "mimic-fn": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-2.1.0.tgz",
+          "integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg=="
+        }
+      }
+    },
+    "open": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/open/-/open-7.0.0.tgz",
+      "integrity": "sha512-K6EKzYqnwQzk+/dzJAQSBORub3xlBTxMz+ntpZpH/LyCa1o6KjXhuN+2npAaI9jaSmU3R1Q8NWf4KUWcyytGsQ==",
+      "requires": {
+        "is-wsl": "^2.1.0"
+      }
+    },
+    "opencollective-postinstall": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/opencollective-postinstall/-/opencollective-postinstall-2.0.2.tgz",
+      "integrity": "sha512-pVOEP16TrAO2/fjej1IdOyupJY8KDUM1CvsaScRbw6oddvpQoOfGk4ywha0HKKVAD6RkW4x6Q+tNBwhf3Bgpuw=="
+    },
+    "opener": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/opener/-/opener-1.5.1.tgz",
+      "integrity": "sha512-goYSy5c2UXE4Ra1xixabeVh1guIX/ZV/YokJksb6q2lubWu6UbvPQ20p542/sFIll1nl8JnCyK9oBaOcCWXwvA=="
+    },
+    "optimism": {
+      "version": "0.10.3",
+      "resolved": "https://registry.npmjs.org/optimism/-/optimism-0.10.3.tgz",
+      "integrity": "sha512-9A5pqGoQk49H6Vhjb9kPgAeeECfUDF6aIICbMDL23kDLStBn1MWk3YvcZ4xWF9CsSf6XEgvRLkXy4xof/56vVw==",
+      "requires": {
+        "@wry/context": "^0.4.0"
+      }
+    },
+    "optimist": {
+      "version": "0.6.1",
+      "resolved": "https://registry.npmjs.org/optimist/-/optimist-0.6.1.tgz",
+      "integrity": "sha1-2j6nRob6IaGaERwybpDrFaAZZoY=",
+      "requires": {
+        "minimist": "~0.0.1",
+        "wordwrap": "~0.0.2"
+      },
+      "dependencies": {
+        "minimist": {
+          "version": "0.0.10",
+          "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz",
+          "integrity": "sha1-3j+YVD2/lggr5IrRoMfNqDYwHc8="
+        }
+      }
+    },
+    "optionator": {
+      "version": "0.8.3",
+      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.8.3.tgz",
+      "integrity": "sha512-+IW9pACdk3XWmmTXG8m3upGUJst5XRGzxMRjXzAuJ1XnIFNvfhjjIuYkDvysnPQ7qzqVzLt78BCruntqRhWQbA==",
+      "requires": {
+        "deep-is": "~0.1.3",
+        "fast-levenshtein": "~2.0.6",
+        "levn": "~0.3.0",
+        "prelude-ls": "~1.1.2",
+        "type-check": "~0.3.2",
+        "word-wrap": "~1.2.3"
+      }
+    },
+    "optipng-bin": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/optipng-bin/-/optipng-bin-6.0.0.tgz",
+      "integrity": "sha512-95bB4y8IaTsa/8x6QH4bLUuyvyOoGBCLDA7wOgDL8UFqJpSUh1Hob8JRJhit+wC1ZLN3tQ7mFt7KuBj0x8F2Wg==",
+      "requires": {
+        "bin-build": "^3.0.0",
+        "bin-wrapper": "^4.0.0",
+        "logalot": "^2.0.0"
+      }
+    },
+    "ora": {
+      "version": "3.4.0",
+      "resolved": "https://registry.npmjs.org/ora/-/ora-3.4.0.tgz",
+      "integrity": "sha512-eNwHudNbO1folBP3JsZ19v9azXWtQZjICdr3Q0TDPIaeBQ3mXLrh54wM+er0+hSp+dWKf+Z8KM58CYzEyIYxYg==",
+      "requires": {
+        "chalk": "^2.4.2",
+        "cli-cursor": "^2.1.0",
+        "cli-spinners": "^2.0.0",
+        "log-symbols": "^2.2.0",
+        "strip-ansi": "^5.2.0",
+        "wcwidth": "^1.0.1"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+          "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+        },
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "cli-cursor": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-2.1.0.tgz",
+          "integrity": "sha1-s12sN2R5+sw+lHR9QdDQ9SOP/LU=",
+          "requires": {
+            "restore-cursor": "^2.0.0"
+          }
+        },
+        "cli-spinners": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/cli-spinners/-/cli-spinners-2.2.0.tgz",
+          "integrity": "sha512-tgU3fKwzYjiLEQgPMD9Jt+JjHVL9kW93FiIMX/l7rivvOD4/LL0Mf7gda3+4U2KJBloybwgj5KEoQgGRioMiKQ=="
+        },
+        "log-symbols": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-2.2.0.tgz",
+          "integrity": "sha512-VeIAFslyIerEJLXHziedo2basKbMKtTw3vfn5IzG0XTjhAVEJyNHnL2p7vc+wBDSdQuUpNw3M2u6xb9QsAY5Eg==",
+          "requires": {
+            "chalk": "^2.0.1"
+          }
+        },
+        "onetime": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/onetime/-/onetime-2.0.1.tgz",
+          "integrity": "sha1-BnQoIw/WdEOyeUsiu6UotoZ5YtQ=",
+          "requires": {
+            "mimic-fn": "^1.0.0"
+          }
+        },
+        "restore-cursor": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-2.0.0.tgz",
+          "integrity": "sha1-n37ih/gv0ybU/RYpI9YhKe7g368=",
+          "requires": {
+            "onetime": "^2.0.0",
+            "signal-exit": "^3.0.2"
+          }
+        },
+        "strip-ansi": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+          "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+          "requires": {
+            "ansi-regex": "^4.1.0"
+          }
+        }
+      }
+    },
+    "os-browserify": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/os-browserify/-/os-browserify-0.3.0.tgz",
+      "integrity": "sha1-hUNzx/XCMVkU/Jv8a9gjj92h7Cc="
+    },
+    "os-filter-obj": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/os-filter-obj/-/os-filter-obj-2.0.0.tgz",
+      "integrity": "sha512-uksVLsqG3pVdzzPvmAHpBK0wKxYItuzZr7SziusRPoz67tGV8rL1szZ6IdeUrbqLjGDwApBtN29eEE3IqGHOjg==",
+      "requires": {
+        "arch": "^2.1.0"
+      }
+    },
+    "os-tmpdir": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz",
+      "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ="
+    },
+    "p-cancelable": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/p-cancelable/-/p-cancelable-1.1.0.tgz",
+      "integrity": "sha512-s73XxOZ4zpt1edZYZzvhqFa6uvQc1vwUa0K0BdtIZgQMAJj9IbebH+JkgKZc9h+B05PKHLOTl4ajG1BmNrVZlw=="
+    },
+    "p-event": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/p-event/-/p-event-1.3.0.tgz",
+      "integrity": "sha1-jmtPT2XHK8W2/ii3XtqHT5akoIU=",
+      "requires": {
+        "p-timeout": "^1.1.1"
+      }
+    },
+    "p-finally": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/p-finally/-/p-finally-1.0.0.tgz",
+      "integrity": "sha1-P7z7FbiZpEEjs0ttzBi3JDNqLK4="
+    },
+    "p-is-promise": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/p-is-promise/-/p-is-promise-1.1.0.tgz",
+      "integrity": "sha1-nJRWmJ6fZYgBewQ01WCXZ1w9oF4="
+    },
+    "p-limit": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-1.3.0.tgz",
+      "integrity": "sha512-vvcXsLAJ9Dr5rQOPk7toZQZJApBl2K4J6dANSsEuh6QI41JYcsS/qhTGa9ErIUUgK3WNQoJYvylxvjqmiqEA9Q==",
+      "requires": {
+        "p-try": "^1.0.0"
+      }
+    },
+    "p-locate": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-2.0.0.tgz",
+      "integrity": "sha1-IKAQOyIqcMj9OcwuWAaA893l7EM=",
+      "requires": {
+        "p-limit": "^1.1.0"
+      }
+    },
+    "p-map": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/p-map/-/p-map-3.0.0.tgz",
+      "integrity": "sha512-d3qXVTF/s+W+CdJ5A29wywV2n8CQQYahlgz2bFiA+4eVNJbHJodPZ+/gXwPGh0bOqA+j8S+6+ckmvLGPk1QpxQ==",
+      "requires": {
+        "aggregate-error": "^3.0.0"
+      }
+    },
+    "p-map-series": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/p-map-series/-/p-map-series-1.0.0.tgz",
+      "integrity": "sha1-v5j+V1cFZYqeE1G++4WuTB8Hvco=",
+      "requires": {
+        "p-reduce": "^1.0.0"
+      }
+    },
+    "p-pipe": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/p-pipe/-/p-pipe-1.2.0.tgz",
+      "integrity": "sha1-SxoROZoRUgpneQ7loMHViB1r7+k="
+    },
+    "p-reduce": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/p-reduce/-/p-reduce-1.0.0.tgz",
+      "integrity": "sha1-GMKw3ZNqRpClKfgjH1ig/bakffo="
+    },
+    "p-timeout": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/p-timeout/-/p-timeout-1.2.1.tgz",
+      "integrity": "sha1-XrOzU7f86Z8QGhA4iAuwVOu+o4Y=",
+      "requires": {
+        "p-finally": "^1.0.0"
+      }
+    },
+    "p-try": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/p-try/-/p-try-1.0.0.tgz",
+      "integrity": "sha1-y8ec26+P1CKOE/Yh8rGiN8GyB7M="
+    },
+    "package-json": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/package-json/-/package-json-6.5.0.tgz",
+      "integrity": "sha512-k3bdm2n25tkyxcjSKzB5x8kfVxlMdgsbPr0GkZcwHsLpba6cBjqCt1KlcChKEvxHIcTB1FVMuwoijZ26xex5MQ==",
+      "requires": {
+        "got": "^9.6.0",
+        "registry-auth-token": "^4.0.0",
+        "registry-url": "^5.0.0",
+        "semver": "^6.2.0"
+      },
+      "dependencies": {
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+        }
+      }
+    },
+    "pako": {
+      "version": "1.0.10",
+      "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.10.tgz",
+      "integrity": "sha512-0DTvPVU3ed8+HNXOu5Bs+o//Mbdj9VNQMUOe9oKCwh8l0GNwpTDMKCWbRjgtD291AWnkAgkqA/LOnQS8AmS1tw=="
+    },
+    "parallel-transform": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/parallel-transform/-/parallel-transform-1.2.0.tgz",
+      "integrity": "sha512-P2vSmIu38uIlvdcU7fDkyrxj33gTUy/ABO5ZUbGowxNCopBq/OoD42bP4UmMrJoPyk4Uqf0mu3mtWBhHCZD8yg==",
+      "requires": {
+        "cyclist": "^1.0.1",
+        "inherits": "^2.0.3",
+        "readable-stream": "^2.1.5"
+      }
+    },
+    "parent-module": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
+      "integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==",
+      "requires": {
+        "callsites": "^3.0.0"
+      },
+      "dependencies": {
+        "callsites": {
+          "version": "3.1.0",
+          "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
+          "integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ=="
+        }
+      }
+    },
+    "parse-asn1": {
+      "version": "5.1.5",
+      "resolved": "https://registry.npmjs.org/parse-asn1/-/parse-asn1-5.1.5.tgz",
+      "integrity": "sha512-jkMYn1dcJqF6d5CpU689bq7w/b5ALS9ROVSpQDPrZsqqesUJii9qutvoT5ltGedNXMO2e16YUWIghG9KxaViTQ==",
+      "requires": {
+        "asn1.js": "^4.0.0",
+        "browserify-aes": "^1.0.0",
+        "create-hash": "^1.1.0",
+        "evp_bytestokey": "^1.0.0",
+        "pbkdf2": "^3.0.3",
+        "safe-buffer": "^5.1.1"
+      }
+    },
+    "parse-entities": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/parse-entities/-/parse-entities-1.2.2.tgz",
+      "integrity": "sha512-NzfpbxW/NPrzZ/yYSoQxyqUZMZXIdCfE0OIN4ESsnptHJECoUk3FZktxNuzQf4tjt5UEopnxpYJbvYuxIFDdsg==",
+      "requires": {
+        "character-entities": "^1.0.0",
+        "character-entities-legacy": "^1.0.0",
+        "character-reference-invalid": "^1.0.0",
+        "is-alphanumerical": "^1.0.0",
+        "is-decimal": "^1.0.0",
+        "is-hexadecimal": "^1.0.0"
+      }
+    },
+    "parse-json": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-2.2.0.tgz",
+      "integrity": "sha1-9ID0BDTvgHQfhGkJn43qGPVaTck=",
+      "requires": {
+        "error-ex": "^1.2.0"
+      }
+    },
+    "parse5": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/parse5/-/parse5-5.1.1.tgz",
+      "integrity": "sha512-ugq4DFI0Ptb+WWjAdOK16+u/nHfiIrcE+sh8kZMaM0WllQKLI9rOUq6c2b7cwPkXdzfQESqvoqK6ug7U/Yyzug=="
+    },
+    "parse5-htmlparser2-tree-adapter": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/parse5-htmlparser2-tree-adapter/-/parse5-htmlparser2-tree-adapter-5.1.0.tgz",
+      "integrity": "sha512-OrI4DNmghGcwDB3XN8FKKN7g5vBmau91uqj+VYuwuj/r6GhFBMBNymsM+Z9z+Z1p4HHgI0UuQirQRgh3W5d88g==",
+      "requires": {
+        "parse5": "^5.1.0"
+      }
+    },
+    "parseurl": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ=="
+    },
+    "pascal-case": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/pascal-case/-/pascal-case-3.1.1.tgz",
+      "integrity": "sha512-XIeHKqIrsquVTQL2crjq3NfJUxmdLasn3TYOU0VBM+UX2a6ztAWBlJQBePLGY7VHW8+2dRadeIPK5+KImwTxQA==",
+      "requires": {
+        "no-case": "^3.0.3",
+        "tslib": "^1.10.0"
+      }
+    },
+    "pascalcase": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/pascalcase/-/pascalcase-0.1.1.tgz",
+      "integrity": "sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ="
+    },
+    "path-browserify": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/path-browserify/-/path-browserify-0.0.1.tgz",
+      "integrity": "sha512-BapA40NHICOS+USX9SN4tyhq+A2RrN/Ws5F0Z5aMHDp98Fl86lX8Oti8B7uN93L4Ifv4fHOEA+pQw87gmMO/lQ=="
+    },
+    "path-dirname": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/path-dirname/-/path-dirname-1.0.2.tgz",
+      "integrity": "sha1-zDPSTVJeCZpTiMAzbG4yuRYGCeA="
+    },
+    "path-exists": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-3.0.0.tgz",
+      "integrity": "sha1-zg6+ql94yxiSXqfYENe1mwEP1RU="
+    },
+    "path-is-absolute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
+      "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18="
+    },
+    "path-is-inside": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/path-is-inside/-/path-is-inside-1.0.2.tgz",
+      "integrity": "sha1-NlQX3t5EQw0cEa9hAn+s8HS9/FM="
+    },
+    "path-key": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/path-key/-/path-key-2.0.1.tgz",
+      "integrity": "sha1-QRyttXTFoUDTpLGRDUDYDMn0C0A="
+    },
+    "path-parse": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz",
+      "integrity": "sha512-GSmOT2EbHrINBf9SR7CDELwlJ8AENk3Qn7OikK4nFYAu3Ote2+JYNVvkpAEQm3/TLNEJFD/xZJjzyxg3KBWOzw=="
+    },
+    "path-to-regexp": {
+      "version": "0.1.7",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
+      "integrity": "sha1-32BBeABfUi8V60SQ5yR6G/qmf4w="
+    },
+    "path-type": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/path-type/-/path-type-2.0.0.tgz",
+      "integrity": "sha1-8BLMuEFbcJb8LaoQVMPXI4lZTHM=",
+      "requires": {
+        "pify": "^2.0.0"
+      }
+    },
+    "pbkdf2": {
+      "version": "3.0.17",
+      "resolved": "https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.0.17.tgz",
+      "integrity": "sha512-U/il5MsrZp7mGg3mSQfn742na2T+1/vHDCG5/iTI3X9MKUuYUZVLQhyRsg06mCgDBTd57TxzgZt7P+fYfjRLtA==",
+      "requires": {
+        "create-hash": "^1.1.2",
+        "create-hmac": "^1.1.4",
+        "ripemd160": "^2.0.1",
+        "safe-buffer": "^5.0.1",
+        "sha.js": "^2.4.8"
+      }
+    },
+    "pend": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/pend/-/pend-1.2.0.tgz",
+      "integrity": "sha1-elfrVQpng/kRUzH89GY9XI4AelA="
+    },
+    "picomatch": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.1.1.tgz",
+      "integrity": "sha512-OYMyqkKzK7blWO/+XZYP6w8hH0LDvkBvdvKukti+7kqYFCiEAk+gI3DWnryapc0Dau05ugGTy0foQ6mqn4AHYA=="
+    },
+    "pify": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
+      "integrity": "sha1-7RQaasBDqEnqWISY59yosVMw6Qw="
+    },
+    "pinkie": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/pinkie/-/pinkie-2.0.4.tgz",
+      "integrity": "sha1-clVrgM+g1IqXToDnckjoDtT3+HA="
+    },
+    "pinkie-promise": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/pinkie-promise/-/pinkie-promise-2.0.1.tgz",
+      "integrity": "sha1-ITXW36ejWMBprJsXh3YogihFD/o=",
+      "requires": {
+        "pinkie": "^2.0.0"
+      }
+    },
+    "pkg-conf": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/pkg-conf/-/pkg-conf-2.1.0.tgz",
+      "integrity": "sha1-ISZRTKbyq/69FoWW3xi6V4Z/AFg=",
+      "requires": {
+        "find-up": "^2.0.0",
+        "load-json-file": "^4.0.0"
+      },
+      "dependencies": {
+        "load-json-file": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-4.0.0.tgz",
+          "integrity": "sha1-L19Fq5HjMhYjT9U62rZo607AmTs=",
+          "requires": {
+            "graceful-fs": "^4.1.2",
+            "parse-json": "^4.0.0",
+            "pify": "^3.0.0",
+            "strip-bom": "^3.0.0"
+          }
+        },
+        "parse-json": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-4.0.0.tgz",
+          "integrity": "sha1-vjX1Qlvh9/bHRxhPmKeIy5lHfuA=",
+          "requires": {
+            "error-ex": "^1.3.1",
+            "json-parse-better-errors": "^1.0.1"
+          }
+        },
+        "pify": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-3.0.0.tgz",
+          "integrity": "sha1-5aSs0sEB/fPZpNB/DbxNtJ3SgXY="
+        }
+      }
+    },
+    "pkg-dir": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-4.2.0.tgz",
+      "integrity": "sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==",
+      "requires": {
+        "find-up": "^4.0.0"
+      },
+      "dependencies": {
+        "find-up": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+          "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+          "requires": {
+            "locate-path": "^5.0.0",
+            "path-exists": "^4.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+          "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+          "requires": {
+            "p-locate": "^4.1.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.2.1",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.1.tgz",
+          "integrity": "sha512-85Tk+90UCVWvbDavCLKPOLC9vvY8OwEX/RtKF+/1OADJMVlFfEHOiMTPVyxg7mk/dKa+ipdHm0OUkTvCpMTuwg==",
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+          "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+          "requires": {
+            "p-limit": "^2.2.0"
+          }
+        },
+        "p-try": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+          "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+        },
+        "path-exists": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+          "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w=="
+        }
+      }
+    },
+    "pkg-up": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/pkg-up/-/pkg-up-3.1.0.tgz",
+      "integrity": "sha512-nDywThFk1i4BQK4twPQ6TA4RT8bDY96yeuCVBWL3ePARCiEKDRSrNGbFIgUJpLp+XeIR65v8ra7WuJOFUBtkMA==",
+      "requires": {
+        "find-up": "^3.0.0"
+      },
+      "dependencies": {
+        "find-up": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-3.0.0.tgz",
+          "integrity": "sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==",
+          "requires": {
+            "locate-path": "^3.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-3.0.0.tgz",
+          "integrity": "sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==",
+          "requires": {
+            "p-locate": "^3.0.0",
+            "path-exists": "^3.0.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.2.2",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.2.tgz",
+          "integrity": "sha512-WGR+xHecKTr7EbUEhyLSh5Dube9JtdiG78ufaeLxTgpudf/20KqyMioIUZJAezlTIi6evxuoUs9YXc11cU+yzQ==",
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-3.0.0.tgz",
+          "integrity": "sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==",
+          "requires": {
+            "p-limit": "^2.0.0"
+          }
+        },
+        "p-try": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+          "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+        }
+      }
+    },
+    "please-upgrade-node": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/please-upgrade-node/-/please-upgrade-node-3.2.0.tgz",
+      "integrity": "sha512-gQR3WpIgNIKwBMVLkpMUeR3e1/E1y42bqDQZfql+kDeXd8COYfM8PQA4X6y7a8u9Ua9FHmsrrmirW2vHs45hWg==",
+      "requires": {
+        "semver-compare": "^1.0.0"
+      }
+    },
+    "pnp-webpack-plugin": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/pnp-webpack-plugin/-/pnp-webpack-plugin-1.5.0.tgz",
+      "integrity": "sha512-jd9olUr9D7do+RN8Wspzhpxhgp1n6Vd0NtQ4SFkmIACZoEL1nkyAdW9Ygrinjec0vgDcWjscFQQ1gDW8rsfKTg==",
+      "requires": {
+        "ts-pnp": "^1.1.2"
+      }
+    },
+    "popper.js": {
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/popper.js/-/popper.js-1.16.0.tgz",
+      "integrity": "sha512-+G+EkOPoE5S/zChTpmBSSDYmhXJ5PsW8eMhH8cP/CQHMFPBG/kC9Y5IIw6qNYgdJ+/COf0ddY2li28iHaZRSjw=="
+    },
+    "posix-character-classes": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/posix-character-classes/-/posix-character-classes-0.1.1.tgz",
+      "integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs="
+    },
+    "postcss": {
+      "version": "6.0.23",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz",
+      "integrity": "sha512-soOk1h6J3VMTZtVeVpv15/Hpdl2cBLX3CAw4TAbkpTJiNPk9YP/zWcD1ND+xEtvyuuvKzbxliTOIyvkSeSJ6ag==",
+      "requires": {
+        "chalk": "^2.4.1",
+        "source-map": "^0.6.1",
+        "supports-color": "^5.4.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "postcss-attribute-case-insensitive": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-attribute-case-insensitive/-/postcss-attribute-case-insensitive-4.0.1.tgz",
+      "integrity": "sha512-L2YKB3vF4PetdTIthQVeT+7YiSzMoNMLLYxPXXppOOP7NoazEAy45sh2LvJ8leCQjfBcfkYQs8TtCcQjeZTp8A==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-selector-parser": "^5.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-browser-comments": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-browser-comments/-/postcss-browser-comments-3.0.0.tgz",
+      "integrity": "sha512-qfVjLfq7HFd2e0HW4s1dvU8X080OZdG46fFbIBFjW7US7YPDcWfRvdElvwMJr2LI6hMmD+7LnH2HcmXTs+uOig==",
+      "requires": {
+        "postcss": "^7"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.26",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.26.tgz",
+          "integrity": "sha512-IY4oRjpXWYshuTDFxMVkJDtWIk2LhsTlu8bZnbEJA4+bYT16Lvpo8Qv6EvDumhYRgzjZl489pmsY3qVgJQ08nA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-color-functional-notation": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-color-functional-notation/-/postcss-color-functional-notation-2.0.1.tgz",
+      "integrity": "sha512-ZBARCypjEDofW4P6IdPVTLhDNXPRn8T2s1zHbZidW6rPaaZvcnCS2soYFIQJrMZSxiePJ2XIYTlcb2ztr/eT2g==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-color-gray": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-color-gray/-/postcss-color-gray-5.0.0.tgz",
+      "integrity": "sha512-q6BuRnAGKM/ZRpfDascZlIZPjvwsRye7UDNalqVz3s7GDxMtqPY6+Q871liNxsonUw8oC61OG+PSaysYpl1bnw==",
+      "requires": {
+        "@csstools/convert-colors": "^1.4.0",
+        "postcss": "^7.0.5",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-color-hex-alpha": {
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/postcss-color-hex-alpha/-/postcss-color-hex-alpha-5.0.3.tgz",
+      "integrity": "sha512-PF4GDel8q3kkreVXKLAGNpHKilXsZ6xuu+mOQMHWHLPNyjiUBOr75sp5ZKJfmv1MCus5/DWUGcK9hm6qHEnXYw==",
+      "requires": {
+        "postcss": "^7.0.14",
+        "postcss-values-parser": "^2.0.1"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-color-mod-function": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/postcss-color-mod-function/-/postcss-color-mod-function-3.0.3.tgz",
+      "integrity": "sha512-YP4VG+xufxaVtzV6ZmhEtc+/aTXH3d0JLpnYfxqTvwZPbJhWqp8bSY3nfNzNRFLgB4XSaBA82OE4VjOOKpCdVQ==",
+      "requires": {
+        "@csstools/convert-colors": "^1.4.0",
+        "postcss": "^7.0.2",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-color-rebeccapurple": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-color-rebeccapurple/-/postcss-color-rebeccapurple-4.0.1.tgz",
+      "integrity": "sha512-aAe3OhkS6qJXBbqzvZth2Au4V3KieR5sRQ4ptb2b2O8wgvB3SJBsdG+jsn2BZbbwekDG8nTfcCNKcSfe/lEy8g==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-custom-media": {
+      "version": "7.0.8",
+      "resolved": "https://registry.npmjs.org/postcss-custom-media/-/postcss-custom-media-7.0.8.tgz",
+      "integrity": "sha512-c9s5iX0Ge15o00HKbuRuTqNndsJUbaXdiNsksnVH8H4gdc+zbLzr/UasOwNG6CTDpLFekVY4672eWdiiWu2GUg==",
+      "requires": {
+        "postcss": "^7.0.14"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-custom-properties": {
+      "version": "8.0.11",
+      "resolved": "https://registry.npmjs.org/postcss-custom-properties/-/postcss-custom-properties-8.0.11.tgz",
+      "integrity": "sha512-nm+o0eLdYqdnJ5abAJeXp4CEU1c1k+eB2yMCvhgzsds/e0umabFrN6HoTy/8Q4K5ilxERdl/JD1LO5ANoYBeMA==",
+      "requires": {
+        "postcss": "^7.0.17",
+        "postcss-values-parser": "^2.0.1"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-custom-selectors": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/postcss-custom-selectors/-/postcss-custom-selectors-5.1.2.tgz",
+      "integrity": "sha512-DSGDhqinCqXqlS4R7KGxL1OSycd1lydugJ1ky4iRXPHdBRiozyMHrdu0H3o7qNOCiZwySZTUI5MV0T8QhCLu+w==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-selector-parser": "^5.0.0-rc.3"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-dir-pseudo-class": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-dir-pseudo-class/-/postcss-dir-pseudo-class-5.0.0.tgz",
+      "integrity": "sha512-3pm4oq8HYWMZePJY+5ANriPs3P07q+LW6FAdTlkFH2XqDdP4HeeJYMOzn0HYLhRSjBO3fhiqSwwU9xEULSrPgw==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-selector-parser": "^5.0.0-rc.3"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-double-position-gradients": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-double-position-gradients/-/postcss-double-position-gradients-1.0.0.tgz",
+      "integrity": "sha512-G+nV8EnQq25fOI8CH/B6krEohGWnF5+3A6H/+JEpOncu5dCnkS1QQ6+ct3Jkaepw1NGVqqOZH6lqrm244mCftA==",
+      "requires": {
+        "postcss": "^7.0.5",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-env-function": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/postcss-env-function/-/postcss-env-function-2.0.2.tgz",
+      "integrity": "sha512-rwac4BuZlITeUbiBq60h/xbLzXY43qOsIErngWa4l7Mt+RaSkT7QBjXVGTcBHupykkblHMDrBFh30zchYPaOUw==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-flexbugs-fixes": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-flexbugs-fixes/-/postcss-flexbugs-fixes-4.1.0.tgz",
+      "integrity": "sha512-jr1LHxQvStNNAHlgco6PzY308zvLklh7SJVYuWUwyUQncofaAlD2l+P/gxKHOdqWKe7xJSkVLFF/2Tp+JqMSZA==",
+      "requires": {
+        "postcss": "^7.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-focus-visible": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-focus-visible/-/postcss-focus-visible-4.0.0.tgz",
+      "integrity": "sha512-Z5CkWBw0+idJHSV6+Bgf2peDOFf/x4o+vX/pwcNYrWpXFrSfTkQ3JQ1ojrq9yS+upnAlNRHeg8uEwFTgorjI8g==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-focus-within": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-focus-within/-/postcss-focus-within-3.0.0.tgz",
+      "integrity": "sha512-W0APui8jQeBKbCGZudW37EeMCjDeVxKgiYfIIEo8Bdh5SpB9sxds/Iq8SEuzS0Q4YFOlG7EPFulbbxujpkrV2w==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-font-variant": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-font-variant/-/postcss-font-variant-4.0.0.tgz",
+      "integrity": "sha512-M8BFYKOvCrI2aITzDad7kWuXXTm0YhGdP9Q8HanmN4EF1Hmcgs1KK5rSHylt/lUJe8yLxiSwWAHdScoEiIxztg==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-gap-properties": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-gap-properties/-/postcss-gap-properties-2.0.0.tgz",
+      "integrity": "sha512-QZSqDaMgXCHuHTEzMsS2KfVDOq7ZFiknSpkrPJY6jmxbugUPTuSzs/vuE5I3zv0WAS+3vhrlqhijiprnuQfzmg==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-image-set-function": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-image-set-function/-/postcss-image-set-function-3.0.1.tgz",
+      "integrity": "sha512-oPTcFFip5LZy8Y/whto91L9xdRHCWEMs3e1MdJxhgt4jy2WYXfhkng59fH5qLXSCPN8k4n94p1Czrfe5IOkKUw==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-initial": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/postcss-initial/-/postcss-initial-3.0.2.tgz",
+      "integrity": "sha512-ugA2wKonC0xeNHgirR4D3VWHs2JcU08WAi1KFLVcnb7IN89phID6Qtg2RIctWbnvp1TM2BOmDtX8GGLCKdR8YA==",
+      "requires": {
+        "lodash.template": "^4.5.0",
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-lab-function": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-lab-function/-/postcss-lab-function-2.0.1.tgz",
+      "integrity": "sha512-whLy1IeZKY+3fYdqQFuDBf8Auw+qFuVnChWjmxm/UhHWqNHZx+B99EwxTvGYmUBqe3Fjxs4L1BoZTJmPu6usVg==",
+      "requires": {
+        "@csstools/convert-colors": "^1.4.0",
+        "postcss": "^7.0.2",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-load-config": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-2.1.0.tgz",
+      "integrity": "sha512-4pV3JJVPLd5+RueiVVB+gFOAa7GWc25XQcMp86Zexzke69mKf6Nx9LRcQywdz7yZI9n1udOxmLuAwTBypypF8Q==",
+      "requires": {
+        "cosmiconfig": "^5.0.0",
+        "import-cwd": "^2.0.0"
+      }
+    },
+    "postcss-loader": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-loader/-/postcss-loader-3.0.0.tgz",
+      "integrity": "sha512-cLWoDEY5OwHcAjDnkyRQzAXfs2jrKjXpO/HQFcc5b5u/r7aa471wdmChmwfnv7x2u840iat/wi0lQ5nbRgSkUA==",
+      "requires": {
+        "loader-utils": "^1.1.0",
+        "postcss": "^7.0.0",
+        "postcss-load-config": "^2.0.0",
+        "schema-utils": "^1.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-logical": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-logical/-/postcss-logical-3.0.0.tgz",
+      "integrity": "sha512-1SUKdJc2vuMOmeItqGuNaC+N8MzBWFWEkAnRnLpFYj1tGGa7NqyVBujfRtgNa2gXR+6RkGUiB2O5Vmh7E2RmiA==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-media-minmax": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-media-minmax/-/postcss-media-minmax-4.0.0.tgz",
+      "integrity": "sha512-fo9moya6qyxsjbFAYl97qKO9gyre3qvbMnkOZeZwlsW6XYFsvs2DMGDlchVLfAd8LHPZDxivu/+qW2SMQeTHBw==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-modules-extract-imports": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/postcss-modules-extract-imports/-/postcss-modules-extract-imports-1.2.1.tgz",
+      "integrity": "sha512-6jt9XZwUhwmRUhb/CkyJY020PYaPJsCyt3UjbaWo6XEbH/94Hmv6MP7fG2C5NDU/BcHzyGYxNtHvM+LTf9HrYw==",
+      "requires": {
+        "postcss": "^6.0.1"
+      }
+    },
+    "postcss-modules-local-by-default": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/postcss-modules-local-by-default/-/postcss-modules-local-by-default-1.2.0.tgz",
+      "integrity": "sha1-99gMOYxaOT+nlkRmvRlQCn1hwGk=",
+      "requires": {
+        "css-selector-tokenizer": "^0.7.0",
+        "postcss": "^6.0.1"
+      }
+    },
+    "postcss-modules-scope": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-modules-scope/-/postcss-modules-scope-1.1.0.tgz",
+      "integrity": "sha1-1upkmUx5+XtipytCb75gVqGUu5A=",
+      "requires": {
+        "css-selector-tokenizer": "^0.7.0",
+        "postcss": "^6.0.1"
+      }
+    },
+    "postcss-modules-values": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/postcss-modules-values/-/postcss-modules-values-1.3.0.tgz",
+      "integrity": "sha1-7P+p1+GSUYOJ9CrQ6D9yrsRW6iA=",
+      "requires": {
+        "icss-replace-symbols": "^1.1.0",
+        "postcss": "^6.0.1"
+      }
+    },
+    "postcss-nesting": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-nesting/-/postcss-nesting-7.0.1.tgz",
+      "integrity": "sha512-FrorPb0H3nuVq0Sff7W2rnc3SmIcruVC6YwpcS+k687VxyxO33iE1amna7wHuRVzM8vfiYofXSBHNAZ3QhLvYg==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-normalize": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-normalize/-/postcss-normalize-8.0.1.tgz",
+      "integrity": "sha512-rt9JMS/m9FHIRroDDBGSMsyW1c0fkvOJPy62ggxSHUldJO7B195TqFMqIf+lY5ezpDcYOV4j86aUp3/XbxzCCQ==",
+      "requires": {
+        "@csstools/normalize.css": "^10.1.0",
+        "browserslist": "^4.6.2",
+        "postcss": "^7.0.17",
+        "postcss-browser-comments": "^3.0.0",
+        "sanitize.css": "^10.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.26",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.26.tgz",
+          "integrity": "sha512-IY4oRjpXWYshuTDFxMVkJDtWIk2LhsTlu8bZnbEJA4+bYT16Lvpo8Qv6EvDumhYRgzjZl489pmsY3qVgJQ08nA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-overflow-shorthand": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-overflow-shorthand/-/postcss-overflow-shorthand-2.0.0.tgz",
+      "integrity": "sha512-aK0fHc9CBNx8jbzMYhshZcEv8LtYnBIRYQD5i7w/K/wS9c2+0NSR6B3OVMu5y0hBHYLcMGjfU+dmWYNKH0I85g==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-page-break": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-page-break/-/postcss-page-break-2.0.0.tgz",
+      "integrity": "sha512-tkpTSrLpfLfD9HvgOlJuigLuk39wVTbbd8RKcy8/ugV2bNBUW3xU+AIqyxhDrQr1VUj1RmyJrBn1YWrqUm9zAQ==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-place": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-place/-/postcss-place-4.0.1.tgz",
+      "integrity": "sha512-Zb6byCSLkgRKLODj/5mQugyuj9bvAAw9LqJJjgwz5cYryGeXfFZfSXoP1UfveccFmeq0b/2xxwcTEVScnqGxBg==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-values-parser": "^2.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-preset-env": {
+      "version": "6.7.0",
+      "resolved": "https://registry.npmjs.org/postcss-preset-env/-/postcss-preset-env-6.7.0.tgz",
+      "integrity": "sha512-eU4/K5xzSFwUFJ8hTdTQzo2RBLbDVt83QZrAvI07TULOkmyQlnYlpwep+2yIK+K+0KlZO4BvFcleOCCcUtwchg==",
+      "requires": {
+        "autoprefixer": "^9.6.1",
+        "browserslist": "^4.6.4",
+        "caniuse-lite": "^1.0.30000981",
+        "css-blank-pseudo": "^0.1.4",
+        "css-has-pseudo": "^0.10.0",
+        "css-prefers-color-scheme": "^3.1.1",
+        "cssdb": "^4.4.0",
+        "postcss": "^7.0.17",
+        "postcss-attribute-case-insensitive": "^4.0.1",
+        "postcss-color-functional-notation": "^2.0.1",
+        "postcss-color-gray": "^5.0.0",
+        "postcss-color-hex-alpha": "^5.0.3",
+        "postcss-color-mod-function": "^3.0.3",
+        "postcss-color-rebeccapurple": "^4.0.1",
+        "postcss-custom-media": "^7.0.8",
+        "postcss-custom-properties": "^8.0.11",
+        "postcss-custom-selectors": "^5.1.2",
+        "postcss-dir-pseudo-class": "^5.0.0",
+        "postcss-double-position-gradients": "^1.0.0",
+        "postcss-env-function": "^2.0.2",
+        "postcss-focus-visible": "^4.0.0",
+        "postcss-focus-within": "^3.0.0",
+        "postcss-font-variant": "^4.0.0",
+        "postcss-gap-properties": "^2.0.0",
+        "postcss-image-set-function": "^3.0.1",
+        "postcss-initial": "^3.0.0",
+        "postcss-lab-function": "^2.0.1",
+        "postcss-logical": "^3.0.0",
+        "postcss-media-minmax": "^4.0.0",
+        "postcss-nesting": "^7.0.0",
+        "postcss-overflow-shorthand": "^2.0.0",
+        "postcss-page-break": "^2.0.0",
+        "postcss-place": "^4.0.1",
+        "postcss-pseudo-class-any-link": "^6.0.0",
+        "postcss-replace-overflow-wrap": "^3.0.0",
+        "postcss-selector-matches": "^4.0.0",
+        "postcss-selector-not": "^4.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-pseudo-class-any-link": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-pseudo-class-any-link/-/postcss-pseudo-class-any-link-6.0.0.tgz",
+      "integrity": "sha512-lgXW9sYJdLqtmw23otOzrtbDXofUdfYzNm4PIpNE322/swES3VU9XlXHeJS46zT2onFO7V1QFdD4Q9LiZj8mew==",
+      "requires": {
+        "postcss": "^7.0.2",
+        "postcss-selector-parser": "^5.0.0-rc.3"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-replace-overflow-wrap": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-replace-overflow-wrap/-/postcss-replace-overflow-wrap-3.0.0.tgz",
+      "integrity": "sha512-2T5hcEHArDT6X9+9dVSPQdo7QHzG4XKclFT8rU5TzJPDN7RIRTbO9c4drUISOVemLj03aezStHCR2AIcr8XLpw==",
+      "requires": {
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-selector-matches": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-selector-matches/-/postcss-selector-matches-4.0.0.tgz",
+      "integrity": "sha512-LgsHwQR/EsRYSqlwdGzeaPKVT0Ml7LAT6E75T8W8xLJY62CE4S/l03BWIt3jT8Taq22kXP08s2SfTSzaraoPww==",
+      "requires": {
+        "balanced-match": "^1.0.0",
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-selector-not": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-selector-not/-/postcss-selector-not-4.0.0.tgz",
+      "integrity": "sha512-W+bkBZRhqJaYN8XAnbbZPLWMvZD1wKTu0UxtFKdhtGjWYmxhkUneoeOhRJKdAE5V7ZTlnbHfCR+6bNwK9e1dTQ==",
+      "requires": {
+        "balanced-match": "^1.0.0",
+        "postcss": "^7.0.2"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          },
+          "dependencies": {
+            "supports-color": {
+              "version": "5.5.0",
+              "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+              "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+              "requires": {
+                "has-flag": "^3.0.0"
+              }
+            }
+          }
+        },
+        "postcss": {
+          "version": "7.0.24",
+          "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.24.tgz",
+          "integrity": "sha512-Xl0XvdNWg+CblAXzNvbSOUvgJXwSjmbAKORqyw9V2AlHrm1js2gFw9y3jibBAhpKZi8b5JzJCVh/FyzPsTtgTA==",
+          "requires": {
+            "chalk": "^2.4.2",
+            "source-map": "^0.6.1",
+            "supports-color": "^6.1.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        },
+        "supports-color": {
+          "version": "6.1.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+          "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+          "requires": {
+            "has-flag": "^3.0.0"
+          }
+        }
+      }
+    },
+    "postcss-selector-parser": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-5.0.0.tgz",
+      "integrity": "sha512-w+zLE5Jhg6Liz8+rQOWEAwtwkyqpfnmsinXjXg6cY7YIONZZtgvE0v2O0uhQBs0peNomOJwWRKt6JBfTdTd3OQ==",
+      "requires": {
+        "cssesc": "^2.0.0",
+        "indexes-of": "^1.0.1",
+        "uniq": "^1.0.1"
+      },
+      "dependencies": {
+        "cssesc": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-2.0.0.tgz",
+          "integrity": "sha512-MsCAG1z9lPdoO/IUMLSBWBSVxVtJ1395VGIQ+Fc2gNdkQ1hNDnQdw3YhA71WJCBW1vdwA0cAnk/DnW6bqoEUYg=="
+        }
+      }
+    },
+    "postcss-value-parser": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-3.3.1.tgz",
+      "integrity": "sha512-pISE66AbVkp4fDQ7VHBwRNXzAAKJjw4Vw7nWI/+Q3vuly7SNfgYXvm6i5IgFylHGK5sP/xHAbB7N49OS4gWNyQ=="
+    },
+    "postcss-values-parser": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-values-parser/-/postcss-values-parser-2.0.1.tgz",
+      "integrity": "sha512-2tLuBsA6P4rYTNKCXYG/71C7j1pU6pK503suYOmn4xYrQIzW+opD+7FAFNuGSdZC/3Qfy334QbeMu7MEb8gOxg==",
+      "requires": {
+        "flatten": "^1.0.2",
+        "indexes-of": "^1.0.1",
+        "uniq": "^1.0.1"
+      }
+    },
+    "prebuild-webpack-plugin": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/prebuild-webpack-plugin/-/prebuild-webpack-plugin-1.1.0.tgz",
+      "integrity": "sha512-/IdXyCP+7Ij/5ndsKsySTTlwsijwx8cafuU8BOisUiVIMsVjsZniJH/PiThBFG1vU1HI+/+pBwgQSIJ/GkZ7kA==",
+      "requires": {
+        "debug": "^4.1.1",
+        "glob": "^7.1.4",
+        "minimatch": "^3.0.4"
+      }
+    },
+    "prelude-ls": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.1.2.tgz",
+      "integrity": "sha1-IZMqVJ9eUv/ZqCf1cOBL5iqX2lQ="
+    },
+    "prepend-http": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/prepend-http/-/prepend-http-2.0.0.tgz",
+      "integrity": "sha1-6SQ0v6XqjBn0HN/UAddBo8gZ2Jc="
+    },
+    "prettier": {
+      "version": "1.19.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-1.19.1.tgz",
+      "integrity": "sha512-s7PoyDv/II1ObgQunCbB9PdLmUcBZcnWOcxDh7O0N/UwDEsHyqkW+Qh28jW+mVuCdx7gLB0BotYI1Y6uI9iyew=="
+    },
+    "pretty-quick": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/pretty-quick/-/pretty-quick-2.0.1.tgz",
+      "integrity": "sha512-y7bJt77XadjUr+P1uKqZxFWLddvj3SKY6EU4BuQtMxmmEFSMpbN132pUWdSG1g1mtUfO0noBvn7wBf0BVeomHg==",
+      "requires": {
+        "chalk": "^2.4.2",
+        "execa": "^2.1.0",
+        "find-up": "^4.1.0",
+        "ignore": "^5.1.4",
+        "mri": "^1.1.4",
+        "multimatch": "^4.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "cross-spawn": {
+          "version": "7.0.1",
+          "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.1.tgz",
+          "integrity": "sha512-u7v4o84SwFpD32Z8IIcPZ6z1/ie24O6RU3RbtL5Y316l3KuHVPx9ItBgWQ6VlfAFnRnTtMUrsQ9MUUTuEZjogg==",
+          "requires": {
+            "path-key": "^3.1.0",
+            "shebang-command": "^2.0.0",
+            "which": "^2.0.1"
+          }
+        },
+        "execa": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/execa/-/execa-2.1.0.tgz",
+          "integrity": "sha512-Y/URAVapfbYy2Xp/gb6A0E7iR8xeqOCXsuuaoMn7A5PzrXUK84E1gyiEfq0wQd/GHA6GsoHWwhNq8anb0mleIw==",
+          "requires": {
+            "cross-spawn": "^7.0.0",
+            "get-stream": "^5.0.0",
+            "is-stream": "^2.0.0",
+            "merge-stream": "^2.0.0",
+            "npm-run-path": "^3.0.0",
+            "onetime": "^5.1.0",
+            "p-finally": "^2.0.0",
+            "signal-exit": "^3.0.2",
+            "strip-final-newline": "^2.0.0"
+          }
+        },
+        "find-up": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+          "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+          "requires": {
+            "locate-path": "^5.0.0",
+            "path-exists": "^4.0.0"
+          }
+        },
+        "get-stream": {
+          "version": "5.1.0",
+          "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-5.1.0.tgz",
+          "integrity": "sha512-EXr1FOzrzTfGeL0gQdeFEvOMm2mzMOglyiOXSTpPC+iAjAKftbr3jpCMWynogwYnM+eSj9sHGc6wjIcDvYiygw==",
+          "requires": {
+            "pump": "^3.0.0"
+          }
+        },
+        "ignore": {
+          "version": "5.1.4",
+          "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.1.4.tgz",
+          "integrity": "sha512-MzbUSahkTW1u7JpKKjY7LCARd1fU5W2rLdxlM4kdkayuCwZImjkpluF9CM1aLewYJguPDqewLam18Y6AU69A8A=="
+        },
+        "is-stream": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.0.tgz",
+          "integrity": "sha512-XCoy+WlUr7d1+Z8GgSuXmpuUFC9fOhRXglJMx+dwLKTkL44Cjd4W1Z5P+BQZpr+cR93aGP4S/s7Ftw6Nd/kiEw=="
+        },
+        "locate-path": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+          "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+          "requires": {
+            "p-locate": "^4.1.0"
+          }
+        },
+        "npm-run-path": {
+          "version": "3.1.0",
+          "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-3.1.0.tgz",
+          "integrity": "sha512-Dbl4A/VfiVGLgQv29URL9xshU8XDY1GeLy+fsaZ1AA8JDSfjvr5P5+pzRbWqRSBxk6/DW7MIh8lTM/PaGnP2kg==",
+          "requires": {
+            "path-key": "^3.0.0"
+          }
+        },
+        "p-finally": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/p-finally/-/p-finally-2.0.1.tgz",
+          "integrity": "sha512-vpm09aKwq6H9phqRQzecoDpD8TmVyGw70qmWlyq5onxY7tqyTTFVvxMykxQSQKILBSFlbXpypIw2T1Ml7+DDtw=="
+        },
+        "p-limit": {
+          "version": "2.2.2",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.2.tgz",
+          "integrity": "sha512-WGR+xHecKTr7EbUEhyLSh5Dube9JtdiG78ufaeLxTgpudf/20KqyMioIUZJAezlTIi6evxuoUs9YXc11cU+yzQ==",
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+          "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+          "requires": {
+            "p-limit": "^2.2.0"
+          }
+        },
+        "p-try": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+          "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+        },
+        "path-exists": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+          "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w=="
+        },
+        "path-key": {
+          "version": "3.1.1",
+          "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
+          "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q=="
+        },
+        "shebang-command": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
+          "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+          "requires": {
+            "shebang-regex": "^3.0.0"
+          }
+        },
+        "shebang-regex": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
+          "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A=="
+        },
+        "which": {
+          "version": "2.0.2",
+          "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
+          "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+          "requires": {
+            "isexe": "^2.0.0"
+          }
+        }
+      }
+    },
+    "private": {
+      "version": "0.1.8",
+      "resolved": "https://registry.npmjs.org/private/-/private-0.1.8.tgz",
+      "integrity": "sha512-VvivMrbvd2nKkiG38qjULzlc+4Vx4wm/whI9pQD35YrARNnhxeiRktSOhSukRLFNlzg6Br/cJPet5J/u19r/mg=="
+    },
+    "process": {
+      "version": "0.11.10",
+      "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
+      "integrity": "sha1-czIwDoQBYb2j5podHZGn1LwW8YI="
+    },
+    "process-nextick-args": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz",
+      "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag=="
+    },
+    "progress": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz",
+      "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA=="
+    },
+    "promise": {
+      "version": "7.3.1",
+      "resolved": "https://registry.npmjs.org/promise/-/promise-7.3.1.tgz",
+      "integrity": "sha512-nolQXZ/4L+bP/UGlkfaIujX9BKxGwmQ9OT4mOt5yvy8iK1h3wqTEJCijzGANTCCl9nWjY41juyAn2K3Q1hLLTg==",
+      "requires": {
+        "asap": "~2.0.3"
+      }
+    },
+    "promise-inflight": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/promise-inflight/-/promise-inflight-1.0.1.tgz",
+      "integrity": "sha1-mEcocL8igTL8vdhoEputEsPAKeM="
+    },
+    "promise-polyfill": {
+      "version": "8.1.3",
+      "resolved": "https://registry.npmjs.org/promise-polyfill/-/promise-polyfill-8.1.3.tgz",
+      "integrity": "sha512-MG5r82wBzh7pSKDRa9y+vllNHz3e3d4CNj1PQE4BQYxLme0gKYYBm9YENq+UkEikyZ0XbiGWxYlVw3Rl9O/U8g=="
+    },
+    "prop-types": {
+      "version": "15.7.2",
+      "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.7.2.tgz",
+      "integrity": "sha512-8QQikdH7//R2vurIJSutZ1smHYTcLpRWEOlHnzcWHmBYrOGUysKwSsrC89BCiFj3CbrfJ/nXFdJepOVrY1GCHQ==",
+      "requires": {
+        "loose-envify": "^1.4.0",
+        "object-assign": "^4.1.1",
+        "react-is": "^16.8.1"
+      }
+    },
+    "prop-types-exact": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/prop-types-exact/-/prop-types-exact-1.2.0.tgz",
+      "integrity": "sha512-K+Tk3Kd9V0odiXFP9fwDHUYRyvK3Nun3GVyPapSIs5OBkITAm15W0CPFD/YKTkMUAbc0b9CUwRQp2ybiBIq+eA==",
+      "requires": {
+        "has": "^1.0.3",
+        "object.assign": "^4.1.0",
+        "reflect.ownkeys": "^0.2.0"
+      }
+    },
+    "property-information": {
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/property-information/-/property-information-5.3.0.tgz",
+      "integrity": "sha512-IslotQn1hBCZDY7SaJ3zmCjVea219VTwmOk6Pu3z9haU9m4+T8GwaDubur+6NMHEU+Fjs/6/p66z6QULPkcL1w==",
+      "requires": {
+        "xtend": "^4.0.1"
+      }
+    },
+    "proto-list": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/proto-list/-/proto-list-1.2.4.tgz",
+      "integrity": "sha1-IS1b/hMYMGpCD2QCuOJv85ZHqEk="
+    },
+    "proxy-addr": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.5.tgz",
+      "integrity": "sha512-t/7RxHXPH6cJtP0pRG6smSr9QJidhB+3kXu0KgXnbGYMgzEnUxRQ4/LDdfOwZEMyIh3/xHb8PX3t+lfL9z+YVQ==",
+      "requires": {
+        "forwarded": "~0.1.2",
+        "ipaddr.js": "1.9.0"
+      }
+    },
+    "prr": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/prr/-/prr-1.0.1.tgz",
+      "integrity": "sha1-0/wRS6BplaRexok/SEzrHXj19HY="
+    },
+    "pseudomap": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/pseudomap/-/pseudomap-1.0.2.tgz",
+      "integrity": "sha1-8FKijacOYYkX7wqKw0wa5aaChrM="
+    },
+    "public-encrypt": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/public-encrypt/-/public-encrypt-4.0.3.tgz",
+      "integrity": "sha512-zVpa8oKZSz5bTMTFClc1fQOnyyEzpl5ozpi1B5YcvBrdohMjH2rfsBtyXcuNuwjsDIXmBYlF2N5FlJYhR29t8Q==",
+      "requires": {
+        "bn.js": "^4.1.0",
+        "browserify-rsa": "^4.0.0",
+        "create-hash": "^1.1.0",
+        "parse-asn1": "^5.0.0",
+        "randombytes": "^2.0.1",
+        "safe-buffer": "^5.1.2"
+      }
+    },
+    "pump": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz",
+      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
+      "requires": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
+    "pumpify": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/pumpify/-/pumpify-1.5.1.tgz",
+      "integrity": "sha512-oClZI37HvuUJJxSKKrC17bZ9Cu0ZYhEAGPsPUy9KlMUmv9dKX2o77RUmq7f3XjIxbwyGwYzbzQ1L2Ks8sIradQ==",
+      "requires": {
+        "duplexify": "^3.6.0",
+        "inherits": "^2.0.3",
+        "pump": "^2.0.0"
+      },
+      "dependencies": {
+        "pump": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/pump/-/pump-2.0.1.tgz",
+          "integrity": "sha512-ruPMNRkN3MHP1cWJc9OWr+T/xDP0jhXYCLfJcBuX54hhfIBnaQmAUMfDcG4DM5UMWByBbJY69QSphm3jtDKIkA==",
+          "requires": {
+            "end-of-stream": "^1.1.0",
+            "once": "^1.3.1"
+          }
+        }
+      }
+    },
+    "punycode": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.1.1.tgz",
+      "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A=="
+    },
+    "q": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/q/-/q-1.5.1.tgz",
+      "integrity": "sha1-fjL3W0E4EpHQRhHxvxQQmsAGUdc="
+    },
+    "qs": {
+      "version": "6.7.0",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.7.0.tgz",
+      "integrity": "sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ=="
+    },
+    "query-string": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/query-string/-/query-string-5.1.1.tgz",
+      "integrity": "sha512-gjWOsm2SoGlgLEdAGt7a6slVOk9mGiXmPFMqrEhLQ68rhQuBnpfs3+EmlvqKyxnCo9/PPlF+9MtY02S1aFg+Jw==",
+      "requires": {
+        "decode-uri-component": "^0.2.0",
+        "object-assign": "^4.1.0",
+        "strict-uri-encode": "^1.0.0"
+      }
+    },
+    "querystring": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/querystring/-/querystring-0.2.0.tgz",
+      "integrity": "sha1-sgmEkgO7Jd+CDadW50cAWHhSFiA="
+    },
+    "querystring-es3": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/querystring-es3/-/querystring-es3-0.2.1.tgz",
+      "integrity": "sha1-nsYfeQSYdXB9aUFFlv2Qek1xHnM="
+    },
+    "randombytes": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
+      "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==",
+      "requires": {
+        "safe-buffer": "^5.1.0"
+      }
+    },
+    "randomfill": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/randomfill/-/randomfill-1.0.4.tgz",
+      "integrity": "sha512-87lcbR8+MhcWcUiQ+9e+Rwx8MyR2P7qnt15ynUlbm3TU/fjbgz4GsvfSUDTemtCCtVCqb4ZcEFlyPNTh9bBTLw==",
+      "requires": {
+        "randombytes": "^2.0.5",
+        "safe-buffer": "^5.1.0"
+      }
+    },
+    "range-parser": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
+      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg=="
+    },
+    "raw-body": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.4.0.tgz",
+      "integrity": "sha512-4Oz8DUIwdvoa5qMJelxipzi/iJIi40O5cGV1wNYp5hvZP8ZN0T+jiNkL0QepXs+EsQ9XJ8ipEDoiH70ySUJP3Q==",
+      "requires": {
+        "bytes": "3.1.0",
+        "http-errors": "1.7.2",
+        "iconv-lite": "0.4.24",
+        "unpipe": "1.0.0"
+      }
+    },
+    "raw-loader": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/raw-loader/-/raw-loader-2.0.0.tgz",
+      "integrity": "sha512-kZnO5MoIyrojfrPWqrhFNLZemIAX8edMOCp++yC5RKxzFB3m92DqKNhKlU6+FvpOhWtvyh3jOaD7J6/9tpdIKg==",
+      "requires": {
+        "loader-utils": "^1.1.0",
+        "schema-utils": "^1.0.0"
+      }
+    },
+    "rc": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz",
+      "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==",
+      "requires": {
+        "deep-extend": "^0.6.0",
+        "ini": "~1.3.0",
+        "minimist": "^1.2.0",
+        "strip-json-comments": "~2.0.1"
+      },
+      "dependencies": {
+        "strip-json-comments": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz",
+          "integrity": "sha1-PFMZQukIwml8DsNEhYwobHygpgo="
+        }
+      }
+    },
+    "react": {
+      "version": "16.12.0",
+      "resolved": "https://registry.npmjs.org/react/-/react-16.12.0.tgz",
+      "integrity": "sha512-fglqy3k5E+81pA8s+7K0/T3DBCF0ZDOher1elBFzF7O6arXJgzyu/FW+COxFvAWXJoJN9KIZbT2LXlukwphYTA==",
+      "requires": {
+        "loose-envify": "^1.1.0",
+        "object-assign": "^4.1.1",
+        "prop-types": "^15.6.2"
+      }
+    },
+    "react-apollo": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/react-apollo/-/react-apollo-3.1.3.tgz",
+      "integrity": "sha512-orCZNoAkgveaK5b75y7fw1MSqSHOU/Wuu9rRFOGmRQBSQVZjvV4DI+hj604rHmuN9+WDABxb5W48wTa0F/xNZQ==",
+      "requires": {
+        "@apollo/react-common": "^3.1.3",
+        "@apollo/react-components": "^3.1.3",
+        "@apollo/react-hoc": "^3.1.3",
+        "@apollo/react-hooks": "^3.1.3",
+        "@apollo/react-ssr": "^3.1.3"
+      }
+    },
+    "react-dom": {
+      "version": "16.12.0",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-16.12.0.tgz",
+      "integrity": "sha512-LMxFfAGrcS3kETtQaCkTKjMiifahaMySFDn71fZUNpPHZQEzmk/GiAeIT8JSOrHB23fnuCOMruL2a8NYlw+8Gw==",
+      "requires": {
+        "loose-envify": "^1.1.0",
+        "object-assign": "^4.1.1",
+        "prop-types": "^15.6.2",
+        "scheduler": "^0.18.0"
+      }
+    },
+    "react-error-overlay": {
+      "version": "5.1.6",
+      "resolved": "https://registry.npmjs.org/react-error-overlay/-/react-error-overlay-5.1.6.tgz",
+      "integrity": "sha512-X1Y+0jR47ImDVr54Ab6V9eGk0Hnu7fVWGeHQSOXHf/C2pF9c6uy3gef8QUeuUiWlNb0i08InPSE5a/KJzNzw1Q=="
+    },
+    "react-fast-compare": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/react-fast-compare/-/react-fast-compare-2.0.4.tgz",
+      "integrity": "sha512-suNP+J1VU1MWFKcyt7RtjiSWUjvidmQSlqu+eHslq+342xCbGTYmC0mEhPCOHxlW0CywylOC1u2DFAT+bv4dBw=="
+    },
+    "react-is": {
+      "version": "16.12.0",
+      "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.12.0.tgz",
+      "integrity": "sha512-rPCkf/mWBtKc97aLL9/txD8DZdemK0vkA3JMLShjlJB3Pj3s+lpf1KaBzMfQrAmhMQB0n1cU/SUGgKKBCe837Q=="
+    },
+    "react-reconciler": {
+      "version": "0.24.0",
+      "resolved": "https://registry.npmjs.org/react-reconciler/-/react-reconciler-0.24.0.tgz",
+      "integrity": "sha512-gAGnwWkf+NOTig9oOowqid9O0HjTDC+XVGBCAmJYYJ2A2cN/O4gDdIuuUQjv8A4v6GDwVfJkagpBBLW5OW9HSw==",
+      "requires": {
+        "loose-envify": "^1.1.0",
+        "object-assign": "^4.1.1",
+        "prop-types": "^15.6.2",
+        "scheduler": "^0.18.0"
+      }
+    },
+    "read-pkg": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-2.0.0.tgz",
+      "integrity": "sha1-jvHAYjxqbbDcZxPEv6xGMysjaPg=",
+      "requires": {
+        "load-json-file": "^2.0.0",
+        "normalize-package-data": "^2.3.2",
+        "path-type": "^2.0.0"
+      }
+    },
+    "readable-stream": {
+      "version": "2.3.6",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.6.tgz",
+      "integrity": "sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==",
+      "requires": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "readdirp": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.3.0.tgz",
+      "integrity": "sha512-zz0pAkSPOXXm1viEwygWIPSPkcBYjW1xU5j/JBh5t9bGCJwa6f9+BJa6VaB2g+b55yVrmXzqkyLf4xaWYM0IkQ==",
+      "requires": {
+        "picomatch": "^2.0.7"
+      }
+    },
+    "redent": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/redent/-/redent-1.0.0.tgz",
+      "integrity": "sha1-z5Fqsf1fHxbfsggi3W7H9zDCr94=",
+      "requires": {
+        "indent-string": "^2.1.0",
+        "strip-indent": "^1.0.1"
+      },
+      "dependencies": {
+        "indent-string": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-2.1.0.tgz",
+          "integrity": "sha1-ji1INIdCEhtKghi3oTfppSBJ3IA=",
+          "requires": {
+            "repeating": "^2.0.0"
+          }
+        }
+      }
+    },
+    "reflect.ownkeys": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/reflect.ownkeys/-/reflect.ownkeys-0.2.0.tgz",
+      "integrity": "sha1-dJrO7H8/34tj+SegSAnpDFwLNGA="
+    },
+    "regenerate": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.4.0.tgz",
+      "integrity": "sha512-1G6jJVDWrt0rK99kBjvEtziZNCICAuvIPkSiUFIQxVP06RCVpq3dmDo2oi6ABpYaDYaTRr67BEhL8r1wgEZZKg=="
+    },
+    "regenerate-unicode-properties": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/regenerate-unicode-properties/-/regenerate-unicode-properties-8.1.0.tgz",
+      "integrity": "sha512-LGZzkgtLY79GeXLm8Dp0BVLdQlWICzBnJz/ipWUgo59qBaZ+BHtq51P2q1uVZlppMuUAT37SDk39qUbjTWB7bA==",
+      "requires": {
+        "regenerate": "^1.4.0"
+      }
+    },
+    "regenerator-runtime": {
+      "version": "0.13.3",
+      "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.3.tgz",
+      "integrity": "sha512-naKIZz2GQ8JWh///G7L3X6LaQUAMp2lvb1rvwwsURe/VXwD6VMfr+/1NuNw3ag8v2kY1aQ/go5SNn79O9JU7yw=="
+    },
+    "regenerator-transform": {
+      "version": "0.14.1",
+      "resolved": "https://registry.npmjs.org/regenerator-transform/-/regenerator-transform-0.14.1.tgz",
+      "integrity": "sha512-flVuee02C3FKRISbxhXl9mGzdbWUVHubl1SMaknjxkFB1/iqpJhArQUvRxOOPEc/9tAiX0BaQ28FJH10E4isSQ==",
+      "requires": {
+        "private": "^0.1.6"
+      }
+    },
+    "regex-not": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/regex-not/-/regex-not-1.0.2.tgz",
+      "integrity": "sha512-J6SDjUgDxQj5NusnOtdFxDwN/+HWykR8GELwctJ7mdqhcyy1xEc4SRFHUXvxTp661YaVKAjfRLZ9cCqS6tn32A==",
+      "requires": {
+        "extend-shallow": "^3.0.2",
+        "safe-regex": "^1.1.0"
+      }
+    },
+    "regexpp": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-3.0.0.tgz",
+      "integrity": "sha512-Z+hNr7RAVWxznLPuA7DIh8UNX1j9CDrUQxskw9IrBE1Dxue2lyXT+shqEIeLUjrokxIP8CMy1WkjgG3rTsd5/g=="
+    },
+    "regexpu-core": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/regexpu-core/-/regexpu-core-1.0.0.tgz",
+      "integrity": "sha1-hqdj9Y7k18L2sQLkdkBQ3n7ZDGs=",
+      "requires": {
+        "regenerate": "^1.2.1",
+        "regjsgen": "^0.2.0",
+        "regjsparser": "^0.1.4"
+      }
+    },
+    "registry-auth-token": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/registry-auth-token/-/registry-auth-token-4.0.0.tgz",
+      "integrity": "sha512-lpQkHxd9UL6tb3k/aHAVfnVtn+Bcs9ob5InuFLLEDqSqeq+AljB8GZW9xY0x7F+xYwEcjKe07nyoxzEYz6yvkw==",
+      "requires": {
+        "rc": "^1.2.8",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "registry-url": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/registry-url/-/registry-url-5.1.0.tgz",
+      "integrity": "sha512-8acYXXTI0AkQv6RAOjE3vOaIXZkT9wo4LOFbBKYQEEnnMNBpKqdUrI6S4NT0KPIo/WVvJ5tE/X5LF/TQUf0ekw==",
+      "requires": {
+        "rc": "^1.2.8"
+      }
+    },
+    "regjsgen": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/regjsgen/-/regjsgen-0.2.0.tgz",
+      "integrity": "sha1-bAFq3qxVT3WCP+N6wFuS1aTtsfc="
+    },
+    "regjsparser": {
+      "version": "0.1.5",
+      "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.1.5.tgz",
+      "integrity": "sha1-fuj4Tcb6eS0/0K4ijSS9lJ6tIFw=",
+      "requires": {
+        "jsesc": "~0.5.0"
+      },
+      "dependencies": {
+        "jsesc": {
+          "version": "0.5.0",
+          "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-0.5.0.tgz",
+          "integrity": "sha1-597mbjXW/Bb3EP6R1c9p9w8IkR0="
+        }
+      }
+    },
+    "rehype-highlight": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/rehype-highlight/-/rehype-highlight-3.1.0.tgz",
+      "integrity": "sha512-5MzqLWUUMS4II+jWisOzF4mIgXJxt+QI3yvXLO/tTdzXuwYMGA7vRR3H60BiGOtlL30N/2267oefm+zdh8lePw==",
+      "requires": {
+        "hast-util-to-text": "^1.0.0",
+        "lowlight": "^1.10.0",
+        "unist-util-visit": "^1.1.0"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-1.4.1.tgz",
+          "integrity": "sha512-AvGNk7Bb//EmJZyhtRUnNMEpId/AZ5Ph/KUpTI09WHQuDZHKovQ1oEv3mfmKpWKtoMzyMC4GLBm1Zy5k12fjIw==",
+          "requires": {
+            "unist-util-visit-parents": "^2.0.0"
+          }
+        }
+      }
+    },
+    "relay-compiler": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/relay-compiler/-/relay-compiler-8.0.0.tgz",
+      "integrity": "sha512-JrS3Bv6+6S0KloHmXUyTcrdFRpI3NxWdiVQC146vD5jgay9EM464lyf9bEUsCol3na4JUrad4aQ/r+4wWxG1kw==",
+      "requires": {
+        "@babel/core": "^7.0.0",
+        "@babel/generator": "^7.5.0",
+        "@babel/parser": "^7.0.0",
+        "@babel/runtime": "^7.0.0",
+        "@babel/traverse": "^7.0.0",
+        "@babel/types": "^7.0.0",
+        "babel-preset-fbjs": "^3.3.0",
+        "chalk": "^2.4.1",
+        "fast-glob": "^2.2.2",
+        "fb-watchman": "^2.0.0",
+        "fbjs": "^1.0.0",
+        "immutable": "~3.7.6",
+        "nullthrows": "^1.1.1",
+        "relay-runtime": "8.0.0",
+        "signedsource": "^1.0.0",
+        "yargs": "^14.2.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "relay-runtime": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/relay-runtime/-/relay-runtime-8.0.0.tgz",
+      "integrity": "sha512-lOaZ7K/weTuCIt3pWHkxUG8s7iohI4IyYj65YV4sB9iX6W0uMvt626BFJ4GvNXFmd+OrgNnXcvx1mqRFqJaV8A==",
+      "requires": {
+        "@babel/runtime": "^7.0.0",
+        "fbjs": "^1.0.0"
+      }
+    },
+    "remark": {
+      "version": "11.0.2",
+      "resolved": "https://registry.npmjs.org/remark/-/remark-11.0.2.tgz",
+      "integrity": "sha512-bh+eJgn8wgmbHmIBOuwJFdTVRVpl3fcVP6HxmpPWO0ULGP9Qkh6INJh0N5Uy7GqlV7DQYGoqaKiEIpM5LLvJ8w==",
+      "requires": {
+        "remark-parse": "^7.0.0",
+        "remark-stringify": "^7.0.0",
+        "unified": "^8.2.0"
+      }
+    },
+    "remark-autolink-headings": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/remark-autolink-headings/-/remark-autolink-headings-5.2.1.tgz",
+      "integrity": "sha512-pAsIVtbYWIkCDoR/hXJQAjXRnzQ5hjQzmiz2eQnZMIQbsiut3x5xEQYF+urpNEQSUG1/I+9wp2sSERgaxiaBdQ==",
+      "requires": {
+        "extend": "^3.0.2",
+        "unist-util-visit": "^1.0.1"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-1.4.1.tgz",
+          "integrity": "sha512-AvGNk7Bb//EmJZyhtRUnNMEpId/AZ5Ph/KUpTI09WHQuDZHKovQ1oEv3mfmKpWKtoMzyMC4GLBm1Zy5k12fjIw==",
+          "requires": {
+            "unist-util-visit-parents": "^2.0.0"
+          }
+        }
+      }
+    },
+    "remark-mdx": {
+      "version": "1.5.3",
+      "resolved": "https://registry.npmjs.org/remark-mdx/-/remark-mdx-1.5.3.tgz",
+      "integrity": "sha512-7WqfwdyER3k0gNiikzw9y+AQskAm6PX2qEF97vhuZ9y8/MatVKoWGCPX4VCYAN0qlM1X6ty761rbMWMy5OmgyA==",
+      "requires": {
+        "@babel/core": "7.7.4",
+        "@babel/helper-plugin-utils": "7.0.0",
+        "@babel/plugin-proposal-object-rest-spread": "7.7.4",
+        "@babel/plugin-syntax-jsx": "7.7.4",
+        "@mdx-js/util": "^1.5.3",
+        "is-alphabetical": "1.0.3",
+        "remark-parse": "7.0.2",
+        "unified": "8.4.2"
+      },
+      "dependencies": {
+        "@babel/core": {
+          "version": "7.7.4",
+          "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.7.4.tgz",
+          "integrity": "sha512-+bYbx56j4nYBmpsWtnPUsKW3NdnYxbqyfrP2w9wILBuHzdfIKz9prieZK0DFPyIzkjYVUe4QkusGL07r5pXznQ==",
+          "requires": {
+            "@babel/code-frame": "^7.5.5",
+            "@babel/generator": "^7.7.4",
+            "@babel/helpers": "^7.7.4",
+            "@babel/parser": "^7.7.4",
+            "@babel/template": "^7.7.4",
+            "@babel/traverse": "^7.7.4",
+            "@babel/types": "^7.7.4",
+            "convert-source-map": "^1.7.0",
+            "debug": "^4.1.0",
+            "json5": "^2.1.0",
+            "lodash": "^4.17.13",
+            "resolve": "^1.3.2",
+            "semver": "^5.4.1",
+            "source-map": "^0.5.0"
+          }
+        }
+      }
+    },
+    "remark-parse": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/remark-parse/-/remark-parse-7.0.2.tgz",
+      "integrity": "sha512-9+my0lQS80IQkYXsMA8Sg6m9QfXYJBnXjWYN5U+kFc5/n69t+XZVXU/ZBYr3cYH8FheEGf1v87rkFDhJ8bVgMA==",
+      "requires": {
+        "collapse-white-space": "^1.0.2",
+        "is-alphabetical": "^1.0.0",
+        "is-decimal": "^1.0.0",
+        "is-whitespace-character": "^1.0.0",
+        "is-word-character": "^1.0.0",
+        "markdown-escapes": "^1.0.0",
+        "parse-entities": "^1.1.0",
+        "repeat-string": "^1.5.4",
+        "state-toggle": "^1.0.0",
+        "trim": "0.0.1",
+        "trim-trailing-lines": "^1.0.0",
+        "unherit": "^1.0.4",
+        "unist-util-remove-position": "^1.0.0",
+        "vfile-location": "^2.0.0",
+        "xtend": "^4.0.1"
+      }
+    },
+    "remark-slug": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/remark-slug/-/remark-slug-5.1.2.tgz",
+      "integrity": "sha512-DWX+Kd9iKycqyD+/B+gEFO3jjnt7Yg1O05lygYSNTe5i5PIxxxPjp5qPBDxPIzp5wreF7+1ROCwRgjEcqmzr3A==",
+      "requires": {
+        "github-slugger": "^1.0.0",
+        "mdast-util-to-string": "^1.0.0",
+        "unist-util-visit": "^1.0.0"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-1.4.1.tgz",
+          "integrity": "sha512-AvGNk7Bb//EmJZyhtRUnNMEpId/AZ5Ph/KUpTI09WHQuDZHKovQ1oEv3mfmKpWKtoMzyMC4GLBm1Zy5k12fjIw==",
+          "requires": {
+            "unist-util-visit-parents": "^2.0.0"
+          }
+        }
+      }
+    },
+    "remark-squeeze-paragraphs": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/remark-squeeze-paragraphs/-/remark-squeeze-paragraphs-3.0.4.tgz",
+      "integrity": "sha512-Wmz5Yj9q+W1oryo8BV17JrOXZgUKVcpJ2ApE2pwnoHwhFKSk4Wp2PmFNbmJMgYSqAdFwfkoe+TSYop5Fy8wMgA==",
+      "requires": {
+        "mdast-squeeze-paragraphs": "^3.0.0"
+      }
+    },
+    "remark-stringify": {
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/remark-stringify/-/remark-stringify-7.0.4.tgz",
+      "integrity": "sha512-qck+8NeA1D0utk1ttKcWAoHRrJxERYQzkHDyn+pF5Z4whX1ug98uCNPPSeFgLSaNERRxnD6oxIug6DzZQth6Pg==",
+      "requires": {
+        "ccount": "^1.0.0",
+        "is-alphanumeric": "^1.0.0",
+        "is-decimal": "^1.0.0",
+        "is-whitespace-character": "^1.0.0",
+        "longest-streak": "^2.0.1",
+        "markdown-escapes": "^1.0.0",
+        "markdown-table": "^1.1.0",
+        "mdast-util-compact": "^1.0.0",
+        "parse-entities": "^1.0.2",
+        "repeat-string": "^1.5.4",
+        "state-toggle": "^1.0.0",
+        "stringify-entities": "^2.0.0",
+        "unherit": "^1.0.4",
+        "xtend": "^4.0.1"
+      }
+    },
+    "remove-trailing-separator": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/remove-trailing-separator/-/remove-trailing-separator-1.1.0.tgz",
+      "integrity": "sha1-wkvOKig62tW8P1jg1IJJuSN52O8="
+    },
+    "remove-trailing-slash": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/remove-trailing-slash/-/remove-trailing-slash-0.1.0.tgz",
+      "integrity": "sha1-FJjl3wmEwn5Jt26/Boh8otARUNI="
+    },
+    "repeat-element": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/repeat-element/-/repeat-element-1.1.3.tgz",
+      "integrity": "sha512-ahGq0ZnV5m5XtZLMb+vP76kcAM5nkLqk0lpqAuojSKGgQtn4eRi4ZZGm2olo2zKFH+sMsWaqOCW1dqAnOru72g=="
+    },
+    "repeat-string": {
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/repeat-string/-/repeat-string-1.6.1.tgz",
+      "integrity": "sha1-jcrkcOHIirwtYA//Sndihtp15jc="
+    },
+    "repeating": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/repeating/-/repeating-2.0.1.tgz",
+      "integrity": "sha1-UhTFOpJtNVJwdSf7q0FdvAjQbdo=",
+      "requires": {
+        "is-finite": "^1.0.0"
+      }
+    },
+    "replace-ext": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-1.0.0.tgz",
+      "integrity": "sha1-3mMSg3P8v3w8z6TeWkgMRaZ5WOs="
+    },
+    "require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I="
+    },
+    "require-main-filename": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz",
+      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg=="
+    },
+    "resolve": {
+      "version": "1.13.1",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.13.1.tgz",
+      "integrity": "sha512-CxqObCX8K8YtAhOBRg+lrcdn+LK+WYOS8tSjqSFbjtrI5PnS63QPhZl4+yKfrU9tdsbMu9Anr/amegT87M9Z6w==",
+      "requires": {
+        "path-parse": "^1.0.6"
+      }
+    },
+    "resolve-from": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-5.0.0.tgz",
+      "integrity": "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw=="
+    },
+    "resolve-url": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/resolve-url/-/resolve-url-0.2.1.tgz",
+      "integrity": "sha1-LGN/53yJOv0qZj/iGqkIAGjiBSo="
+    },
+    "responselike": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/responselike/-/responselike-1.0.2.tgz",
+      "integrity": "sha1-kYcg7ztjHFZCvgaPFa3lpG9Loec=",
+      "requires": {
+        "lowercase-keys": "^1.0.0"
+      }
+    },
+    "restore-cursor": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-3.1.0.tgz",
+      "integrity": "sha512-l+sSefzHpj5qimhFSE5a8nufZYAM3sBSVMAPtYkmC+4EH2anSGaEMXSD0izRQbu9nfyQ9y5JrVmp7E8oZrUjvA==",
+      "requires": {
+        "onetime": "^5.1.0",
+        "signal-exit": "^3.0.2"
+      }
+    },
+    "ret": {
+      "version": "0.1.15",
+      "resolved": "https://registry.npmjs.org/ret/-/ret-0.1.15.tgz",
+      "integrity": "sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg=="
+    },
+    "retry": {
+      "version": "0.12.0",
+      "resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz",
+      "integrity": "sha1-G0KmJmoh8HQh0bC1S33BZ7AcATs="
+    },
+    "reusify": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz",
+      "integrity": "sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw=="
+    },
+    "rimraf": {
+      "version": "2.6.3",
+      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.6.3.tgz",
+      "integrity": "sha512-mwqeW5XsA2qAejG46gYdENaxXjx9onRNCfn7L0duuP4hCuTIi/QO7PDK07KJfp1d+izWPrzEJDcSqBa0OZQriA==",
+      "requires": {
+        "glob": "^7.1.3"
+      }
+    },
+    "ripemd160": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/ripemd160/-/ripemd160-2.0.2.tgz",
+      "integrity": "sha512-ii4iagi25WusVoiC4B4lq7pbXfAp3D9v5CwfkY33vffw2+pkDjY1D8GaN7spsxvCSx8dkPqOZCEZyfxcmJG2IA==",
+      "requires": {
+        "hash-base": "^3.0.0",
+        "inherits": "^2.0.1"
+      }
+    },
+    "run-async": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/run-async/-/run-async-2.3.0.tgz",
+      "integrity": "sha1-A3GrSuC91yDUFm19/aZP96RFpsA=",
+      "requires": {
+        "is-promise": "^2.1.0"
+      }
+    },
+    "run-node": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/run-node/-/run-node-1.0.0.tgz",
+      "integrity": "sha512-kc120TBlQ3mih1LSzdAJXo4xn/GWS2ec0l3S+syHDXP9uRr0JAT8Qd3mdMuyjqCzeZktgP3try92cEgf9Nks8A=="
+    },
+    "run-parallel": {
+      "version": "1.1.9",
+      "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.1.9.tgz",
+      "integrity": "sha512-DEqnSRTDw/Tc3FXf49zedI638Z9onwUotBMiUFKmrO2sdFKIbXamXGQ3Axd4qgphxKB4kw/qP1w5kTxnfU1B9Q=="
+    },
+    "run-queue": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/run-queue/-/run-queue-1.0.3.tgz",
+      "integrity": "sha1-6Eg5bwV9Ij8kOGkkYY4laUFh7Ec=",
+      "requires": {
+        "aproba": "^1.1.1"
+      }
+    },
+    "rxjs": {
+      "version": "6.5.3",
+      "resolved": "https://registry.npmjs.org/rxjs/-/rxjs-6.5.3.tgz",
+      "integrity": "sha512-wuYsAYYFdWTAnAaPoKGNhfpWwKZbJW+HgAJ+mImp+Epl7BG8oNWBCTyRM8gba9k4lk8BgWdoYm21Mo/RYhhbgA==",
+      "requires": {
+        "tslib": "^1.9.0"
+      }
+    },
+    "safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
+    },
+    "safe-regex": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/safe-regex/-/safe-regex-1.1.0.tgz",
+      "integrity": "sha1-QKNmnzsHfR6UPURinhV91IAjvy4=",
+      "requires": {
+        "ret": "~0.1.10"
+      }
+    },
+    "safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
+    },
+    "sanitize.css": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/sanitize.css/-/sanitize.css-10.0.0.tgz",
+      "integrity": "sha512-vTxrZz4dX5W86M6oVWVdOVe72ZiPs41Oi7Z6Km4W5Turyz28mrXSJhhEBZoRtzJWIv3833WKVwLSDWWkEfupMg=="
+    },
+    "sax": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
+      "integrity": "sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw=="
+    },
+    "scheduler": {
+      "version": "0.18.0",
+      "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.18.0.tgz",
+      "integrity": "sha512-agTSHR1Nbfi6ulI0kYNK0203joW2Y5W4po4l+v03tOoiJKpTBbxpNhWDvqc/4IcOw+KLmSiQLTasZ4cab2/UWQ==",
+      "requires": {
+        "loose-envify": "^1.1.0",
+        "object-assign": "^4.1.1"
+      }
+    },
+    "schema-utils": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-1.0.0.tgz",
+      "integrity": "sha512-i27Mic4KovM/lnGsy8whRCHhc7VicJajAjTrYg11K9zfZXnYIt4k5F+kZkwjnrhKzLic/HLU4j11mjsz2G/75g==",
+      "requires": {
+        "ajv": "^6.1.0",
+        "ajv-errors": "^1.0.0",
+        "ajv-keywords": "^3.1.0"
+      }
+    },
+    "section-matter": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/section-matter/-/section-matter-1.0.0.tgz",
+      "integrity": "sha512-vfD3pmTzGpufjScBh50YHKzEu2lxBWhVEHsNGoEXmCmn2hKGfeNLYMzCJpe8cD7gqX7TJluOVpBkAequ6dgMmA==",
+      "requires": {
+        "extend-shallow": "^2.0.1",
+        "kind-of": "^6.0.0"
+      },
+      "dependencies": {
+        "extend-shallow": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
+          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+          "requires": {
+            "is-extendable": "^0.1.0"
+          }
+        }
+      }
+    },
+    "seek-bzip": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/seek-bzip/-/seek-bzip-1.0.5.tgz",
+      "integrity": "sha1-z+kXyz0nS8/6x5J1ivUxc+sfq9w=",
+      "requires": {
+        "commander": "~2.8.1"
+      },
+      "dependencies": {
+        "commander": {
+          "version": "2.8.1",
+          "resolved": "https://registry.npmjs.org/commander/-/commander-2.8.1.tgz",
+          "integrity": "sha1-Br42f+v9oMMwqh4qBy09yXYkJdQ=",
+          "requires": {
+            "graceful-readlink": ">= 1.0.0"
+          }
+        }
+      }
+    },
+    "semver": {
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
+      "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ=="
+    },
+    "semver-compare": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/semver-compare/-/semver-compare-1.0.0.tgz",
+      "integrity": "sha1-De4hahyUGrN+nvsXiPavxf9VN/w="
+    },
+    "semver-regex": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz",
+      "integrity": "sha512-mUdIBBvdn0PLOeP3TEkMH7HHeUP3GjsXCwKarjv/kGmUFOYg1VqEemKhoQpWMu6X2I8kHeuVdGibLGkVK+/5Qw=="
+    },
+    "semver-truncate": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/semver-truncate/-/semver-truncate-1.1.2.tgz",
+      "integrity": "sha1-V/Qd5pcHpicJp+AQS6IRcQnqR+g=",
+      "requires": {
+        "semver": "^5.3.0"
+      }
+    },
+    "send": {
+      "version": "0.17.1",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.17.1.tgz",
+      "integrity": "sha512-BsVKsiGcQMFwT8UxypobUKyv7irCNRHk1T0G680vk88yf6LBByGcZJOTJCrTP2xVN6yI+XjPJcNuE3V4fT9sAg==",
+      "requires": {
+        "debug": "2.6.9",
+        "depd": "~1.1.2",
+        "destroy": "~1.0.4",
+        "encodeurl": "~1.0.2",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "fresh": "0.5.2",
+        "http-errors": "~1.7.2",
+        "mime": "1.6.0",
+        "ms": "2.1.1",
+        "on-finished": "~2.3.0",
+        "range-parser": "~1.2.1",
+        "statuses": "~1.5.0"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "requires": {
+            "ms": "2.0.0"
+          },
+          "dependencies": {
+            "ms": {
+              "version": "2.0.0",
+              "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+              "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+            }
+          }
+        },
+        "ms": {
+          "version": "2.1.1",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz",
+          "integrity": "sha512-tgp+dl5cGk28utYktBsrFqA7HKgrhgPsg6Z/EfhWI4gl1Hwq8B/GmY/0oXZ6nF8hDVesS/FpnYaD/kOWhYQvyg=="
+        }
+      }
+    },
+    "serialize-javascript": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz",
+      "integrity": "sha512-rs9OggEUF0V4jUSecXazOYsLfu7OGK2qIn3c7IPBiffz32XniEp/TX9Xmc9LQfK2nQ2QKHvZ2oygKUGU0lG4jQ=="
+    },
+    "serve-static": {
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.14.1.tgz",
+      "integrity": "sha512-JMrvUwE54emCYWlTI+hGrGv5I8dEwmco/00EvkzIIsR7MqrHonbD9pO2MOfFnpFntl7ecpZs+3mW+XbQZu9QCg==",
+      "requires": {
+        "encodeurl": "~1.0.2",
+        "escape-html": "~1.0.3",
+        "parseurl": "~1.3.3",
+        "send": "0.17.1"
+      }
+    },
+    "set-blocking": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
+      "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc="
+    },
+    "set-value": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz",
+      "integrity": "sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==",
+      "requires": {
+        "extend-shallow": "^2.0.1",
+        "is-extendable": "^0.1.1",
+        "is-plain-object": "^2.0.3",
+        "split-string": "^3.0.1"
+      },
+      "dependencies": {
+        "extend-shallow": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
+          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+          "requires": {
+            "is-extendable": "^0.1.0"
+          }
+        }
+      }
+    },
+    "setimmediate": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/setimmediate/-/setimmediate-1.0.5.tgz",
+      "integrity": "sha1-KQy7Iy4waULX1+qbg3Mqt4VvgoU="
+    },
+    "setprototypeof": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.1.tgz",
+      "integrity": "sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw=="
+    },
+    "sha.js": {
+      "version": "2.4.11",
+      "resolved": "https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz",
+      "integrity": "sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==",
+      "requires": {
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "shebang-command": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-1.2.0.tgz",
+      "integrity": "sha1-RKrGW2lbAzmJaMOfNj/uXer98eo=",
+      "requires": {
+        "shebang-regex": "^1.0.0"
+      }
+    },
+    "shebang-regex": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-1.0.0.tgz",
+      "integrity": "sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM="
+    },
+    "shell-quote": {
+      "version": "1.7.2",
+      "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz",
+      "integrity": "sha512-mRz/m/JVscCrkMyPqHc/bczi3OQHkLTqXHEFu0zDhK/qfv3UcOA4SVmRCLmos4bhjr9ekVQubj/R7waKapmiQg=="
+    },
+    "signal-exit": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.2.tgz",
+      "integrity": "sha1-tf3AjxKH6hF4Yo5BXiUTK3NkbG0="
+    },
+    "signale": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/signale/-/signale-1.4.0.tgz",
+      "integrity": "sha512-iuh+gPf28RkltuJC7W5MRi6XAjTDCAPC/prJUpQoG4vIP3MJZ+GTydVnodXA7pwvTKb2cA0m9OFZW/cdWy/I/w==",
+      "requires": {
+        "chalk": "^2.3.2",
+        "figures": "^2.0.0",
+        "pkg-conf": "^2.1.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        },
+        "figures": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/figures/-/figures-2.0.0.tgz",
+          "integrity": "sha1-OrGi0qYsi/tDGgyUy3l6L84nyWI=",
+          "requires": {
+            "escape-string-regexp": "^1.0.5"
+          }
+        }
+      }
+    },
+    "signedsource": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/signedsource/-/signedsource-1.0.0.tgz",
+      "integrity": "sha1-HdrOSYF5j5O9gzlzgD2A1S6TrWo="
+    },
+    "slash": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-3.0.0.tgz",
+      "integrity": "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q=="
+    },
+    "slice-ansi": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-2.1.0.tgz",
+      "integrity": "sha512-Qu+VC3EwYLldKa1fCxuuvULvSJOKEgk9pi8dZeCVK7TqBfUNTH4sFkk4joj8afVSfAYgJoSOetjx9QWOJ5mYoQ==",
+      "requires": {
+        "ansi-styles": "^3.2.0",
+        "astral-regex": "^1.0.0",
+        "is-fullwidth-code-point": "^2.0.0"
+      }
+    },
+    "slugify": {
+      "version": "1.3.6",
+      "resolved": "https://registry.npmjs.org/slugify/-/slugify-1.3.6.tgz",
+      "integrity": "sha512-wA9XS475ZmGNlEnYYLPReSfuz/c3VQsEMoU43mi6OnKMCdbnFXd4/Yg7J0lBv8jkPolacMpOrWEaoYxuE1+hoQ=="
+    },
+    "snapdragon": {
+      "version": "0.8.2",
+      "resolved": "https://registry.npmjs.org/snapdragon/-/snapdragon-0.8.2.tgz",
+      "integrity": "sha512-FtyOnWN/wCHTVXOMwvSv26d+ko5vWlIDD6zoUJ7LW8vh+ZBC8QdljveRP+crNrtBwioEUWy/4dMtbBjA4ioNlg==",
+      "requires": {
+        "base": "^0.11.1",
+        "debug": "^2.2.0",
+        "define-property": "^0.2.5",
+        "extend-shallow": "^2.0.1",
+        "map-cache": "^0.2.2",
+        "source-map": "^0.5.6",
+        "source-map-resolve": "^0.5.0",
+        "use": "^3.1.0"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "requires": {
+            "ms": "2.0.0"
+          }
+        },
+        "define-property": {
+          "version": "0.2.5",
+          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        },
+        "extend-shallow": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz",
+          "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=",
+          "requires": {
+            "is-extendable": "^0.1.0"
+          }
+        },
+        "ms": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+        }
+      }
+    },
+    "snapdragon-node": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/snapdragon-node/-/snapdragon-node-2.1.1.tgz",
+      "integrity": "sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw==",
+      "requires": {
+        "define-property": "^1.0.0",
+        "isobject": "^3.0.0",
+        "snapdragon-util": "^3.0.1"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz",
+          "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=",
+          "requires": {
+            "is-descriptor": "^1.0.0"
+          }
+        },
+        "is-accessor-descriptor": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz",
+          "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==",
+          "requires": {
+            "kind-of": "^6.0.0"
+          }
+        },
+        "is-data-descriptor": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz",
+          "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==",
+          "requires": {
+            "kind-of": "^6.0.0"
+          }
+        },
+        "is-descriptor": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz",
+          "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==",
+          "requires": {
+            "is-accessor-descriptor": "^1.0.0",
+            "is-data-descriptor": "^1.0.0",
+            "kind-of": "^6.0.2"
+          }
+        }
+      }
+    },
+    "snapdragon-util": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/snapdragon-util/-/snapdragon-util-3.0.1.tgz",
+      "integrity": "sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ==",
+      "requires": {
+        "kind-of": "^3.2.0"
+      },
+      "dependencies": {
+        "kind-of": {
+          "version": "3.2.2",
+          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "sort-keys": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/sort-keys/-/sort-keys-3.0.0.tgz",
+      "integrity": "sha512-77XUKMiZN5LvQXZ9sgWfJza19AvYIDwaDGwGiULM+B5XYru8Z90Oh06JvqDlJczvjjYvssrV0aK1GI6+YXvn5A==",
+      "requires": {
+        "is-plain-obj": "^2.0.0"
+      }
+    },
+    "sort-keys-length": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/sort-keys-length/-/sort-keys-length-1.0.1.tgz",
+      "integrity": "sha1-nLb09OnkgVWmqgZx7dM2/xR5oYg=",
+      "requires": {
+        "sort-keys": "^1.0.0"
+      },
+      "dependencies": {
+        "is-plain-obj": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-1.1.0.tgz",
+          "integrity": "sha1-caUMhCnfync8kqOQpKA7OfzVHT4="
+        },
+        "sort-keys": {
+          "version": "1.1.2",
+          "resolved": "https://registry.npmjs.org/sort-keys/-/sort-keys-1.1.2.tgz",
+          "integrity": "sha1-RBttTTRnmPG05J6JIK37oOVD+a0=",
+          "requires": {
+            "is-plain-obj": "^1.0.0"
+          }
+        }
+      }
+    },
+    "source-list-map": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/source-list-map/-/source-list-map-2.0.1.tgz",
+      "integrity": "sha512-qnQ7gVMxGNxsiL4lEuJwe/To8UnK7fAnmbGEEH8RpLouuKbeEm0lhbQVFIrNSuB+G7tVrAlVsZgETT5nljf+Iw=="
+    },
+    "source-map": {
+      "version": "0.5.7",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
+      "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w="
+    },
+    "source-map-resolve": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/source-map-resolve/-/source-map-resolve-0.5.2.tgz",
+      "integrity": "sha512-MjqsvNwyz1s0k81Goz/9vRBe9SZdB09Bdw+/zYyO+3CuPk6fouTaxscHkgtE8jKvf01kVfl8riHzERQ/kefaSA==",
+      "requires": {
+        "atob": "^2.1.1",
+        "decode-uri-component": "^0.2.0",
+        "resolve-url": "^0.2.1",
+        "source-map-url": "^0.4.0",
+        "urix": "^0.1.0"
+      }
+    },
+    "source-map-support": {
+      "version": "0.5.16",
+      "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.16.tgz",
+      "integrity": "sha512-efyLRJDr68D9hBBNIPWFjhpFzURh+KJykQwvMyW5UiZzYwoF6l4YMMDIJJEyFWxWCqfyxLzz6tSfUFR+kXXsVQ==",
+      "requires": {
+        "buffer-from": "^1.0.0",
+        "source-map": "^0.6.0"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "source-map-url": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/source-map-url/-/source-map-url-0.4.0.tgz",
+      "integrity": "sha1-PpNdfd1zYxuXZZlW1VEo6HtQhKM="
+    },
+    "space-separated-tokens": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/space-separated-tokens/-/space-separated-tokens-1.1.4.tgz",
+      "integrity": "sha512-UyhMSmeIqZrQn2UdjYpxEkwY9JUrn8pP+7L4f91zRzOQuI8MF1FGLfYU9DKCYeLdo7LXMxwrX5zKFy7eeeVHuA=="
+    },
+    "spdx-correct": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.1.0.tgz",
+      "integrity": "sha512-lr2EZCctC2BNR7j7WzJ2FpDznxky1sjfxvvYEyzxNyb6lZXHODmEoJeFu4JupYlkfha1KZpJyoqiJ7pgA1qq8Q==",
+      "requires": {
+        "spdx-expression-parse": "^3.0.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "spdx-exceptions": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.2.0.tgz",
+      "integrity": "sha512-2XQACfElKi9SlVb1CYadKDXvoajPgBVPn/gOQLrTvHdElaVhr7ZEbqJaRnJLVNeaI4cMEAgVCeBMKF6MWRDCRA=="
+    },
+    "spdx-expression-parse": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.0.tgz",
+      "integrity": "sha512-Yg6D3XpRD4kkOmTpdgbUiEJFKghJH03fiC1OPll5h/0sO6neh2jqRDVHOQ4o/LMea0tgCkbMgea5ip/e+MkWyg==",
+      "requires": {
+        "spdx-exceptions": "^2.1.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "spdx-license-ids": {
+      "version": "3.0.5",
+      "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.5.tgz",
+      "integrity": "sha512-J+FWzZoynJEXGphVIS+XEh3kFSjZX/1i9gFBaWQcB+/tmpe2qUsSBABpcxqxnAxFdiUFEgAX1bjYGQvIZmoz9Q=="
+    },
+    "split-string": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/split-string/-/split-string-3.1.0.tgz",
+      "integrity": "sha512-NzNVhJDYpwceVVii8/Hu6DKfD2G+NrQHlS/V/qgv763EYudVwEcMQNxd2lh+0VrUByXN/oJkl5grOhYWvQUYiw==",
+      "requires": {
+        "extend-shallow": "^3.0.0"
+      }
+    },
+    "sprintf-js": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
+      "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw="
+    },
+    "squeak": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/squeak/-/squeak-1.3.0.tgz",
+      "integrity": "sha1-MwRQN7ZDiLVnZ0uEMiplIQc5FsM=",
+      "requires": {
+        "chalk": "^1.0.0",
+        "console-stream": "^0.1.1",
+        "lpad-align": "^1.0.1"
+      },
+      "dependencies": {
+        "ansi-styles": {
+          "version": "2.2.1",
+          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
+          "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4="
+        },
+        "chalk": {
+          "version": "1.1.3",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz",
+          "integrity": "sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=",
+          "requires": {
+            "ansi-styles": "^2.2.1",
+            "escape-string-regexp": "^1.0.2",
+            "has-ansi": "^2.0.0",
+            "strip-ansi": "^3.0.0",
+            "supports-color": "^2.0.0"
+          }
+        },
+        "supports-color": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
+          "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc="
+        }
+      }
+    },
+    "ssri": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz",
+      "integrity": "sha512-3Wge10hNcT1Kur4PDFwEieXSCMCJs/7WvSACcrMYrNp+b8kDL1/0wJch5Ni2WrtwEa2IO8OsVfeKIciKCDx/QA==",
+      "requires": {
+        "figgy-pudding": "^3.5.1"
+      }
+    },
+    "stable": {
+      "version": "0.1.8",
+      "resolved": "https://registry.npmjs.org/stable/-/stable-0.1.8.tgz",
+      "integrity": "sha512-ji9qxRnOVfcuLDySj9qzhGSEFVobyt1kIOSkj1qZzYLzq7Tos/oUUWvotUPQLlrsidqsK6tBH89Bc9kL5zHA6w=="
+    },
+    "stack-generator": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/stack-generator/-/stack-generator-2.0.4.tgz",
+      "integrity": "sha512-ha1gosTNcgxwzo9uKTQ8zZ49aUp5FIUW58YHFxCqaAHtE0XqBg0chGFYA1MfmW//x1KWq3F4G7Ug7bJh4RiRtg==",
+      "requires": {
+        "stackframe": "^1.1.0"
+      }
+    },
+    "stackframe": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/stackframe/-/stackframe-1.1.0.tgz",
+      "integrity": "sha512-Vx6W1Yvy+AM1R/ckVwcHQHV147pTPBKWCRLrXMuPrFVfvBUc3os7PR1QLIWCMhPpRg5eX9ojzbQIMLGBwyLjqg=="
+    },
+    "state-toggle": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/state-toggle/-/state-toggle-1.0.2.tgz",
+      "integrity": "sha512-8LpelPGR0qQM4PnfLiplOQNJcIN1/r2Gy0xKB2zKnIW2YzPMt2sR4I/+gtPjhN7Svh9kw+zqEg2SFwpBO9iNiw=="
+    },
+    "static-extend": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/static-extend/-/static-extend-0.1.2.tgz",
+      "integrity": "sha1-YICcOcv/VTNyJv1eC1IPNB8ftcY=",
+      "requires": {
+        "define-property": "^0.2.5",
+        "object-copy": "^0.1.0"
+      },
+      "dependencies": {
+        "define-property": {
+          "version": "0.2.5",
+          "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz",
+          "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=",
+          "requires": {
+            "is-descriptor": "^0.1.0"
+          }
+        }
+      }
+    },
+    "statuses": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
+      "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow="
+    },
+    "stream-browserify": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/stream-browserify/-/stream-browserify-2.0.2.tgz",
+      "integrity": "sha512-nX6hmklHs/gr2FuxYDltq8fJA1GDlxKQCz8O/IM4atRqBH8OORmBNgfvW5gG10GT/qQ9u0CzIvr2X5Pkt6ntqg==",
+      "requires": {
+        "inherits": "~2.0.1",
+        "readable-stream": "^2.0.2"
+      }
+    },
+    "stream-each": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/stream-each/-/stream-each-1.2.3.tgz",
+      "integrity": "sha512-vlMC2f8I2u/bZGqkdfLQW/13Zihpej/7PmSiMQsbYddxuTsJp8vRe2x2FvVExZg7FaOds43ROAuFJwPR4MTZLw==",
+      "requires": {
+        "end-of-stream": "^1.1.0",
+        "stream-shift": "^1.0.0"
+      }
+    },
+    "stream-http": {
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/stream-http/-/stream-http-2.8.3.tgz",
+      "integrity": "sha512-+TSkfINHDo4J+ZobQLWiMouQYB+UVYFttRA94FpEzzJ7ZdqcL4uUUQ7WkdkI4DSozGmgBUE/a47L+38PenXhUw==",
+      "requires": {
+        "builtin-status-codes": "^3.0.0",
+        "inherits": "^2.0.1",
+        "readable-stream": "^2.3.6",
+        "to-arraybuffer": "^1.0.0",
+        "xtend": "^4.0.0"
+      }
+    },
+    "stream-shift": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/stream-shift/-/stream-shift-1.0.1.tgz",
+      "integrity": "sha512-AiisoFqQ0vbGcZgQPY1cdP2I76glaVA/RauYR4G4thNFgkTqr90yXTo4LYX60Jl+sIlPNHHdGSwo01AvbKUSVQ=="
+    },
+    "strict-uri-encode": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/strict-uri-encode/-/strict-uri-encode-1.1.0.tgz",
+      "integrity": "sha1-J5siXfHVgrH1TmWt3UNS4Y+qBxM="
+    },
+    "string-argv": {
+      "version": "0.3.1",
+      "resolved": "https://registry.npmjs.org/string-argv/-/string-argv-0.3.1.tgz",
+      "integrity": "sha512-a1uQGz7IyVy9YwhqjZIZu1c8JO8dNIe20xBmSS6qu9kv++k3JGzCVmprbNN5Kn+BgzD5E7YYwg1CcjuJMRNsvg=="
+    },
+    "string-hash": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/string-hash/-/string-hash-1.1.3.tgz",
+      "integrity": "sha1-6Kr8CsGFW0Zmkp7X3RJ1311sgRs="
+    },
+    "string-length": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/string-length/-/string-length-3.1.0.tgz",
+      "integrity": "sha512-Ttp5YvkGm5v9Ijagtaz1BnN+k9ObpvS0eIBblPMp2YWL8FBmi9qblQ9fexc2k/CXFgrTIteU3jAw3payCnwSTA==",
+      "requires": {
+        "astral-regex": "^1.0.0",
+        "strip-ansi": "^5.2.0"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+          "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+        },
+        "strip-ansi": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+          "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+          "requires": {
+            "ansi-regex": "^4.1.0"
+          }
+        }
+      }
+    },
+    "string-width": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-3.1.0.tgz",
+      "integrity": "sha512-vafcv6KjVZKSgz06oM/H6GDBrAtz8vdhQakGjFIvNrHA6y3HCF1CInLy+QLq8dTJPQ1b+KDUqDFctkdRW44e1w==",
+      "requires": {
+        "emoji-regex": "^7.0.1",
+        "is-fullwidth-code-point": "^2.0.0",
+        "strip-ansi": "^5.1.0"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+          "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+        },
+        "strip-ansi": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+          "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+          "requires": {
+            "ansi-regex": "^4.1.0"
+          }
+        }
+      }
+    },
+    "string.prototype.trimleft": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/string.prototype.trimleft/-/string.prototype.trimleft-2.1.0.tgz",
+      "integrity": "sha512-FJ6b7EgdKxxbDxc79cOlok6Afd++TTs5szo+zJTUyow3ycrRfJVE2pq3vcN53XexvKZu/DJMDfeI/qMiZTrjTw==",
+      "requires": {
+        "define-properties": "^1.1.3",
+        "function-bind": "^1.1.1"
+      }
+    },
+    "string.prototype.trimright": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/string.prototype.trimright/-/string.prototype.trimright-2.1.0.tgz",
+      "integrity": "sha512-fXZTSV55dNBwv16uw+hh5jkghxSnc5oHq+5K/gXgizHwAvMetdAJlHqqoFC1FSDVPYWLkAKl2cxpUT41sV7nSg==",
+      "requires": {
+        "define-properties": "^1.1.3",
+        "function-bind": "^1.1.1"
+      }
+    },
+    "string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "requires": {
+        "safe-buffer": "~5.1.0"
+      }
+    },
+    "stringify-entities": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/stringify-entities/-/stringify-entities-2.0.0.tgz",
+      "integrity": "sha512-fqqhZzXyAM6pGD9lky/GOPq6V4X0SeTAFBl0iXb/BzOegl40gpf/bV3QQP7zULNYvjr6+Dx8SCaDULjVoOru0A==",
+      "requires": {
+        "character-entities-html4": "^1.0.0",
+        "character-entities-legacy": "^1.0.0",
+        "is-alphanumerical": "^1.0.0",
+        "is-decimal": "^1.0.2",
+        "is-hexadecimal": "^1.0.0"
+      }
+    },
+    "stringify-object": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/stringify-object/-/stringify-object-3.3.0.tgz",
+      "integrity": "sha512-rHqiFh1elqCQ9WPLIC8I0Q/g/wj5J1eMkyoiD6eoQApWHP0FtlK7rqnhmabL5VUY9JQCcqwwvlOaSuutekgyrw==",
+      "requires": {
+        "get-own-enumerable-property-symbols": "^3.0.0",
+        "is-obj": "^1.0.1",
+        "is-regexp": "^1.0.0"
+      }
+    },
+    "strip-ansi": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz",
+      "integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=",
+      "requires": {
+        "ansi-regex": "^2.0.0"
+      }
+    },
+    "strip-bom": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-3.0.0.tgz",
+      "integrity": "sha1-IzTBjpx1n3vdVv3vfprj1YjmjtM="
+    },
+    "strip-bom-string": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/strip-bom-string/-/strip-bom-string-1.0.0.tgz",
+      "integrity": "sha1-5SEekiQ2n7uB1jOi8ABE3IztrZI="
+    },
+    "strip-dirs": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/strip-dirs/-/strip-dirs-2.1.0.tgz",
+      "integrity": "sha512-JOCxOeKLm2CAS73y/U4ZeZPTkE+gNVCzKt7Eox84Iej1LT/2pTWYpZKJuxwQpvX1LiZb1xokNR7RLfuBAa7T3g==",
+      "requires": {
+        "is-natural-number": "^4.0.1"
+      }
+    },
+    "strip-eof": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/strip-eof/-/strip-eof-1.0.0.tgz",
+      "integrity": "sha1-u0P/VZim6wXYm1n80SnJgzE2Br8="
+    },
+    "strip-final-newline": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-2.0.0.tgz",
+      "integrity": "sha512-BrpvfNAE3dcvq7ll3xVumzjKjZQ5tI1sEUIKr3Uoks0XUl45St3FlatVqef9prk4jRDzhW6WZg+3bk93y6pLjA=="
+    },
+    "strip-indent": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/strip-indent/-/strip-indent-1.0.1.tgz",
+      "integrity": "sha1-DHlipq3vp7vUrDZkYKY4VSrhoKI=",
+      "requires": {
+        "get-stdin": "^4.0.1"
+      },
+      "dependencies": {
+        "get-stdin": {
+          "version": "4.0.1",
+          "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-4.0.1.tgz",
+          "integrity": "sha1-uWjGsKBDhDJJAui/Gl3zJXmkUP4="
+        }
+      }
+    },
+    "strip-json-comments": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.0.1.tgz",
+      "integrity": "sha512-VTyMAUfdm047mwKl+u79WIdrZxtFtn+nBxHeb844XBQ9uMNTuTHdx2hc5RiAJYqwTj3wc/xe5HLSdJSkJ+WfZw=="
+    },
+    "strip-outer": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/strip-outer/-/strip-outer-1.0.1.tgz",
+      "integrity": "sha512-k55yxKHwaXnpYGsOzg4Vl8+tDrWylxDEpknGjhTiZB8dFRU5rTo9CAzeycivxV3s+zlTKwrs6WxMxR95n26kwg==",
+      "requires": {
+        "escape-string-regexp": "^1.0.2"
+      }
+    },
+    "style-loader": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/style-loader/-/style-loader-1.0.0.tgz",
+      "integrity": "sha512-B0dOCFwv7/eY31a5PCieNwMgMhVGFe9w+rh7s/Bx8kfFkrth9zfTZquoYvdw8URgiqxObQKcpW51Ugz1HjfdZw==",
+      "requires": {
+        "loader-utils": "^1.2.3",
+        "schema-utils": "^2.0.1"
+      },
+      "dependencies": {
+        "schema-utils": {
+          "version": "2.6.4",
+          "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-2.6.4.tgz",
+          "integrity": "sha512-VNjcaUxVnEeun6B2fiiUDjXXBtD4ZSH7pdbfIu1pOFwgptDPLMo/z9jr4sUfsjFVPqDCEin/F7IYlq7/E6yDbQ==",
+          "requires": {
+            "ajv": "^6.10.2",
+            "ajv-keywords": "^3.4.1"
+          }
+        }
+      }
+    },
+    "style-to-object": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/style-to-object/-/style-to-object-0.3.0.tgz",
+      "integrity": "sha512-CzFnRRXhzWIdItT3OmF8SQfWyahHhjq3HwcMNCNLn+N7klOOqPjMeG/4JSu77D7ypZdGvSzvkrbyeTMizz2VrA==",
+      "requires": {
+        "inline-style-parser": "0.1.1"
+      }
+    },
+    "styled-jsx": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/styled-jsx/-/styled-jsx-3.2.4.tgz",
+      "integrity": "sha512-UMclQzI1lss38RhyjTf7SmtXJEMbB6Q9slDz8adGtzHjirYb1PPgeWLSP8SlZc8c9f3LF6axmtv+6K/553ANdg==",
+      "requires": {
+        "babel-plugin-syntax-jsx": "6.18.0",
+        "babel-types": "6.26.0",
+        "convert-source-map": "1.7.0",
+        "loader-utils": "1.2.3",
+        "source-map": "0.7.3",
+        "string-hash": "1.1.3",
+        "stylis": "3.5.4",
+        "stylis-rule-sheet": "0.0.10"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.7.3",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.3.tgz",
+          "integrity": "sha512-CkCj6giN3S+n9qrYiBTX5gystlENnRW5jZeNLHpe6aue+SrHcG5VYwujhW9s4dY31mEGsxBDrHR6oI69fTXsaQ=="
+        }
+      }
+    },
+    "stylis": {
+      "version": "3.5.4",
+      "resolved": "https://registry.npmjs.org/stylis/-/stylis-3.5.4.tgz",
+      "integrity": "sha512-8/3pSmthWM7lsPBKv7NXkzn2Uc9W7NotcwGNpJaa3k7WMM1XDCA4MgT5k/8BIexd5ydZdboXtU90XH9Ec4Bv/Q=="
+    },
+    "stylis-rule-sheet": {
+      "version": "0.0.10",
+      "resolved": "https://registry.npmjs.org/stylis-rule-sheet/-/stylis-rule-sheet-0.0.10.tgz",
+      "integrity": "sha512-nTbZoaqoBnmK+ptANthb10ZRZOGC+EmTLLUxeYIuHNkEKcmKgXX1XWKkUBT2Ac4es3NybooPe0SmvKdhKJZAuw=="
+    },
+    "supports-color": {
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+      "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+      "requires": {
+        "has-flag": "^3.0.0"
+      }
+    },
+    "supports-hyperlinks": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/supports-hyperlinks/-/supports-hyperlinks-1.0.1.tgz",
+      "integrity": "sha512-HHi5kVSefKaJkGYXbDuKbUGRVxqnWGn3J2e39CYcNJEfWciGq2zYtOhXLTlvrOZW1QU7VX67w7fMmWafHX9Pfw==",
+      "requires": {
+        "has-flag": "^2.0.0",
+        "supports-color": "^5.0.0"
+      },
+      "dependencies": {
+        "has-flag": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-2.0.0.tgz",
+          "integrity": "sha1-6CB68cx7MNRGzHC3NLXovhj4jVE="
+        }
+      }
+    },
+    "svgo": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/svgo/-/svgo-1.3.2.tgz",
+      "integrity": "sha512-yhy/sQYxR5BkC98CY7o31VGsg014AKLEPxdfhora76l36hD9Rdy5NZA/Ocn6yayNPgSamYdtX2rFJdcv07AYVw==",
+      "requires": {
+        "chalk": "^2.4.1",
+        "coa": "^2.0.2",
+        "css-select": "^2.0.0",
+        "css-select-base-adapter": "^0.1.1",
+        "css-tree": "1.0.0-alpha.37",
+        "csso": "^4.0.2",
+        "js-yaml": "^3.13.1",
+        "mkdirp": "~0.5.1",
+        "object.values": "^1.1.0",
+        "sax": "~1.2.4",
+        "stable": "^0.1.8",
+        "unquote": "~1.1.1",
+        "util.promisify": "~1.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "symbol-observable": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/symbol-observable/-/symbol-observable-1.2.0.tgz",
+      "integrity": "sha512-e900nM8RRtGhlV36KGEU9k65K3mPb1WV70OdjfxlG2EAuM1noi/E/BaW/uMhL7bPEssK8QV57vN3esixjUvcXQ=="
+    },
+    "table": {
+      "version": "5.4.6",
+      "resolved": "https://registry.npmjs.org/table/-/table-5.4.6.tgz",
+      "integrity": "sha512-wmEc8m4fjnob4gt5riFRtTu/6+4rSe12TpAELNSqHMfF3IqnA+CH37USM6/YR3qRZv7e56kAEAtd6nKZaxe0Ug==",
+      "requires": {
+        "ajv": "^6.10.2",
+        "lodash": "^4.17.14",
+        "slice-ansi": "^2.1.0",
+        "string-width": "^3.0.0"
+      }
+    },
+    "tapable": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-1.1.3.tgz",
+      "integrity": "sha512-4WK/bYZmj8xLr+HUCODHGF1ZFzsYffasLUgEiMBY4fgtltdO6B4WJtlSbPaDTLpYTcGVwM2qLnFTICEcNxs3kA=="
+    },
+    "tar-stream": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-1.6.2.tgz",
+      "integrity": "sha512-rzS0heiNf8Xn7/mpdSVVSMAWAoy9bfb1WOTYC78Z0UQKeKa/CWS8FOq0lKGNa8DWKAn9gxjCvMLYc5PGXYlK2A==",
+      "requires": {
+        "bl": "^1.0.0",
+        "buffer-alloc": "^1.2.0",
+        "end-of-stream": "^1.0.0",
+        "fs-constants": "^1.0.0",
+        "readable-stream": "^2.3.0",
+        "to-buffer": "^1.1.1",
+        "xtend": "^4.0.0"
+      }
+    },
+    "temp-dir": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/temp-dir/-/temp-dir-1.0.0.tgz",
+      "integrity": "sha1-CnwOom06Oa+n4OvqnB/AvE2qAR0="
+    },
+    "tempfile": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/tempfile/-/tempfile-2.0.0.tgz",
+      "integrity": "sha1-awRGhWqbERTRhW/8vlCczLCXcmU=",
+      "requires": {
+        "temp-dir": "^1.0.0",
+        "uuid": "^3.0.1"
+      }
+    },
+    "terminal-link": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/terminal-link/-/terminal-link-1.3.0.tgz",
+      "integrity": "sha512-nFaWG/gs3brGi3opgWU2+dyFGbQ7tueSRYOBOD8URdDXCbAGqDEZzuskCc+okCClYcJFDPwn8e2mbv4FqAnWFA==",
+      "requires": {
+        "ansi-escapes": "^3.2.0",
+        "supports-hyperlinks": "^1.0.1"
+      },
+      "dependencies": {
+        "ansi-escapes": {
+          "version": "3.2.0",
+          "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-3.2.0.tgz",
+          "integrity": "sha512-cBhpre4ma+U0T1oM5fXg7Dy1Jw7zzwv7lt/GoCpr+hDQJoYnKVPLL4dCvSEFMmQurOQvSrwT7SL/DAlhBI97RQ=="
+        }
+      }
+    },
+    "terser": {
+      "version": "4.4.2",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-4.4.2.tgz",
+      "integrity": "sha512-Uufrsvhj9O1ikwgITGsZ5EZS6qPokUOkCegS7fYOdGTv+OA90vndUbU6PEjr5ePqHfNUbGyMO7xyIZv2MhsALQ==",
+      "requires": {
+        "commander": "^2.20.0",
+        "source-map": "~0.6.1",
+        "source-map-support": "~0.5.12"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "terser-webpack-plugin": {
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-1.4.3.tgz",
+      "integrity": "sha512-QMxecFz/gHQwteWwSo5nTc6UaICqN1bMedC5sMtUc7y3Ha3Q8y6ZO0iCR8pq4RJC8Hjf0FEPEHZqcMB/+DFCrA==",
+      "requires": {
+        "cacache": "^12.0.2",
+        "find-cache-dir": "^2.1.0",
+        "is-wsl": "^1.1.0",
+        "schema-utils": "^1.0.0",
+        "serialize-javascript": "^2.1.2",
+        "source-map": "^0.6.1",
+        "terser": "^4.1.2",
+        "webpack-sources": "^1.4.0",
+        "worker-farm": "^1.7.0"
+      },
+      "dependencies": {
+        "find-cache-dir": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/find-cache-dir/-/find-cache-dir-2.1.0.tgz",
+          "integrity": "sha512-Tq6PixE0w/VMFfCgbONnkiQIVol/JJL7nRMi20fqzA4NRs9AfeqMGeRdPi3wIhYkxjeBaWh2rxwapn5Tu3IqOQ==",
+          "requires": {
+            "commondir": "^1.0.1",
+            "make-dir": "^2.0.0",
+            "pkg-dir": "^3.0.0"
+          }
+        },
+        "find-up": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-3.0.0.tgz",
+          "integrity": "sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==",
+          "requires": {
+            "locate-path": "^3.0.0"
+          }
+        },
+        "is-wsl": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/is-wsl/-/is-wsl-1.1.0.tgz",
+          "integrity": "sha1-HxbkqiKwTRM2tmGIpmrzxgDDpm0="
+        },
+        "locate-path": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-3.0.0.tgz",
+          "integrity": "sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==",
+          "requires": {
+            "p-locate": "^3.0.0",
+            "path-exists": "^3.0.0"
+          }
+        },
+        "make-dir": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-2.1.0.tgz",
+          "integrity": "sha512-LS9X+dc8KLxXCb8dni79fLIIUA5VyZoyjSMCwTluaXA0o27cCK0bhXkpgw+sTXVpPy/lSO57ilRixqk0vDmtRA==",
+          "requires": {
+            "pify": "^4.0.1",
+            "semver": "^5.6.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.2.2",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.2.tgz",
+          "integrity": "sha512-WGR+xHecKTr7EbUEhyLSh5Dube9JtdiG78ufaeLxTgpudf/20KqyMioIUZJAezlTIi6evxuoUs9YXc11cU+yzQ==",
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-3.0.0.tgz",
+          "integrity": "sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==",
+          "requires": {
+            "p-limit": "^2.0.0"
+          }
+        },
+        "p-try": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+          "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+        },
+        "pify": {
+          "version": "4.0.1",
+          "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
+          "integrity": "sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g=="
+        },
+        "pkg-dir": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-3.0.0.tgz",
+          "integrity": "sha512-/E57AYkoeQ25qkxMj5PBOVgF8Kiu/h7cYS30Z5+R7WaiCCBfLq58ZI/dSeaEKb9WVJV5n/03QwrN3IeWIFllvw==",
+          "requires": {
+            "find-up": "^3.0.0"
+          }
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "text-table": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz",
+      "integrity": "sha1-f17oI66AUgfACvLfSoTsP8+lcLQ="
+    },
+    "thread-loader": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/thread-loader/-/thread-loader-2.1.3.tgz",
+      "integrity": "sha512-wNrVKH2Lcf8ZrWxDF/khdlLlsTMczdcwPA9VEK4c2exlEPynYWxi9op3nPTo5lAnDIkE0rQEB3VBP+4Zncc9Hg==",
+      "requires": {
+        "loader-runner": "^2.3.1",
+        "loader-utils": "^1.1.0",
+        "neo-async": "^2.6.0"
+      }
+    },
+    "through": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
+      "integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU="
+    },
+    "through2": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz",
+      "integrity": "sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==",
+      "requires": {
+        "readable-stream": "~2.3.6",
+        "xtend": "~4.0.1"
+      }
+    },
+    "timed-out": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/timed-out/-/timed-out-4.0.1.tgz",
+      "integrity": "sha1-8y6srFoXW+ol1/q1Zas+2HQe9W8="
+    },
+    "timers-browserify": {
+      "version": "2.0.11",
+      "resolved": "https://registry.npmjs.org/timers-browserify/-/timers-browserify-2.0.11.tgz",
+      "integrity": "sha512-60aV6sgJ5YEbzUdn9c8kYGIqOubPoUdqQCul3SBAsRCZ40s6Y5cMcrW4dt3/k/EsbLVJNl9n6Vz3fTc+k2GeKQ==",
+      "requires": {
+        "setimmediate": "^1.0.4"
+      }
+    },
+    "tiny-warning": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/tiny-warning/-/tiny-warning-1.0.3.tgz",
+      "integrity": "sha512-lBN9zLN/oAf68o3zNXYrdCt1kP8WsiGW8Oo2ka41b2IM5JL/S1CTyX1rW0mb/zSuJun0ZUrDxx4sqvYS2FWzPA=="
+    },
+    "tippy.js": {
+      "version": "4.3.5",
+      "resolved": "https://registry.npmjs.org/tippy.js/-/tippy.js-4.3.5.tgz",
+      "integrity": "sha512-NDq3efte8nGK6BOJ1dDN1/WelAwfmh3UtIYXXck6+SxLzbIQNZE/cmRSnwScZ/FyiKdIcvFHvYUgqmoGx8CcyA==",
+      "requires": {
+        "popper.js": "^1.14.7"
+      }
+    },
+    "tmp": {
+      "version": "0.0.33",
+      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz",
+      "integrity": "sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==",
+      "requires": {
+        "os-tmpdir": "~1.0.2"
+      }
+    },
+    "to-arraybuffer": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/to-arraybuffer/-/to-arraybuffer-1.0.1.tgz",
+      "integrity": "sha1-fSKbH8xjfkZsoIEYCDanqr/4P0M="
+    },
+    "to-buffer": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/to-buffer/-/to-buffer-1.1.1.tgz",
+      "integrity": "sha512-lx9B5iv7msuFYE3dytT+KE5tap+rNYw+K4jVkb9R/asAb+pbBSM17jtunHplhBe6RRJdZx3Pn2Jph24O32mOVg=="
+    },
+    "to-fast-properties": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-2.0.0.tgz",
+      "integrity": "sha1-3F5pjL0HkmW8c+A3doGk5Og/YW4="
+    },
+    "to-object-path": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/to-object-path/-/to-object-path-0.3.0.tgz",
+      "integrity": "sha1-KXWIt7Dn4KwI4E5nL4XB9JmeF68=",
+      "requires": {
+        "kind-of": "^3.0.2"
+      },
+      "dependencies": {
+        "kind-of": {
+          "version": "3.2.2",
+          "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz",
+          "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=",
+          "requires": {
+            "is-buffer": "^1.1.5"
+          }
+        }
+      }
+    },
+    "to-readable-stream": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/to-readable-stream/-/to-readable-stream-1.0.0.tgz",
+      "integrity": "sha512-Iq25XBt6zD5npPhlLVXGFN3/gyR2/qODcKNNyTMd4vbm39HUaOiAM4PMq0eMVC/Tkxz+Zjdsc55g9yyz+Yq00Q=="
+    },
+    "to-regex": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/to-regex/-/to-regex-3.0.2.tgz",
+      "integrity": "sha512-FWtleNAtZ/Ki2qtqej2CXTOayOH9bHDQF+Q48VpWyDXjbYxA4Yz8iDB31zXOBUlOHHKidDbqGVrTUvQMPmBGBw==",
+      "requires": {
+        "define-property": "^2.0.2",
+        "extend-shallow": "^3.0.2",
+        "regex-not": "^1.0.2",
+        "safe-regex": "^1.1.0"
+      }
+    },
+    "to-regex-range": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-2.1.1.tgz",
+      "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=",
+      "requires": {
+        "is-number": "^3.0.0",
+        "repeat-string": "^1.6.1"
+      }
+    },
+    "to-vfile": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/to-vfile/-/to-vfile-6.0.0.tgz",
+      "integrity": "sha512-i9fwXXSsHLu7mzgixc1WjgnqSe6pGpjnzCYoFmrASvEueLfyKf09QAe+XQYu8OAJ62aFqHpe2EKXojeRVvEzqA==",
+      "requires": {
+        "is-buffer": "^2.0.0",
+        "vfile": "^4.0.0"
+      },
+      "dependencies": {
+        "is-buffer": {
+          "version": "2.0.4",
+          "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-2.0.4.tgz",
+          "integrity": "sha512-Kq1rokWXOPXWuaMAqZiJW4XxsmD9zGx9q4aePabbn3qCRGedtH7Cm+zV8WETitMfu1wdh+Rvd6w5egwSngUX2A=="
+        }
+      }
+    },
+    "toidentifier": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz",
+      "integrity": "sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw=="
+    },
+    "traverse": {
+      "version": "0.6.6",
+      "resolved": "https://registry.npmjs.org/traverse/-/traverse-0.6.6.tgz",
+      "integrity": "sha1-y99WD9e5r2MlAv7UD5GMFX6pcTc="
+    },
+    "trim": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/trim/-/trim-0.0.1.tgz",
+      "integrity": "sha1-WFhUf2spB1fulczMZm+1AITEYN0="
+    },
+    "trim-lines": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/trim-lines/-/trim-lines-1.1.2.tgz",
+      "integrity": "sha512-3GOuyNeTqk3FAqc3jOJtw7FTjYl94XBR5aD9QnDbK/T4CA9sW/J0l9RoaRPE9wyPP7NF331qnHnvJFBJ+IDkmQ=="
+    },
+    "trim-newlines": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz",
+      "integrity": "sha1-WIeWa7WCpFA6QetST301ARgVphM="
+    },
+    "trim-repeated": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/trim-repeated/-/trim-repeated-1.0.0.tgz",
+      "integrity": "sha1-42RqLqTokTEr9+rObPsFOAvAHCE=",
+      "requires": {
+        "escape-string-regexp": "^1.0.2"
+      }
+    },
+    "trim-trailing-lines": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/trim-trailing-lines/-/trim-trailing-lines-1.1.2.tgz",
+      "integrity": "sha512-MUjYItdrqqj2zpcHFTkMa9WAv4JHTI6gnRQGPFLrt5L9a6tRMiDnIqYl8JBvu2d2Tc3lWJKQwlGCp0K8AvCM+Q=="
+    },
+    "trough": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/trough/-/trough-1.0.4.tgz",
+      "integrity": "sha512-tdzBRDGWcI1OpPVmChbdSKhvSVurznZ8X36AYURAcl+0o2ldlCY2XPzyXNNxwJwwyIU+rIglTCG4kxtNKBQH7Q=="
+    },
+    "tryer": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/tryer/-/tryer-1.0.1.tgz",
+      "integrity": "sha512-c3zayb8/kWWpycWYg87P71E1S1ZL6b6IJxfb5fvsUgsf0S2MVGaDhDXXjDMpdCpfWXqptc+4mXwmiy1ypXqRAA=="
+    },
+    "ts-invariant": {
+      "version": "0.4.4",
+      "resolved": "https://registry.npmjs.org/ts-invariant/-/ts-invariant-0.4.4.tgz",
+      "integrity": "sha512-uEtWkFM/sdZvRNNDL3Ehu4WVpwaulhwQszV8mrtcdeE8nN00BV9mAmQ88RkrBhFgl9gMgvjJLAQcZbnPXI9mlA==",
+      "requires": {
+        "tslib": "^1.9.3"
+      }
+    },
+    "ts-pnp": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/ts-pnp/-/ts-pnp-1.1.5.tgz",
+      "integrity": "sha512-ti7OGMOUOzo66wLF3liskw6YQIaSsBgc4GOAlWRnIEj8htCxJUxskanMUoJOD6MDCRAXo36goXJZch+nOS0VMA=="
+    },
+    "tslib": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.10.0.tgz",
+      "integrity": "sha512-qOebF53frne81cf0S9B41ByenJ3/IuH8yJKngAX35CmiZySA0khhkovshKK+jGCaMnVomla7gVlIcc3EvKPbTQ=="
+    },
+    "tsutils": {
+      "version": "3.17.1",
+      "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.17.1.tgz",
+      "integrity": "sha512-kzeQ5B8H3w60nFY2g8cJIuH7JDpsALXySGtwGJ0p2LSjLgay3NdIpqq5SoOBe46bKDW2iq25irHCr8wjomUS2g==",
+      "requires": {
+        "tslib": "^1.8.1"
+      }
+    },
+    "tty-browserify": {
+      "version": "0.0.0",
+      "resolved": "https://registry.npmjs.org/tty-browserify/-/tty-browserify-0.0.0.tgz",
+      "integrity": "sha1-oVe6QC2iTpv5V/mqadUk7tQpAaY="
+    },
+    "tunnel-agent": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz",
+      "integrity": "sha1-J6XeoGs2sEoKmWZ3SykIaPD8QP0=",
+      "requires": {
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "type-check": {
+      "version": "0.3.2",
+      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.3.2.tgz",
+      "integrity": "sha1-WITKtRLPHTVeP7eE8wgEsrUg23I=",
+      "requires": {
+        "prelude-ls": "~1.1.2"
+      }
+    },
+    "type-fest": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.8.1.tgz",
+      "integrity": "sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA=="
+    },
+    "type-is": {
+      "version": "1.6.18",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
+      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+      "requires": {
+        "media-typer": "0.3.0",
+        "mime-types": "~2.1.24"
+      }
+    },
+    "typedarray": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz",
+      "integrity": "sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c="
+    },
+    "typedarray-to-buffer": {
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/typedarray-to-buffer/-/typedarray-to-buffer-3.1.5.tgz",
+      "integrity": "sha512-zdu8XMNEDepKKR+XYOXAVPtWui0ly0NtohUscw+UmaHiAWT8hrV1rr//H6V+0DvJ3OQ19S979M0laLfX8rm82Q==",
+      "requires": {
+        "is-typedarray": "^1.0.0"
+      }
+    },
+    "typescript": {
+      "version": "3.7.4",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.7.4.tgz",
+      "integrity": "sha512-A25xv5XCtarLwXpcDNZzCGvW2D1S3/bACratYBx2sax8PefsFhlYmkQicKHvpYflFS8if4zne5zT5kpJ7pzuvw=="
+    },
+    "typewriter": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/typewriter/-/typewriter-7.0.1.tgz",
+      "integrity": "sha512-5HkRuZxvMcbHyS2m6XEJEbLSmo2h27+RLOLb2KEw0CvH8erCOMMVdFdHYe4wEFPhZDNk1QK9qblSnWlrPBEFCQ==",
+      "requires": {
+        "@hapi/joi": "^15.1.1",
+        "analytics-node": "3.4.0-beta.1",
+        "figures": "^3.0.0",
+        "fuse.js": "^3.4.5",
+        "got": "^9.6.0",
+        "handlebars": "4.5.3",
+        "ink": "^2.5.0",
+        "ink-link": "^1.0.0",
+        "ink-select-input": "^3.1.2",
+        "ink-spinner": "^3.0.1",
+        "ink-text-input": "^3.2.1",
+        "js-yaml": "^3.13.1",
+        "json-stable-stringify": "^1.0.1",
+        "latest-version": "^5.1.0",
+        "lodash": "4.17.12",
+        "node-machine-id": "^1.1.12",
+        "prettier": "^1.17.0",
+        "react": "^16.9.0",
+        "semver": "^6.3.0",
+        "sort-keys": "^3.0.0",
+        "typescript": "^3.4.5",
+        "yargs": "^13.2.2"
+      },
+      "dependencies": {
+        "find-up": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-3.0.0.tgz",
+          "integrity": "sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==",
+          "requires": {
+            "locate-path": "^3.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-3.0.0.tgz",
+          "integrity": "sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==",
+          "requires": {
+            "p-locate": "^3.0.0",
+            "path-exists": "^3.0.0"
+          }
+        },
+        "lodash": {
+          "version": "4.17.12",
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.12.tgz",
+          "integrity": "sha512-+CiwtLnsJhX03p20mwXuvhoebatoh5B3tt+VvYlrPgZC1g36y+RRbkufX95Xa+X4I59aWEacDFYwnJZiyBh9gA=="
+        },
+        "p-limit": {
+          "version": "2.2.2",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.2.tgz",
+          "integrity": "sha512-WGR+xHecKTr7EbUEhyLSh5Dube9JtdiG78ufaeLxTgpudf/20KqyMioIUZJAezlTIi6evxuoUs9YXc11cU+yzQ==",
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-3.0.0.tgz",
+          "integrity": "sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==",
+          "requires": {
+            "p-limit": "^2.0.0"
+          }
+        },
+        "p-try": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+          "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+        },
+        "semver": {
+          "version": "6.3.0",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
+          "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
+        },
+        "yargs": {
+          "version": "13.3.0",
+          "resolved": "https://registry.npmjs.org/yargs/-/yargs-13.3.0.tgz",
+          "integrity": "sha512-2eehun/8ALW8TLoIl7MVaRUrg+yCnenu8B4kBlRxj3GJGDKU1Og7sMXPNm1BYyM1DOJmTZ4YeN/Nwxv+8XJsUA==",
+          "requires": {
+            "cliui": "^5.0.0",
+            "find-up": "^3.0.0",
+            "get-caller-file": "^2.0.1",
+            "require-directory": "^2.1.1",
+            "require-main-filename": "^2.0.0",
+            "set-blocking": "^2.0.0",
+            "string-width": "^3.0.0",
+            "which-module": "^2.0.0",
+            "y18n": "^4.0.0",
+            "yargs-parser": "^13.1.1"
+          }
+        },
+        "yargs-parser": {
+          "version": "13.1.1",
+          "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz",
+          "integrity": "sha512-oVAVsHz6uFrg3XQheFII8ESO2ssAf9luWuAd6Wexsu4F3OtIW0o8IribPXYrD4WC24LWtPrJlGy87y5udK+dxQ==",
+          "requires": {
+            "camelcase": "^5.0.0",
+            "decamelize": "^1.2.0"
+          }
+        }
+      }
+    },
+    "ua-parser-js": {
+      "version": "0.7.20",
+      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.20.tgz",
+      "integrity": "sha512-8OaIKfzL5cpx8eCMAhhvTlft8GYF8b2eQr6JkCyVdrgjcytyOmPCXrqXFcUnhonRpLlh5yxEZVohm6mzaowUOw=="
+    },
+    "uglify-js": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.2.tgz",
+      "integrity": "sha512-uhRwZcANNWVLrxLfNFEdltoPNhECUR3lc+UdJoG9CBpMcSnKyWA94tc3eAujB1GcMY5Uwq8ZMp4qWpxWYDQmaA==",
+      "optional": true,
+      "requires": {
+        "commander": "~2.20.3",
+        "source-map": "~0.6.1"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "optional": true
+        }
+      }
+    },
+    "unbzip2-stream": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/unbzip2-stream/-/unbzip2-stream-1.3.3.tgz",
+      "integrity": "sha512-fUlAF7U9Ah1Q6EieQ4x4zLNejrRvDWUYmxXUpN3uziFYCHapjWFaCAnreY9bGgxzaMCFAPPpYNng57CypwJVhg==",
+      "requires": {
+        "buffer": "^5.2.1",
+        "through": "^2.3.8"
+      }
+    },
+    "unfetch": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/unfetch/-/unfetch-4.1.0.tgz",
+      "integrity": "sha512-crP/n3eAPUJxZXM9T80/yv0YhkTEx2K1D3h7D1AJM6fzsWZrxdyRuLN0JH/dkZh1LNH8LxCnBzoPFCPbb2iGpg=="
+    },
+    "unherit": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/unherit/-/unherit-1.1.2.tgz",
+      "integrity": "sha512-W3tMnpaMG7ZY6xe/moK04U9fBhi6wEiCYHUW5Mop/wQHf12+79EQGwxYejNdhEz2mkqkBlGwm7pxmgBKMVUj0w==",
+      "requires": {
+        "inherits": "^2.0.1",
+        "xtend": "^4.0.1"
+      }
+    },
+    "unicode-canonical-property-names-ecmascript": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-1.0.4.tgz",
+      "integrity": "sha512-jDrNnXWHd4oHiTZnx/ZG7gtUTVp+gCcTTKr8L0HjlwphROEW3+Him+IpvC+xcJEFegapiMZyZe02CyuOnRmbnQ=="
+    },
+    "unicode-match-property-ecmascript": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/unicode-match-property-ecmascript/-/unicode-match-property-ecmascript-1.0.4.tgz",
+      "integrity": "sha512-L4Qoh15vTfntsn4P1zqnHulG0LdXgjSO035fEpdtp6YxXhMT51Q6vgM5lYdG/5X3MjS+k/Y9Xw4SFCY9IkR0rg==",
+      "requires": {
+        "unicode-canonical-property-names-ecmascript": "^1.0.4",
+        "unicode-property-aliases-ecmascript": "^1.0.4"
+      }
+    },
+    "unicode-match-property-value-ecmascript": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/unicode-match-property-value-ecmascript/-/unicode-match-property-value-ecmascript-1.1.0.tgz",
+      "integrity": "sha512-hDTHvaBk3RmFzvSl0UVrUmC3PuW9wKVnpoUDYH0JDkSIovzw+J5viQmeYHxVSBptubnr7PbH2e0fnpDRQnQl5g=="
+    },
+    "unicode-property-aliases-ecmascript": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/unicode-property-aliases-ecmascript/-/unicode-property-aliases-ecmascript-1.0.5.tgz",
+      "integrity": "sha512-L5RAqCfXqAwR3RriF8pM0lU0w4Ryf/GgzONwi6KnL1taJQa7x1TCxdJnILX59WIGOwR57IVxn7Nej0fz1Ny6fw=="
+    },
+    "unified": {
+      "version": "8.4.2",
+      "resolved": "https://registry.npmjs.org/unified/-/unified-8.4.2.tgz",
+      "integrity": "sha512-JCrmN13jI4+h9UAyKEoGcDZV+i1E7BLFuG7OsaDvTXI5P0qhHX+vZO/kOhz9jn8HGENDKbwSeB0nVOg4gVStGA==",
+      "requires": {
+        "bail": "^1.0.0",
+        "extend": "^3.0.0",
+        "is-plain-obj": "^2.0.0",
+        "trough": "^1.0.0",
+        "vfile": "^4.0.0"
+      }
+    },
+    "union-value": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/union-value/-/union-value-1.0.1.tgz",
+      "integrity": "sha512-tJfXmxMeWYnczCVs7XAEvIV7ieppALdyepWMkHkwciRpZraG/xwT+s2JN8+pr1+8jCRf80FFzvr+MpQeeoF4Xg==",
+      "requires": {
+        "arr-union": "^3.1.0",
+        "get-value": "^2.0.6",
+        "is-extendable": "^0.1.1",
+        "set-value": "^2.0.1"
+      }
+    },
+    "uniq": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/uniq/-/uniq-1.0.1.tgz",
+      "integrity": "sha1-sxxa6CVIRKOoKBVBzisEuGWnNP8="
+    },
+    "unique-filename": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/unique-filename/-/unique-filename-1.1.1.tgz",
+      "integrity": "sha512-Vmp0jIp2ln35UTXuryvjzkjGdRyf9b2lTXuSYUiPmzRcl3FDtYqAwOnTJkAngD9SWhnoJzDbTKwaOrZ+STtxNQ==",
+      "requires": {
+        "unique-slug": "^2.0.0"
+      }
+    },
+    "unique-slug": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/unique-slug/-/unique-slug-2.0.2.tgz",
+      "integrity": "sha512-zoWr9ObaxALD3DOPfjPSqxt4fnZiWblxHIgeWqW8x7UqDzEtHEQLzji2cuJYQFCU6KmoJikOYAZlrTHHebjx2w==",
+      "requires": {
+        "imurmurhash": "^0.1.4"
+      }
+    },
+    "unist-builder": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/unist-builder/-/unist-builder-1.0.4.tgz",
+      "integrity": "sha512-v6xbUPP7ILrT15fHGrNyHc1Xda8H3xVhP7/HAIotHOhVPjH5dCXA097C3Rry1Q2O+HbOLCao4hfPB+EYEjHgVg==",
+      "requires": {
+        "object-assign": "^4.1.0"
+      }
+    },
+    "unist-util-find-after": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/unist-util-find-after/-/unist-util-find-after-2.0.4.tgz",
+      "integrity": "sha512-zo0ShIr+E/aU9xSK7JC9Kb+WP9seTFCuqVYdo5+HJSjN009XMfhiA1FIExEKzdDP1UsgvKGleGlB/pSdTSqZww==",
+      "requires": {
+        "unist-util-is": "^3.0.0"
+      },
+      "dependencies": {
+        "unist-util-is": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-3.0.0.tgz",
+          "integrity": "sha512-sVZZX3+kspVNmLWBPAB6r+7D9ZgAFPNWm66f7YNb420RlQSbn+n8rG8dGZSkrER7ZIXGQYNm5pqC3v3HopH24A=="
+        }
+      }
+    },
+    "unist-util-flatmap": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unist-util-flatmap/-/unist-util-flatmap-1.0.0.tgz",
+      "integrity": "sha512-IG32jcKJlhARCYT2LsYPJWdoXYkzz3ESAdl1aa2hn9Auh+cgUmU6wgkII4yCc/1GgeWibRdELdCZh/p3QKQ1dQ=="
+    },
+    "unist-util-generated": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/unist-util-generated/-/unist-util-generated-1.1.5.tgz",
+      "integrity": "sha512-1TC+NxQa4N9pNdayCYA1EGUOCAO0Le3fVp7Jzns6lnua/mYgwHo0tz5WUAfrdpNch1RZLHc61VZ1SDgrtNXLSw=="
+    },
+    "unist-util-is": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-4.0.1.tgz",
+      "integrity": "sha512-7NYjErP4LJtkEptPR22wO5RsCPnHZZrop7t2SoQzjvpFedCFer4WW8ujj9GI5DkUX7yVcffXLjoURf6h2QUv6Q=="
+    },
+    "unist-util-position": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/unist-util-position/-/unist-util-position-3.0.4.tgz",
+      "integrity": "sha512-tWvIbV8goayTjobxDIr4zVTyG+Q7ragMSMeKC3xnPl9xzIc0+she8mxXLM3JVNDDsfARPbCd3XdzkyLdo7fF3g=="
+    },
+    "unist-util-remove": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/unist-util-remove/-/unist-util-remove-1.0.3.tgz",
+      "integrity": "sha512-mB6nCHCQK0pQffUAcCVmKgIWzG/AXs/V8qpS8K72tMPtOSCMSjDeMc5yN+Ye8rB0FhcE+JvW++o1xRNc0R+++g==",
+      "requires": {
+        "unist-util-is": "^3.0.0"
+      },
+      "dependencies": {
+        "unist-util-is": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-3.0.0.tgz",
+          "integrity": "sha512-sVZZX3+kspVNmLWBPAB6r+7D9ZgAFPNWm66f7YNb420RlQSbn+n8rG8dGZSkrER7ZIXGQYNm5pqC3v3HopH24A=="
+        }
+      }
+    },
+    "unist-util-remove-position": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/unist-util-remove-position/-/unist-util-remove-position-1.1.4.tgz",
+      "integrity": "sha512-tLqd653ArxJIPnKII6LMZwH+mb5q+n/GtXQZo6S6csPRs5zB0u79Yw8ouR3wTw8wxvdJFhpP6Y7jorWdCgLO0A==",
+      "requires": {
+        "unist-util-visit": "^1.1.0"
+      },
+      "dependencies": {
+        "unist-util-visit": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-1.4.1.tgz",
+          "integrity": "sha512-AvGNk7Bb//EmJZyhtRUnNMEpId/AZ5Ph/KUpTI09WHQuDZHKovQ1oEv3mfmKpWKtoMzyMC4GLBm1Zy5k12fjIw==",
+          "requires": {
+            "unist-util-visit-parents": "^2.0.0"
+          }
+        }
+      }
+    },
+    "unist-util-stringify-position": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/unist-util-stringify-position/-/unist-util-stringify-position-2.0.2.tgz",
+      "integrity": "sha512-nK5n8OGhZ7ZgUwoUbL8uiVRwAbZyzBsB/Ddrlbu6jwwubFza4oe15KlyEaLNMXQW1svOQq4xesUeqA85YrIUQA==",
+      "requires": {
+        "@types/unist": "^2.0.2"
+      }
+    },
+    "unist-util-visit": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/unist-util-visit/-/unist-util-visit-2.0.1.tgz",
+      "integrity": "sha512-bEDa5S/O8WRDeI1mLaMoKuFFi89AjF+UAoMNxO+bbVdo06q+53Vhq4iiv1PenL6Rx1ZxIpXIzqZoc5HD2I1oMA==",
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "unist-util-is": "^4.0.0",
+        "unist-util-visit-parents": "^3.0.0"
+      },
+      "dependencies": {
+        "unist-util-visit-parents": {
+          "version": "3.0.1",
+          "resolved": "https://registry.npmjs.org/unist-util-visit-parents/-/unist-util-visit-parents-3.0.1.tgz",
+          "integrity": "sha512-umEOTkm6/y1gIqPrqet55mYqlvGXCia/v1FSc5AveLAI7jFmOAIbqiwcHcviLcusAkEQt1bq2hixCKO9ltMb2Q==",
+          "requires": {
+            "@types/unist": "^2.0.0",
+            "unist-util-is": "^4.0.0"
+          }
+        }
+      }
+    },
+    "unist-util-visit-parents": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/unist-util-visit-parents/-/unist-util-visit-parents-2.1.2.tgz",
+      "integrity": "sha512-DyN5vD4NE3aSeB+PXYNKxzGsfocxp6asDc2XXE3b0ekO2BaRUpBicbbUygfSvYfUz1IkmjFR1YF7dPklraMZ2g==",
+      "requires": {
+        "unist-util-is": "^3.0.0"
+      },
+      "dependencies": {
+        "unist-util-is": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/unist-util-is/-/unist-util-is-3.0.0.tgz",
+          "integrity": "sha512-sVZZX3+kspVNmLWBPAB6r+7D9ZgAFPNWm66f7YNb420RlQSbn+n8rG8dGZSkrER7ZIXGQYNm5pqC3v3HopH24A=="
+        }
+      }
+    },
+    "universalify": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz",
+      "integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg=="
+    },
+    "unpipe": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
+      "integrity": "sha1-sr9O6FFKrmFltIF4KdIbLvSZBOw="
+    },
+    "unquote": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/unquote/-/unquote-1.1.1.tgz",
+      "integrity": "sha1-j97XMk7G6IoP+LkF58CYzcCG1UQ="
+    },
+    "unset-value": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unset-value/-/unset-value-1.0.0.tgz",
+      "integrity": "sha1-g3aHP30jNRef+x5vw6jtDfyKtVk=",
+      "requires": {
+        "has-value": "^0.3.1",
+        "isobject": "^3.0.0"
+      },
+      "dependencies": {
+        "has-value": {
+          "version": "0.3.1",
+          "resolved": "https://registry.npmjs.org/has-value/-/has-value-0.3.1.tgz",
+          "integrity": "sha1-ex9YutpiyoJ+wKIHgCVlSEWZXh8=",
+          "requires": {
+            "get-value": "^2.0.3",
+            "has-values": "^0.1.4",
+            "isobject": "^2.0.0"
+          },
+          "dependencies": {
+            "isobject": {
+              "version": "2.1.0",
+              "resolved": "https://registry.npmjs.org/isobject/-/isobject-2.1.0.tgz",
+              "integrity": "sha1-8GVWEJaj8dou9GJy+BXIQNh+DIk=",
+              "requires": {
+                "isarray": "1.0.0"
+              }
+            }
+          }
+        },
+        "has-values": {
+          "version": "0.1.4",
+          "resolved": "https://registry.npmjs.org/has-values/-/has-values-0.1.4.tgz",
+          "integrity": "sha1-bWHeldkd/Km5oCCJrThL/49it3E="
+        }
+      }
+    },
+    "upath": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/upath/-/upath-1.2.0.tgz",
+      "integrity": "sha512-aZwGpamFO61g3OlfT7OQCHqhGnW43ieH9WZeP7QxN/G/jS4jfqUkZxoryvJgVPEcrl5NL/ggHsSmLMHuH64Lhg=="
+    },
+    "upper-case": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/upper-case/-/upper-case-2.0.1.tgz",
+      "integrity": "sha512-laAsbea9SY5osxrv7S99vH9xAaJKrw5Qpdh4ENRLcaxipjKsiaBwiAsxfa8X5mObKNTQPsupSq0J/VIxsSJe3A==",
+      "requires": {
+        "tslib": "^1.10.0"
+      }
+    },
+    "uri-js": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.2.2.tgz",
+      "integrity": "sha512-KY9Frmirql91X2Qgjry0Wd4Y+YTdrdZheS8TFwvkbLWf/G5KNJDCh6pKL5OZctEW4+0Baa5idK2ZQuELRwPznQ==",
+      "requires": {
+        "punycode": "^2.1.0"
+      }
+    },
+    "urix": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/urix/-/urix-0.1.0.tgz",
+      "integrity": "sha1-2pN/emLiH+wf0Y1Js1wpNQZ6bHI="
+    },
+    "url": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmjs.org/url/-/url-0.11.0.tgz",
+      "integrity": "sha1-ODjpfPxgUh63PFJajlW/3Z4uKPE=",
+      "requires": {
+        "punycode": "1.3.2",
+        "querystring": "0.2.0"
+      },
+      "dependencies": {
+        "punycode": {
+          "version": "1.3.2",
+          "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.3.2.tgz",
+          "integrity": "sha1-llOgNvt8HuQjQvIyXM7v6jkmxI0="
+        }
+      }
+    },
+    "url-loader": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/url-loader/-/url-loader-1.1.2.tgz",
+      "integrity": "sha512-dXHkKmw8FhPqu8asTc1puBfe3TehOCo2+RmOOev5suNCIYBcT626kxiWg1NBVkwc4rO8BGa7gP70W7VXuqHrjg==",
+      "requires": {
+        "loader-utils": "^1.1.0",
+        "mime": "^2.0.3",
+        "schema-utils": "^1.0.0"
+      },
+      "dependencies": {
+        "mime": {
+          "version": "2.4.4",
+          "resolved": "https://registry.npmjs.org/mime/-/mime-2.4.4.tgz",
+          "integrity": "sha512-LRxmNwziLPT828z+4YkNzloCFC2YM4wrB99k+AV5ZbEyfGNWfG8SO1FUXLmLDBSo89NrJZ4DIWeLjy1CHGhMGA=="
+        }
+      }
+    },
+    "url-parse-lax": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/url-parse-lax/-/url-parse-lax-3.0.0.tgz",
+      "integrity": "sha1-FrXK/Afb42dsGxmZF3gj1lA6yww=",
+      "requires": {
+        "prepend-http": "^2.0.0"
+      }
+    },
+    "url-polyfill": {
+      "version": "1.1.7",
+      "resolved": "https://registry.npmjs.org/url-polyfill/-/url-polyfill-1.1.7.tgz",
+      "integrity": "sha512-ZrAxYWCREjmMtL8gSbSiKKLZZticgihCvVBtrFbUVpyoETt8GQJeG2okMWA8XryDAaHMjJfhnc+rnhXRbI4DXA=="
+    },
+    "url-to-options": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/url-to-options/-/url-to-options-1.0.1.tgz",
+      "integrity": "sha1-FQWgOiiaSMvXpDTvuu7FBV9WM6k="
+    },
+    "use": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/use/-/use-3.1.1.tgz",
+      "integrity": "sha512-cwESVXlO3url9YWlFW/TA9cshCEhtu7IKJ/p5soJ/gGpj7vbvFrAY/eIioQ6Dw23KjZhYgiIo8HOs1nQ2vr/oQ=="
+    },
+    "use-subscription": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/use-subscription/-/use-subscription-1.1.1.tgz",
+      "integrity": "sha512-gk4fPTYvNhs6Ia7u8/+K7bM7sZ7O7AMfWtS+zPO8luH+zWuiGgGcrW0hL4MRWZSzXo+4ofNorf87wZwBKz2YdQ=="
+    },
+    "util": {
+      "version": "0.11.1",
+      "resolved": "https://registry.npmjs.org/util/-/util-0.11.1.tgz",
+      "integrity": "sha512-HShAsny+zS2TZfaXxD9tYj4HQGlBezXZMZuM/S5PKLLoZkShZiGk9o5CzukI1LVHZvjdvZ2Sj1aW/Ndn2NB/HQ==",
+      "requires": {
+        "inherits": "2.0.3"
+      },
+      "dependencies": {
+        "inherits": {
+          "version": "2.0.3",
+          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
+          "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4="
+        }
+      }
+    },
+    "util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8="
+    },
+    "util.promisify": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/util.promisify/-/util.promisify-1.0.0.tgz",
+      "integrity": "sha512-i+6qA2MPhvoKLuxnJNpXAGhg7HphQOSUq2LKMZD0m15EiskXUkMvKdF4Uui0WYeCUGea+o2cw/ZuwehtfsrNkA==",
+      "requires": {
+        "define-properties": "^1.1.2",
+        "object.getownpropertydescriptors": "^2.0.3"
+      }
+    },
+    "utils-merge": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
+      "integrity": "sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM="
+    },
+    "uuid": {
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.3.3.tgz",
+      "integrity": "sha512-pW0No1RGHgzlpHJO1nsVrHKpOEIxkGg1xB+v0ZmdNH5OAeAwzAVrCnI2/6Mtx+Uys6iaylxa+D3g4j63IKKjSQ=="
+    },
+    "v8-compile-cache": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.1.0.tgz",
+      "integrity": "sha512-usZBT3PW+LOjM25wbqIlZwPeJV+3OSz3M1k1Ws8snlW39dZyYL9lOGC5FgPVHfk0jKmjiDV8Z0mIbVQPiwFs7g=="
+    },
+    "valid-url": {
+      "version": "1.0.9",
+      "resolved": "https://registry.npmjs.org/valid-url/-/valid-url-1.0.9.tgz",
+      "integrity": "sha1-HBRHm0DxOXp1eC8RXkCGRHQzogA="
+    },
+    "validate-npm-package-license": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz",
+      "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==",
+      "requires": {
+        "spdx-correct": "^3.0.0",
+        "spdx-expression-parse": "^3.0.0"
+      }
+    },
+    "vary": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
+      "integrity": "sha1-IpnwLG3tMNSllhsLn3RSShj2NPw="
+    },
+    "vfile": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/vfile/-/vfile-4.0.2.tgz",
+      "integrity": "sha512-yhoTU5cDMSsaeaMfJ5g0bUKYkYmZhAh9fn9TZicxqn+Cw4Z439il2v3oT9S0yjlpqlI74aFOQCt3nOV+pxzlkw==",
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "is-buffer": "^2.0.0",
+        "replace-ext": "1.0.0",
+        "unist-util-stringify-position": "^2.0.0",
+        "vfile-message": "^2.0.0"
+      },
+      "dependencies": {
+        "is-buffer": {
+          "version": "2.0.4",
+          "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-2.0.4.tgz",
+          "integrity": "sha512-Kq1rokWXOPXWuaMAqZiJW4XxsmD9zGx9q4aePabbn3qCRGedtH7Cm+zV8WETitMfu1wdh+Rvd6w5egwSngUX2A=="
+        }
+      }
+    },
+    "vfile-location": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/vfile-location/-/vfile-location-2.0.6.tgz",
+      "integrity": "sha512-sSFdyCP3G6Ka0CEmN83A2YCMKIieHx0EDaj5IDP4g1pa5ZJ4FJDvpO0WODLxo4LUX4oe52gmSCK7Jw4SBghqxA=="
+    },
+    "vfile-message": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/vfile-message/-/vfile-message-2.0.2.tgz",
+      "integrity": "sha512-gNV2Y2fDvDOOqq8bEe7cF3DXU6QgV4uA9zMR2P8tix11l1r7zju3zry3wZ8sx+BEfuO6WQ7z2QzfWTvqHQiwsA==",
+      "requires": {
+        "@types/unist": "^2.0.0",
+        "unist-util-stringify-position": "^2.0.0"
+      }
+    },
+    "vm-browserify": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vm-browserify/-/vm-browserify-1.1.2.tgz",
+      "integrity": "sha512-2ham8XPWTONajOR0ohOKOHXkm3+gaBmGut3SRuu75xLd/RRaY6vqgh8NBYYk7+RW3u5AtzPQZG8F10LHkl0lAQ=="
+    },
+    "vue-template-compiler": {
+      "version": "2.6.11",
+      "resolved": "https://registry.npmjs.org/vue-template-compiler/-/vue-template-compiler-2.6.11.tgz",
+      "integrity": "sha512-KIq15bvQDrcCjpGjrAhx4mUlyyHfdmTaoNfeoATHLAiWB+MU3cx4lOzMwrnUh9cCxy0Lt1T11hAFY6TQgroUAA==",
+      "optional": true,
+      "requires": {
+        "de-indent": "^1.0.2",
+        "he": "^1.1.0"
+      }
+    },
+    "watchpack": {
+      "version": "2.0.0-beta.5",
+      "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-2.0.0-beta.5.tgz",
+      "integrity": "sha512-HGqh9e9QZFhow8JYX+1+E+kIYK0uTTsk6rCOkI0ff0f9kMO0wX783yW8saQC9WDx7qHpVGPXsRnld9nY7iwzQA==",
+      "requires": {
+        "glob-to-regexp": "^0.4.1",
+        "graceful-fs": "^4.1.2",
+        "neo-async": "^2.5.0"
+      },
+      "dependencies": {
+        "glob-to-regexp": {
+          "version": "0.4.1",
+          "resolved": "https://registry.npmjs.org/glob-to-regexp/-/glob-to-regexp-0.4.1.tgz",
+          "integrity": "sha512-lkX1HJXwyMcprw/5YUZc2s7DrpAiHB21/V+E1rHUrVNokkvB6bqMzT0VfV6/86ZNabt1k14YOIaT7nDvOX3Iiw=="
+        }
+      }
+    },
+    "wcwidth": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/wcwidth/-/wcwidth-1.0.1.tgz",
+      "integrity": "sha1-8LDc+RW8X/FSivrbLA4XtTLaL+g=",
+      "requires": {
+        "defaults": "^1.0.3"
+      }
+    },
+    "web-namespaces": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/web-namespaces/-/web-namespaces-1.1.3.tgz",
+      "integrity": "sha512-r8sAtNmgR0WKOKOxzuSgk09JsHlpKlB+uHi937qypOu3PZ17UxPrierFKDye/uNHjNTTEshu5PId8rojIPj/tA=="
+    },
+    "webpack": {
+      "version": "4.41.2",
+      "resolved": "https://registry.npmjs.org/webpack/-/webpack-4.41.2.tgz",
+      "integrity": "sha512-Zhw69edTGfbz9/8JJoyRQ/pq8FYUoY0diOXqW0T6yhgdhCv6wr0hra5DwwWexNRns2Z2+gsnrNcbe9hbGBgk/A==",
+      "requires": {
+        "@webassemblyjs/ast": "1.8.5",
+        "@webassemblyjs/helper-module-context": "1.8.5",
+        "@webassemblyjs/wasm-edit": "1.8.5",
+        "@webassemblyjs/wasm-parser": "1.8.5",
+        "acorn": "^6.2.1",
+        "ajv": "^6.10.2",
+        "ajv-keywords": "^3.4.1",
+        "chrome-trace-event": "^1.0.2",
+        "enhanced-resolve": "^4.1.0",
+        "eslint-scope": "^4.0.3",
+        "json-parse-better-errors": "^1.0.2",
+        "loader-runner": "^2.4.0",
+        "loader-utils": "^1.2.3",
+        "memory-fs": "^0.4.1",
+        "micromatch": "^3.1.10",
+        "mkdirp": "^0.5.1",
+        "neo-async": "^2.6.1",
+        "node-libs-browser": "^2.2.1",
+        "schema-utils": "^1.0.0",
+        "tapable": "^1.1.3",
+        "terser-webpack-plugin": "^1.4.1",
+        "watchpack": "^1.6.0",
+        "webpack-sources": "^1.4.1"
+      },
+      "dependencies": {
+        "anymatch": {
+          "version": "2.0.0",
+          "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-2.0.0.tgz",
+          "integrity": "sha512-5teOsQWABXHHBFP9y3skS5P3d/WfWXpv3FUpy+LorMrNYaT9pI4oLMQX7jzQ2KklNpGpWHzdCXTDT2Y3XGlZBw==",
+          "requires": {
+            "micromatch": "^3.1.4",
+            "normalize-path": "^2.1.1"
+          },
+          "dependencies": {
+            "normalize-path": {
+              "version": "2.1.1",
+              "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-2.1.1.tgz",
+              "integrity": "sha1-GrKLVW4Zg2Oowab35vogE3/mrtk=",
+              "requires": {
+                "remove-trailing-separator": "^1.0.1"
+              }
+            }
+          }
+        },
+        "binary-extensions": {
+          "version": "1.13.1",
+          "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-1.13.1.tgz",
+          "integrity": "sha512-Un7MIEDdUC5gNpcGDV97op1Ywk748MpHcFTHoYs6qnj1Z3j7I53VG3nwZhKzoBZmbdRNnb6WRdFlwl7tSDuZGw=="
+        },
+        "chokidar": {
+          "version": "2.1.8",
+          "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-2.1.8.tgz",
+          "integrity": "sha512-ZmZUazfOzf0Nve7duiCKD23PFSCs4JPoYyccjUFF3aQkQadqBhfzhjkwBH2mNOG9cTBwhamM37EIsIkZw3nRgg==",
+          "requires": {
+            "anymatch": "^2.0.0",
+            "async-each": "^1.0.1",
+            "braces": "^2.3.2",
+            "fsevents": "^1.2.7",
+            "glob-parent": "^3.1.0",
+            "inherits": "^2.0.3",
+            "is-binary-path": "^1.0.0",
+            "is-glob": "^4.0.0",
+            "normalize-path": "^3.0.0",
+            "path-is-absolute": "^1.0.0",
+            "readdirp": "^2.2.1",
+            "upath": "^1.1.1"
+          }
+        },
+        "eslint-scope": {
+          "version": "4.0.3",
+          "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-4.0.3.tgz",
+          "integrity": "sha512-p7VutNr1O/QrxysMo3E45FjYDTeXBy0iTltPFNSqKAIfjDSXC+4dj+qfyuD8bfAXrW/y6lW3O76VaYNPKfpKrg==",
+          "requires": {
+            "esrecurse": "^4.1.0",
+            "estraverse": "^4.1.1"
+          }
+        },
+        "fsevents": {
+          "version": "1.2.11",
+          "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-1.2.11.tgz",
+          "integrity": "sha512-+ux3lx6peh0BpvY0JebGyZoiR4D+oYzdPZMKJwkZ+sFkNJzpL7tXc/wehS49gUAxg3tmMHPHZkA8JU2rhhgDHw==",
+          "optional": true,
+          "requires": {
+            "bindings": "^1.5.0",
+            "nan": "^2.12.1",
+            "node-pre-gyp": "*"
+          },
+          "dependencies": {
+            "abbrev": {
+              "version": "1.1.1",
+              "bundled": true,
+              "optional": true
+            },
+            "ansi-regex": {
+              "version": "2.1.1",
+              "bundled": true,
+              "optional": true
+            },
+            "aproba": {
+              "version": "1.2.0",
+              "bundled": true,
+              "optional": true
+            },
+            "are-we-there-yet": {
+              "version": "1.1.5",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "delegates": "^1.0.0",
+                "readable-stream": "^2.0.6"
+              }
+            },
+            "balanced-match": {
+              "version": "1.0.0",
+              "bundled": true,
+              "optional": true
+            },
+            "brace-expansion": {
+              "version": "1.1.11",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "balanced-match": "^1.0.0",
+                "concat-map": "0.0.1"
+              }
+            },
+            "chownr": {
+              "version": "1.1.3",
+              "bundled": true,
+              "optional": true
+            },
+            "code-point-at": {
+              "version": "1.1.0",
+              "bundled": true,
+              "optional": true
+            },
+            "concat-map": {
+              "version": "0.0.1",
+              "bundled": true,
+              "optional": true
+            },
+            "console-control-strings": {
+              "version": "1.1.0",
+              "bundled": true,
+              "optional": true
+            },
+            "core-util-is": {
+              "version": "1.0.2",
+              "bundled": true,
+              "optional": true
+            },
+            "debug": {
+              "version": "3.2.6",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "ms": "^2.1.1"
+              }
+            },
+            "deep-extend": {
+              "version": "0.6.0",
+              "bundled": true,
+              "optional": true
+            },
+            "delegates": {
+              "version": "1.0.0",
+              "bundled": true,
+              "optional": true
+            },
+            "detect-libc": {
+              "version": "1.0.3",
+              "bundled": true,
+              "optional": true
+            },
+            "fs-minipass": {
+              "version": "1.2.7",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "minipass": "^2.6.0"
+              }
+            },
+            "fs.realpath": {
+              "version": "1.0.0",
+              "bundled": true,
+              "optional": true
+            },
+            "gauge": {
+              "version": "2.7.4",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "aproba": "^1.0.3",
+                "console-control-strings": "^1.0.0",
+                "has-unicode": "^2.0.0",
+                "object-assign": "^4.1.0",
+                "signal-exit": "^3.0.0",
+                "string-width": "^1.0.1",
+                "strip-ansi": "^3.0.1",
+                "wide-align": "^1.1.0"
+              }
+            },
+            "glob": {
+              "version": "7.1.6",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "fs.realpath": "^1.0.0",
+                "inflight": "^1.0.4",
+                "inherits": "2",
+                "minimatch": "^3.0.4",
+                "once": "^1.3.0",
+                "path-is-absolute": "^1.0.0"
+              }
+            },
+            "has-unicode": {
+              "version": "2.0.1",
+              "bundled": true,
+              "optional": true
+            },
+            "iconv-lite": {
+              "version": "0.4.24",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "safer-buffer": ">= 2.1.2 < 3"
+              }
+            },
+            "ignore-walk": {
+              "version": "3.0.3",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "minimatch": "^3.0.4"
+              }
+            },
+            "inflight": {
+              "version": "1.0.6",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "once": "^1.3.0",
+                "wrappy": "1"
+              }
+            },
+            "inherits": {
+              "version": "2.0.4",
+              "bundled": true,
+              "optional": true
+            },
+            "ini": {
+              "version": "1.3.5",
+              "bundled": true,
+              "optional": true
+            },
+            "is-fullwidth-code-point": {
+              "version": "1.0.0",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "number-is-nan": "^1.0.0"
+              }
+            },
+            "isarray": {
+              "version": "1.0.0",
+              "bundled": true,
+              "optional": true
+            },
+            "minimatch": {
+              "version": "3.0.4",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "brace-expansion": "^1.1.7"
+              }
+            },
+            "minimist": {
+              "version": "0.0.8",
+              "bundled": true,
+              "optional": true
+            },
+            "minipass": {
+              "version": "2.9.0",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "safe-buffer": "^5.1.2",
+                "yallist": "^3.0.0"
+              }
+            },
+            "minizlib": {
+              "version": "1.3.3",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "minipass": "^2.9.0"
+              }
+            },
+            "mkdirp": {
+              "version": "0.5.1",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "minimist": "0.0.8"
+              }
+            },
+            "ms": {
+              "version": "2.1.2",
+              "bundled": true,
+              "optional": true
+            },
+            "needle": {
+              "version": "2.4.0",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "debug": "^3.2.6",
+                "iconv-lite": "^0.4.4",
+                "sax": "^1.2.4"
+              }
+            },
+            "node-pre-gyp": {
+              "version": "0.14.0",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "detect-libc": "^1.0.2",
+                "mkdirp": "^0.5.1",
+                "needle": "^2.2.1",
+                "nopt": "^4.0.1",
+                "npm-packlist": "^1.1.6",
+                "npmlog": "^4.0.2",
+                "rc": "^1.2.7",
+                "rimraf": "^2.6.1",
+                "semver": "^5.3.0",
+                "tar": "^4.4.2"
+              }
+            },
+            "nopt": {
+              "version": "4.0.1",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "abbrev": "1",
+                "osenv": "^0.1.4"
+              }
+            },
+            "npm-bundled": {
+              "version": "1.1.1",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "npm-normalize-package-bin": "^1.0.1"
+              }
+            },
+            "npm-normalize-package-bin": {
+              "version": "1.0.1",
+              "bundled": true,
+              "optional": true
+            },
+            "npm-packlist": {
+              "version": "1.4.7",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "ignore-walk": "^3.0.1",
+                "npm-bundled": "^1.0.1"
+              }
+            },
+            "npmlog": {
+              "version": "4.1.2",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "are-we-there-yet": "~1.1.2",
+                "console-control-strings": "~1.1.0",
+                "gauge": "~2.7.3",
+                "set-blocking": "~2.0.0"
+              }
+            },
+            "number-is-nan": {
+              "version": "1.0.1",
+              "bundled": true,
+              "optional": true
+            },
+            "object-assign": {
+              "version": "4.1.1",
+              "bundled": true,
+              "optional": true
+            },
+            "once": {
+              "version": "1.4.0",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "wrappy": "1"
+              }
+            },
+            "os-homedir": {
+              "version": "1.0.2",
+              "bundled": true,
+              "optional": true
+            },
+            "os-tmpdir": {
+              "version": "1.0.2",
+              "bundled": true,
+              "optional": true
+            },
+            "osenv": {
+              "version": "0.1.5",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "os-homedir": "^1.0.0",
+                "os-tmpdir": "^1.0.0"
+              }
+            },
+            "path-is-absolute": {
+              "version": "1.0.1",
+              "bundled": true,
+              "optional": true
+            },
+            "process-nextick-args": {
+              "version": "2.0.1",
+              "bundled": true,
+              "optional": true
+            },
+            "rc": {
+              "version": "1.2.8",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "deep-extend": "^0.6.0",
+                "ini": "~1.3.0",
+                "minimist": "^1.2.0",
+                "strip-json-comments": "~2.0.1"
+              },
+              "dependencies": {
+                "minimist": {
+                  "version": "1.2.0",
+                  "bundled": true,
+                  "optional": true
+                }
+              }
+            },
+            "readable-stream": {
+              "version": "2.3.6",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "core-util-is": "~1.0.0",
+                "inherits": "~2.0.3",
+                "isarray": "~1.0.0",
+                "process-nextick-args": "~2.0.0",
+                "safe-buffer": "~5.1.1",
+                "string_decoder": "~1.1.1",
+                "util-deprecate": "~1.0.1"
+              }
+            },
+            "rimraf": {
+              "version": "2.7.1",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "glob": "^7.1.3"
+              }
+            },
+            "safe-buffer": {
+              "version": "5.1.2",
+              "bundled": true,
+              "optional": true
+            },
+            "safer-buffer": {
+              "version": "2.1.2",
+              "bundled": true,
+              "optional": true
+            },
+            "sax": {
+              "version": "1.2.4",
+              "bundled": true,
+              "optional": true
+            },
+            "semver": {
+              "version": "5.7.1",
+              "bundled": true,
+              "optional": true
+            },
+            "set-blocking": {
+              "version": "2.0.0",
+              "bundled": true,
+              "optional": true
+            },
+            "signal-exit": {
+              "version": "3.0.2",
+              "bundled": true,
+              "optional": true
+            },
+            "string-width": {
+              "version": "1.0.2",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "code-point-at": "^1.0.0",
+                "is-fullwidth-code-point": "^1.0.0",
+                "strip-ansi": "^3.0.0"
+              }
+            },
+            "string_decoder": {
+              "version": "1.1.1",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "safe-buffer": "~5.1.0"
+              }
+            },
+            "strip-ansi": {
+              "version": "3.0.1",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "ansi-regex": "^2.0.0"
+              }
+            },
+            "strip-json-comments": {
+              "version": "2.0.1",
+              "bundled": true,
+              "optional": true
+            },
+            "tar": {
+              "version": "4.4.13",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "chownr": "^1.1.1",
+                "fs-minipass": "^1.2.5",
+                "minipass": "^2.8.6",
+                "minizlib": "^1.2.1",
+                "mkdirp": "^0.5.0",
+                "safe-buffer": "^5.1.2",
+                "yallist": "^3.0.3"
+              }
+            },
+            "util-deprecate": {
+              "version": "1.0.2",
+              "bundled": true,
+              "optional": true
+            },
+            "wide-align": {
+              "version": "1.1.3",
+              "bundled": true,
+              "optional": true,
+              "requires": {
+                "string-width": "^1.0.2 || 2"
+              }
+            },
+            "wrappy": {
+              "version": "1.0.2",
+              "bundled": true,
+              "optional": true
+            },
+            "yallist": {
+              "version": "3.1.1",
+              "bundled": true,
+              "optional": true
+            }
+          }
+        },
+        "is-binary-path": {
+          "version": "1.0.1",
+          "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-1.0.1.tgz",
+          "integrity": "sha1-dfFmQrSA8YenEcgUFh/TpKdlWJg=",
+          "requires": {
+            "binary-extensions": "^1.0.0"
+          }
+        },
+        "readdirp": {
+          "version": "2.2.1",
+          "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-2.2.1.tgz",
+          "integrity": "sha512-1JU/8q+VgFZyxwrJ+SVIOsh+KywWGpds3NTqikiKpDMZWScmAYyKIgqkO+ARvNWJfXeXR1zxz7aHF4u4CyH6vQ==",
+          "requires": {
+            "graceful-fs": "^4.1.11",
+            "micromatch": "^3.1.10",
+            "readable-stream": "^2.0.2"
+          }
+        },
+        "watchpack": {
+          "version": "1.6.0",
+          "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-1.6.0.tgz",
+          "integrity": "sha512-i6dHe3EyLjMmDlU1/bGQpEw25XSjkJULPuAVKCbNRefQVq48yXKUpwg538F7AZTf9kyr57zj++pQFltUa5H7yA==",
+          "requires": {
+            "chokidar": "^2.0.2",
+            "graceful-fs": "^4.1.2",
+            "neo-async": "^2.5.0"
+          }
+        }
+      }
+    },
+    "webpack-bundle-analyzer": {
+      "version": "3.3.2",
+      "resolved": "https://registry.npmjs.org/webpack-bundle-analyzer/-/webpack-bundle-analyzer-3.3.2.tgz",
+      "integrity": "sha512-7qvJLPKB4rRWZGjVp5U1KEjwutbDHSKboAl0IfafnrdXMrgC0tOtZbQD6Rw0u4cmpgRN4O02Fc0t8eAT+FgGzA==",
+      "requires": {
+        "acorn": "^6.0.7",
+        "acorn-walk": "^6.1.1",
+        "bfj": "^6.1.1",
+        "chalk": "^2.4.1",
+        "commander": "^2.18.0",
+        "ejs": "^2.6.1",
+        "express": "^4.16.3",
+        "filesize": "^3.6.1",
+        "gzip-size": "^5.0.0",
+        "lodash": "^4.17.10",
+        "mkdirp": "^0.5.1",
+        "opener": "^1.5.1",
+        "ws": "^6.0.0"
+      },
+      "dependencies": {
+        "chalk": {
+          "version": "2.4.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+          "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+          "requires": {
+            "ansi-styles": "^3.2.1",
+            "escape-string-regexp": "^1.0.5",
+            "supports-color": "^5.3.0"
+          }
+        }
+      }
+    },
+    "webpack-dev-middleware": {
+      "version": "3.7.0",
+      "resolved": "https://registry.npmjs.org/webpack-dev-middleware/-/webpack-dev-middleware-3.7.0.tgz",
+      "integrity": "sha512-qvDesR1QZRIAZHOE3iQ4CXLZZSQ1lAUsSpnQmlB1PBfoN/xdRjmge3Dok0W4IdaVLJOGJy3sGI4sZHwjRU0PCA==",
+      "requires": {
+        "memory-fs": "^0.4.1",
+        "mime": "^2.4.2",
+        "range-parser": "^1.2.1",
+        "webpack-log": "^2.0.0"
+      },
+      "dependencies": {
+        "mime": {
+          "version": "2.4.4",
+          "resolved": "https://registry.npmjs.org/mime/-/mime-2.4.4.tgz",
+          "integrity": "sha512-LRxmNwziLPT828z+4YkNzloCFC2YM4wrB99k+AV5ZbEyfGNWfG8SO1FUXLmLDBSo89NrJZ4DIWeLjy1CHGhMGA=="
+        }
+      }
+    },
+    "webpack-hot-middleware": {
+      "version": "2.25.0",
+      "resolved": "https://registry.npmjs.org/webpack-hot-middleware/-/webpack-hot-middleware-2.25.0.tgz",
+      "integrity": "sha512-xs5dPOrGPCzuRXNi8F6rwhawWvQQkeli5Ro48PRuQh8pYPCPmNnltP9itiUPT4xI8oW+y0m59lyyeQk54s5VgA==",
+      "requires": {
+        "ansi-html": "0.0.7",
+        "html-entities": "^1.2.0",
+        "querystring": "^0.2.0",
+        "strip-ansi": "^3.0.0"
+      }
+    },
+    "webpack-log": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/webpack-log/-/webpack-log-2.0.0.tgz",
+      "integrity": "sha512-cX8G2vR/85UYG59FgkoMamwHUIkSSlV3bBMRsbxVXVUk2j6NleCKjQ/WE9eYg9WY4w25O9w8wKP4rzNZFmUcUg==",
+      "requires": {
+        "ansi-colors": "^3.0.0",
+        "uuid": "^3.3.2"
+      }
+    },
+    "webpack-merge": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/webpack-merge/-/webpack-merge-4.2.2.tgz",
+      "integrity": "sha512-TUE1UGoTX2Cd42j3krGYqObZbOD+xF7u28WB7tfUordytSjbWTIjK/8V0amkBfTYN4/pB/GIDlJZZ657BGG19g==",
+      "requires": {
+        "lodash": "^4.17.15"
+      }
+    },
+    "webpack-sources": {
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz",
+      "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==",
+      "requires": {
+        "source-list-map": "^2.0.0",
+        "source-map": "~0.6.1"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+        }
+      }
+    },
+    "whatwg-fetch": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.0.0.tgz",
+      "integrity": "sha512-9GSJUgz1D4MfyKU7KRqwOjXCXTqWdFNvEr7eUBYchQiVc744mqK/MzXPNR2WsPkmkOa4ywfg8C2n8h+13Bey1Q=="
+    },
+    "which": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz",
+      "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
+      "requires": {
+        "isexe": "^2.0.0"
+      }
+    },
+    "which-module": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.0.tgz",
+      "integrity": "sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho="
+    },
+    "which-pm-runs": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/which-pm-runs/-/which-pm-runs-1.0.0.tgz",
+      "integrity": "sha1-Zws6+8VS4LVd9rd4DKdGFfI60cs=",
+      "dev": true
+    },
+    "widest-line": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/widest-line/-/widest-line-3.1.0.tgz",
+      "integrity": "sha512-NsmoXalsWVDMGupxZ5R08ka9flZjjiLvHVAWYOKtiKM8ujtZWr9cRffak+uSE48+Ob8ObalXpwyeUiyDD6QFgg==",
+      "requires": {
+        "string-width": "^4.0.0"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "5.0.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz",
+          "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg=="
+        },
+        "emoji-regex": {
+          "version": "8.0.0",
+          "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+          "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="
+        },
+        "is-fullwidth-code-point": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+          "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="
+        },
+        "string-width": {
+          "version": "4.2.0",
+          "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.0.tgz",
+          "integrity": "sha512-zUz5JD+tgqtuDjMhwIg5uFVV3dtqZ9yQJlZVfq4I01/K5Paj5UHj7VyrQOJvzawSVlKpObApbfD0Ed6yJc+1eg==",
+          "requires": {
+            "emoji-regex": "^8.0.0",
+            "is-fullwidth-code-point": "^3.0.0",
+            "strip-ansi": "^6.0.0"
+          }
+        },
+        "strip-ansi": {
+          "version": "6.0.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz",
+          "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==",
+          "requires": {
+            "ansi-regex": "^5.0.0"
+          }
+        }
+      }
+    },
+    "word-wrap": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz",
+      "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ=="
+    },
+    "wordwrap": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
+      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
+    },
+    "worker-farm": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/worker-farm/-/worker-farm-1.7.0.tgz",
+      "integrity": "sha512-rvw3QTZc8lAxyVrqcSGVm5yP/IJ2UcB3U0graE3LCFoZ0Yn2x4EoVSqJKdB/T5M+FLcRPjz4TDacRf3OCfNUzw==",
+      "requires": {
+        "errno": "~0.1.7"
+      }
+    },
+    "worker-rpc": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/worker-rpc/-/worker-rpc-0.1.1.tgz",
+      "integrity": "sha512-P1WjMrUB3qgJNI9jfmpZ/htmBEjFh//6l/5y8SD9hg1Ef5zTTVVoRjTrTEzPrNBQvmhMxkoTsjOXN10GWU7aCg==",
+      "requires": {
+        "microevent.ts": "~0.1.1"
+      }
+    },
+    "wrap-ansi": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-5.1.0.tgz",
+      "integrity": "sha512-QC1/iN/2/RPVJ5jYK8BGttj5z83LmSKmvbvrXPNCLZSEb32KKVDJDl/MOt2N01qU2H/FkzEa9PKto1BqDjtd7Q==",
+      "requires": {
+        "ansi-styles": "^3.2.0",
+        "string-width": "^3.0.0",
+        "strip-ansi": "^5.0.0"
+      },
+      "dependencies": {
+        "ansi-regex": {
+          "version": "4.1.0",
+          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
+          "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg=="
+        },
+        "strip-ansi": {
+          "version": "5.2.0",
+          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
+          "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==",
+          "requires": {
+            "ansi-regex": "^4.1.0"
+          }
+        }
+      }
+    },
+    "wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
+    },
+    "write": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/write/-/write-1.0.3.tgz",
+      "integrity": "sha512-/lg70HAjtkUgWPVZhZcm+T4hkL8Zbtp1nFNOn3lRrxnlv50SRBv7cR7RqR+GMsd3hUXy9hWBo4CHTbFTcOYwig==",
+      "requires": {
+        "mkdirp": "^0.5.1"
+      }
+    },
+    "write-file-atomic": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-3.0.1.tgz",
+      "integrity": "sha512-JPStrIyyVJ6oCSz/691fAjFtefZ6q+fP6tm+OS4Qw6o+TGQxNp1ziY2PgS+X/m0V8OWhZiO/m4xSj+Pr4RrZvw==",
+      "requires": {
+        "imurmurhash": "^0.1.4",
+        "is-typedarray": "^1.0.0",
+        "signal-exit": "^3.0.2",
+        "typedarray-to-buffer": "^3.1.5"
+      }
+    },
+    "ws": {
+      "version": "6.2.1",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-6.2.1.tgz",
+      "integrity": "sha512-GIyAXC2cB7LjvpgMt9EKS2ldqr0MTrORaleiOno6TweZ6r3TKtoFQWay/2PceJ3RuBasOHzXNn5Lrw1X0bEjqA==",
+      "requires": {
+        "async-limiter": "~1.0.0"
+      }
+    },
+    "xtend": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
+      "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ=="
+    },
+    "y18n": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz",
+      "integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w=="
+    },
+    "yallist": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-2.1.2.tgz",
+      "integrity": "sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI="
+    },
+    "yaml": {
+      "version": "1.7.2",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.7.2.tgz",
+      "integrity": "sha512-qXROVp90sb83XtAoqE8bP9RwAkTTZbugRUTm5YeFCBfNRPEp2YzTeqWiz7m5OORHzEvrA/qcGS8hp/E+MMROYw==",
+      "dev": true,
+      "requires": {
+        "@babel/runtime": "^7.6.3"
+      }
+    },
+    "yargs": {
+      "version": "14.2.2",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-14.2.2.tgz",
+      "integrity": "sha512-/4ld+4VV5RnrynMhPZJ/ZpOCGSCeghMykZ3BhdFBDa9Wy/RH6uEGNWDJog+aUlq+9OM1CFTgtYRW5Is1Po9NOA==",
+      "requires": {
+        "cliui": "^5.0.0",
+        "decamelize": "^1.2.0",
+        "find-up": "^3.0.0",
+        "get-caller-file": "^2.0.1",
+        "require-directory": "^2.1.1",
+        "require-main-filename": "^2.0.0",
+        "set-blocking": "^2.0.0",
+        "string-width": "^3.0.0",
+        "which-module": "^2.0.0",
+        "y18n": "^4.0.0",
+        "yargs-parser": "^15.0.0"
+      },
+      "dependencies": {
+        "find-up": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/find-up/-/find-up-3.0.0.tgz",
+          "integrity": "sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==",
+          "requires": {
+            "locate-path": "^3.0.0"
+          }
+        },
+        "locate-path": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-3.0.0.tgz",
+          "integrity": "sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==",
+          "requires": {
+            "p-locate": "^3.0.0",
+            "path-exists": "^3.0.0"
+          }
+        },
+        "p-limit": {
+          "version": "2.2.2",
+          "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.2.tgz",
+          "integrity": "sha512-WGR+xHecKTr7EbUEhyLSh5Dube9JtdiG78ufaeLxTgpudf/20KqyMioIUZJAezlTIi6evxuoUs9YXc11cU+yzQ==",
+          "requires": {
+            "p-try": "^2.0.0"
+          }
+        },
+        "p-locate": {
+          "version": "3.0.0",
+          "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-3.0.0.tgz",
+          "integrity": "sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==",
+          "requires": {
+            "p-limit": "^2.0.0"
+          }
+        },
+        "p-try": {
+          "version": "2.2.0",
+          "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+          "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+        }
+      }
+    },
+    "yargs-parser": {
+      "version": "15.0.0",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-15.0.0.tgz",
+      "integrity": "sha512-xLTUnCMc4JhxrPEPUYD5IBR1mWCK/aT6+RJ/K29JY2y1vD+FhtgKK0AXRWvI262q3QSffAQuTouFIKUuHX89wQ==",
+      "requires": {
+        "camelcase": "^5.0.0",
+        "decamelize": "^1.2.0"
+      }
+    },
+    "yauzl": {
+      "version": "2.10.0",
+      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-2.10.0.tgz",
+      "integrity": "sha1-x+sXyT4RLLEIb6bY5R+wZnt5pfk=",
+      "requires": {
+        "buffer-crc32": "~0.2.3",
+        "fd-slicer": "~1.1.0"
+      }
+    },
+    "yoga-layout-prebuilt": {
+      "version": "1.9.3",
+      "resolved": "https://registry.npmjs.org/yoga-layout-prebuilt/-/yoga-layout-prebuilt-1.9.3.tgz",
+      "integrity": "sha512-9SNQpwuEh2NucU83i2KMZnONVudZ86YNcFk9tq74YaqrQfgJWO3yB9uzH1tAg8iqh5c9F5j0wuyJ2z72wcum2w=="
+    },
+    "zen-observable": {
+      "version": "0.8.15",
+      "resolved": "https://registry.npmjs.org/zen-observable/-/zen-observable-0.8.15.tgz",
+      "integrity": "sha512-PQ2PC7R9rslx84ndNBZB/Dkv8V8fZEpk83RLgXtYd0fwUgEjseMn1Dgajh2x6S8QbZAFa9p2qVCEuYZNgve0dQ=="
+    },
+    "zen-observable-ts": {
+      "version": "0.8.20",
+      "resolved": "https://registry.npmjs.org/zen-observable-ts/-/zen-observable-ts-0.8.20.tgz",
+      "integrity": "sha512-2rkjiPALhOtRaDX6pWyNqK1fnP5KkJJybYebopNSn6wDG1lxBoFs2+nwwXKoA6glHIrtwrfBBy6da0stkKtTAA==",
+      "requires": {
+        "tslib": "^1.9.3",
+        "zen-observable": "^0.8.0"
+      }
+    },
+    "zwitch": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/zwitch/-/zwitch-1.0.4.tgz",
+      "integrity": "sha512-YO803/X+13GNaZB7fVopjvHH0uWQKgJkgKnU1YCjxShjKGVuN9PPHHW8g+uFDpkHpSTNi3rCMKMewIcbC1BAYg=="
+    }
+  }
+}
diff --git a/website/package.json b/website/package.json
new file mode 100644
index 000000000000..fe16b9b22521
--- /dev/null
+++ b/website/package.json
@@ -0,0 +1,64 @@
+{
+  "name": "vault-docs-platform",
+  "description": "Description of your website",
+  "version": "0.0.1",
+  "author": "HashiCorp",
+  "dependencies": {
+    "@bugsnag/js": "^6.5.0",
+    "@bugsnag/plugin-react": "^6.5.0",
+    "@hashicorp/nextjs-scripts": "^6.0.0-1",
+    "@hashicorp/react-button": "^2.1.3",
+    "@hashicorp/react-case-study-slider": "^2.0.4",
+    "@hashicorp/react-consent-manager": "^2.0.3",
+    "@hashicorp/react-content": "^2.1.1",
+    "@hashicorp/react-docs-sidenav": "^2.2.2",
+    "@hashicorp/react-docs-sitemap": "^1.0.0",
+    "@hashicorp/react-footer": "3.1.6",
+    "@hashicorp/react-global-styles": "^4.0.8",
+    "@hashicorp/react-hero": "3.0.0",
+    "@hashicorp/react-image": "^2.0.1",
+    "@hashicorp/react-inline-svg": "^1.0.0",
+    "@hashicorp/react-mega-nav": "^4.0.0-0",
+    "@hashicorp/react-product-downloader": "^2.0.1",
+    "@hashicorp/react-section-header": "^2.0.0",
+    "@hashicorp/react-text-and-content": "^3.0.9",
+    "@hashicorp/react-use-cases": "^1.0.3",
+    "@hashicorp/react-vertical-text-block-list": "^2.0.1",
+    "babel-plugin-import-glob-array": "^0.2.0",
+    "highlight.js": "^9.17.1",
+    "imagemin-mozjpeg": "^8.0.0",
+    "imagemin-optipng": "^7.1.0",
+    "imagemin-svgo": "^7.0.0",
+    "isomorphic-unfetch": "^3.0.0",
+    "marked": "^0.7.0",
+    "next": "^9.2.0",
+    "nprogress": "^0.2.0",
+    "react": "^16.12.0",
+    "react-dom": "^16.12.0",
+    "slugify": "^1.3.6",
+    "stringify-object": "^3.3.0"
+  },
+  "devDependencies": {
+    "glob": "^7.1.6",
+    "husky": "^4.0.10",
+    "inquirer": "^7.0.3",
+    "prettier": "^1.19.1"
+  },
+  "husky": {
+    "hooks": {
+      "pre-commit": "next-hashicorp precommit"
+    }
+  },
+  "main": "index.js",
+  "scripts": {
+    "build": "node --max-old-space-size=2048 ./node_modules/.bin/next build",
+    "dynamic": "NODE_ENV=production next build && next start",
+    "export": "node --max-old-space-size=2048 ./node_modules/.bin/next export",
+    "format": "next-hashicorp format",
+    "generate:component": "next-hashicorp generate component",
+    "lint": "next-hashicorp lint",
+    "start": "npm run clear_babel_cache && next dev",
+    "static": "npm run clear_babel_cache && npm run build && npm run export && cp _redirects out/.",
+    "clear_babel_cache": "rm -rf .next/cache/next-babel-loader"
+  }
+}
diff --git a/website/pages/_app.js b/website/pages/_app.js
new file mode 100644
index 000000000000..1a37cb46879b
--- /dev/null
+++ b/website/pages/_app.js
@@ -0,0 +1,62 @@
+import './style.css'
+import App from 'next/app'
+import NProgress from 'nprogress'
+import Router from 'next/router'
+import DefaultHeadTags from '../components/default-head-tags'
+import ProductSubnav from '../components/subnav'
+import MegaNav from '@hashicorp/react-mega-nav'
+import Footer from '@hashicorp/react-footer'
+import { ConsentManager, open } from '@hashicorp/react-consent-manager'
+import consentManagerConfig from '../lib/consent-manager-config'
+import bugsnagClient from '../lib/bugsnag'
+import Error from './_error'
+import subnavLinks from '../data/subnav'
+
+Router.events.on('routeChangeStart', NProgress.start)
+Router.events.on('routeChangeError', NProgress.done)
+Router.events.on('routeChangeComplete', url => {
+  setTimeout(() => window.analytics.page(url), 0)
+  NProgress.done()
+})
+
+// Bugsnag
+const ErrorBoundary = bugsnagClient.getPlugin('react')
+
+class NextApp extends App {
+  static async getInitialProps({ Component, ctx }) {
+    let pageProps = {}
+
+    if (Component.getInitialProps) {
+      pageProps = await Component.getInitialProps(ctx)
+    } else if (Component.isMDXComponent) {
+      // fix for https://github.com/mdx-js/mdx/issues/382
+      const mdxLayoutComponent = Component({}).props.originalType
+      if (mdxLayoutComponent.getInitialProps) {
+        pageProps = await mdxLayoutComponent.getInitialProps(ctx)
+      }
+    }
+
+    return { pageProps, path: ctx.asPath }
+  }
+
+  render() {
+    const { Component, pageProps, path } = this.props
+
+    return (
+      <ErrorBoundary FallbackComponent={Error}>
+        <DefaultHeadTags />
+        <MegaNav product="Vault" />
+        <ProductSubnav
+          links={subnavLinks}
+          currentPath={path}
+          rootUrl="vaultproject.io"
+        />
+        <Component {...pageProps} />
+        <Footer openConsentManager={open} />
+        <ConsentManager {...consentManagerConfig} />
+      </ErrorBoundary>
+    )
+  }
+}
+
+export default NextApp
diff --git a/website/pages/_document.js b/website/pages/_document.js
new file mode 100644
index 000000000000..1e15c38dd1f1
--- /dev/null
+++ b/website/pages/_document.js
@@ -0,0 +1,28 @@
+import Document, { Head, Main, NextScript } from 'next/document'
+
+export default class MyDocument extends Document {
+  static async getInitialProps(ctx) {
+    const initialProps = await Document.getInitialProps(ctx)
+    return { ...initialProps }
+  }
+
+  render() {
+    return (
+      <html>
+        <Head>
+          <meta name="viewport" content="width=device-width, initial-scale=1" />
+          <link rel="stylesheet" type="text/css" href="/css/nprogress.css" />
+        </Head>
+        <body>
+          <Main />
+          <NextScript />
+          <script
+            dangerouslySetInnerHTML={{
+              __html: `window.MSInputMethodContext && document.documentMode && document.write('<script src="/ie-custom-properties.js"><\\x2fscript>');`
+            }}
+          />
+        </body>
+      </html>
+    )
+  }
+}
diff --git a/website/pages/_error.jsx b/website/pages/_error.jsx
new file mode 100644
index 000000000000..433da07d6fa9
--- /dev/null
+++ b/website/pages/_error.jsx
@@ -0,0 +1,13 @@
+import React from 'react'
+import ErrorPage from 'next/error'
+import bugsnagClient from '../lib/bugsnag'
+
+export default class Page extends React.Component {
+  static async getInitialProps(ctx) {
+    if (ctx.err) bugsnagClient.notify(ctx.err)
+    return ErrorPage.getInitialProps(ctx)
+  }
+  render() {
+    return <ErrorPage statusCode={this.props.statusCode || '¯\\_(ツ)_/¯'} />
+  }
+}
diff --git a/website/pages/api-docs/auth/alicloud/index.mdx b/website/pages/api-docs/auth/alicloud/index.mdx
new file mode 100644
index 000000000000..46a53ee6709b
--- /dev/null
+++ b/website/pages/api-docs/auth/alicloud/index.mdx
@@ -0,0 +1,201 @@
+---
+layout: api
+page_title: AliCloud - Auth Methods - HTTP API
+sidebar_title: AliCloud
+description: This is the API documentation for the Vault AliCloud auth method.
+---
+
+# AliCloud Auth Method (API)
+
+This is the API documentation for the Vault AliCloud auth method. For
+general information about the usage and operation of the AliCloud method, please
+see the [Vault AliCloud auth method documentation](/docs/auth/alicloud.html).
+
+This documentation assumes the AliCloud auth method is mounted at the `/auth/alicloud`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Create Role
+
+Registers a role. Only entities using the role registered using this endpoint
+will be able to perform the login operation.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `POST` | `/auth/alicloud/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role. Must correspond with the name of the role reflected in the arn.
+- `arn` `(string: <required>)` - The role's arn.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "arn": "acs:ram::5138828231865461:role/dev-role",
+  "policies": ["dev", "prod"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
+```
+
+## Read Role
+
+Returns the previously registered role configuration.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `GET`  | `/auth/alicloud/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "arn": "acs:ram::5138828231865461:role/dev-role",
+    "policies": ["default", "dev", "prod"],
+    "ttl": 1800000,
+    "max_ttl": 1800000,
+    "period": 0
+  }
+}
+```
+
+## List Roles
+
+Lists all the roles that are registered with the method.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `LIST` | `/auth/alicloud/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/alicloud/roles
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["dev-role", "prod-role"]
+  }
+}
+```
+
+## Delete Role
+
+Deletes the previously registered role.
+
+| Method   | Path                        |
+| :------- | :-------------------------- |
+| `DELETE` | `/auth/alicloud/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
+```
+
+## Login
+
+Fetch a token. This endpoint verifies the signature of the signed
+GetCallerIdentity request.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/auth/alicloud/login` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+- `identity_request_url` `(string: <required>)` - Base64-encoded HTTP URL used in
+  the signed request.
+- `identity_request_headers` `(string: <required>)` - Base64-encoded,
+  JSON-serialized representation of the sts:GetCallerIdentity HTTP request
+  headers. The JSON serialization assumes that each header key maps to either a
+  string value or an array of string values (though the length of that array
+  will probably only be one).
+
+### Sample Payload
+
+```json
+{
+  "role": "dev-role",
+  "identity_request_url": "aWRlbnRpdHlabrVxdWVzdF91cmw=",
+  "identity_request_headers": "aWRlimRpdHlfcmVxdWVzdF9oZWFkZXJz"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/alicloud/login
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "renewable": true,
+    "lease_duration": 1800000,
+    "metadata": {
+      "role_tag_max_ttl": "0",
+      "instance_id": "i-de0f1344",
+      "ami_id": "ami-fce36983",
+      "role": "dev-role",
+      "auth_type": "ec2",
+      "account_id": "5138828231865461",
+      "user_id": "216959339000654321",
+      "role_id": "4657-abcd",
+      "arn": "acs:ram::5138828231865461:assumed-role/dev-role/vm-ram-i-rj978rorvlg76urhqh7q",
+      "identity_type": "assumed-role",
+      "principal_id": "vm-ram-i-rj978rorvlg76urhqh7q",
+      "request_id": "D6E46F10-F26C-4AA0-BB69-FE2743D9AE62",
+      "role_name": "dev-role"
+    },
+    "policies": ["default", "dev"],
+    "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
+    "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
+  }
+}
+```
diff --git a/website/pages/api-docs/auth/app-id/index.mdx b/website/pages/api-docs/auth/app-id/index.mdx
new file mode 100644
index 000000000000..c774fb6a6b9a
--- /dev/null
+++ b/website/pages/api-docs/auth/app-id/index.mdx
@@ -0,0 +1,19 @@
+---
+layout: api
+page_title: AppID - Auth Methods - HTTP API
+sidebar_title: App ID <sup>DEPRECATED</sup>
+description: This is the API documentation for the Vault App ID auth method.
+---
+
+# AppID Auth Method (API)
+
+~> This API is deprecated and will be removed in a future version of Vault.
+Please use AppRole instead.
+
+This is the API documentation for the Vault App ID auth method. For
+general information about the usage and operation of the App ID method, please
+see the [Vault App ID method documentation](/docs/auth/app-id.html).
+
+This documentation assumes the App ID method is mounted at the `/auth/app-id`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
diff --git a/website/pages/api-docs/auth/approle/index.mdx b/website/pages/api-docs/auth/approle/index.mdx
new file mode 100644
index 000000000000..7def1a9f890b
--- /dev/null
+++ b/website/pages/api-docs/auth/approle/index.mdx
@@ -0,0 +1,651 @@
+---
+layout: api
+page_title: AppRole - Auth Methods - HTTP API
+sidebar_title: AppRole
+description: This is the API documentation for the Vault AppRole auth method.
+---
+
+# AppRole Auth Method (API)
+
+This is the API documentation for the Vault AppRole auth method. For
+general information about the usage and operation of the AppRole method, please
+see the [Vault AppRole method documentation](/docs/auth/approle.html).
+
+This documentation assumes the AppRole method is mounted at the `/auth/approle`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## List Roles
+
+This endpoint returns a list the existing AppRoles in the method.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `LIST` | `/auth/approle/role` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/approle/role
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["dev", "prod", "test"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Create/Update AppRole
+
+Creates a new AppRole or updates an existing AppRole. This endpoint
+supports both `create` and `update` capabilities. There can be one or more
+constraints enabled on the role. It is required to have at least one of them
+enabled while creating or updating a role.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `POST` | `/auth/approle/role/:role_name` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+- `bind_secret_id` `(bool: true)` - Require `secret_id` to be presented when
+  logging in using this AppRole.
+- `secret_id_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
+  blocks; if set, specifies blocks of IP addresses which can perform the login
+  operation.
+- `secret_id_num_uses` `(integer: 0)` - Number of times any particular SecretID
+  can be used to fetch a token from this AppRole, after which the SecretID will
+  expire. A value of zero will allow unlimited uses.
+- `secret_id_ttl` `(string: "")` - Duration in either an integer number of
+  seconds (`3600`) or an integer time unit (`60m`) after which any SecretID
+  expires.
+- `enable_local_secret_ids` `(bool: false)` - If set, the secret IDs generated
+  using this role will be cluster local. This can only be set during role
+  creation and once set, it can't be reset later.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "token_ttl": "10m",
+  "token_max_ttl": "15m",
+  "token_policies": ["default"],
+  "period": 0,
+  "bind_secret_id": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1
+```
+
+## Read AppRole
+
+Reads the properties of an existing AppRole.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `GET`  | `/auth/approle/role/:role_name` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "token_ttl": 1200,
+    "token_max_ttl": 1800,
+    "secret_id_ttl": 600,
+    "secret_id_num_uses": 40,
+    "token_policies": ["default"],
+    "period": 0,
+    "bind_secret_id": true,
+    "bound_cidr_list": []
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Delete AppRole
+
+Deletes an existing AppRole from the method.
+
+| Method   | Path                            |
+| :------- | :------------------------------ |
+| `DELETE` | `/auth/approle/role/:role_name` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1
+```
+
+## Read AppRole Role ID
+
+Reads the RoleID of an existing AppRole.
+
+| Method | Path                                    |
+| :----- | :-------------------------------------- |
+| `GET`  | `/auth/approle/role/:role_name/role-id` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "role_id": "e5a7b66e-5d08-da9c-7075-71984634b882"
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Update AppRole Role ID
+
+Updates the RoleID of an existing AppRole to a custom value.
+
+| Method | Path                                    |
+| :----- | :-------------------------------------- |
+| `POST` | `/auth/approle/role/:role_name/role-id` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+- `role_id` `(string: <required>)` - Value to be set as RoleID.
+
+### Sample Payload
+
+```json
+{
+  "role_id": "custom-role-id"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "role_id": "e5a7b66e-5d08-da9c-7075-71984634b882"
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Generate New Secret ID
+
+Generates and issues a new SecretID on an existing AppRole. Similar to
+tokens, the response will also contain a `secret_id_accessor` value which can
+be used to read the properties of the SecretID without divulging the SecretID
+itself, and also to delete the SecretID from the AppRole.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `POST` | `/auth/approle/role/:role_name/secret-id` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+- `metadata` `(string: "")` - Metadata to be tied to the SecretID. This should be
+  a JSON-formatted string containing the metadata in key-value pairs. This
+  metadata will be set on tokens issued with this SecretID, and is logged in
+  audit logs _in plaintext_.
+- `cidr_list` `(array: [])` - Comma separated string or list of CIDR blocks
+  enforcing secret IDs to be used from specific set of IP addresses. If
+  `bound_cidr_list` is set on the role, then the list of CIDR blocks listed
+  here should be a subset of the CIDR blocks listed on the role.
+- `token_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
+  blocks; if set, specifies blocks of IP addresses which can use the auth tokens
+  generated by this SecretID. Overrides any role-set value but must be a subset.
+
+### Sample Payload
+
+```json
+{
+  "metadata": "{ \"tag1\": \"production\" }"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780",
+    "secret_id": "841771dc-11c9-bbc7-bcac-6a3945a69cd9"
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## List Secret ID Accessors
+
+Lists the accessors of all the SecretIDs issued against the AppRole.
+This includes the accessors for "custom" SecretIDs as well.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `LIST` | `/auth/approle/role/:role_name/secret-id` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": [
+      "ce102d2a-8253-c437-bf9a-aceed4241491",
+      "a1c8dee4-b869-e68d-3520-2040c1a0849a",
+      "be83b7e2-044c-7244-07e1-47560ca1c787",
+      "84896a0c-1347-aa90-a4f6-aca8b7558780",
+      "239b1328-6523-15e7-403a-a48038cdc45a"
+    ]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Read AppRole Secret ID
+
+Reads out the properties of a SecretID.
+
+| Method | Path                                             |
+| :----- | :----------------------------------------------- |
+| `POST` | `/auth/approle/role/:role_name/secret-id/lookup` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+- `secret_id` `(string: <required>)` - Secret ID attached to the role.
+
+### Sample Payload
+
+```json
+{
+  "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id/lookup
+```
+
+## Destroy AppRole Secret ID
+
+Destroy an AppRole secret ID.
+
+| Method | Path                                              |
+| :----- | :------------------------------------------------ |
+| `POST` | `/auth/approle/role/:role_name/secret-id/destroy` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+- `secret_id` `(string: <required>)` - Secret ID attached to the role.
+
+### Sample Payload
+
+```json
+{
+  "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id/destroy
+```
+
+## Read AppRole Secret ID Accessor
+
+Reads out the properties of a SecretID.
+
+| Method | Path                                                      |
+| :----- | :-------------------------------------------------------- |
+| `POST` | `/auth/approle/role/:role_name/secret-id-accessor/lookup` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+- `secret_id_accessor` `(string: <required>)` - Secret ID accessor attached to the role.
+
+### Sample Payload
+
+```json
+{
+  "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id-accessor/lookup
+```
+
+## Destroy AppRole Secret ID Accessor
+
+Destroy an AppRole secret ID by its accessor.
+
+| Method | Path                                                       |
+| :----- | :--------------------------------------------------------- |
+| `POST` | `/auth/approle/role/:role_name/secret-id-accessor/destroy` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+- `secret_id_accessor` `(string: <required>)` - Secret ID accessor attached to the role.
+
+### Sample Payload
+
+```json
+{
+  "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id-accessor/destroy
+```
+
+## Create Custom AppRole Secret ID
+
+Assigns a "custom" SecretID against an existing AppRole. This is used in the
+"Push" model of operation.
+
+| Method | Path                                             |
+| :----- | :----------------------------------------------- |
+| `POST` | `/auth/approle/role/:role_name/custom-secret-id` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - Name of the AppRole.
+- `secret_id` `(string: <required>)` - SecretID to be attached to the Role.
+- `metadata` `(string: "")` - Metadata to be tied to the SecretID. This should be
+  a JSON-formatted string containing the metadata in key-value pairs. This
+  metadata will be set on tokens issued with this SecretID, and is logged in
+  audit logs _in plaintext_.
+- `cidr_list` `(array: [])` - Comma separated string or list of CIDR blocks
+  enforcing secret IDs to be used from specific set of IP addresses. If
+  `bound_cidr_list` is set on the role, then the list of CIDR blocks listed
+  here should be a subset of the CIDR blocks listed on the role.
+- `token_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
+  blocks; if set, specifies blocks of IP addresses which can use the auth tokens
+  generated by this SecretID. Overrides any role-set value but must be a subset.
+
+### Sample Payload
+
+```json
+{
+  "secret_id": "testsecretid"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/role/application1/custom-secret-id
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780",
+    "secret_id": "testsecretid"
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Login With AppRole
+
+Issues a Vault token based on the presented credentials. `role_id` is always
+required; if `bind_secret_id` is enabled (the default) on the AppRole,
+`secret_id` is required too. Any other bound authentication values on the
+AppRole (such as client IP CIDR) are also evaluated.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/auth/approle/login` |
+
+### Parameters
+
+- `role_id` `(string: <required>)` - RoleID of the AppRole.
+- `secret_id` `(string: <required>)` - SecretID belonging to AppRole.
+
+### Sample Payload
+
+```json
+{
+  "role_id": "59d6d1ca-47bb-4e7e-a40b-8be3bc5a0ba8",
+  "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/approle/login
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "renewable": true,
+    "lease_duration": 1200,
+    "metadata": null,
+    "token_policies": ["default"],
+    "accessor": "fd6c9a00-d2dc-3b11-0be5-af7ae0e1d374",
+    "client_token": "5b1a0318-679c-9c45-e5c6-d1b9a9035d49"
+  },
+  "warnings": null,
+  "wrap_info": null,
+  "data": null,
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Read, Update, or Delete AppRole Properties
+
+Updates the respective property in the existing AppRole. All of these
+parameters of the AppRole can be updated using the `/auth/approle/role/:role_name`
+endpoint directly. The endpoints for each field is provided separately
+to be able to delegate specific endpoints using Vault's ACL system.
+
+| Method            | Path                                                  |
+| :---------------- | :---------------------------------------------------- |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/policies`              | `200/204` |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/secret-id-num-uses`    | `200/204` |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/secret-id-ttl`         | `200/204` |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/token-ttl`             | `200/204` |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/token-max-ttl`         | `200/204` |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/bind-secret-id`        | `200/204` |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/secret-id-bound-cidrs` | `200/204` |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/token-bound-cidrs`     | `200/204` |
+| `GET/POST/DELETE` | `/auth/approle/role/:role_name/period`                | `200/204` |
+
+Refer to `/auth/approle/role/:role_name` endpoint.
+
+## Tidy Tokens
+
+Performs some maintenance tasks to clean up invalid entries that may remain
+in the token store. Generally, running this is not needed unless upgrade
+notes or support personnel suggest it. This may perform a lot of I/O to the
+storage method so should be used sparingly.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/auth/approle/tidy/secret-id` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/approle/tidy/secret-id
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "b20b56e3-4699-5b19-cc6b-e74f7b787bbf",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": [
+    "Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs."
+  ],
+  "auth": null
+}
+```
diff --git a/website/pages/api-docs/auth/aws/index.mdx b/website/pages/api-docs/auth/aws/index.mdx
new file mode 100644
index 000000000000..0ff2816b8849
--- /dev/null
+++ b/website/pages/api-docs/auth/aws/index.mdx
@@ -0,0 +1,1282 @@
+---
+layout: api
+page_title: AWS - Auth Methods - HTTP API
+sidebar_title: AWS
+description: This is the API documentation for the Vault AWS auth method.
+---
+
+# AWS Auth Method (API)
+
+This is the API documentation for the Vault AWS auth method. For
+general information about the usage and operation of the AWS method, please
+see the [Vault AWS method documentation](/docs/auth/aws.html).
+
+This documentation assumes the AWS method is mounted at the `/auth/aws`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Configure Client
+
+Configures the credentials required to perform API calls to AWS as well as
+custom endpoints to talk to AWS APIs. The instance identity document
+fetched from the PKCS#7 signature will provide the EC2 instance ID. The
+credentials configured using this endpoint will be used to query the status
+of the instances via DescribeInstances API. If static credentials are not
+provided using this endpoint, then the credentials will be retrieved from
+the environment variables `AWS_ACCESS_KEY`, `AWS_SECRET_KEY` and
+`AWS_REGION` respectively. If the credentials are still not found and if the
+method is configured on an EC2 instance with metadata querying
+capabilities, the credentials are fetched automatically.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/auth/aws/config/client` |
+
+### Parameters
+
+- `max_retries` `(int: -1)` - Number of max retries the client should use for
+  recoverable errors. The default (`-1`) falls back to the AWS SDK's default
+  behavior.
+- `access_key` `(string: "")` - AWS Access key with permissions to query AWS
+  APIs. The permissions required depend on the specific configurations. If using
+  the `iam` auth method without inferencing, then no credentials are necessary.
+  If using the `ec2` auth method or using the `iam` auth method with
+  inferencing, then these credentials need access to `ec2:DescribeInstances`. If
+  additionally a `bound_iam_role` is specified, then these credentials also need
+  access to `iam:GetInstanceProfile`. If, however, an alternate sts
+  configuration is set for the target account, then the credentials must be
+  permissioned to call `sts:AssumeRole` on the configured role, and that role
+  must have the permissions described here.
+- `secret_key` `(string: "")` - AWS Secret key with permissions to query AWS
+  APIs.
+- `endpoint` `(string: "")` - URL to override the default generated endpoint for
+  making AWS EC2 API calls.
+- `iam_endpoint` `(string: "")` - URL to override the default generated endpoint
+  for making AWS IAM API calls.
+- `sts_endpoint` `(string: "")` - URL to override the default generated endpoint
+  for making AWS STS API calls. If set, `sts_region` should also be set.
+- `sts_region` `(string: "")` - Region to override the default region for making
+  AWS STS API calls. Should only be set if `sts_endpoint` is set. If so, should
+  be set to the region in which the custom `sts_endpoint` resides.
+- `iam_server_id_header_value` `(string: "")` - The value to require in the
+  `X-Vault-AWS-IAM-Server-ID` header as part of GetCallerIdentity requests that
+  are used in the iam auth method. If not set, then no value is required or
+  validated. If set, clients must include an X-Vault-AWS-IAM-Server-ID header in
+  the headers of login requests, and further this header must be among the
+  signed headers validated by AWS. This is to protect against different types of
+  replay attacks, for example a signed request sent to a dev server being resent
+  to a production server. Consider setting this to the Vault server's DNS name.
+
+### Sample Payload
+
+```json
+{
+  "access_key": "VKIAJBRHKH6EVTTNXDHA",
+  "secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/config/client
+```
+
+## Read Config
+
+Returns the previously configured AWS access credentials.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/auth/aws/config/client` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/aws/config/client
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "access_key": "VKIAJBRHKH6EVTTNXDHA",
+    "endpoint": "",
+    "iam_endpoint": "",
+    "sts_endpoint": "",
+    "sts_region": "",
+    "iam_server_id_header_value": ""
+  }
+}
+```
+
+## Delete Config
+
+Deletes the previously configured AWS access credentials.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/auth/aws/config/client` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/aws/config/client
+```
+
+## Configure Identity Integration
+
+This configures the way that Vault interacts with the
+[Identity](/docs/secrets/identity/index.html) store. The default (as of Vault
+1.0.3) is `role_id` for both values.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `POST` | `/auth/aws/config/identity` |
+
+### Parameters
+
+- `iam_alias` `(string: "role_id")` - How to generate the identity alias when
+  using the `iam` auth method. Valid choices are `role_id`, `unique_id`, and
+  `full_arn` When `role_id` is selected, the randomly generated ID of the role
+  is used. When `unique_id` is selected, the [IAM Unique
+  ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+  of the IAM principal (either the user or role) is used as the identity alias
+  name. When `full_arn` is selected, the ARN returned by the
+  `sts:GetCallerIdentity` call is used as the alias name. This is either
+  `arn:aws:iam::<account_id>:user/<optional_path/><user_name>` or
+  `arn:aws:sts::<account_id>:assumed-role/<role_name_without_path>/<role_session_name>`.
+  **Note**: if you select `full_arn` and then delete and recreate the IAM role,
+  Vault won't be aware and any identity aliases set up for the role name will
+  still be valid.
+
+- `ec2_alias` `(string: "role_id")` - Configures how to generate the identity
+  alias when using the `ec2` auth method. Valid choices are `role_id`,
+  `instance_id`, and `image_id`. When `role_id` is selected, the randomly
+  generated ID of the role is used. When `instance_id` is selected, the
+  instance identifier is used as the identity alias name. When `image_id` is
+  selected, AMI ID of the instance is used as the identity alias name.
+
+### Sample Payload
+
+```json
+{
+  "iam_alias": "unique_id"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    -- header "X-Vault-Token:..." \
+    --request POST
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/config/identity
+```
+
+## Read Identity Integration Configuration
+
+Returns the previously configured Identity integration configuration
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `GET`  | `/auth/aws/config/identity` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token:..." \
+    http://127.0.0.1:8200/v1/auth/aws/config/identity
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "iam_alias": "full_arn"
+  }
+}
+```
+
+## Create Certificate Configuration
+
+Registers an AWS public key to be used to verify the instance identity
+documents. While the PKCS#7 signature of the identity documents have DSA
+digest, the identity signature will have RSA digest, and hence the public
+keys for each type varies respectively. Indicate the type of the public key
+using the "type" parameter.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `POST` | `/auth/aws/config/certificate/:cert_name` |
+
+### Parameters
+
+- `cert_name` `(string: <required>)` - Name of the certificate.
+- `aws_public_cert` `(string: <required>)` - Base64 encoded AWS Public key required to verify
+  PKCS7 signature of the EC2 instance metadata.
+- `type` `(string: "pkcs7")` - Takes the value of either "pkcs7" or "identity",
+  indicating the type of document which can be verified using the given
+  certificate. The PKCS#7 document will have a DSA digest and the identity
+  signature will have an RSA signature, and accordingly the public certificates
+  to verify those also vary. Defaults to "pkcs7".
+
+### Sample Payload
+
+```json
+{
+  "aws_public_cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM3VENDQXEwQ0NRQ1d1a2paNVY0YVp6QUpCZ2NxaGtqT09BUURNRnd4Q3pBSkJnTlZCQVlUQWxWVE1Sa3cKRndZRFZRUUlFeEJYWVhOb2FXNW5kRzl1SUZOMFlYUmxNUkF3RGdZRFZRUUhFd2RUWldGMGRHeGxNU0F3SGdZRApWUVFLRXhkQmJXRjZiMjRnVjJWaUlGTmxjblpwWTJWeklFeE1RekFlRncweE1qQXhNRFV4TWpVMk1USmFGdzB6Ck9EQXhNRFV4TWpVMk1USmFNRnd4Q3pBSkJnTlZCQVlUQWxWVE1Sa3dGd1lEVlFRSUV4QlhZWE5vYVc1bmRHOXUKSUZOMFlYUmxNUkF3RGdZRFZRUUhFd2RUWldGMGRHeGxNU0F3SGdZRFZRUUtFeGRCYldGNmIyNGdWMlZpSUZObApjblpwWTJWeklFeE1RekNDQWJjd2dnRXNCZ2NxaGtqT09BUUJNSUlCSHdLQmdRQ2prdmNTMmJiMVZRNHl0LzVlCmloNU9PNmtLL24xTHpsbHI3RDhad3RRUDhmT0VwcDVFMm5nK0Q2VWQxWjFnWWlwcjU4S2ozbnNzU05wSTZiWDMKVnlJUXpLN3dMY2xuZC9Zb3pxTk5tZ0l5WmVjTjdFZ2xLOUlUSEpMUCt4OEZ0VXB0M1FieVlYSmRtVk1lZ042UApodmlZdDVKSC9uWWw0aGgzUGExSEpkc2tnUUlWQUxWSjNFUjExK0tvNHRQNm53dkh3aDYrRVJZUkFvR0JBSTFqCmsrdGtxTVZIdUFGY3ZBR0tvY1Rnc2pKZW02LzVxb216SnVLRG1iSk51OVF4dzNyQW90WGF1OFFlK01CY0psL1UKaGh5MUtIVnBDR2w5ZnVlUTJzNklMMENhTy9idXljVTFDaVlRazQwS05IQ2NIZk5pWmJkbHgxRTlycFVwN2JuRgpsUmEydjFudE1YM2NhUlZEZGJ0UEVXbWR4U0NZc1lGRGs0bVpyT0xCQTRHRUFBS0JnRWJtZXZlNWY4TElFL0dmCk1ObVA5Q001ZW92UU9HeDVobzhXcUQrYVRlYnMrazJ0bjkyQkJQcWVacXBXUmE1UC8ranJkS21sMXF4NGxsSFcKTVhyczNJZ0liNitoVUlCK1M4ZHo4L21tTzBicHI3NlJvWlZDWFlhYjJDWmVkRnV0N3FjM1dVSDkrRVVBSDVtdwp2U2VEQ09VTVlRUjdSOUxJTll3b3VISXppcVFZTUFrR0J5cUdTTTQ0QkFNREx3QXdMQUlVV1hCbGs0MHhUd1N3CjdIWDMyTXhYWXJ1c2U5QUNGQk5HbWRYMlpCclZOR3JOOU4yZjZST2swazlLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
+```
+
+## Read Certificate Configuration
+
+Returns the previously configured AWS public key.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `GET`  | `/auth/aws/config/certificate/:cert_name` |
+
+### Parameters
+
+- `cert_name` `(string: <required>)` - Name of the certificate.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "aws_public_cert": "-----BEGIN CERTIFICATE-----\nMIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw\nFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD\nVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z\nODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u\nIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl\ncnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e\nih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3\nVyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P\nhviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j\nk+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U\nhhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF\nlRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf\nMNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW\nMXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw\nvSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw\n7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K\n-----END CERTIFICATE-----\n",
+    "type": "pkcs7"
+  }
+}
+```
+
+## Delete Certificate Configuration
+
+Removes the previously configured AWS public key.
+
+| Method   | Path                                      |
+| :------- | :---------------------------------------- |
+| `DELETE` | `/auth/aws/config/certificate/:cert_name` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
+```
+
+## List Certificate Configurations
+
+Lists all the AWS public certificates that are registered with the method.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `LIST` | `/auth/aws/config/certificates` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/aws/config/certificates
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["cert1"]
+  }
+}
+```
+
+## Create STS Role
+
+Allows the explicit association of STS roles to satellite AWS accounts
+(i.e. those which are not the account in which the Vault server is
+running.) Vault will use credentials obtained by assuming these STS roles
+when validating IAM principals or EC2 instances in the particular AWS account.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `POST` | `/auth/aws/config/sts/:account_id` |
+
+### Parameters
+
+- `account_id` `(string: <required>)` - AWS account ID to be associated with
+  STS role. If set, Vault will use assumed credentials to verify any login
+  attempts from EC2 instances in this account.
+- `sts_role` `(string: <required>)` - AWS ARN for STS role to be assumed when
+  interacting with the account specified. The Vault server must have
+  permissions to assume this role.
+
+### Sample Payload
+
+```json
+{
+  "sts_role": "arn:aws:iam:111122223333:role/myRole"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
+```
+
+## Read STS Role
+
+Returns the previously configured STS role.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `GET`  | `/auth/aws/config/sts/:account_id` |
+
+### Parameters
+
+- `account_id` `(string: <required>)` - AWS account ID that has been
+  previously associated with STS role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "sts_role ": "arn:aws:iam:111122223333:role/myRole"
+  }
+}
+```
+
+## List STS Roles
+
+Lists all the AWS Account IDs for which an STS role is registered.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `LIST` | `/auth/aws/config/sts` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/aws/config/sts
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["111122223333", "999988887777"]
+  }
+}
+```
+
+## Delete STS Role
+
+Deletes a previously configured AWS account/STS role association.
+
+| Method   | Path                               |
+| :------- | :--------------------------------- |
+| `DELETE` | `/auth/aws/config/sts/:account_id` |
+
+### Parameters
+
+- `account_id` `(string: <required>)` - AWS account ID that has been
+  previously associated with STS role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
+```
+
+## Configure Identity Whitelist Tidy Operation
+
+Configures the periodic tidying operation of the whitelisted identity entries.
+
+| Method | Path                                       |
+| :----- | :----------------------------------------- |
+| `POST` | `/auth/aws/config/tidy/identity-whitelist` |
+
+### Parameters
+
+- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
+  passed beyond the `roletag` expiration, before it is removed from the method
+  storage. Defaults to 72h.
+- `disable_periodic_tidy` `(bool: false)` - If set to 'true', disables the
+  periodic tidying of the `identity-whitelist/<instance_id>` entries.
+
+### Sample Payload
+
+```json
+{
+  "safety_buffer": "48h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-whitelist
+```
+
+## Read Identity Whitelist Tidy Settings
+
+Returns the previously configured periodic whitelist tidying settings.
+
+| Method | Path                                       |
+| :----- | :----------------------------------------- |
+| `GET`  | `/auth/aws/config/tidy/identity-whitelist` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-whitelist
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "safety_buffer": 600,
+    "disable_periodic_tidy": false
+  }
+}
+```
+
+## Delete Identity Whitelist Tidy Settings
+
+Deletes the previously configured periodic whitelist tidying settings.
+
+| Method   | Path                                       |
+| :------- | :----------------------------------------- |
+| `DELETE` | `/auth/aws/config/tidy/identity-whitelist` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-whitelist
+```
+
+## Configure Role Tag Blacklist Tidy Operation
+
+Configures the periodic tidying operation of the blacklisted role tag entries.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `POST` | `/auth/aws/config/tidy/roletag-blacklist` |
+
+### Parameters
+
+- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
+  passed beyond the `roletag` expiration, before it is removed from the method
+  storage. Defaults to 72h.
+- `disable_periodic_tidy` `(bool: false)` - If set to 'true', disables the
+  periodic tidying of the `roletag-blacklist/<instance_id>` entries.
+
+### Sample Payload
+
+```json
+{
+  "safety_buffer": "48h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-blacklist
+```
+
+## Read Role Tag Blacklist Tidy Settings
+
+Returns the previously configured periodic blacklist tidying settings.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `GET`  | `/auth/aws/config/tidy/roletag-blacklist` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-blacklist
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "safety_buffer": 600,
+    "disable_periodic_tidy": false
+  }
+}
+```
+
+## Delete Role Tag Blacklist Tidy Settings
+
+Deletes the previously configured periodic blacklist tidying settings.
+
+| Method   | Path                                      |
+| :------- | :---------------------------------------- |
+| `DELETE` | `/auth/aws/config/tidy/roletag-blacklist` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-blacklist
+```
+
+## Create Role
+
+Registers a role in the method. Only those instances or principals which
+are using the role registered using this endpoint, will be able to perform
+the login operation. Constraints can be specified on the role, that are
+applied on the instances or principals attempting to login. At least one
+constraint must be specified on the role. The available constraints you
+can choose are dependent on the `auth_type` of the role and, if the
+`auth_type` is `iam`, then whether inferencing is enabled. A role will not
+let you configure a constraint if it is not checked by the `auth_type` and
+inferencing configuration of that role. For the constraints which accept a list
+of values, the authenticating instance/principal must match any one value in the
+list in order to satisfy that constraint.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/auth/aws/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role. Vault normalizes all role
+  names to lower case. If you create two roles, "Web-Workers" and "WEB-WORKERS",
+  they will both be normalized to "web-workers" and will be regarded as the same role.
+  This is to prevent unexpected behavior due to casing differences. At all points,
+  Vault can be provided the role in any casing, and it will internally handle
+  sending it to lower case and seeking it inside its storage engine.
+- `auth_type` `(string: "iam")` - The auth type permitted for this role. Valid
+  choices are "ec2" or "iam". If no value is specified, then it will default to
+  "iam" (except for legacy `aws-ec2` auth types, for which it will default to
+  "ec2"). Only those bindings applicable to the auth type chosen will be allowed
+  to be configured on the role.
+- `bound_ami_id` `(list: [])` - If set, defines a constraint on the EC2
+  instances that they should be using one of the AMI ID specified by this parameter.
+  This constraint is checked during ec2 auth as well as the iam auth method only
+  when inferring an EC2 instance. This is a comma-separated string or JSON
+  array.
+- `bound_account_id` `(list: [])` - If set, defines a constraint on the EC2
+  instances that the account ID in its identity document to match one of the ones
+  specified by this parameter. This constraint is checked during ec2 auth as
+  well as the iam auth method only when inferring an EC2 instance. This is a
+  comma-separated string or JSON array.
+- `bound_region` `(list: [])` - If set, defines a constraint on the EC2
+  instances that the region in its identity document must match one of the
+  regions specified by this parameter. This constraint is only checked by the ec2 auth
+  method as well as the iam auth method only when inferring an ec2 instance.
+  This is a comma-separated string or JSON array.
+- `bound_vpc_id` `(list: [])` - If set, defines a constraint on the EC2
+  instance to be associated with a VPC ID that matches one of the values specified by
+  this parameter. This constraint is only checked by the ec2 auth method as well
+  as the iam auth method only when inferring an ec2 instance. This is a
+  comma-separated string or JSON array.
+- `bound_subnet_id` `(list: [])` - If set, defines a constraint on the EC2
+  instance to be associated with a subnet ID that matches one of the values specified
+  by this parameter. This constraint is only checked by the ec2 auth method as
+  well as the iam auth method only when inferring an ec2 instance. This is a
+  comma-separated string or a JSON array.
+- `bound_iam_role_arn` `(list: [])` - If set, defines a constraint on the
+  authenticating EC2 instance that it must match one of the IAM role ARNs specified by
+  this parameter. Wildcards are supported at the end of the ARN to allow for
+  prefix matching. The configured IAM user or EC2 instance role must be allowed to
+  execute the `iam:GetInstanceProfile` action if this is specified. This
+  constraint is checked by the ec2 auth method as well as the iam auth method
+  only when inferring an EC2 instance. This is a comma-separated string or a
+  JSON array.
+- `bound_iam_instance_profile_arn` `(list: [])` - If set, defines a constraint
+  on the EC2 instances to be associated with an IAM instance profile ARN.
+  Wildcards are supported at the end of the ARN to allow for prefix matching.
+  This constraint is
+  checked by the ec2 auth method as well as the iam auth method only when
+  inferring an ec2 instance. This is a comma-separated string or a JSON array.
+- `bound_ec2_instance_id` `(list: [])` - If set, defines a constraint on the
+  EC2 instances to have one of these instance IDs. This constraint is checked by
+  the ec2 auth method as well as the iam auth method only when inferring an ec2
+  instance. This is a comma-separated string or a JSON array.
+- `role_tag` `(string: "")` - If set, enables the role tags for this role. The
+  value set for this field should be the 'key' of the tag on the EC2 instance.
+  The 'value' of the tag should be generated using `role/<role>/tag` endpoint.
+  Defaults to an empty string, meaning that role tags are disabled. This
+  constraint is valid only with the ec2 auth method and is not allowed when
+  `auth_type` is iam.
+- `bound_iam_principal_arn` `(list: [])` - Defines the list of IAM principals
+  that are permitted to login to the role using the iam auth method. Individual
+  values should look like "arn:aws:iam::123456789012:user/MyUserName" or
+  "arn:aws:iam::123456789012:role/MyRoleName". Wildcards are supported at the
+  end of the ARN, e.g., "arn:aws:iam::123456789012:\*" will match any IAM
+  principal in the AWS account 123456789012. When `resolve_aws_unique_ids` is
+  `false` and you are binding to IAM roles (as opposed to users) and you are not
+  using a wildcard at the end, then you must specify the ARN by omitting any
+  path component; see the documentation for `resolve_aws_unique_ids` below.
+  This constraint is only checked by
+  the iam auth method. Wildcards are supported at the end of the ARN, e.g.,
+  "arn:aws:iam::123456789012:role/\*" will match all roles in the AWS account.
+  This is a comma-separated string or JSON array.
+- `inferred_entity_type` `(string: "")` - When set, instructs Vault to turn on
+  inferencing. The only current valid value is "ec2_instance" instructing Vault
+  to infer that the role comes from an EC2 instance in an IAM instance profile.
+  This only applies to the iam auth method. If you set this on an existing role
+  where it had not previously been set, tokens that had been created prior will
+  not be renewable; clients will need to get a new token.
+- `inferred_aws_region` `(string: "")` - When role inferencing is activated, the
+  region to search for the inferred entities (e.g., EC2 instances). Required if
+  role inferencing is activated. This only applies to the iam auth method.
+- `resolve_aws_unique_ids` `(bool: true)` - When set, resolves the
+  `bound_iam_principal_arn` to the
+  [AWS Unique ID](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+  for the bound principal ARN. This field is ignored when
+  `bound_iam_principal_arn` ends with a wildcard character.
+  This requires Vault to be able to call `iam:GetUser` or `iam:GetRole` on the
+  `bound_iam_principal_arn` that is being bound. Resolving to internal AWS IDs
+  more closely mimics the behavior of AWS services in that if an IAM user or
+  role is deleted and a new one is recreated with the same name, those new users
+  or roles won't get access to roles in Vault that were permissioned to the
+  prior principals of the same name. The default value for new roles is true,
+  while the default value for roles that existed prior to this option existing
+  is false (you can check the value for a given role using the GET method on the
+  role). Any authentication tokens created prior to this being supported won't
+  verify the unique ID upon token renewal. When this is changed from false to
+  true on an existing role, Vault will attempt to resolve the role's bound IAM
+  ARN to the unique ID and, if unable to do so, will fail to enable this option.
+  Changing this from `true` to `false` is not supported; if absolutely
+  necessary, you would need to delete the role and recreate it explicitly
+  setting it to `false`. However; the instances in which you would want to do
+  this should be rare. If the role creation (or upgrading to use this) succeed,
+  then Vault has already been able to resolve internal IDs, and it doesn't need
+  any further IAM permissions to authenticate users. If a role has been deleted
+  and recreated, and Vault has cached the old unique ID, you should just call
+  this endpoint specifying the same `bound_iam_principal_arn` and, as long as
+  Vault still has the necessary IAM permissions to resolve the unique ID, Vault
+  will update the unique ID. (If it does not have the necessary permissions to
+  resolve the unique ID, then it will fail to update.) If this option is set to
+  false, then you MUST leave out the path component in `bound_iam_principal_arn`
+  for **roles** that do not specify a wildcard at the end, but not IAM users or
+  role bindings that have a wildcard. That is, if your IAM role ARN is of the
+  form `arn:aws:iam::123456789012:role/some/path/to/MyRoleName`, and
+  `resolve_aws_unique_ids` is `false`, you **must** specify a
+  `bound_iam_principal_arn` of `arn:aws:iam::123456789012:role/MyRoleName` for
+  authentication to work.
+- `allow_instance_migration` `(bool: false)` - If set, allows migration of the
+  underlying instance where the client resides. This keys off of pendingTime in
+  the metadata document, so essentially, this disables the client nonce check
+  whenever the instance is migrated to a new host and pendingTime is newer than
+  the previously-remembered time. Use with caution. This only applies to
+  authentications via the ec2 auth method. This is mutually exclusive with
+  `disallow_reauthentication`.
+- `disallow_reauthentication` `(bool: false)` - If set, only allows a single
+  token to be granted per instance ID. In order to perform a fresh login, the
+  entry in whitelist for the instance ID needs to be cleared using
+  `auth/aws/identity-whitelist/<instance_id>` endpoint. Defaults to 'false'.
+  This only applies to authentications via the ec2 auth method. This is mutually
+  exclusive with `allow_instance_migration`.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "bound_ami_id": ["ami-fce36987"],
+  "bound_ec2_instance_id": ["i-12345678901234567"],
+  "role_tag": "",
+  "policies": ["default", "dev", "prod"],
+  "max_ttl": 1800000,
+  "disallow_reauthentication": false,
+  "allow_instance_migration": false
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/role/dev-role
+```
+
+## Read Role
+
+Returns the previously registered role configuration.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/auth/aws/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/aws/role/dev-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "bound_ami_id": ["ami-fce36987"],
+    "role_tag": "",
+    "policies": ["default", "dev", "prod"],
+    "max_ttl": 1800000,
+    "disallow_reauthentication": false,
+    "allow_instance_migration": false
+  }
+}
+```
+
+## List Roles
+
+Lists all the roles that are registered with the method.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `LIST` | `/auth/aws/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/aws/roles
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["dev-role", "prod-role"]
+  }
+}
+```
+
+## Delete Role
+
+Deletes the previously registered role.
+
+| Method   | Path                   |
+| :------- | :--------------------- |
+| `DELETE` | `/auth/aws/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/aws/role/dev-role
+```
+
+## Create Role Tags
+
+Creates a role tag on the role, which help in restricting the capabilities
+that are set on the role. Role tags are not tied to any specific ec2
+instance unless specified explicitly using the `instance_id` parameter. By
+default, role tags are designed to be used across all instances that
+satisfies the constraints on the role. Regardless of which instances have
+role tags on them, capabilities defined in a role tag must be a strict
+subset of the given role's capabilities. Note that, since adding and
+removing a tag is often a widely distributed privilege, care needs to be
+taken to ensure that the instances are attached with correct tags to not
+let them gain more privileges than what were intended. If a role tag is
+changed, the capabilities inherited by the instance will be those defined
+on the new role tag. Since those must be a subset of the role
+capabilities, the role should never provide more capabilities than any
+given instance can be allowed to gain in a worst-case scenario.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/auth/aws/role/:role/tag` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+- `policies` `(array: [])` - Policies to be associated with the tag. If set,
+  must be a subset of the role's policies. If set, but set to an empty value,
+  only the 'default' policy will be given to issued tokens.
+- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using
+  this role.
+- `instance_id` `(string: "")` - Instance ID for which this tag is intended for.
+  If set, the created tag can only be used by the instance with the given ID.
+- `allow_instance_migration` `(bool: false)` - If set, allows migration of the
+  underlying instance where the client resides. This keys off of pendingTime in
+  the metadata document, so essentially, this disables the client nonce check
+  whenever the instance is migrated to a new host and pendingTime is newer than
+  the previously-remembered time. Use with caution. Defaults to 'false'.
+  Mutually exclusive with `disallow_reauthentication`.
+- `disallow_reauthentication` `(bool: false)` - If set, only allows a single
+  token to be granted per instance ID. This can be cleared with the
+  auth/aws/identity-whitelist endpoint. Defaults to 'false'. Mutually exclusive
+  with `allow_instance_migration`.
+
+### Sample Payload
+
+```json
+{
+  "policies": ["default", "dev-api"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/role/dev-api-and-web-role/tag
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "tag_value": "v1:09Vp0qGuyB8=:r=dev-role:p=default,dev-api:d=false:t=300h0m0s:uPLKCQxqsefRhrp1qmVa1wsQVUXXJG8UZP/pJIdVyOI=",
+    "tag_key": "VaultRole"
+  }
+}
+```
+
+## Login
+
+Fetch a token. This endpoint verifies the pkcs7 signature of the instance
+identity document or the signature of the signed GetCallerIdentity request.
+With the ec2 auth method, or when inferring an EC2 instance, verifies that
+the instance is actually in a running state. Cross checks the constraints
+defined on the role with which the login is being performed. With the ec2
+auth method, as an alternative to pkcs7 signature, the identity document
+along with its RSA digest can be supplied to this endpoint.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/auth/aws/login` |
+
+### Sample Payload
+
+- `role` `(string: "")` - Name of the role against which the login is being
+  attempted. If `role` is not specified, then the login endpoint looks for a
+  role bearing the name of the AMI ID of the EC2 instance that is trying to
+  login if using the ec2 auth method, or the "friendly name" (i.e., role name or
+  username) of the IAM principal authenticated. If a matching role is not found,
+  login fails.
+- `identity` `(string: <required-ec2>)` - Base64 encoded EC2 instance identity
+  document. This needs to be supplied along with the `signature` parameter. If
+  using `curl` for fetching the identity document, consider using the option
+  `-w 0` while piping the output to `base64` binary.
+- `signature` `(string: <required-ec2>)` - Base64 encoded SHA256 RSA signature of
+  the instance identity document. This needs to be supplied along with
+  `identity` parameter when using the ec2 auth method.
+- `pkcs7` `(string: <required-ec2>)` - PKCS7 signature of the identity document with
+  all `\n` characters removed. Either this needs to be set _OR_ both `identity`
+  and `signature` need to be set when using the ec2 auth method.
+- `nonce` `(string: "")` - The nonce to be used for subsequent login requests.
+  If this parameter is not specified at all and if reauthentication is allowed,
+  then the method will generate a random nonce, attaches it to the instance's
+  identity-whitelist entry and returns the nonce back as part of auth metadata.
+  This value should be used with further login requests, to establish client
+  authenticity. Clients can choose to set a custom nonce if preferred, in which
+  case, it is recommended that clients provide a strong nonce. If a nonce is
+  provided but with an empty value, it indicates intent to disable
+  reauthentication. Note that, when `disallow_reauthentication` option is
+  enabled on either the role or the role tag, the `nonce` holds no significance.
+  This is ignored unless using the ec2 auth method.
+- `iam_http_request_method` `(string: <required-iam>)` - HTTP method used in the
+  signed request. Currently only POST is supported, but other methods may be
+  supported in the future. This is required when using the iam auth method.
+- `iam_request_url` `(string: <required-iam>)` - Base64-encoded HTTP URL used in
+  the signed request. Most likely just `aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=`
+  (base64-encoding of `https://sts.amazonaws.com/`) as most requests will
+  probably use POST with an empty URI. This is required when using the iam auth
+  method.
+- `iam_request_body` `(string: <required-iam>)` - Base64-encoded body of the
+  signed request. Most likely
+  `QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==` which is the
+  base64 encoding of `Action=GetCallerIdentity&Version=2011-06-15`. This is
+  required when using the iam auth method.
+- `iam_request_headers` `(string: <required-iam>)` - Key/value pairs of headers
+  for use in the `sts:GetCallerIdentity` HTTP requests headers. Can be either a
+  Base64-encoded, JSON-serialized string, or a JSON object of key/value pairs. The
+  JSON serialization assumes that each header key maps to either a string value or
+  an array of string values (though the length of that array will probably only be
+  one). If the `iam_server_id_header_value` is configured in Vault for the aws
+  auth mount, then the headers must include the X-Vault-AWS-IAM-Server-ID header,
+  its value must match the value configured, and the header must be included in
+  the signed headers. This is required when using the iam auth method.
+
+### Sample Payload
+
+```json
+{}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/aws/login
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "renewable": true,
+    "lease_duration": 1800000,
+    "metadata": {
+      "role_tag_max_ttl": "0",
+      "instance_id": "i-de0f1344",
+      "ami_id": "ami-fce36983",
+      "role": "dev-role",
+      "auth_type": "ec2"
+    },
+    "policies": ["default", "dev"],
+    "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
+    "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
+  }
+}
+```
+
+## Place Role Tags in Blacklist
+
+Places a valid role tag in a blacklist. This ensures that the role tag
+cannot be used by any instance to perform a login operation again. Note
+that if the role tag was previously used to perform a successful login,
+placing the tag in the blacklist does not invalidate the already issued
+token.
+
+| Method | Path                                    |
+| :----- | :-------------------------------------- |
+| `POST` | `/auth/aws/roletag-blacklist/:role_tag` |
+
+### Parameters
+
+- `role_tag` `(string: <required>)` - Role tag to be blacklisted. This is the `tag_value` returned when the role tag is
+  created. The tag can be supplied as-is. In order to avoid any encoding problems, it can be base64
+  encoded.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/aws/roletag-blacklist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
+```
+
+### Read Role Tag Blacklist Information
+
+Returns the blacklist entry of a previously blacklisted role tag.
+
+| Method | Path                                    |
+| :----- | :-------------------------------------- |
+| `GET`  | `/auth/aws/roletag-blacklist/:role_tag` |
+
+### Parameters
+
+- `role_tag` `(string: <required>)` - Role tag to be blacklisted. The tag can be
+  supplied as-is. In order to avoid any encoding problems, it can be base64
+  encoded.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/aws/roletag-blacklist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "expiration_time": "2016-04-25T10:35:20.127058773-04:00",
+    "creation_time": "2016-04-12T22:35:01.178348124-04:00"
+  }
+}
+```
+
+## List Blacklist Tags
+
+Lists all the role tags that are blacklisted.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `LIST` | `/auth/aws/roletag-blacklist` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/aws/roletag-blacklist
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": [
+      "v1:09Vp0qGuyB8=:a=ami-fce3c696:p=default,prod:d=false:t=300h0m0s:uPLKCQxqsefRhrp1qmVa1wsQVUXXJG8UZP/"
+    ]
+  }
+}
+```
+
+## Delete Blacklist Tags
+
+Deletes a blacklisted role tag.
+
+| Method   | Path                                    |
+| :------- | :-------------------------------------- |
+| `DELETE` | `/auth/aws/roletag-blacklist/:role_tag` |
+
+### Parameters
+
+- `role_tag` `(string: <required>)` - Role tag to be blacklisted. The tag can be
+  supplied as-is. In order to avoid any encoding problems, it can be base64
+  encoded.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/aws/roletag-blacklist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
+```
+
+## Tidy Blacklist Tags
+
+Cleans up the entries in the blacklist based on expiration time on the entry and
+`safety_buffer`.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `POST` | `/auth/aws/tidy/roletag-blacklist` |
+
+### Parameters
+
+- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
+  passed beyond the `roletag` expiration, before it is removed from the method
+  storage. Defaults to 72h.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/aws/tidy/roletag-blacklist
+```
+
+### Read Identity Whitelist Information
+
+Returns an entry in the whitelist. An entry will be created/updated by every
+successful login.
+
+| Method | Path                                        |
+| :----- | :------------------------------------------ |
+| `GET`  | `/auth/aws/identity-whitelist/:instance_id` |
+
+### Parameters
+
+- `instance_id` `(string: <required>)` - EC2 instance ID. A successful login
+  operation from an EC2 instance gets cached in this whitelist, keyed off of
+  instance ID.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/aws/identity-whitelist/i-aab47d37
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "pending_time": "2016-04-14T01:01:41Z",
+    "expiration_time": "2016-05-05 10:09:16.67077232 +0000 UTC",
+    "creation_time": "2016-04-14 14:09:16.67077232 +0000 UTC",
+    "client_nonce": "5defbf9e-a8f9-3063-bdfc-54b7a42a1f95",
+    "role": "dev-role"
+  }
+}
+```
+
+## List Identity Whitelist Entries
+
+Lists all the instance IDs that are in the whitelist of successful logins.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `LIST` | `/auth/aws/identity-whitelist` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/aws/identity-whitelist
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["i-aab47d37"]
+  }
+}
+```
+
+## Delete Identity Whitelist Entries
+
+Deletes a cache of the successful login from an instance.
+
+| Method   | Path                                        |
+| :------- | :------------------------------------------ |
+| `DELETE` | `/auth/aws/identity-whitelist/:instance_id` |
+
+### Parameters
+
+- `instance_id` `(string: <required>)` - EC2 instance ID. A successful login
+  operation from an EC2 instance gets cached in this whitelist, keyed off of
+  instance ID.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/aws/identity-whitelist/i-aab47d37
+```
+
+## Tidy Identity Whitelist Entries
+
+Cleans up the entries in the whitelist based on expiration time and
+`safety_buffer`.
+
+| Method | Path                                |
+| :----- | :---------------------------------- |
+| `POST` | `/auth/aws/tidy/identity-whitelist` |
+
+### Parameters
+
+- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
+  passed beyond the `roletag` expiration, before it is removed from the method
+  storage. Defaults to 72h.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/aws/tidy/identity-whitelist
+```
diff --git a/website/pages/api-docs/auth/azure/index.mdx b/website/pages/api-docs/auth/azure/index.mdx
new file mode 100644
index 000000000000..a3ee1003cf34
--- /dev/null
+++ b/website/pages/api-docs/auth/azure/index.mdx
@@ -0,0 +1,314 @@
+---
+layout: api
+page_title: Azure - Auth Methods - HTTP API
+sidebar_title: Azure
+description: |-
+  This is the API documentation for the Vault Azure authentication
+  method plugin.
+---
+
+# Azure Auth Method (API)
+
+This is the API documentation for the Vault Azure auth method
+plugin. To learn more about the usage and operation, see the
+[Vault Azure method documentation](/docs/auth/azure.html).
+
+This documentation assumes the plugin method is mounted at the
+`/auth/azure` path in Vault. Since it is possible to enable auth methods
+at any location, please update your API calls accordingly.
+
+## Configure
+
+Configures the credentials required for the plugin to perform API calls
+to Azure. These credentials will be used to query the metadata about the
+virtual machine.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/auth/azure/config` |
+
+### Parameters
+
+- `tenant_id` `(string: <required>)` - The tenant id for the Azure Active Directory organization.
+- `resource` `(string: <required>)` - The configured URL for the application registered in Azure Active Directory.
+- `environment` `(string: 'AzurePublicCloud')` - The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.
+- `client_id` `(string: '')` - The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.
+- `client_secret` `(string: '')` - The client secret for credentials to query the Azure APIs.
+
+### Sample Payload
+
+```json
+{
+  "tenant_id": "kd83...",
+  "resource": "https://vault.hashicorp.com/",
+  "client_id": "12ud...",
+  "client_secret": "DUJDS3..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/auth/azure/config
+```
+
+# Read Config
+
+Returns the previously configured config, including credentials.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/auth/azure/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/auth/azure/config
+```
+
+### Sample Response
+
+```json
+{
+  "data":{
+    "tenant_id": "kd83...",
+    "resource": "https://vault.hashicorp.com/",
+    "client_id": "12ud...",
+    "client_secret": "DUJDS3..."
+  },
+  ...
+}
+
+```
+
+## Delete Config
+
+Deletes the previously configured Azure config and credentials.
+
+| Method   | Path                 |
+| :------- | :------------------- |
+| `DELETE` | `/auth/azure/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/auth/azure/config
+```
+
+## Create Role
+
+Registers a role in the method. Role types have specific entities
+that can perform login operations against this endpoint. Constraints specific
+to the role type must be set on the role. These are applied to the authenticated
+entities attempting to login.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/auth/azure/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+- `bound_service_principal_ids` `(array: [])` - The list of Service Principal IDs
+  that login is restricted to.
+- `bound_group_ids` `(array: [])` - The list of group ids that login is restricted
+  to.
+- `bound_locations` `(array: [])` - The list of locations that login is restricted to.
+- `bound_subscription_ids` `(array: [])` - The list of subscription IDs that login
+  is restricted to.
+- `bound_resource_groups` `(array: [])` - The list of resource groups that
+  login is restricted to.
+- `bound_scale_sets` `(array: [])` - The list of scale set names that the
+  login is restricted to.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "token_policies": ["default", "dev", "prod"],
+  "max_ttl": 1800000,
+  "max_jwt_exp": 10000,
+  "bound_resource_groups": ["vault-dev", "vault-staging", "vault-prod"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/auth/azure/role/dev-role
+```
+
+## Read Role
+
+Returns the previously registered role configuration.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/auth/azure/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/auth/azure/role/dev-role
+```
+
+### Sample Response
+
+```json
+{
+  "data":{
+    "token_policies": [
+        "default",
+        "dev",
+        "prod"
+    ],
+    "max_ttl": 1800000,
+    "max_jwt_exp": 10000,
+    "bound_resource_groups": [
+        "vault-dev",
+        "vault-staging",
+        "vault-prod"
+    ]
+  },
+  ...
+}
+
+```
+
+## List Roles
+
+Lists all the roles that are registered with the plugin.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `LIST` | `/auth/azure/role` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/auth/azure/role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": [
+      "dev-role",
+      "prod-role"
+    ]
+  },
+  ...
+}
+```
+
+## Delete Role
+
+Deletes the previously registered role.
+
+| Method   | Path                     |
+| :------- | :----------------------- |
+| `DELETE` | `/auth/azure/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/auth/azure/role/dev-role
+```
+
+## Login
+
+Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
+a role name for some entity. It verifies the JWT signature to authenticate that
+entity and then authorizes the entity for the given role.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/auth/azure/login` |
+
+### Sample Payload
+
+- `role` `(string: <required>)` - Name of the role against which the login is being
+  attempted.
+- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI.
+- `subscription_id` `(string: "")` - The subscription ID for the machine that
+  generated the MSI token. This information can be obtained through instance
+  metadata.
+- `resource_group_name` `(string: "")` - The resource group for the machine that
+  generated the MSI token. This information can be obtained through instance
+  metadata.
+- `vm_name` `(string: "")` - The virtual machine name for the machine that
+  generated the MSI token. This information can be obtained through instance
+  metadata. If vmss_name is provided, this value is ignored.
+- `vmss_name` `(string: "")` - The virtual machine scale set name for the machine
+  that generated the MSI token. This information can be obtained through instance
+  metadata.
+
+### Sample Payload
+
+```json
+{
+  "role": "dev-role",
+  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/auth/azure/login
+```
+
+### Sample Response
+
+```json
+{
+    "auth":{
+        "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
+        "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
+        "token_policies":[
+            "default",
+            "dev",
+            "prod"
+        ],
+        "lease_duration":2764800,
+        "renewable":true
+    },
+    ...
+}
+```
diff --git a/website/pages/api-docs/auth/cert/index.mdx b/website/pages/api-docs/auth/cert/index.mdx
new file mode 100644
index 000000000000..d53cfd1a1f32
--- /dev/null
+++ b/website/pages/api-docs/auth/cert/index.mdx
@@ -0,0 +1,357 @@
+---
+layout: api
+page_title: TLS Certificate - Auth Methods - HTTP API
+sidebar_title: TLS Certificates
+description: |-
+  This is the API documentation for the Vault TLS Certificate authentication
+  method.
+---
+
+# TLS Certificate Auth Method (API)
+
+This is the API documentation for the Vault TLS Certificate authentication
+method. For general information about the usage and operation of the TLS
+Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert.html).
+
+This documentation assumes the TLS Certificate method is mounted at the
+`/auth/cert` path in Vault. Since it is possible to enable auth methods at any
+location, please update your API calls accordingly.
+
+## Create CA Certificate Role
+
+Sets a CA cert and associated parameters in a role name.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/auth/cert/certs/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the certificate role.
+- `certificate` `(string: <required>)` - The PEM-format CA certificate.
+- `allowed_names` `(string: "")` - DEPRECATED: Please use the individual
+  `allowed_X_sans` parameters instead. Constrain the Common and Alternative
+  Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
+  a comma-separated list of patterns. Authentication requires at least one Name
+  matching at least one pattern. If not set, defaults to allowing all names.
+- `allowed_common_names` `(string: "" or array: [])` - Constrain the Common
+  Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
+  a comma-separated list of patterns. Authentication requires at least one Name
+  matching at least one pattern. If not set, defaults to allowing all names.
+- `allowed_dns_sans` `(string: "" or array: [])` - Constrain the Alternative
+  Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
+  a comma-separated list of patterns. Authentication requires at least one DNS
+  matching at least one pattern. If not set, defaults to allowing all dns.
+- `allowed_email_sans` `(string: "" or array: [])` - Constrain the Alternative
+  Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
+  a comma-separated list of patterns. Authentication requires at least one
+  Email matching at least one pattern. If not set, defaults to allowing all
+  emails.
+- `allowed_uri_sans` `(string: "" or array: [])` - Constrain the Alternative
+  Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
+  a comma-separated list of URI patterns. Authentication requires at least one
+  URI matching at least one pattern. If not set, defaults to allowing all URIs.
+- `allowed_organizational_units` `(string: "" or array: [])` - Constrain the
+  Organizational Units (OU) in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
+  a comma-separated list of OU patterns. Authentication requires at least one
+  OU matching at least one pattern. If not set, defaults to allowing all OUs.
+- `required_extensions` `(string: "" or array: [])` - Require specific Custom
+  Extension OIDs to exist and match the pattern. Value is a comma separated
+  string or array of `oid:value`. Expects the extension value to be some type
+  of ASN1 encoded string. All conditions _must_ be met. Supports globbing on
+  `value`.
+- `display_name` `(string: "")` - The `display_name` to set on tokens issued
+  when authenticating against this CA certificate. If not set, defaults to the
+  name of the role.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
+  "display_name": "test",
+  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
+```
+
+## Read CA Certificate Role
+
+Gets information associated with the named role.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/auth/cert/certs/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the certificate role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
+    "display_name": "test",
+    "policies": "",
+    "allowed_names": "",
+    "required_extensions": "",
+    "ttl": 2764800,
+    "max_ttl": 2764800,
+    "period": 0
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+## List Certificate Roles
+
+Lists configured certificate names.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `LIST` | `/auth/cert/certs` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/cert/certs
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["cert1", "cert2"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Delete Certificate Role
+
+Deletes the named role and CA cert from the method mount.
+
+| Method   | Path                     |
+| :------- | :----------------------- |
+| `DELETE` | `/auth/cert/certs/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the certificate role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/cert/certs/cert1
+```
+
+## Create CRL
+
+Sets a named CRL.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/auth/cert/crls/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the CRL.
+- `crl` `(string: <required>)` - The PEM format CRL.
+
+### Sample Payload
+
+```json
+{
+  "crl": "-----BEGIN X509 CRL-----\n...\n-----END X509 CRL-----"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
+```
+
+## Read CRL
+
+Gets information associated with the named CRL (currently, the serial
+numbers contained within). As the serials can be integers up to an
+arbitrary size, these are returned as strings.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/auth/cert/crls/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the CRL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "serials": {
+      "13": {}
+    }
+  },
+  "lease_duration": 0,
+  "lease_id": "",
+  "renewable": false,
+  "warnings": null
+}
+```
+
+## Delete CRL
+
+Deletes the named CRL from the auth method mount.
+
+| Method   | Path                    |
+| :------- | :---------------------- |
+| `DELETE` | `/auth/cert/crls/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the CRL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/cert/crls/cert1
+```
+
+## Configure TLS Certificate Method
+
+Configuration options for the method.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/auth/cert/config` |
+
+### Parameters
+
+- `disable_binding` `(boolean: false)` - If set, during renewal, skips the
+  matching of presented client identity with the client identity used during
+  login.
+
+### Sample Payload
+
+```json
+{
+  "disable_binding": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/cert/certs/cert1
+```
+
+## Login with TLS Certificate Method
+
+Log in and fetch a token. If there is a valid chain to a CA configured in the
+method and all role constraints are matched, a token will be issued. If the
+certificate has DNS SANs in it, each of those will be verified. If Common Name
+is required to be verified, then it should be a fully qualified DNS domain name
+and must be duplicated as a DNS SAN (see
+https://tools.ietf.org/html/rfc6125#section-2.3)
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/auth/cert/login` |
+
+### Parameters
+
+- `name` `(string: "")` - Authenticate against only the named certificate role,
+  returning its policy list if successful. If not set, defaults to trying all
+  certificate roles and returning any one that matches.
+
+### Sample Payload
+
+```json
+{
+  "name": "cert1"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --cert cert.pem \
+    --key key.pem \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/auth/cert/login
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "client_token": "cf95f87d-f95b-47ff-b1f5-ba7bff850425",
+    "policies": ["web", "stage"],
+    "lease_duration": 3600,
+    "renewable": true
+  }
+}
+```
diff --git a/website/pages/api-docs/auth/cf/index.mdx b/website/pages/api-docs/auth/cf/index.mdx
new file mode 100644
index 000000000000..4bedd728e6e7
--- /dev/null
+++ b/website/pages/api-docs/auth/cf/index.mdx
@@ -0,0 +1,337 @@
+---
+layout: api
+page_title: Cloud Foundry - Auth Methods - HTTP API
+sidebar_title: Cloud Foundry
+description: This is the API documentation for the Vault Cloud Foundry auth method.
+---
+
+# Pivotal Cloud Foundry (CF) Auth Method (API)
+
+This is the API documentation for the Vault CF auth method. For
+general information about the usage and operation of the CF method, please
+see the [Vault CF method documentation](/docs/auth/cf.html).
+
+This documentation assumes the CF method is mounted at the `/auth/cf`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Create Configuration
+
+Configure the root CA certificate to be used for verifying instance identity
+certificates, and configure access to the CF API. For detailed instructions
+on how to obtain these values, please see the [Vault CF method
+documentation](/docs/auth/cf.html).
+
+| Method | Path              |
+| :----- | ----------------- |
+| `POST` | `/auth/cf/config` |
+
+### Parameters
+
+- `identity_ca_certificates` `(array: [], required)` - The root CA certificate(s)
+  to be used for verifying that the `CF_INSTANCE_CERT` presented for logging in was
+  issued by the proper authority.
+- `cf_api_addr` `(string: required)`: CF's full API address, to be used for verifying
+  that a given `CF_INSTANCE_CERT` shows an application ID, space ID, and organization ID
+  that presently exist.
+- `cf_username` `(string: required)`: The username for authenticating to the CF API.
+- `cf_password` `(string: required)`: The password for authenticating to the CF API.
+- `cf_api_trusted_certificates` `(array: [])`: The certificate that's presented by the
+  CF API. This configures Vault to trust this certificate when making API calls, resolving
+  `x509: certificate signed by unknown authority` errors.
+- `login_max_seconds_not_before` `(int: 300)`: The maximum number of seconds in the past when a
+  signature could have been created. The lower the value, the lower the risk of replay
+  attacks.
+- `login_max_seconds_not_after` `(int: 60)`: In case of clock drift, the maximum number of
+  seconds in the future when a signature could have been created. The lower the value,
+  the lower the risk of replay attacks.
+
+### Sample Payload
+
+```json
+{
+  "identity_ca_certificates": [
+    "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"
+  ],
+  "cf_api_addr": "https://api.sys.somewhere.cf-app.com",
+  "cf_username": "vault",
+  "cf_password": "pa55w0rd",
+  "cf_api_trusted_certificates": [
+    "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"
+  ],
+  "login_max_seconds_not_before": 5,
+  "login_max_seconds_not_after": 1
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/cf/config
+```
+
+## Read Config
+
+Returns the present CF configuration.
+
+| Method | Path              |
+| :----- | ----------------- |
+| `GET`  | `/auth/cf/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/cf/config
+```
+
+### Sample Response
+
+```json
+{
+  "identity_ca_certificates": [
+    "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"
+  ],
+  "cf_api_addr": "https://api.sys.somewhere.cf-app.com",
+  "cf_username": "vault",
+  "cf_api_trusted_certificates": [
+    "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"
+  ],
+  "login_max_seconds_not_before": 5,
+  "login_max_seconds_not_after": 1
+}
+```
+
+## Delete Config
+
+Deletes the present CF configuration.
+
+| Method   | Path              |
+| :------- | ----------------- |
+| `DELETE` | `/auth/cf/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/cf/config
+```
+
+## Create Role
+
+Create a role in Vault granting a particular level of access to a particular group
+of CF instances. We recommend using the CF API or the CF CLI to gain the IDs you
+wish to target.
+
+If you list no `bound` parameters, then any entity with a valid
+`CF_INSTANCE_CERT` that's been issued by any configured `identity_ca_certificates`
+will be able to authenticate against this role.
+
+| Method | Path                   |
+| :----- | ---------------------- |
+| `POST` | `/auth/cf/roles/:role` |
+
+### Parameters
+
+- `role` `(string: required)` - The name of the role.
+- `bound_application_ids` `(array: [])` - An optional list of application IDs
+  an instance must be a member of to qualify as a member of this role.
+- `bound_space_ids` `(array: [])` - An optional list of space IDs
+  an instance must be a member of to qualify as a member of this role.
+- `bound_organization_ids` `(array: [])` - An optional list of organization IDs
+  an instance must be a member of to qualify as a member of this role.
+- `bound_instance_ids` `(array: [])` - An optional list of instance IDs
+  an instance must be a member of to qualify as a member of this role. Please note that
+  every time you use `cf push` on an app, its instance ID changes. Also, instance IDs
+  are not verifiable as being presently alive using the CF API. Thus, we recommend against
+  using this setting for most use cases.
+- `disable_ip_matching` `(bool: false)` - If set to true, disables the default behavior
+  that logging in must be performed from an acceptable IP address described by the
+  certificate presented. Should only be set to true if required, generally when a proxy
+  is used to perform logins.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "bound_application_ids": ["09d7eb6a-afc2-49a0-bb32-858c22f2b346"],
+  "bound_space_ids": ["21005ebb-8943-433e-84e6-d9d9d7338853"],
+  "bound_organization_ids": ["9785a884-5e93-49bd-97ee-57bf7c2b20e0"],
+  "bound_instance_ids": ["f3e0f176-3f83-4efb-5842-2ff4"],
+  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
+  "policies": ["default"],
+  "ttl": "1h",
+  "max_ttl": "1h",
+  "period": "1h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/cf/roles/:role
+```
+
+## Read Role
+
+Returns a CF role.
+
+| Method | Path                   |
+| :----- | ---------------------- |
+| `GET`  | `/auth/cf/roles/:role` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/cf/roles/:role
+```
+
+### Sample Response
+
+```json
+{
+  "bound_application_ids": ["09d7eb6a-afc2-49a0-bb32-858c22f2b346"],
+  "bound_space_ids": ["21005ebb-8943-433e-84e6-d9d9d7338853"],
+  "bound_organization_ids": ["9785a884-5e93-49bd-97ee-57bf7c2b20e0"],
+  "bound_instance_ids": ["f3e0f176-3f83-4efb-5842-2ff4"],
+  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
+  "policies": ["default"],
+  "ttl": 2764790,
+  "max_ttl": 2764790,
+  "period": 2764790
+}
+```
+
+## Delete Role
+
+Deletes a CF role.
+
+| Method   | Path                   |
+| :------- | ---------------------- |
+| `DELETE` | `/auth/cf/roles/:role` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/cf/roles/:role
+```
+
+## List Roles
+
+Returns a CF role.
+
+| Method | Path             |
+| :----- | ---------------- |
+| `LIST` | `/auth/cf/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST
+    http://127.0.0.1:8200/v1/auth/cf/roles
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["role1", "role2"]
+  }
+}
+```
+
+## Login
+
+Log in to CF.
+
+Vault provides both an agent and a CLI tool for logging in that
+eliminates the need to build a signature yourself. However, if you do wish to
+build the signature, its signing algorithm is viewable [here](https://github.com/hashicorp/vault-plugin-auth-cf/tree/master/signatures).
+The [plugin repo](https://github.com/hashicorp/vault-plugin-auth-cf) also contains
+a command-line tool (`generate-signature`) that can be compiled as a binary for generating a signature,
+and a test that outputs steps in generating the signature so they can be duplicated.
+
+However, at a high level, these are the steps for generating a signature:
+
+- Get and format the current time, ex. `2006-01-02T15:04:05Z`.
+- Get the full body of the file located at `CF_INSTANCE_CERT`.
+- Get the name of the role.
+- Concatenate them together in the above order, with no extra string used for joining them.
+- Create a SHA256 checksum of the resulting string (`checksum` below).
+- Sign the string using the key located at `CF_INSTANCE_KEY`. In Go, this is performed using
+  the following line of code which you can more deeply inspect:
+
+```
+rsa.SignPSS(rand.Reader, rsaPrivateKey, crypto.SHA256, checksum, nil)
+```
+
+- Convert the signature to a string.
+
+| Method | Path             |
+| :----- | ---------------- |
+| `POST` | `/auth/cf/login` |
+
+### Parameters
+
+- `role` `(string: required)` - The name of the role.
+- `cf_instance_cert` `(string: required)` - The full body of the file available at
+  the path denoted by `CF_INSTANCE_CERT`.
+- `signing_time` `(string: required)` - The date and time used to construct the signature.
+- `signature` `(string: required)` - The signature generated by the algorithm described
+  above using the `CF_INSTANCE_KEY`.
+
+### Sample Payload
+
+```json
+{
+  "role": "test-role",
+  "cf_instance_cert": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
+  "signing_time": "2006-01-02T15:04:05Z",
+  "signature": "MmyUjQ1OqxQmF0W6raVQDL-hlqqe1oG-7abA6Oi3NHwT-9lMfrYxsCwMnd2HKGMly2tCgetcoA2orfquoe6MkMuksx_KGH_KLObcAykt53z4rHceHKGvm7eGj60cjWFYtiNPic-lzUGERLbUeKLMi6NlThm9ueb7hhpyTUpEYtphV3gorbVxvlkrnuYSbgy2NGpOUY1N8dRzcxmHkYjh12XoWEw4Is5aFr6eFKbZ0vmLWBzhJ7_w20CFyTpRYB-6heGz1iR9qEG8mZk3_x4rZpT5mejJ5zmH2xlUjBJMndfcz47btEi2BO9pFVxK2wK-tKeUUFgx6RcomAopTskkmg=="
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/cf/login
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "renewable": true,
+    "lease_duration": 1800000,
+    "policies": ["default", "dev"],
+    "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
+    "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
+  }
+}
+```
diff --git a/website/pages/api-docs/auth/gcp/index.mdx b/website/pages/api-docs/auth/gcp/index.mdx
new file mode 100644
index 000000000000..afdb116c8e7e
--- /dev/null
+++ b/website/pages/api-docs/auth/gcp/index.mdx
@@ -0,0 +1,440 @@
+---
+layout: api
+page_title: Google Cloud - Auth Methods - HTTP API
+sidebar_title: Google Cloud
+description: |-
+  This is the API documentation for the Vault Google Cloud authentication
+  method.
+---
+
+# Google Cloud Auth Method (API)
+
+This is the API documentation for the Vault Google Cloud auth method. To learn
+more about the usage and operation, see the
+[Vault Google Cloud method documentation](/docs/auth/gcp.html).
+
+This documentation assumes the plugin method is mounted at the
+`/auth/gcp` path in Vault. Since it is possible to enable auth methods
+at any location, please update your API calls accordingly.
+
+## Configure
+
+Configures the credentials required for the plugin to perform API calls
+to Google Cloud. These credentials will be used to query the status of IAM
+entities and get service account or other Google public certificates
+to confirm signed JWTs passed in during login.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/auth/gcp/config` |
+
+### Parameters
+
+- `credentials` `(string: "")` - A JSON string containing the contents
+  of a GCP credentials file. The credentials file must have the following
+  [permissions](https://cloud.google.com/compute/docs/access/iam):
+
+  ```
+  iam.serviceAccounts.get
+  iam.serviceAccountKeys.get
+  ```
+
+  If this value is empty, Vault will try to use [Application Default
+  Credentials][gcp-adc] from the machine on which the Vault server is running.
+
+  The project must have the `iam.googleapis.com` API [enabled](https://console.cloud.google.com/flows/enableapi?apiid=iam.googleapis.com).
+
+### Sample Payload
+
+```json
+{
+  "credentials": "{ \"type\": \"service_account\", \"project_id\": \"project-123456\", ...}"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/gcp/config
+```
+
+## Read Config
+
+Returns the configuration, if any, including credentials.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/auth/gcp/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/gcp/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "client_email": "service-account@project-123456.iam.gserviceaccount.com",
+    "client_id": "123456789101112131415",
+    "private_key_id": "97fd7ba59a96e1f3830296aedb4f50879e4d5382",
+    "project_id": "project-123456"
+  }
+}
+```
+
+## Create Role
+
+Registers a role in the method. Role types have specific entities
+that can perform login operations against this endpoint. Constraints specific
+to the role type must be set on the role. These are applied to the authenticated
+entities attempting to login.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/auth/gcp/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the role.
+
+- `type` `(string: <required>)` - The type of this role. Certain fields
+  correspond to specific roles and will be rejected otherwise. Please see below
+  for more information.
+
+- `bound_service_accounts` `(array: <required for iam>)` - An array of
+  service account emails or IDs that login is restricted to,
+  either directly or through an associated instance. If set to
+  `*`, all service accounts are allowed (you can bind this further using
+  `bound_projects`.)
+
+- `bound_projects` `(array: [])` - An array of GCP project IDs. Only entities
+  belonging to this project can authenticate under the role.
+
+- `add_group_aliases` `(bool: false)` - If true, any auth token
+  generated under this token will have associated group aliases, namely
+  `project-$PROJECT_ID`, `folder-$PROJECT_ID`, and `organization-$ORG_ID`
+  for the entities project and all its folder or organization ancestors. This
+  requires Vault to have IAM permission `resourcemanager.projects.get`.
+
+@include 'partials/tokenfields.mdx'
+
+#### `iam`-only Parameters
+
+The following parameters are only valid when the role is of type `"iam"`:
+
+- `max_jwt_exp` `(string: "15m")` - The number of seconds past the time of
+  authentication that the login param JWT must expire within. For example, if a
+  user attempts to login with a token that expires within an hour and this is
+  set to 15 minutes, Vault will return an error prompting the user to create a
+  new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not
+  allow the `exp` claim to be customized.
+
+- `allow_gce_inference` `(bool: true)` - A flag to determine if this role should
+  allow GCE instances to authenticate by inferring service accounts from the
+  GCE identity metadata token.
+
+#### `gce`-only Parameters
+
+The following parameters are only valid when the role is of type `"gce"`:
+
+- `bound_zones` `(array: [])`: The list of zones that a GCE instance must belong
+  to in order to be authenticated. If `bound_instance_groups` is provided, it is
+  assumed to be a zonal group and the group must belong to this zone.
+
+- `bound_regions` `(array: [])`: The list of regions that a GCE instance must
+  belong to in order to be authenticated. If `bound_instance_groups` is
+  provided, it is assumed to be a regional group and the group must belong to
+  this region. If `bound_zones` are provided, this attribute is ignored.
+
+- `bound_instance_groups` `(array: [])`: The instance groups that an authorized
+  instance must belong to in order to be authenticated. If specified, either
+  `bound_zones` or `bound_regions` must be set too.
+
+- `bound_labels` `(array: [])`: A comma-separated list of GCP labels formatted
+  as "key:value" strings that must be set on authorized GCE instances. Because
+  GCP labels are not currently ACL'd, we recommend that this be used in
+  conjunction with other restrictions.
+
+### Sample Payload
+
+Example `iam` role:
+
+```json
+{
+  "type": "iam",
+  "project_id": "project-123456",
+  "policies": ["prod"],
+  "ttl": "30m",
+  "max_ttl": "24h",
+  "max_jwt_exp": "5m",
+  "bound_service_accounts": ["dev-1@project-123456.iam.gserviceaccount.com"]
+}
+```
+
+Example `gce` role:
+
+```json
+{
+  "type": "gce",
+  "project_id": "project-123456",
+  "policies": ["prod"],
+  "bound_zones": ["us-east1-b", "eu-west2-a"],
+  "ttl": "30m",
+  "max_ttl": "24h",
+  "bound_service_accounts": ["dev-1@project-123456.iam.gserviceaccount.com"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
+```
+
+## Edit Service Accounts on IAM Role
+
+Edit service accounts for an existing IAM role in the method.
+This allows you to add or remove service accounts from the list of
+service accounts on the role.
+
+| Method | Path                                    |
+| :----- | :-------------------------------------- |
+| `POST` | `/auth/gcp/role/:name/service-accounts` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of an existing `iam` type role. This
+  will return an error if role is not an `iam` type role.
+
+- `add` `(array: [])` - The list of service accounts to add to the role's
+  service accounts.
+
+- `remove` `(array: [])` - The list of service accounts to remove from the
+  role's service accounts.
+
+### Sample Payload
+
+```json
+{
+  "add": ["dev-1@project-123456.iam.gserviceaccount.com", "123456789"],
+  "remove": ["dev-2@project-123456.iam.gserviceaccount.com"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
+```
+
+## Edit Labels on GCE Role
+
+Edit labels for an existing GCE role in the backend. This allows you to add or
+remove labels (keys, values, or both) from the list of keys on the role.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/auth/gcp/role/:name/labels` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of an existing `gce` role. This will
+  return an error if role is not a `gce` type role.
+
+- `add` `(array: [])` - The list of `key:value` labels to add to the GCE role's
+  bound labels.
+
+- `remove` `(array: [])` - The list of label _keys_ to remove from the role's
+  bound labels. If any of the specified keys do not exist, no error is returned
+  (idempotent).
+
+### Sample Payload
+
+```json
+{
+  "add": ["foo:bar", "env:dev", "key:value"],
+  "remove": ["key1", "key2"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
+```
+
+## Read Role
+
+Returns the previously registered role configuration.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/auth/gcp/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the role to read.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "bound_labels": {
+      "env": "dev",
+      "foo": "bar",
+      "key": "value"
+    },
+    "bound_service_accounts": ["dev-1@project-123456.iam.gserviceaccount.com"],
+    "bound_zones": ["eu-west2-a", "us-east1-b"],
+    "max_ttl": 86400,
+    "policies": ["prod"],
+    "project_id": "project-123456",
+    "type": "gce",
+    "ttl": 1800
+  }
+}
+```
+
+## List Roles
+
+Lists all the roles that are registered with the plugin.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `LIST` | `/auth/gcp/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/gcp/roles
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["my-role", "my-other-role"]
+  }
+}
+```
+
+## Delete Role
+
+Deletes the previously registered role.
+
+| Method   | Path                   |
+| :------- | :--------------------- |
+| `DELETE` | `/auth/gcp/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - The name of the role to delete.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
+```
+
+## Login
+
+Login to retrieve a Vault token. This endpoint takes a signed JSON Web Token
+(JWT) and a role name for some entity. It verifies the JWT signature with Google
+Cloud to authenticate that entity and then authorizes the entity for the given
+role.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/auth/gcp/login` |
+
+### Sample Payload
+
+- `role` `(string: <required>)` - The name of the role against which the login
+  is being attempted.
+
+- `jwt` `(string: <required>)` - A Signed [JSON Web Token][jwt].
+
+  - For `iam` type roles, this is a JWT signed with the
+    [`signJwt` method][signjwt-method] or a self-signed JWT.
+
+  - For `gce` type roles, this is an [identity metadata token][instance-token].
+
+### Sample Payload
+
+```json
+{
+  "role": "my-role",
+  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/gcp/login
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
+    "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
+    "policies": ["default", "dev", "prod"],
+    "metadata": {
+      "project_id": "my-project",
+      "role": "my-role",
+      "service_account_email": "dev1@project-123456.iam.gserviceaccount.com",
+      "service_account_id": "111111111111111111111"
+    },
+    "lease_duration": 2764800,
+    "renewable": true
+  }
+}
+```
+
+[gcp-adc]: https://developers.google.com/identity/protocols/application-default-credentials
+[jwt]: https://tools.ietf.org/html/rfc7519
+[signjwt-method]: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt
+[instance-token]: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature
diff --git a/website/pages/api-docs/auth/github/index.mdx b/website/pages/api-docs/auth/github/index.mdx
new file mode 100644
index 000000000000..98cdfca303f5
--- /dev/null
+++ b/website/pages/api-docs/auth/github/index.mdx
@@ -0,0 +1,271 @@
+---
+layout: api
+page_title: GitHub - Auth Methods - HTTP API
+sidebar_title: GitHub
+description: This is the API documentation for the Vault GitHub auth method.
+---
+
+# GitHub Auth Method (API)
+
+This is the API documentation for the Vault GitHub auth method. For
+general information about the usage and operation of the GitHub method, please
+see the [Vault GitHub method documentation](/docs/auth/github.html).
+
+This documentation assumes the GitHub method is enabled at the `/auth/github`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Configure Method
+
+Configures the connection parameters for GitHub. This path honors the
+distinction between the `create` and `update` capabilities inside ACL policies.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/auth/github/config` |
+
+### Parameters
+
+- `organization` `(string: <required>)` - The organization users must be part
+  of.
+- `base_url` `(string: "")` - The API endpoint to use. Useful if you are running
+  GitHub Enterprise or an API-compatible authentication server.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "organization": "acme-org"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/github/config
+```
+
+## Read Configuration
+
+Reads the GitHub configuration.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `GET`  | `/auth/github/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/github/config
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "organization": "acme-org",
+    "base_url": "",
+    "ttl": "",
+    "max_ttl": ""
+  },
+  "warnings": null
+}
+```
+
+## Map GitHub Teams
+
+Map a list of policies to a team that exists in the configured GitHub organization.
+
+| Method | Path                                |
+| :----- | :---------------------------------- |
+| `POST` | `/auth/github/map/teams/:team_name` |
+
+### Parameters
+
+- `team_name` `(string)` - GitHub team name in "slugified" format
+- `value` `(string)` - Comma separated list of policies to assign
+
+### Sample Payload
+
+```json
+{
+  "value": "dev-policy"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/github/map/teams/dev
+```
+
+## Read Team Mapping
+
+Reads the GitHub team policy mapping.
+
+| Method | Path                                |
+| :----- | :---------------------------------- |
+| `GET`  | `/auth/github/map/teams/:team_name` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/github/map/teams/dev
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "key": "dev",
+    "value": "dev-policy"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Map GitHub Users
+
+Map a list of policies to a specific GitHub user exists in the configured
+organization.
+
+| Method | Path                                |
+| :----- | :---------------------------------- |
+| `POST` | `/auth/github/map/users/:user_name` |
+
+### Parameters
+
+- `user_name` `(string)` - GitHub user name
+- `value` `(string)` - Comma separated list of policies to assign
+
+### Sample Payload
+
+```json
+{
+  "value": "sethvargo-policy"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/github/map/users/sethvargo
+```
+
+The user with username `sethvargo` will be assigned the `sethvargo-policy`
+policy **in addition to** any team policies.
+
+## Read User Mapping
+
+Reads the GitHub user policy mapping.
+
+| Method | Path                                |
+| :----- | :---------------------------------- |
+| `GET`  | `/auth/github/map/users/:user_name` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/github/map/users/sethvargo
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "764b6f88-efba-51bd-ed62-cf1c9e80e37a",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "key": "sethvargo",
+    "value": "sethvargo-policy"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Login
+
+Login using GitHub access token.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/auth/github/login` |
+
+### Parameters
+
+- `token` `(string: <required>)` - GitHub personal API token.
+
+### Sample Payload
+
+```json
+{
+  "token": "ABC123..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/github/login
+```
+
+### Sample Response
+
+```javascript
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
+    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
+    "policies": ["default"],
+    "metadata": {
+      "username": "fred",
+      "org": "acme-org"
+    },
+  },
+  "lease_duration": 7200,
+  "renewable": true
+}
+```
diff --git a/website/pages/api-docs/auth/index.mdx b/website/pages/api-docs/auth/index.mdx
new file mode 100644
index 000000000000..48a92ad05035
--- /dev/null
+++ b/website/pages/api-docs/auth/index.mdx
@@ -0,0 +1,18 @@
+---
+layout: api
+page_title: Auth Methods - HTTP API
+sidebar_title: Auth Methods
+description: |-
+  Each auth method publishes its own set of API paths and methods.
+  These endpoints are documented in this section.
+---
+
+# Auth Methods
+
+Each auth method publishes its own set of API paths and methods. These endpoints
+are documented in this section. Auth methods are enabled at a path, but the
+documentation will assume the default paths for simplicity. If you are enabling
+at a different path, you should adjust your API calls accordingly.
+
+For the API documentation for a specific auth method, please choose a auth
+method from the navigation.
diff --git a/website/pages/api-docs/auth/jwt/index.mdx b/website/pages/api-docs/auth/jwt/index.mdx
new file mode 100644
index 000000000000..ddf93447996f
--- /dev/null
+++ b/website/pages/api-docs/auth/jwt/index.mdx
@@ -0,0 +1,411 @@
+---
+layout: api
+page_title: JWT/OIDC - Auth Methods - HTTP API
+sidebar_title: JWT/OIDC
+description: |-
+  This is the API documentation for the Vault JWT/OIDC authentication
+  method plugin.
+---
+
+# JWT/OIDC Auth Method (API)
+
+This is the API documentation for the Vault JWT/OIDC auth method
+plugin. To learn more about the usage and operation, see the
+[Vault JWT/OIDC method documentation](/docs/auth/jwt.html).
+
+This documentation assumes the plugin method is mounted at the
+`/auth/jwt` path in Vault. Since it is possible to enable auth methods
+at any location, please update your API calls accordingly.
+
+## Configure
+
+Configures the validation information to be used globally across all roles. One
+(and only one) of `oidc_discovery_url` and `jwt_validation_pubkeys` must be
+set.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/auth/jwt/config` |
+
+### Parameters
+
+- `oidc_discovery_url` `(string: <optional>)` - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".
+- `oidc_discovery_ca_pem` `(string: <optional>)` - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.
+- `oidc_client_id` `(string: <optional>)` - The OAuth Client ID from the provider for OIDC roles.
+- `oidc_client_secret` `(string: <optional>)` - The OAuth Client Secret from the provider for OIDC roles.
+- `jwks_url` `(string: <optional>)` - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
+- `jwks_ca_pem` `(string: <optional>)` - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
+- `jwt_validation_pubkeys` `(comma-separated string, or array of strings: <optional>)` - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".
+- `bound_issuer` `(string: <optional>)` - The value against which to match the `iss` claim in a JWT.
+- `jwt_supported_algs` `(comma-separated string, or array of strings: <optional>)` - A list of supported signing algorithms. Defaults to [RS256]. ([Available algorithms](https://github.com/hashicorp/vault-plugin-auth-jwt/blob/master/vendor/github.com/coreos/go-oidc/jose.go#L7))
+- `default_role` `(string: <optional>)` - The default role to use if none is provided during login.
+
+### Sample Payload
+
+```json
+{
+  "oidc_discovery_url": "https://myco.auth0.com/",
+  "bound_issuer": "https://myco.auth0.com/"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/auth/jwt/config
+```
+
+# Read Config
+
+Returns the previously configured config.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/auth/jwt/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/auth/jwt/config
+```
+
+### Sample Response
+
+```json
+{
+  "data":{
+    "oidc_discovery_url": "https://myco.auth0.com/",
+    "oidc_discovery_ca_pem": [],
+    "bound_issuer": "https://myco.auth0.com/",
+    "jwt_validation_pubkeys": []
+  },
+  ...
+}
+```
+
+## Create Role
+
+Registers a role in the method. Role types have specific entities
+that can perform login operations against this endpoint. Constraints specific
+to the role type must be set on the role. These are applied to the authenticated
+entities attempting to login. At least one of the bound values must be set.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/auth/jwt/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+- `role_type` `(string: <optional>)` - Type of role, either "oidc" (default) or "jwt".
+- `bound_audiences` `(array: <optional>)` - List of `aud` claims to match against.
+  Any match is sufficient. Required for "jwt" roles, optional for "oidc" roles.
+- `user_claim` `(string: <required>)` - The claim to use to uniquely identify
+  the user; this will be used as the name for the Identity entity alias created
+  due to a successful login. The claim value must be a string.
+- `clock_skew_leeway` `(int: <optional>)` - The amount of leeway to add to all claims to
+  account for clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled
+  if set to `-1`. Only applicable with "jwt" roles.
+- `expiration_leeway` `(int: <optional>)` - The amount of leeway to add to expiration (`exp`) claims to
+  account for clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled
+  if set to `-1`. Only applicable with "jwt" roles.
+- `not_before_leeway` `(int: <optional>)` - The amount of leeway to add to not before (`nbf`) claims to
+  account for clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled
+  if set to `-1`. Only applicable with "jwt" roles.
+- `bound_subject` `(string: <optional>)` - If set, requires that the `sub`
+  claim matches this value.
+- `bound_claims` `(map: <optional>)` - If set, a map of claims/values to match against.
+  The expected value may be a single string or a list of strings.
+- `groups_claim` `(string: <optional>)` - The claim to use to uniquely identify
+  the set of groups to which the user belongs; this will be used as the names
+  for the Identity group aliases created due to a successful login. The claim
+  value must be a list of strings.
+- `claim_mappings` `(map: <optional>)` - If set, a map of claims (keys) to be copied to
+  specified metadata fields (values).
+- `oidc_scopes` `(list: <optional>)` - If set, a list of OIDC scopes to be used with an OIDC role.
+  The standard scope "openid" is automatically included and need not be specified.
+- `allowed_redirect_uris` `(list: <required>)` - The list of allowed values for redirect_uri
+  during OIDC logins.
+- `verbose_oidc_logging` `(bool: false)` - Log received OIDC tokens and claims when debug-level
+  logging is active. Not recommended in production since sensitive information may be present
+  in OIDC responses.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "policies": ["dev", "prod"],
+  "bound_subject": "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@clients",
+  "bound_audiences": "https://myco.test",
+  "user_claim": "https://vault/user",
+  "groups_claim": "https://vault/groups",
+  "bound_claims": {
+    "department": "engineering",
+    "sector": "7g"
+  },
+  "claim_mappings": {
+    "preferred_language": "language",
+    "group": "group"
+  }
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
+```
+
+## Read Role
+
+Returns the previously registered role configuration.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/auth/jwt/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
+```
+
+### Sample Response
+
+```json
+{
+  "data":{
+    "bound_subject": "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@clients",
+    "bound_audiences": [
+      "https://myco.test"
+    ],
+    "bound_cidrs": [],
+    "user_claim": "https://vault/user",
+    "groups_claim": "https://vault/groups",
+    "policies": [
+      "dev",
+      "prod"
+    ],
+    "period": 0,
+    "ttl": 0,
+    "num_uses": 0,
+    "max_ttl": 0
+  },
+  ...
+}
+
+```
+
+## List Roles
+
+Lists all the roles that are registered with the plugin.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `LIST` | `/auth/jwt/role` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/auth/jwt/role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": [
+      "dev-role",
+      "prod-role"
+    ]
+  },
+  ...
+}
+```
+
+## Delete Role
+
+Deletes the previously registered role.
+
+| Method   | Path                   |
+| :------- | :--------------------- |
+| `DELETE` | `/auth/jwt/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
+```
+
+## OIDC Authorization URL Request
+
+Obtain an authorization URL from Vault to start an OIDC login flow.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/auth/jwt/oidc/auth_url` |
+
+### Parameters
+
+- `role` `(string: <optional>)` - Name of the role against which the login is being
+  attempted. Defaults to configured `default_role` if not provided.
+- `redirect_uri` `(string: <required>)` - Path to the callback to complete the login. This will be
+  of the form, "https://.../oidc/callback" where the leading portion is dependent on your Vault
+  server location, port, and the mount of the JWT plugin. This must be configured with Vault and the
+  provider. See [Redirect URIs](/docs/auth/jwt.html#redirect-uris) for more information.
+
+### Sample Payload
+
+```json
+{
+  "role": "dev-role",
+  "redirect_uri": "https://vault.myco.com:8200/ui/vault/auth/jwt/oidc/callback"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/auth/jwt/oidc/auth_url
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "c701169c-64f8-26cc-0315-078e8c3ce897",
+  "data": {
+    "auth_url": "https://myco.auth0.com/authorize?client_id=r3qXcK2bezU3Sbmh0K16fatW6&nonce=851b69a9bfa5a6a5668111314414e3687891a599&redirect_uri=https%3A%2F%2Fvault.myco.com3A8200%2Fui%2Fvault%2Fauth%2Fjwt%2Foidc%2Fcallback&response_type=code&scope=openid+email+profile&state=1011e726d24960e09cfca2e04b36b38593cb6a22"
+  },
+  ...
+}
+```
+
+## OIDC Callback
+
+Exchange an authorization code for an OIDC ID Token. The ID token will be further validated
+against any bound claims, and if valid a Vault token will be returned.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/auth/jwt/oidc/callback` |
+
+### Parameters
+
+- `state` `(string: <required>)` - Opaque state ID that is part of the Authorization URL and will
+  be included in the the redirect following successful authenication on the provider.
+- `nonce` `(string: <required>)` - Opaque nonce that is part of the Authorization URL and will
+  be included in the the redirect following successful authenication on the provider.
+- `code` `(string: <required>)` - Provider-generated authorization code that Vault will exchange for
+  an ID token.
+
+### Sample Request
+
+```
+$ curl \
+    https://127.0.0.1:8200/v1/auth/jwt/oidc/callback?state=n2kfh3nsl&code=mn2ldl2nv98h2jl&nonce=ni42i2idj2jj
+```
+
+### Sample Response
+
+```json
+{
+    "auth":{
+        "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
+        "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
+        "policies":[
+            "default",
+            "dev",
+            "prod"
+        ],
+        "lease_duration":2764800,
+        "renewable":true
+    },
+    ...
+}
+```
+
+## JWT Login
+
+Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
+a role name for some entity. It verifies the JWT signature to authenticate that
+entity and then authorizes the entity for the given role.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/auth/jwt/login` |
+
+### Parameters
+
+- `role` `(string: <optional>)` - Name of the role against which the login is being
+  attempted. Defaults to configured `default_role` if not provided.
+- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT).
+
+### Sample Payload
+
+```json
+{
+  "role": "dev-role",
+  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/auth/jwt/login
+```
+
+### Sample Response
+
+```json
+{
+    "auth":{
+        "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
+        "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
+        "policies":[
+            "default",
+            "dev",
+            "prod"
+        ],
+        "lease_duration":2764800,
+        "renewable":true
+    },
+    ...
+}
+```
diff --git a/website/pages/api-docs/auth/kerberos/index.mdx b/website/pages/api-docs/auth/kerberos/index.mdx
new file mode 100644
index 000000000000..9451159708d9
--- /dev/null
+++ b/website/pages/api-docs/auth/kerberos/index.mdx
@@ -0,0 +1,399 @@
+---
+layout: api
+page_title: Kerberos - Auth Methods - HTTP API
+sidebar_title: Kerberos
+description: This is the API documentation for the Vault Kerberos auth method plugin.
+---
+
+# Kerberos Auth Method (API)
+
+This is the API documentation for the Vault Kerberos auth method plugin. To
+learn more about the usage and operation, see the
+[Vault Kerberos auth method](/docs/auth/kerberos.html).
+
+This documentation assumes the Kerberos auth method is mounted at the
+`auth/kerberos` path in Vault. Since it is possible to enable auth methods at
+any location, please update your API calls accordingly.
+
+The Kerberos auth method validates both Kerberos and LDAP authorization,
+so both configurations are required.
+
+## Configure Vault Kerberos
+
+This endpoint configures the keytab and service account to be used by Vault
+for verifying inbound SPNEGO tokens.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/auth/kerberos/config` |
+
+- `keytab` `(string: <required>)` – A base 64 representation of the contents
+  of the Kerberos keytab that will be used for verifying inbound SPNEGO tokens.
+  It should contain an entry matching the service account given. This can be
+  created through the following command: `$ base64 vault.keytab > vault.keytab.base64`.
+- `service_account` `(string: <required>)` – The service account associated
+  with both the keytab entry and an LDAP service account created for Vault. Ex.:
+  `"vault_svc"`.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/kerberos/config
+```
+
+### Sample Payload
+
+```json
+{
+  "keytab": "BQIAAAA6AAEACk1BVFJJWC5MQU4ACXZhdWx0X3N2YwAAAAFdzZSjAgAXABDwhEyRR9nRqkpP8KTn2A83AAAAAg==",
+  "service_account": "vault_svc"
+}
+```
+
+## Read Vault Kerberos
+
+This endpoint retrieves the service account for the Kerberos auth method.
+The keytab is not returned because it is sensitive information.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/auth/kerberos/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/kerberos/config
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "service_account": "vault_svc"
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Configure Kerberos LDAP
+
+This endpoint configures LDAP in the Kerberos auth method.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/auth/kerberos/config/ldap` |
+
+### Parameters
+
+- `url` `(string: <required>)` – The LDAP server to connect to. Examples:
+  `ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. Multiple URLs can be
+  specified with commas, e.g. `ldap://ldap.myorg.com,ldap://ldap2.myorg.com`;
+  these will be tried in-order.
+- `case_sensitive_names` `(bool: false)` – If set, user and group names
+  assigned to policies within the backend will be case sensitive. Otherwise,
+  names will be normalized to lower case. Case will still be preserved when
+  sending the username to the LDAP server at login time; this is only for
+  matching local user/group definitions.
+- `starttls` `(bool: false)` – If true, issues a `StartTLS` command after
+  establishing an unencrypted connection.
+- `tls_min_version` `(string: tls12)` – Minimum TLS version to use. Accepted
+  values are `tls10`, `tls11` or `tls12`.
+- `tls_max_version` `(string: tls12)` – Maximum TLS version to use. Accepted
+  values are `tls10`, `tls11` or `tls12`.
+- `insecure_tls` `(bool: false)` – If true, skips LDAP server SSL certificate
+  verification - insecure, use with caution!
+- `certificate` `(string: "")` – CA certificate to use when verifying LDAP server
+  certificate, must be x509 PEM encoded.
+- `binddn` `(string: "")` – Distinguished name of object to bind when performing
+  user search. Example: `cn=vault,ou=Users,dc=example,dc=com`
+- `bindpass` `(string: "")` – Password to use along with `binddn` when performing
+  user search.
+- `userdn` `(string: "")` – Base DN under which to perform user search. Example:
+  `ou=Users,dc=example,dc=com`
+- `userattr` `(string: "")` – Attribute on user attribute object matching the
+  username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
+- `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
+  user.
+- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
+  authentication when providing an empty password.
+- `upndomain` `(string: "")` – The _userPrincipalDomain_ used to construct the UPN
+  string for the authenticating user. The constructed UPN will appear as
+  `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind
+  as `username@example.com`.
+- `groupfilter` `(string: "")` – Go template used when constructing the group
+  membership query. The template can access the following context variables:
+  \[`UserDN`, `Username`\]. The default is
+  `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`,
+  which is compatible with several common directory schemas. To support
+  nested group resolution for Active Directory, instead use the following
+  query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
+- `groupdn` `(string: "")` – LDAP search base to use for group membership
+  search. This can be the root containing either groups or users. Example:
+  `ou=Groups,dc=example,dc=com`
+- `groupattr` `(string: "")` – LDAP attribute to follow on objects returned by
+  `groupfilter` in order to enumerate user group membership. Examples: for
+  groupfilter queries returning _group_ objects, use: `cn`. For queries
+  returning _user_ objects, use: `memberOf`. The default is `cn`.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/kerberos/config/ldap
+```
+
+### Sample Payload
+
+```json
+{
+  "binddn": "cn=vault,ou=Users,dc=example,dc=com",
+  "deny_null_bind": true,
+  "discoverdn": false,
+  "groupattr": "cn",
+  "groupdn": "ou=Groups,dc=example,dc=com",
+  "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
+  "insecure_tls": false,
+  "starttls": false,
+  "tls_max_version": "tls12",
+  "tls_min_version": "tls12",
+  "url": "ldaps://ldap.myorg.com:636",
+  "userattr": "samaccountname",
+  "userdn": "ou=Users,dc=example,dc=com"
+}
+```
+
+## Read Kerberos LDAP Configuration
+
+This endpoint retrieves the LDAP configuration for the Kerberos auth method.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/auth/kerberos/config/ldap` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/kerberos/config/ldap
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "binddn": "cn=vault,ou=Users,dc=example,dc=com",
+    "bindpass": "",
+    "certificate": "",
+    "deny_null_bind": true,
+    "discoverdn": false,
+    "groupattr": "cn",
+    "groupdn": "ou=Groups,dc=example,dc=com",
+    "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
+    "insecure_tls": false,
+    "starttls": false,
+    "tls_max_version": "tls12",
+    "tls_min_version": "tls12",
+    "upndomain": "",
+    "url": "ldaps://ldap.myorg.com:636",
+    "userattr": "samaccountname",
+    "userdn": "ou=Users,dc=example,dc=com"
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## List Kerberos LDAP Groups
+
+This endpoint returns a list of existing LDAP groups in the Kerberos auth method.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `LIST` | `/auth/kerberos/groups` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/kerberos/groups
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["scientists", "engineers"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Read Kerberos LDAP Group
+
+This endpoint returns the policies associated with a Kerberos LDAP group.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `GET`  | `/auth/kerberos/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – The name of the LDAP group.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "policies": ["admin", "default"]
+  },
+  "renewable": false,
+  "lease_id": "",
+  "lease_duration": 0,
+  "warnings": null
+}
+```
+
+## Create/Update Kerberos LDAP Group
+
+This endpoint creates or updates LDAP group policies.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/auth/kerberos/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – The name of the LDAP group.
+- `policies` `(string: "")` – Comma-separated list of policies associated to the
+  group.
+
+### Sample Payload
+
+```json
+{
+  "policies": "admin,default"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
+```
+
+## Delete Kerberos LDAP Group
+
+This endpoint deletes the LDAP group and policy association.
+
+| Method   | Path                          |
+| :------- | :---------------------------- |
+| `DELETE` | `/auth/kerberos/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – The name of the LDAP group.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
+```
+
+## Login with Kerberos
+
+This endpoint allows you to log in with a valid Kerberos SPNEGO
+token. This token is obtained by the client, marshalled, and
+converted to base 64 using standard encoding.
+
+Example SPNEGO token (newlines added for readability):
+
+```
+YIIFSwYGKwYBBQUCoIIFPzCCBTugDTALBgkqhkiG9xIBAgKiggUoBIIFJGCCBSAGCSq
+GSIb3EgECAgEAboIFDzCCBQugAwIBBaEDAgEOogcDBQAgAAAAo4IEB2GCBAMwggP/oA
+MCAQWhDBsKTUFUUklYLkxBTqIvMC2gAwIBA6EmMCQbBEhUVFAbHDdlZmNjZTg4MGVkM
+y5tYXRyaXgubGFuOjgyMDCjggO3MIIDs6ADAgEXoQMCAQKiggOlBIIDoXky+VDSMXqT
+Z8XqUiIfzX3+t1ROgO49WYQPoqW1EJLA6vOVtsLITTuDUw8WaLIexki07up3wiO7bKn
+unPFN3Y6VaKZfGoubVBFnLwrxqiEqytk19fiuc0bUJD5fNX+BUeHjePPmE73kRcuchC
+L5+WkbY0X37cH5uKwCWI6TxpuEc74+mvmGOdAOdisC31MO6EBnOpTlxvKOXzShVk5Xa
+rkkHjTJyjoUslgm8JVdj/uB/+x16k0bFVOuWybfeCkn4FY7OeIxypxDJgk6uHU+5jpy
+XsdXK4w5GG+TK5BI6LXW8ZH6NOhcTZnRyt1/S4Wihd6HKhL8lH6H+wPWAnN4Ym8jiSg
+7O0nIkp9su1l/umJWnLnyUdsC9ekKmCYS9MLrmaUREnKMFfrYOF283gWVmfuSWd832Q
+9PIE93vUVTfetw1OwbJXEbG7ex3BotXPJ8yaDUAz4Zv0a6zQlj6JutE7LF3JvuuQeot
+QnwPhrZTrmv7ZbmGO3GmkzbMzIwcTXCCKX8ocOo8GLmtEigAPK23FOW2Y0p1meYjF0U
+xPzU6MPxfQWiXTWflqabXug7uZh8u76rzSEEceosPxoBqMm6hSmGc85+0bzy/E7AGJM
+5ELa2Ny2KpyniPiYCap44GsFZbGM1FwJeh1bG3dJungIn7po4X2wlg00wZVlbHsBzhP
+Hys0oxVzOQfrvx88G0fH80+vyzQiQAq4ZqmZqkO0zFSsdqG8ReJvpY0eGzN6/lGwcRl
+eav7Vum/s5MalXhYUdOjB4K3A5yQArHbbLfeZlhb7d4vttzPNkmaZ9ZNTyW1GSuqDtd
++YJ0g70aN82KQMWiK3cbJcx/1jcmaN5gjSDm0xk19G2eb8VlRpwLFAazOlpPGozPl0Y
+PD45h3Yv3AA5aMVXvEi+NvSYR3z9VXxk6A8wFJxV5NZxV2hYwmxt0S+TYXFeudXzT+W
+ySoykcsxIU6rUevmJlEqZDyD3VcdnUOE9pxrIY/cqpdBBwatorF+jIK/ytcTBjvoM6c
+LL4g4n/isWMu8Xs6lSMxZzrC3Ewv9VYMzOEFxaHUXlyIC8GCN6t9DHZNzT91TC0u5Rj
+XuLqXENczg33dACvr+yhvin/0QNBQG+EXz/E4NiBBWqtTFa0BiTVTwyrKL5OyiLcIVe
+v4l8l9vyj/ABwDacr9ZGjhFbOShCTuFFWBPNnBwPqiRBV4y1gPP4abYBmeboLrUiqwZ
+81UrP2L8rCTEtYu9q3GmW/pIHqMIHnoAMCAReigd8EgdxwBViqyCyL0+J/k2bw0upNL
+h+4wzJcFBFC/wxX2aMvvIYdQv5nWwdNLMII3l/zQ0+eRdzpKfg1ZRT6x0D5278eQLto
+9r1CqKNW515u4kD5+pE8VOwZJMVe3FmduaH2gnTLAcoYXkBUE24hcr0ExSY6kTTBWPj
+U5dsmUsj3+qrN9JruEADqw99t/EWnN3iTsHh1rOQOd9jIJ1wCIkgvnLB8Rad+q5jguG
+8qQh1WDObTlNOnezDtiuLtRb03QDo8Q4Sm72IIcLDlffVvl7WAog5TpC8qM97+Wmv0C
+sWw
+```
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/auth/kerberos/login` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "Authorization: Negotiate YIIFSw...sWw" \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/kerberos/login
+```
diff --git a/website/pages/api-docs/auth/kubernetes/index.mdx b/website/pages/api-docs/auth/kubernetes/index.mdx
new file mode 100644
index 000000000000..e7254645107c
--- /dev/null
+++ b/website/pages/api-docs/auth/kubernetes/index.mdx
@@ -0,0 +1,276 @@
+---
+layout: api
+page_title: Kubernetes - Auth Methods - HTTP API
+sidebar_title: Kubernetes
+description: This is the API documentation for the Vault Kubernetes auth method plugin.
+---
+
+# Kubernetes Auth Method (API)
+
+This is the API documentation for the Vault Kubernetes auth method plugin. To
+learn more about the usage and operation, see the
+[Vault Kubernetes auth method](/docs/auth/kubernetes.html).
+
+This documentation assumes the Kubernetes method is mounted at the
+`/auth/kubernetes` path in Vault. Since it is possible to enable auth methods at
+any location, please update your API calls accordingly.
+
+## Configure Method
+
+The Kubernetes auth method validates service account JWTs and verifies their
+existence with the Kubernetes TokenReview API. This endpoint configures the
+public key used to validate the JWT signature and the necessary information to
+access the Kubernetes API.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/auth/kubernetes/config` |
+
+### Parameters
+
+- `kubernetes_host` `(string: <required>)` - Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
+- `kubernetes_ca_cert` `(string: "")` - PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. NOTE: Every line must end with a newline: \n
+- `token_reviewer_jwt` `(string: "")` - A service account JWT used to access the TokenReview
+  API to validate other JWTs during login. If not set
+  the JWT used for login will be used to access the API.
+- `pem_keys` `(array: [])` - Optional list of PEM-formatted public keys or certificates
+  used to verify the signatures of Kubernetes service account
+  JWTs. If a certificate is given, its public key will be
+  extracted. Not every installation of Kubernetes exposes these
+  keys.
+- `issuer` `(string: "")` - Optional JWT issuer. If no issuer is specified, then this plugin will
+  use `kubernetes.io/serviceaccount` as the default issuer.
+
+### Sample Payload
+
+```json
+{
+  "kubernetes_host": "https://192.168.99.100:8443",
+  "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----\n.....\n-----END CERTIFICATE-----",
+  "pem_keys": "-----BEGIN CERTIFICATE-----\n.....\n-----END CERTIFICATE-----"
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/kubernetes/config
+```
+
+## Read Config
+
+Returns the previously configured config, including credentials.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/auth/kubernetes/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/kubernetes/config
+```
+
+### Sample Response
+
+```json
+{
+  "data":{
+    "kubernetes_host": "https://192.168.99.100:8443",
+    "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
+    "pem_keys": ["-----BEGIN CERTIFICATE-----.....", .....]
+  }
+}
+```
+
+## Create Role
+
+Registers a role in the auth method. Role types have specific entities
+that can perform login operations against this endpoint. Constraints specific
+to the role type must be set on the role. These are applied to the authenticated
+entities attempting to login.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/auth/kubernetes/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+- `bound_service_account_names` `(array: <required>)` - List of service account
+  names able to access this role. If set to "\*" all names are allowed, both this
+  and bound_service_account_namespaces can not be "\*".
+- `bound_service_account_namespaces` `(array: <required>)` - List of namespaces
+  allowed to access this role. If set to "\*" all namespaces are allowed, both
+  this and bound_service_account_names can not be set to "\*".
+- `audience` `(string: "")` - Optional Audience claim to verify in the JWT.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "bound_service_account_names": "vault-auth",
+  "bound_service_account_namespaces": "default",
+  "policies": ["dev", "prod"],
+  "max_ttl": 1800000
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
+```
+
+## Read Role
+
+Returns the previously registered role configuration.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `GET`  | `/auth/kubernetes/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "bound_service_account_names": "vault-auth",
+    "bound_service_account_namespaces": "default",
+    "max_ttl": 1800000,
+    "ttl": 0,
+    "period": 0,
+    "policies": ["dev", "prod"]
+  }
+}
+```
+
+## List Roles
+
+Lists all the roles that are registered with the auth method.
+
+| Method | Path                              |
+| :----- | :-------------------------------- |
+| `LIST` | `/auth/kubernetes/role`           |
+| `GET`  | `/auth/kubernetes/role?list=true` |
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/kubernetes/role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["dev-role", "prod-role"]
+  }
+}
+```
+
+## Delete Role
+
+Deletes the previously registered role.
+
+| Method   | Path                          |
+| :------- | :---------------------------- |
+| `DELETE` | `/auth/kubernetes/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
+```
+
+## Login
+
+Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
+a role name for some entity. It verifies the JWT signature to authenticate that
+entity and then authorizes the entity for the given role.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/auth/kubernetes/login` |
+
+### Sample Payload
+
+- `role` `(string: <required>)` - Name of the role against which the login is being
+  attempted.
+- `jwt` `(string: <required>)` - Signed [JSON Web
+  Token](https://tools.ietf.org/html/rfc7519) (JWT) for authenticating a service
+  account.
+
+### Sample Payload
+
+```json
+{
+  "role": "dev-role",
+  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/kubernetes/login
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "client_token": "62b858f9-529c-6b26-e0b8-0457b6aacdb4",
+    "accessor": "afa306d0-be3d-c8d2-b0d7-2676e1c0d9b4",
+    "policies": ["default"],
+    "metadata": {
+      "role": "test",
+      "service_account_name": "vault-auth",
+      "service_account_namespace": "default",
+      "service_account_secret_name": "vault-auth-token-pd21c",
+      "service_account_uid": "aa9aa8ff-98d0-11e7-9bb7-0800276d99bf"
+    },
+    "lease_duration": 2764800,
+    "renewable": true
+  }
+}
+```
diff --git a/website/pages/api-docs/auth/ldap/index.mdx b/website/pages/api-docs/auth/ldap/index.mdx
new file mode 100644
index 000000000000..9837847a4bd0
--- /dev/null
+++ b/website/pages/api-docs/auth/ldap/index.mdx
@@ -0,0 +1,457 @@
+---
+layout: api
+page_title: LDAP - Auth Methods - HTTP API
+sidebar_title: LDAP
+description: This is the API documentation for the Vault LDAP auth method.
+---
+
+# LDAP Auth Method (API)
+
+This is the API documentation for the Vault LDAP auth method. For
+general information about the usage and operation of the LDAP method, please
+see the [Vault LDAP method documentation](/docs/auth/ldap.html).
+
+This documentation assumes the LDAP method is mounted at the `/auth/ldap`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Configure LDAP
+
+This endpoint configures the LDAP auth method.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/auth/ldap/config` |
+
+### Parameters
+
+- `url` `(string: ldap://127.0.0.1)` – The LDAP server to connect to. Examples:
+  `ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. Multiple URLs can be
+  specified with commas, e.g. `ldap://ldap.myorg.com,ldap://ldap2.myorg.com`;
+  these will be tried in-order.
+- `case_sensitive_names` `(bool: false)` – If set, user and group names
+  assigned to policies within the backend will be case sensitive. Otherwise,
+  names will be normalized to lower case. Case will still be preserved when
+  sending the username to the LDAP server at login time; this is only for
+  matching local user/group definitions.
+- `request_timeout` `(integer: 90 or string: "90s")` - Timeout, in seconds, for
+  the connection when making requests against the server before returning back
+  an error.
+- `starttls` `(bool: false)` – If true, issues a `StartTLS` command after
+  establishing an unencrypted connection.
+- `tls_min_version` `(string: tls12)` – Minimum TLS version to use. Accepted
+  values are `tls10`, `tls11` or `tls12`.
+- `tls_max_version` `(string: tls12)` – Maximum TLS version to use. Accepted
+  values are `tls10`, `tls11` or `tls12`.
+- `insecure_tls` `(bool: false)` – If true, skips LDAP server SSL certificate
+  verification - insecure, use with caution!
+- `certificate` `(string: "")` – CA certificate to use when verifying LDAP server
+  certificate, must be x509 PEM encoded.
+- `binddn` `(string: "")` – Distinguished name of object to bind when performing
+  user search. Example: `cn=vault,ou=Users,dc=example,dc=com`
+- `bindpass` `(string: "")` – Password to use along with `binddn` when performing
+  user search.
+- `userdn` `(string: "")` – Base DN under which to perform user search. Example:
+  `ou=Users,dc=example,dc=com`
+- `userattr` `(string: "cn")` – Attribute on user attribute object matching the
+  username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
+- `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
+  user.
+- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
+  authentication when providing an empty password.
+- `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
+  string for the authenticating user. The constructed UPN will appear as
+  `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind
+  as `username@example.com`.
+- `groupfilter` `(string: "")` – Go template used when constructing the group
+  membership query. The template can access the following context variables:
+  \[`UserDN`, `Username`\]. The default is
+  `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`,
+  which is compatible with several common directory schemas. To support
+  nested group resolution for Active Directory, instead use the following
+  query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
+- `groupdn` `(string: "")` – LDAP search base to use for group membership
+  search. This can be the root containing either groups or users. Example:
+  `ou=Groups,dc=example,dc=com`
+- `groupattr` `(string: "")` – LDAP attribute to follow on objects returned by
+  `groupfilter` in order to enumerate user group membership. Examples: for
+  groupfilter queries returning _group_ objects, use: `cn`. For queries
+  returning _user_ objects, use: `memberOf`. The default is `cn`.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/ldap/config
+```
+
+### Sample Payload
+
+```json
+{
+  "binddn": "cn=vault,ou=Users,dc=example,dc=com",
+  "deny_null_bind": true,
+  "discoverdn": false,
+  "groupattr": "cn",
+  "groupdn": "ou=Groups,dc=example,dc=com",
+  "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
+  "insecure_tls": false,
+  "starttls": false,
+  "tls_max_version": "tls12",
+  "tls_min_version": "tls12",
+  "url": "ldaps://ldap.myorg.com:636",
+  "userattr": "samaccountname",
+  "userdn": "ou=Users,dc=example,dc=com"
+}
+```
+
+## Read LDAP Configuration
+
+This endpoint retrieves the LDAP configuration for the auth method.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/auth/ldap/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/ldap/config
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "binddn": "cn=vault,ou=Users,dc=example,dc=com",
+    "bindpass": "",
+    "certificate": "",
+    "deny_null_bind": true,
+    "discoverdn": false,
+    "groupattr": "cn",
+    "groupdn": "ou=Groups,dc=example,dc=com",
+    "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
+    "insecure_tls": false,
+    "starttls": false,
+    "tls_max_version": "tls12",
+    "tls_min_version": "tls12",
+    "upndomain": "",
+    "url": "ldaps://ldap.myorg.com:636",
+    "userattr": "samaccountname",
+    "userdn": "ou=Users,dc=example,dc=com"
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## List LDAP Groups
+
+This endpoint returns a list of existing groups in the method.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `LIST` | `/auth/ldap/groups` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/ldap/groups
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["scientists", "engineers"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Read LDAP Group
+
+This endpoint returns the policies associated with a LDAP group.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/auth/ldap/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – The name of the LDAP group
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/ldap/groups/admins
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "policies": [
+      "admin",
+      "default"
+    ]
+  },
+  "renewable": false,
+  "lease_id": ""
+  "lease_duration": 0,
+  "warnings": null
+}
+```
+
+## Create/Update LDAP Group
+
+This endpoint creates or updates LDAP group policies.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/auth/ldap/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – The name of the LDAP group
+- `policies` `(string: "")` – Comma-separated list of policies associated to the
+  group.
+
+### Sample Payload
+
+```json
+{
+  "policies": "admin,default"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/ldap/groups/admins
+```
+
+## Delete LDAP Group
+
+This endpoint deletes the LDAP group and policy association.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/auth/ldap/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – The name of the LDAP group
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/ldap/groups/admins
+```
+
+## List LDAP Users
+
+This endpoint returns a list of existing users in the method.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `LIST` | `/auth/ldap/users` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/ldap/users
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["mitchellh", "armon"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Read LDAP User
+
+This endpoint returns the policies associated with a LDAP user.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/auth/ldap/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` – The username of the LDAP user
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "policies": [
+      "admin",
+      "default"
+    ],
+    "groups": ""
+  },
+  "renewable": false,
+  "lease_id": ""
+  "lease_duration": 0,
+  "warnings": null
+}
+```
+
+## Create/Update LDAP User
+
+This endpoint creates or updates LDAP users policies and group associations.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/auth/ldap/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` – The username of the LDAP user
+- `policies` `(string: "")` – Comma-separated list of policies associated to the
+  user.
+- `groups` `(string: "")` – Comma-separated list of groups associated to the
+  user.
+
+### Sample Payload
+
+```json
+{
+  "policies": "admin,default"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
+```
+
+## Delete LDAP User
+
+This endpoint deletes the LDAP user and policy association.
+
+| Method   | Path                         |
+| :------- | :--------------------------- |
+| `DELETE` | `/auth/ldap/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` – The username of the LDAP user
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
+```
+
+## Login with LDAP User
+
+This endpoint allows you to log in with LDAP credentials
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/auth/ldap/login/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` – The username of the LDAP user
+- `password` `(string: <required>)` – The password for the LDAP user
+
+### Sample Payload
+
+```json
+{
+  "password": "MyPassword1"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "auth": {
+    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
+    "policies": ["admins", "default"],
+    "metadata": {
+      "username": "mitchellh"
+    },
+    "lease_duration": 0,
+    "renewable": false
+  }
+}
+```
diff --git a/website/pages/api-docs/auth/oci/index.mdx b/website/pages/api-docs/auth/oci/index.mdx
new file mode 100644
index 000000000000..a6eb244df0da
--- /dev/null
+++ b/website/pages/api-docs/auth/oci/index.mdx
@@ -0,0 +1,244 @@
+---
+layout: api
+page_title: OCI - Auth Methods - HTTP API
+sidebar_title: OCI
+description: This is the API documentation for the Vault OCI auth method plugin.
+---
+
+# OCI Auth Method (API)
+
+This is the API documentation for the Vault OCI auth method plugin. To
+learn more about the usage and operation, see the
+[Vault OCI auth method](/docs/auth/oci.html).
+
+This documentation assumes the OCI method is mounted at the
+`/auth/oci` path in Vault. Since it is possible to enable auth methods at
+any location, please update your API calls accordingly.
+
+## Configure Home Tenancy Method
+
+Configure your home tenancy in the Vault, so that only users or instances from your tenancy will be allowed to log into Vault, through the OCI Auth method.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/auth/oci/config` |
+
+### Parameters
+
+- `home_tenancy_id` `(string: <required>)` - The Tenancy OCID of your OCI account.
+
+### Sample Payload
+
+```json
+{
+  "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/oci/config
+```
+
+## Read Config
+
+Returns the previously configured config.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/auth/oci/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/oci/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
+  }
+}
+```
+
+## Create Role
+
+Create a Vault administrator role in the OCI Auth method.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/auth/oci/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+- `ocid_list` `(string: <required>)` - A comma separated list of Group or Dynamic Group OCIDs that can take this role.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea",
+  "token_policies": ["dev", "prod"],
+  "token_ttl": 1800
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/oci/role/devrole
+```
+
+## Read Role
+
+Returns the previously registered role configuration.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/auth/oci/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/oci/role/devrole
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ocid_list": [
+      "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq",
+      "ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"
+    ],
+    "token_ttl": 1800,
+    "token_policies": ["dev", "prod"]
+  }
+}
+```
+
+## List Roles
+
+Lists all the roles that are registered with the auth method.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `LIST` | `/auth/oci/role`           |
+| `GET`  | `/auth/oci/role?list=true` |
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/oci/role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["devrole", "prodrole"]
+  }
+}
+```
+
+## Delete Role
+
+Deletes the previously registered role.
+
+| Method   | Path                   |
+| :------- | :--------------------- |
+| `DELETE` | `/auth/oci/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/oci/role/devrole
+```
+
+## Login
+
+Fetch a token. This endpoint takes signed request headers and
+a role name for some entity. It verifies the signed request headers to authenticate that
+entity and then authorizes the entity for the given role.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/auth/oci/login/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role against which the login is being attempted.
+- `request_headers` `(list: [])` - Signed request headers for authenticating. For details on signing, see [signing the request](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm)
+
+### Sample Payload
+
+```json
+{
+  "request_headers": {
+    "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
+    "(request-target)": ["get /v1/auth/oci/login/devrole"],
+    "host": ["127.0.0.1"],
+    "content-type": ["application/json"],
+    "authorization": [
+      "Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""
+    ]
+  }
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/oci/login/devrole
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "token": "62b8ssf9-529c-6b26-e0b8-045fcdb4",
+    "token_accessor": "afaff6d0-be3d-c8d2-b0d7-2676sss0d9b4",
+    "token_policies": ["dev"],
+    "token_duration": 1800
+  }
+}
+```
diff --git a/website/pages/api-docs/auth/okta/index.mdx b/website/pages/api-docs/auth/okta/index.mdx
new file mode 100644
index 000000000000..ea275a211fd0
--- /dev/null
+++ b/website/pages/api-docs/auth/okta/index.mdx
@@ -0,0 +1,385 @@
+---
+layout: api
+page_title: Okta - Auth Methods - HTTP API
+sidebar_title: Okta
+description: This is the API documentation for the Vault Okta auth method.
+---
+
+# Okta Auth Method (API)
+
+This is the API documentation for the Vault Okta auth method. For
+general information about the usage and operation of the Okta method, please
+see the [Vault Okta method documentation](/docs/auth/okta.html).
+
+This documentation assumes the Okta method is mounted at the `/auth/okta`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Create Configuration
+
+Configures the connection parameters for Okta. This path honors the
+distinction between the `create` and `update` capabilities inside ACL policies.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/auth/okta/config` |
+
+### Parameters
+
+- `org_name` `(string: <required>)` - Name of the organization to be used in the
+  Okta API.
+- `api_token` `(string: "")` - Okta API token. This is required to query Okta
+  for user group membership. If this is not supplied only locally configured
+  groups will be enabled.
+- `base_url` `(string: "")` - If set, will be used as the base domain
+  for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com.
+- `bypass_okta_mfa` `(bool: false)` - Whether to bypass an Okta MFA request.
+  Useful if using one of Vault's built-in MFA mechanisms, but this will also
+  cause certain other statuses to be ignored, such as `PASSWORD_EXPIRED`.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "org_name": "example",
+  "api_token": "abc123"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/okta/config
+```
+
+## Read Configuration
+
+Reads the Okta configuration.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/auth/okta/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/okta/config
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "org_name": "example",
+    "api_token": "abc123",
+    "base_url": "okta.com",
+    "ttl": "",
+    "max_ttl": ""
+  },
+  "warnings": null
+}
+```
+
+## List Users
+
+List the users configured in the Okta method.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `LIST` | `/auth/okta/users` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/okta/users
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["fred", "jane"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Register User
+
+Registers a new user and maps a set of policies to it.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/auth/okta/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - Name of the user.
+- `groups` `(array: [])` - List or comma-separated string of groups associated with the user.
+- `policies` `(array: [])` - List or comma-separated string of policies associated with the user.
+
+```json
+{
+  "policies": ["dev", "prod"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/okta/users/fred
+```
+
+## Read User
+
+Reads the properties of an existing username.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/auth/okta/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - Username for this user.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/okta/users/test-user
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "policies": ["default", "dev"],
+    "groups": []
+  },
+  "warnings": null
+}
+```
+
+## Delete User
+
+Deletes an existing username from the method.
+
+| Method   | Path                         |
+| :------- | :--------------------------- |
+| `DELETE` | `/auth/okta/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - Username for this user.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/okta/users/test-user
+```
+
+## List Groups
+
+List the groups configured in the Okta method.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `LIST` | `/auth/okta/groups` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/okta/groups
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["admins", "dev-users"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Register Group
+
+Registers a new group and maps a set of policies to it.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/auth/okta/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the group.
+- `policies` `(array: [])` - The list or comma-separated string of policies associated with the group.
+
+```json
+{
+  "policies": ["dev", "prod"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/okta/groups/admins
+```
+
+## Read Group
+
+Reads the properties of an existing group.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/auth/okta/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name for the group.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/okta/groups/admins
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "policies": ["default", "admin"]
+  },
+  "warnings": null
+}
+```
+
+## Delete Group
+
+Deletes an existing group from the method.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/auth/okta/groups/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name for the group.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/okta/users/test-user
+```
+
+## Login
+
+Login with the username and password.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/auth/okta/login/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - Username for this user.
+- `password` `(string: <required>)` - Password for the authenticating user.
+
+### Sample Payload
+
+```json
+{
+  "password": "Password!"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/okta/login/fred
+```
+
+### Sample Response
+
+```javascript
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
+    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
+    "policies": ["default"],
+    "metadata": {
+      "username": "fred",
+      "policies": "default"
+    },
+  },
+  "lease_duration": 7200,
+  "renewable": true
+}
+```
diff --git a/website/pages/api-docs/auth/radius/index.mdx b/website/pages/api-docs/auth/radius/index.mdx
new file mode 100644
index 000000000000..af2b13e07b60
--- /dev/null
+++ b/website/pages/api-docs/auth/radius/index.mdx
@@ -0,0 +1,234 @@
+---
+layout: api
+page_title: RADIUS - Auth Methods - HTTP API
+sidebar_title: RADIUS
+description: This is the API documentation for the Vault RADIUS auth method.
+---
+
+# RADIUS Auth Method (API)
+
+This is the API documentation for the Vault RADIUS auth method. For
+general information about the usage and operation of the RADIUS method, please
+see the [Vault RADIUS method documentation](/docs/auth/radius.html).
+
+This documentation assumes the RADIUS method is mounted at the `/auth/radius`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Configure RADIUS
+
+Configures the connection parameters and shared secret used to communicate with
+RADIUS.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/auth/radius/config` |
+
+### Parameters
+
+- `host` `(string: <required>)` - The RADIUS server to connect to. Examples:
+  `radius.myorg.com`, `127.0.0.1`
+- `port` `(integer: 1812)` - The UDP port where the RADIUS server is listening
+  on. Defaults is 1812.
+- `secret` `(string: <required>)` - The RADIUS shared secret.
+- `unregistered_user_policies` `(string: "")` - A comma-separated list of
+  policies to be granted to unregistered users.
+- `dial_timeout` `(integer: 10)` - Number of second to wait for a backend
+  connection before timing out. Default is 10.
+- `nas_port` `(integer: 10)` - The NAS-Port attribute of the RADIUS request.
+  Defaults is 10.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "host": "radius.myorg.com",
+  "port": 1812,
+  "secret": "mySecret"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/radius/config
+```
+
+## Register User
+
+Registers a new user and maps a set of policies to it. This path honors the
+distinction between the `create` and `update` capabilities inside ACL policies.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/auth/radius/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - Username for this user.
+- `policies` `(string: "")` - Comma-separated list of policies. If set to
+  empty string, only the `default` policy will be applicable to the user.
+
+```json
+{
+  "policies": "dev,prod"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/radius/users/test-user
+```
+
+## Read User
+
+Reads the properties of an existing username.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/auth/radius/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - Username for this user.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/radius/users/test-user
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "policies": "default,dev"
+  },
+  "warnings": null
+}
+```
+
+## Delete User
+
+Deletes an existing username from the method.
+
+| Method   | Path                           |
+| :------- | :----------------------------- |
+| `DELETE` | `/auth/radius/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - Username for this user.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/radius/users/test-user
+```
+
+## List Users
+
+List the users registered with the method.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `LIST` | `/auth/radius/users` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/radius/users
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["devuser", "produser"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Login
+
+Login with the username and password.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/auth/radius/login`           |
+| `POST` | `/auth/radius/login/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - Username for this user.
+- `password` `(string: <required>)` - Password for the authenticating user.
+
+### Sample Payload
+
+```json
+{
+  "password": "Password!"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/radius/login/test-user
+```
+
+### Sample Response
+
+```javascript
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
+    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
+    "policies": ["default"],
+    "metadata": {
+      "username": "vishal"
+    },
+  },
+  "lease_duration": 7200,
+  "renewable": true
+}
+```
diff --git a/website/pages/api-docs/auth/token/index.mdx b/website/pages/api-docs/auth/token/index.mdx
new file mode 100644
index 000000000000..7391761f8bdc
--- /dev/null
+++ b/website/pages/api-docs/auth/token/index.mdx
@@ -0,0 +1,790 @@
+---
+layout: api
+page_title: Token - Auth Methods - HTTP API
+sidebar_title: Tokens
+description: This is the API documentation for the Vault token auth method.
+---
+
+# Token Auth Method (API)
+
+This is the API documentation for the Vault token auth method. For
+general information about the usage and operation of the token method, please
+see the [Vault Token method documentation](/docs/auth/token.html).
+
+## List Accessors
+
+This endpoint lists token accessor. This requires `sudo` capability, and access
+to it should be tightly controlled as the accessors can be used to revoke very
+large numbers of tokens and their associated leases at once.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `LIST` | `/auth/token/accessors` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/token/accessors
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": [
+      "476ea048-ded5-4d07-eeea-938c6b4e43ec",
+      "bb00c093-b7d3-b0e9-69cc-c4d85081165b"
+    ]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Create Token
+
+Creates a new token. Certain options are only available when called by a
+root token. If used via the `/auth/token/create-orphan` endpoint, a root
+token is not required to create an orphan token (otherwise set with the
+`no_parent` option). If used with a role name in the path, the token will
+be created against the specified role name; this may override options set
+during this call.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `POST` | `/auth/token/create`            |
+| `POST` | `/auth/token/create-orphan`     |
+| `POST` | `/auth/token/create/:role_name` |
+
+### Parameters
+
+- `id` `(string: "")` – The ID of the client token. Can only be specified by a
+  root token. Otherwise, the token ID is a randomly generated value.
+- `role_name` `(string: "")` – The name of the token role.
+- `policies` `(array: "")` – A list of policies for the token. This must be a
+  subset of the policies belonging to the token making the request, unless root.
+  If not specified, defaults to all the policies of the calling token.
+- `meta` `(map: {})` – A map of string to string valued metadata. This is
+  passed through to the audit devices.
+- `no_parent` `(bool: false)` - If true and set by a root caller, the token will
+  not have the parent token of the caller. This creates a token with no parent.
+- `no_default_policy` `(bool: false)` - If true the `default` policy will not be
+  contained in this token's policy set.
+- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
+  to be renewed past its initial TTL. Setting the value to `true` will allow
+  the token to be renewable up to the system/mount maximum TTL.
+- `lease` `(string: "")` - DEPRECATED; use `ttl` instead
+- `ttl` `(string: "")` - The TTL period of the token, provided as "1h", where
+  hour is the largest suffix. If not provided, the token is valid for the
+  [default lease TTL](/docs/configuration/index.html), or indefinitely if the
+  root policy is used.
+- `type` `(string: "")` - The token type. Can be "batch" or "service". Defaults
+  to the type specified by the role configuration named by `role_name`.
+- `explicit_max_ttl` `(string: "")` - If set, the token will have an explicit
+  max TTL set upon it. This maximum token TTL _cannot_ be changed later, and
+  unlike with normal tokens, updates to the system/mount max TTL value will
+  have no effect at renewal time -- the token will never be able to be renewed
+  or used past the value set at issue time.
+- `display_name` `(string: "token")` - The display name of the token.
+- `num_uses` `(integer: 0)` - The maximum uses for the given token. This can be
+  used to create a one-time-token or limited use token. The value of 0 has no
+  limit to the number of uses.
+- `period` `(string: "")` - If specified, the token will be periodic; it will have
+  no maximum TTL (unless an "explicit-max-ttl" is also set) but every renewal
+  will use the given period. Requires a root/sudo token to use.
+- `entity_alias` `(string: "")` - Name of the entity alias to associate with
+  during token creation. Only works in combination with `role_name` argument
+  and used entity alias must be listed in `allowed_entity_aliases`. If this has
+  been specified, the entity will not be inherited from the parent.
+
+### Sample Payload
+
+```json
+{
+  "policies": ["web", "stage"],
+  "meta": {
+    "user": "armon"
+  },
+  "ttl": "1h",
+  "renewable": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/create
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "f00341c1-fad5-f6e6-13fd-235617f858a1",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": [
+    "Policy \"stage\" does not exist",
+    "Policy \"web\" does not exist"
+  ],
+  "auth": {
+    "client_token": "s.wOrq9dO9kzOcuvB06CMviJhZ",
+    "accessor": "B6oixijqmeR4bsLOJH88Ska9",
+    "policies": ["default", "stage", "web"],
+    "token_policies": ["default", "stage", "web"],
+    "metadata": {
+      "user": "armon"
+    },
+    "lease_duration": 3600,
+    "renewable": true,
+    "entity_id": "",
+    "token_type": "service",
+    "orphan": false
+  }
+}
+```
+
+## Lookup a Token
+
+Returns information about the client token.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/auth/token/lookup` |
+
+### Parameters
+
+- `token` `(string: <required>)` - Token to lookup.
+
+### Sample Payload
+
+```json
+{
+  "token": "ClientToken"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/lookup
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
+    "creation_time": 1523979354,
+    "creation_ttl": 2764800,
+    "display_name": "ldap2-tesla",
+    "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
+    "expire_time": "2018-05-19T11:35:54.466476215-04:00",
+    "explicit_max_ttl": 0,
+    "id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
+    "identity_policies": ["dev-group-policy"],
+    "issue_time": "2018-04-17T11:35:54.466476078-04:00",
+    "meta": {
+      "username": "tesla"
+    },
+    "num_uses": 0,
+    "orphan": true,
+    "path": "auth/ldap2/login/tesla",
+    "policies": ["default", "testgroup2-policy"],
+    "renewable": true,
+    "ttl": 2764790
+  }
+}
+```
+
+## Lookup a Token (Self)
+
+Returns information about the current client token.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/auth/token/lookup-self` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/token/lookup-self
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
+    "creation_time": 1523979354,
+    "creation_ttl": 2764800,
+    "display_name": "ldap2-tesla",
+    "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
+    "expire_time": "2018-05-19T11:35:54.466476215-04:00",
+    "explicit_max_ttl": 0,
+    "id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
+    "identity_policies": ["dev-group-policy"],
+    "issue_time": "2018-04-17T11:35:54.466476078-04:00",
+    "meta": {
+      "username": "tesla"
+    },
+    "num_uses": 0,
+    "orphan": true,
+    "path": "auth/ldap2/login/tesla",
+    "policies": ["default", "testgroup2-policy"],
+    "renewable": true,
+    "ttl": 2764790
+  }
+}
+```
+
+## Lookup a Token (Accessor)
+
+Returns information about the client token from the accessor.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/auth/token/lookup-accessor` |
+
+### Parameters
+
+- `accessor` `(string: <required>)` - Token accessor to lookup.
+
+### Sample Payload
+
+```json
+{
+  "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/lookup-accessor
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
+    "creation_time": 1523979354,
+    "creation_ttl": 2764800,
+    "display_name": "ldap2-tesla",
+    "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
+    "expire_time": "2018-05-19T11:35:54.466476215-04:00",
+    "explicit_max_ttl": 0,
+    "id": "",
+    "identity_policies": ["dev-group-policy"],
+    "issue_time": "2018-04-17T11:35:54.466476078-04:00",
+    "meta": {
+      "username": "tesla"
+    },
+    "num_uses": 0,
+    "orphan": true,
+    "path": "auth/ldap2/login/tesla",
+    "policies": ["default", "testgroup2-policy"],
+    "renewable": true,
+    "ttl": 2763902
+  }
+}
+```
+
+## Renew a Token
+
+Renews a lease associated with a token. This is used to prevent the expiration
+of a token, and the automatic revocation of it. Token renewal is possible only
+if there is a lease associated with it.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/auth/token/renew` |
+
+### Parameters
+
+- `token` `(string: <required>)` - Token to renew. This can be part of the URL
+  or the body.
+- `increment` `(string: "")` - An optional requested lease increment can be
+  provided. This increment may be ignored.
+
+### Sample Payload
+
+```json
+{
+  "token": "ClientToken"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/renew
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "client_token": "ABCD",
+    "policies": ["web", "stage"],
+    "metadata": {
+      "user": "armon"
+    },
+    "lease_duration": 3600,
+    "renewable": true
+  }
+}
+```
+
+## Renew a Token (Self)
+
+Renews a lease associated with the calling token. This is used to prevent the
+expiration of a token, and the automatic revocation of it. Token renewal is
+possible only if there is a lease associated with it.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/auth/token/renew-self` |
+
+### Parameters
+
+- `increment` `(string: "")` - An optional requested lease increment can be
+  provided. This increment may be ignored.
+
+### Sample Payload
+
+```json
+{
+  "increment": "1h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/renew-self
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "client_token": "ABCD",
+    "policies": ["web", "stage"],
+    "metadata": {
+      "user": "armon"
+    },
+    "lease_duration": 3600,
+    "renewable": true
+  }
+}
+```
+
+## Renew a Token (Accessor)
+
+Renews a lease associated with a token using its accessor. This is used to
+prevent the expiration of a token, and the automatic revocation of it. Token
+renewal is possible only if there is a lease associated with it.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/auth/token/renew-accessor` |
+
+### Parameters
+
+- `accessor` `(string: <required>)` - Accessor associated with the token to
+  renew.
+- `increment` `(string: "")` - An optional requested lease increment can be
+  provided. This increment may be ignored.
+
+### Sample Payload
+
+```json
+{
+  "accessor": "7JFKXuXKXa2D44YfDiovZ9aq"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/renew-accessor
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "client_token": "",
+    "policies": ["web", "stage"],
+    "metadata": {
+      "user": "armon"
+    },
+    "lease_duration": 3600,
+    "renewable": true
+  }
+}
+```
+
+## Revoke a Token
+
+Revokes a token and all child tokens. When the token is revoked, all dynamic secrets
+generated with it are also revoked.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/auth/token/revoke` |
+
+### Parameters
+
+- `token` `(string: <required>)` - Token to revoke.
+
+### Sample Payload
+
+```json
+{
+  "token": "ClientToken"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/revoke
+```
+
+## Revoke a Token (Self)
+
+Revokes the token used to call it and all child tokens. When the token is
+revoked, all dynamic secrets generated with it are also revoked.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/auth/token/revoke-self` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/token/revoke-self
+```
+
+## Revoke a Token Accessor
+
+Revoke the token associated with the accessor and all the child tokens. This is
+meant for purposes where there is no access to token ID but there is need to
+revoke a token and its children.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/auth/token/revoke-accessor` |
+
+### Parameters
+
+- `accessor` `(string: <required>)` - Accessor of the token.
+
+### Sample Payload
+
+```json
+{
+  "accessor": "2c84f488-2133-4ced-87b0-570f93a76830"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/revoke-accessor
+```
+
+## Revoke Token and Orphan Children
+
+Revokes a token but not its child tokens. When the token is revoked, all secrets
+generated with it are also revoked. All child tokens are orphaned, but can be
+revoked sub-sequently using `/auth/token/revoke/`. This is a root-protected
+endpoint.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `POST` | `/auth/token/revoke-orphan` |
+
+### Parameters
+
+- `token` `(string: <required>)` - Token to revoke. This can be part of the URL
+  or the body.
+
+### Sample Payload
+
+```json
+{
+  "token": "ClientToken"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/token/revoke-orphan
+```
+
+## Read Token Role
+
+Fetches the named role configuration.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/auth/token/roles/:role_name` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - The name of the token role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/token/roles/nomad
+```
+
+### Sample Response
+
+```javascript
+{
+  "request_id": "075a19cd-4e56-a3ca-d956-7609819831ec",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "allowed_entity_aliases": [
+      "my-entity-alias"
+    ],
+    "allowed_policies": [],
+    "disallowed_policies": [],
+    "explicit_max_ttl": 0,
+    "name": "nomad",
+    "orphan": false,
+    "path_suffix": "",
+    "period": 0,
+    "renewable": true,
+    "token_explicit_max_ttl": 0,
+    "token_period": 0,
+    "token_type": "default-service"
+  },
+  "warnings": null
+}
+```
+
+## List Token Roles
+
+List available token roles.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `LIST` | `/auth/token/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST
+    http://127.0.0.1:8200/v1/auth/token/roles
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["role1", "role2"]
+  }
+}
+```
+
+## Create/Update Token Role
+
+Creates (or replaces) the named role. Roles enforce specific behavior when
+creating tokens that allow token functionality that is otherwise not
+available or would require `sudo`/root privileges to access. Role
+parameters, when set, override any provided options to the `create`
+endpoints. The role name is also included in the token path, allowing all
+tokens created against a role to be revoked using the
+`/sys/leases/revoke-prefix` endpoint.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/auth/token/roles/:role_name` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` – The name of the token role.
+- `allowed_policies` `(list: [])` – If set, tokens can be created with any
+  subset of the policies in this list, rather than the normal semantics of
+  tokens being a subset of the calling token's policies. The parameter is a
+  comma-delimited string of policy names. If at creation time
+  `no_default_policy` is not set and `"default"` is not contained in
+  `disallowed_policies`, the `"default"` policy will be added to the created
+  token automatically.
+- `disallowed_policies` `(list: [])` – If set, successful token creation via
+  this role will require that no policies in the given list are requested. The
+  parameter is a comma-delimited string of policy names. Adding `"default"` to
+  this list will prevent `"default"` from being added automatically to created
+  tokens.
+- `orphan` `(bool: false)` - If `true`, tokens created against this policy will
+  be orphan tokens (they will have no parent). As such, they will not be
+  automatically revoked by the revocation of any other token.
+- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
+  to be renewed past its initial TTL. Setting the value to `true` will allow
+  the token to be renewable up to the system/mount maximum TTL.
+- `path_suffix` `(string: "")` - If set, tokens created against this role will
+  have the given suffix as part of their path in addition to the role name. This
+  can be useful in certain scenarios, such as keeping the same role name in the
+  future but revoking all tokens created against it before some point in time.
+  The suffix can be changed, allowing new callers to have the new suffix as part
+  of their path, and then tokens with the old suffix can be revoked via
+  `/sys/leases/revoke-prefix`.
+- `allowed_entity_aliases` `(string: "", or list: [])` - String or JSON list
+  of allowed entity aliases. If set, specifies the entity aliases which are
+  allowed to be used during token generation. This field supports globbing.
+
+@include 'partials/tokenstorefields.mdx'
+
+### Sample Payload
+
+```json
+  "allowed_policies": [
+    "dev"
+  ],
+  "name": "nomad",
+  "orphan": false,
+  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
+  "renewable": true,
+  "allowed_entity_aliases": ["web-entity-alias", "app-entity-*"]
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST
+    --data @payload.json
+    http://127.0.0.1:8200/v1/auth/token/roles/nomad
+```
+
+## Delete Token Role
+
+This endpoint deletes the named token role.
+
+| Method   | Path                           |
+| :------- | :----------------------------- |
+| `DELETE` | `/auth/token/roles/:role_name` |
+
+### Parameters
+
+- `role_name` `(string: <required>)` - The name of the token role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/token/roles/admins
+```
+
+## Tidy Tokens
+
+Performs some maintenance tasks to clean up invalid entries that may remain
+in the token store. Generally, running this is not needed unless upgrade
+notes or support personnel suggest it. This may perform a lot of I/O to the
+storage method so should be used sparingly.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/auth/token/tidy` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/token/tidy
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "84437c7f-36a1-6c1d-381d-14ec99217e94",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": [
+    "Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs."
+  ],
+  "auth": null
+}
+```
diff --git a/website/pages/api-docs/auth/userpass/index.mdx b/website/pages/api-docs/auth/userpass/index.mdx
new file mode 100644
index 000000000000..48bcef6414ee
--- /dev/null
+++ b/website/pages/api-docs/auth/userpass/index.mdx
@@ -0,0 +1,249 @@
+---
+layout: api
+page_title: Userpass - Auth Methods - HTTP API
+sidebar_title: Username & Password
+description: |-
+  This is the API documentation for the Vault username and password
+  auth method.
+---
+
+# Userpass Auth Method (HTTP API)
+
+This is the API documentation for the Vault Username & Password auth method. For
+general information about the usage and operation of the Username and Password method, please
+see the [Vault Userpass method documentation](/docs/auth/userpass.html).
+
+This documentation assumes the Username & Password method is mounted at the `/auth/userpass`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Create/Update User
+
+Create a new user or update an existing user. This path honors the distinction between the `create` and `update` capabilities inside ACL policies.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `POST` | `/auth/userpass/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` – The username for the user.
+- `password` `(string: <required>)` - The password for the user. Only required
+  when creating the user.
+
+@include 'partials/tokenfields.mdx'
+
+### Sample Payload
+
+```json
+{
+  "password": "superSecretPassword",
+  "policies": "admin,default",
+  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
+```
+
+## Read User
+
+Reads the properties of an existing username.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `GET`  | `/auth/userpass/users/:username` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "max_ttl": 0,
+    "policies": ["default", "dev"],
+    "ttl": 0
+  },
+  "warnings": null
+}
+```
+
+## Delete User
+
+This endpoint deletes the user from the method.
+
+| Method   | Path                             |
+| :------- | :------------------------------- |
+| `DELETE` | `/auth/userpass/users/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` - The username for the user.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
+```
+
+## Update Password on User
+
+Update password for an existing user.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `POST` | `/auth/userpass/users/:username/password` |
+
+### Parameters
+
+- `username` `(string: <required>)` – The username for the user.
+- `password` `(string: <required>)` - The password for the user.
+
+### Sample Payload
+
+```json
+{
+  "password": "superSecretPassword2"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/password
+```
+
+## Update Policies on User
+
+Update policies for an existing user.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `POST` | `/auth/userpass/users/:username/policies` |
+
+### Parameters
+
+- `username` `(string: <required>)` – The username for the user.
+- `policies` `(string: "")` – Comma-separated list of policies. If set to empty
+
+### Sample Payload
+
+```json
+{
+  "policies": ["policy1", "policy2"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/policies
+```
+
+## List Users
+
+List available userpass users.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `LIST` | `/auth/userpass/users` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST
+    http://127.0.0.1:8200/v1/auth/userpass/users
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["mitchellh", "armon"]
+  }
+}
+```
+
+## Login
+
+Login with the username and password.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `POST` | `/auth/userpass/login/:username` |
+
+### Parameters
+
+- `username` `(string: <required>)` – The username for the user.
+- `password` `(string: <required>)` - The password for the user.
+
+### Sample Payload
+
+```json
+{
+  "password": "superSecretPassword2"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
+    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
+    "policies": ["default"],
+    "metadata": {
+      "username": "mitchellh"
+    },
+    "lease_duration": 7200,
+    "renewable": true
+  }
+}
+```
diff --git a/website/source/api/index.html.md.erb b/website/pages/api-docs/index.html.md.erb
similarity index 100%
rename from website/source/api/index.html.md.erb
rename to website/pages/api-docs/index.html.md.erb
diff --git a/website/pages/api-docs/index.mdx b/website/pages/api-docs/index.mdx
new file mode 100644
index 000000000000..ea40ae116485
--- /dev/null
+++ b/website/pages/api-docs/index.mdx
@@ -0,0 +1,292 @@
+---
+layout: api
+page_title: HTTP API
+sidebar_title: Overview
+description: Vault has an HTTP API that can be used to control every aspect of Vault.
+---
+
+# HTTP API
+
+The Vault HTTP API gives you full access to Vault via HTTP. Every aspect of
+Vault can be controlled via this API. The Vault CLI uses the HTTP API to access
+Vault.
+
+All API routes are prefixed with `/v1/`.
+
+This documentation is only for the v1 API, which is currently the only version.
+
+~> **Backwards compatibility:** At the current version, Vault does not yet
+promise backwards compatibility even with the v1 prefix. We'll remove this
+warning when this policy changes. At this point in time the core API (that
+is, `sys/` routes) change very infrequently, but various secrets engines/auth
+methods/etc. sometimes have minor changes to accommodate new features as
+they're developed.
+
+## Transport
+
+The API is expected to be accessed over a TLS connection at all times, with a
+valid certificate that is verified by a well-behaved client. It is possible to
+disable TLS verification for listeners, however, so API clients should expect
+to have to do both depending on user settings.
+
+## Authentication
+
+Once Vault is unsealed, almost every other operation requires a _client token_.
+A user may have a client token sent to them. The client token must be sent as
+either the `X-Vault-Token` HTTP Header or as `Authorization` HTTP Header using
+the `Bearer <token>` scheme.
+
+Otherwise, a client token can be retrieved via [authentication
+backends](/docs/auth/index.html).
+
+Each auth method has one or more unauthenticated login endpoints. These
+endpoints can be reached without any authentication, and are used for
+authentication to Vault itself. These endpoints are specific to each auth
+method.
+
+Responses from auth login methods that generate an authentication token are
+sent back to the client via JSON. The resulting token should be saved on the
+client or passed via the `X-Vault-Token` or `Authorization` header for future requests.
+
+## Namespaces
+
+If using the [Namespaces](/docs/enterprise/namespaces/index.html) feature, API
+operations are relative to the namespace value passed in via the
+`X-Vault-Namespace` header. For instance, if the request path is to
+`secret/foo`, and the header is set to `ns1/ns2/`, the final request path Vault
+uses will be `ns1/ns2/secret/foo`. Note that it is semantically equivalent to
+use a full path rather than the `X-Vault-Namespace` header, as the operation in
+Vault will always look up the correct namespace based on the final given path.
+Thus, it would be equivalent to the above example to set `X-Vault-Namespace` to
+`ns1/` and a request path of `ns2/secret/foo`, or to not set
+`X-Vault-Namespace` at all and use a request path of `ns1/ns2/secret/foo`.
+
+For example, the following two commands result in equivalent requests:
+
+```shell
+$ curl \
+    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
+    -H "X-Vault-Namespace: ns1/ns2/" \
+    -X GET \
+    http://127.0.0.1:8200/v1/secret/foo
+```
+
+```shell
+$ curl \
+    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
+    -X GET \
+    http://127.0.0.1:8200/v1/ns1/ns2/secret/foo
+```
+
+## API Operations
+
+With few documented exceptions, all request body data and response data from
+Vault is via JSON. Vault will set the `Content-Type` header appropriately but
+does not require that clients set it.
+
+Different plugins implement different APIs according to their functionality.
+The examples below are created with the `KVv1` backend, which acts like a very
+simple Key/Value store. Read the documentation for a particular backend for
+detailed information on its API; this simply provides a general overview.
+
+For `KVv1`, reading a secret via the HTTP API is done by issuing a GET:
+
+```text
+/v1/secret/foo
+```
+
+This maps to `secret/foo` where `foo` is the key in the `secret/` mount, which
+is mounted by default on a fresh Vault install and is of type `kv`.
+
+Here is an example of reading a secret using cURL:
+
+```shell
+$ curl \
+    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
+    -X GET \
+    http://127.0.0.1:8200/v1/secret/foo
+```
+
+A few endpoints consume query parameters via `GET` calls, but only if those
+parameters are not sensitive, as some load balancers will log these. Most
+endpoints that consume parameters use `POST` instead and put the parameters in
+the request body.
+
+You can list secrets as well. To do this, either issue a GET with the query
+parameter `list=true`, or you can use the `LIST` HTTP verb. For the `kv`
+backend, listing is allowed on directories only, and returns the keys in the
+given directory:
+
+```shell
+$ curl \
+    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
+    -X LIST \
+    http://127.0.0.1:8200/v1/secret/
+```
+
+The API documentation uses `LIST` as the HTTP verb, but you can still use `GET`
+with the `?list=true` query string.
+
+To use an API that consumes data via request body, issue a `POST` or `PUT`:
+
+```text
+/v1/secret/foo
+```
+
+with a JSON body like:
+
+```javascript
+{
+  "value": "bar"
+}
+```
+
+Here is an example of writing a secret using cURL:
+
+```shell
+$ curl \
+    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
+    -H "Content-Type: application/json" \
+    -X POST \
+    -d '{"value":"bar"}' \
+    http://127.0.0.1:8200/v1/secret/baz
+```
+
+Vault currently considers `PUT` and `POST` to be synonyms. Rather than trust a
+client's stated intentions, Vault backends can implement an existence check to
+discover whether an operation is actually a create or update operation based on
+the data already stored within Vault. This makes permission management via ACLs
+more flexible.
+
+For more examples, please look at the Vault API client.
+
+## The `X-Vault-Request` Header
+
+Requests that are sent to a [Vault Agent][agent] that is configured to use the
+`require_request_header` option must include the `X-Vault-Request` header
+entry, e.g.:
+
+```shell
+$ curl \
+    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
+    -H "X-Vault-Request: true" \
+    -H "Content-Type: application/json" \
+    -X POST \
+    -d '{"value":"bar"}' \
+    http://127.0.0.1:8200/v1/secret/baz
+```
+
+The Vault CLI always adds this header to every request, regardless of whether
+the request is being sent to a Vault Agent or directly to a Vault Server. In
+addition, the Vauld SDK always adds this header to every request.
+
+## Help
+
+To retrieve the help for any API within Vault, including mounted backends, auth
+methods, etc. then append `?help=1` to any URL. If you have valid permission to
+access the path, then the help text will be return a markdown-formatted block in the `help` attribute of the response.
+
+Additionally, with the [OpenAPI generation](/api/system/internal-specs-openapi.html) in Vault, you will get back a small
+OpenAPI document in the `openapi` attribute. This document is relevant for the path you're looking up and any paths under it - also note paths in the OpenAPI document are relative to the initial path queried.
+
+Example request:
+
+```shell
+$ curl \
+    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
+    http://127.0.0.1:8200/v1/secret?help=1
+```
+
+Example response:
+
+```javascript
+
+{
+  "help": "## DESCRIPTION\n\nThis backend provides a versioned key-value store. The kv backend reads and\nwrites arbitrary secrets to the storage backend. The secrets are\nencrypted/decrypted by Vault: they are never stored unencrypted in the backend\nand the backend never has an opportunity to see the unencrypted value. Each key\ncan have a configured number of versions, and versions can be retrieved based on\ntheir version numbers.\n\n## PATHS\n\nThe following paths are supported by this backend. To view help for\nany of the paths below, use the help command with any route matching\nthe path pattern. Note that depending on the policy of your auth token,\nyou may or may not be able to access certain paths.\n\n    ^.*$\n\n\n    ^config$\n        Configures settings for the KV store\n\n    ^data/(?P<path>.*)$\n        Write, Read, and Delete data in the Key-Value Store.\n\n    ^delete/(?P<path>.*)$\n        Marks one or more versions as deleted in the KV store.\n\n    ^destroy/(?P<path>.*)$\n        Permanently removes one or more versions in the KV store\n\n    ^metadata/(?P<path>.*)$\n        Configures settings for the KV store\n\n    ^undelete/(?P<path>.*)$\n        Undeletes one or more versions from the KV store.",
+  "openapi": {
+    "openapi": "3.0.2",
+    "info": {
+      "title": "HashiCorp Vault API",
+      "description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.",
+      "version": "1.0.0",
+      "license": {
+        "name": "Mozilla Public License 2.0",
+        "url": "https://www.mozilla.org/en-US/MPL/2.0"
+      }
+    },
+    "paths": {
+      "/.*": {},
+      "/config": {
+        "description": "Configures settings for the KV store",
+        "x-vault-create-supported": true,
+        "get": {
+          "summary": "Read the backend level settings.",
+          "tags": [
+            "secrets"
+          ],
+          "responses": {
+            "200": {
+              "description": "OK"
+            }
+          }
+        },
+     ...[output truncated]...
+     }
+  }
+}
+```
+
+## Error Response
+
+A common JSON structure is always returned to return errors:
+
+```javascript
+{
+  "errors": [
+    "message",
+    "another message"
+  ]
+}
+```
+
+This structure will be sent down for any HTTP status greater than
+or equal to 400.
+
+## HTTP Status Codes
+
+The following HTTP status codes are used throughout the API. Vault tries to
+adhere to these whenever possible, but in some cases may not -- feel free to
+file a bug in that case to point our attention to it!
+
+~> _Note_: Applications should be prepared to accept both `200` and `204` as
+success. `204` is simply an indication that there is no response body to parse,
+but API endpoints that indicate that they return a `204` may return a `200` if
+warnings are generated during the operation.
+
+- `200` - Success with data.
+- `204` - Success, no data returned.
+- `400` - Invalid request, missing or invalid data.
+- `403` - Forbidden, your authentication details are either incorrect, you
+  don't have access to this feature, or - if CORS is enabled - you made a
+  cross-origin request from an origin that is not allowed to make such
+  requests.
+- `404` - Invalid path. This can both mean that the path truly doesn't exist or
+  that you don't have permission to view a specific path. We use 404 in some
+  cases to avoid state leakage.
+- `429` - Default return code for health status of standby nodes. This will
+  likely change in the future.
+- `473` - Default return code for health status of performance standby nodes.
+- `500` - Internal server error. An internal error has occurred, try again
+  later. If the error persists, report a bug.
+- `502` - A request to Vault required Vault making a request to a third party;
+  the third party responded with an error of some kind.
+- `503` - Vault is down for maintenance or is currently sealed. Try again
+  later.
+
+## Limits
+
+A maximum request size of 32MB is imposed to prevent a denial of service attack
+with arbitrarily large requests; this can be tuned per `listener` block in
+Vault's server configuration file.
+
+[agent]: /docs/agent/index.html#listener-stanza
diff --git a/website/pages/api-docs/libraries.mdx b/website/pages/api-docs/libraries.mdx
new file mode 100644
index 000000000000..33d3c9c1d3c8
--- /dev/null
+++ b/website/pages/api-docs/libraries.mdx
@@ -0,0 +1,166 @@
+---
+layout: api
+page_title: 'HTTP API: Libraries'
+sidebar_title: Client Libraries
+description: >-
+  List of official and community contributed libraries for interacting with the
+  Vault HTTP API.
+---
+
+# Libraries
+
+The programming libraries listed on this page can be used to consume the API more conveniently.
+Some are officially maintained while others are provided by the community.
+
+## Official
+
+These libraries are officially maintained by HashiCorp.
+
+### Go
+
+- [Vault Go Client](https://github.com/hashicorp/vault/tree/master/api)
+
+```shell
+$ go get github.com/hashicorp/vault/api
+```
+
+### Ruby
+
+- [Vault Ruby Client](https://github.com/hashicorp/vault-ruby)
+
+```shell
+$ gem install vault
+```
+
+## Community
+
+These libraries are provided by the community.
+
+### Ansible
+
+- [ansible-vault](https://github.com/jhaals/ansible-vault) lookup plugin without third-party dependencies.
+- [Ansible Modules Hashivault](https://pypi.python.org/pypi/ansible-modules-hashivault)
+
+```shell
+$ pip install ansible-modules-hashivault
+```
+
+### C&#35;
+
+- [VaultSharp](https://github.com/rajanadar/VaultSharp) (.NET Standard 2.0 & 1.3, .NET Core >= 1.0.0, .NET 4.5, .NET 4.6, Mono, iOS, Android, Mac, UWP etc.)
+
+```shell
+$ Install-Package VaultSharp
+```
+
+- [Vault.NET](https://github.com/Chatham/Vault.NET)
+
+```shell
+$ Install-Package Vault
+```
+
+### C++
+
+- [libvault](https://github.com/abedra/libvault)
+
+### Clojure
+
+- [vault-clj](https://github.com/amperity/vault-clj)
+
+### Elixir
+
+- [libvault](https://hex.pm/packages/libvault)
+- [vaultex](https://hex.pm/packages/vaultex)
+
+### Go
+
+- [vc](https://github.com/adfinis-sygroup/vault-client)
+
+```shell
+$ go get github.com/adfinis-sygroup/vault-client
+```
+
+### Haskell
+
+- [vault-tool](https://hackage.haskell.org/package/vault-tool)
+
+```shell
+$ cabal install vault-tool
+```
+
+- [gothic](http://hackage.haskell.org/package/gothic)
+
+```shell
+$ stack install gothic
+```
+
+### Java
+
+- [Spring Vault](https://github.com/spring-projects/spring-vault)
+- [vault-java-driver](https://github.com/BetterCloud/vault-java-driver)
+
+### Kotlin
+
+- [vault-kotlin](https://github.com/kunickiaj/vault-kotlin)
+
+### Node.js
+
+- [node-vault](https://github.com/kr1sp1n/node-vault)
+
+```shell
+$ npm install node-vault
+```
+
+### PHP
+
+- [vault-php-sdk](https://github.com/jippi/vault-php-sdk)
+
+```shell
+$ composer require jippi/vault-php-sdk
+```
+
+- [vault-php-sdk](https://github.com/violuke/vault-php-sdk) extended from jipppi
+
+```shell
+$ composer require violuke/vault-php-sdk
+```
+
+- [vault-php](https://github.com/CSharpRU/vault-php)
+
+```shell
+$ composer require csharpru/vault-php
+```
+
+### PowerShell
+
+- [Zyborg.Vault](https://github.com/zyborg/Zyborg.Vault)
+
+```PowerShell
+Install-Module Zyborg.Vault
+```
+
+### Python
+
+- [HVAC](https://github.com/ianunruh/hvac)
+
+```shell
+$ pip install hvac
+```
+
+- [Async-HVAC](https://github.com/Aloomaio/async-hvac)
+
+```shell
+$ pip install async-hvac
+```
+
+### R
+
+- [vaultr](https://github.com/vimc/vaultr)
+
+### Rust
+
+- [HashicorpVault](https://crates.io/crates/hashicorp_vault)
+
+### Scala
+
+- [scala-vault](https://github.com/janstenpickle/scala-vault)
diff --git a/website/pages/api-docs/relatedtools.mdx b/website/pages/api-docs/relatedtools.mdx
new file mode 100644
index 000000000000..b2683e2eb897
--- /dev/null
+++ b/website/pages/api-docs/relatedtools.mdx
@@ -0,0 +1,37 @@
+---
+layout: api
+page_title: Related Tools
+sidebar_title: Related Tools
+description: Short list of third-party tools that work with or are related to Vault.
+---
+
+# Related Tools
+
+## Hashicorp Tools
+
+- The [Terraform Vault provider](https://www.terraform.io/docs/providers/vault/index.html) can read from, write to, and configure Vault from [HashiCorp Terraform](https://www.terraform.io/)
+- [consul-template](https://github.com/hashicorp/consul-template) is a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data
+- [envconsul](https://github.com/hashicorp/envconsul) allows you to read and set environmental variables for processes from Consul and Vault data
+- The [vault-ssh-helper](https://github.com/hashicorp/vault-ssh-helper) can be used to enable one-time passwords for SSH authentication via Vault
+
+## Third-Party Tools
+
+The following list of tools is maintained by the community of Vault users; HashiCorp has not tested or approved them and makes no claims as to their suitability or security.
+
+- [HashiCorp Vault Jenkins plugin](https://plugins.jenkins.io/hashicorp-vault-plugin) - a Jenkins plugin for injecting Vault secrets into the build environment
+- [Spring Vault](http://projects.spring.io/spring-vault/) - a Java Spring project for working with Vault secrets
+- [vault-exec](https://github.com/kmanning/vault_exec) - a shell wrapper to execute arbitrary scripts using temporary AWS credentials managed by Vault
+- [pouch](https://github.com/tuenti/pouch) - A set of tools to manage provisioning of secrets on hosts based on the AppRole authentication method of Vault
+- [vault-aws-creds](https://github.com/jantman/vault-aws-creds) - Python helper to export Vault-provided temporary AWS creds into the environment
+- [goldfish](https://github.com/Caiyeon/goldfish) - A Vault UI panel written with VueJS and Vault native Go API.
+- [vaultenv](https://github.com/channable/vaultenv) - A tool that fetches secrets in parallel, puts them into the environment and then `exec`s the process that needs them
+- [vault-migrator](https://github.com/nebtex/vault-migrator) - A tool to migrate data between different Vault storage mechanisms
+- [Cryptr](https://github.com/adobe/cryptr) - a desktop Vault UI for Mac, Windows and Linux
+- [sequelize-vault](https://github.com/linyows/sequelize-vault) - A Sequelize plugin for easily integrating Vault secrets.
+- [ansible-modules-hashivault](https://github.com/TerryHowe/ansible-modules-hashivault) - An Ansible module for configuring most things in Vault including secrets, backends and policies.
+- [Docker credential helper](https://github.com/morningconsult/docker-credential-vault-login) - A program that automatically reads Docker credentials from your Vault server and passes them to the Docker daemon to authenticate to your Docker registry when pulling an image
+- [Cruise Daytona](https://github.com/cruise-automation/daytona) - An alternative implementation of the Vault client CLI for services and containers. Its core features are the abilty to automate authentication, fetching of secrets, and automated token renewal. Support for AWS, GCP, & Kubernetes Vault Auth Backends.
+- [Vault-CRD](https://vault.koudingspawn.de/) - Synchronize secrets stored in HashiCorp Vault to Kubernetes Secrets for better GitOps without secrets stored in git manifest files.
+- [nc-vault-env](https://github.com/namecheap/nc-vault-env) - JS CLI tool that fetches secrets in parallel, puts them into the environment and then `exec`s the process that needs them. Supports auth token renewal, multiple auth backends, verbose logging and dummy mode.
+
+Want to add your own project, or one that you use? Additions are welcome via [pull requests](https://github.com/hashicorp/vault/blob/master/website/source/api/relatedtools.html.md).
diff --git a/website/pages/api-docs/secret/ad/index.mdx b/website/pages/api-docs/secret/ad/index.mdx
new file mode 100644
index 000000000000..e7638458914e
--- /dev/null
+++ b/website/pages/api-docs/secret/ad/index.mdx
@@ -0,0 +1,436 @@
+---
+layout: api
+page_title: Active Directory - Secrets Engines - HTTP API
+sidebar_title: Active Directory
+description: This is the API documentation for the Vault Active Directory secrets engine.
+---
+
+# Active Directory Secrets Engine (API)
+
+This is the API documentation for the Vault AD secrets engine. For general
+information about the usage and operation of the AD secrets engine, please see
+the [Vault Active Directory documentation](/docs/secrets/ad/index.html).
+
+This documentation assumes the AD secrets engine is enabled at the `/ad` path
+in Vault. Since it is possible to enable secrets engines at any location, please
+update your API calls accordingly.
+
+## Configuration
+
+The `config` endpoint configures the LDAP connection and binding parameters, as well as the password rotation configuration.
+
+### Password parameters
+
+- `ttl` (string, optional) - The default password time-to-live in seconds. Once the ttl has passed, a password will be rotated the next time it's requested.
+- `max_ttl` (string, optional) - The maximum password time-to-live in seconds. No role will be allowed to set a custom ttl greater than the `max_ttl`.
+- `length` (string, optional) - The desired password length. Defaults to 64. Minimum is 14.
+- `formatter` (string, optional) - Text into which the base64 password should be inserted, formatted like so: `mycustom{{PASSWORD}}`.
+
+To meet Microsoft's password complexity requirements, all passwords begin with "?@09AZ" unless a `formatter` is provided.
+The `formatter` is for organizations with different, custom password requirements. It allows an organization to supply
+text that fulfills those requirements. `{{PASSWORD}}` must appear exactly once and can be anywhere in the text.
+
+### Connection parameters
+
+- `url` (string, optional) - The LDAP server to connect to. Examples: `ldaps://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. This can also be a comma-delineated list of URLs, e.g. `ldaps://ldap.myorg.com,ldaps://ldap.myorg.com:636`, in which case the servers will be tried in-order if there are errors during the connection process. Default is `ldap://127.0.0.1`.
+- `case_sensitive_names` `(bool: false)` – If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case. Case will still be preserved when sending the username to the LDAP server at login time; this is only for matching local user/group definitions.
+- `request_timeout` `(integer: 90 or string: "90s")` - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
+- `starttls` (bool, optional) - If true, issues a `StartTLS` command after establishing an unencrypted connection.
+- `insecure_tls` - (bool, optional) - If true, skips LDAP server SSL certificate verification - insecure, use with caution!
+- `certificate` - (string, optional) - CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
+
+### Binding parameters
+
+- `binddn` (string, required) - Distinguished name of object to bind when performing user and group search. Example: `cn=vault,ou=Users,dc=example,dc=com`
+- `bindpass` (string, required) - Password to use along with `binddn` when performing user search.
+- `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
+- `upndomain` (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind as `username@example.com`.
+
+### Other parameters
+
+- `last_rotation_tolerance` (string, optional) - Tolerance duration to use when checking the last rotation time.
+  Active Directory often shows a "pwdLastSet" time after Vault's because it takes
+  a while for password updates to be propagated across a large cluster. By default, if Active Directory's last rotation time is
+  within 5 seconds of Vault's, Vault considers itself to have been the last entity that rotated the password. However, if it's been
+  more than 5 seconds, Vault thinks that something rotated the password out-of-band, and re-rotates it so it will "know" it and be
+  able to continue returning it. This may be too low for larger Active Directory clusters, and too high for smaller ones.
+
+## Config management
+
+At present, this endpoint does not confirm that the provided AD credentials are
+valid AD credentials with proper permissions.
+
+| Method   | Path         |
+| :------- | :----------- |
+| `POST`   | `/ad/config` |
+| `GET`    | `/ad/config` |
+| `DELETE` | `/ad/config` |
+
+### Sample Post Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ad/config
+```
+
+### Sample Post Payload
+
+```json
+{
+  "binddn": "domain-admin",
+  "bindpass": "pa$$w0rd",
+  "url": "ldaps://127.0.0.11",
+  "userdn": "dc=example,dc=com"
+}
+```
+
+### Sample Get Response Data
+
+```json
+{
+  "binddn": "domain-admin",
+  "certificate": "",
+  "insecure_tls": false,
+  "length": 64,
+  "max_ttl": 2764800,
+  "starttls": false,
+  "tls_max_version": "tls12",
+  "tls_min_version": "tls12",
+  "ttl": 2764800,
+  "upndomain": "",
+  "url": "ldaps://127.0.0.11",
+  "userdn": "dc=example,dc=com"
+}
+```
+
+## Role management
+
+The `roles` endpoint configures how Vault will manage the passwords for individual service accounts.
+
+### Parameters
+
+- `service_account_name` (string, required) - The name of a pre-existing service account in Active Directory that maps to this role.
+- `ttl` (string, optional) - The password time-to-live in seconds. Defaults to the configuration `ttl` if not provided.
+
+When adding a role, Vault verifies its associated service account exists.
+
+| Method   | Path                   |
+| :------- | :--------------------- |
+| `GET`    | `/ad/roles`            |
+| `POST`   | `/ad/roles/:role_name` |
+| `GET`    | `/ad/roles/:role_name` |
+| `DELETE` | `/ad/roles/:role_name` |
+
+### Sample Post Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ad/roles/my-application
+```
+
+### Sample Post Payload
+
+```json
+{
+  "service_account_name": "my-application@example.com",
+  "ttl": 100
+}
+```
+
+### Sample Get Role Response
+
+```json
+{
+  "last_vault_rotation": "2018-05-24T17:14:38.677370855Z",
+  "password_last_set": "2018-05-24T17:14:38.6038495Z",
+  "service_account_name": "my-application@example.com",
+  "ttl": 100
+}
+```
+
+### Sample List Roles Response
+
+Performing a `LIST` on the `/ad/roles` endpoint will list the names of all the roles Vault contains.
+
+```json
+["my-application"]
+```
+
+## Retrieving passwords
+
+The `creds` endpoint offers the credential information for a given role.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/ad/creds/:role_name` |
+
+### Sample Get Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/ad/creds/my-application
+```
+
+### Sample Get Response
+
+```json
+{
+  "current_password": "?@09AZnh4Q5N4O5zdLk/4F8aIMgsnpDM6tSQEZCge3Mz1wXcZEgZhOa6OR748F96",
+  "last_password": "?@09AZSen9TzUwK7ZhafS7B0GuWGraQjfWEna5SwnmF/tVaKFqjXhhGV/Z0v/pBJ",
+  "username": "my-application"
+}
+```
+
+## Library management
+
+The `library` endpoint configures the sets of service accounts that Vault will offer for check-out.
+
+### Parameters
+
+- `name` (string: "", required): The name of the set of service accounts.
+- `service_account_names` (string: "", or list: [] required): The names of all the service accounts that can be
+  checked out from this set. These service accounts must only be used by Vault, and may only be in one set. These
+  service accounts must already exist in Active Directory.
+- `ttl` (duration: "24h", optional): The maximum amount of time a single check-out lasts before Vault
+  automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
+- `max_ttl` (duration: "24h", optional): The maximum amount of time a check-out last with renewal before Vault
+  automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
+- `disable_check_in_enforcement` (bool: false, optional): Disable enforcing that service accounts must be
+  checked in by the entity or client token that checked them out. Defaults to false.
+
+When adding a service account to the library, Vault verifies it already exists in Active Directory.
+
+| Method   | Path                    |
+| :------- | :---------------------- |
+| `LIST`   | `/ad/library`           |
+| `POST`   | `/ad/library/:set_name` |
+| `GET`    | `/ad/library/:set_name` |
+| `DELETE` | `/ad/library/:set_name` |
+
+### Sample Post Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ad/library/accounting-team
+```
+
+### Sample Post Payload
+
+```json
+{
+  "service_account_names": ["fizz@example.com", "buzz@example.com"],
+  "ttl": "10h",
+  "max_ttl": "20h",
+  "disable_check_in_enforcement": false
+}
+```
+
+### Sample Get Response
+
+```json
+{
+  "service_account_names": ["fizz@example.com", "buzz@example.com"],
+  "ttl": "10h",
+  "max_ttl": "20h",
+  "disable_check_in_enforcement": false
+}
+```
+
+### Sample List Response
+
+Performing a `LIST` on the `/ad/library` endpoint will list the names of all the sets of service accounts Vault contains.
+
+```json
+["accounting-team"]
+```
+
+## Check-out management
+
+These endpoints help manage check-outs.
+
+### Check a credential out
+
+Returns a `200` if a credential is available, and a `400` if no credential is available.
+
+- `name` (string: "", required): The name of the set of service accounts.
+- `ttl` (duration: "", optional): The maximum amount of time a check-out lasts before Vault
+  automatically checks it back in. Setting it to zero reflects an unlimited lending period.
+  Defaults to the set's `ttl`. If the requested `ttl` is higher than the set's, the set's will be used.
+
+| Method | Path                              |
+| :----- | :-------------------------------- |
+| `POST` | `/ad/library/:set_name/check-out` |
+
+### Sample Post Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ad/library/accounting-team/check-out
+```
+
+### Sample Post Payload
+
+```json
+{
+  "ttl": "1h"
+}
+```
+
+### Sample Post Response
+
+```json
+{
+  "request_id": "364a17d4-e5ab-998b-ceee-b49929229e0c",
+  "lease_id": "ad/library/accounting-team/check-out/aoBsaBEI4PK96VnukubvYDlZ",
+  "renewable": true,
+  "lease_duration": 36000,
+  "data": {
+    "password": "?@09QW0KZ8DSBu3deIu7XLY1NZqzwhozmMAZ6v0IcZJGOjs5GvpVMvOeW7/duls2",
+    "service_account_name": "fizz@example.com"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+### Check a credential in
+
+By default, check-in must be called by the same entity or client token used for check-out.
+To disable this behavior, use the `disable_check_in_enforcement` toggle on the library set. Or, use
+the `ad/library/manage/:set_name/check-in` behavior to force check-in of the account. Access to the
+"manage" endpoint should only be granted to highly privileged Vault users, like Vault operators.
+
+If a caller attempts to check in a service account they're not authorized to check in, they will
+receive an error response. If they attempt to check in a service account they _are_ authorized to
+check in, but it's _already_ checked in, they will receive a successful response but the account
+will not be included in the `check_ins` listed. `check_ins` shows which service accounts were checked
+in _by this particular call_.
+
+- `name` (string: "", required): The name of the set of service accounts.
+- `service_account_names` (string: "", or list: [] optional): The names of all the service accounts to be
+  checked in. May be omitted if only one is checked out.
+
+| Method | Path                                    |
+| :----- | :-------------------------------------- |
+| `POST` | `/ad/library/:set_name/check-in`        |
+| `POST` | `/ad/library/manage/:set_name/check-in` |
+
+### Sample Post Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ad/library/accounting-team/check-in
+```
+
+### Sample Post Payload
+
+```json
+{
+  "service_account_names": ["fizz@example.com"]
+}
+```
+
+### Sample Post Response
+
+```json
+{
+  "request_id": "db45c714-3f68-b748-95bc-8f7467637a52",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "check_ins": ["fizz@example.com"]
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+### Check the status of service accounts
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/ad/library/:set_name/status` |
+
+### Sample Get Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/ad/library/accounting-team/status
+```
+
+### Sample Get Response
+
+```json
+{
+  "request_id": "9e44c8b5-d142-5867-2a11-49f3ba71215a",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "buzz@example.com": {
+      "available": true
+    },
+    "fizz@example.com": {
+      "available": false,
+      "borrower_client_token": "4c653e473bf7e27c6759fccc3def20c44d776279",
+      "borrower_entity_id": "631256b1-8523-9838-5501-d0a1e2cdad9c"
+    }
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Rotate Root Credentials
+
+Rotate the `bindpass` to a new one known only to Vault.
+
+### Risks
+
+1. When the `bindpass` is rotated, it successfully gets rotated in Active Directory but Vault can't store it so it becomes unknown.
+2. If the `binddn` in use applies to more than one entity in Active Directory, root credential rotation will fail because it's unclear which entity to perform the operation for.
+
+### Mitigating Risks
+
+1. Always have another account that can provision a new `binddn` and `bindpass` to replace one whose password becomes unknown.
+2. Ensure the `binddn` in use only applies to one entity by including all distinguished name parameters possible. For example, use `"CN=vault-ad-test,CN=Users,DC=example,DC=com"` instead of `"CN=vault-ad-test"`.
+
+### Endpoints
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/ad/rotate-root` | `204 (empty body) or 200 with warning` |
+
+Generally, `rotate-root` returns a 204. However, if `rotate-root` is already in progress, it may return a 200 with a warning that root credential rotation is already in progress.
+
+### Sample Get Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/ad/rotate-root
+```
diff --git a/website/pages/api-docs/secret/alicloud/index.mdx b/website/pages/api-docs/secret/alicloud/index.mdx
new file mode 100644
index 000000000000..f41b89867c57
--- /dev/null
+++ b/website/pages/api-docs/secret/alicloud/index.mdx
@@ -0,0 +1,216 @@
+---
+layout: api
+page_title: AliCloud - Secrets Engines - HTTP API
+sidebar_title: AliCloud
+description: This is the API documentation for the Vault AliCloud secrets engine.
+---
+
+# AliCloud Secrets Engine (API)
+
+This is the API documentation for the Vault AliCloud secrets engine. For general
+information about the usage and operation of the AliCloud secrets engine, please see
+the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html).
+
+This documentation assumes the AliCloud secrets engine is enabled at the `/alicloud` path
+in Vault. Since it is possible to enable secrets engines at any location, please
+update your API calls accordingly.
+
+## Config management
+
+This endpoint configures the root RAM credentials to communicate with AliCloud. AliCloud
+will use credentials in the following order:
+
+1. [Environment variables](https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/auth/credentials/providers/env.go)
+2. A static credential configuration set at this endpoint
+3. Instance metadata (recommended)
+
+To use instance metadata, leave the static credential configuration unset.
+
+At present, this endpoint does not confirm that the provided AliCloud credentials are
+valid AliCloud credentials with proper permissions.
+
+Please see the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html) for
+the policies that should be attached to the access key you provide.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/alicloud/config` |
+| `GET`  | `/alicloud/config` |
+
+### Parameters
+
+- `access_key` (string, required) - The ID of an access key with appropriate policies.
+- `secret_key` (string, required) - The secret for that key.
+
+### Sample Post Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/alicloud/config
+```
+
+### Sample Post Payload
+
+```json
+{
+  "access_key": "0wNEpMMlzy7szvai",
+  "secret_key": "PupkTg8jdmau1cXxYacgE736PJj4cA"
+}
+```
+
+### Sample Get Response Data
+
+```json
+{
+  "access_key": "0wNEpMMlzy7szvai"
+}
+```
+
+## Role management
+
+The `role` endpoint configures how Vault will generate credentials for users of each role.
+
+### Parameters
+
+- `name` (string, required) – Specifies the name of the role to generate credentials against. This is part of the request URL.
+- `remote_policies` (string, optional) - The names and types of a pre-existing policies to be applied to the generate access token. Example: "name:AliyunOSSReadOnlyAccess,type:System".
+- `inline_policies` (string, optional) - The policy document JSON to be generated and attached to the access token.
+- `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/docs/secrets/alicloud/index.html) regarding trusted actors.
+- `ttl` (int, optional) - The duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.
+- `max_ttl` (int, optional) - The maximum allowed lifetime of tokens issued using this role.
+
+| Method   | Path                        |
+| :------- | :-------------------------- |
+| `GET`    | `/alicloud/role`            |
+| `POST`   | `/alicloud/role/:role_name` |
+| `GET`    | `/alicloud/role/:role_name` |
+| `DELETE` | `/alicloud/role/:role_name` |
+
+### Sample Post Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/alicloud/role/my-application
+```
+
+### Sample Post Payload Using Policies
+
+```json
+{
+  "remote_policies": [
+    "name:AliyunOSSReadOnlyAccess,type:System",
+    "name:AliyunRDSReadOnlyAccess,type:System"
+  ],
+  "inline_policies": "[{\"Statement\": [{\"Action\": [\"ram:Get*\",\"ram:List*\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}],\"Version\": \"1\"}]"
+}
+```
+
+### Sample Get Role Response Using Policies
+
+```json
+{
+  "inline_policies": [
+    {
+      "hash": "49796debb24d39b7a61485f9b0c97e04",
+      "policy_document": {
+        "Statement": [
+          {
+            "Action": ["ram:Get*", "ram:List*"],
+            "Effect": "Allow",
+            "Resource": "*"
+          }
+        ],
+        "Version": "1"
+      }
+    }
+  ],
+  "max_ttl": 0,
+  "remote_policies": [
+    {
+      "name": "AliyunOSSReadOnlyAccess",
+      "type": "System"
+    },
+    {
+      "name": "AliyunRDSReadOnlyAccess",
+      "type": "System"
+    }
+  ],
+  "role_arn": "",
+  "ttl": 0
+}
+```
+
+### Sample Post Payload Using Assume-Role
+
+```json
+{
+  "role_arn": "acs:ram::5138828231865461:role/hastrustedactors"
+}
+```
+
+### Sample Get Role Response Using Assume-Role
+
+```json
+{
+  "inline_policies": null,
+  "max_ttl": 0,
+  "remote_policies": null,
+  "role_arn": "acs:ram::5138828231865461:role/hastrustedactors",
+  "ttl": 0
+}
+```
+
+### Sample List Roles Response
+
+Performing a `LIST` on the `/alicloud/roles` endpoint will list the names of all the roles Vault contains.
+
+```json
+["policy-based", "role-based"]
+```
+
+## Generate RAM Credentials
+
+This endpoint generates dynamic RAM credentials based on the named role. This
+role must be created before queried.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/alicloud/creds/:name` |
+
+### Parameters
+
+- `name` (string, required) – Specifies the name of the role to generate credentials against. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/alicloud/creds/example-role
+```
+
+### Sample Response for Roles Using Policies
+
+```json
+{
+  "access_key": "0wNEpMMlzy7szvai",
+  "secret_key": "PupkTg8jdmau1cXxYacgE736PJj4cA"
+}
+```
+
+### Sample Response for Roles Using Assume-Role
+
+```json
+{
+  "access_key": "STS.L4aBSCSJVMuKg5U1vFDw",
+  "expiration": "2018-08-15T22:04:07Z",
+  "secret_key": "wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pKCNZ9",
+  "security_token": "CAESrAIIARKAAShQquMnLIlbvEcIxO6wCoqJufs8sWwieUxu45hS9AvKNEte8KRUWiJWJ6Y+YHAPgNwi7yfRecMFydL2uPOgBI7LDio0RkbYLmJfIxHM2nGBPdml7kYEOXmJp2aDhbvvwVYIyt/8iES/R6N208wQh0Pk2bu+/9dvalp6wOHF4gkFGhhTVFMuTDRhQlNDU0pWTXVLZzVVMXZGRHciBTQzMjc0KgVhbGljZTCpnJjwySk6BlJzYU1ENUJuCgExGmkKBUFsbG93Eh8KDEFjdGlvbkVxdWFscxIGQWN0aW9uGgcKBW9zczoqEj8KDlJlc291cmNlRXF1YWxzEghSZXNvdXJjZRojCiFhY3M6b3NzOio6NDMyNzQ6c2FtcGxlYm94L2FsaWNlLyo="
+}
+```
diff --git a/website/pages/api-docs/secret/aws/index.mdx b/website/pages/api-docs/secret/aws/index.mdx
new file mode 100644
index 000000000000..127c5c9c9033
--- /dev/null
+++ b/website/pages/api-docs/secret/aws/index.mdx
@@ -0,0 +1,473 @@
+---
+layout: api
+page_title: AWS - Secrets Engines - HTTP API
+sidebar_title: AWS
+description: This is the API documentation for the Vault AWS secrets engine.
+---
+
+# AWS Secrets Engine (API)
+
+This is the API documentation for the Vault AWS secrets engine. For general
+information about the usage and operation of the AWS secrets engine, please see
+the [Vault AWS documentation](/docs/secrets/aws/index.html).
+
+This documentation assumes the AWS secrets engine is enabled at the `/aws` path
+in Vault. Since it is possible to enable secrets engines at any location, please
+update your API calls accordingly.
+
+## Configure Root IAM Credentials
+
+This endpoint configures the root IAM credentials to communicate with AWS. There
+are multiple ways to pass root IAM credentials to the Vault server, specified
+below with the highest precedence first. If credentials already exist, this will
+overwrite them.
+
+The official AWS SDK is used for sourcing credentials from env vars, shared
+files, or IAM/ECS instances.
+
+- Static credentials provided to the API as a payload
+
+- Credentials in the `AWS_ACCESS_KEY`, `AWS_SECRET_KEY`, and `AWS_REGION`
+  environment variables **on the server**
+
+- Shared credentials files
+
+- Assigned IAM role or ECS task role credentials
+
+At present, this endpoint does not confirm that the provided AWS credentials are
+valid AWS credentials with proper permissions.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/aws/config/root` |
+
+### Parameters
+
+- `max_retries` `(int: -1)` - Number of max retries the client should use for
+  recoverable errors. The default (`-1`) falls back to the AWS SDK's default
+  behavior.
+
+- `access_key` `(string: <required>)` – Specifies the AWS access key ID.
+
+- `secret_key` `(string: <required>)` – Specifies the AWS secret access key.
+
+- `region` `(string: <optional>)` – Specifies the AWS region. If not set it
+  will use the `AWS_REGION` env var, `AWS_DEFAULT_REGION` env var, or
+  `us-east-1` in that order.
+
+- `iam_endpoint` `(string: <optional>)` – Specifies a custom HTTP IAM endpoint to use.
+
+- `sts_endpoint` `(string: <optional>)` – Specifies a custom HTTP STS endpoint to use.
+
+### Sample Payload
+
+```json
+{
+  "access_key": "AKIA...",
+  "secret_key": "2J+...",
+  "region": "us-east-1"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/aws/config/root
+```
+
+## Read Root Configuration
+
+This endpoint allows you to read non-secure values that have been configured in the
+`config/root` endpoint. In particular, the `secret_key` parameter is never returned.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/aws/config/root` |
+
+### Sample Request
+
+```
+$ curl
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/aws/config/root
+
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "access_key": "AKIAEXAMPLE",
+    "region": "us-west-2",
+    "iam_endpoint": "https://iam.amazonaws.com",
+    "sts_endpoint": "https://sts.us-west-2.amazonaws.com",
+    "max_retries": -1
+  }
+}
+```
+
+## Rotate Root IAM Credentials
+
+When you have configured Vault with static credentials, you can use this
+endpoint to have Vault rotate the access key it used. Note that, due to AWS
+eventual consistency, after calling this endpoint, subsequent calls from Vault
+to AWS may fail for a few seconds until AWS becomes consistent again.
+
+In order to call this endpoint, Vault's AWS access key MUST be the only access
+key on the IAM user; otherwise, generation of a new access key will fail. Once
+this method is called, Vault will now be the only entity that knows the AWS
+secret key is used to access AWS.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/aws/config/rotate-root` |
+
+### Parameters
+
+There are no parameters to this operation.
+
+### Sample Request
+
+```shell
+$ curl \
+  --header "X-Vault-Token: ..." \
+  --request POST \
+  http://127.0.0.1:8211/v1/aws/config/rotate-root
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "access_key": "AKIA..."
+  }
+}
+```
+
+The new access key Vault uses is returned by this operation.
+
+## Configure Lease
+
+This endpoint configures lease settings for the AWS secrets engine. It is
+optional, as there are default values for `lease` and `lease_max`.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/aws/config/lease` |
+
+### Parameters
+
+- `lease` `(string: <required>)` – Specifies the lease value provided as a
+  string duration with time suffix. "h" (hour) is the largest suffix.
+
+- `lease_max` `(string: <required>)` – Specifies the maximum lease value
+  provided as a string duration with time suffix. "h" (hour) is the largest
+  suffix.
+
+### Sample Payload
+
+```json
+{
+  "lease": "30m",
+  "lease_max": "12h"
+}
+```
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/aws/config/lease
+```
+
+## Read Lease
+
+This endpoint returns the current lease settings for the AWS secrets engine.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/aws/config/lease` |
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/aws/config/lease
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "lease": "30m0s",
+    "lease_max": "12h0m0s"
+  }
+}
+```
+
+## Create/Update Role
+
+This endpoint creates or updates the role with the given `name`. If a role with
+the name does not exist, it will be created. If the role exists, it will be
+updated with the new attributes.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/aws/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create. This
+  is part of the request URL.
+
+- `credential_type` `(string: <required>)` – Specifies the type of credential to be used when
+  retrieving credentials from the role. Must be one of `iam_user`,
+  `assumed_role`, or `federation_token`.
+
+- `role_arns` `(list: [])` – Specifies the ARNs of the AWS roles this Vault role
+  is allowed to assume. Required when `credential_type` is `assumed_role` and
+  prohibited otherwise. This is a comma-separated string or JSON array.
+
+- `policy_arns` `(list: [])` – Specifies a list of AWS managed policy ARN. The
+  behavior depends on the credential type. With `iam_user`, the policies will
+  be attached to IAM users when they are requested. With `assumed_role` and
+  `federation_token`, the policy ARNs will act as a filter on what the
+  credentials can do, similar to `policy_document`.
+  When `credential_type` is `iam_user` or `federation_token`, at
+  least one of `policy_arns` or `policy_document` must be specified. This is a
+  comma-separated string or JSON array.
+
+- `policy_document` `(string)` – The IAM policy document for the role. The
+  behavior depends on the credential type. With `iam_user`, the policy document
+  will be attached to the IAM user generated and augment the permissions the IAM
+  user has. With `assumed_role` and `federation_token`, the policy document will
+  act as a filter on what the credentials can do, similar to `policy_arns`.
+
+- `default_sts_ttl` `(string)` - The default TTL for STS credentials. When a TTL is not
+  specified when STS credentials are requested, and a default TTL is specified
+  on the role, then this default TTL will be used. Valid only when
+  `credential_type` is one of `assumed_role` or `federation_token`.
+
+- `max_sts_ttl` `(string)` - The max allowed TTL for STS credentials (credentials
+  TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of
+  `assumed_role` or `federation_token`.
+
+- `user_path` `(string)` - The path for the user name. Valid only when
+  `credential_type` is `iam_user`. Default is `/`
+
+- `permissions_boundary_arn` `(string)` - The ARN of the [AWS Permissions
+  Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+  to attach to IAM users created in the role. Valid only when `credential_type`
+  is `iam_user`. If not specified, then no permissions boundary policy will be
+  attached.
+
+Legacy parameters:
+
+These parameters are supported for backwards compatibility only. They cannot be
+mixed with the parameters listed above.
+
+- `policy` `(string: <required unless arn provided>)` – Specifies the IAM policy
+  in JSON format.
+
+- `arn` `(string: <required unless policy provided>)` – Specifies the full ARN
+  reference to the desired existing policy.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/aws/roles/example-role
+```
+
+### Sample Payloads
+
+Using an inline IAM policy:
+
+```json
+{
+  "credential_type": "federation_token",
+  "policy_document": "{\"Version\": \"...\"}"
+}
+```
+
+Using an ARN:
+
+```json
+{
+  "credential_type": "assumed_role",
+  "role_arns": "arn:aws:iam::123456789012:role/DeveloperRole"
+}
+```
+
+## Read Role
+
+This endpoint queries an existing role by the given name. If the role does not
+exist, a 404 is returned.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/aws/roles/:name` |
+
+If invalid role data was supplied to the role from an earlier version of Vault,
+then it will show up in the response as `invalid_data`.
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/aws/roles/example-role
+```
+
+### Sample Responses
+
+For an inline IAM policy:
+
+```json
+{
+  "data": {
+    "policy_document": "{\"Version\": \"...\"}",
+    "policy_arns": [],
+    "credential_types": ["assumed_role"],
+    "role_arns": []
+  }
+}
+```
+
+For a role ARN:
+
+```json
+{
+  "data": {
+    "policy_document": "",
+    "policy_arns": [],
+    "credential_types": ["assumed_role"],
+    "role_arns": ["arn:aws:iam::123456789012:role/example-role"]
+  }
+}
+```
+
+## List Roles
+
+This endpoint lists all existing roles in the secrets engine.
+
+| Method | Path         |
+| :----- | :----------- |
+| `LIST` | `/aws/roles` |
+
+### Sample Request
+
+```shell
+$ curl
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/aws/roles
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["example-role"]
+  }
+}
+```
+
+## Delete Role
+
+This endpoint deletes an existing role by the given name. If the role does not
+exist, a 404 is returned.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/aws/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is part of the request URL.
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/aws/roles/example-role
+```
+
+## Generate Credentials
+
+This endpoint generates credentials based on the named role. This role must be
+created before queried.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/aws/creds/:name` |
+| `GET`  | `/aws/sts/:name`   |
+
+The `/aws/creds` and `/aws/sts` endpoints are almost identical. The exception is
+when retrieving credentials for a role that was specified with the legacy `arn`
+or `policy` parameter. In this case, credentials retrieved through `/aws/sts`
+must be of either the `assumed_role` or `federation_token` types, and
+credentials retrieved through `/aws/creds` must be of the `iam_user` type.
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to generate
+  credentials against. This is part of the request URL.
+- `role_arn` `(string)` – The ARN of the role to assume if `credential_type` on
+  the Vault role is `assumed_role`. Must match one of the allowed role ARNs in
+  the Vault role. Optional if the Vault role only allows a single AWS role ARN;
+  required otherwise.
+- `ttl` `(string: "3600s")` – Specifies the TTL for the use of the STS token.
+  This is specified as a string with a duration suffix. Valid only when
+  `credential_type` is `assumed_role` or `federation_token`. When not specified,
+  the `default_sts_ttl` set for the role will be used. If that is also not set, then
+  the default value of `3600s` will be used. AWS places limits
+  on the maximum TTL allowed. See the AWS documentation on the `DurationSeconds`
+  parameter for
+  [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
+  (for `assumed_role` credential types) and
+  [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)
+  (for `federation_token` credential types) for more details.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/aws/creds/example-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "access_key": "AKIA...",
+    "secret_key": "xlCs...",
+    "security_token": null
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/azure/index.mdx b/website/pages/api-docs/secret/azure/index.mdx
new file mode 100644
index 000000000000..a2bdfff912a5
--- /dev/null
+++ b/website/pages/api-docs/secret/azure/index.mdx
@@ -0,0 +1,230 @@
+---
+layout: api
+page_title: Azure - Secrets Engines - HTTP API
+sidebar_title: Azure
+description: This is the API documentation for the Vault Azure secrets engine.
+---
+
+# Azure Secrets Engine (API)
+
+This is the API documentation for the Vault Azure
+secrets engine. For general information about the usage and operation of
+the Azure secrets engine, please see the main [Azure secrets documentation][docs].
+
+This documentation assumes the Azure secrets engine is enabled at the `/azure` path
+in Vault. Since it is possible to mount secrets engines at any path, please
+update your API calls accordingly.
+
+## Configure Access
+
+Configures the credentials required for the plugin to perform API calls
+to Azure. These credentials will be used to query roles and create/delete
+service principals. Environment variables will override any parameters set in the config.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `POST` | `/azure/config` |
+
+- `subscription_id` (`string: <required>`) - The subscription id for the Azure Active Directory.
+  This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.
+- `tenant_id` (`string: <required>`) - The tenant id for the Azure Active Directory.
+  This value can also be provided with the AZURE_TENANT_ID environment variable.
+- `client_id` (`string:""`) - The OAuth2 client id to connect to Azure. This value can also be provided
+  with the AZURE_CLIENT_ID environment variable. See [authentication](#Authentication) for more details.
+- `client_secret` (`string:""`) - The OAuth2 client secret to connect to Azure. This value can also be
+  provided with the AZURE_CLIENT_ID environment variable. See [authentication](#Authentication) for more details.
+- `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT
+  environment variable. If not specified, Vault will use Azure Public Cloud.
+
+### Sample Payload
+
+```json
+{
+  "subscription_id": "94ca80...",
+  "tenant_id": "d0ac7e...",
+  "client_id": "e607c4...",
+  "client_secret": "9a6346...",
+  "environment": "AzureGermanCloud"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/azure/config
+```
+
+## Read Config
+
+Return the stored configuration, omitting `client_secret`.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `GET`  | `/azure/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/azure/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "subscription_id": "94ca80...",
+    "tenant_id": "d0ac7e...",
+    "client_id": "e607c4...",
+    "environment": "AzureGermanCloud"
+  },
+  ...
+}
+```
+
+## Delete Config
+
+Deletes the stored Azure configuration and credentials.
+
+| Method   | Path            |
+| :------- | :-------------- |
+| `DELETE` | `/azure/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/azure/config
+```
+
+## Create/Update Role
+
+Create or update a Vault role. Either `application_object_id` or
+`azure_roles` must be provided, and these resources must exist for this
+call to succeed. See the Azure secrets [roles docs][roles] for more
+information about roles.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/azure/roles/:name` |
+
+### Parameters
+
+- `azure_roles` (`string: ""`) - List of Azure roles to be assigned to the generated service
+  principal. The array must be in JSON format, properly escaped as a string. See [roles docs][roles]
+  for details on role definition.
+- `azure_groups` (`string: ""`) - List of Azure groups that the generated service principal will be
+  assigned to. The array must be in JSON format, properly escaped as a string. See [groups docs][groups]
+  for more details.
+- `application_object_id` (`string: ""`) - Application Object ID for an existing service principal that will
+  be used instead of creating dynamic service principals. If present, `azure_roles` will be ignored. See
+  [roles docs][roles] for details on role definition.
+- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
+  Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
+  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+
+### Sample Payload
+
+```json
+{
+  "azure_roles": "[
+    {
+      \"role_name\": \"Contributor\",
+      \"scope\":  \"/subscriptions/<uuid>/resourceGroup/Website\"
+    },
+    {
+      \"role_id\": \"/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>\",
+      \"scope\":  \"/subscriptions/<uuid>\"
+    }
+  ]",
+  "ttl": 3600,
+  "max_ttl": "24h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/azure/roles/my-role
+```
+
+## List Roles
+
+Lists all of the roles that are registered with the plugin.
+
+| Method | Path           |
+| :----- | :------------- |
+| `LIST` | `/azure/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/azure/roles
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["my-role-one", "my-role-two"]
+  }
+}
+```
+
+## Generate Credentials
+
+This endpoint generates a new service principal based on the named role.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/azure/creds/:name` |
+
+### Parameters
+
+- `name` (`string: <required>`) - Specifies the name of the role to create credentials against.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/azure/creds/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "client_id": "408bf248-dd4e-4be5-919a-7f6207a307ab",
+    "client_secret": "ad06228a-2db9-4e0a-8a5d-e047c7f32594",
+    ...
+  }
+}
+```
+
+## Revoking/Renewing Secrets
+
+See docs on how to [renew](/api/system/leases.html#renew-lease) and [revoke](/api/system/leases.html#revoke-lease) leases.
+
+[docs]: /docs/secrets/azure/index.html
+[roles]: /docs/secrets/azure/index.html#roles
+[groups]: /docs/secrets/azure/index.html#azure-groups
diff --git a/website/pages/api-docs/secret/cassandra/index.mdx b/website/pages/api-docs/secret/cassandra/index.mdx
new file mode 100644
index 000000000000..29d4facd16cf
--- /dev/null
+++ b/website/pages/api-docs/secret/cassandra/index.mdx
@@ -0,0 +1,248 @@
+---
+layout: api
+page_title: Cassandra - Secrets Engines - HTTP API
+sidebar_title: Cassandra <sup>DEPRECATED</sup>
+description: This is the API documentation for the Vault Cassandra secrets engine.
+---
+
+# Cassandra Secrets Engine (API)
+
+~> **Deprecation Note:** This backend is deprecated in favor of the
+combined databases backend added in v0.7.1. See the API documentation for
+the new implementation of this backend at
+[Cassandra database plugin HTTP API](/api/secret/databases/cassandra.html).
+
+This is the API documentation for the Vault Cassandra secrets engine. For
+general information about the usage and operation of the Cassandra backend,
+please see the
+[Vault Cassandra backend documentation](/docs/secrets/cassandra/index.html).
+
+This documentation assumes the Cassandra backend is mounted at the `/cassandra`
+path in Vault. Since it is possible to enable secrets engines at any location,
+please update your API calls accordingly.
+
+## Configure Connection
+
+This endpoint configures the connection information used to communicate with
+Cassandra.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/cassandra/config/connection` |
+
+### Parameters
+
+- `hosts` `(string: <required>)` – Specifies a set of comma-delineated Cassandra
+  hosts to connect to.
+
+- `username` `(string: <required>)` – Specifies the username to use for
+  superuser access.
+
+- `password` `(string: <required>)` – Specifies the password corresponding to
+  the given username.
+
+- `tls` `(bool: true)` – Specifies whether to use TLS when connecting to
+  Cassandra.
+
+- `insecure_tls` `(bool: false)` – Specifies whether to skip verification of the
+  server certificate when using TLS.
+
+- `pem_bundle` `(string: "")` – Specifies concatenated PEM blocks containing a
+  certificate and private key; a certificate, private key, and issuing CA
+  certificate; or just a CA certificate.
+
+- `pem_json` `(string: "")` – Specifies JSON containing a certificate and
+  private key; a certificate, private key, and issuing CA certificate; or just a
+  CA certificate. For convenience format is the same as the output of the
+  `issue` command from the `pki` backend; see
+  [the pki documentation](/docs/secrets/pki/index.html).
+
+- `protocol_version` `(int: 2)` – Specifies the CQL protocol version to use.
+
+- `connect_timeout` `(string: "5s")` – Specifies the connection timeout to use.
+
+- `consistency` `(string: "")` – Specifies the consistency option to use. See
+  the [gocql
+  definition](https://github.com/gocql/gocql/blob/master/frame.go#L188) for
+  valid options.
+
+TLS works as follows:
+
+- If `tls` is set to true, the connection will use TLS; this happens
+  automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
+
+- If `insecure_tls` is set to true, the connection will not perform verification
+  of the server certificate; this also sets `tls` to true
+
+- If only `issuing_ca` is set in `pem_json`, or the only certificate in
+  `pem_bundle` is a CA certificate, the given CA certificate will be used for
+  server certificate verification; otherwise the system CA certificates will be
+  used
+
+- If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`,
+  client auth will be turned on for the connection
+
+`pem_bundle` should be a PEM-concatenated bundle of a private key + client
+certificate, an issuing CA certificate, or both. `pem_json` should contain the
+same information; for convenience, the JSON format is the same as that output by
+the issue command from the PKI backend.
+
+### Sample Payload
+
+```json
+{
+  "hosts": "cassandra1.local",
+  "username": "user",
+  "password": "pass"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/cassandra/config/connection
+```
+
+## Create Role
+
+This endpoint creates or updates the role definition.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/cassandra/roles/:name` |
+
+### Parameters
+
+- `creation_cql` `(string: "")` – Specifies the CQL statements executed to
+  create and configure the new user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{username}}' and
+  '{{password}}' values will be substituted; it is required that these
+  parameters are in single quotes. The default creates a non-superuser user with
+  no authorization grants.
+
+- `rollback_cql` `(string: "")` – Specifies the CQL statements executed to
+  attempt a rollback if an error is encountered during user creation. The
+  default is to delete the user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{username}}' and
+  '{{password}}' values will be substituted; it is required that these
+  parameters are in single quotes.
+
+- `lease` `(string: "")` – Specifies the lease value provided as a string
+  duration with time suffix. "h" hour is the largest suffix.
+
+- `consistency` `(string: "Quorum")` – Specifies the consistency level value
+  provided as a string. Determines the consistency level used for operations
+  performed on the Cassandra database.
+
+### Sample Payload
+
+```json
+{
+  "creation_cql": "CREATE USER ..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/cassandra/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries the role definition.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/cassandra/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/cassandra/roles/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "creation_cql": "CREATE USER...",
+    "rollback_cql": "DROP USER...",
+    "lease": "12h",
+    "consistency": "Quorum"
+  }
+}
+```
+
+## Delete Role
+
+This endpoint deletes the role definition.
+
+| Method   | Path                     |
+| :------- | :----------------------- |
+| `DELETE` | `/cassandra/roles/:name` | `204 (no body)` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/cassandra/roles/my-role
+```
+
+## Generate Credentials
+
+This endpoint generates a new set of dynamic credentials based on the named
+role.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/cassandra/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create
+  credentials against. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/cassandra/creds/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "username": "vault-root-1430158508-126",
+    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/consul/index.mdx b/website/pages/api-docs/secret/consul/index.mdx
new file mode 100644
index 000000000000..f74548d96310
--- /dev/null
+++ b/website/pages/api-docs/secret/consul/index.mdx
@@ -0,0 +1,265 @@
+---
+layout: api
+page_title: Consul - Secrets Engines - HTTP API
+sidebar_title: Consul
+description: This is the API documentation for the Vault Consul secrets engine.
+---
+
+# Consul Secrets Engine (API)
+
+This is the API documentation for the Vault Consul secrets engine. For general
+information about the usage and operation of the Consul secrets engine, please
+see the [Vault Consul documentation](/docs/secrets/consul/index.html).
+
+This documentation assumes the Consul secrets engine is enabled at the `/consul`
+path in Vault. Since it is possible to enable secrets engines at any location,
+please update your API calls accordingly.
+
+## Configure Access
+
+This endpoint configures the access information for Consul. This access
+information is used so that Vault can communicate with Consul and generate
+Consul tokens.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/consul/config/access` |
+
+### Parameters
+
+- `address` `(string: <required>)` – Specifies the address of the Consul
+  instance, provided as `"host:port"` like `"127.0.0.1:8500"`.
+
+- `scheme` `(string: "http")` – Specifies the URL scheme to use.
+
+- `token` `(string: <required>)` – Specifies the Consul ACL token to use. This
+  must be a management type token.
+
+### Sample Payload
+
+```json
+{
+  "address": "127.0.0.1:8500",
+  "scheme": "https",
+  "token": "adha..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --header "X-Vault-Token: ..." \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/consul/config/access
+```
+
+## Create/Update Role
+
+This endpoint creates or updates the Consul role definition. If the role does
+not exist, it will be created. If the role already exists, it will receive
+updated attributes.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/consul/roles/:name` |
+
+### Parameters for Consul versions 1.4 and above
+
+- `name` `(string: <required>)` – Specifies the name of an existing role against
+  which to create this Consul credential. This is part of the request URL.
+
+- `token_type` `(string: "client")` - Specifies the type of token to create when
+  using this role. Valid values are `"client"` or `"management"`.
+
+- `policy` `(string: <policy or policies>)` – Specifies the base64 encoded ACL policy. The
+  ACL format can be found in the [Consul ACL
+  documentation](https://www.consul.io/docs/internals/acl.html). This is
+  required unless the `token_type` is `management`.
+
+- `policies` `(list: <policy or policies>)` – The list of policies to assign to the generated
+  token. This is only available in Consul 1.4 and greater.
+
+- `local` `(bool: false)` - Indicates that the token should not be replicated
+  globally and instead be local to the current datacenter. Only available in Consul
+  1.4 and greater.
+
+- `ttl` `(duration: "")` – Specifies the TTL for this role. This is provided
+  as a string duration with a time suffix like `"30s"` or `"1h"` or as seconds. If not
+  provided, the default Vault TTL is used.
+
+- `max_ttl` `(duration: "")` – Specifies the max TTL for this role. This is provided
+  as a string duration with a time suffix like `"30s"` or `"1h"` or as seconds. If not
+  provided, the default Vault Max TTL is used.
+
+### Sample Payload
+
+To create management tokens:
+
+```json
+{
+  "token_type": "management"
+}
+```
+
+To create a client token with a custom policy:
+
+```json
+{
+  "policy": "abd2...=="
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --header "X-Vault-Token: ..." \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/consul/roles/example-role
+```
+
+### Parameters for Consul version below 1.4
+
+- `lease` `(string: "")` – Specifies the lease for this role. This is provided
+  as a string duration with a time suffix like `"30s"` or `"1h"`. If not
+  provided, the default Vault lease is used.
+
+- `policies` `(string: <required>)` – Comma separated list of policies to be applied
+  to the tokens.
+
+### Sample payload
+
+```json
+{
+  "policies": "global-management"
+}
+```
+
+### Sample request
+
+```sh
+curl \
+→     --request POST \
+→     --header "X-Vault-Token: ..."\
+→     --data @payload.json \
+→     http://127.0.0.1:8200/v1/consul/roles/example-role
+```
+
+## Read Role
+
+This endpoint queries for information about a Consul role with the given name.
+If no role exists with that name, a 404 is returned.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `GET`  | `/consul/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to query. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/consul/roles/example-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "policy": "abd2...==",
+    "lease": "1h0m0s",
+    "token_type": "client"
+  }
+}
+```
+
+## List Roles
+
+This endpoint lists all existing roles in the secrets engine.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `LIST` | `/consul/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/consul/roles
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["example-role"]
+  }
+}
+```
+
+## Delete Role
+
+This endpoint deletes a Consul role with the given name. Even if the role does
+not exist, this endpoint will still return a successful response.
+
+| Method   | Path                  |
+| :------- | :-------------------- |
+| `DELETE` | `/consul/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --request DELETE \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/consul/roles/example-role
+```
+
+## Generate Credential
+
+This endpoint generates a dynamic Consul token based on the given role
+definition.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `GET`  | `/consul/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of an existing role against
+  which to create this Consul credential. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/consul/creds/example-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "token": "973a31ea-1ec4-c2de-0f63-623f477c2510"
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/cubbyhole/index.mdx b/website/pages/api-docs/secret/cubbyhole/index.mdx
new file mode 100644
index 000000000000..57a00e5585ea
--- /dev/null
+++ b/website/pages/api-docs/secret/cubbyhole/index.mdx
@@ -0,0 +1,154 @@
+---
+layout: api
+page_title: Cubbyhole - Secrets Engines - HTTP API
+sidebar_title: Cubbyhole
+description: This is the API documentation for the Vault Cubbyhole secrets engine.
+---
+
+# Cubbyhole Secrets Engine (API)
+
+This is the API documentation for the Vault Cubbyhole secrets engine. For
+general information about the usage and operation of the Cubbyhole secrets
+engine, please see the
+[Vault Cubbyhole documentation](/docs/secrets/cubbyhole/index.html).
+
+This documentation assumes the Cubbyhole secrets engine is enabled at the
+`/cubbyhole` path in Vault. Since it is possible to enable secrets engines at
+any location, please update your API calls accordingly.
+
+## Read Secret
+
+This endpoint retrieves the secret at the specified location.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/cubbyhole/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to read.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/cubbyhole/my-secret
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "foo": "bar"
+  },
+  "lease_duration": 0,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## List Secrets
+
+This endpoint returns a list of secret entries at the specified location.
+Folders are suffixed with `/`. The input must be a folder; list on a file will
+not return a value. The values themselves are not accessible via this command.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `LIST` | `/cubbyhole/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secrets to list.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/cubbyhole/my-secret
+```
+
+### Sample Response
+
+The example below shows output for a query path of `cubbyhole/` when there are
+secrets at `cubbyhole/foo` and `cubbyhole/foo/bar`; note the difference in the
+two entries.
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["foo", "foo/"]
+  },
+  "lease_duration": 2764800,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Create/Update Secret
+
+This endpoint stores a secret at the specified location.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/cubbyhole/:path` |
+| `PUT`  | `/cubbyhole/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secrets to
+  create/update. This is specified as part of the URL.
+
+- `:key` `(string: "")` – Specifies a key, paired with an associated value, to
+  be held at the given location. Multiple key/value pairs can be specified, and
+  all will be returned on a read operation. A key called `ttl` will trigger some
+  special behavior; see above for details.
+
+### Sample Payload
+
+```json
+{
+  "foo": "bar",
+  "zip": "zap"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/cubbyhole/my-secret
+```
+
+## Delete Secret
+
+This endpoint deletes the secret at the specified location.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/cubbyhole/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to delete.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/cubbyhole/my-secret
+```
diff --git a/website/pages/api-docs/secret/databases/cassandra.mdx b/website/pages/api-docs/secret/databases/cassandra.mdx
new file mode 100644
index 000000000000..e0cad8dc88f1
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/cassandra.mdx
@@ -0,0 +1,150 @@
+---
+layout: api
+page_title: Cassandra - Database - Secrets Engines - HTTP API
+sidebar_title: Cassandra
+description: >-
+  The Cassandra plugin for Vault's database secrets engine generates database
+  credentials to access Cassandra servers.
+---
+
+# Cassandra Database Plugin HTTP API
+
+The Cassandra database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
+configured roles for the Cassandra database.
+
+## Configure Connection
+
+In addition to the parameters defined by the [Database
+Secrets Engine](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `hosts` `(string: <required>)` – Specifies a set of comma-delineated Cassandra
+  hosts to connect to.
+
+- `port` `(int: 9042)` – Specifies the default port to use if none is provided
+  as part of the host URI. Defaults to Cassandra's default transport port, 9042.
+
+- `username` `(string: <required>)` – Specifies the username to use for
+  superuser access.
+
+- `password` `(string: <required>)` – Specifies the password corresponding to
+  the given username.
+
+- `tls` `(bool: true)` – Specifies whether to use TLS when connecting to
+  Cassandra.
+
+- `insecure_tls` `(bool: false)` – Specifies whether to skip verification of the
+  server certificate when using TLS.
+
+- `pem_bundle` `(string: "")` – Specifies concatenated PEM blocks containing a
+  certificate and private key; a certificate, private key, and issuing CA
+  certificate; or just a CA certificate.
+
+- `pem_json` `(string: "")` – Specifies JSON containing a certificate and
+  private key; a certificate, private key, and issuing CA certificate; or just a
+  CA certificate. For convenience format is the same as the output of the
+  `issue` command from the `pki` secrets engine; see
+  [the pki documentation](/docs/secrets/pki/index.html).
+
+- `skip_verification` `(bool: false)` - Skip permissions checks when a connection to Cassandra
+  is first created. These checks ensure that Vault is able to create roles, but can be resource
+  intensive in clusters with many roles.
+
+- `protocol_version` `(int: 2)` – Specifies the CQL protocol version to use.
+
+- `connect_timeout` `(string: "5s")` – Specifies the connection timeout to use.
+
+- `local_datacenter` `(string: "")` – If set, enables host selection policy
+  which will prioritize and use hosts which are in the local datacenter before
+  hosts in all other datacenters (for example "dc-01").
+
+- `socket_keep_alive` `(string: "0s")` – the keep-alive period for an active
+  network connection. If zero, keep-alives are not enabled.
+
+- `consistency` `(string: "")` – Specifies the consistency option to use. See
+  the [gocql
+  definition](https://github.com/gocql/gocql/blob/master/frame.go#L188) for
+  valid options.
+
+TLS works as follows:
+
+- If `tls` is set to true, the connection will use TLS; this happens
+  automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
+
+- If `insecure_tls` is set to true, the connection will not perform verification
+  of the server certificate; this also sets `tls` to true
+
+- If only `issuing_ca` is set in `pem_json`, or the only certificate in
+  `pem_bundle` is a CA certificate, the given CA certificate will be used for
+  server certificate verification; otherwise the system CA certificates will be
+  used
+
+- If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`,
+  client auth will be turned on for the connection
+
+`pem_bundle` should be a PEM-concatenated bundle of a private key + client
+certificate, an issuing CA certificate, or both. `pem_json` should contain the
+same information; for convenience, the JSON format is the same as that output by
+the issue command from the PKI secrets engine.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "cassandra-database-plugin",
+  "allowed_roles": "readonly",
+  "hosts": "cassandra1.local",
+  "username": "user",
+  "password": "pass"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/cassandra/config/connection
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(list: [])` – Specifies the database
+  statements executed to create and configure a user. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{username}}' and '{{password}}' values will be substituted. If not
+  provided, defaults to a generic create user statements that creates a
+  non-superuser.
+
+- `revocation_statements` `(list: [])` – Specifies the database statements to
+  be executed to revoke a user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{username}}' value will be
+  substituted. If not provided defaults to a generic drop user statement.
+
+- `rollback_statements` `(list: [])` – Specifies the database statements to be
+  executed to rollback a create operation in the event of an error. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{username}}' value will be substituted. If not provided, defaults to
+  a generic drop user statement
diff --git a/website/pages/api-docs/secret/databases/elasticdb.mdx b/website/pages/api-docs/secret/databases/elasticdb.mdx
new file mode 100644
index 000000000000..61beac1e95e8
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/elasticdb.mdx
@@ -0,0 +1,104 @@
+---
+layout: api
+page_title: Elasticsearch - Database - Secrets Engines - HTTP API
+sidebar_title: Elasticsearch
+description: >-
+  The Elasticsearch plugin for Vault's database secrets engine generates
+  database credentials to access Elasticsearch.
+---
+
+# Elasticsearch Database Plugin HTTP API
+
+The Elasticsearch database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates credentials dynamically based on
+configured roles for Elasticsearch.
+
+## Configure Connection
+
+In addition to the parameters defined by the [Database
+Backend](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `url` `(string: <required>)` - The URL for Elasticsearch's API ("http://localhost:9200").
+- `username` `(string: <required>)` - The username to be used in the connection URL ("vault").
+- `password` `(string: <required>)` - The password to be used in the connection URL ("pa55w0rd").
+- `ca_cert` `(string: "")` - The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity.
+- `ca_path` `(string: "")` - The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity.
+- `client_cert` `(string: "")` - The path to the certificate for the Elasticsearch client to present for communication.
+- `client_key` `(string: "")` - The path to the key for the Elasticsearch client to use for communication.
+- `tls_server_name` `(string: "")` - This, if set, is used to set the SNI host when connecting via 1TLS.
+- `insecure` `(bool: false)` - Not recommended. Default to false. Can be set to true to disable SSL verification.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "elasticsearch-database-plugin",
+  "allowed_roles": "internally-defined-role,externally-defined-role",
+  "url": "http://localhost:9200",
+  "username": "vault",
+  "password": "myPa55word",
+  "ca_cert": "/usr/share/ca-certificates/extra/elastic-stack-ca.crt.pem",
+  "client_cert": "$ES_HOME/config/certs/elastic-certificates.crt.pem",
+  "client_key": "$ES_HOME/config/certs/elastic-certificates.key.pem"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/my-elasticsearch-database
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(string: <required>)` – Using JSON, either defines an
+  `elasticsearch_role_definition` or a group of pre-existing `elasticsearch_roles`.
+  The object specified by the `elasticsearch_role_definition` is the JSON directly
+  passed through to the Elasticsearch API, so you can pass through anything shown
+  [here](https://www.elastic.co/guide/en/elasticsearch/reference/6.6/security-api-put-role.html).
+  For `elasticsearch_roles`, add the names of the roles only. They must pre-exist
+  in Elasticsearch. Defining roles in Vault is more secure than using pre-existing
+  roles because a privilege escalation could be performed by editing the roles used
+  out-of-band in Elasticsearch.
+
+### Sample Creation Statements
+
+```json
+{
+  "elasticsearch_role_definition": {
+    "indices": [
+      {
+        "names": ["*"],
+        "privileges": ["read"]
+      }
+    ]
+  }
+}
+```
+
+```json
+{
+  "elasticsearch_roles": ["pre-existing-role-in-elasticsearch"]
+}
+```
diff --git a/website/pages/api-docs/secret/databases/hanadb.mdx b/website/pages/api-docs/secret/databases/hanadb.mdx
new file mode 100644
index 000000000000..979f0866ae18
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/hanadb.mdx
@@ -0,0 +1,99 @@
+---
+layout: api
+page_title: HANA - Database - Secrets Engines - HTTP API
+sidebar_title: HanaDB
+description: >-
+  The HANA plugin for Vault's database secrets engine generates database
+  credentials to access HANA servers.
+---
+
+# HANA Database Plugin HTTP API
+
+The HANA database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
+configured roles for the HANA database.
+
+## Configure Connection
+
+In addition to the parameters defined by the [database
+secrets engine](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     | Produces |
+| :----- | :----------------------- | -------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `connection_url` `(string: <required>)` - Specifies the HANA DSN. This field
+  can be templated and supports passing the username and password
+  parameters in the following format {{field_name}}. A templated connection URL is
+  required when using root credential rotation.
+
+- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
+  connections to the database.
+
+- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
+  connections to the database. A zero uses the value of `max_open_connections`
+  and a negative value disables idle connections. If larger than
+  `max_open_connections` it will be reduced to be equal.
+
+- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
+  time a connection may be reused. If <= 0s connections are reused forever.
+
+- `username` `(string: "")` - The root credential username used in the connection URL.
+
+- `password` `(string: "")` - The root credential password used in the connection URL.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "hana-database-plugin",
+  "allowed_roles": "readonly",
+  "connection_url": "hdb://{{username}}:{{password}}@localhost:1433",
+  "max_open_connections": 5,
+  "max_connection_lifetime": "5s",
+  "username": "username",
+  "password": "password
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/hana
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(llist: <required>)` – Specifies the database
+  statements executed to create and configure a user. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{name}}', '{{password}}', and '{{expiration}}' values will be
+  substituted.
+
+  - The expiration time will be HANA server time plus the role's `default_ttl`.
+    If `default_ttl` is 0 or not set, a SQL HdbError 438 will be returned.
+
+- `revocation_statements` `(list: [])` – Specifies the database statements to
+  be executed to revoke a user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{name}}' value will be
+  substituted. If not provided, defaults to dropping the user only if they have
+  no dependent objects.
diff --git a/website/pages/api-docs/secret/databases/index.mdx b/website/pages/api-docs/secret/databases/index.mdx
new file mode 100644
index 000000000000..154403fbb21d
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/index.mdx
@@ -0,0 +1,598 @@
+---
+layout: api
+page_title: Database - Secrets Engines - HTTP API
+sidebar_title: Databases
+description: Top page for database secrets engine information
+---
+
+# Database Secrets Engine (API)
+
+This is the API documentation for the Vault Database secrets engine. For
+general information about the usage and operation of the database secrets engine,
+please see the
+[Vault database secrets engine documentation](/docs/secrets/databases/index.html).
+
+This documentation assumes the database secrets engine is enabled at the
+`/database` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
+
+## Configure Connection
+
+This endpoint configures the connection string used to communicate with the
+desired database. In addition to the parameters listed here, each Database
+plugin has additional, database plugin specific, parameters for this endpoint.
+Please read the HTTP API for the plugin you'd wish to configure to see the full
+list of additional parameters.
+
+~> This endpoint distinguishes between `create` and `update` ACL capabilities.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name for this database
+  connection. This is specified as part of the URL.
+
+- `plugin_name` `(string: <required>)` - Specifies the name of the plugin to use
+  for this connection.
+
+- `verify_connection` `(bool: true)` – Specifies if the connection is verified
+  during initial configuration. Defaults to true.
+
+- `allowed_roles` `(list: [])` - List of the roles allowed to use this connection.
+  Defaults to empty (no roles), if contains a "\*" any role can use this connection.
+
+- `root_rotation_statements` `(list: [])` - Specifies the database statements to be
+  executed to rotate the root user's credentials. See the plugin's API page for more
+  information on support and formatting for this parameter.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "mysql-database-plugin",
+  "allowed_roles": "readonly",
+  "connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
+  "username": "root",
+  "password": "mysql"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/mysql
+```
+
+## Read Connection
+
+This endpoint returns the configuration settings for a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/database/config/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the connection to read.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/database/config/mysql
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "allowed_roles": ["readonly"],
+    "connection_details": {
+      "connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
+      "username": "root"
+    },
+    "plugin_name": "mysql-database-plugin"
+  }
+}
+```
+
+## List Connections
+
+This endpoint returns a list of available connections. Only the connection names
+are returned, not any values.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `LIST` | `/database/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/database/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["db-one", "db-two"]
+  }
+}
+```
+
+## Delete Connection
+
+This endpoint deletes a connection.
+
+| Method   | Path                     |
+| :------- | :----------------------- |
+| `DELETE` | `/database/config/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the connection to delete.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/database/config/mysql
+```
+
+## Reset Connection
+
+This endpoint closes a connection and it's underlying plugin and restarts it
+with the configuration stored in the barrier.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/database/reset/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the connection to reset.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/database/reset/mysql
+```
+
+## Rotate Root Credentials
+
+This endpoint is used to rotate the root superuser credentials stored for
+the database connection. This user must have permissions to update its own
+password.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/database/rotate-root/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the connection to rotate.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/database/rotate-root/mysql
+```
+
+## Create Role
+
+This endpoint creates or updates a role definition.
+
+~> This endpoint distinguishes between `create` and `update` ACL capabilities.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/database/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create. This
+  is specified as part of the URL.
+
+- `db_name` `(string: <required>)` - The name of the database connection to use
+  for this role.
+
+- `default_ttl` `(string/int: 0)` - Specifies the TTL for the leases
+  associated with this role. Accepts time suffixed strings ("1h") or an integer
+  number of seconds. Defaults to system/engine default TTL time.
+
+- `max_ttl` `(string/int: 0)` - Specifies the maximum TTL for the leases
+  associated with this role. Accepts time suffixed strings ("1h") or an integer
+  number of seconds. Defaults to system/mount default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](https://www.vaultproject.io/docs/concepts/tokens.html#the-general-case).
+
+- `creation_statements` `(list: <required>)` – Specifies the database
+  statements executed to create and configure a user. See the plugin's API page
+  for more information on support and formatting for this parameter.
+
+- `revocation_statements` `(list: [])` – Specifies the database statements to
+  be executed to revoke a user. See the plugin's API page for more information
+  on support and formatting for this parameter.
+
+- `rollback_statements` `(list: [])` – Specifies the database statements to be
+  executed rollback a create operation in the event of an error. Not every
+  plugin type will support this functionality. See the plugin's API page for
+  more information on support and formatting for this parameter.
+
+- `renew_statements` `(list: [])` – Specifies the database statements to be
+  executed to renew a user. Not every plugin type will support this
+  functionality. See the plugin's API page for more information on support and
+  formatting for this parameter.
+
+### Sample Payload
+
+```json
+{
+  "db_name": "mysql",
+  "creation_statements": [
+    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'",
+    "GRANT SELECT ON *.* TO '{{name}}'@'%'"
+  ],
+  "default_ttl": "1h",
+  "max_ttl": "24h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries the role definition.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/database/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/database/roles/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "creation_statements": [
+      "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
+      "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
+    ],
+    "db_name": "mysql",
+    "default_ttl": 3600,
+    "max_ttl": 86400,
+    "renew_statements": [],
+    "revocation_statements": [],
+    "rollback_statements": []
+  }
+}
+```
+
+## List Roles
+
+This endpoint returns a list of available roles. Only the role names are
+returned, not any values.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `LIST` | `/database/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/database/roles
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["dev", "prod"]
+  },
+  "lease_duration": 2764800,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Delete Role
+
+This endpoint deletes the role definition.
+
+| Method   | Path                    |
+| :------- | :---------------------- |
+| `DELETE` | `/database/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/database/roles/my-role
+```
+
+## Generate Credentials
+
+This endpoint generates a new set of dynamic credentials based on the named
+role.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/database/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create
+  credentials against. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/database/creds/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "username": "root-1430158508-126",
+    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
+  }
+}
+```
+
+## Create Static Role
+
+This endpoint creates or updates a static role definition. Static Roles are a
+1-to-1 mapping of a Vault Role to a user in a database which are automatically
+rotated based on the configured `rotation_period`. Not all databases support
+Static Roles, please see the database-specific documentation.
+
+~> This endpoint distinguishes between `create` and `update` ACL capabilities.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/database/static-roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create. This
+  is specified as part of the URL.
+
+- `username` `(string: <required>)` – Specifies the database username that this
+  Vault role corresponds to.
+
+- `rotation_period` `(string/int: <required>)` – Specifies the amount of time
+  Vault should wait before rotating the password. The minimum is 5 seconds.
+
+- `db_name` `(string: <required>)` - The name of the database connection to use
+  for this role.
+
+- `rotation_statements` `(list: [])` – Specifies the database statements to be
+  executed to rotate the password for the configured database user. Not every
+  plugin type will support this functionality. See the plugin's API page for
+  more information on support and formatting for this parameter.
+
+### Sample Payload
+
+```json
+{
+    "db_name": "mysql",
+    "username": "static-database-user",
+    "rotation_statements": ["ALTER USER "{{name}}" WITH PASSWORD '{{password}}';"],
+    "rotation_period": "1h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/static-roles/my-static-role
+```
+
+## Read Static Role
+
+This endpoint queries the static role definition.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/database/static-roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the static role to read.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/database/static-roles/my-static-role
+```
+
+### Sample Response
+
+```json
+{
+    "data": {
+		"db_name": "mysql",
+    "username":"static-user",
+    "rotation_statements": ["ALTER USER "{{name}}" WITH PASSWORD '{{password}}';"],
+    "rotation_period":"1h",
+	},
+}
+```
+
+## List Static Roles
+
+This endpoint returns a list of available static roles. Only the role names are
+returned, not any values.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `LIST` | `/database/static-roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/database/static-roles
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["dev-static", "prod-static"]
+  }
+}
+```
+
+## Delete Static Role
+
+This endpoint deletes the static role definition and revokes the database user.
+
+| Method   | Path                           |
+| :------- | :----------------------------- |
+| `DELETE` | `/database/static-roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the static role to
+  delete. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/database/static-roles/my-role
+```
+
+## Get Static Credentials
+
+This endpoint returns the current credentials based on the named static role.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/database/static-creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the static role to get
+  credentials for. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/database/static-creds/my-static-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "username": "static-user",
+    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
+    "last_vault_rotation": "2019-05-06T15:26:42.525302-05:00",
+    "rotation_period": 30,
+    "ttl": 28,
+  }
+}
+```
+
+## Rotate Static Role Credentials
+
+This endpoint is used to rotate the Static Role credentials stored for a given
+role name. While Static Roles are rotated automatically by Vault at configured
+rotation periods, users can use this endpoint to manually trigger a rotation to
+change the stored password and reset the TTL of the Static Role's password.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/database/rotate-role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the Static Role to
+  trigger the password rotation for. The name is specified as part of the URL.
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/database/rotate-role/my-static-role
+```
diff --git a/website/pages/api-docs/secret/databases/influxdb.mdx b/website/pages/api-docs/secret/databases/influxdb.mdx
new file mode 100644
index 000000000000..27c730c8ab4c
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/influxdb.mdx
@@ -0,0 +1,132 @@
+---
+layout: api
+page_title: Influxdb - Database - Secrets Engines - HTTP API
+sidebar_title: Influxdb
+description: >-
+  The Influxdb plugin for Vault's database secrets engine generates database
+  credentials to access Influxdb servers.
+---
+
+# Influxdb Database Plugin HTTP API
+
+The Influxdb database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
+configured roles for the Influxdb database.
+
+## Configure Connection
+
+In addition to the parameters defined by the [Database
+Secrets Engine](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `host` `(string: <required>)` – Specifies a Influxdb
+  host to connect to.
+
+- `port` `(int: 8086)` – Specifies the default port to use if none is provided
+  as part of the host URI. Defaults to Influxdb's default transport port, 8086.
+
+- `username` `(string: <required>)` – Specifies the username to use for
+  superuser access.
+
+- `password` `(string: <required>)` – Specifies the password corresponding to
+  the given username.
+
+- `tls` `(bool: true)` – Specifies whether to use TLS when connecting to
+  Influxdb.
+
+- `insecure_tls` `(bool: false)` – Specifies whether to skip verification of the
+  server certificate when using TLS.
+
+- `pem_bundle` `(string: "")` – Specifies concatenated PEM blocks containing a
+  certificate and private key; a certificate, private key, and issuing CA
+  certificate; or just a CA certificate.
+
+- `pem_json` `(string: "")` – Specifies JSON containing a certificate and
+  private key; a certificate, private key, and issuing CA certificate; or just a
+  CA certificate. For convenience format is the same as the output of the
+  `issue` command from the `pki` secrets engine; see
+  [the pki documentation](/docs/secrets/pki/index.html).
+
+- `connect_timeout` `(string: "5s")` – Specifies the connection timeout to use.
+
+TLS works as follows:
+
+- If `tls` is set to true, the connection will use TLS; this happens
+  automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
+
+- If `insecure_tls` is set to true, the connection will not perform verification
+  of the server certificate; this also sets `tls` to true
+
+- If only `issuing_ca` is set in `pem_json`, or the only certificate in
+  `pem_bundle` is a CA certificate, the given CA certificate will be used for
+  server certificate verification; otherwise the system CA certificates will be
+  used
+
+- If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`,
+  client auth will be turned on for the connection
+
+`pem_bundle` should be a PEM-concatenated bundle of a private key + client
+certificate, an issuing CA certificate, or both. `pem_json` should contain the
+same information; for convenience, the JSON format is the same as that output by
+the issue command from the PKI secrets engine.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "influxdb-database-plugin",
+  "allowed_roles": "readonly",
+  "host": "influxdb1.local",
+  "username": "user",
+  "password": "pass"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/influxdb/config/connection
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(list: [])` – Specifies the database
+  statements executed to create and configure a user. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{username}}' and '{{password}}' values will be substituted. If not
+  provided, defaults to a generic create user statements that creates a
+  non-superuser.
+
+- `revocation_statements` `(list: [])` – Specifies the database statements to
+  be executed to revoke a user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{username}}' value will be
+  substituted. If not provided defaults to a generic drop user statement.
+
+- `rollback_statements` `(list: [])` – Specifies the database statements to be
+  executed to rollback a create operation in the event of an error. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{username}}' value will be substituted. If not provided, defaults to
+  a generic drop user statement
diff --git a/website/pages/api-docs/secret/databases/mongodb.mdx b/website/pages/api-docs/secret/databases/mongodb.mdx
new file mode 100644
index 000000000000..6ee9245bf12d
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/mongodb.mdx
@@ -0,0 +1,105 @@
+---
+layout: api
+page_title: MongoDB - Database - Secrets Engines - HTTP API
+sidebar_title: MongoDB
+description: >-
+  The MongoDB plugin for Vault's database secrets engine generates database
+  credentials to access MongoDB servers.
+---
+
+# MongoDB Database Plugin HTTP API
+
+The MongoDB database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
+configured roles for the MongoDB database.
+
+## Configure Connection
+
+In addition to the parameters defined by the [Database
+Backend](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `connection_url` `(string: <required>)` – Specifies the MongoDB standard
+  connection string (URI). This field can be templated and supports passing the
+  username and password parameters in the following format {{field_name}}. A
+  templated connection URL is required when using root credential rotation.
+- `write_concern` `(string: "")` - Specifies the MongoDB [write
+  concern][mongodb-write-concern]. This is set for the entirety of the session,
+  maintained for the lifecycle of the plugin process. Must be a serialized JSON
+  object, or a base64-encoded serialized JSON object. The JSON payload values
+  map to the values in the [Safe][mgo-safe] struct from the mgo driver.
+- `username` `(string: "")` - The root credential username used in the connection URL.
+- `password` `(string: "")` - The root credential password used in the connection URL.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "mongodb-database-plugin",
+  "allowed_roles": "readonly",
+  "connection_url": "mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true",
+  "write_concern": "{ \"wmode\": \"majority\", \"wtimeout\": 5000 }",
+  "username": "admin",
+  "password": "Password!"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/mongodb
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(string: <required>)` – Specifies the database
+  statements executed to create and configure a user. Must be a
+  serialized JSON object, or a base64-encoded serialized JSON object.
+  The object can optionally contain a "db" string for session connection,
+  and must contain a "roles" array. This array contains objects that holds
+  a "role", and an optional "db" value, and is similar to the BSON document that
+  is accepted by MongoDB's `roles` field. Vault will transform this array into
+  such format. For more information regarding the `roles` field, refer to
+  [MongoDB's documentation](https://docs.mongodb.com/manual/reference/method/db.createUser/).
+
+- `revocation_statements` `(string: "")` – Specifies the database statements to
+  be executed to revoke a user. Must be a serialized JSON object, or a base64-encoded
+  serialized JSON object. The object can optionally contain a "db" string. If no
+  "db" value is provided, it defaults to the "admin" database.
+
+### Sample Creation Statement
+
+```json
+{
+  "db": "admin",
+  "roles": [
+    {
+      "role": "read",
+      "db": "foo"
+    }
+  ]
+}
+```
+
+[mongodb-write-concern]: https://docs.mongodb.com/manual/reference/write-concern/
+[mgo-safe]: https://godoc.org/gopkg.in/mgo.v2#Safe
diff --git a/website/pages/api-docs/secret/databases/mssql.mdx b/website/pages/api-docs/secret/databases/mssql.mdx
new file mode 100644
index 000000000000..ebd01d6bbb93
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/mssql.mdx
@@ -0,0 +1,94 @@
+---
+layout: api
+page_title: MSSQL - Database - Secrets Engines - HTTP API
+sidebar_title: MSSQL
+description: >-
+  The MSSQL plugin for Vault's database secrets engine generates database
+  credentials to access MSSQL servers.
+---
+
+# MSSQL Database Plugin HTTP API
+
+The MSSQL database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
+configured roles for the MSSQL database.
+
+## Configure Connection
+
+In addition to the parameters defined by the [Database
+Backend](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `connection_url` `(string: <required>)` - Specifies the MSSQL DSN. This field
+  can be templated and supports passing the username and password
+  parameters in the following format {{field_name}}. A templated connection URL is
+  required when using root credential rotation.
+
+- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
+  connections to the database.
+
+- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
+  connections to the database. A zero uses the value of `max_open_connections`
+  and a negative value disables idle connections. If larger than
+  `max_open_connections` it will be reduced to be equal.
+
+- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
+  time a connection may be reused. If <= 0s connections are reused forever.
+
+- `username` `(string: "")` - The root credential username used in the connection URL.
+
+- `password` `(string: "")` - The root credential password used in the connection URL.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "mssql-database-plugin",
+  "allowed_roles": "readonly",
+  "connection_url": "sqlserver://{{username}}:{{password}}@localhost:1433",
+  "max_open_connections": 5,
+  "max_connection_lifetime": "5s",
+  "username": "sa",
+  "password": "yourStrong(!)Password"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/mssql
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(list: <required>)` – Specifies the database
+  statements executed to create and configure a user. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{name}}' and '{{password}}' values will be substituted.
+
+- `revocation_statements` `(list: [])` – Specifies the database statements to
+  be executed to revoke a user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{name}}' value will be
+  substituted. If not provided defaults to a generic drop user statement.
diff --git a/website/pages/api-docs/secret/databases/mysql-maria.mdx b/website/pages/api-docs/secret/databases/mysql-maria.mdx
new file mode 100644
index 000000000000..eae47c6f8613
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/mysql-maria.mdx
@@ -0,0 +1,95 @@
+---
+layout: api
+page_title: MySQL/MariaDB - Database - Secrets Engines - HTTP API
+sidebar_title: MySQL/MariaDB
+description: >-
+  The MySQL/MariaDB plugin for Vault's database secrets engine generates
+  database credentials to access MySQL and MariaDB servers.
+---
+
+# MySQL/MariaDB Database Plugin HTTP API
+
+The MySQL database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
+configured roles for the MySQL database.
+
+## Configure Connection
+
+In addition to the parameters defined by the [Database
+Backend](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `connection_url` `(string: <required>)` - Specifies the MySQL DSN. This field
+  can be templated and supports passing the username and password
+  parameters in the following format {{field_name}}. A templated connection URL is
+  required when using root credential rotation.
+
+- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
+  connections to the database.
+
+- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
+  connections to the database. A zero uses the value of `max_open_connections`
+  and a negative value disables idle connections. If larger than
+  `max_open_connections` it will be reduced to be equal.
+
+- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
+  time a connection may be reused. If <= 0s connections are reused forever.
+
+- `username` `(string: "")` - The root credential username used in the connection URL.
+
+- `password` `(string: "")` - The root credential password used in the connection URL.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "mysql-database-plugin",
+  "allowed_roles": "readonly",
+  "connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
+  "max_open_connections": 5,
+  "max_connection_lifetime": "5s",
+  "username": "root",
+  "password": "mysql"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/mysql
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(list: <required>)` – Specifies the database
+  statements executed to create and configure a user. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{name}}' and '{{password}}' values will be substituted. The
+  generated password will be a random alphanumeric 20 character string.
+
+- `revocation_statements` `(list: [])` – Specifies the database statements to
+  be executed to revoke a user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{name}}' value will be
+  substituted. If not provided defaults to a generic drop user statement.
diff --git a/website/pages/api-docs/secret/databases/oracle.mdx b/website/pages/api-docs/secret/databases/oracle.mdx
new file mode 100644
index 000000000000..c4c439c91010
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/oracle.mdx
@@ -0,0 +1,91 @@
+---
+layout: api
+page_title: Oracle - Database - Secrets Engines - HTTP API
+sidebar_title: Oracle
+description: >-
+  The Oracle plugin for Vault's database secrets engine generates database
+  credentials to access Oracle servers.
+---
+
+# Oracle Database Plugin HTTP API
+
+The Oracle database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
+configured roles for the Oracle database.
+
+## Configure Connection
+
+In addition to the parameters defined by the [Database
+Backend](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `connection_url` `(string: <required>)` - Specifies the Oracle DSN.
+
+- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
+  connections to the database.
+
+- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
+  connections to the database. A zero uses the value of `max_open_connections`
+  and a negative value disables idle connections. If larger than
+  `max_open_connections` it will be reduced to be equal.
+
+- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
+  time a connection may be reused. If <= 0s connections are reused forever.
+
+- `username` `(string: "")` - The root credential username used in the connection URL.
+
+- `password` `(string: "")` - The root credential password used in the connection URL.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "oracle-database-plugin",
+  "allowed_roles": "readonly",
+  "connection_url": "{{username}}/{{password}}@localhost:1521/OraDoc.localhost",
+  "max_open_connections": 5,
+  "max_connection_lifetime": "5s",
+  "username": "system",
+  "password": "Oracle"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/oracle
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(string: <required>)` – Specifies the database
+  statements executed to create and configure a user. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{name}}' and '{{password}}' values will be substituted.
+
+- `revocation_statements` `(string: "")` – Specifies the database statements to
+  be executed to revoke a user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{name}}' value will be
+  substituted. If not provided defaults to a generic drop user statement.
diff --git a/website/pages/api-docs/secret/databases/postgresql.mdx b/website/pages/api-docs/secret/databases/postgresql.mdx
new file mode 100644
index 000000000000..cae50df10148
--- /dev/null
+++ b/website/pages/api-docs/secret/databases/postgresql.mdx
@@ -0,0 +1,117 @@
+---
+layout: api
+page_title: PostgreSQL - Database - Secrets Engines - HTTP API
+sidebar_title: PostgreSQL
+description: >-
+  The PostgreSQL plugin for Vault's database secrets engine generates database
+  credentials to access PostgreSQL servers.
+---
+
+# PostgreSQL Database Plugin HTTP API
+
+The PostgreSQL database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
+configured roles for the PostgreSQL database.
+
+## Configure Connection
+
+In addition to the parameters defined by the [Database
+Backend](/api/secret/databases/index.html#configure-connection), this plugin
+has a number of parameters to further configure a connection.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/database/config/:name` |
+
+### Parameters
+
+- `connection_url` `(string: <required>)` - Specifies the PostgreSQL DSN. This field
+  can be templated and supports passing the username and password
+  parameters in the following format {{field_name}}. A templated connection URL is
+  required when using root credential rotation.
+
+- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
+  connections to the database.
+
+- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
+  connections to the database. A zero uses the value of `max_open_connections`
+  and a negative value disables idle connections. If larger than
+  `max_open_connections` it will be reduced to be equal.
+
+- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
+  time a connection may be reused. If <= 0s connections are reused forever.
+
+- `username` `(string: "")` - The root credential username used in the connection URL.
+
+- `password` `(string: "")` - The root credential password used in the connection URL.
+
+### Sample Payload
+
+```json
+{
+  "plugin_name": "postgresql-database-plugin",
+  "allowed_roles": "readonly",
+  "connection_url": "postgresql://{{username}}:{{password}}@localhost:5432/postgres",
+  "max_open_connections": 5,
+  "max_connection_lifetime": "5s",
+  "username": "username",
+  "password": "password"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/postgresql
+```
+
+## Statements
+
+Statements are configured during role creation and are used by the plugin to
+determine what is sent to the database on user creation, renewing, and
+revocation. For more information on configuring roles see the [Role
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
+
+### Parameters
+
+The following are the statements used by this plugin. If not mentioned in this
+list the plugin does not support that statement type.
+
+- `creation_statements` `(list: <required>)` – Specifies the database
+  statements executed to create and configure a user. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{name}}', '{{password}}' and '{{expiration}}' values will be
+  substituted. The generated password will be a random alphanumeric 20 character
+  string.
+
+- `revocation_statements` `(list: [])` – Specifies the database statements to
+  be executed to revoke a user. Must be a semicolon-separated string, a
+  base64-encoded semicolon-separated string, a serialized JSON string array, or
+  a base64-encoded serialized JSON string array. The '{{name}}' value will be
+  substituted. If not provided defaults to a generic drop user statement.
+
+- `rollback_statements` `(list: [])` – Specifies the database statements to be
+  executed rollback a create operation in the event of an error. Not every
+  plugin type will support this functionality. Must be a semicolon-separated
+  string, a base64-encoded semicolon-separated string, a serialized JSON string
+  array, or a base64-encoded serialized JSON string array. The '{{name}}' value
+  will be substituted.
+
+- `renew_statements` `(list: [])` – Specifies the database statements to be
+  executed to renew a user. Not every plugin type will support this
+  functionality. Must be a semicolon-separated string, a base64-encoded
+  semicolon-separated string, a serialized JSON string array, or a
+  base64-encoded serialized JSON string array. The '{{name}}' and
+  '{{expiration}}' values will be substituted.
+
+- `rotation_statements` `(list: [])` – Specifies the database statements to be
+  executed to rotate the password for a given username. Must be a
+  semicolon-separated string, a base64-encoded semicolon-separated string, a
+  serialized JSON string array, or a base64-encoded serialized JSON string
+  array. The '{{name}}' and '{{password}}' values will be substituted. The
+  generated password will be a random alphanumeric 20 character string.
diff --git a/website/pages/api-docs/secret/gcp/index.mdx b/website/pages/api-docs/secret/gcp/index.mdx
new file mode 100644
index 000000000000..f3c0c2bc8e3c
--- /dev/null
+++ b/website/pages/api-docs/secret/gcp/index.mdx
@@ -0,0 +1,384 @@
+---
+layout: api
+page_title: Google Cloud - Secrets Engines - HTTP API
+sidebar_title: Google Cloud
+description: This is the API documentation for the Vault Google Cloud secrets engine.
+---
+
+# Google Cloud Secrets Engine (API)
+
+This is the API documentation for the Vault Google Cloud Platform (GCP)
+secrets engine. For general information about the usage and operation of
+the GCP secrets engine, please see [these docs](/docs/secrets/gcp/index.html).
+
+This documentation assumes the GCP secrets engine is enabled at the `/gcp` path
+in Vault. Since it is possible to mount secrets engines at any path, please
+update your API calls accordingly.
+
+## Write Config
+
+| Method | Path          |
+| :----- | :------------ |
+| `POST` | `/gcp/config` |
+
+This endpoint configures shared information for the secrets engine.
+
+### Parameters
+
+- `credentials` (`string:""`) - JSON credentials (either file contents or '@path/to/file')
+  See docs for [alternative ways](/docs/secrets/gcp/index.html#passing-credentials-to-vault)
+  to pass in to this parameter, as well as the
+  [required permissions](/docs/secrets/gcp/index.html#required-permissions).
+
+- `ttl` (`int: 0 || string:"0s"`) – Specifies default config TTL for long-lived credentials
+  (i.e. service account keys). Accepts integer number of seconds or Go duration format string.
+
+- `max_ttl` (`int: 0 || string:"0s"`)– Specifies the maximum config TTL for long-lived credentials
+  (i.e. service account keys). Accepts integer number of seconds or Go duration format string.\*\*
+
+### Sample Payload
+
+```json
+{
+  "credentials": "<JSON string>",
+  "ttl": 3600,
+  "max_ttl": 14400
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcp/config
+```
+
+## Read Config
+
+| Method | Path          |
+| :----- | :------------ |
+| `GET`  | `/gcp/config` |
+
+Credentials will be omitted from returned data.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/gcp/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ttl": "1h",
+    "max_ttl": "4h"
+  }
+}
+```
+
+## Create/Update Roleset
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/gcp/roleset/:name` |
+
+This method allows you to create a roleset or update an existing roleset. See [roleset docs](/docs/secrets/gcp/index.html#rolesets) for the GCP secrets backend
+to learn more about what happens when you create or update a roleset.
+
+**If you update a roleset's bindings, this will effectively revoke any secrets
+generated under this roleset.**
+
+### Parameters
+
+- `name` (`string: <required>`): Required. Name of the role. Cannot be updated.
+- `secret_type` (`string: "access_token"`): Type of secret generated for this role set. Accepted values: `access_token`, `service_account_key`. Cannot be updated.
+- `project` (`string: <required>`): Name of the GCP project that this roleset's service account will belong to. Cannot be updated.
+- `bindings` (`string: <required>`): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string)
+- `token_scopes` (`array: []`): List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only)
+
+### Sample Payload
+
+```json
+{
+  "secret_type": "access_token",
+  "project": "mygcpproject",
+  "bindings": "...",
+  "token_scopes": [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/bigquery"
+  ]
+}
+```
+
+#### Sample Bindings:
+
+See [bindings format docs](/docs/secrets/gcp/index.html#roleset-bindings) for more information.
+
+```hcl
+resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
+  roles = [
+    "roles/viewer"
+  ],
+}
+
+resource "https://selflink/to/my/resource" {
+  roles = [
+    "project/mygcpproject/roles/projcustomrole",
+    "organizations/myorg/roles/orgcustomrole"
+  ],
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
+```
+
+## Rotate Roleset Account
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `POST` | `/gcp/roleset/:name/rotate` | `204 (empty body)`` |
+
+This will rotate the service account this roleset uses to generate secrets.
+(this also replaces the key `access_token` roleset). This can be used to invalidate
+old secrets generated by the roleset or fix issues if a roleset's service account
+(and/or keys) was changed outside of Vault (i.e. through GCP APIs/cloud console).
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/consul/gcp/roleset/my-token-roleset/rotate
+```
+
+## Rotate Roleset Account Key (`access_token` Roleset Only)
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `POST` | `/gcp/roleset/:name/rotate-key` | `204 (empty body)`` |
+
+This will rotate the service account key this roleset uses to generate
+access tokens. This does not recreate the roleset service account.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/consul/gcp/roleset/my-token-roleset/rotate-key
+```
+
+## Read Roleset
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/gcp/roleset/:name` |
+
+### Parameters
+
+- `name` (`string:<required>`): Name of the roleset to delete.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/consul/gcp/roleset/my-token-roleset
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "secret_type": "access_token",
+    "service_account_email": "vault-myroleset-XXXXXXXXXX@myproject.gserviceaccounts.com",
+    "service_account_project": "service-account-project",
+    "bindings": {
+      "project/mygcpproject": ["roles/viewer"],
+      "https://selflink/to/my/resource": [
+        "project/mygcpproject/roles/projcustomrole",
+        "organizations/myorg/roles/orgcustomrole"
+      ]
+    },
+    "token_scopes": ["https://www.googleapis.com/auth/cloud-platform"]
+  }
+}
+```
+
+## List Rolesets
+
+| Method | Path            |
+| :----- | :-------------- |
+| `LIST` | `/gcp/rolesets` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/gcp/rolesets
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["my-token-roleset", "my-sakey-roleset"]
+  }
+}
+```
+
+## Delete Roleset
+
+This endpoint deletes an existing roleset by the given name.
+
+| Method   | Path                 |
+| :------- | :------------------- |
+| `DELETE` | `/gcp/roleset/:name` |
+
+### Parameters
+
+- `name` (`string:<required>`): Name of the roleset to delete.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
+```
+
+## Generate Secret (IAM Service Account Creds): OAuth2 Access Token
+
+| Method         | Path                  |
+| :------------- | :-------------------- |
+| `GET` / `POST` | `/gcp/token/:roleset` |
+
+Generates an OAuth2 token with the scopes defined on the roleset. This OAuth access token can
+be used in GCP API calls, e.g. `curl -H "Authorization: Bearer $TOKEN" ...`
+
+Tokens are non-revocable and non-renewable and have a static TTL of an hour. The TTL configured
+for the backend (either through the default system TTLs or through the `config/` endpoint)
+do not apply.
+
+### Parameters
+
+- `roleset` (`string:<required>`): Name of an roleset with secret type `access_token` to generate access_token under.
+
+### Sample Request
+
+```sh
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/gcp/token/my-token-roleset
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "<uuid>",
+  "data": {
+    "token": "ya29.c.Elp5Be3ga87...",
+    "expires_at_seconds": 1537400046,
+    "token_ttl": 3599
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Generate Secret (IAM Service Account Creds): Service Account Key
+
+| Method         | Path                |
+| :------------- | :------------------ |
+| `GET` / `POST` | `/gcp/key/:roleset` |
+
+If using `GET` ('read'), the optional parameters will be set to their defaults. Use `POST` if you
+want to specify different values for these params.
+
+These keys are renewable and have TTL/max TTL as defined by either the backend config
+or the system default if config was not defined.
+
+### Parameters
+
+- `roleset` (`string:<required>`): Name of an roleset with secret type `service_account_key` to generate key under.
+- `key_algorithm` (`string:"KEY_ALG_RSA_2048"`): Key algorithm used to generate key. Defaults to 2k RSA key
+  You probably should not choose other values (i.e. 1k), but accepted values are
+  `enum(`[`ServiceAccountKeyAlgorithm`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)`)`
+- `key_type` (`string:"TYPE_GOOGLE_CREDENTIALS_FILE`): Private key type to generate. Defaults to JSON credentials file.
+  Accepted values are `enum(`[`ServiceAccountPrivateKeyType`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType)`)`
+
+### Sample Payload
+
+```json
+{
+  "key_algorithm": "TYPE_GOOGLE_CREDENTIALS_FILE",
+  "key_type": "KEY_ALG_RSA_2048"
+}
+```
+
+### Sample Request
+
+```sh
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/gcp/key/my-key-roleset
+```
+
+```sh
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcp/key/my-key-roleset
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "<uuid>",
+  "lease_id": "gcp/key/my-key-roleset/<uuid>",
+  "renewable": true,
+  "lease_duration": 3600,
+  "data": {
+    "private_key_data": "<base64-encoded private key data>",
+    "key_algorithm": "TYPE_GOOGLE_CREDENTIALS_FILE",
+    "key_type": "KEY_ALG_RSA_2048"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Revoking/Renewing Secrets
+
+See docs on how to [renew](/api/system/leases.html#renew-lease) and [revoke](/api/system/leases.html#revoke-lease) leases.
+Note this only applies to service account keys.
diff --git a/website/pages/api-docs/secret/gcpkms/index.mdx b/website/pages/api-docs/secret/gcpkms/index.mdx
new file mode 100644
index 000000000000..da5eab6d11de
--- /dev/null
+++ b/website/pages/api-docs/secret/gcpkms/index.mdx
@@ -0,0 +1,858 @@
+---
+layout: api
+page_title: Google Cloud KMS - Secrets Engines - HTTP API
+sidebar_title: Google Cloud KMS
+description: This is the API documentation for the Vault Google Cloud KMS secrets engine.
+---
+
+# Google Cloud KMS Secrets Engine (API)
+
+This is the API documentation for the Vault Google Cloud KMS secrets engine. For
+general information about the usage and operation of the Google Cloud KMS
+secrets engine, please see the
+[Google Cloud KMS documentation](/docs/secrets/gcpkms/index.html).
+
+This documentation assumes the Google Cloud KMS secrets engine is enabled at the
+`/gcpkms` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
+
+## Configure Credentials
+
+This endpoint configures the Google Cloud KMS secrets engine with credentials
+and manages the requested scope(s) for authentication.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `POST` | `gcpkms/config` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/config" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `credentials` (`string: ""`) -
+  The credentials to use for authenticating to Google Cloud. Leave this blank to
+  use the Default Application Credentials or instance metadata authentication.
+
+- `scopes` (`array<string>: []`) -
+  The list of full-URL scopes to request when authenticating. By default, this
+  requests https://www.googleapis.com/auth/cloudkms.
+
+### Sample Payload
+
+```json
+{
+  "credentials": "< JSON credentials... >"
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/config
+```
+
+## Read Configuration
+
+This endpoint returns the configuration endpoint for the Google Cloud KMS
+secrets engine. The credentials are not returned.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `GET`  | `gcpkms/config` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/config" {
+  capabilities = ["read"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/gcpkms/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "scopes": ["https://www.googleapis.com/auth/cloudkms"]
+  }
+}
+```
+
+## Delete Configuration
+
+This endpoint deletes any configuration for the Google Cloud KMS secrets engine.
+If there is no configuration, the endpoint still returns successfully.
+
+| Method   | Path            |
+| :------- | :-------------- |
+| `DELETE` | `gcpkms/config` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/config" {
+  capabilities = ["delete"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/gcpkms/config
+```
+
+## Decrypt Ciphertext
+
+This endpoint uses the named encryption key to decrypt the ciphertext string. For symmetric key types, the provided ciphertext must come from a previous invocation of the `/encrypt` endpoint. For asymmetric key types, the provided ciphertext must be from the encrypt operation against the corresponding key version's public key.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `gcpkms/decrypt/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/decrypt/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `key` (`string: ""`) -
+  Name of the key in Vault to use for decryption. This key must already exist in
+  Vault and must map back to a Google Cloud KMS key.
+  This is specified as part of the URL.
+
+- `additional_authenticated_data` (`string: ""`) -
+  Optional data that was specified during encryption of this payload.
+
+- `ciphertext` (`string: ""`) -
+  Ciphertext to decrypt as previously returned from an encrypt operation. This
+  must be base64-encoded ciphertext as previously returned from an encrypt
+  operation.
+
+- `key_version` (`int: 0`) -
+  Integer version of the crypto key version to use for decryption. This is
+  required for asymmetric keys. For symmetric keys, Cloud KMS will choose the
+  correct version automatically.
+
+### Sample Payload
+
+```json
+{
+  "ciphertext": "CiQAuMv0..."
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/decrypt/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "plaintext": "hello world"
+  }
+}
+```
+
+## Encrypt Plaintext
+
+This endpoint uses the named encryption key to encrypt arbitrary plaintext
+string data. The response will be base64-encoded encrypted ciphertext.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `gcpkms/encrypt/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/encrypt/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `key` (`string: ""`) -
+  Name of the key in Vault to use for encryption. This key must already exist in
+  Vault and must map back to a Google Cloud KMS key.
+  This is specified as part of the URL.
+
+- `additional_authenticated_data` (`string: ""`) -
+  Optional base64-encoded data that, if specified, must also be provided to
+  decrypt this payload.
+
+- `key_version` (`int: 0`) -
+  Integer version of the crypto key version to use for encryption. If unspecified,
+  this defaults to the latest active crypto key version.
+
+- `plaintext` (`string: ""`) -
+  Plaintext value to be encrypted. This can be a string or binary, but the size
+  is limited. See the Google Cloud KMS documentation for information on size
+  limitations by key types.
+
+### Sample Payload
+
+```json
+{
+  "plaintext": "hello world"
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/encrypt/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ciphertext": "CiQAuMv0...",
+    "key_version": "1"
+  }
+}
+```
+
+## Re-Encrypt Existing Ciphertext
+
+This endpoint uses the named encryption key to re-encrypt the underlying
+cryptokey to the latest version for this ciphertext without disclosing the
+original plaintext value to the requestor. This is similar to "rewrapping" in
+Vault's transit secrets engine.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `gcpkms/reencrypt/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/reencrypt/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `key` (`string: ""`) -
+  Name of the key to use for encryption. This key must already exist in Vault and
+  Google Cloud KMS.
+  This is specified as part of the URL.
+
+- `additional_authenticated_data` (`string: ""`) -
+  Optional data that, if specified, must also be provided during decryption.
+
+- `ciphertext` (`string: ""`) -
+  Ciphertext to be re-encrypted to the latest key version. This must be ciphertext
+  that Vault previously generated for this named key.
+
+- `key_version` (`int: 0`) -
+  Integer version of the crypto key version to use for re-encryption. If unspecified,
+  this defaults to the latest active crypto key version.
+
+### Sample Payload
+
+```json
+{
+  "ciphertext": "CiQAuMv0..."
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/reencrypt/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ciphertext": "0lX848IG...",
+    "key_version": "3"
+  }
+}
+```
+
+## Sign Digest
+
+This endpoint uses the named encryption key to sign digest string data. The
+response will include the base64-encoded signature.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `gcpkms/sign/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/sign/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `key` (`string: ""`) -
+  Name of the key in Vault to use for signing. This key must already exist in
+  Vault and must map back to a Google Cloud KMS key.
+  This is specified as part of the URL.
+
+- `key_version` (`int: <required>`) -
+  Integer version of the crypto key version to use for signing.
+
+- `digest` (`string: <required>`) -
+  Digest to sign. This digest is the base64 encoded binary value, and must match
+  the signing algorithm digest of the Cloud KMS key, for example:
+
+      ```text
+      $ openssl dgst -sha256 -binary /my/file | base64
+      ```
+
+### Sample Payload
+
+```json
+{
+  "key_version": "1",
+  "digest": "LoM6lxd8YS+hUynZwrlCG20ViUUqqbNNNmh7HCtOkSc="
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/sign/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "signature": "MGYCMQCOfWMc21jBevoRRo4zGjYsCXer8s..."
+  }
+}
+```
+
+## Verify Digest
+
+This endpoint uses the named encryption key to verify a signature and digest
+string data.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `gcpkms/verify/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/verify/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `key` (`string: ""`) -
+  Name of the key in Vault to use for verifying. This key must already exist in
+  Vault and must map back to a Google Cloud KMS key.
+  This is specified as part of the URL.
+
+- `key_version` (`int: <required>`) -
+  Integer version of the crypto key version to use for verifying.
+
+- `digest` (`string: <required>`) -
+  Digest that was signed. This digest is the base64 encoded binary value, and must match
+  the signing algorithm digest of the Cloud KMS key. For example:
+
+      ```text
+      $ openssl dgst -sha256 -binary /my/file | base64
+      ```
+
+- `signature` (`string: <required>`) -
+  Signature of the digest as returned from a signing operation.
+
+### Sample Payload
+
+```json
+{
+  "key_version": "1",
+  "digest": "LoM6lxd8YS+hUynZwrlCG20ViUUqqbNNNmh7HCtOkSc=",
+  "signature": "MGQCMEN2rgg6sj2vUEC3IcKDD+UprtMnxDoB3..."
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/verify/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "valid": true
+  }
+}
+```
+
+## List Keys
+
+This endpoint lists the named keys available for use in Vault. It does not list
+all Google Cloud KMS keys.
+
+| Method | Path          |
+| :----- | :------------ |
+| `LIST` | `gcpkms/keys` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys" {
+  capabilities = ["list"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/gcpkms/keys
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["my-key"]
+  }
+}
+```
+
+## Create/Update Google Cloud KMS key
+
+This endpoint is used to create or update a Google Cloud KMS key. In addition to
+registering the key in Vault, this endpoint will also create the corresponding
+Google Cloud KMS key with the given configuration options.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `gcpkms/keys/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `key` (`string: ""`) -
+  Name of the key in Vault.
+  This is specified as part of the URL.
+
+- `crypto_key` (`string: ""`) -
+  Name of the crypto key to use. If the given crypto key does not exist, Vault
+  will try to create it. This defaults to the name of the key given to Vault as
+  the parameter if unspecified.
+
+- `key_ring` (`string: ""`) -
+  Full Google Cloud resource ID of the key ring with the project and location
+  (e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given
+  key ring does not exist, Vault will try to create it during a create operation.
+
+- `label` (`map<string>string: nil`) -
+  Arbitrary key=value label to apply to the crypto key. To specify multiple
+  labels, specify this argument multiple times (e.g. label="a=b" label="c=d").
+
+- `rotation_period` (`string: ""`) -
+  Amount of time between crypto key version rotations. This is specified as a
+  time duration value like 72h (72 hours). The smallest possible value is 24h.
+
+### Sample Payload
+
+```json
+{
+  "key_ring": "projects/my-project/locations/my-location/keyRings/my-keyring",
+  "labels": {
+    "foo": "bar"
+  },
+  "rotation_period": "72h"
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/keys/my-key
+```
+
+## Delete Google Cloud KMS Key
+
+This endpoint deletes a key from both Vault and Google Cloud KMS. This will
+disable all crypto key versions for this crypto key in Google Cloud KMS and
+delete Vault's reference to the crypto key.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `gcpkms/keys/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/my-key" {
+  capabilities = ["delete"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/gcpkms/keys/my-key
+```
+
+## Read Google Cloud KMS Key
+
+This endpoint reads data about a Google Cloud KMS crypto key, including the key
+status and current primary key version.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `gcpkms/keys/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/my-key" {
+  capabilities = ["read"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/gcpkms/keys/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "id": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
+    "labels": {
+      "foo": "bar"
+    },
+    "next_rotation_time_seconds": 1536613424,
+    "primary_version": "3",
+    "purpose": "encrypt_decrypt",
+    "rotation_schedule_seconds": 259200,
+    "state": "enabled"
+  }
+}
+```
+
+## Read Vault Key Configuration
+
+This endpoint reads data about a Vault's configuration of the key.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `gcpkms/keys/config/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/config/my-key" {
+  capabilities = ["read"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/gcpkms/keys/config/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "name": "my-key",
+    "crypto_key": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
+    "min_version": 10
+  }
+}
+```
+
+## Update Vault Key Configuration
+
+This endpoint is used to update Vault's information about an existing key.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `gcpkms/keys/config/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `key` (`string: ""`) -
+  Name of the key in Vault.
+  This is specified as part of the URL.
+
+- `min_version` (`int: 0`) -
+  Minimum allowed crypto key version. If set to a positive value, key versions
+  less than the given value are not permitted to be used. If set to 0 or a
+  negative value, there is no minimum key version.
+
+- `max_version` (`int: 0`) -
+  Maximum allowed crypto key version. If set to a positive value, key versions
+  greater than the given value are not permitted to be used. If set to 0 or a
+  negative value, there is no maximum key version.
+
+### Sample Payload
+
+```json
+{
+  "min_version": 10
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/keys/config/my-key
+```
+
+## Deregister Crypto Key
+
+This endpoint deregisters an existing reference Vault has to a crypto key in
+Google Cloud KMS. The underlying Google Cloud KMS key remains unchanged.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `gcpkms/keys/deregister/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/deregister/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/gcpkms/keys/deregister/my-key
+```
+
+## Register Crypto Key
+
+This endpoint registers an existing crypto key in Google Cloud KMS and makes it
+available for encryption and decryption in Vault.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `POST` | `gcpkms/keys/register/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/register/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Parameters
+
+- `key` (`string: ""`) -
+  Name of the key to register in Vault. This will be the named used to refer to
+  the underlying crypto key when encrypting or decrypting data.
+  This is specified as part of the URL.
+
+- `crypto_key` (`string: ""`) -
+  Full resource ID of the crypto key including the project, location, key ring,
+  and crypto key like "projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s". This
+  crypto key must already exist in Google Cloud KMS unless verify is set to
+  "false".
+
+- `verify` (`bool: true`) -
+  Verify that the given Google Cloud KMS crypto key exists and is accessible
+  before creating the storage entry in Vault. Set this to "false" if the key will
+  not exist at creation time.
+
+### Sample Payload
+
+```json
+{
+  "crypto_key": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
+  "verify": true
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/gcpkms/keys/register/my-key
+```
+
+## Rotate Crypto Key
+
+This endpoint rotates a crypto key by creating a new crypto key version for the
+corresponding Google Cloud KMS key and updates the new crypto key to be the
+primary key for future encryptions.
+
+**It can take up to 2 hours for a new crypto key version to become the primary,
+so be sure to issue a read operation if you require new data to be encrypted
+with this key.**
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `gcpkms/keys/rotate/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/rotate/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/gcpkms/keys/rotate/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "key_version": "3"
+  }
+}
+```
+
+## Trim KMS Key Versions
+
+This endpoint deletes old crypto key versions that are older than the key's specified `min_version`.
+
+**Data encrypted with older key versions will be irrecoverable!**
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `gcpkms/keys/trim/:key` |
+
+### Example Policy
+
+```hcl
+path "gcpkms/keys/trim/my-key" {
+  capabilities = ["create", "update"]
+}
+```
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/gcpkms/keys/trim/my-key
+```
diff --git a/website/pages/api-docs/secret/identity/entity-alias.mdx b/website/pages/api-docs/secret/identity/entity-alias.mdx
new file mode 100644
index 000000000000..d6ca93300d45
--- /dev/null
+++ b/website/pages/api-docs/secret/identity/entity-alias.mdx
@@ -0,0 +1,211 @@
+---
+layout: api
+page_title: 'Identity Secret Backend: Entity Alias - HTTP API'
+sidebar_title: Entity Alias
+description: >-
+  This is the API documentation for managing entity aliases in the identity
+  store.
+---
+
+## Create an Entity Alias
+
+This endpoint creates a new alias for an entity.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/identity/entity-alias` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the alias. Name should be the identifier
+  of the client in the authentication source. For example, if the alias belongs
+  to userpass backend, the name should be a valid username within userpass
+  backend. If alias belongs to GitHub, it should be the GitHub username.
+
+- `id` `(string: <optional>)` - ID of the entity alias. If set, updates the
+  corresponding entity alias.
+
+- `canonical_id` `(string: <required>)` - Entity ID to which this alias belongs to.
+
+- `mount_accessor` `(string: <required>)` - Accessor of the mount to which the
+  alias should belong to.
+
+### Sample Payload
+
+```json
+{
+  "name": "testuser",
+  "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
+  "mount_accessor": "auth_userpass_e50b1a44"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/entity-alias
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
+    "id": "34982d3d-e3ce-5d8b-6e5f-b9bb34246c31"
+  }
+}
+```
+
+## Read Entity Alias by ID
+
+This endpoint queries the entity alias by its identifier.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `GET`  | `/identity/entity-alias/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Identifier of entity alias.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "creation_time": "2017-07-25T21:41:09.820717636Z",
+    "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
+    "id": "34982d3d-e3ce-5d8b-6e5f-b9bb34246c31",
+    "last_update_time": "2017-07-25T21:41:09.820717636Z",
+    "metadata": {
+      "group": "san_francisco",
+      "region": "west"
+    },
+    "mount_accessor": "auth_userpass_e50b1a44",
+    "mount_path": "userpass/",
+    "mount_type": "userpass",
+    "name": "testuser"
+  }
+}
+```
+
+## Update Entity Alias by ID
+
+This endpoint is used to update an existing entity alias.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `POST` | `/identity/entity-alias/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Identifier of the entity alias.
+
+- `name` `(string: <required>)` - Name of the alias. Name should be the identifier
+  of the client in the authentication source. For example, if the alias belongs
+  to userpass backend, the name should be a valid username within userpass
+  backend. If alias belongs to GitHub, it should be the GitHub username.
+
+- `canonical_id` `(string: <required>)` - Entity ID to which this alias belongs to.
+
+- `mount_accessor` `(string: <required>)` - Accessor of the mount to which the
+  alias should belong to.
+
+### Sample Payload
+
+```json
+{
+  "name": "testuser",
+  "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
+  "mount_accessor": "auth_userpass_e50b1a44"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
+    "id": "34982d3d-e3ce-5d8b-6e5f-b9bb34246c31"
+  }
+}
+```
+
+### Delete Entity Alias by ID
+
+This endpoint deletes an alias from its corresponding entity.
+
+| Method   | Path                            |
+| :------- | :------------------------------ |
+| `DELETE` | `/identity/entity-alias/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Identifier of the entity alias.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
+```
+
+### List Entity Aliases by ID
+
+This endpoint returns a list of available entity aliases by their identifiers.
+
+| Method | Path                                  |
+| :----- | :------------------------------------ |
+| `LIST` | `/identity/entity-alias/id`           |
+| `GET`  | `/identity/entity-alias/id?list=true` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/identity/entity-alias/id
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": [
+      "2e8217fa-8cb6-8aec-9e22-3196d74ca2ba",
+      "91ebe973-ec86-84db-3c7c-f760415326de",
+      "92308b08-4139-3ec6-7af2-8e98166b4e0c",
+      "a3b042e6-5cc1-d5a9-8874-d53a51954de2",
+      "d5844921-017f-e496-2a9a-23d4a2f3e8a3"
+    ]
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/identity/entity.mdx b/website/pages/api-docs/secret/identity/entity.mdx
new file mode 100644
index 000000000000..ff7a68034dde
--- /dev/null
+++ b/website/pages/api-docs/secret/identity/entity.mdx
@@ -0,0 +1,401 @@
+---
+layout: api
+page_title: 'Identity Secret Backend: Entity - HTTP API'
+sidebar_title: Entity
+description: This is the API documentation for managing entities in the identity store.
+---
+
+## Create an Entity
+
+This endpoint creates or updates an Entity.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/identity/entity` |
+
+### Parameters
+
+- `name` `(string: entity-<UUID>)` – Name of the entity.
+
+- `id` `(string: <optional>)` - ID of the entity. If set, updates the
+  corresponding existing entity.
+
+- `metadata` `(key-value-map: {})` – Metadata to be associated with the
+  entity.
+
+- `policies` `(list of strings: [])` – Policies to be tied to the entity.
+
+- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
+  entities' associated tokens cannot be used, but are not revoked.
+
+### Sample Payload
+
+```json
+{
+  "metadata": {
+    "organization": "hashicorp",
+    "team": "vault"
+  },
+  "policies": ["eng-dev", "infra-dev"]
+}
+```
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/entity
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297",
+    "aliases": null
+  }
+}
+```
+
+## Read Entity by ID
+
+This endpoint queries the entity by its identifier.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/identity/entity/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Identifier of the entity.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "bucket_key_hash": "177553e4c58987f4cc5d7e530136c642",
+    "creation_time": "2017-07-25T20:29:22.614756844Z",
+    "disabled": false,
+    "id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297",
+    "last_update_time": "2017-07-25T20:29:22.614756844Z",
+    "metadata": {
+      "organization": "hashicorp",
+      "team": "vault"
+    },
+    "name": "entity-c323de27-2ad2-5ded-dbf3-0c7ef98bc613",
+    "aliases": [],
+    "policies": ["eng-dev", "infra-dev"]
+  }
+}
+```
+
+## Update Entity by ID
+
+This endpoint is used to update an existing entity.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/identity/entity/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Identifier of the entity.
+- `name` `(string: entity-<UUID>)` – Name of the entity.
+- `metadata` `(key-value-map: {})` – Metadata to be associated with the entity.
+- `policies` `(list of strings: [])` – Policies to be tied to the entity.
+- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
+  entities' associated tokens cannot be used, but are not revoked.
+
+### Sample Payload
+
+```json
+{
+  "name": "updatedEntityName",
+  "metadata": {
+    "organization": "hashicorp",
+    "team": "nomad"
+  },
+  "policies": ["eng-developers", "infra-developers"]
+}
+```
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297",
+    "aliases": null
+  }
+}
+```
+
+## Delete Entity by ID
+
+This endpoint deletes an entity and all its associated aliases.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/identity/entity/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Identifier of the entity.
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
+```
+
+## List Entities by ID
+
+This endpoint returns a list of available entities by their identifiers.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `LIST` | `/identity/entity/id`           |
+| `GET`  | `/identity/entity/id?list=true` |
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/identity/entity/id
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": [
+      "02fe5a88-912b-6794-62ed-db873ef86a95",
+      "3bf81bc9-44df-8138-57f9-724a9ae36d04",
+      "627fba68-98c9-c012-71ba-bfb349585ce1",
+      "6c4c805b-b384-3d0e-4d51-44d349887b96",
+      "70a72feb-35d1-c775-0813-8efaa8b4b9b5",
+      "f1092a67-ce34-48fd-161d-c13a367bc1cd",
+      "faedd89a-0d82-c197-c8f9-93a3e6cf0cd0"
+    ]
+  }
+}
+```
+
+## Create/Update Entity by Name
+
+This endpoint is used to create or update an entity by a given name.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/identity/entity/name/:name` |
+
+### Parameters
+
+- `name` `(string: entity-<UUID>)` – Name of the entity.
+
+- `metadata` `(key-value-map: {})` – Metadata to be associated with the entity.
+
+- `policies` `(list of strings: [])` – Policies to be tied to the entity.
+
+- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
+  entities' associated tokens cannot be used, but are not revoked.
+
+### Sample Payload
+
+```json
+{
+  "metadata": {
+    "organization": "hashicorp",
+    "team": "nomad"
+  },
+  "policies": ["eng-developers", "infra-developers"]
+}
+```
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/entity/name/testentityname
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "aliases": null,
+    "id": "0826be06-577c-a076-3942-2f92da0310ce"
+  }
+}
+```
+
+## Read Entity by Name
+
+This endpoint queries the entity by its name.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `GET`  | `/identity/entity/name/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the entity.
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/identity/entity/name/testentityname
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "aliases": [],
+    "creation_time": "2018-09-19T17:20:27.705389973Z",
+    "direct_group_ids": [],
+    "disabled": false,
+    "group_ids": [],
+    "id": "0826be06-577c-a076-3942-2f92da0310ce",
+    "inherited_group_ids": [],
+    "last_update_time": "2018-09-19T17:20:27.705389973Z",
+    "merged_entity_ids": null,
+    "metadata": {
+      "organization": "hashicorp",
+      "team": "nomad"
+    },
+    "name": "testentityname",
+    "policies": ["eng-developers", "infra-developers"]
+  }
+}
+```
+
+## Delete Entity by Name
+
+This endpoint deletes an entity and all its associated aliases, given the
+entity name.
+
+| Method   | Path                          |
+| :------- | :---------------------------- |
+| `DELETE` | `/identity/entity/name/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the entity.
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/identity/entity/name/testentityname
+```
+
+## List Entities by Name
+
+This endpoint returns a list of available entities by their names.
+
+| Method | Path                              |
+| :----- | :-------------------------------- |
+| `LIST` | `/identity/entity/name`           |
+| `GET`  | `/identity/entity/name?list=true` |
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/identity/entity/name
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["testentityname"]
+  }
+}
+```
+
+## Merge Entities
+
+This endpoint merges many entities into one entity.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/identity/entity/merge` |
+
+### Parameters
+
+- `from_entity_ids` `(array: <required>)` - Entity IDs which needs to get
+  merged.
+
+- `to_entity_id` `(string: <required>)` - Entity ID into which all the other
+  entities need to get merged.
+
+- `force` `(bool: false)` - Setting this will follow the 'mine' strategy for
+  merging MFA secrets. If there are secrets of the same type both in entities
+  that are merged from and in entity into which all others are getting merged,
+  secrets in the destination will be unaltered. If not set, this API will throw
+  an error containing all the conflicts.
+
+### Sample Payload
+
+```json
+{
+  "to_entity_id": "f2cdefbe-f510-a226-77fa-989a48ba6abc",
+  "from_entity_ids": [
+    "1ade80ec-ba5c-8eed-91e2-b9dcd41d6fff",
+    "270976d0-9bab-14a5-4b92-3861805ef73d"
+  ]
+}
+```
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
+```
diff --git a/website/pages/api-docs/secret/identity/group-alias.mdx b/website/pages/api-docs/secret/identity/group-alias.mdx
new file mode 100644
index 000000000000..41c57b6adc80
--- /dev/null
+++ b/website/pages/api-docs/secret/identity/group-alias.mdx
@@ -0,0 +1,197 @@
+---
+layout: api
+page_title: 'Identity Secret Backend: Group Alias - HTTP API'
+sidebar_title: Group Alias
+description: >-
+  This is the API documentation for managing the group aliases in the identity
+  store.
+---
+
+## Create a Group Alias
+
+This endpoint creates or updates a group alias.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/identity/group-alias` |
+
+### Parameters
+
+- `name` `(string: entity-<UUID>)` – Name of the group alias.
+
+- `id` `(string: <optional>)` - ID of the group alias. If set, updates the
+  corresponding existing group alias.
+
+- `mount_accessor` `(string: "")` – Mount accessor which this alias belongs
+  to.
+
+- `canonical_id` `(string: "")` - ID of the group to which this is an alias.
+
+### Sample Payload
+
+```json
+{
+  "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
+  "mount_accessor": "auth_github_232a90dc",
+  "name": "dev-team"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/group-alias
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
+    "id": "ca726050-d8ac-6f1f-4210-3b5c5b613824"
+  }
+}
+```
+
+## Update Group Alias by ID
+
+This endpoint is used to update an existing group alias.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/identity/group-alias/id/:id` |
+
+### Parameters
+
+- `id` `(string: <optional>)` - ID of the group alias.
+
+- `name` `(string: entity-<UUID>)` – Name of the group alias.
+
+- `mount_accessor` `(string: "")` – Mount accessor which this alias belongs
+  to.
+
+- `canonical_id` `(string: "")` - ID of the group to which this is an alias.
+
+### Sample Payload
+
+```json
+{
+  "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
+  "mount_accessor": "auth_github_232a90dc",
+  "name": "dev-team"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
+    "id": "ca726050-d8ac-6f1f-4210-3b5c5b613824"
+  }
+}
+```
+
+## Read Group Alias by ID
+
+This endpoint queries the group alias by its identifier.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/identity/group-alias/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – ID of the group alias.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
+    "creation_time": "2017-11-13T20:09:41.661694Z",
+    "id": "ca726050-d8ac-6f1f-4210-3b5c5b613824",
+    "last_update_time": "2017-11-13T20:09:41.661694Z",
+    "merged_from_canonical_ids": null,
+    "metadata": null,
+    "mount_accessor": "auth_github_232a90dc",
+    "mount_path": "",
+    "mount_type": "github",
+    "name": "dev-team"
+  }
+}
+```
+
+## Delete Group Alias by ID
+
+This endpoint deletes a group alias.
+
+| Method   | Path                           |
+| :------- | :----------------------------- |
+| `DELETE` | `/identity/group-alias/id/:id` |
+
+## Parameters
+
+- `id` `(string: <required>)` – ID of the group alias.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
+```
+
+## List Group Alias by ID
+
+This endpoint returns a list of available group aliases by their identifiers.
+
+| Method | Path                                 |
+| :----- | :----------------------------------- |
+| `LIST` | `/identity/group-alias/id`           |
+| `GET`  | `/identity/group-alias/id?list=true` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/identity/group-alias/id
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["ca726050-d8ac-6f1f-4210-3b5c5b613824"]
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/identity/group.mdx b/website/pages/api-docs/secret/identity/group.mdx
new file mode 100644
index 000000000000..155161e07efa
--- /dev/null
+++ b/website/pages/api-docs/secret/identity/group.mdx
@@ -0,0 +1,381 @@
+---
+layout: api
+page_title: 'Identity Secret Backend: Group - HTTP API'
+sidebar_title: Group
+description: This is the API documentation for managing groups in the identity store.
+---
+
+## Create a Group
+
+This endpoint creates or updates a Group.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/identity/group` |
+
+### Parameters
+
+- `name` `(string: entity-<UUID>)` – Name of the group.
+
+- `id` `(string: <optional>)` - ID of the group. If set, updates the
+  corresponding existing group.
+
+- `type` `(string: "internal")` - Type of the group, `internal` or `external`.
+  Defaults to `internal`.
+
+- `metadata` `(key-value-map: {})` – Metadata to be associated with the
+  group.
+
+- `policies` `(list of strings: [])` – Policies to be tied to the group.
+
+- `member_group_ids` `(list of strings: [])` - Group IDs to be assigned as
+  group members.
+
+- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
+  group members.
+
+### Sample Payload
+
+```json
+{
+  "metadata": {
+    "hello": "world"
+  },
+  "policies": ["grouppolicy1", "grouppolicy2"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/group
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "id": "363926d8-dd8b-c9f0-21f8-7b248be80ce1",
+    "name": "group_ab813d63"
+  }
+}
+```
+
+## Read Group by ID
+
+This endpoint queries the group by its identifier.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/identity/group/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Identifier of the group.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "alias": {},
+    "creation_time": "2017-11-13T19:36:47.102945Z",
+    "id": "363926d8-dd8b-c9f0-21f8-7b248be80ce1",
+    "last_update_time": "2017-11-13T19:36:47.102945Z",
+    "member_entity_ids": [],
+    "member_group_ids": null,
+    "metadata": {
+      "hello": "world"
+    },
+    "modify_index": 1,
+    "name": "group_ab813d63",
+    "policies": ["grouppolicy1", "grouppolicy2"],
+    "type": "internal"
+  }
+}
+```
+
+## Update Group by ID
+
+This endpoint is used to update an existing group.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/identity/group/id/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Identifier of the entity.
+
+- `name` `(string: entity-<UUID>)` – Name of the group.
+
+- `type` `(string: "internal")` - Type of the group, `internal` or `external`.
+  Defaults to `internal`.
+
+- `metadata` `(key-value-map: {})` – Metadata to be associated with the
+  group.
+
+- `policies` `(list of strings: [])` – Policies to be tied to the group.
+
+- `member_group_ids` `(list of strings: [])` - Group IDs to be assigned as
+  group members.
+
+- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
+  group members.
+
+### Sample Payload
+
+```json
+{
+  "name": "testgroupname",
+  "metadata": {
+    "hello": "everyone"
+  },
+  "policies": ["grouppolicy2", "grouppolicy3"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "id": "363926d8-dd8b-c9f0-21f8-7b248be80ce1",
+    "name": "testgroupname"
+  }
+}
+```
+
+## Delete Group by ID
+
+This endpoint deletes a group.
+
+| Method   | Path                     |
+| :------- | :----------------------- |
+| `DELETE` | `/identity/group/id/:id` |
+
+## Parameters
+
+- `id` `(string: <required>)` – Identifier of the group.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
+```
+
+## List Groups by ID
+
+This endpoint returns a list of available groups by their identifiers.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `LIST` | `/identity/group/id`           |
+| `GET`  | `/identity/group/id?list=true` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/identity/group/id
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": [
+      "052567cf-1580-6f20-50c8-d38bc46dae6e",
+      "26da8035-6691-b89e-67ac-ebf9ea7f9893",
+      "363926d8-dd8b-c9f0-21f8-7b248be80ce1",
+      "5c4a5720-7408-c113-1dcc-9ede725d0ac8",
+      "d55e0f34-5c16-38ae-87af-324c9b656c43",
+      "e4e56e04-0dec-9b68-9b20-a450975d898e"
+    ]
+  }
+}
+```
+
+## Create/Update Group by Name
+
+This endpoint is used to create or update a group by its name.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/identity/group/name/:name` |
+
+### Parameters
+
+- `name` `(string: entity-<UUID>)` – Name of the group.
+
+- `type` `(string: "internal")` - Type of the group, `internal` or `external`.
+  Defaults to `internal`.
+
+- `metadata` `(key-value-map: {})` – Metadata to be associated with the
+  group.
+
+- `policies` `(list of strings: [])` – Policies to be tied to the group.
+
+- `member_group_ids` `(list of strings: [])` - Group IDs to be assigned as
+  group members.
+
+- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
+  group members.
+
+### Sample Payload
+
+```json
+{
+  "metadata": {
+    "hello": "everyone"
+  },
+  "policies": ["grouppolicy2", "grouppolicy3"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/group/name/testgroupname
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "b98b4a3d-a9f1-e151-11e1-ad91cfb08351",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "id": "5a3a04a0-0c3a-a4c3-74e8-26b1adbeaece",
+    "name": "testgroupname"
+  },
+  "warnings": null
+}
+```
+
+## Read Group by Name
+
+This endpoint queries the group by its name.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/identity/group/name/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the group.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/identity/group/name/testgroupname
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "alias": {},
+    "creation_time": "2018-09-19T22:02:04.395128091Z",
+    "id": "5a3a04a0-0c3a-a4c3-74e8-26b1adbeaece",
+    "last_update_time": "2018-09-19T22:02:04.395128091Z",
+    "member_entity_ids": [],
+    "member_group_ids": null,
+    "metadata": {
+      "foo": "bar"
+    },
+    "modify_index": 1,
+    "name": "testgroupname",
+    "parent_group_ids": null,
+    "policies": ["grouppolicy1", "grouppolicy2"],
+    "type": "internal"
+  }
+}
+```
+
+## Delete Group by Name
+
+This endpoint deletes a group, given its name.
+
+| Method   | Path                         |
+| :------- | :--------------------------- |
+| `DELETE` | `/identity/group/name/:name` |
+
+## Parameters
+
+- `name` `(string: <required>)` – Name of the group.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/identity/group/name/testgroupname
+```
+
+## List Groups by Name
+
+This endpoint returns a list of available groups by their names.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `LIST` | `/identity/group/name`           |
+| `GET`  | `/identity/group/name?list=true` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/identity/group/name
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["testgroupname"]
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/identity/index.mdx b/website/pages/api-docs/secret/identity/index.mdx
new file mode 100644
index 000000000000..bd459866331a
--- /dev/null
+++ b/website/pages/api-docs/secret/identity/index.mdx
@@ -0,0 +1,21 @@
+---
+layout: api
+page_title: Identity - Secrets Engines - HTTP API
+sidebar_title: Identity
+description: This is the API documentation for the Vault Identity secrets engine.
+---
+
+# Identity Secrets Engine (API)
+
+This is the API documentation for the Vault Identity secrets engine. For general
+information about the usage and operation of the Identity secrets engine, please
+see the [Vault Identity documentation](/docs/secrets/identity/index.html).
+
+## API Sections
+
+- [Entity](entity.html)
+- [Entity Alias](entity-alias.html)
+- [Group](group.html)
+- [Group Alias](group-alias.html)
+- [Identity Tokens](tokens.html)
+- [Lookup](lookup.html)
diff --git a/website/pages/api-docs/secret/identity/lookup.mdx b/website/pages/api-docs/secret/identity/lookup.mdx
new file mode 100644
index 000000000000..952575b30dab
--- /dev/null
+++ b/website/pages/api-docs/secret/identity/lookup.mdx
@@ -0,0 +1,132 @@
+---
+layout: api
+page_title: 'Identity Secret Backend: Lookup - HTTP API'
+sidebar_title: Lookup
+description: |-
+  This is the API documentation for entity and group lookups from identity
+  store.
+---
+
+## Lookup an Entity
+
+This endpoint queries the entity based on the given criteria. The criteria can
+be `name`, `id`, `alias_id`, or a combination of `alias_name` and
+`alias_mount_accessor`.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/identity/lookup/entity` |
+
+### Parameters
+
+- `name` `(string: "")` – Name of the entity.
+
+- `id` `(string: "")` - ID of the entity.
+
+- `alias_id` `(string: "")` - ID of the alias.
+
+- `alias_name` `(string: "")` - Name of the alias. This should be supplied in
+  conjunction with `alias_mount_accessor`.
+
+- `alias_mount_accessor` `(string: "")` - Accessor of the mount to which the
+  alias belongs to. This should be supplied in conjunction with `alias_name`.
+
+### Sample Payload
+
+```json
+{
+  "id": "043fedec-967d-b2c9-d3af-0c467b04e1fd"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/lookup/entity
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "aliases": [],
+    "creation_time": "2017-11-13T21:01:33.543497Z",
+    "direct_group_ids": [],
+    "group_ids": [],
+    "id": "043fedec-967d-b2c9-d3af-0c467b04e1fd",
+    "inherited_group_ids": [],
+    "last_update_time": "2017-11-13T21:01:33.543497Z",
+    "merged_entity_ids": null,
+    "metadata": null,
+    "name": "entity_43cc451b",
+    "policies": null
+  }
+}
+```
+
+## Lookup a Group
+
+This endpoint queries the group based on the given criteria. The criteria can
+be `name`, `id`, `alias_id`, or a combination of `alias_name` and
+`alias_mount_accessor`.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/identity/lookup/group` |
+
+### Parameters
+
+- `name` `(string: "")` – Name of the group.
+
+- `id` `(string: "")` - ID of the group.
+
+- `alias_id` `(string: "")` - ID of the alias.
+
+- `alias_name` `(string: "")` - Name of the alias. This should be supplied in
+  conjunction with `alias_mount_accessor`.
+
+- `alias_mount_accessor` `(string: "")` - Accessor of the mount to which the
+  alias belongs to. This should be supplied in conjunction with `alias_name`.
+
+### Sample Payload
+
+```json
+{
+  "id": "70a4bdef-9da3-4460-b524-bb08542eef25"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/lookup/group
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "alias": {},
+    "creation_time": "2017-11-13T21:06:44.475587Z",
+    "id": "70a4bdef-9da3-4460-b524-bb08542eef25",
+    "last_update_time": "2017-11-13T21:06:44.475587Z",
+    "member_entity_ids": [],
+    "member_group_ids": null,
+    "metadata": null,
+    "modify_index": 1,
+    "name": "group_eaf2aab1",
+    "policies": null,
+    "type": "internal"
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/identity/tokens.mdx b/website/pages/api-docs/secret/identity/tokens.mdx
new file mode 100644
index 000000000000..a72c2716b9b0
--- /dev/null
+++ b/website/pages/api-docs/secret/identity/tokens.mdx
@@ -0,0 +1,483 @@
+---
+layout: api
+page_title: 'Identity Secret Backend: Identity Tokens - HTTP API'
+sidebar_title: Identity Tokens
+description: >-
+  This is the API documentation for configuring, acquiring, and validating vault
+  issued identity tokens.
+---
+
+## Configure the Identity Tokens Backend
+
+This endpoint updates configurations for OIDC-compliant identity tokens issued by Vault.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `identity/oidc/config` |
+
+### Parameters
+
+- `issuer` `(string: "")` – Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.
+
+### Sample Payload
+
+```json
+{
+  "issuer": "https://example.com:1234"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/oidc/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": null,
+  "warnings": [
+    "If \"issuer\" is set explicitly, all tokens must be validated against that address, including those issued by secondary clusters. Setting issuer to \"\" will restore the default behavior of using the cluster's api_addr as the issuer."
+  ]
+}
+```
+
+## Read Configurations for the Identity Tokens Backend
+
+This endpoint queries vault identity tokens configurations.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `identity/oidc/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/identity/oidc/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "issuer": "https://example.com:1234"
+  }
+}
+```
+
+## Create a Named Key
+
+This endpoint creates or updates a named key which is used by a role to sign tokens.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `identity/oidc/key/:name` |
+
+### Parameters
+
+- `name` `(string)` – Name of the named key.
+
+- `rotation_period` `(int or time string: "24h")` - How often to generate a new signing key. Can be specified as a number of seconds or as a time string like "30m" or "6h".
+
+- `verification_ttl` `(int or time string: "24h")` - Controls how long the public portion of a signing key will be available for verification after being rotated.
+
+- `allowed_client_ids` `(list: [])` - Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "\*", all roles are allowed.
+
+- `algorithm` `(string: "RS256")` - Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.
+
+### Sample Payload
+
+```json
+{
+  "rotation_period": "12h",
+  "verification_ttl": 43200
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
+```
+
+## Read a Named Key
+
+This endpoint queries a named key and returns its configurations.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `identity/oidc/key/:name` |
+
+### Parameters
+
+- `name` `(string)` – Name of the key.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "algorithm": "RS256",
+    "rotation_period": 43200,
+    "verification_ttl": 43200
+  }
+}
+```
+
+## Delete a Named Key
+
+This endpoint deletes a named key.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `identity/oidc/key/:name` |
+
+### Parameters
+
+- `name` `(string)` – Name of the key.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
+```
+
+## List Named Keys
+
+This endpoint will List all named keys.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `LIST` | `identity/oidc/key` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/identity/oidc/key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["named-key-001", "named-key-002"]
+  }
+}
+```
+
+## Rotate a Named Key
+
+This endpoint rotates a named key.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `POST` | `identity/oidc/key/:name/rotate` |
+
+### Parameters
+
+- `name` `(string)` – Name of the key to be rotated.
+
+- `verification_ttl` `(string: <optional>)` - Controls how long the public portion of the key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.
+
+### Sample Payload
+
+```json
+{
+  "verification_ttl": 0
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001/rotate
+```
+
+## Create or Update a Role
+
+Create or update a role. ID tokens are generated against a role and signed against a named key.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `identity/oidc/role/:name` |
+
+### Parameters
+
+- `name` `(string)` – Name of the role.
+
+- `key` `(string)` – A configured named key, the key must already exist.
+
+- `template` `(string: <optional>)` - The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
+
+- `ttl` `(int or time string: "24h")` - TTL of the tokens generated against the role. Can be specified as a number of seconds or as a time string like "30m" or "6h".
+
+### Sample Payload
+
+```json
+{
+  "key": "named-key-001",
+  "ttl": "12h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/oidc/role/role-001
+```
+
+## Read a Role
+
+This endpoint queries a role and returs its configuration.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `GET`  | `identity/oidc/role/:name` |
+
+### Parameters
+
+- `name` `(string)` – Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/identity/oidc/role/role-001
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "client_id": "PGE8tf4RmJkDwvjI1FgARkXEmH",
+    "key": "named-key-001",
+    "template": "",
+    "ttl": 43200
+  }
+}
+```
+
+## Delete a Role
+
+This endpoint deletes a role.
+
+| Method   | Path                       |
+| :------- | :------------------------- |
+| `DELETE` | `identity/oidc/role/:name` |
+
+### Parameters
+
+- `name` `(string)` – Name of the role.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/identity/oidc/role/role-001
+```
+
+## List Roles
+
+This endpoint will list all signing keys.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `LIST` | `identity/oidc/role` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/identity/oidc/role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["role-001", "role-002", "testrole"]
+  }
+}
+```
+
+## Generate a Signed ID Token
+
+Use this endpoint to generate a signed ID (OIDC) token.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `GET`  | `identity/oidc/token/:name` |
+
+### Parameters
+
+- `name` `(string: "")` – The name of the role against which to generate a signed ID token
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/oidc/token/role-001
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "client_id": "P6CfCzyHsQY4pMcA6kWAOCItA7",
+    "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJkMGI4YjlkLWYwNGQtNzFlYy1iNjc0LWM3MzU4NDMyYmM1YiJ9.eyJhdWQiOiJQNkNmQ3p5SHNRWTRwTWNBNmtXQU9DSXRBNyIsImV4cCI6MTU2MTQ4ODQxMiwiaWF0IjoxNTYxNDAyMDEyLCJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tOjEyMzQiLCJzdWIiOiI2YzY1ZWFmNy1kNGY0LTEzMzMtMDJiYy0xYzc1MjE5YzMxMDIifQ.IcbWTmks7P5eVtwmIBl5rL1B88MI55a9JJuYVLIlwE9aP_ilXpX5fE38CDm5PixDDVJb8TI2Q_FO4GMMH0ymHDO25ZvA917WcyHCSBGaQlgcS-WUL2fYTqFjSh-pezszaYBgPuGvH7hJjlTZO6g0LPCyUWat3zcRIjIQdXZum-OyhWAelQlveEL8sOG_ldyZ8v7fy7GXDxfJOK1kpw5AX9DXJKylbwZTBS8tLb-7edq8uZ0lNQyWy9VPEW_EEIZvGWy0AHua-Loa2l59GRRP8mPxuMYxH_c88x1lsSw0vH9E3rU8AXLyF3n4d40PASXEjZ-7dnIf4w4hf2P4L0xs_g",
+    "ttl": 86400
+  }
+}
+```
+
+## Introspect a signed ID Token
+
+This endpoint can verify the authenticity and active state of a signed ID token.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `identity/oidc/introspect` |
+
+### Parameters
+
+- `token` `(string)` – A signed OIDC compliant ID token
+
+- `client_id` `(string: <optional>)` - Specifying the client ID optimizes validation time
+
+### Sample Payload
+
+```json
+{
+  "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImE4NDQ4YmVkLTk4ZTMtMDNhMC01ODY4LTdmOWYyZDc5NWY2NSJ9.eyJhdWQiOiJpUDdyV1A4dmhDVFFpOTAydGhaR0hUazJMbyIsImV4cCI6MTU2MTQ4OTE0OSwiaWF0IjoxNTYxNDAyNzQ5LCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgyMDAvdjEvaWRlbnRpdHkvb2lkYyIsInN1YiI6IjQ1NDQxZTg3LWMyMWQtYzY5NS0wNGM3LWU0YmU4MGU1M2Y0ZiJ9.IYZx1bBofBgwphLZggugFUE7V3ZLFDNr0UYv3hhc4RlIu5WgFZPRjpKVXPdORozYJJB_37aJW6qm5j8nNSz4WrWUmMcrVxoZi2VBExu-GcHHniEPRryR9t_45rqP2MycLBz0dICOjFDWvfkp6ddyCsQfkRnplPGCaN67MUEdgYQf5QNyxaG-yabRPiATY_OtXSjiNsMhJe6ZloYTZZc9gTTfKcKQf4mfy5yRY6471qkqeTuYNhKjwdkEnCSaEjHmCdZOYC5DAet16eQ7ankcwBno17_zs7vbPmkXNttALOrjSQgGe1td1SCfZeg5UOs7_IPk0qqdwOdyQ8wsrDmSyg"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/identity/oidc/introspect
+```
+
+### Sample Response
+
+```json
+{
+  "active": true
+}
+```
+
+## Read .well-known Configurations
+
+Query this path to retrieve a set of claims about the identity tokens' configuration. The response is a compliant [OpenID Provider Configuration Response](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+
+| Method | Path                                             |
+| :----- | :----------------------------------------------- |
+| `GET`  | `identity/oidc/.well-known/openid-configuration` |
+
+### Sample Request
+
+```
+$ curl \
+    --request GET \
+    http://127.0.0.1:8200/v1/identity/oidc/.well-known/openid-configuration
+```
+
+### Sample Response
+
+```json
+{
+  "issuer": "https://example.com:1234",
+  "authorization_endpoint": "",
+  "token_endpoint": "",
+  "jwks_uri": "https://example.com:1234/.well-known/keys",
+  "response_types_supported": null,
+  "subject_types_supported": ["public"],
+  "id_token_signing_alg_values_supported": ["RS256"],
+  "scopes_supported": null,
+  "token_endpoint_auth_methods_supported": null,
+  "claims_supported": null
+}
+```
+
+## Read Active Public Keys
+
+Query this path to retrieve the public portion of named keys. Clients can use this to validate the authenticity of an identity token.
+
+### Sample Request
+
+```
+$ curl \
+    --request GET \
+    http://127.0.0.1:8200/v1/identity/oidc/.well-known/keys
+```
+
+### Sample Response
+
+```json
+{
+  "keys": [
+    {
+      "use": "sig",
+      "kty": "RSA",
+      "kid": "94178020-55b5-e18d-b32b-1010ba5a35b4",
+      "alg": "RS256",
+      "n": "1bt-V8T7g0zr7koNbdppFrUM5YrnybPDOt-cK3MKmL1FcN3aOltCw9tCYStHgm8mIz_DJ1HgIjA-DcK_O9gacEGFCidUuudV8O4TixToHEVyRe1yXu-Q98hwkm9JtFF9PvMzDXhn4s3bLanOZzO15JAdVCo0JnwSIT9Ay3LxPLbWHYbPj7ROScuvic99OyvWz87qBK-AoXmxo9lRNY39LtieMr1D2iq0HvtjHkfiarr34CSTcuksknOsY49BU5ktrs_YJSEVpeRQ8RywY1sWrq8w_UmGsNFfPr--crXQw0ekJCXzmotsRHE5jwMuhjuucVlnyQFBYEdfDB_iPbC7Hw",
+      "e": "AQAB"
+    }
+  ]
+}
+```
diff --git a/website/pages/api-docs/secret/index.mdx b/website/pages/api-docs/secret/index.mdx
new file mode 100644
index 000000000000..1ef161a0f9b8
--- /dev/null
+++ b/website/pages/api-docs/secret/index.mdx
@@ -0,0 +1,18 @@
+---
+layout: api
+page_title: Secrets Engines - HTTP API
+sidebar_title: Secrets Engines
+description: |-
+  Each secrets engine publishes its own set of API paths and methods. These
+  endpoints are documented in this section.
+---
+
+# Secrets Engines
+
+Each secrets engine publishes its own set of API paths and methods. These
+endpoints are documented in this section. secrets engines are enabled at a path,
+but the documentation will assume the default paths for simplicity. If you are
+enabled at a different path, you should adjust your API calls accordingly.
+
+For the API documentation for a specific secrets engine, please choose a secrets
+engine from the navigation.
diff --git a/website/pages/api-docs/secret/kmip/index.mdx b/website/pages/api-docs/secret/kmip/index.mdx
new file mode 100644
index 000000000000..cb5420210ae9
--- /dev/null
+++ b/website/pages/api-docs/secret/kmip/index.mdx
@@ -0,0 +1,537 @@
+---
+layout: api
+page_title: KMIP - Secrets Engines - HTTP API
+sidebar_title: KMIP <sup>ENTERPRISE</sup>
+description: This is the API documentation for the Vault KMIP secrets engine.
+---
+
+# KMIP Secrets Engine (API)
+
+This is the API documentation for the Vault KMIP secrets engine. For general
+information about the usage and operation of
+the KMIP secrets engine, please see [these docs](/docs/secrets/kmip/index.html).
+
+This documentation assumes the KMIP secrets engine is enabled at the `/kmip` path
+in Vault. Since it is possible to mount secrets engines at any path, please
+update your API calls accordingly.
+
+## Write Config
+
+| Method | Path           |
+| :----- | :------------- |
+| `POST` | `/kmip/config` |
+
+This endpoint configures shared information for the secrets engine. After writing
+to it the KMIP engine will generate a CA and start listening for KMIP requests.
+If the server was already running and any non-client settings are changed, the
+server will be restarted using the new settings.
+
+### Parameters
+
+- `listen_addrs` (`list: ["127.0.0.1:5696"] || string`) - Address and port the
+  KMIP server should listen on. Can be given as a JSON list or a
+  comma-separated string list. If multiple values are given, all will be
+  listened on.
+- `connection_timeout` (`int: 1 || string:"1s"`) - Duration in either an integer
+  number of seconds (10) or an integer time unit (10s) within which connections
+  must become ready.
+
+- `server_hostnames` (`list: ["localhost"] || string`) - Hostnames to include in
+  the server's TLS certificate as SAN DNS names. The first will be used as the
+  common name (CN).
+
+- `server_ips` (`list: [] || string`) - IPs to include in the server's TLS
+  certificate as SAN IP addresses. Localhost (IPv4 and IPv6) will be automatically
+  included.
+- `tls_ca_key_type` (`string: "ec"`) - CA key type, `rsa` or `ec`.
+
+- `tls_ca_key_bits` (`int: 521`) - CA key bits, valid values depend on key type.
+
+- `tls_min_version` (`string: "tls12"`) - Minimum TLS version to accept.
+
+- `default_tls_client_key_type` (`string: "ec"`): - Client certificate key type,
+  `rsa` or `ec`.
+
+- `default_tls_client_key_bits` (`int: 521`): - Client certificate key bits, valid
+  values depend on key type.
+
+- `default_tls_client_ttl` (`int: 86400 || string:"24h"`) – Client certificate
+  TTL in either an integer number of seconds (10) or an integer time unit (10s).
+
+### Sample Payload
+
+```json
+{
+  "listen_addrs": "127.0.0.1:5696,192.168.1.2:9000",
+  "connection_timeout": "1s",
+  "server_hostnames": "myhostname1,myhostname2",
+  "server_ips": "192.168.1.2",
+  "tls_ca_key_type": "ec",
+  "tls_ca_key_bits": 521,
+  "tls_min_version": "tls11",
+  "default_tls_client_key_type": "ec",
+  "default_tls_client_key_bits": 224,
+  "default_tls_client_ttl": 86400
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/kmip/config
+```
+
+## Read Config
+
+| Method | Path           |
+| :----- | :------------- |
+| `GET`  | `/kmip/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/kmip/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "listen_addrs": ["127.0.0.1:5696", "192.168.1.2:9000"],
+    "connection_timeout": "1s",
+    "server_hostnames": ["myhostname1", "myhostname2"],
+    "server_ips": ["192.168.1.2"],
+    "tls_ca_key_type": "ec",
+    "tls_ca_key_bits": 521,
+    "tls_min_version": "tls11",
+    "default_tls_client_key_type": "ec",
+    "default_tls_client_key_bits": 224,
+    "default_tls_client_ttl": 86400
+  }
+}
+```
+
+## Read CA
+
+| Method | Path       |
+| :----- | :--------- |
+| `GET`  | `/kmip/ca` |
+
+Returns the CA certificates in PEM format. Returns an error if config has never
+been written.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/kmip/ca
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ca_pem": "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUApNsRil/dzQy3XT+yjZQEpcA49kwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MzIzM1oX\nDTI5MDYyMTE4MzMwM1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAGWJGwPjGGoXivBv\nLJwR+fIG3z6Ei06bhZgTaRW/U3eA5oivxubxOVZPe1BJGWCsIVNjxMZAN4Pswki7\nAHme9bdJAUbQw33tC1iAb0wjzIpoPv1+pdSk6wYZTCKzOYWCbsTb3SOIetpk7sQw\niM17agwIRK9qGvX3Q4PBfEKEpstAjoaJo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUKMwPpRxU2Uzydv21bc8ePfUpGFEw\nHwYDVR0jBBgwFoAUwrPrJc9EsU6kTWJ5hXkJV4PEq9swCgYIKoZIzj0EAwIDgYwA\nMIGIAkIBRCarRMer42Ni/fKQBTi+uFk+2sPyCxCYDWTfMFAusC51dC2F91mUL77R\nkHxauSkh5gcZVAch/dg/L0ewP0AZUBUCQgE1VqoBN9klFky7LHfl62p6PgprH7d1\nYCvYVbWdBNnEdrL2P9aKsuCewdqycZVJLmM36cHnOAEGg1yea8soQL0Ylw==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIICKTCCAYugAwIBAgIUOBgW1GCH+n5gC6m8Ff5jq+5DmO8wCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MzIzM1oX\nDTI5MDYyMTE4MzMwM1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA7vkbmKJR+SVBTJjAFnma0ynTIi64doZA\n5oOXIAExvOyyI2KBNfqXxgzt/51u9vvixQf3VX/1Jph+0fkIcIYUEmIBFAH7Th1X\n0EOOdmMHfN0YkXDEUUdKIZyQxgA7o3DF+JAVg1cdBV7S8jZyXik7pL+IFnlYdfvN\nUZcArUkMfKo1cZajZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBTCs+slz0SxTqRNYnmFeQlXg8Sr2zAfBgNVHSMEGDAWgBTC\ns+slz0SxTqRNYnmFeQlXg8Sr2zAKBggqhkjOPQQDAgOBiwAwgYcCQgGjKAC371/5\npxgYdLVBmVC6Aa+oOvwGfnich2YLSLbThySED7+fXl1BY43VU703ad6M34fStf6z\nwFZvVZVK188DCQJBJcSZ7YA3PjOre+epJHtAba+1CkAdbSAeGhBDgHdIEP1/FDvx\n+U2QYeVZ7kAVnkzPxa17V0yqjxDtQDTiOw/ZV5c=\n-----END CERTIFICATE-----"
+  }
+}
+```
+
+## Write scope
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/kmip/scope/:scope` |
+
+Creates a new scope with the given name.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope
+```
+
+## List scopes
+
+| Method | Path          |
+| :----- | :------------ |
+| `LIST` | `/kmip/scope` |
+
+List existing scopes.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/kmip/scope
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["myscope"]
+  }
+}
+```
+
+## Delete scope
+
+| Method   | Path                 |
+| :------- | :------------------- |
+| `DELETE` | `/kmip/scope/:scope` |
+
+Delete a scope by name.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+- `force` (`bool: false`) - Force scope deletion. If KMIP managed objects have
+  been created within the scope this param must be provided or the deletion will
+  fail. This value should be supplied as a query parameter, or as an argument in
+  the CLI.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope?force=false
+```
+
+## Write role
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `POST` | `/kmip/scope/:scope/role/:role` |
+
+Creates or updates a role.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+- `role` (`string: <required>`) - Name of role. This is part of the request URL.
+- `operation_none` (`bool: false`) - Remove all permissions
+  from this role. May not be specified with any other
+  `operation_` params.
+- `operation_all` (`bool: false`) - Grant all permissions
+  to this role. May not be specified with any other
+  `operation_` params.
+- `operation_activate` (`bool: false`) - Grant permission to use the KMIP
+  `Activate` operation.
+- `operation_add_attribute` (`bool: false`) - Grant permission to use the KMIP
+  `Add Attribute` operation.
+- `operation_create` (`bool: false`) - Grant permission to use the KMIP
+  `Create` operation.
+- `operation_destroy` (`bool: false`) - Grant permission to use the KMIP
+  `Destroy` operation.
+- `operation_discover_versions` (`bool: false`) - Grant permission to use the KMIP
+  `Discover Version` operation.
+- `operation_get` (`bool: false`) - Grant permission to use the KMIP
+  `Get` operation.
+- `operation_get_attribute_list` (`bool: false`) - Grant permission to use the KMIP
+  `Get Attribute List` operation.
+- `operation_get_attributes` (`bool: false`) - Grant permission to use the KMIP
+  `Get Attributes` operation.
+- `operation_locate` (`bool: false`) - Grant permission to use the KMIP
+  `Locate` operation.
+- `operation_register` (`bool: false`) - Grant permission to use the KMIP
+  `Register` operation.
+- `operation_rekey` (`bool: false`) - Grant permission to use the KMIP
+  `Rekey` operation.
+- `operation_revoke` (`bool: false`) - Grant permission to use the KMIP
+  `Revoke` operation.
+
+### Sample Payload
+
+```json
+{
+  "operation_activate": true,
+  "operation_add_attribute": true,
+  "operation_create": true,
+  "operation_destroy": true,
+  "operation_discover_versions": true,
+  "operation_get": true,
+  "operation_get_attribute_list": true,
+  "operation_get_attributes": true,
+  "operation_locate": true,
+  "operation_register": true,
+  "operation_rekey": true,
+  "operation_revoke": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
+```
+
+## Read role
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `GET`  | `/kmip/scope/:scope/role/:role` |
+
+Read a role.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+- `role` (`string: <required>`) - Name of role. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "operation_activate": true,
+    "operation_add_attribute": true,
+    "operation_create": true,
+    "operation_destroy": true,
+    "operation_discover_versions": true,
+    "operation_get": true,
+    "operation_get_attribute_list": true,
+    "operation_get_attributes": true,
+    "operation_locate": true,
+    "operation_register": true,
+    "operation_rekey": true,
+    "operation_revoke": true
+  }
+}
+```
+
+## List roles
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `LIST` | `/kmip/scope/:scope/role` |
+
+List roles with a scope.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope/role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["myrole"]
+  }
+}
+```
+
+## Delete role
+
+| Method   | Path                            |
+| :------- | :------------------------------ |
+| `DELETE` | `/kmip/scope/:scope/role/:role` |
+
+Delete a role by name.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+- `role` (`string: <required>`) - Name of role. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
+```
+
+## Generate credential
+
+| Method | Path                                                |
+| :----- | :-------------------------------------------------- |
+| `POST` | `/kmip/scope/:scope/role/:role/credential/generate` |
+
+Create a new client certificate tied to the given role and scope.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+- `role` (`string: <required>`) - Name of role. This is part of the request URL.
+- `format` (`string: "pem"`) - Format to return the certificate, private key,
+  and CA chain in. One of `pem`, `pem_bundle`, or `der`.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/generate
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUKOGtsdXdMjjGni52EsaMQ7ozhCEwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4NTgyMVoX\nDTI5MDYyMTE4NTg1MVowKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEATHNhNvU0GMtzl6A\nPbNaCoF0jV3z09RCfLKEqMl/MXv/AlPcfiqCQeOWBwWHv76epPWkCCo+IlNq8ldQ\neVe52p6mABMvRjE6BZ/eLea27zImI6waK7nZ2hqx0npb8ivdbwmrgp0NQnv0sJ+o\nPeLa2vh9wDK1NJebmOv0yRAbCw2CH7Rbo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQU2naFRym+xfFvZm2TNRBXNf3MJSsw\nHwYDVR0jBBgwFoAUFrA/R807R0BnIt395KzaXdP4n00wCgYIKoZIzj0EAwIDgYwA\nMIGIAkIAkb8EdHCXgPpQsKYedMz4X2j5CFSVdZTWsPVw1XuSXIsIsc6018V4z9Kp\nkPacsHZTBR636y2toqRPDG4y9MLqFFkCQgCV1jEkiNhhKc+ZWuDjerdqNvLnCbe+\n7t4fiG9zQgWwh6IxL11cNyGVz9gS9af32DtuYf0xwFLOwLgn1RadC9Pd7Q==\n-----END CERTIFICATE-----",
+      "-----BEGIN CERTIFICATE-----\nMIICKTCCAYugAwIBAgIUOcs4pXlp+UgGiUKfKlcxIE/woPEwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4NTgyMVoX\nDTI5MDYyMTE4NTg1MVowHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcst7uNwu77WtLDkbz4ILYDiQ3BgS++qU\nOoNKcKyvNe8YX6PtrdQWPTaxT4MZNHZvTv+BAQTQqGLKrstpkjXPh+sBn7V4trkT\nMCtxUjIGneURUXS4IC/KJEA60P7ep7MrGnJfG/N4m+Q/a6BuxKhdEavXtepniCMz\npHw4DCpW/9m2t16jZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBQWsD9HzTtHQGci3f3krNpd0/ifTTAfBgNVHSMEGDAWgBQW\nsD9HzTtHQGci3f3krNpd0/ifTTAKBggqhkjOPQQDAgOBiwAwgYcCQR7iNoA4nBV3\ndSn8nfafklFvHZxoKR1j3nn+56z4JHD6TNr//GNqQiqnM3P//Tce+E4KzEax4xRg\nhaLURgPLNBjOAkIAqW+1/+v9D0vXOU1WPc+/oFvhSjYnr5qqcTL7by5fsmMXzAIe\nLODXiODxdppXXnMZPCPZh6MGgUwEGYeCnaXopWc=\n-----END CERTIFICATE-----"
+    ],
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIICOzCCAZygAwIBAgIUeOkn0HAdoh31nGkVKdafpCNuhFEwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x\nOTA2MjQxOTAwMDlaFw0xOTA2MjUxOTAwMzlaMCAxDjAMBgNVBAsTBWlsVjYzMQ4w\nDAYDVQQDEwUyRnlWTjCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAA0rIy0h2DL3\nzmTXVj2v22Kz0N1EUUATlRgBj1XBsBA1Pdd7CSZoefmh/u6Z8TjtRX9Z1aj9Bb/d\nJxS3zB4mguULAF4k7bLH1gKXMVC6NYjjk3mfxH5jG4QY8S8n6uyqzNgI5KRJ2Hyj\nm8549Nvq3rvs8yOVXPSOGzkJ5KdUmSvXicMQo2cwZTAOBgNVHQ8BAf8EBAMCA6gw\nEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFEuzruLILCil5Fp32ZjE4AhD\nU268MB8GA1UdIwQYMBaAFNp2hUcpvsXxb2ZtkzUQVzX9zCUrMAoGCCqGSM49BAMC\nA4GMADCBiAJCAeeuaIsgO9ro7opzZ9y9hSHkKB5WA5Qc7ePoSiKHNNbVvIJMkjRQ\nC9YtUMQNnQ8wE6D/9xvR+9OBIi7t16iHGPGbAkIA6WIG6HHRNUXnHPIiW8iy/04O\nfVqZgJHJEeyGQbwdaehs+Z5xOz6TA4Z3uZOAMnPcb+KDwchnQ8CJnmT/KnnT5D8=\n-----END CERTIFICATE-----",
+    "private_key": "-----BEGIN EC PRIVATE KEY-----\nMIHcAgEBBEIBB4xDj9SUtb6Z466lVQIf3ucy21q5S2Fp9bzTQ0Ch5Vg2+DhUZUa1\nDjKvDdICY6hLPBFAwcOUFdDXr4kH/i8wuRWgBwYFK4EEACOhgYkDgYYABAANKyMt\nIdgy985k11Y9r9tis9DdRFFAE5UYAY9VwbAQNT3XewkmaHn5of7umfE47UV/WdWo\n/QW/3ScUt8weJoLlCwBeJO2yx9YClzFQujWI45N5n8R+YxuEGPEvJ+rsqszYCOSk\nSdh8o5vOePTb6t677PMjlVz0jhs5CeSnVJkr14nDEA==\n-----END EC PRIVATE KEY-----",
+    "serial_number": "728181095563584845125173905844944137943705466376"
+  }
+}
+```
+
+## Lookup credential
+
+| Method | Path                                              |
+| :----- | :------------------------------------------------ |
+| `GET`  | `/kmip/scope/:scope/role/:role/credential/lookup` |
+
+Read a certificate by serial number. The private key cannot be obtained except
+at generation time.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+- `role` (`string: <required>`) - Name of role. This is part of the request URL.
+- `serial_number` (`string: <required>`) - Serial number of certificate to revoke.
+- `format` (`string: "pem"`) - Format to return the certificate, private key,
+  and CA chain in. One of `pem`, `pem_bundle`, or `der`.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/lookup?serial_number=728181095563584845125173905844944137943705466376
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUGptwpwpVvxlx3sBniJ7TRGD9gCkwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE5MDY0N1oX\nDTI5MDYyMTE5MDcxN1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEADO48mMu5V2PTbcg\nq0JPB5ReWwnUHhfFh/+XLP8ZM112JpOFutlcUYYZ23jAlvrlYZ+m1E0ASr0592ZM\n9CwIXy3zAJChPrV3tiofhINR5PPqCF42FcfNj4l7VN/XeYMN6dslX+O4dPn/DsbH\nZi7kWr5KSOR939ULFaRMYe3l2MxaYZ2do2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUPP7VJOGk3qR0qKqx3TLN1R8JDiQw\nHwYDVR0jBBgwFoAUBHr+hhaorPU2jIF35DTBDhL7uWowCgYIKoZIzj0EAwIDgYwA\nMIGIAkIA7G82rqLYb6bKrQZzhpNwvVIFOSocEJrUbP0E0D8dEeOmKs43C70P5e0s\nTrrpNAMEsK6vXWtM+QcrZZp+yyM6k3QCQgG8cxFIl8tgoMKWe0+cDeOoHtczopRy\nSk+Tt7DNNP9sfYK11g7w8xzbtW4ZuZKKoYRbxN+eQHn5c+8akMSt4h71Dg==\n-----END CERTIFICATE-----",
+      "-----BEGIN CERTIFICATE-----\nMIICKDCCAYugAwIBAgIUWv6jrjNbsvdX43l4s10HaJkSxOMwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE5MDY0N1oX\nDTI5MDYyMTE5MDcxN1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAP6C8d9ZUalKBM1NdALtEMlv+dwFnK88F\n8bp7i6hV55vER45FtKKciQwWoA91FjfWTrDYPHb1X4OPZvcjQGnIJ1AAj+BSzEWr\neJXNo46RxLLl+cndiVDqlbJlhE9qVn9ueLHhPIPNSFZneY9cTj5+EOPyKiBCo4xB\ndTtVr29lLu/JwM2jZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBQEev6GFqis9TaMgXfkNMEOEvu5ajAfBgNVHSMEGDAWgBQE\nev6GFqis9TaMgXfkNMEOEvu5ajAKBggqhkjOPQQDAgOBigAwgYYCQUlJqNoWCz4H\npjMNphxD4A8lfWtIrajGUhSxE9+JWRzoPpEJSwVobvryU2SO5u0sfqxtcmX/sBjY\n12N5QVFfqpB3AkErsjg8eMkh+OMalmWxRYtTuZt+i4DPm1CKEVIkUT8ZBXYTIl9V\nG3TG8lmby/8e+YUwJEKVvOy6tVI8ExEoVslwKw==\n-----END CERTIFICATE-----"
+    ],
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIICOjCCAZygAwIBAgIUf4zFBobFJMkSIvM7CfceSVfYNggwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x\nOTA2MjQxOTA3MTBaFw0xOTA2MjUxOTA3NDBaMCAxDjAMBgNVBAsTBW5BcUswMQ4w\nDAYDVQQDEwU0Qjd2STCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAdxHrbr/EXUz\nzWCd9HMUDus6r/3QF1Y3u9dPD2UwM76J3aICmykkm7xoYpoyg4chBEDxBWh2YkGT\na4WFMoXBa+k1AZhdvlj8tjOUlYZrTCLB9FBPCGz3JB4f5cmbG5JVsQ8qnBPiyV3e\nU21cWM6mWlhZKHWIdBU2pj+eXW78K5LMu2sWo2cwZTAOBgNVHQ8BAf8EBAMCA6gw\nEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFAT0QZOpZCTMCz7F8+BvF2xs\nZSfkMB8GA1UdIwQYMBaAFDz+1SThpN6kdKiqsd0yzdUfCQ4kMAoGCCqGSM49BAMC\nA4GLADCBhwJBPxBV4DgPi5zihRnxu7zTNeqe/xlvrEt1uTff8QtW3JsigbBDHV+A\nxBe7vc8mL8VQPG7BFKvvxuQvOAeeQ+AR8ZoCQgDtbaWgLtfbzKvwlY48e6dLeBpK\nDu1DaZq+79EON2lhWQ+ULHblJc5cK0F6Ff5OC89aDnV1TWQDHeR91mZdYiWZZQ==\n-----END CERTIFICATE-----",
+    "serial_number": "728181095563584845125173905844944137943705466376"
+  }
+}
+```
+
+## List credential serial numbers
+
+| Method | Path                                       |
+| :----- | :----------------------------------------- |
+| `LIST` | `/kmip/scope/:scope/role/:role/credential` |
+
+List the serial numbers of all certificates within a role.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+- `role` (`string: <required>`) - Name of role. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["728181095563584845125173905844944137943705466376"]
+  }
+}
+```
+
+## Revoke credential
+
+| Method | Path                                              |
+| :----- | :------------------------------------------------ |
+| `POST` | `/kmip/scope/:scope/role/:role/credential/revoke` |
+
+Delete a certificate, thereby revoking it.
+
+### Parameters
+
+- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
+- `role` (`string: <required>`) - Name of role. This is part of the request URL.
+- `serial_number` (`string: ""`) - Serial number of certificate to revoke.
+  Exactly one of `serial_number` or `certificate` must be provided.
+- `certificate` (`string: """`) - Certificate to revoke, in PEM format.
+  Exactly one of `serial_number` or `certificate` must be provided.
+
+### Sample Payload
+
+```json
+{
+  "serial_number": "728181095563584845125173905844944137943705466376"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/revoke
+```
diff --git a/website/pages/api-docs/secret/kv/index.mdx b/website/pages/api-docs/secret/kv/index.mdx
new file mode 100644
index 000000000000..0086949a0800
--- /dev/null
+++ b/website/pages/api-docs/secret/kv/index.mdx
@@ -0,0 +1,16 @@
+---
+layout: api
+page_title: KV - Secrets Engines - HTTP API
+sidebar_title: Key/Value
+description: This is the API documentation for the Vault KV secrets engine.
+---
+
+# KV Secrets Engine (API)
+
+This backend can be run in one of two versions. Each of which have a distinct API.
+Choose the version below you are running. For more information on the KV secrets
+engine see the [Vault kv documentation](/docs/secrets/kv/index.html).
+
+- [KV Version 1 API](/api/secret/kv/kv-v1.html)
+
+- [KV Version 2 API](/api/secret/kv/kv-v2.html)
diff --git a/website/pages/api-docs/secret/kv/kv-v1.mdx b/website/pages/api-docs/secret/kv/kv-v1.mdx
new file mode 100644
index 000000000000..45ff4b5eaaa6
--- /dev/null
+++ b/website/pages/api-docs/secret/kv/kv-v1.mdx
@@ -0,0 +1,166 @@
+---
+layout: api
+page_title: KV - Secrets Engines - HTTP API
+sidebar_title: K/V Version 1
+description: This is the API documentation for the Vault KV secrets engine.
+---
+
+# KV Secrets Engine - Version 1 (API)
+
+This is the API documentation for the Vault KV secrets engine. For general
+information about the usage and operation of the kv secrets engine, please
+see the [Vault kv documentation](/docs/secrets/kv/index.html).
+
+This documentation assumes the kv secrets engine is enabled at the
+`/secret` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
+
+## Read Secret
+
+This endpoint retrieves the secret at the specified location.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `GET`  | `/secret/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to read.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/secret/my-secret
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "foo": "bar",
+    "ttl": "1h"
+  },
+  "lease_duration": 3600,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+_Note_: the `lease_duration` field, which will be populated if a "ttl" field
+was included in the data, is advisory. No lease is created. This is a way for
+writers to indicate how often a given value should be re-read by the client.
+See the [Vault KV secrets engine documentation](/docs/secrets/kv/index.html)
+for more details.
+
+## List Secrets
+
+This endpoint returns a list of key names at the specified location. Folders are
+suffixed with `/`. The input must be a folder; list on a file will not return a
+value. Note that no policy-based filtering is performed on keys; do not encode
+sensitive information in key names. The values themselves are not accessible via
+this command.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `LIST` | `/secret/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secrets to list.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/secret/my-secret
+```
+
+### Sample Response
+
+The example below shows output for a query path of `secret/` when there are
+secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
+entries.
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["foo", "foo/"]
+  },
+  "lease_duration": 2764800,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Create/Update Secret
+
+This endpoint stores a secret at the specified location. If the value does not
+yet exist, the calling token must have an ACL policy granting the `create`
+capability. If the value already exists, the calling token must have an ACL
+policy granting the `update` capability.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `POST` | `/secret/:path` |
+| `PUT`  | `/secret/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secrets to
+  create/update. This is specified as part of the URL.
+
+- `:key` `(string: "")` – Specifies a key, paired with an associated value, to
+  be held at the given location. Multiple key/value pairs can be specified, and
+  all will be returned on a read operation. A key called `ttl` will trigger
+  some special behavior. See the [Vault KV secrets engine
+  documentation](/docs/secrets/kv/index.html) for details.
+
+### Sample Payload
+
+```json
+{
+  "foo": "bar",
+  "zip": "zap"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/secret/my-secret
+```
+
+## Delete Secret
+
+This endpoint deletes the secret at the specified location.
+
+| Method   | Path            |
+| :------- | :-------------- |
+| `DELETE` | `/secret/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to delete.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/secret/my-secret
+```
diff --git a/website/pages/api-docs/secret/kv/kv-v2.mdx b/website/pages/api-docs/secret/kv/kv-v2.mdx
new file mode 100644
index 000000000000..506fa2276f8b
--- /dev/null
+++ b/website/pages/api-docs/secret/kv/kv-v2.mdx
@@ -0,0 +1,491 @@
+---
+layout: api
+page_title: KV - Secrets Engines - HTTP API
+sidebar_title: K/V Version 2
+description: This is the API documentation for the Vault KV secrets engine.
+---
+
+# KV Secrets Engine - Version 2 (API)
+
+This is the API documentation for the Vault KV secrets engine while running in
+versioned mode. For general information about the usage and operation of the kv
+secrets engine, please see the [Vault kv
+documentation](/docs/secrets/kv/index.html).
+
+This documentation assumes the kv secrets engine is enabled at the
+`/secret` path in Vault and that versioning has been enabled. Since it is
+possible to enable secrets engines at any location, please update your API calls
+accordingly.
+
+## Configure the KV Engine
+
+This path configures backend level settings that are applied to every key in the
+key-value store.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `POST` | `/secret/config` |
+
+### Parameters
+
+- `max_versions` `(int: 0)` – The number of versions to keep per key. This value
+  applies to all keys, but a key's metadata setting can overwrite this value.
+  Once a key has more than the configured allowed versions the oldest version
+  will be permanently deleted. Defaults to 10.
+
+- `cas_required` `(bool: false)` – If true all keys will require the cas
+  parameter to be set on all write requests.
+
+- `delete_version_after` `(string:"0s")` – If set, specifies the length
+  of time before a version is deleted.
+  Accepts [Go duration format string][duration-godoc].
+
+[duration-godoc]: https://golang.org/pkg/time/#ParseDuration
+
+### Sample Payload
+
+```json
+{
+  "max_versions": 5,
+  "cas_required": false,
+  "delete_version_after": "3h25m19s"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/secret/config
+```
+
+## Read KV Engine configuration
+
+This path retrieves the current configuration for the secrets backend at the
+given path.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `GET`  | `/secret/config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/secret/config
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "cas_required": false,
+    "max_versions": 0,
+    "delete_version_after": "3h25m19s"
+  }
+}
+```
+
+## Read Secret Version
+
+This endpoint retrieves the secret at the specified location.
+
+| Method | Path                                         |
+| :----- | :------------------------------------------- |
+| `GET`  | `/secret/data/:path?version=:version-number` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to read.
+  This is specified as part of the URL.
+- `version` `(int: 0)` - Specifies the version to return. If not set the latest
+  version is returned.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/secret/data/my-secret?version=2
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "data": {
+      "foo": "bar"
+    },
+    "metadata": {
+      "created_time": "2018-03-22T02:24:06.945319214Z",
+      "deletion_time": "",
+      "destroyed": false,
+      "version": 2
+    }
+  }
+}
+```
+
+## Create/Update Secret
+
+This endpoint creates a new version of a secret at the specified location. If
+the value does not yet exist, the calling token must have an ACL policy granting
+the `create` capability. If the value already exists, the calling token must
+have an ACL policy granting the `update` capability.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/secret/data/:path` |
+
+### Parameters
+
+- `options` `(Map: <optional>)` – An object that holds option settings.
+
+  - `cas` `(int: <optional>)` - Set the "cas" value to use a Check-And-Set
+    operation. If not set the write will be allowed. If set to 0 a write will
+    only be allowed if the key doesn’t exist. If the index is non-zero the
+    write will only be allowed if the key’s current version matches the
+    version specified in the cas parameter.
+
+- `data` `(Map: <required>)` – The contents of the data map will be stored and
+  returned on read.
+
+### Sample Payload
+
+```json
+{
+  "options": {
+    "cas": 0
+  },
+  "data": {
+    "foo": "bar",
+    "zip": "zap"
+  }
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/secret/data/my-secret
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "created_time": "2018-03-22T02:36:43.986212308Z",
+    "deletion_time": "",
+    "destroyed": false,
+    "version": 1
+  }
+}
+```
+
+## Delete Latest Version of Secret
+
+This endpoint issues a soft delete of the secret's latest version at the
+specified location. This marks the version as deleted and will stop it from
+being returned from reads, but the underlying data will not be removed. A
+delete can be undone using the `undelete` path.
+
+| Method   | Path                 |
+| :------- | :------------------- |
+| `DELETE` | `/secret/data/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to delete.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/secret/data/my-secret
+```
+
+## Delete Secret Versions
+
+This endpoint issues a soft delete of the specified versions of the secret. This
+marks the versions as deleted and will stop them from being returned from reads,
+but the underlying data will not be removed. A delete can be undone using the
+`undelete` path.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/secret/delete/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to delete.
+  This is specified as part of the URL.
+- `versions` `([]int: <required>)` - The versions to be deleted. The versioned
+  data will not be deleted, but it will no longer be returned in normal get
+  requests.
+
+### Sample Payload
+
+```json
+{
+  "versions": [1, 2]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/secret/delete/my-secret
+```
+
+## Undelete Secret Versions
+
+Undeletes the data for the provided version and path in the key-value store.
+This restores the data, allowing it to be returned on get requests.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/secret/undelete/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to undelete.
+  This is specified as part of the URL.
+
+- `versions` `([]int: <required>)` - The versions to undelete. The versions will
+  be restored and their data will be returned on normal get requests.
+
+### Sample Payload
+
+```json
+{
+  "versions": [1, 2]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/secret/undelete/my-secret
+```
+
+## Destroy Secret Versions
+
+Permanently removes the specified version data for the provided key and version
+numbers from the key-value store.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/secret/destroy/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to destroy.
+  This is specified as part of the URL.
+
+- `versions` `([]int: <required>)` - The versions to destroy. Their data will be
+  permanently deleted.
+
+### Sample Payload
+
+```json
+{
+  "versions": [1, 2]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/secret/destroy/my-secret
+```
+
+## List Secrets
+
+This endpoint returns a list of key names at the specified location. Folders are
+suffixed with `/`. The input must be a folder; list on a file will not return a
+value. Note that no policy-based filtering is performed on keys; do not encode
+sensitive information in key names. The values themselves are not accessible via
+this command.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `LIST` | `/secret/metadata/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secrets to list.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/secret/metadata/my-secret
+```
+
+### Sample Response
+
+The example below shows output for a query path of `secret/` when there are
+secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
+entries.
+
+```json
+{
+  "data": {
+    "keys": ["foo", "foo/"]
+  }
+}
+```
+
+## Read Secret Metadata
+
+This endpoint retrieves the metadata and versions for the secret at the
+specified path.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/secret/metadata/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to read.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/secret/metadata/my-secret
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "created_time": "2018-03-22T02:24:06.945319214Z",
+    "current_version": 3,
+    "max_versions": 0,
+    "oldest_version": 0,
+    "updated_time": "2018-03-22T02:36:43.986212308Z",
+    "versions": {
+      "1": {
+        "created_time": "2018-03-22T02:24:06.945319214Z",
+        "deletion_time": "",
+        "destroyed": false
+      },
+      "2": {
+        "created_time": "2018-03-22T02:36:33.954880664Z",
+        "deletion_time": "",
+        "destroyed": false
+      },
+      "3": {
+        "created_time": "2018-03-22T02:36:43.986212308Z",
+        "deletion_time": "",
+        "destroyed": false
+      }
+    }
+  }
+}
+```
+
+## Update Metadata
+
+This endpoint creates a new version of a secret at the specified location. If
+the value does not yet exist, the calling token must have an ACL policy granting
+the `create` capability. If the value already exists, the calling token must
+have an ACL policy granting the `update` capability.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/secret/metadata/:path` |
+
+### Parameters
+
+- `max_versions` `(int: 0)` – The number of versions to keep per key. If not
+  set, the backend’s configured max version is used. Once a key has more than
+  the configured allowed versions the oldest version will be permanently
+  deleted.
+
+- `cas_required` `(bool: false)` – If true the key will require the cas
+  parameter to be set on all write requests. If false, the backend’s
+  configuration will be used.
+
+- `delete_version_after` `(string:"0s")` – Set the `delete_version_after` value
+  to a duration to specify the `deletion_time` for all new versions
+  written to this key. If not set, the backend's `delete_version_after` will be
+  used. If the value is greater than the backend's `delete_version_after`, the
+  backend's `delete_version_after` will be used. Accepts [Go duration
+  format string][duration-godoc].
+
+### Sample Payload
+
+```json
+{
+  "max_versions": 5,
+  "cas_required": false,
+  "delete_version_after": "3h25m19s"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    https://127.0.0.1:8200/v1/secret/metadata/my-secret
+```
+
+## Delete Metadata and All Versions
+
+This endpoint permanently deletes the key metadata and all version data for the
+specified key. All version history will be removed.
+
+| Method   | Path                     |
+| :------- | :----------------------- |
+| `DELETE` | `/secret/metadata/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the secret to delete.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    https://127.0.0.1:8200/v1/secret/metadata/my-secret
+```
diff --git a/website/pages/api-docs/secret/mongodb/index.mdx b/website/pages/api-docs/secret/mongodb/index.mdx
new file mode 100644
index 000000000000..b3d40b2701ad
--- /dev/null
+++ b/website/pages/api-docs/secret/mongodb/index.mdx
@@ -0,0 +1,346 @@
+---
+layout: api
+page_title: MongoDB - Secrets Engines - HTTP API
+sidebar_title: MongoDB <sup>DEPRECATED</sup>
+description: This is the API documentation for the Vault MongoDB secrets engine.
+---
+
+# MongoDB Secrets Engine (API)
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the API documentation for
+the new implementation of this secrets engine at
+[MongoDB database plugin HTTP API](/api/secret/databases/mongodb.html).
+
+This is the API documentation for the Vault MongoDB secrets engine. For general
+information about the usage and operation of the MongoDB secrets engine, please
+see the
+[Vault MongoDB secrets engine documentation](/docs/secrets/mongodb/index.html).
+
+This documentation assumes the MongoDB secrets engine is enabled at the
+`/mongodb` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
+
+## Configure Connection
+
+This endpoint configures the standard connection string (URI) used to
+communicate with MongoDB.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/mongodb/config/connection` |
+
+### Parameters
+
+- `url` `(string: <required>)` – Specifies the MongoDB standard connection
+  string (URI).
+
+- `verify_connection` `(bool: true)` – Specifies if the connection is verified
+  during initial configuration.
+
+### Sample Payload
+
+```json
+{
+  "url": "mongodb://db1.example.net,db2.example.net:2500/?replicaSet=test"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mongodb/config/connection
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": [
+    "Read access to this endpoint should be controlled via ACLs as it will return the connection URI as it is, including passwords, if any."
+  ],
+  "auth": null
+}
+```
+
+## Read Connection
+
+This endpoint queries the connection configuration. Access to this endpoint
+should be controlled via ACLs as it will return the connection URI as it is,
+including passwords, if any.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/mongodb/config/connection` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/mongodb/config/connection
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "uri": "mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Configure Lease
+
+This endpoint configures the default lease TTL settings for credentials
+generated by the mongodb secrets engine.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/mongodb/config/lease` |
+
+### Parameters
+
+- `lease` `(string: <required>)` – Specifies the lease value provided as a
+  string duration with time suffix. "h" (hour) is the largest suffix.
+
+- `lease_max` `(string: <required>)` – Specifies the maximum lease value
+  provided as a string duration with time suffix. "h" (hour) is the largest
+  suffix.
+
+### Sample Payload
+
+```json
+{
+  "lease": "12h",
+  "lease_max": "24h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mongodb/config/lease
+```
+
+## Read Lease
+
+This endpoint queries the lease configuration.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/mongodb/config/lease` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/mongodb/config/lease
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "max_ttl": 60,
+    "ttl": 60
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Create Role
+
+This endpoint creates or updates a role definition.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/mongodb/roles/:name` |
+
+### Parameters
+
+- `db` `(string: <required>)` – Specifies the name of the database users should
+  be created in for this role.
+
+- `roles` `(string: "")` – Specifies the MongoDB roles to assign to the users
+  generated for this role.
+
+### Sample Payload
+
+```json
+{
+  "db": "my-db",
+  "roles": "[\"readWrite\",{\"db\":\"bar\",\"role\":\"read\"}]"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mongodb/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries the role definition.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/mongodb/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/mongodb/roles/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "db": "foo",
+    "roles": "[\"readWrite\",{\"db\":\"bar\",\"role\":\"read\"}]"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## List Roles
+
+This endpoint returns a list of available roles. Only the role names are
+returned, not any values.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `LIST` | `/mongodb/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/mongodb/roles
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "keys": ["dev", "prod"]
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Delete Role
+
+This endpoint deletes the role definition.
+
+| Method   | Path                   |
+| :------- | :--------------------- |
+| `DELETE` | `/mongodb/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/mongodb/roles/my-role
+```
+
+## Generate Credentials
+
+This endpoint generates a new set of dynamic credentials based on the named
+role.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/mongodb/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create
+  credentials against. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/mongodb/creds/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "mongodb/creds/readonly/e64e79d8-9f56-e379-a7c5-373f9b4ee3d8",
+  "renewable": true,
+  "lease_duration": 3600,
+  "data": {
+    "db": "foo",
+    "password": "de0f7b50-d700-54e5-4e81-5c3724283999",
+    "username": "vault-token-b32098cb-7ff2-dcf5-83cd-d5887cedf81b"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
diff --git a/website/pages/api-docs/secret/mssql/index.mdx b/website/pages/api-docs/secret/mssql/index.mdx
new file mode 100644
index 000000000000..2ff4871f4560
--- /dev/null
+++ b/website/pages/api-docs/secret/mssql/index.mdx
@@ -0,0 +1,248 @@
+---
+layout: api
+page_title: MSSQL - Secrets Engines - HTTP API
+sidebar_title: MSSQL <sup>DEPRECATED</sup>
+description: This is the API documentation for the Vault MSSQL secrets engine.
+---
+
+# MSSQL Secrets Engine (API)
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the API documentation for
+the new implementation of this secrets engine at
+[MSSQL database plugin HTTP API](/api/secret/databases/mssql.html).
+
+This is the API documentation for the Vault MSSQL secrets engine. For general
+information about the usage and operation of the MSSQL secrets engine, please
+see the [Vault MSSQL documentation](/docs/secrets/mssql/index.html).
+
+This documentation assumes the MSSQL secrets engine is enabled at the `/mssql`
+path in Vault. Since it is possible to enable secrets engines at any location,
+please update your API calls accordingly.
+
+## Configure Connection
+
+This endpoint configures the connection DSN used to communicate with Microsoft
+SQL Server.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/mssql/config/connection` |
+
+### Parameters
+
+- `connection_string` `(string: <required>)` – Specifies the MSSQL DSN.
+
+- `max_open_connections` `(int: 2)` – Specifies the maximum number of open
+  connections to the database.
+
+- `max_idle_connections` `(int: 0)` – Specifies the maximum number of idle
+  connections to the database. A zero uses the value of `max_open_connections`
+  and a negative value disables idle connections. If larger than
+  `max_open_connections` it will be reduced to be equal.
+
+### Sample Payload
+
+```json
+{
+  "connection_string": "Server=myServerAddress;Database=myDataBase;User Id=myUsername; Password=myPassword;"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mssql/config/connection
+```
+
+## Configure Lease
+
+This endpoint configures the lease settings for generated credentials.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/mysql/config/lease` |
+
+### Parameters
+
+- `lease` `(string: <required>)` – Specifies the lease value provided as a
+  string duration with time suffix. "h" (hour) is the largest suffix.
+
+- `lease_max` `(string: <required>)` – Specifies the maximum lease value
+  provided as a string duration with time suffix. "h" (hour) is the largest
+  suffix.
+
+### Sample Payload
+
+```json
+{
+  "lease": "12h",
+  "lease_max": "24h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mssql/config/lease
+```
+
+## Create Role
+
+This endpoint creates or updates the role definition.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/mssql/roles/:name` |
+
+### Parameters
+
+- `sql` `(string: <required>)` – Specifies the SQL statements executed to create
+  and configure the role. The '{{name}}' and '{{password}}' values will be
+  substituted. Must be a semicolon-separated string, a base64-encoded
+  semicolon-separated string, a serialized JSON string array, or a
+  base64-encoded serialized JSON string array.
+
+### Sample Payload
+
+```json
+{
+  "sql": "CREATE LOGIN ..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mssql/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries the role definition.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/mssql/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/mssql/roles/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "sql": "CREATE LOGIN..."
+  }
+}
+```
+
+## List Roles
+
+This endpoint returns a list of available roles. Only the role names are
+returned, not any values.
+
+| Method | Path           |
+| :----- | :------------- |
+| `LIST` | `/mssql/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/mssql/roles
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["dev", "prod"]
+  },
+  "lease_duration": 2764800,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Delete Role
+
+This endpoint deletes the role definition.
+
+| Method   | Path                 |
+| :------- | :------------------- |
+| `DELETE` | `/mssql/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/mssql/roles/my-role
+```
+
+## Generate Credentials
+
+This endpoint generates a new set of dynamic credentials based on the named
+role.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/mssql/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create
+  credentials against. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/mssql/creds/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "username": "root-a147d529-e7d6-4a16-8930-4c3e72170b19",
+    "password": "ee202d0d-e4fd-4410-8d14-2a78c5c8cb76"
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/mysql/index.mdx b/website/pages/api-docs/secret/mysql/index.mdx
new file mode 100644
index 000000000000..db19cd2655c4
--- /dev/null
+++ b/website/pages/api-docs/secret/mysql/index.mdx
@@ -0,0 +1,269 @@
+---
+layout: api
+page_title: MySQL - Secrets Engines - HTTP API
+sidebar_title: MySQL <sup>DEPRECATED</sup>
+description: This is the API documentation for the Vault MySQL secrets engine.
+---
+
+# MySQL Secrets Engine (API)
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the API documentation for
+the new implementation of this secrets engine at
+[MySQL/MariaDB database plugin HTTP API](/api/secret/databases/mysql-maria.html).
+
+This is the API documentation for the Vault MySQL secrets engine. For general
+information about the usage and operation of the MySQL secrets engine, please
+see the [Vault MySQL documentation](/docs/secrets/mysql/index.html).
+
+This documentation assumes the MySQL secrets engine is enabled at the `/mysql`
+path in Vault. Since it is possible to enable secrets engines at any location,
+please update your API calls accordingly.
+
+## Configure Connection
+
+This endpoint configures the connection DSN used to communicate with MySQL.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/mysql/config/connection` |
+
+### Parameters
+
+- `connection_url` `(string: <required>)` – Specifies the MySQL DSN.
+
+- `max_open_connections` `(int: 2)` – Specifies the maximum number of open
+  connections to the database.
+
+- `max_idle_connections` `(int: 0)` – Specifies the maximum number of idle
+  connections to the database. A zero uses the value of `max_open_connections`
+  and a negative value disables idle connections. If larger than
+  `max_open_connections` it will be reduced to be equal.
+
+- `verify_connection` `(bool: true)` – Specifies if the connection is verified
+  during initial configuration.
+
+### Sample Payload
+
+```json
+{
+  "connection_url": "mysql:host=localhost;dbname=testdb"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mysql/config/connection
+```
+
+## Configure Lease
+
+This endpoint configures the lease settings for generated credentials. If not
+configured, leases default to 1 hour. This is a root protected endpoint.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/mysql/config/lease` |
+
+### Parameters
+
+- `lease` `(string: <required>)` – Specifies the lease value provided as a
+  string duration with time suffix. "h" (hour) is the largest suffix.
+
+- `lease_max` `(string: <required>)` – Specifies the maximum lease value
+  provided as a string duration with time suffix. "h" (hour) is the largest
+  suffix.
+
+### Sample Payload
+
+```json
+{
+  "lease": "12h",
+  "lease_max": "24h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mysql/config/lease
+```
+
+## Create Role
+
+This endpoint creates or updates the role definition.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/mysql/roles/:name` |
+
+### Parameters
+
+- `sql` `(string: <required>)` – Specifies the SQL statements executed to create
+  and configure a user. Must be a semicolon-separated string, a base64-encoded
+  semicolon-separated string, a serialized JSON string array, or a
+  base64-encoded serialized JSON string array. The '{{name}}' and
+  '{{password}}' values will be substituted.
+
+- `revocation_sql` `(string: "")` – Specifies the SQL statements executed to
+  revoke a user. Must be a semicolon-separated string, a base64-encoded
+  semicolon-separated string, a serialized JSON string array, or a
+  base64-encoded serialized JSON string array. The '{{name}}' value will be
+  substituted.
+
+- `rolename_length` `(int: 4)` – Specifies how many characters from the role
+  name will be used to form the mysql username interpolated into the '{{name}}'
+  field of the sql parameter.
+
+- `displayname_length` `(int: 4)` – Specifies how many characters from the token
+  display name will be used to form the mysql username interpolated into the
+  '{{name}}' field of the sql parameter.
+
+- `username_length` `(int: 16)` – Specifies the maximum total length in
+  characters of the mysql username interpolated into the '{{name}}' field of the
+  sql parameter.
+
+### Sample Payload
+
+```json
+{
+  "sql": "CREATE USER ..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/mysql/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries the role definition.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/mysql/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/mysql/roles/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "sql": "CREATE USER..."
+  }
+}
+```
+
+## List Roles
+
+This endpoint returns a list of available roles. Only the role names are
+returned, not any values.
+
+| Method | Path           |
+| :----- | :------------- |
+| `LIST` | `/mysql/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/mysql/roles
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["dev", "prod"]
+  },
+  "lease_duration": 2764800,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Delete Role
+
+This endpoint deletes the role definition.
+
+| Method   | Path                 |
+| :------- | :------------------- |
+| `DELETE` | `/mysql/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/mysql/roles/my-role
+```
+
+## Generate Credentials
+
+This endpoint generates a new set of dynamic credentials based on the named
+role.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/mysql/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create
+  credentials against. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/mysql/creds/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "username": "user-role-aefa63",
+    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/nomad/index.mdx b/website/pages/api-docs/secret/nomad/index.mdx
new file mode 100644
index 000000000000..9a8130acd02d
--- /dev/null
+++ b/website/pages/api-docs/secret/nomad/index.mdx
@@ -0,0 +1,326 @@
+---
+layout: api
+page_title: Nomad Secret Backend - HTTP API
+sidebar_title: Nomad
+description: This is the API documentation for the Vault Nomad secret backend.
+---
+
+# Nomad Secret Backend HTTP API
+
+This is the API documentation for the Vault Nomad secret backend. For general
+information about the usage and operation of the Nomad backend, please see the
+[Vault Nomad backend documentation](/docs/secrets/nomad/index.html).
+
+This documentation assumes the Nomad backend is mounted at the `/nomad` path
+in Vault. Since it is possible to mount secret backends at any location, please
+update your API calls accordingly.
+
+## Configure Access
+
+This endpoint configures the access information for Nomad. This access
+information is used so that Vault can communicate with Nomad and generate
+Nomad tokens.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/nomad/config/access` |
+
+### Parameters
+
+- `address` `(string: "")` – Specifies the address of the Nomad
+  instance, provided as `"protocol://host:port"` like `"http://127.0.0.1:4646"`.
+  This value can also be provided on individual calls with the NOMAD_ADDR
+  environment variable.
+
+- `token` `(string: "")` – Specifies the Nomad Management token to use.
+  This value can also be provided on individual calls with the NOMAD_TOKEN
+  environment variable.
+
+- `max_token_name_length` `(int: <optional>)` – Specifies the maximum length to
+  use for the name of the Nomad token generated with [Generate
+  Credential](#generate-credential). If omitted, `0` is used and ignored,
+  defaulting to the max value allowed by the Nomad version. For Nomad versions
+  0.8.3 and earlier, the default is `64`. For Nomad version 0.8.4 and later, the default is
+  `256`.
+
+### Sample Payload
+
+```json
+{
+  "address": "http://127.0.0.1:4646",
+  "token": "adha...",
+  "max_token_name_length": 256
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --header "X-Vault-Token: ..." \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/nomad/config/access
+```
+
+## Read Access Configuration
+
+This endpoint queries for information about the Nomad connection.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/nomad/config/access` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/nomad/config/access
+```
+
+### Sample Response
+
+```json
+  "data": {
+    "address": "http://localhost:4646/"
+  }
+```
+
+## Configure Lease
+
+This endpoint configures the lease settings for generated tokens.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/nomad/config/lease` |
+
+### Parameters
+
+- `ttl` `(string: "")` – Specifies the ttl for the lease. This is provided
+  as a string duration with a time suffix like `"30s"` or `"1h"` or as total
+  seconds.
+
+- `max_ttl` `(string: "")` – Specifies the max ttl for the lease. This is
+  provided as a string duration with a time suffix like `"30s"` or `"1h"` or as
+  total seconds.
+
+### Sample Payload
+
+```json
+{
+  "ttl": 1800,
+  "max_ttl": 3600
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/nomad/config/lease
+```
+
+## Read Lease Configuration
+
+This endpoint queries for information about the Lease TTL for the specified mount.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `GET`  | `/nomad/config/lease` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/nomad/config/lease
+```
+
+### Sample Response
+
+```json
+  "data": {
+    "max_ttl": 86400,
+    "ttl": 86400
+  }
+```
+
+## Delete Lease Configuration
+
+This endpoint deletes the lease configuration.
+
+| Method   | Path                  |
+| :------- | :-------------------- |
+| `DELETE` | `/nomad/config/lease` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/nomad/config/lease
+```
+
+## Create/Update Role
+
+This endpoint creates or updates the Nomad role definition in Vault. If the role does not exist, it will be created. If the role already exists, it will receive
+updated attributes.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/nomad/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of an existing role against
+  which to create this Nomad tokens. This is part of the request URL.
+
+- `policies` `(string: "")` – Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.
+
+- `global` `(bool: "false")` – Specifies if the token should be global, as defined in the [Nomad Documentation](https://www.nomadproject.io/guides/acl.html#acl-tokens).
+
+- `type` `(string: "client")` - Specifies the type of token to create when
+  using this role. Valid values are `"client"` or `"management"`.
+
+### Sample Payload
+
+To create a client token with a custom policy:
+
+```json
+{
+  "policies": "readonly"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --header "X-Vault-Token: ..." \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/nomad/role/monitoring
+```
+
+## Read Role
+
+This endpoint queries for information about a Nomad role with the given name.
+If no role exists with that name, a 404 is returned.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/nomad/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to query. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/nomad/role/monitoring
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "lease": "0s",
+    "policies": ["example"],
+    "token_type": "client"
+  }
+}
+```
+
+## List Roles
+
+This endpoint lists all existing roles in the backend.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `LIST` | `/nomad/role`           |
+| `GET`  | `/nomad/role?list=true` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/nomad/role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["example"]
+  }
+}
+```
+
+## Delete Role
+
+This endpoint deletes a Nomad role with the given name. Even if the role does
+not exist, this endpoint will still return a successful response.
+
+| Method   | Path                |
+| :------- | :------------------ |
+| `DELETE` | `/nomad/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --request DELETE \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/nomad/role/example-role
+```
+
+## Generate Credential
+
+This endpoint generates a dynamic Nomad token based on the given role
+definition.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/nomad/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of an existing role against
+  which to create this Nomad token. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/nomad/creds/example
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "accessor_id": "c834ba40-8d84-b0c1-c084-3a31d3383c03",
+    "secret_id": "65af6f07-7f57-bb24-cdae-a27f86a894ce"
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/pki/index.mdx b/website/pages/api-docs/secret/pki/index.mdx
new file mode 100644
index 000000000000..545ee3d19d51
--- /dev/null
+++ b/website/pages/api-docs/secret/pki/index.mdx
@@ -0,0 +1,1601 @@
+---
+layout: api
+page_title: PKI - Secrets Engines - HTTP API
+sidebar_title: PKI
+description: This is the API documentation for the Vault PKI secrets engine.
+---
+
+# PKI Secrets Engine (API)
+
+This is the API documentation for the Vault PKI secrets engine. For general
+information about the usage and operation of the PKI secrets engine, please see
+the [PKI documentation](/docs/secrets/pki/index.html).
+
+This documentation assumes the PKI secrets engine is enabled at the `/pki` path
+in Vault. Since it is possible to enable secrets engines at any location, please
+update your API calls accordingly.
+
+## Table of Contents
+
+- [Read CA Certificate](#read-ca-certificate)
+- [Read CA Certificate Chain](#read-ca-certificate-chain)
+- [Read Certificate](#read-certificate)
+- [List Certificates](#list-certificates)
+- [Submit CA Information](#submit-ca-information)
+- [Read CRL Configuration](#read-crl-configuration)
+- [Set CRL Configuration](#set-crl-configuration)
+- [Read URLs](#read-urls)
+- [Set URLs](#set-urls)
+- [Read CRL](#read-crl)
+- [Rotate CRLs](#rotate-crls)
+- [Generate Intermediate](#generate-intermediate)
+- [Set Signed Intermediate](#set-signed-intermediate)
+- [Generate Certificate](#generate-certificate)
+- [Revoke Certificate](#revoke-certificate)
+- [Create/Update Role](#create-update-role)
+- [Read Role](#read-role)
+- [List Roles](#list-roles)
+- [Delete Role](#delete-role)
+- [Generate Root](#generate-root)
+- [Delete Root](#delete-root)
+- [Sign Intermediate](#sign-intermediate)
+- [Sign Self-Issued](#sign-self-issued)
+- [Sign Certificate](#sign-certificate)
+- [Sign Verbatim](#sign-verbatim)
+- [Tidy](#tidy)
+
+## Read CA Certificate
+
+This endpoint retrieves the CA certificate _in raw DER-encoded form_. This is a
+bare endpoint that does not return a standard Vault data structure and cannot
+be read by the Vault CLI; use `/pki/cert` for that. If `/pem` is added to the
+endpoint, the CA certificate is returned in PEM format.
+
+This is an unauthenticated endpoint.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `GET`  | `/pki/ca(/pem)` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/pki/ca/pem
+```
+
+### Sample Response
+
+```
+<binary DER-encoded certificate>
+```
+
+## Read CA Certificate Chain
+
+This endpoint retrieves the CA certificate chain, including the CA _in PEM
+format_. This is a bare endpoint that does not return a standard Vault data
+structure and cannot be read by the Vault CLI; use `/pki/cert` for that.
+
+This is an unauthenticated endpoint.
+
+| Method | Path            |
+| :----- | :-------------- |
+| `GET`  | `/pki/ca_chain` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/pki/ca_chain
+```
+
+### Sample Response
+
+```
+<PEM-encoded certificate chain>
+```
+
+## Read Certificate
+
+This endpoint retrieves one of a selection of certificates. This endpoint returns the certificate in PEM formatting in the
+`certificate` key of the JSON object, which is a standard Vault response that is readable by the Vault CLI.
+
+This is an unauthenticated endpoint.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/pki/cert/:serial` |
+
+### Parameters
+
+- `serial` `(string: <required>)` – Specifies the serial of the key to read.
+  This is part of the request URL. Valid values for `serial` are:
+
+  - `<serial>` for the certificate with the given serial number
+  - `ca` for the CA certificate
+  - `crl` for the current CRL
+  - `ca_chain` for the CA trust chain or a serial number in either hyphen-separated or colon-separated octal format
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/pki/cert/crl
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIGmDCCBYCgAwIBAgIHBzEB3fTzhTANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE\n..."
+  }
+}
+```
+
+## List Certificates
+
+This endpoint returns a list of the current certificates by serial number only.
+
+| Method | Path         |
+| :----- | :----------- |
+| `LIST` | `/pki/certs` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/certs
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "keys": [
+      "17:67:16:b0:b9:45:58:c0:3a:29:e3:cb:d6:98:33:7a:a6:3b:66:c1",
+      "26:0f:76:93:73:cb:3f:a0:7a:ff:97:85:42:48:3a:aa:e5:96:03:21"
+    ]
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Submit CA Information
+
+This endpoint allows submitting the CA information for the backend via a PEM
+file containing the CA certificate and its private key, concatenated.
+
+May optionally append additional CA certificates. Useful when creating an
+intermediate CA to ensure a full chain is returned when signing or generating
+certificates.
+
+Not needed if you are generating a self-signed root certificate, and not used
+if you have a signed intermediate CA certificate with a generated key (use the
+`/pki/intermediate/set-signed` endpoint for that). _If you have already set a
+certificate and key, they will be overridden._
+
+| Method | Path             |
+| :----- | :--------------- |
+| `POST` | `/pki/config/ca` |
+
+### Parameters
+
+- `pem_bundle` `(string: <required>)` – Specifies the key and certificate concatenated in PEM format.
+
+### Sample Request
+
+```text
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data "@payload.json" \
+    http://127.0.0.1:8200/v1/pki/config/ca
+```
+
+Note that if you provide the data through the HTTP API it must be
+JSON-formatted, with newlines replaced with `\n`, like so:
+
+```json
+{
+  "pem_bundle": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END CERTIFICATE-----"
+}
+```
+
+## Read CRL Configuration
+
+This endpoint allows getting the duration for which the generated CRL should be
+marked valid.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/pki/config/crl` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/crl
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "disable": false,
+    "expiry": "72h"
+  },
+  "auth": null
+}
+```
+
+## Set CRL Configuration
+
+This endpoint allows setting the duration for which the generated CRL should be
+marked valid. If the CRL is disabled, it will return a signed but zero-length
+CRL for any request. If enabled, it will re-build the CRL.
+
+~> Note: Disabling the CRL does not affect whether revoked certificates are
+stored internally. Certificates that have been revoked when a role's
+certificate storage is enabled will continue to be marked and stored as
+revoked until `tidy` has been run with the desired safety buffer. Re-enabling
+CRL generation will then result in all such certificates becoming a part of
+the CRL.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/pki/config/crl` |
+
+### Parameters
+
+- `expiry` `(string: "72h")` – Specifies the time until expiration.
+- `disable` `(bool: false)` – Disables or enables CRL building.
+
+### Sample Payload
+
+```json
+{
+  "expiry": "48h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/crl
+```
+
+## Read URLs
+
+This endpoint fetches the URLs to be encoded in generated certificates.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/pki/config/urls` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/config/urls
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "issuing_certificates": ["<url1>", "<url2>"],
+    "crl_distribution_points": ["<url1>", "<url2>"],
+    "ocsp_servers": ["<url1>", "<url2>"]
+  },
+  "auth": null
+}
+```
+
+## Set URLs
+
+This endpoint allows setting the issuing certificate endpoints, CRL distribution
+points, and OCSP server endpoints that will be encoded into issued certificates.
+You can update any of the values at any time without affecting the other
+existing values. To remove the values, simply use a blank string as the
+parameter.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/pki/config/urls` |
+
+### Parameters
+
+- `issuing_certificates` `(array<string>: nil)` – Specifies the URL values for
+  the Issuing Certificate field. This can be an array or a comma-separated
+  string list.
+
+- `crl_distribution_points` `(array<string>: nil)` – Specifies the URL values
+  for the CRL Distribution Points field. This can be an array or a
+  comma-separated string list.
+
+- `ocsp_servers` `(array<string>: nil)` – Specifies the URL values for the OCSP
+  Servers field. This can be an array or a comma-separated string list.
+
+### Sample Payload
+
+```json
+{
+  "ocsp_servers": ["https://..."]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/config/urls
+```
+
+## Read CRL
+
+This endpoint retrieves the current CRL **in raw DER-encoded form**. This
+endpoint is suitable for usage in the CRL Distribution Points extension in a CA
+certificate. This is a bare endpoint that does not return a standard Vault data
+structure and cannot be parsed by the Vault CLI; use `/pki/cert/crl` in that case.
+If `/pem` is added to the endpoint, the CRL is returned in PEM format.
+
+This is an unauthenticated endpoint.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `GET`  | `/pki/crl(/pem)` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/pki/crl/pem
+```
+
+### Sample Response
+
+```
+<binary DER-encoded CRL>
+```
+
+## Rotate CRLs
+
+This endpoint forces a rotation of the CRL. This can be used by administrators
+to cut the size of the CRL if it contains a number of certificates
+that have now expired, but has not been rotated due to no further
+certificates being revoked.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/pki/crl/rotate` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/crl/rotate
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "success": true
+  }
+}
+```
+
+## Generate Intermediate
+
+This endpoint generates a new private key and a CSR for signing. If using Vault
+as a root, and for many other CAs, the various parameters on the final
+certificate are set at signing time and may or may not honor the parameters set
+here. _This will overwrite any previously existing CA private key._
+
+This is mostly meant as a helper function, and not all possible parameters that
+can be set in a CSR are supported.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `POST` | `/pki/intermediate/generate/:type` |
+
+### Parameters
+
+- `type` `(string: <required>)` – Specifies the type of the intermediate to
+  create. If `exported`, the private key will be returned in the response; if
+  `internal` the private key will not be returned and _cannot be retrieved
+  later_. This is part of the request URL.
+
+- `common_name` `(string: <required>)` – Specifies the requested CN for the
+  certificate.
+
+- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
+  Names, in a comma-delimited list. These can be host names or email addresses;
+  they will be parsed into their respective fields.
+
+- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
+  Names, in a comma-delimited list.
+
+- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list.
+
+- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `format` `(string: "pem")` – Specifies the format for returned data. This can be
+  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
+  base64 encoded. If `pem_bundle`, the `csr` field will contain the private key
+  (if exported) and CSR, concatenated.
+
+- `private_key_format` `(string: "der")` – Specifies the format for marshaling the
+  private key. Defaults to `der` which will return either base64-encoded DER or
+  PEM-encoded DER, depending on the value of `format`. The other option is
+  `pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
+
+- `key_type` `(string: "rsa")` – Specifies the desired key type; must be `rsa`
+  or `ec`.
+
+- `key_bits` `(int: 2048)` – Specifies the number of bits to use. This must be
+  changed to a valid value if the `key_type` is `ec`, e.g., 224 or 521.
+
+- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
+  subject field of the resulting CSR. This is a comma-separated string
+  or JSON array.
+
+- `organization` `(string: "")` – Specifies the O (Organization) values in the
+  subject field of the resulting CSR. This is a comma-separated string
+  or JSON array.
+
+- `country` `(string: "")` – Specifies the C (Country) values in the subject
+  field of the resulting CSR. This is a comma-separated string or JSON
+  array.
+
+- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
+  field of the resulting CSR. This is a comma-separated string or JSON
+  array.
+
+- `province` `(string: "")` – Specifies the ST (Province) values in the subject
+  field of the resulting CSR. This is a comma-separated string or JSON
+  array.
+
+- `street_address` `(string: "")` – Specifies the Street Address values in the
+  subject field of the resulting CSR. This is a comma-separated string
+  or JSON array.
+
+- `postal_code` `(string: "")` – Specifies the Postal Code values in the
+  subject field of the resulting CSR. This is a comma-separated string
+  or JSON array.
+
+- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
+  Otherwise Vault will generate a random serial for you. If you want more than
+  one, specify alternative names in the alt_names map using OID 2.5.4.5.
+
+### Sample Payload
+
+```json
+{
+  "common_name": "www.example.com"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/intermediate/generate/exported
+```
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 21600,
+  "data": {
+    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE REQUEST-----\n",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEAwsANtGz9gS3o5SwTSlOG1l-----END RSA PRIVATE KEY-----",
+    "private_key_type": "rsa"
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Set Signed Intermediate
+
+This endpoint allows submitting the signed CA certificate corresponding to a
+private key generated via `/pki/intermediate/generate`. The certificate should
+be submitted in PEM format; see the documentation for
+[/pki/config/ca](/api/secret/pki/index.html#submit-ca-information) for some
+hints on submitting.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/pki/intermediate/set-signed` |
+
+## Parameters
+
+- `certificate` `(string: <required>)` – Specifies the certificate in PEM
+  format. May optionally append additional CA certificates to populate the
+  whole chain, which will then enable returning the full chain from issue and
+  sign operations.
+
+### Sample Payload
+
+```json
+{
+  "certificate": "-----BEGIN CERTIFICATE..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/intermediate/set-signed
+```
+
+## Generate Certificate
+
+This endpoint generates a new set of credentials (private key and certificate)
+based on the role named in the endpoint. The issuing CA certificate is returned
+as well, so that only the root CA need be in a client's trust store.
+
+**The private key is _not_ stored. If you do not save the private key, you will
+need to request a new certificate.**
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/pki/issue/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create the
+  certificate against. This is part of the request URL.
+
+- `common_name` `(string: <required>)` – Specifies the requested CN for the
+  certificate. If the CN is allowed by role policy, it will be issued.
+
+- `alt_names` `(string: "")` – Specifies requested Subject Alternative Names, in
+  a comma-delimited list. These can be host names or email addresses; they will
+  be parsed into their respective fields. If any requested names do not match
+  role policy, the entire request will be denied.
+
+- `ip_sans` `(string: "")` – Specifies requested IP Subject Alternative Names,
+  in a comma-delimited list. Only valid if the role allows IP SANs (which is the
+  default).
+
+- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list.
+
+- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `ttl` `(string: "")` – Specifies requested Time To Live. Cannot be greater
+  than the role's `max_ttl` value. If not provided, the role's `ttl` value will
+  be used. Note that the role values default to system values if not explicitly
+  set.
+
+- `format` `(string: "")` – Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
+  base64 encoded. If `pem_bundle`, the `certificate` field will contain the
+  private key and certificate, concatenated; if the issuing CA is not a
+  Vault-derived self-signed root, this will be included as well.
+
+- `private_key_format` `(string: "")` – Specifies the format for marshaling the
+  private key. Defaults to `der` which will return either base64-encoded DER or
+  PEM-encoded DER, depending on the value of `format`. The other option is
+  `pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
+
+- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+### Sample Payload
+
+```json
+{
+  "common_name": "www.example.com"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/issue/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "pki/issue/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
+  "renewable": false,
+  "lease_duration": 21600,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAnVHfwoKsUG1GDVyWB1AFroaKl2ImMBO8EnvGLRrmobIkQvh+\n...\nQN351pgTphi6nlCkGPzkDuwvtxSxiCWXQcaxrHAL7MiJpPzkIBq1\n-----END RSA PRIVATE KEY-----\n",
+    "private_key_type": "rsa",
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "warnings": "",
+  "auth": null
+}
+```
+
+## Revoke Certificate
+
+This endpoint revokes a certificate using its serial number. This is an
+alternative option to the standard method of revoking using Vault lease IDs. A
+successful revocation will rotate the CRL.
+
+| Method | Path          |
+| :----- | :------------ |
+| `POST` | `/pki/revoke` |
+
+### Parameters
+
+- `serial_number` `(string: <required>)` – Specifies the serial number of the
+  certificate to revoke, in hyphen-separated or colon-separated octal.
+
+### Sample Payload
+
+```json
+{
+  "serial_number": "39:dd:2e..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/revoke
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "revocation_time": 1433269787
+  }
+}
+```
+
+## Create/Update Role
+
+This endpoint creates or updates the role definition. Note that the
+`allowed_domains`, `allow_subdomains`, `allow_glob_domains`, and
+`allow_any_name` attributes are additive; between them nearly and across
+multiple roles nearly any issuing policy can be accommodated. `server_flag`,
+`client_flag`, and `code_signing_flag` are additive as well. If a client
+requests a certificate that is not allowed by the CN policy in the role, the
+request is denied.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/pki/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create. This
+  is part of the request URL.
+
+- `ttl` `(string: "")` – Specifies the Time To Live value provided as a string
+  duration with time suffix. Hour is the largest suffix. If not set, uses the
+  system default value or the value of `max_ttl`, whichever is shorter.
+
+- `max_ttl` `(string: "")` – Specifies the maximum Time To Live provided as a
+  string duration with time suffix. Hour is the largest suffix. If not set,
+  defaults to the system maximum lease TTL.
+
+- `allow_localhost` `(bool: true)` – Specifies if clients can request
+  certificates for `localhost` as one of the requested common names. This is
+  useful for testing and to allow clients on a single host to talk securely.
+
+- `allowed_domains` `(list: [])` – Specifies the domains of the role. This is
+  used with the `allow_bare_domains` and `allow_subdomains` options.
+
+- `allow_bare_domains` `(bool: false)` – Specifies if clients can request
+  certificates matching the value of the actual domains themselves; e.g. if a
+  configured domain set with `allowed_domains` is `example.com`, this allows
+  clients to actually request a certificate containing the name `example.com` as
+  one of the DNS values on the final certificate. In some scenarios, this can be
+  considered a security risk.
+
+- `allow_subdomains` `(bool: false)` – Specifies if clients can request
+  certificates with CNs that are subdomains of the CNs allowed by the other role
+  options. _This includes wildcard subdomains._ For example, an
+  `allowed_domains` value of `example.com` with this option set to true will
+  allow `foo.example.com` and `bar.example.com` as well as `*.example.com`. This
+  is redundant when using the `allow_any_name` option.
+
+- `allow_glob_domains` `(bool: false)` - Allows names specified in
+  `allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`). Clients
+  will be allowed to request certificates with names matching the glob
+  patterns.
+
+- `allow_any_name` `(bool: false)` – Specifies if clients can request any CN.
+  Useful in some circumstances, but make sure you understand whether it is
+  appropriate for your installation before enabling it.
+
+- `enforce_hostnames` `(bool: true)` – Specifies if only valid host names are
+  allowed for CNs, DNS SANs, and the host part of email addresses.
+
+- `allow_ip_sans` `(bool: true)` – Specifies if clients can request IP Subject
+  Alternative Names. No authorization checking is performed except to verify
+  that the given values are valid IP addresses.
+
+- `allowed_uri_sans` `(string: "")` - Defines allowed URI Subject
+  Alternative Names. No authorization checking is performed except to verify
+  that the given values are valid URIs. This can be a comma-delimited list or
+  a JSON string slice. Values can contain glob patterns (e.g.
+  `spiffe://hostname/*`).
+
+- `allowed_other_sans` `(string: "")` – Defines allowed custom OID/UTF8-string
+  SANs. This can be a comma-delimited list or a JSON string slice, where
+  each element has the same format as OpenSSL: `<oid>;<type>:<value>`, but
+  the only valid type is `UTF8` or `UTF-8`. The `value` part of an element
+  may be a `*` to allow any value with that OID.
+  Alternatively, specifying a single `*` will allow any `other_sans` input.
+
+- `server_flag` `(bool: true)` – Specifies if certificates are flagged for
+  server use.
+
+- `client_flag` `(bool: true)` – Specifies if certificates are flagged for
+  client use.
+
+- `code_signing_flag` `(bool: false)` – Specifies if certificates are flagged
+  for code signing use.
+
+- `email_protection_flag` `(bool: false)` – Specifies if certificates are
+  flagged for email protection use.
+
+- `key_type` `(string: "rsa")` – Specifies the type of key to generate for
+  generated private keys and the type of key expected for submitted CSRs.
+  Currently, `rsa` and `ec` are supported, or when signing CSRs `any` can be
+  specified to allow keys of either type and with any bit size (subject to >
+  1024 bits for RSA keys).
+
+- `key_bits` `(int: 2048)` – Specifies the number of bits to use for the
+  generated keys. This will need to be changed for `ec` keys, e.g., 224 or 521.
+
+- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` –
+  Specifies the allowed key usage constraint on issued certificates. Valid
+  values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply
+  drop the `KeyUsage` part of the value. Values are not case-sensitive. To
+  specify no key usage constraints, set this to an empty list.
+
+- `ext_key_usage` `(list: [])` –
+  Specifies the allowed extended key usage constraint on issued certificates. Valid
+  values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply
+  drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To
+  specify no key usage constraints, set this to an empty list.
+
+- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended key usage oids.
+
+- `use_csr_common_name` `(bool: true)` – When used with the CSR signing
+  endpoint, the common name in the CSR will be used instead of taken from the
+  JSON data. This does `not` include any requested SANs in the CSR; use
+  `use_csr_sans` for that.
+
+- `use_csr_sans` `(bool: true)` – When used with the CSR signing endpoint, the
+  subject alternate names in the CSR will be used instead of taken from the JSON
+  data. This does `not` include the common name in the CSR; use
+  `use_csr_common_name` for that.
+
+- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `organization` `(string: "")` – Specifies the O (Organization) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `country` `(string: "")` – Specifies the C (Country) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `locality` `(string: "")` – Specifies the L (Locality) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `province` `(string: "")` – Specifies the ST (Province) values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `street_address` `(string: "")` – Specifies the Street Address values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `postal_code` `(string: "")` – Specifies the Postal Code values in the
+  subject field of issued certificates. This is a comma-separated string or
+  JSON array.
+
+- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
+  Otherwise Vault will generate a random serial for you. If you want more than
+  one, specify alternative names in the alt_names map using OID 2.5.4.5.
+
+- `generate_lease` `(bool: false)` – Specifies if certificates issued/signed
+  against this role will have Vault leases attached to them. Certificates can be
+  added to the CRL by `vault revoke <lease_id>` when certificates are associated
+  with leases. It can also be done using the `pki/revoke` endpoint. However,
+  when lease generation is disabled, invoking `pki/revoke` would be the only way
+  to add the certificates to the CRL.
+
+- `no_store` `(bool: false)` – If set, certificates issued/signed against this
+  role will not be stored in the storage backend. This can improve performance
+  when issuing large numbers of certificates. However, certificates issued in
+  this way cannot be enumerated or revoked, so this option is recommended only
+  for certificates that are non-sensitive, or extremely short-lived. This
+  option implies a value of `false` for `generate_lease`.
+
+- `require_cn` `(bool: true)` - If set to false, makes the `common_name` field
+  optional while generating a certificate.
+
+- `policy_identifiers` `(list: [])` – A comma-separated string or list of policy
+  OIDs.
+
+- `basic_constraints_valid_for_non_ca` `(bool: false)` - Mark Basic Constraints
+  valid when issuing non-CA certificates.
+
+- `not_before_duration` `(duration: "30s")` – Specifies the duration by which to backdate the NotBefore property.
+
+### Sample Payload
+
+```json
+{
+  "allowed_domains": ["example.com"],
+  "allow_subdomains": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries the role definition.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/pki/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/roles/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "allow_any_name": false,
+    "allow_ip_sans": true,
+    "allow_localhost": true,
+    "allow_subdomains": false,
+    "allowed_domains": ["example.com", "foobar.com"],
+    "allowed_uri_sans": ["example.com", "spiffe://*"],
+    "allowed_other_sans": [
+      "1.3.6.1.4.1.311.20.2.3;utf8:devops@example.com",
+      "1.3.6.1.4.1.311.20.2.4;UTF-8:*"
+    ],
+    "client_flag": true,
+    "code_signing_flag": false,
+    "key_bits": 2048,
+    "key_type": "rsa",
+    "ttl": "6h",
+    "max_ttl": "12h",
+    "server_flag": true
+  }
+}
+```
+
+## List Roles
+
+This endpoint returns a list of available roles. Only the role names are
+returned, not any values.
+
+| Method | Path         |
+| :----- | :----------- |
+| `LIST` | `/pki/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/roles
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["dev", "prod"]
+  },
+  "lease_duration": 2764800,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Delete Role
+
+This endpoint deletes the role definition. Deleting a role **does not**
+revoke certificates previously issued under this role.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/pki/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/pki/roles/my-role
+```
+
+## Generate Root
+
+This endpoint generates a new self-signed CA certificate and private key. If
+the path ends with `exported`, the private key will be returned in the
+response; if it is `internal` the private key will not be returned and _cannot
+be retrieved later_. Distribution points use the values set via `config/urls`.
+
+As with other issued certificates, Vault will automatically revoke the
+generated root at the end of its lease period; the CA certificate will sign its
+own CRL.
+
+As of Vault 0.8.1, if a CA cert/key already exists, this function will not
+overwrite it; it must be deleted first. Previous versions of Vault would
+overwrite the existing cert/key with new values.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/pki/root/generate/:type` |
+
+### Parameters
+
+- `type` `(string: <required>)` – Specifies the type of the root to
+  create. If `exported`, the private key will be returned in the response; if
+  `internal` the private key will not be returned and _cannot be retrieved
+  later_. This is part of the request URL.
+
+- `common_name` `(string: <required>)` – Specifies the requested CN for the
+  certificate.
+
+- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
+  Names, in a comma-delimited list. These can be host names or email addresses;
+  they will be parsed into their respective fields.
+
+- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
+  Names, in a comma-delimited list.
+
+- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list.
+
+- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
+  certificate will be expired). This cannot be larger than the engine's max (or,
+  if not set, the system max).
+
+- `format` `(string: "pem")` – Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
+  `pem_bundle`, the `certificate` field will contain the private key (if
+  exported) and certificate, concatenated; if the issuing CA is not a
+  Vault-derived self-signed root, this will be included as well.
+
+- `private_key_format` `(string: "")` – Specifies the format for marshaling the
+  private key. Defaults to `der` which will return either base64-encoded DER or
+  PEM-encoded DER, depending on the value of `format`. The other option is
+  `pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
+
+- `key_type` `(string: "rsa")` – Specifies the desired key type; must be `rsa`
+  or `ec`.
+
+- `key_bits` `(int: 2048)` – Specifies the number of bits to use. This must be
+  changed to a valid value if the `key_type` is `ec`, e.g., 224 or 521.
+
+- `max_path_length` `(int: -1)` – Specifies the maximum path length to encode in
+  the generated certificate. `-1` means no limit. Unless the signing certificate
+  has a maximum path length set, in which case the path length is set to one
+  less than that of the signing certificate. A limit of `0` means a literal
+  path length of zero.
+
+- `exclude_cn_from_sans` `(bool: false)` – If set, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+- `permitted_dns_domains` `(string: "")` – A comma separated string (or, string
+  array) containing DNS domains for which certificates are allowed to be issued
+  or signed by this CA certificate. Note that subdomains are allowed, as per
+  [RFC](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
+
+- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `organization` `(string: "")` – Specifies the O (Organization) values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `country` `(string: "")` – Specifies the C (Country) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `province` `(string: "")` – Specifies the ST (Province) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `street_address` `(string: "")` – Specifies the Street Address values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `postal_code` `(string: "")` – Specifies the Postal Code values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
+  Otherwise Vault will generate a random serial for you. If you want more than
+  one, specify alternative names in the alt_names map using OID 2.5.4.5.
+
+### Sample Payload
+
+```json
+{
+  "common_name": "example.com"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/root/generate/internal
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "auth": null
+}
+```
+
+## Delete Root
+
+This endpoint deletes the current CA key (the old CA certificate will still be
+accessible for reading until a new certificate/key are generated or uploaded).
+_This endpoint requires sudo/root privileges._
+
+| Method   | Path        |
+| :------- | :---------- |
+| `DELETE` | `/pki/root` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/pki/root
+```
+
+## Sign Intermediate
+
+This endpoint uses the configured CA certificate to issue a certificate with
+appropriate values for acting as an intermediate CA. Distribution points use the
+values set via `config/urls`. Values set in the CSR are ignored unless
+`use_csr_values` is set to true, in which case the values from the CSR are used
+verbatim.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/pki/root/sign-intermediate` |
+
+### Parameters
+
+- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
+
+- `common_name` `(string: <required>)` – Specifies the requested CN for the
+  certificate.
+
+- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
+  Names, in a comma-delimited list. These can be host names or email addresses;
+  they will be parsed into their respective fields.
+
+- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
+  Names, in a comma-delimited list.
+
+- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list.
+
+- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
+  certificate will be expired). This cannot be larger than the engine's max (or,
+  if not set, the system max). However, this can be after the expiration of the
+  signing CA.
+
+- `format` `(string: "pem")` – Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
+  `pem_bundle`, the `certificate` field will contain the certificate and, if the
+  issuing CA is not a Vault-derived self-signed root, it will be concatenated
+  with the certificate.
+
+- `max_path_length` `(int: -1)` – Specifies the maximum path length to encode in
+  the generated certificate. `-1`, means no limit, unless the signing
+  certificate has a maximum path length set, in which case the path length is
+  set to one less than that of the signing certificate. A limit of `0` means a
+  literal path length of zero.
+
+- `exclude_cn_from_sans` `(string: "")` – Specifies the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+- `use_csr_values` `(bool: false)` – If set to `true`, then: 1) Subject
+  information, including names and alternate names, will be preserved from the
+  CSR rather than using the values provided in the other parameters to this
+  path; 2) Any key usages (for instance, non-repudiation) requested in the CSR
+  will be added to the basic set of key usages used for CA certs signed by this
+  path; 3) Extensions requested in the CSR will be copied into the issued
+  certificate.
+
+- `permitted_dns_domains` `(string: "")` – A comma separated string (or, string
+  array) containing DNS domains for which certificates are allowed to be issued
+  or signed by this CA certificate. Supports subdomains via a `.` in front of
+  the domain, as per
+  [RFC](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
+
+- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `organization` `(string: "")` – Specifies the O (Organization) values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `country` `(string: "")` – Specifies the C (Country) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `province` `(string: "")` – Specifies the ST (Province) values in the subject
+  field of the resulting certificate. This is a comma-separated string or JSON
+  array.
+
+- `street_address` `(string: "")` – Specifies the Street Address values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `postal_code` `(string: "")` – Specifies the Postal Code values in the
+  subject field of the resulting certificate. This is a comma-separated string
+  or JSON array.
+
+- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
+  Otherwise Vault will generate a random serial for you. If you want more than
+  one, specify alternative names in the alt_names map using OID 2.5.4.5.
+
+### Sample Payload
+
+```json
+{
+  "csr": "...",
+  "common_name": "example.com"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/root/sign-intermediate
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "auth": null
+}
+```
+
+## Sign Self-Issued
+
+This endpoint uses the configured CA certificate to sign a self-issued
+certificate (which will usually be a self-signed certificate as well).
+
+**_This is an extremely privileged endpoint_**. The given certificate will be
+signed as-is with only minimal validation performed (is it a CA cert, and is it
+actually self-issued). The only values that will be changed will be the
+authority key ID, the issuer DN, and, if set, any distribution points.
+
+This is generally only needed for root certificate rolling in cases where you
+don't want/can't get access to a CSR (such as if it's a root stored in Vault
+where the key is not exposed). If you don't know whether you need this
+endpoint, you most likely should be using a different endpoint (such as
+`sign-intermediate`).
+
+This endpoint requires `sudo` capability.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/pki/root/sign-self-issued` |
+
+### Parameters
+
+- `certificate` `(string: <required>)` – Specifies the PEM-encoded self-issued certificate.
+
+### Sample Payload
+
+```json
+{
+  "certificate": "..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/root/sign-self-issued
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+  },
+  "auth": null
+}
+```
+
+## Sign Certificate
+
+This endpoint signs a new certificate based upon the provided CSR and the
+supplied parameters, subject to the restrictions contained in the role named in
+the endpoint. The issuing CA certificate is returned as well, so that only the
+root CA need be in a client's trust store.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/pki/sign/:name` |
+
+### Parameters
+
+- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
+
+- `common_name` `(string: <required>)` – Specifies the requested CN for the
+  certificate. If the CN is allowed by role policy, it will be issued.
+
+- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
+  Names, in a comma-delimited list. These can be host names or email addresses;
+  they will be parsed into their respective fields. If any requested names do
+  not match role policy, the entire request will be denied.
+
+- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
+  must match values specified on the role in `allowed_other_sans` (see role
+  creation for allowed_other_sans globbing rules).
+  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
+  only current valid type is `UTF8`. This can be a comma-delimited list or a
+  JSON string slice.
+
+- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
+  Names, in a comma-delimited list. Only valid if the role allows IP SANs (which
+  is the default).
+
+- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
+  Names, in a comma-delimited list. If any requested URIs do not match role policy,
+  the entire request will be denied.
+
+- `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
+  than the role's `max_ttl` value. If not provided, the role's `ttl` value will
+  be used. Note that the role values default to system values if not explicitly
+  set.
+
+- `format` `(string: "pem")` – Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
+  `pem_bundle`, the `certificate` field will contain the certificate and, if the
+  issuing CA is not a Vault-derived self-signed root, it will be concatenated
+  with the certificate.
+
+- `exclude_cn_from_sans` `(bool: false)` – If set, the given `common_name` will
+  not be included in DNS or Email Subject Alternate Names (as appropriate).
+  Useful if the CN is not a hostname or email address, but is instead some
+  human-readable identifier.
+
+### Sample Payload
+
+```json
+{
+  "csr": "...",
+  "common_name": "example.com"
+}
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "pki/sign/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
+  "renewable": false,
+  "lease_duration": 21600,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "auth": null
+}
+```
+
+## Sign Verbatim
+
+This endpoint signs a new certificate based upon the provided CSR. Values are
+taken verbatim from the CSR; the _only_ restriction is that this endpoint will
+refuse to issue an intermediate CA certificate (see the
+`/pki/root/sign-intermediate` endpoint for that functionality.)
+
+**This is a potentially dangerous endpoint and only highly trusted users should
+have access.**
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/pki/sign-verbatim(/:name)` |
+
+### Parameters
+
+- `name` `(string: "")` - Specifies a role. If set, the following parameters
+  from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, and
+  `no_store`.
+
+- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
+
+- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` –
+  Specifies the allowed key usage constraint on issued certificates. Valid
+  values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply
+  drop the `KeyUsage` part of the value. Values are not case-sensitive. To
+  specify no key usage constraints, set this to an empty list.
+
+- `ext_key_usage` `(list: [])` –
+  Specifies the allowed extended key usage constraint on issued certificates. Valid
+  values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply
+  drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To
+  specify no key usage constraints, set this to an empty list.
+
+- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended key usage oids.
+
+- `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
+  than the engine's `max_ttl` value. If not provided, the engine's `ttl` value
+  will be used, which defaults to system values if not explicitly set.
+
+- `format` `(string: "pem")` – Specifies the format for returned data. Can be
+  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
+  `pem_bundle`, the `certificate` field will contain the certificate and, if the
+  issuing CA is not a Vault-derived self-signed root, it will be concatenated
+  with the certificate.
+
+### Sample Payload
+
+```json
+{
+  "csr": "..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/sign-verbatim
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "pki/sign-verbatim/7ad6cfa5-f04f-c62a-d477-f33210475d05",
+  "renewable": false,
+  "lease_duration": 21600,
+  "data": {
+    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
+    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
+    "ca_chain": [
+      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
+    ],
+    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
+  },
+  "auth": null
+}
+```
+
+## Tidy
+
+This endpoint allows tidying up the storage backend and/or CRL by removing
+certificates that have expired and are past a certain buffer period beyond their
+expiration time.
+
+| Method | Path        |
+| :----- | :---------- |
+| `POST` | `/pki/tidy` |
+
+### Parameters
+
+- `tidy_cert_store` `(bool: false)` Specifies whether to tidy up the certificate
+  store.
+
+- `tidy_revoked_certs` `(bool: false)` Set to true to expire all revoked and
+  expired certificates, removing them both from the CRL and from storage. The
+  CRL will be rotated if this causes any values to be removed.
+
+- `safety_buffer` `(string: "")` Specifies A duration (given as an integer
+  number of seconds or a string; defaults to `72h`) used as a safety buffer to
+  ensure certificates are not expunged prematurely; as an example, this can keep
+  certificates from being removed from the CRL that, due to clock skew, might
+  still be considered valid on other hosts. For a certificate to be expunged,
+  the time must be after the expiration time of the certificate (according to
+  the local clock) plus the duration of `safety_buffer`.
+
+### Sample Payload
+
+```json
+{
+  "safety_buffer": "24h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/pki/tidy
+```
diff --git a/website/pages/api-docs/secret/postgresql/index.mdx b/website/pages/api-docs/secret/postgresql/index.mdx
new file mode 100644
index 000000000000..75d30c484c95
--- /dev/null
+++ b/website/pages/api-docs/secret/postgresql/index.mdx
@@ -0,0 +1,263 @@
+---
+layout: api
+page_title: PostgreSQL - Secrets Engines - HTTP API
+sidebar_title: PostgreSQL <sup>DEPRECATED</sup>
+description: This is the API documentation for the Vault PostgreSQL secrets engine.
+---
+
+# PostgreSQL Secrets Engine (API)
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the API documentation for
+the new implementation of this secrets engine at
+[PostgreSQL database plugin HTTP API](/api/secret/databases/postgresql.html).
+
+This is the API documentation for the Vault PostgreSQL secrets engine. For
+general information about the usage and operation of the PostgreSQL secrets
+engine, please see the [PostgreSQL
+documentation](/docs/secrets/postgresql/index.html).
+
+This documentation assumes the PostgreSQL secrets engine is enabled at the
+`/postgresql` path in Vault. Since it is possible to enable secrets engines at
+any location, please update your API calls accordingly.
+
+## Configure Connection
+
+This endpoint configures the connection string used to communicate with
+PostgreSQL.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `POST` | `/postgresql/config/connection` |
+
+### Parameters
+
+- `connection_url` `(string: <required>)` – Specifies the PostgreSQL connection
+  URL or PG-style string, for example `"user=foo host=bar"`.
+
+- `max_open_connections` `(int: 2)` – Specifies the maximum number of open
+  connections to the database. A negative value means unlimited.
+
+- `max_idle_connections` `(int: 0)` – Specifies the maximum number of idle
+  connections to the database. A zero uses the value of `max_open_connections`
+  and a negative value disables idle connections. If this is larger than
+  `max_open_connections` it will be reduced to be equal.
+
+- `verify_connection` `(bool: true)` – Specifies if the connection is verified
+  during initial configuration.
+
+### Sample Payload
+
+```json
+{
+  "connection_url": "postgresql://user:pass@localhost/my-db"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/postgresql/config/connection
+```
+
+## Configure Lease
+
+This configures the lease settings for generated credentials. If not configured,
+leases default to 1 hour. This is a root protected endpoint.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/postgresql/config/lease` |
+
+### Parameters
+
+- `lease` `(string: <required>)` – Specifies the lease value provided as a
+  string duration with time suffix. "h" (hour) is the largest suffix.
+
+- `lease_max` `(string: <required>)` – Specifies the maximum lease value
+  provided as a string duration with time suffix. "h" (hour) is the largest
+  suffix.
+
+### Sample Payload
+
+```json
+{
+  "lease": "12h",
+  "lease_max": "24h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/postgresql/config/lease
+```
+
+## Create Role
+
+This endpoint creates or updates a role definition.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/postgresql/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create. This
+  is specified as part of the URL.
+
+- `sql` `(string: <required>)` – Specifies the SQL statements executed to create
+  and configure the role. Must be a semicolon-separated string, a base64-encoded
+  semicolon-separated string, a serialized JSON string array, or a
+  base64-encoded serialized JSON string array. The '{{name}}', '{{password}}'
+  and '{{expiration}}' values will be substituted.
+
+- `revocation_sql` `(string: "")` – Specifies the SQL statements to be executed
+  to revoke a user. Must be a semicolon-separated string, a base64-encoded
+  semicolon-separated string, a serialized JSON string array, or a
+  base64-encoded serialized JSON string array. The '{{name}}' value will be
+  substituted.
+
+### Sample Payload
+
+```json
+{
+  "sql": "CREATE USER WITH ROLE {{name}}"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/postgresql/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries the role definition.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/postgresql/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/postgresql/roles/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "sql": "CREATE USER..."
+  }
+}
+```
+
+## List Roles
+
+This endpoint returns a list of available roles. Only the role names are
+returned, not any values.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `LIST` | `/postgresql/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/postgresql/roles
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["dev", "prod"]
+  },
+  "lease_duration": 2764800,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Delete Role
+
+This endpoint deletes the role definition.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/postgresql/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/postgresql/roles/my-role
+```
+
+## Generate Credentials
+
+This endpoint generates a new set of dynamic credentials based on the named
+role.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/postgresql/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create
+  credentials against. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/postgresql/creds/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "username": "root-1430158508-126",
+    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/rabbitmq/index.mdx b/website/pages/api-docs/secret/rabbitmq/index.mdx
new file mode 100644
index 000000000000..9111db22cfa5
--- /dev/null
+++ b/website/pages/api-docs/secret/rabbitmq/index.mdx
@@ -0,0 +1,221 @@
+---
+layout: api
+page_title: RabbitMQ - Secrets Engines - HTTP API
+sidebar_title: RabbitMQ
+description: This is the API documentation for the Vault RabbitMQ secrets engine.
+---
+
+# RabbitMQ Secrets Engine (API)
+
+This is the API documentation for the Vault RabbitMQ secrets engine. For general
+information about the usage and operation of the RabbitMQ secrets engine, please
+see the [RabbitMQ documentation](/docs/secrets/rabbitmq/index.html).
+
+This documentation assumes the RabbitMQ secrets engine is enabled at the
+`/rabbitmq` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
+
+## Configure Connection
+
+This endpoint configures the connection string used to communicate with
+RabbitMQ.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `POST` | `/rabbitmq/config/connection` |
+
+### Parameters
+
+- `connection_uri` `(string: <required>)` – Specifies the RabbitMQ connection
+  URI.
+
+- `username` `(string: <required>)` – Specifies the RabbitMQ management
+  administrator username.
+
+- `password` `(string: <required>)` – Specifies the RabbitMQ management
+  administrator password.
+
+- `verify_connection` `(bool: true)` – Specifies whether to verify connection
+  URI, username, and password.
+
+### Sample Payload
+
+```json
+{
+  "connection_uri": "https://...",
+  "username": "user",
+  "password": "password"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/rabbitmq/config/connection
+```
+
+## Configure Lease
+
+This endpoint configures the lease settings for generated credentials.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/rabbitmq/config/lease` |
+
+### Parameters
+
+- `ttl` `(int: 0)` – Specifies the lease ttl provided in seconds.
+
+- `max_ttl` `(int: 0)` – Specifies the maximum ttl provided in seconds.
+
+### Sample Payload
+
+```json
+{
+  "ttl": 1800,
+  "max_ttl": 3600
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/rabbitmq/config/lease
+```
+
+## Create Role
+
+This endpoint creates or updates the role definition.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/rabbitmq/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create. This
+  is specified as part of the URL.
+
+- `tags` `(string: "")` – Specifies a comma-separated RabbitMQ management tags.
+
+- `vhosts` `(string: "")` – Specifies a map of virtual hosts to
+  permissions.
+
+- `vhost_topics` `(string: "")` – Specifies a map of virtual hosts and exchanges
+  to topic permissions. This option requires RabbitMQ 3.7.0 or later.
+
+### Sample Payload
+
+```json
+{
+  "tags": "tag1,tag2",
+  "vhosts": "{\"/\": {\"configure\":\".*\", \"write\":\".*\", \"read\": \".*\"}}",
+  "vhost_topics": "{\"/\": {\"amq.topic\": {\"write\":\".*\", \"read\": \".*\"}}}"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/rabbitmq/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries the role definition.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/rabbitmq/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/rabbitmq/roles/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "tags": "",
+    "vhosts": "{\"/\": {\"configure\":\".*\", \"write\":\".*\", \"read\": \".*\"}}",
+    "vhost_topics": "{\"/\": {\"amq.topic\": {\"write\":\".*\", \"read\": \".*\"}}}"
+  }
+}
+```
+
+## Delete Role
+
+This endpoint deletes the role definition.
+
+| Method   | Path                    |
+| :------- | :---------------------- |
+| `DELETE` | `/rabbitmq/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/rabbitmq/roles/my-role
+```
+
+## Generate Credentials
+
+This endpoint generates a new set of dynamic credentials based on the named
+role.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/rabbitmq/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create
+  credentials against. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/rabbitmq/creds/my-role
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "username": "root-4b95bf47-281d-dcb5-8a60-9594f8056092",
+    "password": "e1b6c159-ca63-4c6a-3886-6639eae06c30"
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/ssh/index.mdx b/website/pages/api-docs/secret/ssh/index.mdx
new file mode 100644
index 000000000000..0674161b15e2
--- /dev/null
+++ b/website/pages/api-docs/secret/ssh/index.mdx
@@ -0,0 +1,811 @@
+---
+layout: api
+page_title: SSH - Secrets Engines - HTTP API
+sidebar_title: SSH
+description: This is the API documentation for the Vault SSH secrets engine.
+---
+
+# SSH Secrets Engine (API)
+
+This is the API documentation for the Vault SSH secrets engine. For general
+information about the usage and operation of the SSH secrets engine, please see
+the [SSH documentation](/docs/secrets/ssh/index.html).
+
+This documentation assumes the SSH secrets engine is enabled at the `/ssh` path
+in Vault. Since it is possible to enable secrets engines at any location, please
+update your API calls accordingly.
+
+## Create/Update Key
+
+This endpoint creates or updates a named key.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/ssh/keys/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the key to create. This
+  is part of the request URL.
+
+- `key` `(string: <required>)` – Specifies an SSH private key with appropriate
+  privileges on remote hosts.
+
+### Sample Payload
+
+```json
+{
+  "key": "..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/keys/my-key
+```
+
+## Delete Key
+
+This endpoint deletes a named key.
+
+| Method   | Path              |
+| :------- | :---------------- |
+| `DELETE` | `/ssh/keys/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the key to delete. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/ssh/keys/my-key
+```
+
+## Create Role
+
+This endpoint creates or updates a named role.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/ssh/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create. This
+  is part of the request URL.
+
+- `key` `(string: "")` – Specifies the name of the registered key in Vault.
+  Before creating the role, use the `keys/` endpoint to create a named key. This
+  is required for "Dynamic Key" type.
+
+- `admin_user` `(string: "")` – Specifies the admin user at remote host. The
+  shared key being registered should be for this user and should have root or
+  sudo privileges. Every time a dynamic credential is generated for a client,
+  Vault uses this admin username to login to remote host and install the
+  generated credential. This is required for Dynamic Key type.
+
+- `default_user` `(string: "")` – Specifies the default username for which a
+  credential will be generated. When the endpoint `creds/` is used without a
+  username, this value will be used as default username. Its recommended to
+  create individual roles for each username to ensure absolute isolation between
+  usernames. This is required for Dynamic Key type and OTP type.
+
+  For the CA type, if you wish this to be a valid principal, it must also be
+  in `allowed_users`.
+
+- `cidr_list` `(string: "")` – Specifies a comma separated list of CIDR blocks
+  for which the role is applicable for. It is possible that a same set of CIDR
+  blocks are part of multiple roles. This is a required parameter, unless the
+  role is registered under the `/config/zeroaddress` endpoint.
+
+- `exclude_cidr_list` `(string: "")` – Specifies a comma-separated list of CIDR
+  blocks. IP addresses belonging to these blocks are not accepted by the role.
+  This is particularly useful when big CIDR blocks are being used by the role
+  and certain parts need to be kept out.
+
+- `port` `(int: 22)` – Specifies the port number for SSH connection. Port number
+  does not play any role in OTP generation. For the `otp` secrets engine type, this is
+  just a way to inform the client about the port number to use. The port number
+  will be returned to the client by Vault along with the OTP.
+
+- `key_type` `(string: <required>)` – Specifies the type of credentials
+  generated by this role. This can be either `otp`, `dynamic` or `ca`.
+
+- `key_bits` `(int: 1024)` – Specifies the length of the RSA dynamic key in
+  bits. This can be either 1024 or 2048.
+
+- `install_script` `(string: "")` – Specifies the script used to install and
+  uninstall public keys in the target machine. Defaults to the built-in script.
+
+- `allowed_users` `(string: "")` – If this option is not specified, or if it is
+  `*`, the client can request a credential for any valid user at the remote
+  host, including the admin user. If only certain usernames are to be allowed,
+  then this list enforces it. If this field is set, then credentials can only
+  be created for `default_user` and usernames present in this list. Setting
+  this option will enable all the users with access this role to fetch
+  credentials for all other usernames in this list. Use with caution. N.B.: if
+  the type is `ca`, an empty list does not allow any user; instead you must use
+  `*` to enable this behavior.
+
+- `allowed_domains` `(string: "")` – The list of domains for which a client can
+  request a host certificate. If this option is explicitly set to `"*"`, then
+  credentials can be created for any domain. See also `allow_bare_domains` and
+  `allow_subdomains`.
+
+- `key_option_specs` `(string: "")` – Specifies a comma separated option
+  specification which will be prefixed to RSA keys in the remote host's
+  authorized_keys file. N.B.: Vault does not check this string for validity.
+
+- `ttl` `(string: "")` – Specifies the Time To Live value provided as a string
+  duration with time suffix. Hour is the largest suffix. If not set, uses the
+  system default value or the value of `max_ttl`, whichever is shorter.
+
+- `max_ttl` `(string: "")` – Specifies the maximum Time To Live provided as a
+  string duration with time suffix. Hour is the largest suffix. If not set,
+  defaults to the system maximum lease TTL.
+
+- `allowed_critical_options` `(string: "")` – Specifies a comma-separated list
+  of critical options that certificates can have when signed. To allow any
+  critical options, set this to an empty string. Will default to allowing any
+  critical options.
+
+- `allowed_extensions` `(string: "")` – Specifies a comma-separated list of
+  extensions that certificates can have when signed. To allow any critical
+  options, set this to an empty string. Will default to allowing any
+  extensions. For the list of extensions, take a look at the [sshd
+  manual's](https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT)
+  `AUTHORIZED_KEYS FILE FORMAT` section. You should add a `permit-` before the
+  name of extension to allow it.
+
+- `default_critical_options` `(map<string|string>: "")` – Specifies a map of
+  critical options certificates should have if none are provided when signing.
+  This field takes in key value pairs in JSON format. Note that these are not
+  restricted by `allowed_critical_options`. Defaults to none.
+
+- `default_extensions` `(map<string|string>: "")` – Specifies a map of
+  extensions certificates should have if none are provided when signing. This
+  field takes in key value pairs in JSON format. Note that these are not
+  restricted by `allowed_extensions`. Defaults to none.
+
+- `allow_user_certificates` `(bool: false)` – Specifies if certificates are
+  allowed to be signed for use as a 'user'.
+
+- `allow_host_certificates` `(bool: false)` – Specifies if certificates are
+  allowed to be signed for use as a 'host'.
+
+- `allow_bare_domains` `(bool: false)` – Specifies if host certificates that are
+  requested are allowed to use the base domains listed in `allowed_domains`, e.g.
+  "example.com". This is a separate option as in some cases this can be
+  considered a security threat.
+
+- `allow_subdomains` `(bool: false)` – Specifies if host certificates that are
+  requested are allowed to be subdomains of those listed in `allowed_domains`,
+  e.g. if "example.com" is part of `allowed_domains`, this allows
+  "foo.example.com".
+
+- `allow_user_key_ids` `(bool: false)` – Specifies if users can override the key
+  ID for a signed certificate with the "key_id" field. When false, the key ID
+  will always be the token display name. The key ID is logged by the SSH server
+  and can be useful for auditing.
+
+- `key_id_format` `(string: "")` – When supplied, this value specifies a custom
+  format for the key id of a signed certificate. The following variables are
+  available for use: '{{token_display_name}}' - The display name of the token used
+  to make the request. '{{role_name}}' - The name of the role signing the request.
+  '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.
+  e.g. "custom-keyid-{{token_display_name}}"
+
+- `allowed_user_key_lengths` `(map<string|int>: "")` – Specifies a map of ssh key types
+  and their expected sizes which are allowed to be signed by the CA type.
+
+### Sample Payload
+
+```json
+{
+  "key_type": "otp"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/roles/my-role
+```
+
+## Read Role
+
+This endpoint queries a named role.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/ssh/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/ssh/roles/my-role
+```
+
+### Sample Response
+
+For a dynamic key role:
+
+```json
+{
+  "admin_user": "username",
+  "cidr_list": "x.x.x.x/y",
+  "default_user": "username",
+  "key": "<key name>",
+  "key_type": "dynamic",
+  "port": 22
+}
+```
+
+For an OTP role:
+
+```json
+{
+  "cidr_list": "x.x.x.x/y",
+  "default_user": "username",
+  "key_type": "otp",
+  "port": 22
+}
+```
+
+For a CA role:
+
+```json
+{
+  "allow_bare_domains": false,
+  "allow_host_certificates": true,
+  "allow_subdomains": false,
+  "allow_user_key_ids": false,
+  "allow_user_certificates": true,
+  "allowed_critical_options": "",
+  "allowed_extensions": "",
+  "default_critical_options": {},
+  "default_extensions": {},
+  "max_ttl": "768h",
+  "ttl": "4h"
+}
+```
+
+## List Roles
+
+This endpoint returns a list of available roles. Only the role names are
+returned, not any values.
+
+| Method | Path         |
+| :----- | :----------- |
+| `LIST` | `/ssh/roles` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/ssh/roles
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["dev", "prod"],
+    "key_info": {
+      "dev": {
+        "key_type": "ca"
+      },
+      "prod": {
+        "key_type": "dynamic"
+      }
+    }
+  },
+  "lease_duration": 2764800,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Delete Role
+
+This endpoint deletes a named role.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/ssh/roles/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to delete. This
+  is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/roles/my-role
+```
+
+## List Zero-Address Roles
+
+This endpoint returns the list of configured zero-address roles.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/ssh/config/zeroaddress` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/ssh/config/zeroaddress
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "roles": ["otp_key_role"]
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Configure Zero-Address Roles
+
+This endpoint configures zero-address roles.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `POST` | `/ssh/config/zeroaddress` |
+
+### Parameters
+
+- `roles` `(string: <required>)` – Specifies a string containing comma separated
+  list of role names which allows credentials to be requested for any IP
+  address. CIDR blocks previously registered under these roles will be ignored.
+
+### Sample Payload
+
+```json
+{
+  "roles": ["otp_key_role"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/config/zeroaddress
+```
+
+## Delete Zero-Address Role
+
+This endpoint deletes the zero-address roles configuration.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/ssh/config/zeroaddress` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/ssh/config/zeroaddress
+```
+
+## Generate SSH Credentials
+
+This endpoint creates credentials for a specific username and IP with the
+parameters defined in the given role.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/ssh/creds/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to create
+  credentials against. This is part of the request URL.
+
+- `username` `(string: "")` – Specifies the username on the remote host.
+
+- `ip` `(string: <required>)` – Specifies the IP of the remote host.
+
+### Sample Payload
+
+```json
+{
+  "ip": "1.2.3.4"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/creds/my-role
+```
+
+### Sample Response
+
+For a dynamic key role:
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "admin_user": "rajanadar",
+    "allowed_users": "",
+    "cidr_list": "x.x.x.x/y",
+    "default_user": "rajanadar",
+    "exclude_cidr_list": "x.x.x.x/y",
+    "install_script": "pretty_large_script",
+    "key": "5d9ee6a1-c787-47a9-9738-da243f4f69bf",
+    "key_bits": 1024,
+    "key_option_specs": "",
+    "key_type": "dynamic",
+    "port": 22
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+For an OTP role:
+
+```json
+{
+  "lease_id": "sshs/creds/c3c2e60c-5a48-415a-9d5a-a41e0e6cdec5/3ee6ad28-383f-d482-2427-70498eba4d96",
+  "renewable": false,
+  "lease_duration": 2764800,
+  "data": {
+    "ip": "127.0.0.1",
+    "key": "6d6411fd-f622-ea0a-7e2c-989a745cbbb2",
+    "key_type": "otp",
+    "port": 22,
+    "username": "rajanadar"
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+## List Roles by IP
+
+This endpoint lists all of the roles with which the given IP is associated.
+
+| Method | Path          |
+| :----- | :------------ |
+| `POST` | `/ssh/lookup` |
+
+### Parameters
+
+- `ip` `(string: <required>)` – Specifies the IP of the remote host.
+
+### Sample Payload
+
+```json
+{
+  "ip": "1.2.3.4"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/lookup
+```
+
+### Sample Response
+
+An array of roles as a secret structure.
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "roles": [
+      "fe6f61b7-7e4a-46a6-b2c8-0d530b8513df",
+      "6d6411fd-f622-ea0a-7e2c-989a745cbbb2"
+    ]
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Verify SSH OTP
+
+This endpoint verifies if the given OTP is valid. This is an unauthenticated
+endpoint.
+
+| Method | Path          |
+| :----- | :------------ |
+| `POST` | `/ssh/verify` |
+
+## Parameters
+
+- `otp` `(string: <required>)` – Specifies the One-Time-Key that needs to be
+  validated.
+
+### Sample Payload
+
+```json
+{
+  "otp": "bad2b3-..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/verify
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "ip": "127.0.0.1",
+    "username": "rajanadar"
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Submit CA Information
+
+This endpoint allows submitting the CA information for the secrets engine via an SSH
+key pair. _If you have already set a certificate and key, they will be
+overridden._
+
+| Method | Path             |
+| :----- | :--------------- |
+| `POST` | `/ssh/config/ca` | `200/204 application/json` |
+
+### Parameters
+
+- `private_key` `(string: "")` – Specifies the private key part the SSH CA key
+  pair; required if `generate_signing_key` is false.
+
+- `public_key` `(string: "")` – Specifies the public key part of the SSH CA key
+  pair; required if `generate_signing_key` is false.
+
+- `generate_signing_key` `(bool: true)` – Specifies if Vault should generate
+  the signing key pair internally. The generated public key will be returned so
+  you can add it to your configuration.
+
+### Sample Payload
+
+```json
+{
+  "generate_signing_key": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/config/ca
+```
+
+### Sample Response
+
+This will return a `204` response if `generate_signing_key` was unset or false.
+
+This will return a `200` response if `generate_signing_key` was true:
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "public_key": "ssh-rsa AAAAHHNzaC1y...\n"
+  },
+  "warnings": null
+}
+```
+
+## Delete CA Information
+
+This endpoint deletes the CA information for the backend via an SSH key pair.
+
+| Method   | Path             |
+| :------- | :--------------- |
+| `DELETE` | `/ssh/config/ca` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/ssh/config/ca
+```
+
+## Read Public Key (Unauthenticated)
+
+This endpoint returns the configured/generated public key. This is an unauthenticated
+endpoint.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/ssh/public_key` | `200 text/plain` |
+
+### Sample Request
+
+```
+$ curl http://127.0.0.1:8200/v1/ssh/public_key
+```
+
+### Sample Response
+
+```text
+    ssh-rsa AAAAHHNzaC1y...
+```
+
+## Read Public Key (Authenticated)
+
+This endpoint reads the configured/generated public key.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `GET`  | `/ssh/config/ca` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/ssh/config/ca
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "public_key": "ssh-rsa AAAAHHNzaC1y...\n"
+  },
+  "warnings": null
+}
+```
+
+## Sign SSH Key
+
+This endpoint signs an SSH public key based on the supplied parameters, subject
+to the restrictions contained in the role named in the endpoint.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/ssh/sign/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to sign. This
+  is part of the request URL.
+
+- `public_key` `(string: <required>)` – Specifies the SSH public key that should
+  be signed.
+
+- `ttl` `(string: "")` – Specifies the Requested Time To Live. Cannot be greater
+  than the role's `max_ttl` value. If not provided, the role's `ttl` value will
+  be used. Note that the role values default to system values if not explicitly
+  set.
+
+- `valid_principals` `(string: "")` – Specifies valid principals, either
+  usernames or hostnames, that the certificate should be signed for.
+
+- `cert_type` `(string: "user")` – Specifies the type of certificate to be
+  created; either "user" or "host".
+
+- `key_id` `(string: "")` – Specifies the key id that the created certificate
+  should have. If not specified, the display name of the token will be used.
+
+- `critical_options` `(map<string|string>: "")` – Specifies a map of the
+  critical options that the certificate should be signed for. Defaults to none.
+
+- `extension` `(map<string|string>: "")` – Specifies a map of the extensions
+  that the certificate should be signed for. Defaults to none.
+
+### Sample Payload
+
+```json
+{
+  "public_key": "ssh-rsa ..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/ssh/sign/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "ssh/sign/example/097bf207-96dd-0041-0e83-b23bd1923993",
+  "renewable": false,
+  "lease_duration": 21600,
+  "data": {
+    "serial_number": "f65ed2fd21443d5c",
+    "signed_key": "ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...\n"
+  },
+  "auth": null
+}
+```
diff --git a/website/pages/api-docs/secret/totp/index.mdx b/website/pages/api-docs/secret/totp/index.mdx
new file mode 100644
index 000000000000..caf1759c23cc
--- /dev/null
+++ b/website/pages/api-docs/secret/totp/index.mdx
@@ -0,0 +1,270 @@
+---
+layout: api
+page_title: TOTP - Secrets Engines - HTTP API
+sidebar_title: TOTP
+description: This is the API documentation for the Vault TOTP secrets engine.
+---
+
+# TOTP Secrets Engine (API)
+
+This is the API documentation for the Vault TOTP secrets engine. For general
+information about the usage and operation of the TOTP secrets engine, please see
+the [TOTP documentation](/docs/secrets/totp/index.html).
+
+This documentation assumes the TOTP secrets engine is enabled at the `/totp`
+path in Vault. Since it is possible to enable secrets engines at any location,
+please update your API calls accordingly.
+
+## Create Key
+
+This endpoint creates or updates a key definition.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/totp/keys/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the key to create. This is specified as part of the URL.
+
+- `generate` `(bool: false)` – Specifies if a key should be generated by Vault or if a key is being passed from another service.
+
+- `exported` `(bool: true)` – Specifies if a QR code and url are returned upon generating a key. Only used if generate is true.
+
+- `key_size` `(int: 20)` – Specifies the size in bytes of the Vault generated key. Only used if generate is true.
+
+- `url` `(string: "")` – Specifies the TOTP key url string that can be used to configure a key. Only used if generate is false.
+
+- `key` `(string: <required - if generate is false and url is empty>)` – Specifies the master key used to generate a TOTP code. Only used if generate is false.
+
+- `issuer` `(string: "" <required - if generate is true>)` – Specifies the name of the key’s issuing organization.
+
+- `account_name` `(string: "" <required - if generate is true>)` – Specifies the name of the account associated with the key.
+
+- `period` `(int or duration format string: 30)` – Specifies the length of time in seconds used to generate a counter for the TOTP code calculation.
+
+- `algorithm` `(string: "SHA1")` – Specifies the hashing algorithm used to generate the TOTP code. Options include "SHA1", "SHA256" and "SHA512".
+
+- `digits` `(int: 6)` – Specifies the number of digits in the generated TOTP code. This value can be set to 6 or 8.
+
+- `skew` `(int: 1)` – Specifies the number of delay periods that are allowed when validating a TOTP code. This value can be either 0 or 1. Only used if generate is true.
+
+- `qr_size` `(int: 200)` – Specifies the pixel size of the square QR code when generating a new key. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.
+
+### Sample Payload
+
+```json
+{
+  "url": "otpauth://totp/Google:test@gmail.com?secret=Y64VEVMBTSXCYIWRSHRNDZW62MPGVU2G&issuer=Google"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/totp/keys/my-key
+```
+
+### Sample Payload
+
+```json
+{
+  "generate": true,
+  "issuer": "Google",
+  "account_name": "test@gmail.com"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/totp/keys/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "barcode": "iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BAAAGXklEQVR4nOyd4Y4iOQyEmRPv/8p7upX6BJm4XbbDbK30fT9GAtJJhpLjdhw3z1+/HmDEP396AvDO878/X1+9i1frWvu5Po/6Xz+P2kft1nFVa1f7z+YdjT/5PrEQMxDEDAQx4/n6orsGr6z9ZP1mviMbP/MBav/R6/U61Ud0vk8sxAwEMQNBzHju3lTvv6P2ajwS9Ve9zz+9pkfjRp+r/SjzwULMQBAzEMSMrQ/pUo0bouun7dW9LXVvrBq/TMBCzEAQMxDEjKM+JFqT17W4mu9Y+49eq/OL3r/GVX3CJ7KtWIgZCGIGgpix9SHTtXGa4476qfoa1adVc+HV/6/yfWIhZiCIGQhixpsP6Z4nulD3lqavV7q+Yvo6G7/zfWIhZiCIGQhixteJ/Rh1Da3e71d9RjRul2ocdeK7xELMQBAzEMSM3z6ku6dTrdOo1l9M6y5O7clVx5n4SCzEDAQxA0HMuN3L+qlavqj9itpePY+VtVdrHqfzeQULMQNBzEAQM97ikAv1vr/brltTeCp/svarcjLe2F1PnbohCGIGgphRqjG8mJ6PmtYMVnP363Vqv6d8qZrzf2AhfiCIGQhixm0c8n+jQ8+7+jZ4cY3PrlfHO/1Ml+45st18sRAzEMQMBDHjdxyixgPqs0lWsvvwqH00zrSO41R80p3XXXssxAwEMQNBzJCeuaieo6pedzGtb1/76fqgLH6ofg+dZ65gIWYgiBkIYsbbs9/V+/EVde1V+62eh1I/r/qIrs+Ixo2uYy/LGAQxA0HMeNvLilDX1OraXc2jVNtPzxJXr6v+HzuwEDMQxAwEMWNbp95d21WmzzBR6066e07dPMq0XoW9LEMQxAwEMUOqUz+1p9ONd07Xz586u6yifp/4EEMQxAwEMUPay7rIcthqTrx6v1/NTX+qZrIbF63v34GFmIEgZiCIGdvfU++e1a3GM2oOPjtvpfbfjS+qeZFJXgcLMQNBzEAQM6Tn9p7OLVdrFqP5TFF9ZXTdqfqTV7AQMxDEDAQx482HdPMPGdN8SjeHr6710zzJidrCB/kQTxDEDAQxY7uXdTGNC9S9pK6vqs6nWzdyej53PhELMQNBzEAQM0o59YtTz/xQfVO3jmOdl0rmE6f5ort5YSFmIIgZCGLGbU69eka3ep+v5sCzcbp5jZXMR0zr+aPPqVM3BkHMQBAzRs/tjejmwj9d05ihzq96nQr5EEMQxAwEMWPrQy6q9/fdevFTcVA0v+n5K7U/tf4lGhcfYgiCmIEgZtw+6+RCXUurvkKlepZ2vS5i+oyTaby0GxcLMQNBzEAQM0r5kKnv6K6xK9X4R13zu+eyJnXpazssxAwEMQNBzNj+fkg3nqjGK9laPz1vleXwq2v+p+vciUMMQRAzEMSM298xrOYDVqrtpmtzt59uHqc6v2zcBxbiB4KYgSBmbOvUV7q577VdOIliXqLr87p7Tere2YnrsRAzEMQMBDFj+zuGar3Gp+rNp3kUtR5lmj/Jxo/GvZsvFmIGgpiBIGbcPi/rW+MPPaeqOs407xL1E1E9lzWpg8FCzEAQMxDEDOk3qC66a7f6fsSn1uz18+o8P+GzsBAzEMQMBDFjm1Ov7L3s3p+2/6lcfoa6ZxaNm50DWyEOMQRBzEAQM7Zne6PX3XilW5M3zbd0c/3ZHpvqY6P+7j7HQsxAEDMQxIxRPqRaT6Kuzemkh7WJ3RrJbJxq7eOuPyzEDAQxA0HMKJ3t/XbxobW/Gmdka/PpPMxPgoWYgSBmIIgZ0m9QrXTP1mb9Ru2y+/hsD2xaM9jN5UfjEIf8RSCIGQhiRus3qLp7ONU6jK4vynxMdn10XdY+m4/SHxZiBoKYgSBm3MYhGdl9/qkzvN18ilpDqF6nxiPVGs3Xz7EQMxDEDAQx4/ZcVoR6fqobZ6h7Vtm81TVejZdWuvHNXXssxAwEMQNBzHju3pyujdO68Ky9Wm+h9qPGJVG/6nyU+WIhZiCIGQhixtaHdFF9hlqLeOrcVPcMQDeOmtTNYyFmIIgZCGLGUR/SPQs73QuL5tGtiVznlc1X/T8iXtthIWYgiBkIYsbWh3T3nNS1dXqe6tReW8S0Hr1b5/LAQvxAEDMQxIw3H9I9nzU9R6XGHdn41dx4d4+rGp9En7OX9ReAIGYgiBlff6IWG2KwEDP+DQAA//+TDHXGhqE4+AAAAABJRU5ErkJggg==",
+    "url": "otpauth://totp/Google:test@gmail.com?algorithm=SHA1&digits=6&issuer=Google&period=30&secret=HTXT7KJFVNAJUPYWQRWMNVQE5AF5YZI2"
+  }
+}
+```
+
+If a QR code is returned, it consists of base64-formatted PNG bytes. You can embed it in a web page by including the base64 string in an `img` tag with the prefix `data:image/png;base64`
+
+```
+<img src="data:image/png;base64,iVBORw0KGgoAAAANSUh.." />
+```
+
+## Read Key
+
+This endpoint queries the key definition.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/totp/keys/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the key to read. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/totp/keys/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "account_name": "test@gmail.com",
+    "algorithm": "SHA1",
+    "digits": 6,
+    "issuer": "Google",
+    "period": 30
+  }
+}
+```
+
+## List Keys
+
+This endpoint returns a list of available keys. Only the key names are
+returned, not any values.
+
+| Method | Path         |
+| :----- | :----------- |
+| `LIST` | `/totp/keys` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/totp/keys
+```
+
+### Sample Response
+
+```json
+{
+  "auth": null,
+  "data": {
+    "keys": ["my-key"]
+  },
+  "lease_duration": 0,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Delete Key
+
+This endpoint deletes the key definition.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/totp/keys/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the key to delete. This
+  is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/totp/keys/my-key
+```
+
+## Generate Code
+
+This endpoint generates a new time-based one-time use password based on the named
+key.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/totp/code/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the key to create
+  credentials against. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/totp/code/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "code": "810920"
+  }
+}
+```
+
+## Validate Code
+
+This endpoint validates a time-based one-time use password generated from the named
+key.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/totp/code/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the key used to generate the password. This is specified as part of the URL.
+
+- `code` `(string: <required>)` – Specifies the password you want to validate.
+
+### Sample Payload
+
+```json
+{
+  "code": "123802"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/totp/code/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "valid": true
+  }
+}
+```
diff --git a/website/pages/api-docs/secret/transit/index.mdx b/website/pages/api-docs/secret/transit/index.mdx
new file mode 100644
index 000000000000..c8fe2cb861e5
--- /dev/null
+++ b/website/pages/api-docs/secret/transit/index.mdx
@@ -0,0 +1,1331 @@
+---
+layout: api
+page_title: Transit - Secrets Engines - HTTP API
+sidebar_title: Transit
+description: This is the API documentation for the Vault Transit secrets engine.
+---
+
+# Transit Secrets Engine (API)
+
+This is the API documentation for the Vault Transit secrets engine. For general
+information about the usage and operation of the Transit secrets engine, please
+see the [transit documentation](/docs/secrets/transit/index.html).
+
+This documentation assumes the transit secrets engine is enabled at the
+`/transit` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
+
+## Create Key
+
+This endpoint creates a new named encryption key of the specified type. The
+values set here cannot be changed after key creation.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `POST` | `/transit/keys/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  create. This is specified as part of the URL.
+
+- `convergent_encryption` `(bool: false)` – If enabled, the key will support
+  convergent encryption, where the same plaintext creates the same ciphertext.
+  This requires _derived_ to be set to `true`. When enabled, each
+  encryption(/decryption/rewrap/datakey) operation will derive a `nonce` value
+  rather than randomly generate it.
+
+- `derived` `(bool: false)` – Specifies if key derivation is to be used. If
+  enabled, all encrypt/decrypt requests to this named key must provide a context
+  which is used for key derivation.
+
+- `exportable` `(bool: false)` - Enables keys to be exportable. This
+  allows for all the valid keys in the key ring to be exported. Once set, this
+  cannot be disabled.
+
+- `allow_plaintext_backup` `(bool: false)` - If set, enables taking backup of
+  named key in the plaintext format. Once set, this cannot be disabled.
+
+- `type` `(string: "aes256-gcm96")` – Specifies the type of key to create. The
+  currently-supported types are:
+
+  - `aes128-gcm96` – AES-128 wrapped with GCM using a 96-bit nonce size AEAD
+    (symmetric, supports derivation and convergent encryption)
+  - `aes256-gcm96` – AES-256 wrapped with GCM using a 96-bit nonce size AEAD
+    (symmetric, supports derivation and convergent encryption, default)
+  - `chacha20-poly1305` – ChaCha20-Poly1305 AEAD (symmetric, supports
+    derivation and convergent encryption)
+  - `ed25519` – ED25519 (asymmetric, supports derivation). When using
+    derivation, a sign operation with the same context will derive the same
+    key and signature; this is a signing analogue to `convergent_encryption`.
+  - `ecdsa-p256` – ECDSA using the P-256 elliptic curve (asymmetric)
+  - `ecdsa-p384` – ECDSA using the P-384 elliptic curve (asymmetric)
+  - `ecdsa-p521` – ECDSA using the P-521 elliptic curve (asymmetric)
+  - `rsa-2048` - RSA with bit size of 2048 (asymmetric)
+  - `rsa-4096` - RSA with bit size of 4096 (asymmetric)
+
+### Sample Payload
+
+```json
+{
+  "type": "ed25519",
+  "derived": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/keys/my-key
+```
+
+## Read Key
+
+This endpoint returns information about a named encryption key. The `keys`
+object shows the creation time of each key version; the values are not the keys
+themselves. Depending on the type of key, different information may be returned,
+e.g. an asymmetric key will return its public key in a standard format for the
+type.
+
+| Method | Path                  |
+| :----- | :-------------------- |
+| `GET`  | `/transit/keys/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  read. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/transit/keys/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "type": "aes256-gcm96",
+    "deletion_allowed": false,
+    "derived": false,
+    "exportable": false,
+    "allow_plaintext_backup": false,
+    "keys": {
+      "1": 1442851412
+    },
+    "min_decryption_version": 1,
+    "min_encryption_version": 0,
+    "name": "foo",
+    "supports_encryption": true,
+    "supports_decryption": true,
+    "supports_derivation": true,
+    "supports_signing": false
+  }
+}
+```
+
+## List Keys
+
+This endpoint returns a list of keys. Only the key names are returned (not the
+actual keys themselves).
+
+| Method | Path            |
+| :----- | :-------------- |
+| `LIST` | `/transit/keys` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/transit/keys
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["foo", "bar"]
+  },
+  "lease_duration": 0,
+  "lease_id": "",
+  "renewable": false
+}
+```
+
+## Delete Key
+
+This endpoint deletes a named encryption key. It will no longer be possible to
+decrypt any data encrypted with the named key. Because this is a potentially
+catastrophic operation, the `deletion_allowed` tunable must be set in the key's
+`/config` endpoint.
+
+| Method   | Path                  |
+| :------- | :-------------------- |
+| `DELETE` | `/transit/keys/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  delete. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/transit/keys/my-key
+```
+
+## Update Key Configuration
+
+This endpoint allows tuning configuration values for a given key. (These values
+are returned during a read operation on the named key.)
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/transit/keys/:name/config` |
+
+### Parameters
+
+- `min_decryption_version` `(int: 0)` – Specifies the minimum version of
+  ciphertext allowed to be decrypted. Adjusting this as part of a key rotation
+  policy can prevent old copies of ciphertext from being decrypted, should they
+  fall into the wrong hands. For signatures, this value controls the minimum
+  version of signature that can be verified against. For HMACs, this controls
+  the minimum version of a key allowed to be used as the key for verification.
+
+- `min_encryption_version` `(int: 0)` – Specifies the minimum version of the
+  key that can be used to encrypt plaintext, sign payloads, or generate HMACs.
+  Must be `0` (which will use the latest version) or a value greater or equal
+  to `min_decryption_version`.
+
+- `deletion_allowed` `(bool: false)` - Specifies if the key is allowed to be
+  deleted.
+
+- `exportable` `(bool: false)` - Enables keys to be exportable. This
+  allows for all the valid keys in the key ring to be exported. Once set, this
+  cannot be disabled.
+
+- `allow_plaintext_backup` `(bool: false)` - If set, enables taking backup of
+  named key in the plaintext format. Once set, this cannot be disabled.
+
+### Sample Payload
+
+```json
+{
+  "deletion_allowed": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/keys/my-key/config
+```
+
+## Rotate Key
+
+This endpoint rotates the version of the named key. After rotation, new
+plaintext requests will be encrypted with the new version of the key. To upgrade
+ciphertext to be encrypted with the latest version of the key, use the `rewrap`
+endpoint. This is only supported with keys that support encryption and
+decryption operations.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/transit/keys/:name/rotate` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/transit/keys/my-key/rotate
+```
+
+## Export Key
+
+This endpoint returns the named key. The `keys` object shows the value of the
+key for each version. If `version` is specified, the specific version will be
+returned. If `latest` is provided as the version, the current key will be
+provided. Depending on the type of key, different information may be returned.
+The key must be exportable to support this operation and the version must still
+be valid.
+
+| Method | Path                                         |
+| :----- | :------------------------------------------- |
+| `GET`  | `/transit/export/:key_type/:name(/:version)` |
+
+### Parameters
+
+- `key_type` `(string: <required>)` – Specifies the type of the key to export.
+  This is specified as part of the URL. Valid values are:
+
+  - `encryption-key`
+  - `signing-key`
+  - `hmac-key`
+
+- `name` `(string: <required>)` – Specifies the name of the key to read
+  information about. This is specified as part of the URL.
+
+- `version` `(string: "")` – Specifies the version of the key to read. If omitted,
+  all versions of the key will be returned. This is specified as part of the
+  URL. If the version is set to `latest`, the current key will be returned.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/transit/export/encryption-key/my-key/1
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "name": "foo",
+    "keys": {
+      "1": "eyXYGHbTmugUJn6EtYD/yVEoF6pCxm4R/cMEutUm3MY=",
+      "2": "Euzymqx6iXjS3/NuGKDCiM2Ev6wdhnU+rBiKnJ7YpHE="
+    }
+  }
+}
+```
+
+## Encrypt Data
+
+This endpoint encrypts the provided plaintext using the named key. This path
+supports the `create` and `update` policy capabilities as follows: if the user
+has the `create` capability for this endpoint in their policies, and the key
+does not exist, it will be upserted with default values (whether the key
+requires derivation depends on whether the context parameter is empty or not).
+If the user only has `update` capability and the key does not exist, an error
+will be returned.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/transit/encrypt/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  encrypt against. This is specified as part of the URL.
+
+- `plaintext` `(string: <required>)` – Specifies **base64 encoded** plaintext to
+  be encoded.
+
+- `context` `(string: "")` – Specifies the **base64 encoded** context for key
+  derivation. This is required if key derivation is enabled for this key.
+
+- `key_version` `(int: 0)` – Specifies the version of the key to use for
+  encryption. If not set, uses the latest version. Must be greater than or
+  equal to the key's `min_encryption_version`, if set.
+
+- `nonce` `(string: "")` – Specifies the **base64 encoded** nonce value. This
+  must be provided if convergent encryption is enabled for this key and the key
+  was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The
+  value must be exactly 96 bits (12 bytes) long and the user must ensure that
+  for any given context (and thus, any given encryption key) this nonce value is
+  **never reused**.
+
+- `batch_input` `(array<object>: nil)` – Specifies a list of items to be
+  encrypted in a single batch. When this parameter is set, if the parameters
+  'plaintext', 'context' and 'nonce' are also set, they will be ignored. The
+  format for the input is:
+
+  ```json
+  [
+    {
+      "context": "c2FtcGxlY29udGV4dA==",
+      "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
+    },
+    {
+      "context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
+      "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
+    }
+  ]
+  ```
+
+- `type` `(string: "aes256-gcm96")` –This parameter is required when encryption
+  key is expected to be created. When performing an upsert operation, the type
+  of key to create.
+
+- `convergent_encryption` `(string: "")` – This parameter will only be used when
+  a key is expected to be created. Whether to support convergent encryption.
+  This is only supported when using a key with key derivation enabled and will
+  require all requests to carry both a context and 96-bit (12-byte) nonce. The
+  given nonce will be used in place of a randomly generated nonce. As a result,
+  when the same context and nonce are supplied, the same ciphertext is
+  generated. It is _very important_ when using this mode that you ensure that
+  all nonces are unique for a given context. Failing to do so will severely
+  impact the ciphertext's security.
+
+**NOTE:** All plaintext data **must be base64-encoded**. The reason for this
+requirement is that Vault does not require that the plaintext is "text". It
+could be a binary file such as a PDF or image. The easiest safe transport
+mechanism for this data as part of a JSON payload is to base64-encode it.
+
+### Sample Payload
+
+Fist, encode the plaintext with base64:
+
+```sh
+$ base64 <<< "the quick brown fox"
+dGhlIHF1aWNrIGJyb3duIGZveAo=
+```
+
+Use the base64-encoded plaintext in the payload:
+
+```json
+{
+  "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo="
+}
+```
+
+!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial
+of service attack. This can be tuned per [`listener`
+block](/docs/configuration/listener/tcp.html) in the Vault server
+configuration.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/encrypt/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
+  }
+}
+```
+
+## Decrypt Data
+
+This endpoint decrypts the provided ciphertext using the named key.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/transit/decrypt/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  decrypt against. This is specified as part of the URL.
+
+- `ciphertext` `(string: <required>)` – Specifies the ciphertext to decrypt.
+
+- `context` `(string: "")` – Specifies the **base64 encoded** context for key
+  derivation. This is required if key derivation is enabled.
+
+- `nonce` `(string: "")` – Specifies a base64 encoded nonce value used during
+  encryption. Must be provided if convergent encryption is enabled for this key
+  and the key was generated with Vault 0.6.1. Not required for keys created in
+  0.6.2+.
+
+- `batch_input` `(array<object>: nil)` – Specifies a list of items to be
+  decrypted in a single batch. When this parameter is set, if the parameters
+  'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format
+  for the input goes like this:
+
+  ```json
+  [
+    {
+      "context": "c2FtcGxlY29udGV4dA==",
+      "ciphertext": "vault:v1:/DupSiSbX/ATkGmKAmhqD0tvukByrx6gmps7dVI="
+    },
+    {
+      "context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
+      "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
+    }
+  ]
+  ```
+
+### Sample Payload
+
+```json
+{
+  "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/decrypt/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo="
+  }
+}
+```
+
+## Rewrap Data
+
+This endpoint rewraps the provided ciphertext using the latest version of the
+named key. Because this never returns plaintext, it is possible to delegate this
+functionality to untrusted users or scripts.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/transit/rewrap/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  re-encrypt against. This is specified as part of the URL.
+
+- `ciphertext` `(string: <required>)` – Specifies the ciphertext to re-encrypt.
+
+- `context` `(string: "")` – Specifies the **base64 encoded** context for key
+  derivation. This is required if key derivation is enabled.
+
+- `key_version` `(int: 0)` – Specifies the version of the key to use for the
+  operation. If not set, uses the latest version. Must be greater than or equal
+  to the key's `min_encryption_version`, if set.
+
+- `nonce` `(string: "")` – Specifies a base64 encoded nonce value used during
+  encryption. Must be provided if convergent encryption is enabled for this key
+  and the key was generated with Vault 0.6.1. Not required for keys created in
+  0.6.2+.
+
+- `batch_input` `(array<object>: nil)` – Specifies a list of items to be
+  decrypted in a single batch. When this parameter is set, if the parameters
+  'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format
+  for the input goes like this:
+
+  ```json
+  [
+    {
+      "context": "c2FtcGxlY29udGV4dA==",
+      "ciphertext": "vault:v1:/DupSiSbX/ATkGmKAmhqD0tvukByrx6gmps7dVI="
+    },
+    {
+      "context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
+      "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
+    }
+  ]
+  ```
+
+### Sample Payload
+
+```json
+{
+  "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/rewrap/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "ciphertext": "vault:v2:abcdefgh"
+  }
+}
+```
+
+## Generate Data Key
+
+This endpoint generates a new high-entropy key and the value encrypted with the
+named key. Optionally return the plaintext of the key as well. Whether plaintext
+is returned depends on the path; as a result, you can use Vault ACL policies to
+control whether a user is allowed to retrieve the plaintext value of a key. This
+is useful if you want an untrusted user or operation to generate keys that are
+then made available to trusted users.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/transit/datakey/:type/:name` |
+
+### Parameters
+
+- `type` `(string: <required>)` – Specifies the type of key to generate. If
+  `plaintext`, the plaintext key will be returned along with the ciphertext. If
+  `wrapped`, only the ciphertext value will be returned. This is specified as
+  part of the URL.
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  use to encrypt the datakey. This is specified as part of the URL.
+
+- `context` `(string: "")` – Specifies the key derivation context, provided as a
+  base64-encoded string. This must be provided if derivation is enabled.
+
+- `nonce` `(string: "")` – Specifies a nonce value, provided as base64 encoded.
+  Must be provided if convergent encryption is enabled for this key and the key
+  was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The
+  value must be exactly 96 bits (12 bytes) long and the user must ensure that
+  for any given context (and thus, any given encryption key) this nonce value is
+  **never reused**.
+
+- `bits` `(int: 256)` – Specifies the number of bits in the desired key. Can be
+  128, 256, or 512.
+
+### Sample Payload
+
+```json
+{
+  "context": "Ab3=="
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/datakey/plaintext/my-key
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo=",
+    "ciphertext": "vault:v1:abcdefgh"
+  }
+}
+```
+
+## Generate Random Bytes
+
+This endpoint returns high-quality random bytes of the specified length.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/transit/random(/:bytes)` |
+
+### Parameters
+
+- `bytes` `(int: 32)` – Specifies the number of bytes to return. This value can
+  be specified either in the request body, or as a part of the URL.
+
+- `format` `(string: "base64")` – Specifies the output encoding. Valid options
+  are `hex` or `base64`.
+
+### Sample Payload
+
+```json
+{
+  "format": "hex"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/random/164
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "random_bytes": "dGhlIHF1aWNrIGJyb3duIGZveAo="
+  }
+}
+```
+
+## Hash Data
+
+This endpoint returns the cryptographic hash of given data using the specified
+algorithm.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/transit/hash(/:algorithm)` |
+
+### Parameters
+
+- `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
+  can also be specified as part of the URL. Currently-supported algorithms are:
+
+  - `sha2-224`
+  - `sha2-256`
+  - `sha2-384`
+  - `sha2-512`
+
+- `input` `(string: <required>)` – Specifies the **base64 encoded** input data.
+
+- `format` `(string: "hex")` – Specifies the output encoding. This can be either
+  `hex` or `base64`.
+
+### Sample Payload
+
+```json
+{
+  "input": "adba32=="
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/hash/sha2-512
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "sum": "dGhlIHF1aWNrIGJyb3duIGZveAo="
+  }
+}
+```
+
+## Generate HMAC
+
+This endpoint returns the digest of given data using the specified hash
+algorithm and the named key. The key can be of any type supported by `transit`;
+the raw key will be marshaled into bytes to be used for the HMAC function. If
+the key is of a type that supports rotation, the latest (current) version will
+be used.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `POST` | `/transit/hmac/:name(/:algorithm)` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  generate hmac against. This is specified as part of the URL.
+
+- `key_version` `(int: 0)` – Specifies the version of the key to use for the
+  operation. If not set, uses the latest version. Must be greater than or equal
+  to the key's `min_encryption_version`, if set.
+
+- `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
+  can also be specified as part of the URL. Currently-supported algorithms are:
+
+  - `sha2-224`
+  - `sha2-256`
+  - `sha2-384`
+  - `sha2-512`
+
+- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
+  `input` or `batch_input` must be supplied.
+
+- `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
+  When this parameter is set, if the parameter 'input' is also set, it will be
+  ignored. Responses are returned in the 'batch_results' array component of the
+  'data' element of the response. If the input data value of an item is invalid, the
+  corresponding item in the 'batch_results' will have the key 'error' with a value
+  describing the error. The format for batch_input is:
+
+  ```json
+  {
+    "batch_input": [
+      {
+        "input": "adba32=="
+      },
+      {
+        "input": "aGVsbG8gd29ybGQuCg=="
+      }
+    ]
+  }
+  ```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/hmac/my-key/sha2-512
+```
+
+### Sample Payload
+
+```json
+{
+  "input": "adba32=="
+}
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "hmac": "dGhlIHF1aWNrIGJyb3duIGZveAo="
+  }
+}
+```
+
+### Sample Payload with batch_input
+
+```json
+{
+  "batch_input": [
+    {
+      "input": "adba32=="
+    },
+    {
+      "input": "adba32=="
+    },
+    {},
+    {
+      "input": ""
+    }
+  ]
+}
+```
+
+### Sample Response for batch_input
+
+```json
+{
+  "data": {
+    "batch_results": [
+      {
+        "hmac": "vault:v1:1jFhRYWHiddSKgEFyVRpX8ieX7UU+748NBwHKecXE3hnGBoAxrfgoD5U0yAvji7b5X6V1fP"
+      },
+      {
+        "hmac": "vault:v1:1jFhRYWHiddSKgEFyVRpX8ieX7UU+748NBwHKecXE3hnGBoAxrfgoD5U0yAvji7b5X6V1fP"
+      },
+      {
+        "error": "missing input for HMAC"
+      },
+      {
+        "hmac": "vault:v1:/wsSP6iQ9ECO9RRkefKLXey9sDntzSjoiW0vBrWfUsYB0ISroyC6plUt/jN7gcOv9O+Ecow"
+      }
+    ]
+  }
+}
+```
+
+## Sign Data
+
+This endpoint returns the cryptographic signature of the given data using the
+named key and the specified hash algorithm. The key must be of a type that
+supports signing.
+
+| Method | Path                                    |
+| :----- | :-------------------------------------- |
+| `POST` | `/transit/sign/:name(/:hash_algorithm)` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key to
+  use for signing. This is specified as part of the URL.
+
+- `key_version` `(int: 0)` – Specifies the version of the key to use for
+  signing. If not set, uses the latest version. Must be greater than or equal
+  to the key's `min_encryption_version`, if set.
+
+- `hash_algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use for
+  supporting key types (notably, not including `ed25519` which specifies its
+  own hash algorithm). This can also be specified as part of the URL.
+  Currently-supported algorithms are:
+
+  - `sha1`
+  - `sha2-224`
+  - `sha2-256`
+  - `sha2-384`
+  - `sha2-512`
+
+- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
+  `input` or `batch_input` must be supplied.
+
+- `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
+  When this parameter is set, any supplied 'input' or 'context' parameters will be
+  ignored. Responses are returned in the 'batch_results' array component of the
+  'data' element of the response. If the input data value of an item is invalid, the
+  corresponding item in the 'batch_results' will have the key 'error' with a value
+  describing the error. The format for batch_input is:
+
+  ```json
+  {
+    "batch_input": [
+      {
+        "input": "adba32==",
+        "context": "abcd"
+      },
+      {
+        "input": "aGVsbG8gd29ybGQuCg==",
+        "context": "efgh"
+      }
+    ]
+  }
+  ```
+
+- `context` `(string: "")` - Base64 encoded context for key derivation.
+  Required if key derivation is enabled; currently only available with ed25519
+  keys.
+
+- `prehashed` `(bool: false)` - Set to `true` when the input is already hashed.
+  If the key type is `rsa-2048` or `rsa-4096`, then the algorithm used to hash
+  the input should be indicated by the `hash_algorithm` parameter. Just as the
+  value to sign should be the base64-encoded representation of the exact binary
+  data you want signed, when set, `input` is expected to be base64-encoded
+  binary hashed data, not hex-formatted. (As an example, on the command line,
+  you could generate a suitable input via `openssl dgst -sha256 -binary | base64`.)
+
+- `signature_algorithm` `(string: "pss")` – When using a RSA key, specifies the RSA
+  signature algorithm to use for signing. Supported signature types are:
+
+  - `pss`
+  - `pkcs1v15`
+
+- `marshaling_algorithm` `(string: "asn1")` – Specifies the way in which the signature should be marshaled. This currently only applies to ECDSA keys. Supported types are:
+
+  - `asn1`: The default, used by OpenSSL and X.509
+  - `jws`: The version used by JWS (and thus for JWTs). Selecting this will
+    also change the output encoding to URL-safe Base64 encoding instead of
+    standard Base64-encoding.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/sign/my-key/sha2-512
+```
+
+### Sample Payload
+
+```json
+{
+  "input": "adba32=="
+}
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "signature": "vault:v1:MEUCIQCyb869d7KWuA0hBM9b5NJrmWzMW3/pT+0XYCM9VmGR+QIgWWF6ufi4OS2xo1eS2V5IeJQfsi59qeMWtgX0LipxEHI="
+  }
+}
+```
+
+### Sample Payload with batch_input
+
+Given an ed25519 key with derived keys set, the context parameter is expected for each batch_input item, and
+the response will include the derived public key for each item.
+
+```
+{
+  "batch_input": [
+    {
+      "input": "adba32==",
+      "context": "efgh"
+    },
+    {
+      "input": "adba32==",
+      "context": "abcd"
+    },
+    {}
+  ]
+}
+```
+
+### Sample Response for batch_input
+
+```
+{
+  "data": {
+    "batch_results": [
+      {
+        "signature": "vault:v1:+R3cxAy6j4KriYzAyExU6p1glnyT/eLDSaUZO7gr8a8kgi/zSynNbOBSDJcGaAfLD1OF2hGupYBYTjmZMNoVAA==",
+        "publickey": "2fQIaaem7+EhSGs3jUebAS/8qP2+sUrmxOmgqZIZc0c="
+      },
+      {
+        "signature": "vault:v1:3hBwA88lnuAVJqb5rCCEstzKYaBTeSdejk356BTCE/nKwySOhzQH3mWCvJZwbRptNGa7ia5ykosYYdJz+aIKDA==",
+        "publickey": "goDXuePo7L9z6HOw+a54O4HeV189BLECK9nAUudwp4Y="
+      },
+      {
+        "error": "missing input"
+      }
+    ]
+  },
+}
+```
+
+## Verify Signed Data
+
+This endpoint returns whether the provided signature is valid for the given
+data.
+
+| Method | Path                                      |
+| :----- | :---------------------------------------- |
+| `POST` | `/transit/verify/:name(/:hash_algorithm)` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the encryption key that
+  was used to generate the signature or HMAC.
+
+- `hash_algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
+  can also be specified as part of the URL. Currently-supported algorithms are:
+
+  - `sha1`
+  - `sha2-224`
+  - `sha2-256`
+  - `sha2-384`
+  - `sha2-512`
+
+- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
+  `input` or `batch_input` must be supplied.
+
+- `signature` `(string: "")` – Specifies the signature output from the
+  `/transit/sign` function. Either this must be supplied or `hmac` must be
+  supplied.
+
+- `hmac` `(string: "")` – Specifies the signature output from the
+  `/transit/hmac` function. Either this must be supplied or `signature` must be
+  supplied.
+
+- `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
+  When this parameter is set, any supplied 'input', 'hmac' or 'signature' parameters
+  will be ignored. 'batch_input' items should contain an 'input' parameter and
+  either an 'hmac' or 'signature' parameter. All items in the batch must consistently
+  supply either 'hmac' or 'signature' parameters. It is an error for some items to
+  supply 'hmac' while others supply 'signature'. Responses are returned in the
+  'batch_results' array component of the 'data' element of the response. If the
+  input data value of an item is invalid, the corresponding item in the 'batch_results'
+  will have the key 'error' with a value describing the error. The format for batch_input is:
+
+  ```json
+  {
+    "batch_input": [
+      {
+        "input": "adba32==",
+        "hmac": "vault:v1:1jFhRYWHiddSKgEFyVRpX8ieX7UU+748NBwHKecXE3hnGBoAxrfgoD5U0yAvji7b5X6V1fP"
+      },
+      {
+        "input": "aGVsbG8gd29ybGQuCg==",
+        "hmac": "vault:v1:/wsSP6iQ9ECO9RRkefKLXey9sDntzSjoiW0vBrWfUsYB0ISroyC6plUt/jN7gcOv9O+Ecow"
+      }
+    ]
+  }
+  ```
+
+- `context` `(string: "")` - Base64 encoded context for key derivation.
+  Required if key derivation is enabled; currently only available with ed25519
+  keys.
+
+- `prehashed` `(bool: false)` - Set to `true` when the input is already
+  hashed. If the key type is `rsa-2048` or `rsa-4096`, then the algorithm used
+  to hash the input should be indicated by the `hash_algorithm` parameter.
+
+- `signature_algorithm` `(string: "pss")` – When using a RSA key, specifies the RSA
+  signature algorithm to use for signature verification. Supported signature types
+  are:
+
+  - `pss`
+  - `pkcs1v15`
+
+- `marshaling_algorithm` `(string: "asn1")` – Specifies the way in which the signature was originally marshaled. This currently only applies to ECDSA keys. Supported types are:
+
+  - `asn1`: The default, used by OpenSSL and X.509
+  - `jws`: The version used by JWS (and thus for JWTs). Selecting this will
+    also expect the input encoding to URL-safe Base64 encoding instead of
+    standard Base64-encoding.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/verify/my-key/sha2-512
+```
+
+### Sample Payload
+
+```json
+{
+  "input": "abcd13==",
+  "signature": "vault:v1:MEUCIQCyb869d7KWuA..."
+}
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "valid": true
+  }
+}
+```
+
+### Sample Payload with batch_input
+
+```
+{
+  "batch_input": [
+    {
+      "input": "adba32==",
+      "context": "abcd",
+      "signature": "vault:v1:3hBwA88lnuAVJqb5rCCEstzKYaBTeSdejk356BTCE/nKwySOhzQH3mWCvJZwbRptNGa7ia5ykosYYdJz+aIKDA=="
+    },
+    {
+      "input": "adba32==",
+      "context": "efgh",
+      "signature": "vault:v1:3hBwA88lnuAVJqb5rCCEstzKYaBTeSdejk356BTCE/nKwySOhzQH3mWCvJZwbRptNGa7ia5ykosYYdJz+aIKDA=="
+    },
+    {
+      "input": "",
+      "context": "abcd",
+      "signature": "vault:v1:C/pxm5V1RI6kqudLdbLdj5Bpm2P38FKgvxoV69oNXphvJukRcQIqjZO793jCa2JPYPG21Y7vquDWy/Ff4Ma4AQ=="
+    }
+  ]
+}
+```
+
+### Sample Response for batch_input
+
+```
+{
+  "data": {
+    "batch_results": [
+      {
+        "valid": true
+      },
+      {
+        "valid": false
+      },
+      {
+        "valid": true
+      }
+    ]
+  },
+}
+```
+
+## Backup Key
+
+This endpoint returns a plaintext backup of a named key. The backup contains all
+the configuration data and keys of all the versions along with the HMAC key.
+The response from this endpoint can be used with the `/restore` endpoint to
+restore the key.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/transit/backup/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the key.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/transit/backup/aes
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "backup": "eyJwb2xpY3kiOnsibmFtZSI6ImFlcyIsImtleXMiOnsiMSI6eyJrZXkiOiJXK3k4Z0dOMHdiTDJLOU95NXFPN1laMGtjdzMvR0ZiNWM4STBzdlNMMnFNPSIsImhtYWNfa2V5IjoiUDBTcjh1YTJaZERNUTdPd2h4RGp1Z0U5d0JSR3Q2QXl6K0t4TzN5Z2M5ST0iLCJ0aW1lIjoiMjAxNy0xMi0wOFQxMTo1MDowOC42MTM4MzctMDU6MDAiLCJlY194IjpudWxsLCJlY195IjpudWxsLCJlY19kIjpudWxsLCJyc2Ffa2V5IjpudWxsLCJwdWJsaWNfa2V5IjoiIiwiY3JlYXRpb25fdGltZSI6MTUxMjc1MTgwOH19LCJkZXJpdmVkIjpmYWxzZSwia2RmIjowLCJjb252ZXJnZW50X2VuY3J5cHRpb24iOmZhbHNlLCJleHBvcnRhYmxlIjpmYWxzZSwibWluX2RlY3J5cHRpb25fdmVyc2lvbiI6MSwibWluX2VuY3J5cHRpb25fdmVyc2lvbiI6MCwibGF0ZXN0X3ZlcnNpb24iOjEsImFyY2hpdmVfdmVyc2lvbiI6MSwiZGVsZXRpb25fYWxsb3dlZCI6ZmFsc2UsImNvbnZlcmdlbnRfdmVyc2lvbiI6MCwidHlwZSI6MCwiYmFja3VwX2luZm8iOnsidGltZSI6IjIwMTctMTItMDhUMTE6NTA6MjkuMjI4MTU3LTA1OjAwIiwidmVyc2lvbiI6MX0sInJlc3RvcmVfaW5mbyI6bnVsbH0sImFyY2hpdmVkX2tleXMiOnsia2V5cyI6W3sia2V5IjpudWxsLCJobWFjX2tleSI6bnVsbCwidGltZSI6IjAwMDEtMDEtMDFUMDA6MDA6MDBaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNyZWF0aW9uX3RpbWUiOjB9LHsia2V5IjoiVyt5OGdHTjB3YkwySzlPeTVxTzdZWjBrY3czL0dGYjVjOEkwc3ZTTDJxTT0iLCJobWFjX2tleSI6IlAwU3I4dWEyWmRETVE3T3doeERqdWdFOXdCUkd0NkF5eitLeE8zeWdjOUk9IiwidGltZSI6IjIwMTctMTItMDhUMTE6NTA6MDguNjEzODM3LTA1OjAwIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNyZWF0aW9uX3RpbWUiOjE1MTI3NTE4MDh9XX19Cg=="
+  }
+}
+```
+
+## Restore Key
+
+This endpoint restores the backup as a named key. This will restore the key
+configurations and all the versions of the named key along with HMAC keys. The
+input to this endpoint should be the output of `/backup` endpoint.
+
+~> For safety, by default the backend will refuse to restore to an existing
+key. If you want to reuse a key name, it is recommended you delete the key
+before restoring. It is a good idea to attempt restoring to a different key
+name first to verify that the operation successfully completes.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/transit/restore(/:name)` |
+
+### Parameters
+
+- `backup` `(string: <required>)` - Backed up key data to be restored. This
+  should be the output from the `/backup` endpoint.
+
+- `name` `(string: <optional>)` - If set, this will be the name of the
+  restored key.
+
+- `force` `(bool: false)` - If set, force the restore to proceed even if a key
+  by this name already exists.
+
+### Sample Payload
+
+```json
+  "backup": "eyJwb2xpY3kiOnsibmFtZSI6ImFlcyIsImtleXMiOnsiMSI6eyJrZXkiOiJXK3k4Z0dOMHdiTDJLOU95NXFPN1laMGtjdzMvR0ZiNWM4STBzdlNMMnFNPSIsImhtYWNfa2V5IjoiUDBTcjh1YTJaZERNUTdPd2h4RGp1Z0U5d0JSR3Q2QXl6K0t4TzN5Z2M5ST0iLCJ0aW1lIjoiMjAxNy0xMi0wOFQxMTo1MDowOC42MTM4MzctMDU6MDAiLCJlY194IjpudWxsLCJlY195IjpudWxsLCJlY19kIjpudWxsLCJyc2Ffa2V5IjpudWxsLCJwdWJsaWNfa2V5IjoiIiwiY3JlYXRpb25fdGltZSI6MTUxMjc1MTgwOH19LCJkZXJpdmVkIjpmYWxzZSwia2RmIjowLCJjb252ZXJnZW50X2VuY3J5cHRpb24iOmZhbHNlLCJleHBvcnRhYmxlIjpmYWxzZSwibWluX2RlY3J5cHRpb25fdmVyc2lvbiI6MSwibWluX2VuY3J5cHRpb25fdmVyc2lvbiI6MCwibGF0ZXN0X3ZlcnNpb24iOjEsImFyY2hpdmVfdmVyc2lvbiI6MSwiZGVsZXRpb25fYWxsb3dlZCI6ZmFsc2UsImNvbnZlcmdlbnRfdmVyc2lvbiI6MCwidHlwZSI6MCwiYmFja3VwX2luZm8iOnsidGltZSI6IjIwMTctMTItMDhUMTE6NTA6MjkuMjI4MTU3LTA1OjAwIiwidmVyc2lvbiI6MX0sInJlc3RvcmVfaW5mbyI6bnVsbH0sImFyY2hpdmVkX2tleXMiOnsia2V5cyI6W3sia2V5IjpudWxsLCJobWFjX2tleSI6bnVsbCwidGltZSI6IjAwMDEtMDEtMDFUMDA6MDA6MDBaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNyZWF0aW9uX3RpbWUiOjB9LHsia2V5IjoiVyt5OGdHTjB3YkwySzlPeTVxTzdZWjBrY3czL0dGYjVjOEkwc3ZTTDJxTT0iLCJobWFjX2tleSI6IlAwU3I4dWEyWmRETVE3T3doeERqdWdFOXdCUkd0NkF5eitLeE8zeWdjOUk9IiwidGltZSI6IjIwMTctMTItMDhUMTE6NTA6MDguNjEzODM3LTA1OjAwIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNyZWF0aW9uX3RpbWUiOjE1MTI3NTE4MDh9XX19Cg=="
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/restore
+```
+
+## Trim Key
+
+This endpoint trims older key versions setting a minimum version for the
+keyring. Once trimmed, previous versions of the key cannot be recovered.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/transit/keys/:name/trim` |
+
+### Parameters
+
+- `min_available_version` `(int: <required>)` - The minimum available version
+  for the key ring. All versions before this version will be permanently
+  deleted. This value can at most be equal to the lesser of
+  `min_decryption_version` and `min_encryption_version`. This is not allowed to
+  be set when either `min_encryption_version` or `min_decryption_version` is set
+  to zero.
+
+### Sample Payload
+
+```json
+{
+  "min_version": 2
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/keys/my-key/trim
+```
+
+## Configure Cache
+
+This endpoint is used to configure the transit engine's cache. Note that configuration
+changes will not be applied until the transit plugin is reloaded which can be achieved
+using the [`/sys/plugins/reload/backend`][sys-plugin-reload-backend] endpoint.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/transit/cache-config` |
+
+### Parameters
+
+- `size` `(int: 0)` - Specifies the size in terms of number of entries. A size of
+  `0` means unlimited. A _Least Recently Used_ (LRU) caching strategy is used for a
+  non-zero cache size.
+
+### Sample Payload
+
+```json
+{
+  "size": 456
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..."
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/transit/cache-config
+```
+
+## Read Transit Cache Configuration
+
+This endpoint retrieves configurations for the transit engine's cache.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/transit/cache-config` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..."
+    --request GET \
+    http://127.0.0.1:8200/v1/transit/cache-config
+```
+
+### Sample Response
+
+```json
+  "data": {
+    "size": 0
+  },
+```
+
+[sys-plugin-reload-backend]: /api/system/plugins-reload-backend.html#reload-plugins
diff --git a/website/pages/api-docs/system/audit-hash.mdx b/website/pages/api-docs/system/audit-hash.mdx
new file mode 100644
index 000000000000..fb907c4b01db
--- /dev/null
+++ b/website/pages/api-docs/system/audit-hash.mdx
@@ -0,0 +1,63 @@
+---
+layout: api
+page_title: /sys/audit-hash - HTTP API
+sidebar_title: <code>/sys/audit-hash</code>
+description: |-
+  The `/sys/audit-hash` endpoint is used to hash data using an audit device's
+  hash function and salt.
+---
+
+# `/sys/audit-hash`
+
+The `/sys/audit-hash` endpoint is used to calculate the hash of the data used by
+an audit device's hash function and salt. This can be used to search audit logs
+for a hashed value when the original value is known.
+
+## Calculate Hash
+
+This endpoint hashes the given input data with the specified audit device's
+hash function and salt. This endpoint can be used to discover whether a given
+plaintext string (the `input` parameter) appears in the audit log in obfuscated
+form.
+
+The audit log records requests and responses. Since the Vault API is JSON-based,
+any binary data returned from an API call (such as a DER-format certificate) is
+base64-encoded by the Vault server in the response. As a result such information
+should also be base64-encoded to supply into the `input` parameter.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/sys/audit-hash/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the audit device to
+  generate hashes for. This is part of the request URL.
+
+- `input` `(string: <required>)` – Specifies the input string to hash.
+
+### Sample Payload
+
+```json
+{
+  "input": "my-secret-vault"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/audit-hash/example-audit
+```
+
+### Sample Response
+
+```json
+{
+  "hash": "hmac-sha256:08ba35..."
+}
+```
diff --git a/website/pages/api-docs/system/audit.mdx b/website/pages/api-docs/system/audit.mdx
new file mode 100644
index 000000000000..c4e4e0535ad2
--- /dev/null
+++ b/website/pages/api-docs/system/audit.mdx
@@ -0,0 +1,123 @@
+---
+layout: api
+page_title: /sys/audit - HTTP API
+sidebar_title: <code>/sys/audit</code>
+description: The `/sys/audit` endpoint is used to enable and disable audit devices.
+---
+
+# `/sys/audit`
+
+The `/sys/audit` endpoint is used to list, enable, and disable audit devices.
+Audit devices must be enabled before use, and more than one device may be
+enabled at a time.
+
+## List Enabled Audit Devices
+
+This endpoint lists only the enabled audit devices (it does not list all
+available audit devices).
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path         |
+| :----- | :----------- |
+| `GET`  | `/sys/audit` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/audit
+```
+
+### Sample Response
+
+```javascript
+{
+  "file": {
+    "type": "file",
+    "description": "Store logs in a file",
+    "options": {
+      "file_path": "/var/log/vault.log"
+    }
+  }
+}
+```
+
+## Enable Audit Device
+
+This endpoint enables a new audit device at the supplied path. The path can be a
+single word name or a more complex, nested path.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `PUT`  | `/sys/audit/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path in which to enable the audit
+  device. This is part of the request URL.
+
+- `description` `(string: "")` – Specifies a human-friendly description of the
+  audit device.
+
+- `options` `(map<string|string>: nil)` – Specifies configuration options to
+  pass to the audit device itself. This is dependent on the audit device type.
+
+- `type` `(string: <required>)` – Specifies the type of the audit device.
+
+Additionally, the following options are allowed in Vault open-source, but
+relevant functionality is only supported in Vault Enterprise:
+
+- `local` `(bool: false)` – Specifies if the audit device is a local only. Local
+  audit devices are not replicated nor (if a secondary) removed by replication.
+
+### Sample Payload
+
+```json
+{
+  "type": "file",
+  "options": {
+    "file_path": "/var/log/vault/log"
+  }
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/audit/example-audit
+```
+
+## Disable Audit Device
+
+This endpoint disables the audit device at the given path.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/sys/audit/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path of the audit device to
+  delete. This is part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/audit/example-audit
+```
diff --git a/website/pages/api-docs/system/auth.mdx b/website/pages/api-docs/system/auth.mdx
new file mode 100644
index 000000000000..ffe0afcfb63c
--- /dev/null
+++ b/website/pages/api-docs/system/auth.mdx
@@ -0,0 +1,265 @@
+---
+layout: api
+page_title: /sys/auth - HTTP API
+sidebar_title: <code>/sys/auth</code>
+description: The `/sys/auth` endpoint is used to manage auth methods in Vault.
+---
+
+# `/sys/auth`
+
+The `/sys/auth` endpoint is used to list, create, update, and delete auth
+methods. Auth methods convert user or machine-supplied information into a
+token which can be used for all future requests.
+
+## List Auth Methods
+
+This endpoint lists all enabled auth methods.
+
+| Method | Path        |
+| :----- | :---------- |
+| `GET`  | `/sys/auth` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/auth
+```
+
+### Sample Response
+
+```json
+{
+  "github/": {
+    "type": "github",
+    "description": "GitHub auth"
+  },
+  "token/": {
+    "config": {
+      "default_lease_ttl": 0,
+      "max_lease_ttl": 0
+    },
+    "description": "token based credentials",
+    "type": "token"
+  }
+}
+```
+
+## Enable Auth Method
+
+This endpoint enables a new auth method. After enabling, the auth method can
+be accessed and configured via the auth path specified as part of the URL. This
+auth path will be nested under the `auth` prefix.
+
+For example, enable the "foo" auth method will make it accessible at
+`/auth/foo`.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `POST` | `/sys/auth/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path in which to enable the auth
+  method. This is part of the request URL.
+
+  !> **NOTE:** Use ASCII printable characters to specify the desired path.
+
+- `description` `(string: "")` – Specifies a human-friendly description of the
+  auth method.
+
+- `type` `(string: <required>)` – Specifies the name of the authentication
+  method type, such as "github" or "token".
+
+- `config` `(map<string|string>: nil)` – Specifies configuration options for
+  this auth method. These are the possible values:
+
+  - `default_lease_ttl` `(string: "")` - The default lease duration, specified
+    as a string duration like "5s" or "30m".
+
+  - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
+    string duration like "5s" or "30m".
+
+  - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
+    that will not be HMAC'd by audit devices in the request data object.
+
+  - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
+    that will not be HMAC'd by audit devices in the response data object.
+
+  - `listing_visibility` `(string: "")` - Specifies whether to show this mount
+    in the UI-specific listing endpoint.
+
+  - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
+    to whitelist and pass from the request to the plugin.
+
+  - `allowed_response_headers` `(array: [])` - Comma-separated list of headers
+    to whitelist, allowing a plugin to include them in the response.
+
+Additionally, the following options are allowed in Vault open-source, but
+relevant functionality is only supported in Vault Enterprise:
+
+- `local` `(bool: false)` – Specifies if the auth method is local only. Local
+  auth methods are not replicated nor (if a secondary) removed by replication.
+
+  ~> ** Warning:** Remember, policies when using replication secondaries are
+  validated by the local cluster. An administrator that can set up a local auth
+  method mount can assign policies to tokens that are valid on the replication
+  primary if a request is forwarded. Never give untrusted administrators the
+  ability to assign policies or configure authentication methods.
+
+- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
+  values stored by the mount to be wrapped by the seal's encryption capability.
+
+### Sample Payload
+
+```json
+{
+  "type": "github",
+  "description": "Login with GitHub"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/auth/my-auth
+```
+
+## Disable Auth Method
+
+This endpoint disables the auth method at the given auth path.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method   | Path              |
+| :------- | :---------------- |
+| `DELETE` | `/sys/auth/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path to disable. This is part of
+  the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/auth/my-auth
+```
+
+## Read Auth Method Tuning
+
+This endpoint reads the given auth path's configuration. _This endpoint requires
+`sudo` capability on the final path, but the same functionality can be achieved
+without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/sys/auth/:path/tune` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path in which to tune.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/auth/my-auth/tune
+```
+
+### Sample Response
+
+```json
+{
+  "default_lease_ttl": 3600,
+  "max_lease_ttl": 7200
+}
+```
+
+## Tune Auth Method
+
+Tune configuration parameters for a given auth path. _This endpoint
+requires `sudo` capability on the final path, but the same functionality
+can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/sys/auth/:path/tune` |
+
+### Parameters
+
+- `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. If set on
+  a specific auth path, this overrides the global default.
+
+- `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. If set on a
+  specific auth path, this overrides the global default.
+
+- `description` `(string: "")` – Specifies the description of the mount. This
+  overrides the current stored value, if any.
+
+- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
+  list of keys that will not be HMAC'd by audit devices in the request data
+  object.
+
+- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
+  list of keys that will not be HMAC'd by audit devices in the response data
+  object.
+
+- `listing_visibility` `(string: "")` - Specifies whether to show this mount
+  in the UI-specific listing endpoint. Valid values are `"unauth"` or `""`.
+
+- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
+  to whitelist and pass from the request to the plugin.
+
+- `allowed_response_headers` `(array: [])` - Comma-separated list of headers
+  to whitelist, allowing a plugin to include them in the response.
+
+- `token_type` `(string: "")` – Specifies the type of tokens that should be
+  returned by the mount. The following values are available:
+
+  - `default-service`: Unless the auth method requests a different type, issue
+    service tokens
+  - `default-batch`: Unless the auth method requests a different type, issue
+    batch tokens
+  - `service`: Override any auth method preference and always issue service
+    tokens from this mount
+  - `batch`: Override any auth method preference and always issue batch tokens
+    from this mount
+
+### Sample Payload
+
+```json
+{
+  "default_lease_ttl": 1800,
+  "max_lease_ttl": 86400
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/auth/my-auth/tune
+```
diff --git a/website/pages/api-docs/system/capabilities-accessor.mdx b/website/pages/api-docs/system/capabilities-accessor.mdx
new file mode 100644
index 000000000000..66730ff398f8
--- /dev/null
+++ b/website/pages/api-docs/system/capabilities-accessor.mdx
@@ -0,0 +1,63 @@
+---
+layout: api
+page_title: /sys/capabilities-accessor - HTTP API
+sidebar_title: <code>/sys/capabilities-accessor</code>
+description: |-
+  The `/sys/capabilities-accessor` endpoint is used to fetch the capabilities of
+  the token associated with an accessor, on the given paths.
+---
+
+# `/sys/capabilities-accessor`
+
+The `/sys/capabilities-accessor` endpoint is used to fetch the capabilities of
+the token associated with the given accessor. The capabilities returned will be
+derived from the policies that are on the token, and from the policies to which
+the token is entitled to through the entity and entity's group memberships.
+
+## Query Token Accessor Capabilities
+
+This endpoint returns the capabilities of the token associated with the given
+accessor, for the given path. Multiple paths are taken in at once and the
+capabilities of the token associated with the given accessor for each path is
+returned. For backwards compatibility, if a single path is supplied, a
+`capabilities` field will also be returned.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/sys/capabilities-accessor` |
+
+### Parameters
+
+- `accessor` `(string: <required>)` – Accessor of the token for which
+  capabilities are being queried.
+
+- `paths` `(list: <required>)` – Paths on which capabilities are being
+  queried.
+
+### Sample Payload
+
+```json
+{
+  "accessor": "abcd1234",
+  "paths": ["secret/foo"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/capabilities-accessor
+```
+
+### Sample Response
+
+```json
+{
+  "capabilities": ["delete", "list", "read", "update"],
+  "secret/foo": ["delete", "list", "read", "update"]
+}
+```
diff --git a/website/pages/api-docs/system/capabilities-self.mdx b/website/pages/api-docs/system/capabilities-self.mdx
new file mode 100644
index 000000000000..f83333d19a67
--- /dev/null
+++ b/website/pages/api-docs/system/capabilities-self.mdx
@@ -0,0 +1,59 @@
+---
+layout: api
+page_title: /sys/capabilities-self - HTTP API
+sidebar_title: <code>/sys/capabilities-self</code>
+description: |-
+  The `/sys/capabilities-self` endpoint is used to fetch the capabilities of
+  client token on the given paths.
+---
+
+# `/sys/capabilities-self`
+
+The `/sys/capabilities-self` endpoint is used to fetch the capabilities of the
+token used to make the API call, on the given paths. The capabilities returned
+will be derived from the policies that are on the token, and from the policies
+to which the token is entitled to through the entity and entity's group
+memberships.
+
+## Query Self Capabilities
+
+This endpoint returns the capabilities of client token on the given paths. The
+client token is the Vault token with which this API call is made. Multiple
+paths are taken in at once and the capabilities of the token for each path is
+returned. For backwards compatibility, if a single path is supplied, a
+`capabilities` field will also be returned.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/sys/capabilities-self` |
+
+### Parameters
+
+- `paths` `(list: <required>)` – Paths on which capabilities are being queried.
+
+### Sample Payload
+
+```json
+{
+  "paths": ["secret/foo"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/capabilities-self
+```
+
+### Sample Response
+
+```json
+{
+  "capabilities": ["delete", "list", "read", "update"],
+  "secret/foo": ["delete", "list", "read", "update"]
+}
+```
diff --git a/website/pages/api-docs/system/capabilities.mdx b/website/pages/api-docs/system/capabilities.mdx
new file mode 100644
index 000000000000..ee672a659e05
--- /dev/null
+++ b/website/pages/api-docs/system/capabilities.mdx
@@ -0,0 +1,61 @@
+---
+layout: api
+page_title: /sys/capabilities - HTTP API
+sidebar_title: <code>/sys/capabilities</code>
+description: |-
+  The `/sys/capabilities` endpoint is used to fetch the capabilities of a token
+  on the given paths.
+---
+
+# `/sys/capabilities`
+
+The `/sys/capabilities` endpoint is used to fetch the capabilities of a token
+on the given paths. The capabilities returned will be derived from the policies
+that are on the token, and from the policies to which the token is entitled to
+through the entity and entity's group memberships.
+
+## Query Token Capabilities
+
+This endpoint returns the list of capabilities of a given token on the given
+paths. Multiple paths are taken in at once and the capabilities of the token
+for each path is returned. For backwards compatibility, if a single path is
+supplied, a `capabilities` field will also be returned.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/sys/capabilities` |
+
+### Parameters
+
+- `paths` `(list: <required>)` – Paths on which capabilities are being queried.
+
+- `token` `(string: <required>)` – Token for which capabilities are being
+  queried.
+
+### Sample Payload
+
+```json
+{
+  "token": "abcd1234",
+  "paths": ["secret/foo"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/capabilities
+```
+
+### Sample Response
+
+```json
+{
+  "capabilities": ["delete", "list", "read", "update"],
+  "secret/foo": ["delete", "list", "read", "update"]
+}
+```
diff --git a/website/pages/api-docs/system/config-auditing.mdx b/website/pages/api-docs/system/config-auditing.mdx
new file mode 100644
index 000000000000..dd32ed548b30
--- /dev/null
+++ b/website/pages/api-docs/system/config-auditing.mdx
@@ -0,0 +1,129 @@
+---
+layout: api
+page_title: /sys/config/auditing - HTTP API
+sidebar_title: <code>/sys/config/auditing</code>
+description: The `/sys/config/auditing` endpoint is used to configure auditing settings.
+---
+
+# `/sys/config/auditing/request-headers`
+
+The `/sys/config/auditing` endpoint is used to configure auditing settings.
+
+## Read All Audited Request Headers
+
+This endpoint lists the request headers that are configured to be audited.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                                   |
+| :----- | :------------------------------------- |
+| `GET`  | `/sys/config/auditing/request-headers` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/config/auditing/request-headers
+```
+
+### Sample Response
+
+```json
+{
+  "headers": {
+    "X-Forwarded-For": {
+      "hmac": true
+    }
+  }
+}
+```
+
+## Read Single Audit Request Header
+
+This endpoint lists the information for the given request header.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                                         |
+| :----- | :------------------------------------------- |
+| `GET`  | `/sys/config/auditing/request-headers/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the request header to
+  query. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/my-header
+```
+
+### Sample Response
+
+```json
+{
+  "X-Forwarded-For": {
+    "hmac": true
+  }
+}
+```
+
+## Create/Update Audit Request Header
+
+This endpoint enables auditing of a header.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                                         |
+| :----- | :------------------------------------------- |
+| `PUT`  | `/sys/config/auditing/request-headers/:name` |
+
+### Parameters
+
+- `hmac` `(bool: false)` – Specifies if this header's value should be HMAC'ed in
+  the audit logs.
+
+### Sample Payload
+
+```json
+{
+  "hmac": true
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/my-header
+```
+
+## Delete Audit Request Header
+
+This endpoint disables auditing of the given request header.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method   | Path                                         |
+| :------- | :------------------------------------------- |
+| `DELETE` | `/sys/config/auditing/request-headers/:name` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/my-header
+```
diff --git a/website/pages/api-docs/system/config-control-group.mdx b/website/pages/api-docs/system/config-control-group.mdx
new file mode 100644
index 000000000000..eae75d2881f1
--- /dev/null
+++ b/website/pages/api-docs/system/config-control-group.mdx
@@ -0,0 +1,84 @@
+---
+layout: api
+page_title: /sys/config/control-group - HTTP API
+sidebar_title: <code>/sys/config/control-group</code>
+description: The '/sys/config/control-group' endpoint configures control groups.
+---
+
+# `/sys/config/control-group`
+
+~> **Enterprise Only** – These endpoints require Vault Enterprise.
+
+The `/sys/config/control-group` endpoint is used to configure Control Group
+settings.
+
+## Read Control Group Settings
+
+This endpoint returns the current Control Group configuration.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `GET`  | `/sys/config/control-group` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/config/control-group
+```
+
+### Sample Response
+
+```json
+{
+  "max_ttl": "4h"
+}
+```
+
+## Configure Control Group Settings
+
+This endpoint allows configuring control groups.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `PUT`  | `/sys/config/control-group` |
+
+### Parameters
+
+- `max_ttl` `int` – The maximum ttl for a control group wrapping token. This can be provided in seconds or duration (2h).
+
+### Sample Payload
+
+```json
+{
+  "max_ttl": "4h"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/config/control-group
+```
+
+## Delete Control Group Settings
+
+This endpoint removes any control group configuration.
+
+| Method   | Path                        |
+| :------- | :-------------------------- |
+| `DELETE` | `/sys/config/control-group` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/config/control-group
+```
diff --git a/website/pages/api-docs/system/config-cors.mdx b/website/pages/api-docs/system/config-cors.mdx
new file mode 100644
index 000000000000..61b223744b97
--- /dev/null
+++ b/website/pages/api-docs/system/config-cors.mdx
@@ -0,0 +1,101 @@
+---
+layout: api
+page_title: /sys/config/cors - HTTP API
+sidebar_title: <code>/sys/config/cors</code>
+description: >-
+  The '/sys/config/cors' endpoint configures how the Vault server responds to
+  cross-origin requests.
+---
+
+# `/sys/config/cors`
+
+The `/sys/config/cors` endpoint is used to configure CORS settings.
+
+- **`sudo` required** – All CORS endpoints require `sudo` capability in
+  addition to any path-specific capabilities.
+
+## Read CORS Settings
+
+This endpoint returns the current CORS configuration.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/sys/config/cors` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/config/cors
+```
+
+### Sample Response
+
+```json
+{
+  "enabled": true,
+  "allowed_origins": ["http://www.example.com"],
+  "allowed_headers": [
+    "Content-Type",
+    "X-Requested-With",
+    "X-Vault-AWS-IAM-Server-ID",
+    "X-Vault-No-Request-Forwarding",
+    "X-Vault-Token",
+    "Authorization",
+    "X-Vault-Wrap-Format",
+    "X-Vault-Wrap-TTL"
+  ]
+}
+```
+
+## Configure CORS Settings
+
+This endpoint allows configuring the origins that are permitted to make
+cross-origin requests, as well as headers that are allowed on cross-origin requests.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `PUT`  | `/sys/config/cors` |
+
+### Parameters
+
+- `allowed_origins` `(string or string array: <required>)` – A wildcard (`*`), comma-delimited string, or array of strings specifying the origins that are permitted to make cross-origin requests.
+
+- `allowed_headers` `(string or string array: "" or [])` – A comma-delimited string or array of strings specifying headers that are permitted to be on cross-origin requests. Headers set via this parameter will be appended to the list of headers that Vault allows by default.
+
+### Sample Payload
+
+```json
+{
+  "allowed_origins": "*",
+  "allowed_headers": "X-Custom-Header"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/config/cors
+```
+
+## Delete CORS Settings
+
+This endpoint removes any CORS configuration.
+
+| Method   | Path               |
+| :------- | :----------------- |
+| `DELETE` | `/sys/config/cors` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/config/cors
+```
diff --git a/website/pages/api-docs/system/config-state.mdx b/website/pages/api-docs/system/config-state.mdx
new file mode 100644
index 000000000000..6b739276cbe2
--- /dev/null
+++ b/website/pages/api-docs/system/config-state.mdx
@@ -0,0 +1,80 @@
+---
+layout: api
+page_title: /sys/config/state - HTTP API
+sidebar_title: <code>/sys/config/state</code>
+description: The '/sys/config/state' endpoint is used to retrieve the configuration state.
+---
+
+# `/sys/config/state`
+
+The endpoints under `sys/config/state` return Vault's configuration state.
+Currently, it only supports returning a sanitized version of the configuration.
+
+## `Get Sanitized Configuration State`
+
+This endpoint returns a sanitized version of the configuration state. The
+configuration excludes certain fields and mappings in the configuration file
+that can potentially contain sensitive information, which includes values from
+`Storage.Config`, `HAStorage.Config`, `Seals.Config` and the
+`Telemetry.CirconusAPIToken` value.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `GET`  | `/sys/config/state/sanitized` |
+
+### Sample Request
+
+```
+$ curl \
+  --header "X-Vault-Token: ..." \
+    'http://127.0.0.1:8200/v1/sys/config/state/sanitized'
+```
+
+### Sample Response
+
+```json
+{
+  "api_addr": "http://127.0.0.1:8200",
+  "cache_size": 0,
+  "cluster_addr": "",
+  "cluster_cipher_suites": "",
+  "cluster_name": "",
+  "default_lease_ttl": 0,
+  "default_max_request_duration": 0,
+  "disable_cache": false,
+  "disable_clustering": false,
+  "disable_indexing": false,
+  "disable_mlock": false,
+  "disable_performance_standby": false,
+  "disable_printable_check": false,
+  "disable_sealwrap": false,
+  "enable_ui": true,
+  "listeners": [
+    {
+      "config": {
+        "address": "127.0.0.1:8200",
+        "tls_disable": 1
+      },
+      "type": "tcp"
+    }
+  ],
+  "log_format": "",
+  "log_level": "",
+  "max_lease_ttl": 0,
+  "pid_file": "",
+  "plugin_directory": "/opt/vault/plugins",
+  "raw_storage_endpoint": false,
+  "seals": [
+    {
+      "disabled": false,
+      "type": "shamir"
+    }
+  ],
+  "storage": {
+    "cluster_addr": "",
+    "disable_clustering": false,
+    "redirect_addr": "http://127.0.0.1:8200",
+    "type": "inmem"
+  }
+}
+```
diff --git a/website/pages/api-docs/system/config-ui.mdx b/website/pages/api-docs/system/config-ui.mdx
new file mode 100644
index 000000000000..24612507b73c
--- /dev/null
+++ b/website/pages/api-docs/system/config-ui.mdx
@@ -0,0 +1,117 @@
+---
+layout: api
+page_title: /sys/config/ui - HTTP API
+sidebar_title: <code>/sys/config/ui</code>
+description: The '/sys/config/ui' endpoint configures the UI.
+---
+
+# `/sys/config/ui`
+
+The `/sys/config/ui` endpoint is used to configure UI settings.
+
+- **`sudo` required** – All UI endpoints require `sudo` capability in
+  addition to any path-specific capabilities.
+
+## Read UI Settings
+
+This endpoint returns the given UI header configuration.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/sys/config/ui/headers/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – The name of the custom header.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
+```
+
+### Sample Response
+
+```json
+{
+  "value": "custom-value"
+}
+```
+
+## Configure UI Headers
+
+This endpoint allows configuring the values to be returned for the UI header.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `PUT`  | `/sys/config/ui/headers/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – The name of the custom header.
+
+- `values` `(list: <required>)` - The values to be returned from the header.
+
+### Sample Payload
+
+```json
+{
+  "values": ["custom value 1", "custom value 2"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
+```
+
+## Delete a UI Header
+
+This endpoint removes a UI header.
+
+| Method   | Path                           |
+| :------- | :----------------------------- |
+| `DELETE` | `/sys/config/ui/headers/:name` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
+```
+
+## List UI Headers
+
+This endpoint returns a list of configured UI headers.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `LIST` | `/sys/config/ui/headers` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/sys/config/ui/headers
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["X-Custom...", "X-Header..."]
+  }
+}
+```
diff --git a/website/pages/api-docs/system/control-group.mdx b/website/pages/api-docs/system/control-group.mdx
new file mode 100644
index 000000000000..aa6816c68275
--- /dev/null
+++ b/website/pages/api-docs/system/control-group.mdx
@@ -0,0 +1,103 @@
+---
+layout: api
+page_title: /sys/control-group - HTTP API
+sidebar_title: <code>/sys/control-group</code>
+description: The '/sys/control-group' endpoint handles the Control Group workflow.
+---
+
+## Authorize Control Group Request
+
+~> **Enterprise Only** – These endpoints require Vault Enterprise.
+
+This endpoint authorizes a control group request.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/sys/control-group/authorize` |
+
+### Parameters
+
+- `accessor` `(string: <required>)` – The accessor for the control group wrapping token.
+
+### Sample Payload
+
+```json
+{
+  "accessor": "0ad21b78-e9bb-64fa-88b8-1e38db217bde"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/control-group/authorize
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "approved": false
+  }
+}
+```
+
+## Check Control Group Request Status
+
+This endpoint checks the status of a control group request.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/sys/control-group/request` |
+
+### Parameters
+
+- `accessor` `(string: <required>)` – The accessor for the control group wrapping token.
+
+### Sample Payload
+
+```json
+{
+  "accessor": "0ad21b78-e9bb-64fa-88b8-1e38db217bde"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/control-group/request
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "approved": false,
+    "request_path": "secret/foo",
+    "request_entity": {
+      "id": "c8b6e404-de4b-50a4-2917-715ff8beec8e",
+      "name": "Bob"
+    },
+    "authorizations": [
+      {
+        "entity_id": "6544a3ec-d3cd-443b-b87b-4fd2e889e0b7",
+        "entity_name": "Abby Jones"
+      },
+      {
+        "entity_id": "919084a4-417e-42ee-9d78-87fa2843af37",
+        "entity_name": "James Franklin"
+      }
+    ]
+  }
+}
+```
diff --git a/website/pages/api-docs/system/generate-recovery-token.mdx b/website/pages/api-docs/system/generate-recovery-token.mdx
new file mode 100644
index 000000000000..c6790e46e125
--- /dev/null
+++ b/website/pages/api-docs/system/generate-recovery-token.mdx
@@ -0,0 +1,172 @@
+---
+layout: api
+page_title: /sys/generate-recovery-token - HTTP API
+sidebar_title: <code>/sys/generate-recovery-token</code>
+description: |-
+  The `/sys/generate-recovery-token/` endpoints are used to create a new 
+  recovery token for Vault.  They are only active in recovery mode.
+---
+
+# `/sys/generate-recovery-token`
+
+The `/sys/generate-recovery-token` endpoint is used to create a new recovery
+token for Vault.
+
+## Read Recovery Token Generation Progress
+
+This endpoint reads the configuration and process of the current root generation
+attempt.
+
+| Method | Path                                   |
+| :----- | :------------------------------------- |
+| `GET`  | `/sys/generate-recovery-token/attempt` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt
+```
+
+### Sample Response
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 1,
+  "required": 3,
+  "encoded_token": "",
+  "pgp_fingerprint": "",
+  "otp_length": 24,
+  "complete": false
+}
+```
+
+If a recovery token generation is started, `progress` is how many unseal keys
+have been provided for this generation attempt, where `required` must be reached
+to complete. The `nonce` for the current attempt and whether the attempt is
+complete is also displayed.
+
+If a PGP key is being used to encrypt the final root
+token, its fingerprint will be returned.
+
+If an OTP is being used to encode the final root token it will be returned only
+once, on the response to the start request.
+
+The OTP is a base62 string, with length of otp_length.
+The raw bytes (char codes) of the token will be XOR'd with
+this value before being returned as a response to the final unseal
+key, encoded as base64.
+
+## Start Recovery Token Generation
+
+This endpoint initializes a new recovery token generation attempt. Only a single
+recovery token generation attempt can take place at a time.
+
+| Method | Path                                   |
+| :----- | :------------------------------------- |
+| `PUT`  | `/sys/generate-recovery-token/attempt` |
+
+### Parameters
+
+- `pgp_key` `(string: <optional>)` – Specifies a base64-encoded PGP public key.
+  The raw bytes of the token will be encrypted with this value before being
+  returned to the final unseal key provider.
+
+### Sample Request
+
+```
+$ curl \
+    --request PUT \
+    http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt
+```
+
+### Sample Response
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 1,
+  "required": 3,
+  "encoded_token": "",
+  "otp": "2vPFYG8gUSW9npwzyvxXMug0",
+  "otp_length": 24,
+  "complete": false
+}
+```
+
+## Cancel Recovery Token Generation
+
+This endpoint cancels any in-progress recovery token generation attempt. This
+clears any progress made. This must be called to change the OTP or PGP key being
+used.
+
+| Method   | Path                                   |
+| :------- | :------------------------------------- |
+| `DELETE` | `/sys/generate-recovery-token/attempt` |
+
+### Sample Request
+
+```
+$ curl \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt
+```
+
+## Provide Key Share to Generate Recovery Token
+
+This endpoint is used to enter a single master key share to progress the
+recovery token generation attempt. If the threshold number of master key shares
+is reached, Vault will complete the recovery token generation and issue the new
+token. Otherwise, this API must be called multiple times until that threshold
+is met. The attempt nonce must be provided with each call.
+
+Note that once a token has been issued, Vault is unsealed. The token lives
+only in memory and thus will only be valid until the next restart.
+
+| Method | Path                                  |
+| :----- | :------------------------------------ |
+| `PUT`  | `/sys/generate-recovery-token/update` |
+
+### Parameters
+
+- `key` `(string: <required>)` – Specifies a single master key share.
+
+- `nonce` `(string: <required>)` – Specifies the nonce of the attempt.
+
+### Sample Payload
+
+```json
+{
+  "key": "acbd1234",
+  "nonce": "ad235"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/generate-recovery-token/update
+```
+
+### Sample Response
+
+This returns a JSON-encoded object indicating the attempt nonce, and completion
+status, and the encoded recovery token, if the attempt is complete.
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 3,
+  "required": 3,
+  "pgp_fingerprint": "",
+  "complete": true,
+  "encoded_token": "FPzkNBvwNDeFh4SmGA8c+w=="
+}
+```
diff --git a/website/pages/api-docs/system/generate-root.mdx b/website/pages/api-docs/system/generate-root.mdx
new file mode 100644
index 000000000000..97670739c2ba
--- /dev/null
+++ b/website/pages/api-docs/system/generate-root.mdx
@@ -0,0 +1,167 @@
+---
+layout: api
+page_title: /sys/generate-root - HTTP API
+sidebar_title: <code>/sys/generate-root</code>
+description: |-
+  The `/sys/generate-root/` endpoints are used to create a new root key for
+  Vault.
+---
+
+# `/sys/generate-root`
+
+The `/sys/generate-root` endpoint is used to create a new root key for Vault.
+
+## Read Root Generation Progress
+
+This endpoint reads the configuration and process of the current root generation
+attempt.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/sys/generate-root/attempt` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/generate-root/attempt
+```
+
+### Sample Response
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 1,
+  "required": 3,
+  "encoded_token": "",
+  "pgp_fingerprint": "",
+  "otp_length": 24,
+  "complete": false
+}
+```
+
+If a root generation is started, `progress` is how many unseal keys have been
+provided for this generation attempt, where `required` must be reached to
+complete. The `nonce` for the current attempt and whether the attempt is
+complete is also displayed.
+
+If a PGP key is being used to encrypt the final root
+token, its fingerprint will be returned.
+
+If an OTP is being used to encode the final root token it will be returned only
+once, on the response to the start request.
+
+The OTP is a base62 string, with length of otp_length.
+The raw bytes (char codes) of the token will be XOR'd with
+this value before being returned as a response to the final unseal
+key, encoded as base64.
+
+## Start Root Token Generation
+
+This endpoint initializes a new root generation attempt. Only a single root
+generation attempt can take place at a time.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `PUT`  | `/sys/generate-root/attempt` |
+
+### Parameters
+
+- `pgp_key` `(string: <optional>)` – Specifies a base64-encoded PGP public key.
+  The raw bytes of the token will be encrypted with this value before being
+  returned to the final unseal key provider.
+
+### Sample Request
+
+```
+$ curl \
+    --request PUT \
+    http://127.0.0.1:8200/v1/sys/generate-root/attempt
+```
+
+### Sample Response
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 1,
+  "required": 3,
+  "encoded_token": "",
+  "otp": "2vPFYG8gUSW9npwzyvxXMug0",
+  "otp_length": 24,
+  "complete": false
+}
+```
+
+## Cancel Root Generation
+
+This endpoint cancels any in-progress root generation attempt. This clears any
+progress made. This must be called to change the OTP or PGP key being used.
+
+| Method   | Path                         |
+| :------- | :--------------------------- |
+| `DELETE` | `/sys/generate-root/attempt` |
+
+### Sample Request
+
+```
+$ curl \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/generate-root/attempt
+```
+
+## Provide Key Share to Generate Root
+
+This endpoint is used to enter a single master key share to progress the root
+generation attempt. If the threshold number of master key shares is reached,
+Vault will complete the root generation and issue the new token. Otherwise,
+this API must be called multiple times until that threshold is met. The attempt
+nonce must be provided with each call.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `PUT`  | `/sys/generate-root/update` |
+
+### Parameters
+
+- `key` `(string: <required>)` – Specifies a single master key share.
+
+- `nonce` `(string: <required>)` – Specifies the nonce of the attempt.
+
+### Sample Payload
+
+```json
+{
+  "key": "acbd1234",
+  "nonce": "ad235"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/generate-root/update
+```
+
+### Sample Response
+
+This returns a JSON-encoded object indicating the attempt nonce, and completion
+status, and the encoded root token, if the attempt is complete.
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 3,
+  "required": 3,
+  "pgp_fingerprint": "",
+  "complete": true,
+  "encoded_token": "FPzkNBvwNDeFh4SmGA8c+w=="
+}
+```
diff --git a/website/pages/api-docs/system/health.mdx b/website/pages/api-docs/system/health.mdx
new file mode 100644
index 000000000000..5b6f5663fb41
--- /dev/null
+++ b/website/pages/api-docs/system/health.mdx
@@ -0,0 +1,91 @@
+---
+layout: api
+page_title: /sys/health - HTTP API
+sidebar_title: <code>/sys/health</code>
+description: The `/sys/health` endpoint is used to check the health status of Vault.
+---
+
+# `/sys/health`
+
+The `/sys/health` endpoint is used to check the health status of Vault.
+
+## Read Health Information
+
+This endpoint returns the health status of Vault. This matches the semantics of
+a Consul HTTP health check and provides a simple way to monitor the health of a
+Vault instance.
+
+| Method | Path          |
+| :----- | :------------ |
+| `HEAD` | `/sys/health` |
+| `GET`  | `/sys/health` |
+
+The default status codes are:
+
+- `200` if initialized, unsealed, and active
+- `429` if unsealed and standby
+- `472` if disaster recovery mode replication secondary and active
+- `473` if performance standby
+- `501` if not initialized
+- `503` if sealed
+
+### Parameters
+
+- `standbyok` `(bool: false)` – Specifies if being a standby should still return
+  the active status code instead of the standby status code. This is useful when
+  Vault is behind a non-configurable load balancer that just wants a 200-level
+  response. This will not apply if the node is a performance standby.
+
+- `perfstandbyok` `(bool: false)` – Specifies if being a performance standby should
+  still return the active status code instead of the performance standby status code.
+  This is useful when Vault is behind a non-configurable load balancer that just wants
+  a 200-level response.
+
+- `activecode` `(int: 200)` – Specifies the status code that should be returned
+  for an active node.
+
+- `standbycode` `(int: 429)` – Specifies the status code that should be returned
+  for a standby node.
+
+- `drsecondarycode` `(int: 472)` – Specifies the status code that should be
+  returned for a DR secondary node.
+
+- `performancestandbycode` `(int: 473)` – Specifies the status code that should be
+  returned for a performance standby node.
+
+- `sealedcode` `(int: 503)` – Specifies the status code that should be returned
+  for a sealed node.
+
+- `uninitcode` `(int: 501)` – Specifies the status code that should be returned
+  for a uninitialized node.
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/health
+```
+
+### Sample Response
+
+This response is only returned for a `GET` request.
+
+Note: `replication_perf_mode` and `replication_dr_mode` reflect the state of
+the active node in the cluster; if you are querying it for a standby that has
+just come up, it can take a small time for the active node to inform the
+standby of its status.
+
+```json
+{
+  "initialized": true,
+  "sealed": false,
+  "standby": false,
+  "performance_standby": false,
+  "replication_perf_mode": "disabled",
+  "replication_dr_mode": "disabled",
+  "server_time_utc": 1516639589,
+  "version": "0.9.1",
+  "cluster_name": "vault-cluster-3bd69ca2",
+  "cluster_id": "00af5aa8-c87d-b5fc-e82e-97cd8dfaf731"
+}
+```
diff --git a/website/pages/api-docs/system/host-info.mdx b/website/pages/api-docs/system/host-info.mdx
new file mode 100644
index 000000000000..d86c2ed72dd9
--- /dev/null
+++ b/website/pages/api-docs/system/host-info.mdx
@@ -0,0 +1,83 @@
+---
+layout: api
+page_title: /sys/host-info - HTTP API
+sidebar_title: <code>/sys/host-info</code>
+description: The '/sys/host-info' endpoint is used to retrieve host information
+---
+
+# `/sys/host-info`
+
+The `/sys/host-info` endpoint is used retrieve information about the
+host instance that the Vault server is running on.
+
+## Collect Host Information
+
+This endpoint returns information about the host instance that the Vault
+server is running on. The data returned includes CPU information, CPU
+times, disk usage, host info, and memory statistics.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `GET`  | `/sys/host-info` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/host-info
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "cpu": [
+      {
+        "cpu": 0,
+        "vendorId": "GenuineIntel",
+        "family": "6",
+        "model": "78",
+        ...
+      },
+      ...
+    ],
+    "cpu_times": [
+      {
+        "cpu": "cpu",
+        "user": 7491,
+        "system": 16833,
+        "idle": 5726276,
+        ...
+      },
+      ...
+    ],
+    "disk": [
+      {
+        "path": "/",
+        "fstype": "ext4",
+        "total": 410352476160,
+        "free": 102141169664,
+        "used": 306428051456,
+        ...
+      },
+      ...
+    ],
+    "host": {
+      "hostname": "vault-server-1",
+      "uptime": 28618,
+      "bootTime": 1570114491,
+      "procs": 439,
+      ...
+    },
+    "memory": {
+      "total": 17179869184,
+      "available": 6203424768,
+      "used": 10976444416,
+      ...
+    },
+    "timestamp": "2019-10-03T22:51:49.715927Z"
+  }
+}
+```
diff --git a/website/pages/api-docs/system/index.mdx b/website/pages/api-docs/system/index.mdx
new file mode 100644
index 000000000000..9a35137e9ea2
--- /dev/null
+++ b/website/pages/api-docs/system/index.mdx
@@ -0,0 +1,17 @@
+---
+layout: api
+page_title: System Backend - HTTP API
+sidebar_title: System Backend
+description: |-
+  The system backend is a default backend in Vault that is mounted at the `/sys`
+  endpoint. This endpoint cannot be disabled or moved, and is used to configure
+  Vault and interact with many of Vault's internal features.
+---
+
+# System Backend
+
+The system backend is a default backend in Vault that is mounted at the `/sys`
+endpoint. This endpoint cannot be disabled or moved, and is used to configure
+Vault and interact with many of Vault's internal features.
+
+For more information about a particular path, please click on it in the sidebar.
diff --git a/website/pages/api-docs/system/init.mdx b/website/pages/api-docs/system/init.mdx
new file mode 100644
index 000000000000..f912b47d902d
--- /dev/null
+++ b/website/pages/api-docs/system/init.mdx
@@ -0,0 +1,111 @@
+---
+layout: api
+page_title: /sys/init - HTTP API
+sidebar_title: <code>/sys/init</code>
+description: The `/sys/init` endpoint is used to initialize a new Vault.
+---
+
+# `/sys/init`
+
+The `/sys/init` endpoint is used to initialize a new Vault.
+
+## Read Initialization Status
+
+This endpoint returns the initialization status of Vault.
+
+| Method | Path        |
+| :----- | :---------- |
+| `GET`  | `/sys/init` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/init
+```
+
+### Sample Response
+
+```json
+{
+  "initialized": true
+}
+```
+
+## Start Initialization
+
+This endpoint initializes a new Vault. The Vault must not have been previously
+initialized. The recovery options, as well as the stored shares option, are only
+available when using Vault HSM.
+
+| Method | Path        |
+| :----- | :---------- |
+| `PUT`  | `/sys/init` |
+
+### Parameters
+
+- `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used
+  to encrypt the output unseal keys. Ordering is preserved. The keys must be
+  base64-encoded from their original binary representation. The size of this
+  array must be the same as `secret_shares`.
+
+- `root_token_pgp_key` `(string: "")` – Specifies a PGP public key used to
+  encrypt the initial root token. The key must be base64-encoded from its
+  original binary representation.
+
+- `secret_shares` `(int: <required>)` – Specifies the number of shares to
+  split the master key into.
+
+- `secret_threshold` `(int: <required>)` – Specifies the number of shares
+  required to reconstruct the master key. This must be less than or equal
+  `secret_shares`. If using Vault HSM with auto-unsealing, this value must be
+  the same as `secret_shares`.
+
+Additionally, the following options are only supported on Vault Pro/Enterprise:
+
+- `stored_shares` `(int: <required>)` – Specifies the number of shares that
+  should be encrypted by the HSM and stored for auto-unsealing. Currently must
+  be the same as `secret_shares`.
+
+- `recovery_shares` `(int: <required>)` – Specifies the number of shares to
+  split the recovery key into.
+
+- `recovery_threshold` `(int: <required>)` – Specifies the number of shares
+  required to reconstruct the recovery key. This must be less than or equal to
+  `recovery_shares`.
+
+- `recovery_pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public
+  keys used to encrypt the output recovery keys. Ordering is preserved. The keys
+  must be base64-encoded from their original binary representation. The size of
+  this array must be the same as `recovery_shares`.
+
+### Sample Payload
+
+```json
+{
+  "secret_shares": 10,
+  "secret_threshold": 5
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/init
+```
+
+### Sample Response
+
+A JSON-encoded object including the (possibly encrypted, if `pgp_keys` was
+provided) master keys, base 64 encoded master keys and initial root token:
+
+```json
+{
+  "keys": ["one", "two", "three"],
+  "keys_base64": ["cR9No5cBC", "F3VLrkOo", "zIDSZNGv"],
+  "root_token": "foo"
+}
+```
diff --git a/website/pages/api-docs/system/internal-specs-openapi.mdx b/website/pages/api-docs/system/internal-specs-openapi.mdx
new file mode 100644
index 000000000000..3ef09515e9d2
--- /dev/null
+++ b/website/pages/api-docs/system/internal-specs-openapi.mdx
@@ -0,0 +1,71 @@
+---
+layout: api
+page_title: /sys/internal/specs/openapi - HTTP API
+sidebar_title: <code>/sys/internal/specs/openapi</code>
+description: >-
+  The `/sys/internal/specs/openapi` endpoint is used to generate an OpenAPI
+  document of the mounted backends.
+---
+
+# `/sys/internal/specs/openapi`
+
+The `/sys/internal/specs/openapi` endpoint is used to generate an OpenAPI document of the mounted backends.
+The response conforms to the [OpenAPI V3 specification](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md),
+with path names matching the mount names used by the Vault server (i.e. customizations with `-path` will be reflected).
+The set of included paths is based on the permissions of the request token.
+
+The response may include Vault-specific [extensions](https://github.com/oai/openapi-specification/blob/master/versions/3.0.2.md#specification-extensions). Three are currently defined:
+
+- `x-vault-sudo` - Endpoint requires [sudo](https://www.vaultproject.io/docs/concepts/policies.html#sudo) privileges.
+- `x-vault-unauthenticated` - Endpoint is unauthenticated.
+- `x-vault-create-supported` - Endpoint allows creation of new items, in addition to updating existing items.
+
+Basic documentation will be generated for all paths, but a newer path definition structure now allows for
+more detailed documentation to be added. At this time the `/sys` endpoints have been updated to use the new
+structure, and other endpoints will be modified incrementally.
+
+## Get OpenAPI Document
+
+This endpoint returns a single OpenAPI document describing all paths visible to the requester.
+
+| Method | Path                          |
+| :----- | :---------------------------- |
+| `GET`  | `/sys/internal/specs/openapi` |
+
+### Sample Request
+
+```
+$ curl http://127.0.0.1:8200/v1/sys/internal/specs/openapi
+```
+
+### Sample Response
+
+```json
+{
+  "openapi": "3.0.2",
+  "info": {
+    "title": "HashiCorp Vault API",
+    "description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.",
+    "version": "1.0.0",
+    "license": {
+      "name": "Mozilla Public License 2.0",
+      "url": "https://www.mozilla.org/en-US/MPL/2.0"
+    }
+  },
+  "paths": {
+    "/auth/token/create": {
+      "description": "The token create path is used to create new tokens.",
+      "post": {
+        "summary": "The token create path is used to create new tokens.",
+        "tags": [
+          "auth"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    ...
+```
diff --git a/website/pages/api-docs/system/internal-ui-mounts.mdx b/website/pages/api-docs/system/internal-ui-mounts.mdx
new file mode 100644
index 000000000000..743fbc869d33
--- /dev/null
+++ b/website/pages/api-docs/system/internal-ui-mounts.mdx
@@ -0,0 +1,53 @@
+---
+layout: api
+page_title: /sys/internal/ui/mounts - HTTP API
+sidebar_title: <code>/sys/internal/ui/mounts</code>
+description: >-
+  The `/sys/internal/ui/mounts` endpoint is used to manage mount listing
+  visibility.
+---
+
+# `/sys/internal/ui/mounts`
+
+The `/sys/internal/ui/mounts` endpoint is used to manage mount listing
+visibility. The response generated by this endpoint is based on the
+`listing_visibility` value on the mount, which can be set during mount time or
+via mount tuning. This is currently only being used internally for the UI and is
+an unauthenticated endpoint.
+
+Due to the nature of its intended usage, there is no guarantee on backwards
+compatibility for this endpoint.
+
+## Get Available Visible Mounts
+
+This endpoint lists all enabled auth methods.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/sys/internal/ui/mounts` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/internal/ui/mounts
+```
+
+### Sample Response
+
+```json
+{
+  "auth": {
+    "github/": {
+      "description": "GitHub auth",
+      "type": "github"
+    }
+  },
+  "secret": {
+    "custom-secrets/": {
+      "description": "Custom secrets",
+      "type": "kv"
+    }
+  }
+}
+```
diff --git a/website/pages/api-docs/system/key-status.mdx b/website/pages/api-docs/system/key-status.mdx
new file mode 100644
index 000000000000..00bde50bac72
--- /dev/null
+++ b/website/pages/api-docs/system/key-status.mdx
@@ -0,0 +1,44 @@
+---
+layout: api
+page_title: /sys/key-status - HTTP API
+sidebar_title: <code>/sys/key-status</code>
+description: |-
+  The `/sys/key-status` endpoint is used to query info about the current
+  encryption key of Vault.
+---
+
+# `/sys/key-status`
+
+The `/sys/key-status` endpoint is used to query info about the current
+encryption key of Vault.
+
+## Get Encryption Key Status
+
+This endpoint returns information about the current encryption key used by
+Vault.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/sys/key-status` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/key-status
+
+```
+
+### Sample Response
+
+```json
+{
+  "term": 3,
+  "install_time": "2015-05-29T14:50:46.223692553-07:00"
+}
+```
+
+The `term` parameter is the sequential key number, and `install_time` is the
+time that encryption key was installed.
diff --git a/website/pages/api-docs/system/leader.mdx b/website/pages/api-docs/system/leader.mdx
new file mode 100644
index 000000000000..50a4e55a6e9d
--- /dev/null
+++ b/website/pages/api-docs/system/leader.mdx
@@ -0,0 +1,42 @@
+---
+layout: api
+page_title: /sys/leader - HTTP API
+sidebar_title: <code>/sys/leader</code>
+description: |-
+  The `/sys/leader` endpoint is used to check the high availability status and
+  current leader of Vault.
+---
+
+# `/sys/leader`
+
+The `/sys/leader` endpoint is used to check the high availability status and
+current leader of Vault.
+
+## Read Leader Status
+
+This endpoint returns the high availability status and current leader instance
+of Vault.
+
+| Method | Path          |
+| :----- | :------------ |
+| `GET`  | `/sys/leader` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/leader
+```
+
+### Sample Response
+
+```json
+{
+  "ha_enabled": true,
+  "is_self": false,
+  "leader_address": "https://127.0.0.1:8200/",
+  "leader_cluster_address": "https://127.0.0.1:8201/",
+  "performance_standby": false,
+  "performance_standby_last_remote_wal": 0
+}
+```
diff --git a/website/pages/api-docs/system/leases.mdx b/website/pages/api-docs/system/leases.mdx
new file mode 100644
index 000000000000..da8f861242d3
--- /dev/null
+++ b/website/pages/api-docs/system/leases.mdx
@@ -0,0 +1,236 @@
+---
+layout: api
+page_title: /sys/leases - HTTP API
+sidebar_title: <code>/sys/leases</code>
+description: The `/sys/leases` endpoints are used to view and manage leases.
+---
+
+# `/sys/leases`
+
+The `/sys/leases` endpoints are used to view and manage leases in Vault.
+
+## Read Lease
+
+This endpoint retrieve lease metadata.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `PUT`  | `/sys/leases/lookup` |
+
+### Parameters
+
+- `lease_id` `(string: <required>)` – Specifies the ID of the lease to lookup.
+
+### Sample Payload
+
+```json
+{
+  "lease_id": "aws/creds/deploy/abcd-1234..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/leases/lookup
+```
+
+### Sample Response
+
+```json
+{
+  "id": "auth/token/create/25c75065466dfc5f920525feafe47502c4c9915c",
+  "issue_time": "2017-04-30T10:18:11.228946471-04:00",
+  "expire_time": "2017-04-30T11:18:11.228946708-04:00",
+  "last_renewal_time": null,
+  "renewable": true,
+  "ttl": 3558
+}
+```
+
+## List Leases
+
+This endpoint returns a list of lease ids.
+
+**This endpoint requires 'sudo' capability.**
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `LIST` | `/sys/leases/lookup/:prefix` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/sys/leases/lookup/aws/creds/deploy/
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["abcd-1234...", "efgh-1234...", "ijkl-1234..."]
+  }
+}
+```
+
+## Renew Lease
+
+This endpoint renews a lease, requesting to extend the lease. Token leases
+cannot be renewed using this endpoint, use instead the auth/token/renew endpoint.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `PUT`  | `/sys/leases/renew` |
+
+### Parameters
+
+- `lease_id` `(string: <required>)` – Specifies the ID of the lease to extend.
+  This can be specified as part of the URL or as part of the request body.
+
+- `increment` `(int: 0)` – Specifies the requested amount of time (in seconds)
+  to extend the lease.
+
+### Sample Payload
+
+```json
+{
+  "lease_id": "aws/creds/deploy/abcd-1234...",
+  "increment": 1800
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/leases/renew
+```
+
+### Sample Response
+
+```json
+{
+  "lease_id": "aws/creds/deploy/abcd-1234...",
+  "renewable": true,
+  "lease_duration": 2764790
+}
+```
+
+## Revoke Lease
+
+This endpoint revokes a lease immediately.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `PUT`  | `/sys/leases/revoke` |
+
+### Parameters
+
+- `lease_id` `(string: <required>)` – Specifies the ID of the lease to revoke.
+
+### Sample Payload
+
+```json
+{
+  "lease_id": "postgresql/creds/readonly/abcd-1234..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/leases/revoke
+```
+
+## Revoke Force
+
+This endpoint revokes all secrets or tokens generated under a given prefix
+immediately. Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors
+encountered during revocation. This is _potentially very dangerous_ and should
+only be used in specific emergency situations where errors in the backend or the
+connected backend service prevent normal revocation.
+
+By ignoring these errors, Vault abdicates responsibility for ensuring that the
+issued credentials or secrets are properly revoked and/or cleaned up. Access to
+this endpoint should be tightly controlled.
+
+**This endpoint requires 'sudo' capability.**
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `PUT`  | `/sys/leases/revoke-force/:prefix` |
+
+### Parameters
+
+- `prefix` `(string: <required>)` – Specifies the prefix to revoke. This is
+  specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    http://127.0.0.1:8200/v1/sys/leases/revoke-force/aws/creds
+```
+
+## Revoke Prefix
+
+This endpoint revokes all secrets (via a lease ID prefix) or tokens (via the
+tokens' path property) generated under a given prefix immediately. This requires
+`sudo` capability and access to it should be tightly controlled as it can be
+used to revoke very large numbers of secrets/tokens at once.
+
+**This endpoint requires 'sudo' capability.**
+
+| Method | Path                                |
+| :----- | :---------------------------------- |
+| `PUT`  | `/sys/leases/revoke-prefix/:prefix` |
+
+### Parameters
+
+- `prefix` `(string: <required>)` – Specifies the prefix to revoke. This is
+  specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/aws/creds
+```
+
+## Tidy Leases
+
+This endpoint cleans up the dangling storage entries for leases. Generally,
+running this is not needed unless upgrade notes or support personnel suggest it.
+This may perform a lot of I/O to the storage method so should be used sparingly.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/sys/leases/tidy` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/leases/tidy
+```
diff --git a/website/pages/api-docs/system/license.mdx b/website/pages/api-docs/system/license.mdx
new file mode 100644
index 000000000000..fe71b3eef3e9
--- /dev/null
+++ b/website/pages/api-docs/system/license.mdx
@@ -0,0 +1,79 @@
+---
+layout: api
+page_title: /sys/license - HTTP API
+sidebar_title: <code>/sys/license</code>
+description: |-
+  The `/sys/license` endpoint is used to view and update the license used in 
+  Vault.
+---
+
+# `/sys/license`
+
+~> **Enterprise Only** – These endpoints require Vault Enterprise.
+
+The `/sys/license` endpoint is used to view and update the license used in
+Vault.
+
+## Read License
+
+This endpoint returns information about the currently installed license.
+
+| Method | Path           |
+| :----- | :------------- |
+| `GET`  | `/sys/license` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/license
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "expiration_time": "2017-11-14T16:34:36.546753-05:00",
+    "features": ["UI", "HSM", "Performance Replication", "DR Replication"],
+    "license_id": "temporary",
+    "start_time": "2017-11-14T16:04:36.546753-05:00"
+  },
+  "warnings": ["time left on license is 29m33s"]
+}
+```
+
+## Install License
+
+This endpoint is used to install a license into Vault.
+
+| Method | Path           |
+| :----- | :------------- |
+| `PUT`  | `/sys/license` |
+
+### Parameters
+
+- `text` `(string: <required>)` – The text of the license.
+
+_DR Secondary Specific Parameters_
+
+- `dr_operation_token` `(string: <required>)` - DR operation token used to authorize this request.
+
+### Sample Payload
+
+```json
+{
+  "text": "01ABCDEFG..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/license
+```
diff --git a/website/pages/api-docs/system/metrics.mdx b/website/pages/api-docs/system/metrics.mdx
new file mode 100644
index 000000000000..3c67ed83941a
--- /dev/null
+++ b/website/pages/api-docs/system/metrics.mdx
@@ -0,0 +1,69 @@
+---
+layout: api
+page_title: /sys/metrics - HTTP API
+sidebar_title: <code>/sys/metrics</code>
+description: The `/sys/metrics` endpoint is used to get telemetry metrics for Vault.
+---
+
+# `/sys/metrics`
+
+The `/sys/metrics` endpoint is used to get telemetry metrics for Vault.
+
+## Read Telemetry Metrics
+
+This endpoint returns the telemetry metrics for Vault. It can be used by metrics
+collections systems like [Prometheus](https://prometheus.io) that use a pull
+model for metrics collection.
+
+| Method | Path           |
+| :----- | :------------- |
+| `GET`  | `/sys/metrics` |
+
+### Parameters
+
+- `format` `(string: "")` – Specifies the format used for the returned metrics. The
+  default metrics format is JSON. Setting `format` to `prometheus` will return the
+  metrics in [Prometheus format](https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format).
+
+### Sample Request
+
+```
+$ curl \
+  --header "X-Vault-Token: ..." \
+    'http://127.0.0.1:8200/v1/sys/metrics?format=prometheus'
+```
+
+### Sample Response
+
+This response is only returned for a `GET` request.
+
+```
+# HELP vault_audit_log_request vault_audit_log_request
+# TYPE vault_audit_log_request summary
+vault_audit_log_request{quantile="0.5"} 0.005927000194787979
+vault_audit_log_request{quantile="0.9"} 0.005927000194787979
+vault_audit_log_request{quantile="0.99"} 0.005927000194787979
+vault_audit_log_request_sum 0.014550999738276005
+vault_audit_log_request_count 2
+# HELP vault_audit_log_request_failure vault_audit_log_request_failure
+# TYPE vault_audit_log_request_failure counter
+vault_audit_log_request_failure 0
+# HELP vault_audit_log_response vault_audit_log_response
+# TYPE vault_audit_log_response summary
+vault_audit_log_response{quantile="0.5"} NaN
+vault_audit_log_response{quantile="0.9"} NaN
+vault_audit_log_response{quantile="0.99"} NaN
+vault_audit_log_response_sum 0.0057669999077916145
+vault_audit_log_response_count 1
+# HELP vault_audit_log_response_failure vault_audit_log_response_failure
+# TYPE vault_audit_log_response_failure counter
+vault_audit_log_response_failure 0
+# HELP vault_barrier_get vault_barrier_get
+# TYPE vault_barrier_get summary
+vault_barrier_get{quantile="0.5"} 0.011938000097870827
+vault_barrier_get{quantile="0.9"} 0.011938000097870827
+vault_barrier_get{quantile="0.99"} 0.011938000097870827
+vault_barrier_get_sum 0.1814980012131855
+vault_barrier_get_count 36
+...
+```
diff --git a/website/pages/api-docs/system/mfa/duo.mdx b/website/pages/api-docs/system/mfa/duo.mdx
new file mode 100644
index 000000000000..fe3e226941b8
--- /dev/null
+++ b/website/pages/api-docs/system/mfa/duo.mdx
@@ -0,0 +1,121 @@
+---
+layout: api
+page_title: /sys/mfa/method/duo - HTTP API
+sidebar_title: <code>/sys/mfa/method/duo</code>
+description: >-
+  The '/sys/mfa/method/duo' endpoint focuses on managing Duo MFA behaviors in
+  Vault Enterprise.
+---
+
+## Configure Duo MFA Method
+
+This endpoint defines a MFA method of type Duo.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `POST` | `/sys/mfa/method/duo/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+- `mount_accessor` `(string: <required>)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
+
+- `username_format` `(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{alias.name}}@example.com"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
+
+  - alias.name: The name returned by the mount configured via the `mount_accessor` parameter
+  - entity.name: The name configured for the Entity
+  - alias.metadata.`<key>`: The value of the Alias's metadata parameter
+  - entity.metadata.`<key>`: The value of the Entity's metadata parameter
+
+- `secret_key` `(string)` - Secret key for Duo.
+
+- `integration_key` `(string)` - Integration key for Duo.
+
+- `api_hostname` `(string)` - API hostname for Duo.
+
+- `push_info` `(string)` - Push information for Duo.
+
+### Sample Payload
+
+```json
+{
+  "mount_accessor": "auth_userpass_1793464a",
+  "secret_key": "BIACEUEAXI20BNWTEYXT",
+  "integration_key": "8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz",
+  "api_hostname": "api-2b5c39f5.duosecurity.com"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mfa/method/duo/my_duo
+```
+
+## Read Duo MFA Method
+
+This endpoint queries the MFA configuration of Duo type for a given method
+name.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `GET`  | `/sys/mfa/method/duo/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/mfa/method/duo/my_duo
+
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "api_hostname": "api-2b5c39f5.duosecurity.com",
+    "id": "0ad21b78-e9bb-64fa-88b8-1e38db217bde",
+    "integration_key": "BIACEUEAXI20BNWTEYXT",
+    "mount_accessor": "auth_userpass_1793464a",
+    "name": "my_duo",
+    "pushinfo": "",
+    "secret_key": "8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz",
+    "type": "duo",
+    "username_format": ""
+  }
+}
+```
+
+## Delete Duo MFA Method
+
+This endpoint deletes a Duo MFA method.
+
+| Method   | Path                        |
+| :------- | :-------------------------- |
+| `DELETE` | `/sys/mfa/method/duo/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/mfa/method/duo/my_duo
+
+```
diff --git a/website/pages/api-docs/system/mfa/index.mdx b/website/pages/api-docs/system/mfa/index.mdx
new file mode 100644
index 000000000000..25b11ceed35f
--- /dev/null
+++ b/website/pages/api-docs/system/mfa/index.mdx
@@ -0,0 +1,22 @@
+---
+layout: api
+page_title: /sys/mfa - HTTP API
+sidebar_title: <code>/sys/mfa</code>
+description: >-
+  The '/sys/mfa' endpoint focuses on managing MFA behaviors in Vault Enterprise
+  MFA.
+---
+
+# `/sys/mfa`
+
+~> **Enterprise Only** – These endpoints require Vault Enterprise.
+
+## Supported MFA types.
+
+- [TOTP](/api/system/mfa/totp.html)
+
+- [Okta](/api/system/mfa/okta.html)
+
+- [Duo](/api/system/mfa/duo.html)
+
+- [PingID](/api/system/mfa/pingid.html)
diff --git a/website/pages/api-docs/system/mfa/okta.mdx b/website/pages/api-docs/system/mfa/okta.mdx
new file mode 100644
index 000000000000..fd7ca76d0d0e
--- /dev/null
+++ b/website/pages/api-docs/system/mfa/okta.mdx
@@ -0,0 +1,119 @@
+---
+layout: api
+page_title: /sys/mfa/method/okta - HTTP API
+sidebar_title: <code>/sys/mfa/method/okta</code>
+description: >-
+  The '/sys/mfa/method/okta' endpoint focuses on managing Okta MFA behaviors in
+  Vault Enterprise.
+---
+
+## Configure Okta MFA Method
+
+This endpoint defines a MFA method of type Okta.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/sys/mfa/method/okta/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+- `mount_accessor` `(string: <required>)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
+
+- `username_format` `(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{alias.name}}@example.com"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
+
+  - alias.name: The name returned by the mount configured via the `mount_accessor` parameter
+  - entity.name: The name configured for the Entity
+  - alias.metadata.`<key>`: The value of the Alias's metadata parameter
+  - entity.metadata.`<key>`: The value of the Entity's metadata parameter
+
+- `org_name` `(string)` - Name of the organization to be used in the Okta API.
+
+- `api_token` `(string)` - Okta API key.
+
+- `base_url` `(string)` - If set, will be used as the base domain for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com.
+
+- `primary_email` `(bool: false)` - If set, the username will only match the primary email for the account.
+
+### Sample Payload
+
+```json
+{
+  "mount_accessor": "auth_userpass_1793464a",
+  "org_name": "dev-262778",
+  "api_token": "0081u7KrReNkzmABZJAP2oDyIXccveqx9vIOEyCZDC"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mfa/method/okta/my_okta
+```
+
+## Read Okta MFA Method
+
+This endpoint queries the MFA configuration of Okta type for a given method
+name.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/sys/mfa/method/okta/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/mfa/method/okta/my_okta
+
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "api_token": "0081u7KrReNkzmABZJAP2oDyIXccveqx9vIOEyCZDC",
+    "id": "e39f08a1-a42d-143d-5b87-15c61d89c15a",
+    "mount_accessor": "auth_userpass_1793464a",
+    "name": "my_okta",
+    "org_name": "dev-262778",
+    "production": true,
+    "type": "okta",
+    "username_format": ""
+  }
+}
+```
+
+## Delete Okta MFA Method
+
+This endpoint deletes a Okta MFA method.
+
+| Method   | Path                         |
+| :------- | :--------------------------- |
+| `DELETE` | `/sys/mfa/method/okta/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/mfa/method/okta/my_okta
+
+```
diff --git a/website/pages/api-docs/system/mfa/pingid.mdx b/website/pages/api-docs/system/mfa/pingid.mdx
new file mode 100644
index 000000000000..6d7b6c1f899c
--- /dev/null
+++ b/website/pages/api-docs/system/mfa/pingid.mdx
@@ -0,0 +1,113 @@
+---
+layout: api
+page_title: /sys/mfa/method/pingid - HTTP API
+sidebar_title: <code>/sys/mfa/method/pingid</code>
+description: >-
+  The '/sys/mfa/method/pingid' endpoint focuses on managing PingID MFA behaviors
+  in Vault Enterprise.
+---
+
+## Configure PingID MFA Method
+
+This endpoint defines a MFA method of type PingID.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/sys/mfa/method/pingid/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+- `mount_accessor` `(string: <required>)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
+
+- `username_format` `(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{alias.name}}@example.com"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
+
+  - alias.name: The name returned by the mount configured via the `mount_accessor` parameter
+  - entity.name: The name configured for the Entity
+  - alias.metadata.`<key>`: The value of the Alias's metadata parameter
+  - entity.metadata.`<key>`: The value of the Entity's metadata parameter
+
+- `settings_file_base64` `(string)` - A base64-encoded third-party settings file retrieved from PingID's configuration page.
+
+### Sample Payload
+
+```json
+{
+  "mount_accessor": "auth_userpass_1793464a",
+  "settings_file_base64": "AA8owj3..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mfa/method/pingid/ping
+```
+
+## Read PingiD MFA Method
+
+This endpoint queries the MFA configuration of PingID type for a given method
+name.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/sys/mfa/method/pingid/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/mfa/method/pingid/ping
+
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "use_signature": true,
+    "idp_url": "https://idpxnyl3m.pingidentity.com/pingid",
+    "admin_url": "https://idpxnyl3m.pingidentity.com/pingid",
+    "authenticator_url": "https://authenticator.pingone.com/pingid/ppm",
+    "mount_accessor": "auth_userpass_1793464a",
+    "name": "ping",
+    "org_alias": "181459b0-9fb1-4938-8c86...",
+    "type": "pingid",
+    "username_format": ""
+  }
+}
+```
+
+## Delete PingID MFA Method
+
+This endpoint deletes a PingID MFA method.
+
+| Method   | Path                           |
+| :------- | :----------------------------- |
+| `DELETE` | `/sys/mfa/method/pingid/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/mfa/method/pingid/ping
+
+```
diff --git a/website/pages/api-docs/system/mfa/totp.mdx b/website/pages/api-docs/system/mfa/totp.mdx
new file mode 100644
index 000000000000..c91ee67c1085
--- /dev/null
+++ b/website/pages/api-docs/system/mfa/totp.mdx
@@ -0,0 +1,234 @@
+---
+layout: api
+page_title: /sys/mfa/method/totp - HTTP API
+sidebar_title: <code>/sys/mfa/method/totp</code>
+description: >-
+  The '/sys/mfa/method/totp' endpoint focuses on managing TOTP MFA behaviors in
+  Vault Enterprise.
+---
+
+## Configure TOTP MFA Method
+
+This endpoint defines a MFA method of type TOTP.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/sys/mfa/method/totp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+- `issuer` `(string: <required>)` - The name of the key's issuing organization.
+
+- `period` `(int or duration format string: 30)` - The length of time used to generate a counter for the TOTP token calculation.
+
+- `key_size` `(int: 20)` – Specifies the size in bytes of the generated key.
+
+- `qr_size` `(int: 200)` - The pixel size of the generated square QR code.
+
+- `algorithm` `(string: "SHA1")` – Specifies the hashing algorithm used to generate the TOTP code. Options include "SHA1", "SHA256" and "SHA512".
+
+- `digits` `(int: 6)` - The number of digits in the generated TOTP token. This value can either be 6 or 8.
+
+- `skew` `(int: 1)` - The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.
+
+### Sample Payload
+
+```json
+{
+  "issuer": "vault"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp
+```
+
+## Read TOTP MFA Method
+
+This endpoint queries the MFA configuration of TOTP type for a given method
+name.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/sys/mfa/method/totp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp
+
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "algorithm": "SHA1",
+    "digits": 6,
+    "id": "865587ba-6229-7f2a-6da0-609d5370af70",
+    "issuer": "vault",
+    "key_size": 20,
+    "name": "my_totp",
+    "period": 30,
+    "qr_size": 200,
+    "skew": 1,
+    "type": "totp"
+  }
+}
+```
+
+## Delete TOTP MFA Method
+
+This endpoint deletes a TOTP MFA method.
+
+| Method   | Path                         |
+| :------- | :--------------------------- |
+| `DELETE` | `/sys/mfa/method/totp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp
+
+```
+
+## Generate a TOTP MFA Secret
+
+This endpoint generates an MFA secret in the entity of the calling token, if it
+doesn't exist already, using the configuration stored under the given MFA
+method name.
+
+| Method | Path                                  |
+| :----- | :------------------------------------ |
+| `GET`  | `/sys/mfa/method/totp/:name/generate` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the MFA method.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp/generate
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "barcode": "iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BAAAGc0lEQVR4nOyd244bOQxEZxbz/7+cRQI4sLWiyCLlTU1wzkMAu1uXTIGSxUv3148fH2DEP396AvDK189/Pj97jR/W9Wi/fs7uz/pZya5H92dk40fzjeY1+XtiIWYgiBkIYsbX84dba7O6B0z3hmgPqO5Z6/WsH3VvynjuDwsxA0HMQBAzvnZfZueI6Pvs93r2+z6ax7qWZ+2zPSP7PutfPW8of08sxAwEMQNBzNjuISqRLyc7X6jnkex8UPVBqXtJxk2PORZiBoKYgSBmXNlDsriIeq6J+umeG1RfVjav7L4JWIgZCGIGgpix3UO6a6MaU4/OD9Fnda2P2qnxl2ge1fbKOFiIGQhiBoKY8bKHdH052V5Q3VPUz9n42XhR++zzStWXVgELMQNBzEAQM37tIbd9MtX4Qvc8EI13q32210Sfb8wHCzEDQcxAEDM+f6532e/86nmiPYk31X2sZP1Pz0PVGP+pPRZiBoKYgSBmbPeQ/9xUvP6geg7p9leNj3RrH7v1K+reRm7vNwBBzEAQM471IVmt3oN31V9E93Xr3KNx1BrD7t+jMl8sxAwEMQNBzDjm9lZj5d04gZoLHPX3rjjFu3J5T/8/LMQMBDEDQcyQ6kPUHNsH1TU+Gi/qr+rLmo6zfq6eTzr9YiFmIIgZCGLG5/M69y5fzfr9Ol613bQ/NaYe9bui5gKczmNYiBkIYgaCmHF85mK01t2KO2Q1h9l43dzgbhxG7b+zZ2EhZiCIGQhiRuvZ77dygNVY+3q9es5Qv1+vT2sIlb0OCzEDQcxAEDMkX1bXN7S2z8brxl2q40b3rXR9bxn4sr4RCGIGgpjxUh8S0a2feFdNYrd/Ndad9Xsrpv/cHgsxA0HMQBAzPk/reXdN7fqA3ln/PZnndE9SxsFCzEAQMxDEjJd4iJqrqtYiPlBr9qZE81znk7V/F8TUjUEQMxDEjO1ze9U1PqtFzO5X87VW1H6i+XXqyneQl/UXgSBmIIgZpdzebgxdPWdMfVnr/dHn23XsWb18VpP4DBZiBoKYgSBmbPOyukzr2Lvnlu781FzkaF7deezAQsxAEDMQxIxjTP33TcN8JpXqOOp9qg8tm586n8qehYWYgSBmIIgZrfcYZvGPW2tztZ0aj8nGzb7Prnfr5z+wED8QxAwEMaP0PvVpzV63zru6pld//6t7SvRZzXmO5rPrBwsxA0HMQBAzpGeddH08WT/VNTv6vZ/NJxp/Wh8S9ZvN5/T/x0LMQBAzEMSMY0y9mpdV3YPU+pNsnGm+1v9dyxhBjaExCGIGgpixPYdUzwUdf/8JNV+qu3dE/aj9Z/Un0XzWcTiHGIMgZiCIGaX3qf+++fLe0f0dP83FVfO0VNS9jXOIMQhiBoKY8esc0vUBqb4ttY49Q13js/uzPKsuSr4XFmIGgpiBIGaM8rKmz0bJxo36nZ5Xov6zcbvnFqWWEQsxA0HMQBAzSs9cXKneH8ULpnUV0/lle0Y3DqOOv2uPhZiBIGYgiBnbOvVunfdKNyf2to9L9UV1Y/Tr/ep5iXiIIQhiBoKYcczLys4P1b2lGwNf23dr99Q8rqnvrOvr+sBC/EAQMxDEjG1M/UHXFxWhxAUq31evd5nmjWU+MvKyvgEIYgaCmLF9F+7Ul7TSrbdQzw/qeOv9K7f+v0o7LMQMBDEDQcw4vj8kYlpf3vUFZe2jeVbbVX1Y1fE6eyAWYgaCmIEgZmyfdVL9XT7NAb5F9xyh7n3Tc1IlToKFmIEgZiCIGaV3UHXrv6P23fyubj1K1l80zwg17yq6vhsfCzE DQcxAEDOOz+2troUZaq1hNP40lr/eP61TicbP5nO6joWYgSBmIIgZx7ysiNu+ruj6dB5q7D4ii5Oo82EP+UYgiBkIYob0/pCV2/Uda7/TunX1PJHNq9qvGvN/HgcLMQNBzEAQM1p5WdM6kI mv5zReNo9uvtet+WTz+sBC/EAQMxDEjO0zF99dA9it+6jOM7qe+dKqde7V/qP5nP5eWIgZCGIGgpix3UNUbsXkq/Xd2Thd35zqE5v66Hb9YCFmIIgZCGLGlT3kwS1fUbcGsVq3HvUXnY/U+ ExEZW/DQsxAEDMQxIzS+0Mybq3REd1c3ur5qBs7z/a4zjNWsBAzEMQMBDHjZQ+Z+oAeqGv42o9aq5j1m5HN51ZdfWX+WIgZCGIGgpixfX8I/DmwEDP+DQAA//9kwGH4xZewMgAAAABJRU5E rkJggg==",
+    "url": "otpauth://totp/vault:4746fb81-028c-cd4e-026b-7dd18fe4c2f4?algorithm=SHA1&digits=6&issuer=vault&period=30&secret=XVE7TOZWJVEWQOATOD7 U53IEAJG72Z2I"
+  }
+}
+```
+
+## Administratively Generate a TOTP MFA Secret
+
+This endpoint can be used to generate a TOTP MFA secret. Unlike the `generate`
+API which stores the generated secret on the entity ID of the calling token,
+the `admin-generate` API stores the generated secret on the given entity ID.
+
+| Method | Path                                        |
+| :----- | :------------------------------------------ |
+| `POST` | `/sys/mfa/method/totp/:name/admin-generate` |
+
+### Parameters
+
+- `name` `(string: <required>)` - Name of the MFA method.
+
+- `entity_id` `(string: <required>)` - Entity ID on which the generated secret
+  needs to get stored.
+
+### Sample Payload
+
+```json
+{
+  "entity_id": "4746fb81-028c-cd4e-026b-7dd18fe4c2f4"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp/admin-generate
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "barcode": "iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BAAAGZElEQVR4nOyd7W4jNwxFkyLv/8pbpMAAHnUo8pJyc1Oc82OB2KOP9QVFSyTlrz9/PsCIv356AnDn6/ufz89e48i6ov6u59f319ezfqtWnf2/snHX19XnVL7bYyFmIIgZCGLG5/e61V2b37WWXkRr9+lxonEvqv1XfeHK6/NYiBkIYgaCmPH19GK2j4ieX9/P9h0R2T6l+pzqYzKfmM0zQvk8sRAzEMQMBDHj0YdMqa6Z1TOvyDdF/VTPnqLnVzIfePLEHAsxA0HMQBAz3uJDqvuVbO1Vv/934yzReNV4ykmwEDMQxAwEMePRh5xeG6fxjNXnVM+Y1HHVM7Tq56R8nliIGQhiBoKYcfMhp2LT6hp7UY2hV8dTY/KZT1N9SufzxELMQBAzEMSMf3zI6X2HembUXbuz8dT9g+qLIiafJxZiBoKYgSBm3OpDunlMartTubrdeEUWI1dzAqa5wK9gIWYgiBkIYsaReIi6P1jbqd/7qznDqm9SfcKJs6sVLMQMBDEDQcz43K3z3fqLaf336fiFymQf8dRe8aVYiBkIYgaCmHHzIdW8pGo8QT1rOuULTvkc9a6TqD+lTgULMQNBzEAQMx7jIRdqjV7ULvpbrReJxl/nodYodseLxu/GWz6wED8QxAwEMeN2X9ZK9/4neRLDNfrUc919yPp8t/8PLMQPBDEDQcyQ6tTVO0JWqvGT6PWu75jub6L+T/kg4iHGIIgZCGLGKB5yKn5SpVuDWKXrI0/4jgssxAwEMQNBzNieZWV0v/erZ0Knxp3OYxoXqoyPhZiBIGYgiBmPub1q7m7G6fiB2n+3niSbZwT7kP8RCGIGgpjxeF9W5iPU8/+ofUY1r6q6ZkfzmtbJV2skozw04iHGIIgZCGKGlJeVvZ61V+MX07OiqJ9oftE41fGm9TD4EEMQxAwEMaN010lW1zGNoVfX+OrZl/rcfx0P2c0XCzEDQcxAEDMe87K68YBubH7tdxonmcb0q+2qZ2DK/gkLMQNBzEAQM2516lXUs6GIbA3v+qruPinrX/Ud0Xx288JCzEAQMxDEjG2NYXf/odztsXuuEoOu9BO93933RONm86n0h4WYgSBmIIgZt9+gqtaDq7m3K2rObnc+UT/Z36f2MZ28MCzEDAQxA0HMaJ1lTevBo/5OxRsysv1O9Fx1nO4Z3QcW4geCmIEgZki/H1Klu+Z369PVeVXHexfEQ34RCGIGgpjxWGN40c1VXdtXaxW79SLTOvqonVpDqdavkNv7C0AQMxDEjNK9vdP4gFq3ntV1Z+NEf099ZEZ1vrv+sBAzEMQMBDFjW2PYjT9U4xqqT1D7/ak4j5rn9QoWYgaCmIEgZpTu7e2u5Vk/4aQO3XFSHUc9s1rnNfVdr/1hIWYgiBkIYsZtH6LGA9Z20d8Z3fuq1HyqUznC1fZVX0c8xBgEMQNBzNje2xvxrlzYan1K1H82fjXOUfU12XzW5yufBxZiBoKYgSBmSL+FezE9s1lR9yHq2VvUT7fefOpjd58fFmIGgpiBIGZId52sr6u5u9M7RtTn1Hmr8ZzqnSvK2R4WYgaCmIEgZmzjIdHr3Rzfi278I3pdvStFrWVUfU52d8quPRZiBoKYgSBmbOvU//Xwobr1U7FpNV8qatetm4+onvU9jYuFmIEgZiCIGbf7srLv1d01vLsWqzmzapymeyaWfQ5qXtsrWIgZCGIGgphR+g2q9f0V9Y6SartsXtP8qOmZWDTe5AwMCzEDQcxAEDMeY+rVfUj0fLddN9Y+3feodfPd+pnKvLAQMxDEDAQxY1unPo11q+2i8adxCXV+an/qfHbzwELMQBAzEMQMKaYediL6FDVmruaBTWsU1bMwdT67/zcWYgaCmIEgZrR+g+piPata18Tu9/Zurq5aTxLNV833qs6nMg8sxAwEMQNBzHisD8lQ6y3W/qt3kpyuS8/ez3xiNL/qfMjL+oUgiBkIYkYppn7R9THd56s5tBGn60myfcSJ3GMsxAwEMQNBzGjdlxXRja1068mj9tla3c3DysaLxon+fgILMQNBzEAQM476kG5c5aJ7BnS6bqX6+jS/jLysXwCCmIEgZmx/x7DK6btCurF31WdMawPfkXOMhZiBIGYgiBmPvx+iUo2RV/vp3llSpZuXpfqgbNwnsBAzEMQMBDHjSH0InAMLMePvAAAA//8x2VnbmmL6HQAAAABJRU5ErkJggg==",
+    "url": "otpauth://totp/vault:4746fb81-028c-cd4e-026b-7dd18fe4c2f4?algorithm=SHA1&digits=6&issuer=vault&period=30&secret=6HQ4RZ7GM6MMLRKVDCI23LXNZF7UDZ2U"
+  }
+}
+```
+
+### Administratively Destroy TOTP MFA Secret
+
+This endpoint deletes a TOTP MFA secret from the given entity ID.
+
+Note that in order to overwrite a secret on the entity, it is required to
+explicitly delete the secret first. This API can be used to delete the secret
+and the `generate` or `admin-generate` APIs should be used to regenerate a new
+secret.
+
+| Method | Path                                  |
+| :----- | :------------------------------------ |
+| `POST` | `/sys/mfa/method/:name/admin-destroy` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the MFA method.
+
+- `entity_id` `(string: <required>)` - Entity ID from which the MFA secret
+  should be removed.
+
+### Sample Payload
+
+```json
+{
+  "entity_id": "4746fb81-028c-cd4e-026b-7dd18fe4c2f4"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp/admin-destroy
+```
diff --git a/website/pages/api-docs/system/mounts.mdx b/website/pages/api-docs/system/mounts.mdx
new file mode 100644
index 000000000000..92138fdc7d27
--- /dev/null
+++ b/website/pages/api-docs/system/mounts.mdx
@@ -0,0 +1,272 @@
+---
+layout: api
+page_title: /sys/mounts - HTTP API
+sidebar_title: <code>/sys/mounts</code>
+description: The `/sys/mounts` endpoint is used manage secrets engines in Vault.
+---
+
+# `/sys/mounts`
+
+The `/sys/mounts` endpoint is used manage secrets engines in Vault.
+
+## List Mounted Secrets Engines
+
+This endpoints lists all the mounted secrets engines.
+
+| Method | Path          |
+| :----- | :------------ |
+| `GET`  | `/sys/mounts` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/mounts
+```
+
+### Sample Response
+
+```json
+{
+  "aws/": {
+    "type": "aws",
+    "description": "AWS keys",
+    "config": {
+      "default_lease_ttl": 0,
+      "max_lease_ttl": 0,
+      "force_no_cache": false,
+      "seal_wrap": false
+    }
+  },
+  "sys/": {
+    "type": "system",
+    "description": "system endpoint",
+    "config": {
+      "default_lease_ttl": 0,
+      "max_lease_ttl": 0,
+      "force_no_cache": false,
+      "seal_wrap": false
+    }
+  },
+  "data": {
+    "aws/": {
+      "type": "aws",
+      "description": "AWS keys",
+      "config": {
+        "default_lease_ttl": 0,
+        "max_lease_ttl": 0,
+        "force_no_cache": false,
+        "seal_wrap": false
+      }
+    },
+    "sys/": {
+      "type": "system",
+      "description": "system endpoint",
+      "config": {
+        "default_lease_ttl": 0,
+        "max_lease_ttl": 0,
+        "force_no_cache": false,
+        "seal_wrap": false
+      }
+    }
+  }
+}
+```
+
+`default_lease_ttl` or `max_lease_ttl` values of 0 mean that the system defaults
+are used by this backend.
+
+## Enable Secrets Engine
+
+This endpoint enables a new secrets engine at the given path.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `POST` | `/sys/mounts/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path where the secrets engine
+  will be mounted. This is specified as part of the URL.
+
+  !> **NOTE:** Use ASCII printable characters to specify the desired path.
+
+- `type` `(string: <required>)` – Specifies the type of the backend, such as
+  "aws".
+
+- `description` `(string: "")` – Specifies the human-friendly description of the
+  mount.
+
+- `config` `(map<string|string>: nil)` – Specifies configuration options for
+  this mount; if set on a specific mount, values will override any global
+  defaults (e.g. the system TTL/Max TTL)
+
+  - `default_lease_ttl` `(string: "")` - The default lease duration, specified
+    as a string duration like "5s" or "30m".
+
+  - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
+    string duration like "5s" or "30m".
+
+  - `force_no_cache` `(bool: false)` - Disable caching.
+
+  - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
+    that will not be HMAC'd by audit devices in the request data object.
+
+  - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
+    that will not be HMAC'd by audit devices in the response data object.
+
+  - `listing_visibility` `(string: "")` - Specifies whether to show this mount
+    in the UI-specific listing endpoint. Valid values are `"unauth"` or
+    `"hidden"`. If not set, behaves like `"hidden"`.
+
+  - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
+    to whitelist and pass from the request to the plugin.
+
+  - `allowed_response_headers` `(array: [])` - Comma-separated list of headers
+    to whitelist, allowing a plugin to include them in the response.
+
+- `options` `(map<string|string>: nil)` - Specifies mount type specific options
+  that are passed to the backend.
+
+  _Key/Value (KV)_
+
+  - `version` `(string: "1")` - The version of the KV to mount. Set to "2" for mount
+    KV v2.
+
+Additionally, the following options are allowed in Vault open-source, but
+relevant functionality is only supported in Vault Enterprise:
+
+- `local` `(bool: false)` – Specifies if the secrets engine is a local mount
+  only. Local mounts are not replicated nor (if a secondary) removed by
+  replication.
+
+- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
+  values stored by the mount to be wrapped by the seal's encryption capability.
+
+- `external_entropy_access` `(bool: false)` - Enable the secrets engine to access
+  Vault's external entropy source.
+
+### Sample Payload
+
+```json
+{
+  "type": "aws",
+  "config": {
+    "force_no_cache": true
+  }
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mounts/my-mount
+```
+
+## Disable Secrets Engine
+
+This endpoint disables the mount point specified in the URL.
+
+| Method   | Path                |
+| :------- | :------------------ |
+| `DELETE` | `/sys/mounts/:path` | `204 (empty body)` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/mounts/my-mount
+```
+
+## Read Mount Configuration
+
+This endpoint reads the given mount's configuration. Unlike the `mounts`
+endpoint, this will return the current time in seconds for each TTL, which may
+be the system default or a mount-specific value.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `GET`  | `/sys/mounts/:path/tune` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
+```
+
+### Sample Response
+
+```json
+{
+  "default_lease_ttl": 3600,
+  "max_lease_ttl": 7200,
+  "force_no_cache": false
+}
+```
+
+## Tune Mount Configuration
+
+This endpoint tunes configuration parameters for a given mount point.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/sys/mounts/:path/tune` |
+
+### Parameters
+
+- `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. This
+  overrides the global default. A value of `0` is equivalent to the system
+  default TTL.
+
+- `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. This
+  overrides the global default. A value of `0` are equivalent and set to the
+  system max TTL.
+
+- `description` `(string: "")` – Specifies the description of the mount. This
+  overrides the current stored value, if any.
+
+- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
+  list of keys that will not be HMAC'd by audit devices in the request data
+  object.
+
+- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
+  list of keys that will not be HMAC'd by audit devices in the response data
+  object.
+
+- `listing_visibility` `(string: "")` - Specifies whether to show this mount in
+  the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
+  If not set, behaves like `"hidden"`.
+
+- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
+  to whitelist and pass from the request to the plugin.
+
+- `allowed_response_headers` `(array: [])` - Comma-separated list of headers
+  to whitelist, allowing a plugin to include them in the response.
+
+### Sample Payload
+
+```json
+{
+  "default_lease_ttl": 1800,
+  "max_lease_ttl": 3600
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
+```
diff --git a/website/pages/api-docs/system/namespaces.mdx b/website/pages/api-docs/system/namespaces.mdx
new file mode 100644
index 000000000000..1c4ddca3c663
--- /dev/null
+++ b/website/pages/api-docs/system/namespaces.mdx
@@ -0,0 +1,97 @@
+---
+layout: api
+page_title: /sys/namespaces - HTTP API
+sidebar_title: <code>/sys/namespaces</code>
+description: The `/sys/namespaces` endpoint is used manage namespaces in Vault.
+---
+
+# `/sys/namespaces`
+
+The `/sys/namespaces` endpoint is used manage namespaces in Vault.
+
+## List Namespaces
+
+This endpoints lists all the namespaces.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `LIST` | `/sys/namespaces` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    -X LIST \
+    http://127.0.0.1:8200/v1/sys/namespaces
+```
+
+### Sample Response
+
+```json
+["ns1/", "ns2/"]
+```
+
+## Create Namespace
+
+This endpoint creates a namespace at the givent path.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST` | `/sys/namespaces/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the path where the namespace
+  will be namespace. This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/namespaces/ns1
+```
+
+## Delete Namespace
+
+This endpoint deletes a namespace at the specified path.
+
+| Method   | Path                    |
+| :------- | :---------------------- |
+| `DELETE` | `/sys/namespaces/:path` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/namespaces/ns1
+```
+
+## Read Namespace Information
+
+This endpoint get the metadata for the given namespace path.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `GET`  | `/sys/namespaces/:path` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/namespaces/ns1
+```
+
+### Sample Response
+
+```json
+{
+  "id": "gsudj",
+  "path": "ns1/"
+}
+```
diff --git a/website/pages/api-docs/system/plugins-catalog.mdx b/website/pages/api-docs/system/plugins-catalog.mdx
new file mode 100644
index 000000000000..b4d735ce6482
--- /dev/null
+++ b/website/pages/api-docs/system/plugins-catalog.mdx
@@ -0,0 +1,217 @@
+---
+layout: api
+page_title: /sys/plugins/catalog - HTTP API
+sidebar_title: <code>/sys/plugins/catalog</code>
+description: The `/sys/plugins/catalog` endpoint is used to manage plugins.
+---
+
+# `/sys/plugins/catalog`
+
+The `/sys/plugins/catalog` endpoint is used to read, register, update, and
+remove plugins in Vault's catalog. Plugins must be registered before use, and
+once registered backends can use the plugin by querying the catalog.
+
+## LIST Plugins
+
+This endpoint lists the plugins in the catalog by type.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/sys/plugins/catalog` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/plugins/catalog
+```
+
+### Sample Response
+
+```javascript
+{
+    "data": {
+        "auth": [
+            "aws",
+            "azure",
+            "custom-auth-plugin",
+            "gcp",
+            "ldap"
+        ],
+        "database": [
+            "cassandra-database-plugin",
+            "mssql-database-plugin",
+            "mysql-database-plugin",
+            "postgresql-database-plugin"
+        ],
+        "secret": [
+            "ad",
+            "aws",
+            "azure",
+            "gcp",
+            "transit"
+        ]
+    }
+}
+```
+
+## LIST Plugins
+
+This endpoint lists the plugins in the catalog by type.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `LIST` | `/sys/plugins/catalog/auth`     |
+| `LIST` | `/sys/plugins/catalog/database` |
+| `LIST` | `/sys/plugins/catalog/secret`   |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST
+    http://127.0.0.1:8200/v1/sys/plugins/catalog/auth
+```
+
+### Sample Response
+
+```javascript
+{
+    "data": {
+        "keys": [
+            "aws",
+            "azure",
+            "custom-auth-plugin",
+            "gcp",
+            "ldap"
+        ]
+    }
+}
+```
+
+## Register Plugin
+
+This endpoint registers a new plugin, or updates an existing one with the
+supplied name.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `PUT`  | `/sys/plugins/catalog/:type/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name for this plugin. The name
+  is what is used to look up plugins in the catalog. This is part of the request
+  URL.
+
+- `type` `(string: <required>)` – Specifies the type of this plugin. May be
+  "auth", "database", or "secret".
+
+- `sha256` `(string: <required>)` – This is the SHA256 sum of the plugin's
+  binary. Before a plugin is run it's SHA will be checked against this value, if
+  they do not match the plugin can not be run.
+
+- `command` `(string: <required>)` – Specifies the command used to execute the
+  plugin. This is relative to the plugin directory. e.g. `"myplugin"`.
+
+- `args` `(array: [])` – Specifies the arguments used to execute the plugin. If
+  the arguments are provided here, the `command` parameter should only contain
+  the named program. e.g. `"--my_flag=1"`.
+
+- `env` `(array: [])` – Specifies the environment variables used during the
+  execution of the plugin. Each entry is of the form "key=value". e.g
+  `"FOO=BAR"`.
+
+### Sample Payload
+
+```json
+{
+  "sha256": "d130b9a0fbfddef9709d8ff92e5e6053ccd246b78632fc03b8548457026961e9",
+  "command": "mysql-database-plugin"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/plugins/catalog/secret/example-plugin
+```
+
+## Read Plugin
+
+This endpoint returns the configuration data for the plugin with the given name.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `GET`  | `/sys/plugins/catalog/:type/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the plugin to retrieve.
+  This is part of the request URL.
+
+- `type` `(string: <required>)` – Specifies the type of this plugin. May be
+  "auth", "database", or "secret".
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/plugins/catalog/secret/example-plugin
+```
+
+### Sample Response
+
+```javascript
+{
+	"data": {
+		"args": [],
+		"builtin": false,
+		"command": "/tmp/vault-plugins/mysql-database-plugin",
+		"name": "example-plugin",
+		"sha256": "0TC5oPv93vlwnY/5Ll5gU8zSRreGMvwDuFSEVwJpYek="
+	}
+}
+```
+
+## Remove Plugin from Catalog
+
+This endpoint removes the plugin with the given name.
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
+
+| Method   | Path                               |
+| :------- | :--------------------------------- |
+| `DELETE` | `/sys/plugins/catalog/:type/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the plugin to delete.
+  This is part of the request URL.
+
+- `type` `(string: <required>)` – Specifies the type of this plugin. May be
+  "auth", "database", or "secret".
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/plugins/catalog/secret/example-plugin
+```
diff --git a/website/pages/api-docs/system/plugins-reload-backend.mdx b/website/pages/api-docs/system/plugins-reload-backend.mdx
new file mode 100644
index 000000000000..36393d4ac607
--- /dev/null
+++ b/website/pages/api-docs/system/plugins-reload-backend.mdx
@@ -0,0 +1,46 @@
+---
+layout: api
+page_title: /sys/plugins/reload/backend - HTTP API
+sidebar_title: <code>/sys/plugins/reload/backend</code>
+description: The `/sys/plugins/reload/backend` endpoint is used to reload plugin backends.
+---
+
+# `/sys/plugins/reload/backend`
+
+The `/sys/plugins/reload/backend` endpoint is used to reload mounted plugin
+backends. Either the plugin name (`plugin`) or the desired plugin backend mounts
+(`mounts`) must be provided, but not both. In the case that the plugin name is
+provided, all mounted paths that use that plugin backend will be reloaded.
+
+## Reload Plugins
+
+This endpoint reloads mounted plugin backends.
+
+| Method | Path -                        |
+| :----- | :---------------------------- |
+| `PUT`  | `/sys/plugins/reload/backend` |
+
+### Parameters
+
+- `plugin` `(string: "")` – The name of the plugin to reload, as
+  registered in the plugin catalog.
+
+- `mounts` `(array: [])` – Array or comma-separated string mount paths
+  of the plugin backends to reload.
+
+### Sample Payload
+
+```json
+{
+  "plugin": "mock-plugin"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT
+    http://127.0.0.1:8200/v1/sys/plugins/reload/backend
+```
diff --git a/website/pages/api-docs/system/policies.mdx b/website/pages/api-docs/system/policies.mdx
new file mode 100644
index 000000000000..3813b8974f86
--- /dev/null
+++ b/website/pages/api-docs/system/policies.mdx
@@ -0,0 +1,376 @@
+---
+layout: api
+page_title: /sys/policies/ - HTTP API
+sidebar_title: <code>/sys/policies</code>
+description: >-
+  The `/sys/policies/` endpoints are used to manage ACL, RGP, and EGP policies
+  in Vault.
+---
+
+# `/sys/policies/`
+
+The `/sys/policies` endpoints are used to manage ACL, RGP, and EGP policies in Vault.
+
+~> **NOTE**: This endpoint is only available in Vault version 0.9+. Please also note that RGPs and EGPs are Vault Enterprise Premium features and the associated endpoints are not available in Vault Open Source or Vault Enterprise Pro.
+
+## List ACL Policies
+
+This endpoint lists all configured ACL policies.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `LIST` | `/sys/policies/acl` |
+
+### Sample Request
+
+```
+$ curl \
+    -X LIST --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/policies/acl
+```
+
+### Sample Response
+
+```json
+{
+  "keys": ["root", "my-policy"]
+}
+```
+
+## Read ACL Policy
+
+This endpoint retrieves information about the named ACL policy.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/sys/policies/acl/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
+  This is specified as part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
+```
+
+### Sample Response
+
+```json
+{
+  "name": "deploy",
+  "policy": "path \"secret/foo\" {..."
+}
+```
+
+## Create/Update ACL Policy
+
+This endpoint adds a new or updates an existing ACL policy. Once a policy is
+updated, it takes effect immediately to all associated users.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `PUT`  | `/sys/policies/acl/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to create.
+  This is specified as part of the request URL.
+
+- `policy` `(string: <required>)` - Specifies the policy document. This can be
+  base64-encoded to avoid string escaping.
+
+### Sample Payload
+
+```json
+{
+  "policy": "path \"secret/foo\" {..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
+```
+
+## Delete ACL Policy
+
+This endpoint deletes the ACL policy with the given name. This will immediately
+affect all users associated with this policy. (A deleted policy set on a token
+acts as an empty policy.)
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/sys/policies/acl/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to delete.
+  This is specified as part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
+```
+
+## List RGP Policies
+
+This endpoint lists all configured RGP policies.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `LIST` | `/sys/policies/rgp` |
+
+### Sample Request
+
+```
+$ curl \
+    -X LIST --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/policies/rgp
+```
+
+### Sample Response
+
+```json
+{
+  "keys": ["webapp", "database"]
+}
+```
+
+## Read RGP Policy
+
+This endpoint retrieves information about the named RGP policy.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/sys/policies/rgp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
+  This is specified as part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
+```
+
+### Sample Response
+
+```json
+{
+  "name": "webapp",
+  "policy": "rule main = {...",
+  "enforcement_level": "soft-mandatory"
+}
+```
+
+## Create/Update RGP Policy
+
+This endpoint adds a new or updates an existing RGP policy. Once a policy is
+updated, it takes effect immediately to all associated users.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `PUT`  | `/sys/policies/rgp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to create.
+  This is specified as part of the request URL.
+
+- `policy` `(string: <required>)` - Specifies the policy document. This can be
+  base64-encoded to avoid string escaping.
+
+- `enforcement_level` `(string: <required>)` - Specifies the enforcement level
+  to use. This must be one of `advisory`, `soft-mandatory`, or
+  `hard-mandatory`.
+
+### Sample Payload
+
+```json
+{
+  "policy": "rule main = {...",
+  "enforcement_level": "soft-mandatory"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
+```
+
+## Delete RGP Policy
+
+This endpoint deletes the RGP policy with the given name. This will immediately
+affect all users associated with this policy. (A deleted policy set on a token
+acts as an empty policy.)
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/sys/policies/rgp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to delete.
+  This is specified as part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
+```
+
+## List EGP Policies
+
+This endpoint lists all configured EGP policies. Since EGP policies act on a
+path, this endpoint returns two identifiers:
+
+- `keys` contains a mapping of names to associated paths in a format that
+  `vault list` understands
+- `name_path_map` contains an object mapping names to paths and glob status in
+  a more machine-friendly format
+
+| Method | Path                |
+| :----- | :------------------ |
+| `LIST` | `/sys/policies/egp` |
+
+### Sample Request
+
+```
+$ curl \
+    -X LIST --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/policies/egp
+```
+
+### Sample Response
+
+```json
+{
+  "keys": ["breakglass"]
+}
+```
+
+## Read EGP Policy
+
+This endpoint retrieves information about the named EGP policy.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/sys/policies/egp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
+  This is specified as part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
+```
+
+### Sample Response
+
+```json
+{
+  "enforcement_level": "soft-mandatory",
+  "name": "breakglass",
+  "paths": ["*"],
+  "policy": "rule main = {..."
+}
+```
+
+## Create/Update EGP Policy
+
+This endpoint adds a new or updates an existing EGP policy. Once a policy is
+updated, it takes effect immediately to all associated users.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `PUT`  | `/sys/policies/egp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to create.
+  This is specified as part of the request URL.
+
+- `policy` `(string: <required>)` - Specifies the policy document. This can be
+  base64-encoded to avoid string escaping.
+
+- `enforcement_level` `(string: <required>)` - Specifies the enforcement level
+  to use. This must be one of `advisory`, `soft-mandatory`, or
+  `hard-mandatory`.
+
+- `paths` `(string or array: required)` - Specifies the paths on which this EGP
+  should be applied, either as a comma-separated list or an array. Glob
+  characters can denote suffixes, e.g. `secret/*`; a path of `*` will affect
+  all authenticated and login requests.
+
+### Sample Payload
+
+```json
+{
+  "policy": "rule main = {...",
+  "paths": ["*", "secret/*", "transit/keys/*"],
+  "enforcement_level": "soft-mandatory"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
+```
+
+## Delete EGP Policy
+
+This endpoint deletes the EGP policy with the given name from all paths on which it was configured.
+
+| Method   | Path                      |
+| :------- | :------------------------ |
+| `DELETE` | `/sys/policies/egp/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to delete.
+  This is specified as part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
+```
diff --git a/website/pages/api-docs/system/policy.mdx b/website/pages/api-docs/system/policy.mdx
new file mode 100644
index 000000000000..6d4610a3da85
--- /dev/null
+++ b/website/pages/api-docs/system/policy.mdx
@@ -0,0 +1,121 @@
+---
+layout: api
+page_title: /sys/policy - HTTP API
+sidebar_title: <code>/sys/policy</code>
+description: The `/sys/policy` endpoint is used to manage ACL policies in Vault.
+---
+
+# `/sys/policy`
+
+The `/sys/policy` endpoint is used to manage ACL policies in Vault.
+
+## List Policies
+
+This endpoint lists all configured policies.
+
+| Method | Path          |
+| :----- | :------------ |
+| `GET`  | `/sys/policy` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/policy
+```
+
+### Sample Response
+
+```json
+{
+  "policies": ["root", "deploy"]
+}
+```
+
+## Read Policy
+
+This endpoint retrieve the policy body for the named policy.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/sys/policy/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
+  This is specified as part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/policy/my-policy
+```
+
+### Sample Response
+
+```json
+{
+  "name": "my-policy",
+  "rules": "path \"secret/*\"...
+}
+```
+
+## Create/Update Policy
+
+This endpoint adds a new or updates an existing policy. Once a policy is
+updated, it takes effect immediately to all associated users.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `PUT`  | `/sys/policy/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to create.
+  This is specified as part of the request URL.
+
+- `policy` `(string: <required>)` - Specifies the policy document.
+
+### Sample Payload
+
+```json
+{
+  "policy": "path \"secret/foo\" {..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/policy/my-policy
+```
+
+## Delete Policy
+
+This endpoint deletes the policy with the given name. This will immediately
+affect all users associated with this policy.
+
+| Method   | Path                |
+| :------- | :------------------ |
+| `DELETE` | `/sys/policy/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` – Specifies the name of the policy to delete.
+  This is specified as part of the request URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/policy/my-policy
+```
diff --git a/website/pages/api-docs/system/pprof.mdx b/website/pages/api-docs/system/pprof.mdx
new file mode 100644
index 000000000000..5c7642681bf1
--- /dev/null
+++ b/website/pages/api-docs/system/pprof.mdx
@@ -0,0 +1,139 @@
+---
+layout: api
+page_title: /sys/pprof - HTTP API
+sidebar_title: <code>/sys/pprof</code>
+description: The `/sys/pprof` endpoint is used to query profiling information.
+---
+
+# `/sys/pprof`
+
+The `/sys/pprof` endpoint is used to query. The response returned by
+these endpoints are equivalent to those returned by the `http/pprof`
+package.
+
+## Index
+
+This endpoint returns an HTML page listing the available profiles.
+
+| Method | Path          |
+| :----- | :------------ |
+| `GET`  | `/sys/pprof/` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/pprof/
+```
+
+## Cmdline
+
+This endpoint returns the running program's command line, with arguments
+separated by NUL bytes.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/sys/pprof/cmdline` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/pprof/cmdline
+```
+
+## Goroutine
+
+This endpoint returns stack traces of all current goroutines.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/sys/pprof/goroutine` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/pprof/goroutine
+```
+
+## Heap
+
+This endpoint returns a sampling of memory allocations of live object.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/sys/pprof/heap` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/pprof/heap
+```
+
+## Profile
+
+This endpoint returns a pprof-formatted cpu profile payload. Profiling
+lasts for duration specified in seconds GET parameter, or for 30 seconds
+if not specified.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `GET`  | `/sys/pprof/profile` |
+
+### Parameters
+
+- `seconds` `(int: 30)` - Specifies the duration to run the profiling
+  command. This value is specified as a query parameter.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/pprof/profile
+```
+
+## Symbol
+
+This endpoint returns the program counters listed in the request.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/sys/pprof/symbol` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/pprof/symbol
+```
+
+## Trace
+
+This endpoint returns the execution trace in binary form. Tracing lasts
+for duration specified in seconds GET parameter, or for 1 second if not
+specified.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/sys/pprof/trace` |
+
+### Parameters
+
+- `seconds` `(int: 1)` - Specifies the duration to run the tracing
+  command. This value is specified as a query parameter.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/pprof/trace
+```
diff --git a/website/pages/api-docs/system/raw.mdx b/website/pages/api-docs/system/raw.mdx
new file mode 100644
index 000000000000..3ffa8f64a591
--- /dev/null
+++ b/website/pages/api-docs/system/raw.mdx
@@ -0,0 +1,133 @@
+---
+layout: api
+page_title: /sys/raw - HTTP API
+sidebar_title: <code>/sys/raw</code>
+description: The `/sys/raw` endpoint is used to access the raw underlying store in Vault.
+---
+
+# `/sys/raw`
+
+The `/sys/raw` endpoint is used to access the raw underlying store in Vault.
+
+This endpoint is off by default. See the
+[Vault configuration documentation](/docs/configuration/index.html) to
+enable.
+
+## Read Raw
+
+This endpoint reads the value of the key at the given path. This is the raw path
+in the storage backend and not the logical path that is exposed via the mount
+system.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `GET`  | `/sys/raw/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the raw path in the storage backend.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    ---header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/raw/secret/foo
+```
+
+### Sample Response
+
+```json
+{
+  "value": "{'foo':'bar'}"
+}
+```
+
+## Create/Update Raw
+
+This endpoint updates the value of the key at the given path. This is the raw
+path in the storage backend and not the logical path that is exposed via the
+mount system.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `PUT`  | `/sys/raw/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the raw path in the storage backend.
+  This is specified as part of the URL.
+
+- `value` `(string: <required>)` – Specifies the value of the key.
+
+### Sample Payload
+
+```json
+{
+  "value": "{\"foo\": \"bar\"}"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/raw/secret/foo
+```
+
+## List Raw
+
+This endpoint returns a list keys for a given path prefix.
+
+**This endpoint requires 'sudo' capability.**
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `LIST` | `/sys/raw/:prefix`           |
+| `GET`  | `/sys/raw/:prefix?list=true` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/sys/raw/logical
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "keys": ["abcd-1234...", "efgh-1234...", "ijkl-1234..."]
+  }
+}
+```
+
+## Delete Raw
+
+This endpoint deletes the key with given path. This is the raw path in the
+storage backend and not the logical path that is exposed via the mount system.
+
+| Method   | Path             |
+| :------- | :--------------- |
+| `DELETE` | `/sys/raw/:path` |
+
+### Parameters
+
+- `path` `(string: <required>)` – Specifies the raw path in the storage backend.
+  This is specified as part of the URL.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/raw/secret/foo
+```
diff --git a/website/pages/api-docs/system/rekey-recovery-key.mdx b/website/pages/api-docs/system/rekey-recovery-key.mdx
new file mode 100644
index 000000000000..6ca1d7ed6bea
--- /dev/null
+++ b/website/pages/api-docs/system/rekey-recovery-key.mdx
@@ -0,0 +1,362 @@
+---
+layout: api
+page_title: /sys/rekey-recovery-key - HTTP API
+sidebar_title: <code>/sys/rekey-recovery-key</code>
+description: >-
+  The `/sys/rekey-recovery-key` endpoints are used to rekey the recovery keys
+  for Vault.
+---
+
+# `/sys/rekey-recovery-key`
+
+~> **Note:** These endpoints are only applicable to seals that support recovery keys.
+
+The `/sys/rekey-recovery-key` endpoints are used to rekey the recovery keys for Vault.
+
+## Read Rekey Progress
+
+This endpoint reads the configuration and progress of the current rekey attempt.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `GET`  | `/sys/rekey-recovery-key/init` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
+```
+
+### Sample Response
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "t": 3,
+  "n": 5,
+  "progress": 1,
+  "required": 3,
+  "pgp_fingerprints": ["abcd1234"],
+  "backup": true,
+  "verification_required": false
+}
+```
+
+If a rekey is started, then `n` is the new shares to generate and `t` is the
+threshold required for the new shares. `progress` is how many recovery keys have
+been provided for this rekey, where `required` must be reached to complete. The
+`nonce` for the current rekey operation is also displayed. If PGP keys are being
+used to encrypt the final shares, the key fingerprints and whether the final
+keys will be backed up to physical storage will also be displayed.
+`verification_required` indicates whether verification was enabled for this
+operation.
+
+## Start Rekey
+
+This endpoint initializes a new rekey attempt. Only a single recovery key rekey
+attempt can take place at a time, and changing the parameters of a rekey
+requires canceling and starting a new rekey, which will also provide a new
+nonce.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `PUT`  | `/sys/rekey-recovery-key/init` |
+
+### Parameters
+
+- `secret_shares` `(int: <required>)` – Specifies the number of shares to split
+  the recovery key into.
+
+- `secret_threshold` `(int: <required>)` – Specifies the number of shares
+  required to reconstruct the recovery key. This must be less than or equal to
+  `secret_shares`.
+
+- `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used
+  to encrypt the output recovery key shares. Ordering is preserved. The keys must be
+  base64-encoded from their original binary representation. The size of this
+  array must be the same as `secret_shares`.
+
+- `backup` `(bool: false)` – Specifies if using PGP-encrypted keys, whether
+  Vault should also store a plaintext backup of the PGP-encrypted keys at
+  `core/recovery-keys-backup` in the physical storage backend. These can then
+  be retrieved and removed via the `sys/rekey-recovery-key/backup` endpoint.
+
+- `require_verification` `(bool: false)` – This turns on verification
+  functionality. When verification is turned on, after successful authorization
+  with the current unseal keys, the new unseal keys are returned but the
+  recovery key is not actually rotated. The new keys must be provided to
+  authorize the actual rotation of the key. This ensures that the new keys have
+  been successfully saved and protects against a risk of the keys being lost
+  after rotation but before they can be persisted. This can be used with
+  without `pgp_keys`, and when used with it, it allows ensuring that the
+  returned keys can be successfully decrypted before committing to the new
+  shares, which the backup functionality does not provide.
+
+### Sample Payload
+
+```json
+{
+  "secret_shares": 10,
+  "secret_threshold": 5
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
+```
+
+## Cancel Rekey
+
+This endpoint cancels any in-progress rekey. This clears the rekey settings as
+well as any progress made. This must be called to change the parameters of the
+rekey. Note: verification is still a part of a rekey. If rekeying is canceled
+during the verification flow, the current unseal keys remain valid.
+
+| Method   | Path                           |
+| :------- | :----------------------------- |
+| `DELETE` | `/sys/rekey-recovery-key/init` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
+```
+
+## Read Backup Key
+
+This endpoint returns the backup copy of PGP-encrypted recovery key shares. The
+returned value is the nonce of the rekey operation and a map of PGP key
+fingerprint to hex-encoded PGP-encrypted key.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `GET`  | `/sys/rekey/recovery-key-backup` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/rekey/recovery-key-backup
+```
+
+### Sample Response
+
+```json
+{
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "keys": {
+    "abcd1234": "..."
+  }
+}
+```
+
+## Delete Backup Key
+
+This endpoint deletes the backup copy of PGP-encrypted recovery key shares.
+
+| Method   | Path                             |
+| :------- | :------------------------------- |
+| `DELETE` | `/sys/rekey/recovery-key-backup` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token" \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/rekey/recovery-key-backup
+```
+
+## Submit Key
+
+This endpoint is used to enter a single recovery key share to progress the rekey
+of the Vault. If the threshold number of recovery key shares is reached, Vault
+will complete the rekey. Otherwise, this API must be called multiple times until
+that threshold is met. The rekey nonce operation must be provided with each
+call.
+
+When the operation is complete, this will return a response like the example
+below; otherwise the response will be the same as the `GET` method against
+`sys/rekey/init`, providing status on the operation itself.
+
+If verification was requested, successfully completing this flow will
+immediately put the operation into a verification state, and provide the nonce
+for the verification operation.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `PUT`  | `/sys/rekey-recovery-key/update` |
+
+### Parameters
+
+- `key` `(string: <required>)` – Specifies a single recovery share key.
+
+- `nonce` `(string: <required>)` – Specifies the nonce of the rekey operation.
+
+### Sample Payload
+
+```json
+{
+  "key": "AB32...",
+  "nonce": "abcd1234..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token" \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/update
+```
+
+### Sample Response
+
+```json
+{
+  "complete": true,
+  "keys": ["one", "two", "three"],
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "pgp_fingerprints": ["abcd1234"],
+  "keys_base64": ["base64keyvalue"],
+  "backup": true,
+  "verification_required": true,
+  "verification_nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10"
+}
+```
+
+If the keys are PGP-encrypted, an array of key fingerprints will also be
+provided (with the order in which the keys were used for encryption) along with
+whether or not the keys were backed up to physical storage.
+
+## Read Rekey Recovery Key Verification Progress
+
+This endpoint reads the configuration and progress of the current rekey
+verification attempt.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `GET`  | `/sys/rekey-recovery-key/verify` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
+```
+
+### Sample Response
+
+```json
+{
+  "nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10",
+  "t": 3,
+  "n": 5,
+  "progress": 1
+}
+```
+
+`n` is the total number of new shares that were generated and `t` is the
+threshold required for the new shares to pass verification. `progress` is how
+many of the new unseal keys have been provided for this verification operation.
+The `nonce` for the current rekey operation is also displayed.
+
+## Cancel Rekey Verification
+
+This endpoint cancels any in-progress rekey verification operation. This clears
+any progress made and resets the nonce. Unlike a `DELETE` against
+`sys/rekey-recovery-key/init`, this only resets the current verification
+operation, not the entire rekey atttempt. The return value is the same as `GET`
+along with the new nonce.
+
+| Method   | Path                             |
+| :------- | :------------------------------- |
+| `DELETE` | `/sys/rekey-recovery-key/verify` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token" \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
+```
+
+### Sample Response
+
+```json
+{
+  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
+  "t": 3,
+  "n": 5,
+  "progress": 0
+}
+```
+
+## Submit Verification Key
+
+This endpoint is used to enter a single new key share to progress the rekey
+verification operation. If the threshold number of new key shares is reached,
+Vault will complete the rekey by performing the actual rotation of the recovery
+key. Otherwise, this API must be called multiple times until that threshold is
+met. The nonce must be provided with each call.
+
+When the operation is complete, this will return a response like the example
+below; otherwise the response will be the same as the `GET` method against
+`sys/rekey-recovery-key/verify`, providing status on the operation itself.
+
+| Method | Path                             |
+| :----- | :------------------------------- |
+| `PUT`  | `/sys/rekey-recovery-key/verify` |
+
+### Parameters
+
+- `key` `(string: <required>)` – Specifies a single recovery share key from the
+  new set of shares.
+
+- `nonce` `(string: <required>)` – Specifies the nonce of the rekey
+  verification operation.
+
+### Sample Payload
+
+```json
+{
+  "key": "A58d...",
+  "nonce": "5a27bbc1..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token" \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
+```
+
+### Sample Response
+
+```json
+{
+  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
+  "complete": true
+}
+```
diff --git a/website/pages/api-docs/system/rekey.mdx b/website/pages/api-docs/system/rekey.mdx
new file mode 100644
index 000000000000..b23d7626b38c
--- /dev/null
+++ b/website/pages/api-docs/system/rekey.mdx
@@ -0,0 +1,362 @@
+---
+layout: api
+page_title: /sys/rekey - HTTP API
+sidebar_title: <code>/sys/rekey</code>
+description: The `/sys/rekey` endpoints are used to rekey the unseal keys for Vault.
+---
+
+# `/sys/rekey`
+
+The `/sys/rekey` endpoints are used to rekey the unseal keys for Vault.
+
+On seals that support stored keys (e.g. HSM PKCS11), the recovery key share(s)
+can be provided to rekey the master key since no unseal keys are available. The
+secret shares, secret threshold, and stored shares parameters must be set to 1.
+Upon successful rekey, no split unseal key shares are returned.
+
+## Read Rekey Progress
+
+This endpoint reads the configuration and progress of the current rekey attempt.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `GET`  | `/sys/rekey/init` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/rekey/init
+```
+
+### Sample Response
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "t": 3,
+  "n": 5,
+  "progress": 1,
+  "required": 3,
+  "pgp_fingerprints": ["abcd1234"],
+  "backup": true,
+  "verification_required": false
+}
+```
+
+If a rekey is started, then `n` is the new shares to generate and `t` is the
+threshold required for the new shares. `progress` is how many unseal keys have
+been provided for this rekey, where `required` must be reached to complete. The
+`nonce` for the current rekey operation is also displayed. If PGP keys are being
+used to encrypt the final shares, the key fingerprints and whether the final
+keys will be backed up to physical storage will also be displayed.
+`verification_required` indicates whether verification was enabled for this
+operation.
+
+## Start Rekey
+
+This endpoint initializes a new rekey attempt. Only a single rekey attempt can
+take place at a time, and changing the parameters of a rekey requires canceling
+and starting a new rekey, which will also provide a new nonce.
+
+| Method | Path              |
+| :----- | :---------------- |
+| `PUT`  | `/sys/rekey/init` |
+
+### Parameters
+
+- `secret_shares` `(int: <required>)` – Specifies the number of shares to split
+  the master key into.
+
+- `secret_threshold` `(int: <required>)` – Specifies the number of shares
+  required to reconstruct the master key. This must be less than or equal to
+  `secret_shares`.
+
+- `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used
+  to encrypt the output unseal keys. Ordering is preserved. The keys must be
+  base64-encoded from their original binary representation. The size of this
+  array must be the same as `secret_shares`.
+
+- `backup` `(bool: false)` – Specifies if using PGP-encrypted keys, whether
+  Vault should also store a plaintext backup of the PGP-encrypted keys at
+  `core/unseal-keys-backup` in the physical storage backend. These can then
+  be retrieved and removed via the `sys/rekey/backup` endpoint.
+
+- `require_verification` `(bool: false)` – This turns on verification
+  functionality. When verification is turned on, after successful authorization
+  with the current unseal keys, the new unseal keys are returned but the master
+  key is not actually rotated. The new keys must be provided to authorize the
+  actual rotation of the master key. This ensures that the new keys have been
+  successfully saved and protects against a risk of the keys being lost after
+  rotation but before they can be persisted. This can be used with without
+  `pgp_keys`, and when used with it, it allows ensuring that the returned keys
+  can be successfully decrypted before committing to the new shares, which the
+  backup functionality does not provide.
+
+### Sample Payload
+
+```json
+{
+  "secret_shares": 10,
+  "secret_threshold": 5
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/rekey/init
+```
+
+## Cancel Rekey
+
+This endpoint cancels any in-progress rekey. This clears the rekey settings as
+well as any progress made. This must be called to change the parameters of the
+rekey. Note: verification is still a part of a rekey. If rekeying is canceled
+during the verification flow, the current unseal keys remain valid.
+
+| Method   | Path              |
+| :------- | :---------------- |
+| `DELETE` | `/sys/rekey/init` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/rekey/init
+```
+
+## Read Backup Key
+
+This endpoint returns the backup copy of PGP-encrypted unseal keys. The returned
+value is the nonce of the rekey operation and a map of PGP key fingerprint to
+hex-encoded PGP-encrypted key.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/sys/rekey/backup` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/rekey/backup
+```
+
+### Sample Response
+
+```json
+{
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "keys": {
+    "abcd1234": "..."
+  }
+}
+```
+
+## Delete Backup Key
+
+This endpoint deletes the backup copy of PGP-encrypted unseal keys.
+
+| Method   | Path                |
+| :------- | :------------------ |
+| `DELETE` | `/sys/rekey/backup` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token" \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/rekey/backup
+```
+
+## Submit Key
+
+This endpoint is used to enter a single master key share to progress the rekey
+of the Vault. If the threshold number of master key shares is reached, Vault
+will complete the rekey. Otherwise, this API must be called multiple times until
+that threshold is met. The rekey nonce operation must be provided with each
+call.
+
+When the operation is complete, this will return a response like the example
+below; otherwise the response will be the same as the `GET` method against
+`sys/rekey/init`, providing status on the operation itself.
+
+If verification was requested, successfully completing this flow will
+immediately put the operation into a verification state, and provide the nonce
+for the verification operation.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `PUT`  | `/sys/rekey/update` |
+
+### Parameters
+
+- `key` `(string: <required>)` – Specifies a single master share key.
+
+- `nonce` `(string: <required>)` – Specifies the nonce of the rekey operation.
+
+### Sample Payload
+
+```json
+{
+  "key": "AB32...",
+  "nonce": "abcd1234..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token" \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/rekey/update
+```
+
+### Sample Response
+
+```json
+{
+  "complete": true,
+  "keys": ["one", "two", "three"],
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "pgp_fingerprints": ["abcd1234"],
+  "keys_base64": ["base64keyvalue"],
+  "backup": true,
+  "verification_required": true,
+  "verification_nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10"
+}
+```
+
+If the keys are PGP-encrypted, an array of key fingerprints will also be
+provided (with the order in which the keys were used for encryption) along with
+whether or not the keys were backed up to physical storage.
+
+## Read Rekey Verification Progress
+
+This endpoint reads the configuration and progress of the current rekey
+verification attempt.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/sys/rekey/verify` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/rekey/verify
+```
+
+### Sample Response
+
+```json
+{
+  "nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10",
+  "t": 3,
+  "n": 5,
+  "progress": 1
+}
+```
+
+`n` is the total number of new shares that were generated and `t` is the
+threshold required for the new shares to pass verification. `progress` is how
+many of the new unseal keys have been provided for this verification operation.
+The `nonce` for the current rekey operation is also displayed.
+
+## Cancel Rekey Verification
+
+This endpoint cancels any in-progress rekey verification operation. This clears
+any progress made and resets the nonce. Unlike a `DELETE` against
+`sys/rekey/init`, this only resets the current verification operation, not the
+entire rekey atttempt. The return value is the same as `GET` along with the new
+nonce.
+
+| Method   | Path                |
+| :------- | :------------------ |
+| `DELETE` | `/sys/rekey/verify` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token" \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/rekey/verify
+```
+
+### Sample Response
+
+```json
+{
+  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
+  "t": 3,
+  "n": 5,
+  "progress": 0
+}
+```
+
+## Submit Verification Key
+
+This endpoint is used to enter a single new key share to progress the rekey
+verification operation. If the threshold number of new key shares is reached,
+Vault will complete the rekey by performing the actual rotation of the master
+key. Otherwise, this API must be called multiple times until that threshold is
+met. The nonce must be provided with each call.
+
+When the operation is complete, this will return a response like the example
+below; otherwise the response will be the same as the `GET` method against
+`sys/rekey/verify`, providing status on the operation itself.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `PUT`  | `/sys/rekey/verify` |
+
+### Parameters
+
+- `key` `(string: <required>)` – Specifies a single master share key from the
+  new set of shares.
+
+- `nonce` `(string: <required>)` – Specifies the nonce of the rekey
+  verification operation.
+
+### Sample Payload
+
+```json
+{
+  "key": "A58d...",
+  "nonce": "5a27bbc1..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token" \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/rekey/verify
+```
+
+### Sample Response
+
+```json
+{
+  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
+  "complete": true
+}
+```
diff --git a/website/pages/api-docs/system/remount.mdx b/website/pages/api-docs/system/remount.mdx
new file mode 100644
index 000000000000..96ad2ea91c53
--- /dev/null
+++ b/website/pages/api-docs/system/remount.mdx
@@ -0,0 +1,45 @@
+---
+layout: api
+page_title: /sys/remount - HTTP API
+sidebar_title: <code>/sys/remount</code>
+description: >-
+  The '/sys/remount' endpoint is used remount a mounted backend to a new
+  endpoint.
+---
+
+# `/sys/remount`
+
+The `/sys/remount` endpoint is used remount a mounted backend to a new endpoint.
+
+## Move Backend
+
+This endpoint moves an already-mounted backend to a new mount point.
+
+| Method | Path           |
+| :----- | :------------- |
+| `POST` | `/sys/remount` |
+
+### Parameters
+
+- `from` `(string: <required>)` – Specifies the previous mount point.
+
+- `to` `(string: <required>)` – Specifies the new destination mount point.
+
+### Sample Payload
+
+```json
+{
+  "from": "secret",
+  "to": "new-secret"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/remount
+```
diff --git a/website/pages/api-docs/system/replication/index.mdx b/website/pages/api-docs/system/replication/index.mdx
new file mode 100644
index 000000000000..84d3ed96c7f4
--- /dev/null
+++ b/website/pages/api-docs/system/replication/index.mdx
@@ -0,0 +1,163 @@
+---
+layout: api
+page_title: /sys/replication - HTTP API
+sidebar_title: <code>/sys/replication</code>
+description: >-
+  The '/sys/replication' endpoint focuses on managing general operations in
+  Vault Enterprise replication
+---
+
+# `/sys/replication`
+
+~> **Enterprise Only** – These endpoints require Vault Enterprise.
+
+## Attempt Recovery
+
+This endpoint attempts recovery if replication is in an adverse state. For
+example: an error has caused replication to stop syncing.
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/sys/replication/recover` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/recover
+```
+
+### Sample Response
+
+```json
+{
+  "warnings": ["..."]
+}
+```
+
+## Reindex Replication
+
+This endpoint reindexes the local data storage. This can cause a very long delay
+depending on the number and size of objects in the data store.
+
+**This endpoint requires 'sudo' capability.**
+
+| Method | Path                       |
+| :----- | :------------------------- |
+| `POST` | `/sys/replication/reindex` |
+
+### Parameters
+
+- `diff` `(bool: false)` – Enables a slower re-indexing which will perform a key
+  level check to diagnose issues. Defaults false.
+
+- `force` `(bool: false)` – Forces a complete re-indexing which only scans data
+  available in the storage. Defaults false.
+
+- `skip_flush` `(bool: false)` – Skips the tree flushing stage of the reindex
+  process. This setting can be used to reduce the amount of time the tree is locked
+  during a reindex process. If this node is killed before the full tree has been
+  asynchronously flushed the reindex may not have applied fully and a new reindex
+  may need to be done. Shutting down this node cleanly will cause the tree to be
+  flushed prior to shutdown. Defaults false.
+
+### Sample Payload
+
+```json
+{}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/reindex
+```
+
+### Sample Response
+
+```json
+{
+  "warnings": ["..."]
+}
+```
+
+## Check Status
+
+This endpoint print information about the status of replication (mode,
+sync progress, etc).
+
+This is an authenticated endpoint.
+
+| Method | Path                      |
+| :----- | :------------------------ |
+| `GET`  | `/sys/replication/status` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/replication/status
+```
+
+### Sample Response
+
+The printed status of the replication environment. As an example, for a
+performance primary and DR primary node, it will look something like:
+
+```json
+{
+  "data": {
+    "dr": {
+      "cluster_id": "f2c21cb5-523f-617b-20ac-c913d9154ba6",
+      "known_secondaries": ["3"],
+      "last_wal": 291,
+      "merkle_root": "38543b95d44132138003939addbaf94125ec184e",
+      "mode": "primary",
+      "primary_cluster_addr": ""
+    },
+    "performance": {
+      "cluster_id": "1598d434-dfec-1f48-f019-3d22a8075bf9",
+      "known_secondaries": ["2"],
+      "last_wal": 291,
+      "merkle_root": "43f40fc775b40cc76cd5d7e289b2e6eaf4ba138c",
+      "mode": "primary",
+      "primary_cluster_addr": ""
+    }
+  }
+}
+```
+
+### Sample Response from Performance Secondary & DR Primary
+
+The printed status of the replication environment. As an example, for a
+performnace secondary and DR primary node, it will look something like:
+
+```json
+{
+  "data": {
+    "dr": {
+      "cluster_id": "e4bfa800-002e-7b6d-14c2-617855ece02f",
+      "known_secondaries": ["4"],
+      "last_wal": 455,
+      "merkle_root": "cdcf796619240ce19dd8af30fa700f64c8006e3d",
+      "mode": "primary",
+      "primary_cluster_addr": ""
+    },
+    "performance": {
+      "cluster_id": "1598d434-dfec-1f48-f019-3d22a8075bf9",
+      "known_primary_cluster_addrs": ["https://127.0.0.1:8201"],
+      "last_remote_wal": 291,
+      "merkle_root": "43f40fc775b40cc76cd5d7e289b2e6eaf4ba138c",
+      "mode": "secondary",
+      "primary_cluster_addr": "https://127.0.0.1:8201",
+      "secondary_id": "2",
+      "state": "stream-wals"
+    }
+  }
+}
+```
diff --git a/website/pages/api-docs/system/replication/replication-dr.mdx b/website/pages/api-docs/system/replication/replication-dr.mdx
new file mode 100644
index 000000000000..738dbed4edba
--- /dev/null
+++ b/website/pages/api-docs/system/replication/replication-dr.mdx
@@ -0,0 +1,617 @@
+---
+layout: api
+page_title: /sys/replication - HTTP API
+sidebar_title: <code>/sys/replication/dr</code>
+description: >-
+  The '/sys/replication/dr' endpoint focuses on managing general operations in
+  Vault Enterprise Disaster Recovery replication
+---
+
+# `/sys/replication/dr`
+
+~> **Enterprise Only** – These endpoints require Vault Enterprise.
+
+## Check DR Status
+
+This endpoint prints information about the status of replication (mode,
+sync progress, etc).
+
+This is an authenticated endpoint.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/sys/replication/dr/status` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/replication/dr/status
+```
+
+### Sample Response from Primary
+
+The printed status of the replication environment. As an example, for a
+primary, it will look something like:
+
+```json
+{
+  "data": {
+    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
+    "known_secondaries": [],
+    "last_wal": 241,
+    "merkle_root": "56794a98e52598f35974024fba6691f047e772e9",
+    "mode": "primary"
+  }
+}
+```
+
+### Sample Response from Secondary
+
+The printed status of the replication environment. As an example, for a
+secondary, it will look something like:
+
+```json
+{
+  "data": {
+    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
+    "known_primary_cluster_addrs": ["https://127.0.0.1:8201"],
+    "last_remote_wal": 241,
+    "merkle_root": "56794a98e52598f35974024fba6691f047e772e9",
+    "mode": "secondary",
+    "primary_cluster_addr": "https://127.0.0.1:8201",
+    "secondary_id": "3",
+    "state": "stream-wals"
+  }
+}
+```
+
+## Enable DR Primary Replication
+
+This endpoint enables DR replication in primary mode. This is used when DR replication
+is currently disabled on the cluster (if the cluster is already a secondary, it
+must be promoted).
+
+| Method | Path                                 |
+| :----- | :----------------------------------- |
+| `POST` | `/sys/replication/dr/primary/enable` |
+
+### Parameters
+
+- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
+  primary gives to secondary nodes. Useful if the primary's cluster address is
+  not directly accessible and must be accessed via an alternate path/address,
+  such as through a TCP-based load balancer.
+
+### Sample Payload
+
+```json
+{}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/dr/primary/enable
+```
+
+## Demote DR Primary
+
+This endpoint demotes a DR primary cluster to a secondary. This DR secondary cluster
+will not attempt to connect to a primary (see the update-primary call), but will
+maintain knowledge of its cluster ID and can be reconnected to the same
+DR replication set without wiping local storage.
+
+| Method | Path                                 |
+| :----- | :----------------------------------- |
+| `POST` | `/sys/replication/dr/primary/demote` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/dr/primary/demote
+```
+
+## Disable DR Primary
+
+This endpoint disables DR replication entirely on the cluster. Any secondaries will
+no longer be able to connect. Caution: re-enabling this node as a primary or
+secondary will change its cluster ID; in the secondary case this means a wipe of
+the underlying storage when connected to a primary, and in the primary case,
+secondaries connecting back to the cluster (even if they have connected before)
+will require a wipe of the underlying storage.
+
+| Method | Path                                  |
+| :----- | :------------------------------------ |
+| `POST` | `/sys/replication/dr/primary/disable` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/dr/primary/disable
+```
+
+## Generate DR Secondary Token
+
+This endpoint generates a DR secondary activation token for the
+cluster with the given opaque identifier, which must be unique. This
+identifier can later be used to revoke a DR secondary's access.
+
+**This endpoint requires 'sudo' capability.**
+
+| Method | Path                                          |
+| :----- | :-------------------------------------------- |
+| `POST` | `/sys/replication/dr/primary/secondary-token` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
+
+- `ttl` `(string: "30m")` – Specifies the TTL for the secondary activation
+  token.
+
+- `secondary_public_key` `(string: "")` – Specifies the secondary's generated
+  public key, if using encryption rather than response wrapping to protect the
+  secondary credentials. (Vault 1.3+)
+
+### Sample Payload
+
+```json
+{
+  "id": "us-east-1"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/dr/primary/secondary-token
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": null,
+  "warnings": null,
+  "wrap_info": {
+    "token": "fb79b9d3-d94e-9eb6-4919-c559311133d6",
+    "ttl": 300,
+    "creation_time": "2016-09-28T14:41:00.56961496-04:00",
+    "wrapped_accessor": ""
+  }
+}
+```
+
+## Revoke DR Secondary Token
+
+This endpoint revokes a DR secondary's ability to connect to the DR primary cluster;
+the DR secondary will immediately be disconnected and will not be allowed to
+connect again unless given a new activation token.
+
+| Method | Path                                           |
+| :----- | :--------------------------------------------- |
+| `POST` | `/sys/replication/dr/primary/revoke-secondary` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
+
+### Sample Payload
+
+```json
+{
+  "id": "us-east"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/dr/primary/revoke-secondary
+```
+
+## Fetch DR Secondary Public Key
+
+(Vault 1.3+)
+
+This endpoint allows fetching a public key that is used to encrypt the returned
+credential information (instead of using a response wrapped token). This avoids
+needing to make an API call to the primary during activation.
+
+| Method | Path                                                |
+| :----- | :-------------------------------------------------- |
+| `POST` | `/sys/replication/dr/secondary/generate-public-key` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-public-key
+```
+
+## Enable DR Secondary
+
+This endpoint enables replication on a DR secondary using a DR secondary activation
+token.
+
+!> This will immediately clear all data in the secondary cluster!
+
+| Method | Path                                   |
+| :----- | :------------------------------------- |
+| `POST` | `/sys/replication/dr/secondary/enable` |
+
+### Parameters
+
+- `token` `(string: <required>)` – Specifies the secondary activation token
+  fetched from the primary.
+
+- `primary_api_addr` `(string: "")` – Set this to the API address (normal Vault
+  address) to override the value embedded in the token. This can be useful if
+  the primary's redirect address is not accessible directly from this cluster
+  (e.g. through a load balancer).
+
+- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
+  that the secondary can use when unwrapping the token from the primary. If this
+  and ca_path are not given, defaults to system CA roots.
+
+- `ca_path` `(string: "")` – Specifies the path to a CA root directory
+  containing PEM-format files that the secondary can use when unwrapping the
+  token from the primary. If this and ca_file are not given, defaults to system
+  CA roots.
+
+### Sample Payload
+
+```json
+{
+  "token": "..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/enable
+```
+
+## Promote DR Secondary
+
+This endpoint promotes the DR secondary cluster to DR primary. For data safety and
+security reasons, new secondary tokens will need to be issued to other
+secondaries, and there should never be more than one primary at a time.
+
+If the DR secondary's primary cluster is also in a performance replication set,
+the DR secondary will be promoted into that replication set. Care should be
+taken when promoting to ensure multiple performance primary clusters are not
+activate at the same time.
+
+If the DR secondary's primary cluster is a performance secondary, the promoted
+cluster will attempt to connect to the performance primary cluster using the
+same secondary token.
+
+This endpoint requires a DR Operation Token to be provided as means of
+authorization. See the [DR Operation Token API
+docs](#generate-disaster-recovery-operation-token) for more information.
+
+!> Only one performance primary should be active at a given time. Multiple primaries may
+result in data loss!
+
+| Method | Path                                    |
+| :----- | :-------------------------------------- |
+| `POST` | `/sys/replication/dr/secondary/promote` |
+
+### Parameters
+
+- `dr_operation_token` `(string: <required>)` - DR operation token used to authorize this request.
+- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
+  primary gives to secondary nodes. Useful if the primary's cluster address is
+  not directly accessible and must be accessed via an alternate path/address
+  (e.g. through a load balancer).
+- `force` `(bool: false)` - If true the cluster will be promoted even if it fails
+  certain safety checks. Caution: Forcing promotion could result in data loss if
+  data isn't fully replicated.
+
+### Sample Payload
+
+```json
+{
+  "dr_operation_token": "ijH8tphEHaBtgx+IvPfxDsSi2LV4j9k+Lad6eqT5cJw="
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/promote
+```
+
+### Sample Response
+
+```json
+{
+  "progress": 0,
+  "required": 1,
+  "complete": false,
+  "request_id": "ad8f9074-0e24-d30e-83cd-595c9652ff89",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "complete": false,
+    "progress": 0,
+    "required": 1
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+## Update DR Secondary's Primary
+
+This endpoint changes a DR secondary cluster's assigned primary cluster using a
+secondary activation token. This does not wipe all data in the cluster.
+
+This endpoint requires a DR Operation Token to be provided as means of
+authorization. See the [DR Operation Token API
+docs](#generate-disaster-recovery-operation-token) for more information.
+
+| Method | Path                                           |
+| :----- | :--------------------------------------------- |
+| `POST` | `/sys/replication/dr/secondary/update-primary` |
+
+### Parameters
+
+- `dr_operation_token` `(string: <required>)` - DR operation token used to authorize this request.
+
+- `token` `(string: <required>)` – Specifies the secondary activation token
+  fetched from the primary. If you set this to a blank string, the cluster will
+  stay a secondary but clear its knowledge of any past primary (and thus not
+  attempt to connect to the previous primary). This can be useful if the primary
+  is down to stop the secondary from trying to reconnect to it.
+
+- `primary_api_addr` `(string: )` – Specifies the API address (normal Vault
+  address) to override the value embedded in the token. This can be useful if
+  the primary's redirect address is not accessible directly from this cluster.
+
+- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
+  that the secondary can use when unwrapping the token from the primary. If this
+  and ca_path are not given, defaults to system CA roots.
+
+- `ca_path` `string: ()` – Specifies the path to a CA root directory containing
+  PEM-format files that the secondary can use when unwrapping the token from the
+  primary. If this and ca_file are not given, defaults to system CA roots.
+
+### Sample Payload
+
+```json
+{
+  "dr_operation_token": "...",
+  "token": "..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/update-primary
+```
+
+## Generate Disaster Recovery Operation Token
+
+The `/sys/replication/dr/secondary/generate-operation-token` endpoint is used to create a new Disaster
+Recovery operation token for a DR secondary. These tokens are used to authorize
+certain DR Operations. They should be treated like traditional root tokens by
+being generated when needed and deleted soon after.
+
+## Read Generation Progress
+
+This endpoint reads the configuration and process of the current generation
+attempt.
+
+| Method | Path                                                             |
+| :----- | :--------------------------------------------------------------- |
+| `GET`  | `/sys/replication/dr/secondary/generate-operation-token/attempt` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-operation-token/attempt
+```
+
+### Sample Response
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 1,
+  "required": 3,
+  "encoded_token": "",
+  "pgp_fingerprint": "",
+  "complete": false
+}
+```
+
+If a generation is started, `progress` is how many unseal keys have been
+provided for this generation attempt, where `required` must be reached to
+complete. The `nonce` for the current attempt and whether the attempt is
+complete is also displayed. If a PGP key is being used to encrypt the final
+token, its fingerprint will be returned. Note that if an OTP is being used to
+encode the final token, it will never be returned.
+
+## Start Token Generation
+
+This endpoint initializes a new generation attempt. Only a single
+generation attempt can take place at a time.
+
+| Method | Path                                                             |
+| :----- | :--------------------------------------------------------------- |
+| `PUT`  | `/sys/replication/dr/secondary/generate-operation-token/attempt` |
+
+### Parameters
+
+- `pgp_key` `(string: <optional>)` – Specifies a base64-encoded PGP public key.
+  The raw bytes of the token will be encrypted with this value before being
+  returned to the final unseal key provider.
+
+### Sample Request
+
+```
+$ curl \
+    --request PUT \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-operation-token/attempt
+```
+
+### Sample Response
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 1,
+  "required": 3,
+  "encoded_token": "",
+  "otp": "2vPFYG8gUSW9npwzyvxXMug0",
+  "otp_length": 24,
+  "complete": false
+}
+```
+
+## Cancel Generation
+
+This endpoint cancels any in-progress generation attempt. This clears any
+progress made. This must be called to change the OTP or PGP key being used.
+
+| Method   | Path                                                             |
+| :------- | :--------------------------------------------------------------- |
+| `DELETE` | `/sys/replication/dr/secondary/generate-operation-token/attempt` |
+
+### Sample Request
+
+```
+$ curl \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-operation-token/attempt
+```
+
+## Provide Key Share to Generate Token
+
+This endpoint is used to enter a single master key share to progress the
+generation attempt. If the threshold number of master key shares is reached,
+Vault will complete the generation and issue the new token. Otherwise,
+this API must be called multiple times until that threshold is met. The attempt
+nonce must be provided with each call.
+
+| Method | Path                                                            |
+| :----- | :-------------------------------------------------------------- |
+| `PUT`  | `/sys/replication/dr/secondary/generate-operation-token/update` |
+
+### Parameters
+
+- `key` `(string: <required>)` – Specifies a single master key share.
+
+- `nonce` `(string: <required>)` – Specifies the nonce of the attempt.
+
+### Sample Payload
+
+```json
+{
+  "key": "acbd1234",
+  "nonce": "ad235"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-operation-token/update
+```
+
+### Sample Response
+
+This returns a JSON-encoded object indicating the attempt nonce, and completion
+status, and the encoded token, if the attempt is complete.
+
+```json
+{
+  "started": true,
+  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
+  "progress": 3,
+  "required": 3,
+  "pgp_fingerprint": "",
+  "complete": true,
+  "encoded_token": "FPzkNBvwNDeFh4SmGA8c+w=="
+}
+```
+
+## Delete DR Operation Token
+
+This endpoint revokes the DR Operation Token. This token does not have a TTL
+and therefore should be deleted when it is no longer needed.
+
+| Method | Path                                                   |
+| :----- | :----------------------------------------------------- |
+| `POST` | `/sys/replication/dr/secondary/operation-token/delete` |
+
+### Parameters
+
+- `dr_operation_token` `(string: <required>)` - DR operation token used to authorize this request.
+
+### Sample Payload
+
+```json
+{
+  "dr_operation_token": "..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/operation-token/delete
+```
diff --git a/website/pages/api-docs/system/replication/replication-performance.mdx b/website/pages/api-docs/system/replication/replication-performance.mdx
new file mode 100644
index 000000000000..56abaa61cdc1
--- /dev/null
+++ b/website/pages/api-docs/system/replication/replication-performance.mdx
@@ -0,0 +1,664 @@
+---
+layout: api
+page_title: /sys/replication - HTTP API
+sidebar_title: <code>/sys/replication/performance</code>
+description: >-
+  The '/sys/replication/performance' endpoint focuses on managing general
+  operations in Vault Enterprise Performance Replication
+---
+
+# `/sys/replication/performance`
+
+~> **Enterprise Only** – These endpoints require Vault Enterprise.
+
+## Check Performance Status
+
+This endpoint prints information about the status of replication (mode,
+sync progress, etc).
+
+This is an authenticated endpoint.
+
+| Method | Path                                  |
+| :----- | :------------------------------------ |
+| `GET`  | `/sys/replication/performance/status` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/replication/performance/status
+```
+
+### Sample Response from Primary
+
+The printed status of the replication environment. As an example, for a
+primary, it will look something like:
+
+```json
+{
+  "data": {
+    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
+    "known_secondaries": ["2"],
+    "last_wal": 87,
+    "merkle_root": "c31e40f6ff02f32c37b70e6a4d58732ac812abf0",
+    "mode": "primary"
+  }
+}
+```
+
+### Sample Response from Secondary
+
+The printed status of the replication environment. As an example, for a
+secondary, it will look something like:
+
+```json
+{
+  "data": {
+    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
+    "known_primary_cluster_addrs": ["https://127.0.0.1:8201"],
+    "last_remote_wal": 87,
+    "merkle_root": "c31e40f6ff02f32c37b70e6a4d58732ac812abf0",
+    "mode": "secondary",
+    "primary_cluster_addr": "https://127.0.0.1:8201",
+    "secondary_id": "2",
+    "state": "stream-wals"
+  }
+}
+```
+
+## Enable Performance Primary Replication
+
+This endpoint enables replication in primary mode. This is used when replication
+is currently disabled on the cluster (if the cluster is already a secondary, it
+must be promoted).
+
+!> Only one primary should be active at a given time. Multiple primaries may
+result in data loss!
+
+| Method | Path                                          |
+| :----- | :-------------------------------------------- |
+| `POST` | `/sys/replication/performance/primary/enable` |
+
+### Parameters
+
+- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
+  primary gives to secondary nodes. Useful if the primary's cluster address is
+  not directly accessible and must be accessed via an alternate path/address,
+  such as through a TCP-based load balancer. If not set, uses vault's configured
+  cluster address.
+
+### Sample Payload
+
+```json
+{}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/enable
+```
+
+## Demote Performance Primary
+
+This endpoint demotes a performance primary cluster to a performance secondary.
+This secondary cluster will not attempt to connect to a primary (see the update-primary call),
+but will maintain knowledge of its cluster ID and can be reconnected to the same
+replication set without wiping local storage.
+
+| Method | Path                                          |
+| :----- | :-------------------------------------------- |
+| `POST` | `/sys/replication/performance/primary/demote` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/demote
+```
+
+## Disable Performance Primary
+
+This endpoint disables performance replication entirely on the cluster. Any
+performance secondaries will no longer be able to connect. Caution: re-enabling
+this node as a primary or secondary will change its cluster ID; in the secondary
+case this means a wipe of the underlying storage when connected to a primary,
+and in the primary case, secondaries connecting back to the cluster (even if
+they have connected before) will require a wipe of the underlying storage.
+
+| Method | Path                                           |
+| :----- | :--------------------------------------------- |
+| `POST` | `/sys/replication/performance/primary/disable` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/disable
+```
+
+## Generate Performance Secondary Token
+
+This endpoint generates a performance secondary activation token for the
+cluster with the given opaque identifier, which must be unique. This
+identifier can later be used to revoke a secondary's access.
+
+**This endpoint requires 'sudo' capability.**
+
+| Method | Path                                                   |
+| :----- | :----------------------------------------------------- |
+| `POST` | `/sys/replication/performance/primary/secondary-token` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
+
+- `ttl` `(string: "30m")` – Specifies the TTL for the secondary activation
+  token.
+
+- `secondary_public_key` `(string: "")` – Specifies the secondary's generated
+  public key, if using encryption rather than response wrapping to protect the
+  secondary credentials. (Vault 1.3+)
+
+### Sample Payload
+
+```json
+{
+  "id": "us-east-1"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/secondary-token
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": null,
+  "warnings": null,
+  "wrap_info": {
+    "token": "fb79b9d3-d94e-9eb6-4919-c559311133d6",
+    "ttl": 300,
+    "creation_time": "2016-09-28T14:41:00.56961496-04:00",
+    "wrapped_accessor": ""
+  }
+}
+```
+
+## Revoke Performance Secondary Token
+
+This endpoint revokes a performance secondary's ability to connect to the
+performance primary cluster; the secondary will immediately be disconnected and
+will not be allowed to connect again unless given a new activation token.
+
+| Method | Path                                                    |
+| :----- | :------------------------------------------------------ |
+| `POST` | `/sys/replication/performance/primary/revoke-secondary` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
+
+### Sample Payload
+
+```json
+{
+  "id": "us-east"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/revoke-secondary
+```
+
+## Create Paths Filter
+
+This endpoint is used to modify the mounts and namespaces that are filtered to a secondary.
+Filtering can be specified in allow mode or deny mode. In allow
+mode the secret and auth mounts that are specified are included to the
+selected secondary. In deny mode, the mount and namespace paths are excluded.
+
+| Method | Path                                                    |
+| :----- | :------------------------------------------------------ |
+| `POST` | `/sys/replication/performance/primary/paths-filter/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
+
+- `mode` `(string: "allow")` – Specifies the filtering mode. Available values
+  are "allow" and "deny".
+
+- `paths` `(array: [])` – The list of mount and namespace paths that are filtered.
+
+### Sample Payload
+
+```json
+{
+  "mode": "allow",
+  "paths": ["secret/", "ns1/"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
+```
+
+## Read Paths Filter
+
+This endpoint is used to read the mode and the mount/namespace paths that are filtered
+for a secondary.
+
+| Method | Path                                                    |
+| :----- | :------------------------------------------------------ |
+| `GET`  | `/sys/replication/performance/primary/paths-filter/:id` | `200 (empty body)` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
+```
+
+### Sample Response
+
+```json
+{
+  "mode": "allow",
+  "paths": ["secret/", "ns1/"]
+}
+```
+
+## Delete Paths Filter
+
+This endpoint is used to delete the mount and namespace filters for a secondary.
+
+| Method   | Path                                                    |
+| :------- | :------------------------------------------------------ |
+| `DELETE` | `/sys/replication/performance/primary/paths-filter/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
+```
+
+## Read Dynamically Generated Filter (PRIMARY)
+
+This endpoint is used to read the namespace and the mount paths that are dynamically
+filtered for a secondary on the primary.
+
+| Method | Path                                                      |
+| :----- | :-------------------------------------------------------- |
+| `GET`  | `/sys/replication/performance/primary/dynamic-filter/:id` | `200 (empty body)` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/dynamic-filter/mySecondaryID
+```
+
+### Sample Response
+
+```json
+{
+  "dynamic_filtered_mounts": ["ns1/ns2/secret/", "ns1/kv/"],
+  "dynamic_filtered_namespaces": ["ns1/", "ns1/ns2/"]
+}
+```
+
+## Read Dynamically Generated Filter (SECONDARY)
+
+This endpoint is used to read the namespace and the mount paths that are dynamically
+filtered for a secondary on the secondary.
+
+| Method | Path                                                        |
+| :----- | :---------------------------------------------------------- |
+| `GET`  | `/sys/replication/performance/secondary/dynamic-filter/:id` | `200 (empty body)` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/dynamic-filter/mySecondaryID
+```
+
+### Sample Response
+
+```json
+{
+  "dynamic_filtered_mounts": ["ns1/ns2/secret/", "ns1/kv/"],
+  "dynamic_filtered_namespaces": ["ns1/", "ns1/ns2/"]
+}
+```
+
+## Create Mounts Filter (DEPRECATED)
+
+~> This API is deprecated and will be removed in a future version of Vault.
+Please use Paths Filter instead.
+
+This endpoint is used to modify the mounts that are filtered to a secondary.
+Filtering can be specified in whitelist mode or blacklist mode. In whitelist
+mode the secret and auth mounts that are specified are included to the
+selected secondary. In blacklist mode, the mount paths are excluded.
+
+| Method | Path                                                    |
+| :----- | :------------------------------------------------------ |
+| `POST` | `/sys/replication/performance/primary/mount-filter/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
+
+- `mode` `(string: "whitelist")` – Specifies the filtering mode. Available values
+  are "whitelist" and blacklist".
+
+- `paths` `(array: [])` – The list of mount paths that are filtered.
+
+### Sample Payload
+
+```json
+{
+  "mode": "whitelist",
+  "paths": ["secret/"]
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
+```
+
+## Read Mounts Filter (DEPRECATED)
+
+~> This API is deprecated and will be removed in a future version of Vault.
+Please use Paths Filter instead.
+
+This endpoint is used to read the mode and the mount paths that are filtered
+for a secondary.
+
+| Method | Path                                                    |
+| :----- | :------------------------------------------------------ |
+| `GET`  | `/sys/replication/performance/primary/mount-filter/:id` | `200 (empty body)` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
+```
+
+### Sample Response
+
+```json
+{
+  "mode": "whitelist",
+  "paths": ["secret/"]
+}
+```
+
+## Delete Mounts Filter (DEPRECATED)
+
+~> This API is deprecated and will be removed in a future version of Vault.
+Please use Paths Filter instead.
+
+This endpoint is used to delete the mount filters for a secondary.
+
+| Method   | Path                                                    |
+| :------- | :------------------------------------------------------ |
+| `DELETE` | `/sys/replication/performance/primary/mount-filter/:id` |
+
+### Parameters
+
+- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
+```
+
+## Fetch Performance Secondary Public Key
+
+(Vault 1.3+)
+
+This endpoint allows fetching a public key that is used to encrypt the returned
+credential information (instead of using a response wrapped token). This avoids
+needing to make an API call to the primary during activation.
+
+| Method | Path                                                         |
+| :----- | :----------------------------------------------------------- |
+| `POST` | `/sys/replication/performance/secondary/generate-public-key` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/generate-public-key
+```
+
+## Enable Performance Secondary
+
+This endpoint enables performance replication on a secondary using a secondary activation
+token.
+
+!> This will immediately clear all data in the secondary cluster!
+
+| Method | Path                                            |
+| :----- | :---------------------------------------------- |
+| `POST` | `/sys/replication/performance/secondary/enable` |
+
+### Parameters
+
+- `token` `(string: <required>)` – Specifies the secondary activation token
+  fetched from the primary.
+
+- `primary_api_addr` `(string: "")` – Set this to the API address (normal Vault
+  address) to override the value embedded in the token. This can be useful if
+  the primary's redirect address is not accessible directly from this cluster
+  (e.g. through a load balancer).
+
+- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
+  that the secondary can use when unwrapping the token from the primary. If this
+  and ca_path are not given, defaults to system CA roots.
+
+- `ca_path` `(string: "")` – Specifies the path to a CA root directory
+  containing PEM-format files that the secondary can use when unwrapping the
+  token from the primary. If this and ca_file are not given, defaults to system
+  CA roots.
+
+### Sample Payload
+
+```json
+{
+  "token": "..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/enable
+```
+
+## Promote Performance Secondary
+
+This endpoint promotes the performance secondary cluster to performance primary.
+For data safety and security reasons, new secondary tokens will need to be
+issued to other secondaries, and there should never be more than one performance
+primary at a time.
+
+| Method | Path                                             |
+| :----- | :----------------------------------------------- |
+| `POST` | `/sys/replication/performance/secondary/promote` |
+
+### Parameters
+
+- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
+  primary gives to secondary nodes. Useful if the primary's cluster address is
+  not directly accessible and must be accessed via an alternate path/address
+  (e.g. through a load balancer).
+- `force` `(bool: false)` - If true the cluster will be promoted even if it fails
+  certain safety checks. Caution: Forcing promotion could result in data loss if
+  data isn't fully replicated.
+
+### Sample Payload
+
+```json
+{}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/promote
+```
+
+## Disable Performance Secondary
+
+This endpoint disables performance replication entirely on the cluster. The cluster will no
+longer be able to connect to the performance primary.
+
+!> Re-enabling this node as a performance primary or secondary will change its cluster ID;
+in the secondary case this means a wipe of the underlying storage when connected
+to a primary, and in the primary case, secondaries connecting back to the
+cluster (even if they have connected before) will require a wipe of the
+underlying storage.
+
+| Method | Path                                             |
+| :----- | :----------------------------------------------- |
+| `POST` | `/sys/replication/performance/secondary/disable` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/disable
+```
+
+## Update Performance Secondary's Primary
+
+This endpoint changes a performance secondary cluster's assigned primary cluster using a
+secondary activation token. This does not wipe all data in the cluster.
+
+| Method | Path                                                    |
+| :----- | :------------------------------------------------------ |
+| `POST` | `/sys/replication/performance/secondary/update-primary` |
+
+### Parameters
+
+- `token` `(string: <required>)` – Specifies the secondary activation token
+  fetched from the primary. If you set this to a blank string, the cluster will
+  stay a secondary but clear its knowledge of any past primary (and thus not
+  attempt to connect to the previous primary). This can be useful if the primary
+  is down to stop the secondary from trying to reconnect to it.
+
+- `primary_api_addr` `(string: )` – Specifies the API address (normal Vault
+  address) to override the value embedded in the token. This can be useful if
+  the primary's redirect address is not accessible directly from this cluster.
+
+- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
+  that the secondary can use when unwrapping the token from the primary. If this
+  and ca_path are not given, defaults to system CA roots.
+
+- `ca_path` `string: ()` – Specifies the path to a CA root directory containing
+  PEM-format files that the secondary can use when unwrapping the token from the
+  primary. If this and ca_file are not given, defaults to system CA roots.
+
+### Sample Payload
+
+```json
+{
+  "token": "..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/update-primary
+```
diff --git a/website/pages/api-docs/system/rotate.mdx b/website/pages/api-docs/system/rotate.mdx
new file mode 100644
index 000000000000..39da180e7bfd
--- /dev/null
+++ b/website/pages/api-docs/system/rotate.mdx
@@ -0,0 +1,32 @@
+---
+layout: api
+page_title: /sys/rotate - HTTP API
+sidebar_title: <code>/sys/rotate</code>
+description: The `/sys/rotate` endpoint is used to rotate the encryption key.
+---
+
+# `/sys/rotate`
+
+The `/sys/rotate` endpoint is used to rotate the encryption key.
+
+## Rotate Encryption Key
+
+This endpoint triggers a rotation of the backend encryption key. This is the key
+that is used to encrypt data written to the storage backend, and is not provided
+to operators. This operation is done online. Future values are encrypted with
+the new key, while old values are decrypted with previous encryption keys.
+
+This path requires `sudo` capability in addition to `update`.
+
+| Method | Path          |
+| :----- | :------------ |
+| `PUT`  | `/sys/rotate` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    http://127.0.0.1:8200/v1/sys/rotate
+```
diff --git a/website/pages/api-docs/system/seal-status.mdx b/website/pages/api-docs/system/seal-status.mdx
new file mode 100644
index 000000000000..c932e4124fcb
--- /dev/null
+++ b/website/pages/api-docs/system/seal-status.mdx
@@ -0,0 +1,58 @@
+---
+layout: api
+page_title: /sys/seal-status - HTTP API
+sidebar_title: <code>/sys/seal-status</code>
+description: The `/sys/seal-status` endpoint is used to check the seal status of a Vault.
+---
+
+# `/sys/seal-status`
+
+The `/sys/seal-status` endpoint is used to check the seal status of a Vault.
+
+## Seal Status
+
+This endpoint returns the seal status of the Vault. This is an unauthenticated
+endpoint.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/sys/seal-status` |
+
+### Sample Request
+
+```
+$ curl \
+    http://127.0.0.1:8200/v1/sys/seal-status
+```
+
+### Sample Response
+
+The "t" parameter is the threshold, and "n" is the number of shares.
+
+```json
+{
+  "type": "shamir",
+  "sealed": true,
+  "t": 3,
+  "n": 5,
+  "progress": 2,
+  "nonce": "",
+  "version": "0.9.0"
+}
+```
+
+Sample response when Vault is unsealed.
+
+```json
+{
+  "type": "shamir",
+  "sealed": false,
+  "t": 3,
+  "n": 5,
+  "progress": 0,
+  "version": "0.9.0",
+  "cluster_name": "vault-cluster-d6ec3c7f",
+  "cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8",
+  "nonce": "ef05d55d-4d2c-c594-a5e8-55bc88604c24"
+}
+```
diff --git a/website/pages/api-docs/system/seal.mdx b/website/pages/api-docs/system/seal.mdx
new file mode 100644
index 000000000000..aee7a8f3d6f4
--- /dev/null
+++ b/website/pages/api-docs/system/seal.mdx
@@ -0,0 +1,29 @@
+---
+layout: api
+page_title: /sys/seal - HTTP API
+sidebar_title: <code>/sys/seal</code>
+description: The `/sys/seal` endpoint seals the Vault.
+---
+
+# `/sys/seal`
+
+The `/sys/seal` endpoint seals the Vault.
+
+## Seal
+
+This endpoint seals the Vault. In HA mode, only an active node can be sealed.
+Standby nodes should be restarted to get the same effect. Requires a token with
+`root` policy or `sudo` capability on the path.
+
+| Method | Path        |
+| :----- | :---------- |
+| `PUT`  | `/sys/seal` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    http://127.0.0.1:8200/v1/sys/seal
+```
diff --git a/website/pages/api-docs/system/sealwrap-rewrap.mdx b/website/pages/api-docs/system/sealwrap-rewrap.mdx
new file mode 100644
index 000000000000..7769948c255a
--- /dev/null
+++ b/website/pages/api-docs/system/sealwrap-rewrap.mdx
@@ -0,0 +1,71 @@
+---
+layout: api
+page_title: /sys/sealwrap/rewrap - HTTP API
+sidebar_title: <code>/sys/sealwrap/rewrap</code>
+description: >-
+  The `/sys/sealwrap/rewrap` endpoint is used to rewrap all seal wrapped
+  entries.
+---
+
+# `/sys/sealwrap/rewrap`
+
+~> **Enterprise Only** – These endpoints require Vault Enterprise.
+
+The `/sys/sealwrap/rewrap` endpoint is used to rewrap all seal wrapped entries.
+This is useful when you want to upgrade seal wrapped entries to use the latest
+key, for example, after a seal migration or after rotating the remote keyring.
+
+## Read Rewrap Status
+
+This endpoint reports whether a seal rewrap process is currently running.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `GET`  | `/sys/sealwrap/rewrap` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/sealwrap/rewrap
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "entries": {
+      "failed": 0,
+      "processed": 30,
+      "succeeded": 30
+    },
+    "is_running": false
+  }
+}
+```
+
+## Start a Seal Rewrap Process
+
+This endpoint starts a seal rewrap process if one is not currently running.
+The process will run in the background. Check the vault server logs for status
+and progress updates.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/sys/sealwrap/rewrap` |
+
+The default status codes are:
+
+- `200` if a seal rewrap process is already running
+- `204` if a seal rewrap process was started
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/sealwrap/rewrap
+```
diff --git a/website/pages/api-docs/system/step-down.mdx b/website/pages/api-docs/system/step-down.mdx
new file mode 100644
index 000000000000..529c30654b2f
--- /dev/null
+++ b/website/pages/api-docs/system/step-down.mdx
@@ -0,0 +1,32 @@
+---
+layout: api
+page_title: /sys/step-down - HTTP API
+sidebar_title: <code>/sys/step-down</code>
+description: The `/sys/step-down` endpoint causes the node to give up active status.
+---
+
+# `/sys/step-down`
+
+The `/sys/step-down` endpoint causes the node to give up active status.
+
+## Step Down Leader
+
+This endpoint forces the node to give up active status. If the node does not
+have active status, this endpoint does nothing. Note that the node will sleep
+for ten seconds before attempting to grab the active lock again, but if no
+standby nodes grab the active lock in the interim, the same node may become the
+active node again. Requires a token with `root` policy or `sudo` capability on
+the path.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `PUT`  | `/sys/step-down` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request PUT \
+    http://127.0.0.1:8200/v1/sys/step-down
+```
diff --git a/website/pages/api-docs/system/storage/index.mdx b/website/pages/api-docs/system/storage/index.mdx
new file mode 100644
index 000000000000..78daec5f1910
--- /dev/null
+++ b/website/pages/api-docs/system/storage/index.mdx
@@ -0,0 +1,10 @@
+---
+layout: api
+page_title: /sys/storage - HTTP API
+sidebar_title: <code>/sys/storage </code>
+description: |-
+
+  The '/sys/storage' endpoints are used to manage Vault's storage backends.
+---
+
+This API sub-section is currently only used to manage [Raft](raft.html) storage backend.
diff --git a/website/pages/api-docs/system/storage/raft.mdx b/website/pages/api-docs/system/storage/raft.mdx
new file mode 100644
index 000000000000..efcfade0e85e
--- /dev/null
+++ b/website/pages/api-docs/system/storage/raft.mdx
@@ -0,0 +1,195 @@
+---
+layout: api
+page_title: /sys/storage/raft - HTTP API
+sidebar_title: <code>/sys/storage/raft</code>
+description: |-
+
+  The `/sys/storage/raft` endpoints are used to manage Vault's Raft storage
+  backend.
+---
+
+## Join a Raft cluster
+
+This endpoint joins a new server node to the Raft cluster. When using Shamir
+seal, as soon as the Vault server is brought up, this API should be invoked
+instead of `sys/init`. This API completes in 2 phases. Once this is invoked,
+the joining node will receive a challenge from the Raft's leader node. This
+challenge can be answered by the joining node only after a successful unseal.
+Hence, the joining node should be unsealed using the unseal keys of the Raft's
+leader node.
+
+| Method | Path                     |
+| :----- | :----------------------- |
+| `POST` | `/sys/storage/raft/join` |
+
+### Parameters
+
+- `leader_api_addr` `(string: <required>)` – Address of the leader node in the
+  Raft cluster to which this node is trying to join.
+
+- `retry` `(bool: false)` - Retry joining the Raft cluster in case of
+  failures.
+
+- `leader_ca_cert` `(string: "")` - CA certificate used to communicate with
+  Raft's leader node.
+
+- `leader_client_cert` `(string: "")` - Client certificate used to communicate
+  with Raft's leader node.
+
+- `leader_client_key` `(string: "")` - Client key used to communicate with
+  Raft's leader node.
+
+### Sample Payload
+
+```json
+{
+  "leader_api_addr": "https://127.0.0.1:8200",
+  "leader_ca_cert": "-----BEGIN CERTIFICATE-----\nMIIDKTCCAhGgAwIBAgIUcd+Uyk1Tz+FhcbYP0zmynlkARoEwDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE5MDYyNDIyMjgzNVoXDTE5MDYy\nNzIyMjkwNVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdYr6rU\n21vYf7q/cpPigtBchqHvGZvpbA9DZucuUdQ0g4oAXRyShQ8omzmZOmO4A1GI3gqz\nHBePSYl+1IZCwgbPBk2CH7MhlMMINdwoEH6IxFgHNBkNK6GbwnGLyKL0Sym88ly1\n+sPP6+llS8uWNKu5GcObHLysD3Ce6QTt3usDPiw0cxp/KL1EkMi2dT7PvxTsX137\nsEsuQcylltGEtRb67xvFBP8XhQZAEGw+u4S3EmtwWMwZixB45WQhj2Ncz5U0+w8V\ncp9DSqB1QheoGPBBI62jHle05kzG85ZKmLBgHE6HEGS8biIHpannM7dgI0cRH6i2\nF69N0rcbzK+NInUCAwEAAaOBhjCBgzAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0lBBYw\nFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQelJT5fthHdbCyD5zaI4tw\n7mfp8zAfBgNVHSMEGDAWgBSuG6hyoOWoiGvSA3kqwo9DirS+pzASBgNVHREBAf8E\nCDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQCmetSH5w835RbbyHZD8e3ClHzi\n210SrvzWkx3N0JcBOjs47jlLuqVTl0HRr2xMoIkErFbhPDBXARYV8eezhQ6G5M60\n8AwVsG56rCa1l0weK2JfnEWgkwXZ/zbpZ2yNkWatWNSHdlJwGp99JTSriQYNOnMG\nWvBDA8ukoOkIJd/a8+aXZBdUiAcFvlLWmX73pYGTlnQDiIqJvhrlkgCKPvzZqvV+\njtz7kCt9EfT6sN6Xcny7GusRBSs+XfEe8u10+mbud+ufE/QSJ2D3tTYrS6eGqpVD\nrezD8jS9PfZgQfHXVaphMADyw4flaSVxfJ/ZRFxXql3oJSuj02+VX6QsXex+\n-----END CERTIFICATE-----",
+  "leader_client_cert": "-----BEGIN CERTIFICATE-----\nMIIDNTCCAh2gAwIBAgIULkPFG+qu7tGv21Plc1sg4eGbMPkwDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE5MDYyNDIyMjgwNVoXDTI5MDYy\nMTIyMjgzNVowFDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAwszD+A5vWD8S1N632ElHA5Px2dk97wJBKNYc/7RPNptn\n+EOmMTXPfuA3LB92FoSMCR7ye3wvSTzyK9nqafS7U2tlOF4PJrJoNZyzrVwBVLXg\n7Pd8qQxnxbonc3bscWZuEfbFsugkPHgBtnSkyCffXKhhwM5LbJqmK5cfJRZZ0eRy\nwmOCQCJ8ZmN2KfjHiGSEw9v19CNtvFNLyfiTZZLO9M5n4dgainZZCs+vdKD7tSJf\nycwWiZ4ezOwLMIgxdbLYKVglbZsPcMVVPLTskmY8WiHUM6sy3HAbFQn20Rj7JGE6\nldR3NX80YtCMt8/d+xzBfxu4x8juxHCgZFGt3nUS0wIDAQABo38wfTAOBgNVHQ8B\nAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUrhuocqDlqIhr0gN5\nKsKPQ4q0vqcwHwYDVR0jBBgwFoAUrhuocqDlqIhr0gN5KsKPQ4q0vqcwGgYDVR0R\nBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBRno9NOaat\n8g1ma/6OxP1JUt1VRao4+t2GQTCJ697d2SmpHr8CYanMPog+QhDj/lderA/oS0V3\n2jruH9CyH0smFMIsLBZpnRIwdhTISbIXdU3Uvcd6nne/f7LiUUmqf8YS9SHxWPFq\nI72QvtPrsjYKCZwJsHZe071lYScjrjGnlUhhbrug2g6/ZMHJ7mndGE022zMn/XD/\njrrKE6fCDCjJ4PRrta7+G7BvsFHqMSQ+2/947TGohxW69cbNyDeiQVDQ5mpJUy2b\nnOCVVnq0nafSuvBTHCCLxjd7f+9TiB/B3qT8GA9V6LANDSdQ15MRIhpup/yosmqX\nl5goCY/j3bDh\n-----END CERTIFICATE-----",
+  "leader_client_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAp1ivqtTbW9h/ur9yk+KC0FyGoe8Zm+lsD0Nm5y5R1DSDigBd\nHJKFDyibOZk6Y7gDUYjeCrMcF49JiX7UhkLCBs8GTYIfsyGUwwg13CgQfojEWAc0\nGQ0roZvCcYvIovRLKbzyXLX6w8/r6WVLy5Y0q7kZw5scvKwPcJ7pBO3e6wM+LDRz\nGn8ovUSQyLZ1Ps+/FOxfXfuwSy5BzKWW0YS1FvrvG8UE/xeFBkAQbD67hLcSa3BY\nzBmLEHjlZCGPY1zPlTT7DxVyn0NKoHVCF6gY8EEjraMeV7TmTMbzlkqYsGAcTocQ\nZLxuIgelqeczt2AjRxEfqLYXr03StxvMr40idQIDAQABAoIBAHCOhhkw8hnklITX\nIAm34KSklylz2JW1eqkJfL0huogwigjYFciSBE0d0sn69fr8Wb8Nf8tSjSKLjbqd\nQ/TKEhbiSCr5yriBbb2AWDmr+OwisW1D6xaudRpN2Yrlqh1wkt2P6LPS8sehodtp\n9oEIloSqC1o1ii6czAXD3JckJzuJ66yoVyCo2oVC3NETujjJRhdRcNY0dYUGx47M\n+hQo7b4s79wlMFmccrgyJcKI7Ra3DtMrBIaVXm4WcjX2x4DduZX6L4mfG83uLWng\nhbvcEPKGamUErjPGYixKE5XOwgJT6Nzq/ZZJZpok6DbHBCtqvwwByWlfLzh8lc4o\nz+Pl5EECgYEA3pJXRM+SdVUCnWIpMFOAiNstOwz3nm0/c8GDdYYNq0ere1tKCVV0\nii+ujMQY8vEdRrp7fbqJEPJANyI6sM4Jc2nxMveFuBoEsEClZuE4KBFquW8CQU4R\nGNkzKF1W0GaTI5O4QDUag+lFG6TPCwZiejTIkt65o5bnSzGLgdC546sCgYEAwHr9\nlq9HytWkV9OLz0zbcAUEIrFAljnC32Mybsj8LzdSKIZ3wErf9Txh8zqZqMyhedxL\nOn17cpJAq5Vi71uXOaxnhkf7TPuRs8nBRRJfgyNHPXuXLkuWeuvXEe/PIC+nvOIX\nas0Ab0Pvx0fRGl4EkZ2pV9oDAEUezbVVZCoO8l8CgYEAp4p3YNfzwpj0d+5tXPBu\ngBakzJ+tQjewnP1dbLk1TuqLXjdQ2wfVyzOrbFEtCquPwy8bSICDLxt8VURR88eU\n+6kTJK+InBYR029GUtRUhmzd7qpugyQ14IOXa9ofQI8GUbCf8M1IoWWWXQHJzN3I\ngX98QHqiOU+d2k94WYb6dzMCgYA3E7p2oMdZShLRss3hzqtH/Zd2WeQSWIrjox3u\nR4Kp/Bl9UST5GDPHl7SrhcwsWgmmthusq/VkDmeE8aUyurGmJigla3mESMQjfwrX\nue8sti6PcEsNS0HPAKc1EbriCeDkkomC3RBPxk/ZZTp3YgnKpSOs6MxNCnpLAKVj\nmQlX3wKBgQCFYyYJdCKMoaoMrNjMM34sAfTqmZT4Hbxg9KM4OMDSxyvIi0ZaVcnB\nkzssvt0FOMucp4o7h8Iujt8xsgnBHwg81IV7WOw+ZwpUDAzgVc7+kCU6CLd2Q40j\n5uFnuRgiWeGm1aT4arNLWlJrDLSGbyrf59SlGJV1hmu/7SMaYIZHSQ==\n-----END RSA PRIVATE KEY-----"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/storage/raft/join
+```
+
+**Note:** Unseal the joining node immediately after this API is invoked.
+
+## Read Raft Configuration
+
+This endpoint returns the details of all the nodes in the raft cluster.
+
+| Method | Path                              |
+| :----- | :-------------------------------- |
+| `GET`  | `/sys/storage/raft/configuration` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/storage/raft/configuration
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "ca4b5a1d-38d6-e27e-e756-269521328a15",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "config": {
+      "index": 24,
+      "servers": [
+        {
+          "address": "127.0.0.1:8201",
+          "leader": true,
+          "node_id": "raft1",
+          "protocol_version": "\u0003",
+          "voter": true
+        },
+        {
+          "address": "127.0.0.2:8201",
+          "leader": false,
+          "node_id": "raft2",
+          "protocol_version": "\u0003",
+          "voter": true
+        }
+      ]
+    }
+  },
+  "warnings": null
+}
+```
+
+## Remove a node from Raft cluster
+
+This endpoint removes a node from the raft cluster.
+
+| Method | Path                            |
+| :----- | :------------------------------ |
+| `POST` | `/sys/storage/raft/remove-peer` |
+
+### Sample Payload
+
+```json
+{
+  "server_id": "raft1"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/storage/raft/remove-peer
+```
+
+## Take a snapshot of the Raft cluster
+
+This endpoint returns a snapshot of the current state of the raft cluster. The
+snapshot is returned as binary data and should be redirected to a file.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `GET`  | `/sys/storage/raft/snapshot` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot > raft.snap
+```
+
+## Restore Raft using a snapshot
+
+Installs the provided snapshot, returning the cluster to the state defined in it.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/sys/storage/raft/snapshot` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    -- data-binary @raft.snap
+    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot
+```
+
+## Force Restore Raft using a snapshot
+
+Installs the provided snapshot, returning the cluster to the state defined in
+it. This is same as writing to `/sys/storage/raft/snapshot` except that this
+bypasses checks ensuring the Autounseal or shamir keys are consistent with the
+snapshot data.
+
+| Method | Path                               |
+| :----- | :--------------------------------- |
+| `POST` | `/sys/storage/raft/snapshot-force` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data-binary @raft.snap
+    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-force
+```
diff --git a/website/pages/api-docs/system/tools.mdx b/website/pages/api-docs/system/tools.mdx
new file mode 100644
index 000000000000..25f2ca55ecb2
--- /dev/null
+++ b/website/pages/api-docs/system/tools.mdx
@@ -0,0 +1,106 @@
+---
+layout: api
+page_title: /sys/tools - HTTP API
+sidebar_title: <code>/sys/tools</code>
+description: This is the API documentation for a general set of crypto  tools.
+---
+
+# `/sys/tools`
+
+The `/sys/tools` endpoints are a general set of tools.
+
+## Generate Random Bytes
+
+This endpoint returns high-quality random bytes of the specified length.
+
+| Method | Path                         |
+| :----- | :--------------------------- |
+| `POST` | `/sys/tools/random(/:bytes)` |
+
+### Parameters
+
+- `bytes` `(int: 32)` – Specifies the number of bytes to return. This value can
+  be specified either in the request body, or as a part of the URL.
+
+- `format` `(string: "base64")` – Specifies the output encoding. Valid options
+  are `hex` or `base64`.
+
+### Sample Payload
+
+```json
+{
+  "format": "hex"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/tools/random/164
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "random_bytes": "dGhlIHF1aWNrIGJyb3duIGZveAo="
+  }
+}
+```
+
+## Hash Data
+
+This endpoint returns the cryptographic hash of given data using the specified
+algorithm.
+
+| Method | Path                           |
+| :----- | :----------------------------- |
+| `POST` | `/sys/tools/hash(/:algorithm)` |
+
+### Parameters
+
+- `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
+  can also be specified as part of the URL. Currently-supported algorithms are:
+
+  - `sha2-224`
+  - `sha2-256`
+  - `sha2-384`
+  - `sha2-512`
+
+- `input` `(string: <required>)` – Specifies the **base64 encoded** input data.
+
+- `format` `(string: "hex")` – Specifies the output encoding. This can be either
+  `hex` or `base64`.
+
+### Sample Payload
+
+```json
+{
+  "input": "adba32=="
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/tools/hash/sha2-512
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "sum": "dGhlIHF1aWNrIGJyb3duIGZveAo="
+  }
+}
+```
diff --git a/website/pages/api-docs/system/unseal.mdx b/website/pages/api-docs/system/unseal.mdx
new file mode 100644
index 000000000000..c3db580a4dbf
--- /dev/null
+++ b/website/pages/api-docs/system/unseal.mdx
@@ -0,0 +1,81 @@
+---
+layout: api
+page_title: /sys/unseal - HTTP API
+sidebar_title: <code>/sys/unseal</code>
+description: The `/sys/unseal` endpoint is used to unseal the Vault.
+---
+
+# `/sys/unseal`
+
+The `/sys/seal-unseal` endpoint is used to unseal the Vault.
+
+## Submit Unseal Key
+
+This endpoint is used to enter a single master key share to progress the
+unsealing of the Vault. If the threshold number of master key shares is reached,
+Vault will attempt to unseal the Vault. Otherwise, this API must be called
+multiple times until that threshold is met.
+
+Either the `key` or `reset` parameter must be provided; if both are provided,
+`reset` takes precedence.
+
+| Method | Path          |
+| :----- | :------------ |
+| `PUT`  | `/sys/unseal` |
+
+### Parameters
+
+- `key` `(string: "")` – Specifies a single master key share. This is required
+  unless `reset` is true.
+
+- `reset` `(bool: false)` – Specifies if previously-provided unseal keys are
+  discarded and the unseal process is reset.
+
+- `migrate` `(bool: false)` - Available in 1.0 - Used to migrate the seal
+  from shamir to autoseal or autoseal to shamir. Must be provided on all unseal
+  key calls.
+
+### Sample Payload
+
+```json
+{
+  "key": "abcd1234..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request PUT \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/unseal
+```
+
+### Sample Response
+
+The "t" parameter is the threshold, and "n" is the number of shares.
+
+```json
+{
+  "sealed": true,
+  "t": 3,
+  "n": 5,
+  "progress": 2,
+  "version": "0.6.2"
+}
+```
+
+Sample response when Vault is unsealed.
+
+```json
+{
+  "sealed": false,
+  "t": 3,
+  "n": 5,
+  "progress": 0,
+  "version": "0.6.2",
+  "cluster_name": "vault-cluster-d6ec3c7f",
+  "cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8"
+}
+```
diff --git a/website/pages/api-docs/system/wrapping-lookup.mdx b/website/pages/api-docs/system/wrapping-lookup.mdx
new file mode 100644
index 000000000000..1ea84897b51f
--- /dev/null
+++ b/website/pages/api-docs/system/wrapping-lookup.mdx
@@ -0,0 +1,59 @@
+---
+layout: api
+page_title: /sys/wrapping/lookup - HTTP API
+sidebar_title: <code>/sys/wrapping/lookup</code>
+description: The `/sys/wrapping/lookup` endpoint returns wrapping token properties.
+---
+
+# `/sys/wrapping/lookup`
+
+The `/sys/wrapping/lookup` endpoint returns wrapping token properties.
+
+## Wrapping Lookup
+
+This endpoint looks up wrapping properties for the given token.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/sys/wrapping/lookup` |
+
+### Parameters
+
+- `token` `(string: <required>)` – Specifies the wrapping token ID.
+
+### Sample Payload
+
+```json
+{
+  "token": "abcd1234"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/wrapping/lookup
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "481320f5-fdf8-885d-8050-65fa767fd19b",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "creation_path": "sys/wrapping/wrap",
+    "creation_time": "2016-09-28T14:16:13.07103516-04:00",
+    "creation_ttl": 300
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
diff --git a/website/pages/api-docs/system/wrapping-rewrap.mdx b/website/pages/api-docs/system/wrapping-rewrap.mdx
new file mode 100644
index 000000000000..3a717cc423b4
--- /dev/null
+++ b/website/pages/api-docs/system/wrapping-rewrap.mdx
@@ -0,0 +1,65 @@
+---
+layout: api
+page_title: /sys/wrapping/rewrap - HTTP API
+sidebar_title: <code>/sys/wrapping/rewrap</code>
+description: >-
+  The `/sys/wrapping/rewrap` endpoint can be used to rotate a wrapping token and
+  refresh its TTL.
+---
+
+# `/sys/wrapping/rewrap`
+
+The `/sys/wrapping/rewrap` endpoint can be used to rotate a wrapping token and
+refresh its TTL.
+
+## Wrapping Rewrap
+
+This endpoint rewraps a response-wrapped token. The new token will use the same
+creation TTL as the original token and contain the same response. The old token
+will be invalidated. This can be used for long-term storage of a secret in a
+response-wrapped token when rotation is a requirement.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/sys/wrapping/rewrap` |
+
+### Parameters
+
+- `token` `(string: <required>)` – Specifies the wrapping token ID.
+
+### Sample Payload
+
+```json
+{
+  "token": "abcd1234..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/wrapping/lookup
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": null,
+  "warnings": null,
+  "wrap_info": {
+    "token": "3b6f1193-0707-ac17-284d-e41032e74d1f",
+    "ttl": 300,
+    "creation_time": "2016-09-28T14:22:26.486186607-04:00",
+    "creation_path": "sys/wrapping/wrap"
+  }
+}
+```
diff --git a/website/pages/api-docs/system/wrapping-unwrap.mdx b/website/pages/api-docs/system/wrapping-unwrap.mdx
new file mode 100644
index 000000000000..059dd36b3738
--- /dev/null
+++ b/website/pages/api-docs/system/wrapping-unwrap.mdx
@@ -0,0 +1,68 @@
+---
+layout: api
+page_title: /sys/wrapping/unwrap - HTTP API
+sidebar_title: <code>/sys/wrapping/unwrap</code>
+description: The `/sys/wrapping/unwrap` endpoint unwraps a wrapped response.
+---
+
+# `/sys/wrapping/unwrap`
+
+The `/sys/wrapping/unwrap` endpoint unwraps a wrapped response.
+
+## Wrapping Unwrap
+
+This endpoint returns the original response inside the given wrapping token.
+Unlike simply reading `cubbyhole/response` (which is deprecated), this endpoint
+provides additional validation checks on the token, returns the original value
+on the wire rather than a JSON string representation of it, and ensures that the
+response is properly audit-logged.
+
+This endpoint can be used by using a wrapping token as the client token in the
+API call, in which case the `token` parameter is not required; or, a different
+token with permissions to access this endpoint can make the call and pass in the
+wrapping token in the `token` parameter. Do _not_ use the wrapping token in both
+locations; this will cause the wrapping token to be revoked but the value to be
+unable to be looked up, as it will basically be a double-use of the token!
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/sys/wrapping/unwrap` |
+
+### Parameters
+
+- `token` `(string: "")` – Specifies the wrapping token ID. This is required if
+  the client token is not the wrapping token. Do not use the wrapping token in
+  both locations.
+
+### Sample Payload
+
+```json
+{
+  "token": "abcd1234..."
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/wrapping/unwrap
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "8e33c808-f86c-cff8-f30a-fbb3ac22c4a8",
+  "lease_id": "",
+  "lease_duration": 2592000,
+  "renewable": false,
+  "data": {
+    "zip": "zap"
+  },
+  "warnings": null
+}
+```
diff --git a/website/pages/api-docs/system/wrapping-wrap.mdx b/website/pages/api-docs/system/wrapping-wrap.mdx
new file mode 100644
index 000000000000..0d745e3709d7
--- /dev/null
+++ b/website/pages/api-docs/system/wrapping-wrap.mdx
@@ -0,0 +1,67 @@
+---
+layout: api
+page_title: /sys/wrapping/wrap - HTTP API
+sidebar_title: <code>/sys/wrapping/wrap</code>
+description: |-
+  The `/sys/wrapping/wrap` endpoint wraps the given values in a
+  response-wrapped token.
+---
+
+# `/sys/wrapping/wrap`
+
+The `/sys/wrapping/wrap` endpoint wraps the given values in a response-wrapped
+token.
+
+## Wrapping Wrap
+
+This endpoint wraps the given user-supplied data inside a response-wrapped
+token.
+
+| Method | Path                 |
+| :----- | :------------------- |
+| `POST` | `/sys/wrapping/wrap` |
+
+### Parameters
+
+- `:any` `(map<string|string>: nil)` – Parameters should be supplied as
+  keys/values in a JSON object. The exact set of given parameters will be
+  contained in the wrapped response.
+
+### Sample Payload
+
+```json
+{
+  "foo": "bar",
+  "zip": "zap"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --header "X-Vault-Wrap-TTL: 60" \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/wrapping/wrap
+```
+
+### Sample Response
+
+```json
+{
+  "request_id": "",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": null,
+  "warnings": null,
+  "wrap_info": {
+    "token": "fb79b9d3-d94e-9eb6-4919-c559311133d6",
+    "ttl": 300,
+    "creation_time": "2016-09-28T14:41:00.56961496-04:00",
+    "creation_path": "sys/wrapping/wrap"
+  }
+}
+```
diff --git a/website/pages/community/index.jsx b/website/pages/community/index.jsx
new file mode 100644
index 000000000000..e0f675bdd41b
--- /dev/null
+++ b/website/pages/community/index.jsx
@@ -0,0 +1,39 @@
+import VerticalTextBlockList from '@hashicorp/react-vertical-text-block-list'
+import SectionHeader from '@hashicorp/react-section-header'
+import Head from 'next/head'
+
+function CommunityPage() {
+  return (
+    <div id="community">
+      <Head>
+        <title key="title">Community | Vault by HashiCorp</title>
+      </Head>
+      <SectionHeader
+        headline="Community"
+        description="Vault is an open source project with a growing community. There are active, dedicated users willing to help you through various mediums."
+        use_h1={true}
+      />
+      <VerticalTextBlockList
+        data={[
+          {
+            header: 'Discussion List',
+            body:
+              '[Vault Community Forum](https://discuss.hashicorp.com/c/vault)'
+          },
+          {
+            header: 'Bug Tracker',
+            body:
+              '[Issue tracker on GitHub](https://github.com/hashicorp/vault/issues) for reporting bugs. Use IRC or the mailing list for general help.'
+          },
+          {
+            header: 'Training',
+            body:
+              '[Paid HashiCorp](https://www.hashicorp.com/training) training courses are available in a city near you. Private training courses are also available.'
+          }
+        ]}
+      />
+    </div>
+  )
+}
+
+export default CommunityPage
diff --git a/website/pages/community/style.css b/website/pages/community/style.css
new file mode 100644
index 000000000000..50c5f1da4c28
--- /dev/null
+++ b/website/pages/community/style.css
@@ -0,0 +1,8 @@
+#community {
+  max-width: var(--site-max-width);
+  margin: 72px auto;
+
+  & .g-section-header {
+    margin-bottom: 100px;
+  }
+}
diff --git a/website/pages/docs/agent/autoauth/index.mdx b/website/pages/docs/agent/autoauth/index.mdx
new file mode 100644
index 000000000000..b05a383d2f9f
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/index.mdx
@@ -0,0 +1,166 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth
+sidebar_title: Auto-Auth
+description: |-
+  Vault Agent's Auto-Auth functionality allows easy and automatic
+  authentication to Vault in a variety of environments.
+---
+
+# Vault Agent Auto-Auth
+
+The Auto-Auth functionality of Vault Agent allows for easy authentication in a
+wide variety of environments.
+
+## Functionality
+
+Auto-Auth consists of two parts: a Method, which is the authentication method
+that should be used in the current environment; and one or more Sinks, which
+are locations where the agent should write a token any time the current token
+value has changed.
+
+When the agent is started with Auto-Auth enabled, it will attempt to acquire a
+Vault token using the configured Method. On failure, it will back off for a
+short while (including some randomness to help prevent thundering herd
+scenarios) and retry. On success, unless the auth method is configured to wrap
+the tokens, it will keep the resulting token renewed until renewal is no longer
+allowed or fails, at which point it will attempt to reauthenticate.
+
+Every time an authentication is successful, the token is written to the
+configured Sinks, subject to their configuration.
+
+## Advanced Functionality
+
+Sinks support some advanced features, including the ability for the written
+values to be encrypted or
+[response-wrapped](/docs/concepts/response-wrapping.html).
+
+Both mechanisms can be used concurrently; in this case, the value will be
+response-wrapped, then encrypted.
+
+### Response-Wrapping Tokens
+
+There are two ways that tokens can be response-wrapped by the agent:
+
+1. By the auth method. This allows the end client to introspect the
+   `creation_path` of the token, helping prevent Man-In-The-Middle (MITM)
+   attacks. However, because the agent cannot then unwrap the token and rewrap
+   it without modifying the `creation_path`, the agent is not able to renew the
+   token; it is up to the end client to renew the token. The agent stays
+   daemonized in this mode since some auth methods allow for reauthentication
+   on certain events.
+
+2. By any of the token sinks. Because more than one sink can be configured, the
+   token must be wrapped after it is fetched, rather than wrapped by Vault as
+   it's being returned. As a result, the `creation_path` will always be
+   `sys/wrapping/wrap`, and validation of this field cannot be used as
+   protection against MITM attacks. However, this mode allows the agent to keep
+   the token renewed for the end client and automatically reauthenticate when
+   it expires.
+
+### Encrypting Tokens
+
+~> This is experimental; if input/output formats change we will make every
+effort to provide backwards compatibility.
+
+Tokens can be encrypted, using a Diffie-Hellman exchange to generate an
+ephemeral key. In this mechanism, the client receiving the token writes a
+generated public key to a file. The sink responsible for writing the token to
+that client looks for this public key and uses it to compute a shared secret
+key, which is then used to encrypt the token via AES-GCM. The nonce, encrypted
+payload, and the sink's public key are then written to the output file, where
+the client can compute the shared secret and decrypt the token value.
+
+~> NOTE: This is not a protection against MITM attacks! The purpose of this
+feature is for forward-secrecy and coverage against bare token values being
+persisted. A MITM that can write to the sink's output and/or client public-key
+input files could attack this exchange.
+
+To help mitigate MITM attacks, additional authenticated data (AAD) can be
+provided to the agent. This data is written as part of the AES-GCM tag and must
+match on both the agent and the client. This of course means that protecting
+this AAD becomes important, but it provides another layer for an attacker to
+have to overcome. For instance, if the attacker has access to the file system
+where the token is being written, but not to read agent configuration or read
+environment variables, this AAD can be generated and passed to the agent and
+the client in ways that would be difficult for the attacker to find.
+
+When using AAD, it is always a good idea for this to be as fresh as possible;
+generate a value and pass it to your client and agent on startup. Additionally,
+agent uses a Trust On First Use model; after it finds a generated public key,
+it will reuse that public key instead of looking for new values that have been
+written.
+
+If writing a client that uses this feature, it will likely be helpful to look
+at the
+[dhutil](https://github.com/hashicorp/vault/blob/master/helper/dhutil/dhutil.go)
+library. This shows the expected format of the public key input and envelope
+output formats.
+
+## Configuration
+
+The top level `auto_auth` block has two configuration entries:
+
+- `method` `(object: required)` - Configuration for the method
+
+- `sinks` `(array of objects: required)` - Configuration for the sinks
+
+### Configuration (Method)
+
+These are common configuration values that live within the `method` block:
+
+- `type` `(string: required)` - The type of the method to use, e.g. `aws`,
+  `gcp`, `azure`, etc. _Note_: when using HCL this can be used as the key for
+  the block, e.g. `method "aws" {...}`.
+
+- `mount_path` `(string: optional)` - The mount path of the method. If not
+  specified, defaults to a value of `auth/<method type>`.
+
+- `namespace` `(string: optional)` - The default namespace path for the mount.
+  If not specified, defaults to the root namespace.
+
+- `wrap_ttl` `(string or integer: optional)` - If specified, the written token
+  will be response-wrapped by the agent. This is more secure than wrapping by
+  sinks, but does not allow the agent to keep the token renewed or
+  automatically reauthenticate when it expires. Rather than a simple string,
+  the written value will be a JSON-encoded
+  [SecretWrapInfo](https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo)
+  structure. Values can be an integer number of seconds or a stringish value
+  like `5m`.
+
+- `config` `(object: required)` - Configuration of the method itself. See the
+  sidebar for information about each method.
+
+### Configuration (Sinks)
+
+These configuration values are common to all Sinks:
+
+- `type` `(string: required)` - The type of the method to use, e.g. `file`.
+  _Note_: when using HCL this can be used as the key for the block, e.g. `sink "file" {...}`.
+
+- `wrap_ttl` `(string or integer: optional)` - If specified, the written token
+  will be response-wrapped by the sink. This is less secure than wrapping by
+  the method, but allows the agent to keep the token renewed and automatically
+  reauthenticate when it expires. Rather than a simple string, the written
+  value will be a JSON-encoded
+  [SecretWrapInfo](https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo)
+  structure. Values can be an integer number of seconds or a stringish value
+  like `5m`.
+
+- `dh_type` `(string: optional)` - If specified, the type of Diffie-Hellman exchange to
+  perform, meaning, which ciphers and/or curves. Currently only `curve25519` is
+  supported.
+
+- `dh_path` `(string: required if dh_type is set)` - The path from which the
+  agent should read the client's initial parameters (e.g. curve25519 public
+  key).
+
+- `aad` `(string: optional)` - If specified, additional authenticated data to
+  use with the AES-GCM encryption of the token. Can be any string, including
+  serialized data.
+
+- `aad_env_var` `(string: optional)` - If specified, AAD will be read from the
+  given environment variable rather than a value in the configuration file.
+
+- `config` `(object: required)` - Configuration of the sink itself. See the
+  sidebar for information about each sink.
diff --git a/website/pages/docs/agent/autoauth/methods/alicloud.mdx b/website/pages/docs/agent/autoauth/methods/alicloud.mdx
new file mode 100644
index 000000000000..1bf4c61822f2
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/alicloud.mdx
@@ -0,0 +1,61 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth AliCloud Method
+sidebar_title: AliCloud
+description: AliCloud Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth AliCloud Method
+
+The `alicloud` method performs authentication against the [AliCloud Auth
+method](https://www.vaultproject.io/docs/auth/alicloud.html).
+
+## Credentials
+
+The Vault agent will use the first credential it can successfully obtain in the following order:
+
+1. [Environment variables](https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/auth/credentials/providers/env.go)
+2. A static credential configuration
+3. Instance metadata (recommended)
+
+Wherever possible, we recommend using instance metadata for credentials. These rotate every hour
+and require no effort on your part to provision, making instance metadata the most secure of the three methods. If
+using instance metadata _and_ a custom `credential_poll_interval`, be sure the frequency is set for
+less than an hour, because instance metadata credentials expire every hour.
+
+Environment variables are given first precedence to provide the ability to quickly override your
+configuration.
+
+## Configuration
+
+### General
+
+- `role` `(string: required)` - The role to authenticate against on Vault.
+
+- `region` `(string: required)` - The AliCloud region in which the Vault agent resides. Example: "us-west-1".
+
+- `credential_poll_interval` `(integer: optional)` - In seconds, how frequently the Vault agent should check for new credentials.
+
+### Optional Static Credential Configuration (Not Preferred)
+
+If instance metadata is not available, you may provide credential information through the parameters below.
+
+- `access_key` `(string: optional)` - The access key to use.
+
+- `secret_key` `(string: optional)` - The secret key to use.
+
+- `access_token` `(string: optional)` - The access token to use.
+
+- `role_arn` `(string: optional)` - The role ARN to use.
+
+- `role_session_name` `(string: optional)` - The role session name to use.
+
+- `role_session_expiration` `(string: optional)` - The role session expiration to use.
+
+- `private_key` `(string: optional)` - The private key to use.
+
+- `public_key_id` `(string: optional)` - The public key ID to use.
+
+- `session_expiration` `(string: optional)` - The session expiration to use.
+
+- `role_name` `(string: optional)` - The role name to use.
diff --git a/website/pages/docs/agent/autoauth/methods/approle.mdx b/website/pages/docs/agent/autoauth/methods/approle.mdx
new file mode 100644
index 000000000000..0df06b73e14f
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/approle.mdx
@@ -0,0 +1,38 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth AppRole Method
+sidebar_title: AppRole
+description: AppRole Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth AppRole Method
+
+The `approle` method reads in a role ID and a secret ID from files and sends
+the values to the [AppRole Auth
+method](https://www.vaultproject.io/docs/auth/approle.html).
+
+The method caches values and it is safe to delete the role ID/secret ID files
+after they have been read. In fact, by default, after reading the secret ID,
+the agent will delete the file. New files or values written at the expected
+locations will be used on next authentication and the new values will be
+cached.
+
+## Configuration
+
+- `role_id_file_path` `(string: required)` - The path to the file with role ID
+
+- `secret_id_file_path` `(string: optional)` - The path to the file with secret
+  ID.
+  If not set, only the `role-id` will be used. \
+  In that case, the AppRole should have `bind_secret_id` set to `false` otherwise Vault Agent wouldn't be able to login.
+
+- `remove_secret_id_file_after_reading` `(bool: optional, defaults to true)` -
+  This can be set to `false` to disable the default behavior of removing the
+  secret ID file after it's been read.
+
+- `secret_id_response_wrapping_path` `(string: optional)` - If set, the value
+  at `secret_id_file_path` will be expected to be a [Response-Wrapping
+  Token](https://www.vaultproject.io/docs/concepts/response-wrapping.html)
+  containing the output of the secret ID retrieval endpoint for the role (e.g.
+  `auth/approle/role/webservers/secret-id`) and the creation path for the
+  response-wrapping token must match the value set here.
diff --git a/website/pages/docs/agent/autoauth/methods/aws.mdx b/website/pages/docs/agent/autoauth/methods/aws.mdx
new file mode 100644
index 000000000000..daf7b9bc258c
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/aws.mdx
@@ -0,0 +1,64 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth AWS Method
+sidebar_title: AWS
+description: AWS Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth AWS Method
+
+The `aws` method performs authentication against the [AWS Auth
+method](https://www.vaultproject.io/docs/auth/aws.html). Both `ec2` and `iam`
+authentication types are supported. If `ec2` is used, the agent will store the
+reauthentication value in memory and use it for reauthenticating, but will not
+persist it to disk.
+
+Due to the complexity of the Trust On First Use (TOFU) model used in the `ec2`
+method, we recommend the `iam` method when possible.
+
+## Credentials
+
+Vault will use the AWS SDK's normal credential chain behavior, which means it
+will use the first valid credentials it finds in the following order:
+
+1. A static credential configuration
+2. Environment variables
+3. A file containing credentials
+4. From any identity services available in its physical environment like container environment variables or role-based instance metadata
+
+Wherever possible, we recommend using identity services (method 4) for credentials.
+These rotate regularly and require no effort on your part to provision, making
+identity services the most secure of the four methods. If using identity services _and_ a custom
+`credential_poll_interval`, be sure the frequency is set low enough to pick up new credentials
+from the physical environment as they become available.
+
+To use identity services, choose the `iam` type and leave the `access_key`, `secret_key`, and `session_token`
+parameters unset in your configuration.
+
+## Configuration
+
+- `type` `(string: required)` - The type of authentication; must be `ec2` or `iam`.
+
+- `role` `(string: required)` - The role to authenticate against on Vault.
+
+- `credential_poll_interval` `(integer: optional)` - In seconds, how frequently the Vault agent should check for new credentials if using the iam type.
+
+- `access_key` `(string: optional)` - When using static credentials, the access key to use.
+
+- `secret_key` `(string: optional)` - When using static credentials, the secret key to use.
+
+- `region` `(string: "us-east-1")` - The region to use for signing the authentication request. The
+  region Agent uses should match that corresponding to
+  [`sts_endpoint`](https://www.vaultproject.io/api/auth/aws/index.html#sts_endpoint),
+  if a custom endpoint has been configured on the Vault server.
+
+- `session_token` `(string: optional)` - The session token to use for authentication, if needed.
+
+- `header_value` `(string: optional)` - If configured in Vault, the value to use for
+  [`iam_server_id_header_value`](https://www.vaultproject.io/api/auth/aws/index.html#iam_server_id_header_value).
+
+## Learn
+
+Refer to the [Vault Agent with
+AWS](https://learn.hashicorp.com/vault/identity-access-management/vault-agent-aws)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/agent/autoauth/methods/azure.mdx b/website/pages/docs/agent/autoauth/methods/azure.mdx
new file mode 100644
index 000000000000..de5d520f8182
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/azure.mdx
@@ -0,0 +1,20 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth Azure Method
+sidebar_title: Azure
+description: Azure Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth Azure Method
+
+The `azure` method reads in Azure instance credentials and uses them to
+authenticate with the [Azure Auth
+method](https://www.vaultproject.io/docs/auth/azure.html). It reads most
+parameters needed for authentication directly from instance information based
+on the value of the `resource` parameter.
+
+## Configuration
+
+- `role` `(string: required)` - The role to authenticate against on Vault
+
+- `resource` `(string: required)` - The resource name to use when getting instance information
diff --git a/website/pages/docs/agent/autoauth/methods/cert.mdx b/website/pages/docs/agent/autoauth/methods/cert.mdx
new file mode 100644
index 000000000000..68fcc2a9941a
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/cert.mdx
@@ -0,0 +1,20 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth Cert Method
+sidebar_title: Cert
+description: Cert Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth Cert Method
+
+The `cert` method uses the configured TLS certificates from the `vault` stanza of
+the agent configuration and takes an optional `name` parameter. There is no option
+to use certificates which differ from those used in the `vault` stanza.
+
+See TLS settings in the [`vault` Stanza](https://vaultproject.io/docs/agent/index.html#vault-stanza)
+
+## Configuration
+
+- `name` `(string: optional)` - The trusted certificate role which should be used
+  when authenticating with TLS. If a `name` is not specified, the auth method will
+  try to authenticate against [all trusted certificates](https://www.vaultproject.io/docs/auth/cert.html#authentication).
diff --git a/website/pages/docs/agent/autoauth/methods/cf.mdx b/website/pages/docs/agent/autoauth/methods/cf.mdx
new file mode 100644
index 000000000000..5b1b725f7ea0
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/cf.mdx
@@ -0,0 +1,20 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth CF Method
+sidebar_title: CF
+description: CF Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth CF Method
+
+The `cf` method performs authentication against the [CF Auth
+method](https://www.vaultproject.io/docs/auth/cf.html).
+
+## Credentials
+
+The Vault agent will use the `CF_INSTANCE_CERT` and `CF_INSTANCE_KEY` env variables to
+construct a valid login call for CF.
+
+## Configuration
+
+- `role` `(string: required)` - The role to authenticate against on Vault.
diff --git a/website/pages/docs/agent/autoauth/methods/gcp.mdx b/website/pages/docs/agent/autoauth/methods/gcp.mdx
new file mode 100644
index 000000000000..2c026a6b3c04
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/gcp.mdx
@@ -0,0 +1,38 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth GCP Method
+sidebar_title: GCP
+description: GCP Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth GCP Method
+
+The `gcp` method performs authentication against the [GCP Auth
+method](https://www.vaultproject.io/docs/auth/gcp.html). Both `gce` and `iam`
+authentication types are supported.
+
+## Credentials
+
+Vault will use the GCP SDK's normal credential chain behavior. You can set a
+static `credentials` value but it is usually not needed. If running on GCE
+using Application Default Credentials, you may need to specify the service
+account and project since ADC does not provide metadata used to automatically
+determine these.
+
+## Configuration
+
+- `type` `(string: required)` - The type of authentication; must be `gce` or `iam`
+
+- `role` `(string: required)` - The role to authenticate against on Vault
+
+- `credentials` `(string: optional)` - When using static credentials, the
+  contents of the JSON credentials file
+
+- `service_account` `(string: optional)` - The service account to use, if it
+  cannot be automatically determined
+
+- `project` `(string: optional)` - The project to use, if it cannot be
+  automatically determined
+
+- `jwt_exp` `(string or int: optional)` - The number of minutes a generated JWT
+  should be valid for when using the `iam` method; defaults to 15 minutes
diff --git a/website/pages/docs/agent/autoauth/methods/index.mdx b/website/pages/docs/agent/autoauth/methods/index.mdx
new file mode 100644
index 000000000000..1a6e3cfc04a0
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/index.mdx
@@ -0,0 +1,10 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth Methods
+sidebar_title: Methods
+description: Methods for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth Methods
+
+Please see the sidebar for available methods and their usage/configuration.
diff --git a/website/pages/docs/agent/autoauth/methods/jwt.mdx b/website/pages/docs/agent/autoauth/methods/jwt.mdx
new file mode 100644
index 000000000000..0edcd5aa393c
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/jwt.mdx
@@ -0,0 +1,20 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth JWT Method
+sidebar_title: JWT
+description: JWT Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth JWT Method
+
+The `jwt` method reads in a JWT from a file and sends it to the [JWT Auth
+method](https://www.vaultproject.io/docs/auth/jwt.html). Since JWTs often have
+limited lifetime, it constantly watches for a new JWT to be written, and when
+found it will immediately ingress this value, delete the file, and use the new
+JWT to perform a reauthentication.
+
+## Configuration
+
+- `path` `(string: required)` - The path to the JWT file
+
+- `role` `(string: required)` - The role to authenticate against on Vault
diff --git a/website/pages/docs/agent/autoauth/methods/kubernetes.mdx b/website/pages/docs/agent/autoauth/methods/kubernetes.mdx
new file mode 100644
index 000000000000..e820a6338b83
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/methods/kubernetes.mdx
@@ -0,0 +1,25 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth Kubernetes Method
+sidebar_title: Kubernetes
+description: Kubernetes Method for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth Kubernetes Method
+
+The `kubernetes` method reads in a Kubernetes service account token from the
+running pod (via `/var/run/secrets/kubernetes.io/serviceaccount/token`) and
+sends it to the [Kubernetes Auth
+method](https://www.vaultproject.io/docs/auth/kubernetes.html).
+
+## Configuration
+
+- `role` `(string: required)` - The role to authenticate against on Vault
+- `token_path` `(string: optional)` - The file path to a custom JWT token to use
+  for authentication. If omitted, the default service account token path is used.
+
+## Learn
+
+Refer to the [Vault Agent with
+Kubernetes](https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/agent/autoauth/sinks/file.mdx b/website/pages/docs/agent/autoauth/sinks/file.mdx
new file mode 100644
index 000000000000..9109b8b4b0f3
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/sinks/file.mdx
@@ -0,0 +1,25 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth File Sink
+sidebar_title: File
+description: File sink for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth File Sink
+
+The `file` sink writes tokens, optionally response-wrapped and/or encrypted, to
+a file. This may be a local file or a file mapped via some other process (NFS,
+Gluster, CIFS, etc.).
+
+Once the sink writes the file, it is up to the client to control lifecycle;
+generally it is best for the client to remove the file as soon as it is seen.
+
+It is also best practice to write the file to a ramdisk, ideally an encrypted
+ramdisk, and use appropriate filesystem permissions. The file is currently
+written with `0640` permissions as default, but can be overridden with the optional
+'mode' setting.
+
+## Configuration
+
+- `path` `(string: required)` - The path to use to write the token file
+- `mode` `(int: optional)` - A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to "0000" to prevent Vault from modifying the file mode
diff --git a/website/pages/docs/agent/autoauth/sinks/index.mdx b/website/pages/docs/agent/autoauth/sinks/index.mdx
new file mode 100644
index 000000000000..810f01156685
--- /dev/null
+++ b/website/pages/docs/agent/autoauth/sinks/index.mdx
@@ -0,0 +1,10 @@
+---
+layout: docs
+page_title: Vault Agent Auto-Auth Sinks
+sidebar_title: Sinks
+description: Sinks for Vault Agent Auto-Auth
+---
+
+# Vault Agent Auto-Auth Sinks
+
+Please see the sidebar for available sinks and their usage/configuration.
diff --git a/website/pages/docs/agent/caching/index.mdx b/website/pages/docs/agent/caching/index.mdx
new file mode 100644
index 000000000000..f42af3ddc8b4
--- /dev/null
+++ b/website/pages/docs/agent/caching/index.mdx
@@ -0,0 +1,239 @@
+---
+layout: docs
+page_title: Vault Agent Caching
+sidebar_title: Caching
+description: |-
+  Vault Agent Caching allows client-side caching of responses containing newly
+  created tokens and responses containing leased secrets generated off of these
+  newly created tokens.
+---
+
+# Vault Agent Caching
+
+Vault Agent Caching allows client-side caching of responses containing newly
+created tokens and responses containing leased secrets generated off of these
+newly created tokens. The renewals of the cached tokens and leases are also
+managed by the agent.
+
+-> **Note:** Vault Agent Caching works best with servers/clusters that are
+running on Vault 1.1 and above due to changes that were introduced
+alongside this feature, such as the exposure of the `orphan` field in token
+creation responses.
+
+## Caching and Renewals
+
+Response caching and renewals are managed by the agent only under these
+specific scenarios.
+
+1. Token creation requests are made through the agent. This means that any
+   login operations performed using various auth methods and invoking the token
+   creation endpoints of the token auth method via the agent will result in the
+   response getting cached by the agent. Responses containing new tokens will
+   be cached by the agent only if the parent token is already being managed by
+   the agent or if the new token is an orphan token.
+
+2. Leased secret creation requests are made through the agent using tokens that
+   are already managed by the agent. This means that any dynamic credentials
+   that are issued using the tokens managed by the agent, will be cached and
+   its renewals are taken care of.
+
+## Using Auto-Auth Token
+
+Vault Agent allows for easy authentication to Vault in a wide variety of
+environments using [Auto-Auth](/docs/agent/autoauth/index.html). By setting the
+`use_auto_auth_token` (see below) configuration, clients will not be required
+to provide a Vault token to the requests made to the agent. When this
+configuration is set, if the request doesn't already bear a token, then the
+auto-auth token will be used to forward the request to the Vault server. This
+configuration will be overridden if the request already has a token attached,
+in which case, the token present in the request will be used to forward the
+request to the Vault server.
+
+## Cache Evictions
+
+The eviction of cache entries pertaining to secrets will occur when the agent
+can no longer renew them. This can happen when the secrets hit their maximum
+TTL or if the renewals result in errors.
+
+Agent does some best-effort cache evictions by observing specific request types
+and response codes. For example, if a token revocation request is made via the
+agent and if the forwarded request to the Vault server succeeds, then agent
+evicts all the cache entries associated with the revoked token. Similarly, any
+lease revocation operation will also be intercepted by the agent and the
+respective cache entries will be evicted.
+
+Note that while agent evicts the cache entries upon secret expirations and upon
+intercepting revocation requests, it is still possible for the agent to be
+completely unaware of the revocations that happen through direct client
+interactions with the Vault server. This could potentially lead to stale cache
+entries. For managing the stale entries in the cache, an endpoint
+`/agent/v1/cache-clear`(see below) is made available to manually evict cache
+entries based on some of the query criteria used for indexing the cache entries.
+
+## Request Uniqueness
+
+In order to detect repeat requests and return cached responses, agent will need
+to have a way to uniquely identify the requests. This computation as it stands
+today takes a simplistic approach (may change in future) of serializing and
+hashing the HTTP request along with all the headers and the request body. This
+hash value is then used as an index into the cache to check if the response is
+readily available. The consequence of this approach is that the hash value for
+any request will differ if any data in the request is modified. This has the
+side-effect of resulting in false negatives if say, the ordering of the request
+parameters are modified. As long as the requests come in without any change,
+caching behavior should be consistent. Identical requests with differently
+ordered request values will result in duplicated cache entries. A heuristic
+assumption that the clients will use consistent mechanisms to make requests,
+thereby resulting in consistent hash values per request is the idea upon which
+the caching functionality is built upon.
+
+## Renewal Management
+
+The tokens and leases are renewed by the agent using the secret renewer that is
+made available via the Vault server's [Go
+API](https://godoc.org/github.com/hashicorp/vault/api#Renewer). Agent performs
+all operations in memory and does not persist anything to storage. This means
+that when the agent is shut down, all the renewal operations are immediately
+terminated and there is no way for agent to resume renewals after the fact.
+Note that shutting down the agent does not indicate revocations of the secrets,
+instead it only means that renewal responsibility for all the valid unrevoked
+secrets are no longer performed by the Vault agent.
+
+### Agent CLI
+
+Agent's listener address will be picked up by the CLI through the
+`VAULT_AGENT_ADDR` environment variable. This should be a complete URL such as
+"http://127.0.0.1:8200".
+
+## API
+
+### Cache Clear
+
+This endpoint clears the cache based on given criteria. To use this
+API, some information on how the agent caches values should be known
+beforehand. Each response that is cached in the agent will be indexed on some
+factors depending on the type of request. Those factors can be the `token` that
+is belonging to the cached response, the `token_accessor` of the token
+belonging to the cached response, the `request_path` that resulted in the
+cached response, the `lease` that is attached to the cached response, the
+`namespace` to which the cached response belongs to, and a few more. This API
+exposes some factors through which associated cache entries are fetched and
+evicted.
+
+| Method | Path                    | Produces               |
+| :----- | :---------------------- | :--------------------- |
+| `POST` | `/agent/v1/cache-clear` | `200 application/json` |
+
+#### Parameters
+
+- `type` `(strings: required)` - The type of cache entries to evict. Valid
+  values are `request_path`, `lease`, `token`, `token_accessor`, and `all`.
+  If the `type` is set to `all`, the _entire cache_ is cleared.
+
+- `value` `(string: required)` - An exact value or the prefix of the value for
+  the `type` selected. This parameter is optional when the `type` is set
+  to `all`.
+
+- `namespace` `(string: optional)` - This is only applicable when the `type` is set to
+  `request_path`. The namespace of which the cache entries to be evicted for
+  the given request path.
+
+### Sample Payload
+
+```json
+{
+  "type": "token",
+  "value": "s.rlNjegSKykWcplOkwsjd8bP9"
+}
+```
+
+### Sample Request
+
+```
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:1234/agent/v1/cache-clear
+```
+
+## Configuration (`cache`)
+
+The top level `cache` block has the following configuration entries:
+
+- `use_auto_auth_token (bool: false)` - If set, the requests made to agent
+  without a Vault token will be forwarded to the Vault server with the
+  auto-auth token attached. If the requests already bear a token, this
+  configuration will be overridden and the token in the request will be used to
+  forward the request to the Vault server.
+
+## Configuration (`listener`)
+
+- `listener` `(array of objects: required)` - Configuration for the listeners.
+
+There can be one or more `listener` blocks at the top level.
+These configuration values are common to all `listener` blocks.
+
+- `type` `(string: required)` - The type of the listener to use. Valid values
+  are `tcp` and `unix`.
+  _Note_: when using HCL this can be used as the key for the block, e.g.
+  `listener "tcp" {...}`.
+
+- `address` `(string: required)` - The address for the listener to listen to.
+  This can either be a URL path when using `tcp` or a file path when using
+  `unix`. For example, `127.0.0.1:8200` or `/path/to/socket`. Defaults to
+  `127.0.0.1:8200`.
+
+- `tls_disable` `(bool: false)` - Specifies if TLS will be disabled.
+
+- `tls_key_file` `(string: optional)` - Specifies the path to the private key
+  for the certificate.
+
+- `tls_cert_file` `(string: optional)` - Specifies the path to the certificate
+  for TLS.
+
+### Example Configuration
+
+An example configuration, with very contrived values, follows:
+
+```javascript
+auto_auth {
+  method {
+    type = "aws"
+    wrap_ttl = 300
+    config = {
+      role = "foobar"
+    }
+  }
+
+  sink {
+    type = "file"
+    config = {
+      path = "/tmp/file-foo"
+    }
+  }
+}
+
+cache {
+  use_auto_auth_token = true
+}
+
+listener "unix" {
+  address = "/path/to/socket"
+  tls_disable = true
+}
+
+listener "tcp" {
+  address = "127.0.0.1:8200"
+  tls_disable = true
+}
+
+vault {
+  address = "http://127.0.0.1:8200"
+}
+```
+
+## Learn
+
+Refer to the [Vault Agent
+Caching](https://learn.hashicorp.com/vault/identity-access-management/agent-caching)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/agent/index.mdx b/website/pages/docs/agent/index.mdx
new file mode 100644
index 000000000000..065e462e2b40
--- /dev/null
+++ b/website/pages/docs/agent/index.mdx
@@ -0,0 +1,180 @@
+---
+layout: docs
+page_title: Vault Agent
+sidebar_title: Vault Agent
+description: |-
+  Vault Agent is a client-side daemon that can be used to perform some Vault
+  functionality automatically.
+---
+
+# Vault Agent
+
+Vault Agent is a client daemon that provides the following features:
+
+- <tt>
+    [Auto-Auth][autoauth]
+  </tt> - Automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.
+- <tt>
+    [Caching][caching]
+  </tt> - Allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens.
+- <tt>
+    [Templating][template]
+  </tt> - Allows rendering of user supplied templates by Vault Agent, using the token generated by the Auto-Auth step.
+  To get help, run:
+
+```text
+$ vault agent -h
+```
+
+## Auto-Auth
+
+Vault Agent allows for easy authentication to Vault in a wide variety of
+environments. Please see the [Auto-Auth docs][autoauth]
+for information.
+
+Auto-Auth functionality takes place within an `auto_auth` configuration stanza.
+
+## Caching
+
+Vault Agent allows client-side caching of responses containing newly created tokens
+and responses containing leased secrets generated off of these newly created tokens.
+Please see the [Caching docs][caching] for information.
+
+## Configuration
+
+These are the currently-available general configuration option:
+
+- `vault` <tt>([vault][vault]: \<optional\>)</tt> - Specifies the remote Vault server the Agent connects to.
+
+- `auto_auth` <tt>([auto_auth][autoauth]: \<optional\>)</tt> - Specifies the method and other options used for Auto-Auth functionality.
+
+- `cache` <tt>([cache][caching]: \<optional\>)</tt> - Specifies options used for Caching functionality.
+
+- `listener` <tt>([listener][listener]: \<optional\>)</tt> - Specifies the addresses and ports on which the Agent will respond to requests.
+
+- `pid_file` `(string: "")` - Path to the file in which the agent's Process ID
+  (PID) should be stored
+
+- `exit_after_auth` `(bool: false)` - If set to `true`, the agent will exit
+  with code `0` after a single successful auth, where success means that a
+  token was retrieved and all sinks successfully wrote it
+
+- `template` <tt>([template][template`]: \<optional\>)</tt> - Specifies options used for templating Vault secrets to files.
+
+### vault Stanza
+
+There can at most be one top level `vault` block and it has the following
+configuration entries:
+
+- `address (string: optional)` - The address of the Vault server. This should
+  be a complete URL such as `https://127.0.0.1:8200`. This value can be
+  overridden by setting the `VAULT_ADDR` environment variable.
+
+- `ca_cert (string: optional)` - Path on the local disk to a single PEM-encoded
+  CA certificate to verify the Vault server's SSL certificate. This value can
+  be overridden by setting the `VAULT_CACERT` environment variable.
+
+- `ca_path (string: optional)` - Path on the local disk to a directory of
+  PEM-encoded CA certificates to verify the Vault server's SSL certificate.
+  This value can be overridden by setting the `VAULT_CAPATH` environment
+  variable.
+
+- `client_cert (string: option)` - Path on the local disk to a single
+  PEM-encoded CA certificate to use for TLS authentication to the Vault server.
+  This value can be overridden by setting the `VAULT_CLIENT_CERT` environment
+  variable.
+
+- `client_key (string: option)` - Path on the local disk to a single
+  PEM-encoded private key matching the client certificate from `client_cert`.
+  This value can be overridden by setting the `VAULT_CLIENT_KEY` environment
+  variable.
+
+- `tls_skip_verify (string: optional)` - Disable verification of TLS
+  certificates. Using this option is highly discouraged as it decreases the
+  security of data transmissions to and from the Vault server. This value can
+  be overridden by setting the `VAULT_SKIP_VERIFY` environment variable.
+
+- `tls_server_name (string: optional)` - Name to use as the SNI host when
+  connecting via TLS. This value can be overridden by setting the
+  `VAULT_TLS_SERVER_NAME` environment variable.
+
+### listener Stanza
+
+Agent supports one or more [listener][listener_main] stanzas. In addition to
+the standard listener configuration, an Agent's listener configuration also
+supports an additional optional entry:
+
+- `require_request_header (bool: false)` - Require that all incoming HTTP
+  requests on this listener must have an `X-Vault-Request: true` header entry.
+  Using this option offers an additional layer of protection from Server Side
+  Request Forgery attacks. Requests on the listener that do not have the proper
+  `X-Vault-Request` header will fail, with a HTTP response status code of `412: Precondition Failed`.
+
+## Example Configuration
+
+An example configuration, with very contrived values, follows:
+
+```python
+pid_file = "./pidfile"
+
+vault {
+        address = "https://127.0.0.1:8200"
+}
+
+auto_auth {
+        method "aws" {
+                mount_path = "auth/aws-subaccount"
+                config = {
+                        type = "iam"
+                        role = "foobar"
+                }
+        }
+
+        sink "file" {
+                config = {
+                        path = "/tmp/file-foo"
+                }
+        }
+
+        sink "file" {
+                wrap_ttl = "5m"
+                aad_env_var = "TEST_AAD_ENV"
+                dh_type = "curve25519"
+                dh_path = "/tmp/file-foo-dhpath2"
+                config = {
+                        path = "/tmp/file-bar"
+                }
+        }
+}
+
+cache {
+        use_auto_auth_token = true
+}
+
+listener "unix" {
+         address = "/path/to/socket"
+         tls_disable = true
+}
+
+listener "tcp" {
+         address = "127.0.0.1:8100"
+         tls_disable = true
+}
+
+template {
+  source      = "/etc/vault/server.key.ctmpl"
+  destination = "/etc/vault/server.key"
+}
+
+template {
+  source      = "/etc/vault/server.crt.ctmpl"
+  destination = "/etc/vault/server.crt"
+}
+```
+
+[vault]: /docs/agent/index.html#vault-stanza
+[autoauth]: /docs/agent/autoauth/index.html
+[caching]: /docs/agent/caching/index.html
+[template]: /docs/agent/template/index.html
+[listener]: /docs/agent/index.html#listener-stanza
+[listener_main]: /docs/configuration/listener/tcp.html
diff --git a/website/pages/docs/agent/template/index.mdx b/website/pages/docs/agent/template/index.mdx
new file mode 100644
index 000000000000..5e9873e77bfb
--- /dev/null
+++ b/website/pages/docs/agent/template/index.mdx
@@ -0,0 +1,122 @@
+---
+layout: docs
+page_title: Vault Agent Template
+sidebar_title: Templates
+description: >-
+  Vault Agent's Template functionality allows Vault secrets to be rendered to
+  files 
+
+  using Consul Template markup.
+---
+
+# Vault Agent Templates
+
+Vault Agent's Template functionality allows Vault secrets to be rendered to files
+using [Consul Template markup](https://github.com/hashicorp/consul-template#templating-language).
+
+## Functionality
+
+The `template` stanza configures the templating engine in the Vault agent for rendering
+secrets to files using Consul Template markup language. Multiple `template` stanzas
+can be defined to render multiple files.
+
+When the agent is started with templating enabled, it will attempt to acquire a
+Vault token using the configured Method. On failure, it will back off for a short
+while (including some randomness to help prevent thundering herd scenarios) and
+retry. On success, secrets defined in the templates will be retrieved from Vault and
+rendered locally.
+
+## Configuration
+
+The top level `template` block has multiple configurations entries:
+
+- `source` `(object: optional)` - Path on disk to use as the input template. This
+  option is required if not using the `contents` option.
+- `destination` `(object: required)` - Path on disk where the rendered secrets should
+  be created. If the parent directories If the parent directories do not exist, Vault
+  Agent will attempt to create them, unless `create_dest_dirs` is false.
+- `create_dest_dirs` `(object: required)` - This option tells Vault Agent to create
+  the parent directories of the destination path if they do not exist. The default
+  value is true.
+- `contents` `(object: optional)` - This option allows embedding the contents of
+  a template in the configuration file rather then supplying the `source` path to
+  the template file. This is useful for short templates. This option is mutually
+  exclusive with the `source` option.
+- `command` `(object: optional)` - This is the optional command to run when the
+  template is rendered. The command will only run if the resulting template changes.
+  The command must return within 30s (configurable), and it must have a successful
+  exit code. Vault Agent is not a replacement for a process monitor or init system.
+- `command_timeout` `(object: optional)` - This is the maximum amount of time to
+  wait for the optional command to return. Default is 30s.
+- `error_on_missing_key` `(object: optional)` - Exit with an error when accessing
+  a struct or map field/key that does notexist. The default behavior will print `<no value>`
+  when accessing a field that does not exist. It is highly recommended you set this
+  to "true".
+- `perms` `(object: optional)` - This is the permission to render the file. If
+  this option is left unspecified, Vault Agent will attempt to match the permissions
+  of the file that already exists at the destination path. If no file exists at that
+  path, the permissions are 0644.
+- `backup` `(object: optional)` - This option backs up the previously rendered template
+  at the destination path before writing a new one. It keeps exactly one backup.
+  This option is useful for preventing accidental changes to the data without having
+  a rollback strategy.
+- `left_delimiter` `(object: optional)` - Delimiter to use in the template. The
+  default is "{{" but for some templates, it may be easier to use a different
+  delimiter that does not conflict with the output file itself.
+- `right_delimiter` `(object: optional)` - Delimiter to use in the template. The
+  default is "}}" but for some templates, it may be easier to use a different
+  delimiter that does not conflict with the output file itself.
+- `sandbox_path` `(object: optional)` - If a sandbox path is provided, any path
+  provided to the `file` function is checked that it falls within the sandbox path.
+  Relative paths that try to traverse outside the sandbox path will exit with an error.
+- `wait` `(object: required)` - This is the `minimum(:maximum)` to wait before rendering
+  a new template to disk and triggering a command, separated by a colon (`:`).
+
+## Example Template
+
+Template with Vault Agent requires the use of the `secret` [function from Consul Template](https://github.com/hashicorp/consul-template#secret).  
+The following is an example of a template that retrieves a generic secret from Vault's
+KV store:
+
+```
+{{ with secret "secret/my-secret" }}
+{{ .Data.data.foo }}
+{{ end }}
+```
+
+## Example Configuration
+
+The following demonstrates configuring Vault Agent to template secrets using the
+AppRole Auth method:
+
+```python
+pid_file = "./pidfile"
+
+vault {
+  address = "https://127.0.0.1:8200"
+}
+
+auto_auth {
+  method {
+    type      = "approle"
+
+    config = {
+      role_id_file_path = "/etc/vault/roleid"
+      secret_id_file_path = "/etc/vault/secretid"
+    }
+  }
+
+  sink {
+    type = "file"
+
+    config = {
+      path = "/tmp/file-foo"
+    }
+  }
+}
+
+template {
+  source      = "/tmp/agent/template.ctmpl"
+  destination = "/tmp/agent/render.txt"
+}
+```
diff --git a/website/pages/docs/audit/file.mdx b/website/pages/docs/audit/file.mdx
new file mode 100644
index 000000000000..e3e38ecd0f65
--- /dev/null
+++ b/website/pages/docs/audit/file.mdx
@@ -0,0 +1,75 @@
+---
+layout: docs
+page_title: File - Audit Devices
+sidebar_title: File
+description: The "file" audit device writes audit logs to a file.
+---
+
+# File Audit Device
+
+The `file` audit device writes audit logs to a file. This is a very simple audit
+device: it appends logs to a file.
+
+The device does not currently assist with any log rotation. There are very
+stable and feature-filled log rotation tools already, so we recommend using
+existing tools.
+
+Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
+and re-open their underlying file, which can assist with log rotation needs.
+
+## Examples
+
+Enable at the default path:
+
+```text
+$ vault audit enable file file_path=/var/log/vault_audit.log
+```
+
+Enable at a different path. It is possible to enable multiple copies of an audit
+device:
+
+```text
+$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
+```
+
+Enable logs on stdout. This is useful when running in a container:
+
+```text
+$ vault audit enable file file_path=stdout
+```
+
+## Configuration
+
+Note the difference between `audit enable` command options and the `file` backend
+configuration options. Use `vault audit enable -help` to see the command options.
+Following are the configuration options available for the backend.
+
+## Configuration
+
+- `file_path` `(string: <required>)` - The path to where the audit log will be
+  written. If a file already exists at the given path, the audit backend will
+  append to it. There are some special keywords:
+
+  - `stdout` writes the audit log to standard output
+
+  - `discard` writes output (useful in testing scenarios)
+
+- `log_raw` `(bool: false)` - If enabled, logs the security sensitive
+  information without hashing, in the raw format.
+
+- `hmac_accessor` `(bool: true)` - If enabled, enables the hashing of token
+  accessor.
+
+- `mode` `(string: "0600")` - A string containing an octal number representing
+  the bit pattern for the file mode, similar to `chmod`. Set to `"0000"` to
+  prevent Vault from modifying the file mode.
+
+- `format` `(string: "json")` - Allows selecting the output format. Valid values
+  are `"json"` and `"jsonx"`, which formats the normal log entries as XML.
+
+- `prefix` `(string: "")` - A customizable string prefix to write before the
+  actual log line.
+
+## Log File Rotation
+
+To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the `vault` process a signal hang up / `SIGHUP` after each rotation of the log file.
diff --git a/website/pages/docs/audit/index.mdx b/website/pages/docs/audit/index.mdx
new file mode 100644
index 000000000000..4821bedb1694
--- /dev/null
+++ b/website/pages/docs/audit/index.mdx
@@ -0,0 +1,83 @@
+---
+layout: docs
+page_title: Audit Devices
+sidebar_title: Audit Devices
+description: Audit devices are mountable devices that log requests and responses in Vault.
+---
+
+# Audit Devices
+
+Audit devices are the components in Vault that keep a detailed log of all
+requests and response to Vault. Because every operation with Vault is an API
+request/response, the audit log contains _every authenticated_ interaction with
+Vault, including errors.
+
+Multiple audit devices can be enabled and Vault will send the audit logs to
+both. This allows you to not only have a redundant copy, but also a second copy
+in case the first is tampered with.
+
+## Format
+
+Each line in the audit log is a JSON object. The `type` field specifies what
+type of object it is. Currently, only two types exist: `request` and `response`.
+The line contains all of the information for any given request and response. By
+default, all the sensitive information is first hashed before logging in the
+audit logs.
+
+## Sensitive Information
+
+The audit logs contain the full request and response objects for every
+interaction with Vault. The request and response can be matched utilizing a
+unique identifier assigned to each request.
+
+With a few specific exceptions, all strings (including authentication tokens and lease information) contained within requests and
+responses are hashed with a salt using HMAC-SHA256. The purpose of the hash is
+so that secrets aren't in plaintext within your audit logs. However, you're
+still able to check the value of secrets by generating HMACs yourself; this can
+be done with the audit device's hash function and salt by using the
+`/sys/audit-hash` API endpoint (see the documentation for more details).
+
+Note that currently only strings coming from JSON or being returned in JSON are
+HMAC'd. Other data types, like integers, booleans, and so on, are passed
+through in plaintext.
+
+## Enabling/Disabling Audit Devices
+
+When a Vault server is first initialized, no auditing is enabled. Audit
+devices must be enabled by a root user using `vault audit enable`.
+
+When enabling an audit device, options can be passed to it to configure it.
+For example, the command below enables the file audit device:
+
+```text
+$ vault audit enable file file_path=/var/log/vault_audit.log
+```
+
+In the command above, we passed the "file_path" parameter to specify the path
+where the audit log will be written to. Each audit device has its own
+set of parameters. See the documentation to the left for more details.
+
+When an audit device is disabled, it will stop receiving logs immediately.
+The existing logs that it did store are untouched.
+
+## Blocked Audit Devices
+
+If there are any audit devices enabled, Vault requires that at least
+one be able to persist the log before completing a Vault request.
+
+!> If you have only one audit device enabled, and it is blocking (network
+block, etc.), then Vault will be _unresponsive_. Vault **will not** complete
+any requests until the audit device can write.
+
+If you have more than one audit device, then Vault will complete the request
+as long as one audit device persists the log.
+
+Vault will not respond to requests if audit devices are blocked because
+audit logs are critically important and ignoring blocked requests opens
+an avenue for attack. Be absolutely certain that your audit devices cannot
+block.
+
+## API
+
+Audit devices also have a full HTTP API. Please see the [Audit device API
+docs](/api/system/audit.html) for more details.
diff --git a/website/pages/docs/audit/socket.mdx b/website/pages/docs/audit/socket.mdx
new file mode 100644
index 000000000000..8777fdca11f4
--- /dev/null
+++ b/website/pages/docs/audit/socket.mdx
@@ -0,0 +1,54 @@
+---
+layout: docs
+page_title: Socket - Audit Devices
+sidebar_title: Socket
+description: The "socket" audit device writes audit writes to a TCP or UDP socket.
+---
+
+# Socket Audit Device
+
+The `socket` audit device writes to a TCP, UDP, or UNIX socket.
+
+~> **Warning:** Due to the nature of the underlying protocols used in this
+device there exists a case when the connection to a socket is lost a single
+audit entry could be omitted from the logs and the request will still succeed.
+Using this device in conjunction with another audit device will help to improve
+accuracy, but the socket device should not be used if strong guarantees are
+needed for audit logs.
+
+## Enabling
+
+Enable at the default path:
+
+```text
+$ vault audit enable socket
+```
+
+Supply configuration parameters via K=V pairs:
+
+```text
+$ vault audit enable socket address=127.0.0.1:9090 socket_type=tcp
+```
+
+## Configuration
+
+- `address` `(string: "")` - The socket server address to use. Example
+  `127.0.0.1:9090` or `/tmp/audit.sock`.
+
+- `socket_type` `(string: "tcp")` - The socket type to use, any type compatible
+  with <a href="https://golang.org/pkg/net/#Dial">net.Dial</a> is acceptable.
+
+- `log_raw` `(bool: false)` - If enabled, logs the security sensitive
+  information without hashing, in the raw format.
+
+- `hmac_accessor` `(bool: true)` - If enabled, enables the hashing of token
+  accessor.
+
+- `mode` `(string: "0600")` - A string containing an octal number representing
+  the bit pattern for the file mode, similar to `chmod`.
+
+- `format` `(string: "json")` - Allows selecting the output format. Valid values
+  are `"json"` and `"jsonx"`, which formats the normal log entries as XML.
+
+- `prefix` `(string: "")` - A customizable string prefix to write before the
+  actual log line.
diff --git a/website/pages/docs/audit/syslog.mdx b/website/pages/docs/audit/syslog.mdx
new file mode 100644
index 000000000000..7755a4f290d7
--- /dev/null
+++ b/website/pages/docs/audit/syslog.mdx
@@ -0,0 +1,57 @@
+---
+layout: docs
+page_title: Syslog - Audit Devices
+sidebar_title: Syslog
+description: The "syslog" audit device writes audit logs to syslog.
+---
+
+# Syslog Audit Device
+
+The `syslog` audit device writes audit logs to syslog.
+
+It currently does not support a configurable syslog destination, and always
+sends to the local agent. This device is only supported on Unix systems,
+and should not be enabled if any standby Vault instances do not support it.
+
+~> **Warning**: Audit messages generated for some operations can be quite
+large, and can be larger than a [maximum-size single UDP
+packet](https://tools.ietf.org/html/rfc5426#section-3.1). If possible with your
+syslog daemon, configure a TCP listener. Otherwise, consider using a `file`
+backend and having syslog configured to read entries from the file; or, enable
+both `file` and `syslog` so that a failure for a particular message to log
+directly to `syslog` will not result in Vault being blocked.
+
+## Examples
+
+Audit `syslog` device can be enabled by the following command:
+
+```text
+$ vault audit enable syslog
+```
+
+Supply configuration parameters via K=V pairs:
+
+```text
+$ vault audit enable syslog tag="vault" facility="AUTH"
+```
+
+## Configuration
+
+- `facility` `(string: "AUTH")` - The syslog facility to use.
+
+- `tag` `(string: "vault")` - The syslog tag to use.
+
+- `log_raw` `(bool: false)` - If enabled, logs the security sensitive
+  information without hashing, in the raw format.
+
+- `hmac_accessor` `(bool: true)` - If enabled, enables the hashing of token
+  accessor.
+
+- `mode` `(string: "0600")` - A string containing an octal number representing
+  the bit pattern for the file mode, similar to `chmod`.
+
+- `format` `(string: "json")` - Allows selecting the output format. Valid values
+  are `"json"` and `"jsonx"`, which formats the normal log entries as XML.
+
+- `prefix` `(string: "")` - A customizable string prefix to write before the
+  actual log line.
diff --git a/website/pages/docs/auth/alicloud.mdx b/website/pages/docs/auth/alicloud.mdx
new file mode 100644
index 000000000000..7175f1ffa9b7
--- /dev/null
+++ b/website/pages/docs/auth/alicloud.mdx
@@ -0,0 +1,113 @@
+---
+layout: docs
+page_title: AliCloud - Auth Methods
+sidebar_title: AliCloud
+description: The AliCloud auth method allows automated authentication of AliCloud entities.
+---
+
+# AliCloud Auth Method
+
+The `alicloud` auth method provides an automated mechanism to retrieve
+a Vault token for AliCloud entities. Unlike most Vault auth methods, this
+method does not require manual first-deploying, or provisioning
+security-sensitive credentials (tokens, username/password, client certificates,
+etc), by operators. It treats AliCloud as a Trusted Third Party and uses a
+special AliCloud request signed with private credentials. A variety of credentials
+can be used to construct the request, but AliCloud offers
+[instance metadata](https://www.alibabacloud.com/help/faq-detail/49122.htm)
+that's ideally suited for the purpose. By launching an instance with a role,
+the role's STS credentials under instance metadata can be used to securely
+build the request.
+
+## Authentication Workflow
+
+The AliCloud STS API includes a method,
+[`sts:GetCallerIdentity`](https://www.alibabacloud.com/help/doc-detail/43767.htm),
+which allows you to validate the identity of a client. The client signs
+a `GetCallerIdentity` query using the [AliCloud signature
+algorithm](https://www.alibabacloud.com/help/doc-detail/67332.htm). It then
+submits 2 pieces of information to the Vault server to recreate a valid signed
+request: the request URL, and the request headers. The Vault server then
+reconstructs the query and forwards it on to the AliCloud STS service and validates
+the result back.
+
+Importantly, the credentials used to sign the GetCallerIdentity request can come
+from the ECS instance metadata service for an ECS instance, which obviates the
+need for an operator to manually provision some sort of identity material first.
+However, the credentials can, in principle, come from anywhere, not just from
+the locations AliCloud has provided for you.
+
+Each signed AliCloud request includes the current timestamp and a nonce to mitigate
+the risk of replay attacks.
+
+It's also important to note that AliCloud does NOT include any sort
+of authorization around calls to `GetCallerIdentity`. For example, if you have
+a RAM policy on your credential that requires all access to be MFA authenticated,
+non-MFA authenticated credentials will still be able to authenticate to Vault
+using this method. It does not appear possible to enforce a RAM principal to be
+MFA authenticated while authenticating to Vault.
+
+## Authorization Workflow
+
+The basic mechanism of operation is per-role.
+
+Roles are associated with a role ARN that has been pre-created in AliCloud.
+AliCloud's console displays each role's ARN. A role in Vault has a 1:1 relationship
+with a role in AliCloud, and must bear the same name.
+
+When a client assumes that role and sends its `GetCallerIdentity` request to Vault,
+Vault matches the arn of its assumed role with that of a pre-created role in Vault.
+It then checks what policies have been associated with the role, and grants a
+token accordingly.
+
+## Authentication
+
+### Via the CLI
+
+#### Enable AliCloud authentication in Vault.
+
+```
+$ vault auth enable alicloud
+```
+
+#### Configure the policies on the role.
+
+```
+$ vault write auth/alicloud/role/dev-role arn='acs:ram::5138828231865461:role/dev-role'
+```
+
+#### Perform the login operation
+
+```
+$ vault write auth/alicloud/login \
+        role=dev-role \
+        identity_request_url=$IDENTITY_REQUEST_URL_BASE_64 \
+        identity_request_headers=$IDENTITY_REQUEST_HEADERS_BASE_64
+```
+
+For the RAM auth method, generating the signed request is a non-standard
+operation. The Vault CLI supports generating this for you:
+
+```
+$ vault login -method=alicloud access_key=... secret_key=... security_token=... region=...
+```
+
+This assumes you have the AliCloud credentials you would find on an ECS instance using the
+following call:
+
+```
+curl 'http://100.100.100.200/latest/meta-data/ram/security-credentials/$ROLE_NAME'
+```
+
+Please note the `$ROLE_NAME` above is case-sensitive and must be consistent with how it's reflected
+on the instance.
+
+An example of how to generate the required request values for the `login` method
+can be found found in the
+[Vault CLI source code](https://github.com/hashicorp/vault-plugin-auth-alicloud/blob/master/tools/tools.go).
+
+## API
+
+The AliCloud auth method has a full HTTP API. Please see the
+[AliCloud Auth API](/api/auth/alicloud/index.html) for more
+details.
diff --git a/website/pages/docs/auth/app-id.mdx b/website/pages/docs/auth/app-id.mdx
new file mode 100644
index 000000000000..344443b60444
--- /dev/null
+++ b/website/pages/docs/auth/app-id.mdx
@@ -0,0 +1,125 @@
+---
+layout: docs
+page_title: AppID - Auth Methods
+sidebar_title: App ID <sup>DEPRECATED</sup>
+description: The AppID auth method is a mechanism for machines to authenticate with Vault.
+---
+
+# AppID Auth Method
+
+~> **DEPRECATED!** As of Vault 0.6.1, AppID is deprecated in favor of
+[AppRole](/docs/auth/approle.html). AppRole can accommodate the same workflow as
+AppID while enabling much more secure and flexible management and other types
+of authentication workflows. No new features or enhancements are planned for App
+ID, and new users should use AppRole instead of AppID.
+
+The AppID auth method is a mechanism for machines to authenticate with Vault.
+It works by requiring two hard-to-guess unique pieces of information: a unique
+app ID, and a unique user ID.
+
+The goal of this auth method is to allow elastic users (dynamic
+machines, containers, etc.) to authenticate with Vault without having to store
+passwords outside of Vault. It is a single method of solving the
+chicken-and-egg problem of setting up Vault access on a machine. With this
+provider, nobody except the machine itself has access to both pieces of
+information necessary to authenticate. For example: configuration management
+will have the app IDs, but the machine itself will detect its user ID based on
+some unique machine property such as a MAC address (or a hash of it with some
+salt).
+
+An example, real world process for using this provider:
+
+1.  Create unique app IDs (UUIDs work well) and map them to policies. (Path:
+    `map/app-id/<app-id>`)
+
+2.  Store the app IDs within configuration management systems.
+
+3.  An out-of-band process run by security operators map unique user IDs to
+    these app IDs. Example: when an instance is launched, a cloud-init system
+    tells security operators a unique ID for this machine. This process can be
+    scripted, but the key is that it is out-of-band and out of reach of
+    configuration management. (Path: `map/user-id/<user-id>`)
+
+4.  A new server is provisioned. Configuration management configures the app
+    ID, the server itself detects its user ID. With both of these pieces of
+    information, Vault can be accessed according to the policy set by the app
+    ID.
+
+More details on this process follow:
+
+- The app ID is a unique ID that maps to a set of policies. This ID is generated
+  by an operator and configured into the method. The ID itself is usually a
+  UUID-formatted random value, but any hard-to-guess unique value can be used.
+
+- After creating app IDs, an operator authorizes a fixed set of user IDs with
+  each app ID. When a valid {app ID, user ID} tuple is given to the "login"
+  path, then the user is authenticated with the configured app ID policies.
+
+- The user ID can be any value (just like the app ID), however it is generally a
+  value unique to a machine, such as a MAC address or instance ID, or a value
+  hashed from these unique values.
+
+## Authentication
+
+Via the CLI:
+
+```text
+$ vault write auth/app-id/login/:app-id user_id=:user_id
+```
+
+Via the API:
+
+```text
+$ curl \
+    --method POST \
+    --data '{"user_id": ":user_id"}' \
+    http://127.0.0.1:8200/v1/auth/app-id/login/:app_id
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the AppID auth method:
+
+    ```text
+    $ vault auth enable app-id
+    ```
+
+1.  Configure it with the set of AppIDs, user IDs, and the mapping between them:
+
+    ```text
+    $ vault write auth/app-id/map/app-id/foo value=admins display_name=foo
+    # ...
+
+    $ vault write auth/app-id/map/user-id/bar value=foo cidr_block=10.0.0.0/16
+    # ...
+    ```
+
+    This will create an AppID "foo" that associates with the policy "admins".
+    The `display_name` sets the display name for audit logs and secrets. Next,
+    we configure the user ID "bar" and say that the user ID bar can be paired
+    with "foo" but only if the client is in the "10.0.0.0/16" CIDR block. The
+    `cidr_block` configuration is optional.
+
+    This means that if a client authenticates and provide both "foo" and "bar",
+    then the app ID will authenticate that client with the policy "admins".
+
+    In practice, both the user and app ID are likely hard-to-guess UUID-like
+    values.
+
+    Note that it is possible to authorize multiple app IDs with each user ID by
+    writing them as comma-separated values to the user ID mapping:
+
+    ```text
+    $ vault write auth/app-id/map/user-id/bar value=foo,baz cidr_block=10.0.0.0/16
+    # ...
+    ```
+
+## API
+
+The AppID auth method has a full HTTP API. Please see the
+[AppID auth method API](/api/auth/app-id/index.html) for more
+details.
diff --git a/website/pages/docs/auth/approle.mdx b/website/pages/docs/auth/approle.mdx
new file mode 100644
index 000000000000..73c3ba0b7cde
--- /dev/null
+++ b/website/pages/docs/auth/approle.mdx
@@ -0,0 +1,238 @@
+---
+layout: docs
+page_title: AppRole - Auth Methods
+sidebar_title: AppRole
+description: |-
+  The AppRole auth method allows machines and services to authenticate with
+  Vault.
+---
+
+# AppRole Auth Method
+
+The `approle` auth method allows machines or _apps_ to authenticate with
+Vault-defined _roles_. The open design of `AppRole` enables a varied set of
+workflows and configurations to handle large numbers of apps. This auth method
+is oriented to automated workflows (machines and services), and is less useful
+for human operators.
+
+An "AppRole" represents a set of Vault policies and login constraints that must
+be met to receive a token with those policies. The scope can be as narrow or
+broad as desired. An AppRole can be created for a particular machine, or even
+a particular user on that machine, or a service spread across machines. The
+credentials required for successful login depend upon the constraints set on
+the AppRole associated with the credentials.
+
+## Authentication
+
+### Via the CLI
+
+The default path is `/approle`. If this auth method was enabled at a different
+path, specify `auth/my-path/login` instead.
+
+```text
+$ vault write auth/approle/login \
+    role_id=db02de05-fa39-4855-059b-67221c5c2f63 \
+    secret_id=6a174c20-f6de-a53c-74d2-6018fcceff64
+
+Key                Value
+---                -----
+token              65b74ffd-842c-fd43-1386-f7d7006e520a
+token_accessor     3c29bc22-5c72-11a6-f778-2bc8f48cea0e
+token_duration     20m0s
+token_renewable    true
+token_policies     [default]
+```
+
+### Via the API
+
+The default endpoint is `auth/approle/login`. If this auth method was enabled
+at a different path, use that value instead of `approle`.
+
+```sh
+$ curl \
+    --request POST \
+    --data '{"role_id":"988a9df-...","secret_id":"37b74931..."}' \
+    http://127.0.0.1:8200/v1/auth/approle/login
+```
+
+The response will contain the token at `auth.client_token`:
+
+```json
+{
+  "auth": {
+    "renewable": true,
+    "lease_duration": 2764800,
+    "metadata": {},
+    "policies": ["default", "dev-policy", "test-policy"],
+    "accessor": "5d7fb475-07cb-4060-c2de-1ca3fcbf0c56",
+    "client_token": "98a4c7ab-b1fe-361b-ba0b-e307aacfd587"
+  }
+}
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+### Via the CLI
+
+1. Enable the AppRole auth method:
+
+   ```text
+   $ vault auth enable approle
+   ```
+
+1. Create a named role:
+
+   ```text
+   $ vault write auth/approle/role/my-role \
+       secret_id_ttl=10m \
+       token_num_uses=10 \
+       token_ttl=20m \
+       token_max_ttl=30m \
+       secret_id_num_uses=40
+   ```
+
+   For the complete list of configuration options, please see the API
+   documentation.
+
+1. Fetch the RoleID of the AppRole:
+
+   ```text
+   $ vault read auth/approle/role/my-role/role-id
+   role_id     db02de05-fa39-4855-059b-67221c5c2f63
+   ```
+
+1. Get a SecretID issued against the AppRole:
+
+   ```text
+   $ vault write -f auth/approle/role/my-role/secret-id
+   secret_id               6a174c20-f6de-a53c-74d2-6018fcceff64
+   secret_id_accessor      c454f7e5-996e-7230-6074-6ef26b7bcf86
+   ```
+
+### Via the API
+
+1. Enable the AppRole auth method:
+
+   ```sh
+   $ curl \
+       --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type": "approle"}' \
+       http://127.0.0.1:8200/v1/sys/auth/approle
+   ```
+
+1. Create an AppRole with desired set of policies:
+
+   ```sh
+   $ curl \
+       --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"policies": "dev-policy,test-policy"}' \
+       http://127.0.0.1:8200/v1/auth/approle/role/my-role
+   ```
+
+1. Fetch the identifier of the role:
+
+   ```sh
+   $ curl \
+       --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
+   ```
+
+   The response will look like:
+
+   ```json
+   {
+     "data": {
+       "role_id": "988a9dfd-ea69-4a53-6cb6-9d6b86474bba"
+     }
+   }
+   ```
+
+1. Create a new secret identifier under the role:
+
+   ```sh
+   $ curl \
+       --header "X-Vault-Token: ..." \
+       --request POST \
+        http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
+   ```
+
+   The response will look like:
+
+   ```json
+   {
+     "data": {
+       "secret_id_accessor": "45946873-1d96-a9d4-678c-9229f74386a5",
+       "secret_id": "37b74931-c4cd-d49a-9246-ccc62d682a25"
+     }
+   }
+   ```
+
+## Credentials/Constraints
+
+### RoleID
+
+RoleID is an identifier that selects the AppRole against which the other
+credentials are evaluated. When authenticating against this auth method's login
+endpoint, the RoleID is a required argument (via `role_id`) at all times. By
+default, RoleIDs are unique UUIDs, which allow them to serve as secondary
+secrets to the other credential information. However, they can be set to
+particular values to match introspected information by the client (for
+instance, the client's domain name).
+
+### SecretID
+
+SecretID is a credential that is required by default for any login (via
+`secret_id`) and is intended to always be secret. (For advanced usage,
+requiring a SecretID can be disabled via an AppRole's `bind_secret_id`
+parameter, allowing machines with only knowledge of the RoleID, or matching
+other set constraints, to fetch a token). SecretIDs can be created against an
+AppRole either via generation of a 128-bit purely random UUID by the role
+itself (`Pull` mode) or via specific, custom values (`Push` mode). Similarly to
+tokens, SecretIDs have properties like usage-limit, TTLs and expirations.
+
+#### Pull And Push SecretID Modes
+
+If the SecretID used for login is fetched from an AppRole, this is operating in
+Pull mode. If a "custom" SecretID is set against an AppRole by the client, it
+is referred to as a Push mode. Push mode mimics the behavior of the deprecated
+App-ID auth method; however, in most cases Pull mode is the better approach. The
+reason is that Push mode requires some other system to have knowledge of the
+full set of client credentials (RoleID and SecretID) in order to create the
+entry, even if these are then distributed via different paths. However, in Pull
+mode, even though the RoleID must be known in order to distribute it to the
+client, the SecretID can be kept confidential from all parties except for the
+final authenticating client by using [Response
+Wrapping](/docs/concepts/response-wrapping.html).
+
+Push mode is available for App-ID workflow compatibility, which in some
+specific cases is preferable, but in most cases Pull mode is more secure and
+should be preferred.
+
+### Further Constraints
+
+`role_id` is a required credential at the login endpoint. AppRole pointed to by
+the `role_id` will have constraints set on it. This dictates other `required`
+credentials for login. The `bind_secret_id` constraint requires `secret_id` to
+be presented at the login endpoint. Going forward, this auth method can support
+more constraint parameters to support varied set of Apps. Some constraints will
+not require a credential, but still enforce constraints for login. For
+example, `secret_id_bound_cidrs` will only allow logins coming from IP addresses
+belonging to configured CIDR blocks on the AppRole.
+
+## Learn
+
+Refer to the [AppRole Pull
+Authentication](https://learn.hashicorp.com/vault/identity-access-management/iam-authentication)
+guide for a step-by-step tutorial.
+
+## API
+
+The AppRole auth method has a full HTTP API. Please see the
+[AppRole API](/api/auth/approle/index.html) for more
+details.
diff --git a/website/pages/docs/auth/aws.mdx b/website/pages/docs/auth/aws.mdx
new file mode 100644
index 000000000000..3f6290474d7a
--- /dev/null
+++ b/website/pages/docs/auth/aws.mdx
@@ -0,0 +1,732 @@
+---
+layout: docs
+page_title: AWS - Auth Methods
+sidebar_title: AWS
+description: The aws auth method allows automated authentication of AWS entities.
+---
+
+# AWS Auth Method
+
+The `aws` auth method provides an automated mechanism to retrieve a Vault token
+for IAM principals and AWS EC2 instances. Unlike most Vault auth methods, this
+method does not require manual first-deploying, or provisioning
+security-sensitive credentials (tokens, username/password, client certificates,
+etc), by operators under many circumstances.
+
+## Authentication Workflow
+
+There are two authentication types present in the aws auth method: `iam` and
+`ec2`.
+
+With the `iam` method, a special AWS request signed with AWS IAM credentials is
+used for authentication. The IAM credentials are automatically supplied to AWS
+instances in IAM instance profiles, Lambda functions, and others, and it is
+this information already provided by AWS which Vault can use to authenticate
+clients.
+
+With the `ec2` method, AWS is treated as a Trusted Third Party and
+cryptographically signed dynamic metadata information that uniquely represents
+each EC2 instance is used for authentication. This metadata information is
+automatically supplied by AWS to all EC2 instances.
+
+Based on how you attempt to authenticate, Vault will determine if you are
+attempting to use the `iam` or `ec2` type. Each has a different authentication
+workflow, and each can solve different use cases.
+
+Note: The `ec2` method was implemented before the primitives to implement the
+`iam` method were supported by AWS. The `iam` method is the recommended approach
+as it is more flexible and aligns with best practices to perform access
+control and authentication. See the section on comparing the two auth methods
+below for more information.
+
+### IAM auth method
+
+The AWS STS API includes a method,
+[`sts:GetCallerIdentity`](http://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html),
+which allows you to validate the identity of a client. The client signs a
+`GetCallerIdentity` query using the [AWS Signature v4
+algorithm](http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html) and
+submits 4 pieces of information to the Vault server to recreate a valid signed
+request: the request URL, the request body, the request headers, and the
+request method, as the AWS signature is computed over those fields. The Vault
+server then reconstructs the query and forwards it on to the AWS STS service
+and validates the result back. Clients don't need network-level access to talk
+to the AWS STS API endpoint; they merely need access to the credentials to sign
+the request. However, it means that the Vault server does need network-level
+access to send requests to the STS endpoint.
+
+Importantly, the credentials used to sign the GetCallerIdentity request can
+come from the EC2 instance metadata service for an EC2 instance, or from the
+AWS environment variables in an AWS Lambda function execution, which obviates
+the need for an operator to manually provision some sort of identity material
+first. However, the credentials can, in principle, come from anywhere, not
+just from the locations AWS has provided for you.
+
+Each signed AWS request includes the current timestamp to mitigate the risk of
+replay attacks. In addition, Vault allows you to require an additional header,
+`X-Vault-AWS-IAM-Server-ID`, to be present to mitigate against different types
+of replay attacks (such as a signed `GetCallerIdentity` request stolen from a
+dev Vault instance and used to authenticate to a prod Vault instance). Vault
+further requires that this header be one of the headers included in the AWS
+signature and relies upon AWS to authenticate that signature.
+
+While AWS API endpoints support both signed GET and POST requests, for
+simplicity, the aws auth method supports only POST requests. It also does not
+support `presigned` requests, i.e., requests with `X-Amz-Credential`,
+`X-Amz-Signature`, and `X-Amz-SignedHeaders` GET query parameters containing
+the authenticating information.
+
+It's also important to note that Amazon does NOT appear to include any sort of
+authorization around calls to `GetCallerIdentity`. For example, if you have an
+IAM policy on your credential that requires all access to be MFA authenticated,
+non-MFA authenticated credentials (i.e., raw credentials, not those retrieved
+by calling `GetSessionToken` and supplying an MFA code) will still be able to
+authenticate to Vault using this method. It does not appear possible to enforce
+an IAM principal to be MFA authenticated while authenticating to Vault.
+
+### EC2 auth method
+
+Amazon EC2 instances have access to metadata which describes the instance. The
+Vault EC2 auth method leverages the components of this metadata to authenticate
+and distribute an initial Vault token to an EC2 instance. The data flow (which
+is also represented in the graphic below) is as follows:
+
+[![Vault AWS EC2 Authentication Flow](/img/vault-aws-ec2-auth-flow.png)](/img/vault-aws-ec2-auth-flow.png)
+
+1. An AWS EC2 instance fetches its [AWS Instance Identity Document][aws-iid]
+   from the [EC2 Metadata Service][aws-ec2-mds]. In addition to data itself, AWS
+   also provides the PKCS#7 signature of the data, and publishes the public keys
+   (by region) which can be used to verify the signature.
+
+1. The AWS EC2 instance makes a request to Vault with the PKCS#7 signature.
+   The PKCS#7 signature contains the Instance Identity Document within itself.
+
+1. Vault verifies the signature on the PKCS#7 document, ensuring the information
+   is certified accurate by AWS. This process validates both the validity and
+   integrity of the document data. As an added security measure, Vault verifies
+   that the instance is currently running using the public EC2 API endpoint.
+
+1. Provided all steps are successful, Vault returns the initial Vault token to
+   the EC2 instance. This token is mapped to any configured policies based on the
+   instance metadata.
+
+[aws-iid]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
+[aws-ec2-mds]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
+
+There are various modifications to this workflow that provide more or less
+security, as detailed later in this documentation.
+
+## Authorization Workflow
+
+The basic mechanism of operation is per-role. Roles are registered in the
+method and associated with a specific authentication type that cannot be
+changed once the role has been created. Roles can also be associated with
+various optional restrictions, such as the set of allowed policies and max TTLs
+on the generated tokens. Each role can be specified with the constraints that
+are to be met during the login. Many of these constraints accept lists of
+required values. For any constraint which accepts a list of values, that
+constraint will be considered satisfied if any one of the values is matched
+during the login process. For example, one such constraint that is
+supported is to bind against a list of AMI IDs. A role which is bound to a
+specific list of AMIs can only be used for login by EC2 instances that are
+deployed to one of the AMIs that the role is bound to.
+
+The iam auth method allows you to specify bound IAM principal ARNs.
+Clients authenticating to Vault must have an ARN that matches one of the ARNs bound to
+the role they are attempting to login to. The bound ARN allows specifying a
+wildcard at the end of the bound ARN. For example, if the bound ARN were
+`arn:aws:iam::123456789012:*` it would allow any principal in AWS account
+123456789012 to login to it. Similarly, if it were
+`arn:aws:iam::123456789012:role/*` it would allow any IAM role in the AWS
+account to login to it. If you wish to specify a wildcard, you must give Vault
+`iam:GetUser` and `iam:GetRole` permissions to properly resolve the full user
+path.
+
+In general, role bindings that are specific to an EC2 instance are only checked
+when the ec2 auth method is used to login, while bindings specific to IAM
+principals are only checked when the iam auth method is used to login. However,
+the iam method includes the ability for you to "infer" an EC2 instance ID from
+the authenticated client and apply many of the bindings that would otherwise
+only apply specifically to EC2 instances.
+
+In many cases, an organization will use a "seed AMI" that is specialized after
+bootup by configuration management or similar processes. For this reason, a
+role entry in the method can also be associated with a "role tag" when using
+the ec2 auth type. These tags
+are generated by the method and are placed as the value of a tag with the
+given key on the EC2 instance. The role tag can be used to further restrict the
+parameters set on the role, but cannot be used to grant additional privileges.
+If a role with an AMI bind constraint has "role tag" enabled on the role, and
+the EC2 instance performing login does not have an expected tag on it, or if the
+tag on the instance is deleted for some reason, authentication fails.
+
+The role tags can be generated at will by an operator with appropriate API
+access. They are HMAC-signed by a per-role key stored within the method, allowing
+the method to verify the authenticity of a found role tag and ensure that it has
+not been tampered with. There is also a mechanism to blacklist role tags if one
+has been found to be distributed outside of its intended set of machines.
+
+## IAM Authentication Inferences
+
+With the iam auth method, normally Vault will see the IAM principal that
+authenticated, either the IAM user or role. However, when you have an EC2
+instance in an IAM instance profile, Vault can actually see the instance ID of
+the instance and can "infer" that it's an EC2 instance. However, there are
+important security caveats to be aware of before configuring Vault to make that
+inference.
+
+Each AWS IAM role has a "trust policy" which specifies which entities are
+trusted to call
+[`sts:AssumeRole`](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
+on the role and retrieve credentials that can be used to authenticate with that
+role. When AssumeRole is called, a parameter called RoleSessionName is passed
+in, which is chosen arbitrarily by the entity which calls AssumeRole. If you
+have a role with an ARN `arn:aws:iam::123456789012:role/MyRole`, then the
+credentials returned by calling AssumeRole on that role will be
+`arn:aws:sts::123456789012:assumed-role/MyRole/RoleSessionName` where
+RoleSessionName is the session name in the AssumeRole API call. It is this
+latter value which Vault actually sees.
+
+When you have an EC2 instance in an instance profile, the corresponding role's
+trust policy specifies that the principal `"Service": "ec2.amazonaws.com"` is
+trusted to call AssumeRole. When this is configured, EC2 calls AssumeRole on
+behalf of your instance, with a RoleSessionName corresponding to the
+instance's instance ID. Thus, it is possible for Vault to extract the instance
+ID out of the value it sees when an EC2 instance in an instance profile
+authenticates to Vault with the iam auth method. This is known as
+"inferencing." Vault can be configured, on a role-by-role basis, to infer that a
+caller is an EC2 instance and, if so, apply further bindings that apply
+specifically to EC2 instances -- most of the bindings available to the ec2
+auth method.
+
+However, it is very important to note that if any entity other than an AWS
+service is permitted to call AssumeRole on your role, then that entity can
+simply pass in your instance's instance ID and spoof your instance to Vault.
+This also means that anybody who is able to modify your role's trust policy
+(e.g., via
+[`iam:UpdateAssumeRolePolicy`](http://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAssumeRolePolicy.html),
+then that person could also spoof your instances. If this is a concern but you
+would like to take advantage of inferencing, then you should tightly restrict
+who is able to call AssumeRole on the role, tightly restrict who is able to call
+UpdateAssumeRolePolicy on the role, and monitor CloudTrail logs for calls to
+AssumeRole and UpdateAssumeRolePolicy. All of these caveats apply equally to
+using the iam auth method without inferencing; the point is merely
+that Vault cannot offer an iron-clad guarantee about the inference and it is up
+to operators to determine, based on their own AWS controls and use cases,
+whether or not it's appropriate to configure inferencing.
+
+## Mixing Authentication Types
+
+Vault allows you to configure using either the ec2 auth method or the iam auth
+method, but not both auth methods. Further, Vault will prevent you from
+enforcing restrictions that it cannot enforce given the chosen auth type for a
+role. Some examples of how this works in practice:
+
+1. You configure a role with the ec2 auth type, with a bound AMI ID. A
+   client would not be able to login using the iam auth type.
+2. You configure a role with the iam auth type, with a bound IAM
+   principal ARN. A client would not be able to login with the ec2 auth method.
+3. You configure a role with the iam auth type and further configure
+   inferencing. You have a bound AMI ID and a bound IAM principal ARN. A client
+   must login using the iam method; the RoleSessionName must be a valid instance
+   ID viewable by Vault, and the instance must have come from the bound AMI ID.
+
+## Comparison of the IAM and EC2 Methods
+
+The iam and ec2 auth methods serve similar and somewhat overlapping
+functionality, in that both authenticate some type of AWS entity to Vault.
+Here are some comparisons that illustrate why `iam` method is preferred over
+`ec2`.
+
+- What type of entity is authenticated:
+  - The ec2 auth method authenticates only AWS EC2 instances and is specialized
+    to handle EC2 instances, such as restricting access to EC2 instances from
+    a particular AMI, EC2 instances in a particular instance profile, or EC2
+    instances with a specialized tag value (via the role_tag feature).
+  - The iam auth method authenticates AWS IAM principals. This can
+    include IAM users, IAM roles assumed from other accounts, AWS Lambdas that
+    are launched in an IAM role, or even EC2 instances that are launched in an
+    IAM instance profile. However, because it authenticates more generalized IAM
+    principals, this method doesn't offer more granular controls beyond binding
+    to a given IAM principal without the use of inferencing.
+- How the entities are authenticated
+  - The ec2 auth method authenticates instances by making use of the EC2
+    instance identity document, which is a cryptographically signed document
+    containing metadata about the instance. This document changes relatively
+    infrequently, so Vault adds a number of other constructs to mitigate against
+    replay attacks, such as client nonces, role tags, instance migrations, etc.
+    Because the instance identity document is signed by AWS, you have a strong
+    guarantee that it came from an EC2 instance.
+  - The iam auth method authenticates by having clients provide a specially
+    signed AWS API request which the method then passes on to AWS to validate
+    the signature and tell Vault who created it. The actual secret (i.e.,
+    the AWS secret access key) is never transmitted over the wire, and the
+    AWS signature algorithm automatically expires requests after 15 minutes,
+    providing simple and robust protection against replay attacks. The use of
+    inferencing, however, provides a weaker guarantee that the credentials came
+    from an EC2 instance in an IAM instance profile compared to the ec2
+    authentication mechanism.
+  - The instance identity document used in the ec2 auth method is more likely to
+    be stolen given its relatively static nature, but it's harder to spoof. On
+    the other hand, the credentials of an EC2 instance in an IAM instance
+    profile are less likely to be stolen given their dynamic and short-lived
+    nature, but it's easier to spoof credentials that might have come from an
+    EC2 instance.
+- Specific use cases
+  - If you have non-EC2 instance entities, such as IAM users, Lambdas in IAM
+    roles, or developer laptops using [AdRoll's
+    Hologram](https://github.com/AdRoll/hologram) then you would need to use the
+    iam auth method.
+  - If you have EC2 instances, then you could use either auth method. If you
+    need more granular filtering beyond just the instance profile of given EC2
+    instances (such as filtering based off the AMI the instance was launched
+    from), then you would need to use the ec2 auth method, change the instance
+    profile associated with your EC2 instances so they have unique IAM roles
+    for each different Vault role you would want them to authenticate
+    to, or make use of inferencing. If you need to make use of role tags, then
+    you will need to use the ec2 auth method.
+
+## Recommended Vault IAM Policy
+
+This specifies the recommended IAM policy needed by the AWS auth method. Note
+that if you are using the same credentials for the AWS auth and secret methods
+(e.g., if you're running Vault on an EC2 instance in an IAM instance profile),
+then you will need to add additional permissions as required by the AWS secret
+method.
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeInstances",
+        "iam:GetInstanceProfile",
+        "iam:GetUser",
+        "iam:GetRole"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["sts:AssumeRole"],
+      "Resource": ["arn:aws:iam::<AccountId>:role/<VaultRole>"]
+    }
+  ]
+}
+```
+
+Here are some of the scenarios in which Vault would need to use each of these
+permissions. This isn't intended to be an exhaustive list of all the scenarios
+in which Vault might make an AWS API call, but rather illustrative of why these
+are needed.
+
+- `ec2:DescribeInstances` is necessary when you are using the `ec2` auth method
+  or when you are inferring an `ec2_instance` entity type to validate that the
+  EC2 instance meets binding requirements of the role
+- `iam:GetInstanceProfile` is used when you have a `bound_iam_role_arn` in the
+  `ec2` auth method. Vault needs to determine which IAM role is attached to the
+  instance profile.
+- `iam:GetUser` and `iam:GetRole` are used when using the iam auth method and
+  binding to an IAM user or role principal to determine the unique AWS user ID
+  or when using a wildcard on the bound ARN to resolve the full ARN of the user
+  or role.
+- The `sts:AssumeRole` stanza is necessary when you are using [Cross Account
+  Access](#cross-account-access). The `Resource`s specified should be a list of
+  all the roles for which you have configured cross-account access, and each of
+  those roles should have this IAM policy attached (except for the
+  `sts:AssumeRole` statement).
+
+## Client Nonce
+
+Note: this only applies to the ec2 auth method.
+
+If an unintended party gains access to the PKCS#7 signature of the identity
+document (which by default is available to every process and user that gains
+access to an EC2 instance), it can impersonate that instance and fetch a Vault
+token. The method addresses this problem by using a Trust On First Use (TOFU)
+mechanism that allows the first client to present the PKCS#7 signature of the
+document to be authenticated and denying the rest. An important property of
+this design is detection of unauthorized access: if an unintended party authenticates,
+the intended client will be unable to authenticate and can raise an alert for
+investigation.
+
+During the first login, the method stores the instance ID that authenticated
+in a `whitelist`. One method of operation of the method is to disallow any
+authentication attempt for an instance ID contained in the whitelist, using the
+`disallow_reauthentication` option on the role, meaning that an instance is
+allowed to login only once. However, this has consequences for token rotation,
+as it means that once a token has expired, subsequent authentication attempts
+would fail. By default, reauthentication is enabled in this method, and can be
+turned off using `disallow_reauthentication` parameter on the registered role.
+
+In the default method of operation, the method will return a unique nonce
+during the first authentication attempt, as part of auth `metadata`. Clients
+should present this `nonce` for subsequent login attempts and it should match
+the `nonce` cached at the identity-whitelist entry at the method. Since only
+the original client knows the `nonce`, only the original client is allowed to
+reauthenticate. (This is the reason that this is a whitelist rather than a
+blacklist; by default, it's keeping track of clients allowed to reauthenticate,
+rather than those that are not.). Clients can choose to provide a `nonce` even
+for the first login attempt, in which case the provided `nonce` will be tied to
+the cached identity-whitelist entry. It is recommended to use a strong `nonce`
+value in this case.
+
+It is up to the client to behave correctly with respect to the nonce; if the
+client stores the nonce on disk it can survive reboots, but could also give
+access to other users or applications on the instance. It is also up to the
+operator to ensure that client nonces are in fact unique; sharing nonces allows
+a compromise of the nonce value to enable an attacker that gains access to any
+EC2 instance to imitate the legitimate client on that instance. This is why
+nonces can be disabled on the method side in favor of only a single
+authentication per instance; in some cases, such as when using ASGs, instances
+are immutable and single-boot anyways, and in conjunction with a high max TTL,
+reauthentication may not be needed (and if it is, the instance can simply be
+shut down and allow ASG to start a new one).
+
+In both cases, entries can be removed from the whitelist by instance ID,
+allowing reauthentication by a client if the nonce is lost (or not used) and an
+operator approves the process.
+
+One other point: if available by the OS/distribution being used with the EC2
+instance, it is not a bad idea to firewall access to the signed PKCS#7 metadata
+to ensure that it is accessible only to the matching user(s) that require
+access.
+
+The client nonce which is generated by the backend and which gets returned
+along with the authentication response, will be audit logged in plaintext. If
+this is undesired, clients can supply a custom nonce to the login endpoint
+which will not be returned and hence will not be audit logged.
+
+## Advanced Options and Caveats
+
+### Dynamic Management of Policies Via Role Tags
+
+Note: This only applies to the ec2 auth method or the iam auth method when
+inferencing is used.
+
+If the instance is required to have customized set of policies based on the
+role it plays, the `role_tag` option can be used to provide a tag to set on
+instances, for a given role. When this option is set, during login, along with
+verification of PKCS#7 signature and instance health, the method will query
+for the value of a specific tag with the configured key that is attached to the
+instance. The tag holds information that represents a _subset_ of privileges that
+are set on the role and are used to further restrict the set of the role's
+privileges for that particular instance.
+
+A `role_tag` can be created using `auth/aws/role/<role>/tag` endpoint
+and is immutable. The information present in the tag is SHA256 hashed and HMAC
+protected. The per-role key to HMAC is only maintained in the method. This prevents
+an adversarial operator from modifying the tag when setting it on the EC2 instance
+in order to escalate privileges.
+
+When 'role_tag' option is enabled on a role, the instances are required to have a
+role tag. If the tag is not found on the EC2 instance, authentication will fail.
+This is to ensure that privileges of an instance are never escalated for not
+having the tag on it or for getting the tag removed. If the role tag creation does
+not specify the policy component, the client will inherit the allowed policies set
+on the role. If the role tag creation specifies the policy component but it contains
+no policies, the token will contain only the `default` policy; by default, this policy
+allows only manipulation (revocation, renewal, lookup) of the existing token, plus
+access to its [cubbyhole](/docs/secrets/cubbyhole/index.html).
+This can be useful to allow instances access to a secure "scratch space" for
+storing data (via the token's cubbyhole) but without granting any access to
+other resources provided by or resident in Vault.
+
+### Handling Lost Client Nonces
+
+Note: This only applies to the ec2 auth method.
+
+If an EC2 instance loses its client nonce (due to a reboot, a stop/start of the
+client, etc.), subsequent login attempts will not succeed. If the client nonce
+is lost, normally the only option is to delete the entry corresponding to the
+instance ID from the identity `whitelist` in the method. This can be done via
+the `auth/aws/identity-whitelist/<instance_id>` endpoint. This allows a new
+client nonce to be accepted by the method during the next login request.
+
+Under certain circumstances there is another useful setting. When the instance
+is placed onto a host upon creation, it is given a `pendingTime` value in the
+instance identity document (documentation from AWS does not cover this option,
+unfortunately). If an instance is stopped and started, the `pendingTime` value
+is updated (this does not apply to reboots, however).
+
+The method can take advantage of this via the `allow_instance_migration`
+option, which is set per-role. When this option is enabled, if the client nonce
+does not match the saved nonce, the `pendingTime` value in the instance
+identity document will be checked; if it is newer than the stored `pendingTime`
+value, the method assumes that the client was stopped/started and allows the
+client to log in successfully, storing the new nonce as the valid nonce for
+that client. This essentially re-starts the TOFU mechanism any time the
+instance is stopped and started, so should be used with caution. Just like with
+initial authentication, the legitimate client should have a way to alert (or an
+alert should trigger based on its logs) if it is denied authentication.
+
+Unfortunately, the `allow_instance_migration` only helps during stop/start
+actions; the current metadata does not provide for a way to allow this
+automatic behavior during reboots. The method will be updated if this needed
+metadata becomes available.
+
+The `allow_instance_migration` option is set per-role, and can also be
+specified in a role tag. Since role tags can only restrict behavior, if the
+option is set to `false` on the role, a value of `true` in the role tag takes
+effect; however, if the option is set to `true` on the role, a value set in the
+role tag has no effect.
+
+### Disabling Reauthentication
+
+Note: this only applies to the ec2 auth method.
+
+If in a given organization's architecture, a client fetches a long-lived Vault
+token and has no need to rotate the token, all future logins for that instance
+ID can be disabled. If the option `disallow_reauthentication` is set, only one
+login will be allowed per instance. If the intended client successfully
+retrieves a token during login, it can be sure that its token will not be
+hijacked by another entity.
+
+When `disallow_reauthentication` option is enabled, the client can choose not
+to supply a nonce during login, although it is not an error to do so (the nonce
+is simply ignored). Note that reauthentication is enabled by default. If only
+a single login is desired, `disallow_reauthentication` should be set explicitly
+on the role or on the role tag.
+
+The `disallow_reauthentication` option is set per-role, and can also be
+specified in a role tag. Since role tags can only restrict behavior, if the
+option is set to `false` on the role, a value of `true` in the role tag takes
+effect; however, if the option is set to `true` on the role, a value set in the
+role tag has no effect.
+
+### Blacklisting Role Tags
+
+Note: this only applies to the ec2 auth method or the iam auth method
+when inferencing is used.
+
+Role tags are tied to a specific role, but the method has no control over, which
+instances using that role, should have any particular role tag; that is purely up
+to the operator. Although role tags are only restrictive (a tag cannot escalate
+privileges above what is set on its role), if a role tag is found to have been
+used incorrectly, and the administrator wants to ensure that the role tag has no
+further effect, the role tag can be placed on a `blacklist` via the endpoint
+`auth/aws/roletag-blacklist/<role_tag>`. Note that this will not invalidate the
+tokens that were already issued; this only blocks any further login requests from
+those instances that have the blacklisted tag attached to them.
+
+### Expiration Times and Tidying of `blacklist` and `whitelist` Entries
+
+The expired entries in both identity `whitelist` and role tag `blacklist` are
+deleted automatically. The entries in both of these lists contain an expiration
+time which is dynamically determined by three factors: `max_ttl` set on the role,
+`max_ttl` set on the role tag, and `max_ttl` value of the method mount. The
+least of these three dictates the maximum TTL of the issued token, and
+correspondingly will be set as the expiration times of these entries.
+
+The endpoints `auth/aws/tidy/identity-whitelist` and `auth/aws/tidy/roletag-blacklist` are
+provided to clean up the entries present in these lists. These endpoints allow
+defining a safety buffer, such that an entry must not only be expired, but be
+past expiration by the amount of time dictated by the safety buffer in order
+to actually remove the entry.
+
+Automatic deletion of expired entries is performed by the periodic function
+of the method. This function does the tidying of both blacklist role tags
+and whitelist identities. Periodic tidying is activated by default and will
+have a safety buffer of 72 hours, meaning only those entries are deleted which
+were expired before 72 hours from when the tidy operation is being performed.
+This can be configured via `config/tidy/roletag-blacklist` and `config/tidy/identity-whitelist`
+endpoints.
+
+### Varying Public Certificates
+
+Note: this only applies to the ec2 auth method.
+
+The AWS public certificate, which contains the public key used to verify the
+PKCS#7 signature, varies for different AWS regions. The primary AWS public
+certificate, which covers most AWS regions, is already included in Vault and
+does not need to be added. Instances whose PKCS#7 signatures cannot be
+verified by the default public certificate included in Vault can register a
+different public certificate which can be found [here](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
+via the `auth/aws/config/certificate/<cert_name>` endpoint.
+
+### Dangling Tokens
+
+An EC2 instance, after authenticating itself with the method, gets a Vault token.
+After that, if the instance terminates or goes down for any reason, the method
+will not be aware of such events. The token issued will still be valid, until
+it expires. The token will likely be expired sooner than its lifetime when the
+instance fails to renew the token on time.
+
+### Cross Account Access
+
+To allow Vault to authenticate IAM principals and EC2 instances in other
+accounts, Vault supports using AWS STS (Security Token Service) to assume AWS
+IAM Roles in other accounts. For each target AWS account ID, you configure the
+IAM Role for Vault to assume using the `auth/aws/config/sts/<account_id>` and
+Vault will use credentials from assuming that role to validate IAM principals
+and EC2 instances in the target account.
+
+The account in which Vault is running (i.e. the master account) must be listed as
+a trusted entity in the IAM Role being assumed on the remote account. The Role itself
+should allow the permissions specified in the [Recommended Vault IAM
+Policy](#recommended-vault-iam-policy) except it doesn't need any further
+`sts:AssumeRole` permissions.
+
+Furthermore, in the master account, Vault must be granted the action `sts:AssumeRole`
+for the IAM Role to be assumed.
+
+## Authentication
+
+### Via the CLI
+
+#### Enable AWS EC2 authentication in Vault.
+
+```
+$ vault auth enable aws
+```
+
+#### Configure the credentials required to make AWS API calls
+
+If not specified, Vault will attempt to use standard environment variables
+(`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`) or IAM EC2 instance role
+credentials if available.
+
+The IAM account or role to which the credentials map must allow the
+`ec2:DescribeInstances` action. In addition, if IAM Role binding is used (see
+`bound_iam_role_arn` below), `iam:GetInstanceProfile` must also be allowed.
+
+```
+$ vault write auth/aws/config/client secret_key=vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj access_key=VKIAJBRHKH6EVTTNXDHA
+```
+
+#### Configure the policies on the role.
+
+```
+$ vault write auth/aws/role/dev-role auth_type=ec2 bound_ami_id=ami-fce3c696 policies=prod,dev max_ttl=500h
+
+$ vault write auth/aws/role/dev-role-iam auth_type=iam \
+              bound_iam_principal_arn=arn:aws:iam::123456789012:role/MyRole policies=prod,dev max_ttl=500h
+```
+
+#### Configure a required X-Vault-AWS-IAM-Server-ID Header (recommended)
+
+```
+$ vault write auth/aws/config/client iam_server_id_header_value=vault.example.com
+```
+
+#### Perform the login operation
+
+```
+$ vault write auth/aws/login role=dev-role \
+pkcs7=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggGmewogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVsbCwKICAicHJpdmF0ZUlwIiA6ICIxNzIuMzEuNjMuNjAiLAogICJhdmFpbGFiaWxpdHlab25lIiA6ICJ1cy1lYXN0LTFjIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3RhbmNlSWQiIDogImktZGUwZjEzNDQiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVsbCwKICAiaW5zdGFuY2VUeXBlIiA6ICJ0Mi5taWNybyIsCiAgImFjY291bnRJZCIgOiAiMjQxNjU2NjE1ODU5IiwKICAiaW1hZ2VJZCIgOiAiYW1pLWZjZTNjNjk2IiwKICAicGVuZGluZ1RpbWUiIDogIjIwMTYtMDQtMDVUMTY6MjY6NTVaIiwKICAiYXJjaGl0ZWN0dXJlIiA6ICJ4ODZfNjQiLAogICJrZXJuZWxJZCIgOiBudWxsLAogICJyYW1kaXNrSWQiIDogbnVsbCwKICAicmVnaW9uIiA6ICJ1cy1lYXN0LTEiCn0AAAAAAAAxggEXMIIBEwIBATBpMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQwIJAJa6SNnlXhpnMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjA0MDUxNjI3MDBaMCMGCSqGSIb3DQEJBDEWBBRtiynzMTNfTw1TV/d8NvfgVw+XfTAJBgcqhkjOOAQDBC4wLAIUVfpVcNYoOKzN1c+h1Vsm/c5U0tQCFAK/K72idWrONIqMOVJ8Uen0wYg4AAAAAAAA nonce=5defbf9e-a8f9-3063-bdfc-54b7a42a1f95
+```
+
+For the iam auth method, generating the signed request is a non-standard
+operation. The Vault cli supports generating this for you:
+
+```
+$ vault login -method=aws header_value=vault.example.com role=dev-role-iam
+```
+
+This assumes you have AWS credentials configured in the standard locations AWS
+SDKs search for credentials (environment variables, ~/.aws/credentials, IAM
+instance profile, or ECS task role, in that order). If you do not have IAM
+credentials available at any of these locations, you can explicitly pass them
+in on the command line (though this is not recommended), omitting
+`aws_security_token` if not applicable.
+
+```
+$ vault login -method=aws header_value=vault.example.com role=dev-role-iam \
+        aws_access_key_id=<access_key> \
+        aws_secret_access_key=<secret_key> \
+        aws_security_token=<security_token>
+```
+
+The region used defaults to `us-east-1`, but you can specify a custom region like so:
+
+```
+$ vault login -method=aws region=us-west-2 role=dev-role-iam
+```
+
+When using a custom region, be sure the designated region corresponds to that of the
+STS endpoint you're using.
+
+An example of how to generate the required request values for the `login` method
+can be found found in the [vault cli
+source code](https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go).
+Using an approach such as this, the request parameters can be generated and
+passed to the `login` method:
+
+```
+$ vault write auth/aws/login role=dev-role-iam \
+        iam_http_request_method=POST \
+        iam_request_url=aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8= \
+        iam_request_body=QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ== \
+        iam_request_headers=eyJDb250ZW50LUxlbmd0aCI6IFsiNDMiXSwgIlVzZXItQWdlbnQiOiBbImF3cy1zZGstZ28vMS40LjEyIChnbzEuNy4xOyBsaW51eDsgYW1kNjQpIl0sICJYLVZhdWx0LUFXU0lBTS1TZXJ2ZXItSWQiOiBbInZhdWx0LmV4YW1wbGUuY29tIl0sICJYLUFtei1EYXRlIjogWyIyMDE2MDkzMFQwNDMxMjFaIl0sICJDb250ZW50LVR5cGUiOiBbImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD11dGYtOCJdLCAiQXV0aG9yaXphdGlvbiI6IFsiQVdTNC1ITUFDLVNIQTI1NiBDcmVkZW50aWFsPWZvby8yMDE2MDkzMC91cy1lYXN0LTEvc3RzL2F3czRfcmVxdWVzdCwgU2lnbmVkSGVhZGVycz1jb250ZW50LWxlbmd0aDtjb250ZW50LXR5cGU7aG9zdDt4LWFtei1kYXRlO3gtdmF1bHQtc2VydmVyLCBTaWduYXR1cmU9YTY5ZmQ3NTBhMzQ0NWM0ZTU1M2UxYjNlNzlkM2RhOTBlZWY1NDA0N2YxZWI0ZWZlOGZmYmM5YzQyOGMyNjU1YiJdfQ==
+```
+
+### Via the API
+
+#### Enable AWS authentication in Vault.
+
+```
+curl -X POST -H "X-Vault-Token:123" "http://127.0.0.1:8200/v1/sys/auth/aws" -d '{"type":"aws"}'
+```
+
+#### Configure the credentials required to make AWS API calls.
+
+```
+curl -X POST -H "X-Vault-Token:123" "http://127.0.0.1:8200/v1/auth/aws/config/client" -d '{"access_key":"VKIAJBRHKH6EVTTNXDHA", "secret_key":"vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj"}'
+```
+
+#### Configure the policies on the role.
+
+```
+curl -X POST -H "X-Vault-Token:123" "http://127.0.0.1:8200/v1/auth/aws/role/dev-role -d '{"bound_ami_id":"ami-fce3c696","policies":"prod,dev","max_ttl":"500h"}'
+
+curl -X POST -H "X-Vault-Token:123" "http://127.0.0.1:8200/v1/auth/aws/role/dev-role-iam -d '{"auth_type":"iam","policies":"prod,dev","max_ttl":"500h","bound_iam_principal_arn":"arn:aws:iam::123456789012:role/MyRole"}'
+```
+
+#### Perform the login operation
+
+```
+curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev-role","pkcs7":"'$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')'","nonce":"5defbf9e-a8f9-3063-bdfc-54b7a42a1f95"}'
+
+curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev", "iam_http_request_method": "POST", "iam_request_url": "aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=", "iam_request_body": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==", "iam_request_headers": "eyJDb250ZW50LUxlbmd0aCI6IFsiNDMiXSwgIlVzZXItQWdlbnQiOiBbImF3cy1zZGstZ28vMS40LjEyIChnbzEuNy4xOyBsaW51eDsgYW1kNjQpIl0sICJYLVZhdWx0LUFXU0lBTS1TZXJ2ZXItSWQiOiBbInZhdWx0LmV4YW1wbGUuY29tIl0sICJYLUFtei1EYXRlIjogWyIyMDE2MDkzMFQwNDMxMjFaIl0sICJDb250ZW50LVR5cGUiOiBbImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD11dGYtOCJdLCAiQXV0aG9yaXphdGlvbiI6IFsiQVdTNC1ITUFDLVNIQTI1NiBDcmVkZW50aWFsPWZvby8yMDE2MDkzMC91cy1lYXN0LTEvc3RzL2F3czRfcmVxdWVzdCwgU2lnbmVkSGVhZGVycz1jb250ZW50LWxlbmd0aDtjb250ZW50LXR5cGU7aG9zdDt4LWFtei1kYXRlO3gtdmF1bHQtc2VydmVyLCBTaWduYXR1cmU9YTY5ZmQ3NTBhMzQ0NWM0ZTU1M2UxYjNlNzlkM2RhOTBlZWY1NDA0N2YxZWI0ZWZlOGZmYmM5YzQyOGMyNjU1YiJdfQ==" }'
+```
+
+The response will be in JSON. For example:
+
+```javascript
+{
+  "auth": {
+    "renewable": true,
+    "lease_duration": 72000,
+    "metadata": {
+      "role_tag_max_ttl": "0s",
+      "role": "ami-f083709d",
+      "region": "us-east-1",
+      "nonce": "5defbf9e-a8f9-3063-bdfc-54b7a42a1f95",
+      "instance_id": "i-a832f734",
+      "ami_id": "ami-f083709d"
+    },
+    "policies": [
+      "default",
+      "dev",
+      "prod"
+    ],
+    "accessor": "5cd96cd1-58b7-2904-5519-75ddf957ec06",
+    "client_token": "150fc858-2402-49c9-56a5-f4b57f2c8ff1"
+  },
+  "warnings": null,
+  "wrap_info": null,
+  "data": null,
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": "",
+  "request_id": "d7d50c06-56b8-37f4-606c-ccdc87a1ee4c"
+}
+```
+
+## API
+
+The AWS auth method has a full HTTP API. Please see the
+[AWS Auth API](/api/auth/aws/index.html) for more
+details.
diff --git a/website/pages/docs/auth/azure.mdx b/website/pages/docs/auth/azure.mdx
new file mode 100644
index 000000000000..ad055cb28680
--- /dev/null
+++ b/website/pages/docs/auth/azure.mdx
@@ -0,0 +1,197 @@
+---
+layout: docs
+page_title: Azure - Auth Methods
+sidebar_title: Azure
+description: |-
+  The azure auth method plugin allows automated authentication of Azure Active
+  Directory.
+---
+
+# Azure Auth Method
+
+The `azure` auth method allows authentication against Vault using
+Azure Active Directory credentials. It treats Azure as a Trusted Third Party
+and expects a [JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519)
+signed by Azure Active Directory for the configured tenant.
+
+Currently supports authentication for:
+
+- [Azure Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview)
+
+## Prerequisites:
+
+The following documentation assumes that the method has been
+[mounted](/docs/plugin/index.html) at `auth/azure`.
+
+- A configured [Azure AD application](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications) which is used as the resource for generating MSI access tokens.
+- Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See [Azure AD Service to Service Client Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
+
+Required Azure API permissions to be granted to Vault user:
+
+- `Microsoft.Compute/virtualMachines/*/read`
+- `Microsoft.Compute/virtualMachineScaleSets/*/read`
+
+If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret. MSI must be [enabled](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/qs-configure-portal-windows-vm) on the VMs hosting Vault.
+
+The next sections review how the authN/Z workflows work. If you
+have already reviewed these sections, here are some quick links to:
+
+- [Usage](#usage)
+- [API documentation](/api/auth/azure/index.html) docs.
+
+## Authentication
+
+### Via the CLI
+
+The default path is `/auth/azure`. If this auth method was enabled at a different
+path, specify `auth/my-path/login` instead.
+
+```text
+$ vault write auth/azure/login \
+    role="dev-role" \
+    jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
+    subscription_id="12345-..." \
+    resource_group_name="test-group" \
+    vm_name="test-vm"
+```
+
+The `role` and `jwt` parameters are required. When using bound*service_principal_ids and bound_groups in the token roles, all the information is required in the JWT. When using other bound*\* parameters, calls to Azure APIs will be made and subscription id, resource group name, and vm name are all required and can be obtained through instance metadata.
+
+For example:
+
+```text
+$ vault write auth/azure/login role="dev-role" \
+     jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.hashicorp.com%2F' -H Metadata:true | jq -r '.access_token')" \
+     subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId')  \
+     resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \
+     vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name')
+```
+
+### Via the API
+
+The default endpoint is `auth/azure/login`. If this auth method was enabled
+at a different path, use that value instead of `azure`.
+
+```sh
+$ curl \
+    --request POST \
+    --data '{"role": "dev-role", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}' \
+    https://127.0.0.1:8200/v1/auth/azure/login
+```
+
+The response will contain the token at `auth.client_token`:
+
+```json
+{
+  "auth": {
+    "client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
+    "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
+    "policies": ["default", "dev", "prod"],
+    "lease_duration": 2764800,
+    "renewable": true
+  }
+}
+```
+
+## Configuration
+
+Auth methods must be configured in advance before machines can authenticate.
+These steps are usually completed by an operator or configuration management
+tool.
+
+### Via the CLI
+
+1. Enable Azure authentication in Vault:
+
+   ```text
+   $ vault auth enable azure
+   ```
+
+1. Configure the Azure auth method:
+
+   ```text
+   $ vault write auth/azure/config \
+       tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \
+       resource=https://vault.hashicorp.com \
+       client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \
+       client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
+   ```
+
+   For the complete list of configuration options, please see the API
+   documentation.
+
+1. Create a role:
+
+   ```text
+   $ vault write auth/azure/role/dev-role \
+       policies="prod,dev" \
+       bound_subscription_ids=6a1d5988-5917-4221-b224-904cd7e24a25 \
+       bound_resource_groups=vault
+   ```
+
+   Roles are associated with an authentication type/entity and a set of Vault
+   policies. Roles are configured with constraints specific to the
+   authentication type, as well as overall constraints and configuration for
+   the generated auth tokens.
+
+   For the complete list of role options, please see the [API documentation](/api/auth/azure/index.html).
+
+### Via the API
+
+1. Enable Azure authentication in Vault:
+
+   ```sh
+   $ curl \
+       --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type": "azure"}' \
+       https://127.0.0.1:8200/v1/sys/auth/azure
+   ```
+
+1. Configure the Azure auth method:
+
+   ```sh
+   $ curl \
+       --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"tenant_id": "...", "resource": "..."}' \
+       https://127.0.0.1:8200/v1/auth/azure/config
+   ```
+
+1. Create a role:
+
+   ```sh
+   $ curl \
+       --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"policies": ["dev", "prod"], ...}' \
+       https://127.0.0.1:8200/v1/auth/azure/role/dev-role
+   ```
+
+### Plugin Setup
+
+~> The following section is only relevant if you decide to enable the azure auth
+method as an external plugin. The azure plugin method is integrated into Vault as
+a builtin method by default.
+
+Assuming you have saved the binary `vault-plugin-auth-azure` to some folder and
+configured the [plugin directory](/docs/internals/plugins.html#plugin-directory)
+for your server at `path/to/plugins`:
+
+1. Enable the plugin in the catalog:
+
+   ```text
+   $ vault write sys/plugins/catalog/auth/azure-auth \
+       command="vault-plugin-auth-azure" \
+       sha256="..."
+   ```
+
+1. Enable the azure auth method as a plugin:
+
+   ```text
+   $ vault auth enable -path=azure azure-auth
+   ```
+
+## API
+
+The Azure Auth Plugin has a full HTTP API. Please see the [API documentation](/api/auth/azure/index.html) for more details.
diff --git a/website/pages/docs/auth/cert.mdx b/website/pages/docs/auth/cert.mdx
new file mode 100644
index 000000000000..84e621d2f1b7
--- /dev/null
+++ b/website/pages/docs/auth/cert.mdx
@@ -0,0 +1,130 @@
+---
+layout: docs
+page_title: TLS Certificates - Auth Methods
+sidebar_title: TLS Certificates
+description: >-
+  The "cert" auth method allows users to authenticate with Vault using TLS
+  client certificates.
+---
+
+# TLS Certificates Auth Method
+
+The `cert` auth method allows authentication using SSL/TLS client certificates
+which are either signed by a CA or self-signed.
+
+The trusted certificates and CAs are configured directly to the auth method
+using the `certs/` path. This method cannot read trusted certificates from an
+external source.
+
+CA certificates are associated with a role; role names and CRL names are normalized to
+lower-case.
+
+Please note that to use this auth method, `tls_disable` must be false in the Vault
+configuration. This is because the certificates are sent through TLS communication itself.
+
+## Revocation Checking
+
+Since Vault 0.4, the method supports revocation checking.
+
+An authorised user can submit PEM-formatted CRLs identified by a given name;
+these can be updated or deleted at will. (Note: Vault **does not** fetch CRLs;
+the CRLs themselves and any updates must be pushed into Vault when desired,
+such as via a `cron` job that fetches them from the source and pushes them into
+Vault.)
+
+When there are CRLs present, at the time of client authentication:
+
+- If the client presents any chain where no certificate in the chain matches a
+  revoked serial number, authentication is allowed
+
+- If there is no chain presented by the client without a revoked serial number,
+  authentication is denied
+
+This method provides good security while also allowing for flexibility. For
+instance, if an intermediate CA is going to be retired, a client can be
+configured with two certificate chains: one that contains the initial
+intermediate CA in the path, and the other that contains the replacement. When
+the initial intermediate CA is revoked, the chain containing the replacement
+will still allow the client to successfully authenticate.
+
+**N.B.**: Matching is performed by _serial number only_. For most CAs,
+including Vault's `pki` method, multiple CRLs can successfully be used as
+serial numbers are globally unique. However, since RFCs only specify that
+serial numbers must be unique per-CA, some CAs issue serial numbers in-order,
+which may cause clashes if attempting to use CRLs from two such CAs in the same
+mount of the method. The workaround here is to mount multiple copies of the
+`cert` method, configure each with one CA/CRL, and have clients connect to the
+appropriate mount.
+
+In addition, since the method does not fetch the CRLs itself, the CRL's
+designated time to next update is not considered. If a CRL is no longer in use,
+it is up to the administrator to remove it from the method.
+
+## Authentication
+
+### Via the CLI
+
+The below requires Vault to present a certificate signed by `ca.pem` and
+presents `cert.pem` (using `key.pem`) to authenticate against the `web` cert
+role. Note that the name of `web` ties out with the configuration example
+below writing to a path of `auth/cert/certs/web`. If a certificate role name
+is not specified, the auth method will try to authenticate against all trusted
+certificates.
+
+```
+$ vault login \
+    -method=cert \
+    -ca-cert=ca.pem \
+    -client-cert=cert.pem \
+    -client-key=key.pem \
+    name=web
+```
+
+### Via the API
+
+The endpoint for the login is `/login`. The client simply connects with their
+TLS certificate and when the login endpoint is hit, the auth method will
+determine if there is a matching trusted certificate to authenticate the client.
+Optionally, you may specify a single certificate role to authenticate against.
+
+```sh
+$ curl \
+    --request POST \
+    --cacert ca.pem \
+    --cert cert.pem \
+    --key key.pem \
+    --data '{"name": "web"}' \
+    https://127.0.0.1:8200/v1/auth/cert/login
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the certificate auth method:
+
+   ```text
+   $ vault auth enable cert
+   ```
+
+1. Configure it with trusted certificates that are allowed to authenticate:
+
+   ```text
+   $ vault write auth/cert/certs/web \
+       display_name=web \
+       policies=web,prod \
+       certificate=@web-cert.pem \
+       ttl=3600
+   ```
+
+   This creates a new trusted certificate "web" with same display name and the
+   "web" and "prod" policies. The certificate (public key) used to verify
+   clients is given by the "web-cert.pem" file. Lastly, an optional `ttl` value
+   can be provided in seconds to limit the lease duration.
+
+## API
+
+The TLS Certificate auth method has a full HTTP API. Please see the
+[TLS Certificate API](/api/auth/cert/index.html) for more details.
diff --git a/website/pages/docs/auth/cf.mdx b/website/pages/docs/auth/cf.mdx
new file mode 100644
index 000000000000..460ac9f7cce8
--- /dev/null
+++ b/website/pages/docs/auth/cf.mdx
@@ -0,0 +1,300 @@
+---
+layout: docs
+page_title: Cloud Foundry - Auth Methods
+sidebar_title: Cloud Foundry
+description: The cf auth method allows automated authentication of Cloud Foundry instances.
+---
+
+# Cloud Foundry (CF) Auth Method
+
+The `cf` auth method provides an automated mechanism to retrieve a Vault token
+for CF instances. It leverages CF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation).
+At a high level, this works as follows:
+
+1. You construct a request to Vault including your `CF_INSTANCE_CERT`, signed by your `CF_INSTANCE_KEY`.
+2. Vault validates that the signature is no more than 300 seconds old, or 60 seconds in the future.
+3. Vault validates that the cert was issued by the CA certificate you've pre-configured.
+4. Vault validates that the request was signed by the private key for the `CF_INSTANCE_CERT`.
+5. Vault validates that the `CF_INSTANCE_CERT` application ID, space ID, and org ID presently exist.
+6. If all checks pass, Vault issues an appropriately-scoped token.
+
+## Known Risks
+
+This authentication engine uses CF's instance identity service to authenticate users to Vault. Because
+CF makes its CA certificate and private key available to certain users at any time, it's possible for
+someone with access to them to self-issue identity certificates that meet the criteria for a Vault role,
+allowing them to gain unintended access to Vault.
+
+For this reason, we recommend that if you enable this auth method, you carefully guard access to the
+private key for your instance identity CA certificate. In CredHub, it can be obtained through the
+following call: `$ credhub get -n /cf/diego-instance-identity-root-ca`.
+
+Take extra steps to limit access to that path in CredHub, whether it be through use of CredHub's ACL
+system, or through carefully limiting the users who can access CredHub.
+
+## Usage
+
+### Preparing to Configure the Plugin
+
+To configure this plugin, you'll need to gather the CA certificate that CF uses to issue each `CF_INSTANCE_CERT`,
+and you'll need to configure it to access the CF API.
+
+To gain your instance identity CA certificate, in the [cf dev](https://github.com/cloudfoundry-incubator/cfdev)
+environment it can be found using:
+
+```
+$ bosh int --path /diego_instance_identity_ca ~/.cfdev/state/bosh/creds.yml
+```
+
+In environments containing Ops Manager, it can be found in CredHub. To gain access to CredHub, first install
+[the PCF command-line utility](https://docs.pivotal.io/tiledev/2-2/pcf-command.html) and authenticate to it
+using the `metadata` file it describes. These instructions also use [jq](https://stedolan.github.io/jq/) for
+ease of drilling into the particular part of the response you'll need.
+
+Once those steps are complete, get the credentials you'll use for CredHub:
+
+```
+$ pcf settings | jq '.products[0].director_credhub_client_credentials'
+```
+
+SSH into your Ops Manager VM:
+
+```
+$ ssh -i ops_mgr.pem ubuntu@$OPS_MGR_URL
+```
+
+Please note that the above OPS_MGR_URL shouldn't be prepended with `https://`.
+
+Log into CredHub with the credentials you obtained earlier:
+
+```
+$ credhub login --client-name=director_to_credhub --client-secret=some-secret
+```
+
+And view the root certificate CF uses to issue instance identity certificates:
+
+```
+$ credhub get -n /cf/diego-instance-identity-root-ca
+```
+
+The output to that call will include two certificates and one RSA key. You will need to copy the certificate
+under `ca: |` and place it into a file on your local machine that's properly formatted. Here's an example of
+a properly formatted CA certificate:
+
+```
+$ cat ca.crt
+-----BEGIN CERTIFICATE-----
+MIIDNDCCAhygAwIBAgITPqTy1qvfHNEVuxsl9l1glY85OTANBgkqhkiG9w0BAQsF
+ADAqMSgwJgYDVQQDEx9EaWVnbyBJbnN0YW5jZSBJZGVudGl0eSBSb290IENBMB4X
+DTE5MDYwNjA5MTIwMVoXDTIyMDYwNTA5MTIwMVowKjEoMCYGA1UEAxMfRGllZ28g
+SW5zdGFuY2UgSWRlbnRpdHkgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALa8xGDYT/q3UzEKAsLDajhuHxPpIPFlCXwp6u8U5Qrf427Xof7n
+rXRKzRu3g7E20U/OwzgBi3VZs8T29JGNWeA2k0HtX8oQ+Wc8Qngz9M8t1h9SZlx5
+fGfxPt3x7xozaIGJ8p4HKQH1ZlirL7dzun7Y+7m6Ey8cMVsepqUs64r8+KpCbxKJ
+rV04qtTNlr0LG3yOxSHlip+DDvUVL3jSFz/JDWxwCymiFBAh0QjG1LKp2FisURoX
+GY+HJbf2StpK3i4dYnxQXQlMDpipozK7WFxv3gH4Q6YMZvlmIPidAF8FxfDIsYcq
+TgQ5q0pr9mbu8oKbZ74vyZMqiy+r9vLhbu0CAwEAAaNTMFEwHQYDVR0OBBYEFAHf
+pwqBhZ8/A6ZAvU+p5JPz/omjMB8GA1UdIwQYMBaAFAHfpwqBhZ8/A6ZAvU+p5JPz
+/omjMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADuDJev+6bOC
+v7t9SS4Nd/zeREuF9IKsHDHrYUZBIO1aBQbOO1iDtL4VA3LBEx6fOgN5fbxroUsz
+X9/6PtxLe+5U8i5MOztK+OxxPrtDfnblXVb6IW4EKhTnWesS7R2WnOWtzqRQXKFU
+voBn3QckLV1o9eqzYIE/aob4z0GaVanA9PSzzbVPsX79RCD1B7NmV0cKEQ7IrCrh
+L7ElDV/GlNrtVdHjY0mwz9iu+0YJvxvcHDTERi106b28KXzJz+P5/hyg2wqRXzdI
+faXAjW0kuq5nxyJUALwxD/8pz77uNt4w6WfJoSDM6XrAIhh15K3tZg9EzBmAZ/5D
+jK0RcmCyaXw=
+-----END CERTIFICATE-----
+```
+
+An easy way to verify that your CA certificate is properly formatted is using OpenSSL like so:
+
+```
+$ openssl x509 -in ca.crt -text -noout
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3e:a4:f2:d6:ab:df:1c:d1:15:bb:1b:25:f6:5d:60:95:8f:39:39
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Diego Instance Identity Root CA
+        Validity
+            Not Before: Jun  6 09:12:01 2019 GMT
+            Not After : Jun  5 09:12:01 2022 GMT
+        Subject: CN=Diego Instance Identity Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b6:bc:c4:60:d8:4f:fa:b7:53:31:0a:02:c2:c3:
+                    6a:38:6e:1f:13:e9:20:f1:65:09:7c:29:ea:ef:14:
+                    e5:0a:df:e3:6e:d7:a1:fe:e7:ad:74:4a:cd:1b:b7:
+                    83:b1:36:d1:4f:ce:c3:38:01:8b:75:59:b3:c4:f6:
+                    f4:91:8d:59:e0:36:93:41:ed:5f:ca:10:f9:67:3c:
+                    42:78:33:f4:cf:2d:d6:1f:52:66:5c:79:7c:67:f1:
+                    3e:dd:f1:ef:1a:33:68:81:89:f2:9e:07:29:01:f5:
+                    66:58:ab:2f:b7:73:ba:7e:d8:fb:b9:ba:13:2f:1c:
+                    31:5b:1e:a6:a5:2c:eb:8a:fc:f8:aa:42:6f:12:89:
+                    ad:5d:38:aa:d4:cd:96:bd:0b:1b:7c:8e:c5:21:e5:
+                    8a:9f:83:0e:f5:15:2f:78:d2:17:3f:c9:0d:6c:70:
+                    0b:29:a2:14:10:21:d1:08:c6:d4:b2:a9:d8:58:ac:
+                    51:1a:17:19:8f:87:25:b7:f6:4a:da:4a:de:2e:1d:
+                    62:7c:50:5d:09:4c:0e:98:a9:a3:32:bb:58:5c:6f:
+                    de:01:f8:43:a6:0c:66:f9:66:20:f8:9d:00:5f:05:
+                    c5:f0:c8:b1:87:2a:4e:04:39:ab:4a:6b:f6:66:ee:
+                    f2:82:9b:67:be:2f:c9:93:2a:8b:2f:ab:f6:f2:e1:
+                    6e:ed
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier:
+                01:DF:A7:0A:81:85:9F:3F:03:A6:40:BD:4F:A9:E4:93:F3:FE:89:A3
+            X509v3 Authority Key Identifier:
+                keyid:01:DF:A7:0A:81:85:9F:3F:03:A6:40:BD:4F:A9:E4:93:F3:FE:89:A3
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         3b:83:25:eb:fe:e9:b3:82:bf:bb:7d:49:2e:0d:77:fc:de:44:
+         4b:85:f4:82:ac:1c:31:eb:61:46:41:20:ed:5a:05:06:ce:3b:
+         58:83:b4:be:15:03:72:c1:13:1e:9f:3a:03:79:7d:bc:6b:a1:
+         4b:33:5f:df:fa:3e:dc:4b:7b:ee:54:f2:2e:4c:3b:3b:4a:f8:
+         ec:71:3e:bb:43:7e:76:e5:5d:56:fa:21:6e:04:2a:14:e7:59:
+         eb:12:ed:1d:96:9c:e5:ad:ce:a4:50:5c:a1:54:be:80:67:dd:
+         07:24:2d:5d:68:f5:ea:b3:60:81:3f:6a:86:f8:cf:41:9a:55:
+         a9:c0:f4:f4:b3:cd:b5:4f:b1:7e:fd:44:20:f5:07:b3:66:57:
+         47:0a:11:0e:c8:ac:2a:e1:2f:b1:25:0d:5f:c6:94:da:ed:55:
+         d1:e3:63:49:b0:cf:d8:ae:fb:46:09:bf:1b:dc:1c:34:c4:46:
+         2d:74:e9:bd:bc:29:7c:c9:cf:e3:f9:fe:1c:a0:db:0a:91:5f:
+         37:48:7d:a5:c0:8d:6d:24:ba:ae:67:c7:22:54:00:bc:31:0f:
+         ff:29:cf:be:ee:36:de:30:e9:67:c9:a1:20:cc:e9:7a:c0:22:
+         18:75:e4:ad:ed:66:0f:44:cc:19:80:67:fe:43:8c:ad:11:72:
+         60:b2:69:7c
+```
+
+You will also need to configure access to the CF API. To prepare for this, we will now
+use the [cf](https://docs.cloudfoundry.org/cf-cli/install-go-cli.html) command-line tool.
+
+First, while in the directory containing the `metadata` file you used earlier to authenticate
+to CF, run `$ pcf target`. This points the `cf` tool at the same place as the `pcf` tool. Next,
+run `$ cf api` to view the API endpoint that Vault will use.
+
+Next, configure a user for Vault to use. This plugin was tested with Org Manager level
+permissions, but lower level permissions _may_ be usable.
+
+```
+$ cf create-user vault pa55w0rd
+$ cf orgs
+$ cf org-users my-example-org
+$ cf set-org-role vault my-example-org OrgManager
+```
+
+Specifically, the `vault` user created here will need to be able to perform the following API calls:
+
+- Method: "GET", endpoint: "/v2/info"
+- Method: "POST", endpoint: "/oauth/token"
+- Method: "GET", endpoint: "/v2/apps/\$APP_ID"
+- Method: "GET", endpoint: "/v2/organizations/\$ORG_ID"
+- Method: "GET", endpoint: "/v2/spaces/\$SPACE_ID"
+
+Next, PCF often uses a self-signed certificate for TLS, which can be rejected at first
+with an error like:
+
+```
+x509: certificate signed by unknown authority
+```
+
+If you encounter this error, you will need to first gain a copy of the certificate that CF
+is using for the API via:
+
+```
+$ openssl s_client -showcerts -servername domain.com -connect domain.com:443
+```
+
+Here is an example of a real call:
+
+```
+$ openssl s_client -showcerts -servername api.sys.somewhere.cf-app.com -connect api.sys.somewhere.cf-app.com:443
+```
+
+Part of the response will contain a certificate, which you'll need to copy and paste to
+a well-formatted local file. Please see `ca.crt` above for an example of how the certificate
+should look, and how to verify it can be parsed using `openssl`. The walkthrough below presumes
+you name this file `cfapi.crt`.
+
+### Walkthrough
+
+After obtaining the information described above, a Vault operator will configure the CF auth method
+like so:
+
+```
+$ vault auth enable cf
+
+$ vault write auth/cf/config \
+      identity_ca_certificates=@ca.crt \
+      cf_api_addr=https://api.dev.cfdev.sh \
+      cf_username=vault \
+      cf_password=pa55w0rd \
+      cf_api_trusted_certificates=@cfapi.crt
+
+$ vault write auth/cf/roles/my-role \
+    bound_application_ids=2d3e834a-3a25-4591-974c-fa5626d5d0a1 \
+    bound_space_ids=3d2eba6b-ef19-44d5-91dd-1975b0db5cc9 \
+    bound_organization_ids=34a878d0-c2f9-4521-ba73-a9f664e82c7bf \
+    policies=my-policy
+```
+
+Once configured, from a CF instance containing real values for the `CF_INSTANCE_CERT` and
+`CF_INSTANCE_KEY`, login can be performed using:
+
+```
+$ vault login -method=cf role=test-role
+```
+
+For CF, we do also offer an agent that, once configured, can be used to obtain a Vault token on
+your behalf.
+
+### Maintenance
+
+In testing we found that CF instance identity CA certificates were set to expire in 3 years. Some
+CF docs indicate they expire every 4 years. However long they last, at some point you may need
+to add another CA certificate - one that's soon to expire, and one that is currently or soon-to-be
+valid.
+
+```
+$ CURRENT=$(cat /path/to/current-ca.crt)
+$ FUTURE=$(cat /path/to/future-ca.crt)
+$ vault write auth/vault-plugin-auth-cf/config identity_ca_certificates="$CURRENT,$FUTURE"
+```
+
+If Vault receives a `CF_INSTANCE_CERT` matching _any_ of the `identity_ca_certificates`,
+the instance cert will be considered valid.
+
+A similar approach can be taken to update the `cf_api_trusted_certificates`.
+
+### Troubleshooting At-A-Glance
+
+If you receive an error containing `x509: certificate signed by unknown authority`, set
+`cf_api_trusted_certificates` as described above.
+
+If you're unable to authenticate using the `CF_INSTANCE_CERT`, first obtain a current copy
+of your `CF_INSTANCE_CERT` and copy it to your local environment. Then divide it into two
+files, each being a distinct certificate. The first certificate tends to be the actual
+`identity.crt`, and the second one tends to be the `intermediate.crt`. Verify each are
+properly named and formatted using a command like:
+
+```
+$ openssl x509 -in ca.crt -text -noout
+```
+
+Then, verify that the certificates are properly chained to the `ca.crt` you've configured:
+
+```
+$ openssl verify -CAfile ca.crt -untrusted intermediate.crt identity.crt
+```
+
+This should show a success response. If it doesn't, try to identify the root cause, be it
+an expired certificate, an incorrect `ca.crt`, or a Vault configuration that doesn't
+match the certificates you're checking.
+
+## API
+
+The CF auth method has a full HTTP API. Please see the [CF Auth API](/api/auth/cf/index.html)
+for more details.
diff --git a/website/pages/docs/auth/gcp.mdx b/website/pages/docs/auth/gcp.mdx
new file mode 100644
index 000000000000..9d8bf3a33206
--- /dev/null
+++ b/website/pages/docs/auth/gcp.mdx
@@ -0,0 +1,348 @@
+---
+layout: docs
+page_title: Google Cloud - Auth Methods
+sidebar_title: Google Cloud
+description: |-
+  The "gcp" auth method allows users and machines to authenticate to Vault using
+  Google Cloud service accounts.
+---
+
+# Google Cloud Auth Method
+
+The `gcp` auth method allows Google Cloud Platform entities to authenticate to
+Vault. Vault treats Google Cloud as a trusted third party and verifies
+authenticating entities against the Google Cloud APIs. This backend allows for
+authentication of:
+
+- Google Cloud IAM service accounts
+- Google Compute Engine (GCE) instances
+
+This backend focuses on identities specific to Google _Cloud_ and does not
+support authenticating arbitrary Google or G Suite users or generic OAuth
+against Google.
+
+This plugin is developed in a separate GitHub repository at
+[hashicorp/vault-plugin-auth-gcp][repo],
+but is automatically bundled in Vault releases. Please file all feature
+requests, bugs, and pull requests specific to the GCP plugin under that
+repository.
+
+## Authenticate
+
+### Via the CLI Helper
+
+Vault includes a CLI helper that obtains a signed JWT locally and sends the
+request to Vault. This helper is only available for IAM-type roles.
+
+```text
+$ vault login -method=gcp \
+    role="my-role" \
+    service_account="authenticating-account@my-project.iam.gserviceaccount.com" \
+    project="my-project" \
+    jwt_exp="15m" \
+    credentials=@path/to/signer/credentials.json
+```
+
+For more usage information, run `vault auth help gcp`.
+
+### Via the CLI
+
+```text
+$ vault write -field=token auth/gcp/login \
+    role="my-role" \
+    jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+```
+
+See [Generating JWTs](#generating-jwts) for ways to obtain the JWT token.
+
+### Via the API
+
+```text
+$ curl \
+    --request POST \
+    --data '{"role":"my-role", "jwt":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}' \
+    http://127.0.0.1:8200/v1/auth/gcp/login
+```
+
+See [API docs][api-docs] for expected response.
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the Google Cloud auth method:
+
+   ```text
+   $ vault auth enable gcp
+   ```
+
+1. Configure the auth method credentials:
+
+   ```text
+   $ vault write auth/gcp/config \
+       credentials=@/path/to/credentials.json
+   ```
+
+   If you are using instance credentials or want to specify credentials via
+   an environment variable, you can skip this step. To learn more, see the
+   [Google Cloud Authentication](#google-cloud-authentication) section below.
+
+1. Create a named role:
+
+   For an `iam`-type role:
+
+   ```text
+   $ vault write auth/gcp/role/my-iam-role \
+       type="iam" \
+       policies="dev,prod" \
+       bound_service_accounts="my-service@my-project.iam.gserviceaccount.com"
+   ```
+
+   For a `gce`-type role:
+
+   ```text
+   $ vault write auth/gcp/role/my-gce-role \
+       type="gce" \
+       policies="dev,prod" \
+       bound_projects="my-project1,my-project2" \
+       bound_zones="us-east1-b" \
+       bound_labels="foo:bar,zip:zap"
+   ```
+
+   For the complete list of configuration options for each type, please see the
+   [API documentation][api-docs].
+
+## Authentication
+
+The Google Cloud Vault auth method uses the official Google Cloud Golang SDK.
+This means it supports the common ways of [providing credentials to Google
+Cloud][cloud-creds].
+
+1. The environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
+   as the **path** to a Google Cloud credentials file, typically for a service
+   account. If this environment variable is present, the resulting credentials are
+   used. If the credentials are invalid, an error is returned.
+
+1. Default instance credentials. When no environment variable is present, the
+   default service account credentials are used.
+
+For more information on service accounts, please see the [Google Cloud Service
+Accounts documentation][service-accounts].
+
+To use this auth method, the service account must have the following minimum
+scope:
+
+```text
+https://www.googleapis.com/auth/cloud-platform
+```
+
+### Required GCP Permissions
+
+#### Vault Server Permissions
+
+**For `iam`-type Vault roles**, Vault can be given the following roles:
+
+```text
+roles/iam.serviceAccountKeyAdmin
+```
+
+**For `gce`-type Vault roles**, Vault can be given the following roles:
+
+```text
+roles/compute.viewer
+```
+
+If you instead wish to create a custom role with only the exact GCP permissions
+required, use the following list of permissions:
+
+```text
+iam.serviceAccounts.get
+iam.serviceAccountKeys.get
+compute.instances.get
+compute.instanceGroups.list
+compute.instanceGroups.listInstances
+```
+
+These allow Vault to:
+
+- verify the service account, either directly authenticating or associated with
+  authenticating GCE instance, exists
+- get the corresponding public keys for verifying JWTs signed by service account
+  private keys.
+- verify authenticating GCE instances exist
+- compare bound fields for GCE roles (zone/region, labels, or membership
+  in given instance groups)
+
+#### Permissions For Authenticating Against Vault
+
+Note that the previously mentioned permissions are given to the _Vault servers_.
+The IAM service account or GCE instance that is **authenticating against Vault**
+must have the following role:
+
+```text
+roles/iam.serviceAccountTokenCreator
+```
+
+## Group Aliases
+
+As of Vault 1.0, roles can specify an `add_group_aliases` boolean parameter
+that adds [group aliases][identity-group-aliases] to the auth response. These
+aliases can aid in building reusable policies since they are available as
+interpolated values in Vault's policy engine. Once enabled, the auth response
+will include the following aliases:
+
+```json
+[
+  "project-$PROJECT_ID",
+  "folder-$SUBFOLDER_ID",
+  "folder-$FOLDER_ID",
+  "organization-$ORG_ID"
+]
+```
+
+## Implementation Details
+
+This section describes the implementation details for how Vault communicates
+with Google Cloud to authenticate and authorize JWT tokens. This information is
+provided for those who are curious, but these details are not
+required knowledge for using the auth method.
+
+### IAM Login
+
+IAM login applies only to roles of type `iam`. The Vault authentication workflow
+for IAM service accounts looks like this:
+
+[![Vault Google Cloud IAM Login Workflow](/img/vault-gcp-iam-auth-workflow.svg)](/img/vault-gcp-iam-auth-workflow.svg)
+
+1. The client generates a signed JWT using the IAM
+   [`projects.serviceAccounts.signJwt`][signjwt-method] method. For examples of
+   how to do this, see the [Obtaining JWT Tokens](#obtaining-jwt-tokens) section.
+
+2. The client sends this signed JWT to Vault along with a role name.
+
+3. Vault extracts the `kid` header value, which contains the ID of the
+   key-pair used to generate the JWT, and the `sub` ID/email to find the service
+   account key. If the service account does not exist or the key is not linked to
+   the service account, Vault denies authentication.
+
+4. Vault authorizes the confirmed service account against the given role. If
+   that is successful, a Vault token with the proper policies is returned.
+
+### GCE Login
+
+GCE login only applies to roles of type `gce` and **must be completed on an
+instance running in GCE**. These steps will not work from your local laptop or
+another cloud provider.
+
+[![Vault Google Cloud GCE Login Workflow](/img/vault-gcp-gce-auth-workflow.svg)](/img/vault-gcp-gce-auth-workflow.svg)
+
+1. The client obtains an [instance identity metadata token][instance-identity]
+   on a GCE instance.
+
+2. The client sends this JWT to Vault along with a role name.
+
+3. Vault extracts the `kid` header value, which contains the ID of the
+   key-pair used to generate the JWT, to find the OAuth2 public cert to verify
+   this JWT.
+
+4. Vault authorizes the confirmed instance against the given role, ensuring
+   the instance matches the bound zones, regions, or instance groups. If that is
+   successful, a Vault token with the proper policies is returned.
+
+## Generating JWTs
+
+This section details the various methods and examples for obtaining JWT
+tokens.
+
+### IAM
+
+This describes how to use the GCP IAM [API method][signjwt-method] directly
+to generate the signed JWT with the claims that Vault expects. Note the CLI
+does this process for you and is much easier, and that there is very little
+reason to do this yourself.
+
+#### curl Example
+
+Vault requires the following minimum claim set:
+
+```json
+{
+  "sub": "$SERVICE_ACCOUNT_EMAIL_OR_ID",
+  "aud": "vault/$ROLE",
+  "exp": "$EXPIRATION"
+}
+```
+
+For the API method, expiration is optional and will default to an hour.
+If specified, expiration must be a
+[NumericDate](https://tools.ietf.org/html/rfc7519#section-2) value (seconds from
+Epoch). This value must be before the max JWT expiration allowed for a role.
+This defaults to 15 minutes and cannot be more than 1 hour.
+
+One you have all this information, the JWT token can be signed using curl and
+[oauth2l](https://github.com/google/oauth2l):
+
+```text
+ROLE="my-role"
+PROJECT="my-project"
+SERVICE_ACCOUNT="service-account@my-project.iam.gserviceaccount.com"
+OAUTH_TOKEN="$(oauth2l header cloud-platform)"
+JWT_CLAIM="{\\\"aud\\\":\\\"vault/${ROLE}\\\", \\\"sub\\\": \\\"${SERVICE_ACCOUNT}\\\"}"
+
+curl \
+  --header "${OAUTH_TOKEN}" \
+  --header "Content-Type: application/json" \
+  --request POST \
+  --data "{\"payload\": \"${JWT_CLAIM}\"}" \
+  "https://iam.googleapis.com/v1/projects/${PROJECT}/serviceAccounts/${SERVICE_ACCOUNT}:signJwt"
+```
+
+#### gcloud Example
+
+You can also do this through the (currently beta) gcloud command.
+
+```text
+$ gcloud beta iam service-accounts sign-jwt $INPUT_JWT_CLAIMS $OUTPUT_JWT_FILE \
+    --iam-account=service-account@my-project.iam.gserviceaccount.com \
+    --project=my-project
+```
+
+#### Golang Example
+
+Read more on the
+[Google Open Source blog](https://opensource.googleblog.com/2017/08/hashicorp-vault-and-google-cloud-iam.html).
+
+### GCE
+
+GCE tokens **can only be generated from a GCE instance**. The JWT token can be
+obtained from the `service-accounts/default/identity` endpoint for a
+instance's metadata server.
+
+#### curl Example
+
+```text
+ROLE="my-gce-role"
+
+curl \
+  --header "Metadata-Flavor: Google" \
+  --get \
+  --data-urlencode "audience=http://vault/${ROLE}" \
+  --data-urlencode "format=full" \
+  "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
+```
+
+## API
+
+The GCP Auth Plugin has a full HTTP API. Please see the
+[API docs][api-docs] for more details.
+
+[jwt]: https://tools.ietf.org/html/rfc7519
+[signjwt-method]: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt
+[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
+[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
+[api-docs]: /api/auth/gcp/index.html
+[identity-group-aliases]: /api/secret/identity/group-alias.html
+[instance-identity]: https://cloud.google.com/compute/docs/instances/verifying-instance-identity
+[repo]: https://github.com/hashicorp/vault-plugin-auth-gcp
diff --git a/website/pages/docs/auth/github.mdx b/website/pages/docs/auth/github.mdx
new file mode 100644
index 000000000000..ed582e5ff887
--- /dev/null
+++ b/website/pages/docs/auth/github.mdx
@@ -0,0 +1,113 @@
+---
+layout: docs
+page_title: GitHub - Auth Methods
+sidebar_title: GitHub
+description: The GitHub auth method allows authentication with Vault using GitHub.
+---
+
+# GitHub Auth Method
+
+The `github` auth method can be used to authenticate with Vault using a GitHub
+personal access token. This method of authentication is most useful for humans:
+operators or developers using Vault directly via the CLI.
+
+~> **IMPORTANT NOTE:** Vault does not support an OAuth workflow to generate
+GitHub tokens, so does not act as a GitHub application. As a result, this method
+uses personal access tokens. An important consequence is that any valid GitHub
+access token with the `read:org` scope can be used for authentication. If such a
+token is stolen from a third party service, and the attacker is able to make
+network calls to Vault, they will be able to log in as the user that generated
+the access token. When using this method it is a good idea to ensure that access
+to Vault is restricted at a network level rather than public. If these risks are
+unacceptable to you, you should use a different method.
+
+## Authentication
+
+### Via the CLI
+
+The default path is `/github`. If this auth method was enabled at a different
+path, specify `-path=/my-path` in the CLI.
+
+```text
+$ vault login -method=github token="MY_TOKEN"
+```
+
+### Via the API
+
+The default endpoint is `auth/github/login`. If this auth method was enabled
+at a different path, use that value instead of `github`.
+
+```shell
+$ curl \
+    --request POST \
+    --data '{"token": "MY_TOKEN"}' \
+    http://127.0.0.1:8200/v1/auth/github/login
+```
+
+The response will contain a token at `auth.client_token`:
+
+```json
+{
+  "auth": {
+    "renewable": true,
+    "lease_duration": 2764800,
+    "metadata": {
+      "username": "my-user",
+      "org": "my-org"
+    },
+    "policies": ["default", "dev-policy"],
+    "accessor": "f93c4b2d-18b6-2b50-7a32-0fecf88237b8",
+    "client_token": "1977fceb-3bfa-6c71-4d1f-b64af98ac018"
+  }
+}
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the GitHub auth method:
+
+   ```text
+   $ vault auth enable github
+   ```
+
+1. Use the `/config` endpoint to configure Vault to talk to GitHub.
+
+   ```text
+   $ vault write auth/github/config organization=hashicorp
+   ```
+
+   For the complete list of configuration options, please see the API
+   documentation.
+
+1. Map the users/teams of that GitHub organization to policies in Vault. Team
+   names must be "slugified":
+
+   ```text
+   $ vault write auth/github/map/teams/dev value=dev-policy
+   ```
+
+   In this example, when members of the team "dev" in the organization
+   "hashicorp" authenticate to Vault using a GitHub personal access token, they
+   will be given a token with the "dev-policy" policy attached.
+
+   ***
+
+   You can also create mappings for a specific user `map/users/<user>`
+   endpoint:
+
+   ```text
+   $ vault write auth/github/map/users/sethvargo value=sethvargo-policy
+   ```
+
+   In this example, a user with the GitHub username `sethvargo` will be
+   assigned the `sethvargo-policy` policy **in addition to** any team policies.
+
+## API
+
+The GitHub auth method has a full HTTP API. Please see the
+[GitHub Auth API](/api/auth/github/index.html) for more
+details.
diff --git a/website/pages/docs/auth/index.mdx b/website/pages/docs/auth/index.mdx
new file mode 100644
index 000000000000..519d3f544575
--- /dev/null
+++ b/website/pages/docs/auth/index.mdx
@@ -0,0 +1,45 @@
+---
+layout: docs
+page_title: Auth Methods
+sidebar_title: Auth Methods
+description: Auth methods are mountable methods that perform authentication for Vault.
+---
+
+# Auth Methods
+
+Auth methods are the components in Vault that perform authentication and are
+responsible for assigning identity and a set of policies to a user.
+
+Having multiple auth methods enables you to use an auth method that makes the
+most sense for your use case of Vault and your organization.
+
+For example, on developer machines, the [GitHub auth method](/docs/auth/github.html)
+is easiest to use. But for servers the [AppRole](/docs/auth/approle.html)
+method is the recommended choice.
+
+To learn more about authentication, see the
+[authentication concepts page](/docs/concepts/auth.html).
+
+## Enabling/Disabling Auth Methods
+
+Auth methods can be enabled/disabled using the CLI or the API.
+
+```text
+$ vault auth enable userpass
+```
+
+When enabled, auth methods are similar to [secrets engines](/docs/secrets/index.html):
+they are mounted within the Vault mount table and can be accessed
+and configured using the standard read/write API. All auth methods are mounted underneath the `auth/` prefix.
+
+By default, auth methods are mounted to `auth/<type>`. For example, if you
+enable "github", then you can interact with it at `auth/github`. However, this
+path is customizable, allowing users with advanced use cases to mount a single
+auth method multiple times.
+
+```text
+$ vault auth enable -path=my-login userpass
+```
+
+When an auth method is disabled, all users authenticated via that method are
+automatically logged out.
diff --git a/website/pages/docs/auth/jwt.mdx b/website/pages/docs/auth/jwt.mdx
new file mode 100644
index 000000000000..92151b556ebb
--- /dev/null
+++ b/website/pages/docs/auth/jwt.mdx
@@ -0,0 +1,305 @@
+---
+layout: docs
+page_title: JWT/OIDC - Auth Methods
+sidebar_title: JWT/OIDC
+description: >-
+  The JWT/OIDC auth method allows authentication using OIDC and user-provided
+  JWTs
+---
+
+# JWT/OIDC Auth Method
+
+The `jwt` auth method can be used to authenticate with Vault using
+[OIDC](https://en.wikipedia.org/wiki/OpenID_Connect) or by providing a
+[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token).
+
+The OIDC method allows authentication via a configured OIDC provider using the
+user's web browser. This method may be initiated from the Vault UI or the
+command line. Alternatively, a JWT can be provided directly. The JWT is
+cryptographically verified using locally-provided keys, or, if configured, an
+OIDC Discovery service can be used to fetch the appropriate keys. The choice of
+method is configured per role.
+
+Both methods allow additional processing of the claims data in the JWT. Some of
+the concepts common to both methods will be covered first, followed by specific
+examples of OIDC and JWT usage.
+
+### JWT Verification
+
+JWT signatures will be verified against public keys from the issuer. This process can be done in
+three different ways, though only one method may be configured for a single backend:
+
+- **Static Keys**. A set of public keys is stored directly in the backend configuration.
+
+- **JWKS**. A JSON Web Key Set ([JWKS](https://tools.ietf.org/html/rfc7517)) URL (and optional
+  certificate chain) is configured. Keys will be fetched from this endpoint during authentication.
+
+- **OIDC Discovery**. An OIDC Discovery URL (and optional certificate chain) is configured. Keys
+  will be fetched from this URL during authentication. When OIDC Discovery is used, OIDC validation
+  criteria (e.g. `iss`, `aud`, etc.) will be applied.
+
+If multiple methods are needed, another instance of the backend can be mounted and configured
+at a different path.
+
+### Bound Claims
+
+Once a JWT has been validated as being properly signed and not expired, the
+authorization flow will validate that any configured "bound" parameters match.
+In some cases there are dedicated parameters, for example `bound_subject`,
+which must match the JWT's `sub` parameter. A role may also be configured to
+check arbitrary claims through the `bound_claims` map. The map contains a set
+of claims and their required values. For example, assume `bound_claims` is set
+to:
+
+```json
+{
+  "division": "Europe",
+  "department": "Engineering"
+}
+```
+
+Only JWTs containing both the "division" and "department" claims, and
+respective matching values of "Europe" and "Engineering", would be authorized.
+If the expected value is a list, the claim must match one of the items in the list.
+To limit authorization to a set of email addresses:
+
+```json
+{
+  "email": ["fred@example.com", "julie@example.com"]
+}
+```
+
+### Claims as Metadata
+
+Data from claims can be copied into the resulting auth token and alias metadata by configuring `claim_mappings`. This role
+parameter is a map of items to copy. The map elements are of the form: `"<JWT claim>":"<metadata key>"`. Assume
+`claim_mappings` is set to:
+
+```json
+{
+  "division": "organization",
+  "department": "department"
+}
+```
+
+This specifies that the value in the JWT claim "division" should be copied to the metadata key "organization". The JWT
+"department" claim value will also be copied into metadata but will retain the key name. If a claim is configured in `claim_mappings`,
+it must existing in the JWT or else the authentication will fail.
+
+Note: the metadata key name "role" is reserved and may not be used for claim mappings.
+
+### Claim specifications and JSON Pointer
+
+Some parameters (e.g. `bound_claims` and `groups_claim`) are used to point to data within the JWT. If
+the desired key is at the top of level of the JWT, the name can be provided directly. If it is nested at a
+lower level, a JSON Pointer may be used.
+
+Assume the following JSON data to be referenced:
+
+```json
+{
+  "division": "North America",
+  "groups": {
+    "primary": "Engineering",
+    "secondary": "Software"
+  }
+}
+```
+
+A parameter of `"division"` will reference "North America", as this is a top level key. A parameter
+`"/groups/primary"` uses JSON Pointer syntax to reference "Engineering" at a lower level. Any valid
+JSON Pointer can be used as a selector. Refer to the
+[JSON Pointer RFC](https://tools.ietf.org/html/rfc6901) for a full description of the syntax
+
+## OIDC Authentication
+
+This section covers the setup and use of OIDC roles. If a JWT is to be provided directly,
+refer to the [JWT Authentication](/docs/auth/jwt.html#jwt-authentication) section below. Basic
+familiarity with [OIDC concepts](https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1)
+is assumed.
+
+Vault includes two built-in OIDC login flows: the Vault UI, and the CLI
+using a `vault login`.
+
+### Redirect URIs
+
+An important part of OIDC role configuration is properly setting redirect URIs. This must be
+done both in Vault and with the OIDC provider, and these configurations must align. The
+redirect URIs are specified for a role with the `allowed_redirect_uris` parameter. There are
+different redirect URIs to configure the Vault UI and CLI flows, so one or both will need to
+be set up depending on the installation.
+
+**CLI**
+
+If you plan to support authentication via `vault login -method=oidc`, a localhost redirect URI
+must be set. This can usually be: `http://localhost:8250/oidc/callback`. Logins via the CLI may
+specify a different host and/or listening port if needed, and a URI with this host/port must match one
+of the configured redirected URIs. These same "localhost" URIs must be added to the provider as well.
+
+**Vault UI**
+
+Logging in via the Vault UI requires a redirect URI of the form:
+`https://{host:port}/ui/vault/auth/{path}/oidc/callback`
+
+The "host:port" must be correct for the Vault server, and "path" must match the path the JWT
+backend is mounted at (e.g. "oidc" or "jwt").
+If [namespaces](https://www.vaultproject.io/docs/enterprise/namespaces/index.html) are being used,
+they must be added as query parameters, for example:
+
+`https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback?namespace=my_ns`
+
+### OIDC Login (Vault UI)
+
+1. Select the "OIDC" login method.
+1. Enter a role name if necessary.
+1. Press "Sign In" and complete the authentication with the configured provider.
+
+### OIDC Login (CLI)
+
+The CLI login defaults to path of `/oidc`. If this auth method was enabled at a
+different path, specify `-path=/my-path` in the CLI.
+
+```text
+$ vault login -method=oidc port=8400 role=test
+
+Complete the login via your OIDC provider. Launching browser to:
+
+    https://myco.auth0.com/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A8400%2Foidc%2Fcallback&client_id=r3qXc2bix9eF...
+```
+
+The browser will open to the generated URL to complete the provider's login. The
+URL may be entered manually if the browser cannot be automatically opened.
+
+The callback listener may be customized with the following optional parameters:
+
+- `callbackhost` (default: "localhost")
+- `port` (default: 8250)
+
+### OIDC Provider Configuration
+
+The OIDC authentication flow has been successfully tested with a number of providers. A full
+guide to configuring OAuth/OIDC applications is beyond the scope of Vault documentation, but a
+collection of provider configuration steps has been collected to help get started:
+[OIDC Provider Setup](/docs/auth/jwt_oidc_providers.html)
+
+### OIDC Configuration Troubleshooting
+
+This amount of configuration required for OIDC is relatively small, but it can be tricky to debug
+why things aren't working. Some tips for setting up OIDC:
+
+- Monitor Vault's log output. Important information about OIDC validation failures will be emitted.
+- Ensure Redirect URIs are correct in Vault and on the provider. They need to match exactly. Check:
+  http/https, 127.0.0.1/localhost, port numbers, whether trailing slashes are present.
+- Start simple. The only claim configuration a role requires is `user_claim`. After authentication is
+  known to work, you can add additional claims bindings and metadata copying.
+- `bound_audiences` is optional for OIDC roles and typically not required. OIDC providers will use
+  the client_id as the audience and OIDC validation expects this.
+- Check your provider for what scopes are required in order to receive all
+  of the information you need. The scopes "profile" and "groups" often need to be
+  requested, and can be added by setting `oidc_scopes="profile,groups"` on the role.
+- If you're seeing claim-related errors in logs, review the provider's docs very carefully to see
+  how they're naming and structuring their claims. Depending on the provider, you may be able to
+  construct a simple `curl` implicit grant request to obtain a JWT that you can inspect. An example
+  of how to decode the JWT (in this case located in the "access_token" field of a JSON response):
+
+  `cat jwt.json | jq -r .access_token | cut -d. -f2 | base64 -D`
+
+- As of Vault 1.2, the [`verbose_oidc_logging`](/api/auth/jwt/index.html#verbose_oidc_logging) role
+  option is available which will log the received OIDC token if debug-level logging is enabled. This can
+  be helpful when debugging provider setup and verifying that the received claims are what you expect.
+  Since claims data is logged verbatim and may contain sensitive information, this option should not be
+  used in production.
+
+## JWT Authentication
+
+The authentication flow for roles of type "jwt" is simpler than OIDC since Vault
+only needs to validate the provided JWT.
+
+### Via the CLI
+
+The default path is `/jwt`. If this auth method was enabled at a
+different path, specify `-path=/my-path` in the CLI.
+
+```text
+$ vault write auth/jwt/login role=demo jwt=...
+```
+
+### Via the API
+
+The default endpoint is `auth/jwt/login`. If this auth method was enabled
+at a different path, use that value instead of `jwt`.
+
+```shell
+$ curl \
+    --request POST \
+    --data '{"jwt": "your_jwt", "role": "demo"}' \
+    http://127.0.0.1:8200/v1/auth/jwt/login
+```
+
+The response will contain a token at `auth.client_token`:
+
+```json
+{
+  "auth": {
+    "client_token": "38fe9691-e623-7238-f618-c94d4e7bc674",
+    "accessor": "78e87a38-84ed-2692-538f-ca8b9f400ab3",
+    "policies": ["default"],
+    "metadata": {
+      "role": "demo"
+    },
+    "lease_duration": 2764800,
+    "renewable": true
+  }
+}
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the JWT auth method. Either the "jwt" or "oidc" name may be used. The
+    backend will be mounted at the chosen name.
+
+    ```text
+    $ vault auth enable jwt
+      or
+    $ vault auth enable oidc
+    ```
+
+1.  Use the `/config` endpoint to configure Vault. To support JWT roles, either local keys or an OIDC
+    Discovery URL must be present. For OIDC roles, OIDC Discovery URL, OIDC Client ID and OIDC Client Secret are required. For the
+    list of available configuration options, please see the [API documentation](/api/auth/jwt/index.html).
+
+    ```text
+    $ vault write auth/jwt/config \
+        oidc_discovery_url="https://myco.auth0.com/" \
+        oidc_client_id="m5i8bj3iofytj" \
+        oidc_client_secret="f4ubv72nfiu23hnsj" \
+        default_role="demo"
+    ```
+
+1.  Create a named role:
+
+    ```text
+    vault write auth/jwt/role/demo \
+        bound_subject="r3qX9DljwFIWhsiqwFiu38209F10atW6@clients" \
+        bound_audiences="https://vault.plugin.auth.jwt.test" \
+        user_claim="https://vault/user" \
+        groups_claim="https://vault/groups" \
+        policies=webapps \
+        ttl=1h
+    ```
+
+    This role authorizes JWTs with the given subject and audience claims, gives
+    it the `webapps` policy, and uses the given user/groups claims to set up
+    Identity aliases.
+
+    For the complete list of configuration options, please see the API
+    documentation.
+
+## API
+
+The JWT Auth Plugin has a full HTTP API. Please see the
+[API docs](/api/auth/jwt/index.html) for more details.
diff --git a/website/pages/docs/auth/jwt_oidc_providers.mdx b/website/pages/docs/auth/jwt_oidc_providers.mdx
new file mode 100644
index 000000000000..cc7fd6a49777
--- /dev/null
+++ b/website/pages/docs/auth/jwt_oidc_providers.mdx
@@ -0,0 +1,118 @@
+---
+layout: docs
+page_title: OIDC Provider Setup - Auth Methods
+description: OIDC provider configuration quick starts
+---
+
+# OIDC Provider Configuration
+
+This page collects high-level setup steps on how to configure an OIDC
+application for various providers. For more general usage and operation
+information, see the [Vault JWT/OIDC method documentation](https://www.vaultproject.io/docs/auth/jwt.html).
+
+OIDC providers are often highly configurable and you should become familiar with
+their recommended settings and best practices. The instructions below are
+largely community-driven and intended to help you get started. Corrections
+and additions may be submitted via the [Vault Github repository](https://github.com/hashicorp/vault).
+
+## Azure Active Directory (AAD)
+
+Reference: [Azure Active Directory v2.0 and the OpenID Connect protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)
+
+1. Register or select an AAD application. Visit Overview page.
+1. Configure Redirect URIs ("Web" type).
+   - You may include two redirect URIs, one for CLI access another one for Vault UI access.
+     - http://localhost:8250/oidc/callback
+     - https://hostname:port_number/ui/vault/auth/oidc/oidc/callback
+1. Record "Application (client) ID" as you will need it as the oidc_client_id
+1. Under API Permissions grant the following permission:
+   - Microsoft Graph API permission [Group.Read.All](https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-10)
+1. Under "Endpoints", copy the OpenID Connect metadata document URL, omitting the `/well-known...` portion.
+   - The endpoint url (oidc_discovery_url) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0
+1. Switch to Certificates & Secrets. Create a new client secret and record the generated value as
+   it will not be accessible after you leave the page.
+
+Please note [Azure AD v2.0 endpoints](https://docs.microsoft.com/en-gb/azure/active-directory/develop/azure-ad-endpoint-comparison)
+are required for [external groups](https://www.vaultproject.io/docs/secrets/identity/index.html#external-vs-internal-groups) to work.
+
+- `groupMembershipClaims` should be changed from `none` in the
+  [App registration manifest](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest).
+  Options are "All" or "Security"
+
+- In the [OIDC Role config](https://www.vaultproject.io/api/auth/jwt/index.html#create-role)
+  the scope `"https://graph.microsoft.com/.default"` should be added to add groups
+  to the jwt token and `groups_claim` should be set to `groups`.
+
+- Finally Azure AD group can be referenced by using the groups `objectId` as the [group alias name](https://www.vaultproject.io/api/secret/identity/group-alias.html) for the external group.
+
+### CLI setup instructions:
+
+You have to fill in the following values make sure to use the correct vault secret
+path that matches the name of the authentication method such as /oidc/
+
+- oidc_client_id = Application Client ID
+- oidc_client_secret = Secret obtained from the Certificates & Secrets Section
+- default_role = default role the user will be using when connecting. (see the second command)
+- oidc_discovery_url = Open ID endpoint retrieved from the App Registration sections.
+
+```
+vault write auth/oidc/config \
+    oidc_client_id="your_client_id" \
+    oidc_client_secret="your_client_secret" \
+    default_role=“your_default_role” \
+    oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0”
+```
+
+```
+vault write auth/oidc/role/demo user_claim="email" \
+    allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback"  \
+    groups_claim="groups" \
+    policies=default
+```
+
+## Auth0
+
+1. Select Create Application (Regular Web App).
+1. Configure Allowed Callback URLs.
+1. Copy client ID and secret.
+1. If you see Vault errors involving signature, check the application's Advanced > OAuth settings
+   and verify that signing algorithm is "RS256".
+
+## Gitlab
+
+1. Visit Settings > Applications.
+1. Fill out Name and Redirect URIs.
+1. Making sure to select the "openid" scope.
+1. Copy client ID and secret.
+
+## Google
+
+Main reference: [Using OAuth 2.0 to Access Google APIs](https://developers.google.com/identity/protocols/OAuth2)
+
+1. Visit the [Google API Console](https://console.developers.google.com).
+1. Create or a select a project.
+1. Create a new credential via Credentials > Create Credentials > OAuth Client ID.
+1. Configure the OAuth Consent Screen. Application Name is required. Save.
+1. Select application type: "Web Application".
+1. Configure Authorized Redirect URIs.
+1. Save client ID and secret.
+
+## Keycloak
+
+1. Select/create a Realm and Client. Select a Client and visit Settings.
+1. Client Protocol: openid-connect
+1. Access Type: confidential
+1. Standard Flow Enabled: On
+1. Configure Valid Redirect URIs.
+1. Save.
+1. Visit Credentials. Select Client ID and Secret and note the generated secret.
+
+## Okta
+
+1. Make sure an Authorization Server has been created. The "Issuer" field shown on the Setting page
+   will be used as the `oidc_discovery_url`.
+1. Visit Applications > Add Application (Web).
+1. Configure Login redirect URIs. Save.
+1. Save client ID and secret.
+
+Note your policy will need `oidc_scopes` to include `profile` to get a full profile ("[Fat Token](https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token)"). You will also need to configure bound audience along the lines of `"bound_audiences": ["api://default", "0a4........."]` if you are using the default authorization server.
diff --git a/website/pages/docs/auth/kerberos.mdx b/website/pages/docs/auth/kerberos.mdx
new file mode 100644
index 000000000000..e4fcddfe213b
--- /dev/null
+++ b/website/pages/docs/auth/kerberos.mdx
@@ -0,0 +1,223 @@
+---
+layout: docs
+page_title: Kerberos - Auth Methods
+sidebar_title: Kerberos
+description: The Kerberos auth method allows automated authentication of Kerberos entities.
+---
+
+# Kerberos Auth Method
+
+The `kerberos` auth method provides an automated mechanism to retrieve
+a Vault token for Kerberos entities.
+
+[Kerberos](https://web.mit.edu/kerberos/) is a network authentication
+protocol invented by MIT in the 1980s. Its name is inspired by Cerberus,
+the three-headed hound of Hades from Greek mythology. The three heads
+refer to Kerberos' three entities - an authentication server, a ticket
+granting server, and a principals database. Kerberos underlies
+authentication in Active Directory, and its purpose is to _distribute_
+a network's authentication workload.
+
+Vault's Kerberos auth method was originally written by the folks at
+[Winton](https://github.com/wintoncode), to whom we owe a special thanks
+for both originally building the plugin, and for collaborating to bring
+it into HashiCorp's maintenance.
+
+## Prerequisites
+
+Kerberos is a very hands-on auth method. Other auth methods like
+[LDAP](https://www.vaultproject.io/docs/auth/ldap.html) and
+[Azure](https://www.vaultproject.io/docs/auth/azure.html) only require
+a cursory amount of knowledge for configuration and use.
+Kerberos, on the other hand, is best used by people already familiar
+with it. We recommend that you use simpler authentication methods if
+your use case is achievable through them. If not, we recommend that
+before approaching Kerberos, you become familiar with its fundamentals.
+
+- [MicroNugget: How Kerberos Works in Windows Active Directory](https://www.youtube.com/watch?v=kp5d8Yv3-0c)
+- [MIT's Kerberos Documentation](https://web.mit.edu/kerberos/)
+- [Kerberos: The Definitive Guide](https://www.amazon.com/Kerberos-Definitive-Guide-ebook-dp-B004P1J81C/dp/B004P1J81C/ref=mt_kindle?_encoding=UTF8&me=&qid=1573685442)
+
+Regardless of how you gain your knowledge, before using this auth method,
+ensure you are comfortable with Kerberos' high-level architecture, and
+ensure you've gone through the exercise of:
+
+- Creating a valid `krb5.conf` file
+- Creating a valid `keytab` file
+- Authenticating to your domain server with your `keytab` file using `kinit`
+
+With that knowledge in hand, and with an environment that's already tested
+and confirmed working, you will be ready to use Kerberos with Vault.
+
+## Configuration
+
+- Enable Kerberos authentication in Vault:
+
+```text
+$ vault auth enable \
+    -passthrough-request-headers=Authorization \
+    -allowed-response-headers=www-authenticate \
+    kerberos
+```
+
+- Create a `keytab` for the Kerberos plugin:
+
+```text
+$ ktutil
+ktutil:  addent -password -p your_service_account@REALM.COM -e aes256-cts -k 1
+Password for your_service_account@REALM.COM:
+ktutil:  list -e
+slot KVNO Principal
+---- ---- ---------------------------------------------------------------------
+  1    1            your_service_account@REALM.COM (aes256-cts-hmac-sha1-96)
+ktutil:  wkt vault.keytab
+```
+
+The KVNO (`-k 1`) should match the KVNO of the service account. An error will show in the Vault logs if this is incorrect.
+
+Different encryption types can also be added to the `keytab`, for example `-e rc4-hmac` with additional `addent` commands.
+
+Then base64 encode it:
+
+```text
+$ base64 vault.keytab > vault.keytab.base64
+```
+
+- Configure the Kerberos auth method with the `keytab` and
+  entry name that will be used to verify inbound login
+  requests:
+
+```text
+$ vault write auth/kerberos/config \
+    keytab=@vault.keytab.base64 \
+    service_account="vault_svc"
+```
+
+- Configure the Kerberos auth method to communicate with
+  LDAP using the service account configured above. This is
+  a sample LDAP configuration. Yours will vary. Ensure you've
+  first tested your configuration from the Vault server using
+  a tool like `ldapsearch`.
+
+```text
+$ vault write auth/kerberos/config/ldap \
+    binddn=vault_svc@MATRIX.LAN \
+    bindpass=$VAULT_SVC_PASSWORD \
+    groupattr=sAMAccountName \
+    groupdn="DC=MATRIX,DC=LAN" \
+    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
+    userdn="CN=Users,DC=MATRIX,DC=LAN" \
+    userattr=sAMAccountName \
+    upndomain=MATRIX.LAN \
+    url=ldaps://somewhere.foo
+```
+
+The LDAP above relies upon the same code as the LDAP auth method.
+See [its documentation](https://www.vaultproject.io/docs/auth/ldap.html)
+for further discussion of available parameters.
+
+- Configure the Vault policies that should be granted to those
+  who successfully authenticate based on their LDAP group membership.
+  Since this is identical to the LDAP auth method, see
+  [Group Membership Resolution](https://www.vaultproject.io/docs/auth/ldap.html#group-membership-resolution)
+  and [LDAP Group -> Policy Mapping](https://www.vaultproject.io/docs/auth/ldap.html#ldap-group-gt-policy-mapping)
+  for further discussion.
+
+```text
+$ vault write auth/kerberos/groups/engineering-team \
+    policies=engineers
+```
+
+The above group grants the "engineers" policy to those who authenticate
+via Kerberos and are found to be members of the "engineering-team" LDAP
+group.
+
+## Authentication
+
+From a client machine with a valid `krb5.conf` and `keytab`, perform a command
+like the following:
+
+```text
+$ vault login -method=kerberos \
+    username=grace \
+    service=HTTP/my-service \
+    realm=MATRIX.LAN \
+    keytab_path=/etc/krb5/krb5.keytab  \
+    krb5conf_path=/etc/krb5.conf
+```
+
+- `krb5conf_path` is the path to a valid `krb5.conf` file describing how to
+  communicate with the Kerberos environment.
+- `keytab_path` is the path to the `keytab` in which the entry lives for the
+  entity authenticating to Vault.
+- `username` is the username for the entry _within_ the `keytab` to use for
+  logging into Kerberos. This username must match a service account in LDAP.
+- `service` is the service principal name to use in obtaining a service ticket for
+  gaining a SPNEGO token. This service must exist in LDAP.
+- `realm` is the name of the Kerberos realm. This realm must match the UPNDomain
+  configured on the LDAP connection. This check is case-sensitive.
+
+## Troubleshooting
+
+### Identify the Malfunctioning Piece
+
+Once the malfunctioning piece of the journey is identified, you can focus
+your debugging efforts in the most useful direction.
+
+1. Use `ldapsearch` while logged into your machine hosting Vault to ensure
+   your LDAP configuration is functional.
+2. Authenticate to your domain server using `kinit`, your `keytab`, and your
+   `krb5.conf`. Do this with both Vault's `keytab`, and any client `keytab` being
+   used for logging in. This ensures your Kerberos network is working.
+3. While logged into your client machine, verify you can reach Vault
+   through the following command: `$ curl $VAULT_ADDR/v1/sys/health`.
+
+### Build Clear Steps to Reproduce the Problem
+
+If possible, make it easy for someone else to reproduce the problem who
+is outside of your company. For instance, if you expect that you should
+be able to login using a command like:
+
+```text
+$ vault login -method=kerberos \
+    username=my-name \
+    service=HTTP/my-service \
+    realm=EXAMPLE.COM \
+    keytab_path=/etc/krb5/krb5.keytab  \
+    krb5conf_path=/etc/krb5.conf
+```
+
+Then make sure you're ready to share the error output of that command, the
+contents of the `krb5.conf` file, and [the entries listed](https://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjs1q/index.html)
+in the `keytab` file.
+
+After you've stripped the issue down to its simplest form, if you still
+encounter difficulty resolving it, it will be much easier to gain assistance
+by posting your reproduction to the [Vault Forum](https://discuss.hashicorp.com/c/vault)
+or by providing it to [HashiCorp Support](https://www.hashicorp.com/support.html)
+(if applicable.)
+
+### Additional Troubleshooting Resources
+
+- [Troubleshooting Vault](https://learn.hashicorp.com/vault/operations/troubleshooting-vault)
+- [The plugin's code](https://github.com/hashicorp/vault-plugin-auth-kerberos)
+
+The Vault Kerberos library has a working integration test environment that
+can be referenced as an example of a full Kerberos and LDAP environment.
+It runs through Docker and can be started through either one of the following
+commands:
+
+```text
+$ make integration
+$ make dev-env
+```
+
+These commands run variations of [a script](https://github.com/hashicorp/vault-plugin-auth-kerberos/blob/master/scripts/integration_env.sh)
+that spins up a full environment, adds users, and executes a login from a
+client.
+
+## API
+
+The Kerberos auth method has a full HTTP API. Please see the
+[Kerberos auth method API](/api/auth/kerberos/index.html) for more
+details.
diff --git a/website/pages/docs/auth/kubernetes.mdx b/website/pages/docs/auth/kubernetes.mdx
new file mode 100644
index 000000000000..283614facc21
--- /dev/null
+++ b/website/pages/docs/auth/kubernetes.mdx
@@ -0,0 +1,141 @@
+---
+layout: docs
+page_title: Kubernetes - Auth Methods
+sidebar_title: Kubernetes
+description: |-
+  The Kubernetes auth method allows automated authentication of Kubernetes
+  Service Accounts.
+---
+
+# Kubernetes Auth Method
+
+The `kubernetes` auth method can be used to authenticate with Vault using a
+Kubernetes Service Account Token. This method of authentication makes it easy to
+introduce a Vault token into a Kubernetes Pod.
+
+## Authentication
+
+### Via the CLI
+
+The default path is `/kubernetes`. If this auth method was enabled at a
+different path, specify `-path=/my-path` in the CLI.
+
+```text
+$ vault write auth/kubernetes/login role=demo jwt=...
+```
+
+### Via the API
+
+The default endpoint is `auth/kubernetes/login`. If this auth method was enabled
+at a different path, use that value instead of `kubernetes`.
+
+```shell
+$ curl \
+    --request POST \
+    --data '{"jwt": "your_service_account_jwt", "role": "demo"}' \
+    http://127.0.0.1:8200/v1/auth/kubernetes/login
+```
+
+The response will contain a token at `auth.client_token`:
+
+```json
+{
+  "auth": {
+    "client_token": "38fe9691-e623-7238-f618-c94d4e7bc674",
+    "accessor": "78e87a38-84ed-2692-538f-ca8b9f400ab3",
+    "policies": ["default"],
+    "metadata": {
+      "role": "demo",
+      "service_account_name": "vault-auth",
+      "service_account_namespace": "default",
+      "service_account_secret_name": "vault-auth-token-pd21c",
+      "service_account_uid": "aa9aa8ff-98d0-11e7-9bb7-0800276d99bf"
+    },
+    "lease_duration": 2764800,
+    "renewable": true
+  }
+}
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the Kubernetes auth method:
+
+    ```text
+    $ vault auth enable kubernetes
+    ```
+
+1.  Use the `/config` endpoint to configure Vault to talk to Kubernetes. For the
+    list of available configuration options, please see the API documentation.
+
+    ```text
+    $ vault write auth/kubernetes/config \
+        token_reviewer_jwt="reviewer_service_account_jwt" \
+        kubernetes_host=https://192.168.99.100:8443 \
+        kubernetes_ca_cert=@ca.crt
+    ```
+
+    !> **NOTE:** The pattern Vault uses to authenticate Pods depends on sharing
+    the JWT token over the network. Given the [security model of
+    Vault](/docs/internals/security.html), this is allowable because Vault is
+    part of the trusted compute base. In general, Kubernetes applications should
+    **not** share this JWT with other applications, as it allows API calls to be
+    made on behalf of the Pod and can result in unintended access being granted
+    to 3rd parties.
+
+1.  Create a named role:
+
+    ```text
+    vault write auth/kubernetes/role/demo \
+        bound_service_account_names=vault-auth \
+        bound_service_account_namespaces=default \
+        policies=default \
+        ttl=1h
+    ```
+
+    This role authorizes the "vault-auth" service account in the default
+    namespace and it gives it the default policy.
+
+    For the complete list of configuration options, please see the API
+    documentation.
+
+## Configuring Kubernetes
+
+This auth method accesses the [Kubernetes TokenReview API][k8s-tokenreview] to
+validate the provided JWT is still valid. Kubernetes should be running with
+`--service-account-lookup`. This is defaulted to true in Kubernetes 1.7, but any
+versions prior should ensure the Kubernetes API server is started with this
+setting. Otherwise deleted tokens in Kubernetes will not be properly revoked and
+will be able to authenticate to this auth method.
+
+Service Accounts used in this auth method will need to have access to the
+TokenReview API. If Kubernetes is configured to use RBAC roles, the Service
+Account should be granted permissions to access this API. The following
+example ClusterRoleBinding could be used to grant these permissions:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: role-tokenreview-binding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: vault-auth
+    namespace: default
+```
+
+## API
+
+The Kubernetes Auth Plugin has a full HTTP API. Please see the
+[API docs](/api/auth/kubernetes/index.html) for more details.
+
+[k8s-tokenreview]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#tokenreview-v1-authentication-k8s-io
diff --git a/website/pages/docs/auth/ldap.mdx b/website/pages/docs/auth/ldap.mdx
new file mode 100644
index 000000000000..3e36679fb1f2
--- /dev/null
+++ b/website/pages/docs/auth/ldap.mdx
@@ -0,0 +1,258 @@
+---
+layout: docs
+page_title: LDAP - Auth Methods
+sidebar_title: LDAP
+description: |-
+  The "ldap" auth method allows users to authenticate with Vault using LDAP
+  credentials.
+---
+
+# LDAP Auth Method
+
+The `ldap` auth method allows authentication using an existing LDAP
+server and user/password credentials. This allows Vault to be integrated
+into environments using LDAP without duplicating the user/pass configuration
+in multiple places.
+
+The mapping of groups and users in LDAP to Vault policies is managed by using
+the `users/` and `groups/` paths.
+
+## A Note on Escaping
+
+**It is up to the administrator** to provide properly escaped DNs. This
+includes the user DN, bind DN for search, and so on.
+
+The only DN escaping performed by this method is on usernames given at login
+time when they are inserted into the final bind DN, and uses escaping rules
+defined in RFC 4514.
+
+Additionally, Active Directory has escaping rules that differ slightly from the
+RFC; in particular it requires escaping of '#' regardless of position in the DN
+(the RFC only requires it to be escaped when it is the first character), and
+'=', which the RFC indicates can be escaped with a backslash, but does not
+contain in its set of required escapes. If you are using Active Directory and
+these appear in your usernames, please ensure that they are escaped, in
+addition to being properly escaped in your configured DNs.
+
+For reference, see [RFC 4514](https://www.ietf.org/rfc/rfc4514.txt) and this
+[TechNet post on characters to escape in Active
+Directory](http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx).
+
+## Authentication
+
+### Via the CLI
+
+```text
+$ vault login -method=ldap username=mitchellh
+Password (will be hidden):
+Successfully authenticated! The policies that are associated
+with this token are listed below:
+
+admins
+```
+
+### Via the API
+
+```shell
+$ curl \
+    --request POST \
+    --data '{"password": "foo"}' \
+    http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh
+```
+
+The response will be in JSON. For example:
+
+```javascript
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "auth": {
+    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
+    "policies": [
+      "admins"
+    ],
+    "metadata": {
+      "username": "mitchellh"
+    },
+    "lease_duration": 0,
+    "renewable": false
+  }
+}
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the ldap auth method:
+
+   ```text
+   $ vault auth enable ldap
+   ```
+
+1. Configure connection details for your LDAP server, information on how to
+   authenticate users, and instructions on how to query for group membership. The
+   configuration options are categorized and detailed below.
+
+### Connection parameters
+
+- `url` (string, required) - The LDAP server to connect to. Examples: `ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. This can also be a comma-delineated list of URLs, e.g. `ldap://ldap.myorg.com,ldaps://ldap.myorg.com:636`, in which case the servers will be tried in-order if there are errors during the connection process.
+- `starttls` (bool, optional) - If true, issues a `StartTLS` command after establishing an unencrypted connection.
+- `insecure_tls` - (bool, optional) - If true, skips LDAP server SSL certificate verification - insecure, use with caution!
+- `certificate` - (string, optional) - CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
+
+### Binding parameters
+
+There are two alternate methods of resolving the user object used to authenticate the end user: _Search_ or _User Principal Name_. When using _Search_, the bind can be either anonymous or authenticated. User Principal Name is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
+
+#### Binding - Authenticated Search
+
+- `binddn` (string, optional) - Distinguished name of object to bind when performing user and group search. Example: `cn=vault,ou=Users,dc=example,dc=com`
+- `bindpass` (string, optional) - Password to use along with `binddn` when performing user search.
+- `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
+- `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
+
+#### Binding - Anonymous Search
+
+- `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user
+- `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
+- `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
+- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
+
+#### Binding - User Principal Name (AD)
+
+- `upndomain` (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind as `username@example.com`.
+
+### Group Membership Resolution
+
+Once a user has been authenticated, the LDAP auth method must know how to resolve which groups the user is a member of. The configuration for this can vary depending on your LDAP server and your directory schema. There are two main strategies when resolving group membership - the first is searching for the authenticated user object and following an attribute to groups it is a member of. The second is to search for group objects of which the authenticated user is a member of. Both methods are supported.
+
+- `groupfilter` (string, optional) - Go template used when constructing the group membership query. The template can access the following context variables: \[`UserDN`, `Username`\]. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`, which is compatible with several common directory schemas. To support nested group resolution for Active Directory, instead use the following query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
+- `groupdn` (string, required) - LDAP search base to use for group membership search. This can be the root containing either groups or users. Example: `ou=Groups,dc=example,dc=com`
+- `groupattr` (string, optional) - LDAP attribute to follow on objects returned by `groupfilter` in order to enumerate user group membership. Examples: for groupfilter queries returning _group_ objects, use: `cn`. For queries returning _user_ objects, use: `memberOf`. The default is `cn`.
+
+_Note_: When using _Authenticated Search_ for binding parameters (see above) the distinguished name defined for `binddn` is used for the group search. Otherwise, the authenticating user is used to perform the group search.
+
+Use `vault path-help` for more details.
+
+## Examples:
+
+### Scenario 1
+
+- LDAP server running on `ldap.example.com`, port 389.
+- Server supports `STARTTLS` command to initiate encryption on the standard port.
+- CA Certificate stored in file named `ldap_ca_cert.pem`
+- Server is Active Directory supporting the userPrincipalName attribute. Users are identified as `username@example.com`.
+- Groups are nested, we will use `LDAP_MATCHING_RULE_IN_CHAIN` to walk the ancestry graph.
+- Group search will start under `ou=Groups,dc=example,dc=com`. For all group objects under that path, the `member` attribute will be checked for a match against the authenticated user.
+- Group names are identified using their `cn` attribute.
+
+```
+$ vault write auth/ldap/config \
+    url="ldap://ldap.example.com" \
+    userdn="ou=Users,dc=example,dc=com" \
+    groupdn="ou=Groups,dc=example,dc=com" \
+    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
+    groupattr="cn" \
+    upndomain="example.com" \
+    certificate=@ldap_ca_cert.pem \
+    insecure_tls=false \
+    starttls=true
+...
+```
+
+### Scenario 2
+
+- LDAP server running on `ldap.example.com`, port 389.
+- Server supports `STARTTLS` command to initiate encryption on the standard port.
+- CA Certificate stored in file named `ldap_ca_cert.pem`
+- Server does not allow anonymous binds for performing user search.
+- Bind account used for searching is `cn=vault,ou=users,dc=example,dc=com` with password `My$ecrt3tP4ss`.
+- User objects are under the `ou=Users,dc-example,dc=com` organizational unit.
+- Username passed to vault when authenticating maps to the `sAMAccountName` attribute.
+- Group membership will be resolved via the `memberOf` attribute of _user_ objects. That search will begin under `ou=Users,dc=example,dc=com`.
+
+```
+$ vault write auth/ldap/config \
+    url="ldap://ldap.example.com" \
+    userattr=sAMAccountName \
+    userdn="ou=Users,dc=example,dc=com" \
+    groupdn="ou=Users,dc=example,dc=com" \
+    groupfilter="(&(objectClass=person)(uid={{.Username}}))" \
+    groupattr="memberOf" \
+    binddn="cn=vault,ou=users,dc=example,dc=com" \
+    bindpass='My$ecrt3tP4ss' \
+    certificate=@ldap_ca_cert.pem \
+    insecure_tls=false \
+    starttls=true
+...
+```
+
+### Scenario 3
+
+- LDAP server running on `ldap.example.com`, port 636 (LDAPS)
+- CA Certificate stored in file named `ldap_ca_cert.pem`
+- User objects are under the `ou=Users,dc=example,dc=com` organizational unit.
+- Username passed to vault when authenticating maps to the `uid` attribute.
+- User bind DN will be auto-discovered using anonymous binding.
+- Group membership will be resolved via any one of `memberUid`, `member`, or `uniqueMember` attributes. That search will begin under `ou=Groups,dc=example,dc=com`.
+- Group names are identified using the `cn` attribute.
+
+```
+$ vault write auth/ldap/config \
+    url="ldaps://ldap.example.com" \
+    userattr="uid" \
+    userdn="ou=Users,dc=example,dc=com" \
+    discoverdn=true \
+    groupdn="ou=Groups,dc=example,dc=com" \
+    certificate=@ldap_ca_cert.pem \
+    insecure_tls=false \
+    starttls=true
+...
+```
+
+## LDAP Group -> Policy Mapping
+
+Next we want to create a mapping from an LDAP group to a Vault policy:
+
+```
+$ vault write auth/ldap/groups/scientists policies=foo,bar
+```
+
+This maps the LDAP group "scientists" to the "foo" and "bar" Vault policies.
+We can also add specific LDAP users to additional (potentially non-LDAP)
+groups. Note that policies can also be specified on LDAP users as well.
+
+```
+$ vault write auth/ldap/groups/engineers policies=foobar
+$ vault write auth/ldap/users/tesla groups=engineers policies=zoobar
+```
+
+This adds the LDAP user "tesla" to the "engineers" group, which maps to
+the "foobar" Vault policy. User "tesla" itself is associated with "zoobar"
+policy.
+
+Finally, we can test this by authenticating:
+
+```
+$ vault login -method=ldap username=tesla
+Password (will be hidden):
+Successfully authenticated! The policies that are associated
+with this token are listed below:
+
+default, foobar, zoobar
+```
+
+## Note on policy mapping
+
+It should be noted that user -> policy mapping happens at token creation time. And changes in group membership on the LDAP server will not affect tokens that have already been provisioned. To see these changes, old tokens should be revoked and the user should be asked to reauthenticate.
+
+## API
+
+The LDAP auth method has a full HTTP API. Please see the
+[LDAP auth method API](/api/auth/ldap/index.html) for more
+details.
diff --git a/website/pages/docs/auth/mfa.mdx b/website/pages/docs/auth/mfa.mdx
new file mode 100644
index 000000000000..21628f829a94
--- /dev/null
+++ b/website/pages/docs/auth/mfa.mdx
@@ -0,0 +1,107 @@
+---
+layout: docs
+page_title: Multi-Factor Authentication (MFA) - Auth Methods
+sidebar_title: MFA <sup>LEGACY / UNSUPPORTED</sup>
+description: |-
+  Multi-factor authentication (MFA) is supported for several authentication
+  methods.
+---
+
+# Multi-Factor Authentication
+
+~> **NOTE**: This page describes the legacy MFA system available in the OSS
+edition of Vault. This system is not supported by HashiCorp. Vault Enterprise
+contains a fully-supported MFA system that is significantly more complete and
+flexible and which can be used throughout Vault's API. See the [Vault
+Enterprise MFA](/docs/enterprise/mfa/index.html) page for more information.
+
+Several auth methods support multi-factor authentication (MFA). Once
+enabled for a method, users are required to provide additional verification,
+like a one-time passcode, before being authenticated.
+
+Currently, the "ldap", "okta", "radius", and "userpass" backends support MFA.
+
+## Authentication
+
+When authenticating, users still provide the same information as before, in
+addition to MFA verification. Usually this is a passcode, but in other cases,
+like a Duo Push notification, no additional information is needed.
+
+### Via the CLI
+
+```tedt
+$ vault login -method=userpass \
+    username=my-username \
+    password=test \
+    passcode=111111
+```
+
+```text
+$ vault login -method=userpass \
+    username=my-username \
+    password=test \
+    method=push
+```
+
+### Via the API
+
+The endpoint for the login is the same as for the original method. Additional
+MFA information should be sent in the POST body encoded as JSON.
+
+```shell
+$ curl \
+    --request POST \
+    --data '{"password": "test", "passcode": "111111"}' \
+    http://127.0.0.1:8200/v1/auth/userpass/login/my-username
+```
+
+The response is the same as for the original method.
+
+## Configuration
+
+To enable MFA for a supported method, the MFA type must be set in `mfa_config`.
+For example:
+
+```text
+$ vault write auth/userpass/mfa_config type=duo
+```
+
+This enables the Duo MFA type, which is currently the only MFA type supported.
+The username used for MFA is the same as the login username, unless the method
+or MFA type provide options to behave differently (see Duo configuration below).
+
+### Duo
+
+The Duo MFA type is configured through two paths: `duo/config` and `duo/access`.
+
+`duo/access` contains connection information for the Duo Auth API. To configure:
+
+```text
+$ vault write auth/[mount]/duo/access \
+    host=[host] \
+    ikey=[integration key] \
+    skey=[secret key]
+```
+
+`duo/config` is an optional path that contains general configuration information
+for Duo authentication. To configure:
+
+```text
+$ vault write auth/[mount]/duo/config \
+    user_agent="" \
+    username_format="%s"
+```
+
+- `user_agent` is the user agent to use when connecting to Duo.
+
+- `username_format` controls how the username used to login is transformed
+  before authenticating with Duo. This field is a format string that is passed
+  the original username as its first argument and outputs the new username. For
+  example "%s@example.com" would append "@example.com" to the provided username
+  before connecting to Duo.
+
+- `push_info` is a string of URL-encoded key/value pairs that provides
+  additional context about the authentication attempt in the Duo Mobile
+  application.
+
+More information can be found through the CLI `path-help` command.
diff --git a/website/pages/docs/auth/oci.mdx b/website/pages/docs/auth/oci.mdx
new file mode 100644
index 000000000000..ae88d589fca5
--- /dev/null
+++ b/website/pages/docs/auth/oci.mdx
@@ -0,0 +1,203 @@
+---
+layout: docs
+page_title: OCI Auth method
+sidebar_title: Oracle Cloud Infrastructure
+description: >-
+  The OCI Auth method for Vault enables authentication and authorization using
+  OCI Identity credentials.
+---
+
+# OCI Auth Method
+
+The OCI Auth method for Vault enables authentication and authorization using [OCI Identity](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/overview.htm) credentials.
+
+This plugin is developed in a separate GitHub repository at https://github.com/hashicorp/vault-plugin-auth-oci,
+but is automatically bundled in Vault releases. Please file all feature requests, bugs, and pull requests
+specific to the OCI plugin under that repository.
+
+## OCI Roles
+
+The OCI Auth method authorizes using roles, as shown here:
+![Role Based Authorization](/img/oci/oci-role-based-authz.png)
+
+There is a many-to-many relationship between various items seen above:
+
+- A user can belong to many identity groups.
+- An identity group can contain many users.
+- A compute instance can belong to many dynamic groups.
+- A dynamic group can contain many compute instances.
+- A role defined in Vault can be mapped to many groups and dynamic groups.
+- A single role can be mapped to both groups and dynamic groups.
+- A Vault policy can be mapped from different roles.
+
+The `ocid_list` field of a role is a list of [Group or Dynamic Group](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/overview.htm#one) OCIDs. Only members of these Groups or Dynamic Groups are allowed to take this role.
+
+## Configuration
+
+### Configure the OCI Tenancy to Run Vault
+
+The OCI Auth method requires [instance principal](https://blogs.oracle.com/cloud-infrastructure/announcing-instance-principals-for-identity-and-access-management) credentials to call OCI Identity APIs, and therefore the Vault server needs to run inside an OCI compute instance.
+
+Follow the steps below to add policies to your tenancy that allow the OCI compute instance in which the Vault server is running to call certain OCI Identity APIs.
+
+1. In your tenancy, [launch the compute instance(s)](https://docs.cloud.oracle.com/iaas/Content/Compute/Tasks/launchinginstance.htm) that will run the Vault server. The [VCN](https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVCNs.htm) in which you launch the Compute Instance should have a [Service Gateway](https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/servicegateway.htm) added to it .
+1. Make a note of the Oracle Cloud Identifier (OCID) of the compute instance(s) running Vault.
+1. In your tenancy, [create a dynamic group](https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm) with the name VaultDynamicGroup to contain the computer instance(s).
+1. Add the OCID of the compute instance(s) to the dynamic group.
+1. Add the following policies to the root compartment of your tenancy that allow the dynamic group to call specific Identity APIs.
+
+```
+    allow dynamic-group VaultDynamicGroup to {AUTHENTICATION_INSPECT} in tenancy
+    allow dynamic-group VaultDynamicGroup to {GROUP_MEMBERSHIP_INSPECT} in tenancy
+```
+
+### Configure the OCI Auth method
+
+- Configure your home tenancy in the Vault, so that only users or instances from your tenancy will
+  be allowed to log into Vault through the OCI Auth method. Create a file named hometenancyid.json with
+  the below content, using the tenancy OCID. To find your tenancy OCID, see [https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm).
+
+```json
+{ "home_tenancy_id": "your tenancy ocid here" }
+```
+
+- Configure the home_tenancy_id parameter in the Vault.
+
+```sh
+    curl --header "X-Vault-Token: $roottoken" --request PUT \
+    --data @hometenancyid.json \
+    http://127.0.0.1:8200/v1/auth/oci/config (127.0.0.1:8200/v1/auth/oci/config)
+```
+
+- Create a Vault administrator role in the OCI Auth method. The vaultadminrole allows the
+  administrator of Vault to log into Vault and grants them the permissions allowed in the policy.
+
+Create a file named vaultadminrole.json with the below contents. Replace the ocid_list with the
+Group or Dynamic Group OCIDs in your tenancy that has users or instances that you want to take the Vault admin role.
+
+- For testing in dev mode, you can add the OCID of the dynamic group previously created.
+- In production, add only the OCID of groups and dynamic groups that can take the admin role in Vault.
+
+```json
+{
+  "token_policies": "vaultadminpolicy",
+  "token_ttl": "1800",
+  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"
+}
+```
+
+Create the Vault admin role:
+
+```sh
+    curl --header "X-Vault-Token: $roottoken" --request PUT \
+    --data @vaultadminrole.json \
+    http://127.0.0.1:8200/v1/auth/oci/role/vaultadminrole (127.0.0.1:8200/v1/auth/oci/role/vaultadminrole)
+```
+
+1.  Log into the Vault using instance principal.
+    - This assumes that the VAULT_ADDR export has been specified, as shown earlier in this page.
+    - The compute instance that you are logging in from should be a part of a dynamic group that was added to the Vault admin role. The compute instance should also have connectivity to the endpoint specified in VAULT_ADDR.
+    - When testing in dev mode in the same compute instance that the Vault is running, this is [http://127.0.0.1:8200](http://127.0.0.1:8200/).  
+      `vault login -method=oci auth_type=instance role=vaultadminrole`
+
+You will see a response that includes a token with the previously added policy.
+
+1.  Use the received token to read secrets, writer secrets, and add roles per the instructions in [https://www.vaultproject.io/docs/secrets/kv/kv-v1.html](https://www.Vaultproject.io/docs/secrets/kv/kv-v1.html).
+1.  Log into Vault using the user API key.
+
+    - [Add an API Key](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm) for a user in the console. This user should be part of a group that has previously been added to the Vault admin role.
+    - Create the config file `~/.oci/config` using the user's credentials as detailed in [https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm).  
+       Ensure that the region in the config matches the region of the compute instance that is running Vault.
+    - Log into Vault using the user API key.
+
+      `vault login -method=oci auth_type=apikey role=vaultadminrole`
+
+1.  Stop Vault and re-start it in the production environment. See [https://www.vaultproject.io/docs/configuration](https://www.Vaultproject.io/docs/configuration/) for more information.
+1.  Repeat all steps in this [Configure the OCI Auth Method](#OnboardingtoOCIAuthMethod-ConfiguretheOCIAuthMethod) section while in the production environment.
+
+### Manage Roles in the OCI Auth method
+
+1.  Similar to creating the Vault administrator role, create other roles mapped to other policies. Create a file named devrole.json with the following contents. Replace ocid_list with Groups or Dynamic Groups in your tenancy.
+
+```json
+{
+  "token_policies": "devpolicy",
+  "token_ttl": "1500",
+  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmgrouplrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmdg2u5n7ffamn2pdvxaq6esb2vzzoduexamplea"
+}
+```
+
+1.  Add the role.
+
+```sh
+curl --header "X-Vault-Token: $token" --request PUT \
+--data @devrole.json \
+http://127.0.0.1:8200/v1/auth/oci/role/devrole (127.0.0.1:8200/v1/auth/oci/role/devrole)
+```
+
+1.  Login to Vault assuming the devrole.
+
+```sh
+vault login -method=oci auth_type=instance role=vaultadminrole`
+```
+
+## Authentication
+
+When authenticating, users can use Vault cli.
+
+### Via the CLI
+
+With Compute Instance credentials:
+
+```sh
+$ vault login -method=oci auth_type=instance role=devrole
+```
+
+With User credentials: [SDK Config](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm)
+
+```sh
+$ vault login -method=oci auth_type=apikey role=devrole
+```
+
+### Via the API
+
+1.  First, sign the following request with your OCI credentials and obtain the signing string and the authorization header. Replace the endpoint, scheme (http or https) & role of the URL corresponding to your vault configuration. For more information on signing, see [signing the request](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm).
+
+    http://127.0.0.1/v1/auth/oci/login/devrole
+
+1.  On signing the above request, you would get headers similar to:
+
+The signing string would look like (line breaks inserted into the (request-target) header for easier reading):
+
+```text
+date: Fri, 22 Aug 2019 21:02:19 GMT
+(request-target): get /v1/auth/oci/login/devrole
+host: 127.0.0.1
+
+The Authorization header would look like:
+
+Signature version="1",headers="date (request-target) host",keyId="ocid1.t
+enancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/
+ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3ryn
+jq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7",algorithm="rsa-sha256
+",signature="GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPe
+DUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll
+8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M="
+```
+
+1.  Add the signed headers to the "request_headers" field and make the actual request to vault. An example is given below:
+
+```sh
+POST http://127.0.0.1/v1/auth/oci/login/devrole
+   "request_headers": {
+       "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
+       "(request-target)": ["get /v1/auth/oci/login/devrole"],
+       "host": ["127.0.0.1"],
+       "content-type": ["application/json"],
+       "authorization": ["Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""]
+   }
+```
+
+## API
+
+The OCI Auth method has a full HTTP API. Please see the [API docs](/api/auth/oci/index.html) for more details.
diff --git a/website/pages/docs/auth/okta.mdx b/website/pages/docs/auth/okta.mdx
new file mode 100644
index 000000000000..83284a0e99ed
--- /dev/null
+++ b/website/pages/docs/auth/okta.mdx
@@ -0,0 +1,116 @@
+---
+layout: docs
+page_title: Okta - Auth Methods
+sidebar_title: Okta
+description: |-
+  The Okta auth method allows users to authenticate with Vault using Okta
+  credentials.
+---
+
+# Okta Auth Method
+
+The `okta` auth method allows authentication using Okta and user/password
+credentials. This allows Vault to be integrated into environments using Okta.
+
+The mapping of groups in Okta to Vault policies is managed by using the
+`users/` and `groups/` paths.
+
+## Authentication
+
+### Via the CLI
+
+The default path is `/okta`. If this auth method was enabled at a different
+path, specify `-path=/my-path` in the CLI.
+
+```text
+$ vault login -method=okta username=my-username
+```
+
+### Via the API
+
+The default endpoint is `auth/okta/login`. If this auth method was enabled
+at a different path, use that value instead of `okta`.
+
+```shell
+$ curl \
+    --request POST \
+    --data '{"password": "MY_PASSWORD"}' \
+    http://127.0.0.1:8200/v1/auth/okta/login/my-username
+```
+
+The response will contain a token at `auth.client_token`:
+
+```json
+{
+  "auth": {
+    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
+    "policies": ["admins"],
+    "metadata": {
+      "username": "mitchellh"
+    }
+  }
+}
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+### Via the CLI
+
+1. Enable the Okta auth method:
+
+   ```text
+   $ vault auth enable okta
+   ```
+
+1. Configure Vault to communicate with your Okta account:
+
+   ```text
+   $ vault write auth/okta/config \
+       base_url="okta.com" \
+       organization="dev-123456" \
+       token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"
+   ```
+
+   **If no token is supplied, Vault will function, but only locally configured
+   group membership will be available. Without a token, groups will not be
+   queried.**
+
+   For the complete list of configuration options, please see the API
+   documentation.
+
+1. Map an Okta group to a Vault policy:
+
+   ```text
+   $ vault write auth/okta/groups/scientists policies=nuclear-reactor
+   ```
+
+   In this example, anyone who successfully authenticates via Okta who is a
+   member of the "scientists" group will receive a Vault token with the
+   "nuclear-reactor" policy attached.
+
+   ***
+
+   It is also possible to add users directly:
+
+   ```text
+   $ vault write auth/okta/groups/engineers policies=autopilot
+   $ vault write auth/okta/users/tesla groups=engineers
+   ```
+
+   This adds the Okta user "tesla" to the "engineers" group, which maps to
+   the "autopilot" Vault policy.
+
+   **The user-policy mapping via group membership happens at token _creation
+   time_. Any changes in group membership in Okta will not affect existing
+   tokens that have already been provisioned. To see these changes, users
+   will need to re-authenticate. You can force this by revoking the
+   existing tokens.**
+
+## API
+
+The Okta auth method has a full HTTP API. Please see the
+[Okta Auth API](/api/auth/okta/index.html) for more details.
diff --git a/website/pages/docs/auth/radius.mdx b/website/pages/docs/auth/radius.mdx
new file mode 100644
index 000000000000..76c15d173971
--- /dev/null
+++ b/website/pages/docs/auth/radius.mdx
@@ -0,0 +1,83 @@
+---
+layout: docs
+page_title: RADIUS - Auth Methods
+sidebar_title: RADIUS
+description: |-
+  The "radius" auth method allows users to authenticate with Vault using an
+  existing RADIUS server.
+---
+
+# RADIUS Auth Method
+
+The `radius` auth method allows users to authenticate with Vault using an
+existing RADIUS server that accepts the PAP authentication scheme.
+
+## Authentication
+
+The default path is `/radius`. If this auth method was enabled at a different
+path, specify `-path=/my-path` in the CLI.
+
+### Via the CLI
+
+```text
+$ vault login -path=radius username=sethvargo
+```
+
+### Via the API
+
+The default endpoint is `auth/radius/login`. If this auth method was enabled
+at a different path, use that value instead of `radius`.
+
+```shell
+$ curl \
+    --request POST \
+    --data '{"password": "..."}' \
+    http://127.0.0.1:8200/v1/auth/radius/login/sethvargo
+```
+
+The response will contain a token at `auth.client_token`:
+
+```json
+{
+  "auth": {
+    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
+    "policies": ["admins"],
+    "metadata": {
+      "username": "mitchellh"
+    }
+  }
+}
+```
+
+## Configuration
+
+### Via the CLI
+
+1. Enable the radius auth method:
+
+   ```text
+   $ vault auth enable radius
+   ```
+
+1. Configure connection details for your RADIUS server.
+
+   ```text
+   $ vault write auth/radius/users/mitchellh policies=admins
+   ```
+
+   For the complete list of configuration options, please see the API
+   documentation.
+
+   The above creates a new mapping for user "mitchellh" that will be associated
+   with the "admins" policy.
+
+   Alternatively, Vault can assign a configurable set of policies to any user
+   that successfully authenticates with the RADIUS server but has no explicit
+   mapping in the `users/` path. This is done through the
+   `unregistered_user_policies` configuration parameter.
+
+## API
+
+The RADIUS auth method has a full HTTP API. Please see the
+[RADIUS Auth API](/api/auth/radius/index.html) for more
+details.
diff --git a/website/pages/docs/auth/token.mdx b/website/pages/docs/auth/token.mdx
new file mode 100644
index 000000000000..7e386bc28a26
--- /dev/null
+++ b/website/pages/docs/auth/token.mdx
@@ -0,0 +1,41 @@
+---
+layout: docs
+page_title: Token - Auth Methods
+sidebar_title: Tokens
+description: The token store auth method is used to authenticate using tokens.
+---
+
+# Token Auth Method
+
+The `token` method is built-in and automatically available at `/auth/token`. It
+allows users to authenticate using a token, as well to create new tokens, revoke
+secrets by token, and more.
+
+When any other auth method returns an identity, Vault core invokes the
+token method to create a new unique token for that identity.
+
+The token store can also be used to bypass any other auth method:
+you can create tokens directly, as well as perform a variety of other
+operations on tokens such as renewal and revocation.
+
+Please see the [token concepts](/docs/concepts/tokens.html) page dedicated
+to tokens.
+
+## Authentication
+
+### Via the CLI
+
+```text
+$ vault login token=<token>
+```
+
+### Via the API
+
+The token is set directly as a header for the HTTP API. The header should be
+either `X-Vault-Token: <token>` or `Authorization: Bearer <token>`.
+
+## API
+
+The Token auth method has a full HTTP API. Please see the
+[Token auth method API](/api/auth/token/index.html) for more
+details.
diff --git a/website/pages/docs/auth/userpass.mdx b/website/pages/docs/auth/userpass.mdx
new file mode 100644
index 000000000000..6caefe6f1bb8
--- /dev/null
+++ b/website/pages/docs/auth/userpass.mdx
@@ -0,0 +1,88 @@
+---
+layout: docs
+page_title: Userpass - Auth Methods
+sidebar_title: Username &amp; Password
+description: >-
+  The "userpass" auth method allows users to authenticate with Vault using a
+  username and password.
+---
+
+# Userpass Auth Method
+
+The `userpass` auth method allows users to authenticate with Vault using
+a username and password combination.
+
+The username/password combinations are configured directly to the auth
+method using the `users/` path. This method cannot read usernames and
+passwords from an external source.
+
+The method lowercases all submitted usernames, e.g. `Mary` and `mary` are the
+same entry.
+
+## Authentication
+
+### Via the CLI
+
+```text
+$ vault login -method=userpass \
+    username=mitchellh \
+    password=foo
+```
+
+### Via the API
+
+```shell
+$ curl \
+    --request POST \
+    --data '{"password": "foo"}' \
+    http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
+```
+
+The response will contain the token at `auth.client_token`:
+
+```json
+{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "auth": {
+    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
+    "policies": ["admins"],
+    "metadata": {
+      "username": "mitchellh"
+    },
+    "lease_duration": 0,
+    "renewable": false
+  }
+}
+```
+
+## Configuration
+
+Auth methods must be configured in advance before users or machines can
+authenticate. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the userpass auth method:
+
+   ```text
+   $ vault auth enable userpass
+   ```
+
+1. Configure it with users that are allowed to authenticate:
+
+   ```text
+   $ vault write auth/userpass/users/mitchellh \
+       password=foo \
+       policies=admins
+   ```
+
+   This creates a new user "mitchellh" with the password "foo" that will be
+   associated with the "admins" policy. This is the only configuration
+   necessary.
+
+## API
+
+The Userpass auth method has a full HTTP API. Please see the [Userpass auth
+method API](/api/auth/userpass/index.html) for more details.
diff --git a/website/pages/docs/commands/agent.mdx b/website/pages/docs/commands/agent.mdx
new file mode 100644
index 000000000000..db2c66171b28
--- /dev/null
+++ b/website/pages/docs/commands/agent.mdx
@@ -0,0 +1,10 @@
+---
+layout: docs
+page_title: agent - Command
+sidebar_title: <code>agent</code>
+description: The "agent" command is used to start Vault Agent
+---
+
+# agent
+
+Please see the [Vault Agent documentation page](/docs/agent/index.html).
diff --git a/website/pages/docs/commands/audit/disable.mdx b/website/pages/docs/commands/audit/disable.mdx
new file mode 100644
index 000000000000..0a19dc3f9bc4
--- /dev/null
+++ b/website/pages/docs/commands/audit/disable.mdx
@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: audit disable - Command
+sidebar_title: <code>disable</code>
+description: |-
+  The "audit disable" command disables an audit device at a given path, if one
+  exists. This command is idempotent, meaning it succeeds even if no audit
+  device is enabled at the path.
+---
+
+# audit disable
+
+The `audit disable` command disables an audit device at a given path, if one
+exists. This command is idempotent, meaning it succeeds even if no audit device
+is enabled at the path.
+
+Once an audit device is disabled, no future audit logs are dispatched to it. The
+data associated with the audit device is unaffected. For example, if you
+disabled an audit device that was logging to a file, the file would still exist
+and have stored contents.
+
+## Examples
+
+Disable the audit device enabled at "file/":
+
+```text
+$ vault audit disable file/
+Success! Disabled audit device (if it was enabled) at: file/
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/audit/enable.mdx b/website/pages/docs/commands/audit/enable.mdx
new file mode 100644
index 000000000000..17d1fe75c329
--- /dev/null
+++ b/website/pages/docs/commands/audit/enable.mdx
@@ -0,0 +1,40 @@
+---
+layout: docs
+page_title: audit enable - Command
+sidebar_title: <code>enable</code>
+description: The "audit enable" command enables an audit device at a given path.
+---
+
+# audit enable
+
+The `audit enable` command enables an audit device at a given path. If an audit
+device already exists at the given path, an error is returned. Additional
+options for configuring the audit device are provided as `KEY=VALUE`. Each audit
+device declares its own set of configuration options.
+
+Once an audit device is enabled, almost every request and response will be
+logged to the device.
+
+## Examples
+
+Enable the audit device "file" enabled at "file/":
+
+```text
+$ vault audit enable file file_path=/tmp/my-file.txt
+Success! Enabled the file audit device at: file/
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+- `-description` `(string: "")` - Human-friendly description for the purpose of
+  this audit device.
+
+- `-local` `(bool: false)` - Mark the audit device as a local-only device.
+  Local devices are not replicated or removed by replication.
+
+- `-path` `(string: "")` - Place where the audit device will be accessible. This
+  must be unique across all audit devices. This defaults to the "type" of the
+  audit device.
diff --git a/website/pages/docs/commands/audit/index.mdx b/website/pages/docs/commands/audit/index.mdx
new file mode 100644
index 000000000000..2d8d16ee34f1
--- /dev/null
+++ b/website/pages/docs/commands/audit/index.mdx
@@ -0,0 +1,57 @@
+---
+layout: docs
+page_title: audit - Command
+sidebar_title: <code>audit</code>
+description: |-
+  The "audit" command groups subcommands for interacting with Vault's audit
+  devices. Users can list, enable, and disable audit devices.
+---
+
+# audit
+
+The `audit` command groups subcommands for interacting with Vault's audit
+devices. Users can list, enable, and disable audit devices.
+
+For more information, please see the [audit device
+documentation](/docs/audit/index.html)
+
+## Examples
+
+Enable an audit device:
+
+```text
+$ vault audit enable file file_path=/tmp/my-file.txt
+Success! Enabled the file audit device at: file/
+```
+
+List all audit devices:
+
+```text
+$ vault audit list
+Path     Type    Description
+----     ----    -----------
+file/    file    n/a
+```
+
+Disable an audit device:
+
+```text
+$ vault audit disable file/
+Success! Disabled audit device (if it was enabled) at: file/
+```
+
+## Usage
+
+```text
+Usage: vault audit <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    disable    Disables an audit device
+    enable     Enables an audit device
+    list       Lists enabled audit devices
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/audit/list.mdx b/website/pages/docs/commands/audit/list.mdx
new file mode 100644
index 000000000000..73f00a2124b3
--- /dev/null
+++ b/website/pages/docs/commands/audit/list.mdx
@@ -0,0 +1,49 @@
+---
+layout: docs
+page_title: audit list - Command
+sidebar_title: <code>list</code>
+description: |-
+  The "audit list" command lists the audit devices enabled. The output lists the
+  enabled audit devices and options for those devices.
+---
+
+# audit list
+
+The `audit list` command lists the audit devices enabled. The output lists the
+enabled audit devices and options for those devices.
+
+## Examples
+
+List all audit devices:
+
+```text
+$ vault audit list
+Path     Type    Description
+----     ----    -----------
+file/    file    n/a
+```
+
+List detailed audit device information:
+
+```text
+$ vault audit list -detailed
+Path     Type    Description    Replication    Options
+----     ----    -----------    -----------    -------
+file/    file    n/a            replicated     file_path=/var/log/audit.log
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-detailed` `(bool: false)` - Print detailed information such as options and
+  replication status about each auth device.
diff --git a/website/pages/docs/commands/auth/disable.mdx b/website/pages/docs/commands/auth/disable.mdx
new file mode 100644
index 000000000000..c3e733c55752
--- /dev/null
+++ b/website/pages/docs/commands/auth/disable.mdx
@@ -0,0 +1,33 @@
+---
+layout: docs
+page_title: auth disable - Command
+sidebar_title: <code>disable</code>
+description: |-
+  The "auth disable" command disables an auth method at a given path, if one
+  exists. This command is idempotent, meaning it succeeds even if no auth method
+  is enabled at the path.
+---
+
+# auth disable
+
+The `auth disable` command disables an auth method at a given path, if one
+exists. This command is idempotent, meaning it succeeds even if no auth method
+is enabled at the path.
+
+Once an auth method is disabled, it can no longer be used for authentication.
+**All access tokens generated via the disabled auth method are immediately
+revoked.** This command will block until all tokens are revoked.
+
+## Examples
+
+Disable the auth method enabled at "userpass/":
+
+```text
+$ vault auth disable userpass/
+Success! Disabled the auth method (if it existed) at: userpass/
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/auth/enable.mdx b/website/pages/docs/commands/auth/enable.mdx
new file mode 100644
index 000000000000..97b87fa6af9d
--- /dev/null
+++ b/website/pages/docs/commands/auth/enable.mdx
@@ -0,0 +1,55 @@
+---
+layout: docs
+page_title: auth enable - Command
+sidebar_title: <code>enable</code>
+description: |-
+  The "auth enable" command enables an auth method at a given path. If an auth
+  method already exists at the given path, an error is returned. After the auth
+  method is enabled, it usually needs configuration.
+---
+
+# auth enable
+
+The `auth enable` command enables an auth method at a given path. If an auth
+method already exists at the given path, an error is returned. After the auth
+method is enabled, it usually needs configuration. The configuration varies by
+auth method.
+
+An auth method is responsible for authenticating users or machines and assigning
+them policies and a token with which they can access Vault. Authentication is
+usually mapped to policy. Please see the [policies
+concepts](/docs/concepts/policies.html) page for more information.
+
+## Examples
+
+Enable the auth method "userpass" enabled at "userpass/":
+
+```text
+$ vault auth enable userpass
+Success! Enabled the userpass auth method at: userpass/
+```
+
+Create a user:
+
+```text
+$ vault write auth/userpass/users/sethvargo password=secret
+Success! Data written to: auth/userpass/users/sethvargo
+```
+
+For more information on the specific configuration options and paths, please see
+the [auth method](/docs/auth/index.html) documentation.
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+- `-description` `(string: "")` - Human-friendly description for the purpose of
+  this auth method.
+
+- `-local` `(bool: false)` - Mark the auth method as local-only. Local auth
+  methods are not replicated nor removed by replication.
+
+- `-path` `(string: "")` - Place where the auth method will be accessible. This
+  must be unique across all auth methods. This defaults to the "type" of the
+  auth method. The auth method will be accessible at `/auth/<path>`.
diff --git a/website/pages/docs/commands/auth/help.mdx b/website/pages/docs/commands/auth/help.mdx
new file mode 100644
index 000000000000..b722f1491175
--- /dev/null
+++ b/website/pages/docs/commands/auth/help.mdx
@@ -0,0 +1,44 @@
+---
+layout: docs
+page_title: auth help - Command
+sidebar_title: <code>help</code>
+description: The "auth help" command prints usage and help for an auth method.
+---
+
+# auth help
+
+The `auth help` command prints usage and help for an auth method.
+
+- If given a TYPE, this command prints the default help for the auth method of
+  that type.
+
+- If given a PATH, this command prints the help output for the auth method
+  enabled at that path. This path must already exist.
+
+Each auth method produces its own help output.
+
+## Examples
+
+Get usage instructions for the userpass auth method:
+
+```text
+$ vault auth help userpass
+Usage: vault login -method=userpass [CONFIG K=V...]
+
+  The userpass auth method allows users to authenticate using Vault's
+  internal user database.
+
+# ...
+```
+
+Print usage for the auth method enabled at my-method/
+
+```text
+$ vault auth help my-method/
+# ...
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/auth/index.mdx b/website/pages/docs/commands/auth/index.mdx
new file mode 100644
index 000000000000..ce1cd5826d06
--- /dev/null
+++ b/website/pages/docs/commands/auth/index.mdx
@@ -0,0 +1,80 @@
+---
+layout: docs
+page_title: auth - Command
+sidebar_title: <code>auth</code>
+description: |-
+  The "auth" command groups subcommands for interacting with Vault's auth
+  methods. Users can list, enable, disable, and get help for different auth
+  methods.
+---
+
+# auth
+
+The `auth` command groups subcommands for interacting with Vault's auth methods.
+Users can list, enable, disable, and get help for different auth methods.
+
+For more information, please see the [auth method
+documentation](/docs/auth/index.html) or the [authentication
+concepts](/docs/concepts/auth.html) page.
+
+To authenticate to Vault as a user or machine, use the [`vault login`](/docs/commands/login.html) command instead. This command is for
+interacting with the auth methods themselves, not authenticating to Vault.
+
+## Examples
+
+Enable an auth method:
+
+```text
+$ vault auth enable userpass
+Success! Enabled userpass auth method at: userpass/
+```
+
+List all auth methods:
+
+```text
+$ vault auth list
+Path         Type        Description
+----         ----        -----------
+token/       token       token based credentials
+userpass/    userpass    n/a
+```
+
+Get help about how to authenticate to a particular auth method:
+
+```text
+$ vault auth help userpass/
+Usage: vault login -method=userpass [CONFIG K=V...]
+# ...
+```
+
+Disable an auth method:
+
+```text
+$ vault auth disable userpass/
+Success! Disabled the auth method (if it existed) at: userpass/
+```
+
+Tune an auth method:
+
+```text
+$ vault auth tune -max-lease-ttl=30m userpass/
+Success! Tuned the auth method at: userpass/
+```
+
+## Usage
+
+```text
+Usage: vault auth <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    disable    Disables an auth method
+    enable     Enables a new auth method
+    help       Prints usage for an auth method
+    list       Lists enabled auth methods
+    tune       Tunes an auth method configuration
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/auth/list.mdx b/website/pages/docs/commands/auth/list.mdx
new file mode 100644
index 000000000000..377f5080a8e5
--- /dev/null
+++ b/website/pages/docs/commands/auth/list.mdx
@@ -0,0 +1,51 @@
+---
+layout: docs
+page_title: auth list - Command
+sidebar_title: <code>list</code>
+description: |-
+  The "auth list" command lists the auth methods enabled. The output lists the
+  enabled auth methods and options for those methods.
+---
+
+# auth list
+
+The `auth list` command lists the auth methods enabled. The output lists the
+enabled auth methods and options for those methods.
+
+## Examples
+
+List all auth methods:
+
+```text
+$ vault auth list
+Path         Type        Description
+----         ----        -----------
+token/       token       token based credentials
+userpass/    userpass    n/a
+```
+
+List detailed auth method information:
+
+```text
+$ vault auth list -detailed
+Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
+----         ----        --------                  ------    -----------    -------    -----------    -----------
+token/       token       auth_token_b2166f9e       n/a       system         system     replicated     token based credentials
+userpass/    userpass    auth_userpass_eea6507e    n/a       system         system     replicated     n/a
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-detailed` `(bool: false)` - Print detailed information such as configuration
+  and replication status about each auth method.
diff --git a/website/pages/docs/commands/auth/tune.mdx b/website/pages/docs/commands/auth/tune.mdx
new file mode 100644
index 000000000000..26238e328651
--- /dev/null
+++ b/website/pages/docs/commands/auth/tune.mdx
@@ -0,0 +1,38 @@
+---
+layout: docs
+page_title: auth tune - Command
+sidebar_title: <code>tune</code>
+description: |-
+  The "auth tune" command tunes the configuration options for the auth method at
+  the given PATH.
+---
+
+# auth tune
+
+The `auth tune` command tunes the configuration options for the auth method at
+the given PATH. **The argument corresponds to the PATH where the auth method is
+enabled, not the TYPE!**
+
+## Examples
+
+Tune the default lease for the auth method enabled at "github/":
+
+```text
+$ vault auth tune -default-lease-ttl=72h github/
+Success! Tuned the auth method at: github/
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this auth
+  method. If unspecified, this defaults to the Vault server's globally
+  configured default lease TTL, or a previously configured value for the auth
+  method.
+
+- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth
+  method. If unspecified, this defaults to the Vault server's globally
+  configured maximum lease TTL, or a previously configured value for the auth
+  method.
diff --git a/website/pages/docs/commands/debug.mdx b/website/pages/docs/commands/debug.mdx
new file mode 100644
index 000000000000..7c97f14d43c4
--- /dev/null
+++ b/website/pages/docs/commands/debug.mdx
@@ -0,0 +1,148 @@
+---
+layout: docs
+page_title: debug - Command
+sidebar_title: <code>debug</code>
+description: |-
+  The "debug" command monitors a Vault server, probing information about
+  it for a certain duration.
+---
+
+# debug
+
+The `debug` command starts a process that monitors a Vault server, probing
+information about it for a certain duration.
+
+Gathering information about the state of the Vault cluster often requires the
+operator to access all necessary information via various API calls and terminal
+commands. The `debug` command aims to provide a simple workflow that produces a
+consistent output to help operators retrieve and share information about the
+server in question.
+
+The `debug` command honors the same the variables that the base command
+accepts, such as the token stored via a previous login or the environment
+variables `VAULT_TOKEN` and `VAULT_ADDRESS`. The token used determines the
+permissions and, in turn, the information that `debug` may be able to collect.
+The address specified determines the target server that will be probed against.
+
+If the command is interrupted, the information collected up until that
+point gets persisted to an output directory.
+
+## Permissions
+
+Regardless of whether a particular target is provided, the ability for `debug`
+to fetch data for the target depends on the token provided. Some targets, such
+as `server-status`, queries unauthenticated endpoints which means that it can be
+queried all the time. Other targets require the token to have ACL permissions to
+query the matching endpoint in order to get a proper response. Any errors
+encountered during capture due to permissions or otherwise will be logged in the
+index file.
+
+## Capture Targets
+
+The `-target` flag can be specified multiple times to capture specific
+information when debug is running. By default, it captures all information.
+
+| Target               | Description                                                                       |
+| :------------------- | :-------------------------------------------------------------------------------- |
+| `config`             | Sanitized version of the configuration state.                                     |
+| `host`               | Information about the instance running the server, such as CPU, memory, and disk. |
+| `metrics`            | Telemetry information.                                                            |
+| `pprof`              | Runtime profiling data, including heap, CPU, goroutine, and trace profiling.      |
+| `replication-status` | Replication status.                                                               |
+| `server-status`      | Health and seal status.                                                           |
+
+Note that the `config`, `host`,`metrics`, and `pprof` targets are only queried
+on active and performance standby nodes due to the the fact that the information
+pertains to the local node and the request should not be forwarded.
+
+Additionally, host information is not available on the OpenBSD platform due to
+library limitations in fetching the data without enabling `cgo`.
+
+## Output Layout
+
+The output of the bundled information, once decompressed, is contained within a
+single directory. Each target, with the exception of profiling data, is captured
+in a single file. For each of those targets collection is represented as a JSON
+array object, with each entry captured at each interval as a JSON object.
+
+```text
+$ tree vault-debug-2019-10-15T21-44-49Z/
+vault-debug-2019-10-15T21-44-49Z/
+├── 2019-10-15T21-44-49Z
+│   ├── goroutine.prof
+│   ├── heap.prof
+│   ├── profile.prof
+│   └── trace.out
+├── 2019-10-15T21-45-19Z
+│   ├── goroutine.prof
+│   ├── heap.prof
+│   ├── profile.prof
+│   └── trace.out
+├── 2019-10-15T21-45-49Z
+│   ├── goroutine.prof
+│   ├── heap.prof
+│   ├── profile.prof
+│   └── trace.out
+├── 2019-10-15T21-46-19Z
+│   ├── goroutine.prof
+│   ├── heap.prof
+│   ├── profile.prof
+│   └── trace.out
+├── 2019-10-15T21-46-49Z
+│   ├── goroutine.prof
+│   └── heap.prof
+├── config.json
+├── host_info.json
+├── index.json
+├── metrics.json
+├── replication_status.json
+└── server_status.json
+```
+
+## Examples
+
+Start debug using sane defaults:
+
+```text
+$ vault debug
+```
+
+Start debug with different duration, intervals, and metrics interval values, and
+skip compression:
+
+```text
+$ vault debug -duration=1m -interval=10s -metrics-interval=5s -compress=false
+```
+
+Start debug with specific targets:
+
+```text
+$ vault debug -target=host -target=metrics
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Command Options
+
+- `-compress` `(bool: true)` - Toggles whether to compress output package The
+  default is true.
+
+- `-duration` `(int or time string: "2m")` - Duration to run the command. The
+  default is 2m0s.
+
+- `-interval` `(int or time string: "30s")` - The polling interval at which to
+  collect profiling data and server state. The default is 30s.
+
+- `-metrics-interval` `(int or time string: "10s")` - The polling interval at
+  which to collect metrics data. The default is 10s.
+
+- `-output` `(string)` - Specifies the output path for the debug package. Defaults
+  to an time-based generated file name.
+
+- `-target` `(string: all targets)` - Target to capture, defaulting to all if
+  none specified. This can be specified multiple times to capture multiple
+  targets. Available targets are: config, host, metrics, pprof,
+  replication-status, server-status.
diff --git a/website/pages/docs/commands/delete.mdx b/website/pages/docs/commands/delete.mdx
new file mode 100644
index 000000000000..2516169278cf
--- /dev/null
+++ b/website/pages/docs/commands/delete.mdx
@@ -0,0 +1,40 @@
+---
+layout: docs
+page_title: delete - Command
+sidebar_title: <code>delete</code>
+description: |-
+  The "delete" command deletes secrets and configuration from Vault at the given
+  path. The behavior of "delete" is delegated to the backend corresponding to
+  the given path.
+---
+
+# delete
+
+The `delete` command deletes secrets and configuration from Vault at the given
+path. The behavior of "delete" is delegated to the backend corresponding to the
+given path.
+
+## Examples
+
+Remove data in the static secrets engine:
+
+```text
+$ vault delete secret/my-secret
+```
+
+Uninstall an encryption key in the transit backend:
+
+```text
+$ vault delete transit/keys/my-key
+```
+
+Delete an IAM role:
+
+```text
+$ vault delete aws/roles/ops
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/help.mdx b/website/pages/docs/commands/help.mdx
new file mode 100644
index 000000000000..08c671491275
--- /dev/null
+++ b/website/pages/docs/commands/help.mdx
@@ -0,0 +1,108 @@
+---
+layout: docs
+page_title: Path Help
+sidebar_title: <code>path-help</code>
+description: >-
+  The Vault CLI has a built-in help system that can be used to get help for not
+  only the CLI itself, but also any paths that the CLI can be used with within
+  Vault.
+---
+
+# Help
+
+In addition to standard CLI help using the `-h` or `-help` flag for
+commands, Vault has a built-in `path-help` command that can be used to get
+help for specific paths within Vault. These paths are used with the
+API or `read, write, delete` commands in order to interact with Vault.
+
+The help system is the easiest way to learn how to use the various systems
+in Vault, and also allows you to discover new paths.
+
+-> **Important!** The help system is incredibly important in day-to-day
+use of Vault. As a beginner or experienced user of Vault, you'll be using
+the help command a lot to remember how to use different components of
+Vault. Note that the Vault Server must be running and the client configured
+properly to execute this command to look up paths.
+
+## Discovering Paths
+
+Before using `path-help`, it is important to understand "paths" within Vault.
+Paths are the parameters used for `vault read`, `vault write`, etc. An
+example path is `secret/foo`, or `aws/config/root`. The paths available
+depend on the enabled secrets engines. Because of this, the interactive
+help is an indispensable tool to finding what paths are supported.
+
+To discover what paths are supported, use `vault path-help <mount point>`.
+For example, if you mounted the AWS secrets engine, you can use
+`vault path-help aws` to find the paths supported by that backend. The paths
+will be shown with regular expressions, which can make them hard to
+parse, but they're also extremely exact.
+
+You can try it right away with any Vault with `vault path-help secret`, since
+`secret` is always mounted initially. The output from this command is shown
+below and contains both a description of what that backend is for, along with
+the paths it supports.
+
+```
+$ vault path-help secret
+## DESCRIPTION
+
+The key/value backend reads and writes arbitrary secrets to the backend.
+The secrets are encrypted/decrypted by Vault: they are never stored
+unencrypted in the backend and the backend never has an opportunity to
+see the unencrypted value.
+
+Leases can be set on a per-secret basis. These leases will be sent down
+when that secret is read, and it is assumed that some outside process will
+revoke and/or replace the secret at that path.
+
+## PATHS
+
+The following paths are supported by this backend. To view help for
+any of the paths below, use the help command with any route matching
+the path pattern. Note that depending on the policy of your auth token,
+you may or may not be able to access certain paths.
+
+    ^.*$
+        Pass-through secret storage to the storage backend, allowing you to
+        read/write arbitrary data into secret storage.
+```
+
+## Single Path
+
+Once you've found a path you like, you can learn more about it by
+using `vault path-help <path>` where "path" is a path that matches one of the
+regular expressions from the backend help.
+
+Or, if you saw an example online with `vault write` or some similar
+command, you can plug that directly into `vault path-help` to learn about it
+(assuming you have the proper backends mounted!).
+
+For example, below we get the help for a single secret in the `secret/`
+mount point. The help shows the operations that that path supports, the
+parameters it takes (for write), and a description of that specific path.
+
+```
+$ vault path-help secret/password
+Request:        password
+Matching Route: ^.*$
+
+Pass-through secret storage to the storage backend, allowing you to
+read/write arbitrary data into secret storage.
+
+## PARAMETERS
+
+    lease (string)
+        Lease time for this key when read. Ex: 1h
+
+## DESCRIPTION
+
+The pass-through backend reads and writes arbitrary data into secret storage,
+encrypting it along the way.
+
+A lease can be specified when writing with the "lease" field. If given, then
+when the secret is read, Vault will report a lease with that duration. It
+is expected that the consumer of this backend properly writes renewed keys
+before the lease is up. In addition, revocation must be handled by the
+user of this backend.
+```
diff --git a/website/pages/docs/commands/index.mdx b/website/pages/docs/commands/index.mdx
new file mode 100644
index 000000000000..bb86d4fd3931
--- /dev/null
+++ b/website/pages/docs/commands/index.mdx
@@ -0,0 +1,310 @@
+---
+layout: docs
+page_title: Commands (CLI)
+sidebar_title: Commands (CLI)
+description: |-
+  In addition to a verbose HTTP API, Vault features a command-line interface
+  that wraps common functionality and formats output. The Vault CLI is a single
+  static binary. It is a thin wrapper around the HTTP API. Every CLI command
+  maps directly to the HTTP API internally.
+---
+
+# Vault Commands (CLI)
+
+~> **Note:** The Vault CLI interface was changed substantially in 0.9.2+ and may cause
+confusion while using older versions of Vault with this documentation. Read our
+[upgrade guide](/guides/upgrading/upgrade-to-0.9.2.html#backwards-compatible-cli-changes) for more information.
+
+In addition to a verbose [HTTP API](/api/index.html), Vault features a
+command-line interface that wraps common functionality and formats output. The
+Vault CLI is a single static binary. It is a thin wrapper around the HTTP API.
+Every CLI command maps directly to the HTTP API internally.
+
+Each command is represented as a command or subcommand. Please see the sidebar
+for more information about a particular command. This documentation corresponds
+to the latest version of Vault. If you are running an older version, commands
+may behave differently. Run `vault -h` or `vault <command> -h` to see the help
+output which corresponds to your version.
+
+To get help, run:
+
+```text
+$ vault -h
+```
+
+To get help for a subcommand, run:
+
+```text
+$ vault <subcommand> -h
+```
+
+## CLI Command Structure
+
+There are a number of command and subcommand options available: HTTP options,
+output options, and command specific options.
+
+Construct your Vault CLI command such that the command options precede its path
+and arguments if any:
+
+```text
+vault <command> [options] [path] [args]
+```
+
+- `options` - [Flags](/docs/commands/index.html#flags) to specify additional settings
+- `args` - API arguments specific to the operation
+
+  -> **NOTE:** Run `vault path-help <path>` to see the list of args (parameters).
+
+#### Examples:
+
+The following `write` command creates a new user (`bob`) in the userpass auth
+method. It passes the `-address` flag to specify the Vault server address which
+precedes the path (`auth/userpass/users/bob`) and its
+[argument](/api/auth/userpass/index.html#create-update-user)
+(`password="long-password"`) at last.
+
+```text
+$ vault write -address="http://127.0.0.1:8200" auth/userpass/users/bob password="long-password"
+```
+
+If multiple options (`-address` and `-namespace`) and
+[arguments](/api/auth/userpass/index.html#create-update-user) (`password` and
+`policies`) are specified, the command would look like:
+
+```text
+$ vault write -address="http://127.0.0.1:8200" -namespace="my-organization" \
+        auth/userpass/users/bob password="long-password" policies="admin"
+```
+
+The options (flags) come after the command (or subcommand) preceding the path,
+and the args always follow the path to set API parameter values.
+
+## Exit Codes
+
+The Vault CLI aims to be consistent and well-behaved unless documented
+otherwise.
+
+- Local errors such as incorrect flags, failed validations, or wrong numbers
+  of arguments return an exit code of 1.
+
+- Any remote errors such as API failures, bad TLS, or incorrect API parameters
+  return an exit status of 2
+
+Some commands override this default where it makes sense. These commands
+document this anomaly.
+
+## Autocompletion
+
+The `vault` command features opt-in autocompletion for flags, subcommands, and
+arguments (where supported).
+
+Enable autocompletion by running:
+
+```text
+$ vault -autocomplete-install
+```
+
+~> Be sure to **restart your shell** after installing autocompletion!
+
+When you start typing a Vault command, press the `<tab>` character to show a
+list of available completions. Type `-<tab>` to show available flag completions.
+
+If the `VAULT_*` environment variables are set, the autocompletion will
+automatically query the Vault server and return helpful argument suggestions.
+
+## Reading and Writing Data
+
+The four most common operations in Vault are `read`, `write`, `delete`, and
+`list`. These operations work on most paths in Vault. Some paths will
+contain secrets, other paths might contain configuration. Whatever it is, the
+primary interface for reading and writing data to Vault is similar.
+
+To demonstrate basic read and write operations, the built-in key/value (K/V)
+secrets engine will be used. This engine is automatically mounted and has no
+external dependencies, making it practical for this introduction. Note that
+K/V uses slightly different commands for reading and writing: `kv get`
+and `kv put`, respectively.
+
+~> The original version of K/V used the common `read` and `write` operations.
+A more advanced K/V Version 2 engine was released in Vault 0.10 and introduced
+the `kv get` and `kv put` commands.
+
+### Writing Data
+
+To write data to Vault, use the `vault kv put` command:
+
+```text
+$ vault kv put secret/password value=itsasecret
+```
+
+For some secrets engines, the key/value pairs are arbitrary. For others, they
+are generally more strict. Vault's built-in help will guide you to these
+restrictions where appropriate.
+
+#### stdin
+
+Some commands in Vault can read data from stdin using `-` as the value. If `-`
+is the entire argument, Vault expects to read a JSON object from stdin:
+
+```text
+$ echo -n '{"value":"itsasecret"}' | vault kv put secret/password -
+```
+
+In addition to reading full JSON objects, Vault can read just a value from
+stdin:
+
+```text
+$ echo -n "itsasecret" | vault kv put secret/password value=-
+```
+
+#### Files
+
+Some commands can also read data from a file on disk. The usage is similar to
+stdin as documented above. If an argument starts with `@`, Vault will read it as
+a file:
+
+```text
+$ vault kv put secret/password @data.json
+```
+
+Or specify the contents of a file as a value:
+
+```text
+$ vault kv put secret/password value=@data.txt
+```
+
+### Reading Data
+
+After data is persisted, read it back using `vault kv get`:
+
+```
+$ vault kv get secret/password
+Key                 Value
+---                 -----
+refresh_interval    768h0m0s
+value               itsasecret
+```
+
+## Token Helper
+
+By default, the Vault CLI uses a "token helper" to cache the token after
+authentication. This is conceptually similar to how a website securely stores
+your session information as a cookie in the browser. Token helpers are
+customizable, and you can even build your own.
+
+The default token helper stores the token in `~/.vault-token`. You can delete
+this file at any time to "logout" of Vault.
+
+## Environment Variables
+
+The CLI reads the following environment variables to set behavioral defaults.
+This can alleviate the need to repetitively type a flag. Flags always take
+precedence over the environment variables.
+
+### `VAULT_TOKEN`
+
+Vault authentication token. Conceptually similar to a session token on a
+website, the `VAULT_TOKEN` environment variable holds the contents of the token.
+For more information, please see the [token
+concepts](/docs/concepts/tokens.html) page.
+
+### `VAULT_ADDR`
+
+Address of the Vault server expressed as a URL and port, for example:
+`https://127.0.0.1:8200/`.
+
+### `VAULT_CACERT`
+
+Path to a PEM-encoded CA certificate _file_ on the local disk. This file is used
+to verify the Vault server's SSL certificate. This environment variable takes
+precedence over `VAULT_CAPATH`.
+
+### `VAULT_CAPATH`
+
+Path to a _directory_ of PEM-encoded CA certificate files on the local disk.
+These certificates are used to verify the Vault server's SSL certificate.
+
+### `VAULT_CLIENT_CERT`
+
+Path to a PEM-encoded client certificate on the local disk. This file is used
+for TLS communication with the Vault server.
+
+### `VAULT_CLIENT_KEY`
+
+Path to an unencrypted, PEM-encoded private key on disk which corresponds to the
+matching client certificate.
+
+### `VAULT_CLIENT_TIMEOUT`
+
+Timeout variable. The default value is 60s.
+
+### `VAULT_CLUSTER_ADDR`
+
+Address that should be used for other cluster members to connect to this node
+when in High Availability mode.
+
+### `VAULT_MAX_RETRIES`
+
+Maximum number of retries when a `5xx` error code is encountered. The default is
+`2`, for three total attempts. Set this to `0` or less to disable retrying.
+
+### `VAULT_REDIRECT_ADDR`
+
+Address that should be used when clients are redirected to this node when in
+High Availability mode.
+
+### `VAULT_SKIP_VERIFY`
+
+Do not verify Vault's presented certificate before communicating with it.
+Setting this variable is not recommended and voids Vault's [security
+model](/docs/internals/security.html).
+
+### `VAULT_TLS_SERVER_NAME`
+
+Name to use as the SNI host when connecting via TLS.
+
+### `VAULT_CLI_NO_COLOR`
+
+If provided, Vault output will not include ANSI color escape sequence characters.
+
+### `VAULT_RATE_LIMIT`
+
+This environment variable will limit the rate at which the `vault` command
+sends requests to Vault.
+
+This environment variable has the format `rate[:burst]` (where items in `[]` are
+optional). If not specified, the burst value defaults to rate. Both rate and
+burst are specified in "operations per second". If the environment variable is
+not specified, then the rate and burst will be unlimited _i.e._ rate
+limiting is off by default.
+
+_Note:_ The rate is limited for each invocation of the `vault` CLI. Since
+each invocation of the `vault` CLI typically only makes a few requests,
+this environment variable is most useful when using the Go
+[Vault client API](https://www.vaultproject.io/api/libraries.html#go).
+
+### `VAULT_NAMESPACE`
+
+The namespace to use for the command. Setting this is not necessary
+but allows using relative paths.
+
+### `VAULT_MFA`
+
+**ENTERPRISE ONLY**
+
+MFA credentials in the format `mfa_method_name[:key[=value]]` (items in `[]` are
+optional). Note that when using the environment variable, only one credential
+can be supplied. If a MFA method expects multiple credential values, or if there
+are multiple MFA methods specified on a path, then the CLI flag `-mfa` should be
+used.
+
+## Flags
+
+There are different CLI flags that are available depending on subcommands. Some
+flags, such as those used for setting HTTP and output options, are available
+globally, while others are specific to a particular subcommand. For a completely
+list of available flags, run:
+
+```text
+$ vault <subcommand> -h
+```
diff --git a/website/pages/docs/commands/kv/delete.mdx b/website/pages/docs/commands/kv/delete.mdx
new file mode 100644
index 000000000000..9a0b15452fd4
--- /dev/null
+++ b/website/pages/docs/commands/kv/delete.mdx
@@ -0,0 +1,45 @@
+---
+layout: docs
+page_title: kv delete - Command
+sidebar_title: <code>delete</code>
+description: |-
+  The "kv delete" command disables a secrets engine at a given PATH. The
+  argument corresponds to the enabled PATH of the engine, not the TYPE! All
+  secrets created by this engine are revoked and its Vault data is removed.
+---
+
+# kv delete
+
+The `kv delete` command deletes the data for the provided path in
+the key/value secrets engine. If using K/V Version 2, its versioned data will
+not be fully removed, but marked as deleted and will no longer be returned in
+normal get requests.
+
+## Examples
+
+Delete the latest version of the key "creds":
+
+```text
+$ vault kv delete secret/creds
+Success! Data deleted (if it existed) at: secret/creds
+```
+
+**[K/V Version 2]** Delete version 11 of key "creds":
+
+```text
+$ vault kv delete -versions=11 secret/creds
+Success! Data deleted (if it existed) at: secret/creds
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Command Options
+
+- `-versions` `([]int: <required>)` - The versions to be deleted. The versioned
+  data will not be deleted, but it will no longer be returned in normal get
+  requests.
+
+~> **NOTE:** This command option is only for K/V v2.
diff --git a/website/pages/docs/commands/kv/destroy.mdx b/website/pages/docs/commands/kv/destroy.mdx
new file mode 100644
index 000000000000..ce49d12aec64
--- /dev/null
+++ b/website/pages/docs/commands/kv/destroy.mdx
@@ -0,0 +1,42 @@
+---
+layout: docs
+page_title: kv destroy - Command
+sidebar_title: <code>destroy</code>
+description: |-
+  The "kv destroy" command permanently removes the specified version data for
+  the provided key and version numbers from the key-value store.
+---
+
+# kv destroy
+
+~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
+engine command, and not available for Version 1.
+
+The `kv destroy` command permanently removes the specified versions' data
+from the key/value secrets engine. If no key exists at the path, no action is
+taken.
+
+## Examples
+
+Destroy version 11 of the key "creds":
+
+```text
+$ vault kv destroy -versions=11 secret/creds
+Success! Data written to: secret/destroy/creds
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-versions` `([]int: <required>)` - The versions to destroy. Their data will
+  be permanently deleted.
diff --git a/website/pages/docs/commands/kv/enable-versioning.mdx b/website/pages/docs/commands/kv/enable-versioning.mdx
new file mode 100644
index 000000000000..c4cb7b8dbbe4
--- /dev/null
+++ b/website/pages/docs/commands/kv/enable-versioning.mdx
@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: kv enable-versioning - Command
+sidebar_title: <code>enable-versioning</code>
+description: |-
+  The "kv enable-versioning" command turns on versioning for the backend
+  at the provided path.
+---
+
+# kv enable-versioning
+
+The `kv enable-versioning` command turns on versioning for an existing
+non-versioned key/value secrets engine (K/V Version 1) at its path.
+
+## Examples
+
+This command turns on versioning for the K/V Version 1 secrets engine enabled at
+"secret".
+
+```text
+$ vault kv enable-versioning secret
+Success! Tuned the secrets engine at: secret/
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/kv/get.mdx b/website/pages/docs/commands/kv/get.mdx
new file mode 100644
index 000000000000..43427495bd44
--- /dev/null
+++ b/website/pages/docs/commands/kv/get.mdx
@@ -0,0 +1,74 @@
+---
+layout: docs
+page_title: kv get - Command
+sidebar_title: <code>get</code>
+description: |-
+  The "kv get" command retrieves the value from Vault's key-value store at the
+  given key name. If no key exists with that name, an error is returned. If a
+  key exists with that name but has no data, nothing is returned.
+---
+
+# kv get
+
+The `kv get` command retrieves the value from K/V secrets engine at the given
+key name. If no key exists with that name, an error is returned. If a key exists
+with the name but has no data, nothing is returned.
+
+## Examples
+
+Retrieve the data of the key "creds":
+
+```text
+$ vault kv get secret/creds
+====== Metadata ======
+Key              Value
+---              -----
+created_time     2019-06-06T06:03:26.595978Z
+deletion_time    n/a
+destroyed        false
+version          5
+
+====== Data ======
+Key         Value
+---         -----
+passcode    my-long-passcode
+```
+
+If K/V Version 1 secrets engine is enabled at "secret", the output has no
+metadata since there is no versioning information associated with the data:
+
+```text
+$ vault kv get secret/creds
+====== Data ======
+Key         Value
+---         -----
+passcode    my-long-passcode
+```
+
+Return only the "creds" "passcode" key:
+
+```text
+$ vault kv get -field=passcode secret/creds
+my-long-passcode
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other
+  processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-version` `(int: 0)` - Specifies the version to return. If not set the
+  latest version is returned.
diff --git a/website/pages/docs/commands/kv/index.mdx b/website/pages/docs/commands/kv/index.mdx
new file mode 100644
index 000000000000..f3bd2a020121
--- /dev/null
+++ b/website/pages/docs/commands/kv/index.mdx
@@ -0,0 +1,111 @@
+---
+layout: docs
+page_title: kv - Command
+sidebar_title: <code>kv</code>
+description: |-
+  The "kv" command groups subcommands for interacting with Vault's key/value
+  secret engine.
+---
+
+# kv
+
+The `kv` command groups subcommands for interacting with Vault's key/value
+secrets engine (both [K/V Version 1](/docs/secrets/kv/kv-v1.html) and [K/V
+Version 2](/docs/secrets/kv/kv-v2.html).
+
+## Examples
+
+Create or update the key named "creds" in the K/V Version 2 enabled at "secret"
+with the value "passcode=my-long-passcode":
+
+```text
+$ vault kv put secret/creds passcode=my-long-passcode
+Key              Value
+---              -----
+created_time     2019-06-28T15:53:30.395814Z
+deletion_time    n/a
+destroyed        false
+version          1
+```
+
+Read this value back:
+
+```text
+$ vault kv get secret/creds
+====== Metadata ======
+Key              Value
+---              -----
+created_time     2019-06-28T15:53:30.395814Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+====== Data ======
+Key         Value
+---         -----
+passcode    my-long-passcode
+```
+
+Get metadata for the key named "creds":
+
+```text
+$ vault kv metadata get secret/creds
+========== Metadata ==========
+Key                     Value
+---                     -----
+cas_required            false
+created_time            2019-06-28T15:53:30.395814Z
+current_version         1
+delete_version_after    0s
+max_versions            0
+oldest_version          0
+updated_time            2019-06-28T15:53:30.395814Z
+
+====== Version 1 ======
+Key              Value
+---              -----
+created_time     2019-06-28T15:53:30.395814Z
+deletion_time    n/a
+destroyed        false
+```
+
+Get a specific version of the key named "creds":
+
+```text
+$ vault kv get -version=1 secret/creds
+====== Metadata ======
+Key              Value
+---              -----
+created_time     2019-06-28T15:53:30.395814Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+====== Data ======
+Key         Value
+---         -----
+passcode    my-long-passcode
+```
+
+## Usage
+
+```text
+Usage: vault kv <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    delete               Deletes versions in the KV store
+    destroy              Permanently removes one or more versions in the KV store
+    enable-versioning    Turns on versioning for a KV store
+    get                  Retrieves data from the KV store
+    list                 List data or secrets
+    metadata             Interact with Vault's Key-Value storage
+    patch                Sets or updates data in the KV store without overwriting
+    put                  Sets or updates data in the KV store
+    rollback             Rolls back to a previous version of data
+    undelete             Undeletes versions in the KV store
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/kv/list.mdx b/website/pages/docs/commands/kv/list.mdx
new file mode 100644
index 000000000000..840d4f5d5461
--- /dev/null
+++ b/website/pages/docs/commands/kv/list.mdx
@@ -0,0 +1,44 @@
+---
+layout: docs
+page_title: kv list - Command
+sidebar_title: <code>list</code>
+description: |-
+  The "kv list" command lists data from Vault's K/V secrets engine at the given
+  path.
+---
+
+# kv list
+
+The `kv list` command returns a list of key names at the specified location.
+Folders are suffixed with /. The input must be a folder; list on a file will not
+return a value. Note that no policy-based filtering is performed on keys; do not
+encode sensitive information in key names. The values themselves are not
+accessible via this command.
+
+Use this command to list all existing key names at a specific path.
+
+## Examples
+
+List values under the key "my-app":
+
+```text
+$ vault kv list secret/my-app/
+Keys
+----
+admin_creds
+domain
+eng_creds
+qa_creds
+release
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/kv/metadata.mdx b/website/pages/docs/commands/kv/metadata.mdx
new file mode 100644
index 000000000000..266a50d67b6c
--- /dev/null
+++ b/website/pages/docs/commands/kv/metadata.mdx
@@ -0,0 +1,154 @@
+---
+layout: docs
+page_title: kv metadata - Command
+sidebar_title: <code>metadata</code>
+description: |-
+  The "kv metadata" command has subcommands for interacting with the metadata
+  endpoint in Vault's key-value store.
+---
+
+# kv metadata
+
+~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
+engine command, and not available for Version 1.
+
+The `kv metadata` command has subcommands for interacting with the metadata and
+versions for the versioned secrets (K/V Version 2 secrets engine) at the
+specified path.
+
+## Usage
+
+```text
+Usage: vault kv metadata <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    delete    Deletes all versions and metadata for a key in the KV store
+    get       Retrieves key metadata from the KV store
+    put       Sets or updates key settings in the KV store
+```
+
+### kv metadata delete
+
+The `kv metadata delete` command deletes all versions and metadata for the
+provided key.
+
+#### Examples
+
+Deletes all versions and metadata of the key "creds":
+
+```text
+$ vault kv metadata delete secret/creds
+Success! Data deleted (if it existed) at: secret/metadata/creds
+```
+
+### kv metadata get
+
+The `kv metadata get` command retrieves the metadata of the versioned secrets at
+the given key name. If no key exists with that name, an error is returned.
+
+#### Examples
+
+Retrieves the metadata of the key name, "creds":
+
+```text
+$ vault kv metadata get secret/creds
+========== Metadata ==========
+Key                     Value
+---                     -----
+cas_required            false
+created_time            2019-06-28T15:53:30.395814Z
+current_version         5
+delete_version_after    0s
+max_versions            0
+oldest_version          0
+updated_time            2019-06-28T16:01:47.40064Z
+
+====== Version 1 ======
+Key              Value
+---              -----
+created_time     2019-06-28T15:53:30.395814Z
+deletion_time    n/a
+destroyed        false
+
+====== Version 2 ======
+Key              Value
+---              -----
+created_time     2019-06-28T16:01:36.676912Z
+deletion_time    n/a
+destroyed        false
+
+...
+```
+
+### kv metadata put
+
+The `kv metadata put` command can be used to create a blank key in the K/V v2
+secrets engine or to update key configuration for a specified key.
+
+#### Examples
+
+Create a key in the K/V v2 with no data at the key "creds":
+
+```text
+$ vault kv metadata put secret/creds
+Success! Data written to: secret/metadata/creds
+```
+
+Set the maximum number of versions to keep for the key "creds":
+
+```text
+$ vault kv metadata put -max-versions=5 secret/creds
+Success! Data written to: secret/metadata/creds
+```
+
+**NOTE:** If not set, the backend’s configured max version is used. Once a key
+has more than the configured allowed versions the oldest version will be
+permanently deleted.
+
+Require Check-and-Set for the key "creds":
+
+```text
+$ vault kv metadata put -cas-required secret/creds
+```
+
+**NOTE:** When check-and-set is required, the key will require the `cas`
+parameter to be set on all write requests. Otherwise, the backend’s
+configuration will be used.
+
+Set the length of time before a version is deleted for the key "creds":
+
+```text
+$ vault kv metadata put -delete-version-after="3h25m19s" secret/creds
+```
+
+**NOTE:** If not set, the backend's configured Delete-Version-After is used. If
+set to a duration greater than the backend's, the backend's Delete-Version-After
+setting will be used. Any changes to the Delete-Version-After setting will only
+be applied to new versions.
+
+#### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+#### Subcommand Options
+
+- `-cas-required` `(bool: false)` - If true the key will require the cas
+  parameter to be set on all write requests. If false, the backend’s
+  configuration will be used. The default is false.
+
+- `-max-versions` `(int: 0)` - The number of versions to keep per key. If not
+  set, the backend’s configured max version is used. Once a key has more than the
+  configured allowed versions the oldest version will be permanently deleted.
+
+- `-delete-version-after` `(string:"0s")` – Set the `delete-version-after` value
+  to a duration to specify the `deletion_time` for all new versions written to
+  this key. If not set, the backend's `delete_version_after` will be used. If
+  the value is greater than the backend's `delete_version_after`, the backend's
+  `delete_version_after` will be used. Accepts [Go duration format
+  string][duration-godoc].
+
+[duration-godoc]: https://golang.org/pkg/time/#ParseDuration
diff --git a/website/pages/docs/commands/kv/patch.mdx b/website/pages/docs/commands/kv/patch.mdx
new file mode 100644
index 000000000000..8dab5f6b2f13
--- /dev/null
+++ b/website/pages/docs/commands/kv/patch.mdx
@@ -0,0 +1,70 @@
+---
+layout: docs
+page_title: kv patch - Command
+sidebar_title: <code>patch</code>
+description: |-
+  The "kv patch" command writes the data to the given path in the key-value
+  store. The data can be of any type.
+---
+
+# kv patch
+
+~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
+engine command, and not available for Version 1.
+
+The `kv patch` command writes the data to the given path in the K/V v2 secrets
+engine. The data can be of any type. Unlike the `kv put` command, the `patch`
+command combines the change with existing data instead of replacing them.
+Therefore, this command makes it easy to make a partial updates to an existing
+data.
+
+## Examples
+
+If you wish to add an additional key-value (`ttl=48h`) to the existing data at
+the key "creds":
+
+```text
+$ vault kv patch secret/creds ttl=48h
+Key              Value
+---              -----
+created_time     2019-06-06T16:46:22.090654Z
+deletion_time    n/a
+destroyed        false
+version          6
+```
+
+**NOTE:** The `kv put` command requires both the existing data and
+the data you wish to add in order to accomplish the same result.
+
+```text
+$ vault kv put secret/creds ttl=48h passcode=my-long-passcode
+```
+
+The data can also be consumed from a file on disk by prefixing with the "@"
+symbol. For example:
+
+```text
+$ vault kv patch secret/creds @data.json
+```
+
+Or it can be read from stdin using the "-" symbol:
+
+```text
+$ echo "abcd1234" | vault kv patch secret/foo bar=-
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other
+  processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/kv/put.mdx b/website/pages/docs/commands/kv/put.mdx
new file mode 100644
index 000000000000..bfe6761b976f
--- /dev/null
+++ b/website/pages/docs/commands/kv/put.mdx
@@ -0,0 +1,67 @@
+---
+layout: docs
+page_title: kv put - Command
+sidebar_title: <code>put</code>
+description: |-
+  The "kv put" command writes the data to the given path in the K/V secrets
+  engine. The data can be of any type.
+---
+
+# kv put
+
+The `kv put` command writes the data to the given path in the K/V secrets
+engine.
+
+If working with K/V v2, this command creates a new version of a secret at the
+specified location. If working with K/V v1, this command stores the given secret
+at the specified location.
+
+Regardless of the K/V version, if the value does not yet exist at the specified
+path, the calling token must have an ACL policy granting the "create"
+capability. If the value already exists, the calling token must have an ACL
+policy granting the "update" capability.
+
+## Examples
+
+Writes the data to the key "creds":
+
+```text
+$ vault kv put secret/creds passcode=my-long-passcode
+```
+
+The data can also be consumed from a file on disk by prefixing with the "@"
+symbol. For example:
+
+```text
+$ vault kv put secret/foo @data.json
+```
+
+Or it can be read from stdin using the "-" symbol:
+
+```text
+$ echo "abcd1234" | vault kv put secret/foo bar=-
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other
+  processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-cas` `(int: 0)` - Specifies to use a Check-And-Set operation. If not set the
+  write will be allowed. If set to 0 a write will only be allowed if the key
+  doesn’t exist. If the index is non-zero the write will only be allowed if the
+  key’s current version matches the version specified in the cas parameter. The
+  default is -1.
diff --git a/website/pages/docs/commands/kv/rollback.mdx b/website/pages/docs/commands/kv/rollback.mdx
new file mode 100644
index 000000000000..1b0d5a8d2ad8
--- /dev/null
+++ b/website/pages/docs/commands/kv/rollback.mdx
@@ -0,0 +1,49 @@
+---
+layout: docs
+page_title: kv rollback - Command
+sidebar_title: <code>rollback</code>
+description: |-
+  The "kv rollback" command restores a given previous version to the current
+  version at the given path.
+---
+
+# kv rollback
+
+~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
+engine command, and not available for Version 1.
+
+The `kv rollback` command restores a given previous version to the current
+version at the given path. The value is written as a new version; for instance,
+if the current version is 5 and the rollback version is 2, the data from version
+2 will become version 6. This command makes it easy to restore unintentionally
+overwritten data.
+
+## Examples
+
+Restores the version 2 of the data at key "creds":
+
+```text
+$ vault kv rollback -version=2 secret/creds
+Key              Value
+---              -----
+created_time     2019-06-06T17:07:19.299831Z
+deletion_time    n/a
+destroyed        false
+version          6
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-version` `(int: 0)` - Specifies the version number that should be made
+  current again.
diff --git a/website/pages/docs/commands/kv/undelete.mdx b/website/pages/docs/commands/kv/undelete.mdx
new file mode 100644
index 000000000000..f40dd10f583e
--- /dev/null
+++ b/website/pages/docs/commands/kv/undelete.mdx
@@ -0,0 +1,43 @@
+---
+layout: docs
+page_title: kv undelete - Command
+sidebar_title: <code>undelete</code>
+description: |-
+  The "kv undelete" command undeletes the data for the provided version and path
+  in the key-value store. This restores the data, allowing it to be returned on
+  get requests.
+---
+
+# kv undelete
+
+~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
+engine command, and not available for Version 1.
+
+The `kv undelete` command undoes the deletes of the data for the provided version
+and path in the key-value store. This restores the data, allowing it to be
+returned on get requests.
+
+## Examples
+
+Undelete version 3 of the key "creds":
+
+```text
+$ vault kv undelete -versions=3 secret/creds
+Success! Data written to: secret/undelete/creds
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-versions` `([]int: <required>)` - Specifies the version number that should
+  be made current again.
diff --git a/website/pages/docs/commands/lease.mdx b/website/pages/docs/commands/lease.mdx
new file mode 100644
index 000000000000..447be5b9dd82
--- /dev/null
+++ b/website/pages/docs/commands/lease.mdx
@@ -0,0 +1,48 @@
+---
+layout: docs
+page_title: lease - Command
+sidebar_title: <code>lease</code>
+description: |-
+  The "lease" command groups subcommands for interacting with leases attached to
+  secrets.
+---
+
+# lease
+
+The `lease` command groups subcommands for interacting with leases attached to
+secrets. For leases attached to tokens, use the [`vault token`](/docs/commands/token.html) subcommand.
+
+## Examples
+
+Renew a lease:
+
+```text
+$ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+Key                Value
+---                -----
+lease_id           database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+lease_duration     5m
+lease_renewable    true
+```
+
+Revoke a lease:
+
+```text
+$ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+```
+
+## Usage
+
+```text
+Usage: vault lease <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    renew     Renews the lease of a secret
+    revoke    Revokes leases and secrets
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/lease/index.mdx b/website/pages/docs/commands/lease/index.mdx
new file mode 100644
index 000000000000..447be5b9dd82
--- /dev/null
+++ b/website/pages/docs/commands/lease/index.mdx
@@ -0,0 +1,48 @@
+---
+layout: docs
+page_title: lease - Command
+sidebar_title: <code>lease</code>
+description: |-
+  The "lease" command groups subcommands for interacting with leases attached to
+  secrets.
+---
+
+# lease
+
+The `lease` command groups subcommands for interacting with leases attached to
+secrets. For leases attached to tokens, use the [`vault token`](/docs/commands/token.html) subcommand.
+
+## Examples
+
+Renew a lease:
+
+```text
+$ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+Key                Value
+---                -----
+lease_id           database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+lease_duration     5m
+lease_renewable    true
+```
+
+Revoke a lease:
+
+```text
+$ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+```
+
+## Usage
+
+```text
+Usage: vault lease <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    renew     Renews the lease of a secret
+    revoke    Revokes leases and secrets
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/lease/renew.mdx b/website/pages/docs/commands/lease/renew.mdx
new file mode 100644
index 000000000000..5148b1f75ab1
--- /dev/null
+++ b/website/pages/docs/commands/lease/renew.mdx
@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: lease renew - Command
+sidebar_title: <code>renew</code>
+description: |-
+  The "lease renew" command renews the lease on a secret, extending the time
+  that it can be used before it is revoked by Vault.
+---
+
+# lease renew
+
+The `lease renew` command renews the lease on a secret, extending the time that
+it can be used before it is revoked by Vault.
+
+Every secret in Vault has a lease associated with it. If the owner of the secret
+wants to use it longer than the lease, then it must be renewed. Renewing the
+lease does not change the contents of the secret.
+
+## Examples
+
+Renew a lease:
+
+```text
+$ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+- `-increment` `(duration: "")` - Request a specific increment in seconds. Vault
+  is not required to honor this request.
diff --git a/website/pages/docs/commands/lease/revoke.mdx b/website/pages/docs/commands/lease/revoke.mdx
new file mode 100644
index 000000000000..e366340d5b29
--- /dev/null
+++ b/website/pages/docs/commands/lease/revoke.mdx
@@ -0,0 +1,43 @@
+---
+layout: docs
+page_title: lease revoke - Command
+sidebar_title: <code>revoke</code>
+description: |-
+  The "lease revoke" command revokes the lease on a secret, invalidating the
+  underlying secret.
+---
+
+# lease revoke
+
+The `lease revoke` command revokes the lease on a secret, invalidating the
+underlying secret.
+
+## Examples
+
+Revoke a lease:
+
+```text
+$ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
+```
+
+Revoke a lease which starts with a prefix:
+
+```text
+$ vault lease revoke -prefix database/creds
+Success! Revoked any leases with prefix: database/creds
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+- `-force` `(bool: false)` - Delete the lease from Vault even if the secret
+  engine revocation fails. This is meant for recovery situations where the
+  secret in the target secrets engine was manually removed. If this flag is
+  specified, -prefix is also required. This is aliased as "-f". The default is
+  false.
+
+- `-prefix` `(bool: false)` - Treat the ID as a prefix instead of an exact lease
+  ID. This can revoke multiple leases simultaneously. The default is false.
diff --git a/website/pages/docs/commands/list.mdx b/website/pages/docs/commands/list.mdx
new file mode 100644
index 000000000000..a24ebbf2789e
--- /dev/null
+++ b/website/pages/docs/commands/list.mdx
@@ -0,0 +1,26 @@
+---
+layout: docs
+page_title: list - Command
+sidebar_title: <code>list</code>
+description: |-
+  The "list" command lists data from Vault at the given path. This can be used
+  to list keys in a, given secrets engine.
+---
+
+# list
+
+The `list` command lists data from Vault at the given path. This can be used to
+list keys in a given secrets engine.
+
+## Examples
+
+List values under the "my-app" folder of the KV secrets engine:
+
+```text
+$ vault list secret/my-app/
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/login.mdx b/website/pages/docs/commands/login.mdx
new file mode 100644
index 000000000000..518ea07746df
--- /dev/null
+++ b/website/pages/docs/commands/login.mdx
@@ -0,0 +1,136 @@
+---
+layout: docs
+page_title: login - Command
+sidebar_title: <code>login</code>
+description: |-
+  The "login" command authenticates users or machines to Vault using the
+  provided arguments. A successful authentication results in a Vault token -
+  conceptually similar to a session token on a website.
+---
+
+# login
+
+The `login` command authenticates users or machines to Vault using the provided
+arguments. A successful authentication results in a Vault token - conceptually
+similar to a session token on a website. By default, this token is cached on the
+local machine for future requests.
+
+The `-method` flag allows using other auth methods, such as userpass,
+github, or cert. For these, additional "K=V" pairs may be required. For more
+information about the list of configuration parameters available for a given
+auth method, use the "vault auth help TYPE". You can also use "vault
+auth list" to see the list of enabled auth methods.
+
+If an auth method is enabled at a non-standard path, the `-method`
+flag still refers to the canonical type, but the `-path` flag refers to the
+enabled path.
+
+If the authentication is requested with response wrapping (via `-wrap-ttl`),
+the returned token is automatically unwrapped unless:
+
+- The `-token-only` flag is used, in which case this command will output
+  the wrapping token.
+
+- The `-no-store` flag is used, in which case this command will output the
+  details of the wrapping token.
+
+## Examples
+
+By default, login uses a "token" method:
+
+```text
+$ vault login s.3jnbMAKl1i4YS3QoKdbHzGXq
+Success! You are now authenticated. The token information displayed below
+is already stored in the token helper. You do NOT need to run "vault login"
+again. Future Vault requests will automatically use this token.
+
+Key                  Value
+---                  -----
+token                s.3jnbMAKl1i4YS3QoKdbHzGXq
+token_accessor       7Uod1Rm0ejUAz77Oh7SxpAM0
+token_duration       767h59m49s
+token_renewable      true
+token_policies       ["admin" "default"]
+identity_policies    []
+policies             ["admin" "default"]
+```
+
+To login with a different method, use `-method`:
+
+```text
+$ vault login -method=userpass username=my-username
+Password (will be hidden):
+Success! You are now authenticated. The token information below is already
+stored in the token helper. You do NOT need to run "vault login" again. Future
+requests will use this token automatically.
+
+Key                    Value
+---                    -----
+token                  s.2y4SU3Sk46dK3p2Y8q2jSBwL
+token_accessor         8J125x9SZyB76MI9uF2jSJZf
+token_duration         768h
+token_renewable        true
+token_policies         ["default"]
+identity_policies      []
+policies               ["default"]
+token_meta_username    my-username
+```
+
+~> Notice that the command option (`-method=userpass`) precedes the command
+argument (`username=my-username`).
+
+If a github auth method was enabled at the path "github-prod":
+
+```text
+$ vault login -method=github -path=github-prod
+Success! You are now authenticated. The token information below is already
+stored in the token helper. You do NOT need to run "vault login" again. Future
+requests will use this token automatically.
+
+Key                    Value
+---                    -----
+token                  s.2f3c5L1MHtnqbuNCbx90utmC
+token_accessor         JLUIXJ6ltUftTt2UYRl2lTAC
+token_duration         768h
+token_renewable        true
+token_policies         ["default"]
+identity_policies      []
+policies               ["default"]
+token_meta_org         hashicorp
+token_meta_username    my-username
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-method` `(string "token")` - Type of authentication to use such as
+  "userpass" or "ldap". Note this corresponds to the TYPE, not the enabled path.
+  Use -path to specify the path where the authentication is enabled.
+
+- `-no-print` `(bool: false)` - Do not display the token. The token will be
+  still be stored to the configured token helper. The default is false.
+
+- `-no-store` `(bool: false)` - Do not persist the token to the token helper
+  (usually the local filesystem) after authentication for use in future
+  requests. The token will only be displayed in the command output.
+
+- `-path` `(string: "")` - Remote path in Vault where the auth method
+  is enabled. This defaults to the TYPE of method (e.g. userpass -> userpass/).
+
+- `-token-only` `(bool: false)` - Output only the token with no verification.
+  This flag is a shortcut for "-field=token -no-store". Setting those
+  flags to other values will have no affect.
diff --git a/website/pages/docs/commands/namespace.mdx b/website/pages/docs/commands/namespace.mdx
new file mode 100644
index 000000000000..28f32986a77b
--- /dev/null
+++ b/website/pages/docs/commands/namespace.mdx
@@ -0,0 +1,55 @@
+---
+layout: docs
+page_title: namespace - Command
+sidebar_title: <code>namespace</code>
+description: The "namespace" command groups subcommands for interacting with namespaces.
+---
+
+# namespace
+
+The `namespace` command groups subcommands for interacting with namespaces.
+
+## Examples
+
+List all namespaces:
+
+```text
+$ vault namespace list
+```
+
+Create a namespace at the path `ns1/`:
+
+```text
+$ vault namespace create ns1/
+```
+
+Delete the namespace at path `ns1/`:
+
+```text
+$ vault namespace delete ns1/
+```
+
+Lookup the namespace information at path `ns1/`:
+
+```text
+$ vault namespace lookup ns1/
+```
+
+## Usage
+
+```text
+Usage: vault namespace <subcommand> [options] [args]
+
+  This command groups subcommands for interacting with Vault namespaces.
+  These set of subcommands operate on the context of the namespace that the
+  current logged in token belongs to.
+
+Subcommands:
+    create    Create a new namespace
+    delete    Delete an existing namespace
+    list      List child namespaces
+    lookup    Look up an existing namespace
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/operator/generate-root.mdx b/website/pages/docs/commands/operator/generate-root.mdx
new file mode 100644
index 000000000000..6f454881c537
--- /dev/null
+++ b/website/pages/docs/commands/operator/generate-root.mdx
@@ -0,0 +1,94 @@
+---
+layout: docs
+page_title: operator generate-root - Command
+sidebar_title: <code>generate-root</code>
+description: |-
+  The "operator generate-root" command generates a new root token by combining a
+  quorum of share holders.
+---
+
+# operator generate-root
+
+The `operator generate-root` command generates a new root token by combining a
+quorum of share holders. With the `-dr-token` or `-recovery-token` options,
+it can generate a DR operational token or a recovery token in the same way.
+
+One of the following must be provided to start the root token generation:
+
+- A base64-encoded one-time-password (OTP) provided via the `-otp` flag. Use the
+  `-generate-otp` flag to generate a usable value. The resulting token is XORed
+  with this value when it is returned. Use the `-decode` flag to output the
+  final value.
+
+- A file containing a PGP key or a
+  [keybase](/docs/concepts/pgp-gpg-keybase.html) username in the `-pgp-key`
+  flag. The resulting token is encrypted with this public key.
+
+An unseal key may be provided directly on the command line as an argument to the
+command. If key is specified as "-", the command will read from stdin. If a TTY
+is available, the command will prompt for text.
+
+Please see the [generate root guide](/guides/operations/generate-root.html) for
+step-by-step instructions.
+
+## Examples
+
+Generate an OTP code for the final token:
+
+```text
+$ vault operator generate-root -generate-otp
+```
+
+Start a root token generation:
+
+```text
+$ vault operator generate-root -init -otp="..."
+```
+
+Enter an unseal key to progress root token generation:
+
+```text
+$ vault operator generate-root -otp="..."
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-cancel` `(bool: false)` - Reset the root token generation progress. This
+  will discard any submitted unseal keys or configuration.
+
+- `-decode` `(string: "")` - Decode and output the generated root token. This
+  option requires the `-otp` flag be set to the OTP used during initialization.
+
+- `-generate-otp` `(bool: false)` - Generate and print a high-entropy
+  one-time-password (OTP) suitable for use with the "-init" flag.
+
+- `-init` `(bool: false)` - Start a root token generation. This can only be done
+  if there is not currently one in progress.
+
+- `-nonce` `(string; "")`- Nonce value provided at initialization. The same
+  nonce value must be provided with each unseal key.
+
+- `-otp` `(string: "")` - OTP code to use with `-decode` or `-init`.
+
+- `-pgp-key` `(keybase or pgp)`- Path to a file on disk containing a binary or
+  base64-encoded public GPG key. This can also be specified as a Keybase
+  username using the format `keybase:<username>`. When supplied, the generated
+  root token will be encrypted and base64-encoded with the given public key.
+
+- `-status` `(bool: false)` - Print the status of the current attempt without
+  providing an unseal key. The default is false.
+
+- `-dr-token` `(bool: false)` - Generate DR operational token
+
+- `-recovery-token` `(bool: false)` - Generate recovery operational token
diff --git a/website/pages/docs/commands/operator/index.mdx b/website/pages/docs/commands/operator/index.mdx
new file mode 100644
index 000000000000..5524c9671a0e
--- /dev/null
+++ b/website/pages/docs/commands/operator/index.mdx
@@ -0,0 +1,68 @@
+---
+layout: docs
+page_title: operator - Command
+sidebar_title: <code>operator</code>
+description: |-
+  The "operator" command groups subcommands for operators interacting with
+  Vault. Most users will not need to interact with these commands.
+---
+
+# operator
+
+The `operator` command groups subcommands for operators interacting with Vault.
+Most users will not need to interact with these commands.
+
+## Examples
+
+Initialize a new Vault cluster:
+
+```text
+$ vault operator init
+Unseal Key 1: sP/4C/fwIDjJmHEC2bi/1Pa43uKhsUQMmiB31GRzFc0R
+Unseal Key 2: kHkw2xTBelbDFIMEgEC8NVX7NDSAZ+rdgBJ/HuJwxOX+
+Unseal Key 3: +1+1ZnkQDfJFHDZPRq0wjFxEuEEHxDDOQxa8JJ/AYWcb
+Unseal Key 4: cewseNJTLovmFrgpyY+9Hi5OgJlJgGGCg7PZyiVdPwN0
+Unseal Key 5: wyd7rMGWX5fi0k36X4e+C4myt5CoTmJsHJ0rdYT7BQcF
+
+Initial Root Token: 6662bb4a-afd0-4b6b-faad-e237fb564568
+
+# ...
+```
+
+Force a Vault to resign leadership in a cluster:
+
+```text
+$ vault operator step-down
+Success! Stepped down: https://127.0.0.1:8200
+```
+
+Rotate Vault's underlying encryption key:
+
+```text
+$ vault operator rotate
+Success! Rotated key
+
+Key Term        2
+Install Time    01 Jan 07 12:30 UTC
+```
+
+## Usage
+
+```text
+Usage: vault operator <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    generate-root    Generates a new root token
+    init             Initializes a server
+    key-status       Provides information about the active encryption key
+    rekey            Generates new unseal keys
+    rotate           Rotates the underlying encryption key
+    seal             Seals the Vault server
+    step-down        Forces Vault to resign active duty
+    unseal           Unseals the Vault server
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/operator/init.mdx b/website/pages/docs/commands/operator/init.mdx
new file mode 100644
index 000000000000..1da21f2ac18e
--- /dev/null
+++ b/website/pages/docs/commands/operator/init.mdx
@@ -0,0 +1,125 @@
+---
+layout: docs
+page_title: operator init - Command
+sidebar_title: <code>init</code>
+description: |-
+  The "operator init" command initializes a Vault server. Initialization is the
+  process by which Vault's storage backend is prepared to receive data. Since
+  Vault servers share the same storage backend in HA mode, you only need to
+  initialize one Vault to initialize the storage backend.
+---
+
+# operator init
+
+The `operator init` command initializes a Vault server. Initialization is the
+process by which Vault's storage backend is prepared to receive data. Since
+Vault servers share the same storage backend in HA mode, you only need to
+initialize one Vault to initialize the storage backend.
+
+During initialization, Vault generates an in-memory master key and applies
+Shamir's secret sharing algorithm to disassemble that master key into a
+configuration number of key shares such that a configurable subset of those key
+shares must come together to regenerate the master key. These keys are often
+called "unseal keys" in Vault's documentation.
+
+This command cannot be run against already-initialized Vault cluster.
+
+For more information on sealing and unsealing, please the [seal concepts page](/docs/concepts/seal.html).
+
+## Examples
+
+Start initialization with the default options:
+
+```text
+$ vault operator init
+```
+
+Initialize, but encrypt the unseal keys with pgp keys:
+
+```text
+$ vault operator init \
+    -key-shares=3 \
+    -key-threshold=2 \
+    -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
+```
+
+Initialize Auto Unseal, but encrypt the recovery keys with pgp keys:
+
+```text
+$ vault operator init \
+    -recovery-shares=1 \
+    -recovery-threshold=1 \
+    -recovery-pgp-keys="keybase:grahamhashicorp"
+```
+
+Encrypt the initial root token using a pgp key:
+
+```text
+$ vault operator init -root-token-pgp-key="keybase:hashicorp"
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "")` - Print the output in the given format. Valid formats
+  are "table", "json", or "yaml". The default is table. This can also be
+  specified via the `VAULT_FORMAT` environment variable.
+
+### Common Options
+
+- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
+  key into. This is the number of "unseal keys" to generate. This is aliased as
+  `-n`.
+
+- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
+  master key. This must be less than or equal to -key-shares. This is aliased as
+  `-t`.
+
+- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
+  containing public GPG keys OR a comma-separated list of Keybase usernames
+  using the format `keybase:<username>`. When supplied, the generated unseal
+  keys will be encrypted and base64-encoded in the order specified in this list.
+  The number of entries must match -key-shares, unless -stored-shares are used.
+
+- `-root-token-pgp-key` `(string: "")` - Path to a file on disk containing a
+  binary or base64-encoded public GPG key. This can also be specified as a
+  Keybase username using the format `keybase:<username>`. When supplied, the
+  generated root token will be encrypted and base64-encoded with the given
+  public key.
+
+- `-status` `(bool": false)` - Print the current initialization status. An exit
+  code of 0 means the Vault is already initialized. An exit code of 1 means an
+  error occurred. An exit code of 2 means the Vault is not initialized.
+
+### Consul Options
+
+- `-consul-auto` `(bool: false)` - Perform automatic service discovery using
+  Consul in HA mode. When all nodes in a Vault HA cluster are registered with
+  Consul, enabling this option will trigger automatic service discovery based on
+  the provided -consul-service value. When Consul is Vault's HA backend, this
+  functionality is automatically enabled. Ensure the proper Consul environment
+  variables are set (CONSUL_HTTP_ADDR, etc). When only one Vault server is
+  discovered, it will be initialized automatically. When more than one Vault
+  server is discovered, they will each be output for selection. The default is
+  false.
+
+- `-consul-service` `(string: "vault")` - Name of the service in Consul under
+  which the Vault servers are registered.
+
+### HSM and KMS Options
+
+- `-recovery-pgp-keys` `(string: "...")` - Behaves like `-pgp-keys`, but for the
+  recovery key shares. This is only used in HSM mode.
+
+- `-recovery-shares` `(int: 5)` - Number of key shares to split the recovery key
+  into. This is only used in HSM mode.
+
+- `-recovery-threshold` `(int: 3)` - Number of key shares required to
+  reconstruct the recovery key. This is only used in HSM mode.
+
+- `-stored-shares` `(int: 0)` - Number of unseal keys to store on an HSM. This
+  must be equal to `-key-shares`.
diff --git a/website/pages/docs/commands/operator/key-status.mdx b/website/pages/docs/commands/operator/key-status.mdx
new file mode 100644
index 000000000000..eb0f76b07a92
--- /dev/null
+++ b/website/pages/docs/commands/operator/key-status.mdx
@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: operator key-status - Command
+sidebar_title: <code>key-status</code>
+description: |-
+  The "operator key-status" provides information about the active encryption
+  key.
+---
+
+# operator key-status
+
+The `operator key-status` provides information about the active encryption key.
+Specifically, the current key term and the key installation time.
+
+## Examples
+
+Get the key status:
+
+```text
+$ vault operator key-status
+Key Term        2
+Install Time    01 Jan 17 12:30 UTC
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/operator/migrate.mdx b/website/pages/docs/commands/operator/migrate.mdx
new file mode 100644
index 000000000000..6307715c1fb5
--- /dev/null
+++ b/website/pages/docs/commands/operator/migrate.mdx
@@ -0,0 +1,78 @@
+---
+layout: docs
+page_title: operator migrate - Command
+sidebar_title: <code>migrate</code>
+description: >-
+  The "operator migrate" command copies data between storage backends to
+  facilitate
+
+  migrating Vault between configurations. It operates directly at the storage
+
+  level, with no decryption involved.
+---
+
+# operator migrate
+
+The `operator migrate` command copies data between storage backends to facilitate
+migrating Vault between configurations. It operates directly at the storage
+level, with no decryption involved. Keys in the destination storage backend will
+be overwritten, and the destination should _not_ be initialized prior to the
+migrate operation. The source data is not modified, with the exception of a small lock
+key added during migration.
+
+This is intended to be an offline operation to ensure data consistency, and Vault
+will not allow starting the server if a migration is in progress.
+
+## Examples
+
+Migrate all keys:
+
+```text
+$ vault operator migrate -config migrate.hcl
+
+2018-09-20T14:23:23.656-0700 [INFO ] copied key: data/core/seal-config
+2018-09-20T14:23:23.657-0700 [INFO ] copied key: data/core/wrapping/jwtkey
+2018-09-20T14:23:23.658-0700 [INFO ] copied key: data/logical/fd1bed89-ffc4-d631-00dd-0696c9f930c6/31c8e6d9-2a17-d98f-bdf1-aa868afa1291/archive/metadata
+2018-09-20T14:23:23.660-0700 [INFO ] copied key: data/logical/fd1bed89-ffc4-d631-00dd-0696c9f930c6/31c8e6d9-2a17-d98f-bdf1-aa868afa1291/metadata/5kKFZ4YnzgNfy9UcWOzxxzOMpqlp61rYuq6laqpLQDnB3RawKpqi7yBTrawj1P
+...
+```
+
+Migration is done in a consistent, sorted order. If the migration is halted or
+exits before completion (e.g. due to a connection error with a storage backend),
+it may be resumed from an arbitrary key prefix:
+
+```text
+$ vault operator migrate -config migrate.hcl -start "data/logical/fd"
+```
+
+## Configuration
+
+The `operator migrate` command uses a dedicated configuration file to specify the source
+and destination storage backends. The format of the storage stanzas is identical
+to that used to [configure Vault](/docs/configuration/storage/index.html),
+with the only difference being that two stanzas are required: `storage_source` and `storage_destination`.
+
+```hcl
+storage_source "mysql" {
+  username = "user1234"
+  password = "secret123!"
+  database = "vault"
+}
+
+storage_destination "consul" {
+  address = "127.0.0.1:8500"
+  path    = "vault"
+}
+```
+
+## Usage
+
+The following flags are available for the `operator migrate` command.
+
+- `-config` `(string: <required>)` - Path to the migration configuration file.
+
+- `-start` `(string: "")` - Migration starting key prefix. Only keys at or after this value will be copied.
+
+- `-reset` - Reset the migration lock. A lock file is added during migration to prevent
+  starting the Vault server or another migration. The `-reset` option can be used to
+  remove a stale lock file if present.
diff --git a/website/pages/docs/commands/operator/rekey.mdx b/website/pages/docs/commands/operator/rekey.mdx
new file mode 100644
index 000000000000..34e3e07cb410
--- /dev/null
+++ b/website/pages/docs/commands/operator/rekey.mdx
@@ -0,0 +1,155 @@
+---
+layout: docs
+page_title: operator rekey - Command
+sidebar_title: <code>rekey</code>
+description: |-
+  The "operator rekey" command generates a new set of unseal keys. This can
+  optionally change the total number of key shares or the required threshold of
+  those key shares to reconstruct the master key. This operation is zero
+  downtime, but it requires the Vault is unsealed and a quorum of existing
+  unseal keys are provided.
+---
+
+# operator rekey
+
+The `operator rekey` command generates a new set of unseal keys. This can
+optionally change the total number of key shares or the required threshold of
+those key shares to reconstruct the master key. This operation is zero downtime,
+but it requires the Vault is unsealed and a quorum of existing unseal keys are
+provided.
+
+An unseal key may be provided directly on the command line as an argument to the
+command. If key is specified as "-", the command will read from stdin. If a TTY
+is available, the command will prompt for text.
+
+Please see the [rotating and rekeying](/guides/operations/rekeying-and-rotating.html) for
+step-by-step instructions.
+
+## Examples
+
+Initialize a rekey:
+
+```text
+$ vault operator rekey \
+    -init \
+    -key-shares=15 \
+    -key-threshold=9
+```
+
+Initialize a rekey and activate the verification process:
+
+```text
+$ vault operator rekey \
+    -init \
+    -key-shares=15 \
+    -key-threshold=9 \
+    -verify
+```
+
+Rekey and encrypt the resulting unseal keys with PGP:
+
+```text
+$ vault operator rekey \
+    -init \
+    -key-shares=3 \
+    -key-threshold=2 \
+    -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
+```
+
+Rekey an Auto Unseal vault and encrypt the resulting recovery keys with PGP:
+
+```text
+$ vault operator rekey \
+    -target=recovery \
+    -init \
+    -pgp-keys=keybase:grahamhashicorp
+    -key-shares=1
+    -key-threshold=1
+```
+
+Store encrypted PGP keys in Vault's core:
+
+```text
+$ vault operator rekey \
+    -init \
+    -pgp-keys="..." \
+    -backup
+```
+
+Retrieve backed-up unseal keys:
+
+```text
+$ vault operator rekey -backup-retrieve
+```
+
+Delete backed-up unseal keys:
+
+```text
+$ vault operator rekey -backup-delete
+```
+
+Perform the verification of the rekey using the verification nonce:
+
+```text
+$ vault operator rekey -verify -nonce="..."
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-cancel` `(bool: false)` - Reset the rekeying progress. This will discard any submitted unseal keys
+  or configuration. The default is false.
+
+- `-init` `(bool: false)` - Initialize the rekeying operation. This can only be
+  done if no rekeying operation is in progress. Customize the new number of key
+  shares and key threshold using the `-key-shares` and `-key-threshold flags`.
+
+- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
+  key into. This is the number of "unseal keys" to generate. This is aliased as
+  `-n`
+
+- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
+  master key. This must be less than or equal to -key-shares. This is aliased as
+  `-t`.
+
+- `-nonce` `(string: "")` - Nonce value provided at initialization. The same
+  nonce value must be provided with each unseal key.
+
+- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
+  containing public GPG keys OR a comma-separated list of Keybase usernames
+  using the format `keybase:<username>`. When supplied, the generated unseal
+  keys will be encrypted and base64-encoded in the order specified in this list.
+
+- `-status` `(bool: false)` - Print the status of the current attempt without
+  providing an unseal key. The default is false.
+
+- `-target` `(string: "barrier")` - Target for rekeying. "recovery" only applies
+  when HSM support is enabled or using [Auto Unseal](/docs/concepts/seal.html#auto-unseal).
+
+- `-verify` `(bool: false)` - Indicate during the phase `-init` that the
+  verification process is activated for the rekey. Along with `-nonce` option
+  it indicates that the nonce given is for the verification process.
+
+### Backup Options
+
+- `-backup` `(bool: false)` - Store a backup of the current PGP encrypted unseal
+  keys in Vault's core. The encrypted values can be recovered in the event of
+  failure or discarded after success. See the -backup-delete and
+  -backup-retrieve options for more information. This option only applies when
+  the existing unseal keys were PGP encrypted.
+
+- `-backup-delete` `(bool: false)` - Delete any stored backup unseal keys.
+
+- `-backup-retrieve` `(bool: false)` - Retrieve the backed-up unseal keys. This
+  option is only available if the PGP keys were provided and the backup has not
+  been deleted.
diff --git a/website/pages/docs/commands/operator/rotate.mdx b/website/pages/docs/commands/operator/rotate.mdx
new file mode 100644
index 000000000000..6f029b8af68a
--- /dev/null
+++ b/website/pages/docs/commands/operator/rotate.mdx
@@ -0,0 +1,42 @@
+---
+layout: docs
+page_title: operator rotate - Command
+sidebar_title: <code>rotate</code>
+description: |-
+  The "operator rotate" rotates the underlying encryption key which is used to
+  secure data written to the storage backend. This installs a new key in the key
+  ring. This new key is used to encrypt new data, while older keys in the ring
+  are used to decrypt older data.
+---
+
+# operator rotate
+
+The `operator rotate` rotates the underlying encryption key which is used to
+secure data written to the storage backend. This installs a new key in the key
+ring. This new key is used to encrypted new data, while older keys in the ring
+are used to decrypt older data.
+
+This is an online operation and does not cause downtime. This command is run
+per-cluster (not per-server), since Vault servers in HA mode share the same
+storage backend.
+
+## Examples
+
+Rotate Vault's encryption key:
+
+```text
+$ vault operator rotate
+Key Term        3
+Install Time    01 May 17 10:30 UTC
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/operator/seal.mdx b/website/pages/docs/commands/operator/seal.mdx
new file mode 100644
index 000000000000..9015ce499eae
--- /dev/null
+++ b/website/pages/docs/commands/operator/seal.mdx
@@ -0,0 +1,43 @@
+---
+layout: docs
+page_title: operator seal - Command
+sidebar_title: <code>seal</code>
+description: >-
+  The "operator seal" command seals the Vault server. Sealing tells the Vault
+  server to
+
+  stop responding to any operations until it is unsealed. When sealed, the Vault
+
+  server discards its in-memory master key to unlock the data, so it is
+
+  physically blocked from responding to operations unsealed.
+---
+
+# operator seal
+
+The `operator seal` seals the Vault server. Sealing tells the Vault server to
+stop responding to any operations until it is unsealed. When sealed, the Vault
+server discards its in-memory master key to unlock the data, so it is physically
+blocked from responding to operations unsealed.
+
+If an unseal is in progress, sealing the Vault will reset the unsealing process.
+Users will have to re-enter their portions of the master key again.
+
+This command does nothing if the Vault server is already sealed.
+
+For more information on sealing and unsealing, please the [seal concepts
+page](/docs/concepts/seal.html).
+
+## Examples
+
+Seal a Vault server:
+
+```text
+$ vault operator seal
+Success! Vault is sealed.
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/operator/step-down.mdx b/website/pages/docs/commands/operator/step-down.mdx
new file mode 100644
index 000000000000..5ac72657a35e
--- /dev/null
+++ b/website/pages/docs/commands/operator/step-down.mdx
@@ -0,0 +1,30 @@
+---
+layout: docs
+page_title: operator step-down - Command
+sidebar_title: <code>step-down</code>
+description: |-
+  The "operator step-down" forces the Vault server at the given address to step
+  down from active duty.
+---
+
+# operator step-down
+
+The `operator step-down` forces the Vault server at the given address to step
+down from active duty. While the affected node will have a delay before
+attempting to acquire the leader lock again, if no other Vault nodes acquire the
+lock beforehand, it is possible for the same node to re-acquire the lock and
+become active again.
+
+## Examples
+
+Force a Vault server to step down as the leader:
+
+```text
+$ vault operator step-down
+Success! Stepped down: http://127.0.0.1:8200
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/operator/unseal.mdx b/website/pages/docs/commands/operator/unseal.mdx
new file mode 100644
index 000000000000..8312d7e270c9
--- /dev/null
+++ b/website/pages/docs/commands/operator/unseal.mdx
@@ -0,0 +1,63 @@
+---
+layout: docs
+page_title: operator unseal - Command
+sidebar_title: <code>unseal</code>
+description: |-
+  The "operator unseal" allows the user to provide a portion of the master key
+  to unseal a Vault server.
+---
+
+# operator unseal
+
+The `operator unseal` allows the user to provide a portion of the master key to
+unseal a Vault server. Vault starts in a sealed state. It cannot perform
+operations until it is unsealed. This command accepts a portion of the master
+key (an "unseal key").
+
+The unseal key can be supplied as an argument to the command, but this is
+not recommended as the unseal key will be available in your history:
+
+```text
+$ vault operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
+```
+
+Instead, run the command with no arguments and it will prompt for the key:
+
+```text
+$ vault operator unseal
+Key (will be hidden): IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
+```
+
+For more information on sealing and unsealing, please the [seal concepts
+page](/docs/concepts/seal.html).
+
+## Examples
+
+Provide an unseal key:
+
+```text
+$ vault operator unseal
+Key (will be hidden):
+Sealed: false
+Key Shares: 1
+Key Threshold: 1
+Unseal Progress: 0
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-migrate` `(bool: false)` - Indicate that this share is provided with the intent that it is part of a seal migration process.
+
+- `-reset` `(bool: false)` - Discard any previously entered keys to the unseal
+  process.
diff --git a/website/pages/docs/commands/path-help.mdx b/website/pages/docs/commands/path-help.mdx
new file mode 100644
index 000000000000..eae50d34632e
--- /dev/null
+++ b/website/pages/docs/commands/path-help.mdx
@@ -0,0 +1,92 @@
+---
+layout: docs
+page_title: path-help - Command
+sidebar_title: <code>path-help</code>
+description: |-
+  The "path-help" command retrieves API help for paths. All endpoints in Vault
+  provide built-in help in markdown format. This includes system paths, secret
+  engines, and auth methods.
+---
+
+# path-help
+
+The `path-help` command retrieves API help for paths. All endpoints in Vault
+provide built-in help in markdown format. This includes system paths, secret
+engines, and auth methods.
+
+The help system is the easiest way to learn how to use the various systems
+in Vault, and also allows you to discover new paths.
+
+Before using `path-help`, it is important to understand "paths" within Vault.
+Paths are the parameters used for `vault read`, `vault write`, etc. An example
+path is `secret/foo`, or `aws/config/root`. The paths available depend on the
+secrets engines in use. Because of this, the interactive help is an
+indispensable tool to finding what paths are supported.
+
+To discover what paths are supported, use `vault path-help PATH`. For example,
+if you enabled the AWS secrets engine, you can use `vault path-help aws` to find
+the paths supported by that backend. The paths are shown with regular
+expressions, which can make them hard to parse, but they are also extremely
+exact.
+
+## Examples
+
+Get help output for the KV secrets engine:
+
+```text
+$ vault path-help secret
+## DESCRIPTION
+
+The KV backend reads and writes arbitrary secrets to the backend.
+The secrets are encrypted/decrypted by Vault: they are never stored
+unencrypted in the backend and the backend never has an opportunity to
+see the unencrypted value.
+
+Leases can be set on a per-secret basis. These leases will be sent down
+when that secret is read, and it is assumed that some outside process will
+revoke and/or replace the secret at that path.
+
+## PATHS
+
+The following paths are supported by this backend. To view help for
+any of the paths below, use the help command with any route matching
+the path pattern. Note that depending on the policy of your auth token,
+you may or may not be able to access certain paths.
+
+    ^.*$
+        Pass-through secret storage to the storage backend, allowing you to
+        read/write arbitrary data into secret storage.
+```
+
+Once you've found a path you like, you can learn more about it by using `vault path-help <path>` where "path" is a path that matches one of the regular
+expressions from the backend help.
+
+```text
+$ vault path-help secret/password
+Request:        password
+Matching Route: ^.*$
+
+Pass-through secret storage to the storage backend, allowing you to
+read/write arbitrary data into secret storage.
+
+## PARAMETERS
+
+    lease (string)
+        Lease time for this key when read. Ex: 1h
+
+## DESCRIPTION
+
+The pass-through backend reads and writes arbitrary data into secret storage,
+encrypting it along the way.
+
+A lease can be specified when writing with the "lease" field. If given, then
+when the secret is read, Vault will report a lease with that duration. It
+is expected that the consumer of this backend properly writes renewed keys
+before the lease is up. In addition, revocation must be handled by the
+user of this backend.
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/plugin/deregister.mdx b/website/pages/docs/commands/plugin/deregister.mdx
new file mode 100644
index 000000000000..9996d2e50023
--- /dev/null
+++ b/website/pages/docs/commands/plugin/deregister.mdx
@@ -0,0 +1,28 @@
+---
+layout: docs
+page_title: plugin deregister - Command
+sidebar_title: <code>deregister</code>
+description: |-
+  The "plugin deregister" command deregisters a new plugin in Vault's plugin
+  catalog.
+---
+
+# plugin deregister
+
+The `plugin deregister` command deregisters an existing plugin from Vault's
+plugin catalog. If the plugin does not exist, no error is returned. The plugin's
+type of "auth", "database", or "secret" must be included.
+
+## Examples
+
+Deregister a plugin:
+
+```text
+$ vault plugin deregister auth my-custom-plugin
+Success! Deregistered plugin (if it was registered): my-custom-plugin
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/plugin/index.mdx b/website/pages/docs/commands/plugin/index.mdx
new file mode 100644
index 000000000000..972d2c37b02a
--- /dev/null
+++ b/website/pages/docs/commands/plugin/index.mdx
@@ -0,0 +1,63 @@
+---
+layout: docs
+page_title: plugin - Command
+sidebar_title: <code>plugin</code>
+description: |-
+  The "plugin" command groups subcommands for interacting with
+  Vault's plugins and the plugin catalog.
+---
+
+# plugin
+
+The `plugin` command groups subcommands for interacting with Vault's plugins and
+the plugin catalog
+
+## Examples
+
+List all available plugins in the catalog:
+
+```text
+$ vault plugin list
+
+Plugins
+-------
+my-custom-plugin
+# ...
+```
+
+Register a new plugin to the catalog:
+
+```text
+$ vault plugin register \
+  -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
+  my-custom-plugin
+Success! Registered plugin: my-custom-plugin
+```
+
+Get information about a plugin in the catalog:
+
+```text
+$ vault plugin info my-custom-plugin
+Key        Value
+---        -----
+command    my-custom-plugin
+name       my-custom-plugin
+sha256     d3f0a8be02f6c074cf38c9c99d4d04c9c6466249
+```
+
+## Usage
+
+```text
+Usage: vault plugin <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    deregister    Deregister an existing plugin in the catalog
+    list          Lists available plugins
+    read          Read information about a plugin in the catalog
+    register      Registers a new plugin in the catalog
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/plugin/info.mdx b/website/pages/docs/commands/plugin/info.mdx
new file mode 100644
index 000000000000..bba9797e8212
--- /dev/null
+++ b/website/pages/docs/commands/plugin/info.mdx
@@ -0,0 +1,43 @@
+---
+layout: docs
+page_title: plugin info - Command
+sidebar_title: <code>info</code>
+description: The "plugin info" command displays information about a plugin in the catalog.
+---
+
+# plugin info
+
+The `plugin info` displays information about a plugin in the catalog.
+The plugin's type of "auth", "database", or "secret" must be included.
+
+## Examples
+
+Display information about a plugin
+
+```text
+$ vault plugin info auth my-custom-plugin
+
+Key        Value
+---        -----
+args       []
+builtin    false
+command    my-custom-plugin
+name       my-custom-plugin
+sha256     d3f0a8be02f6c074cf38c9c99d4d04c9c6466249
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other
+  processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/plugin/list.mdx b/website/pages/docs/commands/plugin/list.mdx
new file mode 100644
index 000000000000..c343e1e5dcb9
--- /dev/null
+++ b/website/pages/docs/commands/plugin/list.mdx
@@ -0,0 +1,41 @@
+---
+layout: docs
+page_title: plugin list - Command
+sidebar_title: <code>list</code>
+description: The "plugin list" command lists all available plugins in the plugin catalog.
+---
+
+# plugin list
+
+The `plugin list` command lists all available plugins in the plugin catalog.
+It can be used alone or with a type such as "auth", "database", or "secret".
+
+## Examples
+
+List all available plugins in the catalog.
+
+```text
+$ vault plugin list
+
+Plugins
+-------
+my-custom-plugin
+# ...
+
+$ vault plugin list database
+Plugins
+-------
+cassandra-database-plugin
+# ...
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/plugin/register.mdx b/website/pages/docs/commands/plugin/register.mdx
new file mode 100644
index 000000000000..98a3eab4df67
--- /dev/null
+++ b/website/pages/docs/commands/plugin/register.mdx
@@ -0,0 +1,54 @@
+---
+layout: docs
+page_title: plugin register - Command
+sidebar_title: <code>register</code>
+description: |-
+  The "plugin register" command registers a new plugin in Vault's plugin
+  catalog.
+---
+
+# plugin register
+
+The `plugin register` command registers a new plugin in Vault's plugin catalog.
+The plugin's type of "auth", "database", or "secret" must be included.
+
+## Examples
+
+Register a plugin:
+
+```text
+$ vault plugin register \
+    -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
+    auth my-custom-plugin
+Success! Registered plugin: my-custom-plugin
+```
+
+Register a plugin with custom args:
+
+```text
+$ vault plugin register \
+    -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
+    -args=--with-glibc,--with-curl-bindings \
+    auth my-custom-plugin
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-sha256` `(string: <required>)` - Checksum (SHA256) of the plugin binary.
+
+- `-args` `(string: "")` - List of arguments to pass to the binary plugin during
+  each invocation. Specify multiple arguments with commas.
+
+- `-command` `(string: "")` - Name of the command to run to invoke the binary.
+  By default, this is the name of the plugin.
diff --git a/website/pages/docs/commands/policy/delete.mdx b/website/pages/docs/commands/policy/delete.mdx
new file mode 100644
index 000000000000..dff346e37b93
--- /dev/null
+++ b/website/pages/docs/commands/policy/delete.mdx
@@ -0,0 +1,31 @@
+---
+layout: docs
+page_title: policy delete - Command
+sidebar_title: <code>delete</code>
+description: |-
+  The "policy delete" command deletes the policy named NAME in the Vault server.
+  Once the policy is deleted, all tokens associated with the policy are affected
+  immediately.
+---
+
+# policy delete
+
+The `policy delete` command deletes the policy named NAME in the Vault server.
+Once the policy is deleted, all tokens associated with the policy are affected
+immediately.
+
+Note that it is not possible to delete the "default" or "root" policies. These
+are built-in policies.
+
+## Examples
+
+Delete the policy named "my-policy":
+
+```text
+$ vault policy delete my-policy
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/policy/fmt.mdx b/website/pages/docs/commands/policy/fmt.mdx
new file mode 100644
index 000000000000..4ea8e75ad714
--- /dev/null
+++ b/website/pages/docs/commands/policy/fmt.mdx
@@ -0,0 +1,28 @@
+---
+layout: docs
+page_title: policy fmt - Command
+sidebar_title: <code>fmt</code>
+description: |-
+  The "policy fmt" formats a local policy file to the policy specification. This
+  command will overwrite the file at the given PATH with the properly-formatted
+  policy file contents.
+---
+
+# policy fmt
+
+The `policy fmt` formats a local policy file to the policy specification. This
+command will overwrite the file at the given PATH with the properly-formatted
+policy file contents.
+
+## Examples
+
+Format the local file "my-policy.hcl":
+
+```text
+$ vault policy fmt my-policy.hcl
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/policy/index.mdx b/website/pages/docs/commands/policy/index.mdx
new file mode 100644
index 000000000000..ef42509b4f7a
--- /dev/null
+++ b/website/pages/docs/commands/policy/index.mdx
@@ -0,0 +1,53 @@
+---
+layout: docs
+page_title: policy - Command
+sidebar_title: <code>policy</code>
+description: |-
+  The "policy" command groups subcommands for interacting with policies. Users
+  can write, read, and list policies in Vault.
+---
+
+# policy
+
+The `policy` command groups subcommands for interacting with policies. Users can
+write, read, and list policies in Vault.
+
+For more information, please see the [policy
+documentation](/docs/concepts/policies.html).
+
+## Examples
+
+List all enabled policies:
+
+```text
+$ vault policy list
+```
+
+Create a policy named "my-policy" from contents on local disk:
+
+```text
+$ vault policy write my-policy ./my-policy.hcl
+```
+
+Delete the policy named my-policy:
+
+```text
+$ vault policy delete my-policy
+```
+
+## Usage
+
+```text
+Usage: vault policy <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    delete    Deletes a policy by name
+    list      Lists the installed policies
+    read      Prints the contents of a policy
+    write     Uploads a named policy from a file
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/policy/list.mdx b/website/pages/docs/commands/policy/list.mdx
new file mode 100644
index 000000000000..896ac05758f2
--- /dev/null
+++ b/website/pages/docs/commands/policy/list.mdx
@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: policy list - Command
+sidebar_title: <code>list</code>
+description: |-
+  The "policy list" command Lists the names of the policies that are installed
+  on the Vault server.
+---
+
+# policy list
+
+The `policy list` command Lists the names of the policies that are installed on
+the Vault server.
+
+## Examples
+
+List the available policies:
+
+```text
+$ vault policy list
+default
+root
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/policy/read.mdx b/website/pages/docs/commands/policy/read.mdx
new file mode 100644
index 000000000000..e58de66f1cc1
--- /dev/null
+++ b/website/pages/docs/commands/policy/read.mdx
@@ -0,0 +1,32 @@
+---
+layout: docs
+page_title: policy read - Command
+sidebar_title: <code>read</code>
+description: |-
+  The "policy read" command prints the contents and metadata of the Vault policy
+  named NAME. If the policy does not exist, an error is returned.
+---
+
+# policy read
+
+The `policy read` command prints the contents and metadata of the Vault policy
+named NAME. If the policy does not exist, an error is returned.
+
+## Examples
+
+Read the policy named "my-policy":
+
+```text
+$ vault policy read my-policy
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/policy/write.mdx b/website/pages/docs/commands/policy/write.mdx
new file mode 100644
index 000000000000..eec677d84b7a
--- /dev/null
+++ b/website/pages/docs/commands/policy/write.mdx
@@ -0,0 +1,37 @@
+---
+layout: docs
+page_title: policy write - Command
+sidebar_title: <code>write</code>
+description: |-
+  The "policy write" command uploads a policy with name NAME from the contents
+  of a local file PATH or stdin. If PATH is "-", the policy is read from stdin.
+  Otherwise, it is loaded from the file at the given path on the local disk.
+---
+
+# policy write
+
+The `policy write` command uploads a policy with name NAME from the contents of
+a local file PATH or stdin. If PATH is "-", the policy is read from stdin.
+Otherwise, it is loaded from the file at the given path on the local disk.
+
+For details on the policy syntax, please see the [policy
+documentation](/docs/concepts/policies.html).
+
+## Examples
+
+Upload a policy named "my-policy" from "/tmp/policy.hcl" on the local disk:
+
+```text
+$ vault policy write my-policy /tmp/policy.hcl
+```
+
+Upload a policy from stdin:
+
+```text
+$ cat my-policy.hcl | vault policy write my-policy -
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/read.mdx b/website/pages/docs/commands/read.mdx
new file mode 100644
index 000000000000..8ce767bbb844
--- /dev/null
+++ b/website/pages/docs/commands/read.mdx
@@ -0,0 +1,44 @@
+---
+layout: docs
+page_title: read - Command
+sidebar_title: <code>read</code>
+description: |-
+  The "read" command reads data from Vault at the given path. This can be used
+  to read secrets, generate dynamic credentials, get configuration details, and
+  more.
+---
+
+# read
+
+The `read` command reads data from Vault at the given path. This can be used to
+read secrets, generate dynamic credentials, get configuration details, and more.
+
+For a full list of examples and paths, please see the documentation that
+corresponds to the secrets engine in use.
+
+## Examples
+
+Read a secret from the static secrets engine:
+
+```text
+$ vault read secret/my-secret
+Key                 Value
+---                 -----
+refresh_interval    768h
+foo                 bar
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/secrets/disable.mdx b/website/pages/docs/commands/secrets/disable.mdx
new file mode 100644
index 000000000000..454130d334b6
--- /dev/null
+++ b/website/pages/docs/commands/secrets/disable.mdx
@@ -0,0 +1,31 @@
+---
+layout: docs
+page_title: secrets disable - Command
+sidebar_title: <code>disable</code>
+description: |-
+  The "secrets disable" command disables an secrets engine at a given PATH. The
+  argument corresponds to the enabled PATH of the engine, not the TYPE! All
+  secrets created by this engine are revoked and its Vault data is removed.
+---
+
+# secrets disable
+
+The `secrets disable` command disables an secrets engine at a given PATH. The
+argument corresponds to the enabled PATH of the engine, not the TYPE! All
+secrets created by this engine are revoked and its Vault data is removed.
+
+Once an secrets engine is disabled, **all secrets generated via the secrets
+engine are immediately revoked.**
+
+## Examples
+
+Disable the secrets engine enabled at aws/:
+
+```text
+$ vault secrets disable aws/
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/secrets/enable.mdx b/website/pages/docs/commands/secrets/enable.mdx
new file mode 100644
index 000000000000..ce9f23889d08
--- /dev/null
+++ b/website/pages/docs/commands/secrets/enable.mdx
@@ -0,0 +1,84 @@
+---
+layout: docs
+page_title: secrets enable - Command
+sidebar_title: <code>enable</code>
+description: |-
+  The "secrets enable" command enables an secrets engine at a given path. If an
+  secrets engine already exists at the given path, an error is returned. After
+  the secrets engine is enabled, it usually needs configuration. The
+  configuration varies by secrets engine.
+---
+
+# secrets enable
+
+The `secrets enable` command enables an secrets engine at a given path. If an
+secrets engine already exists at the given path, an error is returned. After the
+secrets engine is enabled, it usually needs configuration. The configuration
+varies by secrets engine.
+
+By default, secrets engines are enabled at the path corresponding to their TYPE,
+but users can customize the path using the `-path` option.
+
+Some secrets engines persist data, some act as data pass-through, and some
+generate dynamic credentials. The secrets engine will likely require
+configuration after it is mounted. For details on the specific configuration
+options, please see the [secrets engine
+documentation](/docs/secrets/index.html).
+
+## Examples
+
+Enable the AWS secrets engine at "aws/":
+
+```text
+$ vault secrets enable aws
+Success! Enabled the aws secrets engine at: aws/
+```
+
+Enable the SSH secrets engine at ssh-prod/:
+
+```text
+$ vault secrets enable -path=ssh-prod ssh
+```
+
+Enable the database secrets engine with an explicit maximum TTL of 30m:
+
+```text
+$ vault secrets enable -max-lease-ttl=30m database
+```
+
+Enable a custom plugin (after it is registered in the plugin registry):
+
+```text
+$ vault secrets enable -path=my-secrets my-plugin
+```
+
+For more information on the specific configuration options and paths, please see
+the [secrets engine](/docs/secrets/index.html) documentation.
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets
+  engine. If unspecified, this defaults to the Vault server's globally
+  configured default lease TTL.
+
+- `-description` `(string: "")` - Human-friendly description for the purpose of
+  this engine.
+
+- `-force-no-cache` `(bool: false)` - Force the secrets engine to disable
+  caching. If unspecified, this defaults to the Vault server's globally
+  configured cache settings. This does not affect caching of the underlying
+  encrypted data storage.
+
+- `-local` `(bool: false)` - Mark the secrets engine as local-only. Local
+  engines are not replicated or removed by replication.
+
+- `-max-lease-ttl` `(duration: "")` The maximum lease TTL for this secrets
+  engine. If unspecified, this defaults to the Vault server's globally
+  configured maximum lease TTL.
+
+- `-path` `(string: "")` Place where the secrets engine will be accessible. This
+  must be unique cross all secrets engines. This defaults to the "type" of the
+  secrets engine.
diff --git a/website/pages/docs/commands/secrets/index.mdx b/website/pages/docs/commands/secrets/index.mdx
new file mode 100644
index 000000000000..025857824a45
--- /dev/null
+++ b/website/pages/docs/commands/secrets/index.mdx
@@ -0,0 +1,80 @@
+---
+layout: docs
+page_title: secrets - Command
+sidebar_title: <code>secrets</code>
+description: |-
+  The "secrets" command groups subcommands for interacting with Vault's secrets
+  engines.
+---
+
+# secrets
+
+The `secrets` command groups subcommands for interacting with Vault's secrets
+engines. Each secrets engine behaves differently. Please see the documentation
+for more information.
+
+Some secrets engines persist data, some act as data pass-through, and some
+generate dynamic credentials. The secrets engine will likely require
+configuration after it is mounted. For details on the specific configuration
+options, please see the [secrets engine
+documentation](/docs/secrets/index.html).
+
+## Examples
+
+Enable a secrets engine:
+
+```text
+$ vault secrets enable database
+Success! Enabled the database secrets engine at: database/
+```
+
+List all secrets engines:
+
+```text
+$ vault secrets list
+Path          Type         Description
+----          ----         -----------
+cubbyhole/    cubbyhole    per-token private secret storage
+database/     database     n/a
+secret/       kv           key/value secret storage
+sys/          system       system endpoints used for control, policy and debugging
+```
+
+Move a secrets engine to a new path:
+
+```text
+$ vault secrets move database/ db-prod/
+Success! Moved secrets engine database/ to: db-prod/
+```
+
+Tune a secrets engine:
+
+```text
+$ vault secrets tune -max-lease-ttl=30m db-prod/
+Success! Tuned the secrets engine at: db-prod/
+```
+
+Disable a secrets engine:
+
+```text
+$ vault secrets disable db-prod/
+Success! Disabled the secrets engine (if it existed) at: db-prod/
+```
+
+## Usage
+
+```text
+Usage: vault secrets <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    disable    Disable a secrets engine
+    enable     Enable a secrets engine
+    list       List enabled secrets engines
+    move       Move a secrets engine to a new path
+    tune       Tune a secrets engine configuration
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/secrets/list.mdx b/website/pages/docs/commands/secrets/list.mdx
new file mode 100644
index 000000000000..79b85fac42e3
--- /dev/null
+++ b/website/pages/docs/commands/secrets/list.mdx
@@ -0,0 +1,57 @@
+---
+layout: docs
+page_title: secrets list - Command
+sidebar_title: <code>list</code>
+description: |-
+  The "secrets list" command lists the enabled secrets engines on the Vault
+  server. This command also outputs information about the enabled path including
+  configured TTLs and human-friendly descriptions. A TTL of "system" indicates
+  that the system default is in use.
+---
+
+# secrets list
+
+The `secrets list` command lists the enabled secrets engines on the Vault server.
+This command also outputs information about the enabled path including
+configured TTLs and human-friendly descriptions. A TTL of "system" indicates
+that the system default is in use.
+
+## Examples
+
+List all enabled secrets engines:
+
+```text
+$ vault secrets list
+Path          Type         Description
+----          ----         -----------
+cubbyhole/    cubbyhole    per-token private secret storage
+secret/       kv           key/value secret storage
+sys/          system       system endpoints used for control, policy and debugging
+```
+
+List all enabled secrets engines with detailed output:
+
+```text
+$ vault secrets list -detailed
+Path          Type         Accessor              Plugin    Default TTL    Max TTL    Force No Cache    Replication    Description
+----          ----         --------              ------    -----------    -------    --------------    -----------    -----------
+cubbyhole/    cubbyhole    cubbyhole_10fbb584    n/a       n/a            n/a        false             local          per-token private secret storage
+secret/       kv           kv_167ce199           n/a       system         system     false             replicated     key/value secret storage
+sys/          system       system_a9fd745d       n/a       n/a            n/a        false             replicated     system endpoints used for control, policy and debugging
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-detailed` `(bool: false)` - Print detailed information such as configuration
+  and replication status about each secrets engine.
diff --git a/website/pages/docs/commands/secrets/move.mdx b/website/pages/docs/commands/secrets/move.mdx
new file mode 100644
index 000000000000..80a6a4158b4f
--- /dev/null
+++ b/website/pages/docs/commands/secrets/move.mdx
@@ -0,0 +1,31 @@
+---
+layout: docs
+page_title: secrets move - Command
+sidebar_title: <code>move</code>
+description: |-
+  The "secrets move" command moves an existing secrets engine to a new path. Any
+  leases from the old secrets engine are revoked, but all configuration
+  associated with the engine is preserved.
+---
+
+# secrets move
+
+The `secrets move` command moves an existing secrets engine to a new path. Any
+leases from the old secrets engine are revoked, but all configuration associated
+with the engine is preserved.
+
+**Moving an existing secrets engine will revoke any leases from the old
+engine.**
+
+## Examples
+
+Move the existing secrets engine at secret/ to kv/:
+
+```text
+$ vault secrets move secret/ kv/
+```
+
+## Usage
+
+There are no flags beyond the [standard set of flags](/docs/commands/index.html)
+included on all commands.
diff --git a/website/pages/docs/commands/secrets/tune.mdx b/website/pages/docs/commands/secrets/tune.mdx
new file mode 100644
index 000000000000..ea1dbd08ed64
--- /dev/null
+++ b/website/pages/docs/commands/secrets/tune.mdx
@@ -0,0 +1,38 @@
+---
+layout: docs
+page_title: secrets tune - Command
+sidebar_title: <code>tune</code>
+description: |-
+  The "secrets tune" command tunes the configuration options for the secrets
+  engine at the given PATH. The argument corresponds to the PATH where the
+  secrets engine is enabled, not the TYPE!
+---
+
+# secrets tune
+
+The `secrets tune` command tunes the configuration options for the secrets
+engine at the given PATH. The argument corresponds to the PATH where the secrets
+engine is enabled, not the TYPE!
+
+## Examples
+
+Tune the default lease for the PKI secrets engine:
+
+```text
+$ vault secrets tune -default-lease-ttl=72h pki/
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets
+  engine. If unspecified, this defaults to the Vault server's globally
+  configured default lease TTL, or a previously configured value for the secrets
+  engine.
+
+- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets
+  engine. If unspecified, this defaults to the Vault server's globally
+  configured maximum lease TTL, or a previously configured value for the secrets
+  engine.
diff --git a/website/pages/docs/commands/server.mdx b/website/pages/docs/commands/server.mdx
new file mode 100644
index 000000000000..1a621b533247
--- /dev/null
+++ b/website/pages/docs/commands/server.mdx
@@ -0,0 +1,82 @@
+---
+layout: docs
+page_title: server - Command
+sidebar_title: <code>server</code>
+description: |-
+  The "server" command starts a Vault server that responds to API requests. By
+  default, Vault will start in a "sealed" state. The Vault cluster must be
+  initialized before use.
+---
+
+# server
+
+The `server` command starts a Vault server that responds to API requests. By
+default, Vault will start in a "sealed" state. The Vault cluster must be
+initialized before use, usually by the `vault operator init` command. Each Vault
+server must also be unsealed using the `vault operator unseal` command or the
+API before the server can respond to requests.
+
+For more information, please see:
+
+- [`operator init` command](/docs/commands/operator/init.html) for information
+  on initializing a Vault server.
+
+- [`operator unseal` command](/docs/commands/operator/unseal.html) for
+  information on providing unseal keys.
+
+- [Vault configuration](/docs/configuration/index.html) for the syntax and
+  various configuration options for a Vault server.
+
+## Examples
+
+Start a server with a configuration file:
+
+```text
+$ vault server -config=/etc/vault/config.hcl
+```
+
+Run in "dev" mode with a custom initial root token:
+
+```text
+$ vault server -dev -dev-root-token-id="root"
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Command Options
+
+- `-config` `(string: "")` - Path to a configuration file or directory of
+  configuration files. This flag can be specified multiple times to load
+  multiple configurations. If the path is a directory, all files which end in
+  .hcl or .json are loaded.
+
+- `-log-level` `(string: "info")` - Log verbosity level. Supported values (in
+  order of detail) are "trace", "debug", "info", "warn", and "err". This can
+  also be specified via the VAULT_LOG_LEVEL environment variable.
+
+- `-log-format` `(string: "standard")` - Log format. Supported values
+  are "standard" and "json". This can also be specified via the
+  VAULT_LOG_FORMAT environment variable.
+
+### Dev Options
+
+- `-dev` `(bool: false)` - Enable development mode. In this mode, Vault runs
+  in-memory and starts unsealed. As the name implies, do not run "dev" mode in
+  production.
+
+- `-dev-listen-address` `(string: "127.0.0.1:8200")` - Address to bind to in
+  "dev" mode. This can also be specified via the `VAULT_DEV_LISTEN_ADDRESS`
+  environment variable.
+
+- `-dev-root-token-id` `(string: "")` - Initial root token. This only applies
+  when running in "dev" mode. This can also be specified via the
+  `VAULT_DEV_ROOT_TOKEN_ID` environment variable.
+
+- `-dev-no-store-token` `(string: "")` - Do not persist the dev root token to
+  the token helper (usually the local filesystem) for use in future requests.
+  The token will only be displayed in the command output.
+
+- `-dev-plugin-dir` `(string: "")` - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.
diff --git a/website/pages/docs/commands/ssh.mdx b/website/pages/docs/commands/ssh.mdx
new file mode 100644
index 000000000000..ba832d106b7a
--- /dev/null
+++ b/website/pages/docs/commands/ssh.mdx
@@ -0,0 +1,107 @@
+---
+layout: docs
+page_title: ssh - Command
+sidebar_title: <code>ssh</code>
+description: |-
+  The "ssh" command establishes an SSH connection with the target machine using
+  credentials obtained from an SSH secrets engine.
+---
+
+# ssh
+
+The `ssh` command establishes an SSH connection with the target machine.
+
+This command uses one of the SSH secrets engines to authenticate and
+automatically establish an SSH connection to a host. This operation requires
+that the SSH secrets engine is mounted and configured.
+
+The user must have `ssh` installed locally - this command will exec out to it
+with the proper commands to provide an "SSH-like" consistent experience.
+
+## Examples
+
+SSH using the OTP mode (requires [sshpass](https://linux.die.net/man/1/sshpass)
+for full automation):
+
+```text
+$ vault ssh -mode=otp -role=my-role user@1.2.3.4
+```
+
+SSH using the CA mode:
+
+```text
+$ vault ssh -mode=ca -role=my-role user@1.2.3.4
+```
+
+SSH using CA mode with host key verification:
+
+```text
+$ vault ssh \
+    -mode=ca \
+    -role=my-role \
+    -host-key-mount-point=host-signer \
+    -host-key-hostnames=example.com \
+    user@example.com
+```
+
+For step-by-step guides and instructions for each of the available SSH
+auth methods, please see the corresponding [SSH secrets
+engine](/docs/secrets/ssh/index.html).
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### SSH Options
+
+- `-mode` `(string: "")` - Name of the authentication mode (ca, dynamic, otp)."
+
+- `-mount-point` `(string: "ssh/")` - Mount point to the SSH secrets engine.
+
+- `-no-exec` `(bool: false)` - Print the generated credentials, but do not
+  establish a connection.
+
+- `-role` `(string: "")` - Name of the role to use to generate the key.
+
+- `-strict-host-key-checking` `(string: "")` - Value to use for the SSH
+  configuration option "StrictHostKeyChecking". The default is ask. This can
+  also be specified via the `VAULT_SSH_STRICT_HOST_KEY_CHECKING` environment
+  variable.
+
+- `-user-known-hosts-file` `(string: "~/.ssh/known_hosts")` - Value to use for
+  the SSH configuration option "UserKnownHostsFile". This can also be specified
+  via the `VAULT_SSH_USER_KNOWN_HOSTS_FILE` environment variable.
+
+### CA Mode Options
+
+- `-host-key-hostnames` `(string: "*")` - List of hostnames to delegate for the
+  CA. The default value allows all domains and IPs. This is specified as a
+  comma-separated list of values. This can also be specified via the
+  `VAULT_SSH_HOST_KEY_HOSTNAMES` environment variable.
+
+- `-host-key-mount-point` `(string: "")` - Mount point to the SSH
+  secrets engine where host keys are signed. When given a value, Vault will
+  generate a custom "known_hosts" file with delegation to the CA at the provided
+  mount point to verify the SSH connection's host keys against the provided CA.
+  By default, host keys are validated against the user's local "known_hosts"
+  file. This flag forces strict key host checking and ignores a custom user
+  known hosts file. This can also be specified via the
+  `VAULT_SSH_HOST_KEY_MOUNT_POINT` environment variable.
+
+- `-private-key-path` `(string: "~/.ssh/id_rsa")` - Path to the SSH private key
+  to use for authentication. This must be the corresponding private key to
+  `-public-key-path`.
+
+- `-public-key-path` `(string: "~/.ssh/id_rsa.pub")` - Path to the SSH public
+  key to send to Vault for signing.
diff --git a/website/pages/docs/commands/status.mdx b/website/pages/docs/commands/status.mdx
new file mode 100644
index 000000000000..a4ecb53385cc
--- /dev/null
+++ b/website/pages/docs/commands/status.mdx
@@ -0,0 +1,50 @@
+---
+layout: docs
+page_title: status - Command
+sidebar_title: <code>status</code>
+description: |-
+  The "status" command prints the current state of Vault including whether it is
+  sealed and if HA mode is enabled. This command prints regardless of whether
+  the Vault is sealed.
+---
+
+# status
+
+The `status` command prints the current state of Vault including whether it is
+sealed and if HA mode is enabled. This command prints regardless of whether the
+Vault is sealed.
+
+The exit code reflects the seal status:
+
+- 0 - unsealed
+- 1 - error
+- 2 - sealed
+
+## Examples
+
+Check the status:
+
+```text
+$ vault status
+Sealed: false
+Key Shares: 5
+Key Threshold: 3
+Unseal Progress: 0
+Unseal Nonce:
+Version: x.y.z
+Cluster Name: vault-cluster-49ffd45f
+Cluster ID: d2dad792-fb99-1c8d-452e-528d073ba205
+
+High-Availability Enabled: false
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/token-helper.mdx b/website/pages/docs/commands/token-helper.mdx
new file mode 100644
index 000000000000..f66d18a4ecd3
--- /dev/null
+++ b/website/pages/docs/commands/token-helper.mdx
@@ -0,0 +1,62 @@
+---
+layout: docs
+page_title: Token Helpers
+sidebar_title: Token Helpers
+description: >-
+  The Vault CLI supports external token helpers that make retrieving, setting
+  and erasing tokens simpler to use.
+---
+
+# Token Helpers
+
+The Vault CLI provides a built in tool for authenticating to any of the enabled auth backends. By default the Vault CLI will take the generated token after a successful authentication and store it on disk in the `~/.vault-token` file. This functionality can change in Vault via the use of a token helper. A token helper is an external program that Vault calls to save, retrieve or erase a saved token. The token helper could be a very simple script or a more complex program depending on your needs. The interface to the external token helper is extremely simple.
+
+## Configuration
+
+To configure a token helper, edit (or create) the file `~/.vault` and add a line similar to:
+
+```
+token_helper = "/path/to/token/helper.sh"
+```
+
+You will need to use the fully qualified path to the token helper script. The script should be executable.
+
+## Developing a Token Helper
+
+The interface to a token helper is extremely simple: the script is passed with one argument that could be `get`, `store` or `erase`. If the argument is `get`, the script should do whatever work it needs to do to retrieve the stored token and then print the token to `STDOUT`. If the argument is `store`, Vault is asking you to store the token. Finally, if the argument is `erase`, your program should erase the stored token.
+
+If your program succeeds, it should exit with status code 0. If it encounters an issue that prevents it from working, it should exit with some other status code. You should write a user-friendly error message to `STDERR`. You should never write anything other than the token to `STDOUT`, as Vault assumes whatever it gets on `STDOUT` is the token.
+
+### Example Token Helper
+
+This is an example token helper written in Ruby that stores and retrieves tokens in a json file called `~/.vault_tokens`. The key is the environment variable \$VAULT_ADDR, this allows the Vault user to easily store and retrieve tokens from a number of different Vault servers.
+
+```ruby
+#!/usr/bin/env ruby
+
+require 'json'
+
+unless ENV['VAULT_ADDR']
+  STDERR.puts "No VAULT_ADDR environment variable set. Set it and run me again!"
+  exit 100
+end
+
+begin
+  tokens = JSON.parse(File.read("#{ENV['HOME']}/.vault_tokens"))
+rescue Errno::ENOENT => e
+  # file doesn't exist so create a blank hash for it
+  tokens = {}
+end
+
+case ARGV.first
+when 'get'
+  print tokens[ENV['VAULT_ADDR']] if tokens[ENV['VAULT_ADDR']]
+  exit 0
+when 'store'
+  tokens[ENV['VAULT_ADDR']] = STDIN.read
+when 'erase'
+  tokens.delete!(ENV['VAULT_ADDR'])
+end
+
+File.open("#{ENV['HOME']}/.vault_tokens", 'w') { |file| file.write(tokens.to_json) }
+```
diff --git a/website/pages/docs/commands/token/capabilities.mdx b/website/pages/docs/commands/token/capabilities.mdx
new file mode 100644
index 000000000000..84c01fdeb5ec
--- /dev/null
+++ b/website/pages/docs/commands/token/capabilities.mdx
@@ -0,0 +1,45 @@
+---
+layout: docs
+page_title: token capabilities - Command
+sidebar_title: <code>capabilities</code>
+description: |-
+  The "token capabilities" command fetches the capabilities of a token for a
+  given path.
+---
+
+# token capabilities
+
+The `token capabilities` command fetches the capabilities of a token for a given
+path.
+
+If a TOKEN is provided as an argument, this command uses the "/sys/capabilities"
+endpoint and permission. If no TOKEN is provided, this command uses the
+"/sys/capabilities-self" endpoint and permission with the locally authenticated
+token.
+
+## Examples
+
+List capabilities for the local token on the "secret/foo" path:
+
+```text
+$ vault token capabilities secret/foo
+read
+```
+
+List capabilities for a token on the "cubbyhole/foo" path:
+
+```text
+$ vault token capabilities 96ddf4bc-d217-f3ba-f9bd-017055595017 database/creds/readonly
+deny
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/token/create.mdx b/website/pages/docs/commands/token/create.mdx
new file mode 100644
index 000000000000..28c037d32fd6
--- /dev/null
+++ b/website/pages/docs/commands/token/create.mdx
@@ -0,0 +1,123 @@
+---
+layout: docs
+page_title: token create - Command
+sidebar_title: <code>create</code>
+description: |-
+  The "token create" command creates a new token that can be used for
+  authentication. This token will be created as a child of the currently
+  authenticated token. The generated token will inherit all policies and
+  permissions of the currently authenticated token unless you explicitly define
+  a subset list policies to assign to the token.
+---
+
+# token create
+
+The `token create` command creates a new token that can be used for
+authentication. This token will be created as a child of the currently
+authenticated token. The generated token will inherit all policies and
+permissions of the currently authenticated token unless you explicitly define a
+subset list policies to assign to the token.
+
+A ttl can also be associated with the token. If a ttl is not associated with the
+token, then it cannot be renewed. If a ttl is associated with the token, it will
+expire after that amount of time unless it is renewed.
+
+Metadata associated with the token (specified with `-metadata`) is written to
+the audit log when the token is used.
+
+If a role is specified, the role may override parameters specified here.
+
+## Examples
+
+Create a token attached to specific policies:
+
+```text
+$ vault token create -policy=my-policy -policy=other-policy
+Key                Value
+---                -----
+token              95eba8ed-f6fc-958a-f490-c7fd0eda5e9e
+token_accessor     882d4a40-3796-d06e-c4f0-604e8503750b
+token_duration     768h
+token_renewable    true
+token_policies     [default my-policy other-policy]
+```
+
+Create a periodic token:
+
+```text
+$ vault token create -period=30m
+Key                Value
+---                -----
+token              fdb90d58-af87-024f-fdcd-9f95039e353a
+token_accessor     4cd9177c-034b-a004-c62d-54bc56c0e9bd
+token_duration     30m
+token_renewable    true
+token_policies     [my-policy]
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-display-name` `(string: "")` - Name to associate with this token. This is a
+  non-sensitive value that can be used to help identify created secrets (e.g.
+  prefixes).
+
+- `-explicit-max-ttl` `(duration: "")` - Explicit maximum lifetime for the
+  token. Unlike normal TTLs, the maximum TTL is a hard limit and cannot be
+  exceeded. This is specified as a numeric string with suffix like "30s" or
+  "5m".
+
+- `-id` `(string: "")` - Value for the token. By default, this is an
+  auto-generated value. Specifying this value requires sudo permissions.
+
+- `-metadata` `(k=v: "")` - Arbitrary key=value metadata to associate with the
+  token. This metadata will show in the audit log when the token is used. This
+  can be specified multiple times to add multiple pieces of metadata.
+
+- `-no-default-policy` `(bool: false)` - Detach the "default" policy from the
+  policy set for this token.
+
+- `-orphan` `(bool: false)` - Create the token with no parent. This prevents the
+  token from being revoked when the token which created it expires. Setting this
+  value requires sudo permissions.
+
+- `-period` `(duration: "")` - If specified, every renewal will use the given
+  period. Periodic tokens do not expire as long as they are actively being
+  renewed (unless `-explicit-max-ttl` is also provided). Setting this value
+  requires sudo permissions. This is specified as a numeric string with suffix
+  like "30s" or "5m".
+
+- `-policy` `(string: "")` - Name of a policy to associate with this token. This
+  can be specified multiple times to attach multiple policies.
+
+- `-renewable` `(bool: true)` - Allow the token to be renewed up to it's maximum
+  TTL.
+
+- `-role` `(string: "")` - Name of the role to create the token against.
+  Specifying -role may override other arguments. The locally authenticated Vault
+  token must have permission for `auth/token/create/<role>`.
+
+- `-ttl` `(duration: "")` - Initial TTL to associate with the token. Token
+  renewals may be able to extend beyond this value, depending on the configured
+  maximumTTLs. This is specified as a numeric string with suffix like "30s" or
+  "5m".
+
+- `-type` `(string: "service")` - The type of token to create. Can be "service" or "batch".
+
+- `-use-limit` `(int: 0)` - Number of times this token can be used. After the
+  last use, the token is automatically revoked. By default, tokens can be used
+  an unlimited number of times until their expiration.
diff --git a/website/pages/docs/commands/token/index.mdx b/website/pages/docs/commands/token/index.mdx
new file mode 100644
index 000000000000..0be55a06f555
--- /dev/null
+++ b/website/pages/docs/commands/token/index.mdx
@@ -0,0 +1,54 @@
+---
+layout: docs
+page_title: token - Command
+sidebar_title: <code>token</code>
+description: |-
+  The "token" command groups subcommands for interacting with tokens. Users can
+  create, lookup, renew, and revoke tokens.
+---
+
+# token
+
+The `token` command groups subcommands for interacting with tokens. Users can
+create, lookup, renew, and revoke tokens.
+
+For more information on tokens, please see the [token concepts
+page](/docs/concepts/tokens.html).
+
+## Examples
+
+Create a new token:
+
+```text
+$ vault token create
+```
+
+Revoke a token:
+
+```text
+$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
+```
+
+Renew a token:
+
+```text
+$ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
+```
+
+## Usage
+
+```text
+Usage: vault token <subcommand> [options] [args]
+
+  # ...
+
+Subcommands:
+    capabilities    Print capabilities of a token on a path
+    create          Create a new token
+    lookup          Display information about a token
+    renew           Renew a token lease
+    revoke          Revoke a token and its children
+```
+
+For more information, examples, and usage about a subcommand, click on the name
+of the subcommand in the sidebar.
diff --git a/website/pages/docs/commands/token/lookup.mdx b/website/pages/docs/commands/token/lookup.mdx
new file mode 100644
index 000000000000..c6e6c86e76e5
--- /dev/null
+++ b/website/pages/docs/commands/token/lookup.mdx
@@ -0,0 +1,51 @@
+---
+layout: docs
+page_title: token lookup - Command
+sidebar_title: <code>lookup</code>
+description: |-
+  The "token lookup" displays information about a token or accessor. If a TOKEN
+  is not provided, the locally authenticated token is used.
+---
+
+# token lookup
+
+The `token lookup` displays information about a token or accessor. If a TOKEN is
+not provided, the locally authenticated token is used.
+
+## Examples
+
+Get information about the locally authenticated token (this uses the
+`/auth/token/lookup-self` endpoint and permission):
+
+```text
+$ vault token lookup
+```
+
+Get information about a particular token (this uses the `/auth/token/lookup`
+endpoint and permission):
+
+```text
+$ vault token lookup 96ddf4bc-d217-f3ba-f9bd-017055595017
+```
+
+Get information about a token via its accessor:
+
+```text
+$ vault token lookup -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(default: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
+  token. When this option is selected, the output will NOT include the token.
diff --git a/website/pages/docs/commands/token/renew.mdx b/website/pages/docs/commands/token/renew.mdx
new file mode 100644
index 000000000000..3eca84c7a6ab
--- /dev/null
+++ b/website/pages/docs/commands/token/renew.mdx
@@ -0,0 +1,56 @@
+---
+layout: docs
+page_title: token renew - Command
+sidebar_title: <code>renew</code>
+description: |-
+  The "token renew" renews a token's lease, extending the amount of time it can
+  be used. If a TOKEN is not provided, the locally authenticated token is used.
+  Lease renewal will fail if the token is not renewable, the token has already
+  been revoked, or if the token has already reached its maximum TTL.
+---
+
+# token renew
+
+The `token renew` renews a token's lease, extending the amount of time it can be
+used. If a TOKEN is not provided, the locally authenticated token is used. Lease
+renewal will fail if the token is not renewable, the token has already been
+revoked, or if the token has already reached its maximum TTL.
+
+## Examples
+
+Renew a token (this uses the `/auth/token/renew` endpoint and permission):
+
+```text
+$ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
+```
+
+Renew the currently authenticated token (this uses the `/auth/token/renew-self`
+endpoint and permission):
+
+```text
+$ vault token renew
+```
+
+Renew a token requesting a specific increment value:
+
+```text
+$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-format` `(default: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-increment` `(duration: "")` - Request a specific increment for renewal.
+  Vault is not required to honor this request. If not supplied, Vault will use
+  the default TTL. This is specified as a numeric string with suffix like "30s"
+  or "5m". This is aliased as "-i".
diff --git a/website/pages/docs/commands/token/revoke.mdx b/website/pages/docs/commands/token/revoke.mdx
new file mode 100644
index 000000000000..250fb9bac058
--- /dev/null
+++ b/website/pages/docs/commands/token/revoke.mdx
@@ -0,0 +1,53 @@
+---
+layout: docs
+page_title: token revoke - Command
+sidebar_title: <code>revoke</code>
+description: |-
+  The "token revoke" revokes authentication tokens and their children. If a
+  TOKEN is not provided, the locally authenticated token is used.
+---
+
+# token revoke
+
+The `token revoke` revokes authentication tokens and their children. If a TOKEN
+is not provided, the locally authenticated token is used. The `-mode` flag can
+be used to control the behavior of the revocation.
+
+## Examples
+
+Revoke a token and all the token's children:
+
+```text
+$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
+Success! Revoked token (if it existed)
+```
+
+Revoke a token leaving the token's children:
+
+```text
+$ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017
+Success! Revoked token (if it existed)
+```
+
+Revoke a token by accessor:
+
+```text
+$ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da
+Success! Revoked token (if it existed)
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+- `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
+  token.
+
+- `-mode` `(string: "")` - Type of revocation to perform. If unspecified, Vault
+  will revoke the token and all of the token's children. If "orphan", Vault will
+  revoke only the token, leaving the children as orphans. If "path", tokens
+  created from the given authentication path prefix are deleted along with their
+  children.
+
+- `-self` - Perform the revocation on the currently authenticated token.
diff --git a/website/pages/docs/commands/unwrap.mdx b/website/pages/docs/commands/unwrap.mdx
new file mode 100644
index 000000000000..953d17060f04
--- /dev/null
+++ b/website/pages/docs/commands/unwrap.mdx
@@ -0,0 +1,46 @@
+---
+layout: docs
+page_title: unwrap - Command
+sidebar_title: <code>unwrap</code>
+description: |-
+  The "unwrap" command unwraps a wrapped secret from Vault by the given token.
+  The result is the same as the "vault read" operation on the non-wrapped
+  secret. If no token is given, the data in the currently authenticated token is
+  unwrapped.
+---
+
+# unwrap
+
+The `unwrap` command unwraps a wrapped secret from Vault by the given token. The
+result is the same as the "vault read" operation on the non-wrapped secret. If
+no token is given, the data in the currently authenticated token is unwrapped.
+
+## Examples
+
+Unwrap the data in the cubbyhole secrets engine for a token:
+
+```text
+$ vault unwrap 3de9ece1-b347-e143-29b0-dc2dc31caafd
+```
+
+Unwrap the data in the active token:
+
+```text
+$ vault login 848f9ccf-7176-098c-5e2b-75a0689d41cd
+$ vault unwrap # unwraps 848f9ccf...
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
diff --git a/website/pages/docs/commands/version.mdx b/website/pages/docs/commands/version.mdx
new file mode 100644
index 000000000000..dee9abcd57fb
--- /dev/null
+++ b/website/pages/docs/commands/version.mdx
@@ -0,0 +1,22 @@
+---
+layout: docs
+page_title: version - Command
+sidebar_title: <code>version</code>
+description: The "version" command prints the version of Vault.
+---
+
+# version
+
+The `version` command prints the Vault version:
+
+```
+$ vault version
+Vault v1.2.3
+```
+
+It can also be printed by adding the flags `--version` or `-v` to the `vault` command:
+
+```
+$ vault -v
+Vault v1.2.3
+```
diff --git a/website/pages/docs/commands/write.mdx b/website/pages/docs/commands/write.mdx
new file mode 100644
index 000000000000..87b6abcc07b7
--- /dev/null
+++ b/website/pages/docs/commands/write.mdx
@@ -0,0 +1,69 @@
+---
+layout: docs
+page_title: write - Command
+sidebar_title: <code>write</code>
+description: |-
+  The "write" command writes data to Vault at the given path. The data can be
+  credentials, secrets, configuration, or arbitrary data. The specific behavior
+  of this command is determined at the thing mounted at the path.
+---
+
+# write
+
+The `write` command writes data to Vault at the given path. The data can be
+credentials, secrets, configuration, or arbitrary data. The specific behavior of
+this command is determined at the thing mounted at the path.
+
+Data is specified as "key=value" pairs. If the value begins with an "@", then it
+is loaded from a file. If the value is "-", Vault will read the value from
+stdin.
+
+For a full list of examples and paths, please see the documentation that
+corresponds to the secrets engines in use.
+
+## Examples
+
+Persist data in the KV secrets engine:
+
+```text
+$ vault write secret/my-secret foo=bar
+```
+
+Create a new encryption key in the transit secrets engine:
+
+```text
+$ vault write -f transit/keys/my-key
+```
+
+Upload an AWS IAM policy from a file on disk:
+
+```text
+$ vault write aws/roles/ops policy=@policy.json
+```
+
+Configure access to Consul by providing an access token:
+
+```text
+$ echo $MY_TOKEN | vault write consul/config/access token=-
+```
+
+## Usage
+
+The following flags are available in addition to the [standard set of
+flags](/docs/commands/index.html) included on all commands.
+
+### Output Options
+
+- `-field` `(string: "")` - Print only the field with the given name. Specifying
+  this option will take precedence over other formatting directives. The result
+  will not have a trailing newline making it ideal for piping to other processes.
+
+- `-format` `(string: "table")` - Print the output in the given format. Valid
+  formats are "table", "json", or "yaml". This can also be specified via the
+  `VAULT_FORMAT` environment variable.
+
+### Command Options
+
+- `-force` `(bool: false)` - Allow the operation to continue with no key=value
+  pairs. This allows writing to keys that do not need or expect data. This is
+  aliased as "-f".
diff --git a/website/pages/docs/concepts/auth.mdx b/website/pages/docs/concepts/auth.mdx
new file mode 100644
index 000000000000..53790b99284f
--- /dev/null
+++ b/website/pages/docs/concepts/auth.mdx
@@ -0,0 +1,113 @@
+---
+layout: docs
+page_title: Authentication
+sidebar_title: Authentication
+description: >-
+  Before performing any operation with Vault, the connecting client must be
+  authenticated.
+---
+
+# Authentication
+
+Authentication in Vault is the process by which user or machine supplied
+information is verified against an internal or external system. Vault supports
+multiple [auth methods](/docs/auth/index.html) including GitHub,
+LDAP, AppRole, and more. Each auth method has a specific use case.
+
+Before a client can interact with Vault, it must _authenticate_ against an
+auth method. Upon authentication, a token is generated. This token is
+conceptually similar to a session ID on a website. The token may have attached
+policy, which is mapped at authentication time. This process is described in
+detail in the [policies concepts](/docs/concepts/policies.html) documentation.
+
+## auth methods
+
+Vault supports a number of auth methods. Some backends are targeted
+toward users while others are targeted toward machines. Most authentication
+backends must be enabled before use. To enable an auth method:
+
+```sh
+$ vault write sys/auth/my-auth type=userpass
+```
+
+This enables the "userpass" auth method at the path "my-auth". This
+authentication will be accessible at the path "my-auth". Often you will see
+authentications at the same path as their name, but this is not a requirement.
+
+To learn more about this authentication, use the built-in `path-help` command:
+
+```sh
+$ vault path-help auth/my-auth
+# ...
+```
+
+Vault supports multiple auth methods simultaneously, and you can even
+mount the same type of auth method at different paths. Only one
+authentication is required to gain access to Vault, and it is not currently
+possible to force a user through multiple auth methods to gain
+access, although some backends do support MFA.
+
+## Tokens
+
+There is an [entire page dedicated to tokens](/docs/concepts/tokens.html),
+but it is important to understand that authentication works by verifying
+your identity and then generating a token to associate with that identity.
+
+For example, even though you may authenticate using something like GitHub,
+Vault generates a unique access token for you to use for future requests.
+The CLI automatically attaches this token to requests, but if you're using
+the API you'll have to do this manually.
+
+This token given for authentication with any backend can also be used
+with the full set of token commands, such as creating new sub-tokens,
+revoking tokens, and renewing tokens. This is all covered on the
+[token concepts page](/docs/concepts/tokens.html).
+
+## Authenticating
+
+### Via the CLI
+
+To authenticate with the CLI, `vault login` is used. This supports many
+of the built-in auth methods. For example, with GitHub:
+
+```
+$ vault login -method=github token=<token>
+...
+```
+
+After authenticating, you will be logged in. The CLI command will also
+output your raw token. This token is used for revocation and renewal.
+As the user logging in, the primary use case of the token is renewal,
+covered below in the "Auth Leases" section.
+
+To determine what variables are needed for an auth method,
+supply the `-method` flag without any additional arguments and help
+will be shown.
+
+If you're using a method that isn't supported via the CLI, then the API
+must be used.
+
+### Via the API
+
+API authentication is generally used for machine authentication. Each
+auth method implements its own login endpoint. Use the `vault path-help`
+mechanism to find the proper endpoint.
+
+For example, the GitHub login endpoint is located at `auth/github/login`.
+And to determine the arguments needed, `vault path-help auth/github/login` can
+be used.
+
+## Auth Leases
+
+Just like secrets, identities have
+[leases](/docs/concepts/lease.html) associated with them. This means that
+you must reauthenticate after the given lease period to continue accessing
+Vault.
+
+To set the lease associated with an identity, reference the help for
+the specific auth method in use. It is specific to each backend
+how leasing is implemented.
+
+And just like secrets, identities can be renewed without having to
+completely reauthenticate. Just use `vault token renew <token>` with the
+leased token associated with your identity to renew it.
diff --git a/website/pages/docs/concepts/dev-server.mdx b/website/pages/docs/concepts/dev-server.mdx
new file mode 100644
index 000000000000..21f4ef6d2558
--- /dev/null
+++ b/website/pages/docs/concepts/dev-server.mdx
@@ -0,0 +1,58 @@
+---
+layout: docs
+page_title: Dev Server Mode
+sidebar_title: "'Dev' Server"
+description: >-
+  The dev server in Vault can be used for development or to experiment with
+  Vault.
+---
+
+# "Dev" Server Mode
+
+You can start Vault as a server in "dev" mode like so: `vault server -dev`.
+This dev-mode server requires no further setup, and your local `vault` CLI will
+be authenticated to talk to it. This makes it easy to experiment with Vault or
+start a Vault instance for development. Every feature of Vault is available in
+"dev" mode. The `-dev` flag just short-circuits a lot of setup to insecure
+defaults.
+
+~> **Warning:** Never, ever, ever run a "dev" mode server in production.
+It is insecure and will lose data on every restart (since it stores data
+in-memory). It is only made for development or experimentation.
+
+## Properties
+
+The properties of the dev server (some can be overridden with command line
+flags or by specifying a configuration file):
+
+- **Initialized and unsealed** - The server will be automatically initialized
+  and unsealed. You don't need to use `vault operator unseal`. It is ready
+  for use immediately.
+
+- **In-memory storage** - All data is stored (encrypted) in-memory. Vault
+  server doesn't require any file permissions.
+
+- **Bound to local address without TLS** - The server is listening on
+  `127.0.0.1:8200` (the default server address) _without_ TLS.
+
+- **Automatically Authenticated** - The server stores your root access
+  token so `vault` CLI access is ready to go. If you are accessing Vault
+  via the API, you'll need to authenticate using the token printed out.
+
+- **Single unseal key** - The server is initialized with a single unseal
+  key. The Vault is already unsealed, but if you want to experiment with
+  seal/unseal, then only the single outputted key is required.
+
+- **Key Value store mounted** - A v2 KV secret engine is mounted at
+  `secret/`.
+
+## Use Case
+
+The dev server should be used for experimentation with Vault features, such
+as different auth methods, secrets engines, audit devices, etc.
+If you're new to Vault, you may want to pick up with [Your First
+Secret](/intro/getting-started/first-secret.html) in
+our getting started guide.
+
+In addition to experimentation, the dev server is very easy to automate
+for development environments.
diff --git a/website/pages/docs/concepts/ha.mdx b/website/pages/docs/concepts/ha.mdx
new file mode 100644
index 000000000000..f0214b888511
--- /dev/null
+++ b/website/pages/docs/concepts/ha.mdx
@@ -0,0 +1,161 @@
+---
+layout: docs
+page_title: High Availability
+sidebar_title: High Availability
+description: >-
+  Vault can be highly available, allowing you to run multiple Vaults to protect
+  against outages.
+---
+
+# High Availability Mode (HA)
+
+Vault supports a multi-server mode for high availability. This mode protects
+against outages by running multiple Vault servers. High availability mode
+is automatically enabled when using a data store that supports it.
+
+You can tell if a data store supports high availability mode ("HA") by starting
+the server and seeing if "(HA available)" is output next to the data store
+information. If it is, then Vault will automatically use HA mode. This
+information is also available on the
+[Configuration](/docs/configuration/index.html) page.
+
+To be highly available, one of the Vault server nodes grabs a lock within the
+data store. The successful server node then becomes the active node; all other
+nodes become standby nodes. At this point, if the standby nodes receive a
+request, they will either forward the request or redirect the client depending
+on the current configuration and state of the cluster -- see the sections below
+for details. Due to this architecture, HA does not enable increased
+scalability. In general, the bottleneck of Vault is the data store itself, not
+Vault core. For example: to increase the scalability of Vault with Consul, you
+would generally scale Consul instead of Vault.
+
+Certain storage backends can support high availability mode, which enable them
+to store both Vault's information in addition to the HA lock. However, Vault
+also supports split data/HA mode, whereby the lock value and the rest of the
+data live separately. This can be done by specifying both the `storage` and
+`ha_storage` stanzas in the configuration file with different backends. For
+instance, a Vault cluster can be set up to use Consul as the `ha_storage` to
+manage the lock, and use Amazon S3 as the `storage` for all other persisted
+data.
+
+The sections below explain the server communication patterns and each type of
+request handling in more detail. At a minimum, the requirements for redirection
+mode must be met for an HA cluster to work successfully.
+
+## Server-to-Server Communication
+
+Both methods of request handling rely on the active node advertising
+information about itself to the other nodes. Rather than over the network, this
+communication takes place within Vault's encrypted storage; the active node
+writes this information and unsealed standby Vault nodes can read it.
+
+For the client redirection method, this is the extent of server-to-server
+communication -- no direct communication with only encrypted entries in the
+data store used to transfer state.
+
+For the request forwarding method, the servers need direct communication with
+each other. In order to perform this securely, the active node also advertises,
+via the encrypted data store entry, a newly-generated private key (ECDSA-P521)
+and a newly-generated self-signed certificate designated for client and server
+authentication. Each standby uses the private key and certificate to open a
+mutually-authenticated TLS 1.2 connection to the active node via the advertised
+cluster address. When client requests come in, the requests are serialized,
+sent over this TLS-protected communication channel, and acted upon by the
+active node. The active node then returns a response to the standby, which
+sends the response back to the requesting client.
+
+## Request Forwarding
+
+If request forwarding is enabled (turned on by default in 0.6.2), clients can
+still force the older/fallback redirection behavior (see below) if desired by
+setting the `X-Vault-No-Request-Forwarding` header to any non-empty value.
+
+Successful cluster setup requires a few configuration parameters, although some
+can be automatically determined.
+
+## Client Redirection
+
+If `X-Vault-No-Request-Forwarding` header in the request is set to a non-empty
+value, the standby nodes will redirect the client using a `307` status code to
+the _active node's_ redirect address.
+
+This is also the fallback method used when request forwarding is turned off or
+there is an error performing the forwarding. As such, a redirect address is
+always required for all HA setups.
+
+Some HA data store drivers can autodetect the redirect address, but it is often
+necessary to configure it manually via a top-level value in the configuration
+file. The key for this value is `api_addr` and the value can also be specified
+by the `VAULT_API_ADDR` environment variable, which takes precedence.
+
+What the `api_addr` value should be set to depends on how Vault is set up.
+There are two common scenarios: Vault servers accessed directly by clients, and
+Vault servers accessed via a load balancer.
+
+In both cases, the `api_addr` should be a full URL including scheme
+(`http`/`https`), not simply an IP address and port.
+
+### Direct Access
+
+When clients are able to access Vault directly, the `api_addr` for each
+node should be that node's address. For instance, if there are two Vault nodes
+`A` (accessed via `https://a.vault.mycompany.com:8200`) and `B` (accessed via
+`https://b.vault.mycompany.com:8200`), node `A` would set its `api_addr`
+to `https://a.vault.mycompany.com:8200` and node `B` would set its
+`api_addr` to `https://b.vault.mycompany.com:8200`.
+
+This way, when `A` is the active node, any requests received by node `B` will
+cause it to redirect the client to node `A`'s `api_addr` at
+`https://a.vault.mycompany.com`, and vice-versa.
+
+### Behind Load Balancers
+
+Sometimes clients use load balancers as an initial method to access one of the
+Vault servers, but actually have direct access to each Vault node. In this
+case, the Vault servers should actually be set up as described in the above
+section, since for redirection purposes the clients have direct access.
+
+However, if the only access to the Vault servers is via the load balancer, the
+`api_addr` on each node should be the same: the address of the load
+balancer. Clients that reach a standby node will be redirected back to the load
+balancer; at that point hopefully the load balancer's configuration will have
+been updated to know the address of the current leader. This can cause a
+redirect loop and as such is not a recommended setup when it can be avoided.
+
+### Per-Node Cluster Listener Addresses
+
+Each `listener` block in Vault's configuration file contains an `address` value
+on which Vault listens for requests. Similarly, each `listener` block can
+contain a `cluster_address` on which Vault listens for server-to-server cluster
+requests. If this value is not set, its IP address will be automatically set to
+same as the `address` value, and its port will be automatically set to the same
+as the `address` value plus one (so by default, port `8201`).
+
+Note that _only_ active nodes have active listeners. When a node becomes active
+it will start cluster listeners, and when it becomes standby it will stop them.
+
+### Per-Node Cluster Address
+
+Similar to the `api_addr`, `cluster_addr` is the value that each node, if
+active, should advertise to the standbys to use for server-to-server
+communications, and lives as a top-level value in the configuration file. On
+each node, this should be set to a host name or IP address that a standby can
+use to reach one of that node's `cluster_address` values set in the `listener`
+blocks, including port. (Note that this will always be forced to `https` since
+only TLS connections are used between servers.)
+
+This value can also be specified by the `VAULT_CLUSTER_ADDR` environment
+variable, which takes precedence.
+
+## Storage Support
+
+Currently there are several storage backends that support high availability
+mode, including Consul, ZooKeeper and etcd. These may change over time, and the
+[configuration page](/docs/configuration/index.html) should be referenced.
+
+The Consul backend is the recommended HA backend, as it is used in production
+by HashiCorp and its customers with commercial support.
+
+If you're interested in implementing another backend or adding HA support to
+another backend, we'd love your contributions. Adding HA support requires
+implementing the `physical.HABackend` interface for the storage backend.
diff --git a/website/pages/docs/concepts/index.mdx b/website/pages/docs/concepts/index.mdx
new file mode 100644
index 000000000000..406de7e2ae53
--- /dev/null
+++ b/website/pages/docs/concepts/index.mdx
@@ -0,0 +1,14 @@
+---
+layout: docs
+page_title: Concepts
+sidebar_title: Concepts
+description: Concepts that are important to understand for Vault usage.
+---
+
+# Concepts
+
+This section covers some concepts that are important to understand for day to
+day Vault usage and operation. Every page in this section is recommended
+reading for anyone consuming or operating Vault.
+
+Please use the navigation to the left to learn more about a topic.
diff --git a/website/pages/docs/concepts/lease.mdx b/website/pages/docs/concepts/lease.mdx
new file mode 100644
index 000000000000..ea944b19f0d7
--- /dev/null
+++ b/website/pages/docs/concepts/lease.mdx
@@ -0,0 +1,83 @@
+---
+layout: docs
+page_title: 'Lease, Renew, and Revoke'
+sidebar_title: 'Lease, Renew, and Revoke'
+description: >-
+  Vault provides a lease with every secret. When this lease is expired, Vault
+  will revoke that secret.
+---
+
+# Lease, Renew, and Revoke
+
+With every dynamic secret and `service` type authentication token, Vault
+creates a _lease_: metadata containing information such as a time duration,
+renewability, and more. Vault promises that the data will be valid for the
+given duration, or Time To Live (TTL). Once the lease is expired, Vault can
+automatically revoke the data, and the consumer of the secret can no longer be
+certain that it is valid.
+
+The benefit should be clear: consumers of secrets need to check in with
+Vault routinely to either renew the lease (if allowed) or request a
+replacement secret. This makes the Vault audit logs more valuable and
+also makes key rolling a lot easier.
+
+All dynamic secrets in Vault are required to have a lease. Even if the data is
+meant to be valid for eternity, a lease is required to force the consumer
+to check in routinely.
+
+In addition to renewals, a lease can be _revoked_. When a lease is revoked, it
+invalidates that secret immediately and prevents any further renewals. For
+example, with the [AWS secrets engine](/docs/secrets/aws/index.html), the
+access keys will be deleted from AWS the moment a lease is revoked. This
+renders the access keys invalid from that point forward.
+
+Revocation can happen manually via the API, via the `vault revoke` cli command,
+or automatically by Vault. When a lease is expired, Vault will automatically
+revoke that lease. When a token is revoked, Vault will revoke all leases that
+were created using that token.
+
+**Note**: The [Key/Value Backend](/docs/secrets/kv/index.html) which stores
+arbitrary secrets does not issue leases although it will sometimes return a
+lease duration; see the documentation for more information.
+
+## Lease IDs
+
+When reading a dynamic secret, such as via `vault read`, Vault always returns a
+`lease_id`. This is the ID used with commands such as `vault renew` and `vault revoke` to manage the lease of the secret.
+
+## Lease Durations and Renewal
+
+Along with the lease ID, a _lease duration_ can be read. The lease duration is
+a Time To Live value: the time in seconds for which the lease is valid. A
+consumer of this secret must renew the lease within that time.
+
+When renewing the lease, the user can request a specific amount of time they
+want remaining on the lease, termed the `increment`. This is not an increment
+at the end of the current TTL; it is an increment _from the current time_. For
+example, `vault lease renew -increment=3600 my-lease-id` would request that the TTL of the lease
+be adjusted to 1 hour (3600 seconds). Having the increment be rooted at the
+current time instead of the end of the lease makes it easy for users to reduce
+the length of leases if they don't actually need credentials for the full
+possible lease period, allowing those credentials to expire sooner and
+resources to be cleaned up earlier.
+
+The requested increment is completely advisory. The backend in charge of the
+secret can choose to completely ignore it. For most secrets, the backend does
+its best to respect the increment, but often limits it to ensure renewals every
+so often.
+
+As a result, the return value of renewals should be carefully inspected to
+determine what the new lease is.
+
+## Prefix-based Revocation
+
+In addition to revoking a single secret, operators with proper access control
+can revoke multiple secrets based on their lease ID prefix.
+
+Lease IDs are structured in a way that their prefix is always the path where
+the secret was requested from. This lets you revoke trees of secrets. For
+example, to revoke all AWS access keys, you can do `vault revoke -prefix aws/`.
+
+This is very useful if there is an intrusion within a specific system: all
+secrets of a specific backend or a certain configured backend can be revoked
+quickly and easily.
diff --git a/website/pages/docs/concepts/pgp-gpg-keybase.mdx b/website/pages/docs/concepts/pgp-gpg-keybase.mdx
new file mode 100644
index 000000000000..fb03dd391bd3
--- /dev/null
+++ b/website/pages/docs/concepts/pgp-gpg-keybase.mdx
@@ -0,0 +1,189 @@
+---
+layout: docs
+page_title: 'Using PGP, GPG, and Keybase'
+sidebar_title: 'PGP, GPG, and Keybase'
+description: |-
+  Vault has the ability to integrate with OpenPGP-compatible programs like GPG
+  and services like Keybase.io to provide an additional layer of security when
+  performing certain operations.  This page details the various GPG
+  integrations, their use, and operation.
+---
+
+# Using PGP, GPG, and Keybase
+
+Vault has the ability to integrate with OpenPGP-compatible programs like GPG
+and services like Keybase.io to provide an additional layer of security when
+performing certain operations. This page details the various PGP integrations,
+their use, and operation.
+
+Keybase.io support is available only in the command-line tool and not via the
+Vault HTTP API, tools that help with initialization should use the Keybase.io
+API in order to obtain the GPG keys needed for a secure initialization if you
+want them to use Keybase for keys.
+
+Once the Vault has been initialized, it is possible to use Keybase to decrypt
+the shards and unseal normally.
+
+## Initializing with PGP
+
+One of the early fundamental problems when bootstrapping and initializing Vault
+was that the first user (the initializer) received a plain-text copy of all of
+the unseal keys. This defeats the promises of Vault's security model, and it
+also makes the distribution of those keys more difficult. Since Vault 0.3,
+Vault can optionally be initialized using PGP keys. In this mode, Vault will
+generate the unseal keys and then immediately encrypt them using the given
+users' public PGP keys. Only the owner of the corresponding private key is then
+able to decrypt the value, revealing the plain-text unseal key.
+
+First, you must create, acquire, or import the appropriate key(s) onto the
+local machine from which you are initializing Vault. This guide will not
+attempt to cover all aspects of PGP keys but give examples using two popular
+programs: Keybase and GPG.
+
+For beginners, we suggest using [Keybase.io](https://keybase.io/) ("Keybase")
+as it can be both simpler and has a number of useful behaviors and properties
+around key management, such as verification of users' identities using a number
+of public online sources. It also exposes the ability for users to have PGP
+keys generated, stored, and managed securely on their servers. Using Vault with
+Keybase will be discussed first as it is simpler.
+
+## Initializing with Keybase
+
+To generate unseal keys for Keybase users, Vault accepts the `keybase:` prefix
+to the `-pgp-keys` argument:
+
+```
+$ vault operator init -key-shares=3 -key-threshold=2 \
+    -pgp-keys="keybase:jefferai,keybase:vishalnayak,keybase:sethvargo"
+```
+
+This requires far fewer steps than traditional PGP (e.g. with `gpg`) because
+Keybase handles a few of the tedious steps. The output will be the similar to
+the following:
+
+```
+Key 1: wcBMA37rwGt6FS1VAQgAk1q8XQh6yc...
+Key 2: wcBMA0wwnMXgRzYYAQgAavqbTCxZGD...
+Key 3: wcFMA2DjqDb4YhTAARAAeTFyYxPmUd...
+...
+```
+
+The output should be rather long in comparison to a regular unseal key. These
+keys are encrypted, and only the user holding the corresponding private key can
+decrypt the value. The keys are encrypted in the order in which specified in
+the `-pgp-keys` attribute. As such, the keys belong to respective Keybase
+accounts of `jefferai`, `vishalnayak`, and `sethvargo`. These keys can be
+distributed over almost any medium, although common sense and judgement are
+best advised. The encrypted keys are base64 encoded before returning.
+
+### Unsealing with Keybase
+
+As a user, the easiest way to decrypt your unseal key is with the Keybase CLI
+tool. You can download it from [Keybase.io download
+page](https://keybase.io/download). After you have downloaded and configured
+the Keybase CLI, you are now tasked with entering your unseal key. To get the
+plain-text unseal key, you must decrypt the value given to you by the
+initializer. To get the plain-text value, run the following command:
+
+```
+$ echo "wcBMA37..." | base64 --decode | keybase pgp decrypt
+```
+
+And replace `wcBMA37...` with the encrypted key.
+
+You will be prompted to enter your Keybase passphrase. The output will be the
+plain-text unseal key.
+
+```
+6ecb46277133e04b29bd0b1b05e60722dab7cdc684a0d3ee2de50ce4c38a357101
+```
+
+This is your unseal key in plain-text and should be guarded the same way you
+guard a password. Now you can enter your key to the `unseal` command:
+
+```
+$ vault operator unseal
+Key (will be hidden): ...
+```
+
+---
+
+## Initializing with GPG
+
+GPG is an open-source implementation of the OpenPGP standard and is available
+on nearly every platform. For more information, please see the [GPG
+manual](https://gnupg.org/gph/en/manual.html).
+
+To create a new PGP key, run, following the prompts:
+
+```
+$ gpg --gen-key
+```
+
+To import an existing key, download the public key onto disk and run:
+
+```
+$ gpg --import key.asc
+```
+
+Once you have imported the users' public keys, you need to save their values
+to disk as either base64 or binary key files. For example:
+
+```
+$ gpg --export 348FFC4C | base64 > seth.asc
+```
+
+These key files must exist on disk in base64 (the "standard" base64 character set,
+without ASCII armoring) or binary. Once saved to disk, the path to these files
+can be specified as an argument to the `-pgp-keys` flag.
+
+```
+$ vault operator init -key-shares=3 -key-threshold=2 \
+    -pgp-keys="jeff.asc,vishal.asc,seth.asc"
+```
+
+The result should look something like this:
+
+```
+Key 1: wcBMA37rwGt6FS1VAQgAk1q8XQh6yc...
+Key 2: wcBMA0wwnMXgRzYYAQgAavqbTCxZGD...
+Key 3: wcFMA2DjqDb4YhTAARAAeTFyYxPmUd...
+...
+```
+
+The output should be rather long in comparison to a regular unseal key. These
+keys are encrypted, and only the user holding the corresponding private key
+can decrypt the value. The keys are encrypted in the order in which specified
+in the `-pgp-keys` attribute. As such, the first key belongs to Jeff, the second
+to Vishal, and the third to Seth. These keys can be distributed over almost any
+medium, although common sense and judgement are best advised. The encrypted
+keys are base64 encoded before returning.
+
+### Unsealing with a GPG
+
+Assuming you have been given an unseal key that was encrypted using your public
+PGP key, you are now tasked with entering your unseal key. To get the
+plain-text unseal key, you must decrypt the value given to you by the
+initializer. To get the plain-text value, run the following command:
+
+```
+$ echo "wcBMA37..." | base64 --decode | gpg -dq
+```
+
+And replace `wcBMA37...` with the encrypted key.
+
+If you encrypted your private PGP key with a passphrase, you may be prompted to
+enter it. After you enter your password, the output will be the plain-text
+key:
+
+```
+6ecb46277133e04b29bd0b1b05e60722dab7cdc684a0d3ee2de50ce4c38a357101
+```
+
+This is your unseal key in plain-text and should be guarded the same way you
+guard a password. Now you can enter your key to the `unseal` command:
+
+```
+$ vault operator unseal
+Key (will be hidden): ...
+```
diff --git a/website/pages/docs/concepts/policies.mdx b/website/pages/docs/concepts/policies.mdx
new file mode 100644
index 000000000000..4497041fcb13
--- /dev/null
+++ b/website/pages/docs/concepts/policies.mdx
@@ -0,0 +1,690 @@
+---
+layout: docs
+page_title: Policies
+sidebar_title: Policies
+description: >-
+  Policies are how authorization is done in Vault, allowing you to restrict
+  which parts of Vault a user can access.
+---
+
+# Policies
+
+Everything in Vault is path based, and policies are no exception. Policies
+provide a declarative way to grant or forbid access to certain paths and
+operations in Vault. This section discusses policy workflows and syntaxes.
+
+Policies are **deny by default**, so an empty policy grants no permission in the
+system.
+
+## Policy-Authorization Workflow
+
+Before a human or machine can gain access, an administrator must configure Vault
+with an [auth method](/docs/concepts/auth.html). Authentication is
+the process by which human or machine-supplied information is verified against
+an internal or external system.
+
+Consider the following diagram, which illustrates the steps a security team
+would take to configure Vault to authenticate using a corporate LDAP or
+ActiveDirectory installation. Even though this example uses LDAP, the concept
+applies to all auth methods.
+
+[![Vault Auth Workflow](/img/vault-policy-workflow.svg)](/img/vault-policy-workflow.svg)
+
+1. The security team configures Vault to connect to an auth method.
+   This configuration varies by auth method. In the case of LDAP, Vault
+   needs to know the address of the LDAP server and whether to connect using TLS.
+   It is important to note that Vault does not store a copy of the LDAP database -
+   Vault will delegate the authentication to the auth method.
+
+1. The security team authors a policy (or uses an existing policy) which grants
+   access to paths in Vault. Policies are written in HCL in your editor of
+   preference and saved to disk.
+
+1. The policy's contents are uploaded and stored in Vault and referenced by name.
+   You can think of the policy's name as a pointer or symlink to its set of rules.
+
+1. Most importantly, the security team maps data in the auth method to a policy.
+   For example, the security team might create mappings like:
+
+   > Members of the OU group "dev" map to the Vault policy named "readonly-dev".
+
+   or
+
+   > Members of the OU group "ops" map to the Vault policies "admin" and "auditor".
+
+Now Vault has an internal mapping between a backend authentication system and
+internal policy. When a user authenticates to Vault, the actual authentication
+is delegated to the auth method. As a user, the flow looks like:
+
+[![Vault Auth Workflow](/img/vault-auth-workflow.svg)](/img/vault-auth-workflow.svg)
+
+1. A user attempts to authenticate to Vault using their LDAP credentials,
+   providing Vault with their LDAP username and password.
+
+1. Vault establishes a connection to LDAP and asks the LDAP server to verify the
+   given credentials. Assuming this is successful, the LDAP server returns the
+   information about the user, including the OU groups.
+
+1. Vault maps the result from the LDAP server to policies inside Vault using the
+   mapping configured by the security team in the previous section. Vault then
+   generates a token and attaches the matching policies.
+
+1. Vault returns the token to the user. This token has the correct policies
+   assigned, as dictated by the mapping configuration that was setup by the
+   security team in advance.
+
+The user then uses this Vault token for future operations. If the user performs
+the authentication steps again, they will get a _new_ token. The token will have
+the same permissions, but the actual token will be different. Authenticating a
+second time does not invalidate the original token.
+
+## Policy Syntax
+
+Policies are written in [HCL][hcl] or JSON and describe which paths in Vault a
+user or machine is allowed to access.
+
+[hcl]: https://github.com/hashicorp/hcl
+
+Here is a very simple policy which grants read capabilities to the path
+"secret/foo":
+
+```ruby
+path "secret/foo" {
+  capabilities = ["read"]
+}
+```
+
+When this policy is assigned to a token, the token can read from `"secret/foo"`.
+However, the token cannot update or delete `"secret/foo"`, since the
+capabilities do not allow it. Because policies are **deny by default**, the
+token would have no other access in Vault.
+
+Here is a more detailed policy, and it is documented inline:
+
+```ruby
+# This section grants all access on "secret/*". Further restrictions can be
+# applied to this broad policy, as shown below.
+path "secret/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# Even though we allowed secret/*, this line explicitly denies
+# secret/super-secret. This takes precedence.
+path "secret/super-secret" {
+  capabilities = ["deny"]
+}
+
+# Policies can also specify allowed, disallowed, and required parameters. Here
+# the key "secret/restricted" can only contain "foo" (any value) and "bar" (one
+# of "zip" or "zap").
+path "secret/restricted" {
+  capabilities = ["create"]
+  allowed_parameters = {
+    "foo" = []
+    "bar" = ["zip", "zap"]
+  }
+}
+```
+
+Policies use path-based matching to test the set of capabilities against a
+request. A policy `path` may specify an exact path to match, or it could specify
+a glob pattern which instructs Vault to use a prefix match:
+
+```ruby
+# Permit reading only "secret/foo". An attached token cannot read "secret/food"
+# or "secret/foo/bar".
+path "secret/foo" {
+  capabilities = ["read"]
+}
+
+# Permit reading everything under "secret/bar". An attached token could read
+# "secret/bar/zip", "secret/bar/zip/zap", but not "secret/bars/zip".
+path "secret/bar/*" {
+  capabilities = ["read"]
+}
+
+# Permit reading everything prefixed with "zip-". An attached token could read
+# "secret/zip-zap" or "secret/zip-zap/zong", but not "secret/zip/zap
+path "secret/zip-*" {
+  capabilities = ["read"]
+}
+```
+
+In addition, a `+` can be used to denote any number of characters bounded
+within a single path segment (this appeared in Vault 1.1):
+
+```ruby
+# Permit reading the "teamb" path under any top-level path under secret/
+path "secret/+/teamb" {
+  capabilities = ["read"]
+}
+
+# Permit reading secret/foo/bar/teamb, secret/bar/foo/teamb, etc.
+path "secret/+/+/teamb" {
+  capabilities = ["read"]
+}
+```
+
+Vault's architecture is similar to a filesystem. Every action in Vault has a
+corresponding path and capability - even Vault's internal core configuration
+endpoints live under the "sys/" path. Policies define access to these paths and
+capabilities, which controls a token's access to credentials in Vault.
+
+~> Policy paths are matched using the **most specific path match**. This may be
+an exact match or the longest-prefix match of a glob. This means if you define a
+policy for `"secret/foo*"`, the policy would also match `"secret/foobar"`.
+
+!> The glob character referred to in this documentation is the asterisk (`*`). It _is not a regular expression_ and is only supported **as the last character of the path**!
+
+When providing `list` capability, it is important to note that since listing
+always operates on a prefix, policies must operate on a prefix because Vault
+will sanitize request paths to be prefixes. In other words, policy paths
+targeting `list` capability should end with a trailing slash:
+
+```ruby
+path "secret/foo" {
+  capabilities = ["read"]
+}
+
+path "secret/foo/" {
+  capabilities = ["list"]
+}
+```
+
+### Capabilities
+
+Each path must define one or more capabilities which provide fine-grained
+control over permitted (or denied) operations. As shown in the examples above,
+capabilities are always specified as a list of strings, even if there is only
+one capability. The list of capabilities are:
+
+~> In the list below, the associated HTTP verbs are shown in parenthesis next to
+the capability. When authoring policy, it is usually helpful to look at the HTTP
+API documentation for the paths and HTTP verbs and map them back onto
+capabilities. While the mapping is not strictly 1:1, they are often very
+similarly matched.
+
+- `create` (`POST/PUT`) - Allows creating data at the given path. Very few
+  parts of Vault distinguish between `create` and `update`, so most operations
+  require both `create` and `update` capabilities. Parts of Vault that
+  provide such a distinction are noted in documentation.
+
+- `read` (`GET`) - Allows reading the data at the given path.
+
+- `update` (`POST/PUT`) - Allows changing the data at the given path. In most
+  parts of Vault, this implicitly includes the ability to create the initial
+  value at the path.
+
+- `delete` (`DELETE`) - Allows deleting the data at the given path.
+
+- `list` (`LIST`) - Allows listing values at the given path. Note that the
+  keys returned by a `list` operation are _not_ filtered by policies. Do not
+  encode sensitive information in key names. Not all backends support listing.
+
+In addition to the standard set, there are some capabilities that do not map to
+HTTP verbs.
+
+- `sudo` - Allows access to paths that are _root-protected_. Tokens are not
+  permitted to interact with these paths unless they are have the `sudo`
+  capability (in addition to the other necessary capabilities for performing
+  an operation against that path, such as `read` or `delete`).
+
+  For example, modifying the audit log backends requires a token with `sudo`
+  privileges.
+
+- `deny` - Disallows access. This always takes precedence regardless of any
+  other defined capabilities, including `sudo`.
+
+~> Note that capabilities usually map to the HTTP verb, not the underlying
+action taken. This can be a common source of confusion. Generating database
+credentials _creates_ database credentials, but the HTTP request is a GET which
+corresponds to a `read` capability. Thus, to grant access to generate database
+credentials, the policy would grant `read` access on the appropriate path.
+
+## Templated Policies
+
+The policy syntax allows for doing variable replacement in some policy strings
+with values available to the token. Currently `identity` information can be
+injected, and currently the `path` keys in policies allow injection.
+
+### Parameters
+
+| Name                                                                   | Description                                                             |
+| :--------------------------------------------------------------------- | :---------------------------------------------------------------------- |
+| `identity.entity.id`                                                   | The entity's ID                                                         |
+| `identity.entity.name`                                                 | The entity's name                                                       |
+| `identity.entity.metadata.<<metadata key>>`                            | Metadata associated with the entity for the given key                   |
+| `identity.entity.aliases.<<mount accessor>>.id`                        | Entity alias ID for the given mount                                     |
+| `identity.entity.aliases.<<mount accessor>>.name`                      | Entity alias name for the given mount                                   |
+| `identity.entity.aliases.<<mount accessor>>.metadata.<<metadata key>>` | Metadata associated with the alias for the given mount and metadata key |
+| `identity.groups.ids.<<group id>>.name`                                | The group name for the given group ID                                   |
+| `identity.groups.names.<<group name>>.id`                              | The group ID for the given group name                                   |
+| `identity.groups.ids.<<group id>>.metadata.<<metadata key>>`           | Metadata associated with the group for the given key                    |
+| `identity.groups.names.<<group name>>.metadata.<<metadata key>>`       | Metadata associated with the group for the given key                    |
+
+### Examples
+
+The following policy creates a section of the KVv2 Secret Engine to a specific user
+
+```ruby
+path "secret/data/{{identity.entity.id}}/*" {
+  capabilities = ["create", "update", "read", "delete"]
+}
+
+path "secret/metadata/{{identity.entity.id}}/*" {
+  capabilities = ["list"]
+}
+```
+
+If you wanted to create a shared section of KV that is associated with entities that are in a
+group.
+
+```ruby
+# In the example below, the group ID maps a group and the path
+path "secret/data/groups/{{identity.groups.ids.fb036ebc-2f62-4124-9503-42aa7A869741.name}}/*" {
+  capabilities = ["create", "update", "read", "delete"]
+}
+
+path "secret/metadata/groups/{{identity.groups.ids.fb036ebc-2f62-4124-9503-42aa7A869741.name}}/*" {
+  capabilities = ["list"]
+}
+```
+
+~> When developing templated policies, use IDs wherever possible. Each ID is
+unique to the user, whereas names can change over time and can be reused. This
+ensures that if a given user or group name is changed, the policy will be
+mapped to the intended entity or group.
+
+## Fine-Grained Control
+
+In addition to the standard set of capabilities, Vault offers finer-grained
+control over permissions at a given path. The capabilities associated with a
+path take precedence over permissions on parameters.
+
+### Parameter Constraints
+
+In Vault, data is represented as `key=value` pairs. Vault policies can
+optionally further restrict paths based on the keys and data at those keys when
+evaluating the permissions for a path. The optional finer-grained control
+options are:
+
+- `required_parameters` - A list of parameters that must be specified.
+
+  ```ruby
+  # This requires the user to create "secret/foo" with a parameter named
+  # "bar" and "baz".
+  path "secret/foo" {
+    capabilities = ["create"]
+    required_parameters = ["bar", "baz"]
+  }
+  ```
+
+- `allowed_parameters` - Whitelists a list of keys and values that are
+  permitted on the given path.
+
+  - Setting a parameter with a value of the empty list allows the parameter to
+    contain any value.
+
+    ```ruby
+    # This allows the user to create "secret/foo" with a parameter named
+    # "bar". It cannot contain any other parameters, but "bar" can contain
+    # any value.
+    path "secret/foo" {
+      capabilities = ["create"]
+      allowed_parameters = {
+        "bar" = []
+      }
+    }
+    ```
+
+  - Setting a parameter with a value of a populated list allows the parameter
+    to contain only those values.
+
+    ```ruby
+    # This allows the user to create "secret/foo" with a parameter named
+    # "bar". It cannot contain any other parameters, and "bar" can only
+    # contain the values "zip" or "zap".
+    path "secret/foo" {
+      capabilities = ["create"]
+      allowed_parameters = {
+        "bar" = ["zip", "zap"]
+      }
+    }
+    ```
+
+  - If any keys are specified, all non-specified parameters will be denied
+    unless the parameter `"*"` is set to an empty array, which will
+    allow all other parameters to be modified. Parameters with specific values
+    will still be restricted to those values.
+
+    ```ruby
+    # This allows the user to create "secret/foo" with a parameter named
+    # "bar". The parameter "bar" can only contain the values "zip" or "zap",
+    # but any other parameters may be created with any value.
+    path "secret/foo" {
+      capabilities = ["create"]
+      allowed_parameters = {
+        "bar" = ["zip", "zap"]
+        "*"   = []
+      }
+    }
+    ```
+
+- `denied_parameters` - Blacklists a list of parameter and values. Any values
+  specified here take precedence over `allowed_parameters`.
+
+  - Setting a parameter with a value of the empty list denies any changes to
+    that parameter.
+
+    ```ruby
+    # This allows the user to create "secret/foo" with any parameters not
+    # named "bar".
+    path "secret/foo" {
+      capabilities = ["create"]
+      denied_parameters = {
+        "bar" = []
+      }
+    }
+    ```
+
+  - Setting a parameter with a value of a populated list denies any parameter
+    containing those values.
+
+    ```ruby
+    # This allows the user to create "secret/foo" with a parameter named
+    # "bar". It can contain any other parameters, but "bar" cannot contain
+    # the values "zip" or "zap".
+    path "secret/foo" {
+      capabilities = ["create"]
+      denied_parameters = {
+        "bar" = ["zip", "zap"]
+      }
+    }
+    ```
+
+  - Setting to `"*"` will deny any parameter.
+
+    ```ruby
+    # This allows the user to create "secret/foo", but it cannot have any
+    # parameters.
+    path "secret/foo" {
+      capabilities = ["create"]
+      denied_parameters = {
+        "*" = []
+      }
+    }
+    ```
+
+  - If any parameters are specified, all non-specified parameters are allowed,
+    unless `allowed_parameters` is also set, in which case normal rules apply.
+
+Parameter values also support prefix/suffix globbing. Globbing is enabled by
+prepending or appending or prepending a splat (`*`) to the value:
+
+```ruby
+# Only allow a parameter named "bar" with a value starting with "foo-*".
+path "secret/foo" {
+  capabilities = ["create"]
+  allowed_parameters = {
+    "bar" = ["foo-*"]
+  }
+}
+```
+
+Note: the only value that can be used with the `*` parameter is `[]`.
+
+### Required Response Wrapping TTLs
+
+These parameters can be used to set minimums/maximums on TTLs set by clients
+when requesting that a response be
+[wrapped](/docs/concepts/response-wrapping.html), with a granularity of a
+second. These can either be specified as a number of seconds or a string with a
+`s`, `m`, or `h` suffix indicating seconds, minutes, and hours respectively.
+
+In practice, setting a minimum TTL of one second effectively makes response
+wrapping mandatory for a particular path.
+
+- `min_wrapping_ttl` - The minimum allowed TTL that clients can specify for a
+  wrapped response. In practice, setting a minimum TTL of one second
+  effectively makes response wrapping mandatory for a particular path. It can
+  also be used to ensure that the TTL is not too low, leading to end targets
+  being unable to unwrap before the token expires.
+
+- `max_wrapping_ttl` - The maximum allowed TTL that clients can specify for a
+  wrapped response.
+
+```ruby
+# This effectively makes response wrapping mandatory for this path by setting min_wrapping_ttl to 1 second.
+# This also sets this path's wrapped response maximum allowed TTL to 90 seconds.
+path "auth/approle/role/my-role/secret-id" {
+    capabilities = ["create", "update"]
+    min_wrapping_ttl = "1s"
+    max_wrapping_ttl = "90s"
+}
+```
+
+If both are specified, the minimum value must be less than the maximum. In
+addition, if paths are merged from different stanzas, the lowest value
+specified for each is the value that will result, in line with the idea of
+keeping token lifetimes as short as possible.
+
+## Builtin Policies
+
+Vault has two built-in policies: `default` and `root`. This section describes
+the two builtin policies.
+
+### Default Policy
+
+The `default` policy is a builtin Vault policy that cannot be removed. By
+default, it is attached to all tokens, but may be explicitly excluded at token
+creation time by supporting authentication methods.
+
+The policy contains basic functionality such as the ability for the token to
+look up data about itself and to use its cubbyhole data. However, Vault is not
+proscriptive about its contents. It can be modified to suit your needs; Vault
+will never overwrite your modifications. If you want to stay up-to-date with
+the latest upstream version of the `default` policy, simply read the contents
+of the policy from an up-to-date `dev` server, and write those contents into
+your Vault's `default` policy.
+
+To view all permissions granted by the default policy on your Vault
+installation, run:
+
+```sh
+$ vault read sys/policy/default
+```
+
+To disable attachment of the default policy:
+
+```sh
+$ vault token create -no-default-policy
+```
+
+or via the API:
+
+```sh
+$ curl \
+  --request POST \
+  --header "X-Vault-Token: ..." \
+  --data '{"no_default_policy": "true"}' \
+  https://vault.hashicorp.rocks/v1/auth/token/create
+```
+
+### Root Policy
+
+The `root` policy is a builtin Vault policy that can not be modified or removed.
+Any user associated with this policy becomes a root user. A root user can do
+_anything_ within Vault. As such, it is **highly recommended** that you revoke
+any root tokens before running Vault in production.
+
+When a Vault server is first initialized, there always exists one root user.
+This user is used to do the initial configuration and setup of Vault. After
+configured, the initial root token should be revoked and more strictly
+controlled users and authentication should be used.
+
+To revoke a root token, run:
+
+```sh
+$ vault token revoke "<token>"
+```
+
+or via the API:
+
+```sh
+$ curl \
+  --request POST \
+  --header "X-Vault-Token: ..." \
+  --data '{"token": "<token>"}' \
+  https://vault.hashicorp.rocks/v1/auth/token/revoke
+```
+
+For more information, please read:
+
+- [Production Hardening](/guides/operations/production.html)
+- [Generating a Root Token](/guides/operations/generate-root.html)
+
+## Managing Policies
+
+Policies are authored (written) in your editor of choice. They can be authored
+in HCL or JSON, and the syntax is described in detail above. Once saved,
+policies must be uploaded to Vault before they can be used.
+
+### Listing Policies
+
+To list all registered policies in Vault:
+
+```sh
+$ vault read sys/policy
+```
+
+or via the API:
+
+```sh
+$ curl \
+  --header "X-Vault-Token: ..." \
+  https://vault.hashicorp.rocks/v1/sys/policy
+```
+
+~> You may also see the CLI command `vault policies`. This is a convenience
+wrapper around reading the sys endpoint directly. It provides the same
+functionality but formats the output in a special manner.
+
+### Creating Policies
+
+Policies may be created (uploaded) via the CLI or via the API. To create a new
+policy in Vault:
+
+```sh
+$ vault policy write policy-name policy-file.hcl
+```
+
+or via the API:
+
+```sh
+$ curl \
+  --request POST \
+  --header "X-Vault-Token: ..." \
+  --data '{"policy":"path \"...\" {...} "}' \
+  https://vault.hashicorp.rocks/v1/sys/policy/policy-name
+```
+
+In both examples, the name of the policy is "policy-name". You can think of this
+name as a pointer or symlink to the policy ACLs. Tokens are attached policies by
+name, which are then mapped to the set of rules corresponding to that name.
+
+### Updating Policies
+
+Existing policies may be updated to change permissions via the CLI or via the
+API. To update an existing policy in Vault, follow the same steps as creating a
+policy, but use an existing policy name:
+
+```sh
+$ vault write sys/policy/my-existing-policy policy=@updated-policy.json
+```
+
+or via the API:
+
+```sh
+$ curl \
+  --request POST \
+  --header "X-Vault-Token: ..." \
+  --data '{"policy":"path \"...\" {...} "}' \
+  https://vault.hashicorp.rocks/v1/sys/policy/my-existing-policy
+```
+
+### Deleting Policies
+
+Existing policies may be deleted via the CLI or API. To delete a policy:
+
+```sh
+$ vault delete sys/policy/policy-name
+```
+
+or via the API:
+
+```sh
+$ curl \
+  --request DELETE \
+  --header "X-Vault-Token: ..." \
+  https://vault.hashicorp.rocks/v1/sys/policy/policy-name
+```
+
+This is an idempotent operation. Vault will not return an error when deleting a
+policy that does not exist.
+
+## Associating Policies
+
+Vault can automatically associate a set of policies to a token based on an
+authorization. This configuration varies significantly between authentication
+backends. For simplicity, this example will use Vault's built-in userpass
+auth method.
+
+A Vault administrator or someone from the security team would create the user in
+Vault with a list of associated policies:
+
+```sh
+$ vault write auth/userpass/users/sethvargo \
+    password="s3cr3t!" \
+    policies="dev-readonly,logs"
+```
+
+This creates an authentication mapping to the policy such that, when the user
+authenticates successfully to Vault, they will be given a token which has the list
+of policies attached.
+
+The user wishing to authenticate would run
+
+```sh
+$ vault login -method="userpass" username="sethvargo"
+Password (will be hidden): ...
+```
+
+If the provided information is correct, Vault will generate a token, assign the
+list of configured policies to the token, and return that token to the
+authenticated user.
+
+### Tokens
+
+Tokens are associated with their policies at creation time. For example:
+
+```sh
+$ vault token create -policy=dev-readonly -policy=logs
+```
+
+Child tokens can be associated with a subset of a parent's policies. Root users
+can assign any policies.
+
+There is no way to modify the policies associated with a token once the token
+has been issued. The token must be revoked and a new one acquired to receive a
+new set of policies.
+
+However, the _contents_ of policies are parsed in real-time whenever the token is used.
+As a result, if a policy is modified, the modified rules will be in force the
+next time a token, with that policy attached, is used to make a call to Vault.
+
+## Learn
+
+Refer to the following tutorials for further learning:
+
+- [Vault Policies](https://learn.hashicorp.com/vault/identity-access-management/iam-policies)
+- [ACL Policy Path Templating](https://learn.hashicorp.com/vault/identity-access-management/policy-templating)
diff --git a/website/pages/docs/concepts/recovery-mode.mdx b/website/pages/docs/concepts/recovery-mode.mdx
new file mode 100644
index 000000000000..a270c8e8668b
--- /dev/null
+++ b/website/pages/docs/concepts/recovery-mode.mdx
@@ -0,0 +1,45 @@
+---
+layout: docs
+page_title: Recovery Mode
+sidebar_title: Recovery Mode
+description: Recovery mode allows for doing surgery on a Vault that won't start.
+---
+
+# Recovery Mode
+
+Vault can be started using the `-recovery` flag to bring it up in Recovery Mode.
+
+In recovery mode, Vault:
+
+- is automatically unsealed once a recovery token is issued
+- apart from recovery token operations, only supports the `sys/raw` endpoint
+- `raw` requests must be authenticated using a recovery token
+- won't form clusters or handle requests forwarded by standbys
+
+## Recovery tokens
+
+Recovery tokens are issued in much the same way as root tokens are generated:
+the API is basically the same, only using a different endpoint. Unlike root
+tokens, the recovery token is not persisted, so if Vault is restarted into
+recovery mode a new one must be generated.
+
+Only a single recovery token can be generated. If lost, restart Vault and
+generate a new one.
+
+## Raw requests
+
+Requests can be issued to `sys/raw` in just the same way as in regular Vault
+server mode. The only difference is that in recovery mode, `X-Vault-Token`
+must contain a recovery token instead of a service or batch token.
+
+## Raft rejoin
+
+Raft integrated storage is the immediate motivation for recovery mode. With
+other backends it was always possible to delete data directly from a storage
+backend, but that's impractical with a Raft backend. That said, recovery mode
+works with any backend.
+
+In order to bring the Vault server up reliably, using any node's raft data,
+recovery mode Vault automatically resizes the cluster to size 1. This means
+that after having used recovery mode, part of the procedure for returning to
+active service must include rejoining the raft cluster.
diff --git a/website/pages/docs/concepts/response-wrapping.mdx b/website/pages/docs/concepts/response-wrapping.mdx
new file mode 100644
index 000000000000..e4819b8ceba6
--- /dev/null
+++ b/website/pages/docs/concepts/response-wrapping.mdx
@@ -0,0 +1,173 @@
+---
+layout: docs
+page_title: Response Wrapping
+sidebar_title: Response Wrapping
+description: Wrapping responses in cubbyholes for secure distribution.
+---
+
+# Response Wrapping
+
+_Note_: Some of this information relies on features of response-wrapping tokens
+introduced in Vault 0.8 and may not be available in earlier releases.
+
+## Overview
+
+In many Vault deployments, clients can access Vault directly and consume
+returned secrets. In other situations, it may make sense to or be desired to
+separate privileges such that one trusted entity is responsible for interacting
+with most of the Vault API and passing secrets to the end consumer.
+
+However, the more relays a secret travels through, the more possibilities for
+accidental disclosure, especially if the secret is being transmitted in
+plaintext. For instance, you may wish to get a TLS private key to a machine
+that has been cold-booted, but since you do not want to store a decryption key
+in persistent storage, you cannot encrypt this key in transit.
+
+To help address this problem, Vault includes a feature called _response
+wrapping_. When requested, Vault can take the response it would have sent to an
+HTTP client and instead insert it into the
+[`cubbyhole`](/docs/secrets/cubbyhole/index.html) of a single-use token,
+returning that single-use token instead. Logically speaking, the response is
+wrapped by the token, and retrieving it requires an unwrap operation against
+this token.
+
+This provides a powerful mechanism for information sharing in many
+environments. In the types of scenarios, described above, often the best
+practical option is to provide _cover_ for the secret information, be able to
+_detect malfeasance_ (interception, tampering), and limit _lifetime_ of the
+secret's exposure. Response wrapping performs all three of these duties:
+
+- It provides _cover_ by ensuring that the value being transmitted across the
+  wire is not the actual secret but a reference to such a secret, namely the
+  response-wrapping token. Information stored in logs or captured along the
+  way do not directly see the sensitive information.
+- It provides _malfeasance detection_ by ensuring that only a single party can
+  ever unwrap the token and see what's inside. A client receiving a token that
+  cannot be unwrapped can trigger an immediate security incident. In addition,
+  a client can inspect a given token before unwrapping to ensure that its
+  origin is from the expected location in Vault.
+- It _limits the lifetime_ of secret exposure because the response-wrapping
+  token has a lifetime that is separate from the wrapped secret (and often can
+  be much shorter), so if a client fails to come up and unwrap the token, the
+  token can expire very quickly.
+
+## Response-Wrapping Tokens
+
+When a response is wrapped, the normal API response from Vault does not contain
+the original secret, but rather contains a set of information related to the
+response-wrapping token:
+
+- TTL: The TTL of the response-wrapping token itself
+- Token: The actual token value
+- Creation Time: The time that the response-wrapping token was created
+- Creation Path: The API path that was called in the original request
+- Wrapped Accessor: If the wrapped response is an authentication response
+  containing a Vault token, this is the value of the wrapped token's accessor.
+  This is useful for orchestration systems (such as Nomad) to able to control
+  the lifetime of secrets based on their knowledge of the lifetime of jobs,
+  without having to actually unwrap the response-wrapping token or gain
+  knowledge of the token ID inside.
+
+Vault currently does not provide signed response-wrapping tokens, as it
+provides little extra protection. If you are being pointed to the correct Vault
+server, token validation is performed by interacting with the server itself; a
+signed token does not remove the need to validate the token with the server,
+since the token is not carrying data but merely an access mechanism and the
+server will not release data without validating it. If you are being attacked
+and pointed to the wrong Vault server, the same attacker could trivially give
+you the wrong signing public key that corresponds to the wrong Vault server.
+You could cache a previously valid key, but could also cache a previously valid
+address (and in most cases the Vault address will not change or will be set via
+a service discovery mechanism). As such, we rely on the fact that the token
+itself is not carrying authoritative data and do not sign it.
+
+## Response-Wrapping Token Operations
+
+Via the `sys/wrapping` path, several operations can be run against wrapping
+tokens:
+
+- Lookup (`sys/wrapping/lookup`): This allows fetching the response-wrapping
+  token's creation time, creation path, and TTL. This path is unauthenticated
+  and available to response-wrapping tokens themselves. In other words, a
+  response-wrapping token holder wishing to perform validation is always
+  allowed to look up the properties of the token.
+- Unwrap (`sys/wrapping/unwrap`): Unwrap the token, returning the response
+  inside. The response that is returned will be the original wire-format
+  response; it can be used directly with API clients.
+- Rewrap (`sys/wrapping/rewrap`): Allows migrating the wrapped data to a new
+  response-wrapping token. This can be useful for long-lived secrets. For
+  example, an organization may wish (or be required in a compliance scenario)
+  to have the `pki` backend's root CA key be returned in a long-lived
+  response-wrapping token to ensure that nobody has seen the key (easily
+  verified by performing lookups on the response-wrapping token) but available
+  for signing CRLs in case they ever accidentally change or lose the `pki`
+  mount. Often, compliance schemes require periodic rotation of secrets, so
+  this helps achieve that compliance goal without actually exposing what's
+  inside.
+- Wrap (`sys/wrapping/wrap`): A helper endpoint that echoes back the data sent
+  to it in a response-wrapping token. Note that blocking access to this
+  endpoint does not remove the ability for arbitrary data to be wrapped, as it
+  can be done elsewhere in Vault.
+
+## Response-Wrapping Token Creation
+
+Response wrapping is per-request and is triggered by providing to Vault the
+desired TTL for a response-wrapping token for that request. This is set by the
+client using the `X-Vault-Wrap-TTL` header and can be either an integer number
+of seconds or a string duration of seconds (`15s`), minutes (`20m`), or hours
+(`25h`). When using the Vault CLI, you can set this via the `-wrap-ttl`
+parameter. When using the Go API, wrapping is triggered by [setting a helper
+function](https://godoc.org/github.com/hashicorp/vault/api#Client.SetWrappingLookupFunc)
+that tells the API the conditions under which to request wrapping, by mapping
+an operation and path to a desired TTL.
+
+If a client requests wrapping:
+
+1. The original HTTP response is serialized
+2. A new single-use token is generated with the TTL supplied by the client
+3. Internally, the original serialized response is stored in the single-use
+   token's cubbyhole
+4. A new response is generated, with the token ID, TTL, and path stored in the
+   new response's wrap information object
+5. The new response is returned to the caller
+
+Note that policies can control minimum/maximum wrapping TTLs; see the [policies
+concepts page](https://www.vaultproject.io/docs/concepts/policies.html) for
+more information.
+
+## Response-Wrapping Token Validation
+
+Proper validation of response-wrapping tokens is essential to ensure that any
+malfeasance is detected. It's also pretty straightforward.
+
+Validation is best performed by the following steps:
+
+1. If a client has been expecting delivery of a response-wrapping token and
+   none arrives, this may be due to an attacker intercepting the token and then
+   preventing it from traveling further. This should cause an alert to trigger
+   an immediate investigation.
+2. Perform a lookup on the response-wrapping token. This immediately tells you
+   if the token has already been unwrapped or is expired (or otherwise
+   revoked). If the lookup indicates that a token is invalid, it does not
+   necessarily mean that the data was intercepted (for instance, perhaps the
+   client took a long time to start up and the TTL expired) but should trigger
+   an alert for immediate investigation, likely with the assistance of Vault's
+   audit logs to see if the token really was unwrapped.
+3. With the token information in hand, validate that the creation path matches
+   expectations. If you expect to find a TLS key/certificate inside, chances
+   are the path should be something like `pki/issue/...`. If the path is not
+   what you expect, it is possible that the data contained inside was read and
+   then put into a new response-wrapping token. (This is especially likely if
+   the path starts with `cubbyhole` or `sys/wrapping/wrap`.) Particular care
+   should be taken with `kv` secrets engine: exact matches on the path are best
+   there. For example, if you expect a secret to come from `secret/foo` and
+   the interceptor provides a token with `secret/bar` as the path, simply
+   checking for a prefix of `secret/` is not enough.
+4. After prefix validation, unwrap the token. If the unwrap fails, the response
+   is similar to if the initial lookup fails: trigger an alert for immediate
+   investigation.
+
+Following those steps provides very strong assurance that the data contained
+within the response-wrapping token has never been seen by anyone other than the
+intended client and that any interception or tampering has resulted in a
+security alert.
diff --git a/website/pages/docs/concepts/seal.mdx b/website/pages/docs/concepts/seal.mdx
new file mode 100644
index 000000000000..768665073acc
--- /dev/null
+++ b/website/pages/docs/concepts/seal.mdx
@@ -0,0 +1,128 @@
+---
+layout: docs
+page_title: Seal/Unseal
+sidebar_title: Seal/Unseal
+description: >-
+  A Vault must be unsealed before it can access its data. Likewise, it can be
+  sealed to lock it down.
+---
+
+# Seal/Unseal
+
+When a Vault server is started, it starts in a _sealed_ state. In this
+state, Vault is configured to know where and how to access the physical
+storage, but doesn't know how to decrypt any of it.
+
+_Unsealing_ is the process of constructing the master key necessary to
+read the decryption key to decrypt the data, allowing access to the Vault.
+
+Prior to unsealing, almost no operations are possible with Vault. For
+example authentication, managing the mount tables, etc. are all not possible.
+The only possible operations are to unseal the Vault and check the status
+of the unseal.
+
+## Why?
+
+The data stored by Vault is stored encrypted. Vault needs the
+_encryption key_ in order to decrypt the data. The encryption key is
+also stored with the data, but encrypted with another encryption key
+known as the _master key_. The master key isn't stored anywhere.
+
+Therefore, to decrypt the data, Vault must decrypt the encryption key
+which requires the master key. Unsealing is the process of reconstructing
+this master key.
+
+Instead of distributing this master key as a single key to an operator,
+Vault uses an algorithm known as
+[Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing)
+to split the key into shards. A certain threshold of shards is required to
+reconstruct the master key.
+
+This is the _unseal_ process: the shards are added one at a time (in any
+order) until enough shards are present to reconstruct the key and
+decrypt the data.
+
+## Unsealing
+
+The unseal process is done by running `vault operator unseal` or via the API.
+This process is stateful: each key can be entered via multiple mechanisms
+on multiple computers and it will work. This allows each shard of the master
+key to be on a distinct machine for better security.
+
+Once a Vault is unsealed, it remains unsealed until one of two things happens:
+
+1. It is resealed via the API (see below).
+
+2. The server is restarted.
+
+-> **Note:** Unsealing makes the process of automating a Vault install
+difficult. Automated tools can easily install, configure, and start Vault,
+but unsealing it is a very manual process. We have plans in the future to
+make it easier. For the time being, the best method is to manually unseal
+multiple Vault servers in [HA mode](/docs/concepts/ha.html). Use a tool such
+as Consul to make sure you only query Vault servers that are unsealed.
+
+## Sealing
+
+There is also an API to seal the Vault. This will throw away the master
+key and require another unseal process to restore it. Sealing only requires
+a single operator with root privileges.
+
+This way, if there is a detected intrusion, the Vault data can be locked
+quickly to try to minimize damages. It can't be accessed again without
+access to the master key shards.
+
+## Auto Unseal
+
+Auto Unseal was developed to aid in reducing the operational complexity of
+keeping the master key secure. This feature delegates the responsibility of
+securing the master key from users to a trusted device or service. Instead of
+only constructing the key in memory, the master key is encrypted with one of
+these services or devices and then stored in the storage backend allowing Vault
+to decrypt the master key at startup and unseal automatically.
+
+When using Auto Unseal there are certain operations in Vault that still
+require a quorum of users to perform an operation such as generating a root token.
+During the initialization process, a set of Shamir keys are generated that are called
+Recovery Keys and are used for these operations.
+
+For a list of examples and supported providers, please see the
+[seal documentation](/docs/configuration/seal/index.html).
+
+## Seal Migration
+
+The seal can be migrated from Shamir keys to Auto Unseal and vice versa.
+
+~> **NOTE**: This is not currently supported when using Vault Enterprise Replication.
+While the primary can be migrated without issue, the secondaries, depending on
+which type of seal is being migrated from/to, may not work correctly. We plan
+to support this officially in a future release.
+
+To migrate from Shamir keys to Auto Unseal, take your server cluster offline and update
+the [seal configuration](/docs/configuration/seal/index.html) with the appropriate seal
+configuration. Bring your server back up and leave the rest of the nodes offline if
+using multi-server mode, then run the unseal process with the `-migrate` flag and bring
+the rest of the cluster online.
+
+All unseal commands must specify the `-migrate` flag. Once the required threshold of
+unseal keys are entered, unseal keys will be migrated to recovery keys.
+
+```
+$ vault operator unseal -migrate
+```
+
+To migrate from Auto Unseal to Shamir keys, take your server cluster offline and update
+the [seal configuration](/docs/configuration/seal/index.html) and add `disabled = "true"`
+to the seal block. This allows the migration to use this information to decrypt the key
+but will not unseal Vault. When you bring your server back up, run the unseal process
+with the `-migrate` flag and use the Recovery Keys to perform the migration. All unseal
+commands must specify the `-migrate` flag. Once the required threshold of recovery keys
+are entered, the recovery keys will be migrated to be used as unseal keys.
+
+## Recovery Key Rekeying
+
+During Auto Seal initialization process, a set of Shamir keys called Recovery Keys are
+generated which are used for operations that still require a quorum of users.
+
+Recovery Keys can be rekeyed to change the number of shares or thresholds. When using the
+Vault CLI, this is performed by using the `-target=recovery` flag to `vault operator rekey`.
diff --git a/website/pages/docs/concepts/tokens.mdx b/website/pages/docs/concepts/tokens.mdx
new file mode 100644
index 000000000000..55b19a9505c0
--- /dev/null
+++ b/website/pages/docs/concepts/tokens.mdx
@@ -0,0 +1,286 @@
+---
+layout: docs
+page_title: Tokens
+sidebar_title: Tokens
+description: Tokens are a core auth method in Vault. Concepts and important features.
+---
+
+# Tokens
+
+Tokens are the core method for _authentication_ within Vault. Tokens
+can be used directly or [auth methods](/docs/concepts/auth.html)
+can be used to dynamically generate tokens based on external identities.
+
+If you've gone through the getting started guide, you probably noticed that
+`vault server -dev` (or `vault operator init` for a non-dev server) outputs an
+initial "root token." This is the first method of authentication for Vault.
+It is also the only auth method that cannot be disabled.
+
+As stated in the [authentication concepts](/docs/concepts/auth.html),
+all external authentication mechanisms, such as GitHub, map down to dynamically
+created tokens. These tokens have all the same properties as a normal manually
+created token.
+
+Within Vault, tokens map to information. The most important information mapped
+to a token is a set of one or more attached
+[policies](/docs/concepts/policies.html). These policies control what the token
+holder is allowed to do within Vault. Other mapped information includes
+metadata that can be viewed and is added to the audit log, creation time, last
+renewal time, and more.
+
+~> Note that external to Vault, tokens are to be considered opaque values
+by users and as such, their structure is both currently undocumented and
+subject to change.
+
+Read on for a deeper dive into token concepts.
+
+## Token Types
+
+As of Vault 1.0, there are two types of tokens: `service` tokens and `batch`
+tokens. A section near the bottom of this page contains detailed information
+about their differences, but it is useful to understand other token concepts
+first. The features in the following sections all apply to service tokens, and
+their applicability to batch tokens is discussed later.
+
+## The Token Store
+
+Often in documentation or in help channels, the "token store" is referenced.
+This is the same as the [`token` authentication
+backend](/docs/auth/token.html). This is a special
+backend in that it is responsible for creating and storing tokens, and cannot
+be disabled. It is also the only auth method that has no login
+capability -- all actions require existing authenticated tokens.
+
+## Root Tokens
+
+Root tokens are tokens that have the `root` policy attached to them. Root
+tokens can do anything in Vault. _Anything_. In addition, they are the only
+type of token within Vault that can be set to never expire without any renewal
+needed. As a result, it is purposefully hard to create root tokens; in fact
+there are only three ways to create root tokens:
+
+1. The initial root token generated at `vault operator init` time -- this token has no
+   expiration
+2. By using another root token; a root token with an expiration cannot create a
+   root token that never expires
+3. By using `vault operator generate-root` ([example](/guides/operations/generate-root.html))
+   with the permission of a quorum of unseal key holders
+
+Root tokens are useful in development but should be extremely carefully guarded
+in production. In fact, the Vault team recommends that root tokens are only
+used for just enough initial setup (usually, setting up auth methods
+and policies necessary to allow administrators to acquire more limited tokens)
+or in emergencies, and are revoked immediately after they are no longer needed.
+If a new root token is needed, the `operator generate-root` command and associated
+[API endpoint](/api/system/generate-root.html) can be used to generate one on-the-fly.
+
+It is also good security practice for there to be multiple eyes on a terminal
+whenever a root token is live. This way multiple people can verify as to the
+tasks performed with the root token, and that the token was revoked immediately
+after these tasks were completed.
+
+## Token Hierarchies and Orphan Tokens
+
+Normally, when a token holder creates new tokens, these tokens will be created
+as children of the original token; tokens they create will be children of them;
+and so on. When a parent token is revoked, all of its child tokens -- and all
+of their leases -- are revoked as well. This ensures that a user cannot escape
+revocation by simply generating a never-ending tree of child tokens.
+
+Often this behavior is not desired, so users with appropriate access can create
+`orphan` tokens. These tokens have no parent -- they are the root of their own
+token tree. These orphan tokens can be created:
+
+1. Via the `auth/token/create-orphan` endpoint
+2. By having `sudo` capability or `root` policy when accessing
+   `auth/token/create` and setting the `orphan` parameter to `true`
+3. Via token store roles
+4. By logging in with any other (non-`token`) auth method
+
+Users with appropriate permissions can also use the `auth/token/revoke-orphan`
+endpoint, which revokes the given token but rather than revoke the rest of the
+tree, it instead sets the tokens' immediate children to be orphans. Use with
+caution!
+
+## Token Accessors
+
+When tokens are created, a token accessor is also created and returned. This
+accessor is a value that acts as a reference to a token and can only be used to
+perform limited actions:
+
+1. Look up a token's properties (not including the actual token ID)
+2. Look up a token's capabilities on a path
+3. Renew the token
+4. Revoke the token
+
+The token _making the call_, _not_ the token associated with the accessor, must
+have appropriate permissions for these functions.
+
+There are many useful workflows around token accessors. As an example, a
+service that creates tokens on behalf of another service (such as the
+[Nomad](https://www.nomadproject.io/) scheduler) can store the accessor
+correlated with a particular job ID. When the job is complete, the accessor can
+be used to instantly revoke the token given to the job and all of its leased
+credentials, limiting the chance that a bad actor will discover and use them.
+
+Audit devices can optionally be set to not obfuscate token accessors in audit
+logs. This provides a way to quickly revoke tokens in case of an emergency.
+However, it also means that the audit logs can be used to perform a larger-scale
+denial of service attack.
+
+Finally, the only way to "list tokens" is via the `auth/token/accessors`
+command, which actually gives a list of token accessors. While this is still a
+dangerous endpoint (since listing all of the accessors means that they can then
+be used to revoke all tokens), it also provides a way to audit and revoke the
+currently-active set of tokens.
+
+## Token Time-To-Live, Periodic Tokens, and Explicit Max TTLs
+
+Every non-root token has a time-to-live (TTL) associated with it, which is a
+current period of validity since either the token's creation time or last
+renewal time, whichever is more recent. (Root tokens may have a TTL associated,
+but the TTL may also be 0, indicating a token that never expires). After the
+current TTL is up, the token will no longer function -- it, and its associated
+leases, are revoked.
+
+If the token is renewable, Vault can be asked to extend the token validity
+period using `vault token renew` or the appropriate renewal endpoint. At this
+time, various factors come into play. What happens depends upon whether the
+token is a periodic token (available for creation by `root`/`sudo` users, token
+store roles, or some auth methods), has an explicit maximum TTL
+attached, or neither.
+
+### The General Case
+
+In the general case, where there is neither a period nor explicit maximum TTL
+value set on the token, the token's lifetime since it was created will be
+compared to the maximum TTL. This maximum TTL value is dynamically generated
+and can change from renewal to renewal, so the value cannot be displayed when a
+token's information is looked up. It is based on a combination of factors:
+
+1. The system max TTL, which is 32 days but can be changed in Vault's
+   configuration file.
+2. The max TTL set on a mount using [mount
+   tuning](/api/system/mounts.html). This value
+   is allowed to override the system max TTL -- it can be longer or shorter,
+   and if set this value will be respected.
+3. A value suggested by the auth method that issued the token. This
+   might be configured on a per-role, per-group, or per-user basis. This value
+   is allowed to be less than the mount max TTL (or, if not set, the system max
+   TTL), but it is not allowed to be longer.
+
+Note that the values in (2) and (3) may change at any given time, which is why
+a final determination about the current allowed max TTL is made at renewal time
+using the current values. It is also why it is important to always ensure that
+the TTL returned from a renewal operation is within an allowed range; if this
+value is not extending, likely the TTL of the token cannot be extended past its
+current value and the client may want to reauthenticate and acquire a new
+token. However, outside of direct operator interaction, Vault will never revoke
+a token before the returned TTL has expired.
+
+### Explicit Max TTLs
+
+Tokens can have an explicit max TTL set on them. This value becomes a hard
+limit on the token's lifetime -- no matter what the values in (1), (2), and (3)
+from the general case are, the token cannot live past this explicitly-set
+value. This has an effect even when using periodic tokens to escape the normal
+TTL mechanism.
+
+### Periodic Tokens
+
+In some cases, having a token be revoked would be problematic -- for instance,
+if a long-running service needs to maintain its SQL connection pool over a long
+period of time. In this scenario, a periodic token can be used. Periodic tokens
+can be created in a few ways:
+
+1. By having `sudo` capability or a `root` token with the `auth/token/create`
+   endpoint
+2. By using token store roles
+3. By using an auth method that supports issuing these, such as
+   AppRole
+
+At issue time, the TTL of a periodic token will be equal to the configured
+period. At every renewal time, the TTL will be reset back to this configured
+period, and as long as the token is successfully renewed within each of these
+periods of time, it will never expire. Outside of `root` tokens, it is
+currently the only way for a token in Vault to have an unlimited lifetime.
+
+The idea behind periodic tokens is that it is easy for systems and services to
+perform an action relatively frequently -- for instance, every two hours, or
+even every five minutes. Therefore, as long as a system is actively renewing
+this token -- in other words, as long as the system is alive -- the system is
+allowed to keep using the token and any associated leases. However, if the
+system stops renewing within this period (for instance, if it was shut down),
+the token will expire relatively quickly. It is good practice to keep this
+period as short as possible, and generally speaking it is not useful for humans
+to be given periodic tokens.
+
+There are a few important things to know when using periodic tokens:
+
+- When a periodic token is created via a token store role, the _current_ value
+  of the role's period setting will be used at renewal time
+- A token with both a period and an explicit max TTL will act like a periodic
+  token but will be revoked when the explicit max TTL is reached
+
+## CIDR-Bound Tokens
+
+Some tokens are able to be bound to CIDR(s) that restrict the range of client
+IPs allowed to use them. These affect all tokens except for non-expiring root
+tokens (those with a TTL of zero). If a root token has an expiration, it also
+is affected by CIDR-binding.
+
+## Token Types in Detail
+
+There are currently two types of tokens.
+
+### Service Tokens
+
+Service tokens are what users will generally think of as "normal" Vault tokens.
+They support all features, such as renewal, revocation, creating child tokens,
+and more. They are correspondingly heavyweight to create and track.
+
+### Batch Tokens
+
+Batch tokens are encrypted blobs that carry enough information for them to
+be used for Vault actions, but they require no storage on disk to track them.
+As a result they are extremely lightweight and scalable, but lack most of the
+flexibility and features of service tokens.
+
+### Token Type Comparison
+
+This reference chart describes the difference in behavior between service and
+batch tokens.
+
+|                                                     |                                          Service Tokens |                                    Batch Tokens |
+| --------------------------------------------------- | ------------------------------------------------------: | ----------------------------------------------: |
+| Can Be Root Tokens                                  |                                                     Yes |                                              No |
+| Can Create Child Tokens                             |                                                     Yes |                                              No |
+| Can be Renewable                                    |                                                     Yes |                                              No |
+| Can be Periodic                                     |                                                     Yes |                                              No |
+| Can have Explicit Max TTL                           |                                                     Yes |                    No (always uses a fixed TTL) |
+| Has Accessors                                       |                                                     Yes |                                              No |
+| Has Cubbyhole                                       |                                                     Yes |                                              No |
+| Revoked with Parent (if not orphan)                 |                                                     Yes |                                   Stops Working |
+| Dynamic Secrets Lease Assignment                    |                                                    Self |                          Parent (if not orphan) |
+| Can be Used Across Performance Replication Clusters |                                                      No |                                 Yes (if orphan) |
+| Creation Scales with Performance Standby Node Count |                                                      No |                                             Yes |
+| Cost                                                | Heavyweight; multiple storage writes per token creation | Lightweight; no storage cost for token creation |
+
+### Service vs. Batch Token Lease Handling
+
+#### Service Tokens
+
+Leases created by service tokens (including child tokens' leases) are tracked
+along with the service token and revoked when the token expires.
+
+#### Batch Tokens
+
+Leases created by batch tokens are constrained to the remaining TTL of the
+batch tokens and, if the batch token is not an orphan, are tracked by the
+parent. They are revoked when the batch token's TTL expires, or when the batch
+token's parent is revoked (at which point the batch token is also denied access
+to Vault).
+
+As a corollary, batch tokens can be used across performance replication
+clusters, but only if they are orphan, since non-orphan tokens will not be able
+to ensure the validity of the parent token.
diff --git a/website/pages/docs/configuration/entropy-augmentation/index.mdx b/website/pages/docs/configuration/entropy-augmentation/index.mdx
new file mode 100644
index 000000000000..bd9469e463aa
--- /dev/null
+++ b/website/pages/docs/configuration/entropy-augmentation/index.mdx
@@ -0,0 +1,49 @@
+---
+layout: docs
+page_title: Entropy Augmentation - Configuration
+sidebar_title: <code>Entropy Augmentation</code> <sup>ENT</sup>
+description: >-
+  Entropy augmentation enables Vault to sample entropy from external
+  cryptographic modules.
+---
+
+# `Entropy Augmentation` Seal
+
+Entropy augmentation enables Vault to sample entropy from an external cryptographic modules.
+Currently, sourcing external entropy is done through a configured [PKCS11 seal](/docs/configuration/seal/pkcs11.html).
+Vault Enterprises's external entropy support is activated by the presence of an `entropy "seal"`
+block in Vault's configuration file.
+
+## Requirements
+
+The following software packages are required for Vault Enterprise Entropy Augmentation:
+
+- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
+  higher of PKCS#11. Depending on any given HSM, some functions (such as key
+  generation) may have to be performed manually.
+- The [GNU libltdl library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html)
+  — ensure that it is installed for the correct architecture of your servers
+- Governance and Policy module of a Vault Enterprise license
+
+## `entropy` Example
+
+This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration
+file:
+
+```hcl
+seal "pkcs11" {
+    ...
+}
+
+entropy "seal" {
+    mode = "augmentation"
+}
+```
+
+## `entropy augmentation` Parameters
+
+These parameters apply to the `entropy` stanza in the Vault configuration file:
+
+- `mode` `(string: <required>)`: The mode determines which Vault operations requiring
+  entropy will sample entropy from the external source. Currently, the only mode supported
+  is `augmentation` which sources entropy for [Critical Security Parameters (CSPs)](</docs/enterprise/entropy-augmentation/index.html#Critical-Security-Parameters-(CSPs)>).
diff --git a/website/pages/docs/configuration/index.mdx b/website/pages/docs/configuration/index.mdx
new file mode 100644
index 000000000000..4b52ddf0a46c
--- /dev/null
+++ b/website/pages/docs/configuration/index.mdx
@@ -0,0 +1,181 @@
+---
+layout: docs
+page_title: Server Configuration
+sidebar_title: Configuration
+description: Vault server configuration reference.
+---
+
+# Vault Configuration
+
+Outside of development mode, Vault servers are configured using a file.
+The format of this file is [HCL](https://github.com/hashicorp/hcl) or JSON.
+An example configuration is shown below:
+
+```javascript
+storage "consul" {
+  address = "127.0.0.1:8500"
+  path    = "vault"
+}
+
+listener "tcp" {
+  address     = "127.0.0.1:8200"
+  tls_disable = 1
+}
+
+telemetry {
+  statsite_address = "127.0.0.1:8125"
+  disable_hostname = true
+}
+```
+
+After the configuration is written, use the `-config` flag with `vault server`
+to specify where the configuration is.
+
+## Parameters
+
+- `storage` <tt>([StorageBackend][storage-backend]: \<required\>)</tt> –
+  Configures the storage backend where Vault data is stored. Please see the
+  [storage backends documentation][storage-backend] for the full list of
+  available storage backends. Running Vault in HA mode would require
+  coordination semantics to be supported by the backend. If the storage backend
+  supports HA coordination, HA backend options can also be specified in this
+  parameter block. If not, a separate `ha_storage` parameter should be
+  configured with a backend that supports HA, along with corresponding HA
+  options.
+
+- `ha_storage` <tt>([StorageBackend][storage-backend]: nil)</tt> – Configures
+  the storage backend where Vault HA coordination will take place. This must be
+  an HA-supporting backend. If not set, HA will be attempted on the backend
+  given in the `storage` parameter. This parameter is not required if the
+  storage backend supports HA coordination and if HA specific options are
+  already specified with `storage` parameter.
+
+- `listener` <tt>([Listener][listener]: \<required\>)</tt> – Configures how
+  Vault is listening for API requests.
+
+- `seal` <tt>([Seal][seal]: nil)</tt> – Configures the seal type to use for
+  auto-unsealing, as well as for
+  [seal wrapping][sealwrap] as an additional layer of data protection.
+
+- `cluster_name` `(string: <generated>)` – Specifies the identifier for the
+  Vault cluster. If omitted, Vault will generate a value. When connecting to
+  Vault Enterprise, this value will be used in the interface.
+
+- `cache_size` `(string: "32000")` – Specifies the size of the read cache used
+  by the physical storage subsystem. The value is in number of entries, so the
+  total cache size depends on the size of stored entries.
+
+- `disable_cache` `(bool: false)` – Disables all caches within Vault, including
+  the read cache used by the physical storage subsystem. This will very
+  significantly impact performance.
+
+- `disable_mlock` `(bool: false)` – Disables the server from executing the
+  `mlock` syscall. `mlock` prevents memory from being swapped to disk. Disabling
+  `mlock` is not recommended in production, but is fine for local development
+  and testing.
+
+  Disabling `mlock` is not recommended unless the systems running Vault only
+  use encrypted swap or do not use swap at all. Vault only supports memory
+  locking on UNIX-like systems that support the mlock() syscall (Linux, FreeBSD, etc).
+  Non UNIX-like systems (e.g. Windows, NaCL, Android) lack the primitives to keep a
+  process's entire memory address space from spilling to disk and is therefore
+  automatically disabled on unsupported platforms.
+
+  On Linux, to give the Vault executable the ability to use the `mlock`
+  syscall without running the process as root, run:
+
+  ```shell
+  sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+  ```
+
+  Note: Since each plugin runs as a separate process, you need to do the same for each plugin in your [plugins directory](https://www.vaultproject.io/docs/internals/plugins.html#plugin-directory).
+
+  If you use a Linux distribution with a modern version of systemd, you can add
+  the following directive to the "[Service]" configuration section:
+
+  ```ini
+  LimitMEMLOCK=infinity
+  ```
+
+- `plugin_directory` `(string: "")` – A directory from which plugins are
+  allowed to be loaded. Vault must have permission to read files in this
+  directory to successfully load plugins, and the value cannot be a symbolic link.
+
+- `telemetry` <tt>([Telemetry][telemetry]: &lt;none&gt;)</tt> – Specifies the telemetry
+  reporting system.
+
+- `log_level` `(string: "")` – Specifies the log level to use; overridden by
+  CLI and env var parameters. On SIGHUP, Vault will update the log level to the
+  current value specified here (including overriding the CLI/env var
+  parameters). Not all parts of Vault's logging can have its level be changed
+  dynamically this way; in particular, secrets/auth plugins are currently not
+  updated dynamically. Supported log levels: Trace, Debug, Error, Warn, Info.
+
+- `log_format` `(string: "")` – Specifies the log format to use; overridden by
+  CLI and env var parameters. Supported log formats: "standard", "json".
+
+- `default_lease_ttl` `(string: "768h")` – Specifies the default lease duration
+  for tokens and secrets. This is specified using a label suffix like `"30s"` or
+  `"1h"`. This value cannot be larger than `max_lease_ttl`.
+
+- `max_lease_ttl` `(string: "768h")` – Specifies the maximum possible lease
+  duration for tokens and secrets. This is specified using a label
+  suffix like `"30s"` or `"1h"`.
+
+- `default_max_request_duration` `(string: "90s")` – Specifies the default
+  maximum request duration allowed before Vault cancels the request. This can
+  be overridden per listener via the `max_request_duration` value.
+
+- `raw_storage_endpoint` `(bool: false)` – Enables the `sys/raw` endpoint which
+  allows the decryption/encryption of raw data into and out of the security
+  barrier. This is a highly privileged endpoint.
+
+- `ui` `(bool: false)` – Enables the built-in web UI, which is available on all
+  listeners (address + port) at the `/ui` path. Browsers accessing the standard
+  Vault API address will automatically redirect there. This can also be provided
+  via the environment variable `VAULT_UI`. For more information, please see the
+  [ui configuration documentation](/docs/configuration/ui/index.html).
+
+- `pid_file` `(string: "")` - Path to the file in which the Vault server's
+  Process ID (PID) should be stored.
+
+### High Availability Parameters
+
+The following parameters are used on backends that support [high availability][high-availability].
+
+- `api_addr` `(string: "")` - Specifies the address (full URL) to advertise to
+  other Vault servers in the cluster for client redirection. This value is also
+  used for [plugin backends][plugins]. This can also be provided via the
+  environment variable `VAULT_API_ADDR`. In general this should be set as a full
+  URL that points to the value of the [`listener`](#listener) address.
+
+- `cluster_addr` `(string: "")` - – Specifies the address to advertise to other
+  Vault servers in the cluster for request forwarding. This can also be provided
+  via the environment variable `VAULT_CLUSTER_ADDR`. This is a full URL, like
+  `api_addr`, but Vault will ignore the scheme (all cluster members always
+  use TLS with a private key/certificate).
+
+- `disable_clustering` `(bool: false)` – Specifies whether clustering features
+  such as request forwarding are enabled. Setting this to true on one Vault node
+  will disable these features _only when that node is the active node_.
+
+### Vault Enterprise Parameters
+
+The following parameters are only used with Vault Enterprise
+
+- `disable_sealwrap` `(bool: false)` – Disables using [seal wrapping][sealwrap]
+  for any value except the master key. If this value is toggled, the new
+  behavior will happen lazily (as values are read or written).
+
+- `disable_performance_standby` `(bool: false)` – Specifies whether performance
+  standbys should be disabled on this node. Setting this to true on one Vault
+  node will disable this feature when this node is Active or Standby. It's
+  recommended to sync this setting across all nodes in the cluster.
+
+[storage-backend]: /docs/configuration/storage/index.html
+[listener]: /docs/configuration/listener/index.html
+[seal]: /docs/configuration/seal/index.html
+[sealwrap]: /docs/enterprise/sealwrap/index.html
+[telemetry]: /docs/configuration/telemetry.html
+[high-availability]: /docs/concepts/ha.html
+[plugins]: /docs/plugin/index.html
diff --git a/website/pages/docs/configuration/listener/index.mdx b/website/pages/docs/configuration/listener/index.mdx
new file mode 100644
index 000000000000..5aa12e75cb01
--- /dev/null
+++ b/website/pages/docs/configuration/listener/index.mdx
@@ -0,0 +1,15 @@
+---
+layout: docs
+page_title: Listeners - Configuration
+sidebar_title: <code>listener</code>
+description: |-
+  The listener stanza configures the addresses and ports on which Vault will
+  respond to requests.
+---
+
+# `listener` Stanza
+
+The `listener` stanza configures the addresses and ports on which Vault will
+respond to requests. At this time, there is only one listener - [TCP][tcp].
+
+[tcp]: /docs/configuration/listener/tcp.html
diff --git a/website/pages/docs/configuration/listener/tcp.mdx b/website/pages/docs/configuration/listener/tcp.mdx
new file mode 100644
index 000000000000..e68c183c8594
--- /dev/null
+++ b/website/pages/docs/configuration/listener/tcp.mdx
@@ -0,0 +1,193 @@
+---
+layout: docs
+page_title: TCP - Listeners - Configuration
+sidebar_title: TCP
+description: |-
+  The TCP listener configures Vault to listen on the specified TCP address and
+  port.
+---
+
+# `tcp` Listener
+
+The TCP listener configures Vault to listen on a TCP address/port.
+
+```hcl
+listener "tcp" {
+  address = "127.0.0.1:8200"
+}
+```
+
+The `listener` stanza may be specified more than once to make Vault listen on
+multiple interfaces. If you configure multiple listeners you also need to
+specify [`api_addr`][api-addr] and [`cluster_addr`][cluster-addr] so Vault will
+advertise the correct address to other nodes.
+
+## `tcp` Listener Parameters
+
+- `address` `(string: "127.0.0.1:8200")` – Specifies the address to bind to for
+  listening.
+
+- `cluster_address` `(string: "127.0.0.1:8201")` – Specifies the address to bind
+  to for cluster server-to-server requests. This defaults to one port higher
+  than the value of `address`. This does not usually need to be set, but can be
+  useful in case Vault servers are isolated from each other in such a way that
+  they need to hop through a TCP load balancer or some other scheme in order to
+  talk.
+
+- `http_idle_timeout` `(string: "5m")` - Specifies the maximum amount of time to
+  wait for the next request when keep-alives are enabled. If `http_idle_timeout`
+  is zero, the value of `http_read_timeout` is used. If both are zero, the value
+  of `http_read_header_timeout` is used. This is specified using a label suffix
+  like `"30s"` or `"1h"`.
+
+- `http_read_header_timeout` `(string: "10s")` - Specifies the amount of time
+  allowed to read request headers. This is specified using a label suffix like
+  `"30s"` or `"1h"`.
+
+- `http_read_timeout` `(string: "30s")` - Specifies the maximum duration for
+  reading the entire request, including the body. This is specified using a
+  label suffix like `"30s"` or `"1h"`.
+
+- `http_write_timeout` `string: "0")` - Specifies the maximum duration before
+  timing out writes of the response and is reset whenever a new request's header
+  is read. The default value of `"0"` means inifinity. This is specified using a
+  label suffix like `"30s"` or `"1h"`.
+
+- `max_request_size` `(int: 33554432)` – Specifies a hard maximum allowed
+  request size, in bytes. Defaults to 32 MB. Specifying a number less than or
+  equal to `0` turns off limiting altogether.
+
+- `max_request_duration` `(string: "90s")` – Specifies the maximum
+  request duration allowed before Vault cancels the request. This overrides
+  `default_max_request_duration` for this listener.
+
+- `proxy_protocol_behavior` `(string: "")` – When specified, enables a PROXY
+  protocol version 1 behavior for the listener.
+  Accepted Values:
+
+  - _use_always_ - The client's IP address will always be used.
+  - _allow_authorized_ - If the source IP address is in the
+    `proxy_protocol_authorized_addrs` list, the client's IP address will be used.
+    If the source IP is not in the list, the source IP address will be used.
+  - _deny_unauthorized_ - The traffic will be rejected if the source IP
+    address is not in the `proxy_protocol_authorized_addrs` list.
+
+- `proxy_protocol_authorized_addrs` `(string: <required-if-enabled> or array: <required-if-enabled> )` –
+  Specifies the list of allowed source IP addresses to be used with the PROXY protocol.
+  Not required if `proxy_protocol_behavior` is set to `use_always`. Source IPs should
+  be comma-delimited if provided as a string. At least one source IP must be provided,
+  `proxy_protocol_authorized_addrs` cannot be an empty array or string.
+
+- `tls_disable` `(string: "false")` – Specifies if TLS will be disabled. Vault
+  assumes TLS by default, so you must explicitly disable TLS to opt-in to
+  insecure communication.
+
+- `tls_cert_file` `(string: <required-if-enabled>, reloads-on-SIGHUP)` –
+  Specifies the path to the certificate for TLS. To configure the listener to
+  use a CA certificate, concatenate the primary certificate and the CA
+  certificate together. The primary certificate should appear first in the
+  combined file. On `SIGHUP`, the path set here _at Vault startup_ will be used
+  for reloading the certificate; modifying this value while Vault is running
+  will have no effect for `SIGHUP`s.
+
+- `tls_key_file` `(string: <required-if-enabled>, reloads-on-SIGHUP)` –
+  Specifies the path to the private key for the certificate. If the key file
+  is encrypted, you will be prompted to enter the passphrase on server startup.
+  The passphrase must stay the same between key files when reloading your
+  configuration using `SIGHUP`. On `SIGHUP`, the path set here _at Vault
+  startup_ will be used for reloading the certificate; modifying this value
+  while Vault is running will have no effect for `SIGHUP`s.
+
+- `tls_min_version` `(string: "tls12")` – Specifies the minimum supported
+  version of TLS. Accepted values are "tls10", "tls11" or "tls12".
+
+  ~> **Warning**: TLS 1.1 and lower are generally considered insecure.
+
+- `tls_cipher_suites` `(string: "")` – Specifies the list of supported
+  ciphersuites as a comma-separated-list. The list of all available ciphersuites
+  is available in the [Golang TLS documentation][golang-tls].
+
+- `tls_prefer_server_cipher_suites` `(string: "false")` – Specifies to prefer the
+  server's ciphersuite over the client ciphersuites.
+
+- `tls_require_and_verify_client_cert` `(string: "false")` – Turns on client
+  authentication for this listener; the listener will require a presented
+  client cert that successfully validates against system CAs.
+
+- `tls_client_ca_file` `(string: "")` – PEM-encoded Certificate Authority file
+  used for checking the authenticity of client.
+
+- `tls_disable_client_certs` `(string: "false")` – Turns off client
+  authentication for this listener. The default behavior (when this is false)
+  is for Vault to request client certificates when available.
+
+- `x_forwarded_for_authorized_addrs` `(string: <required-to-enable>)` –
+  Specifies the list of source IP CIDRs for which an X-Forwarded-For header
+  will be trusted. Comma-separated list or JSON array. This turns on
+  X-Forwarded-For support.
+
+- `x_forwarded_for_hop_skips` `(string: "0")` – The number of addresses that will be
+  skipped from the _rear_ of the set of hops. For instance, for a header value
+  of `1.2.3.4, 2.3.4.5, 3.4.5.6`, if this value is set to `"1"`, the address that
+  will be used as the originating client IP is `2.3.4.5`.
+
+- `x_forwarded_for_reject_not_authorized` `(string: "true")` – If set false,
+  if there is an X-Forwarded-For header in a connection from an unauthorized
+  address, the header will be ignored and the client connection used as-is,
+  rather than the client connection rejected.
+
+- `x_forwarded_for_reject_not_present` `(string: "true")` – If set false, if
+  there is no X-Forwarded-For header or it is empty, the client address will be
+  used as-is, rather than the client connection rejected.
+
+### `telemetry` Parameters
+
+- `unauthenticated_metrics_access` `(string: "false")` - If set to true, allows
+  unauthenticated access to the `/v1/sys/metrics` endpoint.
+
+## `tcp` Listener Examples
+
+### Configuring TLS
+
+This example shows enabling a TLS listener.
+
+```hcl
+listener "tcp" {
+  tls_cert_file = "/etc/certs/vault.crt"
+  tls_key_file  = "/etc/certs/vault.key"
+}
+```
+
+### Listening on Multiple Interfaces
+
+This example shows Vault listening on a private interface, as well as localhost.
+
+```hcl
+listener "tcp" {
+  address = "127.0.0.1:8200"
+}
+
+listener "tcp" {
+  address = "10.0.0.5:8200"
+}
+
+# Advertise the non-loopback interface
+api_addr = "https://10.0.0.5:8200"
+cluster_addr = "https://10.0.0.5:8201"
+```
+
+### Configuring unauthenticated metrics access
+
+This example shows enabling unauthenticated metrics access.
+
+```hcl
+listener "tcp" {
+  telemetry {
+    unauthenticated_metrics_access = true
+  }
+}
+```
+
+[golang-tls]: https://golang.org/src/crypto/tls/cipher_suites.go
+[api-addr]: /docs/configuration/index.html#api_addr
+[cluster-addr]: /docs/configuration/index.html#cluster_addr
diff --git a/website/pages/docs/configuration/seal/alicloudkms.mdx b/website/pages/docs/configuration/seal/alicloudkms.mdx
new file mode 100644
index 000000000000..0090f473a135
--- /dev/null
+++ b/website/pages/docs/configuration/seal/alicloudkms.mdx
@@ -0,0 +1,92 @@
+---
+layout: docs
+page_title: AliCloud KMS - Seals - Configuration
+sidebar_title: AliCloud KMS
+description: >-
+  The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal
+  wrapping
+
+  mechanism.
+---
+
+# `alicloudkms` Seal
+
+The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping mechanism.
+The AliCloud KMS seal is activated by one of the following:
+
+- The presence of a `seal "alicloudkms"` block in Vault's configuration file.
+- The presence of the environment variable `VAULT_SEAL_TYPE` set to `alicloudkms`. If
+  enabling via environment variable, all other required values specific to AliCloud
+  KMS (i.e. `VAULT_ALICLOUDKMS_SEAL_KEY_ID`) must be also supplied, as well as all
+  other AliCloud-related environment variables that lends to successful
+  authentication.
+
+## `alicloudkms` Example
+
+This example shows configuring AliCloud KMS seal through the Vault configuration file
+by providing all the required values:
+
+```hcl
+seal "alicloudkms" {
+  region     = "us-east-1"
+  access_key = "0wNEpMMlzy7szvai"
+  secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA"
+  kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73"
+}
+```
+
+## `alicloudkms` Parameters
+
+These parameters apply to the `seal` stanza in the Vault configuration file:
+
+- `region` `(string: <required> "us-east-1")`: The AliCloud region where the encryption key
+  lives. May also be specified by the `ALICLOUD_REGION`
+  environment variable.
+
+- `domain` `(string: "kms.us-east-1.aliyuncs.com")`: If set, overrides the endpoint
+  AliCloud would normally use for KMS for a particular region. May also be specified
+  by the `ALICLOUD_DOMAIN` environment variable.
+
+- `access_key` `(string: <required>)`: The AliCloud access key ID to use. May also be
+  specified by the `ALICLOUD_ACCESS_KEY` environment variable or as part of the
+  AliCloud profile from the AliCloud CLI or instance profile.
+
+- `secret_key` `(string: <required>)`: The AliCloud secret access key to use. May
+  also be specified by the `ALICLOUD_SECRET_KEY` environment variable or as
+  part of the AliCloud profile from the AliCloud CLI or instance profile.
+
+- `kms_key_id` `(string: <required>)`: The AliCloud KMS key ID to use for encryption
+  and decryption. May also be specified by the `VAULT_ALICLOUDKMS_SEAL_KEY_ID`
+  environment variable.
+
+## Authentication
+
+Authentication-related values must be provided, either as environment
+variables or as configuration parameters.
+
+~> **Note:** Although the configuration file allows you to pass in
+`ALICLOUD_ACCESS_KEY` and `ALICLOUD_SECRET_KEY` as part of the seal's parameters, it
+is _strongly_ recommended to set these values via environment variables.
+
+```text
+AliCloud authentication values:
+
+* `ALICLOUD_REGION`
+* `ALICLOUD_ACCESS_KEY`
+* `ALICLOUD_SECRET_KEY`
+```
+
+Note: The client uses the official AliCloud SDK and will use environment credentials,
+the specified credentials, or RAM role credentials in that order.
+
+## `alicloudkms` Environment Variables
+
+Alternatively, the AliCloud KMS seal can be activated by providing the following
+environment variables:
+
+```text
+Vault Seal specific values:
+
+* `VAULT_SEAL_TYPE`
+* `VAULT_ALICLOUDKMS_SEAL_KEY_ID`
+```
diff --git a/website/pages/docs/configuration/seal/awskms.mdx b/website/pages/docs/configuration/seal/awskms.mdx
new file mode 100644
index 000000000000..fd718fc2ba6c
--- /dev/null
+++ b/website/pages/docs/configuration/seal/awskms.mdx
@@ -0,0 +1,118 @@
+---
+layout: docs
+page_title: AWS KMS - Seals - Configuration
+sidebar_title: AWS KMS
+description: |-
+  The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping
+  mechanism.
+---
+
+# `awskms` Seal
+
+The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping mechanism.
+The AWS KMS seal is activated by one of the following:
+
+- The presence of a `seal "awskms"` block in Vault's configuration file
+- The presence of the environment variable `VAULT_SEAL_TYPE` set to `awskms`. If
+  enabling via environment variable, all other required values specific to AWS
+  KMS (i.e. `VAULT_AWSKMS_SEAL_KEY_ID`) must be also supplied, as well as all
+  other AWS-related environment variables that lends to successful
+  authentication (i.e. `AWS_ACCESS_KEY_ID`, etc.).
+
+## `awskms` Example
+
+This example shows configuring AWS KMS seal through the Vault configuration file
+by providing all the required values:
+
+```hcl
+seal "awskms" {
+  region     = "us-east-1"
+  access_key = "AKIAIOSFODNN7EXAMPLE"
+  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+  kms_key_id = "19ec80b0-dfdd-4d97-8164-c6examplekey"
+  endpoint   = "https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com"
+}
+```
+
+## `awskms` Parameters
+
+These parameters apply to the `seal` stanza in the Vault configuration file:
+
+- `region` `(string: "us-east-1")`: The AWS region where the encryption key
+  lives. If not provided, may be populated from the `AWS_REGION` or
+  `AWS_DEFAULT_REGION` environment variables, from your `~/.aws/config` file,
+  or from instance metadata.
+
+- `access_key` `(string: <required>)`: The AWS access key ID to use. May also be
+  specified by the `AWS_ACCESS_KEY_ID` environment variable or as part of the
+  AWS profile from the AWS CLI or instance profile.
+
+- `session_token` `(string: "")`: Specifies the AWS session token. This can
+  also be provided via the environment variable `AWS_SESSION_TOKEN`.
+
+- `secret_key` `(string: <required>)`: The AWS secret access key to use. May
+  also be specified by the `AWS_SECRET_ACCESS_KEY` environment variable or as
+  part of the AWS profile from the AWS CLI or instance profile.
+
+- `kms_key_id` `(string: <required>)`: The AWS KMS key ID to use for encryption
+  and decryption. May also be specified by the `VAULT_AWSKMS_SEAL_KEY_ID`
+  environment variable.
+
+- `endpoint` `(string: "")`: The KMS API endpoint to be used to make AWS KMS
+  requests. May also be specified by the `AWS_KMS_ENDPOINT` environment
+  variable. This is useful, for example, when connecting to KMS over a [VPC
+  Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html).
+  If not set, Vault will use the default API endpoint for your region.
+
+## Authentication
+
+Authentication-related values must be provided, either as environment
+variables or as configuration parameters.
+
+~> **Note:** Although the configuration file allows you to pass in
+`AWS_ACCESS_KEY_ID` and `AWS_ACCESS_KEY_ID` as part of the seal's parameters, it
+is _strongly_ recommended to set these values via environment variables.
+
+AWS authentication values:
+
+- `AWS_REGION` or `AWS_DEFAULT_REGION`
+- `AWS_ACCESS_KEY_ID`
+- `AWS_SECRET_ACCESS_KEY`
+
+Note: The client uses the official AWS SDK and will use the specified
+credentials, environment credentials, shared file credentials, or IAM role/ECS
+task credentials in that order, if the above AWS specific values are not
+provided.
+
+Vault needs the following permissions on the KMS key:
+
+- `kms:Encrypt`
+- `kms:Decrypt`
+- `kms:DescribeKey`
+
+These can be granted via IAM permissions on the principal that Vault uses, on
+the KMS key policy for the KMS key, or via KMS Grants on the key.
+
+## `awskms` Environment Variables
+
+Alternatively, the AWS KMS seal can be activated by providing the following
+environment variables.
+
+Vault Seal specific values:
+
+- `VAULT_SEAL_TYPE`
+- `VAULT_AWSKMS_SEAL_KEY_ID`
+
+## Key Rotation
+
+This seal supports rotating the master keys defined in AWS KMS
+[doc](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). Both automatic
+rotation and manual rotation is supported for KMS since the key information is stored with the
+encrypted data. Old keys must not be disabled or deleted and are used to decrypt older data.
+Any new or updated data will be encrypted with the current key defined in the seal configuration
+or set to current under a key alias.
+
+## Learn
+
+Refer to the [Auto-unseal using AWS KMS](https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/configuration/seal/azurekeyvault.mdx b/website/pages/docs/configuration/seal/azurekeyvault.mdx
new file mode 100644
index 000000000000..957e995c9204
--- /dev/null
+++ b/website/pages/docs/configuration/seal/azurekeyvault.mdx
@@ -0,0 +1,99 @@
+---
+layout: docs
+page_title: Azure Key Vault - Seals - Configuration
+sidebar_title: Azure Key Vault
+description: >-
+  The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal
+  wrapping
+
+  mechanism.
+---
+
+# `azurekeyvault` Seal
+
+The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal
+wrapping mechanism. The Azure Key Vault seal is activated by one of the following:
+
+- The presence of a `seal "azurekeyvault"` block in Vault's configuration file.
+- The presence of the environment variable `VAULT_SEAL_TYPE` set to `azurekeyvault`.
+  If enabling via environment variable, all other required values specific to
+  Key Vault (i.e. `VAULT_AZUREKEYVAULT_VAULT_NAME`, etc.) must be also supplied, as
+  well as all other Azure-related environment variables that lends to successful
+  authentication (i.e. `AZURE_TENANT_ID`, etc.).
+
+## `azurekeyvault` Example
+
+This example shows configuring Azure Key Vault seal through the Vault
+configuration file by providing all the required values:
+
+```hcl
+seal "azurekeyvault" {
+  tenant_id      = "46646709-b63e-4747-be42-516edeaf1e14"
+  client_id      = "03dc33fc-16d9-4b77-8152-3ec568f8af6e"
+  client_secret  = "DUJDS3..."
+  vault_name     = "hc-vault"
+  key_name       = "vault_key"
+}
+```
+
+## `azurekeyvault` Parameters
+
+These parameters apply to the `seal` stanza in the Vault configuration file:
+
+- `tenant_id` `(string: <required>)`: The tenant id for the Azure Active Directory organization. May
+  also be specified by the `AZURE_TENANT_ID` environment variable.
+
+- `client_id` `(string: <required or MSI>)`: The client id for credentials to query the Azure APIs.
+  May also be specified by the `AZURE_CLIENT_ID` environment variable.
+
+- `client_secret` `(string: <required or MSI>)`: The client secret for credentials to query the Azure APIs.
+  May also be specified by the `AZURE_CLIENT_SECRET` environment variable.
+
+- `environment` `(string: "AZUREPUBLICCLOUD")`: The Azure Cloud environment API endpoints to use. May also
+  be specified by the `AZURE_ENVIRONMENT` environment variable.
+
+- `vault_name` `(string: <required>)`: The Key Vault vault to use the encryption keys for encryption and
+  decryption. May also be specified by the `VAULT_AZUREKEYVAULT_VAULT_NAME` environment variable.
+
+- `key_name` `(string: <required>)`: The Key Vault key to use for encryption and decryption. May also be specified by the
+  `VAULT_AZUREKEYVAULT_KEY_NAME` environment variable.
+
+## Authentication
+
+Authentication-related values must be provided, either as environment
+variables or as configuration parameters.
+
+Azure authentication values:
+
+- `AZURE_TENANT_ID`
+- `AZURE_CLIENT_ID`
+- `AZURE_CLIENT_SECRET`
+- `AZURE_ENVIRONMENT`
+
+~> **Note:** If Vault is hosted on Azure, Vault can use Managed Service
+Identities (MSI) to access Azure instead of an environment and shared client id
+and secret. MSI must be
+[enabled](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/qs-configure-portal-windows-vm)
+on the VMs hosting Vault, and it is the preferred configuration since MSI
+prevents your Azure credentials from being stored as clear text. Refer to the
+[Production
+Hardening](https://learn.hashicorp.com/vault/day-one/production-hardening) guide
+for more best practices.
+
+## `azurekeyvault` Environment Variables
+
+Alternatively, the Azure Key Vault seal can be activated by providing the following
+environment variables:
+
+- `VAULT_AZUREKEYVAULT_VAULT_NAME`
+- `VAULT_AZUREKEYVAULT_KEY_NAME`
+
+## Key Rotation
+
+This seal supports rotating keys defined in Azure Key Vault. Key metadata is stored with the
+encrypted data to ensure the correct key is used during decryption operations.
+
+## Learn
+
+Refer to the [Auto-unseal using Azure Key Vault](https://learn.hashicorp.com/vault/operations/autounseal-azure-keyvault)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/configuration/seal/gcpckms.mdx b/website/pages/docs/configuration/seal/gcpckms.mdx
new file mode 100644
index 000000000000..70d186b8ea91
--- /dev/null
+++ b/website/pages/docs/configuration/seal/gcpckms.mdx
@@ -0,0 +1,115 @@
+---
+layout: docs
+page_title: GCP Cloud KMS - Seals - Configuration
+sidebar_title: GCP Cloud KMS
+description: >-
+  The GCP Cloud KMS seal configures Vault to use GCP Cloud KMS as the seal
+  wrapping
+
+  mechanism.
+---
+
+# `gcpckms` Seal
+
+The GCP Cloud KMS seal configures Vault to use GCP Cloud KMS as the seal
+wrapping mechanism. The GCP Cloud KMS seal is activated by one of the following:
+
+- The presence of a `seal "gcpckms"` block in Vault's configuration file.
+- The presence of the environment variable `VAULT_SEAL_TYPE` set to `gcpckms`.
+  If enabling via environment variable, all other required values specific to
+  Cloud KMS (i.e. `VAULT_GCPCKMS_SEAL_KEY_RING`, etc.) must be also supplied, as
+  well as all other GCP-related environment variables that lends to successful
+  authentication (i.e. `GOOGLE_PROJECT`, etc.).
+
+## `gcpckms` Example
+
+This example shows configuring GCP Cloud KMS seal through the Vault
+configuration file by providing all the required values:
+
+```hcl
+seal "gcpckms" {
+  credentials = "/usr/vault/vault-project-user-creds.json"
+  project     = "vault-project"
+  region      = "global"
+  key_ring    = "vault-keyring"
+  crypto_key  = "vault-key"
+}
+```
+
+## `gcpckms` Parameters
+
+These parameters apply to the `seal` stanza in the Vault configuration file:
+
+- `credentials` `(string: <required>)`: The path to the credentials JSON file
+  to use. May be also specified by the `GOOGLE_CREDENTIALS` or
+  `GOOGLE_APPLICATION_CREDENTIALS` environment variable or set automatically if
+  running under Google App Engine, Google Compute Engine or Google Kubernetes
+  Engine.
+
+- `project` `(string: <required>)`: The GCP project ID to use. May also be
+  specified by the `GOOGLE_PROJECT` environment variable.
+
+- `region` `(string: "us-east-1")`: The GCP region/location where the key ring
+  lives. May also be specified by the `GOOGLE_REGION` environment variable.
+
+- `key_ring` `(string: <required>)`: The GCP CKMS key ring to use. May also be
+  specified by the `VAULT_GCPCKMS_SEAL_KEY_RING` environment variable.
+
+- `crypto_key` `(string: <required>)`: The GCP CKMS crypto key to use for
+  encryption and decryption. May also be specified by the
+  `VAULT_GCPCKMS_SEAL_CRYPTO_KEY` environment variable.
+
+## Authentication &amp; Permissions
+
+Authentication-related values must be provided, either as environment
+variables or as configuration parameters.
+
+GCP authentication values:
+
+- `GOOGLE_CREDENTIALS` or `GOOGLE_APPLICATION_CREDENTIALS`
+- `GOOGLE_PROJECT`
+- `GOOGLE_REGION`
+
+Note: The client uses the official Google SDK and will use the specified
+credentials, environment credentials, or [application default
+credentials](https://developers.google.com/identity/protocols/application-default-credentials)
+in that order, if the above GCP specific values are not provided.
+
+The service account needs the following minimum permissions on the crypto key:
+
+```text
+cloudkms.cryptoKeyVersions.useToEncrypt
+cloudkms.cryptoKeyVersions.useToDecrypt
+cloudkms.cryptoKeys.get
+```
+
+These permissions can be described with the following role:
+
+```text
+roles/cloudkms.cryptoKeyEncrypterDecrypter
+cloudkms.cryptoKeys.get
+```
+
+`cloudkms.cryptoKeys.get` permission is used for retrieving metadata information of keys from CloudKMS within this engine initialization process.
+
+## `gcpckms` Environment Variables
+
+Alternatively, the GCP Cloud KMS seal can be activated by providing the following
+environment variables:
+
+- `VAULT_SEAL_TYPE`
+- `VAULT_GCPCKMS_SEAL_KEY_RING`
+- `VAULT_GCPCKMS_SEAL_CRYPTO_KEY`
+
+## Key Rotation
+
+This seal supports rotating keys defined in Google Cloud KMS
+[doc](https://cloud.google.com/kms/docs/rotating-keys). Both scheduled rotation and manual
+rotation is supported for CKMS since the key information. Old keys version must not be
+disabled or deleted and are used to decrypt older data. Any new or updated data will be
+encrypted with the primary key version.
+
+## Learn
+
+Refer to the [Auto-unseal using GCP Cloud KMS](https://learn.hashicorp.com/vault/operations/autounseal-gcp-kms)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/configuration/seal/index.mdx b/website/pages/docs/configuration/seal/index.mdx
new file mode 100644
index 000000000000..561a1631c896
--- /dev/null
+++ b/website/pages/docs/configuration/seal/index.mdx
@@ -0,0 +1,47 @@
+---
+layout: docs
+page_title: Seals - Configuration
+sidebar_title: <code>seal</code>
+description: >-
+  The seal stanza configures the seal type to use for additional data
+  protection.
+---
+
+# `seal` Stanza
+
+The `seal` stanza configures the seal type to use for additional data
+protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the
+master key. This stanza is optional, and in the case of the master key, Vault
+will use the Shamir algorithm to cryptographically split the master key if this
+is not configured.
+
+As of Vault 0.9.0, the seal can also be used for [seal wrapping][sealwrap] to
+add an extra layer of protection and satisfy compliance and regulatory requirements.
+This feature is only available in Vault Enterprise.
+
+For more examples, please choose a specific auto unsealing technology from the
+sidebar.
+
+## Configuration
+
+Seal configuration can be done through the Vault configuration file using the
+`seal` stanza:
+
+```hcl
+seal [NAME] {
+  # ...
+}
+```
+
+For example:
+
+```hcl
+seal "pkcs11" {
+  # ...
+}
+```
+
+For configuration options which also read an environment variable, the
+environment variable will take precedence over values in the configuration file.
+
+[sealwrap]: /docs/enterprise/sealwrap/index.html
diff --git a/website/pages/docs/configuration/seal/ocikms.mdx b/website/pages/docs/configuration/seal/ocikms.mdx
new file mode 100644
index 000000000000..da034e837c8f
--- /dev/null
+++ b/website/pages/docs/configuration/seal/ocikms.mdx
@@ -0,0 +1,113 @@
+---
+layout: docs
+page_title: OCI KMS - Seals - Configuration
+sidebar_title: OCI KMS
+description: |-
+  The OCI KMS seal configures Vault to use OCI KMS as the seal wrapping
+  mechanism.
+---
+
+# `ocikms` Seal
+
+The OCI KMS seal configures Vault to use OCI KMS as the seal wrapping mechanism.
+The OCI KMS seal is activated by one of the following:
+
+- The presence of a `seal "ocikms"` block in Vault's configuration file
+- The presence of the environment variable `VAULT_SEAL_TYPE` set to `ocikms`. If
+  enabling via environment variable, all other required values specific to OCI
+  KMS (i.e. `VAULT_OCIKMS_SEAL_KEY_ID`, `VAULT_OCIKMS_CRYPTO_ENDPOINT` `VAULT_OCIKMS_MANAGEMENT_ENDPOINT`) must be also supplied, as well as all
+  other OCI-related [environment variables][oci-sdk] that lends to successful
+  authentication.
+
+## `ocikms` Example
+
+This example shows configuring the OCI KMS seal through the Vault configuration file
+by providing all the required values:
+
+```hcl
+seal "ocikms" {
+    key_id               = "ocid1.key.oc1.iad.afnxza26aag4s.abzwkljsbapzb2nrha5nt3s7s7p42ctcrcj72vn3kq5qx"
+    crypto_endpoint      = "https://afnxza26aag4s-crypto.kms.us-ashburn-1.oraclecloud.com"
+    management_endpoint  = "https://afnxza26aag4s-management.kms.us-ashburn-1.oraclecloud.com"
+    auth_type_api_key    = "true"
+}
+```
+
+## `ocikms` Parameters
+
+These parameters apply to the `seal` stanza in the Vault configuration file:
+
+- `key_id` `(string: <required>)`: The OCI KMS key ID to use. May also be
+  specified by the `VAULT_OCIKMS_SEAL_KEY_ID` environment variable.
+- `crypto_endpoint` `(string: <required>)`: The OCI KMS cryptographic endpoint (or data plane endpoint)
+  to be used to make OCI KMS encryption/decryption requests. May also be specified by the `VAULT_OCIKMS_CRYPTO_ENDPOINT` environment
+  variable.
+- `management_endpoint` `(string: <required>)`: The OCI KMS management endpoint (or control plane endpoint)
+  to be used to make OCI KMS key management requests. May also be specified by the `VAULT_OCIKMS_MANAGEMENT_ENDPOINT` environment
+  variable.
+- `auth_type_api_key` `(boolean: false)`: Specifies if using API key to authenticate to OCI KMS service.
+  If it is `false`, Vault authenticates using the instance principal from the compute instance. See Authentication section for details. Default is `false`.
+
+## Authentication
+
+Authentication-related values must be provided, either as environment
+variables or as configuration parameters.
+
+If you want to use Instance Principal, add section configuration below and add further configuration settings as detailed at https://www.vaultproject.io/docs/configuration/.
+
+```hcl
+seal "ocikms" {
+    crypto_endpoint     = "<kms-crypto-endpoint>"
+    management_endpoint = "<kms-management-endpoint>"
+    key_id              = "<kms-key-id>"
+}
+# Notes:
+# crypto_endpoint can be replaced by VAULT_OCIKMS_CRYPTO_ENDPOINT environment var
+# management_endpoint can be replaced by VAULT_OCIKMS_MANAGEMENT_ENDPOINT environment var
+# key_id can be replaced by VAULT_OCIKMS_SEAL_KEY_ID environment var
+```
+
+If you want to use User Principal, the plugin will take the API key you defined for OCI SDK, often under `~/.oci/config`.
+
+```hcl
+seal "ocikms" {
+    auth_type_api_key   = true
+    crypto_endpoint     = "<kms-crypto-endpoint>"
+    management_endpoint = "<kms-management-endpoint>"
+    key_id              = "<kms-key-id>"
+}
+```
+
+To grant permission for a compute instance to use OCI KMS service, write policies for KMS access.
+
+- Create a [Dynamic Group][oci-dg] in your OCI tenancy.
+- Create a policy that allows the Dynamic Group to use or manage keys from OCI KMS. There are multiple ways to write these policies. The [OCI Identity Policy][oci-id] can be used as a reference or starting point.
+
+The most common policy allows a dynamic group of tenant A to use KMS's keys in tenant B:
+
+```text
+define tenancy tenantB as <tenantB-ocid>
+
+endorse dynamic-group <dynamic-group-name> to use keys in tenancy tenantB
+
+```
+
+```text
+define tenancy tenantA as <tenantA-ocid>
+
+define dynamic-group <dynamic-group-name> as <dynamic-group-ocid>
+
+admit dynamic-group <dynamic-group-name> of tenancy tenantA to use keys in compartment <key-compartment>
+
+```
+
+## `ocikms` Rotate OCI KMS Master Key
+
+For the [OCI KMS key rotation feature][oci-kms-rotation], OCI KMS will create a new version of key internally. This process is independent from Vault, and Vault still uses the same `key_id` without any interruption.
+
+If you want to change the `key_id`: migrate to Shamir, change `key_id`, and then migrate to OCI KMS with the new `key_id`.
+
+[oci-sdk]: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
+[oci-dg]: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm
+[oci-id]: https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policies.htm
+[oci-kms-rotation]: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Tasks/managingkeys.htm
diff --git a/website/pages/docs/configuration/seal/pkcs11.mdx b/website/pages/docs/configuration/seal/pkcs11.mdx
new file mode 100644
index 000000000000..942f0dcdaa83
--- /dev/null
+++ b/website/pages/docs/configuration/seal/pkcs11.mdx
@@ -0,0 +1,247 @@
+---
+layout: docs
+page_title: PKCS11 - Seals - Configuration
+sidebar_title: HSM PKCS11 <sup>ENT</sup>
+description: |-
+  The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal
+  wrapping mechanism.
+---
+
+# `pkcs11` Seal
+
+The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal wrapping
+mechanism. Vault Enterprise's HSM PKCS11 support is activated by one of the
+following:
+
+- The presence of a `seal "pkcs11"` block in Vault's configuration file
+- The presence of the environment variable `VAULT_HSM_LIB` set to the library's
+  path as well as `VAULT_HSM_TYPE` set to `pkcs11`. If enabling via environment
+  variable, all other required values (i.e. `VAULT_HSM_SLOT`) must be also
+  supplied.
+
+**IMPORTANT**: Having Vault generate its own key is the easiest way to get up
+and running, but for security, Vault marks the key as non-exportable. If your
+HSM key backup strategy requires the key to be exportable, you should generate
+the key yourself. The list of creation attributes that Vault uses to generate
+the key are listed at the end of this document.
+
+## Requirements
+
+The following software packages are required for Vault Enterprise HSM:
+
+- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
+  higher of PKCS#11. Depending on any given HSM, some functions (such as key
+  generation) may have to be performed manually.
+- The [GNU libltdl
+  library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html)
+  — ensure that it is installed for the correct architecture of your servers
+
+## `pkcs11` Example
+
+This example shows configuring HSM PKCS11 seal through the Vault configuration
+file by providing all the required values:
+
+```hcl
+seal "pkcs11" {
+  lib            = "/usr/vault/lib/libCryptoki2_64.so"
+  slot           = "0"
+  pin            = "AAAA-BBBB-CCCC-DDDD"
+  key_label      = "vault-hsm-key"
+  hmac_key_label = "vault-hsm-hmac-key"
+}
+```
+
+## `pkcs11` Parameters
+
+These parameters apply to the `seal` stanza in the Vault configuration file:
+
+- `lib` `(string: <required>)`: The path to the PKCS#11 library shared object
+  file. May also be specified by the `VAULT_HSM_LIB` environment variable.
+  **Note:** Depending on your HSM, this may be either a binary or a dynamic
+  library, and its use may require other libraries depending on which system the
+  Vault binary is currently running on (e.g.: a Linux system may require other
+  libraries to interpret Windows .dll files).
+
+- `slot` `(string: <slot or token label required>)`: The slot number to use,
+  specified as a string (e.g. `"0"`). May also be specified by the `VAULT_HSM_SLOT`
+  environment variable.
+
+- `token_label` `(string: <slot or token label required>)`: The slot token label to
+  use. May also be specified by the `VAULT_HSM_TOKEN_LABEL` environment variable.
+
+- `pin` `(string: <required>)`: The PIN for login. May also be specified by the
+  `VAULT_HSM_PIN` environment variable. _If set via the environment variable,
+  Vault will obfuscate the environment variable after reading it, and it will
+  need to be re-set if Vault is restarted._
+
+- `key_label` `(string: <required>)`: The label of the key to use. If the key
+  does not exist and generation is enabled, this is the label that will be given
+  to the generated key. May also be specified by the `VAULT_HSM_KEY_LABEL`
+  environment variable.
+
+- `default_key_label` `(string: "")`: This is the default key label for decryption
+  operations. Prior to 0.10.1, key labels were not stored with the ciphertext.
+  Seal entries now track the label used in encryption operations. The default value
+  for this field is the `key_label`. If `key_label` is rotated and this value is not
+  set, decryption may fail. May also be specified by the `VAULT_HSM_DEFAULT_KEY_LABEL`
+  environment variable. This value is ignored in new installations.
+
+- `hmac_key_label` `(string: <required>)`: The label of the key to use for
+  HMACing. This needs to be a suitable type. If Vault tries to create this it
+  will attempt to use CKK_GENERIC_SECRET_KEY. If the key does not exist and
+  generation is enabled, this is the label that will be given to the generated
+  key. May also be specified by the `VAULT_HSM_HMAC_KEY_LABEL` environment
+  variable.
+
+- `default_hmac_key_label` `(string: "")`: This is the default HMAC key label for signing
+  operations. Prior to 0.10.1, HMAC key labels were not stored with the signature.
+  Seal entries now track the label used in signing operations. The default value
+  for this field is the `hmac_key_label`. If `hmac_key_label` is rotated and this
+  value is not set, signature verification may fail. May also be specified by the
+  `VAULT_HSM_HMAC_DEFAULT_KEY_LABEL` environment variable. This value is ignored in
+  new installations.
+
+- `mechanism` `(string: <best available>)`: The encryption/decryption mechanism to use,
+  specified as a decimal or hexadecimal (prefixed by `0x`) string. May also be
+  specified by the `VAULT_HSM_MECHANISM` environment variable.  
+  Currently supported mechanisms (in order of precedence):
+
+  - `0x1085` `CKM_AES_CBC_PAD` (HMAC mechanism required)
+  - `0x1082` `CKM_AES_CBC` (HMAC mechanism required)
+  - `0x1087` `CKM_AES_GCM`
+  - `0x0009` `CKM_RSA_PKCS_OAEP`
+  - `0x0001` `CKM_RSA_PKCS`
+
+- `hmac_mechanism` `(string: "0x0251")`: The encryption/decryption mechanism to
+  use, specified as a decimal or hexadecimal (prefixed by `0x`) string.
+  Currently only `0x0251` (corresponding to `CKM_SHA256_HMAC` from the
+  specification) is supported. May also be specified by the
+  `VAULT_HSM_HMAC_MECHANISM` environment variable. This value is only required
+  for specific mechanisms.
+
+- `generate_key` `(string: "false")`: If no existing key with the label
+  specified by `key_label` can be found at Vault initialization time, instructs
+  Vault to generate a key. This is a boolean expressed as a string (e.g.
+  `"true"`). May also be specified by the `VAULT_HSM_GENERATE_KEY` environment
+  variable. Vault may not be able to successfully generate keys in all
+  circumstances, such as if proprietary vendor extensions are required to
+  create keys of a suitable type.
+
+### Mechanism Specific Flags
+
+- `rsa_encrypt_local` `(string: "false")`: For HSMs that do not support encryption
+  for RSA keys, perform encryption locally. Available for mechanisms
+  `CKM_RSA_PKCS_OAEP` and `CKM_RSA_PKCS`. May also be specified by the
+  `VAULT_HSM_RSA_ENCRYPT_LOCAL` environment variable.
+
+- `rsa_oaep_hash` `(string: "sha256")`: Specify the hash algorithm to use for RSA
+  with OAEP padding. Valid values are sha1, sha224, sha256, sha384, and sha512.
+  Available for mechanism `CKM_RSA_PKCS_OAEP`. May also be specified by the
+  `VAULT_HSM_RSA_OAEP_HASH` environment variable.
+
+~> **Note:** Although the configuration file allows you to pass in
+`VAULT_HSM_PIN` as part of the seal's parameters, it is _strongly_ recommended
+to set this value via environment variables.
+
+## `pkcs11` Environment Variables
+
+Alternatively, the HSM seal can be activated by providing the following
+environment variables:
+
+```text
+VAULT_HSM_LIB
+VAULT_HSM_TYPE
+VAULT_HSM_SLOT
+VAULT_HSM_TOKEN_LABEL
+VAULT_HSM_PIN
+VAULT_HSM_KEY_LABEL
+VAULT_HSM_DEFAULT_KEY_LABEL
+VAULT_HSM_HMAC_KEY_LABEL
+VAULT_HSM_HMAC_DEFAULT_KEY_LABEL
+VAULT_HSM_MECHANISM
+VAULT_HSM_HMAC_MECHANISM
+VAULT_HSM_GENERATE_KEY
+VAULT_HSM_RSA_ENCRYPT_LOCAL
+VAULT_HSM_RSA_OAEP_HASH
+```
+
+## Vault Key Generation Attributes
+
+If Vault generates the HSM key for you, the following is the list of attributes
+it uses. These identifiers correspond to official PKCS#11 identifiers.
+
+### AES Key
+
+- `CKA_CLASS`: `CKO_SECRET_KEY` (It's a secret key)
+- `CKA_KEY_TYPE`: `CKK_AES` (Key type is AES)
+- `CKA_VALUE_LEN`: `32` (Key size is 256 bits)
+- `CKA_LABEL`: Set to the key label set in Vault's configuration
+- `CKA_ID`: Set to a random 32-bit unsigned integer
+- `CKA_PRIVATE`: `true` (Key is private to this slot/token)
+- `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
+  session only)
+- `CKA_SENSITIVE`: `true` (Key is a sensitive value)
+- `CKA_ENCRYPT`: `true` (Key can be used for encryption)
+- `CKA_DECRYPT`: `true` (Key can be used for decryption)
+- `CKA_WRAP`: `true` (Key can be used for wrapping)
+- `CKA_UNWRAP`: `true` (Key can be used for unwrapping)
+- `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
+
+### RSA Key
+
+_Public Key_
+
+- `CKA_CLASS`: `CKO_PUBLIC_KEY` (It's a public key)
+- `CKA_KEY_TYPE`: `CKK_RSA` (Key type is RSA)
+- `CKA_LABEL`: Set to the key label set in Vault's configuration
+- `CKA_ID`: Set to a random 32-bit unsigned integer
+- `CKA_ENCRYPT`: `true` (Key can be used for encryption)
+- `CKA_WRAP`: `true` (Key can be used for wrapping)
+- `CKA_MODULUS_BITS`: `2048` (Key size is 2048 bits)
+- `CKA_PUBLIC_EXPONENT`: `0x10001` (Public exponent of 65537)
+- `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
+  session only)
+
+_Private Key_
+
+- `CKA_CLASS`: `CKO_PRIVATE_KEY` (It's a private key)
+- `CKA_KEY_TYPE`: `CKK_RSA` (Key type is RSA)
+- `CKA_LABEL`: Set to the key label set in Vault's configuration
+- `CKA_ID`: Set to a random 32-bit unsigned integer
+- `CKA_DECRYPT`: `true` (Key can be used for decryption)
+- `CKA_UNWRAP`: `true` (Key can be used for unwrapping)
+- `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
+  session only)
+- `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
+
+### HMAC Key
+
+- `CKA_CLASS`: `CKO_SECRET_KEY` (It's a secret key)
+- `CKA_KEY_TYPE`: `CKK_GENERIC_SECRET_KEY` (Key type is a generic secret key)
+- `CKA_VALUE_LEN`: `32` (Key size is 256 bits)
+- `CKA_LABEL`: Set to the HMAC key label set in Vault's configuration
+- `CKA_ID`: Set to a random 32-bit unsigned integer
+- `CKA_PRIVATE`: `true` (Key is private to this slot/token)
+- `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
+  session only)
+- `CKA_SENSITIVE`: `true` (Key is a sensitive value)
+- `CKA_SIGN`: `true` (Key can be used for signing)
+- `CKA_VERIFY`: `true` (Key can be used for verifying)
+- `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
+
+## Key Rotation
+
+This seal supports rotating keys by using different key labels to track key versions. To rotate
+the key value, generate a new key in a different key label in the HSM and update Vault's
+configuration with the new key label value. Restart your vault instance to pick up the new key
+label and all new encryption operations will use the updated key label. Old keys must not be disabled
+or deleted and are used to decrypt older data.
+
+**NOTE**: Prior to version 0.10.1, key information was not tracked with the ciphertext. If
+rotation is desired for data that was seal wrapped prior to this version must also set
+`default_key_label` and `hmac_default_key_label` to allow for decryption of older values.
+
+## Learn
+
+Refer to the [HSM Integration - Seal Wrap](https://learn.hashicorp.com/vault/operations/ops-seal-wrap)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/configuration/seal/transit.mdx b/website/pages/docs/configuration/seal/transit.mdx
new file mode 100644
index 000000000000..bd46419ffd94
--- /dev/null
+++ b/website/pages/docs/configuration/seal/transit.mdx
@@ -0,0 +1,122 @@
+---
+layout: docs
+page_title: Vault Transit - Seals - Configuration
+sidebar_title: Vault Transit
+description: |-
+  The Transit seal configures Vault to use Vault's Transit Secret Engine as the
+  autoseal mechanism.
+---
+
+# `transit` Seal
+
+The Transit seal configures Vault to use Vault's Transit Secret Engine as the
+autoseal mechanism.
+The Transit seal is activated by one of the following:
+
+- The presence of a `seal "transit"` block in Vault's configuration file
+- The presence of the environment variable `VAULT_SEAL_TYPE` set to `transit`.
+
+## `transit` Example
+
+This example shows configuring Transit seal through the Vault configuration file
+by providing all the required values:
+
+```hcl
+seal "transit" {
+  address            = "https://vault:8200"
+  token              = "s.Qf1s5zigZ4OX6akYjQXJC1jY"
+  disable_renewal    = "false"
+
+  // Key configuration
+  key_name           = "transit_key_name"
+  mount_path         = "transit/"
+  namespace          = "ns1/"
+
+  // TLS Configuration
+  tls_ca_cert        = "/etc/vault/ca_cert.pem"
+  tls_client_cert    = "/etc/vault/client_cert.pem"
+  tls_client_key     = "/etc/vault/ca_cert.pem"
+  tls_server_name    = "vault"
+  tls_skip_verify    = "false"
+}
+```
+
+## `transit` Parameters
+
+These parameters apply to the `seal` stanza in the Vault configuration file:
+
+- `address` `(string: <required>)`: The full address to the Vault cluster.
+  This may also be specified by the `VAULT_ADDR` environment variable.
+
+- `token` `(string: <required>)`: The Vault token to use. This may also be
+  specified by the `VAULT_TOKEN` environment variable.
+
+- `key_name` `(string: <required>)`: The transit key to use for encryption and
+  decryption. This may also be supplied using the `VAULT_TRANSIT_SEAL_KEY_NAME`
+  environment variable.
+
+- `mount_path` `(string: <required>)`: The mount path to the transit secret engine.  
+  This may also be supplied using the `VAULT_TRANSIT_SEAL_MOUNT_PATH` environment
+  variable.
+
+- `namespace` `(string: "")`: The namespace path to the transit secret engine.  
+  This may also be supplied using the `VAULT_NAMESPACE` environment variable.
+
+- `disable_renewal` `(string: "false")`: Disables the automatic renewal of the token
+  in case the lifecycle of the token is managed with some other mechanism outside of
+  Vault, such as Vault Agent. This may also be specified using the
+  `VAULT_TRANSIT_SEAL_DISABLE_RENEWAL` environment variable.
+
+- `tls_ca_cert` `(string: "")`: Specifies the path to the CA certificate file used
+  for communication with the Vault server. This may also be specified using the
+  `VAULT_CA_CERT` environment variable.
+
+- `tls_client_cert` `(string: "")`: Specifies the path to the client certificate
+  for communication with the Vault server. This may also be specified using the
+  `VAULT_CLIENT_CERT` environment variable.
+
+- `tls_client_key` `(string: "")`: Specifies the path to the private key for
+  communication with the Vault server. This may also be specified using the
+  `VAULT_CLIENT_KEY` environment variable.
+
+- `tls_server_name` `(string: "")`: Name to use as the SNI host when connecting
+  to the Vault server via TLS. This may also be specified via the
+  `VAULT_TLS_SERVER_NAME` environment variable.
+
+- `tls_skip_verify` `(bool: "false")`: Disable verification of TLS certificates.
+  Using this option is highly discouraged and decreases the security of data
+  transmissions to and from the Vault server. This may also be specified using the
+  `VAULT_SKIP_VERIFY` environment variable.
+
+## Authentication
+
+Authentication-related values must be provided, either as environment
+variables or as configuration parameters.
+
+~> **Note:** Although the configuration file allows you to pass in
+`VAULT_TOKEN` as part of the seal's parameters, it is _strongly_ recommended
+to set these values via environment variables.
+
+The Vault token used to authenticate needs the following permissions on the
+transit key:
+
+```hcl
+path "<mount path>/encrypt/<key name>" {
+  capabilities = ["update"]
+}
+
+path "<mount path>/decrypt/<key name>" {
+  capabilities = ["update"]
+}
+```
+
+## Key Rotation
+
+This seal supports key rotation using the Transit Secret Engine's key rotation endpoints. See
+[doc](/api/secret/transit/index.html#rotate-key). Old keys must not be disabled or deleted and are
+used to decrypt older data.
+
+## Learn
+
+Refer to the [Auto-unseal using Transit Secrets Engine](https://learn.hashicorp.com/vault/operations/autounseal-transit)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/configuration/service-registration/consul.mdx b/website/pages/docs/configuration/service-registration/consul.mdx
new file mode 100644
index 000000000000..e397cb68a96a
--- /dev/null
+++ b/website/pages/docs/configuration/service-registration/consul.mdx
@@ -0,0 +1,230 @@
+---
+layout: docs
+page_title: Consul - Service Registration - Configuration
+sidebar_title: Consul
+description: >-
+  Consul Service Registration registers Vault as a service in Consul with a
+  default
+
+  health check.
+---
+
+# Consul Service Registration
+
+Consul Service Registration registers Vault as a service in [Consul][consul] with
+a default health check.
+
+- **HashiCorp Supported** – Consul Service Registration is officially supported
+  by HashiCorp.
+
+```hcl
+service_registration "consul" {
+  address      = "127.0.0.1:8500"
+}
+```
+
+Once properly configured, an unsealed Vault installation should be available and
+accessible at:
+
+```text
+active.vault.service.consul
+```
+
+Unsealed Vault instances in standby mode are available at:
+
+```text
+standby.vault.service.consul
+```
+
+All unsealed Vault instances are available as healthy at:
+
+```text
+vault.service.consul
+```
+
+Sealed Vault instances will mark themselves as unhealthy to avoid being returned
+at Consul's service discovery layer.
+
+## `consul` Parameters
+
+- `address` `(string: "127.0.0.1:8500")` – Specifies the address of the Consul
+  agent to communicate with. This can be an IP address, DNS record, or unix
+  socket. It is recommended that you communicate with a local Consul agent; do
+  not communicate directly with a server.
+
+- `check_timeout` `(string: "5s")` – Specifies the check interval used to send
+  health check information back to Consul. This is specified using a label
+  suffix like `"30s"` or `"1h"`.
+
+- `disable_registration` `(string: "false")` – Specifies whether Vault should
+  register itself with Consul.
+
+- `scheme` `(string: "http")` – Specifies the scheme to use when communicating
+  with Consul. This can be set to "http" or "https". It is highly recommended
+  you communicate with Consul over https over non-local connections. When
+  communicating over a unix socket, this option is ignored.
+
+- `service` `(string: "vault")` – Specifies the name of the service to register
+  in Consul.
+
+- `service_tags` `(string: "")` – Specifies a comma-separated list of tags to
+  attach to the service registration in Consul.
+
+- `service_address` `(string: nil)` – Specifies a service-specific address to
+  set on the service registration in Consul. If unset, Vault will use what it
+  knows to be the HA redirect address - which is usually desirable. Setting
+  this parameter to `""` will tell Consul to leverage the configuration of the
+  node the service is registered on dynamically. This could be beneficial if
+  you intend to leverage Consul's
+  [`translate_wan_addrs`][consul-translate-wan-addrs] parameter.
+
+- `token` `(string: "")` – Specifies the [Consul ACL token][consul-acl] with
+  permission to read and write from the `path` in Consul's key-value store.
+  This is **not** a Vault token. See the ACL section below for help.
+
+The following settings apply when communicating with Consul via an encrypted
+connection. You can read more about encrypting Consul connections on the
+[Consul encryption page][consul-encryption].
+
+- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate used
+  for Consul communication. This defaults to system bundle if not specified.
+  This should be set according to the
+  [`ca_file`](https://www.consul.io/docs/agent/options.html#ca_file) setting in
+  Consul.
+
+- `tls_cert_file` `(string: "")` (optional) – Specifies the path to the
+  certificate for Consul communication. This should be set according to the
+  [`cert_file`](https://www.consul.io/docs/agent/options.html#cert_file) setting
+  in Consul.
+
+- `tls_key_file` `(string: "")` – Specifies the path to the private key for
+  Consul communication. This should be set according to the
+  [`key_file`](https://www.consul.io/docs/agent/options.html#key_file) setting
+  in Consul.
+
+- `tls_min_version` `(string: "tls12")` – Specifies the minimum TLS version to
+  use. Accepted values are `"tls10"`, `"tls11"` or `"tls12"`.
+
+- `tls_skip_verify` `(string: "false")` – Disable verification of TLS certificates.
+  Using this option is highly discouraged.
+
+## ACLs
+
+If using ACLs in Consul, you'll need appropriate permissions. For Consul 0.8,
+the following will work for most use-cases, assuming that your service name is
+`vault` and the prefix being used is `vault/`:
+
+```json
+{
+  "key": {
+    "vault/": {
+      "policy": "write"
+    }
+  },
+  "node": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "service": {
+    "vault": {
+      "policy": "write"
+    }
+  },
+  "agent": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "session": {
+    "": {
+      "policy": "write"
+    }
+  }
+}
+```
+
+For Consul 1.4+, the following example takes into account the changed ACL
+language:
+
+```json
+{
+  "key_prefix": {
+    "vault/": {
+      "policy": "write"
+    }
+  },
+  "node_prefix": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "service": {
+    "vault": {
+      "policy": "write"
+    }
+  },
+  "agent_prefix": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "session_prefix": {
+    "": {
+      "policy": "write"
+    }
+  }
+}
+```
+
+## `consul` Examples
+
+### Local Agent
+
+This example shows a sample configuration which communicates with a local
+Consul agent running on `127.0.0.1:8500`.
+
+```hcl
+service_registration "consul" {}
+```
+
+### Detailed Customization
+
+This example shows communicating with Consul on a custom address with an ACL
+token.
+
+```hcl
+service_registration "consul" {
+  address = "10.5.7.92:8194"
+  token   = "abcd1234"
+}
+```
+
+### Consul via Unix Socket
+
+This example shows communicating with Consul over a local unix socket.
+
+```hcl
+service_registration "consul" {
+  address = "unix:///tmp/.consul.http.sock"
+}
+```
+
+### Custom TLS
+
+This example shows using a custom CA, certificate, and key file to securely
+communicate with Consul over TLS.
+
+```hcl
+service_registration "consul" {
+  scheme        = "https"
+  tls_ca_file   = "/etc/pem/vault.ca"
+  tls_cert_file = "/etc/pem/vault.cert"
+  tls_key_file  = "/etc/pem/vault.key"
+}
+```
+
+[consul]: https://www.consul.io/ 'Consul by HashiCorp'
+[consul-acl]: https://www.consul.io/docs/guides/acl.html 'Consul ACLs'
+[consul-encryption]: https://www.consul.io/docs/agent/encryption.html 'Consul Encryption'
+[consul-translate-wan-addrs]: https://www.consul.io/docs/agent/options.html#translate_wan_addrs 'Consul Configuration'
diff --git a/website/pages/docs/configuration/service-registration/index.mdx b/website/pages/docs/configuration/service-registration/index.mdx
new file mode 100644
index 000000000000..5e2a38a5cfab
--- /dev/null
+++ b/website/pages/docs/configuration/service-registration/index.mdx
@@ -0,0 +1,66 @@
+---
+layout: docs
+page_title: Service Registration - Configuration
+sidebar_title: <code>service_registration</code>
+description: |-
+  The optional `service_registration` stanza configures Vault's mechanism for
+  service registration.
+---
+
+# `service_registration` Stanza
+
+The optional `service_registration` stanza configures Vault's mechanism for
+service registration. The `service_registration` stanza is designed for use cases
+where you would like to use a system like [Consul][consul] for [service
+discovery][consul-discovery], but use a different system for the [storage
+backend][storage-backend].
+
+When Consul is configured as the [storage backend][consul-backend], Vault
+implicitly uses Consul for service registration, so the `service_registration` stanza
+is not needed.
+
+For times when you would like to use a different storage backend, like
+[Raft][raft-backend], but still have service registration available, the
+`service_registration` stanza can be used:
+
+```hcl
+service_registration "consul" {
+  address = "127.0.0.1:8500"
+}
+storage "raft" {
+  path = "/path/to/raft/data"
+  node_id = "raft_node_1"
+}
+```
+
+For information about a specific service registration provider, choose one from
+the navigation on the left.
+
+## Configuration
+
+Service registration configuration is done through the Vault configuration file
+using the `service_registration` stanza:
+
+```hcl
+service_registration [NAME] {
+  [PARAMETERS...]
+}
+```
+
+For example:
+
+```hcl
+service_registration "consul" {
+  address = "127.0.0.1:8500"
+}
+```
+
+For configuration options which also read an environment variable, the
+environment variable will take precedence over values in the configuration
+file.
+
+[consul]: https://www.consul.io/
+[consul-discovery]: https://www.consul.io/discovery.html
+[storage-backend]: /docs/configuration/storage/index.html
+[consul-backend]: /docs/configuration/storage/consul.html
+[raft-backend]: /docs/configuration/storage/raft.html
diff --git a/website/pages/docs/configuration/storage/alicloudoss.mdx b/website/pages/docs/configuration/storage/alicloudoss.mdx
new file mode 100644
index 000000000000..980b6bd88e50
--- /dev/null
+++ b/website/pages/docs/configuration/storage/alicloudoss.mdx
@@ -0,0 +1,66 @@
+---
+layout: docs
+page_title: Alicloud OSS - Storage Backends - Configuration
+sidebar_title: AliCloud OSS
+description: |-
+  The Alicloud OSS storage backend is used to persist Vault's data in
+  an Alicloud OSS bucket.
+---
+
+# Alicloud OSS Storage Backend
+
+The Alicloud OSS storage backend is used to persist Vault's data in
+an [Alicloud OSS][alicloudoss] bucket.
+
+- **No High Availability** – the Alicloud OSS storage backend does not support
+  high availability.
+
+- **Community Supported** – the Alicloud OSS storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "alicloudoss" {
+  access_key = "abcd1234"
+  secret_key = "defg5678"
+  endpoint   = "oss-us-west-1.aliyuncs.com"
+  bucket     = "my-bucket"
+}
+```
+
+## `alicloudoss` Parameters
+
+- `bucket` `(string: <required>)` – Specifies the name of the OSS bucket. This
+  can also be provided via the environment variable `ALICLOUD_OSS_BUCKET`.
+
+- `endpoint` `(string: "")` – Specifies the OSS endpoint. This can also be
+  provided via the environment variable `ALICLOUD_OSS_ENDPOINT`.
+
+The following settings are used for authenticating to Alicloud.
+
+- `access_key` – Specifies the Alicloud access key. This can also be provided via
+  the environment variable `ALICLOUD_ACCESS_KEY`.
+
+- `secret_key` – Specifies the Alicloud secret key. This can also be provided via
+  the environment variable `ALICLOUD_SECRET_KEY`.
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests to Alicloud OSS.
+
+## `alicloudoss` Examples
+
+### Default Example
+
+This example shows using Alicloud OSS as a storage backend.
+
+```hcl
+storage "alicloudoss" {
+  access_key = "abcd1234"
+  secret_key = "defg5678"
+  endpoint   = "oss-us-west-1.aliyuncs.com"
+  bucket     = "my-bucket"
+}
+```
+
+[alicloudoss]: https://www.alibabacloud.com/product/oss
diff --git a/website/pages/docs/configuration/storage/azure.mdx b/website/pages/docs/configuration/storage/azure.mdx
new file mode 100644
index 000000000000..fb811d6b969e
--- /dev/null
+++ b/website/pages/docs/configuration/storage/azure.mdx
@@ -0,0 +1,76 @@
+---
+layout: docs
+page_title: Azure - Storage Backends - Configuration
+sidebar_title: Azure
+description: |-
+  The Azure storage backend is used to persist Vault's data in an Azure Storage
+  Container. The storage container must already exist and the provided account
+  credentials must have read and write  permissions to the storage container.
+---
+
+# Azure Storage Backend
+
+The Azure storage backend is used to persist Vault's data in an
+[Azure Storage Container][azure-storage]. The storage container must already
+exist and the provided account credentials must have read and write permissions
+to the storage container. The storage account type must support block blobs. This
+currently includes the general purpose "Storage V2" type with _Standard_ performance
+(Premium will not work), as well as Premium "Block Blob Storage"
+([limited region availability](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=storage&regions=all)).
+
+- **No High Availability** – the Azure storage backend does not support high
+  availability.
+
+- **Community Supported** – the Azure storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "azure" {
+  accountName = "my-storage-account"
+  accountKey  = "abcd1234"
+  container   = "container-efgh5678"
+  environment = "AzurePublicCloud"
+}
+```
+
+The current implementation is limited to a maximum of 4 megabytes per blob.
+
+## `azure` Parameters
+
+- `accountName` `(string: <required>)` – Specifies the Azure Storage account
+  name.
+
+- `accountKey` `(string: <required>)` – Specifies the Azure Storage account key.
+
+- `container` `(string: <required>)` – Specifies the Azure Storage Blob
+  container name.
+
+- `environment` `(string: "AzurePublicCloud")` - Specifies the cloud
+  environment the storage account belongs to by way of the case-insensitive
+  name defined in the [Azure Go SDK][azure-environment].
+
+- `arm_endpoint` `(string: "")` - Specifies the cloud environment
+  the storage account belongs to by way of the Azure Resource Manager endpoint
+  URL.
+
+- `max_parallel` `(string: "128")` – Specifies The maximum number of concurrent
+  requests to Azure.
+
+## `azure` Examples
+
+This example shows configuring the Azure storage backend with a custom number of
+maximum parallel connections.
+
+```hcl
+storage "azure" {
+  accountName  = "my-storage-account"
+  accountKey   = "abcd1234"
+  container    = "container-efgh5678"
+  max_parallel = 512
+}
+```
+
+[azure-storage]: https://azure.microsoft.com/en-us/services/storage/
+[azure-environment]: https://godoc.org/github.com/Azure/go-autorest/autorest/azure#pkg-variables
diff --git a/website/pages/docs/configuration/storage/cassandra.mdx b/website/pages/docs/configuration/storage/cassandra.mdx
new file mode 100644
index 000000000000..f009948a0870
--- /dev/null
+++ b/website/pages/docs/configuration/storage/cassandra.mdx
@@ -0,0 +1,94 @@
+---
+layout: docs
+page_title: Cassandra - Storage Backends - Configuration
+sidebar_title: Cassandra
+description: |-
+  The Cassandra storage backend is used to persist Vault's data in an Apache
+  Cassandra cluster.
+---
+
+# Cassandra Storage Backend
+
+The Cassandra storage backend is used to persist Vault's data in an [Apache
+Cassandra][cassandra] cluster.
+
+- **No High Availability** – the Cassandra storage backend does not support high
+  availability.
+
+- **Community Supported** – the Cassandra storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with it,
+  you may be referred to the original author.
+
+```hcl
+storage "cassandra" {
+  hosts            = "localhost"
+  consistency      = "LOCAL_QUORUM"
+  protocol_version = 3
+}
+```
+
+The Cassandra storage backend does not automatically create the keyspace and
+table. This sample configuration can be used as a guide, but you will want to
+ensure the keyspace [replication options][replication-options]
+are appropriate for your cluster:
+
+```cql
+CREATE KEYSPACE "vault" WITH REPLICATION = {
+    'class': 'SimpleStrategy',
+    'replication_factor': 1
+};
+
+CREATE TABLE "vault"."entries" (
+    bucket text,
+    key text,
+    value blob,
+    PRIMARY KEY (bucket, key)
+) WITH CLUSTERING ORDER BY (key ASC);
+```
+
+## `cassandra` Parameters
+
+- `hosts` `(string: "127.0.0.1")` – Comma-separated list of Cassandra hosts to
+  connect to.
+
+- `keyspace` `(string: "vault")` Cassandra keyspace to use.
+
+- `table` `(string: "entries")` – Table within the `keyspace` in which to store
+  data.
+
+- `consistency` `(string: "LOCAL_QUORUM")` Consistency level to use when
+  reading/writing data. If set, must be one of `"ANY"`, `"ONE"`, `"TWO"`,
+  `"THREE"`, `"QUORUM"`, `"ALL"`, `"LOCAL_QUORUM"`, `"EACH_QUORUM"`, or
+  `"LOCAL_ONE"`.
+
+- `protocol_version` `(int: 2)` Cassandra protocol version to use.
+
+- `username` `(string: "")` – Username to use when authenticating with the
+  Cassandra hosts.
+
+- `password` `(string: "")` – Password to use when authenticating with the
+  Cassandra hosts.
+
+- `connection_timeout` `(int: 0)` - A timeout in seconds to wait until a
+  connection is established with the Cassandra hosts.
+
+- `tls` `(int: 0)` – If `1`, indicates the connection with the Cassandra hosts
+  should use TLS.
+
+- `pem_bundle_file` `(string: "")` - Specifies a file containing a
+  certificate and private key; a certificate, private key, and issuing CA
+  certificate; or just a CA certificate.
+
+- `pem_json_file` `(string: "")` - Specifies a JSON file containing a certificate
+  and private key; a certificate, private key, and issuing CA certificate;
+  or just a CA certificate.
+
+- `tls_skip_verify` `(int: 0)` - If `1`, then TLS host verification
+  will be disabled for Cassandra. Defaults to `0`.
+
+- `tls_min_version` `(string: "tls12")` - Minimum TLS version to use. Accepted
+  values are `tls10`, `tls11` or `tls12`. Defaults to `tls12`.
+
+[cassandra]: http://cassandra.apache.org/
+[replication-options]: https://docs.datastax.com/en/cassandra/2.1/cassandra/architecture/architectureDataDistributeReplication_c.html
diff --git a/website/pages/docs/configuration/storage/cockroachdb.mdx b/website/pages/docs/configuration/storage/cockroachdb.mdx
new file mode 100644
index 000000000000..466dba8d9a67
--- /dev/null
+++ b/website/pages/docs/configuration/storage/cockroachdb.mdx
@@ -0,0 +1,68 @@
+---
+layout: docs
+page_title: CockroachDB - Storage Backends - Configuration
+sidebar_title: CockroachDB
+description: >-
+  The CockroachDB storage backend is used to persist Vault's data in a
+  CockroachDB
+
+  server or cluster.
+---
+
+# CockroachDB Storage Backend
+
+The CockroachDB storage backend is used to persist Vault's data in a
+[CockroachDB][cockroachdb] server or cluster.
+
+- **No High Availability** – the CockroachDB storage backend does not support
+  high availability.
+
+- **Community Supported** – the CockroachDB storage backend is supported by the
+  community. While it has undergone development and review by HashiCorp
+  employees, they may not be as knowledgeable about the technology.
+
+```hcl
+storage "cockroachdb" {
+  connection_url = "postgres://user123:secret123!@localhost:5432/vault"
+}
+```
+
+**Note** - CockroachDB is compatible with the PostgreSQL database driver and
+uses that driver to interact with the database.
+
+## `cockroachdb` Parameters
+
+- `connection_url` `(string: <required>)` – Specifies the connection string to
+  use to authenticate and connect to CockroachDB. A full list of supported
+  parameters can be found in [the pq library documentation][pglib]. For example
+  connection string URLs, see the examples section below.
+
+- `table` `(string: "vault_kv_store")` – Specifies the name of the table in
+  which to write Vault data. This table must already exist (Vault will not
+  attempt to create it).
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests to CockroachDB.
+
+## `cockroachdb` Examples
+
+This example shows connecting to a PostgreSQL cluster using full SSL
+verification (recommended).
+
+```hcl
+storage "cockroachdb" {
+  connection_url = "postgres://user:pass@localhost:5432/database?sslmode=verify-full"
+}
+```
+
+To disable SSL verification (not recommended), replace `verify-full` with
+`disable`:
+
+```hcl
+storage "cockroachdb" {
+  connection_url = "postgres://user:pass@localhost:5432/database?sslmode=disable"
+}
+```
+
+[cockroachdb]: https://www.cockroachlabs.com/
+[pglib]: https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
diff --git a/website/pages/docs/configuration/storage/consul.mdx b/website/pages/docs/configuration/storage/consul.mdx
new file mode 100644
index 000000000000..65686464ac10
--- /dev/null
+++ b/website/pages/docs/configuration/storage/consul.mdx
@@ -0,0 +1,278 @@
+---
+layout: docs
+page_title: Consul - Storage Backends - Configuration
+sidebar_title: Consul
+description: |-
+  The Consul storage backend is used to persist Vault's data in Consul's
+  key-value store. In addition to providing durable storage, inclusion of this
+  backend will also register Vault as a service in Consul with a default health
+  check.
+---
+
+# Consul Storage Backend
+
+The Consul storage backend is used to persist Vault's data in [Consul's][consul]
+key-value store. In addition to providing durable storage, inclusion of this
+backend will also register Vault as a service in Consul with a default health
+check.
+
+- **High Availability** – the Consul storage backend supports high availability.
+
+- **HashiCorp Supported** – the Consul storage backend is officially supported
+  by HashiCorp.
+
+```hcl
+storage "consul" {
+  address = "127.0.0.1:8500"
+  path    = "vault"
+}
+```
+
+Once properly configured, an unsealed Vault installation should be available and
+accessible at:
+
+```text
+active.vault.service.consul
+```
+
+Unsealed Vault instances in standby mode are available at:
+
+```text
+standby.vault.service.consul
+```
+
+All unsealed Vault instances are available as healthy at:
+
+```text
+vault.service.consul
+```
+
+Sealed Vault instances will mark themselves as unhealthy to avoid being returned
+at Consul's service discovery layer.
+
+Note that if you have configured multiple listeners for Vault, you must specify
+which one Consul should advertise to the cluster using [`api_addr`][api-addr]
+and [`cluster_addr`][cluster-addr] ([example][listener-example]).
+
+## `consul` Parameters
+
+- `address` `(string: "127.0.0.1:8500")` – Specifies the address of the Consul
+  agent to communicate with. This can be an IP address, DNS record, or unix
+  socket. It is recommended that you communicate with a local Consul agent; do
+  not communicate directly with a server.
+
+- `check_timeout` `(string: "5s")` – Specifies the check interval used to send
+  health check information back to Consul. This is specified using a label
+  suffix like `"30s"` or `"1h"`.
+
+- `consistency_mode` `(string: "default")` – Specifies the Consul
+  [consistency mode][consul-consistency]. Possible values are `"default"` or
+  `"strong"`.
+
+- `disable_registration` `(string: "false")` – Specifies whether Vault should
+  register itself with Consul.
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests to Consul.
+
+- `path` `(string: "vault/")` – Specifies the path in Consul's key-value store
+  where Vault data will be stored.
+
+- `scheme` `(string: "http")` – Specifies the scheme to use when communicating
+  with Consul. This can be set to "http" or "https". It is highly recommended
+  you communicate with Consul over https over non-local connections. When
+  communicating over a unix socket, this option is ignored.
+
+- `service` `(string: "vault")` – Specifies the name of the service to register
+  in Consul.
+
+- `service_tags` `(string: "")` – Specifies a comma-separated list of tags to
+  attach to the service registration in Consul.
+
+- `service_address` `(string: nil)` – Specifies a service-specific address to
+  set on the service registration in Consul. If unset, Vault will use what it
+  knows to be the HA redirect address - which is usually desirable. Setting
+  this parameter to `""` will tell Consul to leverage the configuration of the
+  node the service is registered on dynamically. This could be beneficial if
+  you intend to leverage Consul's
+  [`translate_wan_addrs`][consul-translate-wan-addrs] parameter.
+
+- `token` `(string: "")` – Specifies the [Consul ACL token][consul-acl] with
+  permission to read and write from the `path` in Consul's key-value store.
+  This is **not** a Vault token. This can also be provided via the environment
+  variable [`CONSUL_HTTP_TOKEN`][consul-token]. See the ACL section below for help.
+
+- `session_ttl` `(string: "15s")` - Specifies the minimum allowed [session
+  TTL][consul-session-ttl]. Consul server has a lower limit of 10s on the
+  session TTL by default. The value of `session_ttl` here cannot be lesser than
+  10s unless the `session_ttl_min` on the consul server's configuration has a
+  lesser value.
+
+- `lock_wait_time` `(string: "15s")` - Specifies the wait time before a lock
+  acquisition is made. This affects the minimum time it takes to cancel a
+  lock acquisition.
+
+The following settings apply when communicating with Consul via an encrypted
+connection. You can read more about encrypting Consul connections on the
+[Consul encryption page][consul-encryption].
+
+- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate used
+  for Consul communication. This defaults to system bundle if not specified.
+  This should be set according to the
+  [`ca_file`](https://www.consul.io/docs/agent/options.html#ca_file) setting in
+  Consul.
+
+- `tls_cert_file` `(string: "")` (optional) – Specifies the path to the
+  certificate for Consul communication. This should be set according to the
+  [`cert_file`](https://www.consul.io/docs/agent/options.html#cert_file) setting
+  in Consul.
+
+- `tls_key_file` `(string: "")` – Specifies the path to the private key for
+  Consul communication. This should be set according to the
+  [`key_file`](https://www.consul.io/docs/agent/options.html#key_file) setting
+  in Consul.
+
+- `tls_min_version` `(string: "tls12")` – Specifies the minimum TLS version to
+  use. Accepted values are `"tls10"`, `"tls11"` or `"tls12"`.
+
+- `tls_skip_verify` `(string: "false")` – Disable verification of TLS certificates.
+  Using this option is highly discouraged.
+
+## ACLs
+
+If using ACLs in Consul, you'll need appropriate permissions. For Consul 0.8,
+the following will work for most use-cases, assuming that your service name is
+`vault` and the prefix being used is `vault/`:
+
+```json
+{
+  "key": {
+    "vault/": {
+      "policy": "write"
+    }
+  },
+  "node": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "service": {
+    "vault": {
+      "policy": "write"
+    }
+  },
+  "agent": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "session": {
+    "": {
+      "policy": "write"
+    }
+  }
+}
+```
+
+For Consul 1.4+, the following example takes into account the changed ACL
+language:
+
+```json
+{
+  "key_prefix": {
+    "vault/": {
+      "policy": "write"
+    }
+  },
+  "node_prefix": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "service": {
+    "vault": {
+      "policy": "write"
+    }
+  },
+  "agent_prefix": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "session_prefix": {
+    "": {
+      "policy": "write"
+    }
+  }
+}
+```
+
+## `consul` Examples
+
+### Local Agent
+
+This example shows a sample physical backend configuration which communicates
+with a local Consul agent running on `127.0.0.1:8500`.
+
+```hcl
+storage "consul" {}
+```
+
+### Detailed Customization
+
+This example shows communicating with Consul on a custom address with an ACL
+token.
+
+```hcl
+storage "consul" {
+  address = "10.5.7.92:8194"
+  token   = "abcd1234"
+}
+```
+
+### Custom Storage Path
+
+This example shows storing data at a custom path in Consul's key-value store.
+This path must be readable and writable by the Consul ACL token, if Consul
+configured to use ACLs.
+
+```hcl
+storage "consul" {
+  path = "vault/"
+}
+```
+
+### Consul via Unix Socket
+
+This example shows communicating with Consul over a local unix socket.
+
+```hcl
+storage "consul" {
+  address = "unix:///tmp/.consul.http.sock"
+}
+```
+
+### Custom TLS
+
+This example shows using a custom CA, certificate, and key file to securely
+communicate with Consul over TLS.
+
+```hcl
+storage "consul" {
+  scheme        = "https"
+  tls_ca_file   = "/etc/pem/vault.ca"
+  tls_cert_file = "/etc/pem/vault.cert"
+  tls_key_file  = "/etc/pem/vault.key"
+}
+```
+
+[consul]: https://www.consul.io/ 'Consul by HashiCorp'
+[consul-acl]: https://www.consul.io/docs/guides/acl.html 'Consul ACLs'
+[consul-consistency]: https://www.consul.io/api/index.html#consistency-modes 'Consul Consistency Modes'
+[consul-encryption]: https://www.consul.io/docs/agent/encryption.html 'Consul Encryption'
+[consul-translate-wan-addrs]: https://www.consul.io/docs/agent/options.html#translate_wan_addrs 'Consul Configuration'
+[consul-token]: https://www.consul.io/docs/commands/acl/set-agent-token.html#token-lt-value-gt- 'Consul Token'
+[consul-session-ttl]: https://www.consul.io/docs/agent/options.html#session_ttl_min 'Consul Configuration'
+[api-addr]: /docs/configuration/index.html#api_addr
+[cluster-addr]: /docs/configuration/index.html#cluster_addr
+[listener-example]: /docs/configuration/listener/tcp.html#listening-on-multiple-interfaces
diff --git a/website/pages/docs/configuration/storage/couchdb.mdx b/website/pages/docs/configuration/storage/couchdb.mdx
new file mode 100644
index 000000000000..1e3c3923724f
--- /dev/null
+++ b/website/pages/docs/configuration/storage/couchdb.mdx
@@ -0,0 +1,45 @@
+---
+layout: docs
+page_title: CouchDB - Storage Backends - Configuration
+sidebar_title: CouchDB
+description: |-
+  The CouchDB storage backend is used to persist Vault's data in a CouchDB
+  database.
+---
+
+# CouchDB Storage Backend
+
+The CouchDB storage backend is used to persist Vault's data in
+[CouchDB][couchdb] table.
+
+- **No High Availability** – the CouchDB backend does not support high
+  availability.
+
+- **Community Supported** – the CouchDB storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "couchdb" {
+  endpoint = "https://my-couchdb-dns.tld:5984/my-database"
+  username = "admin"
+  password = "admin"
+}
+```
+
+## `couchdb` Parameters
+
+- `endpoint` `(string: "")` – Specifies your CouchDB endpoint. This can also be
+  provided via the environment variable `COUCHDB_ENDPOINT`.
+
+- `username` `(string: "")` – Specifies the user to authenticate as. This can
+  also be provided via the environment variable `COUCHDB_USERNAME`.
+
+- `password` `(string: "")` – Specifies the user to authenticate as. This can
+  also be provided via the environment variable `COUCHDB_PASSWORD`.
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests to CouchDB.
+
+[couchdb]: http://couchdb.apache.org/
diff --git a/website/pages/docs/configuration/storage/dynamodb.mdx b/website/pages/docs/configuration/storage/dynamodb.mdx
new file mode 100644
index 000000000000..733cf74bd0bf
--- /dev/null
+++ b/website/pages/docs/configuration/storage/dynamodb.mdx
@@ -0,0 +1,187 @@
+---
+layout: docs
+page_title: DynamoDB - Storage Backends - Configuration
+sidebar_title: DynamoDB
+description: |-
+  The DynamoDB storage backend is used to persist Vault's data in DynamoDB
+  table.
+---
+
+# DynamoDB Storage Backend
+
+The DynamoDB storage backend is used to persist Vault's data in
+[DynamoDB][dynamodb] table.
+
+- **High Availability** – the DynamoDB storage backend supports high
+  availability. Because DynamoDB uses the time on the Vault node to implement
+  the session lifetimes on its locks, significant clock skew across Vault nodes
+  could cause contention issues on the lock.
+
+- **Community Supported** – the DynamoDB storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with this
+  storage backend, you could be referred to the original author for support.
+
+```hcl
+storage "dynamodb" {
+  ha_enabled = "true"
+  region     = "us-west-2"
+  table      = "vault-data"
+}
+```
+
+For more information about the read/write capacity of DynamoDB tables, please
+see the [official AWS DynamoDB documentation][dynamodb-rw-capacity].
+
+## DynamoDB Parameters
+
+- `endpoint` `(string: "")` – Specifies an alternative, AWS compatible, DynamoDB
+  endpoint. This can also be provided via the environment variable
+  `AWS_DYNAMODB_ENDPOINT`.
+
+- `ha_enabled` `(string: "false")` – Specifies whether this backend should be used
+  to run Vault in high availability mode. Valid values are "true" or "false". This
+  can also be provided via the environment variable `DYNAMODB_HA_ENABLED`.
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests.
+
+- `region` `(string "us-east-1")` – Specifies the AWS region. This can also be
+  provided via the environment variable `AWS_DEFAULT_REGION`.
+
+- `read_capacity` `(int: 5)` – Specifies the maximum number of reads consumed
+  per second on the table, for use if Vault creates the DynamoDB table. This has
+  no effect if the `table` already exists. This can also be provided via the
+  environment variable `AWS_DYNAMODB_READ_CAPACITY`.
+
+- `table` `(string: "vault-dynamodb-backend")` – Specifies the name of the
+  DynamoDB table in which to store Vault data. If the specified table does not
+  yet exist, it will be created during initialization. This can also be
+  provided via the environment variable `AWS_DYNAMODB_TABLE`. See the
+  information on the table schema below.
+
+- `write_capacity` `(int: 5)` – Specifies the maximum number of writes performed
+  per second on the table, for use if Vault creates the DynamoDB table. This value
+  has no effect if the `table` already exists. This can also be provided via the
+  environment variable `AWS_DYNAMODB_WRITE_CAPACITY`.
+
+The following settings are used for authenticating to AWS. If you are
+running your Vault server on an EC2 instance, you can also make use of the EC2
+instance profile service to provide the credentials Vault will use to make
+DynamoDB API calls. Leaving the `access_key` and `secret_key` fields empty will
+cause Vault to attempt to retrieve credentials from the AWS metadata service.
+
+- `access_key` `(string: <required>)` – Specifies the AWS access key. This can
+  also be provided via the environment variable `AWS_ACCESS_KEY_ID`.
+
+- `secret_key` `(string: <required>)` – Specifies the AWS secret key. This can
+  also be provided via the environment variable `AWS_SECRET_ACCESS_KEY`.
+
+- `session_token` `(string: "")` – Specifies the AWS session token. This can
+  also be provided via the environment variable `AWS_SESSION_TOKEN`.
+
+## Required AWS Permissions
+
+The governing policy for the IAM user or EC2 instance profile that Vault uses
+to access DynamoDB must contain the following permissions for Vault to perform
+the required operations on the DynamoDB table:
+
+```javascript
+  "Statement": [
+    {
+      "Action": [
+        "dynamodb:DescribeLimits",
+        "dynamodb:DescribeTimeToLive",
+        "dynamodb:ListTagsOfResource",
+        "dynamodb:DescribeReservedCapacityOfferings",
+        "dynamodb:DescribeReservedCapacity",
+        "dynamodb:ListTables",
+        "dynamodb:BatchGetItem",
+        "dynamodb:BatchWriteItem",
+        "dynamodb:CreateTable",
+        "dynamodb:DeleteItem",
+        "dynamodb:GetItem",
+        "dynamodb:GetRecords",
+        "dynamodb:PutItem",
+        "dynamodb:Query",
+        "dynamodb:UpdateItem",
+        "dynamodb:Scan",
+        "dynamodb:DescribeTable"
+      ],
+      "Effect": "Allow",
+      "Resource": [ "arn:aws:dynamodb:us-east-1:... dynamodb table ARN" ]
+    },
+```
+
+## Table Schema
+
+If you are going to create the DynamoDB table prior to the execution and
+initialization of Vault, you will need to create a table with these attributes:
+
+- Primary partition key: "Path", a string
+- Primary sort key: "Key", a string
+
+You might create the table via Terraform, with a configuration similar to this:
+
+```
+resource "aws_dynamodb_table" "dynamodb-table" {
+  name           = "${var.dynamoTable}"
+  read_capacity  = 1
+  write_capacity = 1
+	hash_key       = "Path"
+	range_key      = "Key"
+	attribute      = [
+		{
+			name = "Path"
+			type = "S"
+		},
+		{
+			name = "Key"
+			type = "S"
+		}
+	]
+  tags {
+    Name        = "vault-dynamodb-table"
+    Environment = "prod"
+  }
+}
+```
+
+If a table with the configured name already exists, Vault will not modify it -
+and the Vault configuration values of `read_capacity` and `write_capacity` have
+no effect.
+
+If the table does not already exist, Vault will try to create it, with read and
+write capacities set to the values of `read_capacity` and `write_capacity`
+respectively.
+
+## DynamoDB Examples of Vault Configuration
+
+### Custom Table and Read-Write Capacity
+
+This example shows using a custom table name and read/write capacity.
+
+```hcl
+storage "dynamodb" {
+  table = "my-vault-data"
+
+  read_capacity  = 10
+  write_capacity = 15
+}
+```
+
+### Enabling High Availability
+
+This example shows enabling high availability for the DynamoDB storage backend.
+
+```hcl
+api_addr = "https://vault-leader.my-company.internal"
+
+storage "dynamodb" {
+  ha_enabled    = "true"
+  ...
+}
+```
+
+[dynamodb]: https://aws.amazon.com/dynamodb/
+[dynamodb-rw-capacity]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.html#ProvisionedThroughput
diff --git a/website/pages/docs/configuration/storage/etcd.mdx b/website/pages/docs/configuration/storage/etcd.mdx
new file mode 100644
index 000000000000..0db60ecc4d04
--- /dev/null
+++ b/website/pages/docs/configuration/storage/etcd.mdx
@@ -0,0 +1,137 @@
+---
+layout: docs
+page_title: Etcd - Storage Backends - Configuration
+sidebar_title: Etcd
+description: |-
+  The Etcd storage backend is used to persist Vault's data in Etcd. It supports
+  both the v2 and v3 Etcd APIs, and the version is automatically detected based
+  on the version of the Etcd cluster.
+---
+
+# Etcd Storage Backend
+
+The Etcd storage backend is used to persist Vault's data in [Etcd][etcd]. It
+supports both the v2 and v3 Etcd APIs, and the version is automatically detected
+based on the version of the Etcd cluster.
+
+- **High Availability** – the Etcd storage backend supports high availability.
+  The v2 API has known issues with HA support and should not be used in HA
+  scenarios.
+
+- **Community Supported** – the Etcd storage backend is supported by CoreOS.
+  While it has undergone review by HashiCorp employees, they may not be as
+  knowledgeable about the technology. If you encounter problems with them, you
+  may be referred to the original author.
+
+```hcl
+storage "etcd" {
+  address  = "http://localhost:2379"
+  etcd_api = "v3"
+}
+```
+
+## `etcd` Parameters
+
+- `address` `(string: "http://localhost:2379")` – Specifies the addresses of the
+  Etcd instances as a comma-separated list. This can also be provided via the
+  environment variable `ETCD_ADDR`.
+
+- `discovery_srv` `(string: "example.com")` - Specifies the domain name to
+  query for SRV records describing cluster endpoints. This can also be provided
+  via the environment variable `ETCD_DISCOVERY_SRV`.
+
+- `discovery_srv_name` `(string: "vault")` - Specifies the service name to use
+  when querying for SRV records describing cluster endpoints. This can also be
+  provided via the environment variable `ETCD_DISCOVERY_SRV_NAME`.
+
+- `etcd_api` `(string: "<varies>")` – Specifies the version of the API to
+  communicate with. By default, this is derived automatically. If the cluster
+  version is 3.1+ and there has been no data written using the v2 API, the
+  auto-detected default is v3.
+
+- `ha_enabled` `(string: "false")` – Specifies if high availability should be
+  enabled. This can also be provided via the environment variable
+  `ETCD_HA_ENABLED`.
+
+- `path` `(string: "/vault/")` – Specifies the path in Etcd where Vault data will
+  be stored.
+
+- `sync` `(string: "true")` – Specifies whether to sync the list of available
+  Etcd services on startup. This is a string that is coerced into a boolean
+  value. You may want to set this to false if your cluster is behind a proxy
+  server and syncing causes Vault to fail.
+
+- `username` `(string: "")` – Specifies the username to use when authenticating
+  with the Etcd server. This can also be provided via the environment variable
+  `ETCD_USERNAME`.
+
+- `password` `(string: "")` – Specifies the password to use when authenticating
+  with the Etcd server. This can also be provided via the environment variable
+  `ETCD_PASSWORD`.
+
+- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate used
+  for Etcd communication. This defaults to system bundle if not specified.
+
+- `tls_cert_file` `(string: "")` – Specifies the path to the certificate for
+  Etcd communication.
+
+- `tls_key_file` `(string: "")` – Specifies the path to the private key for Etcd
+  communication.
+
+- `request_timeout` `(string: "5s")` – Specifies timeout for requests
+  to etcd. 5 seconds should be long enough for most cases, even with internal
+  retry.
+
+- `lock_timeout` `(string: "15s")` – Specifies lock timeout for master
+  Vault instance. Set bigger value if you don't need faster recovery.
+
+## `etcd` Examples
+
+### DNS Discovery of cluster members
+
+This example configures vault to discover the Etcd cluster members via SRV
+records as outlined in the
+[DNS Discovery protocol documentation][dns discovery].
+
+```hcl
+storage "etcd" {
+  discovery_srv = "example.com"
+}
+```
+
+### Custom Authentication
+
+This example shows connecting to the Etcd cluster using a username and password.
+
+```hcl
+storage "etcd" {
+  username = "user1234"
+  password = "pass5678"
+}
+```
+
+### Custom Path
+
+This example shows storing data in a custom path.
+
+```hcl
+storage "etcd" {
+  path = "my-vault-data/"
+}
+```
+
+### Enabling High Availability
+
+This example shows enabling high availability for the Etcd storage backend.
+
+```hcl
+api_addr = "https://vault-leader.my-company.internal"
+
+storage "etcd" {
+  ha_enabled    = "true"
+  ...
+}
+```
+
+[etcd]: https://coreos.com/etcd 'Etcd by CoreOS'
+[dns discovery]: https://coreos.com/etcd/docs/latest/op-guide/clustering.html#dns-discovery 'Etcd cluster DNS Discovery'
diff --git a/website/pages/docs/configuration/storage/filesystem.mdx b/website/pages/docs/configuration/storage/filesystem.mdx
new file mode 100644
index 000000000000..3ebb6f55567f
--- /dev/null
+++ b/website/pages/docs/configuration/storage/filesystem.mdx
@@ -0,0 +1,47 @@
+---
+layout: docs
+page_title: Filesystem - Storage Backends - Configuration
+sidebar_title: Filesystem
+description: |-
+  The Filesystem storage backend stores Vault's data on the filesystem using a
+  standard directory structure. It can be used for durable single server
+  situations, or to develop locally where durability is not critical.
+---
+
+# Filesystem Storage Backend
+
+The Filesystem storage backend stores Vault's data on the filesystem using a
+standard directory structure. It can be used for durable single server
+situations, or to develop locally where durability is not critical.
+
+- **No High Availability** – the Filesystem backend does not support high
+  availability.
+
+- **HashiCorp Supported** – the Filesystem backend is officially supported by
+  HashiCorp.
+
+```hcl
+storage "file" {
+  path = "/mnt/vault/data"
+}
+```
+
+Even though Vault's data is encrypted at rest, you should still take appropriate
+measures to secure access to the filesystem.
+
+## `file` Parameters
+
+- `path` `(string: <required>)` – The absolute path on disk to the directory
+  where the data will be stored. If the directory does not exist, Vault will
+  create it.
+
+## `file` Examples
+
+This example shows the Filesystem storage backend being mounted at
+`/mnt/vault/data`.
+
+```hcl
+storage "file" {
+  path = "/mnt/vault/data"
+}
+```
diff --git a/website/pages/docs/configuration/storage/foundationdb.mdx b/website/pages/docs/configuration/storage/foundationdb.mdx
new file mode 100644
index 000000000000..60caec063469
--- /dev/null
+++ b/website/pages/docs/configuration/storage/foundationdb.mdx
@@ -0,0 +1,164 @@
+---
+layout: docs
+page_title: FoundationDB - Storage Backends - Configuration
+sidebar_title: FoundationDB
+description: |-
+  The FoundationDB storage backend is used to persist Vault's data in the
+  FoundationDB KV store.
+---
+
+# FoundationDB Storage Backend
+
+The FoundationDB storage backend is used to persist Vault's data in
+[FoundationDB][foundationdb].
+
+The backend needs to be explicitly enabled at build time, and is not available
+in the standard Vault binary distribution. Please refer to the documentation
+accompanying the backend's source in the Vault source tree.
+
+- **High Availability** – the FoundationDB storage backend supports high
+  availability. The HA implementation relies on the clocks of the Vault
+  nodes inside the cluster being properly synchronized; clock skews are
+  susceptible to cause contention on the locks.
+
+- **Community Supported** – the FoundationDB storage backend is supported
+  by the community. While it has undergone review by HashiCorp employees,
+  they may not be as knowledgeable about the technology. If you encounter
+  problems with them, you may be referred to the original author.
+
+```hcl
+storage "foundationdb" {
+  api_version      = 520
+  cluster_file     = "/path/to/fdb.cluster"
+
+  tls_verify_peers = "I.CN=MyTrustedIssuer,I.O=MyCompany\, Inc.,I.OU=Certification Authority"
+  tls_ca_file      = "/path/to/ca_bundle.pem"
+  tls_cert_file    = "/path/to/cert.pem"
+  tls_key_file     = "/path/to/key.pem"
+  tls_password     = "PrivateKeyPassword"
+
+  path             = "vault-top-level-directory"
+  ha_enabled       = "true"
+}
+```
+
+## `foundationdb` Parameters
+
+- `api_version` `(int)` - The FoundationDB API version to use; this is a
+  required parameter and doesn't have a default value. The minimum required API
+  version is 520.
+
+- `cluster_file` `(string)` - The path to the cluster file containing the
+  connection data for the target cluster; this is a required parameter and
+  doesn't have a default value.
+
+- `tls_verify_peers` `(string)` - The peer certificate verification criteria;
+  this parameter is mandatory if TLS is enabled. Refer to the [FoundationDB TLS][fdb-tls] documentation.
+
+- `tls_ca_file` `(string)` - The path to the CA certificate bundle file; this
+  parameter is mandatory if TLS is enabled.
+
+- `tls_cert_file` `(string)` - The path to the certificate file; specifying this
+  parameter together with `tls_key_file` will enable TLS support.
+
+- `tls_key_file` `(string)` - The path to the key file; specifying this
+  parameter together with `tls_cert_file` will enable TLS support.
+
+- `tls_password` `(string)` - The password needed to decrypt `tls_key_file`, if
+  it is encrypted; optional. This can also be specified via the
+  `FDB_TLS_PASSWORD` environment variable.
+
+- `path` `(string: "vault")` - The path of the top-level FoundationDB directory
+  (using the directory layer) under which the Vault data will reside.
+
+- `ha_enabled` `(string: "false")` - Whether or not to enable Vault
+  high-availability mode using the FoundationDB backend.
+
+## `foundationdb` tips
+
+### Cluster file
+
+The FoundationDB client expects to be able to update the cluster file at
+runtime, to keep it current with changes happening to the cluster.
+
+It does so by first writing a new cluster file alongside the current one,
+then atomically renaming it into place.
+
+This means the cluster file and the directory it resides in must be writable
+by the user Vault is running as. You probably want to isolate the cluster
+file into its own directory.
+
+### Multi-version client
+
+The FoundationDB client library version is tightly coupled to the server
+version; during cluster upgrades, multiple server versions will be running
+in the cluster, and the client must cope with that situation.
+
+This is handled by the (primary) client library having the ability to load
+a different, later version of the client library to connect to a particular
+server; it is referred to as the [multi-version client][multi-ver-client]
+feature.
+
+#### Client setup with `LD_LIBRARY_PATH`
+
+If you do not use mlock, you can use `LD_LIBRARY_PATH` to point the linker at
+the location of the primary client library.
+
+```
+$ export LD_LIBRARY_PATH=/dest/dir/for/primary:$LD_LIBRARY_PATH
+$ export FDB_NETWORK_OPTION_EXTERNAL_CLIENT_DIRECTORY=/dest/dir/for/secondary
+$ /path/to/bin/vault ...
+```
+
+#### Client setup with `RPATH`
+
+When running Vault with mlock, the Vault binary must have capabilities set to
+allow the use of mlock.
+
+```
+# setcap cap_ipc_lock=+ep /path/to/bin/vault
+$ getcap /path/to/bin/vault
+/path/to/bin/vault = cap_ipc_lock+ep
+```
+
+The presence of the capabilities will cause the linker to ignore
+`LD_LIBRARY_PATH`, for security reasons.
+
+In that case, we have to set an `RPATH` on the Vault binary at build time
+to replace the use of `LD_LIBRARY_PATH`.
+
+When building Vault, pass the `-r /dest/dir/for/primary` option to the Go
+linker, for instance:
+
+```
+$ make dev FDB_ENABLED=1 LD_FLAGS="-r /dest/dir/for/primary "
+```
+
+(Note the trailing space in the variable value above).
+
+You can verify `RPATH` is set on the Vault binary using `readelf`:
+
+```
+$ readelf -d /path/to/bin/vault | grep RPATH
+ 0x000000000000000f (RPATH)              Library rpath: [/dest/dir/for/primary]
+```
+
+With the client libraries installed:
+
+```
+$ ldd /path/to/bin/vault
+...
+    libfdb_c.so => /dest/dir/for/primary/libfdb_c.so (0x00007f270ad05000)
+...
+```
+
+Now run Vault:
+
+```
+$ export FDB_NETWORK_OPTION_EXTERNAL_CLIENT_DIRECTORY=/dest/dir/for/secondary
+$ /path/to/bin/vault ...
+```
+
+[foundationdb]: https://www.foundationdb.org
+[fdb-tls]: https://apple.github.io/foundationdb/tls.html
+[multi-ver-client]: https://apple.github.io/foundationdb/api-general.html#multi-version-client-api
diff --git a/website/pages/docs/configuration/storage/google-cloud-spanner.mdx b/website/pages/docs/configuration/storage/google-cloud-spanner.mdx
new file mode 100644
index 000000000000..066dd6d9c42a
--- /dev/null
+++ b/website/pages/docs/configuration/storage/google-cloud-spanner.mdx
@@ -0,0 +1,147 @@
+---
+layout: docs
+page_title: Google Cloud Spanner - Storage Backends - Configuration
+sidebar_title: Google Cloud Spanner
+description: |-
+  The Google Cloud Spanner storage backend is used to persist Vault's data in
+  Spanner, a fully managed, mission-critical, relational database service that
+  offers transactional consistency at global scale.
+---
+
+# Google Cloud Spanner Storage Backend
+
+The Google Cloud Spanner storage backend is used to persist Vault's data in
+[Spanner][spanner-docs], a fully managed, mission-critical, relational database
+service that offers transactional consistency at global scale, schemas, SQL, and
+automatic, synchronous replication for high availability.
+
+- **High Availability** – the Google Cloud Spanner storage backend supports high
+  availability. Because the Google Cloud Spanner storage backend uses the system
+  time on the Vault node to acquire sessions, clock skew across Vault servers
+  can cause lock contention.
+
+- **Community Supported** – the Google Cloud Spanner storage backend is
+  supported by the community. While it has undergone review by HashiCorp
+  employees, they may not be as knowledgeable about the technology. If you
+  encounter problems with them, you may be referred to the original author.
+
+```hcl
+storage "spanner" {
+  database = "projects/my-project/instances/my-instance/databases/my-database"
+}
+```
+
+For more information on schemas or Google Cloud Spanner, please see the [Google
+Cloud Spanner documentation][spanner-docs].
+
+## `spanner` Setup
+
+To use the Google Cloud Spanner Vault storage backend, you must have a Google
+Cloud Platform account. Either using the API or web interface, create a database
+and the following tables:
+
+-> You can choose "Edit as text" and copy-paste the following as the schema.
+These are the default table names. If you choose to use different table names,
+you will need to update the configuration accordingly.
+
+```sql
+CREATE TABLE Vault (
+  Key       STRING(MAX) NOT NULL,
+  Value     BYTES(MAX),
+) PRIMARY KEY (Key);
+
+CREATE TABLE VaultHA (
+  Key           STRING(MAX) NOT NULL,
+  Value         STRING(MAX),
+  Identity      STRING(36) NOT NULL,
+  Timestamp     TIMESTAMP NOT NULL,
+) PRIMARY KEY (Key);
+```
+
+The Google Cloud Spanner storage backend does not support creating the table
+automatically at this time, but this could be a future enhancement. For more
+information on schemas or Google Cloud Spanner, please see the [Google Cloud
+Spanner documentation][spanner-docs].
+
+## `spanner` Authentication
+
+The Google Cloud Spanner Vault storage backend uses the official Google Cloud
+Golang SDK. This means it supports the common ways of [providing credentials to
+Google Cloud][cloud-creds].
+
+1. The environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
+   as the **path** to a Google Cloud credentials file, typically for a service
+   account. If this environment variable is present, the resulting credentials are
+   used. If the credentials are invalid, an error is returned.
+
+1. Default instance credentials. When no environment variable is present, the
+   default service account credentials are used.
+
+For more information on service accounts, please see the [Google Cloud Service
+Accounts documentation][service-accounts].
+
+To use this storage backend, the service account must have the following
+minimum scope(s):
+
+```text
+https://www.googleapis.com/auth/google-cloud-spanner.data
+```
+
+## `spanner` Parameters
+
+- `database` `(string: <required>)` – Specifies the name of the database. Note
+  that this is specified as a "path" including the project ID and instance, for
+  example:
+
+  ```text
+  projects/my-project/instances/my-instance/databases/my-database
+  ```
+
+- `table` `(string: "Vault")` - Specifies the name of the table where
+  data will be stored and retrieved.
+
+- `max_parallel` `(int: 128)` - Specifies the maximum number of parallel
+  operations to take place.
+
+### High Availability Parameters
+
+- `ha_enabled` `(string: "false")` - Specifies if high availability mode is
+  enabled. This is a boolean value, but it is specified as a string like "true"
+  or "false".
+
+- `ha_table` `(string: "VaultHA")` - Specifies the name of the table to use for
+  storing high availability information. By default, this is the name of the
+  `table` suffixed with "HA".
+
+## `spanner` Examples
+
+### High Availability
+
+This example shows configuring Google Cloud Spanner with high availability
+enabled.
+
+```hcl
+api_addr = "https://vault-leader.my-company.internal"
+
+storage "spanner" {
+  database   = "projects/demo/instances/abc123/databases/vault-data"
+  ha_enabled = "true"
+}
+```
+
+### Custom Tables
+
+This example shows listing custom table names for data and HA with the Google
+Cloud Spanner Vault storage backend.
+
+```hcl
+storage "spanner" {
+  database = "projects/demo/instances/abc123/databases/vault-data"
+  table    = "VaultData"
+  ha_table = "VaultLeader"
+}
+```
+
+[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
+[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
+[spanner-docs]: https://cloud.google.com/spanner/docs/
diff --git a/website/pages/docs/configuration/storage/google-cloud-storage.mdx b/website/pages/docs/configuration/storage/google-cloud-storage.mdx
new file mode 100644
index 000000000000..a96ad9bf32a3
--- /dev/null
+++ b/website/pages/docs/configuration/storage/google-cloud-storage.mdx
@@ -0,0 +1,151 @@
+---
+layout: docs
+page_title: Google Cloud Storage - Storage Backends - Configuration
+sidebar_title: Google Cloud Storage
+description: |-
+  The Google Cloud Storage storage backend is used to persist Vault's data in
+  Google Cloud Storage.
+---
+
+# Google Cloud Storage Storage Backend
+
+The Google Cloud Storage storage backend is used to persist Vault's data in
+[Google Cloud Storage][gcs-docs].
+
+- **High Availability** – the Google Cloud Storage storage backend supports high
+  availability. Because the Google Cloud Storage storage backend uses the system
+  time on the Vault node to acquire sessions, clock skew across Vault servers
+  can cause lock contention.
+
+- **Community Supported** – the Google Cloud Storage storage backend is
+  supported by the community. While it has undergone review by HashiCorp
+  employees, they may not be as knowledgeable about the technology. If you
+  encounter problems with them, you may be referred to the original author.
+
+```hcl
+storage "gcs" {
+  bucket = "my-storage-bucket"
+}
+```
+
+For more information on schemas or Google Cloud Storage, please see the [Google
+Cloud Storage documentation][gcs-docs].
+
+## `gcs` Setup
+
+To use the Google Cloud Storage Vault storage backend, you must have a Google
+Cloud Platform account with permissions to create Google Cloud Storage buckets.
+
+To use the Google Cloud Storage Vault storage backend, you must have a Google
+Cloud Platform account. Either using the API or web interface, create a bucket
+using the [`gsutil`][cloud-sdk] command. Bucket names must be globally unique
+across all of Google Cloud, so choose a unique name:
+
+```sh
+$ gsutil mb gs://mycompany-vault-data
+```
+
+Even though the data is encrypted in transit and at rest, be sure to set the
+appropriate permissions on the bucket to limit exposure. You may want to create
+a service account that limits Vault's interactions with Google Cloud to objects
+in the storage bucket using IAM permissions.
+
+Here is a sample [Google Cloud IAM][iam] policy that grants the proper
+permissions to a [service account][service-accounts]. Be sure to replace the
+value with the value for your service account.
+
+```json
+{
+  "bindings": [
+    {
+      "role": "roles/storage.objectAdmin",
+      "members": ["serviceAccount:my-vault@gserviceaccount.com"]
+    }
+  ]
+}
+```
+
+Then give Vault the service account's credential file as a configuration option.
+
+For more information on schemas or Google Cloud Storage, please see the [Google
+Cloud Storage documentation][gcs-docs].
+
+## `gcs` Authentication
+
+The Google Cloud Storage Vault storage backend uses the official Google Cloud
+Golang SDK. This means it supports the common ways of [providing credentials to
+Google Cloud][cloud-creds].
+
+1. The environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
+   as the **path** to a Google Cloud credentials file, typically for a service
+   account. If this environment variable is present, the resulting credentials are
+   used. If the credentials are invalid, an error is returned.
+
+1. Default instance credentials. When no environment variable is present, the
+   default service account credentials are used.
+
+For more information on service accounts, please see the [Google Cloud Service
+Accounts documentation][service-accounts].
+
+To use this storage backend, the service account must have the following
+minimum scope(s):
+
+```text
+https://www.googleapis.com/auth/devstorage.read_write
+```
+
+## `gcs` Parameters
+
+- `bucket` `(string: <required>)` – Specifies the name of the bucket to use for
+  storage.
+
+- `chunk_size` `(string: "8192")` – Specifies the maximum size (in kilobytes) to
+  send in a single request. If set to 0, it will attempt to send the whole
+  object at once, but will not retry any failures. If you are not storing large
+  objects in Vault, it is recommended to set this to a low value (minimum is
+
+  256. since it will reduce the amount of memory Vault uses.
+
+- `max_parallel` `(int: 128)` - Specifies the maximum number of parallel
+  operations to take place.
+
+### High Availability Parameters
+
+- `ha_enabled` `(string: "false")` - Specifies if high availability mode is
+  enabled. This is a boolean value, but it is specified as a string like "true"
+  or "false".
+
+## `gcs` Examples
+
+### High Availability
+
+This example shows configuring Google Cloud Storage with high availability
+enabled.
+
+```hcl
+api_addr = "https://vault-leader.my-company.internal"
+
+storage "gcs" {
+  bucket        = "mycompany-vault-data"
+  ha_enabled    = "true"
+}
+```
+
+### Custom Chunk Size
+
+This example shows setting a custom chunk size for uploads. When uploading large
+data to Vault, setting a lower number can reduce Vault's memory consumption, but
+will increase the number of outbound requests.
+
+```hcl
+storage "gcs" {
+  bucket     = "mycompany-vault-data"
+  chunk_size = "512"
+}
+```
+
+[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
+[cloud-sdk]: https://cloud.google.com/sdk/downloads
+[gcs-docs]: https://cloud.google.com/storage/docs/
+[iam]: https://cloud.google.com/iam/docs/
+[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
diff --git a/website/pages/docs/configuration/storage/in-memory.mdx b/website/pages/docs/configuration/storage/in-memory.mdx
new file mode 100644
index 000000000000..c54ac2a4e9c4
--- /dev/null
+++ b/website/pages/docs/configuration/storage/in-memory.mdx
@@ -0,0 +1,43 @@
+---
+layout: docs
+page_title: In-Memory - Storage Backends - Configuration
+sidebar_title: In-Memory
+description: |-
+  The In-Memory storage backend is used to persist Vault's data entirely
+  in-memory on the same machine in which Vault is running. This is useful for
+  development and experimentation, but use of this backend is highly discouraged
+  in production except in very specific use-cases.
+---
+
+# In-Memory Storage Backend
+
+The In-Memory storage backend is used to persist Vault's data entirely in-memory
+on the same machine in which Vault is running. This is useful for development
+and experimentation, but use of this backend is **highly discouraged in
+production**. All data is lost when Vault or the machine on which it is running
+is restarted.
+
+- **No High Availability** – the In-Memory backend does not support high
+  availability.
+
+- **Not Production Recommended** – the In-Memory backend is not recommended for
+  production installations as data does not persist beyond restarts.
+
+- **HashiCorp Supported** – the In-Memory backend is officially supported by
+  HashiCorp.
+
+```hcl
+storage "inmem" {}
+```
+
+## `inmem` Parameters
+
+The In-Memory storage backend has no configuration parameters.
+
+## `inmem` Examples
+
+This example shows activating the In-Memory storage backend.
+
+```hcl
+storage "inmem" {}
+```
diff --git a/website/pages/docs/configuration/storage/index.mdx b/website/pages/docs/configuration/storage/index.mdx
new file mode 100644
index 000000000000..541cb6653b77
--- /dev/null
+++ b/website/pages/docs/configuration/storage/index.mdx
@@ -0,0 +1,43 @@
+---
+layout: docs
+page_title: Storage Backends - Configuration
+sidebar_title: <code>storage</code>
+description: |-
+  The storage stanza configures the storage backend, which represents the
+  location for the durable storage of Vault's information. Each backend has
+  pros, cons, advantages, and trade-offs. For example, some backends support
+  high availability while others provide a more robust backup and restoration
+  process.
+---
+
+# `storage` Stanza
+
+The `storage` stanza configures the storage backend, which represents the
+location for the durable storage of Vault's information. Each backend has pros,
+cons, advantages, and trade-offs. For example, some backends support high
+availability while others provide a more robust backup and restoration process.
+For information about a specific backend, choose one from the navigation on the
+left.
+
+## Configuration
+
+Storage backend configuration is done through the Vault configuration file using
+the `storage` stanza:
+
+```hcl
+storage [NAME] {
+  [PARAMETERS...]
+}
+```
+
+For example:
+
+```hcl
+storage "file" {
+  path = "/mnt/vault/data"
+}
+```
+
+For configuration options which also read an environment variable, the
+environment variable will take precedence over values in the configuration
+file.
diff --git a/website/pages/docs/configuration/storage/manta.mdx b/website/pages/docs/configuration/storage/manta.mdx
new file mode 100644
index 000000000000..4ebd02418d63
--- /dev/null
+++ b/website/pages/docs/configuration/storage/manta.mdx
@@ -0,0 +1,67 @@
+---
+layout: docs
+page_title: Manta - Storage Backends - Configuration
+sidebar_title: Manta
+description: >-
+  The Manta storage backend is used to persist Vault's data in Triton's Manta
+  Object
+
+  Storage. The storage folder must already exist.
+---
+
+# Manta Storage Backend
+
+The Manta storage backend is used to persist Vault's data in [Triton's Manta Object
+Storage][manta-object-store]. The storage folder must already exist.
+
+- **No High Availability** – the Manta storage backend does not support high
+  availability.
+
+- **Community Supported** – the Manta storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "manta" {
+  directory   = "manta-directory"
+  user = "myuser"
+  key_id = "40:9d:d3:f9:0b:86:62:48:f4:2e:a5:8e:43:00:2a:9b"
+}
+```
+
+## `manta` Parameters
+
+- `directory` `(string: <required>)` – Specifies the name of the manta directory to use.
+  This will be in the `/stor/` folder in the specific manta account
+
+The following settings are used for authenticating to Manta.
+
+- `user` `(string: <required>)` – Specifies the Manta user account name. This can also be provided via
+  the environment variable `MANTA_USER`.
+
+- `key_id` `(string: <required>)` – The fingerprint of the public key of the SSH key pair to use for authentication with the Manta API.
+  It is assumed that the SSH agent has the private key corresponding to this key ID loaded. This can also be provided
+  via the environment variable `MANTA_KEY_ID`.
+
+- `subuser` - The name of a subuser that has been granted access to the Manta account. This can also be
+  provided via the environment variable `MANTA_SUBUSER`.
+- `url` – Specifies the Manta URL. Defaults to `https://us-east.manta.joyent.com`. This can also be provided via
+  the environment variable `MANTA_URL`.
+
+- `max_parallel` `(string: "128")` – Specifies The maximum number of concurrent
+  requests to Manta.
+
+## `manta` Examples
+
+This example shows configuring the Azure storage backend with a custom number of
+maximum parallel connections.
+
+```hcl
+storage "manta" {
+  directory    = "vault-storage-directory"
+  max_parallel = 512
+}
+```
+
+[manta-object-store]: https://www.joyent.com/triton/object-storage
diff --git a/website/pages/docs/configuration/storage/mssql.mdx b/website/pages/docs/configuration/storage/mssql.mdx
new file mode 100644
index 000000000000..ca6fd2604a2f
--- /dev/null
+++ b/website/pages/docs/configuration/storage/mssql.mdx
@@ -0,0 +1,80 @@
+---
+layout: docs
+page_title: MSSQL - Storage Backends - Configuration
+sidebar_title: MSSQL
+description: >-
+  The MSSQL storage backend is used to persist Vault's data in a Microsoft SQL
+  Server.
+---
+
+# MSSQL Storage Backend
+
+The MSSQL storage backend is used to persist Vault's data in a Microsoft SQL Server.
+
+- **No High Availability** – the MSSQL storage backend does not support high
+  availability.
+
+- **Community Supported** – the MSSQL storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "mssql" {
+  server = "localhost"
+  username = "user1234"
+  password = "secret123!"
+  database = "vault"
+  table = "vault"
+  appname = "vault"
+  schema = "dbo"
+  connectionTimeout = 30
+  logLevel = 0
+}
+```
+
+## `mssql` Parameters
+
+- `server` `(string: <required>)` – host or host\instance.
+
+- `username` `(string: "")` - enter the SQL Server Authentication user id or
+  the Windows Authentication user id in the DOMAIN\User format.
+  On Windows, if user id is empty or missing Single-Sign-On is used.
+
+- `password` `(string: "")` – specifies the MSSQL password to connect to
+  the database.
+
+- `database` `(string: "Vault")` – Specifies the name of the database. If the
+  database does not exist, Vault will attempt to create it.
+
+- `table` `(string: "Vault")` – Specifies the name of the table. If the table
+  does not exist, Vault will attempt to create it.
+
+- `schema` `(string: "dbo")` – Specifies the name of the schema. If the schema
+  does not exist, Vault will attempt to create it.
+
+- `appname` `(string: "Vault")` – the application name.
+
+- `connectionTimeout` `(int: 30)` – in seconds (default is 30).
+
+- `logLevel` `(int: 0)` – logging flags (default 0/no logging, 63 for full logging) .
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests to MSSQL.
+
+## `mssql` Examples
+
+### Custom Database, Table and Schema
+
+This example shows configuring the MSSQL backend to use a custom database and
+table name.
+
+```hcl
+storage "mssql" {
+  database = "my-vault"
+  table    = "vault-data"
+  schema   = "vlt"
+  username = "user1234"
+  password = "pass5678"
+}
+```
diff --git a/website/pages/docs/configuration/storage/mysql.mdx b/website/pages/docs/configuration/storage/mysql.mdx
new file mode 100644
index 000000000000..563f4c455020
--- /dev/null
+++ b/website/pages/docs/configuration/storage/mysql.mdx
@@ -0,0 +1,94 @@
+---
+layout: docs
+page_title: MySQL - Storage Backends - Configuration
+sidebar_title: MySQL
+description: |-
+  The MySQL storage backend is used to persist Vault's data in a MySQL server or
+  cluster.
+---
+
+# MySQL Storage Backend
+
+The MySQL storage backend is used to persist Vault's data in a [MySQL][mysql]
+server or cluster.
+
+- **High Availability** – the MySQL storage backend supports high availability.
+  Note that due to the way mysql locking functions work they are lost if a connection
+  dies. If you would like to not have frequent changes in your elected leader you
+  can increase interactive_timeout and wait_timeout MySQL config to much higher than
+  default which is set at 8 hours.
+
+- **Community Supported** – the MySQL storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "mysql" {
+  username = "user1234"
+  password = "secret123!"
+  database = "vault"
+}
+```
+
+## `mysql` Parameters
+
+- `address` `(string: "127.0.0.1:3306")` – Specifies the address of the MySQL
+  host.
+
+- `database` `(string: "vault")` – Specifies the name of the database. If the
+  database does not exist, Vault will attempt to create it.
+
+- `table` `(string: "vault")` – Specifies the name of the table. If the table
+  does not exist, Vault will attempt to create it.
+
+- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate to
+  connect using TLS.
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests to MySQL.
+
+- `max_idle_connections` `(string: "0")` – Specifies the maximum number of idle
+  connections to the database. A zero uses value defaults to 2 idle connections
+  and a negative value disables idle connections. If larger than
+  `max_parallel` it will be reduced to be equal.
+
+- `max_connection_lifetime` `(string: "0")` – Specifies the maximum amount of
+  time in seconds that a connection may be reused. If <= 0s connections are reused forever.
+
+Additionally, Vault requires the following authentication information.
+
+- `username` `(string: <required>)` – Specifies the MySQL username to connect to
+  the database.
+
+- `password` `(string: <required>)` – Specifies the MySQL password to connect to
+  the database.
+
+### High Availability Parameters
+
+- `ha_enabled` `(string: "true")` - Specifies if high availability mode is
+  enabled. This is a boolean value, but it is specified as a string like "true"
+  or "false".
+
+- `lock_table` `(string: "vault_lock")` – Specifies the name of the table to
+  use for storing high availability information. By default, this is the name
+  of the `table` suffixed with `_lock`. If the table does not exist, Vault will
+  attempt to create it.
+
+## `mysql` Examples
+
+### Custom Database and Table
+
+This example shows configuring the MySQL backend to use a custom database and
+table name.
+
+```hcl
+storage "mysql" {
+  database = "my-vault"
+  table    = "vault-data"
+  username = "user1234"
+  password = "pass5678"
+}
+```
+
+[mysql]: https://dev.mysql.com
diff --git a/website/pages/docs/configuration/storage/oci-object-storage.mdx b/website/pages/docs/configuration/storage/oci-object-storage.mdx
new file mode 100644
index 000000000000..16898d5aee48
--- /dev/null
+++ b/website/pages/docs/configuration/storage/oci-object-storage.mdx
@@ -0,0 +1,83 @@
+---
+layout: docs
+page_title: OCI Object Storage - Storage Backends - Configuration
+sidebar_title: OCI Object Storage
+description: >-
+  The OCI Object Storage backend is used to persist Vault's data in OCI Object
+  Storage.
+---
+
+# OCI Object Storage Storage Backend
+
+The OCI Object Storage backend is used to persist Vault's data in OCI Object Storage.
+
+- **High Availability** – the OCI Object Storage backend supports high availability.
+
+- **Community Supported** – the OCI Object Storage backend is supported by the community. While it has undergone review by HashiCorp employees, they may not be as knowledgeable about the technology. If you encounter problems with them, you may be referred to the original author.
+
+```hcl
+storage "oci" {
+   namespace_name = "<object_storage_namespace_name>"
+   bucket_name = "<vault_data_bucket_name>"
+   ha_enabled = "<boolean true/false>"
+   lock_bucket_name = "<leader_lock_bucket_name>"
+   auth_type_api_key = "<boolean setting for using api-key instead of instance principals>"
+}
+```
+
+For more information on OCI Object Storage, please see the Oracle's [OCI Object Storage documentation][ocios-docs].
+
+## `oci` Setup
+
+To use the OCI Object Storage Vault storage backend, you must have a OCI account. Either using the API or web interface, create the data bucket and lock bucket if enabling high availability.
+
+The OCI Object Storage backend does not support creating the buckets automatically at this time.
+
+## `oci` Authentication
+
+The OCI Object Storage Vault storage backend uses the official OCI Golang SDK. This means it supports the common ways of providing credentials to OCI.
+
+For more information on service accounts, please see the [OCI Identity documentation][oci-identity].
+
+## `oci` Parameters
+
+- `namespace_name` `(string: <required>)` – Specifies the name of the OCI Object Storage namespaces containing the data bucket and the lock bucket.
+
+- `bucket_name` `(string: <required>)` - Specifies the name of the bucket that will be used to store the vault data.
+
+### High Availability Parameters
+
+- `ha_enabled` `(string: "<required>")` - Specifies if high availability mode is
+  enabled. This is a boolean value, but it is specified as a string like "true"
+  or "false".
+
+- `lock_bucket_name` `(string: "<required>")` - Specifies the name of the bucket that will be used to store the node lease data.
+
+## `oci` Examples
+
+### Standalone Vault instance
+
+This example shows configuring OCI Object Storage as a standalone instance.
+
+```hcl
+storage "oci" {
+    namespace_name = "MyNamespace"
+    bucket_name = "DataBucket"
+}
+```
+
+### High Availability
+
+This example shows configuring OCI Object Storage with high availability enabled.
+
+```hcl
+storage "oci" {
+   namespace_name = "MyNamespace"
+   bucket_name = "DataBucket"
+   ha_enabled = "true"
+   lock_bucket_name = "LockBucket"
+}
+```
+
+[oci-identity]: https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/overview.htm
+[ocios-docs]: https://docs.cloud.oracle.com/iaas/Content/Object/Concepts/objectstorageoverview.htm
diff --git a/website/pages/docs/configuration/storage/postgresql.mdx b/website/pages/docs/configuration/storage/postgresql.mdx
new file mode 100644
index 000000000000..b7f2389cb04b
--- /dev/null
+++ b/website/pages/docs/configuration/storage/postgresql.mdx
@@ -0,0 +1,141 @@
+---
+layout: docs
+page_title: PostgreSQL - Storage Backends - Configuration
+sidebar_title: PostgreSQL
+description: |-
+  The PostgreSQL storage backend is used to persist Vault's data in a PostgreSQL
+  server or cluster.
+---
+
+# PostgreSQL Storage Backend
+
+The PostgreSQL storage backend is used to persist Vault's data in a
+[PostgreSQL][postgresql] server or cluster.
+
+- **High Availability** – the PostgreSQL storage backend supports
+  high availability. Requires PostgreSQL 9.5 or later.
+
+- **Community Supported** – the PostgreSQL storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "postgresql" {
+  connection_url = "postgres://user123:secret123!@localhost:5432/vault"
+}
+```
+
+~> **Note:** The PostgreSQL storage backend plugin will attempt to use SSL
+when connecting to the database. If SSL is not enabled the `connection_url`
+will need to be configured to disable SSL. See the documentation below
+to disable SSL.
+
+The PostgreSQL storage backend does not automatically create the table. Here is
+some sample SQL to create the schema and indexes.
+
+```sql
+CREATE TABLE vault_kv_store (
+  parent_path TEXT COLLATE "C" NOT NULL,
+  path        TEXT COLLATE "C",
+  key         TEXT COLLATE "C",
+  value       BYTEA,
+  CONSTRAINT pkey PRIMARY KEY (path, key)
+);
+
+CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
+```
+
+Store for HAEnabled backend
+
+```sql
+CREATE TABLE vault_ha_locks (
+  ha_key                                      TEXT COLLATE "C" NOT NULL,
+  ha_identity                                 TEXT COLLATE "C" NOT NULL,
+  ha_value                                    TEXT COLLATE "C",
+  valid_until                                 TIMESTAMP WITH TIME ZONE NOT NULL,
+  CONSTRAINT ha_key PRIMARY KEY (ha_key)
+);
+```
+
+If you're using a version of PostgreSQL prior to 9.5, create the following function:
+
+```sql
+CREATE FUNCTION vault_kv_put(_parent_path TEXT, _path TEXT, _key TEXT, _value BYTEA) RETURNS VOID AS
+$$
+BEGIN
+    LOOP
+        -- first try to update the key
+        UPDATE vault_kv_store
+          SET (parent_path, path, key, value) = (_parent_path, _path, _key, _value)
+          WHERE _path = path AND key = _key;
+        IF found THEN
+            RETURN;
+        END IF;
+        -- not there, so try to insert the key
+        -- if someone else inserts the same key concurrently,
+        -- we could get a unique-key failure
+        BEGIN
+            INSERT INTO vault_kv_store (parent_path, path, key, value)
+              VALUES (_parent_path, _path, _key, _value);
+            RETURN;
+        EXCEPTION WHEN unique_violation THEN
+            -- Do nothing, and loop to try the UPDATE again.
+        END;
+    END LOOP;
+END;
+$$
+LANGUAGE plpgsql;
+```
+
+## `postgresql` Parameters
+
+- `connection_url` `(string: <required>)` – Specifies the connection string to
+  use to authenticate and connect to PostgreSQL. The connection URL can also be
+  set using the `VAULT_PG_CONNECTION_URL` environment variable. A full list of supported
+  parameters can be found in [the pq library documentation][pglib]. For example
+  connection string URLs, see the examples section below.
+
+- `table` `(string: "vault_kv_store")` – Specifies the name of the table in
+  which to write Vault data. This table must already exist (Vault will not
+  attempt to create it).
+
+- `max_idle_connections` `(int)` - Default not set. Sets the maximum number of
+  connections in the idle connection pool. See
+  [golang docs on SetMaxIdleConns][golang_setmaxidleconns] for more information.
+  Requires 1.2 or later.
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests to PostgreSQL.
+
+- `ha_enabled` `(string: "true|false")` – Default not enabled, requires 9.5 or later.
+
+- `ha_table` `(string: "vault_ha_locks")` – Specifies the name of the table to use
+  for storing high availability information. This table must already exist (Vault
+  will not attempt to create it).
+
+## `postgresql` Examples
+
+### Custom SSL Verification
+
+This example shows connecting to a PostgreSQL cluster using full SSL
+verification (recommended).
+
+```hcl
+storage "postgresql" {
+  connection_url = "postgres://user:pass@localhost:5432/database?sslmode=verify-full"
+}
+```
+
+To disable SSL verification (not recommended), replace `verify-full` with
+`disable`:
+
+```hcl
+storage "postgresql" {
+  connection_url = "postgres://user:pass@localhost:5432/database?sslmode=disable"
+}
+```
+
+[golang_setmaxidleconns]: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
+[postgresql]: https://www.postgresql.org/
+[pglib]: https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
diff --git a/website/pages/docs/configuration/storage/raft.mdx b/website/pages/docs/configuration/storage/raft.mdx
new file mode 100644
index 000000000000..c8af8c597529
--- /dev/null
+++ b/website/pages/docs/configuration/storage/raft.mdx
@@ -0,0 +1,49 @@
+---
+layout: docs
+page_title: Raft - Storage Backends - Configuration
+sidebar_title: Raft
+description: |-
+
+  The Raft storage backend is used to persist Vault's data. Unlike all the other
+  storage backends, this backend does not operate from a single source for the
+  data. Instead all the nodes in a Vault cluster will have a replicated copy of
+  the entire data. The data is replicated across the nodes using the Raft
+  Consensus Algorithm.
+---
+
+# Raft Storage Backend
+
+~> **NOTE:** Vault's Integrated Storage is currently a **_Beta_**
+feature and not recommended for deployment in production.
+
+The Raft storage backend is used to persist Vault's data. Unlike other storage
+backends, Raft storage does not operate from a single source of data. Instead
+all the nodes in a Vault cluster will have a replicated copy of Vault's data.
+Data gets replicated across the all the nodes via the [Raft Consensus
+Algorithm][raft].
+
+- **High Availability** – the Raft storage backend supports high availability.
+
+- **HashiCorp Supported** – the Raft storage backend is officially supported
+  by HashiCorp.
+
+```hcl
+storage "raft" {
+  path = "/path/to/raft/data"
+  node_id = "raft_node_1"
+}
+cluster_addr = "http://127.0.0.1:8201"
+```
+
+**Note:** When using the Raft storage backend, it is required to provide `cluster_addr` to indicate the address and port to be used for communication between the nodes in the Raft cluster.
+
+## `raft` Parameters
+
+- `path` `(string: "")` – The file system path where all the Vault data gets
+  stored.
+  This value can be overridden by setting the `VAULT_RAFT_PATH` environment variable.
+
+- `node_id` `(string: "")` - The identifier for the node in the Raft cluster.
+  This value can be overridden by setting the `VAULT_RAFT_NODE_ID` environment variable.
+
+[raft]: https://raft.github.io/ 'The Raft Consensus Algorithm'
diff --git a/website/pages/docs/configuration/storage/s3.mdx b/website/pages/docs/configuration/storage/s3.mdx
new file mode 100644
index 000000000000..bed37d2f900f
--- /dev/null
+++ b/website/pages/docs/configuration/storage/s3.mdx
@@ -0,0 +1,120 @@
+---
+layout: docs
+page_title: S3 - Storage Backends - Configuration
+sidebar_title: S3
+description: |-
+  The S3 storage backend is used to persist Vault's data in an Amazon S3
+  bucket.
+---
+
+# S3 Storage Backend
+
+The S3 storage backend is used to persist Vault's data in an [Amazon S3][s3]
+bucket.
+
+- **No High Availability** – the S3 storage backend does not support high
+  availability.
+
+- **Community Supported** – the S3 storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "s3" {
+  access_key = "abcd1234"
+  secret_key = "defg5678"
+  bucket     = "my-bucket"
+}
+```
+
+## `s3` Parameters
+
+- `bucket` `(string: <required>)` – Specifies the name of the S3 bucket. This
+  can also be provided via the environment variable `AWS_S3_BUCKET`.
+
+- `endpoint` `(string: "")` – Specifies an alternative, AWS compatible, S3
+  endpoint. This can also be provided via the environment variable
+  `AWS_S3_ENDPOINT`.
+
+- `region` `(string "us-east-1")` – Specifies the AWS region. This can also be
+  provided via the environment variable `AWS_REGION` or `AWS_DEFAULT_REGION`,
+  in that order of preference.
+
+The following settings are used for authenticating to AWS. If you are
+running your Vault server on an EC2 instance, you can also make use of the EC2
+instance profile service to provide the credentials Vault will use to make
+S3 API calls. Leaving the `access_key` and `secret_key` fields empty will
+cause Vault to attempt to retrieve credentials from the AWS metadata service.
+
+- `access_key` – Specifies the AWS access key. This can also be provided via
+  the environment variable `AWS_ACCESS_KEY_ID`, AWS credential files, or by
+  IAM role.
+
+- `secret_key` – Specifies the AWS secret key. This can also be provided via
+  the environment variable `AWS_SECRET_ACCESS_KEY`, AWS credential files, or
+  by IAM role.
+
+- `session_token` `(string: "")` – Specifies the AWS session token. This can
+  also be provided via the environment variable `AWS_SESSION_TOKEN`.
+
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
+  requests to S3.
+
+- `s3_force_path_style` `(string: "false")` - Specifies whether to use host
+  bucket style domains with the configured endpoint.
+
+- `disable_ssl` `(string: "false")` - Specifies if SSL should be used for the
+  endpoint connection (highly recommended not to disable for production).
+
+- `kms_key_id` `(string: "")` - Specifies the ID or Alias of the KMS key used to
+  encrypt data in the S3 backend. Vault must have `kms:Encrypt` and `kms:Decrypt`
+  permissions for this key. You can use `alias/aws/s3` to specify the default
+  key for the account.
+
+- `path` `(string: "")` - Specifies the path in the S3 Bucket where Vault
+  data will be stored.
+
+## `s3` Examples
+
+### Default Example
+
+This example shows using Amazon S3 as a storage backend.
+
+```hcl
+storage "s3" {
+  access_key = "abcd1234"
+  secret_key = "defg5678"
+  bucket     = "my-bucket"
+}
+```
+
+### S3 KMS Encryption with Default Key
+
+This example shows using Amazon S3 as a storage backend using KMS
+encryption with the default S3 KMS key for the account.
+
+```hcl
+storage "s3" {
+  access_key = "abcd1234"
+  secret_key = "defg5678"
+  bucket     = "my-bucket"
+  kms_key_id = "alias/aws/s3"
+}
+```
+
+### S3 KMS Encryption with Custom Key
+
+This example shows using Amazon S3 as a storage backend using KMS
+encryption with a customer managed KMS key.
+
+```hcl
+storage "s3" {
+  access_key = "abcd1234"
+  secret_key = "defg5678"
+  bucket     = "my-bucket"
+  kms_key_id = "001234ac-72d3-9902-a3fc-0123456789ab"
+}
+```
+
+[s3]: https://aws.amazon.com/s3/
diff --git a/website/pages/docs/configuration/storage/swift.mdx b/website/pages/docs/configuration/storage/swift.mdx
new file mode 100644
index 000000000000..efffe8ffcbf3
--- /dev/null
+++ b/website/pages/docs/configuration/storage/swift.mdx
@@ -0,0 +1,83 @@
+---
+layout: docs
+page_title: Swift - Storage Backends - Configuration
+sidebar_title: Swift
+description: |-
+  The Swift storage backend is used to persist Vault's data in an OpenStack
+  Swift Container.
+---
+
+# Swift Storage Backend
+
+The Swift storage backend is used to persist Vault's data in an
+[OpenStack Swift Container][swift].
+
+- **No High Availability** – the Swift storage backend does not support high
+  availability.
+
+- **Community Supported** – the Swift storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "swift" {
+  auth_url  = "https://..."
+  username  = "admin"
+  password  = "secret123!"
+  container = "my-storage-container"
+}
+```
+
+## `swift` Parameters
+
+- `auth_url` `(string: <required>)` – Specifies the OpenStack authentication
+  endpoint. This can also be provided via the environment variable `OS_AUTH_URL`.
+
+- `container` `(string: <required>)` – Specifies the name of the Swift
+  container. This can also be provided via the environment variable
+  `OS_CONTAINER`.
+
+- `max_parallel` `(string: "128")` – The maximum number of concurrent requests.
+
+- `password` `(string: <required>)` – Specifies the OpenStack password. This can
+  also be provided via the environment variable `OS_PASSWORD`.
+
+- `tenant` `(string: "")` – Specifies the name of the tenant. If left blank,
+  this will default to the default tenant of the username. This can also be
+  provided via the environment variable `OS_TENANT_NAME`.
+
+- `username` `(string: <required>)` – Specifies the OpenStack account/username.
+  This can also be provided via the environment variable `OS_USERNAME`.
+
+- `region` `(string: "")` – Specifies the name of the region. This can also be provided via the environment variable `OS_REGION_NAME`.
+
+- `tenant_id` `(string: "")` - Specifies the id of the tenant. This can also be provided via the environment variable `OS_TENANT_ID`.
+
+- `domain` `(string: "")` - Specifies the name of the user domain. This can also be provided via the environment variable `OS_USER_DOMAIN_NAME`.
+
+- `project-domain` `(string: "")` - Specifies the name of the project's domain. This can also be provided via the environment variable `OS_PROJECT_DOMAIN_NAME`.
+
+- `trust_id` `(string: "")` - Specifies the id of the trust. This can also be provided via the environment variable `OS_TRUST_ID`.
+
+- `storage_url` `(string: "")` - Specifies storage URL from alternate authentication. This can also be provided via the environment variable `OS_STORAGE_URL`.
+
+- `auth_token` `(string: "")` - Specifies auth token from alternate authentication. This can also be provided via the environment variable `OS_AUTH_TOKEN`.
+
+## `swift` Examples
+
+### Default Example
+
+This example shows a default configuration for Swift.
+
+```hcl
+storage "swift" {
+  auth_url  = "https://os.internal/v1/auth"
+  container = "container-239"
+
+  username  = "user1234"
+  password  = "pass5678"
+}
+```
+
+[swift]: http://docs.openstack.org/developer/swift/
diff --git a/website/pages/docs/configuration/storage/zookeeper.mdx b/website/pages/docs/configuration/storage/zookeeper.mdx
new file mode 100644
index 000000000000..21624dfb83aa
--- /dev/null
+++ b/website/pages/docs/configuration/storage/zookeeper.mdx
@@ -0,0 +1,151 @@
+---
+layout: docs
+page_title: Zookeeper - Storage Backends - Configuration
+sidebar_title: Zookeeper
+description: The Zookeeper storage backend is used to persist Vault's data in Zookeeper.
+---
+
+# Zookeeper Storage Backend
+
+The Zookeeper storage backend is used to persist Vault's data in
+[Zookeeper][zk].
+
+- **High Availability** – the Zookeeper storage backend supports high
+  availability.
+
+- **Community Supported** – the Zookeeper storage backend is supported by the
+  community. While it has undergone review by HashiCorp employees, they may not
+  be as knowledgeable about the technology. If you encounter problems with them,
+  you may be referred to the original author.
+
+```hcl
+storage "zookeeper" {
+  address = "localhost:2181"
+  path    = "vault/"
+}
+```
+
+## `zookeeper` Parameters
+
+- `address` `(string: "localhost:2181")` – Specifies the addresses of the
+  Zookeeper instances as a comma-separated list.
+
+- `path` `(string: "vault/")` – Specifies the path in Zookeeper where data will
+  be stored.
+
+The following optional settings can be used to configure zNode ACLs:
+
+~> **Warning!** If neither `auth_info` nor `znode_owner` are set, the backend
+will not authenticate with Zookeeper and will set the `OPEN_ACL_UNSAFE` ACL on
+all nodes. In this scenario, anyone connected to Zookeeper could change Vault’s
+znodes and, potentially, take Vault out of service.
+
+- `auth_info` `(string: "")` – Specifies an authentication string in Zookeeper
+  AddAuth format. For example, `digest:UserName:Password` could be used to
+  authenticate as user `UserName` using password `Password` with the `digest`
+  mechanism.
+
+- `znode_owner` `(string: "")` – If specified, Vault will always set all
+  permissions (CRWDA) to the ACL identified here via the Schema and User parts
+  of the Zookeeper ACL format. The expected format is `schema:user-ACL-match`,
+  for example:
+
+  ```text
+  # Access for user "UserName" with corresponding digest "HIDfRvTv623G=="
+  digest:UserName:HIDfRvTv623G==
+  ```
+
+  ```text
+  # Access from localhost only
+  ip:127.0.0.1
+  ```
+
+  ```text
+  # Access from any host on the 70.95.0.0 network (Zookeeper 3.5+)
+  ip:70.95.0.0/16
+  ```
+
+- `tls_enabled` `(bool: false)` – Specifies if TLS communication with the Zookeeper
+  backend has to be enabled.
+
+- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate file used
+  for Zookeeper communication. Multiple CA certificates can be provided in the same file.
+
+- `tls_cert_file` `(string: "")` (optional) – Specifies the path to the
+  client certificate for Zookeeper communication.
+
+- `tls_key_file` `(string: "")` – Specifies the path to the private key for
+  Zookeeper communication.
+
+- `tls_min_version` `(string: "tls12")` – Specifies the minimum TLS version to
+  use. Accepted values are `"tls10"`, `"tls11"` or `"tls12"`.
+
+- `tls_skip_verify` `(bool: false)` – Disable verification of TLS certificates.
+  Using this option is highly discouraged.
+
+- `tls_verify_ip` `(bool: false)` - This property comes into play only when
+  'tls_skip_verify' is set to false. When 'tls_verify_ip' is set to 'true', the
+  zookeeper server's IP is verified in the presented certificates CN/SAN entry.
+  When set to 'false' the server's DNS name is verified in the certificates CN/SAN entry.
+
+## `zookeeper` Examples
+
+### Custom Address and Path
+
+This example shows configuring Vault to communicate with a Zookeeper
+installation running on a custom port and to store data at a custom path.
+
+```hcl
+storage "zookeeper" {
+  address = "localhost:3253"
+  path    = "my-vault-data/"
+}
+```
+
+### zNode Vault User Only
+
+This example instructs Vault to set an ACL on all of its zNodes which permit
+access only to the user "vaultUser". As per Zookeeper's ACL model, the digest
+value in `znode_owner` must match the user in `znode_owner`.
+
+```hcl
+storage "zookeeper" {
+  znode_owner = "digest:vaultUser:raxgVAfnDRljZDAcJFxznkZsExs="
+  auth_info   = "digest:vaultUser:abc"
+}
+```
+
+### zNode Localhost Only
+
+This example instructs Vault to only allow access from localhost. As this is the
+`ip` no `auth_info` is required since Zookeeper uses the address of the client
+for the ACL check.
+
+```hcl
+storage "zookeeper" {
+  znode_owner = "ip:127.0.0.1"
+}
+```
+
+### zNode connection over TLS.
+
+This example instructs Vault to connect to Zookeeper using the provided TLS configuration. The host verification will happen with the presented certificate using the servers IP because 'tls_verify_ip' is set to true.
+
+```hcl
+storage "zookeeper" {
+  address = "host1.com:5200,host2.com:5200,host3.com:5200"
+  path = "vault_path_on_zk/"
+  znode_owner = "digest:vault_user:digestvalueforpassword="
+  auth_info = "digest:vault_user:thisisthepassword"
+  redirect_addr = "http://localhost:8200"
+  tls_verify_ip = "true"
+  tls_enabled= "true"
+  tls_min_version= "tls12"
+  tls_cert_file = "/path/to/the/cert/file/zkcert.pem"
+  tls_key_file = "/path/to/the/key/file/zkkey.pem"
+  tls_skip_verify= "false"
+  tls_ca_file= "/path/to/the/ca/file/ca.pem"
+}
+```
+
+[zk]: https://zookeeper.apache.org/
diff --git a/website/pages/docs/configuration/telemetry.mdx b/website/pages/docs/configuration/telemetry.mdx
new file mode 100644
index 000000000000..172c8894dd1c
--- /dev/null
+++ b/website/pages/docs/configuration/telemetry.mdx
@@ -0,0 +1,208 @@
+---
+layout: docs
+page_title: Telemetry - Configuration
+sidebar_title: <code>telemetry</code>
+description: |-
+  The telemetry stanza specifies various configurations for Vault to publish
+  metrics to upstream systems.
+---
+
+# `telemetry` Stanza
+
+The `telemetry` stanza specifies various configurations for Vault to publish
+metrics to upstream systems. Available Vault metrics can be found in the
+[Telemetry internals documentation](/docs/internals/telemetry.html).
+
+```hcl
+telemetry {
+  statsite_address = "statsite.company.local:8125"
+}
+```
+
+## `telemetry` Parameters
+
+Due to the number of configurable parameters to the `telemetry` stanza,
+parameters on this page are grouped by the telemetry provider.
+
+### Common
+
+The following options are available on all telemetry configurations.
+
+- `disable_hostname` `(bool: false)` - Specifies if gauge values should be
+  prefixed with the local hostname.
+- `enable_hostname_label` `(bool: false)` - Specifies if all metric values should
+  contain the `host` label with the local hostname. It is recommended to enable
+  `disable_hostname` if this option is used.
+
+### `statsite`
+
+These `telemetry` parameters apply to
+[statsite](https://github.com/armon/statsite).
+
+- `statsite_address` `(string: "")` - Specifies the address of a statsite server
+  to forward metrics data to.
+
+```hcl
+telemetry {
+  statsite_address = "statsite.company.local:8125"
+}
+```
+
+### `statsd`
+
+These `telemetry` parameters apply to
+[statsd](https://github.com/etsy/statsd).
+
+- `statsd_address` `(string: "")` - Specifies the address of a statsd server to
+  forward metrics to.
+
+```hcl
+telemetry {
+  statsd_address = "statsd.company.local:8125"
+}
+```
+
+### `circonus`
+
+These `telemetry` parameters apply to [Circonus](http://circonus.com/).
+
+- `circonus_api_token` `(string: "")` - Specifies a valid Circonus API Token
+  used to create/manage check. If provided, metric management is enabled.
+
+- `circonus_api_app` `(string: "nomad")` - Specifies a valid app name associated
+  with the API token.
+
+- `circonus_api_url` `(string: "https://api.circonus.com/v2")` - Specifies the
+  base URL to use for contacting the Circonus API.
+
+- `circonus_submission_interval` `(string: "10s")` - Specifies the interval at
+  which metrics are submitted to Circonus.
+
+- `circonus_submission_url` `(string: "")` - Specifies the
+  `check.config.submission_url` field, of a Check API object, from a previously
+  created HTTPTRAP check.
+
+- `circonus_check_id` `(string: "")` - Specifies the Check ID (**not check
+  bundle**) from a previously created HTTPTRAP check. The numeric portion of the
+  `check._cid` field in the Check API object.
+
+- `circonus_check_force_metric_activation` `(bool: false)` - Specifies if force
+  activation of metrics which already exist and are not currently active. If
+  check management is enabled, the default behavior is to add new metrics as
+  they are encountered. If the metric already exists in the check, it will
+  not be activated. This setting overrides that behavior.
+
+- `circonus_check_instance_id` `(string: "<hostname>:<application>")` - Serves
+  to uniquely identify the metrics coming from this _instance_. It can be used
+  to maintain metric continuity with transient or ephemeral instances as they
+  move around within an infrastructure. By default, this is set to
+  hostname:application name (e.g. "host123:nomad").
+
+- `circonus_check_search_tag` `(string: <service>:<application>)` - Specifies a
+  special tag which, when coupled with the instance id, helps to narrow down the
+  search results when neither a Submission URL or Check ID is provided. By
+  default, this is set to service:app (e.g. "service:nomad").
+
+- `circonus_check_display_name` `(string: "")` - Specifies a name to give a
+  check when it is created. This name is displayed in the Circonus UI Checks
+  list.
+
+- `circonus_check_tags` `(string: "")` - Comma separated list of additional
+  tags to add to a check when it is created.
+
+- `circonus_broker_id` `(string: "")` - Specifies the ID of a specific Circonus
+  Broker to use when creating a new check. The numeric portion of `broker._cid`
+  field in a Broker API object. If metric management is enabled and neither a
+  Submission URL nor Check ID is provided, an attempt will be made to search for
+  an existing check using Instance ID and Search Tag. If one is not found, a new
+  HTTPTRAP check will be created. By default, this is a random
+  Enterprise Broker is selected, or, the default Circonus Public Broker.
+
+- `circonus_broker_select_tag` `(string: "")` - Specifies a special tag which
+  will be used to select a Circonus Broker when a Broker ID is not provided. The
+  best use of this is to as a hint for which broker should be used based on
+  _where_ this particular instance is running (e.g. a specific geo location or
+  datacenter, dc:sfo).
+
+### `dogstatsd`
+
+These `telemetry` parameters apply to
+[DogStatsD](http://docs.datadoghq.com/guides/dogstatsd/).
+
+- `dogstatsd_addr` `(string: "")` - This provides the address of a DogStatsD
+  instance. DogStatsD is a protocol-compatible flavor of statsd, with the added
+  ability to decorate metrics with tags and event information. If provided,
+  Vault will send various telemetry information to that instance for
+  aggregation. This can be used to capture runtime information.
+
+* `dogstatsd_tags` `(string array: [])` - This provides a list of global tags
+  that will be added to all telemetry packets sent to DogStatsD. It is a list
+  of strings, where each string looks like "my_tag_name:my_tag_value".
+
+### `prometheus`
+
+These `telemetry` parameters apply to
+[prometheus](https://prometheus.io).
+
+- `prometheus_retention_time` `(string: "24h")` - Specifies the amount of time that
+  prometheus metrics are retained in memory. It is recommended to also enable the option
+  `disable_hostname` to avoid having prefixed metrics with hostname. Vault does not use the
+  default Prometheus path, so Prometheus must be configured as follows. Note that using
+  `?format=prometheus` in the path won't work as "?" will be escaped, so it must be specified
+  as a parameter. Additionally a Vault token is required to access /v1/sys/metrics. The prometheus
+  `bearer_token` or `bearer_token_file` options must be added to the scrape job.
+
+```
+metrics_path: "/v1/sys/metrics"
+params:
+  format: ['prometheus']
+bearer_token: your_vault_token_here
+
+```
+
+```hcl
+telemetry {
+  prometheus_retention_time = "30s",
+  disable_hostname = true
+}
+```
+
+### `stackdriver`
+
+These `telemetry` parameters apply to [Stackdriver Monitoring](https://cloud.google.com/monitoring/).
+
+The Stackdriver telemetry provider uses the official Google Cloud Golang SDK. This means
+it supports the common ways of
+[providing credentials to Google Cloud](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application).
+
+To use this telemetry provider, the service account must have the following
+minimum scope(s):
+
+```text
+https://www.googleapis.com/auth/cloud-platform
+https://www.googleapis.com/auth/monitoring
+https://www.googleapis.com/auth/monitoring.write
+```
+
+And the following IAM role(s):
+
+```text
+roles/monitoring.metricWriter
+```
+
+- `stackdriver_project_id` the Google Cloud ProjectID to send telemetry data to.
+- `stackdriver_location` the GCP or AWS region of the monitored resource.
+- `stackdriver_namespace` a namespace identifier for the telemetry data.
+
+It is recommended to also enable the option `disable_hostname` to avoid having prefixed
+metrics with hostname and enable instead `enable_hostname_label`.
+
+```hcl
+telemetry {
+  stackdriver_project_id = "my-test-project"
+  stackdriver_location = "us-east1-a"
+  stackdriver_namespace = "vault-cluster-a"
+  disable_hostname = true
+  enable_hostname_label = true
+}
+```
diff --git a/website/pages/docs/configuration/ui/index.mdx b/website/pages/docs/configuration/ui/index.mdx
new file mode 100644
index 000000000000..b6125f46d276
--- /dev/null
+++ b/website/pages/docs/configuration/ui/index.mdx
@@ -0,0 +1,73 @@
+---
+layout: docs
+page_title: UI - Configuration
+sidebar_title: <code>ui</code>
+description: |-
+  Vault features a user interface (web interface) for interacting with Vault.
+  Easily create, read, update, and delete secrets, authenticate, unseal, and
+  more with the Vault UI.
+---
+
+# Vault UI
+
+Vault features a user interface (web interface) for interacting with Vault.
+Easily create, read, update, and delete secrets, authenticate, unseal, and
+more with the Vault UI.
+
+-> The UI requires **Vault 0.10 or higher** or Vault Enterprise.
+
+## Activating the Vault UI
+
+The Vault UI is not activated by default. To activate the UI, set the `ui`
+configuration option in the Vault server configuration. Vault clients do not
+need to set this option, since they will not be serving the UI.
+
+```hcl
+ui = true
+
+listener "tcp" {
+  # ...
+}
+```
+
+For more information, please see the
+[Vault configuration options](/docs/configuration/index.html).
+
+## Accessing the Vault UI
+
+The UI runs on the same port as the Vault listener. As such, you must configure
+at least one `listener` stanza in order to access the UI.
+
+```hcl
+listener "tcp" {
+  address = "10.0.1.35:8200"
+
+  # If bound to localhost, the Vault UI is only
+  # accessible from the local machine!
+  # address = "127.0.0.1:8200"
+}
+```
+
+In this case, the UI is accessible the following URL from any machine on the
+subnet (provided no network firewalls are in place):
+
+```text
+https://10.0.1.35:8200/ui/
+```
+
+It is also accessible at any DNS entry that resolves to that IP address, such as
+the Consul service address (if using Consul):
+
+```text
+https://vault.service.consul:8200/ui/
+```
+
+### Note on TLS
+
+When using TLS (recommended), the certificate must be valid for all DNS entries
+you will be accessing the Vault UI on, and any IP addresses on the SAN. If you
+are running Vault with a self-signed certificate, any browsers that access the
+Vault UI will need to have the root CA installed. Failure to do so may result in
+the browser displaying a warning that the site is "untrusted". It is highly
+recommended that client browsers accessing the Vault UI install the proper CA
+root for validation to reduce the chance of a MITM attack.
diff --git a/website/pages/docs/enterprise/control-groups/index.mdx b/website/pages/docs/enterprise/control-groups/index.mdx
new file mode 100644
index 000000000000..fe1dcf0168f4
--- /dev/null
+++ b/website/pages/docs/enterprise/control-groups/index.mdx
@@ -0,0 +1,121 @@
+---
+layout: docs
+page_title: Vault Enterprise Control Groups
+sidebar_title: Control Groups
+description: Vault Enterprise has support for Control Group Authorization.
+---
+
+# Vault Enterprise Control Group Support
+
+Vault Enterprise has support for Control Group Authorization. Control Groups
+add additional authorization factors to be required before satisfying a request.
+
+When a Control Group is required for a request, a limited duration response
+wrapping token is returned to the user instead of the requested data. The
+accessor of the response wrapping token can be passed to the authorizers
+required by the control group policy. Once all authorizations are satisfied,
+the wrapping token can be used to unwrap and process the original request.
+
+## Control Group Factors
+
+Control Groups can verify the following factors:
+
+- `Identity Groups` - Require an authorizer to be in a specific set of identity
+  groups.
+
+## Control Groups In ACL Policies
+
+Control Group requirements on paths are specified as `control_group` along
+with other ACL parameters.
+
+### Sample ACL Policies
+
+```
+path "secret/foo" {
+    capabilities = ["read"]
+    control_group = {
+        factor "ops_manager" {
+            identity {
+                group_names = ["managers"]
+                approvals = 1
+            }
+        }
+    }
+}
+```
+
+The above policy grants `read` access to `secret/foo` only after one member of
+the "managers" group authorizes the request.
+
+```
+path "secret/foo" {
+    capabilities = ["create", "update"]
+    control_group = {
+        ttl = "4h"
+        factor "tech leads" {
+            identity {
+                group_names = ["managers", "leads"]
+                approvals = 2
+            }
+        }
+        factor "super users" {
+            identity {
+                group_names = ["superusers"]
+                approvals = 1
+            }
+        }
+    }
+}
+```
+
+The above policy grants `create` and `update` access to `secret/foo` only after
+two member of the "managers" or "leads" group and one member of the "superusers"
+group authorizes the request. If an authorizer is a member of both the
+"managers" and "superusers" group, one authorization for both factors will be
+satisfied.
+
+## Control Groups in Sentinel
+
+Control Groups are also supported in Sentinel policies using the `controlgroup`
+import. See [Sentinel Documentation](/docs/enterprise/sentinel/index.html) for more
+details on available properties.
+
+### Sample Sentinel Policy
+
+```
+import "time"
+import "controlgroup"
+
+control_group = func() {
+    numAuthzs = 0
+    for controlgroup.authorizations as authz {
+		if "managers" in authz.groups.by_name {
+			if time.load(authz.time).unix > time.now.unix - 3600 {
+				numAuthzs = numAuthzs + 1
+			}
+		}
+    }
+    if numAuthzs >= 2 {
+        return true
+    }
+    return false
+}
+
+main = rule {
+    control_group()
+}
+```
+
+The above policy will reject the request unless two members of the `managers`
+group have authorized the request. Additionally it verifies the authorizations
+happened in the last hour.
+
+## Learn
+
+Refer to the [Control Groups](https://learn.hashicorp.com/vault/identity-access-management/iam-control-groups)
+guide for a step-by-step tutorial.
+
+## API
+
+Control Groups can be managed over the HTTP API. Please see
+[Control Groups API](/api/system/control-group.html) for more details.
diff --git a/website/pages/docs/enterprise/entropy-augmentation/index.mdx b/website/pages/docs/enterprise/entropy-augmentation/index.mdx
new file mode 100644
index 000000000000..59cbb81f9056
--- /dev/null
+++ b/website/pages/docs/enterprise/entropy-augmentation/index.mdx
@@ -0,0 +1,56 @@
+---
+layout: docs
+page_title: Vault Enterprise Entropy Augmentation
+sidebar_title: Entropy Augmentation
+description: |-
+  Vault Enterprise features a mechanism to sample entropy from external
+  cryptographic modules.
+---
+
+# Entropy Augmentation
+
+Vault Enterprise features a mechanism to sample entropy (or randomness for
+cryptographic operations) from external cryptographic modules via the [seals](/docs/configuration/seal/index.html)
+interface. While the system entropy used by Vault is more than capable of
+operating in most threat models, there are some situations where additional
+entropy from hardware-based random number generators is desirable.
+
+To use this feature, you must have an active or trial license for Vault
+Enterprise. To start a trial, contact [HashiCorpsales](mailto:sales@hashicorp.com).
+
+# Critical Security Parameters (CSPs)
+
+Entropy augmentation allows Vault Enterprise to supplement its system entropy with
+entropy from an external cryptography module. Designed to operate in environments
+where alignment with cryptographic regulations like [NIST SP800-90B](https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+is required or when augmented entropy from external sources such as hardware true
+random number generators (TRNGs) or [quantum computing TRNGs](https://www.hashicorp.com/blog/quantum-security-and-cryptography-in-hashicorp-vault/)
+are desirable, augmented entropy replaces system entropy when performing random
+number operations on critical security parameters (CSPs).
+
+These CSPs have been selected from our previous work in [evaluating Vault for conformance with
+FIPS 140-2 guidelines for key storage and key transport](https://www.datocms-assets.com/2885/1510600487-vault_compliance_letter_fips_140-2.pdf)
+and include the following:
+
+- Vault’s master key
+- Keyring encryption keys
+- Auto Unseal recovery keys
+- TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
+- Enterprise MFA TOTP token keys
+- JWT token wrapping keys
+- Root tokens
+- DR operation tokens
+- [Transit](/docs/secrets/transit/index.html) backend key generation
+
+## Enabling/Disabling
+
+Entropy augmentation is disabled by default. To enable entropy augmentation Vault's
+[configuration file][configuration] must include a properly configured [PKCS#11 seal and
+entropy stanza](/docs/configuration/entropy-augmentation/index.html).
+
+[configuration]: /docs/configuration/index.html
+
+## Learn
+
+Refer to the [HSM Integration - Entropy Augmentation](https://learn.hashicorp.com/vault/operations/hsm-entropy) guide
+for a step-by-step tutorial.
diff --git a/website/pages/docs/enterprise/hsm/behavior.mdx b/website/pages/docs/enterprise/hsm/behavior.mdx
new file mode 100644
index 000000000000..64a169672d1f
--- /dev/null
+++ b/website/pages/docs/enterprise/hsm/behavior.mdx
@@ -0,0 +1,96 @@
+---
+layout: docs
+page_title: Behavioral Changes - HSM Integration - Vault Enterprise
+sidebar_title: Behavioral Changes
+description: >-
+  Vault Enterprise HSM support changes the way Vault works with regard to unseal
+  and recovery keys as well as rekey and recovery operations.
+---
+
+# Vault Enterprise HSM Behavioral Changes
+
+This page contains information about the behavioral differences that take
+effect when using Vault with an HSM.
+
+## Key Split Between Unseal Keys and Recovery Keys
+
+Normally, Vault uses a single set of unseal keys to perform both decryption of
+the cryptographic barrier and to authorize recovery operations, such as the
+[`generate-root`](/api/system/generate-root.html)
+functionality.
+
+When using an HSM, because the HSM automatically unseals the barrier but
+recovery operations should still have human oversight, Vault instead uses two
+sets of keys: unseal keys and recovery keys.
+
+## Unseal (Master) Key
+
+Vault usually generates a master key and splits it using [Shamir's Secret
+Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) to prevent a
+single operator from being able to modify and unseal Vault (see more
+information about Vault's security model
+[here](/docs/internals/security.html)).
+
+When using an HSM, Vault instead stores the master key, encrypted by the HSM,
+into its internal storage. As a result, during an `init` command, the number of
+key shares, threshold, and stored shares are required to be set to `1`, meaning
+to not split the master key, so that the single key share is itself the master
+key. (Vault does not do this automatically as it generally prefers to error
+rather than change parameters set by an operator.)
+
+Both rekeying the master key and rotation of the underlying data
+encryption key are supported when using an HSM.
+
+## Recovery Key
+
+When Vault is initialized while using an HSM, rather than unseal keys being
+returned to the operator, recovery keys are returned. These are generated from
+an internal recovery key that is split via Shamir's Secret Sharing, similar to
+Vault's treatment of unseal keys when running without an HSM.
+
+Details about initialization and rekeying follow. When performing an operation
+that uses recovery keys, such as `generate-root`, selection of the recovery
+keys for this purpose, rather than the barrier unseal keys, is automatic.
+
+### Initialization
+
+When initializing, the split is performed according to the following CLI flags
+and their API equivalents in the
+[/sys/init](/api/system/init.html) endpoint:
+
+- `recovery-shares`: The number of shares into which to split the recovery
+  key. This value is equivalent to the `recovery_shares` value in the API
+  endpoint.
+- `recovery-threshold`: The threshold of shares required to reconstruct the
+  recovery key. This value is equivalent to the `recovery_threshold` value in
+  the API endpoint.
+- `recovery-pgp-keys`: The PGP keys to use to encrypt the returned recovery
+  key shares. This value is equivalent to the `recovery_pgp_keys` value in the
+  API endpoint, although as with `pgp_keys` the object in the API endpoint is
+  an array, not a string.
+
+Additionally, Vault will refuse to initialize if the option has not been set to
+generate a key but no key is found. See
+[Configuration](/docs/configuration/seal/pkcs11.html) for more details.
+
+### Rekeying
+
+#### Unseal Key
+
+Vault's unseal key can be rekeyed using a normal `vault operator rekey`
+operation from the CLI or the matching API calls. The rekey operation is
+authorized by meeting the threshold of recovery keys. After rekeying, the new
+barrier key is wrapped by the HSM and stored like the previous key; it is not
+returned to the users that submitted their recovery keys.
+
+#### Recovery Key
+
+The recovery key can be rekeyed to change the number of shares/threshold or to
+target different key holders via different PGP keys. When using the Vault CLI,
+this is performed by using the `-target=recovery` flag to `vault operator rekey`.
+
+Via the API, the rekey operation is performed with the same parameters as the
+[normal `/sys/rekey`
+endpoint](/api/system/rekey.html); however, the
+API prefix for this operation is at `/sys/rekey-recovery-key` rather than
+`/sys/rekey`.
diff --git a/website/pages/docs/enterprise/hsm/index.mdx b/website/pages/docs/enterprise/hsm/index.mdx
new file mode 100644
index 000000000000..7a651cd0e107
--- /dev/null
+++ b/website/pages/docs/enterprise/hsm/index.mdx
@@ -0,0 +1,44 @@
+---
+layout: docs
+page_title: HSM Integration - Vault Enterprise
+sidebar_title: HSM Support
+description: >-
+  Vault Enterprise has HSM support, allowing for external master key storage and
+  automatic unsealing.
+---
+
+# Vault Enterprise HSM Support
+
+HSM support is a feature of [Vault
+Enterprise](https://www.hashicorp.com/vault.html) that takes advantage of HSMs
+to provide three pieces of special functionality:
+
+- Master Key Wrapping: Vault protects its master key by transiting it through
+  the HSM for encryption rather than splitting into key shares
+- Automatic Unsealing: Vault stores its HSM-wrapped master key in storage,
+  allowing for automatic unsealing
+- [Seal Wrapping](/docs/enterprise/sealwrap/index.html) to provide FIPS
+  KeyStorage-conforming functionality for Critical Security Parameters
+- [Entropy Augmentation](/docs/enterprise/entropy-augmentation/index.html) to
+  allow Vault to sample entropy from an external cryptographic module.
+
+HSM support is available for devices that support PKCS#11 version 2.20+
+interfaces and provide integration libraries, and is currently available for
+linux/amd64 platforms only. It has successfully been tested against many
+different vendor HSMs; HSMs that provide only subsets of the full PKCS#11
+specification can usually be supported but it depends on available
+cryptographic mechanisms.
+
+Please note however that configuration details, flags, and supported features
+within PKCS#11 vary depending on HSM model and configuration. Consult your
+HSM's documentation for more details.
+
+Some parts of Vault work differently when using an HSM. Please see the
+[Behavioral Changes](/docs/enterprise/hsm/behavior.html) page for
+important information on these differences.
+
+The [Configuration](/docs/configuration/seal/pkcs11.html) page contains
+configuration information.
+
+Finally, the [Security](/docs/enterprise/hsm/security.html) page contains
+information about deploying Vault's HSM support in a secure fashion.
diff --git a/website/pages/docs/enterprise/hsm/security.mdx b/website/pages/docs/enterprise/hsm/security.mdx
new file mode 100644
index 000000000000..f90088ff0117
--- /dev/null
+++ b/website/pages/docs/enterprise/hsm/security.mdx
@@ -0,0 +1,40 @@
+---
+layout: docs
+page_title: Security Details - HSM Integration - Vault Enterprise
+sidebar_title: Security
+description: Recommendations to ensure the security of a Vault Enterprise HSM deployment.
+---
+
+# Vault Enterprise HSM Security Details
+
+This page provides information to help ensure that a Vault HSM deployment is
+performed as securely as possible.
+
+## PKCS#11 Authentication
+
+PKCS#11 authentication occurs via a slot number and PIN. In practice, because
+the PIN is not required to be numeric (and some HSMs require more complex
+PINs), this behaves like a username and password.
+
+Like a username and password, these values should be protected. If they are
+stored in Vault's configuration file, read access to the file should be tightly
+controlled to appropriate users. (Vault's configuration file should always have
+tight write controls.) Rather than storing these values into Vault's
+configuration file, they can also be supplied via the environment; see the
+[Configuration](/docs/configuration/seal/pkcs11.html) page for more details.
+
+The attack surface of stolen PKCS#11 credentials depends highly on the
+individual HSM, but generally speaking, it should be assumed that if an
+attacker can see these credentials and has access to a machine on which Vault
+is running, the attacker will be able to access the HSM key protecting Vault's
+master key. Therefore, it is extremely important that access to the machine on
+which Vault is running is also tightly controlled.
+
+## Recovery Key Shares Protection
+
+Recovery key shares should be protected in the same way as your organization
+would protect key shares for the cryptographic barrier. As a quorum of recovery
+key shares can be used with the `generate-root` feature to generate a new root
+token, and root tokens can do anything within Vault, PGP encryption should
+always be used to protect the returned recovery key shares and the recovery
+share holders should be highly trusted individuals.
diff --git a/website/pages/docs/enterprise/index.mdx b/website/pages/docs/enterprise/index.mdx
new file mode 100644
index 000000000000..935ae305706e
--- /dev/null
+++ b/website/pages/docs/enterprise/index.mdx
@@ -0,0 +1,16 @@
+---
+layout: docs
+page_title: Vault Enterprise
+sidebar_title: Vault Enterprise
+description: |-
+  Vault Enterprise features a number of capabilities beyond the open
+  source offering that may be beneficial in certain workflows.
+---
+
+# Vault Enterprise
+
+Vault Enterprise includes a number of features that may be useful in specific
+workflows. Please use the sidebar navigation on the left to choose a specific
+topic.
+
+These features are part of [Vault Enterprise](https://www.hashicorp.com/vault.html?utm_source=oss&utm_medium=docs&utm_campaign=vault&_ga=1.201793489.1956619674.1489356624).
diff --git a/website/pages/docs/enterprise/mfa/index.mdx b/website/pages/docs/enterprise/mfa/index.mdx
new file mode 100644
index 000000000000..534a7a1914ad
--- /dev/null
+++ b/website/pages/docs/enterprise/mfa/index.mdx
@@ -0,0 +1,114 @@
+---
+layout: docs
+page_title: MFA Support - Vault Enterprise
+sidebar_title: MFA
+description: >-
+  Vault Enterprise has support for Multi-factor Authentication (MFA), using
+  different authentication types.
+---
+
+# Vault Enterprise MFA Support
+
+Vault Enterprise has support for Multi-factor Authentication (MFA), using
+different authentication types. MFA is built on top of the Identity system of
+Vault.
+
+## MFA Types
+
+MFA in Vault can be of the following types.
+
+- `Time-based One-time Password (TOTP)` - If configured and enabled on a path,
+  this would require a TOTP passcode along with Vault token, to be presented
+  while invoking the API request. The passcode will be validated against the
+  TOTP key present in the identity of the caller in Vault.
+
+- `Okta` - If Okta push is configured and enabled on a path, then the enrolled
+  device of the user will get a push notification to approve or deny the access
+  to the API. The Okta username will be derived from the caller identity's
+  alias.
+
+- `Duo` - If Duo push is configured and enabled on a path, then the enrolled
+  device of the user will get a push notification to approve or deny the access
+  to the API. The Duo username will be derived from the caller identity's
+  alias.
+
+- `PingID` - If PingID push is configured and enabled on a path, then the
+  enrolled device of the user will get a push notification to approve or deny
+  the access to the API. The PingID username will be derived from the caller
+  identity's alias.
+
+## Configuring MFA Methods
+
+MFA methods are globally managed within the `System Backend` using the HTTP API.
+Please see [MFA API](/api/system/mfa.html) for details on how to configure an MFA
+method.
+
+## MFA Methods In Policies
+
+MFA requirements on paths are specified as `mfa_methods` along with other ACL
+parameters.
+
+### Sample Policy
+
+```hcl
+path "secret/foo" {
+  capabilities = ["read"]
+  mfa_methods  = ["dev_team_duo", "sales_team_totp"]
+}
+```
+
+The above policy grants `read` access to `secret/foo` only after _both_ the MFA
+methods `dev_team_duo` and `sales_team_totp` are validated.
+
+## Namespaces
+
+All MFA configurations must be configured in the root namespace. They can be
+referenced from ACL and Sentinel policies in any namespace via the method name
+and can be tied to a mount accessor in any namespace.
+
+When using [Sentinel
+EGPs](/docs/enterprise/sentinel/index.html#endpoint-governing-policies-egps-),
+any MFA configuration specified must be satisfied by all requests affected by
+the policy, which can be difficult if the configured paths spread across
+namespaces. One way to address this is to use a policy similar to the
+following, using `or` operators to allow MFA configurations tied to mount
+accessors in the various namespaces:
+
+```python
+import "mfa"
+
+has_mfa = rule {
+    mfa.methods.duons1.valid
+}
+
+has_mfa2 = rule {
+    mfa.methods.duons2.valid
+}
+
+main = rule {
+    has_mfa or has_mfa2
+}
+```
+
+When using TOTP, any user with ACL permissions can self-generate credentials.
+Admins can generate or destroy credentials only if the targeted entity is in
+the same namespace.
+
+## Supplying MFA Credentials
+
+MFA credentials are retrieved from the `X-Vault-MFA` HTTP header. The format of
+the header is `mfa_method_name[:key[=value]]`. The items in the `[]` are
+optional.
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --header "X-Vault-MFA:my_totp:695452" \
+    http://127.0.0.1:8200/v1/secret/foo
+```
+
+### API
+
+MFA can be managed entirely over the HTTP API. Please see [MFA API](/api/system/mfa.html) for more details.
diff --git a/website/pages/docs/enterprise/mfa/mfa-duo.mdx b/website/pages/docs/enterprise/mfa/mfa-duo.mdx
new file mode 100644
index 000000000000..c489b5348ea4
--- /dev/null
+++ b/website/pages/docs/enterprise/mfa/mfa-duo.mdx
@@ -0,0 +1,130 @@
+---
+layout: docs
+page_title: Duo MFA - MFA Support - Vault Enterprise
+sidebar_title: Duo MFA
+description: Vault Enterprise supports Duo MFA type.
+---
+
+# Duo MFA
+
+This page demonstrates the Duo MFA on ACL'd paths of Vault.
+
+## Configuration
+
+1.  Enable the appropriate auth method:
+
+    ```text
+    $ vault auth enable userpass
+    ```
+
+1.  Fetch the mount accessor for the enabled auth method:
+
+    ```text
+    $ vault auth list -detailed
+    ```
+
+    The response will look like:
+
+    ```text
+    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
+    ----         ----        --------                  ------    -----------    -------    -----------    -----------
+    token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
+    userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
+    ```
+
+1.  Configure Duo MFA:
+
+    ```text
+    $ vault write sys/mfa/method/duo/my_duo \
+        mount_accessor=auth_userpass_54b8e339 \
+        integration_key=BIACEUEAXI20BNWTEYXT \
+        secret_key=HIGTHtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz \
+        api_hostname=api-2b5c39f5.duosecurity.com
+    ```
+
+1.  Create a policy that gives access to secret through the MFA method created
+    above:
+
+    ```text
+    $ vault policy write duo-policy -<<EOF
+    path "secret/foo" {
+      capabilities = ["read"]
+      mfa_methods  = ["my_duo"]
+    }
+    EOF
+    ```
+
+1.  Create a user. MFA works only for tokens that have identity information on
+    them. Tokens created by logging in using auth methods will have the associated
+    identity information. Create a user in the `userpass` auth method and
+    authenticate against it:
+
+    ```text
+    $ vault write auth/userpass/users/testuser \
+        password=testpassword \
+        policies=duo-policy
+    ```
+
+1.  Create a login token:
+
+    ```text
+    $ vault write auth/userpass/login/testuser \
+        password=testpassword
+
+    Key                    Value
+    ---                    -----
+    token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
+    token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
+    token_duration         768h
+    token_renewable        true
+    token_policies         [default duo-policy]
+    token_meta_username    "testuser"
+    ```
+
+    Note that the CLI is not authenticated with the newly created token yet, we
+    did not call `vault login`, instead we used the login API to simply return a
+    token.
+
+1.  Fetch the entity ID from the token. The caller identity is represented by the
+    `entity_id` property of the token:
+
+    ```text
+    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c
+
+    Key                 Value
+    ---                 -----
+    accessor            a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
+    creation_time       1502245243
+    creation_ttl        2764800
+    display_name        userpass-testuser
+    entity_id           307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
+    expire_time         2017-09-09T22:20:43.448543132-04:00
+    explicit_max_ttl    0
+    id                  70f97438-e174-c03c-40fe-6bcdc1028d6c
+    issue_time          2017-08-08T22:20:43.448543003-04:00
+    meta                map[username:testuser]
+    num_uses            0
+    orphan              true
+    path                auth/userpass/login/testuser
+    policies            [default duo-policy]
+    renewable           true
+    ttl                 2764623
+    ```
+
+1.  Login as the user:
+
+    ```text
+    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
+    ```
+
+1.  Read a secret to trigger a Duo push. This will be a blocking call until
+    the push notification is either approved or declined:
+
+    ```text
+    $ vault read secret/foo
+
+    Key                 Value
+    ---                 -----
+    refresh_interval    768h
+    data                which can only be read after MFA validation
+    ```
diff --git a/website/pages/docs/enterprise/mfa/mfa-okta.mdx b/website/pages/docs/enterprise/mfa/mfa-okta.mdx
new file mode 100644
index 000000000000..fc8bfa9b271e
--- /dev/null
+++ b/website/pages/docs/enterprise/mfa/mfa-okta.mdx
@@ -0,0 +1,128 @@
+---
+layout: docs
+page_title: Okta MFA - MFA Support - Vault Enterprise
+sidebar_title: Okta MFA
+description: Vault Enterprise supports Okta MFA type.
+---
+
+# Okta MFA
+
+This page demonstrates the Okta MFA on ACL'd paths of Vault.
+
+## Configuration
+
+1.  Enable the appropriate auth method:
+
+    ```text
+    $ vault auth enable userpass
+    ```
+
+1.  Fetch the mount accessor for the enabled auth method:
+
+    ```text
+    $ vault auth list -detailed
+    ```
+
+    The response will look like:
+
+    ```text
+    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
+    ----         ----        --------                  ------    -----------    -------    -----------    -----------
+    token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
+    userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
+    ```
+
+1.  Configure Okta MFA:
+
+    ```text
+    $ vault write sys/mfa/method/okta/my_okta \
+        mount_accessor=auth_userpass_54b8e339 \
+        org_name="dev-262775" \
+        api_token="0071u8PrReNkzmATGJAP2oDyIXwwveqx9vIOEyCZDC"
+    ```
+
+1.  Create a policy that gives access to secret through the MFA method created
+    above:
+
+    ```text
+    $ vault policy write okta-policy -<<EOF
+    path "secret/foo" {
+      capabilities = ["read"]
+      mfa_methods  = ["my_okta"]
+    }
+    EOF
+    ```
+
+1.  Create a user. MFA works only for tokens that have identity information on
+    them. Tokens created by logging in using auth methods will have the associated
+    identity information. Create a user in the `userpass` auth method and
+    authenticate against it:
+
+    ```text
+    $ vault write auth/userpass/users/testuser \
+        password=testpassword \
+        policies=okta-policy
+    ```
+
+1.  Create a login token:
+
+    ```text
+    $ vault write auth/userpass/login/testuser password=testpassword
+
+    Key                    Value
+    ---                    -----
+    token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
+    token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
+    token_duration         768h0m0s
+    token_renewable        true
+    token_policies         [default okta-policy]
+    token_meta_username    "testuser"
+    ```
+
+    Note that the CLI is not authenticated with the newly created token yet, we
+    did not call `vault login`, instead we used the login API to simply return a
+    token.
+
+1.  Fetch the entity ID from the token. The caller identity is represented by the
+    `entity_id` property of the token:
+
+    ```text
+    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c
+
+    Key                     Value
+    ---                     -----
+    accessor                a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
+    creation_time           1502245243
+    creation_ttl            2764800
+    display_name            userpass-testuser
+    entity_id               307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
+    expire_time             2017-09-09T22:20:43.448543132-04:00
+    explicit_max_ttl        0
+    id                      70f97438-e174-c03c-40fe-6bcdc1028d6c
+    issue_time              2017-08-08T22:20:43.448543003-04:00
+    meta                    map[username:testuser]
+    num_uses                0
+    orphan                  true
+    path                    auth/userpass/login/testuser
+    policies                [default okta-policy]
+    renewable               true
+    ttl                     2764623
+    ```
+
+1.  Login as the user:
+
+    ```text
+    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
+    ```
+
+1.  Read a secret to trigger an Okta push. This will be a blocking call until
+    the push notification is either approved or declined:
+
+    ```text
+    $ vault read secret/foo
+
+    Key                     Value
+    ---                     -----
+    refresh_interval        768h0m0s
+    data                    which can only be read after MFA validation
+    ```
diff --git a/website/pages/docs/enterprise/mfa/mfa-pingid.mdx b/website/pages/docs/enterprise/mfa/mfa-pingid.mdx
new file mode 100644
index 000000000000..986aea6c0e28
--- /dev/null
+++ b/website/pages/docs/enterprise/mfa/mfa-pingid.mdx
@@ -0,0 +1,127 @@
+---
+layout: docs
+page_title: PingID MFA - MFA Support - Vault Enterprise
+sidebar_title: PingID MFA
+description: Vault Enterprise supports PingID MFA type.
+---
+
+# PingID MFA
+
+This page demonstrates PingID MFA on ACL'd paths of Vault.
+
+## Configuration
+
+1. Enable the appropriate auth method:
+
+   ```text
+   $ vault auth enable userpass
+   ```
+
+1. Fetch the mount accessor for the enabled auth method:
+
+   ```text
+   $ vault auth list -detailed
+   ```
+
+   The response will look like:
+
+   ```text
+   Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
+   ----         ----        --------                  ------    -----------    -------    -----------    -----------
+   token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
+   userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
+   ```
+
+1. Configure PingID MFA:
+
+   ```text
+   $ vault write sys/mfa/method/pingid/ping \
+       mount_accessor=auth_userpass_54b8e339 \
+       settings_file_base64="AABDwWaR..."
+   ```
+
+1. Create a policy that gives access to secret through the MFA method created
+   above:
+
+   ```
+   $ vault policy write ping-policy -<<EOF
+   path "secret/foo" {
+     capabilities = ["read"]
+     mfa_methods  = ["ping"]
+   }
+   EOF
+   ```
+
+1. Create a user. MFA works only for tokens that have identity information on
+   them. Tokens created by logging in using auth methods will have the associated
+   identity information. Create a user in the `userpass` auth method and
+   authenticate against it:
+
+   ```text
+   $ vault write auth/userpass/users/testuser \
+       password=testpassword \
+       policies=ping-policy
+   ```
+
+1. Create a login token:
+
+   ```text
+   $ vault write auth/userpass/login/testuser password=testpassword
+
+   Key                    Value
+   ---                    -----
+   token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
+   token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
+   token_duration         768h0m0s
+   token_renewable        true
+   token_policies         [default ping-policy]
+   token_meta_username    "testuser"
+   ```
+
+   Note that the CLI is not authenticated with the newly created token yet, we
+   did not call `vault login`, instead we used the login API to simply return a
+   token.
+
+1. Fetch the entity ID from the token. The caller identity is represented by the
+   `entity_id` property of the token:
+
+   ```text
+   $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c
+
+   Key                 Value
+   ---                 -----
+   accessor            a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
+   creation_time       1502245243
+   creation_ttl        2764800
+   display_name        userpass-testuser
+   entity_id           307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
+   expire_time         2017-09-09T22:20:43.448543132-04:00
+   explicit_max_ttl    0
+   id                  70f97438-e174-c03c-40fe-6bcdc1028d6c
+   issue_time          2017-08-08T22:20:43.448543003-04:00
+   meta                map[username:testuser]
+   num_uses            0
+   orphan              true
+   path                auth/userpass/login/testuser
+   policies            [default ping-policy]
+   renewable           true
+   ttl                 2764623
+   ```
+
+1. Login as the user:
+
+   ```text
+   $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
+   ```
+
+1. Read a secret to trigger a PingID push. This will be a blocking call until
+   the push notification is either approved or declined:
+
+   ```text
+   $ vault read secret/foo
+
+   Key                 Value
+   ---                 -----
+   refresh_interval    768h
+   data                which can only be read after MFA validation
+   ```
diff --git a/website/pages/docs/enterprise/mfa/mfa-totp.mdx b/website/pages/docs/enterprise/mfa/mfa-totp.mdx
new file mode 100644
index 000000000000..e98f892c1a4d
--- /dev/null
+++ b/website/pages/docs/enterprise/mfa/mfa-totp.mdx
@@ -0,0 +1,147 @@
+---
+layout: docs
+page_title: TOTP MFA - MFA Support - Vault Enterprise
+sidebar_title: TOTP MFA
+description: Vault Enterprise supports TOTP MFA type.
+---
+
+# TOTP MFA
+
+This page demonstrates the TOTP MFA on ACL'd paths of Vault.
+
+## Configuration
+
+1.  Enable the appropriate auth method:
+
+    ```text
+    $ vault auth enable userpass
+    ```
+
+1.  Fetch the mount accessor for the enabled auth method:
+
+    ```text
+    $ vault auth list -detailed
+    ```
+
+    The response will look like:
+
+    ```text
+    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
+    ----         ----        --------                  ------    -----------    -------    -----------    -----------
+    token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
+    userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
+    ```
+
+1.  Configure TOTP MFA:
+
+    ```text
+    $ vault write sys/mfa/method/totp/my_totp \
+        issuer=Vault \
+        period=30 \
+        key_size=30 \
+        algorithm=SHA256 \
+        digits=6
+    ```
+
+1.  Create a policy that gives access to secret through the MFA method created
+    above:
+
+    ```text
+    $ vault policy write totp-policy -<<EOF
+    path "secret/foo" {
+      capabilities = ["read"]
+      mfa_methods  = ["my_totp"]
+    }
+    EOF
+    ```
+
+1.  Create a user. MFA works only for tokens that have identity information on
+    them. Tokens created by logging in using auth methods will have the associated
+    identity information. Create a user in the `userpass` auth method and
+    authenticate against it:
+
+    ```text
+    $ vault write auth/userpass/users/testuser \
+        password=testpassword \
+        policies=totp-policy
+    ```
+
+1.  Create a login token:
+
+    ```text
+    $ vault write auth/userpass/login/testuser \
+        password=testpassword
+
+    Key                    Value
+    ---                    -----
+    token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
+    token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
+    token_duration         768h
+    token_renewable        true
+    token_policies         [default totp-policy]
+    token_meta_username    "testuser"
+    ```
+
+    Note that the CLI is not authenticated with the newly created token yet, we
+    did not call `vault login`, instead we used the login API to simply return a
+    token.
+
+1.  Fetch the entity ID from the token. The caller identity is represented by the
+    `entity_id` property of the token:
+
+    ```text
+    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c
+
+    Key                 Value
+    ---                 -----
+    accessor            a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
+    creation_time       1502245243
+    creation_ttl        2764800
+    display_name        userpass-testuser
+    entity_id           307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
+    expire_time         2017-09-09T22:20:43.448543132-04:00
+    explicit_max_ttl    0
+    id                  70f97438-e174-c03c-40fe-6bcdc1028d6c
+    issue_time          2017-08-08T22:20:43.448543003-04:00
+    meta                map[username:testuser]
+    num_uses            0
+    orphan              true
+    path                auth/userpass/login/testuser
+    policies            [default totp-policy]
+    renewable           true
+    ttl                 2764623
+    ```
+
+1.  Generate TOTP method attached to the entity. This should be distributed to
+    the intended user to be able to generate TOTP passcode:
+
+    ```text
+    $ vault write sys/mfa/method/totp/my_totp/admin-generate \
+        entity_id=307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
+
+    Key        Value
+    ---        -----
+    barcode    iVBORw0KGgoAAAANSUhEUgAAAM...
+    url        otpauth://totp/Vault:307d6c16-6f5c-4ae7-46a9-2d153ffcbc63?algo...
+    ```
+
+    Either the base64 encoded png barcode or the url should be given to the end
+    user. This barcode/url can be loaded into Google Authenticator or a similar
+    TOTP tool to generate codes.
+
+1.  Login as the user:
+
+    ```text
+    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
+    ```
+
+1.  Read the secret, specifying the mfa flag:
+
+    ```text
+    $ vault read -mfa my_totp:146378 secret/foo
+
+    Key                 Value
+    ---                 -----
+    refresh_interval    768h
+    data                which can only be read after MFA validation
+    ```
diff --git a/website/pages/docs/enterprise/namespaces/index.mdx b/website/pages/docs/enterprise/namespaces/index.mdx
new file mode 100644
index 000000000000..c7b734be48e3
--- /dev/null
+++ b/website/pages/docs/enterprise/namespaces/index.mdx
@@ -0,0 +1,86 @@
+---
+layout: docs
+page_title: Namespaces - Vault Enterprise
+sidebar_title: Namespaces
+description: >-
+  Vault Enterprise has support for Namespaces, a feature to enable Secure
+  Multi-tenancy (SMT) and self-management.
+---
+
+# Vault Enterprise Namespaces
+
+## Overview
+
+Many organizations implement Vault as a "service", providing centralized
+management for teams within an organization while ensuring that those teams
+operate within isolated environments known as _tenants_.
+
+There are two common challenges when implementing this architecture in Vault:
+
+**Tenant Isolation**
+
+Frequently teams within a VaaS environment require strong isolation from other
+users in their policies, secrets, and identities. Tenant isolation is typically a
+result of compliance regulations such as [GDPR](https://www.eugdpr.org/), though it may
+be necessitated by corporate or organizational infosec requirements.
+
+**Self-Management**
+
+As new tenants are added, there is an additional human cost in the management
+overhead for teams. Given that tenants will likely have different policies and
+request changes at a different rate, managing a multi-tenant environment can
+become very difficult for a single team as the number of tenants within that
+organization grow.
+
+'Namespaces' is a set of features within Vault Enterprise that allows Vault
+environments to support _Secure Multi-tenancy_ (or _SMT_) within a single Vault
+infrastructure. Through namespaces, Vault administrators can support tenant isolation
+for teams and individuals as well as empower delegated administrators to manage their
+own tenant environment.
+
+## Usage
+
+API operations performed under a namespace can be done by providing the relative
+request path along with the namespace path using the `X-Vault-Namespace` header.
+Similarly, the namespace header value can be provided in full or partially when
+reaching into nested namespaces. When provided partially, the remaining
+namespace path must be provided in the request path in order to reach into the
+desired nested namespace.
+
+Alternatively, the fully qualified path can be provided without using the
+`X-Vault-Namespace` header. In either scenario, Vault will construct the fully
+qualified path from these two sources to correctly route the request to the
+appropriate namespace.
+
+For example, these three requests are equivalent:
+
+1. Path: `ns1/ns2/secret/foo`
+2. Path: `secret/foo`, Header: `X-Vault-Namespace: ns1/ns2/`
+3. Path: `ns2/secret/foo`, Header: `X-Vault-Namespace: ns1/`
+
+## Architecture
+
+Namespaces are isolated environments that functionally exist as "Vaults within a Vault."
+They have separate login paths and support creating and managing data isolated to their
+namespace. This data includes the following:
+
+- Secret Engines
+- Auth Methods
+- Policies
+- Identities (Entities, Groups)
+- Tokens
+
+Rather than rely on Vault system admins, namespaces can be managed by delegated admins who
+can be prescribed administration rights for their namespace. These delegated admins can also
+create their own child namespaces, thereby prescribing admin rights on a subordinate group
+of delegate admins.
+
+Child namespaces can share policies from their parent namespaces. For example, a child namespace
+may refer to parent identities (entities and groups) when writing policies that function only
+within that child namespace. Similarly, a parent namespace can have policies asserted on child
+identities.
+
+## Learn
+
+Refer to the [Secure Multi-Tenancy with Namespaces](https://learn.hashicorp.com/vault/operations/namespaces)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/enterprise/performance-standby/index.mdx b/website/pages/docs/enterprise/performance-standby/index.mdx
new file mode 100644
index 000000000000..ff02d92a7bd3
--- /dev/null
+++ b/website/pages/docs/enterprise/performance-standby/index.mdx
@@ -0,0 +1,89 @@
+---
+layout: docs
+page_title: Performance Standby Nodes - Vault Enterprise
+sidebar_title: Performance Standbys
+description: Performance Standby Nodes - Vault Enterprise
+---
+
+# Performance Standby Nodes
+
+Vault supports a multi-server mode for high availability. This mode protects
+against outages by running multiple Vault servers. High availability mode
+is automatically enabled when using a data store that supports it. You can
+learn more about HA mode on the [Concepts](/docs/concepts/ha.html) page.
+
+Vault Enterprise offers additional features that allow HA nodes to service
+read-only requests on the local standby node. Read-only requests are requests
+that do not modify Vault's storage.
+
+## Server-to-Server Communication
+
+Performance Standbys require the request forwarding method described in the [HA
+Server-to-Server](/docs/concepts/ha.html#server-to-server-communication) docs.
+
+A performance standby will connect to the active node over the existing request
+forwarding connection. If selected by the active node to be promoted to a
+performance standby it will be handed a newly-generated private key and certificate
+for use in creating a new mutually-authenticated TLS connection to the cluster
+port. This connection will be used to send updates from the active node to the
+standby.
+
+## Request Forwarding
+
+A Performance Standby will attempt to process requests that come in. If a
+storage write is detected the standby will forward the request over the cluster
+port connection to the active node. If the request is read-only the Performance
+Standby will handle the requests locally.
+
+Sending requests to Performance Standbys that result in forwarded writes will be
+slightly slower than going directly to the active node. A client that has
+advanced knowledge of the behavior of the call can choose to point the request
+to the appropriate node.
+
+### Direct Access
+
+A Performance Standby will tag itself as such in consul if service registration
+is enabled. To access the set of Performance Standbys the `performance-standby`
+tag can be used. For example to send requests to only the performance standbys
+`https://performance-standby.vault.dc1.consul` could be used (host name may vary
+based on consul configuration).
+
+### Behind Load Balancers
+
+Additionally, if you wish to point your load balancers at performance standby
+nodes, the `sys/health` endpoint can be used to determine if a node is a
+performance standby. See the [sys/health API](/api/system/health.html) docs for
+more info.
+
+## Disabling Performance Standbys
+
+To disable performance standbys the `disable_performance_standby` flag should be
+set to true in the Vault config file. This will both tell a standby not to
+attempt to enable performance mode and an active node to not allow any
+performance standby connections.
+
+This setting should be synced across all nodes in the cluster.
+
+## Monitoring Performance Standbys
+
+To verify your node is a performance standby the `vault status` command can be
+used:
+
+```
+$ vault status
+Key                                    Value
+---                                    -----
+Seal Type                              shamir
+Sealed                                 false
+Total Shares                           1
+Threshold                              1
+Version                                0.11.0+prem
+Cluster Name                           vault-cluster-d040e74c
+Cluster ID                             9f82e03b-71fb-97a6-9c5a-46fa6715d6e4
+HA Enabled                             true
+HA Cluster                             https://127.0.0.1:8201
+HA Mode                                standby
+Active Node Address                    http://127.0.0.1:8200
+Performance Standby Node               true
+Performance Standby Last Remote WAL    380329
+```
diff --git a/website/pages/docs/enterprise/replication/index.mdx b/website/pages/docs/enterprise/replication/index.mdx
new file mode 100644
index 000000000000..ff1317be5d35
--- /dev/null
+++ b/website/pages/docs/enterprise/replication/index.mdx
@@ -0,0 +1,151 @@
+---
+layout: docs
+page_title: Replication - Vault Enterprise
+sidebar_title: Replication
+description: >-
+  Vault Enterprise has support for Replication, allowing critical data to be
+  replicated across clusters to support horizontally scaling and disaster
+  recovery workloads.
+---
+
+# Vault Enterprise Replication
+
+## Overview
+
+Many organizations have infrastructure that spans multiple datacenters. Vault
+provides the critical services of identity management, secrets storage, and
+policy management. This functionality is expected to be highly available and
+to scale as the number of clients and their functional needs increase; at the
+same time, operators would like to ensure that a common set of policies are
+enforced globally, and a consistent set of secrets and keys are exposed to
+applications that need to interoperate.
+
+Vault replication addresses both of these needs in providing consistency,
+scalability, and highly-available disaster recovery.
+
+Note: Using replication requires a storage backend that supports transactional updates, such as Consul.
+
+## Architecture
+
+The core unit of Vault replication is a **cluster**, which is comprised of a
+collection of Vault nodes (an active and its corresponding HA nodes). Multiple Vault
+clusters communicate in a one-to-many near real-time flow.
+
+Replication operates on a leader/follower model, wherein a leader cluster (known as a
+**primary**) is linked to a series of follower **secondary** clusters. The primary
+cluster acts as the system of record and asynchronously replicates most Vault data.
+
+All communication between primaries and secondaries is end-to-end encrypted
+with mutually-authenticated TLS sessions, setup via replication tokens which are
+exchanged during bootstrapping.
+
+What data is replicated between the primary and secondary depends on the type of
+replication that is configured between the primary and secondary. These types
+of relationships are either **disaster recovery** or **performance**
+relationships.
+
+## Performance Replication and Disaster Recovery (DR) Replication
+
+_Performance Replication_:
+In performance replication, secondaries keep track of their own tokens and leases
+but share the underlying configuration, policies, and supporting secrets (K/V values,
+encryption keys for `transit`, etc).
+
+If a user action would modify underlying shared state, the secondary forwards the request
+to the primary to be handled; this is transparent to the client. In practice, most
+high-volume workloads (reads in the `kv` backend, encryption/decryption operations
+in `transit`, etc.) can be satisfied by the local secondary, allowing Vault to scale
+relatively horizontally with the number of secondaries rather than vertically as
+in the past.
+
+_Disaster Recovery (DR) Replication_:
+In disaster recovery (or DR) replication, secondaries share the same underlying configuration,
+policy, and supporting secrets (K/V values, encryption keys for `transit`, etc) infrastructure
+as the primary. They also share the same token and lease infrastructure as the primary, as
+they are designed to allow for continuous operations with applications connecting to the
+original primary on the election of the DR secondary.
+
+DR is designed to be a mechanism to protect against catastrophic failure of entire clusters.
+They do not forward service read or write requests until they are elected and become a new primary.
+
+| Capability                                                                                                           | Disaster Recovery | Performance                                                                                                                                                                        |
+| -------------------------------------------------------------------------------------------------------------------- | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Mirrors the configuration of a primary cluster                                                                       | Yes               | Yes                                                                                                                                                                                |
+| Mirrors the configuration of a primary cluster’s backends (i.e.: auth methods, secrets engines, audit devices, etc.) | Yes               | Yes                                                                                                                                                                                |
+| Mirrors the tokens and leases for applications and users interacting with the primary cluster                        | Yes               | No. Secondaries keep track of their own tokens and leases. When the secondary is promoted, applications must reauthenticate and obtain new leases from the newly-promoted primary. |
+| Allows the secondary cluster to handle client requests                                                               | No                | Yes                                                                                                                                                                                |
+
+For more information on the capabilities of performance and disaster recovery replication, see the Vault Replication [API Documentation](/api/system/replication.html).
+
+## Internals
+
+Details on the internal design of the replication feature can be found in the
+[replication
+internals](/docs/internals/replication.html)
+document.
+
+## Security Model
+
+Vault is trusted all over the world to keep secrets safe. As such, we have put
+extreme focus to detail to our replication model as well.
+
+### Primary/Secondary Communication
+
+When a cluster is marked as the primary it generates a self-signed CA
+certificate. On request, and given a user-specified identifier, the primary
+uses this CA certificate to generate a private key and certificate and packages
+these, along with some other information, into a replication bootstrapping
+bundle, a.k.a. a secondary activation token. The certificate is used to perform
+TLS mutual authentication between the primary and that secondary.
+
+This CA certificate is never shared with secondaries, and no secondary ever has
+access to any other secondary’s certificate. In practice this means that
+revoking a secondary’s access to the primary does not allow it continue
+replication with any other machine; it also means that if a primary goes down,
+there is full administrative control over which cluster becomes primary. An
+attacker cannot spoof a secondary into believing that a cluster the attacker
+controls is the new primary without also being able to administratively direct
+the secondary to connect by giving it a new bootstrap package (which is an
+ACL-protected call).
+
+Vault makes use of Application Layer Protocol Negotiation on its cluster port.
+This allows the same port to handle both request forwarding and replication,
+even while keeping the certificate root of trust and feature set different.
+
+### Secondary Activation Tokens
+
+A secondary activation token is an extremely sensitive item and as such is
+protected via response wrapping. Experienced Vault users will note that the
+wrapping format for replication bootstrap packages is different from normal
+response wrapping tokens: it is a signed JWT. This allows the replication token
+to carry the redirect address of the primary cluster as part of the token. In
+most cases this means that simply providing the token to a new secondary is
+enough to activate replication, although this can also be overridden when the
+token is provided to the secondary.
+
+Secondary activation tokens should be treated like Vault root tokens. If
+disclosed to a bad actor, that actor can gain access to all Vault data. It
+should therefore be treated with utmost sensitivity. Like all
+response-wrapping tokens, once the token is used successfully (in this case, to
+activate a secondary) it is useless, so it is only necessary to safeguard it
+from one machine to the next. Like with root tokens, HashiCorp recommends that
+when a secondary activation token is live, there are multiple eyes on it from
+generation until it is used.
+
+Once a secondary is activated, its cluster information is stored safely behind
+its encrypted barrier.
+
+## Learn
+
+Refer to the following tutorials replication setup and best practices:
+
+- [Setting up Performance Replication](https://learn.hashicorp.com/vault/operations/ops-replication)
+- [Disaster Recovery Replication Setup](https://learn.hashicorp.com/vault/operations/ops-disaster-recovery)
+- [Performance Replication with Mount Filters](https://learn.hashicorp.com/vault/operations/mount-filter)
+- [Monitoring Vault Replication](https://learn.hashicorp.com/vault/operations/monitor-replication)
+
+## API
+
+The Vault replication component has a full HTTP API. Please see the
+[Vault Replication API](/api/system/replication.html) for more
+details.
diff --git a/website/source/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf b/website/pages/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf
similarity index 100%
rename from website/source/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf
rename to website/pages/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf
diff --git a/website/pages/docs/enterprise/sealwrap/index.mdx b/website/pages/docs/enterprise/sealwrap/index.mdx
new file mode 100644
index 000000000000..56c775ef4260
--- /dev/null
+++ b/website/pages/docs/enterprise/sealwrap/index.mdx
@@ -0,0 +1,110 @@
+---
+layout: docs
+page_title: Vault Enterprise Seal Wrap
+sidebar_title: Seal Wrap / FIPS 140-2
+description: |-
+  Vault Enterprise features a mechanism to wrap values with an extra layer of
+  encryption for supporting seals
+---
+
+# Seal Wrap
+
+Vault Enterprise features a mechanism to wrap values with an extra layer of
+encryption for supporting [seals](/docs/configuration/seal/index.html). This adds an
+extra layer of protection and is useful in some compliance and regulatory
+environments, including FIPS 140-2 environments.
+
+To use this feature, you must have an active or trial license for Vault
+Enterprise (HSMs) or Vault Pro (AWS KMS). To start a trial, contact [HashiCorp
+sales](mailto:sales@hashicorp.com).
+
+## Enabling/Disabling
+
+Seal Wrap is enabled by default on supporting seals. This implies that the seal
+must be available throughout Vault's runtime. Most cloud-based seals should be
+quite reliable, but, for instance, if using an HSM in a non-HA setup a
+connection interruption to the HSM will result in issues with Vault
+functionality.
+
+To disable seal wrapping, set `disable_sealwrap = true` in Vault's
+[configuration file][configuration]. This will not affect auto-unsealing functionality; Vault's
+master key will still be protected by the seal wrapping mechanism. It will
+simply prevent other storage entries within Vault from being seal wrapped.
+
+_N.B._: This is a lazy downgrade; as keys are accessed or written their seal
+wrapping status will change. Similarly, if the flag is removed, it will be a
+lazy upgrade (which is the case when initially upgrading to a seal
+wrap-supporting version of Vault).
+
+## FIPS 140-2 Compliance
+
+Vault's Seal Wrap feature has been evaluated by Leidos for compliance with
+FIPS 140-2 requirements. When used with a FIPS 140-2-compliant HSM, Vault will
+store Critical Security Parameters (CSPs) in a manner that is compliant with
+KeyStorage and KeyTransit requirements. This is on by default for many parts of
+Vault and opt-in for each individual mount; see the Activating Seal Wrapping
+section below for details.
+
+[Download the current compliance letter](/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf)
+
+### Updates Since The Latest FIPS Compliance Audit
+
+The following are values that take advantage of seal wrapping in the current
+release of Vault that have not yet been asserted as compliant by Leidos. The
+mechanism for seal wrapping is the same, they simply were not specifically
+evaluated by the auditors.
+
+- Root tokens
+- Replication secondary activation tokens
+- Client authentication information for the GCP Auth Backend
+- Client authentication information for the Kubernetes Auth Backend
+
+## Activating Seal Wrapping
+
+For some values, seal wrapping is always enabled with a supporting seal. This
+includes the recovery key, any stored key shares, the master key, the keyring,
+and more; essentially, any Critical Security Parameter (CSP) within Vault's
+core. If upgrading from a version of Vault that did not support seal wrapping,
+the next time these values are read they will be seal-wrapped and stored.
+
+Backend mounts within Vault can also take advantage of seal wrapping. Seal
+wrapping can be activated at mount time for a given mount by mounting the
+backend with the `seal_wrap` configuration value set to `true`. (This value
+cannot currently be changed later.)
+
+A given backend's author can specify which values should be seal-wrapped by
+identifying where CSPs are stored. If no specific CSPs are identifiable, all
+data for the backend may be seal-wrapped.
+
+To see the current list of seal-wrapped data per backend type, see the latest
+audit letter and updates in the FIPS 140-2 Compliance section above.
+
+Note that it is often an order of magnitude or two slower to write to and read
+from HSMs or remote seals. However, values will be cached in memory
+un-seal-wrapped (but still encrypted by Vault's built-in cryptographic barrier)
+in Vault, which will mitigate this for read-heavy workloads.
+
+## Seal Wrap and Replication
+
+Seal wrapping takes place below the replication logic. As a result, it is
+transparent to replication. Replication will convey which values should be
+seal-wrapped, but it is up to the seal on the local cluster to implement it.
+In practice, this means that seal wrapping can be used without needing to have
+the replicated keys on both ends of the connection; each cluster can have
+distinct keys in an HSM or in KMS.
+
+In addition, it is possible to replicate from a Shamir-protected primary
+cluster to clusters that use HSMs when seal wrapping is required in downstream
+datacenters but not in the primary.
+
+Because of the level of flexibility targeted for replication, values sent over
+replication connections do not currently meet KeyTransit requirements for FIPS
+140-2. Vault's clustering implementation does support best practices guidance
+given in FIPS 140-2, but the cryptographic implementation of TLS is not FIPS
+140-2 certified. We may look into providing certified TLS in the future for
+replication traffic; in the meantime, a transparent TCP proxy that supports
+certified FIPS 140-2 TLS (such as
+[stunnel](https://www.stunnel.org/index.html)) can be used for replication
+traffic if meeting KeyTransit requirements for replication is necessary.
+
+[configuration]: /docs/configuration/index.html
diff --git a/website/pages/docs/enterprise/sentinel/examples.mdx b/website/pages/docs/enterprise/sentinel/examples.mdx
new file mode 100644
index 000000000000..0d0d85fad272
--- /dev/null
+++ b/website/pages/docs/enterprise/sentinel/examples.mdx
@@ -0,0 +1,152 @@
+---
+layout: docs
+page_title: Sentinel Examples
+sidebar_title: Examples
+description: An overview of how Sentinel interacts with Vault Enterprise.
+---
+
+# Examples
+
+Following are some examples that help to introduce concepts. If you are
+unfamiliar with writing Sentinel policies in Vault, please read through to
+understand some best practices.
+
+## MFA and CIDR Check on Login
+
+The following Sentinel policy requires the incoming user to successfully
+validate with an Okta MFA push request before authenticating with LDAP.
+Additionally, it ensures that only users on the 10.20.0.0/16 subnet are able to
+authenticate using LDAP.
+
+```python
+import "sockaddr"
+import "mfa"
+import "strings"
+
+# We expect logins to come only from our private IP range
+cidrcheck = rule {
+    sockaddr.is_contained(request.connection.remote_addr, "10.20.0.0/16")
+}
+
+# Require Ping MFA validation to succeed
+ping_valid = rule {
+    mfa.methods.ping.valid
+}
+
+main = rule when strings.has_prefix(request.path, "auth/ldap/login") {
+    ping_valid and cidrcheck
+}
+```
+
+Note the `rule when` construct on the `main` rule. This scopes the policy to
+the given condition.
+
+Vault takes a default-deny approach to security. Without such scoping, because
+active Sentinel policies must all pass successfully, the user would be forced
+to start with a passing status and then define the conditions under which
+access is denied, breaking the default-deny concept.
+
+By instead indicating the conditions under which the `main` rule (and thus, in
+this example, the entire policy) should be evaluated, the policy instead
+describes the conditions under which a matching request is successful. This
+keeps the default-deny feeling of Vault; if the evaluation condition isn't met,
+the policy is simply a no-op.
+
+## Allow Only Specific Identity Entities or Groups
+
+```python
+main = rule {
+    identity.entity.name is "jeff" or
+    identity.entity.id is "fe2a5bfd-c483-9263-b0d4-f9d345efdf9f" or
+    "sysops" in identity.groups.names or
+    "14c0940a-5c07-4b97-81ec-0d423accb8e0" in keys(identity.groups.by_id)
+}
+```
+
+This example shows accessing Identity properties to make decisions, showing
+that for Identity values IDs or names can be used for reference.
+
+In general, it is more secure to use IDs. While convenient, entity names and
+group names can be switched from one entity to another, because their only
+constraint is that they must be unique. Using IDs guarantees that only that
+specific entity or group is sufficient; if the group or entity are deleted and
+recreated with the same name, the match will fail.
+
+## Instantly Disallow All Previously-Generated Tokens
+
+Imagine a break-glass scenario where it is discovered that there have been
+compromises of some unknown number of previously-generated tokens.
+
+In such a situation it would be possible to revoke all previous tokens, but
+this may take a while for a number of reasons, from requiring revocation of
+generated secrets to the simple delay required to remove many entries from
+storage. In addition, it could revoke tokens and generated secrets that later
+forensic analysis shows were not compromised, unnecessarily widening the impact
+of the mass revocation.
+
+In Vault's ACL system a simple deny could be put into place, but this is a very
+coarse-grained control and would require forethought to ensure that a policy
+that can be modified in such a way is attached to every token. It also would
+not prevent access to login paths or other unauthenticated paths.
+
+Sentinel offers much more fine-grained control:
+
+```python
+import "time"
+
+main = rule when not request.unauthenticated {
+    time.load(token.creation_time).unix >
+      time.load("2017-09-17T13:25:29Z").unix
+}
+```
+
+Created as an EGP on `*`, this will block all access to any path Sentinel
+operates on with a token created before the given time. Tokens created after
+this time, since they were not a part of the compromise, will not be subject to
+this restriction.
+
+## Delegate EGP Policy Management Under a Path
+
+The following policy gives token holders with this policy (via their tokens or
+their Identity entities/groups) the ability to write EGP policies that can only
+take effect at Vault paths below certain prefixes. This effectively delegates
+policy management to the team for their own key-value spaces.
+
+```python
+import "strings"
+
+data_match = func() {
+    # Make sure there is request data
+    if length(request.data else 0) is 0 {
+        return false
+    }
+
+    # Make sure request data includes paths
+    if length(request.data.paths else 0) is 0 {
+        return false
+    }
+
+    # For each path, verify that it is in the allowed list
+    for strings.split(request.data.paths, ",") as path {
+        # Make it easier for users who might be used to starting paths with
+        # slashes
+        sanitizedPath = strings.trim_prefix(path, "/")
+        if not strings.has_prefix(sanitizedPath, "dev-kv/teama/") and
+           not strings.has_prefix(sanitizedPath, "prod-kv/teama/") {
+            return false
+        }
+    }
+
+    return true
+}
+
+# Only care about writing; reading can be allowed by normal ACLs
+precond = rule {
+    request.operation in ["create", "update"] and
+    strings.has_prefix(request.path, "sys/policies/egp/")
+}
+
+main = rule when precond {
+    strings.has_prefix(request.path, "sys/policies/egp/teama-") and data_match()
+}
+```
diff --git a/website/pages/docs/enterprise/sentinel/index.mdx b/website/pages/docs/enterprise/sentinel/index.mdx
new file mode 100644
index 000000000000..f734d5041be3
--- /dev/null
+++ b/website/pages/docs/enterprise/sentinel/index.mdx
@@ -0,0 +1,115 @@
+---
+layout: docs
+page_title: Vault Enterprise Sentinel Integration
+sidebar_title: Sentinel
+description: An overview of how Sentinel interacts with Vault Enterprise.
+---
+
+# Overview
+
+Vault Enterprise integrates HashiCorp Sentinel to provide a rich set of access
+control functionality. Because Vault is a security-focused product trusted with
+high-risk secrets and assets, and because of its default-deny stance,
+integration with Vault is implemented in a defense-in-depth fashion. This takes
+the form of multiple types of policies and a fixed evaluation order.
+
+## Policy Types
+
+Vault's policy system has been expanded to support three types of policies:
+
+- `ACLs` - These are the [traditional Vault
+  policies](/docs/concepts/policies.html) and remain unchanged.
+
+- `Role Governing Policies (RGPs)` - RGPs are Sentinel policies that are tied
+  to particular tokens, Identity entities, or Identity groups. They have access
+  to a rich set of controls across various aspects of Vault.
+
+- `Endpoint Governing Policies (EGPs)` - EGPs are Sentinel policies that are
+  tied to particular paths instead of tokens. They have access to as much
+  request information as possible, but they can take effect even on
+  unauthenticated paths, such as login paths.
+
+Not every unauthenticated path supports EGPs. For instance, the paths related
+to root token generation cannot support EGPs because it's already the mechanism
+of last resort if, for instance, all clients are locked out of Vault due to
+misconfigured EGPs.
+
+Like with ACLs, [root tokens](/docs/concepts/tokens.html#root-tokens) tokens
+are not subject to Sentinel policy checks.
+
+Sentinel execution should be considered to be significantly slower than normal
+ACL policy checking. If high performance is needed, testing should be performed
+appropriately when introducing Sentinel policies.
+
+## Policy Evaluation
+
+During evaluation, all policy types, if they exist, must grant access.
+Evaluation uses the following logic:
+
+1. If the request is unauthenticated, skip to step 3. Otherwise, evaluate the
+   token's ACL policies. These must grant access; as always, a failure to be
+   granted capabilities on a path via ACL policies denies the request.
+2. RGPs attached to the token are evaluated. All policies must pass according
+   to their enforcement level.
+3. EGPs set on the requested path, and any prefix-matching EGPs set on
+   less-specific paths, are evaluated. All policies must pass according to
+   their enforcement level.
+
+Any failure at any of these steps results in a denied request.
+
+## Policy Overriding
+
+Vault supports normal Sentinel overriding behavior. Requests to override can be
+specified on the command line via the `policy-override` flag or in HTTP
+requests by setting the `X-Vault-Policy-Override` header to `true`.
+
+Override requests are visible in Vault's audit log; in addition, override
+requests and their eventual status (whether they ended up being required) are
+logged as warnings in Vault's server logs.
+
+## MFA
+
+Sentinel policies support the [Identity-based MFA
+system](/docs/enterprise/mfa/index.html) in Vault Enterprise. Within a single
+request, multiple checks of any named MFA method will only trigger
+authentication behavior for that method once, regardless of whether its
+validity is checked via ACLs, RGPs, or EGPs.
+
+EGPs can be used to require MFA on otherwise unauthenticated paths, such as
+login paths. On such paths, the request data will perform a lookahead to try to
+discover the appropriate Identity information to use for MFA. It may be
+necessary to pre-populate Identity entries or supply additional parameters with
+the request if you require more information to use MFA than the endpoint is
+able to glean from the original request alone.
+
+# Using Sentinel
+
+## Configuration
+
+Sentinel policies can be configured via the `sys/policies/rgp/` and
+`sys/policies/egp/` endpoints; see [the
+documentation](/api/system/policies.html) for more information.
+
+Once set, RGPs can be assigned to Identity entities and groups or to tokens
+just like ACL policies. As a result, they cannot share names with ACL policies.
+
+When setting an EGP, a list of paths must be provided specifying on which paths
+that EGP should take effect. Endpoints can have multiple distinct EGPs set on
+them; all are evaluated for each request. Paths can use a glob character (`*`)
+as the last character of the path to perform a prefix match; a path that
+consists only of a `*` will apply to the root of the API. Since requests are
+subject to an EGPs exactly matching the requested path and any glob EGPs
+sitting further up the request path, an EGP with a path of `*` will thus take
+effect on all requests.
+
+## Properties and Examples
+
+See the [Examples](/docs/enterprise/sentinel/examples.html) page for examples
+of Sentinel in action, and the
+[Properties](/docs/enterprise/sentinel/properties.html) page for detailed
+property documentation.
+
+## Learn
+
+Refer to the [Sentinel Policies](https://learn.hashicorp.com/vault/identity-access-management/iam-sentinel)
+guide for a step-by-step tutorial.
diff --git a/website/pages/docs/enterprise/sentinel/properties.mdx b/website/pages/docs/enterprise/sentinel/properties.mdx
new file mode 100644
index 000000000000..9a0919e7a240
--- /dev/null
+++ b/website/pages/docs/enterprise/sentinel/properties.mdx
@@ -0,0 +1,183 @@
+---
+layout: docs
+page_title: Sentinel Properties
+sidebar_title: Properties
+description: An overview of how Sentinel interacts with Vault Enterprise.
+---
+
+# Properties
+
+Vault injects a rich set of data into the running Sentinel environment,
+allowing for very fine-grained controls. The set of available properties are
+enumerated on this page.
+
+The following properties are available for use in Sentinel policies.
+
+## Namespace Properties
+
+The `namespace` (Sentinel) namespace gives access to information about the
+namespace in which the request is running. (This may or may not match the
+client's chosen namespace, if a request reaches into a child namespace).
+
+| Name   | Type     | Description                    |
+| :----- | :------- | :----------------------------- |
+| `id`   | `string` | The namespace ID               |
+| `path` | `string` | The root path of the namespace |
+
+## Request Properties
+
+The following properties are available in the `request` namespace.
+
+| Name                     | Type                  | Description                                                                                 |
+| :----------------------- | :-------------------- | :------------------------------------------------------------------------------------------ |
+| `connection.remote_addr` | `string`              | TCP/IP source address/port of the client                                                    |
+| `data`                   | `map (string -> any)` | Raw request data                                                                            |
+| `operation`              | `string`              | Operation type, e.g. "read" or "update"                                                     |
+| `path`                   | `string`              | Path, with any leading `/` trimmed                                                          |
+| `policy_override`        | `bool`                | `true` if a `soft-mandatory` policy override was requested                                  |
+| `unauthenticated`        | `bool`                | `true` if the requested path is an unauthenticated path                                     |
+| `wrapping.ttl`           | `duration`            | The requested response-wrapping TTL in nanoseconds, suitable for use with the `time` import |
+| `wrapping.ttl_seconds`   | `int`                 | The requested response-wrapping TTL in seconds                                              |
+
+### Replication Properties
+
+The following properties exists at the `replication.mode` namespace.
+
+| Name          | Type     | Description                                                                                                    |
+| :------------ | :------- | :------------------------------------------------------------------------------------------------------------- |
+| `dr`          | `string` | The state of DR replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary"          |
+| `replication` | `string` | The state of performance replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary" |
+
+## Token Properties
+
+The following properties, if available, are in the `token` namespace. The
+namespace will not exist if there is no token information attached to a
+request, e.g. when logging in.
+
+| Name                       | Type                     | Description                                                                                                                        |
+| :------------------------- | :----------------------- | :--------------------------------------------------------------------------------------------------------------------------------- |
+| `creation_time`            | `string`                 | The timestamp of the token's creation, in RFC3339 format                                                                           |
+| `creation_time_unix`       | `int`                    | The timestamp of the token's creation, in seconds since Unix epoch UTC                                                             |
+| `creation_ttl`             | `duration`               | The TTL the token was first created with in nanoseconds, suitable for use with the `time` import                                   |
+| `creation_ttl_seconds`     | `int`                    | The TTL the token was first created with in seconds                                                                                |
+| `display_name`             | `string`                 | The display name set on the token, if any                                                                                          |
+| `entity_id`                | `string`                 | The Identity entity ID attached to the token, if any                                                                               |
+| `explicit_max_ttl`         | `duration`               | If the token has an explicit max TTL, the duration of the explicit max TTL in nanoseconds, suitable for use with the `time` import |
+| `explicit_max_ttl_seconds` | `int`                    | If the token has an explicit max TTL, the duration of the explicit max TTL in seconds                                              |
+| `metadata`                 | `map (string -> string)` | Metadata set on the token                                                                                                          |
+| `num_uses`                 | `int`                    | The number of uses remaining on a use-count-limited token; 0 if the token has no use-count limit                                   |
+| `path`                     | `string`                 | The request path that resulted in creation of this token                                                                           |
+| `period`                   | `duration`               | If the token has a period, the duration of the period in nanoseconds, suitable for use with the `time` import                      |
+| `period_seconds`           | `int`                    | If the token has a period, the duration of the period in seconds                                                                   |
+| `policies`                 | `list (string)`          | Policies directly attached to the token                                                                                            |
+| `role`                     | `string`                 | If created via a token role, the role that created the token                                                                       |
+| `type`                     | `string`                 | The type of token, currently will be either `batch` or `service`                                                                   |
+
+## Token Namespace Properties
+
+The following properties, if available, are in the `token.namespace` namespace.
+The (Sentinel) namespace will not exist if there is no token information attached to a
+request, e.g. when logging in.
+
+| Name   | Type     | Description                    |
+| :----- | :------- | :----------------------------- |
+| `id`   | `string` | The namespace ID               |
+| `path` | `string` | The root path of the namespace |
+
+## Identity Properties
+
+The following properties, if available, are in the `identity` namespace. The
+namespace may not exist if there is no token information attached to the
+request; however, at login time the user's request data will be used to attempt
+to find any existing Identity information, or create some information to pass
+to MFA functions.
+
+### Entity Properties
+
+These exist at the `identity.entity` namespace.
+
+| Name                | Type                     | Description                                                   |
+| :------------------ | :----------------------- | :------------------------------------------------------------ |
+| `creation_time`     | `string`                 | The entity's creation time in RFC3339 format                  |
+| `id`                | `string`                 | The entity's ID                                               |
+| `last_update_time`  | `string`                 | The entity's last update (modify) time in RFC3339 format      |
+| `metadata`          | `map (string -> string)` | Metadata associated with the entity                           |
+| `name`              | `string`                 | The entity's name                                             |
+| `merged_entity_ids` | `list (string)`          | A list of IDs of entities that have been merged into this one |
+| `aliases`           | `list (alias)`           | List of aliases associated with this entity                   |
+| `policies`          | `list (string)`          | List of the policies set on this entity                       |
+
+### Alias Properties
+
+These can be retrieved from `identity.entity.aliases`.
+
+| Name                     | Type                     | Description                                                                                                                                   |
+| :----------------------- | :----------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------- |
+| `creation_time`          | `string`                 | The alias's creation time in RFC3339 format                                                                                                   |
+| `id`                     | `string`                 | The alias's ID                                                                                                                                |
+| `last_update_time`       | `string`                 | The alias's last update (modify) time in RFC3339 format                                                                                       |
+| `metadata`               | `map (string -> string)` | Metadata associated with the alias                                                                                                            |
+| `merged_from_entity_ids` | `list (string)`          | If this alias was attached to the current entity via one or more merges, the original entity/entities will be in this list                    |
+| `mount_accessor`         | `string`                 | The immutable accessor of the mount that created this alias                                                                                   |
+| `mount_path`             | `string`                 | The path of the mount that created this alias; unlike the accessor, there is no guarantee that the current path represents the original mount |
+| `mount_type`             | `string`                 | The type of the mount that created this alias                                                                                                 |
+| `name`                   | `string`                 | The alias's name                                                                                                                              |
+
+### Groups Properties
+
+These exist at the `identity.groups` namespace.
+
+| Name      | Type                    | Description                                                                                                                                     |
+| :-------- | :---------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------- |
+| `by_id`   | `map (string -> group)` | A map of group ID to group information                                                                                                          |
+| `by_name` | `map (string -> group)` | A map of group name to group information; unlike the group ID, there is no guarantee that the current name will always represent the same group |
+
+### Group Properties
+
+These can be retrieved from the `identity.groups` maps.
+
+| Name                | Type                     | Description                                                        |
+| :------------------ | :----------------------- | :----------------------------------------------------------------- |
+| `creation_time`     | `string`                 | The group's creation time in RFC3339 format                        |
+| `id`                | `string`                 | The group's ID                                                     |
+| `last_update_time`  | `string`                 | The group's last update (modify) time in RFC3339 format            |
+| `metadata`          | `map (string -> string)` | Metadata associated with the group                                 |
+| `name`              | `string`                 | The group's name                                                   |
+| `member_entity_ids` | `list (string)`          | A list of IDs of entities that are directly assigned to this group |
+| `parent_group_ids`  | `list (string)`          | A list of IDs of groups that are parents of this group             |
+| `policies`          | `list (string)`          | List of the policies set on this group                             |
+
+## MFA Properties
+
+These properties exist at the `mfa` namespace.
+
+| Name      | Type                     | Description                               |
+| :-------- | :----------------------- | :---------------------------------------- |
+| `methods` | `map (string -> method)` | A map of method name to method properties |
+
+### MFA Method Properties
+
+These properties can be accessed via the `mfa.methods` selector.
+
+| Name    | Type   | Description                                                                                                                                                                                                                                   |
+| :------ | :----- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `valid` | `bool` | Whether the method has successfully been validated; if validation has not been attempted, this will trigger the validation attempt. The result of the validation attempt will be used for this method for all policies for the given request. |
+
+## Control Group Properties
+
+These properties exist at the `controlgroup` namespace.
+
+| Name                   | Type                   | Description                                 |
+| :--------------------- | :--------------------- | :------------------------------------------ |
+| `time`, `request_time` | `string`               | The original request time in RFC3339 format |
+| `authorizations`       | `list (authorization)` | List of control group authorizations        |
+
+### Control Group Authorization
+
+These properties can be accessed via the `controlgroup.authorizations` selector.
+
+| Name     | Type              | Description                                                |
+| :------- | :---------------- | :--------------------------------------------------------- |
+| `time`   | `string`          | The authorization time in RFC3339 format                   |
+| `entity` | `identity.entity` | The identity entity for the authorizer.                    |
+| `groups` | `identity.groups` | The map of identity groups associated with the authorizer. |
diff --git a/website/pages/docs/index.mdx b/website/pages/docs/index.mdx
new file mode 100644
index 000000000000..4070f4fb2f28
--- /dev/null
+++ b/website/pages/docs/index.mdx
@@ -0,0 +1,8 @@
+---
+layout: docs
+page_title: Documentation
+---
+
+# Documentation
+
+Welcome to the Vault documentation! This documentation is more of a reference guide for all available features and options of Vault. If you're just getting started with Vault, please start with the [introduction](what-is-vault) instead, and work your way up to the [Getting Started](intro/getting-started/install) guide.
diff --git a/website/pages/docs/install/index.mdx b/website/pages/docs/install/index.mdx
new file mode 100644
index 000000000000..5b91332e1e77
--- /dev/null
+++ b/website/pages/docs/install/index.mdx
@@ -0,0 +1,76 @@
+---
+layout: docs
+page_title: Install Vault
+sidebar_title: Installing Vault
+description: |-
+  Installing Vault is simple. You can download a precompiled binary or compile
+  from source. This page details both methods.
+---
+
+# Install Vault
+
+Installing Vault is simple. There are two approaches to installing Vault:
+
+1. Using a [precompiled binary](#precompiled-binaries)
+
+1. Installing [from source](#compiling-from-source)
+
+Downloading a precompiled binary is easiest, and we provide downloads over TLS
+along with SHA256 sums to verify the binary. We also distribute a PGP signature
+with the SHA256 sums that can be verified.
+
+## Precompiled Binaries
+
+To install the precompiled binary, [download](/downloads.html) the appropriate
+package for your system. Vault is currently packaged as a zip file. We do not
+have any near term plans to provide system packages.
+
+Once the zip is downloaded, unzip it into any directory. The `vault` binary
+inside is all that is necessary to run Vault (or `vault.exe` for Windows). Any
+additional files, if any, aren't required to run Vault.
+
+Copy the binary to anywhere on your system. If you intend to access it from the
+command-line, make sure to place it somewhere on your `PATH`.
+
+## Compiling from Source
+
+To compile from source, you will need [Go](https://golang.org) installed and
+configured properly (including a `GOPATH` environment variable set), as well
+as a copy of [`git`](https://www.git-scm.com/) in your `PATH`.
+
+1. Clone the Vault repository from GitHub into your `GOPATH`:
+
+
+    ```shell
+    $ mkdir -p $GOPATH/src/github.com/hashicorp && cd $_
+    $ git clone https://github.com/hashicorp/vault.git
+    $ cd vault
+    ```
+
+1. Bootstrap the project. This will download and compile libraries and tools
+   needed to compile Vault:
+
+
+    ```shell
+    $ make bootstrap
+    ```
+
+1. Build Vault for your current system and put the
+   binary in `./bin/` (relative to the git checkout). The `make dev` target is
+   just a shortcut that builds `vault` for only your local build environment (no
+   cross-compiled targets).
+
+
+    ```shell
+    $ make dev
+    ```
+
+## Verifying the Installation
+
+To verify Vault is properly installed, run `vault -h` on your system. You should
+see help output. If you are executing it from the command line, make sure it is
+on your PATH or you may get an error about Vault not being found.
+
+```shell
+$ vault -h
+```
diff --git a/website/pages/docs/internals/architecture.mdx b/website/pages/docs/internals/architecture.mdx
new file mode 100644
index 000000000000..21140097a351
--- /dev/null
+++ b/website/pages/docs/internals/architecture.mdx
@@ -0,0 +1,174 @@
+---
+layout: docs
+page_title: Architecture
+sidebar_title: Architecture
+description: Learn about the internal architecture of Vault.
+---
+
+# Architecture
+
+Vault is a complex system that has many different pieces. To help both users and
+developers of Vault build a mental model of how it works, this page documents
+the system architecture.
+
+~> **Advanced Topic!** This page covers technical details of Vault. You don't
+need to understand these details to effectively use Vault. The details are
+documented here for those who wish to learn about them without having to go
+spelunking through the source code. However, if you're an operator of Vault, we
+recommend learning about the architecture due to the importance of Vault in an
+environment.
+
+# Glossary
+
+Before describing the architecture, we provide a glossary of terms to help
+clarify what is being discussed:
+
+- **Storage Backend** - A storage backend is responsible for durable storage of
+  _encrypted_ data. Backends are not trusted by Vault and are only expected to
+  provide durability. The storage backend is configured when starting the Vault
+  server.
+
+- **Barrier** - The barrier is cryptographic steel and concrete around the
+  Vault. All data that flows between Vault and the storage backend passes
+  through the barrier. The barrier ensures that only encrypted data is written
+  out, and that data is verified and decrypted on the way in. Much like a bank
+  vault, the barrier must be "unsealed" before anything inside can be accessed.
+
+- **Secrets Engine** - A secrets engine is responsible for managing secrets.
+  Simple secrets engines like the "kv" secrets engine simply return the same
+  secret when queried. Some secrets engines support using policies to
+  dynamically generate a secret each time they are queried. This allows for
+  unique secrets to be used which allows Vault to do fine-grained revocation and
+  policy updates. As an example, a MySQL secrets engine could be configured with
+  a "web" policy. When the "web" secret is read, a new MySQL user/password pair
+  will be generated with a limited set of privileges for the web server.
+
+- **Audit Device** - An audit device is responsible for managing audit logs.
+  Every request to Vault and response from Vault goes through the configured
+  audit devices. This provides a simple way to integrate Vault with multiple
+  audit logging destinations of different types.
+
+- **Auth Method** - An auth method is used to authenticate users or applications
+  which are connecting to Vault. Once authenticated, the auth method returns the
+  list of applicable policies which should be applied. Vault takes an
+  authenticated user and returns a client token that can be used for future
+  requests. As an example, the `userpass` auth method uses a username and
+  password to authenticate the user. Alternatively, the `github` auth method
+  allows users to authenticate via GitHub.
+
+- **Client Token** - A client token (aka "Vault Token") is conceptually
+  similar to a session cookie on a web site. Once a user authenticates, Vault
+  returns a client token which is used for future requests. The token is used by
+  Vault to verify the identity of the client and to enforce the applicable ACL
+  policies. This token is passed via HTTP headers.
+
+- **Secret** - A secret is the term for anything returned by Vault which
+  contains confidential or cryptographic material. Not everything returned by
+  Vault is a secret, for example system configuration, status information, or
+  policies are not considered secrets. Secrets always have an associated lease.
+  This means clients cannot assume that the secret contents can be used
+  indefinitely. Vault will revoke a secret at the end of the lease, and an
+  operator may intervene to revoke the secret before the lease is over. This
+  contract between Vault and its clients is critical, as it allows for changes
+  in keys and policies without manual intervention.
+
+- **Server** - Vault depends on a long-running instance which operates as a
+  server. The Vault server provides an API which clients interact with and
+  manages the interaction between all the secrets engines, ACL enforcement, and
+  secret lease revocation. Having a server based architecture decouples clients
+  from the security keys and policies, enables centralized audit logging and
+  simplifies administration for operators.
+
+# High-Level Overview
+
+A very high level overview of Vault looks like this:
+
+[![Architecture Overview](/img/layers.png)](/img/layers.png)
+
+Let's begin to break down this picture. There is a clear separation of
+components that are inside or outside of the security barrier. Only the storage
+backend and the HTTP API are outside, all other components are inside the
+barrier.
+
+The storage backend is untrusted and is used to durably store encrypted data.
+When the Vault server is started, it must be provided with a storage backend so
+that data is available across restarts. The HTTP API similarly must be started
+by the Vault server on start so that clients can interact with it.
+
+Once started, the Vault is in a _sealed_ state. Before any operation can be
+performed on the Vault it must be unsealed. This is done by providing the unseal
+keys. When the Vault is initialized it generates an encryption key which is used
+to protect all the data. That key is protected by a master key. By default,
+Vault uses a technique known as [Shamir's secret sharing
+algorithm](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing) to split the
+master key into 5 shares, any 3 of which are required to reconstruct the master
+key.
+
+[![Vault Shamir Secret Sharing Algorithm](/img/vault-shamir-secret-sharing.svg)](/img/vault-shamir-secret-sharing.svg)
+
+The number of shares and the minimum threshold required can both be specified.
+Shamir's technique can be disabled, and the master key used directly for
+unsealing. Once Vault retrieves the encryption key, it is able to decrypt the
+data in the storage backend, and enters the _unsealed_ state. Once unsealed,
+Vault loads all of the configured audit devices, auth methods, and secrets
+engines.
+
+The configuration of those audit devices, auth methods, and secrets engines must
+be stored in Vault since they are security sensitive. Only users with the
+correct permissions should be able to modify them, meaning they cannot be
+specified outside of the barrier. By storing them in Vault, any changes to them
+are protected by the ACL system and tracked by audit logs.
+
+After the Vault is unsealed, requests can be processed from the HTTP API to the
+Core. The core is used to manage the flow of requests through the system,
+enforce ACLs, and ensure audit logging is done.
+
+When a client first connects to Vault, it needs to authenticate. Vault provides
+configurable auth methods providing flexibility in the authentication mechanism
+used. Human friendly mechanisms such as username/password or GitHub might be
+used for operators, while applications may use public/private keys or tokens to
+authenticate. An authentication request flows through core and into an auth
+method, which determines if the request is valid and returns a list of
+associated policies.
+
+Policies are just a named ACL rule. For example, the "root" policy is built-in
+and permits access to all resources. You can create any number of named policies
+with fine-grained control over paths. Vault operates exclusively in a whitelist
+mode, meaning that unless access is explicitly granted via a policy, the action
+is not allowed. Since a user may have multiple policies associated, an action is
+allowed if any policy permits it. Policies are stored and managed by an internal
+policy store. This internal store is manipulated through the system backend,
+which is always mounted at `sys/`.
+
+Once authentication takes place and an auth method provides a set of applicable
+policies, a new client token is generated and managed by the token store. This
+client token is sent back to the client, and is used to make future requests.
+This is similar to a cookie sent by a website after a user logs in. The client
+token may have a lease associated with it depending on the auth method
+configuration. This means the client token may need to be periodically renewed
+to avoid invalidation.
+
+Once authenticated, requests are made providing the client token. The token is
+used to verify the client is authorized and to load the relevant policies. The
+policies are used to authorize the client request. The request is then routed to
+the secrets engine, which is processed depending on its type. If the secrets
+engine returns a secret, the core registers it with the expiration manager and
+attaches a lease ID. The lease ID is used by clients to renew or revoke their
+secret. If a client allows the lease to expire, the expiration manager
+automatically revokes the secret.
+
+The core handles logging of requests and responses to the audit broker, which
+fans the request out to all the configured audit devices. Outside of the request
+flow, the core performs certain background activity. Lease management is
+critical, as it allows expired client tokens or secrets to be revoked
+automatically. Additionally, Vault handles certain partial failure cases by
+using write ahead logging with a rollback manager. This is managed transparently
+within the core and is not user visible.
+
+# Getting in Depth
+
+This has been a brief high-level overview of the architecture of Vault. There
+are more details available for each of the sub-systems.
+
+For other details, either consult the code, ask in IRC or reach out to the
+mailing list.
diff --git a/website/pages/docs/internals/high-availability.mdx b/website/pages/docs/internals/high-availability.mdx
new file mode 100644
index 000000000000..a91e5a41cb7b
--- /dev/null
+++ b/website/pages/docs/internals/high-availability.mdx
@@ -0,0 +1,67 @@
+---
+layout: docs
+page_title: High Availability
+sidebar_title: High Availability
+description: Learn about the high availability design of Vault.
+---
+
+# High Availability
+
+Vault is primarily used in production environments to manage secrets.
+As a result, any downtime of the Vault service can affect downstream clients.
+Vault is designed to support a highly available deploy to ensure a machine
+or process failure is minimally disruptive.
+
+~> **Advanced Topic!** This page covers technical details
+of Vault. You don't need to understand these details to
+effectively use Vault. The details are documented here for
+those who wish to learn about them without having to go
+spelunking through the source code. However, if you're an
+operator of Vault, we recommend learning about the architecture
+due to the importance of Vault in an environment.
+
+# Design Overview
+
+The primary design goal in making Vault highly available (HA) was to
+minimize downtime and not horizontal scalability. Vault is typically
+bound by the IO limits of the storage backend rather than the compute
+requirements. This simplifies the HA approach and allows more complex
+coordination to be avoided.
+
+Certain storage backends, such as Consul, provide additional coordination
+functions that enable Vault to run in an HA configuration. When supported
+by the backend, Vault will automatically run in HA mode without additional
+configuration.
+
+When running in HA mode, Vault servers have two additional states they
+can be in: standby and active. For multiple Vault servers sharing a storage
+backend, only a single instance will be active at any time while all other
+instances are hot standbys.
+
+The active server operates in a standard fashion and processes all requests.
+The standby servers do not process requests, and instead redirect to the active
+Vault. Meanwhile, if the active server is sealed, fails, or loses network connectivity
+then one of the standbys will take over and become the active instance.
+
+It is important to note that only _unsealed_ servers act as a standby.
+If a server is still in the sealed state, then it cannot act as a standby
+as it would be unable to serve any requests should the active server fail.
+
+# Performance Standby Nodes (Enterprise)
+
+Performance Standby Nodes are just like traditional High Availability standby
+nodes but they can service read-only requests from users or applications.
+Read-only requests are requests that do not modify Vault's storage. This allows
+for Vault to quickly scale its ability to service these kinds of operations,
+providing near-linear request-per-second scaling in many common scenarios for
+some secrets engines like K/V and Transit. By spreading traffic across
+performance standby nodes, clients can scale these IOPS horizontally to handle
+extremely high traffic workloads.
+
+If a request comes into a Performance Standby Node that causes a storage write
+the request will be forwarded onto the active server. If the request is
+read-only the request will be serviced locally on the Performance Standby.
+
+Just like traditional HA standbys if the active node is sealed, fails, or loses
+network connectivity then a performance standby can take over and become the
+active instance.
diff --git a/website/pages/docs/internals/index.mdx b/website/pages/docs/internals/index.mdx
new file mode 100644
index 000000000000..f7ff6dbe83d8
--- /dev/null
+++ b/website/pages/docs/internals/index.mdx
@@ -0,0 +1,18 @@
+---
+layout: docs
+page_title: Internals
+sidebar_title: Internals
+description: >-
+  This section covers the internals of Vault and explains technical details of
+  Vaults operation.
+---
+
+# Vault Internals
+
+This section covers the internals of Vault and explains the technical
+details of how Vault functions, its architecture and security properties.
+
+-> **Note:** Knowledge of Vault internals is not
+required to use Vault. If you aren't interested in the internals
+of Vault, you may safely skip this section. If you're operating Vault,
+we recommend understanding the internals.
diff --git a/website/pages/docs/internals/plugins.mdx b/website/pages/docs/internals/plugins.mdx
new file mode 100644
index 000000000000..6984e2659969
--- /dev/null
+++ b/website/pages/docs/internals/plugins.mdx
@@ -0,0 +1,167 @@
+---
+layout: docs
+page_title: Plugin System
+sidebar_title: Plugins
+description: Learn about Vault's plugin system.
+---
+
+# Plugin System
+
+All Vault auth and secret backends are considered plugins. This simple concept
+allows both built-in and external plugins to be treated like Legos. Any plugin
+can exist at multiple different locations. Different versions of a plugin may
+be at each one, with each version differing from Vault's version.
+
+## Built-In Plugins
+
+Built-in plugins are shipped with Vault, often for commonly used implementations,
+and require no additional operator intervention to run. Built-in plugins are
+just like any other backend code inside Vault.
+
+To use a different or edited version of a built-in plugin, you would first edit
+the plugin's code or navigate to the Vault version holding the version of the
+plugin you desire. Then, you'd `$ cd` into the `cmd/:plugin-name` directory
+contained alongside that plugin's code. For instance, for AppRole, you would:
+`$ cd vault/builtin/credential/approle/cmd/approle`. Once in that directory,
+you would run `$ go build` to obtain a new binary for the AppRole plugin. Then
+you would add it to the plugin catalog as per normal, and enable it.
+
+# Plugin Architecture
+
+Vault's plugins are completely separate, standalone applications that Vault
+executes and communicates with over RPC. This means the plugin process does not
+share the same memory space as Vault and therefore can only access the
+interfaces and arguments given to it. This also means a crash in a plugin can not
+crash the entirety of Vault.
+
+It is possible to enable a custom plugin with a name that's identical to a
+built-in plugin. In such a situation, Vault will always choose the custom plugin
+when enabling it.
+
+## Plugin Communication
+
+Vault creates a mutually authenticated TLS connection for communication with the
+plugin's RPC server. While invoking the plugin process, Vault passes a [wrapping
+token](https://www.vaultproject.io/docs/concepts/response-wrapping.html) to the
+plugin process' environment. This token is single use and has a short TTL. Once
+unwrapped, it provides the plugin with a uniquely generated TLS certificate and
+private key for it to use to talk to the original Vault process.
+
+The [`api_addr`][api_addr] must be set in order for the plugin process establish
+communication with the Vault server during mount time. If the storage backend
+has HA enabled and supports automatic host address detection (e.g. Consul),
+Vault will automatically attempt to determine the `api_addr` as well.
+
+~> Note: Reading the original connection's TLS connection state is not supported
+in plugins.
+
+## Plugin Registration
+
+An important consideration of Vault's plugin system is to ensure the plugin
+invoked by Vault is authentic and maintains integrity. There are two components
+that a Vault operator needs to configure before external plugins can be run, the
+plugin directory and the plugin catalog entry.
+
+### Plugin Directory
+
+The plugin directory is a configuration option of Vault, and can be specified in
+the [configuration file](https://www.vaultproject.io/docs/configuration/index.html).
+This setting specifies a directory in which all plugin binaries must live;
+_this value cannot be a symbolic link_. A plugin
+can not be added to Vault unless it exists in the plugin directory. There is no
+default for this configuration option, and if it is not set plugins can not be
+added to Vault.
+
+~> Warning: A Vault operator should take care to lock down the permissions on
+this directory to ensure a plugin can not be modified by an unauthorized user
+between the time of the SHA check and the time of plugin execution.
+
+### Plugin Catalog
+
+The plugin catalog is Vault's list of approved plugins. The catalog is stored in
+Vault's barrier and can only be updated by a Vault user with sudo permissions.
+Upon adding a new plugin, the plugin name, SHA256 sum of the executable, and the
+command that should be used to run the plugin must be provided. The catalog will
+make sure the executable referenced in the command exists in the plugin
+directory. When added to the catalog the plugin is not automatically executed,
+it instead becomes visible to backends and can be executed by them. For more
+information on the plugin catalog please see the [Plugin Catalog API
+docs](/api/system/plugins-catalog.html).
+
+An example plugin submission looks like:
+
+```
+$ vault write sys/plugins/catalog/database/myplugin-database-plugin \
+    sha256=<expected SHA256 Hex value of the plugin binary> \
+    command="myplugin"
+Success! Data written to: sys/plugins/catalog/database/myplugin-database-plugin
+```
+
+### Plugin Execution
+
+When a backend wants to run a plugin, it first looks up the plugin, by name, in
+the catalog. It then checks the executable's SHA256 sum against the one
+configured in the plugin catalog. Finally Vault runs the command configured in
+the catalog, sending along the JWT formatted response wrapping token and mlock
+settings (like Vault, plugins support [the use of mlock when available](https://www.vaultproject.io/docs/configuration/index.html#disable_mlock)).
+
+# Plugin Development
+
+~> Advanced topic! Plugin development is a highly advanced topic in Vault, and
+is not required knowledge for day-to-day usage. If you don't plan on writing any
+plugins, we recommend not reading this section of the documentation.
+
+Because Vault communicates to plugins over a RPC interface, you can build and
+distribute a plugin for Vault without having to rebuild Vault itself. This makes
+it easy for you to build a Vault plugin for your organization's internal use,
+for a proprietary API that you don't want to open source, or to prototype
+something before contributing it back to the main project.
+
+In theory, because the plugin interface is HTTP, you could even develop a plugin
+using a completely different programming language! (Disclaimer, you would also
+have to re-implement the plugin API which is not a trivial amount of work.)
+
+Developing a plugin is simple. The only knowledge necessary to write
+a plugin is basic command-line skills and basic knowledge of the
+[Go programming language](http://golang.org).
+
+Your plugin implementation needs to satisfy the interface for the plugin
+type you want to build. You can find these definitions in the docs for the
+backend running the plugin.
+
+```go
+package main
+
+import (
+	"os"
+
+	myPlugin "your/plugin/import/path"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/plugin"
+)
+
+func main() {
+	apiClientMeta := &api.PluginAPIClientMeta{}
+	flags := apiClientMeta.FlagSet()
+	flags.Parse(os.Args[1:])
+
+	tlsConfig := apiClientMeta.GetTLSConfig()
+	tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
+
+	err := plugin.Serve(&plugin.ServeOpts{
+		BackendFactoryFunc: myPlugin.Factory,
+		TLSProviderFunc:    tlsProviderFunc,
+	})
+	if err != nil {
+		logger := hclog.New(&hclog.LoggerOptions{})
+
+		logger.Error("plugin shutting down", "error", err)
+		os.Exit(1)
+	}
+}
+```
+
+And that's basically it! You would just need to change `myPlugin` to your actual
+plugin. For more information on how to register and enable your plugin, check out the [Building Plugin Backends](https://learn.hashicorp.com/vault/developer/plugin-backends) tutorial.
+
+[api_addr]: /docs/configuration/index.html#api_addr
diff --git a/website/pages/docs/internals/replication.mdx b/website/pages/docs/internals/replication.mdx
new file mode 100644
index 000000000000..d7db31485758
--- /dev/null
+++ b/website/pages/docs/internals/replication.mdx
@@ -0,0 +1,167 @@
+---
+layout: docs
+page_title: Replication
+sidebar_title: Replication
+description: Learn about the details of multi-datacenter replication within Vault.
+---
+
+# Replication (Vault Enterprise)
+
+Vault Enterprise 0.7 adds support for multi-datacenter replication. Before
+using this feature, it is useful to understand the intended use cases, design
+goals, and high level architecture.
+
+Replication is based on a primary/secondary (1:N) model with asynchronous
+replication, focusing on high availability for global deployments. The
+trade-offs made in the design and implementation of replication reflect these
+high level goals.
+
+# Use Cases
+
+Vault replication is based on a number of common use cases:
+
+- **Multi-Datacenter Deployments**: A common challenge is providing Vault to
+  applications across many datacenters in a highly-available manner. Running a
+  single Vault cluster imposes high latency of access for remote clients,
+  availability loss or outages during connectivity failures, and limits
+  scalability.
+
+- **Backup Sites**: Implementing a robust business continuity plan around the
+  loss of a primary datacenter requires the ability to quickly and easily fail
+  to a hot backup site.
+
+- **Scaling Throughput**: Applications that use Vault for
+  Encryption-as-a-Service or cryptographic offload may generate a very high
+  volume of requests for Vault. Replicating keys between multiple clusters
+  allows load to be distributed across additional servers to scale request
+  throughput.
+
+# Design Goals
+
+Based on the use cases for Vault Replication, we had a number of design goals
+for the implementation:
+
+- **Availability**: Global deployments of Vault require high levels of
+  availability, and can tolerate reduced consistency. During full connectivity,
+  replication is nearly real-time between the primary and secondary clusters.
+  Degraded connectivity between a primary and secondary does not impact the
+  primary's ability to service requests, and the secondary will continue to
+  service reads on last-known data.
+
+- **Conflict Free**: Certain replication techniques allow for potential write
+  conflicts to take place. Particularly, any active/active configuration where
+  writes are allowed to multiple sites require a conflict resolution strategy.
+  This varies from techniques that allow for data loss like last-write-wins, or
+  techniques that require manual operator resolution like allowing multiple
+  values per key. We avoid the possibility of conflicts to ensure there is no
+  data loss or manual intervention required.
+
+- **Transparent to Clients**: Vault replication should be transparent to
+  clients of Vault, so that existing thin clients work unmodified. The Vault
+  servers handle the logic of request forwarding to the primary when necessary,
+  and multi-hop routing is performed internally to ensure requests are
+  processed.
+
+- **Simple to Operate**: Operating a replicated cluster should be simple to
+  avoid administrative overhead and potentially introducing security gaps.
+  Setup of replication is very simple, and secondaries can handle being
+  arbitrarily behind the primary, avoiding the need for operator intervention
+  to copy data or snapshot the primary.
+
+# Architecture
+
+The architecture of Vault replication is based on the design goals, focusing on
+the intended use cases. When replication is enabled, a cluster is set as either
+a _primary_ or _secondary_. The primary cluster is authoritative, and is the
+only cluster allowed to perform actions that write to the underlying data
+storage, such as modifying policies or secrets. Secondary clusters can service
+all other operations, such as reading secrets or sending data through
+`transit`, and forward any writes to the primary cluster. Disallowing multiple
+primaries ensures the cluster is conflict free and has an authoritative state.
+
+The primary cluster uses log shipping to replicate changes to all of the
+secondaries. This ensures writes are visible globally in near real-time when
+there is full network connectivity. If a secondary is down or unable to
+communicate with the primary, writes are not blocked on the primary and reads
+are still serviced on the secondary. This ensures the availability of Vault.
+When the secondary is initialized or recovers from degraded connectivity it
+will automatically reconcile with the primary.
+
+Lastly, clients can speak to any Vault server without a thick client. If a
+client is communicating with a standby instance, the request is automatically
+forwarded to an active instance. Secondary clusters will service reads locally
+and forward any write requests to the primary cluster. The primary cluster is
+able to service all request types.
+
+An important optimization Vault makes is to avoid replication of tokens or
+leases between clusters. Policies and secrets are the minority of data managed
+by Vault and tend to be relatively stable. Tokens and leases are much more
+dynamic, as they are created and expire rapidly. Keeping tokens and leases
+locally reduces the amount of data that needs to be replicated, and distributes
+the work of TTL management between the clusters. The caveat is that clients
+will need to re-authenticate if they switch the Vault cluster they are
+communicating with.
+
+# Implementation Details
+
+It is important to understand the high-level architecture of replication to
+ensure the trade-offs are appropriate for your use case. The implementation
+details may be useful for those who are curious or want to understand more
+about the performance characteristics or failure scenarios.
+
+Using replication requires a storage backend that supports transactional
+updates, such as Consul. This allows multiple key/value updates to be
+performed atomically. Replication uses this to maintain a
+[Write-Ahead-Log][wal] (WAL) of all updates, so that the key update happens
+atomically with the WAL entry creation. The WALs are then used to perform log
+shipping between the Vault clusters. When a secondary is closely synchronized
+with a primary, Vault directly streams new WALs to be applied, providing near
+real-time replication. A bounded set of WALs are maintained for the
+secondaries, and older WALs are garbage collected automatically.
+
+When a secondary is initialized or is too far behind the primary there may not
+be enough WALs to synchronize. To handle this scenario, Vault maintains a
+[merkle index][merkle] of the encrypted keys. Any time a key is updated or
+deleted, the merkle index is updated to reflect the change. When a secondary
+needs to reconcile with a primary, they compare their merkle indexes to
+determine which keys are out of sync. The structure of the index allows this to
+be done very efficiently, usually requiring only two round trips and a small
+amount of data. The secondary uses this information to reconcile and then
+switches back into WAL streaming mode.
+
+Performance is an important concern for Vault, so WAL entries are batched and
+the merkle index is not flushed to disk with every operation. Instead, the
+index is updated in memory for every operation and asynchronously flushed to
+disk. As a result, a crash or power loss may cause the merkle index to become
+out of sync with the underlying keys. Vault uses the [ARIES][aries] recovery
+algorithm to ensure the consistency of the index under those failure
+conditions.
+
+Log shipping traditionally requires the WAL stream to be synchronized, which
+can introduce additional complexity when a new primary cluster is promoted.
+Vault uses the merkle index as the source of truth, allowing the WAL streams to
+be completely distinct and unsynchronized. This simplifies administration of
+Vault Replication for operators.
+
+# Caveats
+
+- **Read-After-Write Consistency**: All write requests are forwarded from
+  secondaries to the primary cluster in order to avoid potential conflicts.
+  While replication is near real-time, it is not instantaneous, meaning there
+  is a potential for a client to write to a secondary and a subsequent read to
+  return an old value. Secondaries attempt to mask this from an individual
+  client making subsequent requests by stalling write requests until the write
+  is replicated or a timeout is reached (2 seconds). If the timeout is reached,
+  the client will receive a warning.
+
+- **Stale Reads**: Secondary clusters service reads based on their
+  locally-replicated data. During normal operation updates from a primary are
+  received in near real-time by secondaries. However, during an outage or
+  network service disruption, replication may stall and secondaries may have
+  stale data. The cluster will automatically recover and reconcile any stale
+  data once the outage has recovered, but reads in the intervening period may
+  receive stale data.
+
+[wal]: https://en.wikipedia.org/wiki/Write-ahead_logging
+[merkle]: https://en.wikipedia.org/wiki/Merkle_tree
+[aries]: https://en.wikipedia.org/wiki/Algorithms_for_Recovery_and_Isolation_Exploiting_Semantics
diff --git a/website/pages/docs/internals/rotation.mdx b/website/pages/docs/internals/rotation.mdx
new file mode 100644
index 000000000000..28150fe8a225
--- /dev/null
+++ b/website/pages/docs/internals/rotation.mdx
@@ -0,0 +1,56 @@
+---
+layout: docs
+page_title: Key Rotation
+sidebar_title: Key Rotation
+description: Learn about the details of key rotation within Vault.
+---
+
+# Key Rotation
+
+Vault has multiple encryption keys that are used for various purposes. These keys support
+rotation so that they can be periodically changed or in response to a potential leak or
+compromise. It is useful to first understand the
+[high-level architecture](/docs/internals/architecture.html) before learning about key rotation.
+
+As a review, Vault starts in a _sealed_ state. Vault is unsealed by providing the unseal keys.
+By default, Vault uses a technique known as [Shamir's secret sharing algorithm](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
+to split the master key into 5 shares, any 3 of which are required to reconstruct the master
+key. The master key is used to protect the encryption key, which is ultimately used to protect
+data written to the storage backend.
+
+[![Vault Shamir Secret Sharing Algorithm](/img/vault-shamir-secret-sharing.svg)](/img/vault-shamir-secret-sharing.svg)
+
+To support key rotation, we need to support changing the unseal keys, master key, and the
+backend encryption key. We split this into two separate operations, `rekey` and `rotate`.
+
+The `rekey` operation is used to generate a new master key. When this is being done,
+it is possible to change the parameters of the key splitting, so that the number of shares
+and the threshold required to unseal can be changed. To perform a rekey a threshold of the
+current unseal keys must be provided. This is to prevent a single malicious operator from
+performing a rekey and invalidating the existing master key.
+
+Performing a rekey is fairly straightforward. The rekey operation must be initialized with
+the new parameters for the split and threshold. Once initialized, the current unseal keys
+must be provided until the threshold is met. Once met, Vault will generate the new master
+key, perform the splitting, and re-encrypt the encryption key with the new master key.
+The new unseal keys are then provided to the operator, and the old unseal keys are no
+longer usable.
+
+The `rotate` operation is used to change the encryption key used to protect data written
+to the storage backend. This key is never provided or visible to operators, who only
+have unseal keys. This simplifies the rotation, as it does not require the current key
+holders unlike the `rekey` operation. When `rotate` is triggered, a new encryption key
+is generated and added to a keyring. All new values written to the storage backend are
+encrypted with the new key. Old values written with previous encryption keys can still
+be decrypted since older keys are saved in the keyring. This allows key rotation to be
+done online, without an expensive re-encryption process.
+
+Both the `rekey` and `rotate` operations can be done online and in a highly available
+configuration. Only the active Vault instance can perform either of the operations
+but standby instances can still assume an active role after either operation. This is
+done by providing an online upgrade path for standby instances. If the current encryption
+key is `N` and a rotation installs `N+1`, Vault creates a special "upgrade" key, which
+provides the `N+1` encryption key protected by the `N` key. This upgrade key is only available
+for a few minutes enabling standby instances to do a periodic check for upgrades.
+This allows standby instances to update their keys and stay in-sync with the active Vault
+without requiring operators to perform another unseal.
diff --git a/website/pages/docs/internals/security.mdx b/website/pages/docs/internals/security.mdx
new file mode 100644
index 000000000000..9891ad4c04fb
--- /dev/null
+++ b/website/pages/docs/internals/security.mdx
@@ -0,0 +1,161 @@
+---
+layout: docs
+page_title: Security Model
+sidebar_title: Security Model
+description: Learn about the security model of Vault.
+---
+
+# Security Model
+
+Due to the nature of Vault and the confidentiality of data it is managing,
+the Vault security model is very critical. The overall goal of Vault's security
+model is to provide [confidentiality, integrity, availability, accountability,
+authentication](https://en.wikipedia.org/wiki/Information_security).
+
+This means that data at rest and in transit must be secure from eavesdropping
+or tampering. Clients must be appropriately authenticated and authorized
+to access data or modify policy. All interactions must be auditable and traced
+uniquely back to the origin entity. The system must be robust against intentional
+attempts to bypass any of its access controls.
+
+# Threat Model
+
+The following are the various parts of the Vault threat model:
+
+- Eavesdropping on any Vault communication. Client communication with Vault
+  should be secure from eavesdropping as well as communication from Vault to
+  its storage backend.
+
+- Tampering with data at rest or in transit. Any tampering should be detectable
+  and cause Vault to abort processing of the transaction.
+
+- Access to data or controls without authentication or authorization. All requests
+  must be proceeded by the applicable security policies.
+
+- Access to data or controls without accountability. If audit logging
+  is enabled, requests and responses must be logged before the client receives
+  any secret material.
+
+- Confidentiality of stored secrets. Any data that leaves Vault to rest in the
+  storage backend must be safe from eavesdropping. In practice, this means all
+  data at rest must be encrypted.
+
+- Availability of secret material in the face of failure. Vault supports
+  running in a highly available configuration to avoid loss of availability.
+
+The following are not parts of the Vault threat model:
+
+- Protecting against arbitrary control of the storage backend. An attacker
+  that can perform arbitrary operations against the storage backend can
+  undermine security in any number of ways that are difficult or impossible to protect
+  against. As an example, an attacker could delete or corrupt all the contents
+  of the storage backend causing total data loss for Vault. The ability to control
+  reads would allow an attacker to snapshot in a well-known state and rollback state
+  changes if that would be beneficial to them.
+
+- Protecting against the leakage of the existence of secret material. An attacker
+  that can read from the storage backend may observe that secret material exists
+  and is stored, even if it is kept confidential.
+
+- Protecting against memory analysis of a running Vault. If an attacker is able
+  to inspect the memory state of a running Vault instance then the confidentiality
+  of data may be compromised.
+
+# External Threat Overview
+
+Given the architecture of Vault, there are 3 distinct systems we are concerned
+with for Vault. There is the client, which is speaking to Vault over an API.
+There is Vault or the server more accurately, which is providing an API and
+serving requests. Lastly, there is the storage backend, which the server is
+utilizing to read and write data.
+
+There is no mutual trust between the Vault client and server. Clients use
+[TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) to verify the
+identity of the server and to establish a secure communication channel. Servers
+require that a client provides a client token for every request which is used
+to identify the client. A client that does not provide their token is only
+permitted to make login requests.
+
+The storage backends used by Vault are also untrusted by design. Vault uses a
+security barrier for all requests made to the backend. The security barrier
+automatically encrypts all data leaving Vault using a 256-bit [Advanced
+Encryption Standard
+(AES)](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) cipher in
+the [Galois Counter Mode
+(GCM)](https://en.wikipedia.org/wiki/Galois/Counter_Mode) with 96-bit nonces.
+The nonce is randomly generated for every encrypted object. When data is read
+from the security barrier the GCM authentication tag is verified during the
+decryption process to detect any tampering.
+
+Depending on the backend used, Vault may communicate with the backend over TLS
+to provide an added layer of security. In some cases, such as a file backend
+this is not applicable. Because storage backends are untrusted, an eavesdropper
+would only gain access to encrypted data even if communication with the backend
+was intercepted.
+
+# Internal Threat Overview
+
+Within the Vault system, a critical security concern is an attacker attempting
+to gain access to secret material they are not authorized to. This is an internal
+threat if the attacker is already permitted some level of access to Vault and is
+able to authenticate.
+
+When a client first authenticates with Vault, an auth method is used to verify
+the identity of the client and to return a list of associated ACL policies.
+This association is configured by operators of Vault ahead of time. For
+example, GitHub users in the "engineering" team may be mapped to the
+"engineering" and "ops" Vault policies. Vault then generates a client token
+which is a randomly generated, serialized value and maps it to the policy list.
+This client token is then returned to the client.
+
+On each request a client provides this token. Vault then uses it to check that
+the token is valid and has not been revoked or expired, and generates an ACL
+based on the associated policies. Vault uses a strict default deny or whitelist
+enforcement. This means unless an associated policy allows for a given action,
+it will be denied. Each policy specifies a level of access granted to a path in
+Vault. When the policies are merged (if multiple policies are associated with a
+client), the highest access level permitted is used. For example, if the
+"engineering" policy permits read/update access to the "eng/" path, and the
+"ops" policy permits read access to the "ops/" path, then the user gets the
+union of those. Policy is matched using the most specific defined policy, which
+may be an exact match or the longest-prefix match glob pattern.
+
+Certain operations are only permitted by "root" users, which is a distinguished
+policy built into Vault. This is similar to the concept of a root user on a
+Unix system or an Administrator on Windows. Although clients could be provided
+with root tokens or associated with the root policy, instead Vault supports the
+notion of "sudo" privilege. As part of a policy, users may be granted "sudo"
+privileges to certain paths, so that they can still perform security sensitive
+operations without being granted global root access to Vault.
+
+Lastly, Vault supports using a [Two-man
+rule](https://en.wikipedia.org/wiki/Two-man_rule) for unsealing using [Shamir's
+Secret Sharing
+technique](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing). When Vault
+is started, it starts in a _sealed_ state. This means that the encryption key
+needed to read and write from the storage backend is not yet known. The process
+of unsealing requires providing the master key so that the encryption key can
+be retrieved. The risk of distributing the master key is that a single
+malicious actor with access to it can decrypt the entire Vault. Instead,
+Shamir's technique allows us to split the master key into multiple shares or
+parts. The number of shares and the threshold needed is configurable, but by
+default Vault generates 5 shares, any 3 of which must be provided to
+reconstruct the master key.
+
+By using a secret sharing technique, we avoid the need to place absolute trust
+in the holder of the master key, and avoid storing the master key at all. The
+master key is only retrievable by reconstructing the shares. The shares are not
+useful for making any requests to Vault, and can only be used for unsealing.
+Once unsealed the standard ACL mechanisms are used for all requests.
+
+To make an analogy, a bank puts security deposit boxes inside of a vault. Each
+security deposit box has a key, while the vault door has both a combination and
+a key. The vault is encased in steel and concrete so that the door is the only
+practical entrance. The analogy to Vault, is that the cryptosystem is the
+steel and concrete protecting the data. While you could tunnel through the
+concrete or brute force the encryption keys, it would be prohibitively time
+consuming. Opening the bank vault requires two-factors: the key and the
+combination. Similarly, Vault requires multiple shares be provided to
+reconstruct the master key. Once unsealed, each security deposit boxes still
+requires the owner provide a key, and similarly the Vault ACL system protects
+all the secrets stored.
diff --git a/website/pages/docs/internals/telemetry.mdx b/website/pages/docs/internals/telemetry.mdx
new file mode 100644
index 000000000000..933a0f9cd0fb
--- /dev/null
+++ b/website/pages/docs/internals/telemetry.mdx
@@ -0,0 +1,345 @@
+---
+layout: docs
+page_title: Telemetry
+sidebar_title: Telemetry
+description: Learn about the telemetry data available in Vault.
+---
+
+# Telemetry
+
+The Vault server process collects various runtime metrics about the performance of different libraries and subsystems. These metrics are aggregated on a ten second interval and are retained for one minute.
+
+To view the raw data, you must send a signal to the Vault process: on Unix-style operating systems, this is `USR1` while on Windows it is `BREAK`. When the Vault process receives this signal it will dump the current telemetry information to the process's `stderr`.
+
+This telemetry information can be used for debugging or otherwise getting a better view of what Vault is doing.
+
+Telemetry information can also be streamed directly from Vault to a range of metrics aggregation solutions as described in the [telemetry Stanza documentation][telemetry-stanza].
+
+The following is an example telemetry dump snippet:
+
+```text
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.expire.num_leases': 5100.000
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.num_goroutines': 39.000
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.sys_bytes': 222746880.000
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.malloc_count': 109189192.000
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.free_count': 108408240.000
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.heap_objects': 780953.000
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.total_gc_runs': 232.000
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.alloc_bytes': 72954392.000
+[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.total_gc_pause_ns': 150293024.000
+[2017-12-19 20:37:50 +0000 UTC][S] 'vault.merkle.flushDirty': Count: 100 Min: 0.008 Mean: 0.027 Max: 0.183 Stddev: 0.024 Sum: 2.681 LastUpdated: 2017-12-19 20:37:59.848733035 +0000 UTC m=+10463.692105920
+[2017-12-19 20:37:50 +0000 UTC][S] 'vault.merkle.saveCheckpoint': Count: 4 Min: 0.021 Mean: 0.054 Max: 0.110 Stddev: 0.039 Sum: 0.217 LastUpdated: 2017-12-19 20:37:57.048458148 +0000 UTC m=+10460.891835029
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.alloc_bytes': 73326136.000
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.sys_bytes': 222746880.000
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.malloc_count': 109195904.000
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.free_count': 108409568.000
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.heap_objects': 786342.000
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.total_gc_pause_ns': 150293024.000
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.expire.num_leases': 5100.000
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.num_goroutines': 39.000
+[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.total_gc_runs': 232.000
+[2017-12-19 20:38:00 +0000 UTC][S] 'vault.route.rollback.consul-': Count: 1 Sum: 0.013 LastUpdated: 2017-12-19 20:38:01.968471579 +0000 UTC m=+10465.811842067
+[2017-12-19 20:38:00 +0000 UTC][S] 'vault.rollback.attempt.consul-': Count: 1 Sum: 0.073 LastUpdated: 2017-12-19 20:38:01.968502743 +0000 UTC m=+10465.811873131
+[2017-12-19 20:38:00 +0000 UTC][S] 'vault.rollback.attempt.pki-': Count: 1 Sum: 0.070 LastUpdated: 2017-12-19 20:38:01.96867005 +0000 UTC m=+10465.812041936
+[2017-12-19 20:38:00 +0000 UTC][S] 'vault.route.rollback.auth-app-id-': Count: 1 Sum: 0.012 LastUpdated: 2017-12-19 20:38:01.969146401 +0000 UTC m=+10465.812516689
+[2017-12-19 20:38:00 +0000 UTC][S] 'vault.rollback.attempt.identity-': Count: 1 Sum: 0.063 LastUpdated: 2017-12-19 20:38:01.968029888 +0000 UTC m=+10465.811400276
+[2017-12-19 20:38:00 +0000 UTC][S] 'vault.rollback.attempt.database-': Count: 1 Sum: 0.066 LastUpdated: 2017-12-19 20:38:01.969394215 +0000 UTC m=+10465.812764603
+[2017-12-19 20:38:00 +0000 UTC][S] 'vault.barrier.get': Count: 16 Min: 0.010 Mean: 0.015 Max: 0.031 Stddev: 0.005 Sum: 0.237 LastUpdated: 2017-12-19 20:38:01.983268118 +0000 UTC m=+10465.826637008
+[2017-12-19 20:38:00 +0000 UTC][S] 'vault.merkle.flushDirty': Count: 100 Min: 0.006 Mean: 0.024 Max: 0.098 Stddev: 0.019 Sum: 2.386 LastUpdated: 2017-12-19 20:38:09.848158309 +0000 UTC m=+10473.691527099
+```
+
+You'll note that log entries are prefixed with the metric type as follows:
+
+- **[C]** is a counter
+- **[G]** is a gauge
+- **[S]** is a summary
+
+The following sections describe available Vault metrics. The metrics interval can be assumed to be 10 seconds when manually triggering metrics output using the above described signals.
+
+## Audit Metrics
+
+These metrics relate to auditing.
+
+| Metric                             | Description                                                                                                                                                                                                                                                                                                                                                                                                                                               | Unit     | Type    |
+| :--------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | :------ |
+| `vault.audit.log_request`          | Duration of time taken by all audit log requests across all audit log devices                                                                                                                                                                                                                                                                                                                                                                             | ms       | summary |
+| `vault.audit.log_response`         | Duration of time taken by audit log responses across all audit log devices                                                                                                                                                                                                                                                                                                                                                                                | ms       | summary |
+| `vault.audit.log_request_failure`  | Number of audit log request failures. **NOTE**: This is a particularly important metric. Any non-zero value here indicates that there was a failure to make an audit log request to any of the configured audit log devices; **when Vault cannot log to any of the configured audit log devices it ceases all user operations**, and you should begin troubleshooting the audit log devices immediately if this metric continually increases.             | failures | counter |
+| `vault.audit.log_response_failure` | Number of audit log response failures. **NOTE**: This is a particularly important metric. Any non-zero value here indicates that there was a failure to receive a response to a request made to one of the configured audit log devices; **when Vault cannot log to any of the configured audit log devices it ceases all user operations**, and you should begin troubleshooting the audit log devices immediately if this metric continually increases. | failures | counter |
+
+**NOTE:** In addition, there are audit metrics for each enabled audit device represented as `vault.audit.<type>.log_request`. For example, if a file audit device is enabled, its metrics would be `vault.audit.file.log_request` and `vault.audit.file.log_response` .
+
+## Core Metrics
+
+These metrics represent operational aspects of the running Vault instance.
+
+| Metric                               | Description                                                                                                                                                                                         | Unit | Type    |
+| :----------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--- | :------ |
+| `vault.barrier.delete`               | Duration of time taken by DELETE operations at the barrier                                                                                                                                          | ms   | summary |
+| `vault.barrier.get`                  | Duration of time taken by GET operations at the barrier                                                                                                                                             | ms   | summary |
+| `vault.barrier.put`                  | Duration of time taken by PUT operations at the barrier                                                                                                                                             | ms   | summary |
+| `vault.barrier.list`                 | Duration of time taken by LIST operations at the barrier                                                                                                                                            | ms   | summary |
+| `vault.core.check_token`             | Duration of time taken by token checks handled by Vault core                                                                                                                                        | ms   | summary |
+| `vault.core.fetch_acl_and_token`     | Duration of time taken by ACL and corresponding token entry fetches handled by Vault core                                                                                                           | ms   | summary |
+| `vault.core.handle_request`          | Duration of time taken by requests handled by Vault core                                                                                                                                            | ms   | summary |
+| `vault.core.handle_login_request`    | Duration of time taken by login requests handled by Vault core                                                                                                                                      | ms   | summary |
+| `vault.core.leadership_setup_failed` | Duration of time taken by cluster leadership setup failures which have occurred in a highly available Vault cluster. This should be monitored and alerted on for overall cluster leadership status. | ms   | summary |
+| `vault.core.leadership_lost`         | Duration of time taken by cluster leadership losses which have occurred in a highly available Vault cluster. This should be monitored and alerted on for overall cluster leadership status.         | ms   | summary |
+| `vault.core.post_unseal`             | Duration of time taken by post-unseal operations handled by Vault core                                                                                                                              | ms   | gauge   |
+| `vault.core.pre_seal`                | Duration of time taken by pre-seal operations                                                                                                                                                       | ms   | gauge   |
+| `vault.core.seal-with-request`       | Duration of time taken by requested seal operations                                                                                                                                                 | ms   | gauge   |
+| `vault.core.seal`                    | Duration of time taken by seal operations                                                                                                                                                           | ms   | gauge   |
+| `vault.core.seal-internal`           | Duration of time taken by internal seal operations                                                                                                                                                  | ms   | gauge   |
+| `vault.core.step_down`               | Duration of time taken by cluster leadership step downs. This should be monitored and alerted on for overall cluster leadership status.                                                             | ms   | summary |
+| `vault.core.unseal`                  | Duration of time taken by unseal operations                                                                                                                                                         | ms   | summary |
+
+## Runtime Metrics
+
+These metrics represent runtime aspects of the running Vault instance.
+
+| Metric                            | Description                                                                                                                                                  | Unit       | Type    |
+| :-------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------- | :------ |
+| `vault.runtime.alloc_bytes`       | Number of bytes allocated by the Vault process. This could burst from time to time, but should return to a steady state value.                               | bytes      | gauge   |
+| `vault.runtime.free_count`        | Number of freed objects                                                                                                                                      | objects    | gauge   |
+| `vault.runtime.heap_objects`      | Number of objects on the heap. This is a good general memory pressure indicator worth establishing a baseline and thresholds for alerting.                   | objects    | gauge   |
+| `vault.runtime.malloc_count`      | Cumulative count of allocated heap objects                                                                                                                   | objects    | gauge   |
+| `vault.runtime.num_goroutines`    | Number of goroutines. This serves as a general system load indicator worth establishing a baseline and thresholds for alerting.                              | goroutines | gauge   |
+| `vault.runtime.sys_bytes`         | Number of bytes allocated to Vault. This includes what is being used by Vault's heap and what has been reclaimed but not given back to the operating system. | bytes      | gauge   |
+| `vault.runtime.total_gc_pause_ns` | The total garbage collector pause time since Vault was last started                                                                                          | ms         | summary |
+| `vault.runtime.total_gc_runs`     | Total number of garbage collection runs since Vault was last started                                                                                         | operations | gauge   |
+
+## Policy and Token Metrics
+
+These metrics relate to policies and tokens.
+
+| Metric                                    | Description                                                                 | Unit   | Type    |
+| :---------------------------------------- | :-------------------------------------------------------------------------- | :----- | :------ |
+| `vault.expire.fetch-lease-times`          | Time taken to fetch lease times                                             | ms     | summary |
+| `vault.expire.fetch-lease-times-by-token` | Time taken to fetch lease times by token                                    | ms     | summary |
+| `vault.expire.num_leases`                 | Number of all leases which are eligible for eventual expiry                 | leases | gauge   |
+| `vault.expire.revoke`                     | Time taken to revoke a token                                                | ms     | summary |
+| `vault.expire.revoke-force`               | Time taken to forcibly revoke a token                                       | ms     | summary |
+| `vault.expire.revoke-prefix`              | Time taken to revoke tokens on a prefix                                     | ms     | summary |
+| `vault.expire.revoke-by-token`            | Time taken to revoke all secrets issued with a given token                  | ms     | summary |
+| `vault.expire.renew`                      | Time taken to renew a lease                                                 | ms     | summary |
+| `vault.expire.renew-token`                | Time taken to renew a token which does not need to invoke a logical backend | ms     | summary |
+| `vault.expire.register`                   | Time taken for register operations                                          | ms     | summary |
+
+These operations take a request and response with an associated lease and register a lease entry with lease ID
+
+| Metric                       | Description                                                                                   | Unit  | Type    |
+| :--------------------------- | :-------------------------------------------------------------------------------------------- | :---- | :------ |
+| `vault.expire.register-auth` | Time taken for register authentication operations which create lease entries without lease ID | ms    | summary |
+| `vault.policy.get_policy`    | Time taken to get a policy                                                                    | ms    | summary |
+| `vault.policy.list_policies` | Time taken to list policies                                                                   | ms    | summary |
+| `vault.policy.delete_policy` | Time taken to delete a policy                                                                 | ms    | summary |
+| `vault.policy.set_policy`    | Time taken to set a policy                                                                    | ms    | summary |
+| `vault.token.create`         | The time taken to create a token                                                              | ms    | summary |
+| `vault.token.create_root`    | Number of created root tokens. Does not decrease on revocation.                               | token | counter |
+| `vault.token.createAccessor` | The time taken to create a token accessor                                                     | ms    | summary |
+| `vault.token.lookup`         | The time taken to look up a token                                                             | ms    | summary |
+| `vault.token.revoke`         | Time taken to revoke a token                                                                  | ms    | summary |
+| `vault.token.revoke-tree`    | Time taken to revoke a token tree                                                             | ms    | summary |
+| `vault.token.store`          | Time taken to store an updated token entry without writing to the secondary index             | ms    | summary |
+
+## Auth Methods Metrics
+
+These metrics relate to supported authentication methods.
+
+| Metric                              | Description                                                                                                   | Unit | Type    |
+| :---------------------------------- | :------------------------------------------------------------------------------------------------------------ | :--- | :------ |
+| `vault.rollback.attempt.auth-token` | Time taken to perform a rollback operation for the [token auth method][token-auth-backend]                    | ms   | summary |
+| `vault.rollback.attempt.auth-ldap`  | Time taken to perform a rollback operation for the [LDAP auth method][ldap-auth-backend]                      | ms   | summary |
+| `vault.rollback.attempt.cubbyhole`  | Time taken to perform a rollback operation for the [Cubbyhole secret backend][cubbyhole-secrets-engine]       | ms   | summary |
+| `vault.rollback.attempt.secret`     | Time taken to perform a rollback operation for the [K/V secret backend][kv-secrets-engine]                    | ms   | summary |
+| `vault.rollback.attempt.sys`        | Time taken to perform a rollback operation for the system backend                                             | ms   | summary |
+| `vault.route.rollback.auth-ldap`    | Time taken to perform a route rollback operation for the [LDAP auth method][ldap-auth-backend]                | ms   | summary |
+| `vault.route.rollback.auth-token`   | Time taken to perform a route rollback operation for the [token auth method][token-auth-backend]              | ms   | summary |
+| `vault.route.rollback.cubbyhole`    | Time taken to perform a route rollback operation for the [Cubbyhole secret backend][cubbyhole-secrets-engine] | ms   | summary |
+| `vault.route.rollback.secret`       | Time taken to perform a route rollback operation for the [K/V secret backend][kv-secrets-engine]              | ms   | summary |
+| `vault.route.rollback.sys`          | Time taken to perform a route rollback operation for the system backend                                       | ms   | summary |
+
+## Merkle Tree and Write Ahead Log Metrics
+
+These metrics relate to internal operations on Merkle Trees and Write Ahead Logs (WAL)
+
+| Metric                        | Description                                                                 | Unit | Type    |
+| :---------------------------- | :-------------------------------------------------------------------------- | :--- | :------ |
+| `vault.merkle_flushdirty`     | Time taken to flush any dirty pages to cold storage                         | ms   | summary |
+| `vault.merkle_savecheckpoint` | Time taken to save the checkpoint                                           | ms   | summary |
+| `vault.wal_deletewals`        | Time taken to delete a Write Ahead Log (WAL)                                | ms   | summary |
+| `vault.wal_gc_deleted`        | Number of Write Ahead Logs (WAL) deleted during each garbage collection run | WAL  | counter |
+| `vault.wal_gc_total`          | Total Number of Write Ahead Logs (WAL) on disk                              | WAL  | counter |
+| `vault.wal_loadWAL`           | Time taken to load a Write Ahead Log (WAL)                                  | ms   | summary |
+| `vault.wal_persistwals`       | Time taken to persist a Write Ahead Log (WAL)                               | ms   | summary |
+| `vault.wal_flushready`        | Time taken to flush a ready Write Ahead Log (WAL) to storage                | ms   | summary |
+
+## Replication Metrics
+
+These metrics relate to [Vault Enterprise Replication](https://www.vaultproject.io/docs/enterprise/replication/index.html). The following metrics are not available in telemetry unless replication is in an unhealthy state: `replication.fetchRemoteKeys`, `replication.merkleDiff`, and `replication.merkleSync`.
+
+| Metric                                                  | Description                                                                                                                                | Unit            | Type    |
+| :------------------------------------------------------ | :----------------------------------------------------------------------------------------------------------------------------------------- | :-------------- | :------ |
+| `logshipper.streamWALs.missing_guard`                   | Number of incidences where the starting Merkle Tree index used to begin streaming WAL entries is not matched/found                         | missing guards  | counter |
+| `logshipper.streamWALs.guard_found`                     | Number of incidences where the starting Merkle Tree index used to begin streaming WAL entries is matched/found                             | found guards    | counter |
+| `replication.fetchRemoteKeys`                           | Time taken to fetch keys from a remote cluster participating in replication prior to Merkle Tree based delta generation                    | ms              | summary |
+| `replication.merkleDiff`                                | Time taken to perform a Merkle Tree based delta generation between the clusters participating in replication                               | ms              | summary |
+| `replication.merkleSync`                                | Time taken to perform a Merkle Tree based synchronization using the last delta generated between the clusters participating in replication | ms              | summary |
+| `replication.merkle.commit_index`                       | The last committed index in the Merkle Tree.                                                                                               | sequence number | gauge   |
+| `replication.wal.last_wal`                              | The index of the last WAL                                                                                                                  | sequence number | gauge   |
+| `replication.wal.last_dr_wal`                           | The index of the last DR WAL                                                                                                               | sequence number | gauge   |
+| `replication.wal.last_performance_wal`                  | The index of the last Performance WAL                                                                                                      | sequence number | gauge   |
+| `replication.fsm.last_remote_wal`                       | The index of the last remote WAL                                                                                                           | sequence number | gauge   |
+| `replication.rpc.server.auth_request`                   | Duration of time taken by auth request                                                                                                     | ms              | summary |
+| `replication.rpc.server.bootstrap_request`              | Duration of time taken by bootstrap request                                                                                                | ms              | summary |
+| `replication.rpc.server.conflicting_pages_request`      | Duration of time taken by conflicting pages request                                                                                        | ms              | summary |
+| `replication.rpc.server.echo`                           | Duration of time taken by echo                                                                                                             | ms              | summary |
+| `replication.rpc.server.forwarding_request`             | Duration of time taken by forwarding request                                                                                               | ms              | summary |
+| `replication.rpc.server.guard_hash_request`             | Duration of time taken by guard hash request                                                                                               | ms              | summary |
+| `replication.rpc.server.persist_alias_request`          | Duration of time taken by persist alias request                                                                                            | ms              | summary |
+| `replication.rpc.server.persist_persona_request`        | Duration of time taken by persist persona request                                                                                          | ms              | summary |
+| `replication.rpc.server.stream_wals_request`            | Duration of time taken by stream wals request                                                                                              | ms              | summary |
+| `replication.rpc.server.sub_page_hashes_request`        | Duration of time taken by sub page hashes request                                                                                          | ms              | summary |
+| `replication.rpc.server.sync_counter_request`           | Duration of time taken by sync counter request                                                                                             | ms              | summary |
+| `replication.rpc.server.upsert_group_request`           | Duration of time taken by upsert group request                                                                                             | ms              | summary |
+| `replication.rpc.client.conflicting_pages`              | Duration of time taken by client conflicting pages request                                                                                 | ms              | summary |
+| `replication.rpc.client.fetch_keys`                     | Duration of time taken by client fetch keys request                                                                                        | ms              | summary |
+| `replication.rpc.client.forward`                        | Duration of time taken by client forward request                                                                                           | ms              | summary |
+| `replication.rpc.client.guard_hash`                     | Duration of time taken by client guard hash request                                                                                        | ms              | summary |
+| `replication.rpc.client.persist_alias`                  | Duration of time taken by                                                                                                                  | ms              | summary |
+| `replication.rpc.client.register_auth`                  | Duration of time taken by client register auth request                                                                                     | ms              | summary |
+| `replication.rpc.client.register_lease`                 | Duration of time taken by client register lease request                                                                                    | ms              | summary |
+| `replication.rpc.client.stream_wals`                    | Duration of time taken by client s                                                                                                         | ms              | summary |
+| `replication.rpc.client.sub_page_hashes`                | Duration of time taken by client sub page hashes request                                                                                   | ms              | summary |
+| `replication.rpc.client.sync_counter`                   | Duration of time taken by client sync counter request                                                                                      | ms              | summary |
+| `replication.rpc.client.upsert_group`                   | Duration of time taken by client upstert group request                                                                                     | ms              | summary |
+| `replication.rpc.client.wrap_in_cubbyhole`              | Duration of time taken by client wrap in cubbyhole request                                                                                 | ms              | summary |
+| `replication.rpc.dr.server.echo`                        | Duration of time taken by DR echo request                                                                                                  | ms              | summary |
+| `replication.rpc.dr.server.fetch_keys_request`          | Duration of time taken by DR fetch keys request                                                                                            | ms              | summary |
+| `replication.rpc.standby.server.echo`                   | Duration of time taken by standby echo request                                                                                             | ms              | summary |
+| `replication.rpc.standby.server.register_auth_request`  | Duration of time taken by standby register auth request                                                                                    | ms              | summary |
+| `replication.rpc.standby.server.register_lease_request` | Duration of time taken by standby register lease request                                                                                   | ms              | summary |
+| `replication.rpc.standby.server.wrap_token_request`     | Duration of time taken by standby wrap token request                                                                                       | ms              | summary |
+
+## Secrets Engines Metrics
+
+These metrics relate to the supported [secrets engines][secrets-engines].
+
+| Metric                                   | Description                                                                                                                                                                | Unit   | Type    |
+| :--------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----- | :------ |
+| `database.Initialize`                    | Time taken to initialize a database secret engine across all database secrets engines                                                                                      | ms     | summary |
+| `database.&lt;name&gt;.Initialize`       | Time taken to initialize a database secret engine for the named database secrets engine `<name>`, for example: `database.postgresql-prod.Initialize`                       | ms     | summary |
+| `database.Initialize.error`              | Number of database secrets engine initialization operation errors across all database secrets engines                                                                      | errors | counter |
+| `database.&lt;name&gt;.Initialize.error` | Number of database secrets engine initialization operation errors for the named database secrets engine `<name>`, for example: `database.postgresql-prod.Initialize.error` | errors | counter |
+| `database.Close`                         | Time taken to close a database secret engine across all database secrets engines                                                                                           | ms     | summary |
+| `database.&lt;name&gt;.Close`            | Time taken to close a database secret engine for the named database secrets engine `<name>`, for example: `database.postgresql-prod.Close`                                 | ms     | summary |
+| `database.Close.error`                   | Number of database secrets engine close operation errors across all database secrets engines                                                                               | errors | counter |
+| `database.&lt;name&gt;.Close.error`      | Number of database secrets engine close operation errors for the named database secrets engine `<name>`, for example: `database.postgresql-prod.Close.error`               | errors | counter |
+| `database.CreateUser`                    | Time taken to create a user across all database secrets engines                                                                                                            | ms     | summary |
+| `database.&lt;name&gt;.CreateUser`       | Time taken to create a user for the named database secrets engine `<name>`                                                                                                 | ms     | summary |
+| `database.CreateUser.error`              | Number of user creation operation errors across all database secrets engines                                                                                               | errors | counter |
+| `database.&lt;name&gt;.CreateUser.error` | Number of user creation operation errors for the named database secrets engine `<name>`, for example: `database.postgresql-prod.CreateUser.error`                          | errors | counter |
+| `database.RenewUser`                     | Time taken to renew a user across all database secrets engines                                                                                                             | ms     | summary |
+| `database.&lt;name&gt;.RenewUser`        | Time taken to renew a user for the named database secrets engine `<name>`, for example: `database.postgresql-prod.RenewUser`                                               | ms     | summary |
+| `database.RenewUser.error`               | Number of user renewal operation errors across all database secrets engines                                                                                                | errors | counter |
+| `database.&lt;name&gt;.RenewUser.error`  | Number of user renewal operations for the named database secrets engine `<name>`, for example: `database.postgresql-prod.RenewUser.error`                                  | errors | counter |
+| `database.RevokeUser`                    | Time taken to revoke a user across all database secrets engines                                                                                                            | ms     | summary |
+| `database.&lt;name&gt;.RevokeUser`       | Time taken to revoke a user for the named database secrets engine `<name>`, for example: `database.postgresql-prod.RevokeUser`                                             | ms     | summary |
+| `database.RevokeUser.error`              | Number of user revocation operation errors across all database secrets engines                                                                                             | errors | counter |
+| `database.&lt;name&gt;.RevokeUser.error` | Number of user revocation operations for the named database secrets engine `<name>`, for example: `database.postgresql-prod.RevokeUser.error`                              | errors | counter |
+
+## Storage Backend Metrics
+
+These metrics relate to the supported [storage backends][storage-backends].
+
+| Metric                      | Description                                                                                                            | Unit | Type    |
+| :-------------------------- | :--------------------------------------------------------------------------------------------------------------------- | :--- | :------ |
+| `vault.azure.put`           | Duration of a PUT operation against the [Azure storage backend][azure-storage-backend]                                 | ms   | summary |
+| `vault.azure.get`           | Duration of a GET operation against the [Azure storage backend][azure-storage-backend]                                 | ms   | summary |
+| `vault.azure.delete`        | Duration of a DELETE operation against the [Azure storage backend][azure-storage-backend]                              | ms   | summary |
+| `vault.azure.list`          | Duration of a LIST operation against the [Azure storage backend][azure-storage-backend]                                | ms   | summary |
+| `vault.cassandra.put`       | Duration of a PUT operation against the [Cassandra storage backend][cassandra-storage-backend]                         | ms   | summary |
+| `vault.cassandra.get`       | Duration of a GET operation against the [Cassandra storage backend][cassandra-storage-backend]                         | ms   | summary |
+| `vault.cassandra.delete`    | Duration of a DELETE operation against the [Cassandra storage backend][cassandra-storage-backend]                      | ms   | summary |
+| `vault.cassandra.list`      | Duration of a LIST operation against the [Cassandra storage backend][cassandra-storage-backend]                        | ms   | summary |
+| `vault.cockroachdb.put`     | Duration of a PUT operation against the [CockroachDB storage backend][cockroachdb-storage-backend]                     | ms   | summary |
+| `vault.cockroachdb.get`     | Duration of a GET operation against the [CockroachDB storage backend][cockroachdb-storage-backend]                     | ms   | summary |
+| `vault.cockroachdb.delete`  | Duration of a DELETE operation against the [CockroachDB storage backend][cockroachdb-storage-backend]                  | ms   | summary |
+| `vault.cockroachdb.list`    | Duration of a LIST operation against the [CockroachDB storage backend][cockroachdb-storage-backend]                    | ms   | summary |
+| `vault.consul.put`          | Duration of a PUT operation against the [Consul storage backend][consul-storage-backend]                               | ms   | summary |
+| `vault.consul.get`          | Duration of a GET operation against the [Consul storage backend][consul-storage-backend]                               | ms   | summary |
+| `vault.consul.delete`       | Duration of a DELETE operation against the [Consul storage backend][consul-storage-backend]                            | ms   | summary |
+| `vault.consul.list`         | Duration of a LIST operation against the [Consul storage backend][consul-storage-backend]                              | ms   | summary |
+| `vault.couchdb.put`         | Duration of a PUT operation against the [CouchDB storage backend][couchdb-storage-backend]                             | ms   | summary |
+| `vault.couchdb.get`         | Duration of a GET operation against the [CouchDB storage backend][couchdb-storage-backend]                             | ms   | summary |
+| `vault.couchdb.delete`      | Duration of a DELETE operation against the [CouchDB storage backend][couchdb-storage-backend]                          | ms   | summary |
+| `vault.couchdb.list`        | Duration of a LIST operation against the [CouchDB storage backend][couchdb-storage-backend]                            | ms   | summary |
+| `vault.dynamodb.put`        | Duration of a PUT operation against the [DynamoDB storage backend][dynamodb-storage-backend]                           | ms   | summary |
+| `vault.dynamodb.get`        | Duration of a GET operation against the [DynamoDB storage backend][dynamodb-storage-backend]                           | ms   | summary |
+| `vault.dynamodb.delete`     | Duration of a DELETE operation against the [DynamoDB storage backend][dynamodb-storage-backend]                        | ms   | summary |
+| `vault.dynamodb.list`       | Duration of a LIST operation against the [DynamoDB storage backend][dynamodb-storage-backend]                          | ms   | summary |
+| `vault.etcd.put`            | Duration of a PUT operation against the [etcd storage backend][etcd-storage-backend]                                   | ms   | summary |
+| `vault.etcd.get`            | Duration of a GET operation against the [etcd storage backend][etcd-storage-backend]                                   | ms   | summary |
+| `vault.etcd.delete`         | Duration of a DELETE operation against the [etcd storage backend][etcd-storage-backend]                                | ms   | summary |
+| `vault.etcd.list`           | Duration of a LIST operation against the [etcd storage backend][etcd-storage-backend]                                  | ms   | summary |
+| `vault.gcs.put`             | Duration of a PUT operation against the [Google Cloud Storage storage backend][gcs-storage-backend]                    | ms   | summary |
+| `vault.gcs.get`             | Duration of a GET operation against the [Google Cloud Storage storage backend][gcs-storage-backend]                    | ms   | summary |
+| `vault.gcs.delete`          | Duration of a DELETE operation against the [Google Cloud Storage storage backend][gcs-storage-backend]                 | ms   | summary |
+| `vault.gcs.list`            | Duration of a LIST operation against the [Google Cloud Storage storage backend][gcs-storage-backend]                   | ms   | summary |
+| `vault.gcs.lock.unlock`     | Duration of an UNLOCK operation against the [Google Cloud Storage storage backend][gcs-storage-backend] in HA mode     | ms   | summary |
+| `vault.gcs.lock.lock`       | Duration of a LOCK operation against the [Google Cloud Storage storage backend][gcs-storage-backend] in HA mode        | ms   | summary |
+| `vault.gcs.lock.value`      | Duration of a VALUE operation against the [Google Cloud Storage storage backend][gcs-storage-backend] in HA mode       | ms   | summary |
+| `vault.mssql.put`           | Duration of a PUT operation against the [MS-SQL storage backend][mssql-storage-backend]                                | ms   | summary |
+| `vault.mssql.get`           | Duration of a GET operation against the [MS-SQL storage backend][mssql-storage-backend]                                | ms   | summary |
+| `vault.mssql.delete`        | Duration of a DELETE operation against the [MS-SQL storage backend][mssql-storage-backend]                             | ms   | summary |
+| `vault.mssql.list`          | Duration of a LIST operation against the [MS-SQL storage backend][mssql-storage-backend]                               | ms   | summary |
+| `vault.mysql.put`           | Duration of a PUT operation against the [MySQL storage backend][mysql-storage-backend]                                 | ms   | summary |
+| `vault.mysql.get`           | Duration of a GET operation against the [MySQL storage backend][mysql-storage-backend]                                 | ms   | summary |
+| `vault.mysql.delete`        | Duration of a DELETE operation against the [MySQL storage backend][mysql-storage-backend]                              | ms   | summary |
+| `vault.mysql.list`          | Duration of a LIST operation against the [MySQL storage backend][mysql-storage-backend]                                | ms   | summary |
+| `vault.postgres.put`        | Duration of a PUT operation against the [PostgreSQL storage backend][postgresql-storage-backend]                       | ms   | summary |
+| `vault.postgres.get`        | Duration of a GET operation against the [PostgreSQL storage backend][postgresql-storage-backend]                       | ms   | summary |
+| `vault.postgres.delete`     | Duration of a DELETE operation against the [PostgreSQL storage backend][postgresql-storage-backend]                    | ms   | summary |
+| `vault.postgres.list`       | Duration of a LIST operation against the [PostgreSQL storage backend][postgresql-storage-backend]                      | ms   | summary |
+| `vault.s3.put`              | Duration of a PUT operation against the [Amazon S3 storage backend][s3-storage-backend]                                | ms   | summary |
+| `vault.s3.get`              | Duration of a GET operation against the [Amazon S3 storage backend][s3-storage-backend]                                | ms   | summary |
+| `vault.s3.delete`           | Duration of a DELETE operation against the [Amazon S3 storage backend][s3-storage-backend]                             | ms   | summary |
+| `vault.s3.list`             | Duration of a LIST operation against the [Amazon S3 storage backend][s3-storage-backend]                               | ms   | summary |
+| `vault.spanner.put`         | Duration of a PUT operation against the [Google Cloud Spanner storage backend][spanner-storage-backend]                | ms   | summary |
+| `vault.spanner.get`         | Duration of a GET operation against the [Google Cloud Spanner storage backend][spanner-storage-backend]                | ms   | summary |
+| `vault.spanner.delete`      | Duration of a DELETE operation against the [Google Cloud Spanner storage backend][spanner-storage-backend]             | ms   | summary |
+| `vault.spanner.list`        | Duration of a LIST operation against the [Google Cloud Spanner storage backend][spanner-storage-backend]               | ms   | summary |
+| `vault.spanner.lock.unlock` | Duration of an UNLOCK operation against the [Google Cloud Spanner storage backend][spanner-storage-backend] in HA mode | ms   | summary |
+| `vault.spanner.lock.lock`   | Duration of a LOCK operation against the [Google Cloud Spanner storage backend][spanner-storage-backend] in HA mode    | ms   | summary |
+| `vault.spanner.lock.value`  | Duration of a VALUE operation against the [Google Cloud Spanner storage backend][gcs-storage-backend] in HA mode       | ms   | summary |
+| `vault.swift.put`           | Duration of a PUT operation against the [Swift storage backend][swift-storage-backend]                                 | ms   | summary |
+| `vault.swift.get`           | Duration of a GET operation against the [Swift storage backend][swift-storage-backend]                                 | ms   | summary |
+| `vault.swift.delete`        | Duration of a DELETE operation against the [Swift storage backend][swift-storage-backend]                              | ms   | summary |
+| `vault.swift.list`          | Duration of a LIST operation against the [Swift storage backend][swift-storage-backend]                                | ms   | summary |
+| `vault.zookeeper.put`       | Duration of a PUT operation against the [ZooKeeper storage backend][zookeeper-storage-backend]                         | ms   | summary |
+| `vault.zookeeper.get`       | Duration of a GET operation against the [ZooKeeper storage backend][zookeeper-storage-backend]                         | ms   | summary |
+| `vault.zookeeper.delete`    | Duration of a DELETE operation against the [ZooKeeper storage backend][zookeeper-storage-backend]                      | ms   | summary |
+| `vault.zookeeper.list`      | Duration of a LIST operation against the [ZooKeeper storage backend][zookeeper-storage-backend]                        | ms   | summary |
+
+[secrets-engines]: /docs/secrets/index.html
+[storage-backends]: /docs/configuration/storage/index.html
+[telemetry-stanza]: /docs/configuration/telemetry.html
+[cubbyhole-secrets-engine]: /docs/secrets/cubbyhole/index.html
+[kv-secrets-engine]: /docs/secrets/kv/index.html
+[ldap-auth-backend]: /docs/auth/ldap.html
+[token-auth-backend]: /docs/auth/token.html
+[azure-storage-backend]: /docs/configuration/storage/azure.html
+[cassandra-storage-backend]: /docs/configuration/storage/cassandra.html
+[cockroachdb-storage-backend]: /docs/configuration/storage/cockroachdb.html
+[consul-storage-backend]: /docs/configuration/storage/consul.html
+[couchdb-storage-backend]: /docs/configuration/storage/couchdb.html
+[dynamodb-storage-backend]: /docs/configuration/storage/dynamodb.html
+[etcd-storage-backend]: /docs/configuration/storage/etcd.html
+[gcs-storage-backend]: /docs/configuration/storage/google-cloud-storage.html
+[spanner-storage-backend]: /docs/configuration/storage/google-cloud-spanner.html
+[mssql-storage-backend]: /docs/configuration/storage/mssql.html
+[mysql-storage-backend]: /docs/configuration/storage/mysql.html
+[postgresql-storage-backend]: /docs/configuration/storage/postgresql.html
+[s3-storage-backend]: /docs/configuration/storage/s3.html
+[swift-storage-backend]: /docs/configuration/storage/swift.html
+[zookeeper-storage-backend]: /docs/configuration/storage/zookeeper.html
diff --git a/website/pages/docs/internals/token.mdx b/website/pages/docs/internals/token.mdx
new file mode 100644
index 000000000000..1963848de282
--- /dev/null
+++ b/website/pages/docs/internals/token.mdx
@@ -0,0 +1,52 @@
+---
+layout: docs
+page_title: Token Authentication
+sidebar_title: Token Authentication
+description: Learn about the client token authentication in Vault.
+---
+
+# Token Authentication
+
+The `token` auth method is built-in and is at the core of
+client authentication. Other auth methods may be used to
+authenticate a client, but they eventually result in the generation of a client
+token managed by the `token` backend.
+
+Every token has a number of properties:
+
+- ID - The primary ID of a token is a randomly generated value
+- Display Name - Optionally, a human readable display name
+- Metadata - Metadata used for audit logging
+- Number of Uses - Optionally, a restricted use count
+- Parent ID - Optionally, a parent token which created this child token
+- Policies - An associated list of ACL policies
+- Source Path - The path at which the token was generated (e.g. `auth/github/login`)
+
+The properties of a token are immutable once created. The exception to this
+is the number of uses, which is decremented on each request. Each of these
+properties enable Vault to do a number of interesting things.
+
+Each token maintains the source path, or the login path, that was used
+to create the token. This is used to allow source based revocation. For example,
+if we believe our GitHub organization was compromised, we may want to revoke
+all tokens generated via `auth/github/login`. This would be done by using the
+`sys/revoke-prefix/` API with the `auth/github/` prefix. Revoking the
+prefix will revoke all client tokens generated at that path, as well as all
+dynamic secrets generated by those tokens. This provides a powerful "break glass"
+procedure during a potential compromise.
+
+If a token is created by another auth method, they do not have
+a parent token. However, any tokens created by the `auth/token/create` API
+have a parent token, namely the token used to make that request. By maintaining
+this parent-child relationship, Vault models token trees. Child tokens can
+be created with a subset of the parent policies, allowing for dropping of
+privileges. When a token is revoked, the entire sub-tree of tokens is revoked
+with it. This allows clients to safely generate child tokens and then revoke
+them all along with the root.
+
+Child tokens are very useful, especially when combined with limited use tokens.
+When a token is created, its use count can be optionally specified. Providing
+a use count of one makes a _one time token_. This means the token can be used
+for a single request before being automatically revoked. This can be generalized
+to any number of uses. Limited use tokens cannot be used to create sub-tokens,
+but they can be a powerful way to allow extremely limited access to Vault.
diff --git a/website/pages/docs/partnerships/index.mdx b/website/pages/docs/partnerships/index.mdx
new file mode 100644
index 000000000000..08aa43b44293
--- /dev/null
+++ b/website/pages/docs/partnerships/index.mdx
@@ -0,0 +1,133 @@
+---
+layout: docs
+page_title: Vault Integration Program
+description: Guide to partnership integrations and creating plugins for Vault.
+---
+
+# Vault Integration Program
+
+The HashiCorp Vault Integration Program allows vendors to integrate their products to work with Vault. Vault has a relatively large surface area and thereby a large set of possible integrations some of which require the vendor integration code, like other integrations that result in the solution working tightly with Vault.
+
+Vendors integrating their solutions via the Vault Integration Process provide their customers a verified and seamless user experience. The Vault Integration Program currently only supports coding with the Go programming language (run time integrations).
+
+This program is intended to be largely a self-service process with links and guidance to information sources, clearly defined steps, and checkpoints.
+
+## Types of Vault Integrations
+
+From a high-level perspective, Vault is a tool used to manage secrets and protect sensitive data. It helps secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API. For a full description of the current features please refer to the Vault website [Vault Website](/). Vault provides a unified interface to any secret, while providing tight access control and support with detailed recording from integrated audit logs.
+
+The diagram below depicts the key Vault integration categories and types.
+
+![Integration Categories](/img/integration-program-vaulteco.png)
+
+Main Vault categories for partners to integrate with include:
+
+**Authentication Methods**: Authentication (or Auth) methods are components in Vault that perform authentication and are responsible for assigning identity along with a set of policies to a user. Vault supports multiple auth methods/identity models to better support your business use case. You can find more information about Vault Auth Methods [here](/docs/auth/).
+
+**Runtime Integrations**: Plugin backends are components in Vault that can be implemented separately from Vault's built-in features. Runtime integrations are sometimes referred to a Direct Application Integration. These backends can be either authentication, secrets engines or other security features. You can find more information about Vault Direct Application Integration [here]("https://learn.hashicorp.com/vault/developer/sm-app-integration").
+
+**Audit/Monitoring & Compliance**: Audit/Monitoring and Compliance are components in Vault that keep a detailed log of all requests and response to Vault. Because every operation with Vault is an API request/response, the audit log contains every authenticated interaction with Vault, including errors. Vault supports multiple audit devices to support your business use case. You can find more information about Vault Audit Devices [here](/docs/audit/).
+
+HSM (Hardware Security Module) integrations provide an added level of security and compliance. The HSM communicates with Vault using the PKCS#11 protocol thereby resulting in the integration to primarily involve verification of the operation of the functionality. You can find more information about Vault HSM [here](/docs/enterprise/hsm/index.html).
+
+**Secrets Engines**: Secrets engine are components which store, generate, or encrypt data. Secrets engines are provided some set of data, that take some action on that data, and then return a result. Some secrets engines store and read data, like encrypted in-memory data structure, other secrets engines connect to other services. Examples of secrets engines include Identity modules of Cloud providers like AWS, Azure IAM models, Cloud (LDAP), database or key management. You can find more information about Vault Secrets Engines here.
+
+## Development Process
+
+The Vault integration development process is divided into six steps. By following these steps, Vault integrations can be developed alongside HashiCorp to ensure that the integrations are able to be verified and supported in Vault as quickly as possible. A visual representation of the self-guided steps is depicted below.
+
+![Development Process](/img/integration-program-devprocess.png)
+
+1.  Engage: Initial contact between vendor and HashiCorp
+2.  Enable: Information and articles to aid with the development of the integration
+3.  Develop and Test: Integration development and testing process
+4.  Review: HashiCorp code review and verification of integration (iterative process)
+5.  Release: Verified integration made available and listed on the HashiCorp website once the HashiCorp technology partnership agreement has been executed
+6.  Support: Ongoing maintenance and support of the integration by the vendor.
+
+### 1. Engage
+
+Please begin by providing some basic information about the integration that is being built via a simple [webform]("https://docs.google.com/forms/d/e/1FAIpQLSfQL1uj-mL59bd2EyCPI31LT9uvVT-xKyoHAb5FKIwWwwJ1qQ/viewform").
+
+This information is recorded and used by HashiCorp to track the integration through various stages. The information is also used to notify the integration developer of any overlapping work, perhaps coming from the community so you may better focus resources.
+
+Vault has a large and active community and ecosystem of partners that may have already started working on a similar integration. We'll do our best to connect similar parties to avoid duplicate work.
+
+### 2. Enable
+
+While not mandatory, HashiCorp encourages vendors to sign and MNDA (Mutual Non-Disclosure Agreement) to allow for open dialog and sharing of ideas during the integration process.
+
+In an effort to support our self-serve model we’ve included links to resources, documentation, examples and best practices to guide you through the Vault integration development and testing process.
+
+- [Writing vendor extension guide]("https://learn.hashicorp.com/vault#operations-and-development")
+- Sample development implemented by a [partner]("https://www.hashicorp.com/integrations/venafi/vault/")
+- Example vendor extensions for reference: [Aqua]("https://www.hashicorp.com/integrations/aqua-security/vault/"), [Demisto]("https://www.demisto.com/integrations/?_sf_s=hashicorp")
+- Contributing to Vault [guidelines]("https://github.com/hashicorp/vault/blob/master/CONTRIBUTING.md")
+- [Vault Community Forum]("https://discuss.hashicorp.com/c/vault")
+- [Vault's source code]("https://github.com/hashicorp/vault")
+
+We encourage vendors to closely follow the above guidance. Adopting the same structure and coding patterns helps expedite the review and release cycles.
+
+### 3. Develop and Test
+
+Vault requires all code-level integrations to be written in the [Go]("https://golang.org/") programming language and contain an [MPL-2.0]("https://en.wikipedia.org/wiki/Mozilla_Public_License") open source license. The only knowledge necessary to write a plugin is basic command-line skills and knowledge of the Go programming language. When writing in Go-Language, HashiCorp has found the integration development process to be straightforward and simple when vendors pay close attention and follow the resources and by adopting the same structure and coding patterns helps expedite the review and release cycles. Please remember that all integration major steps should contain acceptance testing and the appropriate documentation.
+
+Auth Methods
+
+- [Auth Methods documentation](/docs/auth/index.html)
+- [Example of how to build, install, and maintain auth method plugins plugin]("https://www.hashicorp.com/blog/building-a-vault-secure-plugin")
+- [Sample plugin code]("https://github.com/hashicorp/vault-auth-plugin-example")
+
+Runtime Integration
+
+- [Plugins documentation](/docs/internals/plugins.html)
+- [Guide to building Vault plugin backends]("https://www.vaultproject.io/guides/operations/plugin-backends.html")
+- [Vault Direct Application Integration]("https://learn.hashicorp.com/vault?track=getting-started#getting-started")
+
+Audit, Monitoring & Compliance Integration
+
+- [HSM documentation](/docs/enterprise/hsm/index.html)
+- [Configuration information](/docs/configuration/seal/pkcs11.html)
+- [Audit devices documentation](/docs/audit/index.html)
+
+Secrets Engine Integration
+
+- [Secret engine documentation](/docs/secrets/index.html)
+- There is currently no empty sample secrets plugin; however, the [AliCloud Secrets Plugin]("https://github.com/hashicorp/vault-plugin-secrets-alicloud") was written recently and is fairly simple
+- [Storage configuration documentation](/docs/configuration/storage/index.html)
+
+### 4. Review
+
+During the review process, HashiCorp will provide feedback on the newly developed integration. This is an important step to allow HashiCorp to review and verify your Vault integration. Please send the integration code and other relevant logs for verification to: vault-integration-dev@hashicorp.com.
+
+For Auth, Secret and Storage plugins please submit a GitHub pull request (PR) against the [Vault project]("https://github.com/hashicorp/vault"). In some cases the vendor may need to provide HashiCorp with a permanent test account so that the integration can be verified on an ongoing basis.
+
+The review process can take a while to complete and may require some iterations through the code to address and problems identified by the HashiCorp team.
+
+### 5. Release
+
+At this stage, it is expected that the integration is fully complete, the necessary documentation has been written, the acceptance tests have all passed, and that HashiCorp has reviewed the integration. Once the plugin has been validated and accepted by HashiCorp, the plugin can be hosted anywhere so it can more easily be downloaded then installed within Vault.
+
+Once the integration has been released the vendor is requested to sign the HashiCorp Technology Partner Agreement so that we can have their integration be listed on the HashiCorp website.
+
+### 6. Support
+
+Many vendors view the release step to be the end of the journey, while at HashiCorp we view it to be the beginning of the journey. Getting the integration built is just the first step in enabling users to leverage it against their infrastructure. Once development is completed, on-going effort is required to support the developed integration maintain the provider and address any issues in a timely manner.
+
+The expectation from the vendor/partner is to create a mechanism for them to track and resolve all critical issues as soon as possible within 48 hours and all other issues within 5 business days. This is a requirement given the critical nature of Vault to customer’s operation. Vendors who choose to not support their integration will not be considered a verified integration and cannot be listed on the website.
+
+## Checklist
+
+Below is a checklist of steps that should be followed during the Vault integration development process. This reiterates the steps described above.
+
+- Fill out the [Vault Integration webform](https://docs.google.com/forms/d/e/1FAIpQLSfQL1uj-mL59bd2EyCPI31LT9uvVT-xKyoHAb5FKIwWwwJ1qQ/viewform)
+- Develop and test Vault integration along with the acceptance tests and documentation, send to vault-integration-dev@hashicorp.com, to schedule an initial review
+- Address review feedback and finalize the development process
+- Provide HashiCorp with credentials for underlying infrastructure for test purposes
+- Demo the integration and/or send the test logs to HashiCorp to vault-integration-dev@hashicorp.com
+- Execute HashiCorp Partner Agreement Documents, review logo guidelines, partner listing and more
+- Plan to continue supporting the integration with additional functionality and responding to customer issues
+
+## Contact Us
+
+For any questions or feedback, please contact us at: [vault-integration-dev@hashicorp.com](mailto:vault-integration-dev@hashicorp.com)
diff --git a/website/pages/docs/platform/aws-mp/index.mdx b/website/pages/docs/platform/aws-mp/index.mdx
new file mode 100644
index 000000000000..cf795957dc55
--- /dev/null
+++ b/website/pages/docs/platform/aws-mp/index.mdx
@@ -0,0 +1,25 @@
+---
+layout: docs
+page_title: AWS Marketplace
+sidebar_title: AWS Marketplace
+description: >-
+  This section documents the official AWS Marketplace AMIs for Vault Open Source
+  and Vault Enterprise.
+---
+
+# AWS Marketplace
+
+Vault can be deployed onto Amazon Web Services (AWS) using HashiCorp’s official AWS Marketplace offerings. HashiCorp packages the latest version of both Vault Open Source and Vault Enterprise as Amazon Machine Images (AMIs).
+
+There are two varieties of Vault AMIs available through the AWS Marketplace. Vault Open Source is available as a public listing and can be subscribed to using the standard process for the AWS Marketplace. Vault Enterprise is also available through the AWS Marketplace. To learn more about consuming Vault Enterprise through the AWS Marketplace, please reach out to our sales team at the following address: <aws-marketplace@hashicorp.com>
+
+The AWS Marketplace listings can be found below.
+
+- [HashiCorp Vault OSS](http://aws.amazon.com/marketplace/pp/B07YLYPLYB)
+- [HashiCorp Vault Enterprise](http://aws.amazon.com/marketplace/pp/B07YLXD9TD)
+
+## Use Cases
+
+The Vault AMIs listed in the AWS Marketplace are intended to serve as an easy starting point for a Vault installation. Vault AMIs are built on top of a minimal Ubuntu distribution and contain up to date packages for both Vault and the underlying operating system dependencies.
+
+The Open Source Vault AMI is intended for development and test use cases. This listing will launch a non-HA Vault instance with Vault running and the Vault UI available. For production use cases, please see the [Architecture](/docs/platform/aws-mp/run.html#Architecture) section of this documentation.
diff --git a/website/pages/docs/platform/aws-mp/run.mdx b/website/pages/docs/platform/aws-mp/run.mdx
new file mode 100644
index 000000000000..4641a5b00234
--- /dev/null
+++ b/website/pages/docs/platform/aws-mp/run.mdx
@@ -0,0 +1,46 @@
+---
+layout: docs
+page_title: Running Vault
+sidebar_title: Running Vault
+description: >-
+  Vault can be launched from within the AWS Marketplace from the official Vault
+  Marketplace Listings.
+---
+
+# Running Vault
+
+## Launching the Vault AMI
+
+When Vault is first launched from an official Marketplace AMI, it will come up in an uninitialized state and must be initialized via the [API](https://www.vaultproject.io/api/system/init.html), [CLI](/docs/commands/operator/init.html), or UI. The Marketplace AMI listens on port 8200 by default. It is recommended to restrict ingress networking to the Vault instance as much as possible when initially deploying Vault (through EC2 security groups or otherwise) because anyone with network access to Vault will be able to initialize it. To learn more about the default listener configuration, or to make changes, please see the [Vault Deployment Guide](https://learn.hashicorp.com/vault/operations/ops-deployment-guide#listener-stanza).
+
+Additionally on first launch, a new self-signed [certificate](/docs/configuration/listener/tcp.html#tls_cert_file) and [key](/docs/configuration/listener/tcp.html#tls_key_file) (unique to the EC2 instance) will be generated to secure Vault traffic using TLS. This is provided as a “more secure” (vs. unencrypted TCP traffic) temporary solution, but it is strongly recommended to replace these with your own certificate and key. Please note that when using a self-signed certificate, Vault clients will need to [skip](/docs/commands/#vault_skip_verify) the verification of Vault’s certificate, which voids Vault’s [security model](/docs/internals/security.html).
+
+In order to begin using a newly launched Vault instance or cluster, it must be [unsealed](/docs/concepts/seal.html) first. HashiCorp generally recommends using the [AWS KMS Seal](/docs/configuration/seal/awskms.html) when running Vault on AWS.
+
+## Viewing the Vault UI
+
+The Vault UI is enabled by default. You can view the UI by navigating to `https://VAULT_INSTANCE_PUBLIC_IP:8200/` in a web browser. Please note that your web browser will likely show a security warning that the default self-signed TLS certificate `(Organization: HashiCorp, Common Name: Vault)` is not trusted, and that this can be ignored at your own risk until Vault’s certificate and key are replaced with your own valid ones.
+
+## Upgrading Vault
+
+New Vault AMIs are added to the AWS Marketplace listing regularly and contain the latest versions of Vault and updated operating system packages. However, new AMIs are not built and tested to support in-place upgrades of your existing Vault installation.
+
+To upgrade a Vault instance launched from an official AWS Marketplace AMI, please follow the normal upgrade instructions for a [non-HA installation](https://www.vaultproject.io/docs/upgrading/index.html#non-ha-installations).
+
+# Architecture
+
+HashiCorp’s AWS Marketplace offerings provide an easy way to deploy Vault in a single-instance configuration using the [Filesystem storage backend](/docs/configuration/storage/filesystem.html), but for production use, we recommend running Vault on AWS with the same [general architecture](/docs/internals/architecture.html) as running it anywhere else. While the Filesystem storage backend is officially supported by HashiCorp, it does not support High Availability. Because Vault data is stored on disk in this configuration, it is subject to the durability and availability of Amazon Elastic Block Store (EBS) and should be backed up accordingly.
+
+For additional guidance on best practices for running Vault in production, please refer to the [production hardening guide](https://learn.hashicorp.com/vault/day-one/production-hardening).
+
+# Getting Support
+
+## Open Source
+
+For the Open Source Vault AMI, support can be obtained through the community channels: <https://www.vaultproject.io/community>
+
+See the Vault Project on Github.com: <https://github.com/hashicorp/vault>
+
+## Enterprise
+
+For customers that purchase the Enterprise Vault AMI through the AWS Marketplace, Enterprise Support is also available from HashiCorp. To learn more: <https://support.hashicorp.com/hc/en-us>
diff --git a/website/pages/docs/platform/index.mdx b/website/pages/docs/platform/index.mdx
new file mode 100644
index 000000000000..88905ca85d82
--- /dev/null
+++ b/website/pages/docs/platform/index.mdx
@@ -0,0 +1,11 @@
+---
+layout: docs
+page_title: Platforms
+sidebar_title: Platforms
+description: This section covers running Vault on various platforms (such as Kubernetes).
+---
+
+# Platforms
+
+This section covers running Vault on various platforms (such as Kubernetes) and
+explains architecture, configuration, installation and security considerations.
diff --git a/website/pages/docs/platform/k8s/helm/configuration.mdx b/website/pages/docs/platform/k8s/helm/configuration.mdx
new file mode 100644
index 000000000000..c5dbd0abfe32
--- /dev/null
+++ b/website/pages/docs/platform/k8s/helm/configuration.mdx
@@ -0,0 +1,472 @@
+---
+layout: docs
+page_title: Configuration
+sidebar_title: Configuration
+description: This section documents configuration options for the Vault Helm chart
+---
+
+# Configuration
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+The chart is highly customizable using
+[Helm configuration values](https://docs.helm.sh/using_helm/#customizing-the-chart-before-installing).
+Each value has a default tuned for an optimal getting started experience
+with Vault. Before going into production, please review the parameters below
+and consider if they're appropriate for your deployment.
+
+- `global` - These global values affect multiple components of the chart.
+
+  - `enabled` (`boolean: true`) - The master enabled/disabled configuration. If this is true, most components will be installed by default. If this is false, no components will be installed by default and manually opting-in is required, such as by setting `server.enabled` to true.
+
+  - `imagePullSecrets` (`string: ""`) - Defines secrets to be used when pulling images from private registries.
+
+    - `name`: (`string: required`) - Name of the secret containing files required for authentication to private image registries.
+
+  - `tlsDisable` (`boolean: true`) - When set to `true`, changes URLs from `https` to `http` (such as the `VAULT_ADDR=http://127.0.0.1:8200` environment variable set on the Vault pods).
+
+- `injector` - Values that configure running a Vault Agent Injector Admission Webhook Controller within Kubernetes.
+
+  - `enabled` (`boolean: true`) - When set to `true`, the Vault Agent Injector Admission Webhook controller will be created.
+
+  - `image` - Values that configure the Vault Agent Injector Docker image.
+
+    - `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.
+
+    - `tag` (`string: "0.1.2"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
+
+    - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
+
+  - `agentImage` - Values that configure the Vault Agent sidecar image.
+
+    - `repository` (`string: "vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
+
+    - `tag` (`string: "1.3.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
+
+  - `resources` (`string: ""`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources.<br /> **Setting this is highly recommended.**
+
+    ```yaml
+    # Resources are defined as a formatted multi-line string:
+    resources: |
+      requests:
+        memory: "10Gi"
+      limits:
+        memory: "10Gi"
+    ```
+
+  - `namespaceSelector` (`string: ""`) - The selector used by the admission webhook controller to limit what namespaces where injection can happen. If set to null, all non-system namespaces are eligible for injection.
+
+    ```yaml
+    # Selectors are defined as a formatted multi-line string.
+    # In this example, all namespaces with the label "injection: enabled" are eligible:
+    namespaceSelector: |
+      matchLabels:
+        injection: enabled
+    ```
+
+  - `certs` - The certs section configures how the webhook TLS certs are configured. These are the TLS certs for the Kube apiserver communicating to the webhook. By default, the injector will generate and manage its own certs, but this requires the ability for the injector to update its own `MutatingWebhookConfiguration`. In a production environment, custom certs should probably be used. Configure the values below to enable this.
+
+    - `secretName` (`string: ""`) - secretName is the name of the Kubernetes secret that has the TLS certificate and private key to serve the injector webhook. If this is null, then the injector will default to its automatic management mode.
+
+    - `caBundle` (`string: ""`) - The PEM-encoded CA public certificate bundle for the TLS certificate served by the injector. This must be specified as a string and can't come from a secret because it must be statically configured on the Kubernetes `MutatingAdmissionWebhook` resource. This only needs to be specified if `secretName` is not null.
+
+    - `certName` (`string: "tls.crt"`) - The name of the certificate file within the `secretName` secret.
+
+    - `keyName` (`string: "tls.key"`) - The name of the key file within the `secretName` secret.
+
+- `server` - Values that configure running a Vault server within Kubernetes.
+
+  - `image` - Values that configure the Vault Docker image.
+
+    - `repository` (`string: "vault"`) - The name of the Docker image for the containers running Vault.
+
+    - `tag` (`string: "1.3.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
+
+    - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
+
+    - `resources` (`string: null`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. **Setting this is highly recommended.**
+
+      ```yaml
+      # Resources are defined as a formatted multi-line string:
+      resources: |
+        requests:
+          memory: "10Gi"
+        limits:
+          memory: "10Gi"
+      ```
+
+    * `ingress` - Values that configure Ingress services for Vault.
+
+      - `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created.
+
+      - `annotations` (`string`) - This value defines additional annotations to add to the Ingress service. This should be formatted as a multi-line string.
+
+      ```yaml
+      annotations: |
+        kubernetes.io/ingress.class: nginx
+        kubernetes.io/tls-acme: "true"
+      ```
+
+      - `hosts` - Values that configure the Ingress host rules.
+
+        - `host` (`string: required`): Name of the host to use for Ingress.
+
+        - `paths` (`string: required`): This value defines the types of host rules for the Ingress service.
+
+        ```yaml
+        paths:
+          - backend:
+            serviceName: service2
+            servicePort: 80
+        ```
+
+    * `tls` - Values that configure the Ingress TLS rules.
+
+      - `hosts` (`string: null)`: Name of the hosts defined in the Common Name of the TLS Certificate. This should be formated as a multi-line string.
+
+      - `secretName` (`string: null)`: Name of the secret containing the required TLS files such as certificates and keys.
+
+      ```yaml
+      hosts:
+        - sslexample.foo.com
+        - sslexample.bar.com
+       secretName: testsecret-tls
+      ```
+
+    * `authDelegator` - Values that configure the Cluster Role Binding attached to the Vault service account.
+
+      - `enabled` (`boolean: true`) - When set to `true`, a Cluster Role Binding will be bound to the Vault service account. This Cluster Role Binding has the necessary privileges for Vault to use the [Kubernetes Auth Method](/docs/auth/kubernetes.html).
+
+    * `readinessProbe` - Values that configure the readiness probe for the Vault pods.
+
+      - `enabled` (`boolean: true`) - When set to `true`, a readiness probe will be applied to the Vault pods.
+
+      - `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controled by the `tlsDisable` value.
+
+    ```yaml
+    readinessProbe:
+      enabled: true
+      path: /v1/sys/health?standbyok=true
+    ```
+
+    - `livelinessProbes` - Values that configure the liveliness probe for the Vault pods.
+
+      - `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods.
+
+      - `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controled by the `tlsDisable` value.
+
+      - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts.
+
+    ```yaml
+    livelinessProbe:
+      enabled: true
+      path: /v1/sys/health?standbyok=true
+      initialDelaySeconds: 60
+    ```
+
+    - `extraContainers` (`array: []`) - The extra containers to be applied to the Vault server pods.
+
+    ```yaml
+    extraContainers:
+      - name: mycontainer
+        image: 'app:0.0.0'
+        env: ...
+    ```
+
+    ```yaml
+    # Extra Environment Variables are defined as key/value strings.
+    extraEnvironmentVars:
+      GOOGLE_REGION: global
+      GOOGLE_PROJECT: myproject
+      GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
+    ```
+
+    - `extraEnvironmentVars` - The extra environment variables to be applied to the Vault server. This should be a multi-line key/value string.
+
+    ```yaml
+    # Extra Environment Variables are defined as key/value strings.
+    extraEnvironmentVars:
+      GOOGLE_REGION: global
+      GOOGLE_PROJECT: myproject
+      GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
+    ```
+
+    - `extraArgs` (`string: null`) - The extra arguments to be applied to the Vault server startup command.
+
+      ```yaml
+      extraArgs: '-config=/path/to/extra/config.hcl -log-format=json'
+      ```
+
+    - `extraSecretEnvironmentVars` (`string: null`) - The extra environment variables populated from a secret to be applied to the Vault server. This should be a multi-line key/value string.
+
+      - `envName` (`string: required`) -
+        Name of the environment variable to be populated in the Vault container.
+
+      - `secretName` (`string: required`) -
+        Name of Kubernetes secret used to populate the environment variable defined by `envName`.
+
+      - `secretKey` (`string: required`) -
+        Name of the key where the requested secret value is located in the Kubernetes secret.
+
+      ```yaml
+      # Extra Environment Variables populated from a secret.
+      extraSecretEnvironmentVars:
+        - envName: AWS_SECRET_ACCESS_KEY
+          secretName: vault
+          secretKey: AWS_SECRET_ACCESS_KEY
+      ```
+
+    - `extraVolumes` (`array: []`) - A list of extra volumes to mount to Vault servers. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates. The value of this should be a list of objects. Each object supports the following keys:
+
+      - `type` (`string: required`) -
+        Type of the volume, must be one of "configMap" or "secret". Case sensitive.
+
+      - `name` (`string: required`) -
+        Name of the configMap or secret to be mounted. This also controls the path
+        that it is mounted to. The volume will be mounted to `/vault/userconfig/<name>` by default
+        unless `path` is configured.
+
+      - `path` (`string: /vault/userconfigs`) -
+        Name of the path where a configMap or secret is mounted. If not specified
+        the volume will be mounted to `/vault/userconfig/<name of volume>`.
+
+      ```yaml
+      extraVolumes:
+        - type: 'secret'
+          name: 'vault-certs'
+          path: '/etc/pki'
+      ```
+
+    - `affinity` - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. It defaults to allowing only a single pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value to `null`.
+
+    ```yaml
+    # Recommended default server affinity:
+    affinity: |
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+          matchLabels:
+            app: {{ template "vault.name" . }}
+            release: "{{ .Release.Name }}"
+            component: server
+          topologyKey: kubernetes.io/hostname
+    ```
+
+    - `tolerations` (`array []`) - This value defines the [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) that are acceptable when being scheduled.
+
+    ```yaml
+    tolerations:
+      - key: 'node.kubernetes.io/unreachable'
+        operator: 'Exists'
+        effect: 'NoExecute'
+        tolerationSeconds: 6000
+    ```
+
+    - `nodeSelector` - This value defines additional node selection criteria for more control over where the Vault servers are deployed.
+
+    ```yaml
+    nodeSelector:
+      disktype: ssd
+    ```
+
+    - `extraLabels` - This value defines additional labels for server pods. This should be formatted as a multi-line string.
+
+    ```yaml
+    extraLabels: |
+      "sample/label1": "foo"
+      "sample/label2": "bar"
+    ```
+
+    - `annotations` - This value defines additional annotations for server pods. This should be a formatted as a multi-line string.
+
+    ```yaml
+    annotations: |
+      "sample/annotation1": "foo"
+      "sample/annotation2": "bar"
+    ```
+
+    - `service` - Values that configure the Kubernetes service created for Vault.
+
+      - `enabled` (`boolean: true`) - When set to `true`, a Kubernetes service will be created for Vault.
+
+      - `clusterIP` (`string`) - ClusterIP controls whether an IP address (cluster IP) is attached to the Vault service within Kubernetes. By default the Vault service will be given a Cluster IP address, set to `None` to disable. When disabled Kubernetes will create a "headless" service. Headless services can be used to communicate with pods directly through DNS instead of a round robin load balancer.
+
+      - `type` (`string: "ClusterIP"`) - Sets the type of service to create, such as `NodePort`.
+
+      - `port` (`int: 8200`) - Port on which Vault server is listening inside the pod.
+
+      - `targetPort` (`int: 8200`) - Port on which the service is listening.
+
+      - `nodePort` (`int:`) - When type is set to `NodePort`, the bound node port can be configured using this value. A random port will be assigned if this is left blank.
+
+      - `annotations` (`string`) - This value defines additional annotations for the service. This should be formatted as a multi-line string.
+
+      ```yaml
+      annotations: |
+        "sample/annotation1": "foo"
+        "sample/annotation2": "bar"
+      ```
+
+    - `serviceAccount` - Values that configure the Kubernetes service account created for Vault.
+
+      - `annotations` (`string`) - This value defines additional annotations for the service account. This should be formatted as a multi-line string.
+
+      ```yaml
+      annotations: |
+        "sample/annotation1": "foo"
+        "sample/annotation2": "bar"
+      ```
+
+    - `extraVolumes` - This configures the `Service` resource created for the Vault server.
+
+      - `enabled` (`boolean: true`) -
+        Enables a service to allow other pods running in Kubernetes to communicate with the Vault server.
+
+    - `dataStorage` - This configures the volume used for storing Vault data when not using external storage such as Consul.
+
+      - `enabled` (`boolean: true`) -
+        Enables a persistent volume to be created for storing Vault data when not using an external storage service.
+
+      - `size` (`string: 10Gi`) -
+        Size of the volume to be created for Vault's data storage when not using an external storage service.
+
+      - `storageClass` (`string: null`) -
+        Name of the storage class to use when creating the data storage volume.
+
+      - `accessMode` (`string: ReadWriteOnce`) -
+        Type of access mode of the storage device. See the [official Kubernetes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) for more information.
+
+    - `auditStorage` - This configures the volume used for storing Vault's audit logs. See the [Vault documentation](/docs/audit) for more information.
+
+      - `enabled` (`boolean: true`) -
+        Enables a persistent volume to be created for storing Vault's audit logs.
+
+      - `size` (`string: 10Gi`) -
+        Size of the volume to be created for Vault's audit logs.
+
+      - `storageClass` (`string: null`) -
+        Name of the storage class to use when creating the audit storage volume.
+
+      - `accessMode` (`string: ReadWriteOnce`) -
+        Type of access mode of the storage device.
+
+    - `dev` - This configures `dev` mode for the Vault server.
+
+      - `enabled` (`boolean: false`) -
+        Enables `dev` mode for the Vault server. This mode is useful for experimenting with Vault without needing to unseal.
+
+      ~> **Security Warning:** Never, ever, ever run a "dev" mode server in production. It is insecure and will lose data on every restart (since it stores data in-memory). It is only made for development or experimentation.
+
+    - `standalone` - This configures `standalone` mode for the Vault server.
+
+      - `enabled` (`boolean: true`) -
+        Enables `standalone` mode for the Vault server. This mode uses the `file` storage backend and requires a volume for persistence (`dataStorage`).
+
+      - `config` (`string: "{}"`) -
+        A raw string of extra HCL or JSON [configuration](https://www.vaultproject.io/docs/configuration/index.html) for Vault servers.
+        This will be saved as-is into a ConfigMap that is read by the Vault servers.
+        This can be used to add additional configuration that isn't directly exposed by the chart.
+
+      ```yaml
+      # ExtraConfig values are formatted as a multi-line string:
+      config: |
+        api_addr = "http://POD_IP:8200"
+
+        listener "tcp" {
+          tls_disable = 1
+          address     = "0.0.0.0:8200"
+        }
+
+        storage "file" {
+          path = "/vault/data"
+        }
+      ```
+
+      This can also be set using Helm's `--set` flag (vault-helm v0.1.0 and later), using the following syntax:
+
+      ```shell
+      --set server.standalone.config='{ listener "tcp" { address = "0.0.0.0:8200" }'
+      ```
+
+    - `ha` - This configures `ha` mode for the Vault server.
+
+      - `enabled` (`boolean: false`) -
+        Enables `ha` mode for the Vault server. This mode uses a highly available backend storage (such as Consul) to store Vault's data. By default this is configured to use [Consul Helm](https://github.com/hashicorp/consul-helm). For a complete list of storage backends, see the [Vault documentation](/docs/configuration).
+
+      - `replicas` (`int: 5`) -
+        The number of pods to deploy to create a highly available cluster of Vault servers.
+
+      - `updatePartition` (`int: 0`) -
+        If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s `.spec.template` is updated. If set to `0`, this disables parition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates).
+
+      - `config` (`string: "{}"`) -
+        A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers.
+        This will be saved as-is into a ConfigMap that is read by the Vault servers.
+        This can be used to add additional configuration that isn't directly exposed by the chart.
+
+      ```yaml
+      # ExtraConfig values are formatted as a multi-line string:
+      config: |
+        ui = true
+        api_addr = "http://POD_IP:8200"
+        listener "tcp" {
+            tls_disable = 1
+            address     = "0.0.0.0:8200"
+        }
+
+        storage "consul" {
+            path = "vault"
+            address = "HOST_IP:8500"
+        }
+      ```
+
+      This can also be set using Helm's `--set` flag (vault-helm v0.1.0 and later), using the following syntax:
+
+      ```shell
+      --set server.ha.config='{ listener "tcp" { address = "0.0.0.0:8200" }'
+      ```
+
+    * `disruptionBudget` - Values that configures the disruption budget policy. See the [official Kubernetes documentation](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) for more information.
+
+      - `enabled` (`boolean: true`) -
+        Enables disruption budget policy to limit the number of pods that are down simultaneously from voluntary disruptions.
+
+      - `maxUnavailable` (`int: null`) -
+        The maximum number of unavailable pods. By default, this will be automatically
+        computed based on the `server.replicas` value to be `(n/2)-1`. If you need to set
+        this to `0`, you will need to add a `--set 'server.disruptionBudget.maxUnavailable=0'`
+        flag to the helm chart installation command because of a limitation in the Helm
+        templating language.
+
+- `ui` - Values that configure the Vault UI.
+
+  - `enabled` (`boolean: false`) - If true, the UI will be enabled. The UI will only be enabled on Vault servers. If `server.enabled` is false, then this setting has no effect. To expose the UI in some way, you must configure `ui.service`.
+
+  - `serviceType` (`string: ClusterIP`) -
+    The service type to register. This defaults to `ClusterIP`.
+    The available service types are documented on
+    [the Kubernetes website](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types).
+
+  - `serviceNodePort` (`int: null`) -
+    Sets the Node Port value when using `serviceType: NodePort` on the Vault UI service.
+
+  - `externalPort` (`int: 8200`) -
+    Sets the external port value of the service.
+
+  - `loadBalancerSourceRanges` (`string`) - This value defines additional source CIDRs when using `serviceType: LoadBalancer`. This should be formatted as a multi-line string.
+
+  ```yaml
+  loadBalancerSourceRanges:
+    - 10.0.0.0/16
+    - 120.78.23.3/32
+  ```
+
+  - `loadBalancerIP` (`string`) - This value defines the IP address of the load balancer when using `serviceType: LoadBalancer`.
+
+  - `annotations` (`string`) - This value defines additional annotations for the UI service. This should be a formatted as a multi-line string.
+
+  ```yaml
+  annotations: |
+    "sample/annotation1": "foo"
+    "sample/annotation2": "bar"
+  ```
diff --git a/website/pages/docs/platform/k8s/helm/examples.mdx b/website/pages/docs/platform/k8s/helm/examples.mdx
new file mode 100644
index 000000000000..f9d09d9ec746
--- /dev/null
+++ b/website/pages/docs/platform/k8s/helm/examples.mdx
@@ -0,0 +1,211 @@
+---
+layout: docs
+page_title: Examples
+sidebar_title: Examples
+description: This section documents configuration options for the Vault Helm chart
+---
+
+# Helm Chart Examples
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+The following are different configuration examples to support a variety of
+deployment models.
+
+## Standalone Server with Load Balanced UI
+
+The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.
+
+```yaml
+global:
+  enabled: true
+
+server:
+  image:
+    repository: 'vault'
+    tag: '1.3.1'
+
+  standalone:
+    enabled: true
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+      storage "file" {
+        path = "/vault/data"
+      }
+
+  service:
+    enabled: true
+
+  dataStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: null
+    accessMode: ReadWriteOnce
+
+ui:
+  enabled: true
+  serviceType: LoadBalancer
+```
+
+## Standalone Server with TLS
+
+The below `values.yaml` can be used to set up a single server Vault cluster using TLS.
+This assumes that a Kubernetes `secret` exists with the server certificate, key and
+certificate authority:
+
+```yaml
+global:
+  enabled: true
+  tlsDisable: false
+
+server:
+  image:
+    repository: 'vault'
+    tag: '1.3.1'
+
+  extraVolumes:
+    - type: secret
+      name: vault-server-tls
+
+  standalone:
+    enabled: true
+    config: |
+      listener "tcp" {
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+        tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+        tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
+        tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
+      }
+
+      storage "file" {
+        path = "/vault/data"
+      }
+
+  service:
+    enabled: true
+
+  dataStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: null
+    accessMode: ReadWriteOnce
+```
+
+## Standalone Server with Audit Storage
+
+The below `values.yaml` can be used to set up a single server Vault cluster with
+auditing enabled.
+
+```yaml
+global:
+  enabled: true
+
+server:
+  image:
+    repository: 'vault'
+    tag: '1.3.1'
+
+  standalone:
+    enabled: true
+    config: |
+      listener "tcp" {
+        tls_disable = true
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      storage "file" {
+        path = "/vault/data"
+      }
+
+  service:
+    enabled: true
+
+  dataStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: null
+    accessMode: ReadWriteOnce
+
+  auditStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: null
+    accessMode: ReadWriteOnce
+```
+
+After Vault has been deployed, initialized and unsealed, auditing can be enabled
+by running the following command against the Vault pod:
+
+```bash
+$ kubectl exec -ti <POD NAME> --  vault audit enable file file_path=/vault/audit/vault_audit.log
+```
+
+## Highly Available Vault Cluster with Consul
+
+The below `values.yaml` can be used to set up a five server Vault cluster using
+Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
+
+```yaml
+global:
+  enabled: true
+
+server:
+  image:
+    repository: "vault"
+    tag: "1.3.1"
+
+  extraEnvironmentVars:
+    GOOGLE_REGION: global
+    GOOGLE_PROJECT: myproject
+    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
+
+  extraVolumes: []
+    - type: secret
+      name: my-gcp-iam
+
+  affinity: |
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchLabels:
+              app: {{ template "vault.name" . }}
+              release: "{{ .Release.Name }}"
+              component: server
+          topologyKey: kubernetes.io/hostname
+
+  service:
+    enabled: true
+
+  ha:
+    enabled: true
+    replicas: 5
+
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      storage "consul" {
+        path = "vault"
+        address = "HOST_IP:8500"
+      }
+
+      seal "gcpckms" {
+         project     = "myproject"
+         region      = "global"
+         key_ring    = "vault-unseal-kr"
+         crypto_key  = "vault-unseal-key"
+      }
+```
diff --git a/website/pages/docs/platform/k8s/helm/index.mdx b/website/pages/docs/platform/k8s/helm/index.mdx
new file mode 100644
index 000000000000..672bc0a56d45
--- /dev/null
+++ b/website/pages/docs/platform/k8s/helm/index.mdx
@@ -0,0 +1,61 @@
+---
+layout: docs
+page_title: Helm - Kubernetes
+sidebar_title: Helm Chart
+description: >-
+  The Vault Helm chart is the recommended way to install and configure Vault on
+  Kubernetes.
+---
+
+# Helm Chart
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+The [Vault Helm chart](https://github.com/hashicorp/vault-helm)
+is the recommended way to install and configure Vault on Kubernetes.
+In addition to running Vault itself, the Helm chart is the primary
+method for installing and configuring Vault to integrate with other
+services such as Consul for High Availability deployments.
+
+This page assumes general knowledge of [Helm](https://v2.helm.sh/) and
+how to use it. Using Helm to install Vault will require that Helm is
+properly installed and configured with your Kubernetes cluster.
+
+-> **Important:** The Helm chart is new and
+may still change significantly over time. Please always run Helm with
+`--dry-run` before any install or upgrade to verify changes.
+
+~> **Security Warning:** By default, the chart will install an insecure configuration
+of Vault. This provides a less complicated out-of-box experience for new users,
+but is not appropriate for a production setup. It is highly recommended to use
+a [properly secured Kubernetes cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/).
+See the [architecture reference](/docs/platform/k8s/run.html#architecture)
+for a Vault Helm production deployment checklist.
+
+## Using the Helm Chart
+
+To use the Helm chart, you must download or clone the
+[vault-helm GitHub repository](https://github.com/hashicorp/vault-helm)
+and run Helm against the directory. We plan to transition to using a real
+Helm repository soon. When running Helm, we highly recommend you always
+checkout a specific tagged release of the chart to avoid any
+instabilities from master.
+
+Prior to this, you must have Helm installed and configured both in your
+Kubernetes cluster and locally on your machine. The steps to do this are
+out of the scope of this document. Please refer to the
+[Helm documentation](https://helm.sh/) for more information.
+
+Example chart usage:
+
+```sh
+# Clone the chart repo
+$ git clone https://github.com/hashicorp/vault-helm.git
+$ cd vault-helm
+
+# Checkout a tagged version
+$ git checkout v0.3.3
+
+# Run Helm
+$ helm install --dry-run ./
+```
diff --git a/website/pages/docs/platform/k8s/helm/run.mdx b/website/pages/docs/platform/k8s/helm/run.mdx
new file mode 100644
index 000000000000..dac21db8adba
--- /dev/null
+++ b/website/pages/docs/platform/k8s/helm/run.mdx
@@ -0,0 +1,420 @@
+---
+layout: docs
+page_title: Running Vault - Kubernetes
+sidebar_title: Running Vault
+description: >-
+  Vault can run directly on Kubernetes in various configurations.  For
+  pure-Kubernetes worloads, this enables Vault to also exist purely within
+  Kubernetes.
+---
+
+# Running Vault on Kubernetes
+
+Vault can run directly on Kubernetes in various modes: `dev,` `standalone` and `ha`.
+For pure-Kubernetes workloads, this enables Vault to also exist purely
+within Kubernetes.
+
+This page starts with a large how-to section for various specific tasks.
+
+!> **IMPORTANT NOTE:** Vault Enterprise is currently not supported. We are actively
+working a version for Vault Enterprise and it will be available in the future.
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+## Helm Chart
+
+The [Vault Helm chart](https://github.com/hashicorp/vault-helm)
+is the recommended way to install and configure Vault on Kubernetes.
+In addition to running Vault itself, the Helm chart is the primary
+method for installing and configuring Vault to integrate with other
+services such as Consul for High Availability deployments.
+
+While the Helm chart exposes dozens of useful configurations and automatically
+sets up complex resources, it **does not automatically operate Vault.**
+You are still responsible for learning how to monitor, backup,
+upgrade, etc. the Vault cluster.
+
+The Helm chart has no required configuration and will install a Vault
+cluster with sane defaults out of the box. Prior to going to production,
+it is highly recommended that you
+[learn about the configuration options](/docs/platform/k8s/helm/configuration.html).
+
+~> **Security Warning:** By default, the chart will install an insecure configuration
+of Vault. This provides a less complicated out-of-box experience for new users,
+but is not appropriate for a production setup. It is highly recommended to use
+a [properly secured Kubernetes cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/).
+See the [architecture reference](/docs/platform/k8s/run.html#architecture)
+for a production deployment checklist.
+
+## How-To
+
+### Installing Vault
+
+To install Vault, clone the vault-helm repository, checkout the latest release, and install
+Vault. You can run `helm install` with the `--dry-run` flag to see the
+resources it would configure. In a production environment, you should always
+use the `--dry-run` flag prior to making any changes to the Vault cluster
+via Helm. See the [chart configuration values](/docs/platform/k8s/helm.html#configuration-values-)
+for additional configuration options.
+
+```sh
+# Clone the chart repo
+$ git clone https://github.com/hashicorp/vault-helm.git
+$ cd vault-helm
+
+# Checkout a tagged version
+$ git checkout v0.3.3
+
+# Run Helm
+$ helm install --name vault ./
+...
+```
+
+!> **IMPORTANT NOTE:** Vault Helm will not initialize and unseal Vault automatically.
+Initialization is required after installation followed by unsealing. Vault can be
+configured to auto-unseal using KMS providers such as
+[Google Cloud Platform](/docs/platform/k8s/run.html#google-kms-auto-unseal). This
+allows the pods to auto unseal if they're rescheduled in Kubernetes.
+
+If standalone or HA mode are being used, the Vault pods must be initialized and unsealed.
+For HA deployments, only one of the Vault pods needs to be initialized.
+
+```sh
+$ kubectl exec -ti vault-0 -- vault operator init
+$ kubectl exec -ti vault-0 -- vault operator unseal
+```
+
+For HA deployments, unseal the remaining pods:
+
+```sh
+$ kubectl exec -ti <NAME OF POD> -- vault operator unseal
+```
+
+### Viewing the Vault UI
+
+The Vault UI is enabled by default when using the Helm chart.
+For security reasons, it isn't exposed via a Service by default so you must
+use `kubectl port-forward` to visit the UI. Once the port is forwarded as
+shown below, navigate your browser to `http://localhost:8200`.
+
+```
+$ kubectl port-forward vault-0 8200:8200
+...
+```
+
+The UI can also be exposed via a Kubernetes Service. To do this, configure
+the [`ui.service` chart values](/docs/platform/k8s/helm.html#v-ui).
+
+### Upgrading Vault on Kubernetes
+
+To upgrade Vault on Kubernetes, we follow the same pattern as
+[generally upgrading Vault](/docs/upgrading.html), except we can use
+the Helm chart to update the Vault server Statefulset. It is important to understand
+how to [generally upgrade Vault](/docs/upgrading.html) before reading this
+section.
+
+The Vault Statefulset uses `OnDelete` update strategy. It is critical to use `OnDelete` instead
+of `RollingUpdate` because standbys must be updated before the active primary. A
+failover to an older version of Vault must always be avoided.
+
+!> **IMPORTANT NOTE:** Always back up your data before upgrading! Vault does not
+make backward-compatibility guarantees for its data store. Simply replacing the
+newly-installed Vault binary with the previous version will not cleanly
+downgrade Vault, as upgrades may perform changes to the underlying data
+structure that make the data incompatible with a downgrade. If you need to roll
+back to a previous version of Vault, you should roll back your data store as
+well.
+
+#### Upgrading Vault Servers
+
+To initiate the upgrade, change the `server.image` values to the
+desired Vault version. For illustrative purposes, the example below will
+use `vault:123.456`.
+
+```yaml
+server:
+  image:
+    repository: 'vault'
+    tag: '123.456'
+```
+
+Next, run the upgrade. You should run this with `--dry-run` first to verify
+the changes that will be sent to the Kubernetes cluster.
+
+```shell
+$ helm upgrade vault ./
+...
+```
+
+This should cause no changes (although the resource will be updated). If
+everything is stable, `helm upgrade` can be run.
+
+The `helm upgrade` command should have updated the Statefulset template for
+the Vault servers, however, no pods have been deleted. The pods must be manually
+deleted to upgrade. Deleting the pods will not delete any persisted data.
+
+If Vault is not deployed using `ha` mode, the single Vault server may be deleted by
+running:
+
+```bash
+$ kubectl delete pod <name of Vault pod>
+```
+
+If Vault is deployed using `ha` mode, the standby pods must be upgraded first.
+To identify which pod is currently the active primary, run the following commad
+on each Vault pod:
+
+```bash
+$ kubectl exec -ti <name of pod> -- vault status | grep "HA Mode"
+```
+
+Next, delete every pod that is not the active primary:
+
+```bash
+$ kubectl delete pod <name of Vault pods>
+```
+
+If auto-unseal is not being used, the newly scheduled Vault standby pods will need
+to be unsealed:
+
+```bash
+$ kubectl exec -ti <name of pod> -- vault operator unseal
+```
+
+Finally, once the standby nodes have been updated and unsealed, delete the active
+primary:
+
+```bash
+$ kubectl delete pod <name of Vault primary>
+```
+
+Similar to the standby nodes, the former primary will also need to be unsealed:
+
+```bash
+$ kubectl exec -ti <name of pod> -- vault operator unseal
+```
+
+After a few moments the Vault cluster should elect a new active primary. The Vault
+cluster is now upgraded!
+
+### Protecting Sensitive Vault Configurations
+
+Vault Helm renders a Vault configuration file during installation and stores the
+file in a Kubernetes configmap. Some configurations require sensitive data to be
+included in the configuration file and would not be encrypted at rest once created
+in Kubernetes.
+
+The following example shows how to add extra configuration files to Vault Helm
+to protect sensitive configurations from being in plaintext at rest using Kubernetes
+secrets.
+
+First, create a partial Vault configuration with the sensitive settings Vault will
+load during startup:
+
+```yaml
+cat <<EOF >>config.hcl
+storage "mysql" {
+username = "user1234"
+password = "secret123!"
+database = "vault"
+}
+EOF
+```
+
+Next, create a Kubernetes secret containing this partial configuration:
+
+```bash
+kubectl create secret generic vault-storage-config \
+    --from-file=config.hcl
+```
+
+Finally, mount this secret as an extra volume and add an additional `-config` flag
+to the Vault startup command:
+
+```bash
+helm install --name=vault \
+  --set='server.extraVolumes[0].type=secret' \
+  --set='server.extraVolumes[0].name=vault-storage-config' \
+  --set='server.extraArgs=-config=/vault/userconfig/vault-storage-config/config.hcl' .
+```
+
+#### Google KMS Auto Unseal
+
+The following example demonstrates configuring Vault Helm to use
+[Google KMS for Auto Unseal](/docs/configuration/seal/gcpckms.html).
+
+In order to authenticate and use KMS in Google Cloud, Vault Helm needs credentials. The `credentials.json`
+file will need to be mounted as a secret to the Vault container.
+
+##### Create the Secret
+
+First, create the secret in Kubernetes:
+
+```bash
+kubectl create secret generic kms-creds --from-file=credentials.json
+```
+
+Vault Helm will mount this to `/vault/userconfig/kms-creds/credentials.json`.
+
+##### Config Example
+
+The following is an example of how to configure Vault Helm to use Google KMS:
+
+```yaml
+global:
+  enabled: true
+
+server:
+  image:
+    repository: 'vault'
+    tag: '1.3.1'
+
+  extraEnvironmentVars:
+    GOOGLE_REGION: global
+    GOOGLE_PROJECT: <PROJECT NAME>
+    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
+
+  extraVolumes:
+    - type: 'secret'
+      name: 'kms-creds'
+
+  ha:
+    enabled: true
+    replicas: 3
+
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      seal "gcpckms" {
+        project     = "<NAME OF PROJECT>"
+        region      = "global"
+        key_ring    = "<NAME OF KEYRING>"
+        crypto_key  = "<NAME OF KEY>"
+      }
+
+      storage "consul" {
+        path = "vault"
+        address = "HOST_IP:8500"
+      }
+```
+
+#### Amazon EKS Auto Unseal
+
+The following example demonstrates configuring Vault Helm to use
+[AWS EKS for Auto Unseal](/docs/configuration/seal/awskms.html).
+
+In order to authenticate and use EKS in AWS, Vault Helm needs credentials. The AWS access key
+ID and key will be mounted as secret environment variables in the Vault pods.
+
+##### Create the Secret
+
+First, create a secret with your EKS access key/secret:
+
+```bash
+kubectl create secret generic eks-creds\
+  --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID?}" \
+  --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY?}"
+```
+
+##### Config Example
+
+The following is an example of how to configure Vault Helm to use AWS EKS:
+
+```yaml
+global:
+  enabled: true
+
+server:
+  image:
+    repository: 'vault'
+    tag: '1.3.1'
+
+  extraSecretEnvironmentVars:
+    - envName: AWS_ACCESS_KEY_ID
+      secretName: eks-creds
+      secretKey: AWS_ACCESS_KEY_ID
+    - envName: AWS_SECRET_ACCESS_KEY
+      secretName: eks-creds
+      secretKey: AWS_SECRET_ACCESS_KEY
+
+  ha:
+    enabled: true
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      seal "awskms" {
+        region     = "KMS_REGION_HERE"
+        kms_key_id = "KMS_KEY_ID_HERE"
+      }
+
+      storage "consul" {
+        path = "vault"
+        address = "HOST_IP:8500"
+      }
+```
+
+## Architecture
+
+We recommend running Vault on Kubernetes with the same
+[general architecture](/docs/internals/architecture.html)
+as running it anywhere else. There are some benefits Kubernetes can provide
+that eases operating a Vault cluster and we document those below. The standard
+[production deployment guide](https://learn.hashicorp.com/vault/day-one/production-hardening) is still an
+important read even if running Vault within Kubernetes.
+
+### Production Deployment Checklist
+
+_End-to-End TLS._ Vault should always be used with TLS in production. If
+intermediate load balancers or reverse proxies are used to front Vault,
+they should not terminate TLS. This way traffic is always encrypted in transit
+to Vault and minimizes risks introduced by intermediate layers. See the
+[official documentation](/docs/platform/k8s/helm.html#standalone-server-with-tls)
+for example on configuring Vault Helm to use TLS.
+
+_Single Tenancy._ Vault should be the only main process running on a machine.
+This reduces the risk that another process running on the same machine is
+compromised and can interact with Vault. This can be accomplished by using Vault
+Helm's `affinity` configurable. See the
+[official documentation](/docs/platform/k8s/helm.html#highly-available-vault-cluster-with-consul)
+for example on configuring Vault Helm to use affinity rules.
+
+_Enable Auditing._ Vault supports several auditing backends. Enabling auditing
+provides a history of all operations performed by Vault and provides a forensics
+trail in the case of misuse or compromise. Audit logs securely hash any sensitive
+data, but access should still be restricted to prevent any unintended disclosures.
+Vault Helm includes a configurable `auditStorage` option that will provision a persistent
+volume to store audit logs. See the
+[official documentation](/docs/platform/k8s/helm.html#standalone-server-with-audit-storage)
+for an example on configuring Vault Helm to use auditing.
+
+_Immutable Upgrades._ Vault relies on an external storage backend for persistence,
+and this decoupling allows the servers running Vault to be managed immutably.
+When upgrading to new versions, new servers with the upgraded version of Vault
+are brought online. They are attached to the same shared storage backend and
+unsealed. Then the old servers are destroyed. This reduces the need for remote
+access and upgrade orchestration which may introduce security gaps. See the
+[upgrade section](/docs/platform/k8s/run.html#how-to) for instructions
+on upgrading Vault on Kubernetes.
+
+_Upgrade Frequently._ Vault is actively developed, and updating frequently is
+important to incorporate security fixes and any changes in default settings such
+as key lengths or cipher suites. Subscribe to the Vault mailing list and
+GitHub CHANGELOG for updates.
+
+_Restrict Storage Access._ Vault encrypts all data at rest, regardless of which
+storage backend is used. Although the data is encrypted, an attacker with arbitrary
+control can cause data corruption or loss by modifying or deleting keys. Access
+to the storage backend should be restricted to only Vault to avoid unauthorized
+access or operations.
diff --git a/website/pages/docs/platform/k8s/index.mdx b/website/pages/docs/platform/k8s/index.mdx
new file mode 100644
index 000000000000..4a67d0452a99
--- /dev/null
+++ b/website/pages/docs/platform/k8s/index.mdx
@@ -0,0 +1,41 @@
+---
+layout: docs
+page_title: Kubernetes
+sidebar_title: Kubernetes
+description: This section documents the official integration between Vault and Kubernetes.
+---
+
+# Kubernetes
+
+Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart.  
+The helm chart allows users to deploy Vault in various configurations:
+
+- Dev mode: a single in-memory Vault server for testing Vault
+- Standalone mode (default): a single Vault server persisting to a volume using the file storage backend
+- HA mode: a cluster of Vault servers that use an HA storage backend such as Consul (default)
+
+## Use Cases
+
+**Running a Vault Service:** The Vault server cluster can run directly on Kubernetes.  
+This can be used by applications running within Kubernetes as well as external to
+Kubernetes, as long as they can communicate to the server via the network.
+
+**Accessing and Storing Secrets:** Applications using the Vault service running in
+Kubernetes can access and store secrets from Vault using a number of different
+[secret engines](/docs/secrets) and [authentication methods](/docs/auth).
+
+**Running a Highly Available Vault Service:** By using pod affinities, highly available
+backend storage (such as Consul) and [auto-unseal](/docs/concepts/seal.html#auto-unseal),
+Vault can become a highly available service in Kubernetes.
+
+**Encryption as a Service:** Applications using the Vault service running in Kubernetes
+can leverage the [Transit secret engine](/docs/secrets/transit)
+as "encryption as a service". This allows applications to offload encryption needs
+to Vault before storing data at rest.
+
+**Audit Logs for Vault:** Operators can choose to attach a persistent volume
+to the Vault cluster which can be used to [store audit logs](/docs/audit).
+
+**And more!** Vault can run directly on Kubernetes, so in addition to the
+native integrations provided by Vault itself, any other tool built for
+Kubernetes can choose to leverage Vault.
diff --git a/website/pages/docs/platform/k8s/injector/examples.mdx b/website/pages/docs/platform/k8s/injector/examples.mdx
new file mode 100644
index 000000000000..02624f74a0d3
--- /dev/null
+++ b/website/pages/docs/platform/k8s/injector/examples.mdx
@@ -0,0 +1,233 @@
+---
+layout: docs
+page_title: Vault Agent Sidecar Injector Examples
+sidebar_title: Examples
+description: This section documents examples of using the Vault Agent Injector.
+---
+
+# Vault Agent Injector Examples
+
+The following are different configuration examples to support a variety of
+deployment models.
+
+~> A common mistake is to set the annotation on the Deployment or other resource.
+Ensure that the injector annotations are specified on the pod specification when
+using higher level constructs such as deployments, jobs or statefulsets.
+
+## Before Using the Vault Agent Injector
+
+Before applying Vault Agent injection annotations to pods, the following requirements
+should be satisfied:
+
+- Kubernetes auth method should be configured and enabled in Vault,
+- Pod should have a service account,
+- desired secrets exist within Vault,
+- the service account should be bound to a Vault role with a policy enabling access to desired secrets.
+
+For more information on configuring the Vault Kubernetes auth method,
+[see the official documentation](/docs/auth/kubernetes.html#configuration).
+
+## Debugging
+
+If an error occurs with a mutation request, Kubernetes will attach the error to the
+owner of the pod. Check the following for errors:
+
+- If the pod was created by a deployment or statefulset, check for errors in the `replicaset`
+  that owns the pod.
+- If the pod was created by a job, check the `job` for errors.
+
+## Patching Existing Pods
+
+To patch existing pods, a Kubernetes patch can be applied to add the required annoations
+to pods. When applying a patch, the pods will be rescheduled.
+
+First, create the patch:
+
+```bash
+cat <<EOF >> ./patch.yaml
+spec:
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-inject-status: "update"
+        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
+        vault.hashicorp.com/agent-inject-template-db-creds: |
+          {{- with secret "database/creds/db-app" -}}
+          postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb?sslmode=disable
+          {{- end }}
+        vault.hashicorp.com/role: "db-app"
+        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
+        vault.hashicorp.com/client-cert: "/vault/tls/client.crt"
+        vault.hashicorp.com/client-key: "/vault/tls/client.key"
+        vault.hashicorp.com/tls-secret: "vault-tls-client"
+EOF
+```
+
+Next, apply the patch:
+
+```bash
+kubectl patch deployment <MY DEPLOYMENT> --patch "$(cat patch.yaml)"
+```
+
+The pod should now be rescheduled with additional containers. The pod can be inspected
+using the `kubectl describe` command:
+
+```bash
+kubectl describe pod <name of pod>
+```
+
+## Deployments, StatefulSets, etc.
+
+The annotations for configuring Vault Agent injection must be on the pod
+specification. Since higher level resources such as Deployments wrap pod
+specification templates, Vault Agent Injector can be used with all of these
+higher level constructs, too.
+
+An example Deployment below shows how to enable Vault Agent injection:
+
+```yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: app-example
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app-example-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app-example
+  template:
+    metadata:
+      labels:
+        app: app-example
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
+        vault.hashicorp.com/agent-inject-template-db-creds: |
+          {{- with secret "database/creds/db-app" -}}
+          postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb?sslmode=disable
+          {{- end }}
+        vault.hashicorp.com/role: "db-app"
+        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
+        vault.hashicorp.com/client-cert: "/vault/tls/client.crt"
+        vault.hashicorp.com/client-key: "/vault/tls/client.key"
+        vault.hashicorp.com/tls-secret: "vault-tls-client"
+    spec:
+      containers:
+        - name: app
+          image: "app:1.0.0"
+      serviceAccountName: app-example
+```
+
+## ConfigMap Example
+
+The following example creates a deployment that mounts a Kubernetes ConfigMap
+containing Vault Agent configuration files. For a complete list of the Vault
+Agent configuration settings, [see the Agent documentation](/docs/agent/template/index.html#vault-agent-templates).
+
+```yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: app-example
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app-example-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app-example
+  template:
+    metadata:
+      labels:
+        app: app-example
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-configmap: "my-configmap"
+        vault.hashicorp.com/tls-secret: "vault-tls-client"
+    spec:
+      containers:
+        - name: app
+          image: "app:1.0.0"
+      serviceAccountName: app-example
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: my-configmap
+data:
+  config.hcl: |
+    "auto_auth" = {
+      "method" = {
+        "config" = {
+          "role" = "db-app"
+        }
+        "type" = "kubernetes"
+      }
+
+      "sink" = {
+        "config" = {
+          "path" = "/home/vault/.token"
+        }
+
+        "type" = "file"
+      }
+    }
+
+    "exit_after_auth" = false
+    "pid_file" = "/home/vault/.pid"
+
+    "template" = {
+      "contents" = "{{- with secret \"database/creds/db-app\" -}}postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable{{- end }}"
+      "destination" = "/vault/secrets/db-creds"
+    }
+
+    "vault" = {
+      "address" = "https://vault.demo.svc.cluster.local:8200"
+      "ca_cert" = "/vault/tls/ca.crt"
+      "client_cert" = "/vault/tls/client.crt"
+      "client_key" = "/vault/tls/client.key"
+    }
+  config-init.hcl: |
+    "auto_auth" = {
+      "method" = {
+        "config" = {
+          "role" = "db-app"
+        }
+        "type" = "kubernetes"
+      }
+
+      "sink" = {
+        "config" = {
+          "path" = "/home/vault/.token"
+        }
+
+        "type" = "file"
+      }
+    }
+
+    "exit_after_auth" = true
+    "pid_file" = "/home/vault/.pid"
+
+    "template" = {
+      "contents" = "{{- with secret \"database/creds/db-app\" -}}postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable{{- end }}"
+      "destination" = "/vault/secrets/db-creds"
+    }
+
+    "vault" = {
+      "address" = "https://vault.demo.svc.cluster.local:8200"
+      "ca_cert" = "/vault/tls/ca.crt"
+      "client_cert" = "/vault/tls/client.crt"
+      "client_key" = "/vault/tls/client.key"
+    }
+```
diff --git a/website/pages/docs/platform/k8s/injector/index.mdx b/website/pages/docs/platform/k8s/injector/index.mdx
new file mode 100644
index 000000000000..15769fe9c1c8
--- /dev/null
+++ b/website/pages/docs/platform/k8s/injector/index.mdx
@@ -0,0 +1,268 @@
+---
+layout: docs
+page_title: Agent Sidecar Injector Overview
+sidebar_title: Agent Injector
+description: >-
+  The Vault Agent Sidecar Injector is a Kubernetes admission webhook that adds
+  Vault Agent containers to pods for consuming Vault secrets.
+---
+
+# Agent Sidecar Injector
+
+The Vault Agent Injector alters pod specifications to include Vault Agent
+containers that render Vault secrets to a shared memory volume using
+[Vault Agent Templates](/docs/agent/template/index.html).
+By rendering secrets to a shared volume, containers within the pod can consume
+Vault secrets without being Vault aware.
+
+The injector is a [Kubernetes Mutation Webhook Controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/).
+The controller intercepts pod events and applies mutations to the pod if annotations exist within
+the request. This functionality is provided by the [vault-k8s](https://github.com/hashicorp/vault-k8s)
+project and can be automatically installed and configured using the
+[Vault Helm](https://github.com/hashicorp/vault-helm) chart.
+
+## Overview
+
+The Vault Agent Injector works by intercepting pod `CREATE` and `UPDATE`
+events in Kubernetes. The controller parses the event and looks for the metadata
+annotation `vault.hashicorp.com/agent-inject: true`. If found, the controller will
+alter the pod specification based on other annotations present.
+
+### Mutations
+
+At a minimum, every container in the pod will be configured to mount a shared
+memory volume. This volume is mounted to `/vault/secrets` and will be used by the Vault
+Agent containers for sharing secrets with the other containers in the pod.
+
+Next, two types of Vault Agent containers can be injected: init and sidecar. The
+init container will prepopulate the shared memory volume with the requested
+secrets prior to the other containers starting. The sidecar container will
+continue to authenticate and render secrets to the same location as the pod runs.
+Using annotations, the initialization and sidecar containers may be disabled.
+
+Last, two additional types of volumes can be optionally mounted to the Vault Agent
+containers. The first is secret volume containing TLS requirements such as client
+and CA (certificate authority) certificates and keys. This volume is useful when
+communicating and verifying the Vault server's authenticity using TLS. The second
+is a configuration map containing Vault Agent configuration files. This volume is
+useful to customize Vault Agent beyond what the provided annotations offer.
+
+### Authenticating with Vault
+
+The primary method of authentication with Vault when using the Vault Agent Injector
+is the service account attached to the pod. At this time, no other authentication
+method is supported by the controller.
+
+The service account must be bound to a Vault role and a policy granting access to
+the secrets desired.
+
+A service account must be present to use the Vault Agent Injector. It is _not_
+recommended to bind Vault roles to the default service account provided to pods
+if no service account is defined.
+
+### Requesting Secrets
+
+There are two methods of configuring the Vault Agent containers to render secrets:
+
+- the `vault.hashicorp.com/agent-inject-secret` annotation, or
+- a configuration map containing Vault Agent configuration files.
+
+Only one of these methods may be used at any time.
+
+#### Secrets via Annotations
+
+To configure secret injection using annotations, the user must supply:
+
+- one or more _secret_ annotations, and
+- the Vault role used to access those secrets.
+
+The annotation must have the format:
+
+```yaml
+vault.hashicorp.com/agent-inject-secret-<unique-name>: /path/to/secret
+```
+
+The unique name will be the filename of the rendered secret and must be unique if
+multiple secrets are defined by the user. For example, consider the following
+secret annotations:
+
+```yaml
+vault.hashicorp.com/agent-inject-secret-foo: database/roles/app
+vault.hashicorp.com/agent-inject-secret-bar: consul/creds/app
+vault.hashicorp.com/role: 'app'
+```
+
+The first annotation will be rendered to `/vault/secrets/foo` and the second
+annotation will be rendered to `/vault/secrets/bar`.
+
+It's possible to set the file format of the using the annotation. For example the
+following secret will be rendered to `/vault/secrets/foo.txt`:
+
+```yaml
+vault.hashicorp.com/agent-inject-secret-foo.txt: database/roles/app
+vault.hashicorp.com/role: 'app'
+```
+
+The secret unique name must consist of alphanumeric characters, `.`, `_` or `-`.
+
+##### Secret Templates
+
+~> Vault Agent uses the Consul Template project to render secrets. For more information
+on writing templates, see the [Consul Template documentation](https://github.com/hashicorp/consul-template).
+
+How the secret is rendered to the file is also configurable. To configure the template
+used, the user must supply a _template_ annotation using the same unique name of
+the secret. The annotation must have the following format:
+
+```yaml
+vault.hashicorp.com/agent-inject-template-<unique-name>: |
+  < 
+    TEMPLATE
+    HERE
+  >
+```
+
+For example, consider the following:
+
+```yaml
+vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/app'
+vault.hashicorp.com/agent-inject-template-foo: |
+  {{- with secret "database/creds/db-app" -}}
+  postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable
+  {{- end }}
+vault.hashicorp.com/role: 'app'
+```
+
+The rendered secret would look like this within the container:
+
+```bash
+$ cat /vault/secrets/foo
+postgres://v-kubernet-pg-app-q0Z7WPfVN:A1a-BUEuQR52oAqPrP1J@postgres:5432/mydb?sslmode=disable
+```
+
+~> The default left and right template delimiters are `{{` and `}}`.
+
+If no template is provided the following generic template is used:
+
+```
+{{ with secret "/path/to/secret" }}
+    {{ range $k, $v := .Data }}
+        {{ $k }}: {{ $v }}
+    {{ end }}
+{{ end }}
+```
+
+For example, the following annotation will use the default template to render
+PostgreSQL secrets found at the configured path:
+
+```yaml
+vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/pg-app'
+vault.hashicorp.com/role: 'app'
+```
+
+The rendered secret would look like this within the container:
+
+```bash
+$ cat /vault/secrets/foo
+password: A1a-BUEuQR52oAqPrP1J
+username: v-kubernet-pg-app-q0Z7WPfVNqqTJuoDqCTY-1576529094
+```
+
+#### Vault Agent Configuration Map
+
+For advanced use cases, it may be required to define Vault Agent configuration
+files to mount instead of using secret and template annotations. The Vault Agent
+Injector supports mounting ConfigMaps by specifying the name using the `vault.hashicorp.com/agent-configmap`
+annotation. The configuration files will be mounted to `/vault/configs`.
+
+The configuration map must contain either one or both of the following files:
+
+- `config-init.hcl` used by the init container. This must have `exit_after_auth` set to `true`.
+- `config.hcl` used by the sidecar container. This must have `exit_after_auth` set to `false`.
+
+An example of mounting a Vault Agent configmap [can be found here](/docs/platform/k8s/injector/examples.html#configmap-example).
+
+## Annotations
+
+- `vault.hashicorp.com/agent-inject` - configures whether injection is explicitly
+  enabled or disabled for a pod. This should be set to a `true` or `false` value.
+  Defaults to `false`.
+
+- `vault.hashicorp.com/agent-inject-status` - blocks further mutations
+  by adding the value `injected` to the pod after a successful mutation.
+
+- `vault.hashicorp.com/agent-inject-secret` - configures Vault Agent
+  to retrieve the secrets from Vault required by the container. The name of the
+  secret is any unique string after `vault.hashicorp.com/agent-inject-secret-`,
+  such as `vault.hashicorp.com/agent-inject-secret-foobar`. The value is the path
+  in Vault where the secret is located.
+
+- `vault.hashicorp.com/agent-inject-template` - configures Vault Agent
+  what template to use for rendering the secrets. The name of the template is any
+  unique string after `vault.hashicorp.com/agent-inject-template-`, such as
+  `vault.hashicorp.com/agent-inject-template-foobar`. This should map to the same
+  unique value provided in `vault.hashicorp.com/agent-inject-secret-`. If not provided,
+  a default generic template is used.
+
+- `vault.hashicorp.com/role` - configures the Vault role used by the Vault Agent
+  auto-auth method. Required when `vault.hashicorp.com/agent-configmap` is not set.
+
+- `vault.hashicorp.com/agent-configmap` - name of the configuration map where Vault
+  Agent configuration file and templates can be found.
+
+- `vault.hashicorp.com/agent-pre-populate` - configures whether an init container
+  is included to pre-populate the shared memory volume with secrets prior to the
+  containers starting.
+
+- `vault.hashicorp.com/agent-pre-populate-only` - configures whether an init container
+  is the only injected container. If true, no sidecar container will be injected
+  at runtime of the pod.
+
+- `vault.hashicorp.com/agent-image` - name of the Vault docker image to use. This
+  value overrides the default image configured in the controller and is usually
+  not needed. Defaults to `vault:1.3.1`.
+
+- `vault.hashicorp.com/service` - name of the Vault service to use. This value
+  overrides the default service configured in the controller and is usually not
+  needed.
+
+- `vault.hashicorp.com/agent-limits-cpu` - configures the CPU limits on the Vault
+  Agent containers. Defaults to `500m`.
+
+- `vault.hashicorp.com/agent-limits-mem` - configures the memory limits on the Vault
+  Agent containers. Defaults to `128Mi`.
+
+- `vault.hashicorp.com/agent-requests-cpu` - configures the CPU requests on the
+  Vault Agent containers. Defaults to `250m`.
+
+- `vault.hashicorp.com/agent-requests-mem` - configures the memory requests on the
+  Vault Agent containers. Defaults to `64Mi`.
+
+- `vault.hashicorp.com/tls-secret` - name of the Kubernetes secret containing TLS
+  Client and CA certificates and keys. This is mounted to `/vault/tls`.
+
+- `vault.hashicorp.com/tls-server-name` - name of the Vault server to verify the
+  authenticity of the server when communicating with Vault over TLS.
+
+- `vault.hashicorp.com/tls-skip-verify` - if true, configures the Vault Agent to
+  skip verification of Vault's TLS certificate. It's not recommended to set this
+  value to true in a production environment.
+
+- `vault.hashicorp.com/ca-cert` - path of the CA certificate used to verify Vault's
+  TLS.
+
+- `vault.hashicorp.com/ca-key` - path of the CA public key used to verify Vault's
+  TLS.
+
+- `vault.hashicorp.com/client-cert` - path of the client certificate used when
+  communicating with Vault via mTLS.
+
+- `vault.hashicorp.com/client-key` - path of the client public key used when communicating
+  with Vault via mTLS.
+
+- `vault.hashicorp.com/client-max-retries` - configures number of Vault Agent retry
+  attempts when 5xx errors are encountered. Defaults to 2.
+
+- `vault.hashicorp.com/client-timeout` - configures the request timeout threshold,
+  in seconds, of the Vault Agent when communicating with Vault. Defaults to `60s`
+  and accepts value types of `60`, `60s` or `1m`.
diff --git a/website/pages/docs/platform/k8s/injector/installation.mdx b/website/pages/docs/platform/k8s/injector/installation.mdx
new file mode 100644
index 000000000000..9a709ab3b71f
--- /dev/null
+++ b/website/pages/docs/platform/k8s/injector/installation.mdx
@@ -0,0 +1,63 @@
+---
+layout: docs
+page_title: Agent Sidecar Injector Installation
+sidebar_title: Installation
+description: The Vault Agent Sidecar Injector can be installed using Vault Helm.
+---
+
+# Installing the Agent Injector
+
+The following are the different methods of installing the Agent Injector in
+Kubernetes.
+
+~> The Vault Agent Injector requires Vault 1.3.1.
+
+To install the Vault Agent injector, enable the injection feature using
+[Helm values](/docs/platform/k8s/helm/configuration.html) and
+upgrade the installation using `helm upgrade` for existing installs or
+`helm install` for a fresh install.
+
+To install a new instance of Vault and the Vault Agent Injector, run the following:
+
+```bash
+helm install --name=vault \
+  --set="injector.enabled=true" \
+  https://github.com/hashicorp/vault-helm/archive/v0.3.3.tar.gz
+```
+
+Other values in the Helm chart can be used to limit the namespaces the injector
+runs in, TLS options and more.
+
+## TLS Options
+
+Admission webhook controllers require TLS to run within Kubernetes. At this time
+the Vault Agent Injector supports two TLS options:
+
+- Auto TLS generation (default)
+- Manual TLS
+
+### Auto TLS
+
+By default, the Vault Agent Injector will bootstrap TLS by generating a certificate
+authority and creating a certificate/key to be used by the controller. If using
+Vault Helm, the chart will automatically create the neccessary DNS entries for the
+controller's service used to verify the certificate.
+
+### Manual TLS
+
+If desired, users can supply their own TLS certificates, key and certificate authority.
+The following is required to configure TLS manually:
+
+- Server certificate/key
+- Base64 PEM encoded Certificate Authority bundle
+
+For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration.html#certs).
+
+## Namespace Selector
+
+By default, the Vault Agent Injector will process all namespaces in Kubernetes except
+the system namespaces `kube-system` and `kube-public`. To limit what namespaces
+the injector can work in a namespace selector can be defined to match labels attached
+to namespaces.
+
+For more information on configuring namespace selection, see the [Vault Helm namespaceSelector value](/docs/platform/k8s/helm/configuration.html#namespaceselector).
diff --git a/website/pages/docs/plugin/index.mdx b/website/pages/docs/plugin/index.mdx
new file mode 100644
index 000000000000..400847f78c4b
--- /dev/null
+++ b/website/pages/docs/plugin/index.mdx
@@ -0,0 +1,55 @@
+---
+layout: docs
+page_title: Custom Plugin Backends
+sidebar_title: Plugin Backends
+description: >-
+  Plugin backends are mountable backends that are implemented using Vault's
+  plugin system.
+---
+
+# Custom Plugin Backends
+
+Plugin backends are the components in Vault that can be implemented separately from Vault's
+builtin backends. These backends can be either authentication or secrets engines.
+
+The [`api_addr`][api_addr] must be set in order for the plugin process to establish
+communication with the Vault server during mount time. If the storage backend
+has HA enabled and supports automatic host address detection (e.g. Consul),
+Vault will automatically attempt to determine the `api_addr` as well.
+
+Detailed information regarding the plugin system can be found in the
+[internals documentation](https://www.vaultproject.io/docs/internals/plugins.html).
+
+# Enabling/Disabling Plugin Backends
+
+Before a plugin backend can be mounted, it needs to be registered via the
+[plugin catalog](https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog). After
+the plugin is registered, it can be mounted by specifying the registered plugin name:
+
+```text
+$ vault secrets enable -path=my-secrets passthrough-plugin
+Success! Enabled the passthrough-plugin secrets engine at: my-secrets/
+```
+
+Listing secrets engines will display secrets engines that are mounted as
+plugins:
+
+```text
+$ vault secrets list
+Path         Type       Accessor            Plugin              Default TTL  Max TTL  Force No Cache  Replication Behavior  Description
+my-secrets/  plugin     plugin_deb84140     passthrough-plugin  system       system   false           replicated
+```
+
+Disabling a plugin backend is the identical to disabling internal secrets engines:
+
+```text
+$ vault secrets disable my-secrets
+```
+
+# Upgrading Plugins
+
+Upgrade instructions can be found in the [Upgrading Plugins - Guides][upgrading_plugins]
+page.
+
+[api_addr]: /docs/configuration/index.html#api_addr
+[upgrading_plugins]: /docs/upgrading/plugins.html
diff --git a/website/pages/docs/secrets/ad/index.mdx b/website/pages/docs/secrets/ad/index.mdx
new file mode 100644
index 000000000000..1876d485eed5
--- /dev/null
+++ b/website/pages/docs/secrets/ad/index.mdx
@@ -0,0 +1,347 @@
+---
+layout: docs
+page_title: Active Directory - Secrets Engines
+sidebar_title: Active Directory
+description: >-
+  The Active Directory secrets engine for Vault generates passwords dynamically
+  based on
+
+  roles.
+---
+
+# Active Directory Secrets Engine
+
+The Active Directory (AD) secrets engine is a plugin residing [here](https://github.com/hashicorp/vault-plugin-secrets-active-directory).
+It has two main features.
+
+The first feature (password rotation) is where the AD secrets engine rotates AD passwords dynamically.
+This is designed for a high-load environment where many instances may be accessing
+a shared password simultaneously. With a simple set up and a simple creds API,
+it doesn't require instances to be manually registered in advance to gain access.
+As long as access has been granted to the creds path via a method like
+[AppRole](https://www.vaultproject.io/api/auth/approle/index.html), they're available. Passwords are
+lazily rotated based on preset TTLs and can have a length configured to meet your needs.
+
+The second feature (service account check-out) is where a library of service accounts can
+be checked out by a person or by machines. Vault will automatically rotate the password
+each time a service account is checked in. Service accounts can be voluntarily checked in, or Vault
+will check them in when their lending period (or, "ttl", in Vault's language) ends.
+
+## Password Rotation
+
+### A Note on Lazy Rotation
+
+To drive home the point that passwords are rotated "lazily", consider this scenario:
+
+- A password is configured with a TTL of 1 hour.
+- All instances of a service using this password are off for 12 hours.
+- Then they wake up and again request the password.
+
+In this scenario, although the password TTL was set to 1 hour, the password wouldn't be rotated for 12 hours when it
+was next requested. "Lazy" rotation means passwords are rotated when all of the following conditions are true:
+
+- They are over their TTL
+- They are requested
+
+Therefore, the AD TTL can be considered a soft contract. It's fulfilled when the given password is next requested.
+
+To ensure your passwords are rotated as expected, we'd recommend you configure services to request each password at least
+twice as often as its TTL.
+
+### A Note on Escaping
+
+**It is up to the administrator** to provide properly escaped DNs. This
+includes the user DN, bind DN for search, and so on.
+
+The only DN escaping performed by this method is on usernames given at login
+time when they are inserted into the final bind DN, and uses escaping rules
+defined in RFC 4514.
+
+Additionally, Active Directory has escaping rules that differ slightly from the
+RFC; in particular it requires escaping of '#' regardless of position in the DN
+(the RFC only requires it to be escaped when it is the first character), and
+'=', which the RFC indicates can be escaped with a backslash, but does not
+contain in its set of required escapes. If you are using Active Directory and
+these appear in your usernames, please ensure that they are escaped, in
+addition to being properly escaped in your configured DNs.
+
+For reference, see [RFC 4514](https://www.ietf.org/rfc/rfc4514.txt) and this
+[TechNet post on characters to escape in Active
+Directory](http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx).
+
+### Quick Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the Active Directory secrets engine:
+
+    ```text
+    $ vault secrets enable ad
+    Success! Enabled the ad secrets engine at: ad/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+2.  Configure the credentials that Vault uses to communicate with Active Directory
+    to generate passwords:
+
+    ```text
+    $ vault write ad/config \
+        binddn=$USERNAME \
+        bindpass=$PASSWORD \
+        url=ldaps://138.91.247.105 \
+        userdn='dc=example,dc=com'
+    ```
+
+    The `$USERNAME` and `$PASSWORD` given must have access to modify passwords
+    for the given account. It is possible to delegate access to change
+    passwords for these accounts to the one Vault is in control of, and this is
+    usually the highest-security solution.
+
+    If you'd like to do a quick, insecure evaluation, also set `insecure_tls` to true. However, this is NOT RECOMMENDED
+    in a production environment. In production, we recommend `insecure_tls` is false (its default) and is used with a valid
+    `certificate`.
+
+3.  Configure a role that maps a name in Vault to an account in Active Directory.
+    When applications request passwords, password rotation settings will be managed by
+    this role.
+
+    ```text
+    $ vault write ad/roles/my-application \
+        service_account_name="my-application@example.com"
+    ```
+
+4.  Grant "my-application" access to its creds at `ad/creds/my-application` using an
+    auth method like [AppRole](https://www.vaultproject.io/api/auth/approle/index.html).
+
+### FAQ
+
+#### What if someone directly rotates an Active Directory password that Vault is managing?
+
+If an administrator at your company rotates a password that Vault is managing,
+the next time an application asks _Vault_ for that password, Vault won't know
+it.
+
+To maintain that application's up-time, Vault will need to return to a state of
+knowing the password. Vault will generate a new password, update it, and return
+it to the application(s) asking for it. This all occurs automatically, without
+human intervention.
+
+Thus, we wouldn't recommend that administrators directly rotate the passwords
+for accounts that Vault is managing. This may lead to behavior the
+administrator wouldn't expect, like finding very quickly afterwards that their
+new password has already been changed.
+
+The password `ttl` on a role can be updated at any time to ensure that the
+responsibility of updating passwords can be left to Vault, rather than
+requiring manual administrator updates.
+
+#### Why does Vault return the last password in addition to the current one?
+
+Active Directory promises _eventual consistency_, which means that new
+passwords may not be propagated to all instances immediately. To deal with
+this, Vault returns the current password with the last password if it's known.
+That way, if a new password isn't fully operational, the last password can also
+be used.
+
+## Service Account Check-Out
+
+Vault offers the ability to check service accounts in and out. This is a separate,
+different set of functionality from the password rotation feature above. Let's walk
+through how to use it, with explanation at each step.
+
+First we'll need to enable the AD secrets engine and tell it how to talk to our AD
+server just as we did above.
+
+```text
+$ vault secrets enable ad
+Success! Enabled the ad secrets engine at: ad/
+
+$ vault write ad/config \
+    binddn=$USERNAME \
+    bindpass=$PASSWORD \
+    url=ldaps://138.91.247.105 \
+    userdn='dc=example,dc=com'
+```
+
+Our next step is to designate a set of service accounts for check-out.
+
+```text
+$ vault write ad/library/accounting-team \
+    service_account_names=fizz@example.com,buzz@example.com \
+    ttl=10h \
+    max_ttl=20h \
+    disable_check_in_enforcement=false
+```
+
+In this example, the service account names of `fizz@example.com` and `buzz@example.com` have
+already been created on the remote AD server. They've been set aside solely for Vault to handle.
+The `ttl` is how long each check-out will last before Vault checks in a service account,
+rotating its password during check-in. The `max_ttl` is the maximum amount of time it can live
+if it's renewed. These default to `24h`. Also by default, a service account must be checked in
+by the same Vault entity or client token that checked it out. However, if this behavior causes
+problems, set `disable_check_in_enforcement=true`.
+
+When a library of service accounts has been created, view their status at any time to see if they're
+available or checked out.
+
+```text
+$ vault read ad/library/accounting-team/status
+Key                 Value
+---                 -----
+buzz@example.com    map[available:true]
+fizz@example.com    map[available:true]
+```
+
+To check out any service account that's available, simply execute:
+
+```text
+$ vault write -f ad/library/accounting-team/check-out
+Key                     Value
+---                     -----
+lease_id                ad/library/accounting-team/check-out/EpuS8cX7uEsDzOwW9kkKOyGW
+lease_duration          10h
+lease_renewable         true
+password                ?@09AZKh03hBORZPJcTDgLfntlHqxLy29tcQjPVThzuwWAx/Twx4a2ZcRQRqrZ1w
+service_account_name    fizz@example.com
+```
+
+If the default `ttl` for the check-out is higher than needed, set the check-out to last
+for a shorter time by using:
+
+```text
+$ vault write ad/library/accounting-team/check-out ttl=30m
+Key                     Value
+---                     -----
+lease_id                ad/library/accounting-team/check-out/gMonJ2jB6kYs6d3Vw37WFDCY
+lease_duration          30m
+lease_renewable         true
+password                ?@09AZerLLuJfEMbRqP+3yfQYDSq6laP48TCJRBJaJu/kDKLsq9WxL9szVAvL/E1
+service_account_name    buzz@example.com
+```
+
+This can be a nice way to say, "Although I _can_ have a check-out for 24 hours, if I
+haven't checked it in after 30 minutes, I forgot or I'm a dead instance, so you can just
+check it back in."
+
+If no service accounts are available for check-out, Vault will return a 400 Bad Request.
+
+```text
+$ vault write -f ad/library/accounting-team/check-out
+Error writing data to ad/library/accounting-team/check-out: Error making API request.
+
+URL: PUT http://localhost:8200/v1/ad/library/accounting-team/check-out
+Code: 400. Errors:
+
+* No service accounts available for check-out.
+```
+
+To extend a check-out, renew its lease.
+
+```text
+$ vault lease renew ad/library/accounting-team/check-out/0C2wmeaDmsToVFc0zDiX9cMq
+Key                Value
+---                -----
+lease_id           ad/library/accounting-team/check-out/0C2wmeaDmsToVFc0zDiX9cMq
+lease_duration     10h
+lease_renewable    true
+```
+
+Renewing a check-out means its current password will live longer, since passwords are rotated
+anytime a password is _checked in_ either by a caller, or by Vault because the check-out `ttl`
+ends.
+
+To check a service account back in for others to use, call:
+
+```text
+$ vault write -f ad/library/accounting-team/check-in
+Key          Value
+---          -----
+check_ins    [fizz@example.com]
+```
+
+Most of the time this will just work, but if multiple service accounts checked out by the same
+caller, Vault will need to know which one(s) to check in.
+
+```text
+$ vault write ad/library/accounting-team/check-in service_account_names=fizz@example.com
+Key          Value
+---          -----
+check_ins    [fizz@example.com]
+```
+
+To perform a check-in, Vault verifies that the caller _should_ be able to check in a given service account.
+To do this, Vault looks for either the same [entity ID](https://learn.hashicorp.com/vault/identity-access-management/iam-identity)
+used to check out the service account, or the same client token.
+
+If a caller is unable to check in a service account, or simply doesn't try,
+Vault will check it back in automatically when the `ttl` expires. However, if that is too long,
+service accounts can be forcibly checked in by a highly privileged user through:
+
+```text
+$ vault write -f ad/library/manage/accounting-team/check-in
+Key          Value
+---          -----
+check_ins    [fizz@example.com]
+```
+
+Or, alternatively, revoking the secret's lease has the same effect.
+
+```text
+$ vault lease revoke ad/library/accounting-team/check-out/PvBVG0m7pEg2940Cb3Jw3KpJ
+All revocation operations queued successfully!
+```
+
+### Troubleshooting
+
+#### Old passwords are still valid for a period of time.
+
+During testing, we found that by default, many versions of Active Directory
+perpetuate old passwords for a short while. After we discovered this behavior,
+we found articles discussing it by searching for "AD password caching" and "OldPasswordAllowedPeriod". We
+also found [an article from Microsoft](https://support.microsoft.com/en-us/help/906305/new-setting-modifies-ntlm-network-authentication-behavior)
+discussing how to configure this behavior. This behavior appears to vary by AD
+version. We recommend you test the behavior of your particular AD server,
+and edit its settings to gain the desired behavior.
+
+#### I get a lot of 400 Bad Request's when trying to check out service accounts.
+
+This will occur when there aren't enough service accounts for those requesting them. Let's
+suppose our "accounting-team" service accounts are the ones being requested. When Vault
+receives a check-out call but none are available, Vault will log at debug level:
+"'accounting-team' had no check-outs available". Vault will also increment a metric
+containing the strings "active directory", "check-out", "unavailable", and "accounting-team".
+
+Once it's known _which_ library needs more service accounts for checkout, fix this issue
+by merely creating a new service account for it to use in Active Directory, then adding it to
+Vault like so:
+
+```text
+$ vault write ad/library/accounting-team \
+    service_account_names=fizz@example.com,buzz@example.com,new@example.com
+```
+
+In this example, fizz and buzz were pre-existing but were still included in the call
+because we'd like them to exist in the resulting set. The new account was appended to
+the end.
+
+#### Sometimes Vault gives me a password but then AD says it's not valid.
+
+Active Directory is eventually consistent, meaning that it can take some time for word
+of a new password to travel across all AD instances in a cluster. In larger clusters, we
+have observed the password taking over 10 seconds to propagate fully. The simplest way to
+handle this is to simply wait and retry using the new password.
+
+## Learn
+
+Refer to the [Active Directory Service Account Check-out](https://learn.hashicorp.com/vault/secrets-management/ad-secrets) guide
+for a step-by-step tutorial.
+
+## API
+
+The Active Directory secrets engine has a full HTTP API. Please see the
+[Active Directory secrets engine API](/api/secret/ad/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/alicloud/index.mdx b/website/pages/docs/secrets/alicloud/index.mdx
new file mode 100644
index 000000000000..ea13ac5140f8
--- /dev/null
+++ b/website/pages/docs/secrets/alicloud/index.mdx
@@ -0,0 +1,212 @@
+---
+layout: docs
+page_title: AliCloud - Secrets Engines
+sidebar_title: AliCloud
+description: >-
+  The AliCloud secrets engine for Vault generates access tokens or STS
+  credentials
+
+  dynamically based on RAM policies or roles.
+---
+
+# AliCloud Secrets Engine
+
+The AliCloud secrets engine dynamically generates AliCloud access tokens based on RAM
+policies, or AliCloud STS credentials based on RAM roles. This generally
+makes working with AliCloud easier, since it does not involve clicking in the web UI.
+The AliCloud access tokens are time-based and are automatically revoked when the Vault
+lease expires. STS credentials are short-lived, non-renewable, and expire on their own.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the AliCloud secrets engine:
+
+    ```text
+    $ vault secrets enable alicloud
+    Success! Enabled the alicloud secrets engine at: alicloud/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  [Create a custom policy](https://www.alibabacloud.com/help/doc-detail/28640.htm)
+    in AliCloud that will be used for the access key you will give Vault. See "Example
+    RAM Policy for Vault".
+
+1.  [Create a user](https://www.alibabacloud.com/help/faq-detail/28637.htm) in AliCloud
+    with a name like "hashicorp-vault", and directly apply the new custom policy to that user
+    in the "User Authorization Policies" section.
+
+1.  Create an access key for that user in AliCloud, which is an action available in
+    AliCloud's UI on the user's page.
+
+1.  Configure that access key as the credentials that Vault will use to communicate with
+    AliCloud to generate credentials:
+
+    ```text
+    $ vault write alicloud/config \
+        access_key=0wNEpMMlzy7szvai \
+        secret_key=PupkTg8jdmau1cXxYacgE736PJj4cA
+    ```
+
+    Alternatively, the AliCloud secrets engine can pick up credentials set as environment variables,
+    or credentials available through instance metadata. Since it checks current credentials on every API call,
+    changes in credentials will be picked up almost immediately without a Vault restart.
+
+    If available, we recommend using instance metadata for these credentials as they are the most
+    secure option. To do so, simply ensure that the instance upon which Vault is running has sufficient
+    privileges, and do not add any config.
+
+1.  Configure a role describing how credentials will be granted.
+
+    To generate access tokens using only policies that have already been created in AliCloud:
+
+    ```text
+    $ vault write alicloud/role/policy-based \
+        remote_policies='name:AliyunOSSReadOnlyAccess,type:System' \
+        remote_policies='name:AliyunRDSReadOnlyAccess,type:System'
+    ```
+
+    To generate access tokens using only policies that will be dynamically created in AliCloud by
+    Vault:
+
+    ```text
+    $ vault write alicloud/role/policy-based \
+        inline_policies=-<<EOF
+    [
+        {
+          "Statement": [
+            {
+              "Action": "rds:Describe*",
+              "Effect": "Allow",
+              "Resource": "*"
+            }
+          ],
+          "Version": "1"
+        },
+        {...}
+    ]
+    EOF
+    ```
+
+    Both `inline_policies` and `remote_policies` may be used together. However, neither may be
+    used configuring how to generate STS credentials, like so:
+
+    ```text
+    $ vault write alibaba/role/role-based \
+          role_arn='acs:ram::5138828231865461:role/hastrustedactors'
+    ```
+
+    Any `role_arn` specified must have added "trusted actors" when it was being created. These
+    can only be added at role creation time. Trusted actors are entities that can assume the role.
+    Since we will be assuming the role to gain credentials, the `access_key` and `secret_key` in
+    the config must qualify as a trusted actor.
+
+### Helpful Links
+
+- [More on roles](https://www.alibabacloud.com/help/doc-detail/28649.htm)
+- [More on policies](https://www.alibabacloud.com/help/doc-detail/28652.htm)
+
+### Example RAM Policy for Vault
+
+While AliCloud credentials can be supplied by environment variables, an explicit
+setting in the `alicloud/config`, or through instance metadata, the resulting
+credentials need sufficient permissions to issue secrets. The necessary permissions
+vary based on the ways roles are configured.
+
+This is an example RAM policy that would allow you to create credentials using
+any type of role:
+
+```json
+{
+  "Statement": [
+    {
+      "Action": [
+        "ram:CreateAccessKey",
+        "ram:DeleteAccessKey",
+        "ram:CreatePolicy",
+        "ram:DeletePolicy",
+        "ram:AttachPolicyToUser",
+        "ram:DetachPolicyFromUser",
+        "ram:CreateUser",
+        "ram:DeleteUser",
+        "sts:AssumeRole"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ],
+  "Version": "1"
+}
+```
+
+However, the policy you use should only allow the actions you actually need
+for how your roles are configured.
+
+If any roles are using `inline_policies`, you need the following actions:
+
+- `"ram:CreateAccessKey"`
+- `"ram:DeleteAccessKey"`
+- `"ram:AttachPolicyToUser"`
+- `"ram:DetachPolicyFromUser"`
+- `"ram:CreateUser"`
+- `"ram:DeleteUser"`
+
+If any roles are using `remote_policies`, you need the following actions:
+
+- All listed for `inline_policies`
+- `"ram:CreatePolicy"`
+- `"ram:DeletePolicy"`
+
+If any roles are using `role_arn`, you need the following actions:
+
+- `"sts:AssumeRole"`
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new access key by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read alicloud/creds/policy-based
+    Key                Value
+    ---                -----
+    lease_id           alicloud/creds/policy-based/f3e92392-7d9c-09c8-c921-575d62fe80d8
+    lease_duration     768h
+    lease_renewable    true
+    access_key         0wNEpMMlzy7szvai
+    secret_key         PupkTg8jdmau1cXxYacgE736PJj4cA
+    ```
+
+    The `access_key` and `secret_key` returned are also known is an
+    `"AccessKeyId"`and `"AccessKeySecret"`, respectively, in the Alibaba's
+    docs.
+
+    Retrieving creds for a role using a `role_arn` will carry the additional
+    fields of `expiration` and `security_token`, like so:
+
+    ```text
+    $ vault read alicloud/creds/role-based
+    Key                Value
+    ---                -----
+    lease_id           alicloud/creds/role-based/f3e92392-7d9c-09c8-c921-575d62fe80d9
+    lease_duration     59m59s
+    lease_renewable    false
+    access_key         STS.L4aBSCSJVMuKg5U1vFDw
+    secret_key         wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pKCNZ9
+    security_token     CAESrAIIARKAAShQquMnLIlbvEcIxO6wCoqJufs8sWwieUxu45hS9AvKNEte8KRUWiJWJ6Y+YHAPgNwi7yfRecMFydL2uPOgBI7LDio0RkbYLmJfIxHM2nGBPdml7kYEOXmJp2aDhbvvwVYIyt/8iES/R6N208wQh0Pk2bu+/9dvalp6wOHF4gkFGhhTVFMuTDRhQlNDU0pWTXVLZzVVMXZGRHciBTQzMjc0KgVhbGljZTCpnJjwySk6BlJzYU1ENUJuCgExGmkKBUFsbG93Eh8KDEFjdGlvbkVxdWFscxIGQWN0aW9uGgcKBW9zczoqEj8KDlJlc291cmNlRXF1YWxzEghSZXNvdXJjZRojCiFhY3M6b3NzOio6NDMyNzQ6c2FtcGxlYm94L2FsaWNlLyo=
+    expiration         2018-08-15T21:58:00Z
+    ```
+
+## API
+
+The AliCloud secrets engine has a full HTTP API. Please see the
+[AliCloud secrets engine API](/api/secret/alicloud/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/aws/index.mdx b/website/pages/docs/secrets/aws/index.mdx
new file mode 100644
index 000000000000..50cebcc642a4
--- /dev/null
+++ b/website/pages/docs/secrets/aws/index.mdx
@@ -0,0 +1,457 @@
+---
+layout: docs
+page_title: AWS - Secrets Engines
+sidebar_title: AWS
+description: |-
+  The AWS secrets engine for Vault generates access keys dynamically based on
+  IAM policies.
+---
+
+# AWS Secrets Engine
+
+The AWS secrets engine generates AWS access credentials dynamically based on IAM
+policies. This generally makes working with AWS IAM easier, since it does not
+involve clicking in the web UI. Additionally, the process is codified and mapped
+to internal auth methods (such as LDAP). The AWS IAM credentials are time-based
+and are automatically revoked when the Vault lease expires.
+
+Vault supports three different types of credentials to retrieve from AWS:
+
+1. `iam_user`: Vault will create an IAM user for each lease, attach the managed
+   and inline IAM policies as specified in the role to the user, and if a
+   [permissions
+   boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+   is specified on the role, the permissions boundary will also be attached.
+   Vault will then generate an access key and secret key for the IAM user and
+   return them to the caller. IAM users have no session tokens and so no
+   session token will be returned.
+2. `assumed_role`: Vault will call
+   [sts:AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
+   and return the access key, secret key, and session token to the caller.
+3. `federation_token`: Vault will call
+   [sts:GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)
+   passing in the supplied AWS policy document and return the access key, secret
+   key, and session token to the caller.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the AWS secrets engine:
+
+    ```text
+    $ vault secrets enable aws
+    Success! Enabled the aws secrets engine at: aws/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure the credentials that Vault uses to communicate with AWS to generate
+    the IAM credentials:
+
+    ```text
+    $ vault write aws/config/root \
+        access_key=AKIAJWVN5Z4FOFT7NLNA \
+        secret_key=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 \
+        region=us-east-1
+    ```
+
+    Internally, Vault will connect to AWS using these credentials. As such,
+    these credentials must be a superset of any policies which might be granted
+    on IAM credentials. Since Vault uses the official AWS SDK, it will use the
+    specified credentials. You can also specify the credentials via the standard
+    AWS environment credentials, shared file credentials, or IAM role/ECS task
+    credentials. (Note that you can't authorize vault with IAM role credentials if you plan
+    on using STS Federation Tokens, since the temporary security credentials
+    associated with the role are not authorized to use GetFederationToken.)
+
+    ~> **Notice:** Even though the path above is `aws/config/root`, do not use
+    your AWS root account credentials. Instead generate a dedicated user or
+    role.
+
+1.  Configure a Vault role that maps to a set of permissions in AWS as well as an
+    AWS credential type. When users generate credentials, they are generated
+    against this role. An example:
+
+    ```text
+    $ vault write aws/roles/my-role \
+        credential_type=iam_user \
+        policy_document=-<<EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "ec2:*",
+          "Resource": "*"
+        }
+      ]
+    }
+    EOF
+    ```
+
+    This creates a role named "my-role". When users generate credentials against
+    this role, Vault will create an IAM user and attach the specified policy
+    document to the IAM user. Vault will then create an access key and secret
+    key for the IAM user and return these credentials. You supply a
+    user inline policy and/or provide references to an existing AWS policy's full
+    ARN:
+
+    ```text
+    $ vault write aws/roles/my-other-role \
+        policy_arns=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess,arn:aws:iam::aws:policy/IAMReadOnlyAccess \
+        credential_type=iam_user \
+        policy_document=-<<EOF
+            {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": "ec2:*",
+                  "Resource": "*"
+                }
+              ]
+            }
+            EOF
+
+    ```
+
+    For more information on IAM policies, please see the
+    [AWS IAM policy documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html).
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read aws/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           aws/creds/my-role/f3e92392-7d9c-09c8-c921-575d62fe80d8
+    lease_duration     768h
+    lease_renewable    true
+    access_key         AKIAIOWQXTLW36DV7IEA
+    secret_key         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
+    security_token     <nil>
+    ```
+
+    Each invocation of the command will generate a new credential.
+
+    Unfortunately, IAM credentials are eventually consistent with respect to
+    other Amazon services. If you are planning on using these credential in a
+    pipeline, you may need to add a delay of 5-10 seconds (or more) after
+    fetching credentials before they can be used successfully.
+
+    If you want to be able to use credentials without the wait, consider using
+    the STS method of fetching keys. IAM credentials supported by an STS token
+    are available for use as soon as they are generated.
+
+## Example IAM Policy for Vault
+
+The `aws/config/root` credentials need permission to manage dynamic IAM users.
+Here is an example AWS IAM policy that grants the most commonly required
+permissions Vault needs:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:AttachUserPolicy",
+        "iam:CreateAccessKey",
+        "iam:CreateUser",
+        "iam:DeleteAccessKey",
+        "iam:DeleteUser",
+        "iam:DeleteUserPolicy",
+        "iam:DetachUserPolicy",
+        "iam:ListAccessKeys",
+        "iam:ListAttachedUserPolicies",
+        "iam:ListGroupsForUser",
+        "iam:ListUserPolicies",
+        "iam:PutUserPolicy",
+        "iam:RemoveUserFromGroup"
+      ],
+      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*"]
+    }
+  ]
+}
+```
+
+Vault also supports AWS Permissions Boundaries when creating IAM users. If you
+wish to enforce that Vault always attaches a permissions boundary to an IAM
+user, you can use a policy like:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateAccessKey",
+        "iam:DeleteAccessKey",
+        "iam:DeleteUser",
+        "iam:ListAccessKeys",
+        "iam:ListAttachedUserPolicies",
+        "iam:ListGroupsForUser",
+        "iam:ListUserPolicies",
+        "iam:RemoveUserFromGroup"
+      ],
+      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:AttachUserPolicy",
+        "iam:CreateUser",
+        "iam:DeleteUserPolicy",
+        "iam:DetachUserPolicy",
+        "iam:PutUserPolicy"
+      ],
+      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*"],
+      "Condition": {
+        "StringEquals": {
+          "iam:PermissionsBoundary": [
+            "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/PolicyName"
+          ]
+        }
+      }
+    }
+  ]
+}
+```
+
+where the "iam:PermissionsBoundary" condition contains the list of permissions
+boundary policies that you wish to ensure that Vault uses. This policy will
+ensure that Vault uses one of the permissions boundaries specified (not all of
+them).
+
+## STS credentials
+
+The above demonstrated usage with `iam_user` credential types. As mentioned,
+Vault also supports `assumed_role` and `federation_token` credential types.
+
+### STS Federation Tokens
+
+~> **Notice:** Due to limitations in AWS, in order to use the `federation_token`
+credential type, Vault **must** be configured with IAM user credentials. AWS
+does not allow temporary credentials (such as those from an IAM instance
+profile) to be used.
+
+An STS federation token inherits a set of permissions that are the combination
+(intersection) of four sets of permissions:
+
+1. The permissions granted to the `aws/config/root` credentials
+2. The user inline policy configured in the Vault role
+3. The managed policy ARNs configured in the Vault role
+4. An implicit deny policy on IAM or STS operations.
+
+Roles with a `credential_type` of `federation_token` can specify both a
+`policy_document` and `policy_arns` parameter in the Vault role.
+
+The `aws/config/root` credentials require IAM permissions for
+`sts:GetFederationToken` and the permissions to delegate to the STS
+federation token. For example, this policy on the `aws/config/root` credentials
+would allow creation of an STS federated token with delegated `ec2:*`
+permissions (or any subset of `ec2:*` permissions):
+
+```javascript
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": [
+      "ec2:*",
+      "sts:GetFederationToken"
+    ],
+    "Resource": "*"
+  }
+}
+```
+
+An `ec2_admin` role would then assign an inline policy with the same `ec2:*`
+permissions.
+
+```text
+$ vault write aws/roles/ec2_admin \
+    credential_type=federation_token \
+    policy_document=@policy.json
+```
+
+The policy.json file would contain an inline policy with similar permissions,
+less the `sts:GetFederationToken` permission. (We could grant
+`sts:GetFederationToken` permissions, but STS attaches attach an implicit deny
+that overrides the allow.)
+
+```javascript
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "ec2:*",
+    "Resource": "*"
+  }
+}
+```
+
+To generate a new set of STS federation token credentials, we simply write to
+the role using the aws/sts endpoint:
+
+```text
+$ vault write aws/sts/ec2_admin ttl=60m
+Key            	Value
+lease_id       	aws/sts/ec2_admin/31d771a6-fb39-f46b-fdc5-945109106422
+lease_duration 	60m0s
+lease_renewable	true
+access_key     	ASIAJYYYY2AA5K4WIXXX
+secret_key     	HSs0DYYYYYY9W81DXtI0K7X84H+OVZXK5BXXXX
+security_token 	AQoDYXdzEEwasAKwQyZUtZaCjVNDiXXXXXXXXgUgBBVUUbSyujLjsw6jYzboOQ89vUVIehUw/9MreAifXFmfdbjTr3g6zc0me9M+dB95DyhetFItX5QThw0lEsVQWSiIeIotGmg7mjT1//e7CJc4LpxbW707loFX1TYD1ilNnblEsIBKGlRNXZ+QJdguY4VkzXxv2urxIH0Sl14xtqsRPboV7eYruSEZlAuP3FLmqFbmA0AFPCT37cLf/vUHinSbvw49C4c9WQLH7CeFPhDub7/rub/QU/lCjjJ43IqIRo9jYgcEvvdRkQSt70zO8moGCc7pFvmL7XGhISegQpEzudErTE/PdhjlGpAKGR3d5qKrHpPYK/k480wk1Ai/t1dTa/8/3jUYTUeIkaJpNBnupQt7qoaXXXXXXXXXX
+```
+
+### STS AssumeRole
+
+The `assumed_role` credential type is typically used for cross-account
+authentication or single sign-on (SSO) scenarios. In order to use an
+`assumed_role` credential type, you must configure outside of Vault:
+
+1. An IAM role
+2. IAM inline policies and/or managed policies attached to the IAM role
+3. IAM trust policy attached to the IAM role to grant privileges for Vault to
+   assume the role
+
+`assumed_role` credentials offer a few benefits over `federation_token`:
+
+1. Assumed roles can invoke IAM and STS operations, if granted by the role's
+   IAM policies.
+2. Assumed roles support cross-account authentication
+3. Temporary credentials (such as those granted by running Vault on an EC2
+   instance in an IAM instance profile) can retrieve `assumed_role` credentials
+   (but cannot retrieve `federation_token` credentials).
+
+The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole`
+against the target role:
+
+```javascript
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "sts:AssumeRole",
+    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
+  }
+}
+```
+
+You must attach a trust policy to the target IAM role to assume, allowing
+the aws/root/config credentials to assume the role.
+
+```javascript
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+```
+
+When specifying a Vault role with a `credential_type` of `assumed_role`, you can
+specify more than one IAM role ARN. If you do so, Vault clients can select which
+role ARN they would like to assume when retrieving credentials from that role.
+
+Further, you can specify both a `policy_document` and `policy_arns` parameters;
+if specified, each acts as a
+filter on the IAM permissions granted to the assumed role. For an action to be
+allowed, it must be permitted by both the IAM policy on the AWS role that is
+assumed, the `policy_document` specified on the Vault role (if specified), and
+the managed policies specified by the `policy_arns` parameter. (The
+`policy_document` parameter is passed in as the `Policy` parameter to the
+[sts:AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
+API call, while the `policy_arns` parameter is passed in as the `PolicyArns`
+parameter to the same call.)
+
+Note: When multiple `role_arns` are specified, clients requesting credentials
+can specify any of the role ARNs that are defined on the Vault role in order to
+retrieve credentials. However, when a `policy_document` is specified, that will
+apply to ALL role credentials retrieved from AWS.
+
+Let's create a "deploy" policy using the arn of our role to assume:
+
+```text
+$ vault write aws/roles/deploy \
+    role_arns=arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume \
+    credential_type=assumed_role
+```
+
+To generate a new set of STS assumed role credentials, we again write to
+the role using the aws/sts endpoint:
+
+```text
+$ vault write aws/sts/deploy ttl=60m
+Key            	Value
+lease_id       	aws/sts/deploy/31d771a6-fb39-f46b-fdc5-945109106422
+lease_duration 	60m0s
+lease_renewable	true
+access_key     	ASIAJYYYY2AA5K4WIXXX
+secret_key     	HSs0DYYYYYY9W81DXtI0K7X84H+OVZXK5BXXXX
+security_token 	AQoDYXdzEEwasAKwQyZUtZaCjVNDiXXXXXXXXgUgBBVUUbSyujLjsw6jYzboOQ89vUVIehUw/9MreAifXFmfdbjTr3g6zc0me9M+dB95DyhetFItX5QThw0lEsVQWSiIeIotGmg7mjT1//e7CJc4LpxbW707loFX1TYD1ilNnblEsIBKGlRNXZ+QJdguY4VkzXxv2urxIH0Sl14xtqsRPboV7eYruSEZlAuP3FLmqFbmA0AFPCT37cLf/vUHinSbvw49C4c9WQLH7CeFPhDub7/rub/QU/lCjjJ43IqIRo9jYgcEvvdRkQSt70zO8moGCc7pFvmL7XGhISegQpEzudErTE/PdhjlGpAKGR3d5qKrHpPYK/k480wk1Ai/t1dTa/8/3jUYTUeIkaJpNBnupQt7qoaXXXXXXXXXX
+```
+
+## Troubleshooting
+
+### Dynamic IAM user errors
+
+If you get an error message similar to either of the following, the root credentials that you wrote to `aws/config/root` have insufficient privilege:
+
+```text
+$ vault read aws/creds/deploy
+* Error creating IAM user: User: arn:aws:iam::000000000000:user/hashicorp is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::000000000000:user/vault-root-1432735386-4059
+
+$ vault revoke aws/creds/deploy/774cfb27-c22d-6e78-0077-254879d1af3c
+Revoke error: Error making API request.
+
+URL: PUT http://127.0.0.1:8200/v1/sys/revoke/aws/creds/deploy/774cfb27-c22d-6e78-0077-254879d1af3c
+Code: 400. Errors:
+
+* invalid request
+```
+
+If you get stuck at any time, simply run `vault path-help aws` or with a subpath for
+interactive help output.
+
+### STS federated token errors
+
+Vault generates STS tokens using the IAM credentials passed to `aws/config`.
+
+Those credentials must have two properties:
+
+- They must have permissions to call `sts:GetFederationToken`.
+- The capabilities of those credentials have to be at least as permissive as those requested
+  by policies attached to the STS creds.
+
+If either of those conditions are not met, a "403 not-authorized" error will be returned.
+
+See http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html for more details.
+
+Vault 0.5.1 or later is recommended when using STS tokens to avoid validation
+errors for exceeding the AWS limit of 32 characters on STS token names.
+
+## API
+
+The AWS secrets engine has a full HTTP API. Please see the
+[AWS secrets engine API](/api/secret/aws/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/azure/index.mdx b/website/pages/docs/secrets/azure/index.mdx
new file mode 100644
index 000000000000..08fb6b925fec
--- /dev/null
+++ b/website/pages/docs/secrets/azure/index.mdx
@@ -0,0 +1,261 @@
+---
+layout: docs
+page_title: Azure - Secrets Engine
+sidebar_title: Azure
+description: |-
+  The Azure Vault secrets engine dynamically generates Azure
+  service principals and role assignments.
+---
+
+# Azure Secrets Engine
+
+The Azure secrets engine dynamically generates Azure service principals along
+with role and group assignments. Vault roles can be mapped to one or more Azure
+roles, and optionally group assignments, providing a simple, flexible way to
+manage the permissions granted to generated service principals.
+
+Each service principal is associated with a Vault lease. When the lease expires
+(either during normal revocation or through early revocation), the service
+principal is automatically deleted.
+
+If an existing service principal is specified as part of the role configuration,
+a new password will be dynamically generated instead of a new service principal.
+The password will be deleted when the lease is revoked.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the Azure secrets engine:
+
+   ```text
+   $ vault secrets enable azure
+   Success! Enabled the azure secrets engine at: azure/
+   ```
+
+   By default, the secrets engine will mount at the name of the engine. To
+   enable the secrets engine at a different path, use the `-path` argument.
+
+1. Configure the secrets engine with account credentials:
+
+   ```text
+   $ vault write azure/config \
+   subscription_id=$AZURE_SUBSCRIPTION_ID \
+   tenant_id=$AZURE_TENANT_ID \
+   client_id=$AZURE_CLIENT_ID \
+   client_secret=$AZURE_CLIENT_SECRET
+
+   Success! Data written to: azure/config
+   ```
+
+   If you are running Vault inside an Azure VM with MSI enabled, `client_id` and
+   `client_secret` may be omitted. For more information on authentication, see the [authentication](#authentication) section below.
+
+1. Configure a role. A role may be set up with either an existing service principal, or
+   a set of Azure roles that will be assigned to a dynamically created service principal.
+
+To configure a role called "my-role" with an existing service principal:
+
+```text
+$ vault write azure/roles/my-role application_object_id=<existing_app_obj_id> ttl=1h
+```
+
+Alternatively, to configure the role to create a new service principal with Azure roles:
+
+```text
+$ vault write azure/roles/my-role ttl=1h azure_roles=-<<EOF
+    [
+        {
+            "role_name": "Contributor",
+            "scope":  "/subscriptions/<uuid>/resourceGroups/Website"
+        }
+    ]
+EOF
+```
+
+Roles may also have their own TTL configuration that is separate from the mount's
+TTL. For more information on roles see the [roles](#roles) section below.
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permissions, it can generate credentials. The usage pattern is the same
+whether an existing or dynamic service principal is used.
+
+To generate a credential using the "my-role" role:
+
+```text
+$ vault read azure/creds/my-role
+
+Key                Value
+---                -----
+lease_id           azure/creds/sp_role/1afd0969-ad23-73e2-f974-962f7ac1c2b4
+lease_duration     60m
+lease_renewable    true
+client_id          408bf248-dd4e-4be5-919a-7f6207a307ab
+client_secret      ad06228a-2db9-4e0a-8a5d-e047c7f32594
+```
+
+This endpoint generates a renewable set of credentials. The application can login
+using the `client_id`/`client_secret` and will have access provided by configured service
+principal or the Azure roles set in the "my-role" configuration.
+
+## Roles
+
+Vault roles let you configure either an existing service principal or a set of Azure roles, along with
+role-specific TTL parameters. If an existing service principal is not provided, the configured Azure
+roles will be assigned to a newly created service principal. The Vault role may optionally specify
+role-specific `ttl` and/or `max_ttl` values. When the lease is created, the more restrictive of the
+mount or role TTL value will be used.
+
+### Application Object IDs
+
+If an existing service principal is to be used, the Application Object ID must be set on the Vault role.
+This ID can be found by inspecting the desired Application with the `az` CLI tool, or via the Azure Portal. Note
+that the Application **Object** ID must be provided, not the Application ID.
+
+### Azure Roles
+
+If dynamic service principals are used, Azure roles must be configured on the Vault role.
+Azure roles are provided as a JSON list, with each element describing an Azure role and scope to be assigned.
+Azure roles may be specified using the `role_name` parameter ("Owner"), or `role_id`
+("/subscriptions/.../roleDefinitions/...").
+`role_id` is the definitive ID that's used during Vault operation; `role_name` is a convenience during
+role management operations. All roles _must exist_ when the configuration is written or the operation will fail. The role lookup priority is:
+
+1. If `role_id` is provided, it is validated and the corresponding `role_name` updated.
+1. If only `role_name` is provided, a case-insensitive search-by-name is made, succeeding
+   only if _exactly one_ matching role is found. The `role_id` field will updated with the matching role ID.
+
+The `scope` must be provided for every role assignment.
+
+### Azure Groups
+
+If dynamic service principals are used, a list of Azure groups may be configured on the Vault role.
+When the service principal is created, it will be assigned to these groups. Similar to the format used
+for specifying Azure roles, Azure groups may be referenced by either their `group_name` or `object_id`.
+Group specification by name must yield a single matching group.
+
+Example of role configuration:
+
+```text
+$ vault write azure/roles/my-role ttl=1h max_ttl=24h azure_roles=@az_roles.json azure_groups=@az_groups.json
+
+$ cat az_roles.json
+[
+  {
+    "role_name": "Contributor",
+    "scope":  "/subscriptions/<uuid>/resourceGroups/Website"
+  },
+  {
+    "role_id": "/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
+    "scope":  "/subscriptions/<uuid>"
+  },
+  {
+    "role_name": "This won't matter as it will be overwritten",
+    "role_id": "/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
+    "scope":  "/subscriptions/<uuid>/resourceGroups/Database"
+  }
+]
+
+$ cat az_groups.json
+[
+  {
+    "group_name": "foo",
+  },
+  {
+    "group_name": "This won't matter as it will be overwritten",
+    "object_id": "a6a834a6-36c3-4575-8e2b-05095963d603"
+  }
+]
+```
+
+## Authentication
+
+The Azure secrets backend must have sufficient permissions to read Azure role information and manage
+service principals. The authentication parameters can be set in the backend configuration or as environment variables. Environment variables will take precedence.
+The individual parameters are described in the [configuration][config] section of the API docs.
+
+If the client ID or secret are not present and Vault is running on and Azure VM, Vault will attempt to use
+[Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview) to access Azure. Note that when MSI is used, tenant and subscription IDs must still be explicitly provided in the configuration or environment variables.
+
+The following Azure roles and Azure Active Directory (AAD) permissions are required, regardless of which authentication method is used:
+
+- "Owner" role for the subscription scope
+- "Read and write all applications" permission in AAD
+
+These permissions can be configured through the Azure Portal, CLI tool, or PowerShell.
+In your Azure subscription, your account must have `Microsoft.Authorization/*/Write`
+access to assign an AD app to a role. This action is granted through the [Owner](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) role or
+[User Access Administrator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator) role. If your account is assigned to the Contributor role, you
+don't have adequate permission. You will receive an error when attempting to assign the service
+principal to a role.
+
+## Choosing between dynamic or existing service principals
+
+Dynamic service principals are preferred if the desired Azure resources can be provided
+via the RBAC system and Azure roles defined in the Vault role. This form of credential is
+completely decoupled from any other clients, is not subject to permission changes after
+issuance, and offers the best audit granularity.
+
+Access to some Azure services cannot be provided with the RBAC system, however. In these
+cases, an existing service principal can be set up with the necessary access, and Vault
+can create new passwords for this service principal. Any changes to the service principal
+permissions affect all clients. Furthermore, Azure does not provide any logging with
+regard to _which_ credential was used for an operation.
+
+An important limitation when using an existing service principal is that Azure limits the
+number of passwords for a single Application. This limit is based on Application object
+size and isn't firmly specified, but in practice hundreds of passwords can be issued per
+Application. An error will be returned if the object size is reached. This limit can be
+managed by reducing the role TTL, or by creating another Vault role against a different
+Azure service principal configured with the same permissions.
+
+## Additional Notes
+
+- **If a referenced Azure role doesn't exist, a credential will not be generated.**
+  Service principals will only be generated if _all_ role assignments are successful.
+  This is important to note if you're using custom Azure role definitions that might be deleted
+  at some point.
+
+- Azure roles are assigned only once, when the service principal is created. If the
+  Vault role changes the list of Azure roles, these changes will not be reflected in
+  any existing service principal, even after token renewal.
+
+- The time required to issue a credential is roughly proportional to the number of
+  Azure roles that must be assigned. This operation make take some time (10s of seconds
+  are common, and over a minute has been seen).
+
+- Service principal credential timeouts are not used. Vault will revoke access by
+  deleting the service principal.
+
+- The Application Name for dynamic service principals will be prefixed with `vault-`. Similarly
+  the `keyId` of any passwords added to an existing service principal will begin with
+  `ffffff`. These may be used to search for Vault-created credentials using the `az` tool
+  or Portal.
+
+## Help &amp; Support
+
+The Azure secrets engine is written as an external Vault plugin and
+thus exists outside the main Vault repository. It is automatically bundled with
+Vault releases, but the code is managed separately.
+
+Please report issues, add feature requests, and submit contributions to the
+[vault-plugin-secrets-azure repo][repo] on GitHub.
+
+## Learn
+
+Refer to the [Azure Secrets
+Engine](https://learn.hashicorp.com/vault/secrets-management/azure-creds) guide
+for a step-by-step tutorial.
+
+## API
+
+The Azure secrets engine has a full HTTP API. Please see the [Azure secrets engine API docs][api]
+for more details.
+
+[api]: /api/secret/azure/index.html
+[config]: /api/secret/azure/index.html#configure
+[repo]: https://github.com/hashicorp/vault-plugin-secrets-azure
diff --git a/website/pages/docs/secrets/cassandra/index.mdx b/website/pages/docs/secrets/cassandra/index.mdx
new file mode 100644
index 000000000000..55317225206b
--- /dev/null
+++ b/website/pages/docs/secrets/cassandra/index.mdx
@@ -0,0 +1,104 @@
+---
+layout: docs
+page_title: Cassandra - Secrets Engines
+sidebar_title: Cassandra <sup>DEPRECATED</sup>
+description: >-
+  The Cassandra secrets engine for Vault generates database credentials to
+  access Cassandra.
+---
+
+# Cassandra Secrets Engine
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[Cassandra database plugin](/docs/secrets/databases/cassandra.html).
+
+The Cassandra secrets engine for Vault generates database credentials
+dynamically based on configured roles. This means that services that need
+to access a database no longer need to hardcode credentials: they can request
+them from Vault, and use Vault's leasing mechanism to more easily roll keys.
+
+Additionally, it introduces a new ability: with every service accessing
+the database with unique credentials, it makes auditing much easier when
+questionable data access is discovered: you can track it down to the specific
+instance of a service based on the Cassandra username.
+
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
+
+## Quick Start
+
+The first step to using the Cassandra secrets engine is to mount it. Unlike the
+`kv` secrets engine, the `cassandra` secrets engine is not mounted by default.
+
+```text
+$ vault secrets enable cassandra
+Success! Enabled the cassandra secrets engine at: cassandra/
+```
+
+Next, Vault must be configured to connect to Cassandra. This is done by
+writing one or more hosts, a username, and a password:
+
+```text
+$ vault write cassandra/config/connection \
+    hosts=localhost \
+    username=cassandra \
+    password=cassandra
+```
+
+In this case, we've configured Vault with the user "cassandra" and password "cassandra",
+It is important that the Vault user is a superuser, in order to manage other user accounts.
+
+The next step is to configure a role. A role is a logical name that maps
+to a policy used to generated those credentials. For example, lets create
+a "readonly" role:
+
+```text
+$ vault write cassandra/roles/readonly \
+    creation_cql="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \
+    GRANT SELECT ON ALL KEYSPACES TO {{username}};"
+Success! Data written to: cassandra/roles/readonly
+```
+
+By writing to the `roles/readonly` path we are defining the `readonly` role.
+This role will be created by evaluating the given `creation_cql` statements. By
+default, the `{{username}}` and `{{password}}` fields will be populated by
+Vault with dynamically generated values. This CQL statement is creating
+the named user, and then granting it `SELECT` or read-only privileges
+to keyspaces. More complex `GRANT` queries can be used to
+customize the privileges of the role. See the [CQL Reference Manual](https://docs.datastax.com/en/cql/3.1/cql/cql_reference/grant_r.html)
+for more information.
+
+To generate a new set of credentials, we simply read from that role:
+Vault is now configured to create and manage credentials for Cassandra!
+
+```text
+$ vault read cassandra/creds/readonly
+Key                Value
+---                -----
+lease_id           cassandra/creds/test/7a23e890-3a26-531d-529b-92d18d1fa63f
+lease_duration     3600
+lease_renewable    true
+password           dfa80eea-ccbe-b228-ebf7-e2f62b245e71
+username           vault-root-1434647667-9313
+```
+
+By reading from the `creds/readonly` path, Vault has generated a new
+set of credentials using the `readonly` role configuration. Here we
+see the dynamically generated username and password, along with a one
+hour lease.
+
+Using ACLs, it is possible to restrict using the `cassandra` secrets engine such
+that trusted operators can manage the role definitions, and both
+users and applications are restricted in the credentials they are
+allowed to read.
+
+If you get stuck at any time, simply run `vault path-help cassandra` or with a
+subpath for interactive help output.
+
+## API
+
+The Cassandra secrets engine has a full HTTP API. Please see the
+[Cassandra secrets engine API](/api/secret/cassandra/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/consul/index.mdx b/website/pages/docs/secrets/consul/index.mdx
new file mode 100644
index 000000000000..203a9e4abc2a
--- /dev/null
+++ b/website/pages/docs/secrets/consul/index.mdx
@@ -0,0 +1,127 @@
+---
+layout: docs
+page_title: Consul - Secrets Engines
+sidebar_title: Consul
+description: The Consul secrets engine for Vault generates tokens for Consul dynamically.
+---
+
+# Consul Secrets Engine
+
+The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
+dynamically based on Consul ACL policies.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the Consul secrets engine:
+
+    ```text
+    $ vault secrets enable consul
+    Success! Enabled the consul secrets engine at: consul/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+2.  In Consul versions below 1.4, acquire a [management token][consul-mgmt-token] from Consul, using the
+    `acl_master_token` from your Consul configuration file or another management
+    token:
+
+    ```sh
+    $ curl \
+        --header "X-Consul-Token: my-management-token" \
+        --request PUT \
+        --data '{"Name": "sample", "Type": "management"}' \
+        https://consul.rocks/v1/acl/create
+    ```
+
+    Vault must have a management type token so that it can create and revoke ACL
+    tokens. The response will return a new token:
+
+    ```json
+    {
+      "ID": "7652ba4c-0f6e-8e75-5724-5e083d72cfe4"
+    }
+    ```
+
+    For Consul 1.4 and above, use the command line to generate a token with the appropriate policy:
+
+    ```sh
+    $ CONSUL_HTTP_TOKEN=d54fe46a-1f57-a589-3583-6b78e334b03b consul acl token create -policy-name=global-management
+    AccessorID:   865dc5e9-e585-3180-7b49-4ddc0fc45135
+    SecretID:     ef35f0f1-885b-0cab-573c-7c91b65a7a7e
+    Description:
+    Local:        false
+    Create Time:  2018-10-22 17:40:24.128188 -0700 PDT
+    Policies:
+        00000000-0000-0000-0000-000000000001 - global-management
+    ```
+
+3.  Configure Vault to connect and authenticate to Consul:
+
+    ```text
+    $ vault write consul/config/access \
+        address=127.0.0.1:8500 \
+        token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4
+    Success! Data written to: consul/config/access
+    ```
+
+4.  Configure a role that maps a name in Vault to a Consul ACL policy. Depending on your Consul version,
+    you will either provide a policy document and a token_type, or a set of policies.
+    When users generate credentials, they are generated against this role. For Consul versions below 1.4:
+
+    ```text
+    $ vault write consul/roles/my-role policy=$(base64 <<< 'key "" { policy = "read" }')
+    Success! Data written to: consul/roles/my-role
+    ```
+
+    The policy must be base64-encoded. The policy language is [documented by Consul](https://www.consul.io/docs/internals/acl.html).
+
+    For Consul versions 1.4 and above, [generate a policy in Consul](https://www.consul.io/docs/guides/acl.html), and proceed to link it to the role:
+
+    ```text
+    $ vault write consul/roles/my-role policies=readonly
+    Success! Data written to: consul/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+```text
+$ vault read consul/creds/my-role
+Key                Value
+---                -----
+lease_id           consul/creds/my-role/b2469121-f55f-53c5-89af-a3ba52b1d6d8
+lease_duration     768h
+lease_renewable    true
+token              642783bf-1540-526f-d4de-fe1ac1aed6f0
+```
+
+When using Consul 1.4, the response will include the accessor for the token
+
+```text
+$ vault read consul/creds/my-role
+Key                Value
+---                -----
+lease_id           consul/creds/my-role/7miMPnYaBCaVWDS9clNE0Nv3
+lease_duration     768h
+lease_renewable    true
+accessor           6d5a0348-dffe-e87b-4266-2bec03800abb
+token              bc7a42c0-9c59-23b4-8a09-7173c474dc42
+```
+
+## API
+
+The Consul secrets engine has a full HTTP API. Please see the
+[Consul secrets engine API](/api/secret/consul/index.html) for more
+details.
+
+[consul-mgmt-token]: https://www.consul.io/docs/agent/http/acl.html#acl_create
diff --git a/website/pages/docs/secrets/cubbyhole/index.mdx b/website/pages/docs/secrets/cubbyhole/index.mdx
new file mode 100644
index 000000000000..1d522e60ddbc
--- /dev/null
+++ b/website/pages/docs/secrets/cubbyhole/index.mdx
@@ -0,0 +1,64 @@
+---
+layout: docs
+page_title: Cubbyhole - Secrets Engines
+sidebar_title: Cubbyhole
+description: >-
+  The cubbyhole secrets engine can store arbitrary secrets scoped to a single
+  token.
+---
+
+# Cubbyhole Secrets Engine
+
+The `cubbyhole` secrets engine is used to store arbitrary secrets within the
+configured physical storage for Vault namespaced to a token. In `cubbyhole`,
+paths are scoped per token. No token can access another token's cubbyhole. When
+the token expires, its cubbyhole is destroyed.
+
+Also unlike the `kv` secrets engine, because the cubbyhole's lifetime is
+linked to that of an authentication token, there is no concept of a TTL or
+refresh interval for values contained in the token's cubbyhole.
+
+Writing to a key in the `cubbyhole` secrets engine will completely replace the
+old value.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+The `cubbyhole` secrets engine is enabled by default. It cannot be disabled,
+moved, or enabled multiple times.
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials. The `cubbyhole` secrets
+engine allows for writing keys with arbitrary values.
+
+1. Write arbitrary data:
+
+   ```text
+   $ vault write cubbyhole/my-secret my-value=s3cr3t
+   Success! Data written to: cubbyhole/my-secret
+   ```
+
+1. Read arbitrary data:
+
+   ```text
+   $ vault read cubbyhole/my-secret
+   Key         Value
+   ---         -----
+   my-value    s3cr3t
+   ```
+
+## Learn
+
+Refer to the [Cubbyhole Response Wrapping](https://learn.hashicorp.com/vault/secrets-management/sm-cubbyhole)
+guide for a step-by-step tutorial.
+
+## API
+
+The Cubbyhole secrets engine has a full HTTP API. Please see the
+[Cubbyhole secrets engine API](/api/secret/cubbyhole/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/databases/cassandra.mdx b/website/pages/docs/secrets/databases/cassandra.mdx
new file mode 100644
index 000000000000..d507fa3303ba
--- /dev/null
+++ b/website/pages/docs/secrets/databases/cassandra.mdx
@@ -0,0 +1,82 @@
+---
+layout: docs
+page_title: Cassandra - Database - Secrets Engines
+sidebar_title: Cassandra
+description: |-
+  Cassandra is one of the supported plugins for the database secrets engine.
+  This plugin generates database credentials dynamically based on configured
+  roles for the Cassandra database.
+---
+
+# Cassandra Database Secrets Engine
+
+Cassandra is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the Cassandra database.
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-cassandra-database \
+        plugin_name="cassandra-database-plugin" \
+        hosts=127.0.0.1 \
+        protocol_version=4 \
+        username=cassandra \
+        password=cassandra \
+        allowed_roles=my-role
+    ```
+
+1.  Configure a role that maps a name in Vault to an SQL statement to execute to
+    create the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-cassandra-database \
+        creation_statements="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \
+              GRANT SELECT ON ALL KEYSPACES TO {{username}};" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## API
+
+The full list of configurable options can be seen in the [Cassandra database
+plugin API](/api/secret/databases/cassandra.html) page.
+
+For more information on the database secrets engine's HTTP API please see the [Database secret
+secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/databases/custom.mdx b/website/pages/docs/secrets/databases/custom.mdx
new file mode 100644
index 000000000000..5f57abab810a
--- /dev/null
+++ b/website/pages/docs/secrets/databases/custom.mdx
@@ -0,0 +1,117 @@
+---
+layout: docs
+page_title: Custom - Database - Secrets Engines
+sidebar_title: Custom
+description: |-
+  The database secrets engine allows new functionality to be added through a
+  plugin interface without needing to modify vault's core code. This allows you
+  write your own code to generate credentials in any database you wish. It also
+  allows databases that require dynamically linked libraries to be used as
+  plugins while keeping Vault itself statically linked.
+---
+
+# Custom Database Secrets Engines
+
+The database secrets engine allows new functionality to be added through a
+plugin interface without needing to modify vault's core code. This allows you
+write your own code to generate credentials in any database you wish. It also
+allows databases that require dynamically linked libraries to be used as plugins
+while keeping Vault itself statically linked.
+
+~> **Advanced topic!** Plugin development is a highly advanced topic in Vault,
+and is not required knowledge for day-to-day usage. If you don't plan on writing
+any plugins, we recommend not reading this section of the documentation.
+
+Please read the [Plugins internals](/docs/internals/plugins.html) docs for more
+information about the plugin system before getting started building your
+Database plugin.
+
+## Plugin Interface
+
+All plugins for the database secrets engine must implement the same simple interface.
+
+```go
+type Database interface {
+	Type() (string, error)
+	CreateUser(ctx context.Context, statements Statements, usernameConfig UsernameConfig, expiration time.Time) (username string, password string, err error)
+	RenewUser(ctx context.Context, statements Statements, username string, expiration time.Time) error
+	RevokeUser(ctx context.Context, statements Statements, username string) error
+	RotateRootCredentials(ctx context.Context, statements []string) (config map[string]interface{}, err error)
+	Init(ctx context.Context, config map[string]interface{}, verifyConnection bool) (saveConfig map[string]interface{}, err error)
+	Close() error
+}
+```
+
+You'll notice the first parameter to a number of those functions is a
+`Statements` struct. This struct is used to pass the Role's configured
+statements to the plugin on function call. The struct is defined as:
+
+```go
+type Statements struct {
+	Creation   []string
+	Revocation []string
+	Rollback   []string
+	Renewal    []string
+}
+```
+
+It is up to your plugin to replace the `{{name}}`, `{{password}}`, and
+`{{expiration}}` in these statements with the proper values.
+
+The `Initialize` function is passed a map of keys to values, this data is what the
+user specified as the configuration for the plugin. Your plugin should use this
+data to make connections to the database. It is also passed a boolean value
+specifying whether or not your plugin should return an error if it is unable to
+connect to the database.
+
+## Serving your plugin
+
+Once your plugin is built you should pass it to vault's `plugins` package by
+calling the `Serve` method:
+
+```go
+package main
+
+import (
+    "github.com/hashicorp/vault/api/plugins"
+)
+
+func main() {
+    plugins.Serve(new(MyPlugin), nil)
+}
+```
+
+Replacing `MyPlugin` with the actual implementation of your plugin.
+
+The second parameter to `Serve` takes in an optional vault `api.TLSConfig` for
+configuring the plugin to communicate with vault for the initial unwrap call.
+This is useful if your vault setup requires client certificate checks. This
+config wont be used once the plugin unwraps its own TLS cert and key.
+
+## Running your plugin
+
+The above main package, once built, will supply you with a binary of your
+plugin. We also recommend if you are planning on distributing your plugin to
+build with [gox](https://github.com/mitchellh/gox) for cross platform builds.
+
+To use your plugin with the database secrets engine you need to place the binary in the
+plugin directory as specified in the [plugin internals](/docs/internals/plugins.html) docs.
+
+You should now be able to register your plugin into the vault catalog. To do
+this your token will need sudo permissions.
+
+```text
+$ vault write sys/plugins/catalog/database/myplugin-database-plugin \
+    sha256="..." \
+    command="myplugin"
+Success! Data written to: sys/plugins/catalog/database/myplugin-database-plugin
+```
+
+Now you should be able to configure your plugin like any other:
+
+```text
+$ vault write database/config/myplugin \
+    plugin_name=myplugin-database-plugin \
+    allowed_roles="readonly" \
+    myplugins_connection_details="..."
+```
diff --git a/website/pages/docs/secrets/databases/elasticdb.mdx b/website/pages/docs/secrets/databases/elasticdb.mdx
new file mode 100644
index 000000000000..91936afda767
--- /dev/null
+++ b/website/pages/docs/secrets/databases/elasticdb.mdx
@@ -0,0 +1,177 @@
+---
+layout: docs
+page_title: Elasticsearch - Database - Secrets Engines
+sidebar_title: Elasticsearch
+description: >-
+  Elasticsearch is one of the supported plugins for the database secrets engine.
+  This
+
+  plugin generates database credentials dynamically based on configured roles
+
+  for Elasticsearch.
+---
+
+# Elasticsearch Database Secrets Engine
+
+Elasticsearch is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+Elasticsearch.
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Getting Started
+
+To take advantage of this plugin, you must first enable Elasticsearch's native realm of security by activating X-Pack. These
+instructions will walk you through doing this using Elasticsearch 7.1.1.
+
+### Enable X-Pack Security in Elasticsearch
+
+Read [Securing the Elastic Stack](https://www.elastic.co/guide/en/elastic-stack-overview/7.1/elasticsearch-security.html) and
+follow [its instructions for enabling X-Pack Security](https://www.elastic.co/guide/en/elasticsearch/reference/7.1/setup-xpack.html).
+
+### Enable Encrypted Communications
+
+This plugin communicates with Elasticsearch's security API. ES requires TLS for these communications so they can be
+encrypted.
+
+To set up TLS in Elasticsearch, first read [encrypted communications](https://www.elastic.co/guide/en/elastic-stack-overview/7.1/encrypting-communications.html)
+and go through its instructions on [encrypting HTTP client communications](https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-tls.html#tls-http).
+
+After enabling TLS on the Elasticsearch side, you'll need to convert the .p12 certificates you generated to other formats so they can be
+used by Vault. [Here is an example using OpenSSL](https://stackoverflow.com/questions/15144046/converting-pkcs12-certificate-into-pem-using-openssl)
+to convert our .p12 certs to the pem format.
+
+Also, on the instance running Elasticsearch, we needed to install our newly generated CA certificate that was originally in the .p12 format.
+We did this by converting the .p12 CA cert to a pem, and then further converting that
+[pem to a crt](https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key), adding that crt to `/usr/share/ca-certificates/extra`,
+and using `sudo dpkg-reconfigure ca-certificates`.
+
+The above instructions may vary if you are not using an Ubuntu machine. Please ensure you're using the methods specific to your operating
+environment. Describing every operating environment is outside the scope of these instructions.
+
+### Set Up Passwords
+
+When done, verify that you've enabled X-Pack by running `$ $ES_HOME/bin/elasticsearch-setup-passwords interactive`. You'll
+know it's been set up successfully if it takes you through a number of password-inputting steps.
+
+### Create a Role for Vault
+
+Next, in Elasticsearch, we recommend that you create a user just for Vault to use in managing secrets.
+
+To do this, first create a role that will allow Vault the minimum privileges needed to administer users and passwords by performing a
+POST to Elasticsearch. To do this, we used the `elastic` superuser whose password we created in the
+`$ $ES_HOME/bin/elasticsearch-setup-passwords interactive` step.
+
+```
+$ curl \
+    -X POST \
+    -H "Content-Type: application/json" \
+    -d '{"cluster": ["manage_security"]}' \
+    http://elastic:$PASSWORD@localhost:9200/_xpack/security/role/vault
+```
+
+Next, create a user for Vault associated with that role.
+
+```
+$ curl \
+    -X POST \
+    -H "Content-Type: application/json" \
+    -d @data.json \
+    http://elastic:$PASSWORD@localhost:9200/_xpack/security/user/vault
+```
+
+The contents of `data.json` in this example are:
+
+```
+{
+ "password" : "myPa55word",
+ "roles" : [ "vault" ],
+ "full_name" : "Hashicorp Vault",
+ "metadata" : {
+   "plugin_name": "Vault Plugin Database Elasticsearch",
+   "plugin_url": "https://github.com/hashicorp/vault-plugin-database-elasticsearch"
+ }
+}
+```
+
+Now, Elasticsearch is configured and ready to be used with Vault.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-elasticsearch-database \
+        plugin_name="elasticsearch-database-plugin" \
+        allowed_roles="internally-defined-role,externally-defined-role" \
+        username=vault \
+        password=myPa55word \
+        url=http://localhost:9200 \
+        ca_cert=/usr/share/ca-certificates/extra/elastic-stack-ca.crt.pem \
+        client_cert=$ES_HOME/config/certs/elastic-certificates.crt.pem \
+        client_key=$ES_HOME/config/certs/elastic-certificates.key.pem
+    ```
+
+1.  Configure a role that maps a name in Vault to a role definition in Elasticsearch.
+    This is considered the most secure type of role because nobody can perform
+    a privilege escalation by editing a role's privileges out-of-band in
+    Elasticsearch:
+
+    ```text
+    $ vault write database/roles/internally-defined-role \
+          db_name=my-elasticsearch-database \
+          creation_statements='{"elasticsearch_role_definition": {"indices": [{"names":["*"], "privileges":["read"]}]}}' \
+          default_ttl="1h" \
+          max_ttl="24h"
+    Success! Data written to: database/roles/internally-defined-role
+    ```
+
+1.  Alternatively, configure a role that maps a name in Vault to a pre-existing
+    role definition in Elasticsearch:
+
+    ```text
+    $ vault write database/roles/externally-defined-role \
+          db_name=my-elasticsearch-database \
+          creation_statements='{"elasticsearch_roles": ["pre-existing-role-in-elasticsearch"]}' \
+          default_ttl="1h" \
+          max_ttl="24h"
+    Success! Data written to: database/roles/externally-defined-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## API
+
+The full list of configurable options can be seen in the [Elasticsearch database
+plugin API](/api/secret/databases/elasticdb.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/databases/hanadb.mdx b/website/pages/docs/secrets/databases/hanadb.mdx
new file mode 100644
index 000000000000..b91fa1cd309b
--- /dev/null
+++ b/website/pages/docs/secrets/databases/hanadb.mdx
@@ -0,0 +1,81 @@
+---
+layout: docs
+page_title: HANA - Database - Secrets Engines
+sidebar_title: HanaDB
+description: |-
+  HANA is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the HANA database.
+---
+
+# HANA Database Secrets Engine
+
+HANA is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the HANA database.
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-hana-database \
+        plugin_name=hana-database-plugin \
+        connection_url="hdb://{{username}}:{{password}}@localhost:1433" \
+        allowed_roles="my-role" \
+        username="username" \
+        password="password"
+    ```
+
+1.  Configure a role that maps a name in Vault to an SQL statement to execute to
+    create the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-hana-database \
+        creation_statements="CREATE USER {{name}} PASSWORD {{password}} VALID UNTIL '{{expiration}}';\
+            CALL GRANT_ACTIVATED_ROLE ( 'sap.hana.admin.roles::Monitoring', '{{name}}' );" \
+        default_ttl="12h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## API
+
+The full list of configurable options can be seen in the [HANA database
+plugin API](/api/secret/databases/hanadb.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/databases/index.mdx b/website/pages/docs/secrets/databases/index.mdx
new file mode 100644
index 000000000000..8cf8f455d9bc
--- /dev/null
+++ b/website/pages/docs/secrets/databases/index.mdx
@@ -0,0 +1,132 @@
+---
+layout: docs
+page_title: Database - Secrets Engines
+sidebar_title: Databases
+description: |-
+  The database secrets engine generates database credentials dynamically based
+  on configured roles. It works with a number of different databases through a
+  plugin interface. There are a number of builtin database types and an exposed
+  framework for running custom database types for extendability.
+---
+
+# Databases
+
+The database secrets engine generates database credentials dynamically based on
+configured roles. It works with a number of different databases through a plugin
+interface. There are a number of builtin database types and an exposed framework
+for running custom database types for extendability. This means that services
+that need to access a database no longer need to hardcode credentials: they can
+request them from Vault, and use Vault's leasing mechanism to more easily roll
+keys.
+
+Since every service is accessing the database with unique credentials, it makes
+auditing much easier when questionable data access is discovered. You can track
+it down to the specific instance of a service based on the SQL username.
+
+Vault makes use of its own internal revocation system to ensure that users
+become invalid within a reasonable time of the lease expiring.
+
+### Static Roles
+
+The database secrets engine supports the concept of "static roles", which are
+a 1-to-1 mapping of Vault Roles to usernames in a database. The current password
+for the database user is stored and automatically rotated by Vault on a
+configurable period of time. This is in contrast to dynamic secrets, where a
+unique username and password pair are generated with each credential request.
+When credentials are requested for the Role, Vault returns the current
+password for the configured database user, allowing anyone with the proper
+Vault policies to have access to the user account in the database.
+
+Not all database types support static roles at this time. Please consult the
+specific database documentation on the left navigation to see if a given
+database backend supports static roles.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the database secrets engine:
+
+   ```text
+   $ vault secrets enable database
+   Success! Enabled the database secrets engine at: database/
+   ```
+
+   By default, the secrets engine will enable at the name of the engine. To
+   enable the secrets engine at a different path, use the `-path` argument.
+
+1. Configure Vault with the proper plugin and connection information:
+
+   ```text
+   $ vault write database/config/my-database \
+       plugin_name="..." \
+       connection_url="..." \
+       allowed_roles="..." \
+       username="..." \
+       password="..."
+   ```
+
+   This secrets engine can configure multiple database connections. For details
+   on the specific configuration options, please see the database-specific
+   documentation.
+
+1. Configure a role that maps a name in Vault to an SQL statement to execute to create the database credential:
+
+   ```text
+   $ vault write database/roles/my-role \
+       db_name=my-database \
+       creation_statements="..." \
+       default_ttl="1h" \
+       max_ttl="24h"
+   Success! Data written to: database/roles/my-role
+   ```
+
+   The `{{name}}` and `{{password}}` fields will be populated by the plugin
+   with dynamically generated values. In some plugins the `{{expiration}}`
+   field is also be supported.
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## Custom Plugins
+
+This secrets engine allows custom database types to be run through the exposed
+plugin interface. Please see the [custom database
+plugin](/docs/secrets/databases/custom.html) for more information.
+
+## Password Generation
+
+Password generation for both static and dynamic database credentials occurs via the ''GetPassword()'' function. For static credentials, the ''SetCredentials()''function is also used on the output of ''GetPassword().''
+
+Please see the [DB plugin credentials source code](https://github.com/hashicorp/vault/blob/master/sdk/database/dbplugin/database.pb.go) for more information.
+
+## Learn
+
+Refer to the following step-by-step tutorials for more information:
+
+- [Secrets as a Service: Dynamic Secrets](https://learn.hashicorp.com/vault/secrets-management/sm-dynamic-secrets)
+- [Database Root Credential Rotation](https://learn.hashicorp.com/vault/secrets-management/db-root-rotation)
+- [Database Static Roles and Credential Rotation](https://learn.hashicorp.com/vault/secrets-management/db-creds-rotation)
+
+## API
+
+The database secrets engine has a full HTTP API. Please see the [Database secret
+secrets engine API](/api/secret/databases/index.html) for more details.
diff --git a/website/pages/docs/secrets/databases/influxdb.mdx b/website/pages/docs/secrets/databases/influxdb.mdx
new file mode 100644
index 000000000000..e438ace04799
--- /dev/null
+++ b/website/pages/docs/secrets/databases/influxdb.mdx
@@ -0,0 +1,81 @@
+---
+layout: docs
+page_title: Influxdb - Database - Secrets Engines
+sidebar_title: Influxdb
+description: |-
+  Influxdb is one of the supported plugins for the database secrets engine.
+  This plugin generates database credentials dynamically based on configured
+  roles for the Influxdb database.
+---
+
+# Influxdb Database Secrets Engine
+
+Influxdb is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the Influxdb database.
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-influxdb-database \
+        plugin_name="influxdb-database-plugin" \
+        host=127.0.0.1 \
+        username=influx-root \
+        password=influx-toor \
+        allowed_roles=my-role
+    ```
+
+1.  Configure a role that maps a name in Vault to an SQL statement to execute to
+    create the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-influxdb-database \
+        creation_statements="CREATE USER \"{{username}}\" WITH PASSWORD '{{password}}'; \
+              GRANT ALL ON \"vault\" TO \"{{username}}\";" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## API
+
+The full list of configurable options can be seen in the [Influxdb database
+plugin API](/api/secret/databases/influxdb.html) page.
+
+For more information on the database secrets engine's HTTP API please see the [Database secret
+secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/databases/mongodb.mdx b/website/pages/docs/secrets/databases/mongodb.mdx
new file mode 100644
index 000000000000..68fddbb3d62a
--- /dev/null
+++ b/website/pages/docs/secrets/databases/mongodb.mdx
@@ -0,0 +1,80 @@
+---
+layout: docs
+page_title: MongoDB - Database - Secrets Engines
+sidebar_title: MongoDB
+description: |-
+  MongoDB is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the MongoDB database.
+---
+
+# MongoDB Database Secrets Engine
+
+MongoDB is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the MongoDB database.
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-mongodb-database \
+        plugin_name=mongodb-database-plugin \
+        allowed_roles="my-role" \
+        connection_url="mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true" \
+        username="admin" \
+        password="Password!"
+    ```
+
+1.  Configure a role that maps a name in Vault to a MongoDB command that executes and
+    creates the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-mongodb-database \
+        creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## API
+
+The full list of configurable options can be seen in the [MongoDB database
+plugin API](/api/secret/databases/mongodb.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/databases/mssql.mdx b/website/pages/docs/secrets/databases/mssql.mdx
new file mode 100644
index 000000000000..44bbf41ab3c2
--- /dev/null
+++ b/website/pages/docs/secrets/databases/mssql.mdx
@@ -0,0 +1,160 @@
+---
+layout: docs
+page_title: MSSQL - Database - Secrets Engines
+sidebar_title: MSSQL
+description: |-
+
+  MSSQL is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the MSSQL database.
+---
+
+# MSSQL Database Secrets Engine
+
+MSSQL is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the MSSQL database.
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-mssql-database \
+        plugin_name=mssql-database-plugin \
+        connection_url='sqlserver://{{username}}:{{password}}@localhost:1433' \
+        allowed_roles="my-role" \
+        username="sa" \
+        password="yourStrong(!)Password"
+    ```
+
+    In this case, we've configured Vault with the user "sa" and password
+    "yourStrong(!)Password", connecting to an instance at "localhost" on port 1433. It is
+    not necessary that Vault has the sa login, but the user must have privileges
+    to create logins and manage processes. The fixed server roles
+    `securityadmin` and `processadmin` are examples of built-in roles that grant
+    these permissions. The user also must have privileges to create database
+    users and grant permissions in the databases that Vault manages. The fixed
+    database roles `db_accessadmin` and `db_securityadmin` are examples or
+    built-in roles that grant these permissions.
+
+1.  Configure a role that maps a name in Vault to an SQL statement to execute to
+    create the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-mssql-database \
+        creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\
+            CREATE USER [{{name}}] FOR LOGIN [{{name}}];\
+            GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## Example for Azure SQL Database
+
+Here is a complete example using Azure SQL Database. Note that databases in Azure SQL Database are [contained databases](https://docs.microsoft.com/en-us/sql/relational-databases/databases/contained-databases) and that we do not create a login for the user; instead, we associate the password directly with the user itself. Also note that you will need a separate connection and role for each Azure SQL database for which you want to generate dynamic credentials. You can use a single database backend mount for all these databases or use a separate mount for of them. In this example, we use a custom path for the database backend.
+
+First, we mount a database backend at the azuresql path with `vault secrets enable -path=azuresql database`. Then we configure a connection called "testvault" to connect to a database called "test-vault", using "azuresql" at the beginning of our path:
+
+```shell
+$ vault write azuresql/config/testvault \
+    plugin_name=mssql-database-plugin \
+    connection_url='server=hashisqlserver.database.windows.net;port=1433; \
+    user id=admin;password=pAssw0rd;database=test-vault;app name=vault;' \
+    allowed_roles="test"
+```
+
+Now we add a role called "test" for use with the "testvault" connection:
+
+```shell
+$ vault write azuresql/roles/test \
+    db_name=testvault \
+    creation_statements="CREATE USER [{{name}}] WITH PASSWORD = '{{password}}';" \
+    revocation_statements="DROP USER IF EXISTS [{{name}}]" \
+    default_ttl="1h" \
+    max_ttl="24h"
+```
+
+We can now use this role to dynamically generate credentials for the Azure SQL database, test-vault:
+
+```
+$ vault read azuresql/creds/test
+Key            	Value
+---            	-----
+lease_id       	azuresql/creds/test/2e5b1e0b-a081-c7e1-5622-39f58e79a719
+lease_duration 	1h0m0s
+lease_renewable	true
+password       	A1a-48w04t1xzw1s33z3
+username       	v-token-test-tr2t4x9pxvq1z8878s9s-1513446795
+```
+
+When we no longer need the backend, we can unmount it with `vault unmount azuresql`. Now, you can use the MSSQL Database Plugin with your Azure SQL databases.
+
+## Amazon RDS
+
+The MSSQL plugin supports databases running on [Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html),
+but there are differences that need to be accomodated. A key limitation is that Amazon RDS doesn't support
+the "sysadmin" role, which is used by default during Vault's revocation process for MSSQL. The workaround
+is to add custom revocation statements to roles, for example:
+
+```shell
+vault write database/roles/my-role revocation_statements="\
+   USE my_database; \
+   IF EXISTS \
+     (SELECT name \
+      FROM sys.database_principals \
+      WHERE name = N'{{name}}') \
+   BEGIN \
+     DROP USER [{{name}}] \
+   END \
+
+   IF EXISTS \
+     (SELECT name \
+      FROM master.sys.server_principals \
+      WHERE name = N'{{name}}') \
+   BEGIN \
+     DROP LOGIN [{{name}}] \
+   END"
+```
+
+## API
+
+The full list of configurable options can be seen in the [MSSQL database
+plugin API](/api/secret/databases/mssql.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/databases/mysql-maria.mdx b/website/pages/docs/secrets/databases/mysql-maria.mdx
new file mode 100644
index 000000000000..2e4b60865343
--- /dev/null
+++ b/website/pages/docs/secrets/databases/mysql-maria.mdx
@@ -0,0 +1,140 @@
+---
+layout: docs
+page_title: MySQL/MariaDB - Database - Secrets Engines
+sidebar_title: MySQL/MariaDB
+description: |-
+  MySQL is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the MySQL database.
+---
+
+# MySQL/MariaDB Database Secrets Engine
+
+MySQL is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the MySQL database, and also supports [Static
+Roles](/docs/secrets/databases/index.html#static-roles).
+
+This plugin has a few different instances built into vault, each instance is for
+a slightly different MySQL driver. The only difference between these plugins is
+the length of usernames generated by the plugin as different versions of mysql
+accept different lengths. The available plugins are:
+
+- mysql-database-plugin
+- mysql-aurora-database-plugin
+- mysql-rds-database-plugin
+- mysql-legacy-database-plugin
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-mysql-database \
+        plugin_name=mysql-database-plugin \
+        connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
+        allowed_roles="my-role" \
+        username="root" \
+        password="mysql"
+    ```
+
+1.  Configure a role that maps a name in Vault to an SQL statement to execute to
+    create the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-mysql-database \
+        creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## Examples
+
+### Using wildcards in grant statements
+
+MySQL supports using wildcards in grant statements. These are sometimes needed
+by applications which expect access to a large number of databases inside MySQL.
+This can be realized by using a wildcard in the grant statement. For example if
+you want the user created by Vault to have access to all databases starting with
+`fooapp_` you could use the following creation statement:
+
+```text
+CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON `fooapp\_%`.* TO '{{name}}'@'%';
+```
+
+MySQL expects the part in which the wildcards are to be placed inside backticks.
+If you want to add this creation statement to Vault via the Vault CLI you cannot
+simply paste the above statement on the CLI because the shell will interpret the
+text between the backticks as something that must be executed. The easiest way to
+get around this is to encode the creation statement as Base64 and feed this to Vault.
+For example:
+
+```text
+$ vault write database/roles/my-role \
+    db_name=mysql \
+    creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OIGBmb29hcHBcXyVgLiogVE8gJ3t7bmFtZX19J0AnJSc7" \
+    default_ttl="1h" \
+    max_ttl="24h"
+```
+
+### Rotating root credentials in MySQL 5.6
+
+The default root rotation setup for MySQL uses the `ALTER USER` syntax present
+in MySQL 5.7 and up. For MySQL 5.6, the [root rotation
+statements](/api/secret/databases/index.html#root_rotation_statements)
+must be configured to use the old `SET PASSWORD` syntax. For example:
+
+```text
+$ vault write database/config/my-mysql-database \
+    plugin_name=mysql-database-plugin \
+    connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
+    root_rotation_statements="SET PASSWORD = PASSWORD('{{password}}')" \
+    allowed_roles="my-role" \
+    username="root" \
+    password="mysql"
+```
+
+For a guide in root credential rotation, see [Database Root Credential
+Rotation](/guides/secret-mgmt/db-root-rotation.html).
+
+## API
+
+The full list of configurable options can be seen in the [MySQL database plugin
+API](/api/secret/databases/mysql-maria.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/databases/oracle.mdx b/website/pages/docs/secrets/databases/oracle.mdx
new file mode 100644
index 000000000000..edc08b218c3c
--- /dev/null
+++ b/website/pages/docs/secrets/databases/oracle.mdx
@@ -0,0 +1,102 @@
+---
+layout: docs
+page_title: Oracle - Database - Secrets Engines
+sidebar_title: Oracle
+description: |-
+  Oracle is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the Oracle database.
+---
+
+# Oracle Database Secrets Engine
+
+Oracle is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the Oracle database.
+
+The Oracle database plugin is not bundled in the core Vault code tree and can be
+found at its own git repository here:
+[hashicorp/vault-plugin-database-oracle](https://github.com/hashicorp/vault-plugin-database-oracle)
+
+See the [Database Backend](/docs/secrets/databases/index.html) docs for more
+information about setting up the Database Backend.
+
+## Setup
+
+The Oracle Database Plugin does not live in the core Vault code tree and can be found
+at its own git repository here: [hashicorp/vault-plugin-database-oracle](https://github.com/hashicorp/vault-plugin-database-oracle)
+
+For linux/amd64, pre-built binaries can be found at [the releases page](https://releases.hashicorp.com/vault-plugin-database-oracle)
+
+Before running the plugin you will need to have the the Oracle Instant Client
+library installed. These can be downloaded from Oracle. The libraries will need to
+be placed in the default library search path or defined in the ld.so.conf configuration files.
+
+If you are running Vault with [mlock enabled](/docs/configuration/index.html#disable_mlock),
+you will need to enable ipc_lock capabilities for the plugin binary.
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Download and register the plugin:
+
+    ```text
+    $ vault write sys/plugins/catalog/database/oracle-database-plugin \
+        sha256="..." \
+        command=vault-plugin-database-oracle
+    ```
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-oracle-database \
+        plugin_name=oracle-database-plugin \
+        connection_url="system/Oracle@localhost:1521/OraDoc.localhost" \
+        allowed_roles="my-role"
+    ```
+
+1.  Configure a role that maps a name in Vault to an SQL statement to execute to
+    create the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-oracle-database \
+        creation_statements="CREATE USER {{name}} IDENTIFIED BY {{password}}; GRANT CONNECT TO {{name}}; GRANT CREATE SESSION TO {{name}};" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## API
+
+The full list of configurable options can be seen in the [Oracle database plugin
+API](/api/secret/databases/oracle.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/databases/postgresql.mdx b/website/pages/docs/secrets/databases/postgresql.mdx
new file mode 100644
index 000000000000..f331bb3e20b6
--- /dev/null
+++ b/website/pages/docs/secrets/databases/postgresql.mdx
@@ -0,0 +1,82 @@
+---
+layout: docs
+page_title: PostgreSQL - Database - Secrets Engines
+sidebar_title: PostgreSQL
+description: |-
+  PostgreSQL is one of the supported plugins for the database secrets engine.
+  This plugin generates database credentials dynamically based on configured
+  roles for the PostgreSQL database.
+---
+
+# PostgreSQL Database Secrets Engine
+
+PostgreSQL is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the PostgreSQL database, and also supports [Static
+Roles](/docs/secrets/databases/index.html#static-roles).
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-postgresql-database \
+        plugin_name=postgresql-database-plugin \
+        allowed_roles="my-role" \
+        connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \
+        username="root" \
+        password="root"
+    ```
+
+1.  Configure a role that maps a name in Vault to an SQL statement to execute to
+    create the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-postgresql-database \
+        creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
+            GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## API
+
+The full list of configurable options can be seen in the [PostgreSQL database
+plugin API](/api/secret/databases/postgresql.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/pages/docs/secrets/gcp/index.mdx b/website/pages/docs/secrets/gcp/index.mdx
new file mode 100644
index 000000000000..2f6604a6c5dd
--- /dev/null
+++ b/website/pages/docs/secrets/gcp/index.mdx
@@ -0,0 +1,507 @@
+---
+layout: docs
+page_title: Google Cloud - Secrets Engines
+sidebar_title: Google Cloud
+description: |-
+  The Google Cloud secrets engine for Vault dynamically generates Google Cloud
+  service account keys and OAuth tokens based on IAM policies.
+---
+
+# Google Cloud Secrets Engine
+
+The Google Cloud Vault secrets engine dynamically generates Google Cloud service
+account keys and OAuth tokens based on IAM policies. This enables users to gain
+access to Google Cloud resources without needing to create or manage a dedicated
+service account.
+
+The benefits of using this secrets engine to manage Google Cloud IAM service accounts are:
+
+- **Automatic cleanup of GCP IAM service account keys** - each Service Account
+  key is associated with a Vault lease. When the lease expires (either during
+  normal revocation or through early revocation), the service account key is
+  automatically revoked.
+
+- **Quick, short-term access** - users do not need to create new GCP Service
+  Accounts for short-term or one-off access (such as batch jobs or quick
+  introspection).
+
+- **Multi-cloud and hybrid cloud applications** - users authenticate to Vault
+  using a central identity service (such as LDAP) and generate GCP credentials
+  without the need to create or manage a new Service Account for that user.
+
+~> **NOTE: Deprecation of `access_token` Leases**: In previous versions of this secrets engine
+(released with Vault <= 0.11.1), a lease was generated with access tokens. If you're using
+an old version of the plugin, please upgrade. Read more in the
+[upgrade guide](#deprecation-of-access-token-leases)
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the Google Cloud secrets engine:
+
+    ```text
+    $ vault secrets enable gcp
+    Success! Enabled the gcp secrets engine at: gcp/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure the secrets engine with account credentials, or leave blank or unwritten
+    to use Application Default Credentials.
+
+    ```text
+    $ vault write gcp/config credentials=@my-credentials.json
+    Success! Data written to: gcp/config
+    ```
+
+    If you are running Vault from inside [Google Compute Engine][gce] or [Google
+    Kubernetes Engine][gke], the instance or pod service account can be used in
+    place or specifying the credentials JSON file.
+    For more information on authentication, see the [authentication section](#authentication) below.
+
+1.  Configure a roleset. Rolesets determine the permissions that Service Account
+    credentials generated by Vault will have on GCP resources.
+
+    To configure a roleset that generates OAuth2 access tokens (preferred):
+
+    ```text
+    $ vault write gcp/roleset/my-token-roleset \
+        project="my-project" \
+        secret_type="access_token"  \
+        token_scopes="https://www.googleapis.com/auth/cloud-platform" \
+        bindings=-<<EOF
+          resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
+            roles = ["roles/viewer"]
+          }
+        EOF
+    ```
+
+    To configure a roleset that generates GCP Service Account keys:
+
+    ```text
+    $ vault write gcp/roleset/my-key-roleset \
+        project="my-project" \
+        secret_type="service_account_key"  \
+        bindings=-<<EOF
+          resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
+            roles = ["roles/viewer"]
+          }
+        EOF
+    ```
+
+    Alternatively, provide a file for the `bindings` argument like so:
+
+    ```text
+    $ vault write gcp/roleset/my-roleset
+        bindings=@mybindings.hcl
+        ...
+    ```
+
+    For more information on role bindings and sample role bindings, please see
+    the [roleset bindings](#roleset-bindings) section below.
+
+    For more information on the differences between OAuth2 access tokens and
+    Service Account keys, see the [things to note](#things-to-note) section
+    below.
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials. Depending on how the roleset
+was configured, you can generate OAuth2 tokens or service account keys.
+
+### Access Tokens
+
+To generate OAuth2 tokens, read from `gcp/token/...`. The roleset must have been
+created as type `access_token`:
+
+```text
+$ vault read gcp/token/my-token-roleset
+
+Key                Value
+---                -----
+expires_at_seconds    1537402548
+token                 ya29.c.ElodBmNPwHUNY5gcBpnXcE4ywG4w1k...
+token_ttl             3599
+```
+
+This endpoint generates a non-renewable, non-revocable static OAuth2 access token
+with a lifetime of one hour, where `token_ttl` is given in seconds and the
+`expires_at_seconds` is the expiry time for the token, given as a Unix timestamp.
+The `token` value then can be used as a HTTP Authorization Bearer token in requests
+to GCP APIs:
+
+```sh
+$ curl -H "Authorization: Bearer ya29.c.ElodBmNPwHUNY5gcBpnXcE4ywG4w1k..."
+```
+
+### Service Account Keys
+
+To generate service account keys, read from `gcp/key/...`. The roleset must have
+been created as type `service_account_key`:
+
+```text
+$ vault read gcp/key/my-key-roleset
+
+Key                 Value
+---                 -----
+lease_id            gcp/key/my-key-roleset/ce563a99-5e55-389b...
+lease_duration      30m
+lease_renewable     true
+key_algorithm       KEY_ALG_RSA_2048
+key_type            TYPE_GOOGLE_CREDENTIALS_FILE
+private_key_data    ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsC...
+```
+
+This endpoint generates a new [GCP IAM service account key][iam-keys] associated
+with the roleset's Service Account. When the lease expires (or is revoked
+early), the Service Account key will be deleted.
+
+**There is a default limit of 10 keys per Service Account.** For more
+information on this limit and recommended mitigation, please see the [things to
+note](#things-to-note) section below.
+
+## Roleset Bindings
+
+Roleset bindings define a list of resources and the associated IAM roles on that
+resource. Roleset bindings are used as the `binding` argument when creating or
+updating a roleset and are specified in the following format using HCL:
+
+```hcl
+resource NAME {
+  roles = [ROLE, [ROLE...]]
+}
+```
+
+For example:
+
+```hcl
+resource "buckets/my-bucket" {
+  roles = [
+    "roles/storage.objectAdmin",
+    "roles/storage.legacyBucketReader",
+  ]
+}
+
+# At instance level, using self-link
+resource "https://www.googleapis.com/compute/v1/projects/my-project/zone/my-zone/instances/my-instance" {
+  roles = [
+    "roles/compute.instanceAdmin.v1"
+  ]
+}
+
+# At project level
+resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
+  roles = [
+    "roles/compute.instanceAdmin.v1",
+    "roles/iam.serviceAccountUser",  # required if managing instances that run as service accounts
+  ]
+}
+
+# At folder level
+resource "//cloudresourcemanager.googleapis.com/folders/123456" {
+  roles = [
+    "roles/compute.viewer",
+    "roles/deploymentmanager.viewer",
+  ]
+}
+
+```
+
+The top-level `resource` block defines the resource or resource path for which
+IAM policy information will be bound. The resource path may be specified in a
+few different formats:
+
+- **Project-level self-link** - a URI with scheme and host, generally
+  corresponding to the `self_link` attribute of a resource in GCP. This must
+  include the resource nested in the parent project.
+
+  ```text
+  # compute alpha zone
+  https://www.googleapis.com/compute/alpha/projects/my-project/zones/us-central1-c
+  ```
+
+- **Full resource name** - a schema-less URI consisting of a DNS-compatible API
+  service name and resource path. See the [full resource name API
+  documentation][resource-name-full] for more information.
+
+  ```text
+  # Compute snapshot
+  //compute.googleapis.com/project/my-project/snapshots/my-compute-snapshot
+
+  # Pubsub snapshot
+  //pubsub.googleapis.com/project/my-project/snapshots/my-pubsub-snapshot
+
+  # Resource manager
+  //cloudresourcemanager.googleapis.com/projects/my-project"
+  ```
+
+- **Relative resource name** - A path-noscheme URI path, usually as accepted by
+  the API. Use this if the version or service are apparent from the resource
+  type. Please see the [relative resource name API
+  documentation][resource-name-relative] for more information.
+
+  ```text
+  # Storage bucket objects
+  buckets/my-bucket
+  buckets/my-bucket/objects/my-object
+
+  # PubSub topics
+  projects/my-project/topics/my-pubsub-topic
+  ```
+
+The nested `roles` attribute is an array of strings names of [GCP IAM
+roles][iam-roles]. The roles may be specified in the following formats:
+
+- **Global role name** - these are global roles built into Google Cloud. For the
+  full list of available roles, please see the [list of predefined GCP
+  roles][predefined-roles].
+
+  ```text
+  roles/viewer
+  roles/bigquery.user
+  roles/billing.admin
+  ```
+
+- **Organization-level custom role** - these are roles that are created at the
+  organization level by organization owners.
+
+  ```text
+  organizations/my-organization/roles/my-custom-role
+  ```
+
+  For more information, please see the documentation on [GCP custom
+  roles][custom-roles].
+
+- **Project-level custom role** - these are roles that are created at a
+  per-project level by project owners.
+
+  ```text
+  projects/my-project/roles/my-custom-role
+  ```
+
+  For more information, please see the documentation on [GCP custom
+  roles][custom-roles].
+
+## Authentication
+
+The Google Cloud Vault secrets backend uses the official Google Cloud Golang
+SDK. This means it supports the common ways of [providing credentials to Google
+Cloud][cloud-creds]. In addition to specifying `credentials` directly via Vault
+configuration, you can also get configuration from the following values **on the
+Vault server**:
+
+1. The environment variables `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
+   as the **path** to a Google Cloud credentials file, typically for a service
+   account. If this environment variable is present, the resulting credentials are
+   used. If the credentials are invalid, an error is returned.
+
+1. Default instance credentials. When no environment variable is present, the
+   default service account credentials are used. This is useful when running Vault
+   on [Google Compute Engine][gce] or [Google Kubernetes Engine][gke]
+
+For more information on service accounts, please see the [Google Cloud Service
+Accounts documentation][service-accounts].
+
+To use this storage backend, the service account must have the following
+minimum scope(s):
+
+```text
+https://www.googleapis.com/auth/cloud-platform
+```
+
+### Required Permissions
+
+The credentials given to Vault must have the following permissions:
+
+```text
+# Service Account + Key Admin
+iam.serviceAccounts.create
+iam.serviceAccounts.delete
+iam.serviceAccounts.get
+iam.serviceAccounts.list
+iam.serviceAccounts.update
+iam.serviceAccountKeys.create
+iam.serviceAccountKeys.delete
+iam.serviceAccountKeys.get
+iam.serviceAccountKeys.list
+
+# IAM Policy Changes
+<service>.<resource>.getIamPolicy
+<service>.<resource>.setIamPolicy
+```
+
+where `<service>` and `<resource>` correspond to permissions which will be
+granted, for example:
+
+```text
+# Projects
+resourcemanager.projects.getIamPolicy
+resourcemanager.projects.setIamPolicy
+
+# All compute
+compute.*.getIamPolicy
+compute.*.setIamPolicy
+```
+
+You can either:
+
+- Create a [custom role][custom-roles] using these permissions, and assign this
+  role at a project-level
+
+- Assign the set of roles required to get resource-specific
+  `getIamPolicy/setIamPolicy` permissions. At a minimum you will need to assign
+  `roles/iam.serviceAccountAdmin` and `roles/iam.serviceAccountKeyAdmin` so
+  Vault can manage service accounts and keys.
+
+## Things to Note
+
+### Access Tokens vs. Service Account Keys
+
+Advantages of `access_tokens`:
+
+- Can generate infinite number of tokens per roleset
+
+Disadvantages of `access_tokens`:
+
+- Cannot be used with some client libraries or tools
+- Have a static life-time of 1 hr that cannot be modified, revoked, or extended.
+
+Advantages of `service_account_keys`:
+
+- Controllable life-time through Vault, allowing for longer access
+- Can be used by all normal GCP tooling
+
+Disadvantages of `service_account_keys`:
+
+- Infinite lifetime in GCP (i.e. if they are not managed properly, leaked keys can live forever)
+- Limited to 10 per roleset/service account.
+
+When generating OAuth access tokens, Vault will still
+generate a dedicated service account and key. This private key is stored in Vault
+and is never accessible to other users, and the underlying key can
+be rotated. See the [GCP API documentation][api] for more information on
+rotation.
+
+### Service Accounts are Tied to Rolesets
+
+Service Accounts are created when the roleset is created (or updated) rather
+than each time a secret is generated. This may be different from how other
+secrets engines behave, but it is for good reasons:
+
+- IAM Service Account creation and permission propagation can take up to 60
+  seconds to complete. By creating the Service Account in advance, we speed up
+  the timeliness of future operations and reduce the flakiness of automated
+  workflows.
+
+- Each GCP project has a limit on the number of IAM Service Accounts. You can
+  [request additional quota][quotas]. The quota increase is processed by humans,
+  so it is best to request this additional quota in advance. This limit is
+  currently 100, **including system-managed Service Accounts**. If Service
+  Accounts were created per secret, this quota limit would reduce the number of
+  secrets that can be generated.
+
+### Service Account Keys Quota Limits
+
+GCP IAM has a hard limit (currently 10) on the number of Service Account keys.
+Attempts to generate more keys will result in an error. If you find yourself
+running into this limit, consider the following:
+
+- Have shorter TTLs or revoke access earlier. If you are not using past Service
+  Account keys, consider rotating and freeing quota earlier.
+
+- Create additional rolesets which share the same set of permissions. Additional
+  rolesets can be created with the same set of permissions. This will create a
+  new service account and increases the number of keys you can create.
+
+- Where possible, use OAuth2 access tokens instead of Service Account keys.
+
+### Resources Must Exist at Roleset Creation
+
+Because we the bindings for the Service Account are set during roleset creation,
+resources that do not exist will fail the `getIamPolicy` API call.
+
+### Roleset Creation May Partially Fail
+
+Every Service Account creation, key creation, and IAM policy change is a GCP API
+call per resource. If an API call to one of these resources fails, the roleset
+creation fails and Vault will attempt to rollback.
+
+These rollbacks are API calls, so they may also fail. The secrets engine uses a
+WAL to ensure that unused bindings are cleaned up. In the case of quota limits,
+you may need to clean these up manually.
+
+### Do Not Modify Vault-owned IAM Accounts
+
+While Vault will initially create and assign permissions to IAM service
+accounts, it is possible that an external user deletes or modifies this service
+account. These changes are difficult to detect, and it is best to prevent this
+type of modification through IAM permissions.
+
+Vault roleset Service Accounts will have emails in the format:
+
+```
+vault<roleset-prefix>-<creation-unix-timestamp>@...
+```
+
+Communicate with your teams (or use IAM permissions) to not modify these
+resources.
+
+## Help &amp; Support
+
+The Google Cloud Vault secrets engine is written as an external Vault plugin and
+thus exists outside the main Vault repository. It is automatically bundled with
+Vault releases, but the code is managed separately.
+
+Please report issues, add feature requests, and submit contributions to the
+[vault-plugin-secrets-gcp repo on GitHub][repo].
+
+## API
+
+The GCP secrets engine has a full HTTP API. Please see the [GCP secrets engine API docs][api]
+for more details.
+
+[api]: https://vaultproject.io/api/secret/gcp/index.html
+[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
+[custom-roles]: https://cloud.google.com/iam/docs/creating-custom-roles
+[gce]: https://cloud.google.com/compute/
+[gke]: https://cloud.google.com/kubernetes-engine/
+[iam-keys]: https://cloud.google.com/iam/docs/service-accounts#service_account_keys
+[iam-roles]: https://cloud.google.com/iam/docs/understanding-roles
+[predefined-roles]: https://cloud.google.com/iam/docs/understanding-roles#predefined_roles
+[repo]: https://github.com/hashicorp/vault-plugin-secrets-gcp
+[resource-name-full]: https://cloud.google.com/apis/design/resource_names#full_resource_name
+[resource-name-relative]: https://cloud.google.com/apis/design/resource_names#relative_resource_name
+[quotas]: https://cloud.google.com/compute/quotas
+[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
+
+## Upgrade Guides
+
+### Deprecation of Access Token Leases
+
+~> **NOTE**: This only affects access tokens. There is no change to the `service_account_key` secret type
+
+Previous versions of this secrets engine (Vault <= 0.11.1) created a lease for
+each access token secret. We have removed them after discovering that these
+tokens, specifically Google OAuth2 tokens for IAM service accounts, are
+non-revocable and have a static 60 minute lifetime. To match the current
+limitations of the GCP APIs, the secrets engine will no longer allow for
+revocation or manage the token TTL - more specifically, **the access_token
+response will no longer include `lease_id` or other lease information**. This
+change does not reflect any change to the actual underlying OAuth tokens or GCP
+service accounts.
+
+To upgrade:
+
+- Remove references from `lease_id`, `lease_duration` or other `lease_*`
+  attributes when reading responses for the access tokens secrets endpoint (i.e.
+  from `gcp/token/$roleset`). See the [documentation for access
+  tokens](#access-tokens) to see the new format for the response.
+
+- Be aware of leftover leases from previous versions. While these old leases
+  will still be revocable, they will not actually invalidate their associated
+  access token, and that token will still be useable for up to one hour.
diff --git a/website/pages/docs/secrets/gcpkms/index.mdx b/website/pages/docs/secrets/gcpkms/index.mdx
new file mode 100644
index 000000000000..b2a314f4d577
--- /dev/null
+++ b/website/pages/docs/secrets/gcpkms/index.mdx
@@ -0,0 +1,448 @@
+---
+layout: docs
+page_title: Google Cloud KMS - Secrets Engines
+sidebar_title: Google Cloud KMS
+description: |-
+  The Google Cloud KMS secrets engine for Vault interfaces with Google Cloud
+  KMS for encryption/decryption of data and KMS key management through Vault.
+---
+
+# Google Cloud KMS Secrets Engine
+
+The Google Cloud KMS Vault secrets engine provides encryption and key management
+via [Google Cloud KMS][kms]. It supports management of keys, including creation,
+rotation, and revocation, as well as encrypting and decrypting data with managed
+keys. This enables management of KMS keys through Vault's policies and IAM
+system.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the Google Cloud KMS secrets engine:
+
+   ```text
+   $ vault secrets enable gcpkms
+   Success! Enabled the gcpkms secrets engine at: gcpkms/
+   ```
+
+   By default, the secrets engine will mount at the name of the engine. To
+   enable the secrets engine at a different path, use the `-path` argument.
+
+1. Configure the secrets engine with account credentials and/or scopes:
+
+   ```text
+   $ vault write gcpkms/config \
+       credentials=@my-credentials.json
+   Success! Data written to: gcpkms/config
+   ```
+
+   If you are running Vault from inside [Google Compute Engine][gce] or [Google
+   Kubernetes Engine][gke], the instance or pod service account can be used in
+   place or specifying the credentials JSON file. For more information on
+   authentication, see the [authentication section](#authentication) below.
+
+1. Create a Google Cloud KMS key:
+
+   ```text
+   $ vault write gcpkms/keys/my-key \
+     key_ring=projects/my-project/locations/my-location/keyRings/my-keyring \
+     rotation_period=72h
+   ```
+
+   The `key_ring` parameter is specified in the following format:
+
+   ```text
+   projects/<project>/locations/<location>/keyRings/<keyring>
+   ```
+
+   where:
+
+   - `<project>` - the name of the GCP project (e.g. "my-project")
+   - `<location>` - the location of the KMS key ring (e.g. "us-east1", "global")
+   - `<keyring>` - the name of the KMS key ring (e.g. "my-keyring")
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can be used to encrypt, decrypt, and manage keys. The
+following sections describe the different ways in which keys can be managed.
+
+### Symmetric Encryption/Decryption
+
+This section describes using a Cloud KMS key for symmetric
+encryption/decryption. This is one of the most common types of encryption.
+Google Cloud manages the key ring which is used to encrypt and decrypt data.
+
+<table>
+  <thead>
+    <tr>
+      <th>Purpose</th>
+      <th>Supported Algorithms</th>
+    </tr>
+    <tr>
+      <td valign="top">
+        <code>encrypt_decrypt</code>
+      </td>
+      <td valign="top">
+        <code>symmetric_encryption</code>
+      </td>
+    </tr>
+  </thead>
+</table>
+
+1.  Create or use an existing key eligible for symmetric encryption/decryption:
+
+    ```text
+    $ vault write gcpkms/keys/my-key \
+        key_ring=projects/.../my-keyring \
+        purpose=encrypt_decrypt \
+        algorithm=symmetric_encryption
+    ```
+
+1.  Encrypt plaintext data using the `/encrypt` endpoint with a named key:
+
+    ```text
+    $ vault write gcpkms/encrypt/my-key plaintext="hello world"
+    Key            Value
+    ---            -----
+    ciphertext     CiQAuMv0lTiKjrF43Lgr4...
+    key_version    1
+    ```
+
+    Unlike Vault's transit backend, plaintext data does not need to be base64
+    encoded. The endpoint will automatically convert data.
+
+    Note that Vault is not _storing_ this data. The caller is responsible for
+    storing the resulting ciphertext.
+
+1.  Decrypt ciphertext using the `/decrypt` endpoint with a named key:
+
+    ```text
+    $ vault write gcpkms/decrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
+    Key          Value
+    ---          -----
+    plaintext    hello world
+    ```
+
+    For easier scripting, it is also possible to extract the plaintext directly:
+
+    ```text
+    $ vault write -field=plaintext gcpkms/decrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
+    hello world
+    ```
+
+1.  Rotate the underlying encryption key. This will generate a new crypto key
+    version on Google Cloud KMS and set that version as the active key.
+
+    ```text
+    $ vault write -f gcpkms/keys/rotate/my-key
+    WARNING! The following warnings were returned from Vault:
+
+      * The crypto key version was rotated successfully, but it can take up to 2
+      hours for the new crypto key version to become the primary. In practice, it
+      is usually much shorter. Be sure to issue a read operation and verify the
+      key version if you require new data to be encrypted with this key.
+
+    Key            Value
+    ---            -----
+    key_version    2
+    ```
+
+    As the message says, rotation is not immediate. Depending on a number of
+    factors, the propagation of the new key can take quite some time. If you
+    have a need to immediately encrypt data with this new key, query the API to
+    wait for the key to become the primary. Alternatively, you can specify the
+    `key_version` parameter to lock to the exact key for use with encryption.
+
+1.  Re-encrypt already-encrypted ciphertext to be encrypted with a new version of
+    the crypto key. Vault will decrypt the value using the appropriate key in the
+    keyring and then encrypt the resulting plaintext with the newest key in the
+    keyring.
+
+    ```text
+    $ vault write gcpkms/reencrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
+    Key            Value
+    ---            -----
+    ciphertext     CiQAuMv0lZTTozQA/ElqM...
+    key_version    2
+    ```
+
+    This process **does not** reveal the plaintext data. As such, a Vault policy
+    could grant an untrusted process the ability to re-encrypt ciphertext data,
+    since the process would not be able to get access to the plaintext data.
+
+1.  Trim old key versions by deleting Cloud KMS crypto key versions that are
+    older than the `min_version` allowed on the key.
+
+    ```text
+    $ vault write gcpkms/keys/config/my-key min_version=10
+    ```
+
+    Then delete all keys older than version 10. This will make it impossible to
+    encrypt, decrypt, or sign values with the older key by conventional means.
+
+    ```text
+    $ vault write -f gcpkms/keys/trim/my-key
+    ```
+
+1.  Delete the key to delete all key versions and Vault's record of the key.
+
+    ```text
+    $ vault delete gcpkms/keys/my-key
+    ```
+
+    This will make it impossible to encrypt, decrypt, or sign values by
+    conventional means.
+
+### Asymmetric Decryption
+
+This section describes using a Cloud KMS key for asymmetric decryption. In this
+model Google Cloud manages the key ring and exposes the public key via an API
+endpoint. The public key is used to encrypt data offline and produce ciphertext.
+When the plaintext is desired, the user submits the ciphertext to Cloud KMS
+which decrypts the value using the corresponding private key.
+
+<table>
+  <thead>
+    <tr>
+      <th>Purpose</th>
+      <th>Supported Algorithms</th>
+    </tr>
+    <tr>
+      <td valign="top">
+        <code>asymmetric_decrypt</code>
+      </td>
+      <td valign="top">
+        <code>rsa_decrypt_oaep_2048_sha256</code>
+        <br />
+        <code>rsa_decrypt_oaep_3072_sha256</code>
+        <br />
+        <code>rsa_decrypt_oaep_4096_sha256</code>
+      </td>
+    </tr>
+  </thead>
+</table>
+
+1.  Create or use an existing key eligible for symmetric encryption/decryption:
+
+    ```text
+    $ vault write gcpkms/keys/my-key \
+        key_ring=projects/.../my-keyring \
+        purpose=asymmetric_decrypt \
+        algorithm=rsa_decrypt_oaep_4096_sha256
+    ```
+
+1.  Retrieve the public key from Cloud KMS:
+
+    ```text
+    $ gcloud alpha kms keys versions get-public-key <crypto-key-version> \
+        --location <location> \
+        --keyring <key-ring> \
+        --key <key> \
+        --output-file ~/mykey.pub
+    ```
+
+1.  Encrypt plaintext data with the public key. Note this varies widely between
+    programming languages. The following example uses OpenSSL, but you can use your
+    language's built-ins as well.
+
+    ```text
+    $ openssl pkeyutl -in ~/my-secret-file \
+        -encrypt -pubin \
+        -inkey ~/mykey.pub \
+        -pkeyopt rsa_padding_mode:oaep \
+        -pkeyopt rsa_oaep_md:sha256 \
+        -pkeyopt rsa_mgf1_md:sha256
+    ```
+
+    Note that this encryption happens offline (meaning outside of Vault), and
+    the encryption is happening with a _public_ key. Only Cloud KMS has the
+    corresponding _private_ key.
+
+1.  Decrypt ciphertext using the `/decrypt` endpoint with a named key:
+
+    ```text
+    $ vault write gcpkms/decrypt/my-key key_verison=1 ciphertext=CiQAuMv0lTiKjrF43Lgr4...
+    Key          Value
+    ---          -----
+    plaintext    hello world
+    ```
+
+### Asymmetric Signing
+
+This section describes using a Cloud KMS key for asymmetric signing. In this
+model Google Cloud manages the key ring and exposes the public key via an API
+endpoint. A message or digest is signed with the corresponding private key, and
+can be verified by anyone with the corresponding public key.
+
+<table>
+  <thead>
+    <tr>
+      <th>Purpose</th>
+      <th>Supported Algorithms</th>
+    </tr>
+    <tr>
+      <td valign="top">
+        <code>asymmetric_sign</code>
+      </td>
+      <td valign="top">
+        <code>rsa_sign_pss_2048_sha256</code>
+        <br />
+        <code>rsa_sign_pss_3072_sha256</code>
+        <br />
+        <code>rsa_sign_pss_4096_sha256</code>
+        <br />
+        <code>rsa_sign_pkcs1_2048_sha256</code>
+        <br />
+        <code>rsa_sign_pkcs1_3072_sha256</code>
+        <br />
+        <code>rsa_sign_pkcs1_4096_sha256</code>
+        <br />
+        <code>ec_sign_p256_sha256</code>
+        <br />
+        <code>ec_sign_p384_sha384</code>
+      </td>
+    </tr>
+  </thead>
+</table>
+
+1.  Create or use an existing key eligible for symmetric encryption/decryption:
+
+    ```text
+    $ vault write gcpkms/keys/my-key \
+        key_ring=projects/.../my-keyring \
+        purpose=asymmetric_sign \
+        algorithm=ec_sign_p384_sha384
+    ```
+
+1.  Calculate the base64-encoded binary digest. Use the hashing algorithm that
+    corresponds to they key type:
+
+    ```text
+    $ export DIGEST=$(openssl dgst -sha256 -binary /my/file | base64)
+    ```
+
+    Ask Cloud KMS to sign the digest:
+
+    ```text
+    $ vault write gcpkms/sign/my-key key_version=1 digest=$DIGEST
+    Key          Value
+    ---          -----
+    signature    MGYCMQDbOS2462SKMsGdh2GQ...
+    ```
+
+1.  Verify the signature of the digest:
+
+    ```text
+    $ vault write gcpkms/verify/my-key key_version=1 digest=$DIGEST signature=$SIGNATURE
+    Key      Value
+    ---      -----
+    valid    true
+    ```
+
+    Note: it is also possible to verify this signature without Vault. Download
+    the public key from Cloud KMS, and use a tool like OpenSSL or your
+    programming language primitives to verify the signature.
+
+## Authentication
+
+The Google Cloud KMS Vault secrets backend uses the official Google Cloud Golang
+SDK. This means it supports the common ways of [providing credentials to Google
+Cloud][cloud-creds]. In addition to specifying `credentials` directly via Vault
+configuration, you can also get configuration from the following values **on the
+Vault server**:
+
+1. The environment variables `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
+   as the **path** to a Google Cloud credentials file, typically for a service
+   account. If this environment variable is present, the resulting credentials are
+   used. If the credentials are invalid, an error is returned.
+
+1. Default instance credentials. When no environment variable is present, the
+   default service account credentials are used. This is useful when running Vault
+   on [Google Compute Engine][gce] or [Google Kubernetes Engine][gke]
+
+For more information on service accounts, please see the [Google Cloud Service
+Accounts documentation][service-accounts].
+
+To use this secrets engine, the service account must have the following
+minimum scope(s):
+
+```text
+https://www.googleapis.com/auth/kms
+```
+
+### Required Permissions
+
+The credentials given to Vault must have the following role:
+
+```text
+roles/cloudkms.admin
+```
+
+If Vault will not be creating keys, you can reduce the permissions. For example,
+to create keys out of band and have Vault manage the encryption/decryption, you
+only need the following permissions:
+
+```text
+roles/cloudkms.cryptoKeyEncrypterDecrypter
+```
+
+To sign and verify, you only need the following permissions:
+
+```text
+roles/cloudkms.signerVerifier
+```
+
+For more information, please see the [Google Cloud KMS IAM documentation][kms-iam].
+
+## FAQ
+
+**How is this different than Vault's transit secrets engine?**<br />
+Vault's [transit][vault-transit] secrets engine uses in-memory keys to
+encrypt/decrypt keys. In general it will be faster and more performant. However,
+users who need physical, off-site, or out-of-band key management can use the
+[Google Cloud KMS][kms] secrets engine to get those benefits while leveraging
+Vault's policy and identity system.
+
+**Can Vault use an existing KMS key?**<br />
+You can use the `/register` endpoint to configure Vault to talk to an existing
+Google Cloud KMS key. As long as the IAM permissions are correct, Vault will be
+able to encrypt/decrypt data and rotate the key. See the [api][api] for more
+information.
+
+**Can this be used with a hardware key like an HSM?**<br />
+Yes! You can set `protection_level` to "hsm" when creating a key, or use an
+existing Cloud KMS key that is backed by an HSM.
+
+**How much does this cost?**<br />
+The plugin is free and open source. KMS costs vary by key type and the number of
+operations. Please see the [Cloud KMS pricing page][kms-pricing] for more
+details.
+
+## Help &amp; Support
+
+The Google Cloud KMS Vault secrets engine is written as an external Vault
+plugin. The code lives outside the main Vault repository. It is automatically
+bundled with Vault releases, but the code is managed separately.
+
+Please report issues, add feature requests, and submit contributions to the
+[vault-plugin-secrets-gcpkms repo on GitHub][repo].
+
+## API
+
+The Google Cloud KMS secrets engine has a full HTTP API. Please see the
+[Google Cloud KMS secrets engine API docs][api] for more details.
+
+[api]: /api/secret/gcpkms/index.html
+[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
+[gce]: https://cloud.google.com/compute/
+[gke]: https://cloud.google.com/kubernetes-engine/
+[kms]: https://cloud.google.com/kms
+[kms-iam]: https://cloud.google.com/kms/docs/reference/permissions-and-roles
+[kms-pricing]: https://cloud.google.com/kms/pricing
+[repo]: https://github.com/hashicorp/vault-plugin-secrets-gcpkms
+[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
+[vault-transit]: /docs/secrets/transit/index.html
diff --git a/website/pages/docs/secrets/identity/index.mdx b/website/pages/docs/secrets/identity/index.mdx
new file mode 100644
index 000000000000..383174a06914
--- /dev/null
+++ b/website/pages/docs/secrets/identity/index.mdx
@@ -0,0 +1,320 @@
+---
+layout: docs
+page_title: Identity - Secrets Engines
+sidebar_title: Identity
+description: The Identity secrets engine for Vault manages client identities.
+---
+
+# Identity Secrets Engine
+
+Name: `identity`
+
+The Identity secrets engine is the identity management solution for Vault. It
+internally maintains the clients who are recognized by Vault. Each client is
+internally termed as an `Entity`. An entity can have multiple `Aliases`. For
+example, a single user who has accounts in both GitHub and LDAP, can be mapped
+to a single entity in Vault that has 2 aliases, one of type GitHub and one of
+type LDAP. When a client authenticates via any of the credential backend
+(except the Token backend), Vault creates a new entity and attaches a new
+alias to it, if a corresponding entity doesn't already exist. The entity identifier will
+be tied to the authenticated token. When such tokens are put to use, their
+entity identifiers are audit logged, marking a trail of actions performed by
+specific users.
+
+Identity store allows operators to **manage** the entities in Vault. Entities
+can be created and aliases can be tied to entities, via the ACL'd API. There
+can be policies set on the entities which adds capabilities to the tokens that
+are tied to entity identifiers. The capabilities granted to tokens via the
+entities are **an addition** to the existing capabilities of the token and
+**not** a replacement. The capabilities of the token that get inherited from
+entities are computed dynamically at request time. This provides flexibility in
+controlling the access of tokens that are already issued.
+
+This secrets engine will be mounted by default. This secrets engine cannot be
+disabled or moved.
+
+## Concepts
+
+### Entities and Aliases
+
+Each user will have multiple accounts with various identity providers. Users
+can now be mapped as `Entities` and their corresponding accounts with
+authentication providers can be mapped as `Aliases`. In essence, each entity is
+made up of zero or more aliases.
+
+### Entity Management
+
+Entities in Vault **do not** automatically pull identity information from
+anywhere. It needs to be explicitly managed by operators. This way, it is
+flexible in terms of administratively controlling the number of entities to be
+synced against Vault. In some sense, Vault will serve as a _cache_ of
+identities and not as a _source_ of identities.
+
+### Entity Policies
+
+Vault policies can be assigned to entities which will grant _additional_
+permissions to the token on top of the existing policies on the token. If the
+token presented on the API request contains an identifier for the entity and if
+that entity has a set of policies on it, then the token will be capable of
+performing actions allowed by the policies on the entity as well.
+
+This is a paradigm shift in terms of _when_ the policies of the token get
+evaluated. Before identity, the policy names on the token were immutable (not
+the contents of those policies though). But with entity policies, along with
+the immutable set of policy names on the token, the evaluation of policies
+applicable to the token through its identity will happen at request time. This
+also adds enormous flexibility to control the behavior of already issued
+tokens.
+
+Its important to note that the policies on the entity are only a means to grant
+_additional_ capabilities and not a replacement for the policies on the token.
+To know the full set of capabilities of the token with an associated entity
+identifier, the policies on the token should be taken into account.
+
+### Mount Bound Aliases
+
+Vault supports multiple authentication backends and also allows enabling the
+same type of authentication backend on different mount paths. The alias name of
+the user will be unique within the backend's mount. But identity store needs to
+uniquely distinguish between conflicting alias names across different mounts of
+these identity providers. Hence, the alias name in combination with the
+authentication backend mount's accessor, serve as the unique identifier of an
+alias.
+
+### Implicit Entities
+
+Operators can create entities for all the users of an auth mount beforehand and
+assign policies to them, so that when users login, the desired capabilities to
+the tokens via entities are already assigned. But if that's not done, upon a
+successful user login from any of the authentication backends, Vault will
+create a new entity and assign an alias against the login that was successful.
+
+Note that the tokens created using the token authentication backend will not
+have an associated identity information. Logging in using the authentication
+backends is the only way to create tokens that have a valid entity identifiers.
+
+### Identity Auditing
+
+If the token used to make API calls have an associated entity identifier, it
+will be audit logged as well. This leaves a trail of actions performed by
+specific users.
+
+### Identity Groups
+
+In version 0.9, Vault identity has support for groups. A group can contain
+multiple entities as its members. A group can also have subgroups. Policies set
+on the group is granted to all members of the group. During request time, when
+the token's entity ID is being evaluated for the policies that it has access
+to; along with the policies on the entity itself, policies that are inherited
+due to group memberships are also granted.
+
+### Group Hierarchical Permissions
+
+Entities can be direct members of groups, in which case they inherit the
+policies of the groups they belong to. Entities can also be indirect members of
+groups. For example, if a GroupA has GroupB as subgroup, then members of GroupB
+are indirect members of GroupA. Hence, the members of GroupB will have access
+to policies on both GroupA and GroupB.
+
+### External vs Internal Groups
+
+By default, the groups created in identity store are called the internal
+groups. The membership management of these groups should be carried out
+manually. A group can also be created as an external group. In this case, the
+entity membership in the group is managed semi-automatically. External group
+serves as a mapping to a group that is outside of the identity store. External
+groups can have one (and only one) alias. This alias should map to a notion of
+group that is outside of the identity store. For example, groups in LDAP, and
+teams in GitHub. A username in LDAP, belonging to a group in LDAP, can get its
+entity ID added as a member of a group in Vault automatically during _logins_
+and _token renewals_. This works only if the group in Vault is an external
+group and has an alias that maps to the group in LDAP. If the user is removed
+from the group in LDAP, that change gets reflected in Vault only upon the
+subsequent login or renewal operation.
+
+## Identity Tokens
+
+Identity information is used throughout Vault, but it can also be exported for
+use by other applications. An authorized user/application can request a token
+that encapsulates identity information for their associated entity. These
+tokens are signed JWTs following the [OIDC ID
+token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) structure.
+The public keys used to authenticate the tokens are published by Vault on an
+unauthenticated endpoint following OIDC discovery and JWKS conventions, which
+should be a directly usable by JWT/OIDC libraries. An introspection endpoint is
+also provided by Vault for token verification.
+
+### Roles and Keys
+
+OIDC-compliant ID tokens are generated against a role which allows configuration
+of token claims via a templating system, token ttl, and a way to specify which
+"key" will be used to sign the token. The role template is an optional parameter
+to customize the token contents and is described in the next section. Token TTL
+controls the expiration time of the token, after which verification library will
+consider the token invalid. All roles have a Vault-generated `client_id`
+attribute that is returned when the role is read. This value cannot be changed
+and will be added to the token's `aud` parameter. JWT/OIDC libraries will often
+require this value.
+
+A role's `key` parameter links a role to an existing named key (multiple roles
+may refer to the same key). It is not possible to generate an unsigned ID token.
+
+A named key is a public/private key pair generated by Vault. The private key is
+used to sign the identity tokens, and the public key is used by clients to
+verify the signature. Key are regularly rotated, whereby a new key pair is
+generated and the previous _public_ key is retained for a limited time for
+verification purposes.
+
+A named key's configuration specifies a rotation period, a verification ttl,
+signing algorithm and allowed client IDs. Rotation period specifies the
+frequency at which a new signing key is generated and the private portion of the
+previous signing key is deleted. Verification ttl is the time a public key is
+retained for verification, after being rotated. By default, keys are rotated
+every 24 hours, and continue to be available for verification for 24 hours after
+their rotation.
+
+A key's list of allowed client IDs limits which roles may reference the key. The
+parameter may be set to `*` to allow all roles. The validity evaluation is made
+when a token is requested, not during configuration.
+
+### Token Contents and Templates
+
+Identity tokens will always contain, at a minimum, the claims required by OIDC:
+
+- `iss` - Issuer URL
+- `sub` - Requester's entity ID
+- `aud` - `client_id` for the role
+- `iss` - Time of issue
+- `exp` - Expiration time for the token
+
+In addition, the operator may configure per-role templates that allow a variety
+of other entity information to be added to the token. The templates are
+structured as JSON with replaceable parameters. The parameter syntax is the same
+as that used for [ACL Path Templating](/docs/concepts/policies.html).
+
+For example:
+
+```json
+{
+  "color": {{identity.entity.metadata.color}},
+  "userinfo": {
+     "username": {{identity.entity.aliases.usermap_123.metadata.username}},
+     "groups": {{identity.entity.group_names}}
+
+  "nbf": {{time.now}},
+}
+```
+
+When a token is requested, the resulting template might be populated as:
+
+```json
+{
+  "color": "green",
+  "userinfo": {
+     "username": "bob",
+     "groups": ["web", "engr", "default"]
+
+  "nbf": 1561411915,
+}
+```
+
+which would be merged with the base OIDC claims into the final token:
+
+```json
+{
+  "iss": "https://10.1.1.45:8200/v1/identity/oidc",
+  "sub": "a2cd63d3-5364-406f-980e-8d71bb0692f5",
+  "aud": "SxSouteCYPBoaTFy94hFghmekos",
+  "iss": 1561411915,
+  "exp": 1561412215,
+  "color": "green",
+  "userinfo": {
+    "username": "bob",
+    "groups": ["web", "engr", "default"]
+  },
+  "nbf": 1561411915
+}
+```
+
+Note how the template is merged, with top level template keys becoming top level
+token keys. For this reason, templates may not contain top level keys that
+overwrite the standard OIDC claims.
+
+Template parameters that are not present for an entity, such as a metadata that
+isn't present, or an alias accessor which doesn't exist, are simply empty
+strings or objects, depending on the data type.
+
+Templates are configured on the role and may be optionally encoded as base64.
+
+The full list of template parameters is shown below:
+
+| Name                                                                   | Description                                                                             |
+| :--------------------------------------------------------------------- | :-------------------------------------------------------------------------------------- |
+| `identity.entity.id`                                                   | The entity's ID                                                                         |
+| `identity.entity.name`                                                 | The entity's name                                                                       |
+| `identity.entity.groups.ids`                                           | The IDs of the groups the entity is a member of                                         |
+| `identity.entity.groups.names`                                         | The names of the groups the entity is a member of                                       |
+| `identity.entity.metadata`                                             | Metadata associated with the entity                                                     |
+| `identity.entity.metadata.<<metadata key>>`                            | Metadata associated with the entity for the given key                                   |
+| `identity.entity.aliases.<<mount accessor>>.id`                        | Entity alias ID for the given mount                                                     |
+| `identity.entity.aliases.<<mount accessor>>.name`                      | Entity alias name for the given mount                                                   |
+| `identity.entity.aliases.<<mount accessor>>.metadata`                  | Metadata associated with the alias for the given mount                                  |
+| `identity.entity.aliases.<<mount accessor>>.metadata.<<metadata key>>` | Metadata associated with the alias for the given mount and metadata key                 |
+| `time.now`                                                             | Current time as integral seconds since the Epoch                                        |
+| `time.now.plus.<<duration>>`                                           | Current time plus a Go-parsable [duration](https://golang.org/pkg/time/#ParseDuration)  |  |
+| `time.now.minus.<<duration>>`                                          | Current time minus a Go-parsable [duration](https://golang.org/pkg/time/#ParseDuration) |  |
+
+### Token Generation
+
+An authenticated client may request a token using the [token generation
+endpoint](api/secret/identity/tokens.html#generate-a-signed-id-token). The token
+will be generated per the requested role's specifications, for the requester's
+entity. It is not possible to generate tokens for an arbitrary entity.
+
+### Verifying Authenticity of ID Tokens Generated by Vault
+
+An identity token may be verified by the client party using the public keys
+published by Vault, or via a Vault-provided introspection endpoint.
+
+Vault will serve standard "[.well-known](https://tools.ietf.org/html/rfc5785)"
+endpoints that allow easy integration with OIDC verification libraries.
+Configuring the libraries will typically involve providing an issuer URL and
+client ID. The library will then handle key requests and can validate the
+signature and claims requirements on tokens. This approach has the advantage of
+only requiring _access_ to Vault, not _authorization_, as the .well-known
+endpoints are unauthenticated.
+
+Alternatively, the token may be sent to Vault for verification via an
+[introspection endpoint](api/secret/identity/tokens.html#introspect-a-signed-id-token).
+The response will indicate whether the token is "active" or not, as well as any
+errors that occurred during validation. Beyond simply allowing the client to
+delegate verification to Vault, using this endpoint incorporates the additional
+check of whether the entity is still active or not, which is something that
+cannot be determined from the token alone. Unlike the .well-known endpoint, accessing the
+introspection endpoint does require a valid Vault token and sufficient
+authorization.
+
+### Issuer Considerations
+
+The identity token system has one configurable parameter: issuer. The issuer
+`iss` claim is particularly important for proper validation of the token by
+clients, and special consideration should be given when using Identity Tokens
+with [performance replication](docs/enterprise/replication/index.html).
+Consumers of the token will request public keys from Vault using the issuer URL,
+so it must be network reachable. Furthermore, the returned set of keys will include
+an issuer that must match the request.
+
+By default Vault will set the issuer to the Vault instance's
+[`api_addr`](docs/configuration/index.html#api_addr). This means that tokens
+issued in a given cluster should be validated within that same cluster.
+Alternatively, the [`issuer`](api/secret/identity/tokens.html#issuer) parameter
+may be configured explicitly. This address must point to the identity/oidc path
+for the Vault instance (e.g.
+`https://vault-1.example.com:8200/v1/identity/oidc`) and should be
+reachable by any client trying to validate identity tokens.
+
+## API
+
+The Identity secrets engine has a full HTTP API. Please see the
+[Identity secrets engine API](/api/secret/identity/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/index.mdx b/website/pages/docs/secrets/index.mdx
new file mode 100644
index 000000000000..be176700ad3c
--- /dev/null
+++ b/website/pages/docs/secrets/index.mdx
@@ -0,0 +1,72 @@
+---
+layout: docs
+page_title: Secrets Engines
+sidebar_title: Secrets Engines
+description: Secrets engines are mountable engines that store or generate secrets in Vault.
+---
+
+# Secrets Engines
+
+Secrets engines are components which store, generate, or encrypt data. Secrets
+engines are incredibly flexible, so it is easiest to think about them in terms
+of their function. Secrets engines are provided some set of data, they take some
+action on that data, and they return a result.
+
+Some secrets engines simply store and read data - like encrypted
+Redis/Memcached. Other secrets engines connect to other services and generate
+dynamic credentials on demand. Other secrets engines provide encryption as a
+service, totp generation, certificates, and much more.
+
+Secrets engines are enabled at a "path" in Vault. When a request comes to Vault,
+the router automatically routes anything with the route prefix to the secrets
+engine. In this way, each secrets engine defines its own paths and properties.
+To the user, secrets engines behave similar to a virtual filesystem, supporting
+operations like read, write, and delete.
+
+## Secrets Engines Lifecycle
+
+Most secrets engines can be enabled, disabled, tuned, and moved via the CLI or
+API. Previous versions of Vault called these "mounts", but that term was
+overloaded.
+
+- **Enable** - This enables a secrets engine at a given path. With few
+  exceptions, secrets engines can be enabled at multiple paths. Each secrets
+  engine is isolated to its path. By default, they are enabled at their "type"
+  (e.g. "aws" enables at "aws/").
+
+- **Disable** - This disables an existing secrets engine. When a secrets engine
+  is disabled, all of its secrets are revoked (if they support it), and all of
+  the data stored for that engine in the physical storage layer is deleted.
+
+- **Move** - This moves the path for an existing secrets engine. This process
+  revokes all secrets, since secret leases are tied to the path they were
+  created at. The configuration data stored for the engine persists through the
+  move.
+
+- **Tune** - This tunes global configuration for the secrets engine such as the
+  TTLs.
+
+Once a secrets engine is enabled, you can interact with it directly at its path
+according to its own API. Use `vault path-help` to determine the paths it
+responds to.
+
+Note that mount points cannot conflict with each other in Vault. There are
+two broad implications of this fact. The first is that you cannot have
+a mount which is prefixed with an existing mount. The second is that you
+cannot create a mount point that is named as a prefix of an existing mount.
+As an example, the mounts `foo/bar` and `foo/baz` can peacefully coexist
+with each other whereas `foo` and `foo/baz` cannot
+
+## Barrier View
+
+Secrets engines receive a _barrier view_ to the configured Vault physical
+storage. This is a lot like a [chroot](https://en.wikipedia.org/wiki/Chroot).
+
+When a secrets engine is enabled, a random UUID is generated. This becomes the
+data root for that engine. Whenever that engine writes to the physical storage
+layer, it is prefixed with that UUID folder. Since the Vault storage layer
+doesn't support relative access (such as `../`), this makes it impossible for a
+enabled secrets engine to access other data.
+
+This is an important security feature in Vault - even a malicious engine
+cannot access the data from any other engine.
diff --git a/website/pages/docs/secrets/kmip/index.mdx b/website/pages/docs/secrets/kmip/index.mdx
new file mode 100644
index 000000000000..40baa16e1b21
--- /dev/null
+++ b/website/pages/docs/secrets/kmip/index.mdx
@@ -0,0 +1,177 @@
+---
+layout: docs
+page_title: KMIP - Secrets Engines
+sidebar_title: KMIP <sup>ENTERPRISE</sup>
+description: |-
+  The KMIP secrets engine allows Vault to act as a KMIP server provider and
+  handle the lifecycle of it KMIP managed objects.
+---
+
+# KMIP Secrets Engine
+
+The KMIP secrets engine allows Vault to act as a [Key Management
+Interoperability Protocol](#kmip-spec) (KMIP) server provider and handle
+the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that allows
+services and applications to perform cryptographic operations without having to
+manage cryptographic material, otherwise known as managed objects, by delegating
+its storage and lifecycle to a key management server.
+
+## Setup
+
+The KMIP secrets engine must be configured before it can start accepting KMIP
+requests.
+
+1.  Enable the KMIP secrets engine
+
+    ```text
+    $ vault secrets enable kmip
+    Success! Enabled the kmip secrets engine at: kmip/
+    ```
+
+1.  Configure the secrets engine with the desired listener addresses to use and
+    TLS parameters, or leave unwritten to use default values
+
+    ```text
+    $ vault write kmip/config listen_addrs=0.0.0.0:5696
+    ```
+
+## Usage
+
+### Scopes and Roles
+
+The KMIP secrets engine uses the concept of scopes to partition KMIP managed
+object storage into multiple named buckets. Within a scope, roles can be created
+which dictate the set of allowed operations that the particular role can perform.
+TLS client certificates can be generated for a role, which services and applications
+can then use when sending KMIP requests against Vault's KMIP secret engine.
+
+In order to generate client certificates for KMIP clients to interact with Vault's
+KMIP server, we must first create a scope and role and specify the desired set of
+allowed operations for it.
+
+1.  Create a scope:
+
+    ```text
+    $ vault write -f kmip/scope/my-service
+    Success! Data written to: kmip/scope/my-service
+    ```
+
+1.  Create a role within the scope, specifying the set of operations to allow or
+    deny.
+
+    ```text
+    $ vault write kmip/scope/my-service/role/admin operation_all=true
+      Success! Data written to: kmip/scope/my-service/role/admin
+    ```
+
+### Client Certificate Generation
+
+Once a scope and role has been created, client certificates can be generated for
+that role. The client certificate can then be provided to applications and
+services that support KMIP to establish communication with Vault's KMIP server.
+Scope and role identifiers are embedded in the certificate,
+which will be used when evaluating permissions during a KMIP request.
+
+1.  Generate a client certificate. This returns the CA Chain, the certificate,
+    and the private key.
+
+    ```text
+    $ vault write -f kmip/scope/my-service/role/admin/credential/generate
+      Key              Value
+      ---              -----
+      ca_chain         [-----BEGIN CERTIFICATE-----
+      MIICNTCCAZigAwIBAgIUKqNFb3Zy+8ypIhTDs/2/8f/xEI8wCgYIKoZIzj0EAwIw
+      HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MjQyN1oX
+      DTI5MDYyMTE4MjQ1N1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu
+      dGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAbniGNXHOiPvSb0I
+      fbc1B9QkOmdT2Ecx2WaQPLISplmO0Jm0u0z11CGuf3Igby7unnCNvCuCXrKJFCsQ
+      8JGhwknNAG3eesSZxG4tklA6FMZjE9ETUtYfjH7Z4vuJSw/fxOeey7fhrqAzhV3P
+      GRkvA9EQUHJOeV4rEpiINP/fneHNfsn1o2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
+      VR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUR0o0v4rPiBU9RwQfEUucx3JwbPAw
+      HwYDVR0jBBgwFoAUMhORultSN+ABogxQdkt7KChD0wQwCgYIKoZIzj0EAwIDgYoA
+      MIGGAkF1IvkIaXNkVfe+q0V78CnX0XIJuvmPpgjN8AQzqLci8txikd9gF1zt8fFQ
+      gIKERm2QPrshSV9srHDB0YnThRKuiQJBNcDjCfYOzqKlBHifT4WT4OX1U6nP/Y2b
+      imGaLJK9VIwfcJOpVCFGp7Xi8QGV6rJIFiQAqzqCy69vcU6nVMsvens=
+      -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
+      MIICKjCCAYugAwIBAgIUerDfApmkq0VYychkhlxEnBlIDUcwCgYIKoZIzj0EAwIw
+      HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MjQyNloX
+      DTI5MDYyMTE4MjQ1NlowHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb
+      MBAGByqGSM49AgEGBSuBBAAjA4GGAAQBA466Axrrz+HWanNe35gPVvB7OE7TWZcc
+      QZw1QSMQ+QIQMu5NcdfvZfh68exhe1FiJezKB+zeoJWp1Q/kqhyh7fsAFUuIcJDO
+      okZYPTmjPh3h5IZLPg5r7Pw1j99rLHhc/EXF9wYVy2UeH/2IqGJ+cncmVgqczlG8
+      m36g9OXd6hkofhCjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
+      AgEKMB0GA1UdDgQWBBQyE5G6W1I34AGiDFB2S3soKEPTBDAfBgNVHSMEGDAWgBQy
+      E5G6W1I34AGiDFB2S3soKEPTBDAKBggqhkjOPQQDAgOBjAAwgYgCQgGtPVCtgDc1
+      0SrTsVpEtUMYQKbOWnTKNHZ9h5jSna8n9aY+70Ai3U57q3FL95iIhZRW79PRpp65
+      d6tWqY51o2hHpwJCAK+eE7xpdnqh5H8TqAXKVuSoC0WEsovYCD03c8Ih3jWcZn6N
+      kbz2kXPcAk+dE6ncnwhwqNQgsJQGgQzJroH+Zzvb
+      -----END CERTIFICATE-----]
+      certificate      -----BEGIN CERTIFICATE-----
+      MIICOzCCAZygAwIBAgIUN5V7bLAGu8QIUFxlIugg8fBb+eYwCgYIKoZIzj0EAwIw
+      KjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x
+      OTA2MjQxODQ3MTdaFw0xOTA2MjUxODQ3NDdaMCAxDjAMBgNVBAsTBWNqVVNJMQ4w
+      DAYDVQQDEwVkdjRZbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEANVsHV8CHYpW
+      CBKbYVEx/sLphk67SdWxbII4Sc9Rj1KymApD4gPmS+rw0FDMZGFbn1sAfpqMBqMj
+      ylv72o9izbYSALHnYT+AaE0NFn4eGWZ2G0p56cVmfXm3ZI959E+3gvZK6X5Jnzm4
+      FKXTDKGA4pocYec/rnYJ5X8sbAJKHvk1OeO+o2cwZTAOBgNVHQ8BAf8EBAMCA6gw
+      EwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFBEIsBo3HiBIg2l2psaQoYkT
+      D1RNMB8GA1UdIwQYMBaAFEdKNL+Kz4gVPUcEHxFLnMdycGzwMAoGCCqGSM49BAMC
+      A4GMADCBiAJCAc8DV23DJsHV4fdmbmssu0eDIgNH+PrRKdYgqiHptbuVjF2qbILp
+      Z34dJRVN+R9B+RprZXkYiv7gJ/47KSUKzRZpAkIByMjZqLtcypamJM/t+/O1BSst
+      CWcblb45FIxAmO4hE00Q5wnwXNxNnDHXWiuGdSNmIBjpb9nM5wehQlbkx7HzvPk=
+      -----END CERTIFICATE-----
+      private_key      -----BEGIN EC PRIVATE KEY-----
+      MIHcAgEBBEIB9Nn7M28VUVW6g5IlOTS3bHIZYM/zqVy+PvYQxn2lFbg1YrQzfd7h
+      sdtCjet0lc7pvtoOwd1dFiATOGg98OVN7MegBwYFK4EEACOhgYkDgYYABADVbB1f
+      Ah2KVggSm2FRMf7C6YZOu0nVsWyCOEnPUY9SspgKQ+ID5kvq8NBQzGRhW59bAH6a
+      jAajI8pb+9qPYs22EgCx52E/gGhNDRZ+HhlmdhtKeenFZn15t2SPefRPt4L2Sul+
+      SZ85uBSl0wyhgOKaHGHnP652CeV/LGwCSh75NTnjvg==
+      -----END EC PRIVATE KEY-----
+      serial_number    317328055225536560033788492808123425026102524390
+    ```
+
+### Supported KMIP Operations
+
+The KMIP protocol supports a wide [variety of operations](#kmip-ops) that can be
+issued by clients to perform certain actions, such as key management,
+encryption, signing, etc. The KMIP secrets engine currently supports a subset of
+KMIP operations.
+
+Supported KMIP operations:
+
+```text
+operation_activate
+operation_add_attribute
+operation_create
+operation_destroy
+operation_discover_versions
+operation_get
+operation_get_attribute_list
+operation_get_attributes
+operation_locate
+operation_register
+operation_rekey
+operation_revoke
+```
+
+Additionally, there are two pseudo-operations that can be used to allow or deny
+all operation capabilities to a role. These operations are mutually exclusive to
+all other operations. That is, if it's provided during role creation or update,
+no other operations can be provided. Similarly, if an existing role contains a
+pseudo-operation, and it is then updated with a set supported operation, it will
+be overwritten with the newly set of provided operations.
+
+Pseudo-operations:
+
+```text
+operation_all
+operation_none
+```
+
+## Learn
+
+Refer to the [KMIP Secrets Engine](https://learn.hashicorp.com/vault/secrets-management/kmip-engine)
+guide for a step-by-step tutorial.
+
+[kmip-spec]: http://docs.oasis-open.org/kmip/spec/v1.4/kmip-spec-v1.4.html
+[kmip-ops]: http://docs.oasis-open.org/kmip/spec/v1.4/os/kmip-spec-v1.4-os.html#_Toc490660840
diff --git a/website/pages/docs/secrets/kv/index.mdx b/website/pages/docs/secrets/kv/index.mdx
new file mode 100644
index 000000000000..23f62a4085a3
--- /dev/null
+++ b/website/pages/docs/secrets/kv/index.mdx
@@ -0,0 +1,43 @@
+---
+layout: docs
+page_title: KV - Secrets Engines
+sidebar_title: Key/Value
+description: The KV secrets engine can store arbitrary secrets.
+---
+
+# KV Secrets Engine
+
+The `kv` secrets engine is used to store arbitrary secrets within the
+configured physical storage for Vault. This backend can be run in one of two
+modes. It can be a generic Key-Value store that stores one value for a key.
+Versioning can be enabled and a configurable number of versions for each key
+will be stored.
+
+## KV Version 1
+
+When running the `kv` secrets backend non-versioned only the most recently
+written value for a key will be preserved. The benefits of non-versioned `kv`
+is a reduced storage size for each key since no additional metadata or history
+is stored. Additionally, requests going to a backend configured this way will be
+more performant because for any given request there will be fewer storage calls
+and no locking.
+
+More information about running in this mode can be found in the [K/V Version 1
+Docs](/docs/secrets/kv/kv-v1.html)
+
+## KV Version 2
+
+When running v2 of the `kv` backend a key can retain a configurable number of
+versions. This defaults to 10 versions. The older versions' metadata and data
+can be retrieved. Additionally, Check-and-Set operations can be used to avoid
+overwriting data unintentionally.
+
+When a version is deleted the underlying data is not removed, rather it is
+marked as deleted. Deleted versions can be undeleted. To permanently remove a
+version's data the destroy command or API endpoint can be used. Additionally all
+versions and metadata for a key can be deleted by deleting on the metadata
+command or API endpoint. Each of these operations can be ACL'ed differently,
+restricting who has permissions to soft delete, undelete, or fully remove data.
+
+More information about running in this mode can be found in the [K/V Version 2
+Docs](/docs/secrets/kv/kv-v2.html)
diff --git a/website/pages/docs/secrets/kv/kv-v1.mdx b/website/pages/docs/secrets/kv/kv-v1.mdx
new file mode 100644
index 000000000000..b134a1a4f85e
--- /dev/null
+++ b/website/pages/docs/secrets/kv/kv-v1.mdx
@@ -0,0 +1,112 @@
+---
+layout: docs
+page_title: KV - Secrets Engines
+sidebar_title: K/V Version 1
+description: The KV secrets engine can store arbitrary secrets.
+---
+
+# KV Secrets Engine - Version 1
+
+The `kv` secrets engine is used to store arbitrary secrets within the
+configured physical storage for Vault.
+
+Writing to a key in the `kv` backend will replace the old value; sub-fields are
+not merged together.
+
+Key names must always be strings. If you write non-string values directly via
+the CLI, they will be converted into strings. However, you can preserve
+non-string values by writing the key/value pairs to Vault from a JSON file or
+using the HTTP API.
+
+This secrets engine honors the distinction between the `create` and `update`
+capabilities inside ACL policies.
+
+~> **Note**: Path and key names are _not_ obfuscated or encrypted; only the
+values set on keys are. You should not store sensitive information as part of a
+secret's path.
+
+## Setup
+
+To enable a version 1 kv store:
+
+```
+vault secrets enable -version=1 kv
+```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials. The `kv` secrets engine
+allows for writing keys with arbitrary values.
+
+1. Write arbitrary data:
+
+   ```text
+   $ vault kv put kv/my-secret my-value=s3cr3t
+   Success! Data written to: kv/my-secret
+   ```
+
+1. Read arbitrary data:
+
+   ```text
+   $ vault kv get kv/my-secret
+   Key                 Value
+   ---                 -----
+   my-value            s3cr3t
+   ```
+
+1. List the keys:
+
+   ```text
+   $ vault kv list kv/
+   Keys
+   ----
+   my-secret
+   ```
+
+1. Delete a key:
+
+   ```
+   $ vault kv delete kv/my-secret
+   Success! Data deleted (if it existed) at: kv/my-secret
+   ```
+
+## TTLs
+
+Unlike other secrets engines, the KV secrets engine does not enforce TTLs
+for expiration. Instead, the `lease_duration` is a hint for how often consumers
+should check back for a new value.
+
+If provided a key of `ttl`, the KV secrets engine will utilize this value
+as the lease duration:
+
+```text
+$ vault kv put kv/my-secret ttl=30m my-value=s3cr3t
+Success! Data written to: kv/my-secret
+```
+
+Even with a `ttl` set, the secrets engine _never_ removes data on its own. The
+`ttl` key is merely advisory.
+
+When reading a value with a `ttl`, both the `ttl` key _and_ the refresh interval
+will reflect the value:
+
+```text
+$ vault kv get kv/my-secret
+Key                 Value
+---                 -----
+my-value            s3cr3t
+ttl                 30m
+```
+
+## Learn
+
+Refer to the [Static Secrets: Key/Value Secrets
+Engine](https://learn.hashicorp.com/vault/secrets-management/sm-static-secrets)
+guide for a step-by-step tutorial.
+
+## API
+
+The KV secrets engine has a full HTTP API. Please see the
+[KV secrets engine API](/api/secret/kv/kv-v1.html) for more
+details.
diff --git a/website/pages/docs/secrets/kv/kv-v2.mdx b/website/pages/docs/secrets/kv/kv-v2.mdx
new file mode 100644
index 000000000000..817824ca13cd
--- /dev/null
+++ b/website/pages/docs/secrets/kv/kv-v2.mdx
@@ -0,0 +1,406 @@
+---
+layout: docs
+page_title: KV - Secrets Engines
+sidebar_title: K/V Version 2
+description: The KV secrets engine can store arbitrary secrets.
+---
+
+# KV Secrets Engine - Version 2
+
+The `kv` secrets engine is used to store arbitrary secrets within the
+configured physical storage for Vault.
+
+Key names must always be strings. If you write non-string values directly via
+the CLI, they will be converted into strings. However, you can preserve
+non-string values by writing the key/value pairs to Vault from a JSON file or
+using the HTTP API.
+
+This secrets engine honors the distinction between the `create` and `update`
+capabilities inside ACL policies.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+A v2 `kv` secrets engine can be enabled by:
+
+```text
+$ vault secrets enable -version=2 kv
+```
+
+Or, you can pass `kv-v2` as the secrets engine type:
+
+```text
+$ vault secrets enable kv-v2
+```
+
+Additionally, when running a dev-mode server, the v2 `kv` secrets engine is enabled by default at the
+path `secret/` (for non-dev servers, it is currently v1). It can be disabled, moved, or enabled multiple times at
+different paths. Each instance of the KV secrets engine is isolated and unique.
+
+## Upgrading from Version 1
+
+An existing version 1 kv store can be upgraded to a version 2 kv store via the CLI or API, as shown below. This will start an upgrade process to upgrade the existing key/value data to a versioned format. The mount will be inaccessible during this process. This process could take a long time, so plan accordingly.
+
+Once upgraded to version 2, the former paths at which the data was accessible will no longer suffice. You will need to adjust user policies to add access to the version 2 paths as detailed in the [ACL Rules section below](/docs/secrets/kv/kv-v2.html#acl-rules). Similarly, users/applications will need to update the paths at which they interact with the kv data once it has been upgraded to version 2.
+
+An existing version 1 kv can be upgraded to a version 2 KV store with the CLI command:
+
+```text
+$ vault kv enable-versioning secret/
+Success! Tuned the secrets engine at: secret/
+```
+
+or via the API:
+
+```text
+$ cat payload.json
+{
+  "options": {
+      "version": "2"
+  }
+}
+
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/mounts/secret/tune
+```
+
+## ACL Rules
+
+The version 2 kv store uses a prefixed API, which is different from the
+version 1 API. Before upgrading from a version 1 kv the ACL rules
+should be changed. Also different paths in the version 2 API can be ACL'ed
+differently.
+
+Writing and reading versions are prefixed with the `data/` path. This policy
+that worked for the version 1 kv:
+
+```
+path "secret/dev/team-1/*" {
+  capabilities = ["create", "update", "read"]
+}
+```
+
+Should be changed to:
+
+```
+path "secret/data/dev/team-1/*" {
+  capabilities = ["create", "update", "read"]
+}
+```
+
+There are different levels of data deletion for this backend. To grant a policy
+the permissions to delete the latest version of a key:
+
+```
+path "secret/data/dev/team-1/*" {
+  capabilities = ["delete"]
+}
+```
+
+To allow the policy to delete any version of a key:
+
+```
+path "secret/delete/dev/team-1/*" {
+  capabilities = ["update"]
+}
+```
+
+To allow a policy to undelete data:
+
+```
+path "secret/undelete/dev/team-1/*" {
+  capabilities = ["update"]
+}
+```
+
+To allow a policy to destroy versions:
+
+```
+path "secret/destroy/dev/team-1/*" {
+  capabilities = ["update"]
+}
+```
+
+To allow a policy to list keys:
+
+```
+path "secret/metadata/dev/team-1/*" {
+  capabilities = ["list"]
+}
+```
+
+To allow a policy to view metadata for each version:
+
+```
+path "secret/metadata/dev/team-1/*" {
+  capabilities = ["read"]
+}
+```
+
+To allow a policy to permanently remove all versions and metadata for a key:
+
+```
+path "secret/metadata/dev/team-1/*" {
+  capabilities = ["delete"]
+}
+```
+
+See the [API Specification](/api/secret/kv/kv-v2.html) for more
+information.
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials. The `kv` secrets engine
+allows for writing keys with arbitrary values.
+
+### Writing/Reading arbitrary data
+
+1. Write arbitrary data:
+
+   ```text
+   $ vault kv put secret/my-secret my-value=s3cr3t
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:20:22.985303Z
+   deletion_time    n/a
+   destroyed        false
+   version          1
+   ```
+
+1. Read arbitrary data:
+
+   ```text
+   $ vault kv get secret/my-secret
+   ====== Metadata ======
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:20:22.985303Z
+   deletion_time    n/a
+   destroyed        false
+   version          1
+
+   ====== Data ======
+   Key         Value
+   ---         -----
+   my-value    s3cr3t
+   ```
+
+1. Write another version, the previous version will still be accessible. The
+   `-cas` flag can optionally be passed to perform a check-and-set operation. If
+   not set the write will be allowed. If set to `-cas=0` a write will only be allowed
+   if the key doesn’t exist. If the index is non-zero the write will only be
+   allowed if the key’s current version matches the version specified in the
+   cas parameter.
+
+   ```text
+   $ vault kv put -cas=1 secret/my-secret my-value=new-s3cr3t
+   e
+   -
+   Z
+   a
+   e
+   2
+   ```
+
+1. Reading now will return the newest version of the data:
+
+   ```text
+   $ vault kv get secret/my-secret
+   ====== Metadata ======
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:22:23.369372Z
+   deletion_time    n/a
+   destroyed        false
+   version          2
+
+   ====== Data ======
+   Key         Value
+   ---         -----
+   my-value    new-s3cr3t
+   ```
+
+1. Previous versions can be accessed with the `-version` flag:
+
+   ```text
+   $ vault kv get -version=1 secret/my-secret
+   ====== Metadata ======
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:20:22.985303Z
+   deletion_time    n/a
+   destroyed        false
+   version          1
+
+   ====== Data ======
+   Key         Value
+   ---         -----
+   my-value    s3cr3t
+   ```
+
+### Deleting and Destroying Data
+
+When deleting data the standard `vault kv delete` command will perform a
+soft delete. It will mark the version as deleted and populate a `deletion_time`
+timestamp. Soft deletes do not remove the underlying version data from storage,
+which allows the version to be undeleted. The `vault kv undelete` command
+handles undeleting versions.
+
+A version's data is permanently deleted only when the key has more versions than
+are allowed by the max-versions setting, or when using `vault kv destroy`. When
+the destroy command is used the underlying version data will be removed and the
+key metadata will be marked as destroyed. If a version is cleaned up by going
+over max-versions the version metadata will also be removed from the key.
+
+See the commands below for more information:
+
+1. The latest version of a key can be deleted with the delete command, this also
+   takes a `-versions` flag to delete prior versions:
+
+   ```text
+   $ vault kv delete secret/my-secret
+   t
+   ```
+
+1. Versions can be undeleted:
+
+   ```text
+   $ vault kv undelete -versions=2 secret/my-secret
+   Success! Data written to: secret/undelete/my-secret
+
+   $ vault kv get secret/my-secret
+   ====== Metadata ======
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:23:21.834403Z
+   deletion_time    n/a
+   destroyed        false
+   version          2
+
+   ====== Data ======
+   Key         Value
+   ---         -----
+   my-value    short-lived-s3cr3t
+   ```
+
+1. Destroying a version permanently deletes the underlying data:
+
+   ```text
+   $ vault kv destroy -versions=2 secret/my-secret
+   Success! Data written to: secret/destroy/my-secret
+   ```
+
+### Key Metadata
+
+All versions and key metadata can be tracked with the metadata command & API.
+Deleting the metadata key will cause all metadata and versions for that key to
+be permanently removed.
+
+See the commands below for more information:
+
+1. All metadata and versions for a key can be viewed:
+
+   ```text
+   $ vault kv metadata get secret/my-secret
+   ========== Metadata ==========
+   Key                     Value
+   ---                     -----
+   cas_required            false
+   created_time            2019-06-19T17:20:22.985303Z
+   current_version         2
+   delete_version_after    0s
+   max_versions            0
+   oldest_version          0
+   updated_time            2019-06-19T17:22:23.369372Z
+
+   ====== Version 1 ======
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:20:22.985303Z
+   deletion_time    n/a
+   destroyed        false
+
+   ====== Version 2 ======
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:22:23.369372Z
+   deletion_time    n/a
+   destroyed        true
+   ```
+
+1. The metadata settings for a key can be configured:
+
+   ```text
+   $ vault kv metadata put -max-versions 2 -delete-version-after="3h25m19s" secret/my-secret
+   Success! Data written to: secret/metadata/my-secret
+   ```
+
+   Delete-version-after settings will apply only to new versions. Max versions
+   changes will be applied on next write:
+
+   ```text
+   $ vault kv put secret/my-secret my-value=newer-s3cr3t
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:31:16.662563Z
+   deletion_time    2019-06-19T20:56:35.662563Z
+   destroyed        false
+   version          4
+   ```
+
+   Once a key has more versions than max versions the oldest versions
+   are cleaned up:
+
+   ```text
+   $ vault kv metadata get secret/my-secret
+   ========== Metadata ==========
+   Key                     Value
+   ---                     -----
+   cas_required            false
+   created_time            2019-06-19T17:20:22.985303Z
+   current_version         4
+   delete_version_after    3h25m19s
+   max_versions            2
+   oldest_version          3
+   updated_time            2019-06-19T17:31:16.662563Z
+
+   ====== Version 3 ======
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:23:21.834403Z
+   deletion_time    n/a
+   destroyed        true
+
+   ====== Version 4 ======
+   Key              Value
+   ---              -----
+   created_time     2019-06-19T17:31:16.662563Z
+   deletion_time    2019-06-19T20:56:35.662563Z
+   destroyed        false
+   ```
+
+1. Permanently delete all metadata and versions for a key:
+
+   ```text
+   $ vault kv metadata delete secret/my-secret
+   Success! Data deleted (if it existed) at: secret/metadata/my-secret
+   ```
+
+## Learn
+
+Refer to the [Versioned Key/Value Secrets
+Engine](https://learn.hashicorp.com/vault/secrets-management/sm-versioned-kv)
+guide for a step-by-step tutorial.
+
+## API
+
+The KV secrets engine has a full HTTP API. Please see the
+[KV secrets engine API](/api/secret/kv/kv-v2.html) for more
+details.
diff --git a/website/pages/docs/secrets/mongodb/index.mdx b/website/pages/docs/secrets/mongodb/index.mdx
new file mode 100644
index 000000000000..8cfb32c725bc
--- /dev/null
+++ b/website/pages/docs/secrets/mongodb/index.mdx
@@ -0,0 +1,129 @@
+---
+layout: docs
+page_title: MongoDB - Secrets Engines
+sidebar_title: MongoDB <sup>DEPRECATED</sup>
+description: >-
+  The mongodb secrets engine for Vault generates database credentials to access
+  MongoDB.
+---
+
+# MongoDB Secrets Engine
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[MongoDB database plugin](/docs/secrets/databases/mongodb.html).
+
+The `mongodb` secrets engine for Vault generates MongoDB database credentials
+dynamically based on configured roles. This means that services that need
+to access a MongoDB database no longer need to hard-code credentials: they
+can request them from Vault and use Vault's leasing mechanism to more easily
+roll them.
+
+Additionally, it introduces a new ability: with every service accessing
+the database with unique credentials, it makes auditing much easier when
+questionable data access is discovered: you can track it down to the specific
+instance of a service based on the MongoDB username.
+
+Vault makes use of its own internal revocation system to ensure that users
+become invalid within a reasonable time of the lease expiring.
+
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
+
+## Quick Start
+
+The first step to using the mongodb secrets engine is to mount it. Unlike the
+`kv` secrets engine, the `mongodb` secrets engine is not mounted by default.
+
+```
+$ vault secrets enable mongodb
+Success! Enabled the mongodb secrets engine at: mongodb/
+```
+
+Next, we must tell Vault how to connect to MongoDB. This is done by providing
+a standard connection string (URI):
+
+```
+$ vault write mongodb/config/connection uri="mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
+Key	Value
+---	-----
+
+The following warnings were returned from the Vault server:
+* Read access to this endpoint should be controlled via ACLs as it will return the connection URI as it is, including passwords, if any.
+```
+
+In this case, we've configured Vault with the username `admin` and password
+`Password!`, connecting to an instance at `mongodb.acme.com` on port `27017`
+with TLS. The user must have privileges to manage users and their roles in the
+databases Vault will manage users in. The built-in role `userAdminAnyDatabase`
+is the simplest way to grant the necessary permissions if we want Vault to
+manage all users in all databases.
+
+Optionally, we can configure the lease settings for the credentials generated
+by Vault. This is done by writing to the `config/lease` key:
+
+```
+$ vault write mongodb/config/lease ttl=1h max_ttl=24h
+Success! Data written to: mongodb/config/lease
+```
+
+This restricts each user to being valid or leased for 1 hour at a time, with
+a maximum total use period of 24 hours. This forces an application to renew
+its credentials at least hourly and to recycle them once per day.
+
+The next step is to configure a role. A role is a logical name that maps
+to a policy used to generate MongoDB credentials for that role.
+
+Note that MongoDB also uses roles. The roles you define in Vault are distinct
+from the built-in and user-defined roles in MongoDB. In fact, when defining
+a Vault role you may specify the MongoDB roles that should be assigned to
+users created for that Vault role.
+
+For example, let's create a "readonly" role:
+
+```
+$ vault write mongodb/roles/readonly db=foo roles='[ "readWrite", { "role": "read", "db": "bar" } ]'
+Success! Data written to: mongodb/roles/readonly
+```
+
+By writing to the `roles/readonly` path we are defining the `readonly` role.
+Each time Vault is asked for credentials for this role, it will create a
+user in the specified MongoDB database with the MongoDB roles provided. The
+username and password of each user created will be dynamically generated by
+Vault. Just like when creating a user directly using `db.createUser`, the
+`roles` JSON array can specify both built-in roles and user-defined roles
+for both the database the user is created in and for other databases. Please
+consult the MongoDB documentation for more details on Role-Based Access
+Control in MongoDB. In this example, Vault will create a user in the `foo`
+database with the `readWrite` built-in role on that database and the `read`
+built-in role on the `bar` database.
+
+To generate a new set of credentials for a given role, we simply read from
+the credentials path for that role:
+
+```
+$ vault read mongodb/creds/readonly
+Key                Value
+---                -----
+lease_id           mongodb/creds/readonly/91685212-3040-7dde-48b1-df997c5dc8e7
+lease_duration     3600
+lease_renewable    true
+db                 foo
+password           c3faa86d-0f93-9649-de91-c431765e62dd
+username           vault-token-48729def-b0ca-2b17-d7b9-3ca7cb86f0ae
+```
+
+By reading from the `creds/readonly` path, Vault has generated a new set of
+credentials using the `readonly` role configuration. Here we see the
+dynamically generated username and password, along with a one hour lease.
+
+Using ACLs, it is possible to restrict using the `mongodb` secrets engine such that
+trusted operators can manage the role definitions, and both users and
+applications are restricted in the credentials they are allowed to read.
+
+## API
+
+The MongoDB secrets engine has a full HTTP API. Please see the
+[MongoDB secrets engine API](/api/secret/mongodb/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/mssql/index.mdx b/website/pages/docs/secrets/mssql/index.mdx
new file mode 100644
index 000000000000..48d19b510f98
--- /dev/null
+++ b/website/pages/docs/secrets/mssql/index.mdx
@@ -0,0 +1,120 @@
+---
+layout: docs
+page_title: MSSQL - Secrets Engines
+sidebar_title: MSSQL <sup>DEPRECATED</sup>
+description: >-
+  The MSSQL secrets engine for Vault generates database credentials to access
+  Microsoft Sql Server.
+---
+
+# MSSQL Secrets Engine
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[MSSQL database plugin](/docs/secrets/databases/mssql.html).
+
+The MSSQL secrets engine for Vault generates database credentials
+dynamically based on configured roles. This means that services that need
+to access a database no longer need to hardcode credentials: they can request
+them from Vault, and use Vault's leasing mechanism to more easily roll keys.
+
+Additionally, it introduces a new ability: with every service accessing
+the database with unique credentials, it makes auditing much easier when
+questionable data access is discovered: you can track it down to the specific
+instance of a service based on the SQL username.
+
+Vault makes use of its own internal revocation system to ensure that users
+become invalid within a reasonable time of the lease expiring.
+
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
+
+## Quick Start
+
+The first step to using the mssql secrets engine is to mount it. Unlike the `kv`
+secrets engine, the `mssql` secrets engine is not mounted by default.
+
+```
+$ vault secrets enable mssql
+Success! Enabled the mssql secrets engine at: mssql/
+```
+
+Next, we must configure Vault to know how to connect to the MSSQL
+instance. This is done by providing a DSN (Data Source Name):
+
+```
+$ vault write mssql/config/connection \
+    connection_string="server=localhost;port=1433;user id=sa;password=Password!;database=AdventureWorks;app name=vault;"
+Success! Data written to: mssql/config/connection
+```
+
+In this case, we've configured Vault with the user "sa" and password "Password!",
+connecting to an instance at "localhost" on port 1433. It is not necessary
+that Vault has the sa login, but the user must have privileges to create
+logins and manage processes. The fixed server roles `securityadmin` and
+`processadmin` are examples of built-in roles that grant these permissions. The
+user also must have privileges to create database users and grant permissions in
+the databases that Vault manages. The fixed database roles `db_accessadmin` and
+`db_securityadmin` are examples or built-in roles that grant these permissions.
+
+Optionally, we can configure the lease settings for credentials generated
+by Vault. This is done by writing to the `config/lease` key:
+
+```
+$ vault write mssql/config/lease \
+    ttl=1h \
+    max_ttl=24h
+Success! Data written to: mssql/config/lease
+```
+
+This restricts each credential to being valid or leased for 1 hour
+at a time, with a maximum use period of 24 hours. This forces an
+application to renew their credentials at least hourly, and to recycle
+them once per day.
+
+The next step is to configure a role. A role is a logical name that maps
+to a policy used to generate those credentials. For example, lets create
+a "readonly" role:
+
+```
+$ vault write mssql/roles/readonly \
+    sql="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; USE AdventureWorks; CREATE USER [{{name}}] FOR LOGIN [{{name}}]; GRANT SELECT ON SCHEMA::dbo TO [{{name}}]"
+Success! Data written to: mssql/roles/readonly
+```
+
+By writing to the `roles/readonly` path we are defining the `readonly` role.
+This role will be created by evaluating the given `sql` statements. By
+default, the `{{name}}` and `{{password}}` fields will be populated by
+Vault with dynamically generated values. This SQL statement is creating
+the named login on the server, user on the AdventureWorks database, and
+then granting it `SELECT` on the `dbo` schema. More complex `GRANT` queries
+can be used to customize the privileges of the role.
+
+To generate a new set of credentials, we simply read from that role:
+
+```
+$ vault read mssql/creds/readonly
+Key               Value
+---               -----
+lease_id          mssql/creds/readonly/cdf23ac8-6dbd-4bf9-9919-6acaaa86ba6c
+lease_duration    3600
+password          ee202d0d-e4fd-4410-8d14-2a78c5c8cb76
+username          root-a147d529-e7d6-4a16-8930-4c3e72170b19
+```
+
+By reading from the `creds/readonly` path, Vault has generated a new
+set of credentials using the `readonly` role configuration. Here we
+see the dynamically generated username and password, along with a one
+hour lease.
+
+Using ACLs, it is possible to restrict using the mssql secrets engine such
+that trusted operators can manage the role definitions, and both
+users and applications are restricted in the credentials they are
+allowed to read.
+
+## API
+
+The MSSQL secrets engine has a full HTTP API. Please see the
+[MSSQL secrets engine API](/api/secret/mssql/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/mysql/index.mdx b/website/pages/docs/secrets/mysql/index.mdx
new file mode 100644
index 000000000000..067e0835d28e
--- /dev/null
+++ b/website/pages/docs/secrets/mysql/index.mdx
@@ -0,0 +1,131 @@
+---
+layout: docs
+page_title: MySQL - Secrets Engines
+sidebar_title: MySQL <sup>DEPRECATED</sup>
+description: >-
+  The MySQL secrets engine for Vault generates database credentials to access
+  MySQL.
+---
+
+# MySQL Secrets Engine
+
+Name: `mysql`
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[MySQL/MariaDB database plugin](/docs/secrets/databases/mysql-maria.html).
+
+The MySQL secrets engine for Vault generates database credentials
+dynamically based on configured roles. This means that services that need
+to access a database no longer need to hardcode credentials: they can request
+them from Vault, and use Vault's leasing mechanism to more easily roll keys.
+
+Additionally, it introduces a new ability: with every service accessing
+the database with unique credentials, it makes auditing much easier when
+questionable data access is discovered: you can track it down to the specific
+instance of a service based on the SQL username.
+
+Vault makes use of its own internal revocation system to ensure that users
+become invalid within a reasonable time of the lease expiring.
+
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
+
+## Quick Start
+
+The first step to using the mysql secrets engine is to mount it. Unlike the `kv`
+secrets engine, the `mysql` secrets engine is not mounted by default.
+
+```
+$ vault secrets enable mysql
+Success! Enabled the mysql secrets engine at: mysql/
+```
+
+Next, we must configure Vault to know how to connect to the MySQL
+instance. This is done by providing a [DSN (Data Source Name)](https://github.com/go-sql-driver/mysql#dsn-data-source-name):
+
+```
+$ vault write mysql/config/connection \
+    connection_url="root:root@tcp(192.168.33.10:3306)/"
+Success! Data written to: mysql/config/connection
+```
+
+In this case, we've configured Vault with the user "root" and password "root,
+connecting to an instance at "192.168.33.10" on port 3306. It is not necessary
+that Vault has the root user, but the user must have privileges to create
+other users, namely the `GRANT OPTION` privilege.
+
+For using UNIX socket use: `root:root@unix(/path/to/socket)/`.
+
+Optionally, we can configure the lease settings for credentials generated
+by Vault. This is done by writing to the `config/lease` key:
+
+```
+$ vault write mysql/config/lease \
+    lease=1h \
+    lease_max=24h
+Success! Data written to: mysql/config/lease
+```
+
+This restricts each credential to being valid or leased for 1 hour
+at a time, with a maximum use period of 24 hours. This forces an
+application to renew their credentials at least hourly, and to recycle
+them once per day.
+
+The next step is to configure a role. A role is a logical name that maps
+to a policy used to generate those credentials. For example, lets create
+a "readonly" role:
+
+```
+$ vault write mysql/roles/readonly \
+    sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
+Success! Data written to: mysql/roles/readonly
+```
+
+By writing to the `roles/readonly` path we are defining the `readonly` role.
+This role will be created by evaluating the given `sql` statements. By
+default, the `{{name}}` and `{{password}}` fields will be populated by
+Vault with dynamically generated values. This SQL statement is creating
+the named user, and then granting it `SELECT` or read-only privileges
+to tables in the database. More complex `GRANT` queries can be used to
+customize the privileges of the role. See the [MySQL manual](https://dev.mysql.com/doc/refman/5.7/en/grant.html)
+for more information.
+
+To generate a new set of credentials, we simply read from that role:
+
+```
+$ vault read mysql/creds/readonly
+Key               Value
+---               -----
+lease_id          mysql/creds/readonly/bd404e98-0f35-b378-269a-b7770ef01897
+lease_duration    3600
+password          132ae3ef-5a64-7499-351e-bfe59f3a2a21
+username          readonly-aefa635a-18
+```
+
+By reading from the `creds/readonly` path, Vault has generated a new
+set of credentials using the `readonly` role configuration. Here we
+see the dynamically generated username and password, along with a one
+hour lease.
+
+Using ACLs, it is possible to restrict using the mysql secrets engine such
+that trusted operators can manage the role definitions, and both
+users and applications are restricted in the credentials they are
+allowed to read.
+
+Optionally, you may configure both the number of characters from the role name
+that are truncated to form the display name portion of the mysql username
+interpolated into the `{{name}}` field: the default is 10.
+
+You may also configure the total number of characters allowed in the entire
+generated username (the sum of the display name and uuid portions); the
+default is 16. Note that versions of MySQL prior to 5.8 have a 16 character
+total limit on user names, so it is probably not safe to increase this above
+the default on versions prior to that.
+
+## API
+
+The MySQL secrets engine has a full HTTP API. Please see the
+[MySQL secrets engine API](/api/secret/mysql/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/nomad/index.mdx b/website/pages/docs/secrets/nomad/index.mdx
new file mode 100644
index 000000000000..bbbf5ced521e
--- /dev/null
+++ b/website/pages/docs/secrets/nomad/index.mdx
@@ -0,0 +1,118 @@
+---
+layout: docs
+page_title: Nomad Secret Backend
+sidebar_title: Nomad
+description: The Nomad secret backend for Vault generates tokens for Nomad dynamically.
+---
+
+# Nomad Secret Backend
+
+Name: `Nomad`
+
+The Nomad secret backend for Vault generates
+[Nomad](https://www.nomadproject.io)
+API tokens dynamically based on pre-existing Nomad ACL policies.
+
+This page will show a quick start for this backend. For detailed documentation
+on every path, use `vault path-help` after mounting the backend.
+
+~> **Version information** ACLs are only available on Nomad 0.7.0 and above.
+
+## Quick Start
+
+The first step to using the vault backend is to mount it.
+Unlike the `generic` backend, the `nomad` backend is not mounted by default.
+
+```
+$ vault secrets enable nomad
+Successfully mounted 'nomad' at 'nomad'!
+```
+
+Optionally, we can configure the lease settings for credentials generated
+by Vault. This is done by writing to the `config/lease` key:
+
+```
+$ vault write nomad/config/lease ttl=3600 max_ttl=86400
+Success! Data written to: nomad/config/lease
+```
+
+For a quick start, you can use the SecretID token provided by the [Nomad ACL bootstrap
+process](https://www.nomadproject.io/guides/acl.html#generate-the-initial-token), although this
+is discouraged for production deployments.
+
+```
+$ nomad acl bootstrap
+Accessor ID  = 95a0ee55-eaa6-2c0a-a900-ed94c156754e
+Secret ID    = c25b6ca0-ea4e-000f-807a-fd03fcab6e3c
+Name         = Bootstrap Token
+Type         = management
+Global       = true
+Policies     = n/a
+Create Time  = 2017-09-20 19:40:36.527512364 +0000 UTC
+Create Index = 7
+Modify Index = 7
+```
+
+The suggested pattern is to generate a token specifically for Vault, following the
+[Nomad ACL guide](https://www.nomadproject.io/guides/acl.html)
+
+Next, we must configure Vault to know how to contact Nomad.
+This is done by writing the access information:
+
+```
+$ vault write nomad/config/access \
+    address=http://127.0.0.1:4646 \
+    token=adf4238a-882b-9ddc-4a9d-5b6758e4159e
+Success! Data written to: nomad/config/access
+```
+
+In this case, we've configured Vault to connect to Nomad
+on the default port with the loopback address. We've also provided
+an ACL token to use with the `token` parameter. Vault must have a management
+type token so that it can create and revoke ACL tokens.
+
+The next step is to configure a role. A role is a logical name that maps
+to a set of policy names used to generate those credentials. For example, let's create
+a "monitoring" role that maps to a "readonly" policy:
+
+```
+$ vault write nomad/role/monitoring policies=readonly
+Success! Data written to: nomad/role/monitoring
+```
+
+The backend expects either a single or a comma separated list of policy names.
+
+To generate a new Nomad ACL token, we simply read from that role:
+
+```
+$ vault read nomad/creds/monitoring
+Key              Value
+---              -----
+lease_id         nomad/creds/monitoring/78ec3ef3-c806-1022-4aa8-1dbae39c760c
+lease_duration   768h0m0s
+lease_renewable  true
+accessor_id      a715994d-f5fd-1194-73df-ae9dad616307
+secret_id        b31fb56c-0936-5428-8c5f-ed010431aba9
+```
+
+Here we can see that Vault has generated a new Nomad ACL token for us.
+We can test this token out, by reading it in Nomad (by it's accessor):
+
+```
+$ nomad acl token info a715994d-f5fd-1194-73df-ae9dad616307
+Accessor ID  = a715994d-f5fd-1194-73df-ae9dad616307
+Secret ID    = b31fb56c-0936-5428-8c5f-ed010431aba9
+Name         = Vault example root 1505945527022465593
+Type         = client
+Global       = false
+Policies     = [readonly]
+Create Time  = 2017-09-20 22:12:07.023455379 +0000 UTC
+Create Index = 138
+Modify Index = 138
+```
+
+## API
+
+The Nomad secret backend has a full HTTP API. Please see the
+[Nomad secret backend API](/api/secret/nomad/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/pki/index.mdx b/website/pages/docs/secrets/pki/index.mdx
new file mode 100644
index 000000000000..251dfd323c4c
--- /dev/null
+++ b/website/pages/docs/secrets/pki/index.mdx
@@ -0,0 +1,683 @@
+---
+layout: docs
+page_title: PKI - Secrets Engines
+sidebar_title: PKI (Certificates)
+description: The PKI secrets engine for Vault generates TLS certificates.
+---
+
+# PKI Secrets Engine
+
+The PKI secrets engine generates dynamic X.509 certificates. With this secrets
+engine, services can get certificates without going through the usual manual
+process of generating a private key and CSR, submitting to a CA, and waiting for
+a verification and signing process to complete. Vault's built-in authentication
+and authorization mechanisms provide the verification functionality.
+
+By keeping TTLs relatively short, revocations are less likely to be needed,
+keeping CRLs short and helping the secrets engine scale to large workloads. This
+in turn allows each instance of a running application to have a unique
+certificate, eliminating sharing and the accompanying pain of revocation and
+rollover.
+
+In addition, by allowing revocation to mostly be forgone, this secrets engine
+allows for ephemeral certificates. Certificates can be fetched and stored in
+memory upon application startup and discarded upon shutdown, without ever being
+written to disk.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the PKI secrets engine:
+
+   ```text
+   $ vault secrets enable pki
+   Success! Enabled the pki secrets engine at: pki/
+   ```
+
+   By default, the secrets engine will mount at the name of the engine. To
+   enable the secrets engine at a different path, use the `-path` argument.
+
+1. Increase the TTL by tuning the secrets engine. The default value of 30 days may be too short, so increase it to 1 year:
+
+   ```text
+   $ vault secrets tune -max-lease-ttl=8760h pki
+   Success! Tuned the secrets engine at: pki/
+   ```
+
+   Note that individual roles can restrict this value to be shorter on a
+   per-certificate basis. This just configures the global maximum for this
+   secrets engine.
+
+1. Configure a CA certificate and private key. Vault can accept an existing key
+   pair, or it can generate its own self-signed root. In general, we recommend
+   maintaining your root CA outside of Vault and providing Vault a signed
+   intermediate CA.
+
+   ```text
+   $ vault write pki/root/generate/internal \
+       common_name=my-website.com \
+       ttl=8760h
+
+   Key              Value
+   ---              -----
+   certificate      -----BEGIN CERTIFICATE-----...
+   expiration       1536807433
+   issuing_ca       -----BEGIN CERTIFICATE-----...
+   serial_number    7c:f1:fb:2c:6e:4d:99:0e:82:1b:08:0a:81:ed:61:3e:1d:fa:f5:29
+   ```
+
+   The returned certificate is purely informative. The private key is safely
+   stored internally in Vault.
+
+1. Update the CRL location and issuing certificates. These values can be updated
+   in the future.
+
+   ```text
+   $ vault write pki/config/urls \
+       issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
+       crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+   Success! Data written to: pki/config/urls
+   ```
+
+1. Configure a role that maps a name in Vault to a procedure for generating a
+   certificate. When users or machines generate credentials, they are generated
+   against this role:
+
+   ```text
+   $ vault write pki/roles/example-dot-com \
+       allowed_domains=my-website.com \
+       allow_subdomains=true \
+       max_ttl=72h
+   Success! Data written to: pki/roles/example-dot-com
+   ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by writing to the `/issue` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault write pki/issue/example-dot-com \
+        common_name=www.my-website.com
+
+    Key                 Value
+    ---                 -----
+    certificate         -----BEGIN CERTIFICATE-----...
+    issuing_ca          -----BEGIN CERTIFICATE-----...
+    private_key         -----BEGIN RSA PRIVATE KEY-----...
+    private_key_type    rsa
+    serial_number       1d:2e:c6:06:45:18:60:0e:23:d6:c5:17:43:c0:fe:46:ed:d1:50:be
+    ```
+
+    The output will include a dynamically generated private key and certificate
+    which corresponds to the given role and expires in 72h (as dictated by our
+    role definition). The issuing CA and trust chain is also returned for
+    automation simplicity.
+
+## Considerations
+
+To successfully deploy this secrets engine, there are a number of important
+considerations to be aware of, as well as some preparatory steps that should be
+undertaken. You should read all of these _before_ using this secrets engine or
+generating the CA to use with this secrets engine.
+
+### Be Careful with Root CAs
+
+Vault storage is secure, but not as secure as a piece of paper in a bank vault.
+It is, after all, networked software. If your root CA is hosted outside of
+Vault, don't put it in Vault as well; instead, issue a shorter-lived
+intermediate CA certificate and put this into Vault. This aligns with industry
+best practices.
+
+Since 0.4, the secrets engine supports generating self-signed root CAs and
+creating and signing CSRs for intermediate CAs. In each instance, for security
+reasons, the private key can _only_ be exported at generation time, and the
+ability to do so is part of the command path (so it can be put into ACL
+policies).
+
+If you plan on using intermediate CAs with Vault, it is suggested that you let
+Vault create CSRs and do not export the private key, then sign those with your
+root CA (which may be a second mount of the `pki` secrets engine).
+
+### One CA Certificate, One Secrets Engine
+
+In order to vastly simplify both the configuration and codebase of the PKI
+secrets engine, only one CA certificate is allowed per secrets engine. If you
+want to issue certificates from multiple CAs, mount the PKI secrets engine at
+multiple mount points with separate CA certificates in each.
+
+This also provides a convenient method of switching to a new CA certificate
+while keeping CRLs valid from the old CA certificate; simply mount a new secrets
+engine and issue from there.
+
+A common pattern is to have one mount act as your root CA and to use this CA
+only to sign intermediate CA CSRs from other PKI secrets engines.
+
+### Keep certificate lifetimes short, for CRL's sake
+
+This secrets engine aligns with Vault's philosophy of short-lived secrets. As
+such it is not expected that CRLs will grow large; the only place a private key
+is ever returned is to the requesting client (this secrets engine does _not_
+store generated private keys, except for CA certificates). In most cases, if the
+key is lost, the certificate can simply be ignored, as it will expire shortly.
+
+If a certificate must truly be revoked, the normal Vault revocation function can
+be used; alternately a root token can be used to revoke the certificate using
+the certificate's serial number. Any revocation action will cause the CRL to be
+regenerated. When the CRL is regenerated, any expired certificates are removed
+from the CRL (and any revoked, expired certificate are removed from secrets
+engine storage).
+
+This secrets engine does not support multiple CRL endpoints with sliding date
+windows; often such mechanisms will have the transition point a few days apart,
+but this gets into the expected realm of the actual certificate validity periods
+issued from this secrets engine. A good rule of thumb for this secrets engine
+would be to simply not issue certificates with a validity period greater than
+your maximum comfortable CRL lifetime. Alternately, you can control CRL caching
+behavior on the client to ensure that checks happen more often.
+
+Often multiple endpoints are used in case a single CRL endpoint is down so that
+clients don't have to figure out what to do with a lack of response. Run Vault in HA mode, and the CRL endpoint should be available even if a particular node
+is down.
+
+### You must configure issuing/CRL/OCSP information _in advance_
+
+This secrets engine serves CRLs from a predictable location, but it is not
+possible for the secrets engine to know where it is running. Therefore, you must
+configure desired URLs for the issuing certificate, CRL distribution points, and
+OCSP servers manually using the `config/urls` endpoint. It is supported to have
+more than one of each of these by passing in the multiple URLs as a
+comma-separated string parameter.
+
+### Safe Minimums
+
+Since its inception, this secrets engine has enforced SHA256 for signature
+hashes rather than SHA1. As of 0.5.1, a minimum of 2048 bits for RSA keys is
+also enforced. Software that can handle SHA256 signatures should also be able to
+handle 2048-bit keys, and 1024-bit keys are considered unsafe and are disallowed
+in the Internet PKI.
+
+### Token Lifetimes and Revocation
+
+When a token expires, it revokes all leases associated with it. This means that
+long-lived CA certs need correspondingly long-lived tokens, something that is
+easy to forget. Starting with 0.6, root and intermediate CA certs no longer have
+associated leases, to prevent unintended revocation when not using a token with
+a long enough lifetime. To revoke these certificates, use the `pki/revoke`
+endpoint.
+
+## Quick Start
+
+#### Mount the backend
+
+The first step to using the PKI backend is to mount it. Unlike the `kv`
+backend, the `pki` backend is not mounted by default.
+
+```text
+$ vault secrets enable pki
+Successfully mounted 'pki' at 'pki'!
+```
+
+#### Configure a CA certificate
+
+Next, Vault must be configured with a CA certificate and associated private
+key. We'll take advantage of the backend's self-signed root generation support,
+but Vault also supports generating an intermediate CA (with a CSR for signing)
+or setting a PEM-encoded certificate and private key bundle directly into the
+backend.
+
+Generally you'll want a root certificate to only be used to sign CA
+intermediate certificates, but for this example we'll proceed as if you will
+issue certificates directly from the root. As it's a root, we'll want to set a
+long maximum life time for the certificate; since it honors the maximum mount
+TTL, first we adjust that:
+
+```text
+$ vault secrets tune -max-lease-ttl=87600h pki
+Successfully tuned mount 'pki'!
+```
+
+That sets the maximum TTL for secrets issued from the mount to 10 years. (Note
+that roles can further restrict the maximum TTL.)
+
+Now, we generate our root certificate:
+
+```text
+$ vault write pki/root/generate/internal common_name=myvault.com ttl=87600h
+Key             Value
+---             -----
+certificate     -----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUJqrw/9EDZbp4DExaLjh0vSAHyBgwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMjA4MTkyMzIwWhcNMjcx
+MjA2MTkyMzQ5WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKY/vJ6sRFym+yFYUneoVtDmOCaDKAQiGzQw0IXL
+wgMBBb82iKpYj5aQjXZGIl+VkVnCi+M2AQ/iYXWZf1kTAdle4A6OC4+VefSIa2b4
+eB7R8aiGTce62jB95+s5/YgrfIqk6igfpCSXYLE8ubNDA2/+cqvjhku1UzlvKBX2
+hIlgWkKlrsnybHN+B/3Usw9Km/87rzoDR3OMxLV55YPHiq6+olIfSSwKAPjH8LZm
+uM1ITLG3WQUl8ARF17Dj+wOKqbUG38PduVwKL5+qPksrvNwlmCP7Kmjncc6xnYp6
+5lfr7V4DC/UezrJYCIb0g/SvtxoN1OuqmmvSTKiEE7hVOAcCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFECKdYM4gDbM
+kxRZA2wR4f/yNhQUMB8GA1UdIwQYMBaAFECKdYM4gDbMkxRZA2wR4f/yNhQUMBYG
+A1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCCJKZPcjjn
+7mvD2+sr6lx4DW/vJwVSW8eTuLtOLNu6/aFhcgTY/OOB8q4n6iHuLrEt8/RV7RJI
+obRx74SfK9BcOLt4+DHGnFXqu2FNVnhDMOKarj41yGyXlJaQRUPYf6WJJLF+ZphN
+nNsZqHJHBfZtpJpE5Vywx3pah08B5yZHk1ItRPEz7EY3uwBI/CJoBb+P5Ahk6krc
+LZ62kFwstkVuFp43o3K7cRNexCIsZGx2tsyZ0nyqDUFsBr66xwUfn3C+/1CDc9YL
+zjq+8nI2ooIrj4ZKZCOm2fKd1KeGN/CZD7Ob6uNhXrd0Tjwv00a7nffvYQkl/1V5
+BT55jevSPVVu
+-----END CERTIFICATE-----
+expiration      1828121029
+issuing_ca      -----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUJqrw/9EDZbp4DExaLjh0vSAHyBgwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMjA4MTkyMzIwWhcNMjcx
+MjA2MTkyMzQ5WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKY/vJ6sRFym+yFYUneoVtDmOCaDKAQiGzQw0IXL
+wgMBBb82iKpYj5aQjXZGIl+VkVnCi+M2AQ/iYXWZf1kTAdle4A6OC4+VefSIa2b4
+eB7R8aiGTce62jB95+s5/YgrfIqk6igfpCSXYLE8ubNDA2/+cqvjhku1UzlvKBX2
+hIlgWkKlrsnybHN+B/3Usw9Km/87rzoDR3OMxLV55YPHiq6+olIfSSwKAPjH8LZm
+uM1ITLG3WQUl8ARF17Dj+wOKqbUG38PduVwKL5+qPksrvNwlmCP7Kmjncc6xnYp6
+5lfr7V4DC/UezrJYCIb0g/SvtxoN1OuqmmvSTKiEE7hVOAcCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFECKdYM4gDbM
+kxRZA2wR4f/yNhQUMB8GA1UdIwQYMBaAFECKdYM4gDbMkxRZA2wR4f/yNhQUMBYG
+A1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCCJKZPcjjn
+7mvD2+sr6lx4DW/vJwVSW8eTuLtOLNu6/aFhcgTY/OOB8q4n6iHuLrEt8/RV7RJI
+obRx74SfK9BcOLt4+DHGnFXqu2FNVnhDMOKarj41yGyXlJaQRUPYf6WJJLF+ZphN
+nNsZqHJHBfZtpJpE5Vywx3pah08B5yZHk1ItRPEz7EY3uwBI/CJoBb+P5Ahk6krc
+LZ62kFwstkVuFp43o3K7cRNexCIsZGx2tsyZ0nyqDUFsBr66xwUfn3C+/1CDc9YL
+zjq+8nI2ooIrj4ZKZCOm2fKd1KeGN/CZD7Ob6uNhXrd0Tjwv00a7nffvYQkl/1V5
+BT55jevSPVVu
+-----END CERTIFICATE-----
+serial_number   26:aa:f0:ff:d1:03:65:ba:78:0c:4c:5a:2e:38:74:bd:20:07:c8:18
+```
+
+The returned certificate is purely informational; it and its private key are
+safely stored in the backend mount.
+
+#### Set URL configuration
+
+Generated certificates can have the CRL location and the location of the
+issuing certificate encoded. These values must be set manually and typically to FQDN associated to the Vault server, but can be changed at any time.
+
+```text
+$ vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"
+Success! Data written to: pki/ca/urls
+```
+
+#### Configure a role
+
+The next step is to configure a role. A role is a logical name that maps to a
+policy used to generate those credentials. For example, let's create an
+"example-dot-com" role:
+
+```text
+$ vault write pki/roles/example-dot-com \
+    allowed_domains=example.com \
+    allow_subdomains=true max_ttl=72h
+Success! Data written to: pki/roles/example-dot-com
+```
+
+#### Issue Certificates
+
+By writing to the `roles/example-dot-com` path we are defining the
+`example-dot-com` role. To generate a new certificate, we simply write
+to the `issue` endpoint with that role name: Vault is now configured to create
+and manage certificates!
+
+```text
+$ vault write pki/issue/example-dot-com \
+    common_name=blah.example.com
+Key                 Value
+---                 -----
+certificate         -----BEGIN CERTIFICATE-----
+MIIDvzCCAqegAwIBAgIUWQuvpMpA2ym36EoiYyf3Os5UeIowDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMjA4MTkyNDA1WhcNMTcx
+MjExMTkyNDM1WjAbMRkwFwYDVQQDExBibGFoLmV4YW1wbGUuY29tMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1CU93lVgcLXGPxRGTRT3GM5wqytCo7Z6
+gjfoHyKoPCAqjRdjsYgp1FMvumNQKjUat5KTtr2fypbOnAURDCh4bN/omcj7eAqt
+ldJ8mf8CtKUaaJ1kp3R6RRFY/u96BnmKUG8G7oDeEDsKlXuEuRcNbGlGF8DaM/O1
+HFa57cM/8yFB26Nj5wBoG5Om6ee5+W+14Qee8AB6OJbsf883Z+zvhJTaB0QM4ZUq
+uAMoMVEutWhdI5EFm5OjtMeMu2U+iJl2XqqgQ/JmLRjRdMn1qd9TzTaVSnjoZ97s
+jHK444Px1m45einLqKUJ+Ia2ljXYkkItJj9Ut6ZSAP9fHlAtX84W3QIDAQABo4H/
+MIH8MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwHQYDVR0OBBYEFH/YdObW6T94U0zuU5hBfTfU5pt1MB8GA1UdIwQYMBaAFECK
+dYM4gDbMkxRZA2wR4f/yNhQUMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYf
+aHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraS9jYTAbBgNVHREEFDASghBibGFo
+LmV4YW1wbGUuY29tMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly8xMjcuMC4wLjE6
+ODIwMC92MS9wa2kvY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCDXbHV68VayweB2tkb
+KDdCaveaTULjCeJUnm9UT/6C0YqC/RxTAjdKFrilK49elOA3rAtEL6dmsDP2yH25
+ptqi2iU+y99HhZgu0zkS/p8elYN3+l+0O7pOxayYXBkFf5t0TlEWSTb7cW+Etz/c
+MvSqx6vVvspSjB0PsA3eBq0caZnUJv2u/TEiUe7PPY0UmrZxp/R/P/kE54yI3nWN
+4Cwto6yUwScOPbVR1d3hE2KU2toiVkEoOk17UyXWTokbG8rG0KLj99zu7my+Fyre
+sjV5nWGDSMZODEsGxHOC+JgNAC1z3n14/InFNOsHICnA5AnJzQdSQQjvcZHN2NyW
++t4f
+-----END CERTIFICATE-----
+issuing_ca          -----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUJqrw/9EDZbp4DExaLjh0vSAHyBgwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMjA4MTkyMzIwWhcNMjcx
+MjA2MTkyMzQ5WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKY/vJ6sRFym+yFYUneoVtDmOCaDKAQiGzQw0IXL
+wgMBBb82iKpYj5aQjXZGIl+VkVnCi+M2AQ/iYXWZf1kTAdle4A6OC4+VefSIa2b4
+eB7R8aiGTce62jB95+s5/YgrfIqk6igfpCSXYLE8ubNDA2/+cqvjhku1UzlvKBX2
+hIlgWkKlrsnybHN+B/3Usw9Km/87rzoDR3OMxLV55YPHiq6+olIfSSwKAPjH8LZm
+uM1ITLG3WQUl8ARF17Dj+wOKqbUG38PduVwKL5+qPksrvNwlmCP7Kmjncc6xnYp6
+5lfr7V4DC/UezrJYCIb0g/SvtxoN1OuqmmvSTKiEE7hVOAcCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFECKdYM4gDbM
+kxRZA2wR4f/yNhQUMB8GA1UdIwQYMBaAFECKdYM4gDbMkxRZA2wR4f/yNhQUMBYG
+A1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCCJKZPcjjn
+7mvD2+sr6lx4DW/vJwVSW8eTuLtOLNu6/aFhcgTY/OOB8q4n6iHuLrEt8/RV7RJI
+obRx74SfK9BcOLt4+DHGnFXqu2FNVnhDMOKarj41yGyXlJaQRUPYf6WJJLF+ZphN
+nNsZqHJHBfZtpJpE5Vywx3pah08B5yZHk1ItRPEz7EY3uwBI/CJoBb+P5Ahk6krc
+LZ62kFwstkVuFp43o3K7cRNexCIsZGx2tsyZ0nyqDUFsBr66xwUfn3C+/1CDc9YL
+zjq+8nI2ooIrj4ZKZCOm2fKd1KeGN/CZD7Ob6uNhXrd0Tjwv00a7nffvYQkl/1V5
+BT55jevSPVVu
+-----END CERTIFICATE-----
+private_key         -----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA1CU93lVgcLXGPxRGTRT3GM5wqytCo7Z6gjfoHyKoPCAqjRdj
+sYgp1FMvumNQKjUat5KTtr2fypbOnAURDCh4bN/omcj7eAqtldJ8mf8CtKUaaJ1k
+p3R6RRFY/u96BnmKUG8G7oDeEDsKlXuEuRcNbGlGF8DaM/O1HFa57cM/8yFB26Nj
+5wBoG5Om6ee5+W+14Qee8AB6OJbsf883Z+zvhJTaB0QM4ZUquAMoMVEutWhdI5EF
+m5OjtMeMu2U+iJl2XqqgQ/JmLRjRdMn1qd9TzTaVSnjoZ97sjHK444Px1m45einL
+qKUJ+Ia2ljXYkkItJj9Ut6ZSAP9fHlAtX84W3QIDAQABAoIBAQCf5YIANfF+gkNt
+/+YM6yRi+hZJrU2I/1zPETxPW1vaFZR8y4hEoxCEDD8JCRm+9k+w1TWoorvxgkEv
+r1HuDALYbNtwLd/71nCHYCKyH1b2uQpyl07qOAyASlb9r5oVjz4E6eobkd3N9fJA
+QN0EdK+VarN968mLJsD3Hxb8chGdObBCQ+LO+zdqQLaz+JwhfnK98rm6huQtYK3w
+ccd0OwoVmtZz2eJl11TJkB9fi4WqJyxl4wST7QC80LstB1deR78oDmN5WUKU12+G
+4Mrgc1hRwUSm18HTTgAhaA4A3rjPyirBohb5Sf+jJxusnnay7tvWeMnIiRI9mqCE
+dr3tLrcxAoGBAPL+jHVUF6sxBqm6RTe8Ewg/8RrGmd69oB71QlVUrLYyC96E2s56
+19dcyt5U2z+F0u9wlwR1rMb2BJIXbxlNk+i87IHmpOjCMS38SPZYWLHKj02eGfvA
+MjKKqEjNY/md9eVAVZIWSEy63c4UcBK1qUH3/5PNlyjk53gCOI/4OXX/AoGBAN+A
+Alyd6A/pyHWq8WMyAlV18LnzX8XktJ07xrNmjbPGD5sEHp+Q9V33NitOZpu3bQL+
+gCNmcrodrbr9LBV83bkAOVJrf82SPaBesV+ATY7ZiWpqvHTmcoS7nglM2XTr+uWR
+Y9JGdpCE9U5QwTc6qfcn7Eqj7yNvvHMrT+1SHwsjAoGBALQyQEbhzYuOF7rV/26N
+ci+z+0A39vNO++b5Se+tk0apZlPlgb2NK3LxxR+LHevFed9GRzdvbGk/F7Se3CyP
+cxgswdazC6fwGjhX1mOYsG1oIU0V6X7f0FnaqWETrwf1M9yGEO78xzDfgozIazP0
+s0fQeR9KXsZcuaotO3TIRxRRAoGAMFIDsLRvDKm1rkL0B0czm/hwwDMu/KDyr5/R
+2M2OS1TB4PjmCgeUFOmyq3A63OWuStxtJboribOK8Qd1dXvWj/3NZtVY/z/j1P1E
+Ceq6We0MOZa0Ae4kyi+p/kbAKPgv+VwSoc6cKailRHZPH7quLoJSIt0IgbfRnXC6
+ygtcLNMCgYBwiPw2mTYvXDrAcO17NhK/r7IL7BEdFdx/w8vNJQp+Ub4OO3Iw6ARI
+vXxu6A+Qp50jra3UUtnI+hIirMS+XEeWqJghK1js3ZR6wA/ZkYZw5X1RYuPexb/4
+6befxmnEuGSbsgvGqYYTf5Z0vgsw4tAHfNS7TqSulYH06CjeG1F8DQ==
+-----END RSA PRIVATE KEY-----
+private_key_type    rsa
+serial_number       59:0b:af:a4:ca:40:db:29:b7:e8:4a:22:63:27:f7:3a:ce:54:78:8a
+```
+
+Vault has now generated a new set of credentials using the `example-dot-com`
+role configuration. Here we see the dynamically generated private key and
+certificate.
+
+Using ACLs, it is possible to restrict using the pki backend such that trusted
+operators can manage the role definitions, and both users and applications are
+restricted in the credentials they are allowed to read.
+
+If you get stuck at any time, simply run `vault path-help pki` or with a
+subpath for interactive help output.
+
+## Setting Up Intermediate CA
+
+In the Quick Start guide, certificates were issued directly from the root
+certificate authority. As described in the example, this is not a recommended
+practice. This guide builds on the previous guide's root certificate authority
+and creates an intermediate authority using the root authority to sign the
+intermediate's certificate.
+
+#### Mount the backend
+
+To add another certificate authority to our Vault instance, we have to mount it
+at a different path.
+
+```text
+$ vault secrets enable -path=pki_int pki
+Successfully mounted 'pki' at 'pki_int'!
+```
+
+#### Configure an Intermediate CA
+
+```text
+$ vault secrets tune -max-lease-ttl=43800h pki_int
+Successfully tuned mount 'pki_int'!
+```
+
+That sets the maximum TTL for secrets issued from the mount to 5 years. This
+value should be less than or equal to the root certificate authority.
+
+Now, we generate our intermediate certificate signing request:
+
+```text
+$ vault write pki_int/intermediate/generate/internal common_name="myvault.com Intermediate Authority" ttl=43800h
+Key Value
+csr -----BEGIN CERTIFICATE REQUEST-----
+MIICsjCCAZoCAQAwLTErMCkGA1UEAxMibXl2YXVsdC5jb20gSW50ZXJtZWRpYXRl
+IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJU1Qh8l
+BW16WHAu34Fy92FnSy4219WVlKw1xwpKxjd95xH6WcxXozOs6oHFQ9c592bz51F8
+KK3FFJYraUrGONI5Cz9qHbzC1mFCmjnXVXCoeNKIzEBG0Y+ehH7MQ1SvDCyvaJPX
+ItFXaGf6zENiGsApw3Y3lFr0MjPzZDBH1p4Nq3aA6L2BaxvO5vczdQl5tE2ud/zs
+GIdCWnl1ThDEeiX1Ppduos/dx3gaZa9ly3iCuDMKIL9yK5XTBTgKB6ALPApekLQB
+kcUFbOuMzjrDSBe9ytu65yICYp26iAPPA8aKTj5cUgscgzEvQS66rSAVG/unrWxb
+wbl8b7eQztCmp60CAwEAAaBAMD4GCSqGSIb3DQEJDjExMC8wLQYDVR0RBCYwJIIi
+bXl2YXVsdC5jb20gSW50ZXJtZWRpYXRlIEF1dGhvcml0eTANBgkqhkiG9w0BAQsF
+AAOCAQEAZA9A1QvTdAd45+Ay55FmKNWnis1zLjbmWNJURUoDei6i6SCJg0YGX1cZ
+WkD0ibxPYihSsKRaIUwC2bE8cxZM57OSs7ISUmyPQAT2IHTHvuGK72qlFRBlFOzg
+SHEG7gfyKdrALphyF8wM3u4gXhcnY3CdltjabL3YakZqd3Ey4870/0XXeo5c4k7w
+/+n9M4xED4TnXYCGfLAlu5WWKSeCvu9mHXnJcLo1MiYjX7KGey/xYYbfxHSPm4ul
+tI6Vf59zDRscfNmq37fERD3TiKP0QZNGTSRvnrxrx2RUQGXFywM8l4doG8nS5BxU
+2jP20cdv0lJFvHr9663/8B/+F5L6Yw==
+-----END CERTIFICATE REQUEST-----
+```
+
+Take the signing request from the intermediate authority and sign it using
+another certificate authority, in this case the root certificate authority
+generated in the first example.
+
+```text
+$ vault write pki/root/sign-intermediate csr=@pki_int.csr format=pem_bundle ttl=43800h
+Key             Value
+certificate     -----BEGIN CERTIFICATE-----
+MIIDZTCCAk2gAwIBAgIUENxQD7KIJi1zE/jEiYqAG1VC4NwwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMTI4MTcwNzIzWhcNMjIx
+MTI3MTcwNzUzWjAtMSswKQYDVQQDEyJteXZhdWx0LmNvbSBJbnRlcm1lZGlhdGUg
+QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5seNV4Yd
+uCMX0POUUuSzCBiR3Cyf9b9tGsCX7UfvZmjPs+Fl/X+Ovq6UtHM9RuTGlyfFrCWy
+pflO7mc0H8PBzlvhv1WQet5aRyUOXkG6iYmooG9iobIY8z/TZCaCF605pgygfOaS
+DIlwOdJkfiXxGpQ00pfIwe/Y2OK2I5e36u0E2EA6kXvcfexLjQGFPbod+H0R29Ro
+/GwOJ6MpSHqB77mF025x1y08EtqT1z1kFCiDzFSkzNZEZYWljhDS6ZRY9ctzKufm
+5CkUwmvCVRI2CivDJvmfhXyv0DRoq4IhYdJHo179RSObq3BY9f9LQ0balNLiM0Ft
+O8f0urTqUAbySwIDAQABo4GTMIGQMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBSQgTfcMrKYzyckP6t/0iVQkl0ZBDAfBgNVHSMEGDAW
+gBRccsCARqs3wQDjW7JMNXS6pWlFSDAtBgNVHREEJjAkgiJteXZhdWx0LmNvbSBJ
+bnRlcm1lZGlhdGUgQXV0aG9yaXR5MA0GCSqGSIb3DQEBCwUAA4IBAQABNg2HxccY
+DwRpsJ+sxA0BgDyF+tYtOlXViVNv6Z+nOU0nNhQSCjfzjYWmBg25nfKaFhQSC3b7
+fIW+e7it/FLVrCgaqdysoxljqhR0gXMAy8S/ubmskPWjJiKauJB5bfB59Uf2GP6j
+zimZDu6WjWvvgkKcJqJEbOOS9DWBvCTdmmml1NMXZtcytpod2Y7mxninqNRx3qpx
+Pst4vgAbyM/3zLSzkyUD+MXIyRXwxktFlyEYBHvMd9OoHzLO6WLxk22FyQQ+w4by
+NfXJY4r5pj6a4lJ6pPuqyfBhidYMTdY3AI7w/QRGk4qQv1iDmnZspk2AxdbR5Lwe
+YmChIML/f++S
+-----END CERTIFICATE-----
+expiration      1669568873
+issuing_ca      -----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUdR44qhhyh3CZjnCtflGKQlTI8NswDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMTI4MTYxODA2WhcNMjcx
+MTI2MTYxODM1WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBANTPnQ2CUkuLrYT4V6/IIK/gWFZXFG4lWTmgM5Zh
+PDquMhLEikZCbZKbupouBI8MOr5i8tycENaTnSs9dBwVEOWAHbLkliVgvCKgLi0F
+PfPM87FnBoKVctO2ip8AdmYcAt/wc096dWBG6eKLVP5xsAe7NcYDtF/inHgEZ22q
+ZjGVEyC6WntIASgULoHGgHakPp1AHLhGm8nL5YbusWY7RgZIlNeGWLVoneG0pxdV
+7W1SPO67dsQyq58mTxMIGVUj5YE1q7/C6OhCTnAHc+sRm0oUehPfO8kY4NHpCJGv
+nDRdJi6k6ewk94c0KK2tUUM/TN6ZSRfx6ccgfPH8zNcVPVcCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFxywIBGqzfB
+AONbskw1dLqlaUVIMB8GA1UdIwQYMBaAFFxywIBGqzfBAONbskw1dLqlaUVIMBYG
+A1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBgvsgpBuVR
+iKVdXXpFyoQLImuoaHZgaj5tuUDqnMoxOA1XWW6SVlZmGfDQ7+u5NBkp2cGSDRGm
+ARHJTeURvdZIwdFdGkNqfAZjutRjjQOnXgS65ujZd7AnlZq1v0ZOZqVVk9YEOhOe
+Rh2MjnHGNuiLBib1YNQHNuRef1mPwIE2Gm/Tz/z3JPHtkKNIKbn60zHrIIM/OT2Z
+HYjcMUcqXtKGYfNjVspJm3lSDUoyJdaq80Afmy2Ez1Vt9crGG3Dj8mgs59lEhEyo
+MDVhOP116M5HJfQlRPVd29qS8pFrjBvXKjJSnJNG1UFdrWBJRJ3QrBxUQALKrJlR
+g5lvTeymHjS/
+-----END CERTIFICATE-----
+serial_number   10:dc:50:0f:b2:88:26:2d:73:13:f8:c4:89:8a:80:1b:55:42:e0:dc
+```
+
+Now set the intermediate certificate authorities signing certificate to the
+root-signed certificate.
+
+```text
+$ vault write pki_int/intermediate/set-signed certificate=@signed_certificate.pem
+Success! Data written to: pki_int/intermediate/set-signed
+```
+
+The intermediate certificate authority is now configured and ready to issue
+certificates.
+
+#### Set URL configuration
+
+Generated certificates can have the CRL location and the location of the
+issuing certificate encoded. These values must be set manually, but can be
+changed at any time.
+
+```text
+$ vault write pki_int/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki_int/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki_int/crl"
+Success! Data written to: pki_int/ca/urls
+```
+
+#### Configure a role
+
+The next step is to configure a role. A role is a logical name that maps to a
+policy used to generate those credentials. For example, let's create an
+"example-dot-com" role:
+
+```text
+$ vault write pki_int/roles/example-dot-com \
+    allowed_domains=example.com \
+    allow_subdomains=true max_ttl=72h
+Success! Data written to: pki_int/roles/example-dot-com
+```
+
+#### Issue Certificates
+
+By writing to the `roles/example-dot-com` path we are defining the
+`example-dot-com` role. To generate a new certificate, we simply write
+to the `issue` endpoint with that role name: Vault is now configured to create
+and manage certificates!
+
+```text
+$ vault write pki_int/issue/example-dot-com \
+    common_name=blah.example.com
+Key                 Value
+---                 -----
+certificate         -----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIUPiAyxq+nIE6xlWf7hrzLkPQxtvMwDQYJKoZIhvcNAQEL
+BQAwMzExMC8GA1UEAxMoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1
+dGhvcml0eTAeFw0xNjA5MjcwMDA5MTNaFw0xNjA5MjcwMTA5NDNaMBsxGTAXBgNV
+BAMTEGJsYWguZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDJAYB04IVdmSC/TimaA6BbXlvgBTZHL5wBUTmO4iHhenL0eDEXVe2Fd7Yq
+75LiBJmcC96hKbqh5rwS8KwN9ElZI52/mSMC+IvoNlYHAf7shwfsjrVx3q7/bTFg
+lz6wECn1ugysxynmMvgQD/pliRkxTQ7RMh4Qlh75YG3R9BHy9ZddklZp0aNaitts
+0uufHnN1UER/wxBCZdWTUu34KDL9I6yE7Br0slKKHPdEsGlFcMkbZhvjslZ7DGvO
+974S0qtOdKiawJZbpNPg0foGZ3AxesDUlkHmmgzUNes/sjknDYTHEfeXM6Uap0j6
+XvyhCxqdeahb/Vtibg0z9I0IusJbAgMBAAGjgY8wgYwwDgYDVR0PAQH/BAQDAgOo
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU/5oy0rL7
+TT0wX7KZK7qcXqgayNwwHwYDVR0jBBgwFoAUgM37P8oXmA972ztLfw+b1eIY5now
+GwYDVR0RBBQwEoIQYmxhaC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+CT2vI6/taeLTw6ZulUhLXEXYXWZu1gF8n2COjZzbZXmHxQAoZ3GtnSNwacPHAyIj
+f3cA9Moo552y39LUtWk+wgFtQokWGK7LXglLaveNUBowOHq/xk0waiIinJcgTG53
+Z/qnbJnTjAOG7JwVJplWUIiS1avCksrHt7heE2EGRGJALqyLZ119+PW6ogtCLUv1
+X8RCTw/UkIF/LT+sLF0bXWy4Hn38Gjwj1MVv1l76cEGOVSHyrYkN+6AMnAP58L5+
+IWE9tN3oac4x7jhbuNpfxazIJ8Q6l/Up5U5Evfbh6N1DI0/gFCP20fMBkHwkuLfZ
+2ekZoSeCgFRDlHGkr7Vv9w==
+-----END CERTIFICATE-----
+issuing_ca          -----BEGIN CERTIFICATE-----
+MIIDijCCAnKgAwIBAgIUB28DoGwgGFKL7fbOu9S4FalHLn0wDQYJKoZIhvcNAQEL
+BQAwLzEtMCsGA1UEAxMkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9y
+aXR5MB4XDTE2MDkyNzAwMDgyMVoXDTI2MDkxNjE2MDg1MVowMzExMC8GA1UEAxMo
+VmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1dGhvcml0eTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOSCiSij4wy1wiMwvZt+rtU3IaO6ZTn9
+LfIPuGsR5/QSJk37pCZQco1LgoE/rTl+/xu3bDovyHDmgObghC6rzVOX2Tpi7kD+
+DOZpqxOsaS8ebYgxB/XJTSxyEJuSAcpSNLqqAiZivuQXdaD0N7H3Or0awwmKE9mD
+I0g8CF4fPDmuuOG0ASn9fMqXVVt5tXtEqZ9yJYfNOXx3FOPjRVOZf+kvSc31wCKe
+i/KmR0AQOmToKMzq988nLqFPTi9KZB8sEU20cGFeTQFol+m3FTcIru94EPD+nLUn
+xtlLELVspYb/PP3VpvRj9b+DY8FGJ5nfSJl7Rkje+CD4VxJpSadin3kCAwEAAaOB
+mTCBljAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
+gM37P8oXmA972ztLfw+b1eIY5nowHwYDVR0jBBgwFoAUj4YAIxRwrBy0QMRKLnD0
+kVidIuYwMwYDVR0RBCwwKoIoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3Vi
+IEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAA4buJuPNJvA1kiATLw1dVU2J
+HPubk2Kp26Mg+GwLn7Vz45Ub133JCYfF3/zXLFZZ5Yub9gWTtjScrvNfQTAbNGdQ
+BdnUlMmIRmfB7bfckhryR2R9byumeHATgNKZF7h8liNHI7X8tTzZGs6wPdXOLlzR
+TlM3m1RNK8pbSPOkfPb06w9cBRlD8OAbNtJmuypXA6tYyiiMYBhP0QLAO3i4m1ns
+aAjAgEjtkB1rQxW5DxoTArZ0asiIdmIcIGmsVxfDQIjFlRxAkafMs74v+5U5gbBX
+wsOledU0fLl8KLq8W3OXqJwhGLK65fscrP0/omPAcFgzXf+L4VUADM4XhW6Xyg==
+-----END CERTIFICATE-----
+ca_chain            [-----BEGIN CERTIFICATE-----
+MIIDijCCAnKgAwIBAgIUB28DoGwgGFKL7fbOu9S4FalHLn0wDQYJKoZIhvcNAQEL
+BQAwLzEtMCsGA1UEAxMkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9y
+aXR5MB4XDTE2MDkyNzAwMDgyMVoXDTI2MDkxNjE2MDg1MVowMzExMC8GA1UEAxMo
+VmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1dGhvcml0eTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOSCiSij4wy1wiMwvZt+rtU3IaO6ZTn9
+LfIPuGsR5/QSJk37pCZQco1LgoE/rTl+/xu3bDovyHDmgObghC6rzVOX2Tpi7kD+
+DOZpqxOsaS8ebYgxB/XJTSxyEJuSAcpSNLqqAiZivuQXdaD0N7H3Or0awwmKE9mD
+I0g8CF4fPDmuuOG0ASn9fMqXVVt5tXtEqZ9yJYfNOXx3FOPjRVOZf+kvSc31wCKe
+i/KmR0AQOmToKMzq988nLqFPTi9KZB8sEU20cGFeTQFol+m3FTcIru94EPD+nLUn
+xtlLELVspYb/PP3VpvRj9b+DY8FGJ5nfSJl7Rkje+CD4VxJpSadin3kCAwEAAaOB
+mTCBljAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
+gM37P8oXmA972ztLfw+b1eIY5nowHwYDVR0jBBgwFoAUj4YAIxRwrBy0QMRKLnD0
+kVidIuYwMwYDVR0RBCwwKoIoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3Vi
+IEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAA4buJuPNJvA1kiATLw1dVU2J
+HPubk2Kp26Mg+GwLn7Vz45Ub133JCYfF3/zXLFZZ5Yub9gWTtjScrvNfQTAbNGdQ
+BdnUlMmIRmfB7bfckhryR2R9byumeHATgNKZF7h8liNHI7X8tTzZGs6wPdXOLlzR
+TlM3m1RNK8pbSPOkfPb06w9cBRlD8OAbNtJmuypXA6tYyiiMYBhP0QLAO3i4m1ns
+aAjAgEjtkB1rQxW5DxoTArZ0asiIdmIcIGmsVxfDQIjFlRxAkafMs74v+5U5gbBX
+wsOledU0fLl8KLq8W3OXqJwhGLK65fscrP0/omPAcFgzXf+L4VUADM4XhW6Xyg==
+-----END CERTIFICATE-----]
+private_key         -----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAyQGAdOCFXZkgv04pmgOgW15b4AU2Ry+cAVE5juIh4Xpy9Hgx
+F1XthXe2Ku+S4gSZnAveoSm6oea8EvCsDfRJWSOdv5kjAviL6DZWBwH+7IcH7I61
+cd6u/20xYJc+sBAp9boMrMcp5jL4EA/6ZYkZMU0O0TIeEJYe+WBt0fQR8vWXXZJW
+adGjWorbbNLrnx5zdVBEf8MQQmXVk1Lt+Cgy/SOshOwa9LJSihz3RLBpRXDJG2Yb
+47JWewxrzve+EtKrTnSomsCWW6TT4NH6BmdwMXrA1JZB5poM1DXrP7I5Jw2ExxH3
+lzOlGqdI+l78oQsanXmoW/1bYm4NM/SNCLrCWwIDAQABAoIBAQCCbHMJY1Wl8eIJ
+v5HG2WuHXaaHqVoavo2fXTDXwWryfx1v+zz/Q0YnQBH3shPAi/OQCTOfpw/uVWTb
+dUZul3+wUyfcVmUdXGCLgBY53dWna8Z8e+zHwhISsqtDXV/TpelUBDCNO324XIIR
+Cg0TLO4nyzQ+ESLo6D+Y2DTp8lBjMEkmKTd8CLXR2ycEoVykN98qPZm8keiLGO91
+I8K7aRd8uOyQ6HUfJRlzFHSuwaLReErxGTEPI4t/wVqh2nP2gGBsn3apiJ0ul6Jz
+NlYO5PqiwpeDk4ibhQBpicnm1jnEcynH/WtGuKgMNB0M4SBRBsEguO7WoKx3o+qZ
+iVIaPWDhAoGBAO05UBvyJpAcz/ZNQlaF0EAOhoxNQ3h6+6ZYUE52PgZ/DHftyJPI
+Y+JJNclY91wn91Yk3ROrDi8gqhzA+2Lelxo1kuZDu+m+bpzhVUdJia7tZDNzRIhI
+24eP2GdochooOZ0qjvrik4kuX43amBhQ4RHsBjmX5CnUlL5ZULs8v2xnAoGBANjq
+VLAwiIIqJZEC6BuBvVYKaRWkBCAXvQ3j/OqxHRYu3P68PZ58Q7HrhrCuyQHTph2v
+fzfmEMPbSCrFIrrMRmjUG8wopL7GjZjFl8HOBHFwzFiz+CT5DEC+IJIRkp4HM8F/
+PAzjB2wCdRdSjLTD5ph0/xQIg5xfln7D+wqU0QHtAoGBAKkLF0/ivaIiNftw0J3x
+WxXag/yErlizYpIGCqvuzII6lLr9YdoViT/eJYrmb9Zm0HS9biCu2zuwDijRSBIL
+RieyF40opUaKoi3+0JMtDwTtO2MCd8qaCH3QfkgqAG0tTuj1Q8/6F2JA/myKYamq
+MMhhpYny9+7rAlemM8ZJIqtvAoGBAKOI3zpKDNCdd98A4v7B7H2usZUIJ7gOTZDo
+XqiNyRENWb2PK6GNq/e6SrxvuclvyKA+zFnXULJoYtsj7tAH69lieGaOCc5uoRgZ
+eBU7/euMj/McE6vEO3GgJawaJYCQi3uJMjvA+bp7i81+hehOfU5ZfmmbFaZSBoMh
+u+U5Vu3tAoGBANnBIbHfD3E7rqnqdpH1oRRHLA1VdghzEKgyUTPHNDzPJG87RY3c
+rRqeXepblud3qFjD60xS9BzcBijOvZ4+KHk6VIMpkyqoeNVFCJbBVCw+JGMp88+v
+e9t+2iwryh5+rnq+pg6anmgwHldptJc1XEFZA2UUQ89RP7kOGQF6IkIS
+-----END RSA PRIVATE KEY-----
+private_key_type    rsa
+serial_number       3e:20:32:c6:af:a7:20:4e:b1:95:67:fb:86:bc:cb:90:f4:31:b6:f3
+```
+
+Vault has now generated a new set of credentials using the `example-dot-com`
+role configuration. Here we see the dynamically generated private key and
+certificate. The issuing CA certificate and CA trust chain are returned as well.
+The CA Chain returns all the intermediate authorities in the trust chain. The root
+authority is not included since that will usually be trusted by the underlying
+OS.
+
+## Learn
+
+Refer to the [Build Your Own Certificate Authority (CA)](https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine)
+guide for a step-by-step tutorial.
+
+## API
+
+The PKI secrets engine has a full HTTP API. Please see the
+[PKI secrets engine API](/api/secret/pki/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/postgresql/index.mdx b/website/pages/docs/secrets/postgresql/index.mdx
new file mode 100644
index 000000000000..fca0c243e856
--- /dev/null
+++ b/website/pages/docs/secrets/postgresql/index.mdx
@@ -0,0 +1,121 @@
+---
+layout: docs
+page_title: PostgreSQL - Secrets Engines
+sidebar_title: PostgreSQL <sup>DEPRECATED</sup>
+description: >-
+  The PostgreSQL secrets engine for Vault generates database credentials to
+  access PostgreSQL.
+---
+
+# PostgreSQL Secrets Engine
+
+Name: `postgresql`
+
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[PostgreSQL database plugin](/docs/secrets/databases/postgresql.html).
+
+The PostgreSQL secrets engine for Vault generates database credentials
+dynamically based on configured roles. This means that services that need
+to access a database no longer need to hardcode credentials: they can request
+them from Vault, and use Vault's leasing mechanism to more easily roll keys.
+
+Additionally, it introduces a new ability: with every service accessing
+the database with unique credentials, it makes auditing much easier when
+questionable data access is discovered: you can track it down to the specific
+instance of a service based on the SQL username.
+
+Vault makes use both of its own internal revocation system as well as the
+`VALID UNTIL` setting when creating PostgreSQL users to ensure that users
+become invalid within a reasonable time of the lease expiring.
+
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
+
+## Quick Start
+
+The first step to using the PostgreSQL secrets engine is to mount it. Unlike the
+`kv` secrets engine, the `postgresql` secrets engine is not mounted by default.
+
+```text
+$ vault secrets enable postgresql
+Success! Enabled the postgresql secrets engine at: postgresql/
+```
+
+Next, Vault must be configured to connect to the PostgreSQL. This is done by
+writing either a PostgreSQL URL or PG connection string:
+
+```text
+$ vault write postgresql/config/connection \
+    connection_url="postgresql://root:vaulttest@vaulttest.ciuvljjni7uo.us-west-1.rds.amazonaws.com:5432/postgres"
+```
+
+In this case, we've configured Vault with the user "root" and password "vaulttest",
+connecting to a PostgreSQL instance in AWS RDS. The "postgres" database name is being used.
+It is important that the Vault user have the `GRANT OPTION` privilege to manage users.
+
+Optionally, we can configure the lease settings for credentials generated
+by Vault. This is done by writing to the `config/lease` key:
+
+```
+$ vault write postgresql/config/lease lease=1h lease_max=24h
+Success! Data written to: postgresql/config/lease
+```
+
+This restricts each credential to being valid or leased for 1 hour
+at a time, with a maximum use period of 24 hours. This forces an
+application to renew their credentials at least hourly, and to recycle
+them once per day.
+
+The next step is to configure a role. A role is a logical name that maps
+to a policy used to generated those credentials. For example, lets create
+a "readonly" role:
+
+```text
+$ vault write postgresql/roles/readonly \
+    sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
+    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
+Success! Data written to: postgresql/roles/readonly
+```
+
+By writing to the `roles/readonly` path we are defining the `readonly` role.
+This role will be created by evaluating the given `sql` statements. By
+default, the `{{name}}`, `{{password}}` and `{{expiration}}` fields will be populated by
+Vault with dynamically generated values. This SQL statement is creating
+the named user, and then granting it `SELECT` or read-only privileges
+to tables in the database. More complex `GRANT` queries can be used to
+customize the privileges of the role. See the [PostgreSQL manual](http://www.postgresql.org/docs/9.4/static/sql-grant.html)
+for more information.
+
+To generate a new set of credentials, we simply read from that role:
+Vault is now configured to create and manage credentials for Postgres!
+
+```text
+$ vault read postgresql/creds/readonly
+Key               Value
+---               -----
+lease_id          postgresql/creds/readonly/c888a097-b0e2-26a8-b306-fc7c84b98f07
+lease_duration    3600
+password          34205e88-0de1-68b7-6267-72d8e32c5d3d
+username          root-1430162075-7887
+```
+
+By reading from the `creds/readonly` path, Vault has generated a new
+set of credentials using the `readonly` role configuration. Here we
+see the dynamically generated username and password, along with a one
+hour lease.
+
+Using ACLs, it is possible to restrict using the postgresql secrets engine such
+that trusted operators can manage the role definitions, and both
+users and applications are restricted in the credentials they are
+allowed to read.
+
+If you get stuck at any time, simply run `vault path-help postgresql` or with a
+subpath for interactive help output.
+
+## API
+
+The PostgreSQL secrets engine has a full HTTP API. Please see the
+[PostgreSQL secrets engine API](/api/secret/postgresql/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/rabbitmq/index.mdx b/website/pages/docs/secrets/rabbitmq/index.mdx
new file mode 100644
index 000000000000..51460ccf2dfe
--- /dev/null
+++ b/website/pages/docs/secrets/rabbitmq/index.mdx
@@ -0,0 +1,102 @@
+---
+layout: docs
+page_title: RabbitMQ - Secrets Engines
+sidebar_title: RabbitMQ
+description: >-
+  The RabbitMQ secrets engine for Vault generates user credentials to access
+  RabbitMQ.
+---
+
+# RabbitMQ Secrets Engine
+
+The RabbitMQ secrets engine generates user credentials dynamically based on
+configured permissions and virtual hosts. This means that services that need to
+access a virtual host no longer need to hardcode credentials.
+
+With every service accessing the messaging queue with unique credentials,
+auditing is much easier when questionable data access is discovered. Easily
+track issues down to a specific instance of a service based on the RabbitMQ
+username.
+
+Vault makes use both of its own internal revocation system as well as the
+deleting RabbitMQ users when creating RabbitMQ users to ensure that users become
+invalid within a reasonable time of the lease expiring.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the RabbitMQ secrets engine:
+
+    ```text
+    $ vault secrets enable rabbitmq
+    Success! Enabled the rabbitmq secrets engine at: rabbitmq/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure the credentials that Vault uses to communicate with RabbitMQ to
+    generate credentials:
+
+    ```text
+    $ vault write rabbitmq/config/connection \
+        connection_uri="http://localhost:15672" \
+        username="admin" \
+        password="password"
+    Success! Data written to: rabbitmq/config/connection
+    ```
+
+    It is important that the Vault user have the administrator privilege to
+    manager users.
+
+1.  Configure a role that maps a name in Vault to virtual host permissions:
+
+    ```text
+    $ vault write rabbitmq/roles/my-role \
+        vhosts='{"/":{"write": ".*", "read": ".*"}}'
+    Success! Data written to: rabbitmq/roles/my-role
+    ```
+
+    By writing to the `roles/my-role` path we are defining the `my-role` role.
+    This role will be created by evaluating the given `vhosts`, `vhost_topics`
+    and `tags` statements. By default, no tags, no virtual hosts or topic
+    permissions are assigned to a role. If no topic permissions are defined
+    and the default authorisation backend is used, publishing to a topic
+    exchange or consuming from a topic is always authorised. You can read
+    more about [RabbitMQ management tags][rmq-perms]
+    and [RabbitMQ topic authorization][rmq-topics].
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new credential by reading from the `/creds` endpoint with the name
+    of the role:
+
+    ```text
+    $ vault read rabbitmq/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           rabbitmq/creds/my-role/37d70d04-f24d-760a-e06e-b9b21087f0f4
+    lease_duration     768h
+    lease_renewable    true
+    password           a98af72b-b6c9-b4b1-fe37-c73a572befed
+    username           token-590f1fe2-1094-a4d6-01a7-9d4ff756a085
+    ```
+
+    Using ACLs, it is possible to restrict using the rabbitmq secrets engine
+    such that trusted operators can manage the role definitions, and both users
+    and applications are restricted in the credentials they are allowed to read.
+
+## API
+
+The RabbitMQ secrets engine has a full HTTP API. Please see the
+[RabbitMQ secrets engine API](/api/secret/rabbitmq/index.html) for more
+details.
+
+[rmq-perms]: https://www.rabbitmq.com/management.html#permissions
+[rmq-topics]: https://www.rabbitmq.com/access-control.html#topic-authorisation
diff --git a/website/pages/docs/secrets/ssh/dynamic-ssh-keys.mdx b/website/pages/docs/secrets/ssh/dynamic-ssh-keys.mdx
new file mode 100644
index 000000000000..8b4358f0f344
--- /dev/null
+++ b/website/pages/docs/secrets/ssh/dynamic-ssh-keys.mdx
@@ -0,0 +1,194 @@
+---
+layout: docs
+page_title: Dynamic SSH Keys - SSH - Secrets Engines
+sidebar_title: Dynamic Key
+description: |-
+  When using this type, the administrator registers a secret key with
+  appropriate sudo privileges on the remote machines. For every authorized
+  credential request, Vault creates a new SSH key pair and appends the
+  newly-generated public key to the authorized_keys file for the configured
+  username on the remote host. Vault uses a configurable install script to
+  achieve this.
+---
+
+# Dynamic SSH Keys
+
+~> **Deprecated**: There are several serious drawbacks and security implications
+inherent in this type. Because of these drawbacks, please use the SSH CA or OTP
+types whenever possible.
+
+When using this type, the administrator registers a secret key with appropriate
+`sudo` privileges on the remote machines; for every authorized credential
+request, Vault creates a new SSH key pair and appends the newly-generated public
+key to the `authorized_keys` file for the configured username on the remote
+host. Vault uses a configurable install script to achieve this.
+
+The secrets engine does not prompt for `sudo` passwords; the `NOPASSWD` option for
+sudoers should be enabled at all remote hosts for the Vault administrative
+user.
+
+The private key returned to the user will be leased and can be renewed if
+desired. Once the key is given to the user, Vault will not know when it gets
+used or how many time it gets used. Therefore, Vault **WILL NOT** and cannot
+audit the SSH session establishments.
+
+When the credential lease expires, Vault removes the secret key from the remote
+machine.
+
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
+
+### Drawbacks
+
+The dynamic key type has several serious drawbacks:
+
+1. _Audit logs are unreliable_: Vault can only log when users request
+   credentials, not when they use the given keys. If user A and user B both
+   request access to a machine, and are given a lease valid for five minutes,
+   it is impossible to know whether two accesses to that user account on the
+   remote machine were A, A; A, B; B, A; or B, B.
+2. _Generating dynamic keys consumes entropy_: Unless equipped with a hardware
+   entropy generating device, a machine can quickly run out of entropy when
+   generating SSH keys. This will cause further requests for various Vault
+   operations to stall until more entropy is available, which could take a
+   significant amount of time, after which the next request for a new SSH key
+   will use the generated entropy and cause stalling again.
+3. This type makes connections to client hosts; when this happens the host key
+   is _not_ verified.
+
+### sudo
+
+In order to adjust the `authorized_keys` file for the desired user, Vault
+connects via SSH to the remote machine as a separate user, and uses `sudo` to
+gain the privileges required. An example `sudoers` file is shown below.
+
+File: `/etc/sudoers`
+
+```hcl
+# This is a sample sudoers statement; you should modify it
+# as appropriate to satisfy your security needs.
+vaultadmin   ALL=(ALL)NOPASSWD: ALL
+```
+
+### Configuration
+
+Next, infrastructure configuration must be registered with Vault via roles.
+First, however, the shared secret key must be specified.
+
+### Mount the secrets engine
+
+```text
+$ vault secrets enable ssh
+Successfully mounted 'ssh' at 'ssh'!
+```
+
+#### Registering the shared secret key
+
+Register a key with a name; this key must have administrative capabilities on
+the remote hosts.
+
+```text
+$ vault write ssh/keys/dev_key \
+    key=@dev_shared_key.pem
+```
+
+#### Create a Role
+
+Next, create a role. All of the machines contained within this CIDR block list
+should be accessible using the registered shared secret key.
+
+```text
+$ vault write ssh/roles/dynamic_key_role \
+    key_type=dynamic \
+    key=dev_key \
+    admin_user=username \
+    default_user=username \
+    cidr_list=x.x.x.x/y
+Success! Data written to: ssh/roles/dynamic_key_role
+```
+
+`cidr_list` is a comma separated list of CIDR blocks for which a role can
+generate credentials. If this is empty, the role can only generate credentials
+if it belongs to the set of zero-address roles.
+
+Zero-address roles, configured via `/ssh/config/zeroaddress` endpoint, takes
+comma separated list of role names that can generate credentials for any IP
+address.
+
+Use the `install_script` option to provide an install script if the remote
+hosts do not resemble a typical Linux machine. The default script is compiled
+into the Vault binary, but it is straight forward to specify an alternate. The
+script takes three arguments which are explained in the comments.
+
+To see the default, see
+[linux_install_script.go](https://github.com/hashicorp/vault/blob/master/builtin/logical/ssh/linux_install_script.go)
+
+### Create a credential
+
+Create a dynamic key for an IP of the remote host that is covered by
+`dynamic_key_role`'s CIDR list.
+
+```text
+$ vault write ssh/creds/dynamic_key_role ip=x.x.x.x
+Key            	Value
+lease_id       	ssh/creds/dynamic_key_role/8c4d2042-23bc-d6a8-42c2-6ff01cb83cf8
+lease_duration 	600
+lease_renewable	true
+ip             	x.x.x.x
+key            	-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA5V/Y95qfGaUXRPkKNK9jgDHXPD2n5Ein+QTNnLSGrHtJUH7+
+pgs/5Hc4//124P9qHNmjIYQVyvcLreFgSrQCq4K8193hmypBYtsvCgvpc+jEwaGA
+zK0QV7uc1z8KL7FuRAxpHJwB6+nubOzzqM03xsViHRhaWhYVHw2Vl4oputSHE7R9
+ugaTRg67wge4Nyi5RRL0RQcmW15/Vop8B6HpBSmZQy3enjg+32KbOWCMMTAPuF9/
+DgxSgZQaFMjGN4RjDreZI8Vv5zIiFJzZ3KVOWy8piI0PblLnDpU4Q0QSQ9A+Vr7b
+JS22Lbet1Zbapl/n947/r1wGObLCc5Lilu//1QIDAQABAoIBAHWLfdO9sETjHp6h
+BULkkpgScpuTeSN6vGHXvUrOFKn1cCfJPNR4tWBuXI6LJM2+9nEccwXs+4IMwjZ0
+ZfVCdI/SKtZxBXmP2PxBGMUMP7G/mn0kN64sDlD3ezOvQZgZVEmZFpCrvixYsG+v
+qlpZ+HhrlJEWds7tvBsyyfNjwWjVIpm08zBmteFj4zu7OEcmGXEHDoxDXxyVP2BG
+eLU/fM5JA2UEjfCQ1MIZ3rBtPePdz4LRpb+ajklqrUj1OHoiDrXa8EAf0/wDP9re
+c1iH4bn7ZjYK0+IhZ+Pmw6gUftzZNWSC2kOLnZLdN/K7hgh0l0r0K/1eeXt43upB
+WALNuiECgYEA8PM2Ob3XXKALF86PUewne4fCz9iixr/cIpvrEGrh9lyQRO8X5Jxb
+ug38jEql4a574C6TSXfzxURza4P6lnfa0LvymmW0bhxZ5nev9kcAVnLKvpOUArTR
+32k9bKXd6zp8Q9ZyVNwHRxcVs4YgwfJlcx8geC4o6YRiIjvcBQ9RVHkCgYEA87OK
+lZDFBeEY/HVOxAQNXS5fgTd4U4DbwEJLv7SPk02v9oDkGHkpgMs4PcsIpCzsTpJ0
+oXMfLSxZ1lmZiuUvAupKj/7RjJ0XyjSMfm1Zs81epWj+boVfM4amZNHVLIWgddmM
+XzXEZKByvi1gs7qFcjQz2DEbZltWO6dX14O4Fz0CgYEAlWSWyHJWZ02r0xT1c7vS
+NxtTxH7zXftzR9oYgtNiStfVc4gy7kGr9c3aOjnGZAlFMRhvpevDrxnj3lO0OTsS
+5rzBjM1mc6cMboLjDPW01eTSpBroeE0Ym0arGQQ2djSK+5yowsixknhTsj2FbfsW
+v6wa+6jTIQY9ujAXGOQIbzECgYAYuXlw7SwgCZNYYappFqQodQD5giAyEJu66L74
+px/96N7WWoNJvFkqmPOOyV+KEIi0/ATbMGvUUHCY36RFRDU9zXldHJQz+Ogl+qja
+VsvIAyj8DSfrHJrpBlsxVVyUVMZPzo+ARVs0flbF1qK9+Ul6qbMs1uaZvuCD0tmF
+ovZ1XQKBgQDB0s7SDmAMgVjG8UBZgUru9vsDrxERT2BloptnnAjSiarLF5M+qeZO
+7L4NLyVP39Z83eerEonzDAHHbvhPyi6n2YmnYhGjeP+lPZIVqGF9cpZD3q48YHZc
+3ePn2/oLZrXKWOMyMwp2Uj+0SArCW+xMnoNp50sYNVR/JK3BPIdkag==
+-----END RSA PRIVATE KEY-----
+key_type       	dynamic
+port           	22
+username       	username
+```
+
+### Establish an SSH session
+
+Save the key to a file (e.g. `dyn_key.pem`) and then use it to establish an SSH
+session.
+
+```text
+$ ssh -i dyn_key.pem username@<IP of remote host>
+username@<IP of remote host>:~$
+```
+
+### Automate it!
+
+Creation of new key, saving to a file, and using it to establish an SSH session
+can all be done with a single Vault CLI command.
+
+```text
+$ vault ssh -role dynamic_key_role username@<IP of remote host>
+username@<IP of remote host>:~$
+```
+
+## API
+
+The SSH secret secrets engine has a full HTTP API. Please see the
+[SSH secret secrets engine API](/api/secret/ssh/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/ssh/index.mdx b/website/pages/docs/secrets/ssh/index.mdx
new file mode 100644
index 000000000000..be05eedddc0e
--- /dev/null
+++ b/website/pages/docs/secrets/ssh/index.mdx
@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: SSH - Secrets Engines
+sidebar_title: SSH
+description: |-
+  The Vault SSH secrets engine provides secure authentication and authorization
+  for access to machines via the SSH protocol. There are multiple modes to the
+  Vault SSH secrets engine including signed SSH certificates, dynamic SSH keys,
+  and one-time passwords.
+---
+
+# SSH Secrets Engine
+
+Name: `ssh`
+
+The Vault SSH secrets engine provides secure authentication and authorization
+for access to machines via the SSH protocol. The Vault SSH secrets engine helps
+manage access to machine infrastructure, providing several ways to issue SSH
+credentials.
+
+The Vault SSH secrets engine supports the following modes. Each mode is
+individually documented on its own page.
+
+- [Signed SSH Certificates](/docs/secrets/ssh/signed-ssh-certificates.html)
+- [One-time SSH Passwords](/docs/secrets/ssh/one-time-ssh-passwords.html)
+- [Dynamic SSH Keys](/docs/secrets/ssh/dynamic-ssh-keys.html) <sup>DEPRECATED</sup>
+
+All guides assume a basic familiarity with the SSH protocol.
+
+## API
+
+The SSH secrets engine has a full HTTP API. Please see the
+[SSH secrets engine API](/api/secret/ssh/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/ssh/one-time-ssh-passwords.mdx b/website/pages/docs/secrets/ssh/one-time-ssh-passwords.mdx
new file mode 100644
index 000000000000..c0514f945a22
--- /dev/null
+++ b/website/pages/docs/secrets/ssh/one-time-ssh-passwords.mdx
@@ -0,0 +1,121 @@
+---
+layout: docs
+page_title: One-Time SSH Passwords (OTP) - SSH - Secrets Engines
+sidebar_title: SSH OTP
+description: |-
+  The One-Time SSH Password (OTP) SSH secrets engine type allows a Vault server
+  to issue a One-Time Password every time a client wants to SSH into a remote
+  host using a helper command on the remote host to perform verification.
+---
+
+# One-Time SSH Passwords
+
+The One-Time SSH Password (OTP) SSH secrets engine type allows a Vault server to
+issue a One-Time Password every time a client wants to SSH into a remote host
+using a helper command on the remote host to perform verification.
+
+An authenticated client requests credentials from the Vault server and, if
+authorized, is issued an OTP. When the client establishes an SSH connection to
+the desired remote host, the OTP used during SSH authentication is received by
+the Vault helper, which then validates the OTP with the Vault server. The Vault
+server then deletes this OTP, ensuring that it is only used once.
+
+Since the Vault server is contacted during SSH connection establishment, every
+login attempt and the correlating Vault lease information is logged to the audit
+secrets engine.
+
+See [Vault-SSH-Helper](https://github.com/hashicorp/vault-ssh-helper) for
+details on the helper.
+
+This page will show a quick start for this secrets engine. For detailed
+documentation on every path, use `vault path-help` after mounting the secrets
+engine.
+
+### Drawbacks
+
+The main concern with the OTP secrets engine type is the remote host's
+connection to Vault; if compromised, an attacker could spoof the Vault server
+returning a successful request. This risk can be mitigated by using TLS for the
+connection to Vault and checking certificate validity; future enhancements to
+this secrets engine may allow for extra security on top of what TLS provides.
+
+### Mount the secrets engine
+
+```text
+$ vault secrets enable ssh
+Successfully mounted 'ssh' at 'ssh'!
+```
+
+### Create a Role
+
+Create a role with the `key_type` parameter set to `otp`. All of the machines
+represented by the role's CIDR list should have helper properly installed and
+configured.
+
+```text
+$ vault write ssh/roles/otp_key_role \
+    key_type=otp \
+    default_user=username \
+    cidr_list=x.x.x.x/y,m.m.m.m/n
+Success! Data written to: ssh/roles/otp_key_role
+```
+
+### Create a Credential
+
+Create an OTP credential for an IP of the remote host that belongs to
+`otp_key_role`.
+
+```text
+$ vault write ssh/creds/otp_key_role ip=x.x.x.x
+Key            	Value
+lease_id       	ssh/creds/otp_key_role/73bbf513-9606-4bec-816c-5a2f009765a5
+lease_duration 	600
+lease_renewable	false
+port           	22
+username       	username
+ip             	x.x.x.x
+key            	2f7e25a2-24c9-4b7b-0d35-27d5e5203a5c
+key_type       	otp
+```
+
+### Establish an SSH session
+
+```text
+$ ssh username@x.x.x.x
+Password: <Enter OTP>
+username@x.x.x.x:~$
+```
+
+### Automate it!
+
+A single CLI command can be used to create a new OTP and invoke SSH with the
+correct parameters to connect to the host.
+
+```text
+$ vault ssh -role otp_key_role -mode otp username@x.x.x.x
+OTP for the session is `b4d47e1b-4879-5f4e-ce5c-7988d7986f37`
+[Note: Install `sshpass` to automate typing in OTP]
+Password: <Enter OTP>
+```
+
+The OTP will be entered automatically using `sshpass` if it is installed.
+
+```text
+$ vault ssh -role otp_key_role -mode otp -strict-host-key-checking=no username@x.x.x.x
+username@<IP of remote host>:~$
+```
+
+Note: `sshpass` cannot handle host key checking. Host key checking can be
+disabled by setting `-strict-host-key-checking=no`.
+
+## Learn
+
+Refer to the [SSH Secrets Engine: One-Time SSH
+Password](https://learn.hashicorp.com/vault/secrets-management/sm-ssh-otp) guide
+for a step-by-step tutorial.
+
+## API
+
+The SSH secrets engine has a full HTTP API. Please see the
+[SSH secrets engine API](/api/secret/ssh/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/ssh/signed-ssh-certificates.mdx b/website/pages/docs/secrets/ssh/signed-ssh-certificates.mdx
new file mode 100644
index 000000000000..eff848adea0a
--- /dev/null
+++ b/website/pages/docs/secrets/ssh/signed-ssh-certificates.mdx
@@ -0,0 +1,488 @@
+---
+layout: docs
+page_title: Signed SSH Certificates - SSH - Secrets Engines
+sidebar_title: Signed Certificates
+description: >-
+  The signed SSH certificates is the simplest and most powerful in terms of
+
+  setup complexity and in terms of being platform agnostic. When using this
+
+  type, an SSH CA signing key is generated or configured at the secrets engine's
+  mount.
+
+  This key will be used to sign other SSH keys.
+---
+
+# Signed SSH Certificates
+
+The signed SSH certificates is the simplest and most powerful in terms of setup
+complexity and in terms of being platform agnostic. By leveraging Vault's
+powerful CA capabilities and functionality built into OpenSSH, clients can SSH
+into target hosts using their own local SSH keys.
+
+In this section, the term "**client**" refers to the person or machine
+performing the SSH operation. The "**host**" refers to the target machine. If
+this is confusing, substitute "client" with "user".
+
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
+
+## Client Key Signing
+
+Before a client can request their SSH key be signed, the Vault SSH secrets engine must
+be configured. Usually a Vault administrator or security team performs these
+steps. It is also possible to automate these actions using a configuration
+management tool like Chef, Puppet, Ansible, or Salt.
+
+### Signing Key &amp; Role Configuration
+
+The following steps are performed in advance by a Vault administrator, security
+team, or configuration management tooling.
+
+1.  Mount the secrets engine. Like all secrets engines in Vault, the SSH secrets engine
+    must be mounted before use.
+
+    ```text
+    $ vault secrets enable -path=ssh-client-signer ssh
+    Successfully mounted 'ssh' at 'ssh-client-signer'!
+    ```
+
+    This enables the SSH secrets engine at the path "ssh-client-signer". It is
+    possible to mount the same secrets engine multiple times using different
+    `-path` arguments. The name "ssh-client-signer" is not special - it can be
+    any name, but this documentation will assume "ssh-client-signer".
+
+1.  Configure Vault with a CA for signing client keys using the `/config/ca`
+    endpoint. If you do not have an internal CA, Vault can generate a keypair for
+    you.
+
+    ```text
+    $ vault write ssh-client-signer/config/ca generate_signing_key=true
+    Key             Value
+    ---             -----
+    public_key      ssh-rsa AAAAB3NzaC1yc2EA...
+    ```
+
+    If you already have a keypair, specify the public and private key parts as
+    part of the payload:
+
+    ```text
+    $ vault write ssh-client-signer/config/ca \
+        private_key="..." \
+        public_key="..."
+    ```
+
+    Regardless of whether it is generated or uploaded, the client signer public
+    key is accessible via the API at the `/public_key` endpoint.
+
+1.  Add the public key to all target host's SSH configuration. This process can
+    be manual or automated using a configuration management tool. The public key is
+    accessible via the API and does not require authentication.
+
+    ```text
+    $ curl -o /etc/ssh/trusted-user-ca-keys.pem http://127.0.0.1:8200/v1/ssh-client-signer/public_key
+    ```
+
+    ```text
+    $ vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
+    ```
+
+    Add the path where the public key contents are stored to the SSH
+    configuration file as the `TrustedUserCAKeys` option.
+
+    ```text
+    # /etc/ssh/sshd_config
+    # ...
+    TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
+    ```
+
+    Restart the SSH service to pick up the changes.
+
+1.  Create a named Vault role for signing client keys.
+
+    Because of the way some SSH certificate features are implemented, options
+    are passed as a map. The following example adds the `permit-pty` extension
+    to the certificate.
+
+    ```text
+    $ vault write ssh-client-signer/roles/my-role -<<"EOH"
+    {
+      "allow_user_certificates": true,
+      "allowed_users": "*",
+      "default_extensions": [
+        {
+          "permit-pty": ""
+        }
+      ],
+      "key_type": "ca",
+      "default_user": "ubuntu",
+      "ttl": "30m0s"
+    }
+    EOH
+    ```
+
+### Client SSH Authentication
+
+The following steps are performed by the client (user) that wants to
+authenticate to machines managed by Vault. These commands are usually run from
+the client's local workstation.
+
+1.  Locate or generate the SSH public key. Usually this is `~/.ssh/id_rsa.pub`.
+    If you do not have an SSH keypair, generate one:
+
+    ```text
+    $ ssh-keygen -t rsa -C "user@example.com"
+    ```
+
+1.  Ask Vault to sign your **public key**. This file usually ends in `.pub` and
+    the contents begin with `ssh-rsa ...`.
+
+    ```text
+    $ vault write ssh-client-signer/sign/my-role \
+        public_key=@$HOME/.ssh/id_rsa.pub
+
+    Key             Value
+    ---             -----
+    serial_number   c73f26d2340276aa
+    signed_key      ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1...
+    ```
+
+    The result will include the serial and the signed key. This signed key is
+    another public key.
+
+    To customize the signing options, use a JSON payload:
+
+    ```text
+    $ vault write ssh-client-signer/sign/my-role -<<"EOH"
+    {
+      "public_key": "ssh-rsa AAA...",
+      "valid_principals": "my-user",
+      "key_id": "custom-prefix",
+      "extension": {
+        "permit-pty": ""
+      }
+    }
+    EOH
+    ```
+
+1.  Save the resulting signed, public key to disk. Limit permissions as needed.
+
+    ```text
+    $ vault write -field=signed_key ssh-client-signer/sign/my-role \
+        public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub
+    ```
+
+    If you are saving the certificate directly beside your SSH keypair, suffix
+    the name with `-cert.pub` (`~/.ssh/id_rsa-cert.pub`). With this naming
+    scheme, OpenSSH will automatically use it during authentication.
+
+1.  (Optional) View enabled extensions, principals, and metadata of the signed
+    key.
+
+    ```text
+    $ ssh-keygen -Lf ~/.ssh/signed-cert.pub
+    ```
+
+1.  SSH into the host machine using the signed key. You must supply both the
+    signed public key from Vault **and** the corresponding private key as
+    authentication to the SSH call.
+
+    ```text
+    $ ssh -i signed-cert.pub -i ~/.ssh/id_rsa username@10.0.23.5
+    ```
+
+## Host Key Signing
+
+For an added layers of security, we recommend enabling host key signing. This is
+used in conjunction with client key signing to provide an additional integrity
+layer. When enabled, the SSH agent will verify the target host is valid and
+trusted before attempting to SSH. This will reduce the probability of a user
+accidentally SSHing into an unmanaged or malicious machine.
+
+### Signing Key Configuration
+
+1.  Mount the secrets engine. For the most security, mount at a different path from the
+    client signer.
+
+    ```text
+    $ vault secrets enable -path=ssh-host-signer ssh
+    Successfully mounted 'ssh' at 'ssh-host-signer'!
+    ```
+
+1.  Configure Vault with a CA for signing host keys using the `/config/ca`
+    endpoint. If you do not have an internal CA, Vault can generate a keypair for
+    you.
+
+    ```text
+    $ vault write ssh-host-signer/config/ca generate_signing_key=true
+    Key             Value
+    ---             -----
+    public_key      ssh-rsa AAAAB3NzaC1yc2EA...
+    ```
+
+    If you already have a keypair, specify the public and private key parts as
+    part of the payload:
+
+    ```text
+    $ vault write ssh-host-signer/config/ca \
+        private_key="..." \
+        public_key="..."
+    ```
+
+    Regardless of whether it is generated or uploaded, the host signer public
+    key is accessible via the API at the `/public_key` endpoint.
+
+1.  Extend host key certificate TTLs.
+
+    ```text
+    $ vault secrets tune -max-lease-ttl=87600h ssh-host-signer
+    ```
+
+1.  Create a role for signing host keys. Be sure to fill in the list of allowed
+    domains, set `allow_bare_domains`, or both.
+
+    ```text
+    $ vault write ssh-host-signer/roles/hostrole \
+        key_type=ca \
+        ttl=87600h \
+        allow_host_certificates=true \
+        allowed_domains="localdomain,example.com" \
+        allow_subdomains=true
+    ```
+
+1.  Sign the host's SSH public key.
+
+    ```text
+    $ vault write ssh-host-signer/sign/hostrole \
+        cert_type=host \
+        public_key=@/etc/ssh/ssh_host_rsa_key.pub
+    Key             Value
+    ---             -----
+    serial_number   3746eb17371540d9
+    signed_key      ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...
+    ```
+
+1.  Set the resulting signed certificate as `HostCertificate` in the SSH
+    configuration on the host machine.
+
+    ```text
+    $ vault write -field=signed_key ssh-host-signer/sign/hostrole \
+        cert_type=host \
+        public_key=@/etc/ssh/ssh_host_rsa_key.pub > /etc/ssh/ssh_host_rsa_key-cert.pub
+    ```
+
+    Set permissions on the certificate to be `0640`:
+
+    ```text
+    $ chmod 0640 /etc/ssh/ssh_host_rsa_key-cert.pub
+    ```
+
+    Add host key and host certificate to the SSH configuration file.
+
+    ```text
+    # /etc/ssh/sshd_config
+    # ...
+
+    # For client keys
+    TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
+
+    # For host keys
+    HostKey /etc/ssh/ssh_host_rsa_key
+    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+    ```
+
+    Restart the SSH service to pick up the changes.
+
+### Client-Side Host Verification
+
+1.  Retrieve the host signing CA public key to validate the host signature of
+    target machines.
+
+    ```text
+    $ curl http://127.0.0.1:8200/v1/ssh-host-signer/public_key
+    ```
+
+    ```text
+    $ vault read -field=public_key ssh-host-signer/config/ca
+    ```
+
+1.  Add the resulting public key to the `known_hosts` file with authority.
+
+    ```text
+    # ~/.ssh/known_hosts
+    @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAA...
+    ```
+
+1.  SSH into target machines as usual.
+
+## Troubleshooting
+
+When initially configuring this type of key signing, enable `VERBOSE` SSH
+logging to help annotate any errors in the log.
+
+```text
+# /etc/ssh/sshd_config
+# ...
+LogLevel VERBOSE
+```
+
+Restart SSH after making these changes.
+
+By default, SSH logs to `/var/log/auth.log`, but so do many other things. To
+extract just the SSH logs, use the following:
+
+```sh
+$ tail -f /var/log/auth.log | grep --line-buffered "sshd"
+```
+
+If you are unable to make a connection to the host, the SSH server logs may
+provide guidance and insights.
+
+### Name is not a listed principal
+
+If the `auth.log` displays the following messages:
+
+```text
+# /var/log/auth.log
+key_cert_check_authority: invalid certificate
+Certificate invalid: name is not a listed principal
+```
+
+The certificate does not permit the username as a listed principal for
+authenticating to the system. This is most likely due to an OpenSSH bug (see
+[known issues](#known-issues) for more information). This bug does not respect
+the `allowed_users` option value of "\*". Here are ways to work around this
+issue:
+
+1.  Set `default_user` in the role. If you are always authenticating as the same
+    user, set the `default_user` in the role to the username you are SSHing into the
+    target machine:
+
+    ```text
+    $ vault write ssh/roles/my-role -<<"EOH"
+    {
+      "default_user": "YOUR_USER",
+      // ...
+    }
+    EOH
+    ```
+
+1.  Set `valid_principals` during signing. In situations where multiple users may
+    be authenticating to SSH via Vault, set the list of valid principles during key
+    signing to include the current username:
+
+    ```text
+    $ vault write ssh-client-signer/sign/my-role -<<"EOH"
+    {
+      "valid_principals": "my-user"
+      // ...
+    }
+    EOH
+    ```
+
+### No Prompt After Login
+
+If you do not see a prompt after authenticating to the host machine, the signed
+certificate may not have the `permit-pty` extension. There are two ways to add
+this extension to the signed certificate.
+
+- As part of the role creation
+
+  ```text
+  $ vault write ssh-client-signer/roles/my-role -<<"EOH"
+  {
+    "default_extensions": [
+      {
+        "permit-pty": ""
+      }
+    ]
+    // ...
+  }
+  EOH
+  ```
+
+- As part of the signing operation itself:
+
+  ```text
+  $ vault write ssh-client-signer/sign/my-role -<<"EOH"
+  {
+    "extension": {
+      "permit-pty": ""
+    }
+    // ...
+  }
+  EOH
+  ```
+
+### No Port Forwarding
+
+If port forwarding from the guest to the host is not working, the signed
+certificate may not have the `permit-port-forwarding` extension. Add the
+extension as part of the role creation or signing process to enable port
+forwarding. See [no prompt after login](#no-prompt-after-login) for examples.
+
+```json
+{
+  "default_extensions": [
+    {
+      "permit-port-forwarding": ""
+    }
+  ]
+}
+```
+
+### No X11 Forwarding
+
+If X11 forwarding from the guest to the host is not working, the signed
+certificate may not have the `permit-X11-forwarding` extension. Add the
+extension as part of the role creation or signing process to enable X11
+forwarding. See [no prompt after login](#no-prompt-after-login) for examples.
+
+```json
+{
+  "default_extensions": [
+    {
+      "permit-X11-forwarding": ""
+    }
+  ]
+}
+```
+
+### No Agent Forwarding
+
+If agent forwarding from the guest to the host is not working, the signed
+certificate may not have the `permit-agent-forwarding` extension. Add the
+extension as part of the role creation or signing process to enable agent
+forwarding. See [no prompt after login](#no-prompt-after-login) for examples.
+
+```json
+{
+  "default_extensions": [
+    {
+      "permit-agent-forwarding": ""
+    }
+  ]
+}
+```
+
+### Known Issues
+
+- On SELinux-enforcing systems, you may need to adjust related types so that the
+  SSH daemon is able to read it. For example, adjust the signed host certificate
+  to be an `sshd_key_t` type.
+
+- On some versions of SSH, you may get the following error:
+
+  ```text
+  no separate private key for certificate
+  ```
+
+  This is a bug introduced in OpenSSH version 7.2 and fixed in 7.5. See
+  [OpenSSH bug 2617](https://bugzilla.mindrot.org/show_bug.cgi?id=2617) for
+  details.
+
+## API
+
+The SSH secrets engine has a full HTTP API. Please see the
+[SSH secrets engine API](/api/secret/ssh/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/totp/index.mdx b/website/pages/docs/secrets/totp/index.mdx
new file mode 100644
index 000000000000..e5bb20e2d90a
--- /dev/null
+++ b/website/pages/docs/secrets/totp/index.mdx
@@ -0,0 +1,125 @@
+---
+layout: docs
+page_title: TOTP - Secrets Engines
+sidebar_title: TOTP
+description: The TOTP secrets engine for Vault generates time-based one-time use passwords.
+---
+
+# TOTP Secrets Engine
+
+The TOTP secrets engine generates time-based credentials according to the TOTP
+standard. The secrets engine can also be used to generate a new key and validate
+passwords generated by that key.
+
+The TOTP secrets engine can act as both a generator (like Google Authenticator)
+and a provider (like the Google.com sign in service).
+
+## As a Generator
+
+The TOTP secrets engine can act as a TOTP code generator. In this mode, it can
+replace traditional TOTP generators like Google Authenticator. It provides an
+added layer of security since the ability to generate codes is guarded by
+policies and the entire process is audited.
+
+### Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the TOTP secrets engine:
+
+    ```text
+    $ vault secrets enable totp
+    Success! Enabled the totp secrets engine at: totp/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure a named key. The name of this key will be a human identifier as to
+    its purpose.
+
+    ```text
+    $ vault write totp/keys/my-key \
+        url="otpauth://totp/Vault:test@test.com?secret=Y64VEVMBTSXCYIWRSHRNDZW62MPGVU2G&issuer=Vault"
+    Success! Data written to: totp/keys/my-key
+    ```
+
+    The `url` corresponds to the secret key or value from the barcode provided
+    by the third-party service.
+
+### Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1.  Generate a new time-based OTP by reading from the `/code` endpoint with the
+    name of the key:
+
+    ```text
+    $ vault read totp/code/my-key
+    Key     Value
+    ---     -----
+    code    260610
+    ```
+
+    Using ACLs, it is possible to restrict using the TOTP secrets engine such
+    that trusted operators can manage the key definitions, and both users and
+    applications are restricted in the credentials they are allowed to read.
+
+## As a Provider
+
+The TOTP secrets engine can also act as a TOTP provider. In this mode, it can be
+used to generate new keys and validate passwords generated using those keys.
+
+### Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1.  Enable the TOTP secrets engine:
+
+    ```text
+    $ vault secrets enable totp
+    Success! Enabled the totp secrets engine at: totp/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Create a named key, using the `generate` option. This tells Vault to be the
+    provider:
+
+    ```text
+    $ vault write totp/keys/my-user \
+        generate=true \
+        issuer=Vault \
+        account_name=user@test.com
+
+    Key        Value
+    ---        -----
+    barcode    iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BA...
+    url        otpauth://totp/Vault:user@test.com?algorithm=SHA1&digits=6&issuer=Vault&period=30&secret=V7MBSK324I7KF6KVW34NDFH2GYHIF6JY
+    ```
+
+    The response includes a base64-encoded barcode and OTP url. Both are
+    equivalent. Give these to the user who is authenticating with TOTP.
+
+### Usage
+
+1. As a user, validate a TOTP code generated by a third-party app:
+
+   ```text
+   $ vault write totp/code/my-user code=886531
+   Key      Value
+   ---      -----
+   valid    true
+   ```
+
+## API
+
+The TOTP secrets engine has a full HTTP API. Please see the
+[TOTP secrets engine API](/api/secret/totp/index.html) for more
+details.
diff --git a/website/pages/docs/secrets/transit/index.mdx b/website/pages/docs/secrets/transit/index.mdx
new file mode 100644
index 000000000000..6fb08e9d6cc4
--- /dev/null
+++ b/website/pages/docs/secrets/transit/index.mdx
@@ -0,0 +1,233 @@
+---
+layout: docs
+page_title: Transit - Secrets Engines
+sidebar_title: Transit
+description: >-
+  The transit secrets engine for Vault encrypts/decrypts data in-transit. It
+  doesn't store any secrets.
+---
+
+# Transit Secrets Engine
+
+The transit secrets engine handles cryptographic functions on data in-transit.
+Vault doesn't store the data sent to the secrets engine. It can also be viewed
+as "cryptography as a service" or "encryption as a service". The transit secrets
+engine can also sign and verify data; generate hashes and HMACs of data; and act
+as a source of random bytes.
+
+The primary use case for `transit` is to encrypt data from applications while
+still storing that encrypted data in some primary data store. This relieves the
+burden of proper encryption/decryption from application developers and pushes
+the burden onto the operators of Vault.
+
+Key derivation is supported, which allows the same key to be used for multiple
+purposes by deriving a new key based on a user-supplied context value. In this
+mode, convergent encryption can optionally be supported, which allows the same
+input values to produce the same ciphertext.
+
+Datakey generation allows processes to request a high-entropy key of a given
+bit length be returned to them, encrypted with the named key. Normally this will
+also return the key in plaintext to allow for immediate use, but this can be
+disabled to accommodate auditing requirements.
+
+## Working Set Management
+
+The Transit engine supports versioning of keys. Key versions that are earlier
+than a key's specified `min_decryption_version` gets archived, and the rest of
+the key versions belong to the working set. This is a performance consideration
+to keep key loading fast, as well as a security consideration: by disallowing
+decryption of old versions of keys, found ciphertext corresponding to obsolete
+(but sensitive) data can not be decrypted by most users, but in an emergency
+the `min_decryption_version` can be moved back to allow for legitimate
+decryption.
+
+Currently this archive is stored in a single storage entry. With some storage
+backends, notably those using Raft or Paxos for HA capabilities, frequent
+rotation may lead to a storage entry size for the archive that is larger than
+the storage backend can handle. For frequent rotation needs, using named keys
+that correspond to time bounds (e.g. five-minute periods floored to the closest
+multiple of five) may provide a good alternative, allowing for several keys to
+be live at once and a deterministic way to decide which key to use at any given
+time.
+
+## Key Types
+
+As of now, the transit secrets engine supports the following key types (all key
+types also generate separate HMAC keys):
+
+- `aes128-gcm96`: AES-GCM with a 128-bit AES key and a 96-bit nonce; supports
+  encryption, decryption, key derivation, and convergent encryption
+- `aes256-gcm96`: AES-GCM with a 256-bit AES key and a 96-bit nonce; supports
+  encryption, decryption, key derivation, and convergent encryption (default)
+- `chacha20-poly1305`: ChaCha20-Poly1305 with a 256-bit key; supports
+  encryption, decryption, key derivation, and convergent encryption
+- `ed25519`: Ed25519; supports signing, signature verification, and key
+  derivation
+- `ecdsa-p256`: ECDSA using curve P-256; supports signing and signature
+  verification
+- `ecdsa-p384`: ECDSA using curve P-384; supports signing and signature
+  verification
+- `ecdsa-p521`: ECDSA using curve P-521; supports signing and signature
+  verification
+- `rsa-2048`: 2048-bit RSA key; supports encryption, decryption, signing, and
+  signature verification
+- `rsa-4096`: 4096-bit RSA key; supports encryption, decryption, signing, and
+  signature verification
+
+## Convergent Encryption
+
+Convergent encryption is a mode where the same set of plaintext+context always
+result in the same ciphertext. It does this by deriving a key using a key
+derivation function but also by deterministically deriving a nonce. Because
+these properties differ for any combination of plaintext and ciphertext over a
+keyspace the size of 2^256, the risk of nonce reuse is near zero.
+
+This has many practical uses. A key usage mode is to allow values to be stored
+encrypted in a database, but with limited lookup/query support, so that rows
+with the same value for a specific field can be returned from a query.
+
+To accommodate for any needed upgrades to the algorithm, different versions of
+convergent encryption have historically been supported:
+
+- Version 1 required the client to provide their own nonce, which is highly
+  flexible but if done incorrectly can be dangerous. This was only in Vault
+  0.6.1, and keys using this version cannot be upgraded.
+- Version 2 used an algorithmic approach to deriving the parameters. However,
+  the algorithm used was susceptible to offline plaintext-confirmation attacks,
+  which could allow attackers to brute force decryption if the plaintext size
+  was small. Keys using version 2 can be upgraded by simply performing a rotate
+  operation to a new key version; existing values can then be rewrapped against
+  the new key version and will use the version 3 algorithm.
+- Version 3 uses a different algorithm designed to be resistant to offline
+  plaintext-confirmation attacks. It is similar to AES-SIV in that it uses a
+  PRF to generate the nonce from the plaintext.
+
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the Transit secrets engine:
+
+   ```text
+   $ vault secrets enable transit
+   Success! Enabled the transit secrets engine at: transit/
+   ```
+
+   By default, the secrets engine will mount at the name of the engine. To
+   enable the secrets engine at a different path, use the `-path` argument.
+
+1. Create a named encryption key:
+
+   ```text
+   $ vault write -f transit/keys/my-key
+   Success! Data written to: transit/keys/my-key
+   ```
+
+   Usually each application has its own encryption key.
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can use this secrets engine.
+
+1.  Encrypt some plaintext data using the `/encrypt` endpoint with a named key:
+
+    **NOTE:** All plaintext data **must be base64-encoded**. The reason for this
+    requirement is that Vault does not require that the plaintext is "text". It
+    could be a binary file such as a PDF or image. The easiest safe transport
+    mechanism for this data as part of a JSON payload is to base64-encode it.
+
+    ```text
+    $ vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")
+
+    Key           Value
+    ---           -----
+    ciphertext    vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
+    ```
+
+    The returned ciphertext starts with `vault:v1:`. The first prefix (`vault`)
+    identifies that it has been wrapped by Vault. The `v1` indicates the key
+    version 1 was used to encrypt the plaintext; therefore, when you rotate
+    keys, Vault knows which version to use for decryption. The rest is a base64
+    concatenation of the initialization vector (IV) and ciphertext.
+
+    Note that Vault does not _store_ any of this data. The caller is responsible
+    for storing the encrypted ciphertext. When the caller wants the plaintext,
+    it must provide the ciphertext back to Vault to decrypt the value.
+
+    !> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial
+    of service attack. This can be tuned per [`listener`
+    block](/docs/configuration/listener/tcp.html) in the Vault server
+    configuration.
+
+1.  Decrypt a piece of data using the `/decrypt` endpoint with a named key:
+
+    ```text
+    $ vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
+
+    Key          Value
+    ---          -----
+    plaintext    bXkgc2VjcmV0IGRhdGEK
+    ```
+
+    The resulting data is base64-encoded (see the note above for details on
+    why). Decode it to get the raw plaintext:
+
+    ```text
+    $ base64 --decode <<< "bXkgc2VjcmV0IGRhdGEK"
+    my secret data
+    ```
+
+    It is also possible to script this decryption using some clever shell
+    scripting in one command:
+
+    ```text
+    $ vault write -field=plaintext transit/decrypt/my-key ciphertext=... | base64 --decode
+    my secret data
+    ```
+
+    Using ACLs, it is possible to restrict using the transit secrets engine such
+    that trusted operators can manage the named keys, and applications can only
+    encrypt or decrypt using the named keys they need access to.
+
+1.  Rotate the underlying encryption key. This will generate a new encryption key
+    and add it to the keyring for the named key:
+
+    ```text
+    $ vault write -f transit/keys/my-key/rotate
+    Success! Data written to: transit/keys/my-key/rotate
+    ```
+
+    Future encryptions will use this new key. Old data can still be decrypted
+    due to the use of a key ring.
+
+1.  Upgrade already-encrypted data to a new key. Vault will decrypt the value
+    using the appropriate key in the keyring and then encrypted the resulting
+    plaintext with the newest key in the keyring.
+
+    ```text
+    $ vault write transit/rewrap/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
+
+    Key           Value
+    ---           -----
+    ciphertext    vault:v2:0VHTTBb2EyyNYHsa3XiXsvXOQSLKulH+NqS4eRZdtc2TwQCxqJ7PUipvqQ==
+    ```
+
+    This process **does not** reveal the plaintext data. As such, a Vault policy
+    could grant almost an untrusted process the ability to "rewrap" encrypted
+    data, since the process would not be able to get access to the plaintext
+    data.
+
+## Learn
+
+Refer to the [Encryption as a Service: Transit Secrets
+Engine](https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit)
+guide for a step-by-step tutorial.
+
+## API
+
+The Transit secrets engine has a full HTTP API. Please see the
+[Transit secrets engine API](/api/secret/transit/index.html) for more
+details.
diff --git a/website/pages/docs/upgrading/index.mdx b/website/pages/docs/upgrading/index.mdx
new file mode 100644
index 000000000000..703e92ad384e
--- /dev/null
+++ b/website/pages/docs/upgrading/index.mdx
@@ -0,0 +1,101 @@
+---
+layout: docs
+page_title: Upgrading Vault - Guides
+sidebar_title: Upgrade Guides
+description: |-
+  These are general upgrade instructions for Vault for both non-HA and HA
+  setups. Please ensure that you also read the version-specific upgrade notes.
+---
+
+# Upgrading Vault
+
+These are general upgrade instructions for Vault for both non-HA and HA setups.
+_Please ensure that you also read any version-specific upgrade notes which can be
+found in the sidebar._
+
+!> **IMPORTANT NOTE:** Always back up your data before upgrading! Vault does not
+make backward-compatibility guarantees for its data store. Simply replacing the
+newly-installed Vault binary with the previous version will not cleanly
+downgrade Vault, as upgrades may perform changes to the underlying data
+structure that make the data incompatible with a downgrade. If you need to roll
+back to a previous version of Vault, you should roll back your data store as
+well.
+
+## Testing the Upgrade
+
+It's always a good idea to try to ensure that the upgrade will be successful in
+your environment. The ideal way to do this is to take a snapshot of your data
+and load it into a test cluster. However, if you are issuing secrets to third
+party resources (cloud credentials, database credentials, etc.) ensure that you
+do not allow external network connectivity during testing, in case credentials
+expire. This prevents the test cluster from trying to revoke these resources
+along with the non-test cluster.
+
+## Non-HA Installations
+
+Upgrading non-HA installations of Vault is as simple as replacing the Vault
+binary with the new version and restarting Vault. Any upgrade tasks that can be
+performed for you will be taken care of when Vault is unsealed.
+
+Always use `SIGINT` or `SIGTERM` to properly shut down Vault.
+
+Be sure to also read and follow any instructions in the version-specific
+upgrade notes.
+
+## HA Installations
+
+This is our recommended upgrade procedure, and the procedure we use internally
+at HashiCorp. However, you should consider how to apply these steps to your
+particular setup since HA setups can differ on whether a load balancer is in
+use, what addresses clients are being given to connect to Vault (standby +
+leader, leader-only, or discovered via service discovery), etc.
+
+Whatever method you use, you should ensure that you never fail over from a
+newer version of Vault to an older version. Our suggested procedure is designed
+to prevent this.
+
+Please note that Vault does not support true zero-downtime upgrades, but with
+proper upgrade procedure the downtime should be very short (a few hundred
+milliseconds to a second depending on how the speed of access to the storage
+backend).
+
+Perform these steps on each standby:
+
+1. Properly shut down Vault on the standby node via `SIGINT` or `SIGTERM`
+2. Replace the Vault binary with the new version
+3. Start the standby node
+4. Unseal the standby node
+
+At this point all standby nodes will be upgraded and ready to take over. The
+upgrade will not be complete until one of the upgraded standby nodes takes over
+active duty. To do this:
+
+1. Properly shut down the remaining (active) node. Note: it is _**very
+   important**_ that you shut the node down properly. This causes the HA lock to
+   be released, allowing a standby node to take over with a very short delay.
+   If you kill Vault without letting it release the lock, a standby node will
+   not be able to take over until the lock's timeout period has expired. This
+   is backend-specific but could be ten seconds or more.
+2. Replace the Vault binary with the new version; ensure that `mlock()` capability is added to the new binary with [setcap](https://www.vaultproject.io/docs/configuration/index.html#disable_mlock)
+3. Start the node
+4. Unseal the node (it will now be a standby)
+
+Internal upgrade tasks will happen after one of the upgraded standby nodes
+takes over active duty.
+
+Be sure to also read and follow any instructions in the version-specific
+upgrade notes.
+
+## Replication Installations
+
+-> **Note:** Prior to any upgrade, be sure to also read and follow any instructions in the version-specific
+upgrade notes which are found in the navigation menu for this documentation.
+
+Upgrading installations of Vault which participate in [Enterprise Replication](/docs/enterprise/replication/index.html) requires the following basic order of operations:
+
+- **Upgrade the replication secondary instances first** using appropriate
+  guidance from the previous sections depending on whether each secondary
+  instance is Non-HA or HA
+- Verify functionality of each secondary instance after upgrading
+- When satisfied with functionality of upgraded secondary instances, upgrade
+  the primary instance
diff --git a/website/pages/docs/upgrading/plugins.mdx b/website/pages/docs/upgrading/plugins.mdx
new file mode 100644
index 000000000000..9f74e8fac3f6
--- /dev/null
+++ b/website/pages/docs/upgrading/plugins.mdx
@@ -0,0 +1,41 @@
+---
+layout: docs
+page_title: Upgrading Plugins - Guides
+sidebar_title: Upgrade Plugins
+description: These are general upgrade instructions for Vault plugins.
+---
+
+# Upgrading Vault Plugins
+
+The following procedure details steps for upgrading a plugin that has already
+been registered to the catalog on a running server. This procedure is applicable
+to secret, auth, and database plugins.
+
+## Upgrade Procedure
+
+Vault executes plugin binaries when they are configured and roles are established
+around them. The binary cannot be modified or replaced while running, so
+upgrades cannot be performed by simply swapping the binary and updating the hash
+in the plugin catalog.
+
+Instead, you can restart or reload a plugin with the
+`sys/plugins/reload/backend` [API][plugin_reload_api]. Follow these steps to
+replace or upgrade a Vault plugin binary:
+
+1. Register plugin_v1 to the catalog
+2. Mount the plugin backend
+3. Register plugin_v2 to the catalog under the same plugin name, but with
+   updated command to run plugin_v2 and updated sha256 of plugin_v2
+4. Trigger a plugin reload with `sys/plugins/reload/backend` to reload all
+   mounted backends using that plugin or a subset of the mounts using that plugin
+   with either the `plugin` or `mounts` parameter respectively.
+
+Until step 4, the mount will still use plugin_v1, and when the reload is
+triggered, Vault will kill plugin_v1’s process and start a plugin_v2 process.
+
+-> **Important:** Plugin reload of a new plugin binary must be
+performed on each Vault instance. Performing a plugin upgrade on a single
+instance or through a load balancer can result in mismatched
+plugin binaries within a cluster.
+
+[plugin_reload_api]: /api/system/plugins-reload-backend.html
diff --git a/website/pages/docs/upgrading/upgrade-to-0.10.0.mdx b/website/pages/docs/upgrading/upgrade-to-0.10.0.mdx
new file mode 100644
index 000000000000..e4ab74b3ca9f
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.10.0.mdx
@@ -0,0 +1,162 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.10.0 - Guides
+sidebar_title: Upgrade to 0.10.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.10.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.10.0 compared to 0.9.0. Please read it carefully.
+
+## Changes Since 0.9.6
+
+### Database Plugin Compatibility
+
+The database plugin interface was enhanced to support some additional
+functionality related to root credential rotation and supporting templated
+URL strings. The changes were made in a backwards-compatible way and all
+builtin plugins were updated with the new features. Custom plugins not built
+into Vault will need to be upgraded to support templated URL strings and
+root rotation. Additionally, the Initialize method was deprecated in favor
+of a new Init method that supports configuration modifications that occur in
+the plugin back to the primary data store.
+
+### Removal of Returned Secret Information
+
+For a long time Vault has returned configuration given to various secret
+engines and auth methods with secret values (such as secret API keys or
+passwords) still intact, and with a warning to the user on write that anyone
+with read access could see the secret. This was mostly done to make it easy for
+tools like Terraform to judge whether state had drifted. However, it also feels
+quite un-Vault-y to do this and we've never felt very comfortable doing so. In
+0.10 we have gone through and removed this bevhavior from the various backends;
+fields which contained secret values are simply no longer returned on read. We
+are working with the Terraform team to make changes to their provider to
+accommodate this as best as possible, and users of other tools may have to make
+adjustments, but in the end we felt that the ends did not justify the means and
+we needed to prioritize security over operational convenience.
+
+### LDAP Auth Method Case Sensitivity
+
+We now treat usernames and groups configured locally for policy assignment in a
+case insensitive fashion by default. Existing configurations will continue to
+work as they do now; however, the next time a configuration is written
+`case_sensitive_names` will need to be explicitly set to `true`.
+
+### TTL Handling Moved to Core
+
+All lease TTL handling has been centralized within the core of Vault to ensure
+consistency across all backends. Since this was previously delegated to
+individual backends, there may be some slight differences in TTLs generated
+from some backends.
+
+### Default `secret/` Mount is Deprecated
+
+In 0.12 we will stop mounting `secret/` by default at initialization time (it
+will still be available in `dev` mode).
+
+## Full List Since 0.9.0
+
+### Change to AWS Role Output
+
+The AWS authentication backend now allows binds for inputs as either a
+comma-delimited string or a string array. However, to keep consistency with
+input and output, when reading a role the binds will now be returned as string
+arrays rather than strings.
+
+### Change to AWS IAM Auth ARN Prefix Matching
+
+In order to prefix-match IAM role and instance profile ARNs in AWS auth
+backend, you now must explicitly opt-in by adding a `*` to the end of the ARN.
+Existing configurations will be upgraded automatically, but when writing a new
+role configuration the updated behavior will be used.
+
+### Backwards Compatible CLI Changes
+
+This upgrade guide is typically reserved for breaking changes, however it
+is worth calling out that the CLI interface to Vault has been completely
+revamped while maintaining backwards compatibility. This could lead to
+potential confusion while browsing the latest version of the Vault
+documentation on vaultproject.io.
+
+All previous CLI commands should continue to work and are backwards
+compatible in almost all cases.
+
+Documentation for previous versions of Vault can be accessed using
+the GitHub interface by browsing tags (eg [0.9.1 website tree](https://github.com/hashicorp/vault/tree/v0.9.1/website)) or by
+[building the Vault website locally](https://github.com/hashicorp/vault/tree/v0.9.1/website#running-the-site-locally).
+
+### `sys/health` DR Secondary Reporting
+
+The `replication_dr_secondary` bool returned by `sys/health` could be
+misleading since it would be `false` both when a cluster was not a DR secondary
+but also when the node is a standby in the cluster and has not yet fully
+received state from the active node. This could cause health checks on LBs to
+decide that the node was acceptable for traffic even though DR secondaries
+cannot handle normal Vault traffic. (In other words, the bool could only convey
+"yes" or "no" but not "not sure yet".) This has been replaced by
+`replication_dr_mode` and `replication_perf_mode` which are string values that
+convey the current state of the node; a value of `disabled` indicates that
+replication is disabled or the state is still being discovered. As a result, an
+LB check can positively verify that the node is both not `disabled` and is not
+a DR secondary, and avoid sending traffic to it if either is true.
+
+### PKI Secret Backend Roles Parameter Types
+
+For `ou` and `organization` in role definitions in the PKI secret backend,
+input can now be a comma-separated string or an array of strings. Reading a
+role will now return arrays for these parameters.
+
+### Plugin API Changes
+
+The plugin API has been updated to utilize golang's context.Context package.
+Many function signatures now accept a context object as the first parameter.
+Existing plugins will need to pull in the latest Vault code and update their
+function signatures to begin using context and the new gRPC transport.
+
+### AppRole Case Sensitivity
+
+In prior versions of Vault, `list` operations against AppRole roles would
+require preserving case in the role name, even though most other operations
+within AppRole are case-insensitive with respect to the role name. This has
+been fixed; existing roles will behave as they have in the past, but new roles
+will act case-insensitively in these cases.
+
+### Token Auth Backend Roles Parameter Types
+
+For `allowed_policies` and `disallowed_policies` in role definitions in the
+token auth backend, input can now be a comma-separated string or an array of
+strings. Reading a role will now return arrays for these parameters.
+
+### Transit Key Exporting
+
+You can now mark a key in the `transit` backend as `exportable` at any time,
+rather than just at creation time; however, once this value is set, it still
+cannot be unset.
+
+### PKI Secret Backend Roles Parameter Types
+
+For `allowed_domains` and `key_usage` in role definitions in the PKI secret
+backend, input can now be a comma-separated string or an array of strings.
+Reading a role will now return arrays for these parameters.
+
+### SSH Dynamic Keys Method Defaults to 2048-bit Keys
+
+When using the dynamic key method in the SSH backend, the default is now to use
+2048-bit keys if no specific key bit size is specified.
+
+### Consul Secret Backend Lease Handling
+
+The `consul` secret backend can now accept both strings and integer numbers of
+seconds for its lease value. The value returned on a role read will be an
+integer number of seconds instead of a human-friendly string.
+
+### Unprintable Characters Not Allowed in API Paths
+
+Unprintable characters are no longer allowed in names in the API (paths and
+path parameters), with an extra restriction on whitespace characters. Allowed
+characters are those that are considered printable by Unicode plus spaces.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.10.2.mdx b/website/pages/docs/upgrading/upgrade-to-0.10.2.mdx
new file mode 100644
index 000000000000..1fdd16dc13b4
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.10.2.mdx
@@ -0,0 +1,27 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.10.2 - Guides
+sidebar_title: Upgrade to 0.10.2
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.10.2. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.10.2 compared to 0.10.1. Please read it carefully.
+
+### Convergent Encryption version 3
+
+If you are using `transit`'s convergent encryption feature, which prior to this
+release was at version 2, we recommend
+[rotating](https://www.vaultproject.io/api/secret/transit/index.html#rotate-key)
+your encryption key (the new key will use version 3) and
+[rewrapping](https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data)
+your data to mitigate the chance of offline plaintext-confirmation attacks.
+
+### PKI duration return types
+
+The PKI backend now returns durations (e.g. when reading a role) as an integer
+number of seconds instead of a Go-style string.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.10.4.mdx b/website/pages/docs/upgrading/upgrade-to-0.10.4.mdx
new file mode 100644
index 000000000000..c10563d01468
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.10.4.mdx
@@ -0,0 +1,35 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.10.4 - Guides
+sidebar_title: Upgrade to 0.10.4
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.10.4. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.10.4 compared to 0.10.3. Please read it carefully.
+
+### Revocations of dynamic secrets leases now asynchronous
+
+Dynamic secret lease revocation are now queued/asynchronous rather
+than synchronous. This allows Vault to take responsibility for revocation
+even if the initial attempt fails. The previous synchronous behavior can be
+attained via the `-sync` CLI flag or `sync` API parameter. When in
+synchronous mode, if the operation results in failure it is up to the user
+to retry.
+
+### CLI Retries
+
+The CLI will no longer retry commands on 5xx errors. This was a
+source of confusion to users as to why Vault would "hang" before returning a
+5xx error. The Go API client still defaults to two retries.
+
+### Identity Entity Alias metadata
+
+You can no longer manually set metadata on
+entity aliases. All alias data (except the canonical entity ID it refers to)
+is intended to be managed by the plugin providing the alias information, so
+allowing it to be set manually didn't make sense.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.11.0.mdx b/website/pages/docs/upgrading/upgrade-to-0.11.0.mdx
new file mode 100644
index 000000000000..e0411efb00bd
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.11.0.mdx
@@ -0,0 +1,148 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.11.0 - Guides
+sidebar_title: Upgrade to 0.11.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.11.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.11.0 compared to 0.10.0. Please read it carefully.
+
+## Known Issues
+
+### Nomad Integration
+
+Users that integrate Vault with Nomad should hold off on upgrading. A modification to
+Vault's API is causing a runtime issue with the Nomad to Vault integration.
+
+### Minified JSON Policies
+
+Users that generate policies in minfied JSON may cause a parsing errors due to
+a regression in the policy parser when it encounters repeating brackets. Although
+HCL is the official language for policies in Vault, HCL is JSON compatible and JSON
+should work in place of HCL. To work around this error, pretty print the JSON policies
+or add spaces between repeating brackets. This regression will be addressed in
+a future release.
+
+### Common Mount Prefixes
+
+Before running the upgrade, users should run `vault secrets list` and `vault auth list`
+to check their mount table to ensure that mounts do not have common prefix "folders".  
+For example, if there is a mount with path `team1/` and a mount with path `team1/secrets`,
+Vault will fail to unseal. Before upgrade, these mounts must be remounted at a path that
+does not share a common prefix.
+
+## Changes Since 0.10.4
+
+### Request Timeouts
+
+A default request timeout of 90s is now enforced. This setting can be
+overwritten in the config file. If you anticipate requests taking longer than
+90s this setting should be configured before upgrading.
+
+### `sys/` Top Level Injection
+
+For the last two years for backwards compatibility data for various `sys/`
+routes has been injected into both the Secret's Data map and into the top level
+of the JSON response object. However, this has some subtle issues that pop up
+from time to time and is becoming increasingly complicated to maintain, so it's
+finally being removed.
+
+### Path Fallback for List Operations
+
+For a very long time Vault has automatically adjusted `list` operations to
+always end in a `/`, as list operations operates on prefixes, so all list
+operations by definition end with `/`. This was done server-side so affects all
+clients. However, this has also led to a lot of confusion for users writing
+policies that assume that the path that they use in the CLI is the path used
+internally. Starting in 0.11, ACL policies gain a new fallback rule for
+listing: they will use a matching path ending in `/` if available, but if not
+found, they will look for the same path without a trailing `/`. This allows
+putting `list` capabilities in the same path block as most other capabilities
+for that path, while not providing any extra access if `list` wasn't actually
+provided there.
+
+### Performance Standbys On By Default
+
+If your flavor/license of Vault Enterprise supports Performance Standbys, they
+are on by default. You can disable this behavior per-node with the
+`disable_performance_standby` configuration flag.
+
+### AWS Secret Engine Roles
+
+Roles in the AWS Secret Engine were previously ambiguous. For example, if the
+`arn` parameter had been specified, that could have been interpreted as the ARN
+of an AWS IAM policy to attach to an IAM user or it could have been the ARN of
+an AWS role to assume. Now, types are explicit, both in terms of what
+credential type is being requested (e.g., an IAM User or an Assumed Role?) as
+well as the parameters being sent to vault (e.g., the IAM policy document
+attached to an IAM user or used during a GetFederationToken call). All
+credential retrieval remains backwards compatible as does updating role data.
+However, the data returned when reading role data is now different and
+breaking, so anything which reads role data out of Vault will need to be
+updated to handle the new role data format.
+
+While creating/updating roles remains backwards compatible, the old parameters
+are now considered deprecated. You should use the new parameters as documented
+in the API docs.
+
+As part of this, the `/aws/creds/` and `/aws/sts/` endpoints have been merged,
+with the behavior only differing as specified below. The `/aws/sts/` endpoint
+is considered deprecated and should only be used when needing backwards
+compatibility.
+
+All roles will be automatically updated to the new role format when accessed.
+However, due to the way role data was previously being stored in Vault, it's
+possible that invalid data was stored that both make the upgrade impossible as
+well as would have made the role unable to retrieve credentials. In this
+situation, the previous role data is returned in an `invalid_data` key so you
+can inspect what used to be in the role and correct the role data if desired.
+One consequence of the prior AWS role storage format is that a single Vault
+role could have led to two different AWS credential types being retrieved when
+a `policy` parameter was stored. In this case, these legacy roles will be
+allowed to retrieve both IAM User and Federation Token credentials, with the
+credential type depending on the path used to access it (IAM User if accessed
+via the `/aws/creds/<role_name>` endpoint and Federation Token if accessed via
+the `/aws/sts/<role_name>` endpoint).
+
+## Full List Since 0.10.0
+
+### Revocations of dynamic secrets leases now asynchronous
+
+Dynamic secret lease revocation are now queued/asynchronous rather
+than synchronous. This allows Vault to take responsibility for revocation
+even if the initial attempt fails. The previous synchronous behavior can be
+attained via the `-sync` CLI flag or `sync` API parameter. When in
+synchronous mode, if the operation results in failure it is up to the user
+to retry.
+
+### CLI Retries
+
+The CLI will no longer retry commands on 5xx errors. This was a
+source of confusion to users as to why Vault would "hang" before returning a
+5xx error. The Go API client still defaults to two retries.
+
+### Identity Entity Alias metadata
+
+You can no longer manually set metadata on
+entity aliases. All alias data (except the canonical entity ID it refers to)
+is intended to be managed by the plugin providing the alias information, so
+allowing it to be set manually didn't make sense.
+
+### Convergent Encryption version 3
+
+If you are using `transit`'s convergent encryption feature, which prior to this
+release was at version 2, we recommend
+[rotating](https://www.vaultproject.io/api/secret/transit/index.html#rotate-key)
+your encryption key (the new key will use version 3) and
+[rewrapping](https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data)
+your data to mitigate the chance of offline plaintext-confirmation attacks.
+
+### PKI duration return types
+
+The PKI backend now returns durations (e.g. when reading a role) as an integer
+number of seconds instead of a Go-style string.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.11.2.mdx b/website/pages/docs/upgrading/upgrade-to-0.11.2.mdx
new file mode 100644
index 000000000000..2ef18323d72f
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.11.2.mdx
@@ -0,0 +1,24 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.11.2 - Guides
+sidebar_title: Upgrade to 0.11.2
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.11.2. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.11.2 compared to 0.11.1. Please read it carefully.
+
+### `sys/seal-status` Behavior Change
+
+The `sys/seal-status` endpoint now includes an initialized boolean in the
+output. If Vault is not initialized, it will return a 200 with this value
+set false instead of a 400
+
+### Mount Config Passthrough Headers
+
+The mount config option for `passthrough_request_headers` will now deny
+certain headers from being provided to backends based on a global denylist.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.11.6.mdx b/website/pages/docs/upgrading/upgrade-to-0.11.6.mdx
new file mode 100644
index 000000000000..43dd71e14378
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.11.6.mdx
@@ -0,0 +1,20 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.11.6 - Guides
+sidebar_title: Upgrade to 0.11.6
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.11.6. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.11.6 compared to 0.11.5. Please read it carefully.
+
+### Database Secret Engine Role Reads
+
+On role read, empty statements will be returned as empty
+slices instead of potentially being returned as JSON null values. This makes it
+more in line with other parts of Vault and makes it easier for statically typed
+languages to interpret the values.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.5.0.mdx b/website/pages/docs/upgrading/upgrade-to-0.5.0.mdx
new file mode 100644
index 000000000000..71ef522fb4e2
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.5.0.mdx
@@ -0,0 +1,142 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.5.0 - Guides
+sidebar_title: Upgrade to 0.5.0
+description: |-
+  This page contains the full list of breaking changes for Vault 0.5, including
+  actions you must take to facilitate a smooth upgrade path.
+---
+
+# Overview
+
+This page contains the list of breaking changes for Vault 0.5. Please read it
+carefully.
+
+Please note that these are changes to Vault itself. Client libraries maintained
+by HashiCorp have been updated with support for these changes, but if you are
+using community-supported libraries, you should ensure that they are ready for
+Vault 0.5 before upgrading.
+
+## Rekey Requires Nonce
+
+Vault now generates a nonce when a rekey operation is started in order to
+ensure that the operation cannot be hijacked. The nonce is output when the
+rekey operation is started and when rekey status is requested.
+
+The nonce must be provided as part of the request parameters when providing an
+unseal key. The nonce can be communicated from the request initiator to unseal
+key holders via side channels; the unseal key holders can then verify the nonce
+(by providing it) when they submit their unseal key.
+
+As a convenience, if using the CLI interactively to provide the unseal key, the
+nonce will be displayed for verification but the user will not be required to
+manually re-type it.
+
+## `TTL` Field in Token Lookup
+
+Previously, the `ttl` field returned when calling `lookup` or `lookup-self` on
+the token auth method displayed the TTL set at token creation. It
+now displays the time remaining (in seconds) for the token's validity period.
+The original behavior has been moved to a field named `creation_ttl`.
+
+## Grace Periods Removed
+
+Vault no longer uses grace periods internally for leases or token TTLs.
+Previously these were set by backends and could differ greatly from one backend
+to another, causing confusion. TTLs (the `lease_duration` field for a lease,
+or, for a token lookup, the `ttl`) are now exact.
+
+## `token-renew` CLI Command
+
+If the token given for renewal is the same as the token in use by the client,
+the `renew-self` endpoint will be used in the API rather than the `renew`
+endpoint. Since the `default` policy contains `auth/token/renew-self` this
+makes it much more likely that the request will succeed rather than somewhat
+confusingly failing due to a lack of permissions on `auth/token/renew`.
+
+## `status` CLI Command
+
+The `status` CLI command now returns an exit code of `0` for an unsealed Vault
+(as before), `2` for a sealed Vault, and `1` for an error. This keeps error
+return codes consistent across commands.
+
+## Transit Upsertion Behavior Uses Capabilities
+
+Previously, attempting to encrypt with a key that did not exist would create a
+key with default values. This was convenient but ultimately allowed a client to
+potentially escape an ACL policy restriction, albeit without any dangerous
+access. Now that Vault supports more granular capabilities in policies,
+upsertion behavior is controlled by whether the client has the `create`
+capability for the request (upsertion is allowed) or only the `update`
+capability (upsertion is denied).
+
+## etcd Physical Backend Uses `sync`
+
+The `etcd` physical backend now supports `sync` functionality and it is turned
+on by default, which maps to the upstream library's default. It can be
+disabled; see the configuration page for information.
+
+## S3 Physical Backend Prefers Environment Variables
+
+The `s3` physical backend now prefers environment variables over configuration
+file variables. This matches the behavior of the rest of the backends and of
+Vault generally.
+
+## Lease Default and Renewal Handling
+
+All backends now honor system and mount-specific default and maximum lease
+times, except when specifically overridden by backend configuration or role
+parameters, or when doing so would not make sense (e.g. AWS STS tokens cannot
+have a lifetime of greater than 1 hour).
+
+This allows for a _much_ more uniform approach to managing leases on both the
+operational side and the user side, and removes much ambiguity and uncertainty
+resulting from backend-hardcoded limits.
+
+However, also this means that the leases generated by the backends may return
+significantly different TTLs in 0.5 than in previous versions, unless they have
+been preconfigured. You can use the `mount-tune` CLI command or the
+`/sys/mounts/<mount point>/tune` endpoint to adjust default and max TTL
+behavior for any mount. This is supported in 0.4, so you can perform this
+tuning before upgrading.
+
+The following list details the ways in which lease handling has changed
+per-backend. In all cases the "mount TTL" means the mount-specific value for
+default or max TTL; however, if no value is set on a given mount, the system
+default/max values are used. This lists only the changes; any lease-issuing
+or renew function not listed here behaves the same as in 0.4.
+
+(As a refresher: the default TTL is the amount of time that the initial
+lease/token is valid for before it must be renewed; the maximum TTL is the
+amount of time a lease or token is valid for before it can no longer be renewed
+and must be reissued. A mount can be more restrictive with its maximum TTL, but
+cannot be less restrictive than the mount's maximum TTL.)
+
+#### Credential (Auth) Backends
+
+- `github` – The renewal function now uses the backend's configured maximum
+  TTL, if set; otherwise, the mount maximum TTL is used.
+- `ldap` – The renewal function now uses the mount default TTL instead of always
+  using one hour.
+- `token` – Tokens can no longer be renewed forever; instead, they now honor the
+  mount default/max TTL.
+- `userpass` – The renew function now uses the backend's configured maximum TTL,
+  if set; otherwise the mount maximum TTL is used.
+
+#### Secrets Engines
+
+- `aws` – New IAM roles no longer always have a default TTL of one hour, instead
+  honoring the configured default if available and the mount default TTL if not
+  (renewal always used the configured values if available). STS tokens return a
+  TTL corresponding to the lifetime of the token in AWS and cannot be renewed.
+- `cassandra` – `lease_grace_period` has been removed since Vault no longer uses
+  grace periods.
+- `consul` – The mount default TTL is now used as the default TTL if there is no
+  backend configuration parameter. Renewal now uses the mount default and
+  maximum TTLs.
+- `mysql` – The mount default TTL is now used as the default TTL if there is no
+  backend configuration parameter.
+- `postgresql` – The mount default TTL is now used as the default TTL if there
+  is no backend configuration parameter. In addition, there is no longer any
+  grace period with the time configured for password expiration within Postgres
+  itself.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.5.1.mdx b/website/pages/docs/upgrading/upgrade-to-0.5.1.mdx
new file mode 100644
index 000000000000..4a95725cc7e5
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.5.1.mdx
@@ -0,0 +1,60 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.5.1 - Guides
+sidebar_title: Upgrade to 0.5.1
+description: |-
+  This page contains the list of breaking changes for Vault 0.5.1. Please read
+  it carefully.
+---
+
+# Overview
+
+This page contains the list of breaking changes for Vault 0.5.1. Please read it
+carefully.
+
+## PKI Backend Disallows RSA Keys < 2048 Bits
+
+The PKI backend now refuses to issue a certificate, sign a CSR, or save a role
+that specifies an RSA key of less than 2048 bits. Smaller keys are considered
+unsafe and are disallowed in the Internet PKI. Although this may require
+updating your roles, we do not expect any other breaks from this; since its
+inception the PKI backend has mandated SHA256 hashes for its signatures, and
+software able to handle these certificates should be able to handle
+certificates with >= 2048-bit RSA keys as well.
+
+## PKI Backend Does Not Automatically Delete Expired Certificates
+
+The PKI backend now does not automatically delete expired certificates,
+including from the CRL. Doing so could lead to a situation where a time
+mismatch between the Vault server and clients could result in a certificate
+that would not be considered expired by a client being removed from the CRL.
+
+Vault strives for determinism and putting the operator in control, so expunging
+expired certificates has been moved to a new function at `pki/tidy`. You can
+flexibly determine whether to tidy up from the revocation list, the general
+certificate storage, or both. In addition, you can specify a safety buffer
+(defaulting to 72 hours) to ensure that any time discrepancies between your
+hosts is accounted for.
+
+## Cert auth method Performs Client Checking During Renewals
+
+The `cert` backend now performs a variant of channel binding at renewal time
+for increased security. In order to not overly burden clients, a notion of
+identity is used, as follows:
+
+- At both login and renewal time, the validity of the presented client
+  certificate is checked
+- At login time, the key ID of both the client certificate and its issuing
+  certificate are stored
+- At renewal time, the key ID of both the client certificate and its issuing
+  certificate must match those stored at login time
+
+Matching on the key ID rather than the serial number allows tokens to be
+renewed even if the CA or the client certificate used are rotated; so long as
+the same key was used to generate the certificate (via a CSR) and sign the
+certificate, renewal is allowed. As Vault encourages short-lived secrets,
+including client certificates (for instance, those issued by the `pki`
+backend), this is a useful approach compared to strict issuer/serial number
+checking.
+
+You can use the new `cert/config` endpoint to disable this behavior.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.6.0.mdx b/website/pages/docs/upgrading/upgrade-to-0.6.0.mdx
new file mode 100644
index 000000000000..a81efd5c0c59
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.6.0.mdx
@@ -0,0 +1,55 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.6.0 - Guides
+sidebar_title: Upgrade to 0.6.0
+description: |-
+  This page contains the list of breaking changes for Vault 0.6. Please read it
+  carefully.
+---
+
+# Overview
+
+This page contains the list of breaking changes for Vault 0.6 compared to the
+previous release. Please read it carefully.
+
+## PKI Backend Does Not Issue Leases for CA Certificates
+
+When a token expires, it revokes all leases associated with it. This means that
+long-lived CA certs need correspondingly long-lived tokens, something that is
+easy to forget, resulting in an unintended revocation of the CA certificate
+when the token expires. To prevent this, root and intermediate CA certs no
+longer have associated leases. To revoke these certificates, use the
+`pki/revoke` endpoint.
+
+CA certificates that have already been issued and acquired leases will report
+to the lease manager that revocation was successful, but will not actually be
+revoked and placed onto the CRL.
+
+## The `auth/token/revoke-prefix` Endpoint Has Been Removed
+
+As part of addressing a minor security issue, this endpoint has been removed in
+favor of using `sys/revoke-prefix` for prefix-based revocation of both tokens
+and secrets leases.
+
+## Go API Uses `json.Number` For Decoding
+
+When using the Go API, it now calls `UseNumber()` on the decoder object. As a
+result, rather than always decode as a `float64`, numbers are returned as a
+`json.Number`, where they can be converted, with proper error checking, to
+`int64`, `float64`, or simply used as a `string` value. This fixes some display
+errors where numbers were being decoded as `float64` and printed in scientific
+notation.
+
+## List Operations Return `404` On No Keys Found
+
+Previously, list operations on an endpoint with no keys found would return an
+empty response object. Now, a `404` will be returned instead.
+
+## Consul TTL Checks Automatically Registered
+
+If using the Consul HA storage backend, Vault will now automatically register
+itself as the `vault` service and perform its own health checks/lifecycle
+status management. This behavior can be adjusted or turned off in Vault's
+configuration; see the
+[documentation](/docs/configuration/index.html#check_timeout)
+for details.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.6.1.mdx b/website/pages/docs/upgrading/upgrade-to-0.6.1.mdx
new file mode 100644
index 000000000000..24458557a0e4
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.6.1.mdx
@@ -0,0 +1,104 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.6.1 - Guides
+sidebar_title: Upgrade to 0.6.1
+description: |-
+  This page contains the list of breaking changes for Vault 0.6.1. Please read
+  it carefully.
+---
+
+# Overview
+
+This page contains the list of breaking changes for Vault 0.6.1. Please read it
+carefully.
+
+## Standby Nodes Must Be 0.6.1 As Well
+
+Once an active node is running 0.6.1, only standby nodes running 0.6.1+ will be
+able to form an HA cluster. If following our [general upgrade
+instructions](/guides/upgrading/index.html) this will
+not be an issue.
+
+## Health Endpoint Status Code Changes
+
+Prior to 0.6.1, the health endpoint would return a `500` (Internal Server
+Error) for both a sealed and uninitialized state. In both states this was
+confusing, since it was hard to tell, based on the status code, an actual
+internal error from Vault from a Vault that was simply uninitialized or sealed,
+not to mention differentiating between those two states.
+
+In 0.6.1, a sealed Vault will return a `503` (Service Unavailable) status code.
+As before, this can be adjusted with the `sealedcode` query parameter. An
+uninitialized Vault will return a `501` (Not Implemented) status code. This can
+be adjusted with the `uninitcode` query parameter.
+
+This removes ambiguity/confusion and falls more in line with the intention of
+each status code (including `500`).
+
+## Root Token Creation Restrictions
+
+Root tokens (tokens with the `root` policy) can no longer be created except by
+another root token or the
+[`generate-root`](/api/system/generate-root.html)
+endpoint or CLI command.
+
+## PKI Backend Certificates Will Contain Default Key Usages
+
+Issued certificates from the `pki` backend against roles created or modified
+after upgrading will contain a set of default key usages. This increases
+compatibility with some software that requires strict adherence to RFCs, such
+as OpenVPN.
+
+This behavior is fully adjustable; see the [PKI backend
+documentation](/docs/secrets/pki/index.html) for
+details.
+
+## DynamoDB Does Not Support HA By Default
+
+If using DynamoDB and want to use HA support, you will need to explicitly
+enable it in Vault's configuration; see the
+[documentation](/docs/configuration/index.html#ha_enabled)
+for details.
+
+If you are already using DynamoDB in an HA fashion and wish to keep doing so,
+it is _very important_ that you set this option **before** upgrading your Vault
+instances. Without doing so, each Vault instance will believe that it is
+standalone and there could be consistency issues.
+
+## LDAP Auth Method Forgets Bind Password and Insecure TLS Settings
+
+Due to a bug, these two settings are forgotten if they have been configured in
+the LDAP backend prior to 0.6.1. If you are using these settings with LDAP,
+please be sure to re-submit your LDAP configuration to Vault after the upgrade,
+so ensure that you have a valid token to do so before upgrading if you are
+relying on LDAP authentication for permissions to modify the backend itself.
+
+## LDAP Auth Method Does Not Search `memberOf`
+
+The LDAP backend went from a model where all permutations of storing and
+filtering groups were tried in all cases to one where specific filters are
+defined by the administrator. This vastly increases overall directory
+compatibility, especially with Active Directory when using nested groups, but
+unfortunately has the side effect that `memberOf` is no longer searched for by
+default, which is a breaking change for many existing setups.
+
+`Scenario 2` in the [updated
+documentation](/docs/auth/ldap.html) shows an
+example of configuring the backend to query `memberOf`. It is recommended that
+a test Vault server be set up and that successful authentication can be
+performed using the new configuration before upgrading a primary or production
+Vault instance.
+
+In addition, if LDAP is relied upon for authentication, operators should ensure
+that they have valid tokens with policies allowing modification of LDAP
+parameters before upgrading, so that once an upgrade is performed, the new
+configuration can be specified successfully.
+
+## App-ID is Deprecated
+
+With the addition of of the new [AppRole
+backend](/docs/auth/approle.html), App-ID is
+deprecated. There are no current plans to remove it, but we encourage using
+AppRole whenever possible, as it offers enhanced functionality and can
+accommodate many more types of authentication paradigms. App-ID will receive
+security-related fixes only.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.6.2.mdx b/website/pages/docs/upgrading/upgrade-to-0.6.2.mdx
new file mode 100644
index 000000000000..127393524d99
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.6.2.mdx
@@ -0,0 +1,76 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.6.2 - Guides
+sidebar_title: Upgrade to 0.6.2
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.6.2. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.6.2. Please read it carefully.
+
+## Request Forwarding On By Default
+
+In 0.6.1 this feature was in beta and required opting-in, but is now enabled by
+default. This can be disabled via the `"disable_clustering"` parameter in
+Vault's [config](/docs/configuration/index.html), or
+per-request with the `X-Vault-No-Request-Forwarding` header.
+
+## AppRole Role Constraints
+
+Creating or updating a role now requires at least one constraint to be enabled,
+whereas previously it was sufficient to require only the role ID by itself.
+Currently there are two constraints: `bind_secret_id` and `bound_cidr_list`.
+`bind_secret_id` is enabled by default. Roles which were previously using only
+the role ID for authentication will continue to work but will require a
+constraint to be specified if updated.
+
+## Convergent Encryption v2
+
+New keys in `transit` using convergent mode will use a new nonce derivation
+mechanism rather than require the user to supply a nonce. While not explicitly
+increasing security, it minimizes the likelihood that a user will use the mode
+improperly and impact the security of their keys. Keys in convergent mode that
+were created in 0.6.1 will continue to work with the same mechanism
+(user-supplied nonce).
+
+## `etcd` HA Off By Default
+
+Following in the footsteps of `dynamodb`, the `etcd` storage backend now
+requires that `ha_enabled` be explicitly specified in the configuration file.
+The backend currently has known broken HA behavior, so this flag discourages
+use by default without explicitly enabling it. If you are using this
+functionality, when upgrading, you should set `ha_enabled` to `"true"` _before_
+starting the new versions of Vault.
+
+## Reading Wrapped Responses From `cubbyhole/response` Is Deprecated
+
+The `sys/wrapping/unwrap` endpoint should be used instead as it provides
+additional security, auditing, and other benefits. The ability to read directly
+will be removed in a future release.
+
+## Default/Max Lease/Token TTLs Now 32 Days
+
+In previous versions of Vault the default was 30 days, but changing it to 32
+days allows some operations (e.g. reauthenticating, renewing, etc.) to be
+performed via a monthly cron job.
+
+## AppRole Secret ID Endpoints Changed
+
+Secret ID and Secret ID accessors are no longer part of request URLs. The `GET`
+and `DELETE` operations are now moved to new endpoints (`/lookup` and
+`/destroy`) which consumes the input from the body via `POST` (or `PUT`) and
+not the URL.
+
+## Behavior Change for `bound_iam_role_arn` in AWS-EC2 Backend
+
+In prior versions a bug caused the `bound_iam_role_arn` value in the `aws-ec2`
+auth method to actually use the instance profile ARN. This has been
+corrected, but as a result there is a behavior change. To match using the
+instance profile ARN, a new parameter `bound_iam_instance_profile_arn` has been
+added. Existing roles will automatically transfer the value over to the correct
+parameter, but the next time the role is updated, the new meanings will take
+effect.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.6.3.mdx b/website/pages/docs/upgrading/upgrade-to-0.6.3.mdx
new file mode 100644
index 000000000000..16b1d31161de
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.6.3.mdx
@@ -0,0 +1,36 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.6.3 - Guides
+sidebar_title: Upgrade to 0.6.3
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.6.3. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.6.3. Please read it carefully.
+
+## LDAP Null Binds Disabled By Default
+
+When using the LDAP auth method, `deny_null_bind` has a default value of
+`true`, preventing a successful user authentication when an empty password
+is provided. If you utilize passwordless LDAP binds, `deny_null_bind` must
+be set to `false`. Upgrades will keep previous behavior until the LDAP
+configuration information is rewritten, at which point the new behavior
+will be utilized.
+
+## Request Size Limitation
+
+A maximum request size of 32MB is imposed to prevent a denial of service attack
+with arbitrarily large requests.
+
+## Any Audit Device Successfully Activated Allows Active Duty
+
+Previously, when a new Vault node was taking over service in an HA cluster, all
+audit devices were required to be active successfully to take over active
+duty. This behavior now matches the behavior of the audit logging system
+itself: at least one audit device must successfully be activated. The server
+log contains an error when this occurs. This helps keep a Vault HA cluster
+working when there is a misconfiguration on a standby node.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.6.4.mdx b/website/pages/docs/upgrading/upgrade-to-0.6.4.mdx
new file mode 100644
index 000000000000..f21f0e117eaf
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.6.4.mdx
@@ -0,0 +1,84 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.6.4 - Guides
+sidebar_title: Upgrade to 0.6.4
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.6.4. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.6.4. Please read it carefully.
+
+Note: both of these are security sensitive changes.
+
+## Changes to `default` Policy Addition Rules for `auth/token/create`
+
+An issue was reported indicating that in some cases, the stated behavior of the
+`default` policy being added to tokens unless specifically requested could lead
+to a privilege escalation scenario if the parent token did not itself have the
+`default` policy. In most cases (e.g. using the default `default` policy) the
+escalated privileges are unlikely to be dangerous, but this behavior is
+undesired.
+
+As such, we have modified the rules around `default` in a few ways when
+creating tokens using this endpoint:
+
+1. If a token creation request does not specify desired policies, the parent's
+   policies will be used (as normal) but `default` will not be automatically
+   added, so the child token will only have `default` if the parent does
+2. If a token creation request specifies desired policies, `default` will be
+   added automatically if and only if the parent token has `default`
+3. If the parent token has `sudo` capability on the token creation endpoint,
+   `default` is always added; since `sudo` capability on this endpoint allows
+   adding any policy, this is not privilege escalation with respect to the
+   parent token-holder
+4. When using token store roles, `default` is always added to the list of child
+   token policies unless `default` is contained in `disallowed_policies`
+
+**Regardless of provenance**, if a token being created has the `default` policy
+and `no_default_policy` has been set `true` for the request, the `default`
+policy will be stripped from the final set of policies.
+
+## Many Users Should Run `auth/token/tidy`
+
+While investigating a report of accessor entries not being removed correctly
+from Vault's data store, a security issue was discovered: if limited use-count
+tokens are being used and expire due to the use-count dropping to zero (rather
+than due to the token's TTL expiring or the token being explicitly revoked),
+several pieces of Vault's token revocation logic would not be properly run.
+This included cleaning up the associated accessor entry from the data store,
+but more importantly, included the logic used to immediately expire leases
+associated with the token.
+
+These leases would not live forever; they would still be expired when their TTL
+ran out. This limits the severity of this issue, but it is still a potentially
+serious bug depending on each particular operational scenario.
+
+To mitigate this issue we have taken the following steps:
+
+1. Updated the token revocation logic to be more resilient to failures that can
+   happen as it performs its various steps; the revocation will now properly
+   only be considered successful if no error has occurred. In addition, the
+   token entry will remain in the data store (but _not_ be usable for
+   performing Vault functions) until all aspects of revocation report success,
+   allowing future revocation requests to succeed if the underlying cause of the
+   failure has been addressed.
+
+2. Added a function `auth/token/tidy` that can both clean up the leaked
+   accessor entries and expire the leases associated with those accessors'
+   tokens.
+
+In most cases, running `auth/token/tidy` should expire all outstanding
+leases that were generated by these revoked limited-use-count tokens.
+
+If you are both using limited-use-count tokens _and_ you are using them to
+issue leased secrets, you should consider upgrading to 0.6.4 and running the
+`auth/token/tidy` endpoint immediately. Please note that running this function
+involves a lot of requests to the data store, so plan load accordingly.
+
+Note: response wrapping tokens do not allow generating leases but have still
+been subject to leaking the accessor entries, so if you have been a heavy user
+of response wrapping you should still consider running the tidy function.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.7.0.mdx b/website/pages/docs/upgrading/upgrade-to-0.7.0.mdx
new file mode 100644
index 000000000000..9203e28e141e
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.7.0.mdx
@@ -0,0 +1,39 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.7.0 - Guides
+sidebar_title: Upgrade to 0.7.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.7.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.7.0 compared to the most recent release. Please read it carefully.
+
+## List Operations Always Use Trailing Slash
+
+Any list operation, whether via the `GET` or `LIST` HTTP verb, will now
+internally canonicalize the path to have a trailing slash. This makes policy
+writing more predictable, as it means clients will no longer work or fail
+based on which client they're using or which HTTP verb they're using. However,
+it also means that policies allowing `list` capability must be carefully
+checked to ensure that they contain a trailing slash; some policies may need
+to be split into multiple stanzas to accommodate.
+
+## PKI Defaults to Unleased Certificates
+
+When issuing certificates from the PKI backend, by default, no leases will be
+issued. If you want to manually revoke a certificate, its serial number can be
+used with the `pki/revoke` endpoint. Issuing leases is still possible by
+enabling the `generate_lease` toggle in PKI role entries (this will default to
+`true` for upgrades, to keep existing behavior), which will allow using lease
+IDs to revoke certificates. For installations issuing large numbers of
+certificates (tens to hundreds of thousands, or millions), this will
+significantly improve Vault startup time since leases associated with these
+certificates will not have to be loaded; however note that it also means that
+revocation of a token used to issue certificates will no longer add these
+certificates to a CRL. If this behavior is desired or needed, consider keeping
+leases enabled and ensuring lifetimes are reasonable, and issue long-lived
+certificates via a different role with leases disabled.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.8.0.mdx b/website/pages/docs/upgrading/upgrade-to-0.8.0.mdx
new file mode 100644
index 000000000000..f221c53067ce
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.8.0.mdx
@@ -0,0 +1,53 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.8.0 - Guides
+sidebar_title: Upgrade to 0.8.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.8.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.8.0 compared to the most recent release. Please read it carefully.
+
+## Enterprise Upgrade Procedure
+
+If you are upgrading from Vault Enterprise, you should take one of the
+following upgrade paths. Please note that reindexing stops the ability of the
+node to process requests while the indexing is happening. As a result, you may
+want to plan the upgrade for a time when either no writes to the primary are
+expected and secondaries can handle traffic (if using replication), or when
+there is a maintenance window.
+
+There are two reindex processes that need to happen during the upgrade, for two
+different indexes. One will happen automatically when the cluster is upgraded
+to 0.8.0. _This happens even if you are not currently using replication._ The
+other can be done in one of a few ways, as follows.
+
+### If Not Using Replication
+
+If not using replication, no further action needs to be taken.
+
+### If Using Replication
+
+#### Option 1: Reindex the Primary, then Upgrade Secondaries
+
+The first option is to issue a write to [`sys/replication/reindex`][reindex] on the
+primary (it is not necessary on the secondaries). When the reindex on the
+primary is finished, upgrade the secondaries, then upgrade the primary.
+
+#### Option 2: Upgrade All Nodes Simultaneously
+
+The second option is to upgrade all nodes to 0.8.0 at the same time. This
+removes the need to perform an explicit reindex but may equate to more down
+time since secondaries will not be able to service requests while the primary
+is performing an explicit reindex.
+
+## `sys/revoke-force` Requires `sudo` Capability
+
+This path was meant to require `sudo` capability but was not implemented this
+way. It now requires `sudo` capability to run.
+
+[reindex]: https://www.vaultproject.io/api/system/replication.html#reindex-replication
diff --git a/website/pages/docs/upgrading/upgrade-to-0.9.0.mdx b/website/pages/docs/upgrading/upgrade-to-0.9.0.mdx
new file mode 100644
index 000000000000..ba93f4d64b63
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.9.0.mdx
@@ -0,0 +1,122 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.9.0 - Guides
+sidebar_title: Upgrade to 0.9.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.9.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.9.0 compared to the most recent release. Please read it carefully.
+
+### PKI Root Generation (Since 0.8.1)
+
+Calling [`pki/root/generate`][generate-root] when a CA cert/key already exists will now return a
+`204` instead of overwriting an existing root. If you want to recreate the
+root, first run a delete operation on `pki/root` (requires `sudo` capability),
+then generate it again.
+
+### Token Period in AWS IAM Auth (Since 0.8.2)
+
+In prior versions of Vault, if authenticating via AWS IAM and requesting a
+periodic token, the period was not properly respected. This could lead to
+tokens expiring unexpectedly, or a token lifetime being longer than expected.
+Upon token renewal with Vault 0.8.2 the period will be properly enforced.
+
+### SSH CLI Parameters (Since 0.8.2)
+
+`vault ssh` users should supply `-mode` and `-role` to reduce the number of API
+calls. A future version of Vault will mark these optional values are required.
+Failure to supply `-mode` or `-role` will result in a warning.
+
+### Vault Plugin Init (Since 0.8.2)
+
+Vault plugins will first briefly run a restricted version of the plugin to
+fetch metadata, and then lazy-load the plugin on first request to prevent
+crash/deadlock of Vault during the unseal process. Plugins will need to be
+built with the latest changes in order for them to run properly.
+
+### Policy Input Format Standardization (Since 0.8.3)
+
+For all built-in authentication backends, policies can now be specified as a
+comma-delimited string or an array if using JSON as API input; on read,
+policies will be returned as an array; and the `default` policy will not be
+forcefully added to policies saved in configurations. Please note that the
+`default` policy will continue to be added to generated tokens, however, rather
+than backends adding `default` to the given set of input policies (in some
+cases, and not in others), the stored set will reflect the user-specified set.
+
+### PKI `sign-self-issued` modifies `Issuer` in generated certificates (Since 0.8.3)
+
+In 0.8.2 the endpoint would not modify the Issuer in the generated certificate,
+leaving the output self-issued. Although theoretically valid, in practice
+crypto stacks were unhappy validating paths containing such certs. As a result,
+`sign-self-issued` now encodes the signing CA's Subject DN into the Issuer DN
+of the generated certificate.
+
+### `sys/raw` requires enabling (Since 0.8.3)
+
+While the `sys/raw` endpoint can be extremely useful in break-glass or support
+scenarios, it is also extremely dangerous. As of now, a configuration file
+option `raw_storage_endpoint` must be set in order to enable this API endpoint.
+Once set, the available functionality has been enhanced slightly; it now
+supports listing and decrypting most of Vault's core data structures, except
+for the encryption keyring itself.
+
+### `generic` is now `kv` (Since 0.8.3)
+
+To better reflect its actual use, the `generic` backend is now `kv`. Using
+`generic` will still work for backwards compatibility.
+
+### HSM Users Need to Specify New Config Options (In 0.9)
+
+When using Vault with an HSM, a new parameter is required: `hmac_key_label`.
+This performs a similar function to `key_label` but for the HMAC key Vault will
+use. Vault will generate a suitable key if this value is specified and
+`generate_key` is set true. See [the seal configuration page][pkcs11-seal] for
+more information.
+
+### API HTTP client behavior (In 0.9)
+
+When calling `NewClient` the API no longer modifies the provided
+client/transport. In particular this means it will no longer enable redirection
+limiting and HTTP/2 support on custom clients. It is suggested that if you want
+to make changes to an HTTP client that you use one created by `DefaultConfig`
+as a starting point.
+
+### AWS EC2 client nonce behavior (In 0.9)
+
+The client nonce generated by the backend that gets returned along with the
+authentication response will be audited in plaintext. If this is undesired, the
+clients can choose to supply a custom nonce to the login endpoint. The custom
+nonce set by the client will from now on, not be returned back with the
+authentication response, and hence not audit logged.
+
+### AWS Auth role options (In 0.9)
+
+The API will now error when trying to create or update a role with the
+mutually-exclusive options `disallow_reauthentication` and
+`allow_instance_migration`.
+
+### SSH CA role read changes (In 0.9)
+
+When reading back a role from the `ssh` backend, the TTL/max TTL values will
+now be an integer number of seconds rather than a string. This better matches
+the API elsewhere in Vault.
+
+### SSH role list changes (In 0.9)
+
+When listing roles from the `ssh` backend via the API, the response data will
+additionally return a `key_info` map that will contain a map of each key with a
+corresponding object containing the `key_type`.
+
+### More granularity in audit logs (In 0.9)
+
+Audit request and response entries are still in RFC3339 format but now have a
+granularity of nanoseconds.
+
+[generate-root]: https://www.vaultproject.io/api/secret/pki/index.html#generate-root
+[pkcs11-seal]: https://www.vaultproject.io/docs/configuration/seal/pkcs11.html
diff --git a/website/pages/docs/upgrading/upgrade-to-0.9.1.mdx b/website/pages/docs/upgrading/upgrade-to-0.9.1.mdx
new file mode 100644
index 000000000000..d18c8f75ce23
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.9.1.mdx
@@ -0,0 +1,56 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.9.1 - Guides
+sidebar_title: Upgrade to 0.9.1
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.9.1. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.9.1 compared to 0.9.0. Please read it carefully.
+
+### AppRole Case Sensitivity
+
+In prior versions of Vault, `list` operations against AppRole roles would
+require preserving case in the role name, even though most other operations
+within AppRole are case-insensitive with respect to the role name. This has
+been fixed; existing roles will behave as they have in the past, but new roles
+will act case-insensitively in these cases.
+
+### Token Auth Backend Roles Parameter Types
+
+For `allowed_policies` and `disallowed_policies` in role definitions in the
+token auth backend, input can now be a comma-separated string or an array of
+strings. Reading a role will now return arrays for these parameters.
+
+### Transit Key Exporting
+
+You can now mark a key in the `transit` backend as `exportable` at any time,
+rather than just at creation time; however, once this value is set, it still
+cannot be unset.
+
+### PKI Secret Backend Roles Parameter Types
+
+For `allowed_domains` and `key_usage` in role definitions in the PKI secret
+backend, input can now be a comma-separated string or an array of strings.
+Reading a role will now return arrays for these parameters.
+
+### SSH Dynamic Keys Method Defaults to 2048-bit Keys
+
+When using the dynamic key method in the SSH backend, the default is now to use
+2048-bit keys if no specific key bit size is specified.
+
+### Consul Secret Backend Lease Handling
+
+The `consul` secret backend can now accept both strings and integer numbers of
+seconds for its lease value. The value returned on a role read will be an
+integer number of seconds instead of a human-friendly string.
+
+### Unprintable Characters Not Allowed in API Paths
+
+Unprintable characters are no longer allowed in names in the API (paths and
+path parameters), with an extra restriction on whitespace characters. Allowed
+characters are those that are considered printable by Unicode plus spaces.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.9.2.mdx b/website/pages/docs/upgrading/upgrade-to-0.9.2.mdx
new file mode 100644
index 000000000000..ab8815cb1f3a
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.9.2.mdx
@@ -0,0 +1,56 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.9.2 - Guides
+sidebar_title: Upgrade to 0.9.2
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.9.2. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.9.2 compared to 0.9.1. Please read it carefully.
+
+### Backwards Compatible CLI Changes
+
+This upgrade guide is typically reserved for breaking changes, however it
+is worth calling out that the CLI interface to Vault has been completely
+revamped while maintaining backwards compatibility. This could lead to
+potential confusion while browsing the latest version of the Vault
+documentation on vaultproject.io.
+
+All previous CLI commands should continue to work and are backwards
+compatible in almost all cases.
+
+Documentation for previous versions of Vault can be accessed using
+the GitHub interface by browsing tags (eg [0.9.1 website tree](https://github.com/hashicorp/vault/tree/v0.9.1/website)) or by
+[building the Vault website locally](https://github.com/hashicorp/vault/tree/v0.9.1/website#running-the-site-locally).
+
+### `sys/health` DR Secondary Reporting
+
+The `replication_dr_secondary` bool returned by `sys/health` could be
+misleading since it would be `false` both when a cluster was not a DR secondary
+but also when the node is a standby in the cluster and has not yet fully
+received state from the active node. This could cause health checks on LBs to
+decide that the node was acceptable for traffic even though DR secondaries
+cannot handle normal Vault traffic. (In other words, the bool could only convey
+"yes" or "no" but not "not sure yet".) This has been replaced by
+`replication_dr_mode` and `replication_perf_mode` which are string values that
+convey the current state of the node; a value of `disabled` indicates that
+replication is disabled or the state is still being discovered. As a result, an
+LB check can positively verify that the node is both not `disabled` and is not
+a DR secondary, and avoid sending traffic to it if either is true.
+
+### PKI Secret Backend Roles Parameter Types
+
+For `ou` and `organization` in role definitions in the PKI secret backend,
+input can now be a comma-separated string or an array of strings. Reading a
+role will now return arrays for these parameters.
+
+### Plugin API Changes
+
+The plugin API has been updated to utilize golang's context.Context package.
+Many function signatures now accept a context object as the first parameter.
+Existing plugins will need to pull in the latest Vault code and update their
+function signatures to begin using context and the new gRPC transport.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.9.3.mdx b/website/pages/docs/upgrading/upgrade-to-0.9.3.mdx
new file mode 100644
index 000000000000..b04ed1f421ab
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.9.3.mdx
@@ -0,0 +1,16 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.9.3 - Guides
+sidebar_title: Upgrade to 0.9.3
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.9.3. Please read it carefully.
+---
+
+# Overview
+
+Due to a rapid release following 0.9.2, there are no version-specific upgrade
+instructions although any upgrade notices for 0.9.2 apply if you are coming
+from a previous version.
+
+Please see the [0.9.2 upgrade guide](/guides/upgrading/upgrade-to-0.9.2.html) for notes on upgrading to 0.9.3.
diff --git a/website/pages/docs/upgrading/upgrade-to-0.9.6.mdx b/website/pages/docs/upgrading/upgrade-to-0.9.6.mdx
new file mode 100644
index 000000000000..15c9712a37fd
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-0.9.6.mdx
@@ -0,0 +1,27 @@
+---
+layout: docs
+page_title: Upgrading to Vault 0.9.6 - Guides
+sidebar_title: Upgrade to 0.9.6
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 0.9.6. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.9.6 compared to 0.9.5. Please read it carefully.
+
+### Change to AWS Role Output
+
+The AWS authentication backend now allows binds for inputs as either a
+comma-delimited string or a string array. However, to keep consistency with
+input and output, when reading a role the binds will now be returned as string
+arrays rather than strings.
+
+### Change to AWS IAM Auth ARN Prefix Matching
+
+In order to prefix-match IAM role and instance profile ARNs in AWS auth
+backend, you now must explicitly opt-in by adding a `*` to the end of the ARN.
+Existing configurations will be upgraded automatically, but when writing a new
+role configuration the updated behavior will be used.
diff --git a/website/pages/docs/upgrading/upgrade-to-1.0.0.mdx b/website/pages/docs/upgrading/upgrade-to-1.0.0.mdx
new file mode 100644
index 000000000000..0060287c5d5d
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.0.0.mdx
@@ -0,0 +1,49 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.0.0 - Guides
+sidebar_title: Upgrade to 1.0.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 1.0.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 0.11.5 compared to 1.0.0. Please read it carefully.
+
+## Token Format Change
+
+Tokens are now prefixed by a designation to indicate what type of token they are. Service tokens start with s. and batch tokens start with b.. Existing tokens will still work (they are all of service type and will be considered as such). Prefixing allows us to be more efficient when consuming a token, which keeps the critical path of requests faster.
+
+## Key Encoding Enforcement
+
+Vault will no longer accept updates when the storage key has invalid UTF-8 character encoding.
+
+## Upsert in Mount Tuning Endpoints
+
+Mount/Auth tuning the options map on backends will now upsert any provided values, and keep any of the existing values in place if not provided. The options map itself cannot be unset once it's set, but the keypairs within the map can be unset if an empty value is provided, with the exception of the version keypair which is handled differently for KVv2 purposes.
+
+## Agent Reauthentication
+
+Agent no longer automatically reauthenticates when new credentials are detected. It's not strictly necessary and in some cases was causing reauthentication much more often than intended.
+
+## HSM Key Regeneration Removed
+
+Vault no longer supports destroying and regenerating encryption keys on an HSM; it only supports creating them. Although this has never been a source of a customer incident, it is simply a code path that is too trivial to activate, especially by mistyping regenerate_key instead of generate_key.
+
+## Seal Upgrade before Migration
+
+When upgrading from Vault 0.8.x, the seal type in the barrier config storage entry will be upgraded from "hsm-auto" to "awskms" or "pkcs11" upon unseal if using AWSKMS or HSM seals. If performing seal migration, the barrier config should first be upgraded prior to starting migration.
+
+## Pooled API Client
+
+The Go API client now uses a connection-pooling HTTP client by default. For CLI operations this makes no difference but it should provide significant performance benefits for those writing custom clients using the Go API library. As before, this can be changed to any custom HTTP client by the caller.
+
+## Plugin Catalog Changes
+
+Builtin Secret Engines and Auth Methods are integrated deeper into the plugin system. The plugin catalog can now override builtin plugins with custom versions of the same name. Additionally the plugin system now requires a plugin type field when configuring plugins, this can be "auth", "database", or "secret".
+
+## Removed Endpoints
+
+Paths within auth/token that allow specifying a token or accessor in the URL have been removed. These have been deprecated since March 2016 and undocumented, but were retained for backwards compatibility. They shouldn't be used due to the possibility of those paths being logged, so at this point they are simply being removed.
diff --git a/website/pages/docs/upgrading/upgrade-to-1.1.0.mdx b/website/pages/docs/upgrading/upgrade-to-1.1.0.mdx
new file mode 100644
index 000000000000..b6068556d1d0
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.1.0.mdx
@@ -0,0 +1,47 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.1.0 - Guides
+sidebar_title: Upgrade to 1.1.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 1.1.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 1.0.3 compared to 1.1.0. Please read it carefully.
+
+## JWT Backend Changes
+
+Specifying the group claims parameter has changed to use a standards based lookup. The groups_claim_delimiter_pattern
+has been removed and if the groups claim is not at the top level, it can now be specified as a JSONPointer.
+
+Additionally, roles now have a "role type" parameter with a default type of "oidc". To configure new JWT roles, a role
+type of "jwt" must be explicitly specified.
+
+## Deprecated CLI Commands Removed
+
+CLI commands deprecated in 0.9.2 are now removed. Please see the CLI help output for updated commands.
+
+## Additional Changes
+
+- Vault no longer automatically mounts a k/v backend at the "secret/" path when initializing Vault.
+- Vault's cluster port will now be opened on HA standby nodes.
+- Vault no longer supports running netRPC plugins. These were deprecated in favor of gRPC based plugins and any plugin built since 0.9.4 defaults to gRPC. Older plugins may need to be recompiled against the latest Vault dependencies.
+
+## Known Issues
+
+-> **NOTE:** This is a known issue applicable to _Vault Enterprise_.
+
+During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may
+require an automatically-triggered reindex, either if upgrading from a pre-0.8
+version of Vault or if a previously-issued reindex operation has failed in the
+past. In these reindex scenarios, the secondary cluster will perform a complete
+WAL replay, which can take a long time and is a partially blocking operation.
+
+This is fixed in [Vault
+1.1.3](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#113-june-5th-2019),
+and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version.
+We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are
+running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.
diff --git a/website/pages/docs/upgrading/upgrade-to-1.1.1.mdx b/website/pages/docs/upgrading/upgrade-to-1.1.1.mdx
new file mode 100644
index 000000000000..6e1370aa592d
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.1.1.mdx
@@ -0,0 +1,69 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.1.1 - Guides
+sidebar_title: Upgrade to 1.1.1
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 1.1.1. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 1.1.0 compared to 1.1.1. Please read it carefully.
+
+## Known Issues
+
+### Issue with some KVv2 mounts
+
+There is a known issue that could cause the upgrade to 1.1.1 to fail under
+certain circumstances. This issue occurs when a KV version 2 mount exists but
+contains no data. This will be fixed in 1.1.2. Additionally a work around does
+exist: prior to upgrading ensure all KV v2 mounts have at least one key written
+to it.
+
+### Change in LDAP Group CN handling
+
+A bug fix to allow group CNs to be found from an LDAP server in lowercase `cn`
+as well as uppercase `CN` had an unintended consequence. If prior to that a
+group used `cn`, as in `cn=foo,ou=bar` then the group that would need to be put
+into place in the LDAP plugin to match against policies is `cn=foo,ou=bar`
+since the CN would not be correctly found. After the change, the CN was
+correctly found, but this would result in the group name being parsed as `foo`
+and would not match groups using the full DN. In 1.1.5+, there is a boolean
+config setting `use_pre111_group_cn_behavior` to allow reverting to the old
+matching behavior; we also attempt to upgrade exiting configs to have that
+defaulted to true.
+
+### Long WAL replay
+
+-> **NOTE:** This is a known issue applicable to _Vault Enterprise_.
+
+During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may
+require an automatically-triggered reindex, either if upgrading from a pre-0.8
+version of Vault or if a previously-issued reindex operation has failed in the
+past. In these reindex scenarios, the secondary cluster will perform a complete
+WAL replay, which can take a long time and is a partially blocking operation.
+
+This is fixed in [Vault
+1.1.3](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#113-june-5th-2019),
+and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version.
+We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are
+running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.
+
+## JWT/OIDC Plugin
+
+Logins of role_type "oidc" via the /login path are no longer allowed.
+
+## ACL Wildcards
+
+New ordering defines which policy wins when there are multiple inexact matches
+and at least one path contains `+`. `+*` is now illegal in policy paths. The
+previous behavior simply selected any matching segment-wildcard path that
+matched.
+
+## Replication
+
+Due to technical limitations, mounting and unmounting was not previously
+possible from a performance secondary. These have been resolved, and these
+operations may now be run from a performance secondary.
diff --git a/website/pages/docs/upgrading/upgrade-to-1.1.2.mdx b/website/pages/docs/upgrading/upgrade-to-1.1.2.mdx
new file mode 100644
index 000000000000..0d650e30c2cb
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.1.2.mdx
@@ -0,0 +1,29 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.1.2 - Guides
+sidebar_title: Upgrade to 1.1.2
+description: |-
+  This page explains a known issue upgrading to Vault 1.1.2 for Enterprise
+  users.  Please read it carefully.
+---
+
+# Overview
+
+This page explains a known issue upgrading to Vault 1.1.2 for Enterprise users.
+Please read it carefully.
+
+## Known Issues
+
+-> **NOTE:** This is a known issue applicable to _Vault Enterprise_.
+
+During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may
+require an automatically-triggered reindex, either if upgrading from a pre-0.8
+version of Vault or if a previously-issued reindex operation has failed in the
+past. In these reindex scenarios, the secondary cluster will perform a complete
+WAL replay, which can take a long time and is a partially blocking operation.
+
+This is fixed in [Vault
+1.1.3](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#113-june-5th-2019),
+and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version.
+We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are
+running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.
diff --git a/website/pages/docs/upgrading/upgrade-to-1.2.0.mdx b/website/pages/docs/upgrading/upgrade-to-1.2.0.mdx
new file mode 100644
index 000000000000..647c259a97d9
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.2.0.mdx
@@ -0,0 +1,120 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.2.0 - Guides
+sidebar_title: Upgrade to 1.2.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 1.2.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 1.2.0 compared to 1.1.0. Please read it carefully.
+
+## Known Issues
+
+### AppRole Upgrade Issue
+
+Due to a bug, on upgrade AppRole roles cannot be read properly. If using AppRole, do not upgrade until this issue is fixed in 1.2.1.
+
+## Changes/Deprecations
+
+### Path Character Handling
+
+Due to underlying changes in Go's runtime past version 1.11.5, Vault is now
+stricter about what characters it will accept in path names. Whereas before it
+would filter out unprintable characters (and this could be turned off), control
+characters and other invalid characters are now rejected within Go's HTTP
+library before the request is passed to Vault, and this cannot be disabled. To
+continue using these (e.g. for already-written paths), they must be properly
+percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes `%00`, and so on).
+
+### AWSKMS Seal Region
+
+The user-configured regions on the AWSKMS seal stanza will now be preferred
+over regions set in the enclosing environment.
+
+### Audit Logging of Empty Values
+
+All values in audit logs now are omitted if they are empty. This helps reduce
+the size of audit log entries by not reproducing keys in each entry that
+commonly don't contain any value, which can help in cases where audit log
+entries are above the maximum UDP packet size and others.
+
+### Rollback Logging
+
+Rollback will no longer display log messages when it runs; it will only display
+messages if an error occurs.
+
+### Database Plugins
+
+Database plugins now default to 4 max open connections rather than 2. This
+should be safe in nearly all cases and fixes some issues where a single
+operation could fail with the default configuration because it needed three
+connections just for that operation. However, this could result in an increase
+in held open file descriptors for each database configuration, so ensure that
+there is sufficient overhead.
+
+### AppRole Various Changes
+
+- AppRole uses new, common token fields for values that overlap with other auth
+  methods. `period` and `policies` will continue to work, with priority being
+  given to the `token_` prefixed versions of these fields, but the values for
+  those will only be returned on read if they were set initially.
+- `default` is no longer automatically added to policies after submission. It
+  was a no-op anyways since Vault's core would always add it, and changing this
+  behavior allows AppRole to support the new `token_no_default_policy`
+  parameter
+- The long-deprecated `bound_cidr_list` is no longer returned when reading a
+  role.
+
+### Token Store Roles Changes
+
+Token store roles use new, common token fields for the values that overlap with
+other auth backends. `period`, `explicit_max_ttl`, and `bound_cidrs` will
+continue to work, with priority being given to the `token_` prefixed versions
+of those parameters. They will also be returned when doing a read on the role
+if they were used to provide values initially; however, in Vault 1.4 if
+`period` or `explicit_max_ttl` is zero they will no longer be returned.
+(`explicit_max_ttl` was already not returned if empty.)
+
+### Go API/SDK Changes
+
+Vault now uses Go's official dependency management system, Go Modules, to
+manage dependencies. As a result to both reduce transitive dependencies for API
+library users and plugin authors, and to work around various conflicts, we have
+moved various helpers around, mostly under an `sdk/` submodule. A couple of
+functions have also moved from plugin helper code to the `api/` submodule. If
+you are a plugin author, take a look at some of our official plugins and the
+paths they are importing for guidance.
+
+### Change in LDAP Group CN handling
+
+A bug fix put in place in Vault 1.1.1 to allow group CNs to be found from an
+LDAP server in lowercase `cn` as well as uppercase `CN` had an unintended
+consequence. If prior to that a group used `cn`, as in `cn=foo,ou=bar` then the
+group that would need to be put into place in the LDAP plugin to match against
+policies is `cn=foo,ou=bar` since the CN would not be correctly found. After
+the change, the CN was correctly found, but this would result in the group name
+being parsed as `foo` and would not match groups using the full DN. In 1.1.5+,
+there is a boolean config setting `use_pre111_group_cn_behavior` to allow
+reverting to the old matching behavior; we also attempt to upgrade exiting
+configs to have that defaulted to true.
+
+### JWT/OIDC Plugin
+
+Logins of role_type "oidc" via the /login path are no longer allowed.
+
+### ACL Wildcards
+
+New ordering put into place in Vault 1.1.1 defines which policy wins when there
+are multiple inexact matches and at least one path contains `+`. `+*` is now
+illegal in policy paths. The previous behavior simply selected any matching
+segment-wildcard path that matched.
+
+### Replication
+
+Due to technical limitations, mounting and unmounting was not previously
+possible from a performance secondary. These have been resolved, and these
+operations may now be run from a performance secondary.
diff --git a/website/pages/docs/upgrading/upgrade-to-1.2.1.mdx b/website/pages/docs/upgrading/upgrade-to-1.2.1.mdx
new file mode 100644
index 000000000000..9f7c33e7c4bc
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.2.1.mdx
@@ -0,0 +1,23 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.2.1 - Guides
+sidebar_title: Upgrade to 1.2.1
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 1.2.1. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 1.2.1 compared to 1.2.0. Please read it carefully.
+
+## Known Issues
+
+### AppRole Upgrade Issue
+
+Vault 1.2.1 contains a known issue where an existing AppRole role
+may not be read or updated under a specific scenario. The role in
+question needs to have been created before Vault 1.0.0, and then updated
+between 1.0.0 and 1.1.5. If using AppRole, do not upgrade to until
+his issue is fixed in 1.2.2.
diff --git a/website/pages/docs/upgrading/upgrade-to-1.2.4.mdx b/website/pages/docs/upgrading/upgrade-to-1.2.4.mdx
new file mode 100644
index 000000000000..362cc447f5ab
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.2.4.mdx
@@ -0,0 +1,42 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.2.4 - Guides
+sidebar_title: Upgrade to 1.2.4
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 1.2.4. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 1.2.4 compared to 1.2.3. Please read it carefully.
+
+## Detached Leases From Tokens in non-root Namespaces
+
+In a non-root namespace, revocation of a token scoped to a non-root namespace
+did not trigger the expected revocation of dynamic secret leases associated with
+that token. As a result, dynamic secret leases in non-root namespaces may
+outlive the token that created them. This vulnerability, CVE-2019-18616, affects
+Vault Enterprise 0.11.0 and newer.
+
+## Mount Filtering in Disaster Recovery Secondary Clusters
+
+Disaster Recovery secondary clusters did not delete already-replicated data
+after a mount filter has been created on an upstream Performance secondary
+cluster. As a result, encrypted secrets may remain replicated on a Disaster
+Recovery secondary cluster after application of a mount filter excluding those
+secrets from replication. This vulnerability, CVE-2019-18617, affects Vault
+Enterprise 0.8 and newer.
+
+## Golang crypto/dsa CVE
+
+Update version of Go to 1.12.12 to fix Go bug golang.org/issue/34960 which
+corresponds to CVE-2019-17596.
+
+## AWS Region Detection in Agent and CLI
+
+If a custom sts_endpoint is configured, Vault Agent and the CLI should provide
+the corresponding region via the region parameter (which already existed as a
+CLI parameter, and has now been added to Agent). The automatic region detection
+added to the CLI and Agent in 1.2 has been removed.
diff --git a/website/pages/docs/upgrading/upgrade-to-1.3.0.mdx b/website/pages/docs/upgrading/upgrade-to-1.3.0.mdx
new file mode 100644
index 000000000000..d01f043a29d3
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.3.0.mdx
@@ -0,0 +1,41 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.3.0 - Guides
+sidebar_title: Upgrade to 1.3.0
+description: |-
+  This page contains the list of deprecations and important or breaking changes
+  for Vault 1.3.0. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 1.3.0 compared to 1.2.4. Please read it carefully.
+
+## Secondary cluster activation
+
+There has been a change to the way that activating performance and DR secondary
+clusters works when using public keys for encryption of the parameters rather
+than a wrapping token. This flow was experimental and never documented. It is
+now officially supported and documented but is not backwards compatible with
+older Vault releases.
+
+## Cluster cipher suites
+
+On its cluster port, Vault will no longer advertise the full TLS 1.2 cipher
+suite list by default. Although this port is only used for Vault-to-Vault
+communication and would always pick a strong cipher, it could cause false flags
+on port scanners and other security utilities that assumed insecure ciphers were
+being used. The previous behavior can be achieved by setting the value of the
+(undocumented) cluster_cipher_suites config flag to tls12.
+
+## API/Agent Renewal Behavior
+
+The API now allows multiple options for how it deals with renewals. The legacy
+behavior in the Agent/API is for the renewer (now called the lifetime watcher)
+to exit on a renew error, leading to a reauthentication. The new default
+behavior is for the lifetime watcher to ignore 5XX errors and simply retry as
+scheduled, using the existing lease duration. It is also possible, within
+custom code, to disable renewals entirely, which allows the lifetime watcher to
+simply return when it believes it is time for your code to renew or
+reauthenticate.
diff --git a/website/pages/docs/use-cases/index.mdx b/website/pages/docs/use-cases/index.mdx
new file mode 100644
index 000000000000..54b66699085b
--- /dev/null
+++ b/website/pages/docs/use-cases/index.mdx
@@ -0,0 +1,56 @@
+---
+layout: docs
+page_title: Use Cases
+sidebar_title: Use Cases
+description: >-
+  This page lists some concrete use cases for Vault, but the possible use cases
+  are much broader than what we cover.
+---
+
+# Use Cases
+
+Before understanding use cases, it's useful to know [what Vault is](/intro/index.html).
+This page lists some concrete use cases for Vault, but the possible use cases are
+much broader than what we cover.
+
+#### General Secret Storage
+
+At a bare minimum, Vault can be used for the storage of any secrets. For
+example, Vault would be a fantastic way to store sensitive environment variables,
+database credentials, API keys, etc.
+
+Compare this with the current way to store these which might be
+plaintext in files, configuration management, a database, etc. It would be
+much safer to query these using `vault read` or the API. This protects
+the plaintext version of these secrets as well as records access in the Vault
+audit log.
+
+#### Employee Credential Storage
+
+While this overlaps with "General Secret Storage", Vault is a good mechanism
+for storing credentials that employees share to access web services. The
+audit log mechanism lets you know what secrets an employee accessed and
+when an employee leaves, it is easier to roll keys and understand which keys
+have and haven't been rolled.
+
+#### API Key Generation for Scripts
+
+The "dynamic secrets" feature of Vault is ideal for scripts: an AWS
+access key can be generated for the duration of a script, then revoked.
+The keypair will not exist before or after the script runs, and the
+creation of the keys are completely logged.
+
+This is an improvement over using something like Amazon IAM but still
+effectively hardcoding limited-access access tokens in various places.
+
+#### Data Encryption
+
+In addition to being able to store secrets, Vault can be used to
+encrypt/decrypt data that is stored elsewhere. The primary use of this is
+to allow applications to encrypt their data while still storing it in the
+primary data store.
+
+The benefit of this is that developers do not need to worry about how to
+properly encrypt data. The responsibility of encryption is on Vault
+and the security team managing it, and developers just encrypt/decrypt
+data as needed.
diff --git a/website/pages/docs/vs/chef-puppet-etc.mdx b/website/pages/docs/vs/chef-puppet-etc.mdx
new file mode 100644
index 000000000000..cd5585f26916
--- /dev/null
+++ b/website/pages/docs/vs/chef-puppet-etc.mdx
@@ -0,0 +1,51 @@
+---
+layout: docs
+page_title: 'Vault vs. Chef, Puppet, etc.'
+sidebar_title: 'Chef, Puppet, etc.'
+description: >-
+  Comparison between Vault and configuration management solutions such as Chef,
+  Puppet, etc.
+---
+
+# Vault vs. Chef, Puppet, etc.
+
+A big part of configuring software is setting up secrets: configuring a
+web application to talk to a service, configuring the credentials of a
+database, etc. Because of this, configuration management systems all face
+a problem of safely storing these secrets.
+
+Chef, Puppet, etc. all solve this in a similar way: single-key
+encrypted storage. Chef has encrypted data bags, Puppet has encrypted
+Hiera, and so on. The encrypted data is always one secret (a password,
+a key, etc.) away from being decrypted, and this secret is generally
+not well protected since in an elastic environment, every server needs
+to somehow get this secret to decrypt the data. Additionally, access to
+the encrypted data isn't always logged, so if there is an intrusion, it
+isn't clear what data has been accessed and by who.
+
+Vault is not tied to any specific configuration management system. You can
+read secrets from configuration management, but you can also use the API
+directly to read secrets from applications. This means that configuration
+management requires fewer secrets, and in many cases doesn't ever have to
+persist them to disk.
+
+Vault encrypts the data onto physical storage and requires multiple
+keys to even read it. If an attacker were to gain access to the physical
+encrypted storage, it couldn't be read without multiple keys which are generally
+distributed to multiple individuals. This is known as _unsealing_, and happens
+once whenever Vault starts.
+
+For an unsealed Vault, every interaction is logged in via the audit devices.
+Even erroneous requests (invalid access tokens, for example) are logged.
+To access any data, an access token is required. This token is usually
+associated with an identity coming from a system such as GitHub, LDAP, etc.
+This identity is also written to the audit log.
+
+Access tokens can be given fine-grained control over what secrets can be
+accessed. It is rare to have a single key that can access all secrets. This
+makes it easier to have fine-grained access for consumers of Vault.
+
+For tips on how to integrate Vault using configuration management, please see
+[Using HashiCorp's Vault with Chef](https://www.hashicorp.com/blog/using-hashicorps-vault-with-chef/).
+Although this post is about Chef, the principles can be broadly applied to many
+of the tools listed here.
diff --git a/website/pages/docs/vs/consul.mdx b/website/pages/docs/vs/consul.mdx
new file mode 100644
index 000000000000..e07c8d3596d7
--- /dev/null
+++ b/website/pages/docs/vs/consul.mdx
@@ -0,0 +1,30 @@
+---
+layout: docs
+page_title: Vault vs. Consul
+sidebar_title: Consul
+description: Comparison between Vault and attempting to store secrets with Consul.
+---
+
+# Vault vs. Consul
+
+[Consul](https://www.consul.io) is a system for service discovery, monitoring,
+and configuration that is distributed and highly available. Consul also
+supports an ACL system to restrict access to keys and service information.
+
+While Consul can be used to store secret information and gate access using
+ACLs, it is not designed for that purpose. As such, data is not encrypted
+in transit nor at rest, it does not have pluggable authentication mechanisms,
+and there is no per-request auditing mechanism.
+
+Vault is designed from the ground up as a secret management solution. As such,
+it protects secrets in transit and at rest. It provides multiple authentication
+and audit logging mechanisms. Dynamic secret generation allows Vault to avoid
+providing clients with root privileges to underlying systems and makes
+it possible to do key rolling and revocation.
+
+The strength of Consul is that it is fault tolerant and highly scalable.
+By using Consul as a backend to Vault, you get the best of both. Consul
+is used for durable storage of encrypted data at rest and provides coordination
+so that Vault can be highly available and fault tolerant. Vault provides
+the higher level policy management, secret leasing, audit logging, and automatic
+revocation.
diff --git a/website/pages/docs/vs/custom.mdx b/website/pages/docs/vs/custom.mdx
new file mode 100644
index 000000000000..dbb3c2351f64
--- /dev/null
+++ b/website/pages/docs/vs/custom.mdx
@@ -0,0 +1,27 @@
+---
+layout: docs
+page_title: Vault vs. Custom Solutions
+sidebar_title: Custom Solutions
+description: Comparison between Vault and writing a custom solution.
+---
+
+# Vault vs. Custom Solutions
+
+Many organizations resort to custom solutions for storing secrets,
+whether that be Dropbox, encrypted disk images, encrypted SQL columns,
+etc.
+
+These systems require time and resources to build and maintain.
+Storing secrets is also an incredibly important piece of infrastructure
+that must be done correctly. This increases the pressure to maintain
+the internal systems.
+
+Vault is designed for secret storage. It provides a simple interface
+on top of a strong security model to meet your secret storage needs.
+
+Furthermore, Vault is an open source tool. This means that the tool is
+as good as the entire community working together to improve it. This
+isn't just features and bug fixes, but finding potential security holes.
+Additionally, since it is open source, your own security teams can
+review and contribute to Vault and verify it meets your standards
+for security.
diff --git a/website/pages/docs/vs/dropbox.mdx b/website/pages/docs/vs/dropbox.mdx
new file mode 100644
index 000000000000..fd883b11d0ab
--- /dev/null
+++ b/website/pages/docs/vs/dropbox.mdx
@@ -0,0 +1,16 @@
+---
+layout: docs
+page_title: Vault vs. Dropbox
+sidebar_title: Dropbox
+description: Comparison between Vault and attempting to store secrets with Dropbox.
+---
+
+# Vault vs. Dropbox
+
+It is an unfortunate truth that many organizations, big and small, often use Dropbox as a mechanism for storing secrets. It is so common that we've decided to make a special section for it instead of throwing it under the "custom solutions" header.
+
+Dropbox is not made for storing secrets. Even if you're using something such as an encrypted disk image within Dropbox, it is subpar versus a real secret storage server.
+
+A real secret management tool such as Vault has a stronger security model, integrates with many different authentication services, stores audit logs, can generate dynamic secrets, and more.
+
+And, due to `vault` CLI, using `vault` on a developer machine is simple!
diff --git a/website/pages/docs/vs/hsm.mdx b/website/pages/docs/vs/hsm.mdx
new file mode 100644
index 000000000000..625268f967cb
--- /dev/null
+++ b/website/pages/docs/vs/hsm.mdx
@@ -0,0 +1,44 @@
+---
+layout: docs
+page_title: Vault vs. HSMs
+sidebar_title: HSMs
+description: Comparison between Vault and HSM systems.
+---
+
+# Vault vs. HSMs
+
+A [hardware security module
+(HSM)](https://en.wikipedia.org/wiki/Hardware_security_module) is a hardware
+device that is meant to secure various secrets using protections against access
+and tampering at both the software and hardware layers.
+
+The primary issue with HSMs is that they are expensive and not very cloud
+friendly. An exception to the latter is Amazon's CloudHSM service, which is
+friendly for AWS users but still costs more than \$14k per year per instance,
+and not as useful for heterogenous cloud architectures.
+
+Once an HSM is up and running, configuring it is generally very tedious, and
+the API to request secrets is also difficult to use. Example: CloudHSM requires
+SSH and setting up various keypairs manually. It is difficult to automate. APIs
+tend to require the use of specific C libraries (e.g. PKCS#11) or
+vendor-specific libraries.
+
+However, although configuring and running an HSM can be a challenge, they come
+with a significant advantage in that they conform to government-mandated
+compliance requirements (e.g. FIPS 140), which often require specific hardware
+protections and security models in addition to software.
+
+Vault doesn't replace an HSM. Instead, they can be complementary; a compliant
+HSM can protect Vault's master key to help Vault comply with regulatory
+requirements, and Vault can provide easy client APIs for tasks such as
+encryption and decryption.
+
+Vault can also do many things that HSMs cannot currently do, such as generating
+_dynamic secrets_. Instead of storing AWS access keys directly within Vault,
+Vault can generate access keys according to a specific policy on the fly. Vault
+has the potential of doing this for any system through its mountable secret
+backend system.
+
+For many companies' security requirements, Vault alone is enough. For companies
+that can afford an HSM or with specific regulatory requirements, it can be used
+with Vault to get the best of both worlds.
diff --git a/website/pages/docs/vs/index.mdx b/website/pages/docs/vs/index.mdx
new file mode 100644
index 000000000000..65ef76f5fa90
--- /dev/null
+++ b/website/pages/docs/vs/index.mdx
@@ -0,0 +1,23 @@
+---
+layout: docs
+page_title: Vault vs. Other Software
+sidebar_title: Vault vs. Other Software
+description: >-
+  Comparisons between Vault and other software that claim to store secrets in
+  some capacity.
+---
+
+# Vault vs. Other Software
+
+There are a number of other options in the market currently that claim
+to store secrets in some capacity. This section compares Vault to these
+other software choices.
+
+Due to the bias of the comparisons being on the Vault website, we attempt
+to only use facts. If you find something that is invalid or out of date
+in the comparisons, please
+[open an issue](https://github.com/hashicorp/vault/issues) and we'll
+address it as soon as possible.
+
+Use the navigation on the left to read comparisons of Vault versus other
+systems.
diff --git a/website/pages/docs/vs/keywhiz.mdx b/website/pages/docs/vs/keywhiz.mdx
new file mode 100644
index 000000000000..1d9a49abb74b
--- /dev/null
+++ b/website/pages/docs/vs/keywhiz.mdx
@@ -0,0 +1,42 @@
+---
+layout: docs
+page_title: Vault vs. Keywhiz
+sidebar_title: Keywhiz
+description: Comparison between Vault and Keywhiz.
+---
+
+# Vault vs. Keywhiz
+
+Keywhiz is a secret management solution built by Square. Keywhiz has a
+client/server architecture based on a RESTful API. Clients of Keywhiz access
+secrets through the API by authenticating with a client certificate or cookie.
+To allow for flexible consumption of secrets by arbitrary software, clients may
+also make use of a FUSE filesystem to expose secrets as files on disk, and use
+Unix file permissions for access control. Human operators may authenticate
+using a cookie-based authentication either via command line utilities or
+through a management web interface.
+
+Vault similarly is designed as a comprehensive secret management solution. The
+client interaction with Vault is flexible both for authentication and usage of
+secrets. Vault supports [mTLS authentication](/docs/auth/cert.html) along with
+many [other mechanisms](/docs/auth/index.html). The goal is to make it easy
+to authenticate as a machine for programmatic access and as a human for
+operator usage.
+
+Vault and Keywhiz expose secrets via an API. The Vault [ACL
+system](/docs/concepts/policies.html) is used to protect secrets and gate
+access, similarly to the Keywhiz ACL system. With Vault, all auditing is done
+server side using [audit devices](/docs/audit/index.html).
+
+Keywhiz focuses on storage and distribution of secrets and supports rotation
+through secret versioning, which is possible in the Keywhiz UI and command-line
+utilities. Vault also supports dynamic secrets and generating credentials
+on-demand for fine-grained security controls, but adds first class support for
+non-repudiation. Key rotation is a first class concern for Keywhiz and Vault,
+so that no external systems need to be used.
+
+Lastly, Vault forces a mandatory lease contract with clients. All secrets read
+from Vault have an associated lease which enables operators to audit key usage,
+perform key rolling, and ensure automatic revocation. Vault provides multiple
+revocation mechanisms to give operators a clear "break glass" procedure after a
+potential compromise.
diff --git a/website/pages/docs/vs/kms.mdx b/website/pages/docs/vs/kms.mdx
new file mode 100644
index 000000000000..9f0c493cb0ed
--- /dev/null
+++ b/website/pages/docs/vs/kms.mdx
@@ -0,0 +1,38 @@
+---
+layout: docs
+page_title: Vault vs. Amazon Key Management Service
+sidebar_title: Amazon KMS
+description: Comparison between Vault and Amazon Key Management Service.
+---
+
+# Vault vs. Amazon KMS
+
+Amazon Key Management Service (KMS) is a service provided in the AWS ecosystem
+for encryption key management. It is backed by Hardware Security Modules (HSM)
+for physical security.
+
+Vault and KMS differ in the scope of problems they are trying to solve. KMS is
+focused on securely storing encryption keys and supporting cryptographic
+operations (encrypt and decrypt) using those keys. It supports access controls
+and auditing as well.
+
+In contrast, Vault provides a comprehensive secret management solution. The
+[`transit` backend](/docs/secrets/transit/index.html) provides similar
+capabilities as KMS, allowing for encryption keys to be stored and
+cryptographic operations to be performed. However, Vault goes much further than
+just key management.
+
+The flexible secrets engines allow Vault to handle any type of secret data,
+including database credentials, API keys, PKI keys, and encryption keys. Vault
+also supports dynamic secrets, generating credentials on-demand for
+fine-grained security controls, auditing, and non-repudiation.
+
+Lastly, Vault forces a mandatory lease contract with clients. All secrets read
+from Vault have an associated lease which enables operations to audit key
+usage, perform key rolling, and ensure automatic revocation. Vault provides
+multiple revocation mechanisms to give operators a clear "break glass"
+procedure after a potential compromise.
+
+Vault is an open source tool that can be deployed to any environment, and does
+not require any special hardware. This makes it well suited for cloud
+environments where HSMs are not available or are cost prohibitive.
diff --git a/website/pages/docs/what-is-vault/index.mdx b/website/pages/docs/what-is-vault/index.mdx
new file mode 100644
index 000000000000..f89638ce08df
--- /dev/null
+++ b/website/pages/docs/what-is-vault/index.mdx
@@ -0,0 +1,76 @@
+---
+layout: docs
+page_title: Introduction
+sidebar_title: What is Vault?
+description: >-
+  Welcome to the intro guide to Vault! This guide is the best place to start
+  with Vault. We cover what Vault is, what problems it can solve, how it
+  compares to existing software, and contains a quick start for using Vault.
+---
+
+# Introduction to Vault
+
+Welcome to the introduction guide to HashiCorp Vault! This guide is the best
+place to get started with Vault. This guide covers what Vault is, what problems
+it can solve, how it compares to existing software, and contains a quick start
+for using Vault.
+
+If you are already familiar with the basics of Vault, the
+[documentation](/docs/index.html) provides a better reference guide for all
+available features as well as internals.
+
+## What is Vault?
+
+Vault is a tool for securely accessing _secrets_. A secret is anything that you
+want to tightly control access to, such as API keys, passwords, or certificates.
+Vault provides a unified interface to any secret, while providing tight access
+control and recording a detailed audit log.
+
+A modern system requires access to a multitude of secrets: database credentials,
+API keys for external services, credentials for service-oriented architecture
+communication, etc. Understanding who is accessing what secrets is already very
+difficult and platform-specific. Adding on key rolling, secure storage, and
+detailed audit logs is almost impossible without a custom solution. This is
+where Vault steps in.
+
+Examples work best to showcase Vault. Please see the
+[use cases](/intro/use-cases.html).
+
+The key features of Vault are:
+
+- **Secure Secret Storage**: Arbitrary key/value secrets can be stored
+  in Vault. Vault encrypts these secrets prior to writing them to persistent
+  storage, so gaining access to the raw storage isn't enough to access
+  your secrets. Vault can write to disk, [Consul](https://www.consul.io),
+  and more.
+
+- **Dynamic Secrets**: Vault can generate secrets on-demand for some
+  systems, such as AWS or SQL databases. For example, when an application
+  needs to access an S3 bucket, it asks Vault for credentials, and Vault
+  will generate an AWS keypair with valid permissions on demand. After
+  creating these dynamic secrets, Vault will also automatically revoke them
+  after the lease is up.
+
+- **Data Encryption**: Vault can encrypt and decrypt data without storing
+  it. This allows security teams to define encryption parameters and
+  developers to store encrypted data in a location such as SQL without
+  having to design their own encryption methods.
+
+- **Leasing and Renewal**: All secrets in Vault have a _lease_ associated
+  with them. At the end of the lease, Vault will automatically revoke that
+  secret. Clients are able to renew leases via built-in renew APIs.
+
+- **Revocation**: Vault has built-in support for secret revocation. Vault
+  can revoke not only single secrets, but a tree of secrets, for example
+  all secrets read by a specific user, or all secrets of a particular type.
+  Revocation assists in key rolling as well as locking down systems in the
+  case of an intrusion.
+
+## Next Steps
+
+See the page on [Vault use cases](/intro/use-cases.html) to see the
+multiple ways Vault can be used. Then see
+[how Vault compares to other software](/intro/vs/index.html)
+to see how it fits into your existing infrastructure. Finally, continue onwards with
+the [getting started guide](/intro/getting-started/index.html) to use
+Vault to read, write, and create real secrets and see how it works in practice.
diff --git a/website/pages/downloads/index.jsx b/website/pages/downloads/index.jsx
new file mode 100644
index 000000000000..b076cf74643e
--- /dev/null
+++ b/website/pages/downloads/index.jsx
@@ -0,0 +1,33 @@
+import fetch from 'isomorphic-unfetch'
+import { VERSION } from '../../data/version.js'
+import ProductDownloader from '@hashicorp/react-product-downloader'
+import Head from 'next/head'
+
+export default function DownloadsPage({ downloadData }) {
+  return (
+    <div id="p-downloads" className="g-container">
+      <Head>
+        <title key="title">Downloads | Vault by HashiCorp</title>
+      </Head>
+      <ProductDownloader
+        product="Vault"
+        version={VERSION}
+        downloads={downloadData}
+      />
+    </div>
+  )
+}
+
+export async function unstable_getStaticProps() {
+  return fetch(`https://releases.hashicorp.com/vault/${VERSION}/index.json`)
+    .then(r => r.json())
+    .then(r => {
+      // TODO: restructure product-downloader to run this logic internally
+      return r.builds.reduce((acc, build) => {
+        if (!acc[build.os]) acc[build.os] = {}
+        acc[build.os][build.arch] = build.url
+        return acc
+      }, {})
+    })
+    .then(r => ({ props: { downloadData: r } }))
+}
diff --git a/website/pages/downloads/style.css b/website/pages/downloads/style.css
new file mode 100644
index 000000000000..812de6d11a98
--- /dev/null
+++ b/website/pages/downloads/style.css
@@ -0,0 +1,4 @@
+#p-downloads {
+  margin-top: 72px;
+  margin-bottom: 72px;
+}
diff --git a/website/pages/guides/encryption/index.mdx b/website/pages/guides/encryption/index.mdx
new file mode 100644
index 000000000000..832921910fa8
--- /dev/null
+++ b/website/pages/guides/encryption/index.mdx
@@ -0,0 +1,34 @@
+---
+layout: guides
+page_title: Encryption as a Service - Guides
+sidebar_title: Encryption as a Service
+description: |-
+  The transit secrets engine handles cryptographic functions on data in-transit.
+  Vault doesn't store the data sent to the secrets engine. It can also be viewed
+  as "cryptography as a service" or "encryption as a service".
+---
+
+# Encryption as a Service
+
+Vault provides Encryption as a Service (EaaS) to enable security teams to
+fortify data during transit and at rest. So even if an intrusion occurs, your
+data is encrypted and the attacker would never get a hold of the raw data.
+
+This guide walks you through Encryption as a Service topics.
+
+- [Encryption as a Service](/guides/encryption/transit.html) guide walks you
+  through the usage of the `transit` secrets engine in Vault.
+  Read this guide first before proceeding to the [Transit Secrets
+  Re-wrapping](/guides/encryption/transit-rewrap.html) guide or [Java Application
+  Demo](/guides/encryption/spring-demo.html) guide.
+
+- [Java Application Demo](/guides/encryption/spring-demo.html) guide walks
+  through a sample application which relies on Vault to generate database
+  credentials as well as encrypting sensitive data. This guide is for anyone who
+  wishes to reproduce the demo introduced in
+  the [Manage secrets, access, and encryption in the public cloud with Vault](https://www.hashicorp.com/resources/solutions-engineering-webinar-series-episode-2-vault)
+  webinar.
+
+- [Transit Secrets Re-wrapping](/guides/encryption/transit-rewrap.html) guide
+  demonstrates one possible way to re-wrap data after rotating an encryption key
+  in the transit engine in Vault.
diff --git a/website/pages/guides/encryption/spring-demo.mdx b/website/pages/guides/encryption/spring-demo.mdx
new file mode 100644
index 000000000000..159d91d21bc0
--- /dev/null
+++ b/website/pages/guides/encryption/spring-demo.mdx
@@ -0,0 +1,683 @@
+---
+layout: guides
+page_title: Java Application Demo - Guides
+sidebar_title: Java Application Demo
+description: |-
+  This guide discusses the concepts necessary to help users
+  understand Vault's AppRole authentication pattern and how to use it to
+  securely introduce a Vault authentication token to a target server,
+  application, container, etc. in a Java environment.
+---
+
+# Java Sample App using Spring Cloud Vault
+
+Once you have learned the fundamentals of Vault, the next step is to start
+integrating your system with Vault to secure your organization's secrets.
+
+The purpose of this guide is to go through the working implementation demo
+introduced in the [Manage secrets, access, and encryption in the public cloud
+with
+Vault](https://www.hashicorp.com/resources/solutions-engineering-webinar-series-episode-2-vault)
+webinar.
+
+[![YouTube](/img/vault-java-demo-1.png)](https://youtu.be/NxL2-XuZ3kc)
+
+The Java application in this demo leverages the [_Spring Cloud
+Vault_](https://cloud.spring.io/spring-cloud-vault/) library which provides
+lightweight client-side support for connecting to Vault in a distributed
+environment.
+
+## Reference Material
+
+- [Encryption as a Service](/guides/encryption/transit.html)
+- [Manage secrets, access, and encryption in
+  the public cloud with
+  Vault](https://www.hashicorp.com/resources/solutions-engineering-webinar-series-episode-2-vault)
+- [Spring Cloud Vault](https://cloud.spring.io/spring-cloud-vault/)
+- [Transit Secrets Engine](/docs/secrets/transit/index.html)
+- [Secrets as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
+
+## Estimated Time to Complete
+
+15 minutes
+
+## Challenge
+
+Incidents of data breaches which expose sensitive information make headlines more
+often than we like to hear. It becomes more and more important to protect data
+by encrypting it whether the data is in-transit or at-rest. However, creating
+a highly secure and sophisticated solution by yourself requires time and resources
+which are in demand when an organization is facing a constant threat.
+
+## Solution
+
+Vault centralizes management of cryptographic services used to protect your
+data. Your system can communicate with Vault easily through the Vault API to
+encrypt and decrypt your data, and the encryption keys never have to leave the
+Vault.
+
+![Encryption as a Service](/img/vault-eaas.png)
+
+## Prerequisites
+
+To perform the tasks described in this guide:
+
+- Install [HashiCorp Vagrant](https://www.vagrantup.com/intro/getting-started/install.html)
+- Clone or download the demo assets from the [hashicorp/vault-guides](https://github.com/hashicorp/vault-guides/tree/master/secrets/spring-cloud-vault)
+  GitHub repository
+
+## Steps
+
+-> For the purposes of this guide, you are going to provision a Linux machine
+locally using Vagrant. However, the GitHub repository provides supporting files
+to provision the environment demonstrated in the webinar.
+
+After downloading the [demo assets](#prerequisites) from the GitHub repository,
+you should find the following folders:
+
+| Folder          | Description                                           |
+| --------------- | ----------------------------------------------------- |
+| `aws`           | Supporting files to deploy the demo app to AWS        |
+| `kubernetes`    | Supporting files to deploy the demo app to Kubernetes |
+| `nomad`         | Supporting files to deploy the demo app to Nomad      |
+| `scripts`       | Scripts to setup PostgreSQL and Vault                 |
+| `src/main`      | Sample app source code                                |
+| `vagrant-local` | Vagrant file to deploy the demo locally               |
+
+<br />
+
+In this guide, you will perform the following:
+
+1. [Review the demo application implementation](#step1)
+1. [Deploy and review the demo environment](#step2)
+1. [Run the demo application](#step3)
+1. [Reload the Static Secrets](#step4)
+
+![Encryption as a Service](/img/vault-java-demo-10.png)
+
+### <a name="step1"></a>Step 1: Review the demo application implementation
+
+The source code can be found under the `src/main` directory.
+
+```plaintext
+├── java
+│   └── com
+│       └── hashicorp
+│           └── vault
+│               └── spring
+│                   └── demo
+│                       ├── BeanUtil.java
+│                       ├── Order.java
+│                       ├── OrderAPIController.java
+│                       ├── OrderRepository.java
+│                       ├── Secret.java
+│                       ├── SecretController.java
+│                       ├── TransitConverter.java
+│                       └── VaultDemoOrderServiceApplication.java
+└── resources
+    └── application.yaml
+```
+
+The demo Java application leverages the Spring Cloud Vault library to
+communicate with Vault.
+
+In the `TransitConverter` class, the `convertToDatabaseColumn` method invokes a
+Vault operation to encrypt the `order`. Similarly, the
+`convertToEntityAttribute` method decrypts the `order` data.
+
+```plaintext
+...
+	@Override
+	public String convertToDatabaseColumn(String customer) {
+		VaultOperations vaultOps = BeanUtil.getBean(VaultOperations.class);
+		Plaintext plaintext = Plaintext.of(customer);
+		String cipherText = vaultOps.opsForTransit().encrypt("order", plaintext).getCiphertext();
+		return cipherText;
+	}
+
+	@Override
+	public String convertToEntityAttribute(String customer) {
+		VaultOperations vaultOps = BeanUtil.getBean(VaultOperations.class);
+		Ciphertext ciphertext = Ciphertext.of(customer);
+        String plaintext = vaultOps.opsForTransit().decrypt("order", ciphertext).asString();
+		return plaintext;
+...
+```
+
+The `VaultDemoOrderServiceApplication` class defines the `main` method.
+
+```plaintext
+public class VaultDemoOrderServiceApplication  {
+
+	private static final Logger logger = LoggerFactory.getLogger(VaultDemoOrderServiceApplication.class);
+
+	@Autowired
+    	private SessionManager sessionManager;
+
+	@Value("${spring.datasource.username}")
+	private String dbUser;
+
+	@Value("${spring.datasource.password}")
+	private String dbPass;
+
+	public static void main(String[] args) {
+		SpringApplication.run(VaultDemoOrderServiceApplication.class, args);
+	}
+
+	@PostConstruct
+	public void initIt() throws Exception {
+		logger.info("Got Vault Token: " + sessionManager.getSessionToken().getToken());
+		logger.info("Got DB User: " + dbUser);
+	}
+}
+```
+
+The `OrderAPIController` class defines the API endpoint (`api/orders`).
+
+### <a name="step2"></a>Step 2: Deploy and review the demo environment
+
+Now let's run the demo app and examine how it behaves.
+
+~> To keep it simple and lightweight, you are going to run a Linux virtual
+machine locally using Vagrant.
+
+#### Task 1: Run Vagrant
+
+In the **`vault-guides/secrets/spring-cloud-vault/vagrant-local`** folder,
+a `Vagrantfile` is provided which spins up a Linux machine where the demo
+components are installed and configured.
+
+```shell
+# Change the working directory to vagrant-local
+$ cd /vault-guides/secrets/spring-cloud-vault/vagrant-local
+
+# Create and configure a Linux machine. This takes about 3 minutes
+$ vagrant up
+...
+demo: Success! Data written to: database/roles/order
+demo: Success! Enabled the transit secrets engine at: transit/
+demo: Success! Data written to: transit/keys/order
+demo: Success! Data written to: secret/spring-vault-demo
+
+# Verify that the virtual machine was successfully created and running
+$ vagrant status
+Current machine states:
+demo                      running (virtualbox)
+...
+
+# Connect to the demo machine
+$ vagrant ssh demo
+```
+
+There are 3 Docker containers running on the machine: `spring`, `vault`, and `postgres`.
+
+```plaintext
+[vagrant@demo ~]$ docker ps
+CONTAINER ID     IMAGE            COMMAND                  CREATED           STATUS           NAMES
+684d8fb23ae5     spring           "java -Djava.secur..."   7 minutes ago     Up 7 minutes     spring
+dc6a3454b323     vault:0.10.0     "docker-entrypoint..."   7 minutes ago     Up 7 minutes     vault
+4093a45c209f     postgres         "docker-entrypoint..."   7 minutes ago     Up 7 minutes     postgres
+```
+
+#### Task 2: Examine the Vault environment
+
+During the demo machine provisioning, the `/scripts/vault.sh` script was
+executed to perform the following:
+
+- Created a policy named, **`order`**
+- Enabled the `transit` secret engine and created an encryption key named, **`order`**
+- Enabled the `database` secret engine and created a role named, **`order`**
+
+View the `vault` log:
+
+```plaintext
+[vagrant@demo ~]$  docker logs vault
+...
+==> Vault shutdown triggered
+==> Vault server configuration:
+             Api Address: http://0.0.0.0:8200
+                     Cgo: disabled
+         Cluster Address: https://0.0.0.0:8201
+              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
+               Log Level: info
+                   Mlock: supported: true, enabled: false
+                 Storage: inmem
+                 Version: Vault v0.10.0
+             Version Sha: 5dd7f25f5c4b541f2da62d70075b6f82771a650d
+WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
+and starts unsealed with a single unseal key. The root token is already
+authenticated to the CLI, so you can immediately begin using Vault.
+You may need to set the following environment variable:
+    $ export VAULT_ADDR='http://0.0.0.0:8200'
+The unseal key and root token are displayed below in case you want to
+seal/unseal the Vault or re-authenticate.
+Unseal Key: 2QIPWPDykRG/xWWl0quSHiXq8u+pFg3yEq0sgJPhMbA=
+Root Token: root
+...
+```
+
+Notice that the log indicates that the Vault server is running in the `dev`
+mode, and the root token is `root`.
+
+You can visit the Vault UI at http://localhost:8200/ui. Enter **`root`** and
+click **Sign In**.
+
+Select the **`transit/`** secrets engine, and you should find an encryption key
+named, "`order`".
+
+![Vault UI](/img/vault-java-demo-2.png)
+
+Under the **Policies**, verify that the `order` policy exists.
+
+![Vault UI](/img/vault-java-demo-3.png)
+
+This `order` policy is for the application. It permits `read` on the
+`database/creds/order` path so that the demo app can get a dynamically generated
+database credential from Vault. Therefore, the PostgreSQL credentials are not
+hard-coded anywhere.
+
+```plaintext
+path "database/creds/order"
+{
+  capabilities = ["read"]
+}
+```
+
+An `update` permission allows the app to request data encryption and decryption
+using the `order` encryption key in Vault.
+
+```plaintext
+...
+path "transit/decrypt/order" {
+  capabilities = ["update"]
+}
+
+path "transit/encrypt/order" {
+  capabilities = ["update"]
+}
+...
+```
+
+#### Task 3: Examine the Spring container
+
+Remember that the `VaultDemoOrderServiceApplication` class logs messages during
+the successful execution of `initIt()`:
+
+```plaintext
+...
+  @PostConstruct
+  	public void initIt() throws Exception {
+  		logger.info("Got Vault Token: " + sessionManager.getSessionToken().getToken());
+  		logger.info("Got DB User: " + dbUser);
+...
+```
+
+Verify that the log indicates that the demo app obtained a database
+credentials from Vault successfully:
+
+```plaintext
+[vagrant@demo ~]$  docker logs spring | grep Got
+...VaultDemoOrderServiceApplication : Got Vault Token: root
+...VaultDemoOrderServiceApplication : Got DB User: v-token-order-rywqz61432yyx2x27w8r-1524067226
+```
+
+Create a new shell session in the `spring` container.
+
+```plaintext
+[vagrant@demo ~]$  docker exec -it spring sh
+/ #
+```
+
+Find the `bootstrap.yaml` file:
+
+```plaintext
+/ #  ls -al
+total 36720
+drwxr-xr-x    1 root     root            51 Apr 18 16:00 .
+drwxr-xr-x    1 root     root            51 Apr 18 16:00 ..
+-rwxr-xr-x    1 root     root             0 Apr 18 16:00 .dockerenv
+-rwxr--r--    1 root     root      37587245 Apr 18 15:59 app.jar
+drwxr-xr-x    2 root     root          4096 Jan  9 19:37 bin
+-rw-r--r--    1 1000     1000           426 Apr 17 17:58 bootstrap.yaml
+...
+
+/ # cat bootstrap.yaml
+spring.application.name: spring-vault-demo
+spring.cloud.vault:
+    authentication: TOKEN
+    token: ${VAULT_TOKEN}
+    host: localhost
+    port: 8200
+    scheme: http
+    fail-fast: true
+    config.lifecycle.enabled: true
+    generic:
+      enabled: true
+      backend: secret
+    database:
+        enabled: true
+        role: order
+        backend: database
+spring.datasource:
+  url: jdbc:postgresql://localhost:5432/postgres
+```
+
+The client token was injected into the `spring` container as an environment
+variable (`VAULT_TOKEN`) by Vagrant.
+
+Enter `exit` to close the shell session in the `spring` container.
+
+#### Task 4: Examine the PostgreSQL database
+
+Connect to the PostgreSQL database running in the `postgres` container:
+
+```plaintext
+[vagrant@demo ~]$ docker exec -it postgres psql -U postgres -d postgres
+psql (10.3 (Debian 10.3-1.pgdg90+1))
+Type "help" for help.
+
+
+postgres=# \d orders
+                                          Table "public.orders"
+    Column     |            Type             | Collation | Nullable |              Default
+---------------+-----------------------------+-----------+----------+------------------------------------
+ id            | bigint                      |           | not null | nextval('orders_id_seq'::regclass)
+ customer_name | character varying(60)       |           | not null |
+ product_name  | character varying(20)       |           | not null |
+ order_date    | timestamp without time zone |           | not null |
+Indexes:
+    "orders_pkey" PRIMARY KEY, btree (id)
+```
+
+Let's list the existing database roles.
+
+```plaintext
+postgres-# \du
+                                                     List of roles
+                   Role name                   |                         Attributes                         | Member of
+-----------------------------------------------+------------------------------------------------------------+-----------
+ postgres                                      | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
+ v-token-order-rywqz61432yyx2x27w8r-1524067226 | Password valid until 2018-04-18 20:56:31+00                | {}
+```
+
+Notice that there is a role name starting with `v-token-order-` which was
+dynamically created by the database secret engine.
+
+~> **NOTE:** To learn more
+about the database secret engine, read the [Secrets as a Service: Dynamic
+Secrets](/guides/secret-mgmt/dynamic-secrets.html) guide.
+
+Enter `\q` to exit out of the `psql` session, or you can open another terminal
+and SSH into the demo virtual machine.
+
+### <a name="step3"></a>Step 3: Run the demo application
+
+If everything looked fine in [Step 2](#step2), you are ready to write some data.
+
+![Vault UI](/img/vault-java-demo-9.png)
+
+You have [verified in the `spring` log](#task-3-examine-the-sprig-container)
+that the demo app successfully retrieved a database credential from the Vault
+server during its initialization.
+
+The next step is to send a new order request via the demo app's _orders_ API
+(http://localhost:8080/api/orders).
+
+```shell
+# Create a new order data
+[vagrant@demo ~]$ tee payload.json<<EOF
+{
+  "customerName": "John",
+  "productName": "Nomad"
+}
+EOF
+
+# Send a request using cURL
+[vagrant@demo ~]$ curl --request POST --header "Content-Type: application/json" \
+                       --data @payload.json http://localhost:8080/api/orders | jq
+{
+  "id": 2,
+  "customerName": "John",
+  "productName": "Nomad",
+  "orderDate": "2018-04-18T22:07:42.916+0000"
+}
+```
+
+**NOTE:** Alternatively, you can use tool such as
+[Postman](https://www.getpostman.com/apps) instead of cURL to invoke the API if
+you prefer.
+
+![Postman](/img/vault-java-demo-4.png)
+
+The order data you sent gets encrypted by Vault. The database only sees the
+ciphertext. Let's verify that the order information stored in the database
+is encrypted.
+
+```plaintext
+[vagrant@demo ~]$ docker exec -it postgres psql -U postgres -d postgres
+
+postgres=# select * from orders;
+ id |                     customer_name                     | product_name |       order_date
+----+-------------------------------------------------------+--------------+-------------------------
+  1 | vault:v1:Qj0lx5DSZvwcHeMOX/5UX/ErHTaDPA3mVlSSpaXd1tbM | VE           | 2018-04-18 21:56:37.924
+  2 | vault:v1:UwL3HnyqTUac5ElS5WYAuNg3NdIMFtd6vvwukL+FaKun | Nomad        | 2018-04-18 22:07:42.916
+(2 rows)
+
+postgres=# \q
+```
+
+> In this demo, Vault encrypts the customer names; therefore, the values in the
+> **`customer_name`** column do not display the names in a human readable
+> manner (e.g. "James" and "John").
+
+Now, retrieve the order data via the orders API:
+
+```plaintext
+[vagrant@demo ~]$ curl --header "Content-Type: application/json" \
+                       http://localhost:8080/api/orders | jq
+[
+ {
+   "id": 1,
+   "customerName": "James",
+   "productName": "VE",
+   "orderDate": "2018-04-18T21:56:37.924+0000"
+ },
+ {
+   "id": 2,
+   "customerName": "John",
+   "productName": "Nomad",
+   "orderDate": "2018-04-18T22:07:42.916+0000"
+ }
+]
+```
+
+The customer names should be readable. Remember that the **`order`** policy
+permits the demo app to encrypt and decrypt data using the `order` encryption
+key in Vault.
+
+#### Web UI
+
+Vault UI makes it easy to decrypt the data.
+
+In the **Secrets** tab, select **`transit/` > `orders`**, and select **Key
+actions**.
+
+![Web UI](/img/vault-java-demo-5.png)
+
+Select **Decrypt** from the transit actions. Now, copy the ciphertext from the
+**`orders`** table and paste it in.
+
+![Web UI](/img/vault-java-demo-6.png)
+
+Click **Decrypt**.
+
+![Web UI](/img/vault-java-demo-7.png)
+
+Finally, click **Decode from base64** to reveal the customer name.
+
+![Web UI](/img/vault-java-demo-8.png)
+
+### <a name="step4"></a>Step 4: Reloading the Static Secrets
+
+Now, let's test another API endpoint, **`api/secret`** provided by the demo app.
+A plain old Java object, `Secret` defines a get method for `key` and `value`.
+The `SecretController.java` defines an API endpoint, **`api/secret`**.
+
+```plaintext
+package com.hashicorp.vault.spring.demo;
+...
+
+@RefreshScope
+@RestController
+public class SecretController {
+
+	@Value("${secret:n/a}")
+	String secret;
+
+	@RequestMapping("/api/secret")
+	public Secret secret() {
+		return new Secret("secret", secret);
+	}
+}
+```
+
+Remember from [Step 2](#task-2-examine-the-vault-environment) that the
+**`order`** policy granted permissions on the `secret/spring-vault-demo` path.
+
+```plaintext
+path "secret/spring-vault-demo" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+...
+```
+
+<br />
+
+The demo app retrieved the secret from `secret/spring-vault-demo` and has a
+local copy. If someone (or perhaps another app) updates the secret, it makes the
+secret held by the demo app to be obsolete.
+
+![Static Secret](/img/vault-java-demo-11.png)
+
+Spring offers [Spring Boot
+Actuator](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready)
+which can be used to facilitate the reloading of the static secret.
+
+#### Task 1: Read the secret
+
+The initial key-value was set by Vagrant during the provisioning. (See the
+`Vagrantfile` at line 48.)
+
+Let's invoke the demo app's secret API (**`api/secret`**):
+
+```plaintext
+$ curl -s http://localhost:8080/api/secret | jq
+{
+  "key": "secret",
+  "value": "hello-vault"
+}
+```
+
+This is the secret that the demo app knows about.
+
+#### Task 2: Update the Secrets
+
+Now, update the secret stored in Vault using API:
+
+```shell
+# Update the value via API
+$ curl --header "X-Vault-Token: root" \
+       --request POST \
+       --data '{ "secret": "my-api-key" }' \
+       http://127.0.0.1:8200/v1/secret/spring-vault-demo
+
+# Verify that the secret value was updated
+$ curl --header "X-Vault-Token: root" \
+       http://127.0.0.1:8200/v1/secret/spring-vault-demo | jq
+{
+ "request_id": "514601e4-a790-3dc6-14b0-537d6982a6c6",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 2764800,
+ "data": {
+   "secret": "my-api-key"
+ },
+...
+}
+```
+
+#### Task 3: Refresh the secret on demo app
+
+Run the demo app's secret API again:
+
+```plaintext
+$ curl -s http://localhost:8080/api/secret | jq
+{
+  "key": "secret",
+  "value": "hello-vault"
+}
+```
+
+The current value stored in Vault is now `my-api-key`; however, the demo app
+still holds `hello-vault`.
+
+Spring provides an
+[actuator](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready)
+which can be leveraged to refresh the secret value. At line 54 of the
+`vault-guides/secrets/spring-cloud-vault/pom.xml`, you see that the actuator was
+added to the project.
+
+```plaintext
+...
+<dependency>
+  <groupId>org.springframework.boot</groupId>
+  <artifactId>spring-boot-starter-actuator</artifactId>
+</dependency>
+...
+```
+
+Let's refresh the secret using the actuator:
+
+```plaintext
+$ curl -s --request POST http://localhost:8080/actuator/refresh | jq
+[
+  "secret"
+]
+```
+
+Read back the secret from the demo app again:
+
+```plaintext
+$ curl -s http://localhost:8080/api/secret | jq
+{
+  "key": "secret",
+  "value": "my-api-key"
+}
+```
+
+It should display the correct value.
+
+---
+
+When you are done exploring the demo implementation, you can destroy the virtual
+machine:
+
+```plaintext
+$ vagrant destroy
+demo: Are you sure you want to destroy the 'demo' VM? [y/N] y
+==> demo: Forcing shutdown of VM...
+==> demo: Destroying VM and associated drives...
+```
+
+~> In the webinar, the demo environment was running in a public cloud, and Nomad
+and Consul were also installed and configured. If you wish to build a similar
+environment using Kubernetes, the assets in the `vault-guides/secrets/spring-cloud-vault/kubernetes`
+folder provides you with some guidance.
+
+## Next steps
+
+[AppRole](/docs/auth/approle.html) is an authentication mechanism within Vault
+to allow machines or apps to acquire a token to interact with Vault. Read the
+[AppRole Pull Authentication](/guides/identity/authentication.html) guide
+which introduces the steps to generate tokens for machines or apps by enabling
+AppRole auth method.
diff --git a/website/pages/guides/encryption/transit-rewrap.mdx b/website/pages/guides/encryption/transit-rewrap.mdx
new file mode 100644
index 000000000000..11e6e52f2c0d
--- /dev/null
+++ b/website/pages/guides/encryption/transit-rewrap.mdx
@@ -0,0 +1,640 @@
+---
+layout: guides
+page_title: Transit Secrets Re-wrapping - Guides
+sidebar_title: Transit Secrets Re-wrapping
+description: >-
+  The goal of this guide is to demonstrate one possible way to re-wrap data
+  after
+
+  rotating an encryption key in the transit engine in Vault.
+---
+
+# Transit Secrets Engine
+
+In addition to being able to store secrets, Vault can encrypt/decrypt data that
+is stored elsewhere. The primary use of this is to allow applications to encrypt
+their data while still storing it in their primary data store. Vault does not
+store the data.
+
+The [`transit` secret engine](/docs/secrets/transit/index.html) handles
+cryptographic functions on data-in-transit, and often referred to as
+**_Encryption as a Service_** (EaaS). Both small amounts of arbitrary data, and
+large files such as images, can be protected with the transit engine. This EaaS
+function can augment or eliminate the need for Transparent Data Encryption (TDE)
+with databases to encrypt the contents of a bucket, volume, and disk, etc.
+
+![Encryption as a Service](/img/vault-encryption.png)
+
+## Encryption Key Rotation
+
+One of the benefits of using the Vault EaaS is its ability to easily rotate the
+encryption keys. Keys can be rotated manually by a human, or an automated
+process which invokes the key rotation API endpoint through `cron`, a CI
+pipeline, a periodic Nomad batch job, Kubernetes Job, etc.
+
+The goal of this guide is to demonstrate an example for re-wrapping data after
+rotating an encryption key in the transit engine in Vault.
+
+## Reference Material
+
+- [Encryption as a Service](/guides/encryption/transit.html)
+- [Transit Secret Engine](/docs/secrets/transit/index.html)
+- [Transit Secret Engine API](/api/secret/transit/index.html)
+- [Transparent Data Encryption in the Modern Datacenter](https://www.hashicorp.com/blog/transparent-data-encryption-in-the-modern-datacenter)
+
+## Estimated Time to Complete
+
+30 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves two personas:
+
+- **security engineer** with privileged permissions to manage the encryption keys
+- **app** with un-privileged permissions rewraps secrets via API
+
+## Challenge
+
+Vault maintains the versioned keyring and the operator can decide
+the minimum version allowed for decryption operations. When data is
+encrypted using Vault, the resulting ciphertext is prepended with the version of
+the key used to encrypt it.
+
+The following example shows data that was encrypted using the fourth version of
+a particular encryption key:
+
+```
+vault:v4:ueizdCqCJ/YhowQSvmJyucnLfIUMd4S/nLTpGTcz64HXoY69dwOrqerFzOlhqg==
+```
+
+For example, an organization could decide that a key should be rotated _once a
+week_, and that the minimum version allowed to decrypt records is the current
+version as well as the previous two versions. If the current version is five,
+then Vault would decrypt records that were sent to it with the following
+prefixes:
+
+- vault:**v5**:lkjasfdlkjafdlkjsdflajsdf==
+- vault:**v4**:asdfas9pirapirteradr33vvv==
+- vault:**v3**:ouoiujarontoiue8987sdjf^1==
+
+In this example, what would happen if you send Vault data that was encrypted
+with the first or second version of the key (`vault:v1:...` or `vault:v2:...`)?
+
+Vault would refuse to decrypt the data as the key used is less than the minimum
+key version allowed.
+
+## Solution
+
+Luckily, Vault provides an easy way of re-wrapping encrypted data when a key is
+rotated. Using the rewrap API endpoint, a non-privileged Vault entity can send
+data encrypted with an older version of the key to have it re-encrypted with the
+latest version. The application performing the re-wrapping never interacts with
+the decrypted data. The process of rotating the encryption key and rewrapping
+records could (and should) be completely **automated**. Records could be updated
+slowly over time to lessen database load, or all at once at the time of
+rotation. The exact implementation will depend heavily on the needs of each
+particular organization or application.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+The following tools are required in order to successfully run the sample
+application provided in this guide:
+
+- [.NET Core](https://www.microsoft.com/net/download)
+- [Docker](https://docs.docker.com/install/)
+
+Download the sample application code from
+[vault-guides](https://github.com/hashicorp/vault-guides/tree/master/encryption/vault-transit-rewrap)
+repository to perform the steps described in this guide.
+
+The `vault-transit-rewrap-example` contains the following:
+
+```bash
+.
+├── AppDb.cs
+├── DBHelper.cs
+├── Program.cs
+├── README.md
+├── Record.cs
+├── VaultClient.cs
+├── WebHelper.cs
+└── rewrap_example.csproj
+```
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+an appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Manage transit secret engine
+path "transit/keys/*" {
+  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
+}
+
+# Enable transit secret engine
+path "sys/mounts/transit" {
+  capabilities = [ "create", "update" ]
+}
+
+# Write ACL policies
+path "sys/policy/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Create tokens for verification & test
+path "auth/token/create" {
+  capabilities = [ "create", "update", "sudo" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+This guide introduces a sample _.Net_ application which automates the
+re-wrapping of the data using the latest encryption key.
+
+For the purpose of this guide, a MySQL database runs locally using Docker.
+However, these steps would work for an existing MySQL database by supplying the
+proper network information to your environment.
+
+You are going to perform the following steps:
+
+1. [Test database setup (Docker)](#step1)
+1. [Enable the transit secret engine](#step2)
+1. [Generate a new token for sample app](#step3)
+1. [Run the sample application](#step4)
+1. [Rotate the encryption keys](#step5)
+1. [Re-wrapping data programmatically](#step6)
+
+### <a name="step1"></a>Step 1: Test database setup (Docker)
+
+You need a database to test with. You can create one to test with easily using
+Docker:
+
+```bash
+# Pull the latest mysql container image
+docker pull mysql/mysql-server:5.7
+
+# Create a directory for our data (change the following line if running on Windows)
+mkdir ~/rewrap-data
+
+# Run the container.  The following command creates a database named 'my_app',
+# specifies the root user password as 'root', and adds a user named vault
+docker run --name mysql-rewrap \
+  -p 3306:3306 \
+  -v ~/rewrap-data/var/lib/mysql \
+  -e MYSQL_ROOT_PASSWORD=root \
+  -e MYSQL_ROOT_HOST=% \
+  -e MYSQL_DATABASE=my_app \
+  -e MYSQL_USER=vault \
+  -e MYSQL_PASSWORD=vaultpw \
+  -d mysql/mysql-server:5.7
+```
+
+### <a name="step2"></a>Step 2: Enable the transit secret engine
+
+(**Persona:** security engineer)
+
+#### CLI command
+
+Enable the `transit` secret engine by executing the following command:
+
+```bash
+$ vault secrets enable transit
+```
+
+Create an encryption key to use for transit named, "my_app_key".
+
+```bash
+$ vault write -f transit/keys/my_app_key
+```
+
+#### API call using cURL
+
+Enable the `transit` secret engine via API, use the `/sys/mounts` endpoint:
+
+```bash
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data <PARAMETERS> \
+       <VAULT_ADDRESS>/v1/sys/mounts/transit
+```
+
+Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
+parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
+
+To crate a new encryption key, use the `transit/keys/<key_name>` endpoint:
+
+```bash
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data <PARAMETERS> \
+       <VAULT_ADDRESS>/v1/transit/keys/<KEY_NAME>
+```
+
+Where `<PARAMETERS>` holds [configuration
+parameters](/api/secret/transit/index.html#create-key) to specify the key type.
+
+**Example:**
+
+```shell
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type": "transit"}' \
+       https://localhost:8200/v1/sys/mounts/transit
+```
+
+The above example passes the **type** (`transit`) in the request payload which
+at the `sys/mounts/transit` endpoint.
+
+Next, create an encryption key to use for transit named, "my_app_key".
+
+```bash
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       https://localhost:8200/v1/transit/keys/my_app_key
+```
+
+### <a name="step3"></a>Step 3: Generate a new token for sample app
+
+(**Persona:** security engineer)
+
+Before generating a token, create a limited scope policy named, "**rewrap_example**"
+for the sample application.
+
+The ACL policy (`rewrap_example.hcl`) looks as follows:
+
+```shell
+path "transit/keys/my_app_key" {
+  capabilities = ["read"]
+}
+
+path "transit/rewrap/my_app_key" {
+  capabilities = ["update"]
+}
+
+# This last policy is needed to seed the database as part of the example.
+# It can be omitted if seeding is not required
+path "transit/encrypt/my_app_key" {
+  capabilities = ["update"]
+}
+```
+
+#### CLI command
+
+Create `rewrap_example` policy:
+
+```shell
+$ vault policy write rewrap_example ./rewrap_example.hcl
+```
+
+Finally, create a token to use the `rewrap_example` policy:
+
+```shell
+$ vault token create -policy=rewrap_example
+```
+
+**Example:**
+
+```shell
+$ vault token create -policy=rewrap_example
+Key                Value
+---                -----
+token              68396128-82d8-002e-f289-1106944fee9f
+token_accessor     75f05f43-6a5f-2eb1-5bb8-0de3c7cf0996
+token_duration     768h
+token_renewable    true
+token_policies     [default rewrap_example]
+```
+
+The generated token is what the sample application uses to connect to Vault.
+
+#### API call using cURL
+
+To create a policy via API, use the `/sys/policy` endpoint:
+
+```plaintext
+$ curl --request PUT --header "X-Vault-Token: ..." \
+       --data @payload.json \
+       https://localhost:8200/v1/sys/policy/rewrap_example
+
+$ cat payload.json
+{
+  "policy": "path \"transit/keys/my_app_key\" { capabilities = [\"read\"] } path \"transit/rewrap/my_app_key\" ... }"
+}
+```
+
+Finally, create a token to use the `rewrap_example` policy:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." --request POST  \
+       --data '{ "policies": ["rewrap_example"] }' \
+       https://localhost:8200/v1/auth/token/create | jq
+{
+ "request_id": "da8bde73-99ab-b435-a344-fb963b3a599f",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": null,
+ "wrap_info": null,
+ "warnings": null,
+ "auth": {
+   "client_token": "997107d5-9049-8b4b-8f39-a33a458fd02d",
+   "accessor": "d400076b-4143-4d63-7473-a8cc52c73ba3",
+   "policies": [
+     "default",
+     "rewrap-example"
+   ],
+   "metadata": null,
+   "lease_duration": 2764800,
+   "renewable": true,
+   "entity_id": ""
+ }
+}
+```
+
+The generated token is what the sample application uses to connect to Vault.
+
+### <a name="step4"></a>Step 4: Run the sample application
+
+(**Persona:** app)
+
+You are now ready to run the app. Be sure to [download](#prerequisites) the
+sample application code before beginning.
+
+**Sample application**
+
+| File                  | Description                                                                                                                                                                                                          |
+| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Program.cs            | Starting point of this sample app (the `Main()` method) is in this file. It reads the environment variable values, connects to Vault and the MySQL database. If the `user_data` table does not exist, it creates it. |
+| DBHelper.cs           | Defines a method to create the `user_data` table if it does not exist. Finds and updates records that need to be rewrapped with the new key.                                                                         |
+| AppDb.cs              | Connects to the MySQL database.                                                                                                                                                                                      |
+| Record.cs             | Sample data record template.                                                                                                                                                                                         |
+| VaultClient.cs        | Defines methods necessary to rewrap transit data.                                                                                                                                                                    |
+| WebHelper.cs          | Helper code to seed the initial table schema.                                                                                                                                                                        |
+| rewrap_example.csproj | Project file for this sample app.                                                                                                                                                                                    |
+
+The sample app retrieves the user token, Vault address, and the name of the
+transit key through environment variables. Be sure to supply the token created
+in [Step 3](#step3):
+
+```bash
+$ VAULT_TOKEN=<APP_TOKEN> \
+     VAULT_ADDR=<VAULT_ADDRESS> \
+     VAULT_TRANSIT_KEY=my_app_key \
+     SHOULD_SEED_USERS=true \
+     dotnet run
+```
+
+> If you need to seed test data you can do so by including the
+> `SHOULD_SEED_USERS=true`.
+
+**Example:**
+
+```bash
+$ VAULT_TOKEN=$TOKEN VAULT_ADDR=http://localhost:8200 VAULT_TRANSIT_KEY=my_app_key SHOULD_SEED_USERS=true dotnet run
+
+Connecting to Vault server...
+Created (if not exist) my_app DB
+Create (if not exist) user_data table
+Seeded the database...
+Moving rewrap...
+Current Key Version: 5
+Found 0 records to rewrap.
+```
+
+You can inspect the contents of the database with:
+
+```bash
+$ docker exec -it mysql-rewrap mysql -uroot -proot
+...
+mysql> DESC user_data;
+mysql> SELECT * FROM user_data WHERE dob LIKE "vault:v1%" limit 10;
+...data...
+```
+
+### <a name="step5"></a>Step 5: Rotate the encryption keys
+
+(**Persona:** security engineer)
+
+The encryption key (`my_app_key`) can be rotated easily.
+
+#### CLI command
+
+To rotate the key, you write to the `transit/keys/<KEY_NAME>/rotate` path.
+
+```bash
+$ vault write -f transit/keys/my_app_key/rotate
+Success! Data written to: transit/keys/my_app_key/rotate
+```
+
+Run the command a few times to generate several versions of the encryption key
+for testing.
+
+To view the key information:
+
+```bash
+$ vault read transit/keys/my_app_key
+Key                       Value
+---                       -----
+allow_plaintext_backup    false
+deletion_allowed          false
+derived                   false
+exportable                false
+keys                      map[5:1519623974 6:1519623980 1:1519620952 2:1519623255 3:1519623285 4:1519623603]
+latest_version            6
+min_decryption_version    1
+min_encryption_version    0
+name                      my_app_key
+supports_decryption       true
+supports_derivation       true
+supports_encryption       true
+supports_signing          false
+type                      aes256-gcm96
+```
+
+You can see that in the above example the current version of the key is six.
+There is no restriction about a minimum encryption key version, and any of the key
+versions can decrypt the data (`min_decryption_version`).
+
+Let's enforce the use of the encryption key at version five or later to decrypt
+data.
+
+```shell
+# replace '5' with the appropriate version
+$ vault write transit/keys/my_app_key/config min_decryption_version=5
+
+# Verify the changes were successful
+$ vault read transit/keys/my_app_key
+Key                       Value
+---                       -----
+allow_plaintext_backup    false
+deletion_allowed          false
+derived                   false
+exportable                false
+keys                      map[5:1519623974 6:1519623980]
+latest_version            6
+min_decryption_version    5
+min_encryption_version    0
+name                      my_app_key
+supports_decryption       true
+supports_derivation       true
+supports_encryption       true
+supports_signing          false
+type                      aes256-gcm96
+```
+
+#### API call using cURL
+
+To rotate the encryption key via API, use the `transit/keys/<KEY_NAME>/rotate` endpoint:
+
+```bash
+$ curl --request POST --header "X-Vault-Token: ..." \
+       https://localhost:8200/v1/transit/keys/my_app_key/rotate
+```
+
+Run the command a few times to generate several versions of the encryption key
+for testing.
+
+```shell
+# Verify the changes were successful
+$ curl --request GET --header "X-Vault-Token: ..." \
+      https://localhost:8200/v1/transit/keys/my_app_key | jq
+{
+  "request_id": "ed13436a-4816-2f51-0552-6a001e823548",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "allow_plaintext_backup": false,
+    "deletion_allowed": false,
+    "derived": false,
+    "exportable": false,
+    "keys": {
+      "1": 1519620952,
+      "2": 1519623255,
+      "3": 1519623285,
+      "4": 1519623603,
+      "5": 1519623974,
+      "6": 1519623980
+    },
+    "latest_version": 6,
+    "min_decryption_version": 1,
+    "min_encryption_version": 0,
+    "name": "my_app_key",
+    ...
+  },
+  ...
+}
+```
+
+You can see that in the above example the current version of the key is six.
+There is no restriction about the minimum encryption key version, and any of the key
+versions can decrypt the data (`min_decryption_version`).
+
+Let's enforce the use of the encryption key at version five or later to decrypt the
+data.
+
+```shell
+$ curl --request POST --header "X-Vault-Token: ..." \
+       --data '{ "min_decryption_version": 5 }'
+       https://localhost:8200/v1/transit/keys/my_app_key/config
+
+# Verify the changes were successful
+$ curl --request GET --header "X-Vault-Token: ..." \
+       https://localhost:8200/v1/transit/keys/my_app_key | jq
+{
+ ...
+ "data": {
+   ...
+   "keys": {
+     "5": 1519623974,
+     "6": 1519623980
+   },
+   "latest_version": 6,
+   "min_decryption_version": 5,
+   "min_encryption_version": 0,
+   "name": "my_app_key",
+   ...
+  },
+}
+```
+
+### <a name="step6"></a>Step 6: Programmatically re-wrap the data
+
+(**Persona:** app)
+
+Now you have records in the database and you have updated our minimum key
+version. You can run the application again and should see it update records as
+appropriate. Remember you can inspect records using the MySQL shell (see above).
+
+**Example:**
+
+```shell
+$ VAULT_TOKEN=2616214b-6868-3589-b443-0330d7915882 VAULT_ADDR=http://localhost:8200 \
+          VAULT_TRANSIT_KEY=my_app_key SHOULD_SEED_USERS=true dotnet run
+Connecting to Vault server...
+Created (if not exist) my_app DB
+Create (if not exist) user_data table
+Seeded the database...
+Current Key Version: 6
+Found 3500 records to rewrap.
+Wrapped another 10 records: 10 so far...
+Wrapped another 10 records: 20 so far...
+Wrapped another 10 records: 30 so far...
+...
+```
+
+#### Validation
+
+The application has now re-wrapped all records with the latest key. You can
+verify this by running the application again, or by inspecting the records using the
+MySQL client.
+
+```bash
+$ docker exec -it mysql-rewrap mysql -uroot -proot
+...
+mysql> DESC user_data;
+mysql> SELECT * FROM user_data WHERE dob LIKE "vault:v1%" limit 10;
+Empty set (0.00 sec)
+
+mysql> SELECT * FROM user_data WHERE dob LIKE "vault:v6%" limit 10;
+...data...
+```
+
+### Conclusion
+
+An application similar to this could be scheduled via cron, run periodically as
+a [Nomad batch
+job](https://www.nomadproject.io/docs/job-specification/periodic.html), or
+executed in a variety of other ways. You could also modify it to re-wrap a
+limited number of records at a time so as to not put undue strain on the
+database. The final implementation should be based upon the needs and design
+goals specific to each organization or application.
+
+## Next Steps
+
+Since the main focus of this guide was to programmatically rewrap your secrets
+using the latest encryption key, the token used by the sample application was
+generated manually. In a production environment, you'll want to pass the token in
+a more secure manner. Refer to the [Cubbyhole Response
+Wrapping](/guides/secret-mgmt/cubbyhole.html) guide to wrap the token so that only the
+expecting app can unwrap to obtain the token.
+
+Also, refer to the [AppRole Pull
+Authentication](/guides/identity/authentication.html) to generate tokens for
+apps using the AppRole auth method.
diff --git a/website/pages/guides/encryption/transit.mdx b/website/pages/guides/encryption/transit.mdx
new file mode 100644
index 000000000000..c4eba58920af
--- /dev/null
+++ b/website/pages/guides/encryption/transit.mdx
@@ -0,0 +1,620 @@
+---
+layout: guides
+page_title: Encryption as a Service - Guides
+sidebar_title: Encryption as a Service
+description: >-
+  HashiCorp Vault's transit secrets engine handles cryptographic functions on
+  data in-transit. It can also viewed as _encryption as a service_.
+---
+
+# Encryption as a Service: Transit Secrets Engine
+
+Vault's `transit` secrets engine handles cryptographic functions on
+data-in-transit. Vault doesn't store the data sent to the secrets engine, so it
+can also be viewed as **_encryption as a service_**.
+
+Although the `transit` secrets engine provides additional features (sign and
+verify data, generate hashes and HMACs of data, and act as a source of random
+bytes), its primary use case is to encrypt data. This relieves the burden of
+proper encryption/decryption from application developers and pushes the burden
+onto the operators of Vault.
+
+## Reference Materials
+
+- [Transit Secret Engine](/docs/secrets/transit/index.html)
+- [Transit Secret Engine API](/api/secret/transit/index.html)
+- [Transparent Data Encryption in the Modern Datacenter](https://www.hashicorp.com/blog/transparent-data-encryption-in-the-modern-datacenter)
+
+~> **NOTE:** An [interactive
+tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-transit) is
+also available if you do not have a Vault environment to perform the steps
+described in this guide.
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves two personas:
+
+- **operator** with privileged permissions to manage the encryption keys
+- **app** with un-privileged permissions encrypt/decrypt secrets via API
+
+## Challenge
+
+Think of the following scenario:
+
+_Example Inc._ recently made headlines for a massive data breach which exposed
+millions of their users' payment card accounts online. When they tracked down the
+problem they found that a new HVAC system with management software had been put
+into their data centers and had created vulnerabilities in their networks and
+exposed ports and IPs to the databases publicly.
+
+## Solutions
+
+The `transit` secrets engine enables security teams to fortify data during
+transit and at rest. So even if an intrusion occurs, your data is encrypted with
+AES 256-bit CBC encryption (TLS in transit). Even if an attacker were able to
+access the raw data, they would only have encrypted bits. This means attackers
+would need to compromise multiple systems before exfiltrating data.
+
+![Encryption as a Service](/img/vault-encryption.png)
+
+This guide demonstrates the basics of the `transit` secrets engine.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Enable transit secrets engine
+path "sys/mounts/transit" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# To read enabled secrets engines
+path "sys/mounts" {
+  capabilities = [ "read" ]
+}
+
+# Manage the transit secrets engine
+path "transit/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+You will perform the following:
+
+1. [Configure Transit Secret Engine](#step1)
+1. [Encrypt Secrets](#step2)
+1. [Decrypt a cipher-text](#step3)
+1. [Rotate the Encryption Key](#step4)
+1. [Update Key Configuration](#step5)
+
+### <a name="step1"></a>Step 1: Configure Transit Secret Engine
+
+(**Persona:** operator)
+
+The `transit` secrets engine must be configured before it can perform its
+operations. This step is usually done by an **operator** or configuration
+management tool.
+
+#### CLI command
+
+Enable the `transit` secret engine by executing the following command:
+
+```plaintext
+$ vault secrets enable transit
+```
+
+> By default, the secrets engine will mount at the name of the engine. If you
+> wish to enable it at a different path, use the `-path` argument.
+
+> **Example:** `vault secrets enable -path=encryption transit`
+
+Now, create an encryption key ring named, `orders` by executing the following
+command:
+
+```plaintext
+$ vault write -f transit/keys/orders
+```
+
+#### API call using cURL
+
+Enable `transit` secret engine using `/sys/mounts` endpoint:
+
+```plaintext
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data <PARAMETERS> \
+       <VAULT_ADDRESS>/v1/sys/mounts/<PATH>
+```
+
+Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
+parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
+
+**Example:**
+
+The following example enables transit secret engine at `sys/mounts/transit`
+path, and passed the secret engine type (`transit`) in the request payload.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type":"transit"}' \
+       https://127.0.0.1:8200/v1/sys/mounts/transit
+```
+
+Now, create an encryption key ring named, `orders` using the `transit/keys`
+endpoint:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       https://127.0.0.1:8200/v1/transit/keys/orders
+```
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and then login.
+
+1. Select **Enable new engine** and select **Transit** from **Secrets engine type**
+   drop-down list.
+   ![Enable new engine](/img/vault-secrets-enable.png)
+
+1. Click **Enable Engine**.
+
+1. Select **Create encryption key** and enter `orders` in the **Name** field.
+   ![Create a key](/img/vault-transit-1.png)
+
+1. Click **Create encryption key** to complete.
+
+<br />
+
+~> **NOTE:** Typically, you want to create an encryption key ring for each
+application.
+
+### <a name="step2"></a>Step 2: Encrypt Secrets
+
+(**Persona:** operator)
+
+Once the `transit` secrets engine has been configured, any client with a valid
+token with proper permission can send data to encrypt.
+
+Here, you are going to encrypt a plaintext, _"credit-card-number"_.
+
+-> **NOTE:** You can pass non-text binary file such as a PDF or image.
+When you encrypt a plaintext, it must be base64-encoded.
+
+#### CLI command
+
+To encrypt your secret, use the `transit/encrypt` endpoint:
+
+```plaintext
+$ vault write transit/encrypt/<key_ring_name>
+```
+
+Execute the following command to encrypt a plaintext:
+
+```plaintext
+$ vault write transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number")
+
+Key           Value
+---           -----
+ciphertext    vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=
+```
+
+Vault does _NOT_ store any of this data. The output you received is the
+ciphertext. You can store this ciphertext at the desired location (e.g. MySQL
+database) or pass it to another application.
+
+#### API call using cURL
+
+To encrypt your secret, use the [`transit/encrypt`
+endpoint](/api/secret/transit/index.html#encrypt-data).
+
+**Example:**
+
+```shell
+# Generate base64-encoded plaintext
+$ base64 <<< "credit-card-number"
+Y3JlZGl0LWNhcmQtbnVtYmVyCg==
+
+# Pass the base64-encoded plaintext in the request payload
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"plaintext": "Y3JlZGl0LWNhcmQtbnVtYmVyCg=="}' \
+       https://127.0.0.1:8200/v1/transit/encrypt/orders | jq
+{
+  "request_id": "f483d9b6-8132-782e-1665-ad432c2461ab",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "ciphertext": "vault:v1:/9hdQutaWpZR72s3+VSCLK1JNhV1wKM49hYVjh7RjmuxIy/OvshtgV4L4uVB+aQ="
+  },
+  ...
+}
+```
+
+Vault does _NOT_ store any of this data. The output you received is the
+ciphertext. You can store this ciphertext at the desired location (e.g. MySQL
+database) or pass it to another application.
+
+#### Web UI
+
+1. Select the **orders** encryption key.
+
+1. Select **Key actions**.
+   ![Key action](/img/vault-transit-2.png)
+
+1. Make sure that **Encrypt** is selected under **TRANSIT ACTIONS**, and then
+   enter "credit-card-number" in the **Plaintext** field.
+   ![Encrypt plaintext](/img/vault-transit-3.png)
+
+1. Click **Encode to base64** to encode the plaintext.
+
+1. Click **Encrypt**.
+   Vault does _NOT_ store any of this data. The output you received is the
+   ciphertext. You can click **Copy** to copy the resulting ciphertext and store it
+   at the desired location (e.g. MySQL database) or pass it to another application.
+   ![Encrypt plaintext](/img/vault-transit-4.png)
+
+### <a name="step3"></a>Step 3: Decrypt a cipher-text
+
+(**Persona:** operator)
+
+Any client with a valid token with proper permission can decrypt the ciphertext
+generated by Vault. To decrypt the ciphertext, invoke the `transit/decrypt`
+endpoint.
+
+#### CLI command
+
+Execute the following command to decrypt the ciphertext resulted in [Step
+2](#step2):
+
+```plaintext
+$ vault write transit/decrypt/orders \
+        ciphertext="vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=" \
+
+Key          Value
+---          -----
+plaintext    Y3JlZGl0LWNhcmQtbnVtYmVyCg==
+```
+
+The resulting data is base64-encoded. To reveal the original plaintext, run the
+following command:
+
+```plaintext
+$ base64 --decode <<< "Y3JlZGl0LWNhcmQtbnVtYmVyCg=="
+credit-card-number
+```
+
+#### API call using cURL
+
+Use the `transit/decrypt` endpoint to decrypt the ciphertext resulted in [Step
+2](#step2):
+
+**Example:**
+
+```shell
+# Pass the ciphertext in the request payload to decode
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"ciphertext": "vault:v1:/9hdQutaWpZR72s3+VSCLK1JNhV1wKM49hYVjh7RjmuxIy/OvshtgV4L4uVB+aQ="}' \
+       https://127.0.0.1:8200/v1/transit/decrypt/orders | jq
+{
+   "request_id": "062d7998-8932-76f2-f96c-5938a55ff005",
+   "lease_id": "",
+   "renewable": false,
+   "lease_duration": 0,
+   "data": {
+     "plaintext": "Y3JlZGl0LWNhcmQtbnVtYmVyCg=="
+   },
+   ...
+}
+
+# The resulting data is base64-encoded that it must be decoded to reveal the plaintext
+$ base64 --decode <<< "Y3JlZGl0LWNhcmQtbnVtYmVyCg=="
+credit-card-number
+```
+
+#### Web UI
+
+1. Select the **orders** encryption key.
+
+1. Select **Key actions**.
+
+1. Make sure that **Decrypt** is selected under **TRANSIT ACTIONS**, and then
+   enter the ciphertext you wish to decrypt.
+   ![Decrypt ciphertext](/img/vault-transit-5.png)
+
+1. Click **Decrypt**.
+
+1. The resulting data is base64-encoded. Click **Decode from base64** to reveal
+   the plaintext.
+
+### <a name="step4"></a>Step 4: Rotate the Encryption Key
+
+(**Persona:** operator)
+
+One of the benefits of using the Vault `transit` secrets engine is its ability
+to easily rotate the encryption keys. Keys can be rotated manually by a human,
+or an automated process which invokes the key rotation API endpoint through
+cron, a CI pipeline, a periodic Nomad batch job, Kubernetes Job, etc.
+
+Vault maintains the versioned keyring and the operator can decide the minimum
+version allowed for decryption operations. When data is encrypted using Vault,
+the resulting ciphertext is prepended with the version of the key used to
+encrypt it.
+
+#### CLI command
+
+To rotate the encryption key, invoke the `transit/keys/<key_ring_name>/rotate`
+endpoint.
+
+```plaintext
+$ vault write -f transit/keys/orders/rotate
+```
+
+Let's encrypt another data:
+
+```plaintext
+$ vault write transit/encrypt/orders plaintext=$(base64 <<< "visa-card-number")
+Key           Value
+---           -----
+ciphertext    vault:v2:45f9zW6cglbrzCjI0yCyC6DBYtSBSxnMgUn9B5aHcGEit71xefPEmmjMbrk3
+```
+
+Compare the ciphertexts from [Step 2](#step2).
+
+```
+ciphertext    vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=
+```
+
+Notice that the first ciphertext starts with "**`vault:v1:`**". After rotating
+the encryption key, the ciphertext starts with "**`vault:v2:`**". This indicates
+that the data gets encrypted using the latest version of the key after the
+rotation.
+
+Execute the following command to rewrap your ciphertext from [Step 2](#step2)
+with the latest version of the encryption key:
+
+```plaintext
+$ vault write transit/rewrap/orders \
+        ciphertext="vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U="
+Key           Value
+---           -----
+ciphertext    vault:v2:kChHZ9w4ILRfw+DzO53IZ8m5PyB2yp2/tKbub34uB+iDqtDRB+NLCPrpzTtJHJ4=
+```
+
+Notice that the resulting ciphertext now starts with "`vault:v2:`".
+
+This operation does not reveal the plaintext data. But Vault will decrypt the
+value using the appropriate key in the keyring and then encrypted the resulting
+plaintext with the newest key in the keyring.
+
+#### API call using cURL
+
+To rotate the encryption key, invoke the `transit/keys/<key_ring_name>/rotate`
+endpoint.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST
+       https://127.0.0.1:8200/v1/transit/keys/orders/rotate
+```
+
+Let's encrypt another data:
+
+```shell
+# Generate base64-encoded plaintext
+$ base64 <<< "visa-card-number"
+dmlzYS1jYXJkLW51bWJlcgo=
+
+# Pass the base64-encoded plaintext in the request payload
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"plaintext": "dmlzYS1jYXJkLW51bWJlcgo="}' \
+       https://127.0.0.1:8200/v1/transit/encrypt/orders | jq
+{
+  ...
+  "data": {
+    "ciphertext": "vault:v2:et873RqkfLlS268LqYspVUnqhqZm0flNwhthe4ZzfcuZQab1TnirQ8/hMNYA"
+  },
+  ...
+}
+```
+
+Compare the ciphertexts from [Step 2](#step2).
+
+```
+ciphertext    vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=
+```
+
+Notice that the first ciphertext starts with "**`vault:v1:`**". After rotating
+the encryption key, the ciphertext starts with "**`vault:v2:`**". This indicates
+that the data gets encrypted using the latest version of the key after the
+rotation.
+
+Execute the `transit/rewrap` endpoint to rewrap your ciphertext from [Step 2](#step2)
+with the latest version of the encryption key:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"ciphertext": "vault:v1:/9hdQutaWpZR72s3+VSCLK1JNhV1wKM49hYVjh7RjmuxIy/OvshtgV4L4uVB+aQ="}' \
+       https://127.0.0.1:8200/v1/transit/rewrap/orders | jq
+{
+ ...
+ "data": {
+   "ciphertext": "vault:v2:ykqXDP65tLVSrqxoNZh51gIobYQSwNGT+SbiD/2nl8rrhF2md+wplBGdXlhDzd4="
+ },
+ ...
+```
+
+Notice that the resulting ciphertext now starts with "`vault:v2:`".
+
+This operation does not reveal the plaintext data. But Vault will decrypt the
+value using the appropriate key in the keyring and then encrypted the resulting
+plaintext with the newest key in the keyring.
+
+## <a name="step5"></a>Step 5: Update Key Configuration
+
+(**Persona:** operator)
+
+The operators can [update the encryption key
+configuration](/api/secret/transit/index.html#update-key-configuration) to
+specify the minimum version of ciphertext allowed to be decrypted, the minimum
+version of the key that can be used to encrypt the plaintext, the key is allowed
+to be deleted, etc.
+
+This helps further tightening the data encryption rule.
+
+#### CLI Command
+
+Execute the key rotation command a few times to generate multiple versions of
+the key:
+
+```plaintext
+$ vault write -f transit/keys/orders/rotate
+```
+
+Now, read the `orders` key information:
+
+```plaintext
+$ vault read transit/keys/orders
+
+Key                       Value
+---                       -----
+...
+keys                      map[6:1531439714 1:1531439594 2:1531439667 3:1531439714 4:1531439714 5:1531439714]
+latest_version            6
+min_decryption_version    1
+min_encryption_version    0
+...
+```
+
+In the example, the current version of the key is **6**. However, there is no
+restriction about the minimum encryption key version, and any of the key
+versions can decrypt the data (`min_decryption_version`).
+
+Run the following command to enforce the use of the encryption key at version
+**5** or later to decrypt the data.
+
+```plaintext
+$ vault write transit/keys/orders/config min_decryption_version=5
+```
+
+Now, verify the `orders` key configuration:
+
+```plaintext
+$ vault read transit/keys/orders
+
+Key                       Value
+---                       -----
+allow_plaintext_backup    false
+deletion_allowed          false
+derived                   false
+exportable                false
+keys                      map[5:1531811719 6:1531811721]
+latest_version            6
+min_decryption_version    5
+min_encryption_version    0
+...
+```
+
+#### API call using cURL
+
+Execute the `transit/keys/<key_ring_name>/rotate` endpoint a few times key
+rotation command a few times to generate multiple versions of the key:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST
+       https://127.0.0.1:8200/v1/transit/keys/orders/rotate
+```
+
+Read the `transit/keys/orders` endpoint to review the `orders` key
+detail:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       https://127.0.0.1:8200/v1/transit/keys/orders | jq
+{
+  ...
+   "keys": {
+     "1": 1531804669,
+      "2": 1531810236,
+      "3": 1531811712,
+      "4": 1531811715,
+      "5": 1531811719,
+      "6": 1531811721
+   },
+   "latest_version": 6,
+   "min_decryption_version": 1,
+   "min_encryption_version": 0,
+   ...
+```
+
+In the example, the current version of the key is **6**. However, there is no
+restriction about the minimum encryption key version, and any of the key
+versions can decrypt the data (`min_decryption_version`).
+
+Run the following command to enforce the use of the encryption key at version
+**5** or later to decrypt the data.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST
+       --data '{"min_decryption_version": 5}'
+       https://127.0.0.1:8200/v1/transit/keys/orders/config
+```
+
+Now, verify the `orders` key configuration:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       https://127.0.0.1:8200/v1/transit/keys/orders | jq
+{
+  ...
+  "keys": {
+     "5": 1531811719,
+     "6": 1531811721
+   },
+   "latest_version": 6,
+   "min_decryption_version": 5,
+   "min_encryption_version": 0,
+   ...
+```
+
+<br />
+
+-> **NOTE:** Notice that the output only displays two valid encryption key
+versions (`5` and `6`).
+
+## Next steps
+
+[Transit Secrets Re-wrapping](/guides/encryption/transit-rewrap.html) guide
+introduces a sample application which re-wraps data after rotating an encryption
+key in the transit engine in Vault.
diff --git a/website/pages/guides/getting-started/index.mdx b/website/pages/guides/getting-started/index.mdx
new file mode 100644
index 000000000000..e3c6bdb6254f
--- /dev/null
+++ b/website/pages/guides/getting-started/index.mdx
@@ -0,0 +1,13 @@
+---
+layout: guides
+page_title: Guides
+sidebar_title: Getting Started
+description: This section takes you to the Getting Started section.
+---
+
+# Vault Getting Started
+
+Welcome to the Vault guides section! If you are just getting started with Vault,
+please start with the [Vault introduction](/intro/getting-started/install.html)
+instead and then continue on to the guides. The guides provide examples of
+common Vault workflows and actions for both beginner and advanced Vault users.
diff --git a/website/pages/guides/identity/approle-trusted-entities.mdx b/website/pages/guides/identity/approle-trusted-entities.mdx
new file mode 100644
index 000000000000..78a0d057e525
--- /dev/null
+++ b/website/pages/guides/identity/approle-trusted-entities.mdx
@@ -0,0 +1,904 @@
+---
+layout: guides
+page_title: AppRole With Terraform & Chef - Guides
+sidebar_title: AppRole with Terraform and Chef
+description: |-
+  This guide discusses the concepts necessary to help users
+  understand Vault's AppRole authentication pattern and how to use it to
+  securely introduce a Vault authentication token to a target server,
+  application, container, etc.x
+---
+
+# Vault AppRole with Terraform and Chef Demo
+
+In the [AppRole Pull
+Authentication](/guides/identity/authentication.html#advanced-features) guide,
+the question of how best to deliver the Role ID and Secret ID were brought up,
+and the role of trusted entities (Terraform, Chef, Nomad, Kubernetes, etc.) was
+mentioned.
+
+![AppRole auth method workflow](/img/vault-approle-workflow2.png)
+
+This _intermediate_ Vault guide aims to provide a **simple**, **end-to-end**
+example of how to use Vault's [AppRole authentication
+method](/docs/auth/approle.html), along with Terraform and Chef, to address the
+challenge of the **_secure introduction_** of an initial token to a target
+system.
+
+The purpose of this guide is to provide the instruction to reproduce the working
+implementation demo introduced in the [Delivering Secret Zero: Vault AppRole
+with Terraform and
+Chef](https://www.hashicorp.com/resources/delivering-secret-zero-vault-approle-terraform-chef)
+webinar.
+
+[![YouTube](/img/vault-approle-youtube.png)](https://youtu.be/OIcIzFWjThM)
+
+-> **NOTE:** This is a proof of concept and **NOT SUITABLE FOR PRODUCTION USE**.
+
+## Reference Material
+
+- [AppRole Auth Method](/docs/auth/approle.html)
+- [Authenticating Applications with HashiCorp Vault AppRole](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle)
+- [Delivering Secret Zero: Vault AppRole with Terraform and
+  Chef](https://www.hashicorp.com/resources/delivering-secret-zero-vault-approle-terraform-chef)
+
+## Estimated Time to Complete
+
+20 minutes
+
+## Challenge
+
+The goal of the AppRole authentication method is to provide a mechanism for the
+secure introduction of secrets to target systems (servers, applications,
+containers, etc.).
+
+The question becomes what systems within our environment do we trust to handle
+or deliver the `RoleID` and `SecretID` to our target systems.
+
+## Solution
+
+Use _Trusted Entities_ to deliver the AppRole authentication values. For
+example, use Terraform to deliver your `RoleID` or embed it into your AMI or
+Dockerfile. Then you might use Jenkins or Chef to obtain the
+[response-wrapped](/guides/secret-mgmt/cubbyhole.html) `SecretID` and deliver it
+to the target system.
+
+AppRole allows us to securely introduce the authentication token to the target
+system by preventing any single system from having full access to an
+authentication token that does not belong to. This helps us maintain the
+security principles of **least privilege** and **non-repudiation**.
+
+The important thing to note here is that regardless of what systems are
+considered as _Trusted Entities_, the same pattern applies.
+
+For example:
+
+- With Chef, you might use the [Vault Ruby Gem](https://github.com/hashicorp/vault-ruby)
+  for simplified interaction with Vault APIs
+- Terraform provides a Vault provider: [Provider: Vault - Terraform by HashiCorp](https://www.terraform.io/docs/providers/vault/index.html)
+- For Jenkins, you might use the Vault CLI or APIs directly, as described here:
+  [Reading Vault Secrets in your Jenkins pipeline](http://nicolas.corrarello.com/general/vault/security/ci/2017/04/23/Reading-Vault-Secrets-in-your-Jenkins-pipeline.html)
+
+## Prerequisites
+
+This guide assumes that you are proficient enough to perform basic Terraform
+tasks. If you are not familiar with Terraform, refer to the [online
+documentation](https://www.terraform.io/intro/getting-started/install.html).
+
+The following AWS resources are required to perform this demo:
+
+- An [Amazon S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html)
+- An [IAM user credential with administrator permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html)
+  (to be able to create additional IAM policies and instance profiles)
+
+### Download demo assets
+
+Clone or download the demo assets from the
+[hashicorp/vault-guides](https://github.com/hashicorp/vault-guides/tree/master/identity/vault-chef-approle)
+GitHub repository to perform the steps described in this guide.
+
+The following assets can be found in the repository:
+
+- Chef cookbook (**`/chef/cookbooks`**): A sample cookbook with a recipe that installs NGINX
+  and demonstrates Vault Ruby Gem functionality used to interact with Vault APIs.
+- Terraform configurations (**`/terraform-aws`**):
+  - **`/terraform-aws/mgmt-node`**: Configuration to set up a management
+    server running both Vault and Chef Server, for demo purposes.
+  - **`/terraform-aws/chef-node`**: Configuration to set up a Chef node and
+    bootstrap it with the Chef Server, passing in Vault's AppRole RoleID and the
+    appropriate Chef run-list.
+- Vault configuration (**`/scripts`**): Data scripts used to configure the
+  appropriate mounts and policies in Vault for this demo.
+
+## Steps
+
+The scenario in this guide uses Terraform and Chef as trusted entities to
+deliver `RoleID` and `SecretID`.
+
+![AppRole auth method workflow](/img/vault-approle-tf-chef.png)
+
+For the simplicity of the demonstration, both Vault and Chef are installed on
+the same node. Terraform provisions the node which contains the `RoleID` as an
+environment variable. Chef pulls the `SecretID` from Vault.
+
+Provisioning for this demo happens in 2 phases:
+
+- [Phase 1 - Provision our Vault plus Chef Server](#phase1)
+  - [Step 1: Provision the Vault and Chef Server](#step-1-provision-the-vault-and-chef-server)
+  - [Step 2: Initialize and Unseal Vault](#step-2-initialize-and-unseal-vault)
+  - [Step 3: AppRole Setup](#step-3-approle-setup)
+  - [Step 4: Configure Tokens for Terraform and Chef](#step-4-configure-tokens-for-terraform-and-chef)
+  - [Step 5: Save the Token in a Chef Data Bag](#step-5-save-the-token-in-a-chef-data-bag)
+  - [Step 6: Write Secrets](#step-6-write-secrets)
+- [Phase 2 - Provision our Chef Node to Show AppRole Login](#phase2)
+
+## <a name="phase1"></a>Phase 1: Provision our Vault & Chef Server
+
+### Step 1: Provision the Vault and Chef Server
+
+This provides a quick and simple Vault and Chef Server configuration to help you
+get started.
+
+**NOTE:** This is done for demonstration purpose and **NOT a recommended
+practice** for production.
+
+In this phase, you use Terraform to spin up a server (and associated AWS
+resources) with both Vault and Chef Server installed. Once this server is up and
+running, you'll complete the appropriate configuration steps in Vault to set up
+our AppRole and tokens for use in the demo.
+
+~> If using _Terraform Enterprise_, [create a
+Workspace](https://www.terraform.io/docs/enterprise/getting-started/workspaces.html)
+for this repo and set the appropriate Terraform/Environment variables using the
+`terraform.tfvars.example` file as a reference. Follow the instructions in the
+documentation to perform the appropriate setup in Terraform Enterprise.
+
+#### Using Terraform Open Source:
+
+**Task 1:** Change the working directory (`cd`) to
+`identity/vault-chef-approle/terraform-aws/mgmt-node`.
+
+```shell
+.
+├── main.tf
+├── outputs.tf
+├── templates
+│   └── userdata-mgmt-node.tpl
+├── terraform.tfvars.example
+└── variables.tf
+```
+
+**Task 2:** Update the `terraform.tfvars.example` file to match your account and
+rename it to `terraform.tfvars`.
+
+At minimum, replace the following variable with appropriate values:
+
+- **`s3_bucket_name`**
+- **`vpc_id`**
+- **`subnet_id`**
+- **`key_name`**
+- **`ec2_pem`**
+
+> NOTE: If your VPC, subnet and EC2 key pair were created on a region other than
+> `us-east-1`, be sure to set the **`aws_region`** value to match your chosen region.
+
+**Task 3:** Perform a `terraform init` to pull down the necessary provider resources.
+Then `terraform plan` to verify your changes and the resources that will be
+created. If all looks good, then perform a `terraform apply` to provision the
+resources. The Terraform output will display the public IP address to SSH into
+your server.
+
+```plaintext
+$ terraform init
+Initializing provider plugins...
+...
+Terraform has been successfully initialized!
+
+
+$ terraform plan
+...
+Plan: 5 to add, 0 to change, 0 to destroy.
+
+
+$ terraform apply
+...
+Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
+
+Outputs:
+vault-public-ip = 192.0.2.0
+```
+
+The Terraform output will display the public IP address to SSH into
+your server.
+
+For example:
+
+```plaintext
+$ ssh -i "/path/to/EC2/private_key.pem" ubuntu@192.0.2.0
+```
+
+**Task 4:** Initial setup of the Chef server takes several minutes. Once you can
+SSH into your mgmt server, run `tail -f /var/log/tf-user-data.log` to see when
+the initial configuration is complete.
+
+```plaintext
+$ tail -f /var/log/tf-user-data.log
+```
+
+When you see the following message, the initial setup is complete.
+
+```plaintext
++ echo '2018/03/27 21:53:06 /var/lib/cloud/instance/scripts/part-001: Complete'
+```
+
+You can find the following subfolders in
+your home directory:
+
+- **`/home/ubuntu/vault-chef-approle-demo`**: root of our project
+- **`/home/ubuntu/vault-chef-approle-demo/chef`**: root of our Chef app; this is
+  where our `knife` configuration is located (`.chef/knife.rb`)
+- **`/home/ubuntu/vault-chef-approle-demo/scripts`**: there's a
+  `vault-approle-setup.sh` script located here to help automate the setup of
+  Vault, or you can follow along in the rest of this README to configure Vault
+  manually
+
+### Step 2: Initialize and Unseal Vault
+
+Before moving on, set your working environment variables in your mgmt server:
+
+```plaintext
+$ export VAULT_ADDR=http://127.0.0.1:8200
+$ export VAULT_SKIP_VERIFY=true
+```
+
+Before you can do anything in Vault, you need to initialize and unseal it.
+Perform **_one_** of the following:
+
+- **Option 1:** Run the `/home/ubuntu/demo_setup.sh` script to get up and running, and proceed to
+  [Phase 2 - Provision our Chef Node to Show AppRole Login](#phase2).
+- **Option 2:** Continue onto [Step 3: AppRole Setup](#step-3-approle-setup) to
+  set up the demo environment **_manually_**.
+
+### Step 3: AppRole Setup
+
+First, initialize and unseal the Vault server using a shortcut.
+
+~> This is a convenient shortcut for demo. **_DO NOT DO THIS IN PRODUCTION!!!_**
+
+Refer to the [online documentation for initializing and unsealing](/intro/getting-started/deploy.html#initializing-the-vault) Vault for more details.
+
+```shell
+# Initialize the Vault server and write out the unseal keys and root token into files
+$ curl --silent
+       --request PUT \
+       --data '{"secret_shares": 1, "secret_threshold": 1}' \
+       ${VAULT_ADDR}/v1/sys/init | tee \
+       >(jq -r .root_token > /home/ubuntu/vault-chef-approle-demo/root-token) \
+       >(jq -r .keys[0] > /home/ubuntu/vault-chef-approle-demo/unseal-key)
+
+# Unseal vault
+$ vault operator unseal $(cat /home/ubuntu/vault-chef-approle-demo/unseal-key)
+
+# Set the root token to VAULT_TOKEN env var
+$ export VAULT_TOKEN=$(cat /home/ubuntu/vault-chef-approle-demo/root-token)
+```
+
+In the next few steps, you will create a number of policies and tokens within
+Vault. Below is a table that summarizes them:
+
+| Policy                          | Description                                                                                                                                                                                                                                                                                                                                                | Token Attachment                                              |
+| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| `app-1-secret-read`             | Sets the policy for the final token that will be delivered via the AppRole login                                                                                                                                                                                                                                                                           | None. This will be delivered to the client upon AppRole login |
+| `app-1-approle-roleid-get`      | Sets the policy for the token that you'll give to Terraform to deliver the RoleID (only)                                                                                                                                                                                                                                                                   | `roleid-token`                                                |
+| `terraform-token-create`        | The Terraform Vault provider doesn't use the token supplied to it directly. This is to prevent the token from being exposed in Terraform's state file. Instead, the Token given to Terraform needs to have the capability to create child tokens with short TTLs. See [here](https://www.terraform.io/docs/providers/vault/index.html#token) for more info | `roleid-token`                                                |
+| `app-1-approle-secretid-create` | Sets the policy for the token that you'll store in the Chef Data Bag. This will only be able to pull our AppRole's SecretID                                                                                                                                                                                                                                | `secretid-token`                                              |
+
+These setups only need to be performed upon initial creation of an AppRole, and
+would typically be done by a Vault administrator.
+
+Now that you have your Vault server unsealed, you can begin to set up necessary
+policies, AppRole auth method, and tokens.
+
+#### Task 1: Set up our AppRole policy
+
+This is the policy that will be attached to _secret zero_ which you are
+delivering to our application (**app-1**).
+
+**API call using cURL**
+
+```bash
+# Policy to apply to AppRole token
+$ tee app-1-secret-read.json <<EOF
+{"policy":"path \"secret/app-1\" {capabilities = [\"read\", \"list\"]}"}
+EOF
+
+# Create the app-1-secret-read policy in Vault
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request PUT \
+       --data @app-1-secret-read.json \
+       $VAULT_ADDR/v1/sys/policy/app-1-secret-read
+```
+
+<br />
+\*\*CLI command\*\*
+
+```bash
+# Policy to apply to AppRole token
+$ tee app-1-secret-read.hcl <<EOF
+path "secret/app-1" {
+  capabilities = ["read", "list"]
+}
+EOF
+
+# Create the app-1-secret-read policy in Vault
+$ vault policy write app-1-secret-read app-1-secret-read.hcl
+```
+
+#### Task 2: Enable the AppRole authentication method
+
+**API call using cURL**
+
+```bash
+# Payload for invoking sys/auth API endpoint
+$ tee approle.json <<EOF
+{
+  "type": "approle",
+  "description": "Demo AppRole auth method"
+}
+EOF
+
+# Enable AppRole auth backend
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request POST \
+       --data @approle.json \
+       $VAULT_ADDR/v1/sys/auth/approle
+```
+
+<br />
+\*\*CLI command\*\*
+
+```plaintext
+$ vault auth enable -description="Demo AppRole auth method" approle
+```
+
+#### Task 3: Configure the AppRole
+
+Now, you are going to create an AppRole role named, **app-1**.
+
+**API call using cURL**
+
+```bash
+# Payload containing AppRole auth method configuration
+# TTL is set to 10 minutes, and Max TTL to be 30 minutes
+$ tee app-1-approle-role.json <<EOF
+{
+    "role_name": "app-1",
+    "bind_secret_id": true,
+    "secret_id_ttl": "10m",
+    "secret_id_num_uses": "1",
+    "token_ttl": "10m",
+    "token_max_ttl": "30m",
+    "period": 0,
+    "policies": [
+        "app-1-secret-read"
+    ]
+}
+EOF
+
+# AppRole backend configuration
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request POST \
+       --data @app-1-approle-role.json \
+       $VAULT_ADDR/v1/auth/approle/role/app-1
+```
+
+<br />
+\*\*CLI command\*\*
+
+```bash
+# TTL is set to 10 minutes, and Max TTL to be 30 minutes
+$ vault write auth/approle/role/app-1 policies="app-1-secret-read" token_ttl="10m" token_max_ttl="30m"
+```
+
+### Step 4: Configure Tokens for Terraform and Chef
+
+Now, you're ready to configure the policies and tokens to Terraform and Chef to
+interact with Vault. Remember, the point here is that you are giving each system
+a _limited_ token that is only able to pull either the `RoleID` or `SecretID`,
+_but not both_.
+
+![AppRole auth method workflow](/img/vault-approle-tf-chef-2.png)
+
+#### Task 1: Create a policy and token for Terraform
+
+Create a token with appropriate policies allowing Terraform to pull
+the `RoleID` from Vault:
+
+**API call using cURL**
+
+```bash
+# Policy file granting to retrieve RoleID from Vault
+$ tee app-1-approle-roleid-get.hcl <<EOF
+{"policy":"path \"auth/approle/role/app-1/role-id\" {capabilities = [\"read\"]}"}
+EOF
+
+# Create the app-1-approle-roleid-get policy in Vault
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request PUT \
+       --data @app-1-approle-roleid-get.hcl \
+       $VAULT_ADDR/v1/sys/policy/app-1-approle-roleid-get
+
+# For Terraform
+# See: https://www.terraform.io/docs/providers/vault/index.html#token
+# Policy granting to create tokens required by Terraform
+$ tee terraform-token-create.hcl <<EOF
+{"policy":"path \"/auth/token/create\" {capabilities = [\"update\"]}"}
+EOF
+
+# Create the app-1-approle-roleid-get policy in Vault
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request PUT \
+       --data @terraform-token-create.hcl \
+       $VAULT_ADDR/v1/sys/policy/terraform-token-create
+
+# Payload to configure token for Terraform to pull RoleID
+$ tee roleid-token-config.json <<EOF
+{
+  "policies": [
+    "app-1-approle-roleid-get",
+    "terraform-token-create"
+  ],
+  "meta": {
+    "user": "terraform-demo"
+  },
+  "ttl": "720h",
+  "renewable": true
+}
+EOF
+
+# Get token and save it in roleid-token.json
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request POST \
+       --data @roleid-token-config.json \
+       $VAULT_ADDR/v1/auth/token/create > roleid-token.json
+```
+
+The token and associated metadata will be written out to the file
+`roleid-token.json`. The `client_token` value is what you'll give to Terraform.
+The file should look similar to the following:
+
+```plaintext
+$ cat roleid-token.json | jq
+{
+  "request_id": "2e1d05eb-988d-4cf7-7b6a-d2668de31536",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "6a7ad093-42ab-885e-3d67-6d51a5583da6",
+    "accessor": "f6170506-ee0f-5a59-8478-e0aac2d3259f",
+    "policies": [
+      "app-1-approle-roleid-get",
+      "default",
+      "terraform-token-create"
+    ],
+    "metadata": {
+      "user": "terraform-demo"
+    },
+    "lease_duration": 2592000,
+    "renewable": true,
+    "entity_id": ""
+  }
+}
+```
+
+<br />
+\*\*CLI command\*\*
+
+```bash
+# Policy file granting to retrieve RoleID from Vault
+$ tee app-1-approle-roleid-get.hcl <<EOF
+path "auth/approle/role/app-1/role-id" {
+  capabilities = [ "read" ]
+}
+EOF
+
+# Create the app-1-approle-roleid-get policy in Vault
+$ vault policy write app-1-approle-roleid-get app-1-approle-roleid-get.hcl
+
+# For Terraform
+# See: https://www.terraform.io/docs/providers/vault/index.html#token
+# Policy granting to create tokens required by Terraform
+$ tee terraform-token-create.hcl <<EOF
+path "auth/token/create" {
+  capabilities = [ "update" ]
+}
+EOF
+
+# Create the app-1-approle-roleid-get policy in Vault
+$ vault policy write terraform-token-create terraform-token-create.hcl
+
+# Get token and save it in roleid-token.txt
+$ vault token create -policy="app-1-approle-roleid-get" -policy="terraform-token-create" \
+      -metadata="user"="terraform-user" > roleid-token.txt
+```
+
+The token and associated metadata will be written out to the file
+`roleid-token.txt`. The `token` value is what you'll give to Terraform.
+The file should look similar to the following:
+
+```plaintext
+$ cat roleid-token.txt
+Key                Value
+---                -----
+token              2600aeda-6385-c163-7171-543b1e1fabcf
+token_accessor     6ef835e3-4948-8c61-1e89-3625ca31fd84
+token_duration     768h
+token_renewable    true
+token_policies     [app-1-approle-roleid-get default terraform-token-create]
+token_meta_user    terraform-demo
+```
+
+#### Task 2: Create a policy and token for Chef
+
+Create a token with appropriate policies allowing Chef to pull the `SecretID`
+from Vault:
+
+**API call using cURL**
+
+```bash
+# Policy file granting to retrieve SecretID
+$ tee app-1-approle-secretid-create.hcl <<EOF
+{"policy":"path \"auth/approle/role/app-1/secret-id\" {capabilities = [\"update\"]}"}
+EOF
+
+# Create the app-1-approle-secretid-create policy in Vault
+$ curl --silent \
+    --location \
+    --header "X-Vault-Token: $VAULT_TOKEN" \
+    --request PUT \
+    --data @app-1-approle-secretid-create.hcl \
+    $VAULT_ADDR/v1/sys/policy/app-1-approle-secretid-create
+
+# Payload to invoke auth/token/create endpoint
+$ tee secretid-token-config.json <<EOF
+{
+  "policies": [
+    "app-1-approle-secretid-create"
+  ],
+  "meta": {
+    "user": "chef-demo"
+  },
+  "ttl": "720h",
+  "renewable": true
+}
+EOF
+
+# Get token for Chef to get SecretID from Vault and store it in secretid-token.json
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request POST \
+       --data @secretid-token-config.json \
+       $VAULT_ADDR/v1/auth/token/create > secretid-token.json
+```
+
+The resulting file should look like this:
+
+```plaintext
+$ cat secretid-token.json | jq
+{
+  "request_id": "6f6ad8a1-fedb-b838-60ce-87999f01aff6",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "cdfdb7a0-d7a6-3769-927d-0ace297726ea",
+    "accessor": "88e8aaca-1584-4881-3368-d9cb5cd7ddae",
+    "policies": [
+      "app-1-approle-secretid-create",
+      "default"
+    ],
+    "metadata": {
+      "user": "chef-demo"
+    },
+    "lease_duration": 2592000,
+    "renewable": true,
+    "entity_id": ""
+  }
+}
+```
+
+<br />
+\*\*CLI command\*\*
+
+```bash
+# Policy file granting to retrieve SecretID
+$ tee app-1-approle-secretid-create.hcl <<EOF
+path "auth/approle/role/app-1/secret-id" {
+  capabilities = [ "update" ]
+}
+EOF
+
+# Create the app-1-approle-secretid-create policy in Vault
+$ vault policy write app-1-approle-secretid-create app-1-approle-secretid-create.hcl
+
+# Get token for Chef to get SecretID from Vault and store it in secretid-token.txt
+$ vault token create -policy="app-1-approle-secretid-create" \
+      -metadata="user"="chef-demo" > secretid-token.txt
+```
+
+The resulting file should look like this:
+
+```plaintext
+$ cat secretid-token.txt
+Key                Value
+---                -----
+token              20d69183-59cb-c953-6dea-34f5f1bbe5f7
+token_accessor     a17e7a43-c14a-b96a-0014-9149d218e74a
+token_duration     768h
+token_renewable    true
+token_policies     [app-1-approle-secretid-create default]
+token_meta_user    chef-demo
+```
+
+### Step 5: Save the Token in a Chef Data Bag
+
+At this point, you have a client token generated for Terraform and another for
+Chef server to log into Vault. For the sake of simplicity, you can put the
+Chef's client token (`secretid-token.json`) in a [Data
+Bag](https://docs.chef.io/data_bags.html) which is fine because this token can
+**_only_** retrieve `SecretID` from Vault which is not much of a use without a
+corresponding `RoleID`.
+
+Now, create a Chef Data Bag and put the `SecretID` token (`secretid-token.json`)
+along with the rest of its metadata.
+
+```bash
+$ cd /home/ubuntu/vault-chef-approle-demo/chef/
+
+# Use the path for where you created this file in the previous step
+# You're just adding an 'id' field to the file as that's a required field for data bags
+$ cat /home/ubuntu/secretid-token.json | jq --arg id approle-secretid-token '. + {id: $id}' > secretid-token.json
+
+$ knife data bag create secretid-token
+
+$ knife data bag from file secretid-token secretid-token.json
+
+$ knife data bag list
+
+$ knife data bag show secretid-token
+
+$ knife data bag show secretid-token approle-secretid-token
+```
+
+The last step should show the following output:
+
+```plaintext
+$ knife data bag show secretid-token approle-secretid-token
+WARNING: Unencrypted data bag detected, ignoring any provided secret options.
+auth:
+  accessor:       88e8aaca-1584-4881-3368-d9cb5cd7ddae
+  client_token:   cdfdb7a0-d7a6-3769-927d-0ace297726ea
+  entity_id:
+  lease_duration: 2592000
+  metadata:
+  policies:
+    app-1-approle-secretid-create
+    default
+  renewable:      true
+data:
+id:             approle-secretid-token
+lease_duration: 0
+lease_id:
+renewable:      false
+request_id:     6f6ad8a1-fedb-b838-60ce-87999f01aff6
+warnings:
+wrap_info:
+```
+
+### Step 6: Write Secrets
+
+Let's write some test data in the `secret/app-1` path so that the target app
+will have some secret to retrieve from Vault at a later step.
+
+**API call using cURL**
+
+```bash
+# Write some demo secrets
+$ tee demo-secrets.json <<'EOF'
+{
+  "username": "app-1-user",
+  "password": "$up3r$3cr3t!"
+}
+EOF
+
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request POST \
+       --data @demo-secrets.json \
+       $VAULT_ADDR/v1/secret/app-1
+
+# Verify that you can read back the data:
+$ curl --silent \
+       --location \
+       --header "X-Vault-Token: $VAULT_TOKEN" \
+       --request GET \
+       $VAULT_ADDR/v1/secret/app-1 | jq
+{
+  "request_id": "1f73c7ee-27fa-bad0-9c77-b330eef1ea88",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 2764800,
+  "data": {
+    "password": "$up3r$3cr3t!",
+    "username": "app-1-user"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+<br />
+\*\*CLI command\*\*
+
+```bash
+# Write some demo secrets
+$ vault write secret/app-1 username="app-1-user" password="\$up3r\$3cr3t!"
+
+# Verify that you can read back the data:
+$ vault read secret/app-1
+Key                 Value
+---                 -----
+refresh_interval    768h
+password            $up3r$3cr3t!
+username            app-1-user
+```
+
+-> At this point, just about all the pieces are in place. Remember, these setup
+steps will only need to be performed upon initial creation of an AppRole, and
+would typically be done by a Vault administrator.
+
+## <a name="phase2"></a>Phase 2: Provision our Chef Node to Show AppRole Login
+
+To complete the demo, run the **`chef-node`** Terraform configuration to see how
+everything talks to each other.
+
+#### Task 1: Change the working directory
+
+Open another terminal on your host machine (**not** the `mgmt-node`)
+and `cd` into the `identity/vault-chef-approle/terraform-aws/chef-node`
+directory:
+
+```plaintext
+$ cd identity/vault-chef-approle/terraform-aws/chef-node
+```
+
+#### Task 2: Update terraform.tfvars.example
+
+Replace the variable values in `terraform.tfvars.example` to match your
+environment and save it as `terraform.tfvars` like you have done at [Step 1](#step-1-provision-the-vault-and-chef-server).
+
+Note the following:
+
+- Update the **`vault_address`** and **`chef_server_address`** variables with
+  the IP address of our `mgmt-node` from above.
+- Update the **`vault_token`** variable with the `RoleID` token from **Task 1**
+  in [Step 4](#step-4-configure-tokens-for-terraform-and-chef).
+  - If you ran the `demo-setup.sh` script (_Option 1_), retrieve the
+    `client_token` in the `/home/ubuntu/vault-chef-approle-demo/roleid-token.json`
+    file:
+
+```plaintext
+$ cat ~/vault-chef-approle-demo/roleid-token.json | jq ".auth.client_token"
+```
+
+#### Task 3: Run Terraform
+
+Perform a `terraform init` to pull down the necessary provider
+resources. Then `terraform plan` to verify your changes and the resources that
+will be created. If all looks good, then perform a `terraform apply` to
+provision the resources.
+
+The Terraform output will display the public IP address to SSH into your
+server.
+
+> **NOTE:** If the `terraform apply` fails with "`io: read/write on closed pipe`"
+> error, this is a [known
+> issue](https://github.com/hashicorp/terraform/issues/17638) with Terraform
+> 0.11.4 and 0.11.5. Please try again with another Terraform version.
+
+At this point, Terraform will perform the following actions:
+
+- Pull a `RoleID` from our Vault server
+- Provision an AWS instance
+- Write the `RoleID` to the AWS instance as an environment variable
+- Run the Chef provisioner to bootstrap the AWS instance with our Chef Server
+- Run our Chef recipe which will install NGINX, perform our AppRole login, get
+  our secrets, and output them to our `index.html` file
+
+![AppRole auth method workflow](/img/vault-approle-tf-chef-3.png)
+
+The Chef recipe can be found at
+`identity/vault-chef-approle/chef/cookbooks/vault_chef_approle_demo/recipes/default.rb`.
+
+```shell
+...
+# Configure address for Vault Gem
+Vault.address = ENV['VAULT_ADDR']
+
+# Get AppRole RoleID from our environment variables (delivered via Terraform)
+var_role_id = ENV['APPROLE_ROLEID']
+
+# Get Vault token from data bag (used to retrieve the SecretID)
+vault_token_data = data_bag_item('secretid-token', 'approle-secretid-token')
+
+# Set Vault token (used to retrieve the SecretID)
+Vault.token = vault_token_data['auth']['client_token']
+
+# Get AppRole SecretID from Vault
+var_secret_id = Vault.approle.create_secret_id('app-1').data[:secret_id]
+...
+```
+
+#### Task 4: Verification
+
+Once Terraform completes the `apply` operation, it will output the public IP
+address of our new server. You can plug that IP address into a browser to see
+the output. It should look similar to the following:
+
+```plaintext
+Role ID:
+f6286b97-246e-9fb4-4d9f-0c9465451851
+
+Secret ID:
+72f4b60c-26d0-d947-5026-153943174831
+
+AppRole Token:
+d11d81e4-0ba1-fefc-03f8-e5f06793b60d
+
+Read Our Secrets:
+{:password=>"$up3r$3cr3t!", :username=>"app-1-user"}
+```
+
+## Additional References
+
+The following is a curated list of webinars, blogs and GitHub repositories that
+add additional context to fill out the concepts discussed in the webinar and
+demonstrated in the code:
+
+- [Managing Secrets in a Container Environment by Jeff Mitchell](https://www.youtube.com/watch?v=skENC9aXgco)
+- [Using HashiCorp's Vault with Chef written by Seth Vargo](https://www.hashicorp.com/blog/using-hashicorps-vault-with-chef)
+- [Manage Secrets with Chef and HashiCorps Vault by Seth Vargo & JJ Asghar](https://blog.chef.io/2016/12/12/manage-secrets-with-chef-and-hashicorps-vault/)
+  - [Associated GitHub repository](https://github.com/sethvargo/vault-chef-webinar)
+- [Vault AppRole Authentication written by Alan Thatcher](http://blog.alanthatcher.io/vault-approle-authentication/)
+- [Integrating Chef and HashiCorp Vault written by Alan Thatcher](http://blog.alanthatcher.io/integrating-chef-and-hashicorp-vault/)
+- [Vault Ruby Client](https://github.com/hashicorp/vault-ruby)
+
+## Next Steps
+
+Watch the video recording of the [Delivering Secret Zero: Vault AppRole with
+Terraform and
+Chef](https://www.hashicorp.com/resources/delivering-secret-zero-vault-approle-terraform-chef)
+webinar which talks about the usage of AppRole with Terraform and Chef as its
+trusted entities.
diff --git a/website/pages/guides/identity/authentication.mdx b/website/pages/guides/identity/authentication.mdx
new file mode 100644
index 000000000000..89bc34deeb10
--- /dev/null
+++ b/website/pages/guides/identity/authentication.mdx
@@ -0,0 +1,664 @@
+---
+layout: guides
+page_title: AppRole Pull Authentication - Guides
+sidebar_title: AppRole Pull Authentication
+description: |-
+  Authentication is a process in Vault by which user or machine-supplied
+  information is verified to create a token with pre-configured policy.
+---
+
+# Authentication
+
+Before a client can interact with Vault, it must authenticate against an [**auth
+method**](/docs/auth/index.html) to acquire a token. This token has policies attached so
+that the behavior of the client can be governed.
+
+Since tokens are the core method for authentication within Vault, there is a
+**token** auth method (often referred to as **_token store_**). This is a special
+auth method responsible for creating and storing tokens.
+
+### Auth Methods
+
+Auth methods perform authentication to verify the user or machine-supplied
+information. Some of the supported auth methods are targeted towards users
+while others are targeted toward machines or apps. For example,
+[**LDAP**](/docs/auth/ldap.html) auth method enables user authentication using
+an existing LDAP server while [**AppRole**](/docs/auth/approle.html) auth
+method is recommended for machines or apps.
+
+The [Getting Started](/intro/getting-started/authentication.html) guide walks you
+through how to enable the GitHub auth method for user authentication.
+
+This introductory guide focuses on generating tokens for machines or apps by
+enabling the [**AppRole**](/docs/auth/approle.html) auth method.
+
+## Reference Material
+
+- [AppRole Auth Method](/docs/auth/approle.html)
+- [AppRole Auth Method (API)](/api/auth/approle/index.html)
+- [Authenticating Applications with HashiCorp Vault AppRole](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves two personas:
+
+- **`admin`** with privileged permissions to configure an auth method
+- **`app`** is the consumer of secrets stored in Vault
+
+## Challenge
+
+Think of a scenario where a DevOps team wants to configure Jenkins to read
+secrets from Vault so that it can inject the secrets to an app's environment
+variables (e.g. `MYSQL_DB_HOST`) at deployment time.
+
+Instead of hardcoding secrets in each build script as plain text, Jenkins
+retrieves secrets from Vault.
+
+As a user, you can authenticate with Vault using your LDAP credentials, and
+Vault generates a token. This token has policies granting you permission to perform
+the appropriate operations.
+
+How can a Jenkins server programmatically request a token so that it can read
+secrets from Vault?
+
+## Solution
+
+Enable **AppRole** auth method so that the Jenkins server can obtain a Vault
+token with appropriate policies attached. Since each AppRole has attached
+policies, you can write fine-grained policies limiting which app can access
+which path.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+an appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Mount the AppRole auth method
+path "sys/auth/approle" {
+  capabilities = [ "create", "read", "update", "delete", "sudo" ]
+}
+
+# Configure the AppRole auth method
+path "sys/auth/approle/*" {
+  capabilities = [ "create", "read", "update", "delete" ]
+}
+
+# Create and manage roles
+path "auth/approle/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Write ACL policies
+path "sys/policy/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Write test data
+# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
+path "secret/mysql/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+[AppRole](/docs/auth/approle.html) is an authentication mechanism within Vault
+to allow machines or apps to acquire a token to interact with Vault. It uses
+**Role ID** and **Secret ID** for login.
+
+The basic workflow is:
+![AppRole auth method workflow](/img/vault-approle-workflow.png)
+
+> For the purpose of introducing the basics of AppRole, this guide walks you
+> through a very simple scenario involving only two personas (admin and app).
+> Please refer to the [Advanced Features](#advanced-features) section for
+> further discussions after completing the following steps.
+
+In this guide, you are going to perform the following steps:
+
+1. [Enable AppRole auth method](#step1)
+1. [Create a role with policy attached](#step2)
+1. [Get Role ID and Secret ID](#step3)
+1. [Login with Role ID & Secret ID](#step4)
+1. [Read secrets using the AppRole token](#step5)
+
+Step 1 through 3 need to be performed by an `admin` user. Step 4 and 5 describe
+the commands that an `app` runs to get a token and read secrets from Vault.
+
+### <a name="step1"></a>Step 1: Enable AppRole auth method
+
+(**Persona:** admin)
+
+Like many other auth methods, AppRole must be enabled before it can be used.
+
+#### CLI command
+
+Enable `approle` auth method by executing the following command:
+
+```shell
+$ vault auth enable approle
+```
+
+#### API call using cURL
+
+Enable `approle` auth method by mounting its endpoint at `/sys/auth/approle`:
+
+```shell
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data <PARAMETERS> \
+       <VAULT_ADDRESS>/v1/sys/auth/approle
+```
+
+Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
+parameters](/api/system/auth.html#enable-auth-method) of the method.
+
+**Example:**
+
+```shell
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type": "approle"}' \
+       http://127.0.0.1:8200/v1/sys/auth/approle
+```
+
+The above example passes the **type** (`approle`) in the request payload
+at the `sys/auth/approle` endpoint.
+
+### <a name="step2"></a>Step 2: Create a role with policy attached
+
+(**Persona:** admin)
+
+When you enabled the AppRole auth method, it gets mounted at the
+**`/auth/approle`** path. In this example, you are going to create a role for
+the **`app`** persona (`jenkins` in our scenario).
+
+The scenario in this guide requires the `app` to have the
+following policy (`jenkins-pol.hcl`):
+
+```shell
+# Login with AppRole
+path "auth/approle/login" {
+  capabilities = [ "create", "read" ]
+}
+
+# Read test data
+# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
+path "secret/mysql/*" {
+  capabilities = [ "read" ]
+}
+
+```
+
+#### CLI command
+
+Before creating a role, create a `jenkins` policy:
+
+```shell
+$ vault policy write jenkins jenkins-pol.hcl
+```
+
+The command to create a new AppRole:
+
+```shell
+$ vault write auth/approle/role/<ROLE_NAME> [parameters]
+```
+
+> There are a number of
+> [parameters](/api/auth/approle/index.html#create-new-approle) that you can set
+> on a role. If you want to limit the use of the generated secret ID, set
+> `secret_id_num_uses` or `secret_id_ttl` parameter values. Similarly, you can
+> specify `token_num_uses` and `token_ttl`. You may never want the app token to
+> expire. In such a case, specify the `period` so that the token generated by
+> this AppRole is a periodic token. To learn more about periodic token, refer to
+> the [Tokens and Leases](/guides/identity/lease.html#step4) guide.
+
+**Example:**
+
+The following example creates a role named `jenkins` with `jenkins` policy
+attached. (NOTE: This example creates a role operates in [**pull**
+mode](/docs/auth/approle.html).)
+
+```shell
+$ vault write auth/approle/role/jenkins policies="jenkins"
+
+# Read the jenkins role
+$ vault read auth/approle/role/jenkins
+
+  Key               	Value
+  ---               	-----
+  bind_secret_id    	true
+  bound_cidr_list
+  period            	0
+  policies          	[jenkins]
+  secret_id_num_uses	0
+  secret_id_ttl     	0
+  token_max_ttl     	0
+  token_num_uses    	0
+  token_ttl         	0
+```
+
+**NOTE:** To attach multiple policies, pass the policy names as a comma
+separated string.
+
+```shell
+$ vault write auth/approle/role/jenkins policies="jenkins,anotherpolicy"
+```
+
+#### API call using cURL
+
+Before creating a role, create `jenkins` policy:
+
+```shell
+$ curl --header "X-Vault-Token: ..." --request PUT --data @payload.json \
+     http://127.0.0.1:8200/v1/sys/policy/jenkins
+
+$ cat payload.json
+{
+  "policy": "path \"auth/approle/login\" {  capabilities = [ \"create\", \"read\" ] } ... }"
+}
+```
+
+Now, you are ready to create a role.
+
+**Example:**
+
+The following example creates a role named `jenkins` with a `jenkins` policy
+attached. (NOTE: This example creates a role which operates in [**pull**
+mode](/docs/auth/approle.html).)
+
+```shell
+$ curl --header "X-Vault-Token: ..." --request POST \
+       --data '{"policies":"jenkins"}' \
+       http://127.0.0.1:8200/v1/auth/approle/role/jenkins
+```
+
+> There are a number of
+> [parameters](/api/auth/approle/index.html#create-new-approle) that you can set
+> on a role. If you want to limit the use of the generated secret ID, set
+> `secret_id_num_uses` or `secret_id_ttl` parameter values. Similarly, you can
+> specify `token_num_uses` and `token_ttl`. You may never want the app token to
+> expire. In such a case, specify the `period` so that the token generated by
+> this AppRole is a periodic token. To learn more about periodic tokens, refer to
+> the [Tokens and Leases](/guides/identity/lease.html#step4) guide.
+
+**NOTE:** To attach multiple policies, pass the policy names as a comma
+separated string.
+
+```shell
+$ curl --header "X-Vault-Token:..."
+       --request POST \
+       --data '{"policies":"jenkins,anotherpolicy"}' \
+       http://127.0.0.1:8200/v1/auth/approle/role/jenkins
+```
+
+To read the jenkins role you just created:
+
+```shell
+$ curl --header "X-Vault-Token: ..." --request GET \
+        http://127.0.0.1:8200/v1/auth/approle/role/jenkins | jq
+{
+  "request_id": "b18054ad-1ab5-8d83-eeed-193d97026ee7",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "bind_secret_id": true,
+    "bound_cidr_list": "",
+    "period": 0,
+    "policies": [
+      "jenkins"
+    ],
+    "secret_id_num_uses": 0,
+    "secret_id_ttl": 0,
+    "token_max_ttl": 0,
+    "token_num_uses": 0,
+    "token_ttl": 0
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+### <a name="step3"></a>Step 3: Get Role ID and Secret ID
+
+(**Persona:** admin)
+
+**Role ID** and **Secret ID** are like a username and password that a machine or
+app uses to authenticate.
+
+Since the example created a `jenkins` role which operates in pull mode, Vault
+will generate the Secret ID. You can set properties such as usage-limit, TTLs,
+and expirations on the secret IDs to control its lifecycle.
+
+#### CLI command
+
+Now, you need to fetch the Role ID and Secret ID of a role.
+
+To read the Role ID:
+
+```shell
+$ vault read auth/approle/role/<ROLE_NAME>/role-id
+```
+
+To generate a new Secret ID:
+
+```shell
+$ vault write -f auth/approle/role/<ROLE_NAME>/secret-id
+```
+
+NOTE: The `-f` flag forces the `write` operation to continue without any data
+values specified. Alternatively, you can set
+[parameters](/api/auth/approle/index.html#generate-new-secret-id) such as
+`cidr_list`.
+
+**Example:**
+
+```shell
+$ vault read auth/approle/role/jenkins/role-id
+  Key    	Value
+  ---    	-----
+  role_id	675a50e7-cfe0-be76-e35f-49ec009731ea
+
+$ vault write -f auth/approle/role/jenkins/secret-id
+  Key               	Value
+  ---               	-----
+  secret_id         	ed0a642f-2acf-c2da-232f-1b21300d5f29
+  secret_id_accessor	a240a31f-270a-4765-64bd-94ba1f65703c
+```
+
+If you specified `secret_id_ttl`, `secret_id_num_uses`, or `bound_cidr_list` on
+the role in [Step 2](#step2), the generated secret ID carries out the conditions.
+
+#### API call using cURL
+
+To read the Role ID:
+
+```shell
+$ curl --header "X-Vault-Token:..." \
+       --request GET \
+       <VAULT_ADDRESS>/v1/auth/approle/role/<ROLE_NAME>/role-id
+```
+
+To generate a new Secret ID:
+
+```shell
+$ curl --header "X-Vault-Token:..." \
+       --request POST \
+       --data <PARAMETERS>
+       <VAULT_ADDRESS>/v1/auth/approle/role/<ROLE_NAME>/secret-id
+```
+
+You can pass
+[parameters](/api/auth/approle/index.html#generate-new-secret-id) in the request
+payload, or invoke the API with an empty payload.
+
+**Example:**
+
+```shell
+$ curl --header "X-Vault-Token:..." --request GET \
+       http://127.0.0.1:8200/v1/auth/approle/role/jenkins/role-id | jq
+
+$ curl --header "X-Vault-Token:..." --request POST \
+       http://127.0.0.1:8200/v1/auth/approle/role/jenkins/secret-id | jq
+```
+
+If you specified `secret_id_ttl`, `secret_id_num_uses`, or `bound_cidr_list` on
+the role in [Step 2](#step2), the generated secret ID carries out the conditions.
+
+### <a name="step4"></a>Step 4: Login with Role ID & Secret ID
+
+(**Persona:** app)
+
+The client (in this case, Jenkins) uses the role ID and secret ID passed by the
+admin to authenticate with Vault. If Jenkins did not receive the role ID and/or
+secret ID, the admin needs to investigate.
+
+-> Refer to the [Advanced Features](#advanced-features) section for further
+discussion on distributing the role ID and secret ID to the client app
+securely.
+
+#### CLI command
+
+To login, use the `auth/approle/login` endpoint by passing the role ID and secret ID.
+
+**Example:**
+
+```shell
+$ vault write auth/approle/login role_id="675a50e7-cfe0-be76-e35f-49ec009731ea" \
+  secret_id="ed0a642f-2acf-c2da-232f-1b21300d5f29"
+
+  Key                 	Value
+  ---                 	-----
+  token               	eeaf890e-4b0f-a687-4190-c75b1d6d70bc
+  token_accessor      	fcee5d4e-7281-8bb0-2901-e743c52e0502
+  token_duration      	768h0m0s
+  token_renewable     	true
+  token_policies      	[jenkins]
+  token_meta_role_name	"jenkins"
+```
+
+Now you have a **client token** with `default` and `jenkins` policies attached.
+
+#### API call using cURL
+
+To login, use the `auth/approle/login` endpoint by passing the role ID and secret ID
+in the request payload.
+
+**Example:**
+
+```plaintext
+$ cat payload.json
+  {
+    "role_id": "675a50e7-cfe0-be76-e35f-49ec009731ea",
+    "secret_id": "ed0a642f-2acf-c2da-232f-1b21300d5f29"
+  }
+
+$ curl --request POST --data @payload.json http://127.0.0.1:8200/v1/auth/approle/login | jq
+{
+  "request_id": "fccae32b-1e6a-9a9c-7666-f5cb07805c1e",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "eeaf890e-4b0f-a687-4190-c75b1d6d70bc",
+    "accessor": "fcee5d4e-7281-8bb0-2901-e743c52e0502",
+    "policies": [
+      "default",
+      "jenkins"
+    ],
+    "metadata": {
+      "role_name": "jenkins"
+    },
+    "lease_duration": 2764800,
+    "renewable": true,
+    "entity_id": "54e0b765-6daf-0ff5-70b9-32c0d491f473"
+  }
+}
+```
+
+Now you have a **client token** with `default` and `jenkins` policies attached.
+
+### <a name="step5"></a>Step 5: Read secrets using the AppRole token
+
+(**Persona:** app)
+
+Once receiving a token from Vault, the client can make future requests using
+this token.
+
+#### CLI command
+
+**Example:**
+
+You can pass the `client_token` returned in [Step 4](#step4) as a part of the
+CLI command.
+
+```shell
+$ VAULT_TOKEN=3e7dd0ac-8b3e-8f88-bb37-a2890455ca6e vault kv get secret/mysql/webapp
+No value found at secret/mysql/webapp
+```
+
+Alternatively, you can first authenticate with Vault using the `client_token`.
+
+```shell
+$ vault login eeaf890e-4b0f-a687-4190-c75b1d6d70bc
+Successfully authenticated! You are now logged in.
+token: eeaf890e-4b0f-a687-4190-c75b1d6d70bc
+token_duration: 2762013
+token_policies: [default jenkins]
+
+$ vault kv get secret/mysql/webapp
+No value found at secret/mysql/webapp
+```
+
+Since there is no value at `secret/mysql/webapp`, it returns a "no value
+found" message.
+
+**Optional:** Using the `admin` user's token, you can store some secrets in the
+`secret/mysql/webapp` path.
+
+```shell
+$ vault kv put secret/mysql/webapp @mysqldb.txt
+
+$ cat mysqldb.txt
+{
+  "url": "foo.example.com:35533",
+  "db_name": "users",
+  "username": "admin",
+  "password": "pa$$w0rd"
+}
+```
+
+Now, try to read secrets from `secret/mysql/webapp` using the `client_token` again.
+This time, it should return the values you just created.
+
+#### API call using cURL
+
+You can now pass the `client_token` returned in [Step 4](#step4) in the
+**`X-Vault-Token`** or **`Authorization`** header.
+
+**Example:**
+
+```plaintext
+$ curl --header "X-Vault-Token: eeaf890e-4b0f-a687-4190-c75b1d6d70bc" \
+       --request GET \
+       http://127.0.0.1:8200/v1/secret/data/mysql/webapp | jq
+{
+  "errors": []
+}
+```
+
+Since there is no value at `secret/mysql/webapp`, it returns an empty array.
+
+**Optional:** Using the **`admin`** user's token, create some secrets in the
+`secret/mysql/webapp` path.
+
+```shell
+$ curl --header "X-Vault-Token: ..." --request POST --data @mysqldb.txt \
+
+$ cat mysqldb.text
+{
+  "url": "foo.example.com:35533",
+  "db_name": "users",
+  "username": "admin",
+  "password": "p@ssw0rd"
+}
+```
+
+Now, try to read secrets from `secret/mysql/webapp` using the `client_token` again.
+This time, it should return the values you just created.
+
+## Advanced Features
+
+The Role ID is equivalent to a username, and Secret ID is the corresponding
+password. The app needs both to log in with Vault. Naturally, the next question
+becomes how to deliver those values to the expected client.
+
+A common solution involves **three personas** instead of two: `admin`, `app`, and
+`trusted entity`. The `trusted entity` delivers the Role ID and Secret ID to the
+client by separate means.
+
+For example, Terraform as a trusted entity can deliver the Role ID onto the
+virtual machine. When the app runs on the virtual machine, the Role ID already
+exists on the virtual machine.
+
+![AppRole auth method workflow](/img/vault-approle-workflow2.png)
+
+The secret ID can be delivered using [**response
+wrapping**](/docs/concepts/response-wrapping.html) to transmit the _reference_
+to the secret ID rather than the actual value.
+
+In [Step 3](#step3), you executed the following command to retrieve the Secret
+ID:
+
+```shell
+$ vault write -f auth/approle/role/jenkins/secret-id
+```
+
+Instead, use response wrapping by passing the **`-wrap-ttl`** parameter:
+
+```shell
+$ vault write -wrap-ttl=60s -f auth/approle/role/jenkins/secret-id
+
+Key                          	Value
+---                          	-----
+wrapping_token:              	9bbe23b7-5f8c-2aec-83dc-e97e94a2e632
+wrapping_accessor:           	cb5bdc8f-0cdb-35ff-0e68-9de57a79c3bf
+wrapping_token_ttl:          	1m0s
+wrapping_token_creation_time:	2018-01-08 21:29:38.826611 -0800 PST
+wrapping_token_creation_path:	auth/approle/role/jenkins/secret-id
+```
+
+Send this `wrapping_token` to the client so that the response can be unwrapped and
+obtain the Secret ID.
+
+```shell
+$ VAULT_TOKEN=9bbe23b7-5f8c-2aec-83dc-e97e94a2e632 vault unwrap
+
+Key               	Value
+---               	-----
+secret_id         	575f23e4-01ad-25f7-2661-9c9bdbb1cf81
+secret_id_accessor	7d8a40b7-a6fd-a634-579b-b7d673ff86fb
+```
+
+NOTE: To retrieve the Secret ID alone, you can use `jq` as follows:
+
+```shell
+$ VAULT_TOKEN=2577044d-cf86-a065-e28f-e2a14ea6eaf7 vault unwrap -format=json | jq -r ".data.secret_id"
+
+b07d7a47-1d0d-741d-20b4-ae0de7c6d964
+```
+
+## Next steps
+
+Read the [_AppRole with Terraform and
+Chef_](/guides/identity/approle-trusted-entities.html) guide to better
+understand the role of trusted entities using Terraform and Chef as an example.
+
+To learn more about response wrapping, go to the [Cubbyhole Response
+Wrapping](/guides/secret-mgmt/cubbyhole.html) guide.
diff --git a/website/pages/guides/identity/control-groups.mdx b/website/pages/guides/identity/control-groups.mdx
new file mode 100644
index 000000000000..d8ed2ed9a50e
--- /dev/null
+++ b/website/pages/guides/identity/control-groups.mdx
@@ -0,0 +1,652 @@
+---
+layout: guides
+page_title: Control Groups - Guides
+sidebar_title: Control Groups
+description: |-
+  Vault Enterprise has a support for Control Group Authorization which adds
+  additional authorization factors to be required before satisfying a request.
+---
+
+# Control Groups
+
+~> **Enterprise Only:** Control Groups is a part of _Vault Enterprise Premium_.
+
+Control Groups add additional authorization factors to be required before
+processing requests to increase the governance, accountability, and security of
+your secrets. When a control group is required for a request, the requesting
+client receives the [wrapping token](/docs/concepts/response-wrapping.html) in
+return. Only when all authorizations are satisfied, the wrapping token can be
+used to unwrap the requested secrets.
+
+## Reference Material
+
+- [Vault Enterprise Control Group Support](/docs/enterprise/control-groups/index.html)
+- [Policies](http://localhost:4567/docs/concepts/policies.html)
+- [Identity Groups](/docs/secrets/identity/index.html)
+- [Control Group API](/api/system/control-group.html)
+- [Sentinel Policies](/docs/enterprise/sentinel/index.html)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves three personas:
+
+- **`admin`** with privileged permissions to create policies and identities
+- **processor** with permission to approve secret access
+- **controller** with limited permission to access secrets
+
+## Challenge
+
+In order to operate in EU, a company must abide by the [General Data Protection
+Regulation (GDPR)](https://www.eugdpr.org/) as of May 2018. The regulation
+enforces two or more controllers jointly determine the purposes and means of
+processing ([Chapter 4: Controller and
+Processor](https://gdpr-info.eu/chapter-4/)).
+
+Consider the following scenarios:
+
+- Anytime an authorized user requests to read data at "`EU_GDPR_data/orders/*`",
+  at least two people from the _Security_ group must approve to ensure that the
+  user has a valid business reason for requesting the data.
+
+- Anytime a database configuration is updated, it requires that one person from
+  the _DBA_ and one person from _Security_ group must approve it.
+
+## Solution
+
+Use **_Control Groups_** in your policies to implement dual controller
+authorization required.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a **_Vault
+Enterprise_** environment.
+
+This guide assumes that you have some hands-on experience with [ACL
+policies](/docs/concepts/policies.html) as well as
+[Identities](/docs/secrets/identity/index.html). If you are not familiar,
+go through the following guides first:
+
+- [Policies](/guides/identity/policies.html)
+- [Identity - Entities & Groups](/guides/identity/identity.html)
+
+### Policy requirements
+
+Since this guide demonstrates the creation of policies, log in with a highly
+privileged token such as **`root`**.
+Otherwise, required permissions to perform
+the steps in this guide are:
+
+```shell
+# Create and manage ACL policies via CLI
+path "sys/policy/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create and manage ACL policies via Web UI
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# To enable secret engines
+path "sys/mounts/*" {
+  capabilities = [ "create", "read", "update", "delete" ]
+}
+
+# Setting up test data
+path "EU_GDPR_data/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# Manage userpass auth method
+path "auth/userpass/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# List, create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "read", "update", "delete"]
+}
+
+# Create and manage entities and groups
+path "identity/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+```
+
+## Steps
+
+The scenario in this guide is that a user, **`Bob Smith`** has
+_read-only_ permission on the "**`EU_GDPR_data/orders/*`**" path; however,
+someone in the **`acct_manager`** group must approve it before he can actually
+read the data.
+
+As a member of the **`acct_manager`** group, **`Ellen Wright`** can authorize
+Bob's request.
+
+![Scenario](/img/vault-ctrl-grp-1.png)
+
+You are going to perform the following:
+
+1. [Implement a control group](#step1)
+1. [Deploy the policies](#step2)
+1. [Setup entities and a group](#step3)
+1. [Verification](#step4)
+1. [ACL Policies vs. Sentinel Policies](#step5)
+
+-> Step 1, 2 and 3 are the tasks need to be performed by administrators or
+operators who have the privileges to create policies and configure entities and
+groups.
+
+### <a name="step1"></a>Step 1: Implement a control group
+
+(**Persona:** admin)
+
+1.  Author a policy named, **`read-gdpr-order.hcl`**.
+
+    Bob needs "`read`" permit on "`EU_GDPR_data/orders/*`":
+
+    ```hcl
+    path "EU_GDPR_data/orders/*" {
+    	capabilities = [ "read" ]
+    }
+    ```
+
+    Now, add control group to this policy:
+
+    ```hcl
+    path "EU_GDPR_data/orders/*" {
+    	capabilities = [ "read" ]
+
+    	control_group = {
+    		factor "authorizer" {
+    			identity {
+    				group_names = [ "acct_manager" ]
+    				approvals = 1
+    			}
+    		}
+    	}
+    }
+    ```
+
+    For the purpose of this guide, the number of **`approvals`** is set to
+    **`1`** to keep it simple and easy to test. Any member of the identity
+    group, **`acct_manager`** can approve the read request. Although this
+    example has only one factor (`authorizer`), you can add as many factor
+    blocks as you need.
+
+1.  Now, write another policy for the **`acct_manager`** group named
+    **`acct_manager.hcl`**.
+
+    ```hcl
+    # To approve the request
+    path "sys/control-group/authorize" {
+        capabilities = ["create", "update"]
+    }
+
+    # To check control group request status
+    path "sys/control-group/request" {
+        capabilities = ["create", "update"]
+    }
+    ```
+
+    > **NOTE:** The important thing here is that the authorizer (`acct_manager`)
+    > must have `create` and `update` permission on the
+    > **`sys/control-group/authorize`** endpoint so that they can approve the request.
+
+1.  Enable key/value secrets engine at **`EU_GDPR_data`** and write some mock data:
+
+    ```shell
+    # Enable kv-v1 at EU_GDPR_data
+    $ vault secrets enable -path=EU_GDPR_data -version=1 kv
+
+    # Write some mock data
+    $ vault kv put EU_GDPR_data/orders/acct1 order_number="12345678" product_id="987654321"
+    ```
+
+### <a name="step2"></a>Step 2: Deploy the policies
+
+(**Persona:** admin)
+
+Deploy the `read-gdpr-order` and `acct_manager` policies that you wrote.
+
+#### CLI command
+
+```shell
+# Create read-gdpr-order policy
+$ vault policy write read-gdpr-order read-gdpr-order.hcl
+
+# Create acct_manager policy
+$ vault policy write acct_manager acct_manager.hcl
+```
+
+#### API call using cURL
+
+```shell
+# Construct API request payload to create read-gdpr-read policy
+$ tee payload-1.json <<EOF
+{
+  "policy": "path \"EU_GDPR_data/orders/*\" {capabilities = [ \"read\" ]control_group = {factor \"authorizer\" ..."
+}
+EOF
+
+# Create read-gdpr-order policy
+$ curl --header "X-Vault-Token: ..." \
+       --request PUT \
+       --data @payload-1.json \
+       http://127.0.0.1:8200/v1/sys/policies/acl/read-gdpr-order
+
+# Construct API request payload to create acct_manager policy
+$ tee payload-2.json <<EOF
+{
+ "policy": "path \"sys/control-group/authorize\" {capabilities = [\"create\", \"update\"]} ..."
+}
+EOF
+
+# Create acct_manager policy
+$ curl --header "X-Vault-Token: ..." \
+      --request PUT \
+      --data @payload-2.json \
+      http://127.0.0.1:8200/v1/sys/policies/acl/acct_manager
+```
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
+then login.
+
+1. Click the **Policies** tab, and then select **Create ACL policy**.
+
+1. Toggle **Upload file**, and click **Choose a file** to select your **`read-gdpr-order.hcl`** file you authored at [Step 1](#step1).
+
+   ![Create Policy](/img/vault-ctrl-grp-2.png)
+
+   This loads the policy and sets the **Name** to be `read-gdpr-order`.
+
+1. Click **Create Policy** to complete.
+
+1. Repeat the steps to create a policy for **`acct_manager`**.
+
+### <a name="step3"></a>Step 3: Setup entities and a group
+
+(**Persona:** admin)
+
+-> This step only demonstrates CLI commands and Web UI to create
+entities and groups. Refer to the [Identity - Entities and
+Groups](/guides/identity/identity.html) guide if you need the full details.
+
+Now you have policies, let's create a user, **`bob`** and an **`acct_manager`**
+group with **`ellen`** as a group member.
+
+> **NOTE:** For the purpose of this guide, use `userpass` auth method to create
+> user `bob` and `ellen` so that the scenario can be easily tested.
+
+#### CLI command
+
+The following command uses [`jq`](https://stedolan.github.io/jq/download/) tool
+to parse JSON output.
+
+```shell
+# Enable userpass
+$ vault auth enable userpass
+
+# Create a user, bob
+$ vault write auth/userpass/users/bob password="training"
+
+# Create a user, ellen
+$ vault write auth/userpass/users/ellen password="training"
+
+# Retrieve the userpass mount accessor and save it in a file named, accessor.txt
+$ vault auth list -format=json | jq -r '.["userpass/"].accessor' > accessor.txt
+
+# Create Bob Smith entity and save the identity ID in the entity_id_bob.txt
+$ vault write -format=json identity/entity name="Bob Smith" policies="read-gdpr-order" \
+        metadata=team="Processor" \
+        | jq -r ".data.id" > entity_id_bob.txt
+
+# Add an entity alias for the Bob Smith entity
+$ vault write identity/entity-alias name="bob" \
+       canonical_id=$(cat entity_id_bob.txt) \
+       mount_accessor=$(cat accessor.txt)
+
+# Create Ellen Wright entity and save the identity ID in the entity_id_ellen.txt
+$ vault write -format=json identity/entity name="Ellen Wright" policies="default" \
+        metadata=team="Acct Controller" \
+        | jq -r ".data.id" > entity_id_ellen.txt
+
+# Add an entity alias for the Ellen Wright entity
+$ vault write identity/entity-alias name="ellen" \
+       canonical_id=$(cat entity_id_ellen.txt) \
+       mount_accessor=$(cat accessor.txt)
+
+# Finally, create acct_manager group and add Ellen Wright entity as a member
+$ vault write identity/group name="acct_manager" \
+      policies="acct_manager" \
+      member_entity_ids=$(cat entity_id_ellen.txt)
+```
+
+#### Web UI
+
+1.  Click the **Access** tab, and select **Enable new method**.
+
+1.  Select **Username & Password** from the **Type** drop-down menu.
+
+1.  Click **Enable Method**.
+
+1.  Click the Vault CLI shell icon (**`>_`**) to open a command shell. Enter the
+    following command to create a new user, **`bob`**:
+
+    ```plaintext
+    $ vault write auth/userpass/users/bob password="training"
+    ```
+
+    ![Create Policy](/img/vault-ctrl-grp-3.png)
+
+1.  Enter the following command to create a new user, **`ellen`**:
+
+    ```plaintext
+    $ vault write auth/userpass/users/ellen password="training"
+    ```
+
+1.  Click the icon (**`>_`**) again to hide the shell.
+
+1.  From the **Access** tab, select **Entities** and then **Create entity**.
+
+1.  Populate the **Name**, **Policies** and **Metadata** fields as shown below.
+
+    ![Create Entity](/img/vault-ctrl-grp-7.png)
+
+1.  Click **Create**.
+
+1.  Select **Add alias**. Enter **`bob`** in the **Name** field and select
+    **`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
+
+1.  Return to the **Entities** tab and then **Create entity**.
+
+1.  Populate the **Name**, **Policies** and **Metadata** fields as shown below.
+
+    ![Create Entity](/img/vault-ctrl-grp-4.png)
+
+1.  Click **Create**.
+
+1.  Select **Add alias**. Enter **`ellen`** in the **Name** field and select
+    **`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
+
+1.  Click **Create**.
+
+1.  Select the **`Ellen Wright`** entity and copy its **ID** displayed under the
+    **Details** tab.
+
+1.  Click **Groups** from the left navigation, and select **Create group**.
+
+1.  Enter **`acct_manager`** in the **Name**, and again enter **`acct_manager`**
+    in the **Policies** fields.
+
+1.  Enter the `Ellen Wright` entity ID in the **Member Entity IDs** field, and
+    then click **Create**.
+
+### <a name="step4"></a>Step 4: Verification
+
+(**Persona:** bob and ellen)
+
+Now, let's see how the control group works.
+
+#### CLI Command
+
+1.  Log in as **`bob`**.
+
+    ```plaintext
+    $ vault login -method=userpass username="bob" password="training"
+    ```
+
+1.  Request to read "`EU_GDPR_data/orders/acct1`":
+
+    ```plaintext
+    $ vault kv get EU_GDPR_data/orders/acct1
+
+    Key                              Value
+    ---                              -----
+    wrapping_token:                  1f1411bc-2f18-551a-5e58-0fe44432e9a5
+    wrapping_accessor:               bbb4deef-e06d-9b2a-64a9-56f815c69ee7
+    wrapping_token_ttl:              24h
+    wrapping_token_creation_time:    2018-08-08 09:36:32 -0700 PDT
+    wrapping_token_creation_path:    EU_GDPR_data/orders/acct1
+    ```
+
+    The response includes `wrapping_token` and `wrapping_accessor`.
+    Copy this **`wrapping_accessor`** value.
+
+1.  Now, a member of `acct_manager` must approve this request. Log in as
+    **`ellen`** who is a member of `acct_manager` group.
+
+    ```plaintext
+    $ vault login -method=userpass username="ellen" password="training"
+    ```
+
+1.  As a user, `ellen`, you can check and authorize bob's request using the
+    following commands.
+
+    ```shell
+    # To check the current status
+    $ vault write sys/control-group/request accessor=<wrapping_accessor>
+
+    # To approve the request
+    $ vault write sys/control-group/authorize accessor=<wrapping_accessor>
+    ```
+
+    **Example:**
+
+    ```shell
+    # Check the current status
+    $ vault write sys/control-group/request accessor=bbb4deef-e06d-9b2a-64a9-56f815c69ee7
+    Key               Value
+    ---               -----
+    approved          false
+    authorizations    <nil>
+    request_entity    map[name:Bob Smith id:38700386-723d-3d65-43b7-4fb44d7e6c30]
+    request_path      EU_GDPR_data/orders/acct1
+
+    # Approve the request
+    $ vault write sys/control-group/authorize accessor=bbb4deef-e06d-9b2a-64a9-56f815c69ee7
+    Key         Value
+    ---         -----
+    approved    true
+    ```
+
+    Now, the `approved` status is `true`.
+
+1.  Since the control group requires one approval from a member of `acct_manager`
+    group, the condition has been met. Log back in as `bob` and unwrap the secret.
+
+    **Example:**
+
+    ```shell
+    # Log back in as bob - you can use the bob's token: vault login <bob_token>
+    $ vault login -method=userpass username="bob" password="training"
+
+    # Unwrap the secrets by passing the wrapping_token
+    $ vault unwrap 1f1411bc-2f18-551a-5e58-0fe44432e9a5
+    Key                 Value
+    ---                 -----
+    refresh_interval    768h
+    order_number        12345678
+    product_id          987654321
+    ```
+
+#### API call using cURL
+
+1.  Log in as **`bob`**.
+
+    ```plaintext
+    $ curl --request POST \
+           --data '{"password": "training"}' \
+           http://127.0.0.1:8200/v1/auth/userpass/login/bob | jq
+    ```
+
+    Copy the generated **`client_token`** value.
+
+1.  Request to `EU_GDPR_data/orders/acct1`:
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: <bob_client_token>" \
+           http://127.0.0.1:8200/v1/EU_GDPR_data/orders/acct1 | jq
+    {
+       ...
+       "wrap_info": {
+         "token": "20a2f2b3-8bea-4e16-980b-82724dcdc38b",
+         "accessor": "9910cb38-600c-29d8-1c39-764a1c89a481",
+         "ttl": 86400,
+         "creation_time": "2018-08-08T10:13:06-07:00",
+         "creation_path": "EU_GDPR_data/orders/acct1"
+       },
+       ...
+    }
+    ```
+
+    The response includes **`wrap_info`** instead of the actual data.
+    Copy the **`accessor`** value.
+
+1.  Now, a member of `acct_manager` must approve this request. Log in as
+    **`ellen`** who is a member of `acct_manager` group.
+
+    ```plaintext
+    $ curl --request POST \
+            --data '{"password": "training"}' \
+            http://127.0.0.1:8200/v1/auth/userpass/login/ellen | jq
+    ```
+
+    Copy the generated **`client_token`** value.
+
+1.  As a user, `ellen`, you can check the current status and then authorize bob's
+    request. (NOTE: Be sure to replace `<accessor>` with the `accessor` value you
+    copied earlier.)
+
+    ```shell
+    # To check the current status using sys/control-group/request endpoint
+    $ curl --header "X-Vault-Token: <ellen_client_token>" \
+            --request POST \
+            --data '{"accessor": "<accessor>"}' \
+            http://127.0.0.1:8200/v1/sys/control-group/request | jq
+    {
+        ...
+        "data": {
+          "approved": false,
+          "authorizations": null,
+          "request_entity": {
+            "id": "38700386-723d-3d65-43b7-4fb44d7e6c30",
+            "name": "Bob Smith"
+          },
+          "request_path": "EU_GDPR_data/orders/acct1"
+        },
+        ...
+    }
+
+    # Now, authorize the request using sys/control-group/authorize endpoint
+    $ curl --header "X-Vault-Token: <ellen_client_token>" \
+              --request POST \
+              --data '{"accessor": "<accessor>"}' \
+              http://127.0.0.1:8200/v1/sys/control-group/authorize | jq
+    {
+        ...
+        "data": {
+          "approved": true
+        },
+        ...
+    }
+    ```
+
+    Now, the `approved` status is `true`.
+
+1.  The `bob` user should be able to unwrap the secrets.
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: <bob_client_token>" \
+           --request POST \
+           --data '{"token": "<wrapping_token>"}' \
+           http://127.0.0.1:8200/v1/sys/wrapping/unwrap | jq
+    {
+       ...
+       "data": {
+         "order_number": "12345678",
+         "product_id": "987654321"
+       },
+       ...
+    }
+    ```
+
+#### Web UI
+
+The user, **`ellen`** can approve the data access request via UI.
+
+1. Open the Vault sign in page in a web browser (e.g.
+   http://127.0.0.1:8200/ui/vault/auth?with=userpass). In the **Userpass** tab,
+   enter **`ellen`** in the **Username** field, and **`training`** in the
+   **Password** field.
+
+1. Click **Sign in**.
+
+1. Select the **Access** tab, and then **Control Groups**.
+
+1. Enter the **`wrapping_accessor`** value in the **Accessor** field and click
+   **Lookup**. ![Control Groups](/img/vault-ctrl-grp-5.png)
+
+1. _Awaiting authorization_ message displays. ![Control
+Groups](/img/vault-ctrl-grp-6.png)
+
+1. Click **Authorize**. The message changes to "_Thanks! You have given
+   authorization_."
+
+> Bob needs to request data access via CLI or API. Once the access request was
+> approved, use the CLI or API to unwrap the secrets.
+
+### <a name="step5"></a>Step 5: ACL Policy vs. Sentinel Policy
+
+Although the [**`read-gdpr-order.hcl`**](#step1) was written as ACL policy, you
+can implement Control Groups in either ACL or Sentinel policies.
+
+Using Sentinel, the same policy may look something like:
+
+```hcl
+import "controlgroup"
+
+control_group = func() {
+  numAuthzs = 0
+  for controlgroup.authorizations as authz {
+      if "acct_manager" in authz.groups.by_name {
+         numAuthzs = numAuthzs + 1
+      }
+  }
+  if numAuthzs >= 1 {
+      return true
+  }
+  return false
+}
+
+main = rule {
+   control_group()
+}
+```
+
+Deploy this policy as an Endpoint Governing Policy attached to
+"**`EU_GDPR_data/orders/*`**" path.
+
+-> Refer to the [Sentinel
+Properties](/docs/enterprise/sentinel/properties.html#control-group-properties)
+documentation for the list of available properties associated with control
+groups.
+
+## Next steps
+
+To protect your secrets, it may become necessary to write finer-grained
+policies to introspect different aspects of incoming requests. If you have not
+already done so, read [Sentinel](https://docs.hashicorp.com/sentinel/)
+documentation to learn more about what you can accomplish writing policies as a
+code.
diff --git a/website/pages/guides/identity/identity.mdx b/website/pages/guides/identity/identity.mdx
new file mode 100644
index 000000000000..c43004c73641
--- /dev/null
+++ b/website/pages/guides/identity/identity.mdx
@@ -0,0 +1,1096 @@
+---
+layout: guides
+page_title: 'Identity: Entities and Groups - Guides'
+sidebar_title: Identity - Entities & Groups
+description: |-
+  This guide demonstrates the commands to create entities, entity aliases, and
+  groups.  For the purpose of the demonstration, userpass auth method will be
+  used.
+---
+
+# Identity - Entities and Groups
+
+Vault supports multiple authentication methods and also allows enabling the same
+type of authentication method on different mount paths. Each Vault client may
+have multiple accounts with various identity providers that are enabled on the
+Vault server.
+
+Vault clients can be mapped as **_entities_** and their corresponding accounts
+with authentication providers can be mapped as **_aliases_**. In essence, each
+entity is made up of zero or more aliases. Identity secrets engine internally
+maintains the clients who are recognized by Vault.
+
+## Reference Material
+
+- [Identity Secrets Engine](/docs/secrets/identity/index.html)
+- [Identity Secrets Engine (API)](/api/secret/identity/index.html)
+- [External vs Internal Groups](/docs/secrets/identity/index.html#external-vs-internal-groups)
+
+~> **NOTE:** An [interactive
+tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-identity) is
+also available if you do not have a Vault environment to perform the steps
+described in this guide.
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The steps described in this guide are typically performed by **operations**
+persona.
+
+## Challenge
+
+Bob has accounts in both Github and LDAP. Both Github and LDAP auth methods are
+enabled on the Vault server that he can authenticate using either one of his
+accounts. Although both accounts belong to Bob, there is no association between
+the two accounts to set some common properties.
+
+## Solution
+
+Create an _entity_ representing Bob, and associate aliases representing each of
+his accounts as the entity member. You can set additional policies and metadata
+on the entity level so that both accounts can inherit.
+
+When Bob authenticates using either one of his accounts, the entity identifier
+will be tied to the authenticated token. When such tokens are put to use, their
+entity identifiers are audit logged, marking a trail of actions performed by
+specific users.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
+with Vault. However, it is recommended that root tokens are used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+an appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Configure auth methods
+path "sys/auth" {
+  capabilities = [ "read", "list" ]
+}
+
+# Configure auth methods
+path "sys/auth/*" {
+  capabilities = [ "create", "update", "read", "delete", "list", "sudo" ]
+}
+
+# Manage userpass auth methods
+path "auth/userpass/*" {
+  capabilities = [ "create", "read", "update", "delete" ]
+}
+
+# Manage github auth methods
+path "auth/github/*" {
+  capabilities = [ "create", "read", "update", "delete" ]
+}
+
+# Display the Policies tab in UI
+path "sys/policies" {
+  capabilities = [ "read", "list" ]
+}
+
+# Create and manage ACL policies from UI
+path "sys/policies/acl/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Create and manage policies
+path "sys/policy" {
+  capabilities = [ "read", "list" ]
+}
+
+# Create and manage policies
+path "sys/policy/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# List available secret engines to retrieve accessor ID
+path "sys/mounts" {
+  capabilities = [ "read" ]
+}
+
+# Create and manage entities and groups
+path "identity/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+In this lab, you are going to learn the API-based commands to create entities,
+entity aliases, and groups. For the purpose of the training, you are going to
+leverage the userpass auth method. The challenge exercise walks you through
+creating an external group by mapping a GitHub group to an identity group.
+
+1. [Create an Entity with Alias](#step1)
+2. [Test the Entity](#step2)
+3. [Create an Internal Group](#step3)
+4. [Create an External Group](#step4)
+
+### <a name="step1"></a>Step 1: Create an Entity with Alias
+
+You are going to create a new entity with base policy assigned. The entity
+defines two entity aliases with each has a different policy assigned.
+
+**Scenario:** A user, Bob Smith at ACME Inc. happened to have two sets of
+credentials: `bob` and `bsmith`. He can authenticate with Vault using either
+one of his accounts. To manage his accounts and link them to identity `Bob Smith` in QA team, you are going to create an entity for Bob.
+
+![Entity Bob Smith](/img/vault-entity-1.png)
+
+-> For the simplicity of this guide, you are going to work with the `userpass`
+auth method. However, in reality, the user `bob` might be a username exists in
+Active Directory, and `bsmith` might be Bob's username in GitHub.
+
+#### Scenario Policies
+
+**`base.hcl`**
+
+```hcl
+path "secret/training_*" {
+   capabilities = ["create", "read"]
+}
+```
+
+**`test.hcl`**
+
+```hcl
+path "secret/test" {
+   capabilities = [ "create", "read", "update", "delete" ]
+}
+```
+
+**`team-qa.hcl`**
+
+```hcl
+path "secret/team-qa" {
+   capabilities = [ "create", "read", "update", "delete" ]
+}
+```
+
+~> **NOTE:** If you are running [K/V Secrets Engine v2](/api/secret/kv/kv-v2.html)
+at `secret`, set the policies path accordingly: `secret/data/training_*`,
+`secret/data/test`, and `secret/data/team-qa`.
+
+Now, you are going to create `bob` and `bsmith` users with appropriate policies
+attached.
+
+#### CLI command
+
+1. Create policies: `base`, `test`, and `team-qa`.
+
+   ```shell
+   # Create base policy
+   $ vault policy write base base.hcl
+
+   # Create test policy
+   $ vault policy write test test.hcl
+
+   # Create team-qa policy
+   $ vault policy write team-qa team-qa.hcl
+
+   # List all policies to verify that 'base', 'test' and 'team-qa' policies exist
+   $ vault policy list
+   base
+   default
+   team-qa
+   test
+   root
+   ```
+
+1. Enable the `userpass` auth method.
+
+   ```plaintext
+   $ vault auth enable userpass
+   ```
+
+1. Create a new user in userpass:
+
+   - username: bob
+   - password: training
+   - policy: test
+
+   ```plaintext
+   $ vault write auth/userpass/users/bob password="training" policies="test"
+   ```
+
+1. Create another user in userpass:
+
+   - username: bsmith
+   - password: training
+   - policy: team-qa
+
+   ```plaintext
+   $ vault write auth/userpass/users/bsmith password="training" policies="team-qa"
+   ```
+
+1. Execute the following command to discover the mount accessor for the userpass auth method:
+
+   ```plaintext
+   $ vault auth list -detailed
+   Path                  Type        Accessor                ...
+   ----                  ----        --------                ...
+   token/                token       auth_token_bec8530a     ...
+   userpass/             userpass    auth_userpass_70eba76b  ...
+   ```
+
+   In the output, locate the **Accessor** value for `userpass`.
+
+   Run the following command to store the userpass accessor value in a file named, `accessor.txt`.
+
+   ```plaintext
+   $ vault auth list -format=json | jq -r '.["userpass/"].accessor' > accessor.txt
+   ```
+
+1. Create an entity for `bob-smith`.
+
+   ```plaintext
+   $ vault write identity/entity name="bob-smith" policies="base" \
+        metadata=organization="ACME Inc." \
+        metadata=team="QA"
+
+   Key        Value
+   ---        -----
+   aliases    <nil>
+   id         631256b1-8523-9838-5501-d0a1e2cdad9c
+   ```
+
+   -> Make a note of the generated entity ID (**`id`**).
+
+1. Now, add the user `bob` to the `bob-smith` entity by creating an entity alias:
+
+   ```plaintext
+   $ vault write identity/entity-alias name="bob" \
+       canonical_id=<entity_id> \
+       mount_accessor=<userpass_accessor>
+   ```
+
+   The `<userpass_accessor>` value is stored in `accessor.txt`.
+
+   **Example:**
+
+   ```plaintext
+   $ vault write identity/entity-alias name="bob" \
+         canonical_id="631256b1-8523-9838-5501-d0a1e2cdad9c" \
+         mount_accessor=$(cat accessor.txt)
+
+   Key             Value
+   ---             -----
+   canonical_id    631256b1-8523-9838-5501-d0a1e2cdad9c
+   id              873f7b12-dec8-c182-024e-e3f065d8a9f1
+   ```
+
+1. Repeat the step to add user `bsmith` to the `bob-smith` entity.
+
+   **Example:**
+
+   ```plaintext
+   $ vault write identity/entity-alias name="bsmith" \
+          canonical_id="631256b1-8523-9838-5501-d0a1e2cdad9c" \
+          mount_accessor=$(cat accessor.txt)
+
+   Key             Value
+   ---             -----
+   canonical_id    631256b1-8523-9838-5501-d0a1e2cdad9c
+   id              55d46747-b99e-6a82-05f5-61bb60fd7d15
+   ```
+
+1. Review the entity details.
+
+   ```plaintext
+   $ vault read identity/entity/id/<entity_id>
+   ```
+
+   The output should include the entity aliases, metadata (organization, and
+   team), and base policy.
+
+#### API call using cURL
+
+1. Create policies: `base`, `test`, and `team-qa`.
+
+   To create a policy, use the `/sys/policy` endpoint:
+
+   ```shell
+   $ curl --header "X-Vault-Token: <TOKEN>" \
+          --request PUT \
+          --data <PAYLOAD> \
+          <VAULT_ADDRESS>/v1/sys/policy/<POLICY_NAME>
+   ```
+
+   Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
+   stringified policy.
+
+   **Example:**
+
+   ```shell
+   # Create the API request payload, payload-1.json
+   $ tee payload-1.json <<EOF
+   {
+     "policy": "path \"secret/training_*\" {\n capabilities = [\"create\", \"read\"]\n}"
+   }
+   EOF
+
+   # Create base policy
+   $ curl --header "X-Vault-Token: ..." \
+          --request PUT \
+          --data @payload-1.json \
+          http://127.0.0.1:8200/v1/sys/policy/base
+
+   # Create the API request payload, payload-2.json
+   $ tee payload-2.json <<EOF
+   {
+     "policy": "path \"secret/test\" {\n capabilities = [ \"create\", \"read\", \"update\", \"delete\" ]\n }"
+   }
+   EOF
+
+   # Create base policy
+   $ curl --header "X-Vault-Token: ..." \
+          --request PUT \
+          --data @payload-2.json \
+          http://127.0.0.1:8200/v1/sys/policy/test
+
+   # Create the API request payload, payload-1.json
+   $ tee payload-3.json <<EOF
+   {
+     "policy": "path \"secret/team-qa\" {\n capabilities = [ \"create\", \"read\", \"update\", \"delete\" ]\n }"
+   }
+   EOF
+
+   # Create base policy
+   $ curl --header "X-Vault-Token: ..." \
+          --request PUT \
+          --data @payload-3.json \
+          http://127.0.0.1:8200/v1/sys/policy/team-qa
+
+   # List all policies to verify that 'base', 'test' and 'team-qa' policies exist
+   $ curl --header "X-Vault-Token: ..." \
+          http://127.0.0.1:8200/v1/sys/policy | jq
+   ```
+
+1. Enable the `userpass` auth method.
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data '{"type": "userpass"}' \
+          http://127.0.0.1:8200/v1/sys/auth/userpass
+   ```
+
+1. Create a new user in userpass:
+
+   - username: bob
+   - password: training
+   - policy: test
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data '{"password": "training", "policies": "test"}' \
+          http://127.0.0.1:8200/v1/auth/userpass/users/bob
+   ```
+
+1. Create another user in userpass:
+
+   - username: bsmith
+   - password: training
+   - policy: team-qa
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data '{"password": "training", "policies": "team-qa"}' \
+          http://127.0.0.1:8200/v1/auth/userpass/users/bsmith
+   ```
+
+1. Execute the following command to discover the mount accessor for the userpass
+   auth method.
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          http://127.0.0.1:8200/v1/sys/auth | jq
+    {
+      ...
+      "userpass/": {
+        "accessor": "auth_userpass_9b6cd254",
+       ...
+      },
+      ...
+   ```
+
+   -> Make a note of the userpass accessor value (**`auth_userpass_XXXXX`**).
+
+1. Create an entity for bob-smith.
+
+   ```plaintext
+   $ tee payload.json <<EOF
+   {
+     "name": "bob-smith",
+     "metadata": {
+       "organization": "ACME Inc.",
+       "team": "QA"
+     },
+     "policies": ["base"]
+   }
+   EOF
+
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data @payload.json \
+          http://127.0.0.1:8200/v1/identity/entity
+   {
+     "request_id": "4d4d340f-f4c9-0201-c87e-42cc140a383a",
+     "lease_id": "",
+     "renewable": false,
+     "lease_duration": 0,
+     "data": {
+       "aliases": null,
+       "id": "6ded4d31-481f-040b-11ad-c6db0cb4d211"
+     },
+     ...
+   ```
+
+   -> Make a note of the generated entity ID (**`id`**).
+
+1. Now, add the user `bob` to the `bob-smith` entity by creating an entity alias.
+   In the request body, you need to pass the userpass name as `name`, the userpass
+   accessor value as `mount_accessor`, and the entity id as `canonical_id`.
+
+   **Example:**
+
+```plaintext
+$ tee payload-bob.json <<EOF
+{
+  "name": "bob",
+  "canonical_id": "6ded4d31-481f-040b-11ad-c6db0cb4d211",
+  "mount_accessor": "auth_userpass_9b6cd254"
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." \
+        --request POST \
+        --data @payload-bob.json \
+        http://127.0.0.1:8200/v1/identity/entity-alias
+```
+
+1. Repeat the step to add user `bsmith` to the `bob-smith` entity.
+
+   **Example:**
+
+   ```plaintext
+   $ tee payload-bsmith.json <<EOF
+   {
+     "name": "bsmith",
+     "canonical_id": "6ded4d31-481f-040b-11ad-c6db0cb4d211",
+     "mount_accessor": "auth_userpass_9b6cd254"
+   }
+   EOF
+
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data @payload-bsmith.json \
+          http://127.0.0.1:8200/v1/identity/entity-alias
+   ```
+
+1. Review the entity details. (**NOTE:** Be sure to enter the entity ID matching
+   your environment.)
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          http://127.0.0.1:8200/v1/identity/entity/id/<ENTITY_ID>
+   {
+      "request_id": "cc0793bf-fafe-4b2c-fd82-88855712845c",
+      "lease_id": "",
+      "renewable": false,
+      "lease_duration": 0,
+      "data": {
+        "aliases": [
+          {
+            "canonical_id": "6ded4d31-481f-040b-11ad-c6db0cb4d211",
+            ...
+            "mount_type": "userpass",
+            "name": "bob"
+          },
+          {
+            "canonical_id": "6ded4d31-481f-040b-11ad-c6db0cb4d211",
+            ...
+            "mount_type": "userpass",
+            "name": "bsmith"
+          }
+        ],
+        ...
+   ```
+
+   The `bob` and `bsmith` users should appear in the entity alias list.
+
+#### Web UI
+
+1.  Open a web browser and launch the Vault UI (e.g. http://127.0.01:8200/ui)
+    and then login.
+
+1.  Click the **Policies** tab, and then select **Create ACL policy**.
+
+1.  Enter **`base`** in the **Name** field, and paste in the [`base.hcl` policy
+    rules](#scenario-policies) in the **Policy** text editor.
+
+    ![Create Policy](/img/vault-policy-2.png)
+
+1.  Click **Create Policy** to complete.
+
+1.  Repeat the steps to create policies for **`test`** and **`team-qa`** as well.
+
+    ![Create Policy](/img/vault-policy-1.png)
+
+1.  Click the **Access** tab, and select **Enable new method**.
+
+1.  Select **Username & Password** from the **Type** drop-down menu.
+
+    ![Create Policy](/img/vault-auth-method-2.png)
+
+1.  Click **Enable Method**.
+
+1.  Click the Vault CLI shell icon (**`>_`**) to open a command shell. Enter the
+    following command to create a new user, **`bob`**:
+
+    ```plaintext
+    $ vault write auth/userpass/users/bob password="training" policies="test"
+    ```
+
+    ![Create Policy](/img/vault-auth-method-3.png)
+
+1.  Enter the following command to create a new user, **`bsmith`**:
+
+    ```plaintext
+    $ vault write auth/userpass/users/bsmith password="training" policies="team-qa"
+    ```
+
+    ![Create Policy](/img/vault-auth-method-4.png)
+
+1.  Click the icon (**`>_`**) again to hide the shell.
+
+1.  From the **Access** tab, select **Entities** and then **Create entity**.
+
+1.  Populate the **Name**, **Policies** and **Metadata** fields as shown below:
+
+    ![Create Policy](/img/vault-entity-4.png)
+
+1.  Click **Create**.
+
+1.  Select **Add alias**. Enter **`bob`** in the **Name** field and select
+    **`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
+
+    ![Create Policy](/img/vault-entity-5.png)
+
+1.  Click **Create**.
+
+1.  Return to the **Entities** list. Select **Add alias** from the **`bob-smith`**
+    entity menu.
+
+    ![Create Policy](/img/vault-entity-6.png)
+
+1.  Enter **`bsmith`** in the **Name** field and select **`userpass/ (userpass)`** from the
+    **Auth Backend** drop-down list, and then click **Create**.
+
+### <a name="step2"></a>Step 2: Test the Entity
+
+To better understand how a token inherits the capabilities from the entity's
+policy, you are going to test it by logging in as `bob`.
+
+### CLI Command
+
+First, login as `bob`.
+
+```plaintext
+$ vault login -method=userpass username=bob password=training
+
+Key                    Value
+---                    -----
+token                  ac318416-0dc1-4311-67e4-b58381c86fde
+token_accessor         79cced7b-51df-9523-920f-a1579687516b
+token_duration         768h
+token_renewable        true
+token_policies         ["default" "test"]
+identity_policies      ["base"]
+policies               ["base" "default" "test"]
+token_meta_username    bob
+```
+
+> Upon a successful authentication, a token will be returned. Notice that the
+> output displays **`token_policies`** and **`identity_policies`**. The generated
+> token has both `test` and `base` policies attached.
+
+The `test` policy grants CRUD operations on the `secret/test` path.
+Test to make sure that you can write secrets in the path.
+
+```plaintext
+$ vault kv put secret/test owner="bob"
+Success! Data written to: secret/test
+```
+
+Although the username `bob` does not have `base` policy attached, the token
+inherits the capabilities granted in the base policy because `bob` is a member
+of the `bob-smith` entity, and the entity has base policy attached.
+
+Check to see that the bob's token inherited the capabilities.
+
+```plaintext
+$ vault token capabilities secret/training_test
+create, read
+```
+
+> The `base` policy grants create and read capabilities on
+> `secret/training_*` path; therefore, `bob` is permitted to run create and
+> read operations against any path starting with `secret/training_*`.
+
+What about the `secret/team-qa` path?
+
+```plaintext
+$ vault token capabilities secret/team-qa
+deny
+```
+
+
+The user `bob` only inherits capability from its associating entity's policy.
+The user can access the `secret/team-qa` path only if he logs in with
+`bsmith` credentials.
+
+~> Log back in with the token you used to configure the entity before proceed to
+[Step 3](#step3).
+
+#### API call using cURL
+
+First, login as `bob`.
+
+```plaintext
+$ curl --request POST \
+       --data '{"password": "training"}' \
+       http://127.0.0.1:8200/v1/auth/userpass/login/bob
+{
+ ...
+ "auth": {
+   "client_token": "b3c2ac10-9f8f-4e64-9a1c-337236ba20f6",
+   "accessor": "92204429-6555-772e-cf51-52492d7f1686",
+   "policies": [
+     "base",
+     "default",
+     "test"
+   ],
+   "token_policies": [
+      "default",
+      "test"
+    ],
+    "identity_policies": [
+      "base"
+    ],
+   ...
+```
+
+> Upon a successful authentication, a token will be returned. Notice that the
+> output displays **`token_policies`** and **`identity_policies`**. The generated
+> token has both `test` and `base` policies attached.
+
+The `test` policy grants CRUD operations on the `secret/test` path. Test
+to make sure that you can write secrets in the path.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"owner": "bob"}' \
+       http://127.0.0.1:8200/v1/secret/test
+```
+
+Although the username `bob` does not have `base` policy attached, the token
+inherits the capabilities granted in the base policy because `bob` is a member
+of the `bob-smith` entity, and the entity has base policy attached.
+
+Check to see that the bob's token inherited the capabilities.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+         --request POST \
+         --data '{"paths": ["secret/training_test"]}'
+         http://127.0.0.1:8200/v1/sys/capabilities-self | jq
+{
+ "secret/training_test": [
+   "create",
+   "read"
+ ],
+ ...
+```
+
+> The `base` policy grants create and read capabilities on
+> `secret/training_*` path; therefore, `bob` is permitted to run create and
+> read operations against any path starting with `secret/training_*`.
+
+What about the `secret/team-qa` path?
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"paths": ["secret/team-qa"]}'
+       http://127.0.0.1:8200/v1/sys/capabilities-self | jq
+{
+ "secret/team-qa": [
+   "deny"
+ ],
+ ...
+```
+
+
+The user `bob` only inherits capability from its associating entity's policy.
+The user can access the `secret/team-qa` path only if he logs in with
+`bsmith` credentials.
+
+!> **NOTE:** Log back in with the token you used to configure the entity before proceed to
+[Step 3](#step3).
+
+### <a name="step3"></a>Step 3: Create an Internal Group
+
+Now, you are going to create an internal group named, **`engineers`**. Its
+member is `bob-smith` entity that you created in [Step 1](#step1).
+
+![Entity Bob Smith](/img/vault-entity-3.png)
+
+The group policy, `team-eng` defines the following: **`team-eng.hcl`**
+
+```plaintext
+path "secret/team/eng" {
+  capabilities = [ "create", "read", "update", "delete"]
+}
+```
+
+#### CLI Command
+
+1.  Create a new policy named, `team-eng`:
+
+    ```plaintext
+    $ vault policy write team-eng ./team-eng.hcl
+    ```
+
+1.  Create an internal group named, `engineers` and add `bob-smith` entity as a
+    group member and attach `team-eng`.
+
+    ```plaintext
+    $ vault write identity/group name="engineers" \
+          policies="team-eng" \
+          member_entity_ids=<entity_id> \
+          metadata=team="Engineering" \
+          metadata=region="North America"
+    ```
+
+    Where `<entity_id>` is the value you copied at [Step 1](#step1).
+
+    **Example:**
+
+    ```plaintext
+    $ vault write identity/group name="engineers" \
+          policies="team-eng" \
+          member_entity_ids="631256b1-8523-9838-5501..."  \
+          metadata=team="Engineering" \
+          metadata=region="North America"
+    Key     Value
+    ---     -----
+    id      81bdac90-284a-7b8c-6289-5fa7693bcb4a
+    name    engineers
+    ```
+
+Now, when you login as `bob` or `bsmith`, its generated token inherits the
+group-level policy, **`team-eng`**. You can perform similar tests demonstrated
+in [Step 2](#step2) to verify that.
+
+#### API call using cURL
+
+1. Create a new policy named, `team-eng`:
+
+   ```shell
+   # API request payload containing stringified policy
+   $ tee payload.json <<EOF
+   {
+     "policy": "path \"secret/team/eng\" {\n capabilities = [\"create\", \"read\", \"delete\", \"update\"]\n }"
+   }
+   EOF
+
+   # Create base policy
+   $ curl --header "X-Vault-Token: ..." \
+          --request PUT \
+          --data @payload-1.json \
+          http://127.0.0.1:8200/v1/sys/policy/team-eng
+   ```
+
+1. Create an internal group named, `engineers` and add `bob-smith` entity as a
+   group member and attach `team-eng`.
+
+   ```shell
+   # API request msg payload.  Be sure to replace <ENTITY_ID> with correct value
+   $ tee payload-group.json <<EOF
+   {
+     "name": "engineers",
+     "policies": ["team-eng"],
+     "member_entity_ids": ["<ENTITY_ID>"],
+     "metadata": {
+       "team": "Engineering",
+       "region": "North America"
+     }
+   }
+   EOF
+
+   # Use identity/group endpoint
+   $ curl --header "X-Vault-Token: ..." \
+           --request PUT \
+           --data @payload-group.json \
+           http://127.0.0.1:8200/v1/identity/group | jq
+   {
+       "request_id": "2b6eefd6-67a6-31c7-dbc3-11c1c132e2cf",
+       "lease_id": "",
+       "renewable": false,
+       "lease_duration": 0,
+       "data": {
+         "id": "d62157aa-b5f6-b6fe-aa40-0ffc54defc41",
+         "name": "engineers"
+       },
+       ...
+   ```
+
+Now, when you login as `bob` or `bsmith`, its generated token inherits the
+group-level policy, **`team-eng`**. You can perform similar tests demonstrated
+in [Step 2](#step2) to verify that.
+
+#### Web UI
+
+1. Click the **Policies** tab, and then select **Create ACL policy**.
+
+1. Enter **`team-eng`** in the **Name** field, and paste in the [`team-eng.hcl` policy
+   rules](#step3) in the **Policy** text editor, and then click **Create Policy**.
+
+1. Click the **Access** tab and select **Entities**.
+
+1. Select the **`bob-smith`** entity and copy its **ID** displayed under the
+   **Details** tab.
+
+1. Now, click **Groups** from the left navigation, and select **Create group**.
+
+1. Enter the group information as shown below.
+
+   ![Group](/img/vault-entity-7.png)
+
+   ~> **NOTE:** Make sure to enter the `bob-smith` entity **ID** you copied in the
+   **Member Entity IDs** field.
+
+1. Click **Create**.
+
+Now, when you login as `bob` or `bsmith`, its generated token inherits the
+group-level policy, **`team-eng`**. You can perform similar tests demonstrated
+in [Step 3](#step3) to verify that.
+
+> **Summary:** By default, Vault creates an internal group. When you create an
+> internal group, you specify the **_group members_** rather than **_group
+> alias_**. Group _aliases_ are mapping between Vault and external identity providers
+> (e.g. LDAP, GitHub, etc.). Therefore, you define group aliases only when you
+> create **external** groups. For internal groups, you specify `member_entity_ids`
+> and/or `member_group_ids`.
+
+### <a name="step4"></a>Step 4: Create an External Group
+
+It is common for organizations to enable auth methods such as LDAP, Okta and
+perhaps GitHub to handle the Vault user authentication, and individual user's
+group memberships are defined within those identity providers.
+
+In order to manage the group-level authorization, you can create an external
+group to link Vault with the external identity provider (auth provider) and
+attach appropriate policies to the group.
+
+#### Example Scenario
+
+Any user who belongs to **`training`** team in GitHub organization,
+**`example-inc`** are permitted to perform all operations against the
+`secret/education` path.
+
+**NOTE:** This scenario assumes that the GitHub organization, `example-inc`
+exists as well as `training` team within the organization.
+
+### CLI Command
+
+```shell
+# Write a new policy file
+# If you are running KV v2, set the path to "secret/data/education" instead
+$ tee education.hcl <<EOF
+path "secret/education" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+EOF
+
+# Create a new policy named 'education'
+$ vault policy write education education.hcl
+
+# Enable GitHub auth method
+$ vault auth enable github
+
+# Retrieve the mount accessor for the GitHub auth method and save it in accessor.txt
+$ vault auth list -format=json | jq -r '.["github/"].accessor' > accessor.txt
+
+# Configure to point to your GitHub organization (e.g. hashicorp)
+$ vault write auth/github/config organization=example-inc
+
+# Create an external group named, "education"
+# Be sure to copy the generated group ID
+$ vault write identity/group name="education" \
+       policies="education" \
+       type="external" \
+       metadata=organization="Product Education"
+
+# Create a group alias where canonical_id is the group ID
+# 'name' is the actual GitHub team name (NOTE: Use slugified team name.)
+$ vault write identity/group-alias name="training" \
+       mount_accessor=$(cat accessor.txt) \
+       canonical_id="<group_ID>"
+```
+
+#### API call using cURL
+
+```shell
+# API request payload containing stringfied policy
+# If you are running KV v2, set the path to "secret/data/education" instead
+$ tee payload-pol.json <<EOF
+{
+  "policy": "path \"secret/education\" {\n capabilities = [\"create\", \"read\", \"delete\", \"update\", \"list\"]\n }"
+}
+EOF
+
+# Create education policy
+$ curl --header "X-Vault-Token: ..." \
+       --request PUT \
+       --data @payload-pol.json \
+       http://127.0.0.1:8200/v1/sys/policy/education
+
+# Enable GitHub Auth Method at github
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type": "github"}' \
+       http://127.0.0.1:8200/v1/sys/auth/github
+
+# Configure GitHub auth method by setting organization
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"organization": "example-inc"}' \
+       http://127.0.0.1:8200/v1/auth/github/config
+
+# Get the github accessor value (**`auth_github_XXXXX`**)
+$ curl --header "X-Vault-Token: ..." \
+      http://127.0.0.1:8200/v1/sys/auth | jq
+{
+  ...
+  "userpass/": {
+    "accessor": "auth_github_91010f60",
+   ...
+  },
+  ...
+}
+
+# API request msg payload to create an external group
+$ tee payload-edu.json <<EOF
+{
+   "name": "education",
+   "policies": ["education"],
+   "type": "external",
+   "metadata": {
+     "organization": "Product Education"
+   }
+}
+EOF
+
+# Create an external group named, "education"
+# Be sure to copy the group ID (id)
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload-edu.json \
+       http://127.0.0.1:8200/v1/identity/group | jq
+{
+   "request_id": "a8161086-13db-f982-4216-7d996eae3fd9",
+   "lease_id": "",
+   "renewable": false,
+   "lease_duration": 0,
+   "data": {
+     "id": "ea18cb62-2478-d370-b726-a77d1700de80",
+     "name": "education"
+   },
+  ...
+
+# API request msg payload to create a group aliases, training
+$ tee payload-training.json <<EOF
+{
+  "canonical_id": "<GROUP_ID>",
+  "mount_accessor": "auth_github_XXXXX",
+  "name": "training"
+}
+EOF
+
+# Create 'training' group alias
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload-training.json \
+       http://127.0.0.1:8200/v1/identity/group-alias | jq
+```
+
+#### Web UI
+
+1.  Click the **Policies** tab, and then select **Create ACL policy**.
+
+1.  Enter **`education`** in the **Name** field, and enter the following policy
+    in the **Policy** text editor, and then click **Create Policy**. (**NOTE:** If
+    you are running KV v2, set the path to **`secret/data/education`** instead.)
+
+    ```plaintext
+    path "secret/education" {
+      capabilities = [ "create", "read", "update", "delete", "list" ]
+    }
+    ```
+
+1.  Click the **Access** tab and select **Auth Methods**.
+
+1.  Select **Enable new method**.
+
+1.  Select **GitHub** from the **Type** drop-down menu, and then enter
+    **`example-inc`** in the **Organization** field.
+
+1.  Click **Enable Method**.
+
+1.  Click the **Access** tab and select **Groups**.
+
+1.  Select **Create group**. Enter the group information as shown below.
+
+    ![Create Policy](/img/vault-entity-9.png)
+
+1.  Click **Create**.
+
+1.  Select **Add alias** and enter **`training`** in the **Name** field. Select
+    **github/ (github)** from the **Auth Backend** drop-down list.
+
+    ![Create Policy](/img/vault-entity-10.png)
+
+1.  Click **Create**.
+
+> **Summary:** At this point, any GitHub user who belongs to `training`
+> team within the `example-inc` organization can authenticate with Vault. The
+> generated token for the user has `education` policy attached.
+
+## Next steps
+
+Now that you have learned about managing user identity using entities and
+groups, read the [AppRole Pull
+Authentication](/guides/identity/authentication.html) guide to learn how apps or
+machines can authenticate with Vault.
diff --git a/website/pages/guides/identity/index.mdx b/website/pages/guides/identity/index.mdx
new file mode 100644
index 000000000000..ece0c29ef9d7
--- /dev/null
+++ b/website/pages/guides/identity/index.mdx
@@ -0,0 +1,57 @@
+---
+layout: guides
+page_title: Identity and Access Management - Guides
+sidebar_title: Identity and Access Management
+description: >-
+  Once a Vault instance has been installed, the next step is to configure auth
+
+  backends, secret backends, and manage keys. Vault configuration guides
+  addresses
+
+  key concepts in configuring your Vault application.
+---
+
+# Identity and Access Management
+
+This guide walks you through Identity and Access Management topics.
+
+- [Secure Introduction of Vault Clients](/guides/identity/secure-intro.html)
+  explains the mechanism of the client authentication against a Vault server.
+
+- [Policies](/guides/identity/policies.html) are used to instrument
+  Role-Based Access Control (RBAC) by specifying access privileges. Authoring of
+  policies is probably the first step the Vault administrator performs. This guide
+  walks you through creating example policies for `admin` and `provisioner` users.
+
+- [ACL Policy Path Templating](/guides/identity/policy-templating.html) guide
+  demonstrates templated policy paths to allow non-static paths.
+
+- [AppRole Pull Authentication](/guides/identity/authentication.html) guide
+  that introduces the steps to generate tokens for machines or apps by enabling
+  AppRole auth method.
+
+- [AppRole with Terraform and Chef](/guides/identity/approle-trusted-entities.html)
+  guide explains how AppRole auth method integrates with Terraform and Chef.
+  This guide is for anyone who wishes to reproduce the demo introduced during
+  the [Delivering Secret Zero: Vault AppRole with Terraform and
+  Chef](https://www.hashicorp.com/resources/delivering-secret-zero-vault-approle-terraform-chef)
+  webinar.
+
+- [Token and Leases](/guides/identity/lease.html) guide helps you
+  understand how tokens and leases work in Vault. The understanding of the
+  lease hierarchy and expiration mechanism helps you plan for break glass
+  procedures and more.
+
+- [Identity - Entities & Groups](/guides/identity/identity.html) guide
+  demonstrates the usage of _Entities_ and _Groups_ to manage Vault clients'
+  identity.
+
+## Vault Enterprise
+
+- [Sentinel Policies](/guides/identity/sentinel.html) guide
+  walks through the creation and usage of _Role Governing Policies_ (RGPs) and
+  _Endpoint Governing Policies_ (EGPs) in Vault.
+
+- [Control Groups](/guides/identity/control-groups.html) can be used to enforce
+  additional authorization factors before the request can be completed. This
+  guide walks through the implementation of a Control Group.
diff --git a/website/pages/guides/identity/lease.mdx b/website/pages/guides/identity/lease.mdx
new file mode 100644
index 000000000000..086135844251
--- /dev/null
+++ b/website/pages/guides/identity/lease.mdx
@@ -0,0 +1,830 @@
+---
+layout: guides
+page_title: Tokens and Leases - Guides
+sidebar_title: Tokens and Leases
+description: |-
+  Tokens are the core method for authentication within Vault. For every
+  authentication token and dynamic secret, Vault creates a lease
+  containing information such as duration, renewability, and more.
+  Understanding the lifecycle of leases means understanding the lifecycle of
+  tokens in some sense.
+---
+
+# Tokens and Leases
+
+Almost everything in Vault has an associated lease, and when the lease is
+expired, the secret is revoked. Tokens are not an exception. Every non-root
+token has a time-to-live (TTL) associated with it. When a token expires and it's
+not renewed, the token is automatically revoked.
+
+## Lease Hierarchy
+
+When a new token or secret is created, it is a child of the creator. If the
+parent is revoked or expires, so do all its children regardless of their own
+leases. A child may be a token, secret, or authentication created by a parent. A
+parent is almost always a **token**.
+
+Suppose a hierarchy exists with respective TTL as follows:
+
+```
+    b519c6aa... (3h)
+        6a2cf3e7... (4h)
+        1d3fd4b2... (1h)
+            794b6f2f... (2h)
+```
+
+In this scenario, the lease ID of `1d3fd4b2..` will expire in an hour. If a
+token or secret with a lease is not renewed before the lease expires, it will be
+revoked by the Vault server. When it's revoked, it takes its child
+(`794b6f2f...`) although the child has one more hour before it expires. Then,
+two hours later, `b519c6aa...` will be revoked and takes its child
+(`6a2cf3e7...`) with it.
+
+## Reference Material
+
+- The [Validation](/guides/secret-mgmt/dynamic-secrets.html#validation) section of the
+  [Secret as a Service](/guides/secret-mgmt/dynamic-secrets.html) guide demonstrates lease
+  renewal and revocation
+- [Tokens documentation](/docs/concepts/tokens.html)
+- [Token Auth Method (API)](/api/auth/token/index.html)
+- [Lease, Renew, and Revoke](/docs/concepts/lease.html)
+
+~> **NOTE:** An [interactive
+tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-tokens) is
+also available if you do not have a Vault environment to perform the steps
+described in this guide.
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves one persona:
+
+- **`admin`** with privileged permissions to create and manage tokens
+
+See the [policy requirements](#policy-requirements) section for details.
+
+## Challenge
+
+Consider the following scenarios often encountered outside of Vault:
+
+- There is no **break glass** procedure available for revoking
+  access to credentials in the event of a breach
+- Credentials for external systems (e.g. AWS, MySQL) are shared
+- Need temporal access to a database in a specific scenario
+
+## Solution
+
+Vault has built-in support for secret revocation. Vault can revoke not only
+a single secret, but also a tree of secrets. For example, Vault can revoke all
+secrets read by a specific **user** or all secrets of a specific **type**.
+Revocation assists in key rolling as well as locking down systems in the case of
+an intrusion.
+
+If a user or machine needs a temporal access to Vault, you can set a short TTL
+or a number of uses to a token so the token is automatically revoked at the
+end of its life.
+
+This also allows for organizations to plan and train for various
+"break glass" procedures.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
+with Vault. However, it is recommended that root tokens are used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+an appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# List available auth method - Step 1
+path "sys/auth" {
+  capabilities = [ "read" ]
+}
+
+# Read default token configuration
+path "sys/auth/token/tune" {
+  capabilities = [ "read", "sudo" ]
+}
+
+# Create and manage tokens (renew, lookup, revoke, etc.)
+path "auth/token/*" {
+  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
+}
+
+# For Advanced Features - list available secret engines
+path "sys/mounts" {
+  capabilities = [ "read" ]
+}
+
+# For Advanced Features - tune the database secret engine TTL
+path "sys/mounts/database/tune" {
+  capabilities = [ "update" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+Tokens are the core method for authentication within Vault. Tokens can be used
+directly or dynamically generated by the auth methods. Regardless, the clients
+need valid tokens to interact with Vault.
+
+This guide demonstrates the lifecycle of tokens.
+
+1. [Read token auth method configuration](#step1)
+1. [Create short-lived tokens](#step2)
+1. [Create tokens with use limit](#step3)
+1. [Periodic tokens](#step4)
+1. [Orphan tokens](#step5)
+1. [Revoke tokens](#step6)
+
+### <a name="step1"></a>Step 1: Read token auth method configuration
+
+When you create leases with no specific TTL values, the default value applies
+to the lease.
+
+```shell
+$ vault auth list
+
+Path       Type      Accessor                Default TTL  Max TTL  Replication Behavior  Description
+approle/   approle   auth_approle_53f0fb08   system       system   replicated
+github/    github    auth_github_b770f4c8    system       system   replicated
+token/     token     auth_token_2ad69043     system       system   replicated            token based credentials
+userpass/  userpass  auth_userpass_d326d2f9  system       system   replicated
+```
+
+The system max TTL is **32 days**, but you can override it to be longer or
+shorter in Vault's configuration file.
+
+Another option is to tune the mount configuration to override the system
+defaults by calling the **`/sys/mounts/<PATH>/tune`** endpoint (e.g.
+`/sys/mounts/database/tune`). For the auth method system configuration, call
+**`/sys/auth/<METHOD>/tune`** endpoint.
+
+NOTE: Refer to the [Advanced Features](#advanced-features) section for tuning
+the system configuration.
+
+#### CLI command
+
+Read the default TTL settings for **token** auth method:
+
+```shell
+$ vault read sys/auth/token/tune
+
+Key              	Value
+---              	-----
+default_lease_ttl	2764800
+force_no_cache   	false
+max_lease_ttl    	2764800
+```
+
+#### API call using cURL
+
+Use `/sys/auth/token/tune` endpoint to read the default TTL settings for **token** auth
+method:
+
+```shell
+$ curl --header "X-Vault-Token: <TOKEN>" \
+     --request GET \
+     <VAULT_ADDRESS>/v1/sys/auth/token/tune
+```
+
+Where `<TOKEN>` is your valid token with read permission on the
+`sys/auth/token/tune` path.
+
+**Example:**
+
+```shell
+$ curl --header "X-Vault-Token: ..." --request GET \
+      http://127.0.0.1:8200/v1/sys/auth/token/tune | jq
+{
+  "default_lease_ttl": 2764800,
+  "max_lease_ttl": 2764800,
+  "force_no_cache": false,
+  "request_id": "630fd49d-f704-540f-0641-41516087654f",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "default_lease_ttl": 2764800,
+    "force_no_cache": false,
+    "max_lease_ttl": 2764800
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+-> **NOTE:** The returned TTL value is in seconds (2764800 seconds = 32 days).
+
+### <a name="step2"></a>Step 2: Create short-lived tokens
+
+Create a new token with TTL of 30 seconds which means that the token gets
+automatically revoked after 30 seconds.
+
+#### CLI command
+
+To view optional parameters to create tokens:
+
+```shell
+$ vault token create -help
+```
+
+There are a number of parameters you can set. To specify the token TTL, pass
+the value using `-ttl` parameter.
+
+**Example:**
+
+```shell
+# Create a token with TTL of 30 seconds
+$ vault token create -ttl=30s
+Key            	Value
+---            	-----
+token          	3b2b1285-844b-4b40-6afa-623f39c1b738
+token_accessor 	2b2b5b83-7f22-fecd-03f0-4e25bf64da11
+token_duration 	30s
+token_renewable	true
+token_policies 	[admin]
+
+# Test the new token
+$ VAULT_TOKEN=3b2b1285-844b-4b40-6afa-623f39c1b738 vault token lookup
+Key             	Value
+---             	-----
+accessor        	2b2b5b83-7f22-fecd-03f0-4e25bf64da11
+creation_time   	1515702047
+creation_ttl    	30
+display_name    	token
+expire_time     	2018-01-11T20:21:17.900969673Z
+explicit_max_ttl	0
+id              	3b2b1285-844b-4b40-6afa-623f39c1b738
+issue_time      	2018-01-11T20:20:47.90096937Z
+meta            	<nil>
+num_uses        	0
+orphan          	false
+path            	auth/token/create
+policies        	[admin]
+renewable       	true
+ttl             	8
+```
+
+**NOTE:** The `vault token lookup` command returns the token's properties.
+In this example, it shows that this token has 8 more seconds before it expires.
+
+When you execute a Vault command using the new token immediately following its
+creation, it should work. Wait for 30 seconds and try again. It returns
+**`Code: 403. Errors:`** which indicates a forbidden API call due to expired
+token usage.
+
+You can **renew** the token's TTL as long as the token has not expired.
+
+```shell
+$ vault token renew <TOKEN>
+```
+
+If you want to renew and extend the token's TTL, pass the desired extension:
+
+```shell
+$ vault token renew <TOKEN> <EXTENSION>
+```
+
+Or with revamped cli:
+
+```shell
+$ vault token renew -increment=<EXTENSION> <TOKEN>
+```
+
+The extension value can be an integer number of seconds (e.g. 3600) or a string
+duration (e.g. "1h").
+
+#### API call using cURL
+
+Use the `auth/token/create` endpoint to create a new token. There are a number of
+optional [parameters](/api/auth/token/index.html#create-token) that you can pass
+in the request payload.
+
+**Example:**
+
+The following example sets the `ttl` parameter.
+
+```shell
+# Create a new token with TTl of 30 seconds
+$ curl --header "X-Vault-Token: ..." --request POST \
+     --data '{"ttl": "30s"}' \
+     http://127.0.0.1:8200/v1/auth/token/create | jq
+{
+  ...
+ "auth": {
+   "client_token": "f7d88963-1aba-64d7-11a0-9282ae7681d0",
+   "accessor": "c0a40d94-b814-e46f-7e56-ee18fccdf1b6",
+   "policies": [
+     "admin"
+   ],
+   "metadata": null,
+   "lease_duration": 30,
+   "renewable": true
+ }
+}
+
+# Pass the returned token (`client_token`) in the `X-Vault-Token` header to test
+$ curl --header "X-Vault-Token: f7d88963-1aba-64d7-11a0-9282ae7681d0" \
+     --request GET \
+     http://127.0.0.1:8200/v1/auth/token/lookup-self | jq
+{
+  ...
+ "data": {
+   "accessor": "c0a40d94-b814-e46f-7e56-ee18fccdf1b6",
+   "creation_time": 1515702669,
+   "creation_ttl": 30,
+    ...
+   "renewable": true,
+   "ttl": 14
+ },
+ ...
+}
+```
+
+When you invoke the API using the new token immediately following its
+creation, it should work. Wait for 30 seconds and try again. It returns
+**`Code: 403. Errors:`** which indicates a forbidden API call due to expired
+token usage.
+
+#### Renew the token:
+
+```shell
+$ curl --header "X-Vault-Token: ..." --request POST \
+       http://127.0.0.1:8200/v1/auth/token/renew/<TOKEN> | jq
+
+# Renew token with 1 hour extension
+$ curl --header "X-Vault-Token: ..." --request POST \
+       --data '{"increment": "3600"}' \
+       http://127.0.0.1:8200/v1/auth/token/renew/<TOKEN> | jq
+```
+
+-> **NOTE:** Tokens can be renewed as long as its life hasn't reached its max
+TTL. For example, if the token's TTL is 1 hour and max TTL is 24 hours, you can
+renew the token up to 24 hours from its creation time. Once 24 hours has passed from
+the token's creation time, the token is revoked by Vault. For long running
+processes, this may introduce complexity. In such case, use [periodic tokens](#step4).
+
+### <a name="step3"></a>Step 3: Create tokens with use limit
+
+In addition to TTL and max TTL, tokens may be limited to a number of uses. Use
+limit tokens expire at the end of their last use regardless of their remaining
+TTLs. On the same note, use limit tokens expire at the end of their TTLs
+regardless of their remaining uses.
+
+To create tokens with a use limit, set the number of uses when you
+create them.
+
+#### CLI command
+
+Create a token with the `-use-limit` property argument.
+
+**Example:**
+
+```shell
+$ vault token create -policy=default -use-limit=2
+
+Key            	Value
+---            	-----
+token          	bd39178e-176e-cc91-3930-94f7b0194de5
+token_accessor 	a230f5ab-b59f-db0b-855d-36ea4319b58e
+token_duration 	768h0m0s
+token_renewable	true
+token_policies 	[default]
+```
+
+This creates a token with the _default_ policy and a use limit of 2.
+
+#### Verification
+
+```shell
+$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault token lookup
+
+Key             	Value
+---             	-----
+accessor        	a230f5ab-b59f-db0b-855d-36ea4319b58e
+creation_time   	1515710251
+creation_ttl    	2764800
+display_name    	token
+expire_time     	2018-02-12T22:37:31.715486503Z
+explicit_max_ttl	0
+id              	bd39178e-176e-cc91-3930-94f7b0194de5
+issue_time      	2018-01-11T22:37:31.715486221Z
+meta            	<nil>
+num_uses        	1
+orphan          	false
+path            	auth/token/create
+policies        	[default]
+renewable       	true
+ttl             	2764769
+
+
+$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault write cubbyhole/token \
+    value=bd39178e-176e-cc91-3930-94f7b0194de5
+
+Success! Data written to: cubbyhole/token
+
+
+$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault read cubbyhole/token
+Error reading cubbyhole/token: Error making API request.
+
+URL: GET http://127.0.0.1:8200/v1/cubbyhole/token
+Code: 403. Errors:
+
+* permission denied
+```
+
+The first command read the token's properties and then wrote a value to the cubbyhole
+secret engine. This exhausted the use limit of 2 for this token. Therefore,
+the attempt to read the secret from the cubbyhole failed.
+
+#### API call using cURL
+
+Set the `num_uses` property in the request payload.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." --request POST  \
+       --data '{ "policies": ["default"], "num_uses":2 }' \
+       http://127.0.0.1:8200/v1/auth/token/create | jq
+{
+  "request_id": "0e98ff80-2825-7f50-6522-b6f95d596ef4",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668",
+    "accessor": "4dd5ef0d-8515-c3ae-ea49-016c3e9eb968",
+    "policies": [
+      "default"
+    ],
+    "metadata": null,
+    "lease_duration": 2764800,
+    "renewable": true
+  }
+}
+```
+
+This creates a token with the _default_ policy and a use limit of 2.
+
+#### Verification
+
+```text
+$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
+       --request GET \
+       http://127.0.0.1:8200/v1/auth/token/lookup-self | jq
+{
+  "request_id": "77be1321-c0ca-e099-6f92-4ad87133b044",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "accessor": "4dd5ef0d-8515-c3ae-ea49-016c3e9eb968",
+    "creation_time": 1515711922,
+    "creation_ttl": 2764800,
+    "display_name": "token",
+    "expire_time": "2018-02-12T23:05:22.746137253Z",
+    "explicit_max_ttl": 0,
+    "id": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668",
+    "issue_time": "2018-01-11T23:05:22.746136892Z",
+    "meta": null,
+    "num_uses": 1,
+    ...
+}
+
+$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
+       --request POST \
+       --data '{ "value": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668" }' \
+       http://127.0.0.1:8200/v1/cubbyhole/token
+
+
+$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
+       --request GET \
+       http://127.0.0.1:8200/v1/cubbyhole/token | jq
+{
+  "errors": [
+    "permission denied"
+  ]
+}
+```
+
+The first command read the token's properties and then wrote a value to the cubbyhole
+secret engine. This exhausted the use limit of 2 for this token. Therefore,
+the attempt to read the secret from the cubbyhole failed.
+
+### <a name="step4"></a>Step 4: Periodic tokens
+
+**Root** or **sudo** users have the ability to generate **periodic tokens**.
+Periodic tokens have a TTL, but no max TTL; therefore, they may live for an
+infinite duration of time so long as they are renewed within their TTL. This
+is useful for long-running services that cannot handle regenerating a token.
+
+#### CLI command
+
+First, create a token role with a specific `period`. When you set `period`,
+tokens created for this role will have no max TTL. Instead, the `period` becomes
+the token renewal period. This value can be an integer value in seconds (e.g.
+
+2764800. or a string duration (e.g. 72h).
+
+```shell
+$ vault write auth/token/roles/<ROLE_NAME> allowed_policies="<POLICY_NAMES>" period=<RENEWAL_PERIOD>
+```
+
+**Example:**
+
+```shell
+$ vault write auth/token/roles/zabbix allowed_policies="default" period="24h"
+```
+
+Now, generate a token:
+
+```shell
+$ vault token create -role=zabbix
+
+Key            	Value
+---            	-----
+token          	de91ebba-20ad-18ba-fa43-08e1932de301
+token_accessor 	1f8abad0-c1db-9399-15ee-dd4b6230386c
+token_duration 	24h0m0s
+token_renewable	true
+token_policies 	[default]
+```
+
+#### API call using cURL
+
+First, create a token role by setting `period`. When you set `period`, tokens
+created for this role will have no max TTL. Instead, the `period` becomes the
+token renewal period. This value can be an integer value in seconds (e.g.
+
+2764800. or a string duration (e.g. 72h).
+
+**Example:**
+
+```shell
+# API request payload
+$ tee payload.json <<EOF
+{
+	"allowed_policies": [
+		"default"
+	],
+	"period": "24h"
+}
+EOF
+
+# Create a token role called 'zabbix'
+$ curl --header "X-Vault-Token: ..." --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/auth/token/roles/zabbix
+```
+
+This creates a token role named `zabbix` with `default` policies attached.
+Its renewal period is set to 24 hours.
+
+Now, generate a token:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." --request POST \
+     http://127.0.0.1:8200/v1/auth/token/create/zabbix | jq
+{
+  ...
+  "auth": {
+    "client_token": "a59c0d41-8df7-ba8e-477e-9bfb394f28a0",
+    "accessor": "c2023006-ce8d-532b-136f-330223ccf464",
+    "policies": [
+      "default"
+    ],
+    "metadata": null,
+    "lease_duration": 86400,
+    "renewable": true,
+    "entity_id": ""
+  }
+```
+
+Generated tokens are renewable indefinitely as long as they are renewed
+before the lease duration expires. The token renew command was covered in
+[Step 2](#step2).
+
+#### Additional Note: Periodic Tokens with AppRole
+
+It probably makes better sense to create **AppRole** periodic tokens since we
+are talking about long-running apps that need to be able to renew their token
+indefinitely.
+
+-> For more details about AppRole, read the [AppRole Pull
+Authentication](/guides/identity/authentication.html) guide.
+
+To create AppRole periodic tokens, create your AppRole role with
+`period` specified.
+
+**Example:**
+
+```plaintext
+$ vault write auth/approle/role/jenkins policies="jenkins" period="72h"
+```
+
+Or
+
+```shell
+# Sample request payload
+$ tee payload.json <<EOF
+{
+  "allowed_policies": [
+		"jenkins"
+	],
+  "period": "72h"
+}
+EOF
+
+# Create a role named 'jenkins'
+$ curl --header "X-Vault-Token:..." --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/auth/approle/role/jenkins
+```
+
+### <a name="step5"></a>Step 5: Orphan tokens
+
+Orphan tokens are **not** children of their parent; therefore, orphan tokens do
+not expire when their parent does.
+
+**NOTE:** Orphan tokens still expire when their own max TTL is reached.
+
+#### CLI command
+
+The following CLI command requires **root** token or **sudo** capability on the
+`auth/token/create` path.
+
+```shell
+$ vault token create -orphan
+```
+
+#### API call using cURL
+
+To create an orphan token, use the **`auth/token/create-orphan`** endpoint:
+
+```shell
+$ curl --header "X-Vault-Token:..." --request POST \
+       http://127.0.0.1:8200/v1/auth/token/create-orphan | jq
+```
+
+Also, you can create an orphan token using the **`auth/token/create`** endpoint with
+`no-parent` parameter set to true.
+
+```shell
+$ curl --header "X-Vault-Token:..." --request POST \
+       --data '{ "no_parent": true }' \
+       http://127.0.0.1:8200/v1/auth/token/create | jq
+```
+
+!> **NOTE:** The **`auth/token/create`** endpoint requires **root** token or
+**sudo** capability to create an orphan token while
+**`auth/token/create-orphan`** endpoint does not.
+
+### <a name="step6"></a>Step 6: Revoke tokens and leases
+
+Revoking a token and all its children.
+
+#### CLI command
+
+To revoke a specific token:
+
+```shell
+$ vault token revoke <TOKEN>
+```
+
+To revoke all leases under a specific path:
+
+```shell
+$ vault lease revoke -prefix <PATH>
+```
+
+**Example:**
+
+```shell
+# Revoke a specific token
+$ vault token revoke eeaf890e-4b0f-a687-4190-c75b1d6d70bc
+
+# Revoke all leases for database auth method
+$ vault lease revoke -prefix database/creds
+
+# Revoke all tokens
+$ vault lease revoke -prefix auth/token/create
+
+# Revoke all tokens by accessor
+$ vault token revoke -accessor 2b2b5b83-7f22-fecd-03f0-4e25bf64da11
+```
+
+#### API call using cURL
+
+To revoke a specific token, call `/auth/token/revoke` endpoint. If you want to revoke tokens/secrets under a specific path, call `/sys/leases/revoke-prefix/<PATH>`.
+
+**Example:**
+
+```shell
+# Revoke a specific token
+$ curl --header "X-Vault-Token:..." --request POST \
+       --data '{ "token": "eeaf890e-4b0f-a687-4190-c75b1d6d70bc" }' \
+       http://127.0.0.1:8200/v1/auth/token/revoke
+
+# Revoke all secrets for database auth method
+$ curl --header "X-Vault-Token:..." --request POST \
+       http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/database/creds
+
+# Revoke all tokens
+$ curl --header "X-Vault-Token:..." --request POST \
+       http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/auth/token/create
+
+# Revoke all tokens by accessor
+$ curl --header "X-Vault-Token: ..." --request POST \
+       --data '{ "accessor": "2b2b5b83-7f22-fecd-03f0-4e25bf64da11" }' \
+       http://127.0.0.1:8200/v1/auth/token/revoke-accessor
+```
+
+## Advanced Features
+
+It is important to understand lease configuration to avoid having your
+secret leases expire earlier than you expected.
+
+#### 1. Determine the TTLs specific to the mount
+
+```shell
+$ vault secrets list
+
+Path        Type       Accessor            Plugin  Default TTL  Max TTL  Force No Cache  Replication Behavior  Seal Wrap  Description
+cubbyhole/  cubbyhole  cubbyhole_36021b8e  n/a     n/a          n/a      false           local                 false      per-token private secret storage
+database/   database   database_e21b9b4f   n/a     system       system   false           replicated            false
+identity/   identity   identity_035fe03b   n/a     n/a          n/a      false           replicated            false      identity store
+pki/        pki        pki_9ae09eb3        n/a     system       system   false           replicated            false
+secret/     kv         kv_2e59ba96         n/a     system       system   false           replicated            false      key/value secret storage
+ssh/        ssh        ssh_ea06b9bb        n/a     system       system   false           replicated            false
+sys/        system     system_f5b5ecac     n/a     n/a          n/a      false           replicated            false      system endpoints used for control, policy and debugging
+transit/    transit    transit_07fc2df9    n/a     system       system   false           replicated            false
+```
+
+Notice the **Default TTL** and **Max TTL** columns.
+
+#### 2. Tune the system TTLs
+
+Override the global defaults by specifying `default_lease_ttl` and
+`max_lease_ttl` to meet your requirements.
+
+**Example:**
+
+The following example assumes that you have a database secret engine configured.
+
+```shell
+$ vault write sys/mounts/database/tune default_lease_ttl="8640"
+```
+
+Or
+
+```shell
+$ curl --header "X-Vault-Token:..." --request POST \
+       --data '{ "max_lease_ttl": 129600}' \
+       http://127.0.0.1:8200/v1/sys/mounts/database/tune
+```
+
+#### 3. Check the role specific TTLs
+
+Depending on the auth method, there may be more specific TTLs configured (e.g.
+roles, groups, users) as you have done so in [Step 4](#step4).
+
+```shell
+$ vault read auth/token/roles/zabbix
+
+Key                	Value
+---                	-----
+allowed_policies   	[default]
+disallowed_policies	[]
+explicit_max_ttl   	0
+name               	zabbix
+orphan             	false
+path_suffix
+period             	86400
+renewable          	true
+```
+
+## Next steps
+
+Now that you have learned the lifecycle of tokens and leases, read the [AppRole Pull
+Authentication](/guides/identity/authentication.html) guide to learn how to generate
+tokens for apps or machines.
diff --git a/website/pages/guides/identity/policies.mdx b/website/pages/guides/identity/policies.mdx
new file mode 100644
index 000000000000..649e6edd84e5
--- /dev/null
+++ b/website/pages/guides/identity/policies.mdx
@@ -0,0 +1,646 @@
+---
+layout: guides
+page_title: Policies - Guides
+sidebar_title: Policies
+description: Policies in Vault control what a user can access.
+---
+
+# Policies
+
+In Vault, we use policies to govern the behavior of clients and instrument
+Role-Based Access Control (RBAC) by specifying access privileges
+(_authorization_).
+
+When you first initialize Vault, the
+[**`root`**](/docs/concepts/policies.html#root-policy) policy gets created by
+default. The `root` policy is a special policy that gives superuser access to
+_everything_ in Vault. This allows the superuser to set up initial policies,
+tokens, etc.
+
+In addition, another built-in policy,
+[**`default`**](/docs/concepts/policies.html#default-policy), is created. The
+`default` policy is attached to all tokens and provides common permissions.
+
+Everything in Vault is path based, and admins write policies to grant or forbid
+access to certain paths and operations in Vault. Vault operates on a **secure by
+default** standard, and as such, an empty policy grants **no permissions** in the
+system.
+
+### HashiCorp Configuration Language (HCL)
+
+Policies written in [HCL](https://github.com/hashicorp/hcl) format are often
+referred as **_ACL Policies_**. [Sentinel](https://www.hashicorp.com/sentinel) is
+another framework for policy which is available in [Vault
+Enterprise](/docs/enterprise/index.html). Since Sentinel is an enterprise-only
+feature, this guide focuses on writing ACL policies as a foundation.
+
+**NOTE:** HCL is JSON compatible; therefore, JSON can be used as completely
+valid input.
+
+## Reference Material
+
+- [Policies](/docs/concepts/policies.html#default-policy) documentation
+- [Policy API](/api/system/policy.html) documentation
+- [Getting Started guide](/intro/getting-started/policies.html) on policies
+
+~> **NOTE:** An [interactive
+tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policies) is
+also available if you do not have a Vault environment to perform the steps
+described in this guide.
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The scenario described in this guide introduces the following personas:
+
+- **`root`** sets up initial policies for `admin`
+- **`admin`** is empowered with managing a Vault infrastructure for a team or
+  organizations
+- **`provisioner`** configures secret engines and creates policies for
+  client apps
+
+## Challenge
+
+Since Vault centrally secures, stores, and controls access to secrets across
+distributed infrastructure and applications, it is critical to control
+permissions before any user or machine can gain access.
+
+## Solution
+
+Restrict the use of root policy, and write fine-grained policies to practice
+**least privileged**. For example, if an app gets AWS credentials from Vault,
+write policy grants to `read` from AWS secret engine but not to `delete`, etc.
+
+Policies are attached to tokens and roles to enforce client permissions on
+Vault.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### Policy requirements
+
+Since this guide demonstrates the creation of an **`admin`** policy, log in with
+**`root`** token if possible. Otherwise, make sure that you have the following
+permissions:
+
+```shell
+# Manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth"
+{
+  capabilities = ["read"]
+}
+
+# Create and manage ACL policies via CLI
+path "sys/policy/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create and manage ACL policies via API
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# To list policies - Step 3
+path "sys/policy"
+{
+  capabilities = ["read"]
+}
+
+# To perform Step 4
+path "sys/capabilities"
+{
+  capabilities = ["create", "update"]
+}
+
+# To perform Step 4
+path "sys/capabilities-self"
+{
+  capabilities = ["create", "update"]
+}
+
+# List, create, update, and delete key/value secrets
+path "secret/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage secret engines broadly across Vault
+path "sys/mounts/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List existing secret engines
+path "sys/mounts"
+{
+  capabilities = ["read"]
+}
+
+# Read health checks
+path "sys/health"
+{
+  capabilities = ["read", "sudo"]
+}
+```
+
+## Steps
+
+The basic workflow of creating policies is:
+
+![Policy Creation Workflow](/img/vault-policy-authoring-workflow.png)
+
+This guide demonstrates basic policy authoring and management tasks.
+
+1. [Write ACL policies in HCL format](#step1)
+1. [Create policies](#step2)
+1. [View existing policies](#step3)
+1. [Check capabilities of a token](#step4)
+
+### <a name="step1"></a>Step 1: Write ACL policies in HCL format
+
+Remember, an empty policy grants **no permission** in the system. Therefore, ACL
+policies are defined for each path.
+
+```shell
+path "<PATH>" {
+  capabilities = [ "<LIST_OF_CAPABILITIES>" ]
+}
+```
+
+-> The path can have a wildcard ("`*`") at the end to allow for
+namespacing. For example, "`secret/training_*`" grants permissions on any
+path starting with "`secret/training_`" (e.g. `secret/training_vault`).
+
+Define one or more [capabilities](/docs/concepts/policies.html#capabilities) on each path to control operations that are
+permitted.
+
+| Capability | Associated HTTP verbs |
+| ---------- | --------------------- |
+| create     | POST/PUT              |
+| read       | GET                   |
+| update     | POST/PUT              |
+| delete     | DELETE                |
+| list       | LIST                  |
+
+#### Policy requirements
+
+The first step in creating policies is to **gather policy requirements**.
+
+**Example:**
+
+**`admin`** is a type of user empowered with managing a Vault infrastructure for
+a team or organizations. Empowered with sudo, the Administrator is focused on
+configuring and maintaining the health of Vault cluster(s) as well as
+providing bespoke support to Vault users.
+
+`admin` must be able to:
+
+- Enable and manage auth methods broadly across Vault
+- Manage the key/value secret engines at `secret/` path
+- Create and manage ACL policies broadly across Vault
+- Read system health check
+
+**`provisioner`** is a type of user or service that will be used by an automated
+tool (e.g. Terraform) to provision and configure a namespace within a Vault
+secret engine for a new Vault user to access and write secrets.
+
+`provisioner` must be able to:
+
+- Enable and manage auth methods
+- Manage the key/value secret engines at `secret/` path
+- Create and manage ACL policies
+
+Now, you are ready to author policies to fulfill these requirements.
+
+#### Example policy for admin
+
+`admin-policy.hcl`
+
+```shell
+# Manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth"
+{
+  capabilities = ["read"]
+}
+
+# List existing policies via CLI
+path "sys/policy"
+{
+  capabilities = ["read"]
+}
+
+# Create and manage ACL policies via CLI
+path "sys/policy/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create and manage ACL policies via API
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List, create, update, and delete key/value secrets
+path "secret/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage secret engines broadly across Vault
+path "sys/mounts/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List existing secret engines
+path "sys/mounts"
+{
+  capabilities = ["read"]
+}
+
+# Read health checks
+path "sys/health"
+{
+  capabilities = ["read", "sudo"]
+}
+```
+
+#### Example policy for provisioner
+
+`provisioner-policy.hcl`
+
+```shell
+# Manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth"
+{
+  capabilities = ["read"]
+}
+
+# List existing policies via CLI
+path "sys/policy"
+{
+  capabilities = ["read"]
+}
+
+# Create and manage ACL policies via CLI
+path "sys/policy/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create and manage ACL policies via API
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List, create, update, and delete key/value secrets
+path "secret/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+```
+
+### <a name="step2"></a>Step 2: Create policies
+
+Now, create `admin` and `provisioner` policies in Vault.
+
+#### CLI command
+
+To create policies:
+
+```shell
+$ vault policy write <POLICY_NAME> <POLICY_FILE>
+```
+
+**Example:**
+
+```shell
+# Create admin policy
+$ vault policy write admin admin-policy.hcl
+
+# Create provisioner policy
+$ vault policy write provisioner provisioner-policy.hcl
+```
+
+**NOTE:** To update an existing policy, simply re-run the same command by
+passing your modified policy (`*.hcl`).
+
+#### API call using cURL
+
+To create a policy, use the
+[`sys/policies/acl`](/api/system/policies.html#create-update-acl-policy)
+endpoint:
+
+```shell
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request PUT \
+       --data <PAYLOAD> \
+       <VAULT_ADDRESS>/v1/sys/policies/acl/<POLICY_NAME>
+```
+
+Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
+stringified policy.
+
+-> **NOTE:** To create ACL policies, you can use the
+[`sys/policy`](/api/system/policy.html) endpoint as well.
+
+**Example:**
+
+```shell
+# Create the API request payload. Use stringified policy expression.
+$ tee admin-payload.json <<EOF
+{
+  "policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete auth methods\npath \"sys/auth/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"sudo\"]\n}\n\n# List auth methods\npath \"sys/auth\"\n{\n  capabilities = [\"read\"]\n}\n\n# List existing policies\npath \"sys/policies\"\n{\n  capabilities = [\"read\"]\n}\n\n# Create and manage ACL policies broadly across Vault\npath \"sys/policies/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete key/value secrets\npath \"secret/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# Manage and manage secret engines broadly across Vault.\npath \"sys/mounts/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List existing secret engines.\npath \"sys/mounts\"\n{\n  capabilities = [\"read\"]\n}\n\n# Read health checks\npath \"sys/health\"\n{\n  capabilities = [\"read\", \"sudo\"]\n}"
+}
+EOF
+
+# Create admin policy
+$ curl --header "X-Vault-Token: ..." \
+       --request PUT \
+       --data @admin-payload.json \
+       http://127.0.0.1:8200/v1/sys/policies/acl/admin
+
+# Create the API requset payload for creating provisioner policy
+$ tee provisioner-payload.json <<EOF
+{
+  "policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete auth methods\npath \"sys/auth/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"sudo\"]\n}\n\n# List existing policies\npath \"sys/policy\"\n{\n  capabilities = [\"read\"]\n}\n\n# Create and manage ACL policies\npath \"sys/policy/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\n\n# List, create, update, and delete key/value secrets\npath \"secret/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}"
+}
+EOF
+
+# Create provisioner policy
+$ curl --header "X-Vault-Token: ..." \
+       --request PUT \
+       --data @provisioner-payload.json \
+       http://127.0.0.1:8200/v1/sys/policies/acl/provisioner
+```
+
+**NOTE:** To update an existing policy, simply re-run the same command by
+passing your modified policy in the request payload (`*.json`).
+
+### <a name="step3"></a>Step 3: View existing policies
+
+Make sure that you see the policies you created in [Step 2](#step2).
+
+#### CLI command
+
+The following command lists existing policies:
+
+```shell
+$ vault policy list
+```
+
+To view a specific policy:
+
+```shell
+$ vault policy read <POLICY_NAME>
+```
+
+**Example:**
+
+```shell
+# Read admin policy
+$ vault policy read admin
+
+# Mount and manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "sys/auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "sudo"]
+}
+
+# Create and manage ACL policies broadly across Vault
+path "sys/policy/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+...
+```
+
+#### API call using cURL
+
+To list existing ACL policies, use the `sys/policies/acl` endpoint.
+
+```shell
+$ curl --request LIST --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policies/acl | jq
+```
+
+To read a specific policy, the endpoint path should be
+`sys/policies/acl/<POLICY_NAME>`.
+
+-> **NOTE:** To read existing ACL policies, you can use the `sys/policy`
+endpoint as well.
+
+**Example:**
+
+```shell
+# Read the admin policy
+$ curl --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policies/acl/admin | jq
+{
+  "request_id": "3f826e5c-70a0-2998-8082-fe34c67c59d1",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "name": "admin",
+    "policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n  capabilities = [\"create\", \"read\" ...
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+### <a name="step4"></a>Step 4: Check capabilities of a token
+
+This step shows how to print out the permitted capabilities of a token on a
+path. This can help verifying what operations are granted based on the policies
+attached to the token.
+
+#### CLI command
+
+The command is:
+
+```shell
+$ vault token capabilities <TOKEN> <PATH>
+```
+
+**Example:**
+
+First, create a token attached to `admin` policy.
+
+```shell
+$ vault token create -policy="admin"
+Key                  Value
+---                  -----
+token                2sHGlAHNj36LpqQ2Zevl2Owi
+token_accessor       4G4UIsQOMwifg7vMLqf6QIc3
+token_duration       768h
+token_renewable      true
+token_policies       ["admin" "default"]
+identity_policies    []
+policies             ["admin" "default"]
+```
+
+Now, fetch the capabilities of this token on the `sys/auth/approle` path.
+
+```plaintext
+$ vault token capabilities 2sHGlAHNj36LpqQ2Zevl2Owi sys/auth/approle
+create, delete, read, sudo, update
+```
+
+The result should match the policy rule you wrote on the `sys/auth/*` path. You
+can repeat the steps to generate a token for `provisioner` and check its
+capabilities on paths.
+
+In the absence of a token, it returns the capabilities of the current token
+invoking this command.
+
+```shell
+$ vault token capabilities sys/auth/approle
+root
+```
+
+#### API call using cURL
+
+Use the `sys/capabilities` endpoint.
+
+**Example:**
+
+First, create a token attached to the `admin` policy:
+
+```shell
+$ curl --request POST --header "X-Vault-Token: ..." --data '{ "policies":"admin" }' \
+       http://127.0.0.1:8200/v1/auth/token/create
+{
+   "request_id": "bd9b3216-f7e6-610c-4861-38b9112a1821",
+   "lease_id": "",
+   "renewable": false,
+   "lease_duration": 0,
+   "data": null,
+   "wrap_info": null,
+   "warnings": null,
+   "auth": {
+     "client_token": "3xlduc1vGMD7vKeGLyONAxdS",
+     "accessor": "FOoNv0YJSCqtPVCpW03qVeKd",
+     "policies": [
+       "admin",
+       "default"
+     ],
+     "token_policies": [
+       "admin",
+       "default"
+     ],
+     "metadata": null,
+     "lease_duration": 2764800,
+     "renewable": true,
+     "entity_id": ""
+   }
+}
+```
+
+Now, fetch the capabilities of this token on the `sys/auth/approle` path.
+
+```shell
+# Request payload
+$ tee payload.json <<EOF
+{
+  "token": "3xlduc1vGMD7vKeGLyONAxdS",
+  "path": "sys/auth/approle"
+}
+EOF
+
+$ curl --request POST --header "X-Vault-Token: ..." \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/sys/capabilities | jq
+{
+  "sys/auth/approle": [
+    "create",
+    "delete",
+    "read",
+    "sudo",
+    "update"
+  ],
+  "capabilities": [
+    "create",
+    "delete",
+    "read",
+    "sudo",
+    "update"
+  ],
+  ...
+}
+```
+
+The result should match the policy rule you wrote on the `sys/auth/*` path. You can
+repeat the steps to generate a token for `provisioner` and check its
+capabilities on paths.
+
+To check the current token's capabilities permitted on a path, use
+the `sys/capabilities-self` endpoint.
+
+```plaintext
+$ curl --request POST --header "X-Vault-Token: ..." \
+       --data '{"path":"sys/auth/approle"}' \
+       http://127.0.0.1:8200/v1/sys/capabilities-self
+```
+
+## Next steps
+
+In this guide, you learned how to write policies based on given policy
+requirements. Next, the [AppRole Pull Authentication](/guides/identity/authentication.html)
+guide demonstrates how to associate policies to a role.
+
+To learn about Sentinel policies, refer to the [Sentinel
+Policies](/guides/identity/sentinel.html) guide.
diff --git a/website/pages/guides/identity/policy-templating.mdx b/website/pages/guides/identity/policy-templating.mdx
new file mode 100644
index 000000000000..b1f29f4db097
--- /dev/null
+++ b/website/pages/guides/identity/policy-templating.mdx
@@ -0,0 +1,610 @@
+---
+layout: guides
+page_title: ACL Policy Path Templating - Guides
+description: 'As of 0.11, ACL policies support templating to allow non-static policy paths.'
+---
+
+# ACL Policy Path Templating
+
+Vault operates on a **secure by default** standard, and as such, an empty policy
+grants **no permissions** in the system. Therefore, policies must be created to
+govern the behavior of clients and instrument Role-Based Access Control (RBAC)
+by specifying access privileges (_authorization_).
+
+Since everything in Vault is path based, policy authors must be aware of
+all existing paths as well as paths to be created.
+
+The [Policies](/guides/identity/policies.html) guide walks you through the
+creation of ACL policies in Vault.
+
+-> This guide highlights the use of ACL templating which was introduced in
+**Vault 0.11**.
+
+## Reference Material
+
+- [Templated Policies](/docs/concepts/policies.html#templated-policies)
+- [Policy API](/api/system/policy.html)
+- [Identity: Entities and Groups](/guides/identity/identity.html)
+- [Streamline Secrets Management with Vault Agent and Vault 0.11](https://youtu.be/zDnIqSB4tyA?t=24m37s)
+
+~> **NOTE:** An [interactive
+tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policy-templating)
+is also available if you do not have a Vault environment to perform the steps
+described in this guide.
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Challenge
+
+The only way to specify non-static paths in ACL policies was to use globs (`*`)
+at the end of paths.
+
+```hcl
+path "transit/keys/*" {
+  capabilities = [ "read" ]
+}
+
+path "secret/webapp_*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+```
+
+This makes many management and delegation tasks challenging. For example,
+allowing a user to change their own password by invoking the
+`auth/userpass/users/<user_name>/password` endpoint can require either a policy
+for _every user_ or requires the use of Sentinel which is a part of [Vault
+Enterprise](/docs/enterprise/sentinel/index.html).
+
+## Solution
+
+As of **Vault 0.11**, ACL templating capability is available to allow a subset
+of user information to be used within ACL policy paths.
+
+-> **NOTE:** This feature leverages [Vault
+Identities](/docs/secrets/identity/index.html) to inject values into ACL policy
+paths.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have an environment
+with **Vault 0.11** or later. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault.
+
+Alternately, you can use the [Vault
+Playground](https://www.katacoda.com/hashicorp/scenarios/vault-playground)
+environment.
+
+~> This guide assumes that you know how to create ACL policies. If you don't,
+go through the interactive [Policy
+tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policies) or
+[Policies](/guides/identity/policies.html) guide first.
+
+### Policy requirements
+
+Since this guide demonstrates the creation of an `admin` policy, log in with the
+`root` token if possible. Otherwise, refer to the policy requirement in the
+[Policies](/guides/identity/policies.html#policy-requirements) guide.
+
+## Steps
+
+Assume that the following policy requirements were given:
+
+- Each _user_ can perform all operations on their allocated key/value secret
+  path (`user-kv/data/<user_name>`)
+- The education _group_ has a dedicated key/value secret store for each region where
+  all operations can be performed by the group members
+  (`group-kv/data/education/<region>`)
+- The _group_ members can update the group information such as metadata about
+  the group (`identity/group/id/<group_id>`)
+
+In this guide, you are going to perform the following steps:
+
+1. [Write templated ACL policies](#step1)
+1. [Deploy your policy](#step2)
+1. [Setup an entity and a group](#step3)
+1. [Test the ACL templating](#step4)
+
+### <a name="step1"></a>Step 1: Write templated ACL policies
+
+Policy authors can pass in a policy path containing double curly braces as
+templating delimiters: `{{<parameter>}}`.
+
+#### Available Templating Parameters
+
+| Name                                                                   | Description                                                             |
+| :--------------------------------------------------------------------- | :---------------------------------------------------------------------- |
+| `identity.entity.id`                                                   | The entity's ID                                                         |
+| `identity.entity.name`                                                 | The entity's name                                                       |
+| `identity.entity.metadata.<<metadata key>>`                            | Metadata associated with the entity for the given key                   |
+| `identity.entity.aliases.<<mount accessor>>.id`                        | Entity alias ID for the given mount                                     |
+| `identity.entity.aliases.<<mount accessor>>.name`                      | Entity alias name for the given mount                                   |
+| `identity.entity.aliases.<<mount accessor>>.metadata.<<metadata key>>` | Metadata associated with the alias for the given mount and metadata key |
+| `identity.groups.ids.<<group id>>.name`                                | The group name for the given group ID                                   |
+| `identity.groups.names.<<group name>>.id`                              | The group ID for the given group name                                   |
+| `identity.groups.ids.<<group id>>.metadata.<<metadata key>>`           | Metadata associated with the group for the given key                    |
+| `identity.groups.names.<<group name>>.metadata.<<metadata key>>`       | Metadata associated with the group for the given key                    |
+
+-> **NOTE:** Identity groups are not directly attached to a token and an entity
+can be associated with multiple groups. Therefore, in order to reference a
+group, the **group ID** or **group name** must be provided (e.g.
+`identity.groups.ids.59f001d5-dd49-6d63-51e4-357c1e7a4d44.name`).
+
+Example:
+
+This policy allows users to change their own password given that the username
+and password are defined in the `userpass` auth method. The mount accessor
+value (`auth_userpass_6671d643` in this example) can be read from the `sys/auth` endpoint.
+
+```hcl
+path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_6671d643.name}}" {
+  capabilities = [ "update" ]
+  allowed_parameters = {
+    "password" = []
+  }
+}
+```
+
+#### Write the following policies:
+
+User template (`user-tmpl.hcl`)
+
+```hcl
+# Grant permissions on user specific path
+path "user-kv/data/{{identity.entity.name}}/*" {
+	capabilities = [ "create", "update", "read", "delete", "list" ]
+}
+
+# For Web UI usage
+path "user-kv/metadata" {
+  capabilities = ["list"]
+}
+```
+
+Group template (`group-tmpl.hcl`)
+
+```hcl
+# Grant permissions on the group specific path
+# The region is specified in the group metadata
+path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
+	capabilities = [ "create", "update", "read", "delete", "list" ]
+}
+
+# Group member can update the group information
+path "identity/group/id/{{identity.groups.names.education.id}}" {
+  capabilities = [ "update", "read" ]
+}
+
+# For Web UI usage
+path "group-kv/metadata" {
+  capabilities = ["list"]
+}
+
+path "identity/group/id" {
+  capabilities = [ "list" ]
+}
+```
+
+### <a name="step2"></a>Step 2: Deploy your policy
+
+- [CLI command](#step2-cli)
+- [API call using cURL](#step2-api)
+- [Web UI](#step2-ui)
+
+#### <a name="step2-cli"></a>CLI command
+
+```shell
+# Create the user-tmpl policy
+$ vault policy write user-tmpl user-tmpl.hcl
+
+# Create the group-tmpl policy
+$ vault policy write group-tmpl group-tmpl.hcl
+```
+
+#### <a name="step2-api"></a>API call using cURL
+
+To create a policy, use the `/sys/policies/acl` endpoint:
+
+```sh
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request PUT \
+       --data <PAYLOAD> \
+       <VAULT_ADDRESS>/v1/sys/policies/acl/<POLICY_NAME>
+```
+
+Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
+stringified policy.
+
+Example:
+
+```shell
+# API request payload for user-tmpl
+$ tee payload_user.json <<EOF
+{
+  "policy": "path "user-kv/data/{{identity.entity.name}}/*" {\n capabilities = [ "create", "update", "read", "delete", "list" ]\n } ..."
+}
+EOF
+
+# Create user-tmpl policy
+$ curl --header "X-Vault-Token: ..." \
+       --request PUT
+       --data @payload_user.json \
+       http://127.0.0.1:8200/v1/sys/policies/acl/user-tmpl
+
+# API request payload for group-tmpl
+$ tee payload_group.json <<EOF
+{
+   "policy": "path "group-kv/data/{{identity.group.id}}/*" {\n capabilities = [ "create", "update", "read", "delete", "list" ]\n }"
+}
+EOF
+
+# Create group-tmpl policy
+$ curl --header "X-Vault-Token: ..." \
+       --request PUT
+       --data @payload_group.json \
+       http://127.0.0.1:8200/v1/sys/policies/acl/group-tmpl
+```
+
+#### <a name="step2-ui"></a>Web UI
+
+Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
+then login.
+
+1. Click the **Policies** tab, and then select **Create ACL policy**.
+
+1. Toggle **Upload file**, and click **Choose a file** to select the
+   `user-tmpl.hcl` file you wrote at [Step 1](#step1).
+
+   ![Create Policy](/img/vault-ctrl-grp-2.png)
+
+   This loads the policy and sets the **Name** to `user-tmpl`.
+
+1. Click the **Create Policy** button.
+
+1. Repeat the steps to create the `group-tmpl` policy.
+
+### <a name="step3"></a>Step 3: Setup an entity and a group
+
+Let's create an entity, **`bob_smith`** with a user **`bob`** as its entity
+alias. Also, create a group, **`education`** and add the **`bob_smith`** entity
+as its group member.
+
+![Entity & Group](/img/vault-acl-templating.png)
+
+-> This step only demonstrates CLI commands and Web UI to create
+entities and groups. Refer to the [Identity - Entities and
+Groups](/guides/identity/identity.html) guide if you need the full details.
+
+- [CLI command](#step3-cli)
+- [Web UI](#step3-ui)
+
+#### <a name="step3-cli"></a>CLI command
+
+The following command uses [`jq`](https://stedolan.github.io/jq/download/) tool
+to parse JSON output.
+
+```shell
+# Enable userpass
+$ vault auth enable userpass
+
+# Create a user, bob
+$ vault write auth/userpass/users/bob password="training"
+
+# Retrieve the userpass mount accessor and save it in a file named, accessor.txt
+$ vault auth list -format=json | jq -r '.["userpass/"].accessor' > accessor.txt
+
+# Create bob_smith entity and save the identity ID in the entity_id.txt
+$ vault write -format=json identity/entity name="bob_smith" policies="user-tmpl" \
+        | jq -r ".data.id" > entity_id.txt
+
+# Add an entity alias for the bob_smith entity
+$ vault write identity/entity-alias name="bob" \
+       canonical_id=$(cat entity_id.txt) \
+       mount_accessor=$(cat accessor.txt)
+
+# Finally, create education group and add bob_smith entity as a member
+# Save the generated group ID in the group_id.txt file
+$ vault write -format=json identity/group name="education" \
+      policies="group-tmpl" \
+      metadata=region="us-west" \
+      member_entity_ids=$(cat entity_id.txt)  \
+      | jq -r ".data.id" > group_id.txt
+```
+
+#### <a name="step3-ui"></a>Web UI
+
+1.  Click the **Access** tab, and select **Enable new method**.
+
+1.  Select **Username & Password** from the **Type** drop-down menu.
+
+1.  Click **Enable Method**.
+
+1.  Click the Vault CLI shell icon (**`>_`**) to open a command shell. Enter the
+    following command to create a new user, **`bob`**.
+
+    ```plaintext
+    $ vault write auth/userpass/users/bob password="training"
+    ```
+
+    ![Create Policy](/img/vault-ctrl-grp-3.png)
+
+1.  Click the icon (**`>_`**) again to hide the shell.
+
+1.  From the **Access** tab, select **Entities** and then **Create entity**.
+
+1.  Enter **`bob_smith`** in the **Name** field and enter **`user-tmpl`** in the
+    **Policies** filed.
+
+1.  Click **Create**.
+
+1.  Select **Add alias**. Enter **`bob`** in the **Name** field and select
+    **`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
+
+1.  Select the **`bob_smith`** entity and copy its **ID** displayed under the
+    **Details** tab.
+
+1.  Click **Groups** from the left navigation, and select **Create group**.
+
+1.  Enter **`education`** in the **Name**, and enter **`group-tmpl`** in the
+    **Policies** fields. Under **Metadata**, enter **`region`** as a key and
+    **`us-west`** as the key value. Enter the `bob_smith` entity ID in the **Member
+    Entity IDs** field.
+    ![Group](/img/vault-acl-templating-2.png)
+
+1.  Click **Create**.
+
+### <a name="step4"></a>Step 4: Test the ACL templating
+
+- [CLI command](#step4-cli)
+- [API call using cURL](#step4-api)
+- [Web UI](#step4-ui)
+
+#### <a name="step4-cli"></a>CLI Command
+
+1.  Enable key/value v2 secrets engine at `user-kv` and `group-kv` paths.
+
+    ```plaintext
+    $ vault secrets enable -path=user-kv kv-v2
+
+    $ vault secrets enable -path=group-kv kv-v2
+    ```
+
+1.  Log in as **`bob`**.
+
+    ```plaintext
+    $ vault login -method=userpass username="bob" password="training"
+
+    Key                    Value
+    ---                    -----
+    token                  5f2b2594-f0b4-0a7b-6f51-767345091dcc
+    token_accessor         78b652dd-4320-f18f-b882-0732b7ae9ac9
+    token_duration         768h
+    token_renewable        true
+    token_policies         ["default"]
+    identity_policies      ["group-tmpl" "user-tmpl"]
+    policies               ["default" "group-tmpl" "user-tmpl"]
+    token_meta_username    bob
+    ```
+
+1.  Remember that `bob` is a member of the `bob_smith` entity; therefore, the
+    "`user-kv/data/{{identity.entity.name}}/*`" expression in the `user-tmpl` policy
+    translates to "**`user-kv/data/bob_smith/*`**". Let's test!
+
+    ```plaintext
+    $ vault kv put user-kv/bob_smith/apikey webapp="12344567890"
+    Key              Value
+    ---              -----
+    created_time     2018-08-30T18:28:30.845345444Z
+    deletion_time    n/a
+    destroyed        false
+    version          1
+    ```
+
+1.  The region was set to `us-west` for the `education` group that the
+    `bob_smith` belongs to. Therefore, the
+    "`group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*`"
+    expression in the `group-tmpl` policy translates to
+    "**`group-kv/data/education/us-west/*`**". Let's verify.
+
+    ```plaintext
+    $ vault kv put group-kv/education/us-west/db_cred password="ABCDEFGHIJKLMN"
+    Key              Value
+    ---              -----
+    created_time     2018-08-30T18:29:02.023749491Z
+    deletion_time    n/a
+    destroyed        false
+    version          1
+    ```
+
+1.  Verify that you can update the group information. The `group-tmpl` policy
+    permits "update" and "read" on the
+    "`identity/group/id/{{identity.groups.names.education.id}}`" path. In [Step
+    2](#step2), you saved the `education` group ID in the `group_id.txt` file.
+
+    ```plaintext
+    $ vault write identity/group/id/$(cat group_id.txt) \
+            policies="group-tmpl" \
+            metadata=region="us-west" \
+            metadata=contact_email="james@example.com"
+    ```
+
+    Read the group information to verify that the data has been updated.
+
+    ```plaintext
+    $ vault read identity/group/id/$(cat group_id.txt)
+
+    Key                  Value
+    ---                  -----
+    alias                map[]
+    creation_time        2018-08-29T20:38:49.383960564Z
+    id                   d6ee454e-915a-4bef-9e43-4ffd7762cd4c
+    last_update_time     2018-08-29T22:52:42.005544616Z
+    member_entity_ids    [1a272450-d147-c3fd-63ae-f16b65b5ee02]
+    member_group_ids     <nil>
+    metadata             map[contact_email:james@example.com region:us-west]
+    modify_index         3
+    name                 education
+    parent_group_ids     <nil>
+    policies             [group-tmpl]
+    type                 internal
+    ```
+
+#### <a name="step4-api"></a>API call using cURL
+
+1.  Enable key/value v2 secrets engine at `user-kv` and `group-kv` paths.
+
+    ```plaintext
+    $ tee payload.json <<EOF
+    {
+      "type": "kv",
+      "options": {
+        "version": "2"
+      }
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: ..." \
+           --request POST \
+           --data @payload.json \
+           https://127.0.0.1:8200/v1/sys/mounts/user-kv
+
+    $ curl --header "X-Vault-Token: ..." \
+           --request POST \
+           --data @payload.json \
+           https://127.0.0.1:8200/v1/sys/mounts/group-kv
+    ```
+
+1.  Log in as **`bob`**.
+
+    ```plaintext
+    $ curl --request POST \
+           --data '{"password": "training"}' \
+           http://127.0.0.1:8200/v1/auth/userpass/login/bob | jq
+    ```
+
+    Copy the generated **`client_token`** value for `bob`.
+
+1.  Remember that `bob` is a member of the `bob_smith` entity; therefore, the
+    "`user-kv/data/{{identity.entity.name}}/*`" expression in the `user-tmpl` policy
+    translates to "**`user-kv/data/bob_smith/*`**". Let's test!
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: <bob_client_token>" \
+            --request POST \
+            --data '{ "data": {"webapp": "12344567890"} }' \
+            http://127.0.0.1:8200/v1/user-kv/data/bob_smith/apikey
+    ```
+
+1.  The region was set to `us-west` for the `education` group that the
+    `bob_smith` belongs to. Therefore, the
+    "`group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*`"
+    expression in the `group-tmpl` policy translates to
+    "**`group-kv/data/education/us-west/*`**". Let's verify.
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: <bob_client_token>" \
+            --request POST \
+            --data '{ "data": {"password": "ABCDEFGHIJKLMN"} }' \
+            http://127.0.0.1:8200/v1/group-kv/data/education/us-west/db_cred
+    ```
+
+1.  Verify that you can update the group information. The `group-tmpl` policy
+    permits "update" and "read" on the
+    "`identity/group/id/{{identity.groups.names.education.id}}`" path.
+
+    ```plaintext
+    $ tee group_info.json <<EOF
+    {
+      "metadata": {
+        "region": "us-west",
+        "contact_email": "james@example.com"
+      },
+      "policies": "group-tmpl"
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: <bob_client_token>" \
+            --request POST \
+            --data @group_info.json \
+            http://127.0.0.1:8200/v1/identity/group/id/<education_group_id>
+    ```
+
+    Where the group ID is the ID returned in [Step 2](#step2). (NOTE: If you performed
+    Step 2 using the CLI commands, the group ID is stored in the `group_id.txt`
+    file. If you performed the tasks via Web UI, copy the `education` group ID
+    from UI.)
+
+    Read the group information to verify that the data has been updated.
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: <bob_client_token>" \
+            http://127.0.0.1:8200/v1/identity/group/id/<education_group_id>
+    ```
+
+#### <a name="step4-ui"></a>Web UI
+
+1. In **Secrets** tab, select **Enable new engine**.
+
+1. Select the radio-button for **KV**, and then click **Next**.
+
+1. Enter **`user-kv`** in the path field, and then select **2** for KV
+   version.
+
+1. Click **Enable Engine**.
+
+1. Return to **Secrets** and then select **Enable new engine** again.
+
+1. Select the radio-button for **KV**, and then click **Next**.
+
+1. Enter **`group-kv`** in the path field, and then select **2** for KV
+   version.
+
+1. Click **Enable Engine**.
+
+1. Now, sign out as the current user so that you can log in as `bob`. ![Sign
+off](/img/vault-acl-templating-3.png)
+
+1. In the Vault sign in page, select **Username** and then enter **`bob`** in
+   the **Username** field, and **`training`** in the **Password** field.
+
+1. Click **Sign in**.
+
+1. Remember that `bob` is a member of the `bob_smith` entity; therefore, the
+   "`user-kv/data/{{identity.entity.name}}/*`" expression in the `user-tmpl` policy
+   translates to "**`user-kv/data/bob_smith/*`**". Select **`user-kv`** secrets
+   engine, and then select **Create secret**.
+
+1. Enter **`bob_smith/apikey`** in the **PATH FOR THIS SECRET** field,
+   **`webapp`** in the key field, and **`12344567890`** in its value field.
+
+1. Click **Save**. You should be able to perform this successfully.
+
+1. The region was set to `us-west` for the `education` group that the
+   `bob_smith` belongs to. Therefore, the
+   "`group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*`"
+   expression in the `group-tmpl` policy translates to
+   "**`group-kv/data/education/us-west/*`**". From the **Secrets** tab, select
+   **`group-kv`** secrets engine, and then select **Create secret**.
+
+1. Enter **`education/us-west/db_cred`** in the **PATH FOR THIS SECRET** field.
+   Enter **`password`** in the key field, and **`ABCDEFGHIJKLMN`** in its value
+   field.
+
+1. Click **Save**. You should be able to perform this successfully.
+
+1. To verify that you can update the group information which is allowed by the
+   "`identity/group/id/{{identity.groups.names.education.id}}`" expression in the
+   `group-tmpl` policy, select the **Access** tab.
+
+1. Select **Groups**, and then **`education`**.
+
+1. Select **Edit group**. Add a new metadata where the key is
+   **`contact_email`** and its value is **`james@example.com`**.
+
+1. Click **Save**. The group metadata should be successfully updated.
+
+## Next steps
+
+To learn about Sentinel policies to implement finer-grained policies, refer to
+the [Sentinel Policies](/guides/identity/sentinel.html) guide.
diff --git a/website/pages/guides/identity/secure-intro.mdx b/website/pages/guides/identity/secure-intro.mdx
new file mode 100644
index 000000000000..e3de93c37808
--- /dev/null
+++ b/website/pages/guides/identity/secure-intro.mdx
@@ -0,0 +1,177 @@
+---
+layout: guides
+page_title: Secure Introduction of Vault Clients - Guides
+sidebar_title: Secure Introduction of Vault Clients
+description: |-
+  This introductory guide walk through the mechanism of Vault clients to
+  authenticate with Vault. There are two approaches at a high-level: platform
+  integration, and trusted orchestrator.
+---
+
+# Secure Introduction of Vault Clients
+
+A _secret_ is something that will elevate the risk if exposed to unauthorized
+entities and results in undesired consequences (e.g. unauthorized data access);
+therefore, only the **_trusted entities_** should have an access to your
+secrets.
+
+If you can securely get the first secret from an originator to a consumer, all
+subsequent secrets transmitted between this originator and consumer can be
+authenticated with the trust established by the successful distribution and user
+of that first secret. Getting the first secret to the consumer, is the **_secure
+introduction_** challenge.
+
+![Secure Introduction](/img/vault-secure-intro-1.png)
+
+The Vault authentication process verifies the secret consumer's identity and
+then generate a **token** to associate with that identity.
+[Tokens](/docs/concepts/tokens.html) are the core method for authentication
+within Vault which means that the secret consumer must first acquire a valid
+token.
+
+## Challenge
+
+How does a secret consumer (an application or machine) prove that it is the
+legitimate recipient for a secret so that it can acquire a token?
+
+How can you avoid persisting raw token values during our secure
+introduction?
+
+## Secure Introduction Approach
+
+Vault's auth methods perform authentication of its client and assigning a set of
+policies which defines the permitted operations for the client.
+
+![Auth Method](/img/vault-auth-method.png)
+
+There are three basic approaches to securely authenticate a secret consumer:
+
+- [Platform Integration](#platform-integration)
+- [Trusted Orchestrator](#trusted-orchestrator)
+- [Vault Agent](#vault-agent)
+
+## Platform Integration
+
+In the **Platform Integration** model, Vault trusts the underlying platform
+(e.g. AliCloud, AWS, Azure, GCP) which assigns a token or cryptographic identity
+(such as IAM token, signed JWT) to virtual machine, container, or serverless
+function.
+
+Vault uses the provided identifier to verify the identity of the client by
+interacting with the underlying platform. After the client identity is verified,
+Vault returns a token to the client that is bound to their identity and policies
+that grant access to secrets.
+
+![Platform Integration](/img/vault-secure-intro-2.png)
+
+For example, suppose we have an application running on a virtual machine in AWS
+EC2. When that instance is started, an IAM token is provided via the machine
+local metadata URL. That IAM token is provided to Vault, as part of the AWS Auth
+Method, to login and authenticate the client. Vault uses that token to query the
+AWS API and verify the token validity and fetch additional metadata about the
+instance (Account ID, VPC ID, AMI, Region, etc). These properties are used to
+determine the identity of the client and to distinguish between different roles
+(e.g. a Web server versus an API server).
+
+Once validated and assigned to a role, Vault generates a token that is
+appropriately scoped and returns it to the client. All future requests from the
+client are made with the associated token, allowing Vault to efficiently
+authenticate the client and check for proper authorizations when consuming
+secrets.
+
+![Vault AWS EC2 Authentication Flow](/img/vault-aws-ec2-auth-flow.png)
+
+### Use Case
+
+When the client app is running on a VM hosted on a supported cloud platform, you
+can leverage the corresponding auth method to authenticate with Vault.
+
+### Reference Materials:
+
+- [AWS Auth Method](/docs/auth/aws.html)
+- [Azure Auth Method](/docs/auth/azure.html)
+- [GCP Auth Method](/docs/auth/gcp.html)
+
+## Trusted Orchestrator
+
+In the **Trusted Orchestrator** model, you have an _orchestrator_ which is
+already authenticated against Vault with privileged permissions. The
+orchestrator launches new applications and inject a mechanism they can use to
+authenticate (e.g. AppRole, PKI cert, token, etc) with Vault.
+
+![Trusted Orchestrator](/img/vault-secure-intro-3.png)
+
+For example, suppose [Terraform](https://www.terraform.io/) is being used as a
+trusted orchestrator. This means Terraform already has a Vault token, with
+enough capabilities to generate new tokens or create new mechanisms to
+authenticate such as an AppRole. Terraform can interact with platforms such as
+VMware to provision new virtual machines. VMware does not provide a
+cryptographic identity, so a platform integration isn't possible. Instead,
+Terraform can provision a new AppRole credential, and SSH into the new machine
+to inject the credentials. Terraform is creating the new credential in Vault,
+and making that credential available to the new resource. In this way, Terraform
+is acting as a trusted orchestrator and extending trust to the new machine. The
+new machine, or application running on it, can use the injected credentials to
+authenticate against Vault.
+
+![AppRole auth method workflow](/img/vault-secure-intro-4.png)
+
+### Use Case
+
+When you are using an orchestrator tool such as Chef to launch applications,
+this model can be applied regardless of where the applications are running.
+
+### Reference Materials:
+
+- [AppRole Auth Method](/docs/auth/approle.html)
+  - [AppRole Pull Authentication](/guides/identity/authentication.html)
+  - [AppRole with Terraform and Chef Demo](/guides/identity/approle-trusted-entities.html)
+- [TLS Certificates Auth Method](/docs/auth/cert.html)
+- [Token Auth Method](/docs/auth/token.html)
+  - [Cubbyhole Response Wrapping](/guides/secret-mgmt/cubbyhole.html)
+
+## Vault Agent
+
+Vault agent is a client daemon which automates the workflow of client login and
+token refresh. It can be used with either [platform
+integration](#platform-integration) or [trusted
+orchestrator](#trusted-orchestrator) approaches.
+
+#### Vault agent auto-auth:
+
+- Automatically authenticates to Vault for those [supported auth
+  methods](/docs/agent/autoauth/methods/index.html)
+- Keeps token renewed (re-authenticates as needed) until the renewal is no
+  longer allowed
+- Designed with robustness and fault tolerance
+
+![Vault Agent](/img/vault-secure-intro-5.png)
+
+To leverage this feature, run the vault binary in agent mode (`vault agent -config=<config_file>`) on the client. The agent configuration file must specify
+the auth method and [sink](/docs/agent/autoauth/sinks/index.html) locations
+where the token to be written.
+
+When the agent is started, it will attempt to acquire a Vault token using the
+auth method specified in the agent configuration file. On successful
+authentication, the resulting token is written to the sink locations.
+Optionally, this token can be response-wrapped or encrypted. Whenever the
+current token value changes, the agent writes to the sinks. If authentication
+fails, the agent waits for a while and then retry.
+
+The client can simply retrieve the token from the sink and connect to Vault
+using the token. This simplifies client integration since the Vault agent
+handles the login and token refresh logic.
+
+### Reference Materials:
+
+- [Streamline Secrets Management with Vault Agent and Vault 0.11](https://youtu.be/zDnIqSB4tyA)
+- [Vault Agent documentation](/docs/agent/index.html)
+- [Auto-Auth documentation](/docs/agent/autoauth/index.html)
+
+## Next steps
+
+When a [platform integration](#platform-integration) is available that should be
+preferred, as it is generally the simpler solution and works independent of the
+orchestration mechanism. For a [trusted orchestrator](#trusted-orchestrator),
+specific documentation for that orchestrator should be consulted on Vault
+integration.
diff --git a/website/pages/guides/identity/sentinel.mdx b/website/pages/guides/identity/sentinel.mdx
new file mode 100644
index 000000000000..3e7ec530fe07
--- /dev/null
+++ b/website/pages/guides/identity/sentinel.mdx
@@ -0,0 +1,588 @@
+---
+layout: guides
+page_title: Sentinel - Guides
+sidebar_title: Sentinel Policies
+description: |-
+  Vault Enterprise supports Sentinel to provide a rich set of access control
+  functionality. This guide walks through the creation and usage of role
+  governing policies (RGPs) and endpoint governing policies (EGPs).
+---
+
+# Sentinel Policies
+
+~> **Enterprise Only:** Sentinel is a part of _Vault Enterprise Premium_.
+
+_Sentinel_ is a language framework for policy build to be embedded in Vault
+Enterprise to enable fine-grained, logic-based policy decisions which cannot be
+fully handled by the ACL policies.
+
+**Role Governing Policies (RGPs)** and **Endpoint Governing
+Policies (EGPs)** can be defined using Sentinel:
+
+- RGPs are tied to particular tokens, identity entities, or identity groups
+- EGPs are tied to particular paths (e.g. `aws/creds/`)
+
+> This guide walks you through the authoring of Sentinel policies in Vault. For
+> ACL policy authoring, refer to the [Policies](/guides/identity/policies.html)
+> guide.
+
+## Reference Material
+
+- [Sentinel Getting Started Guide](https://docs.hashicorp.com/sentinel/intro/getting-started/first-policy)
+- [Sentinel](https://docs.hashicorp.com/sentinel/) documentation
+- [Vault Sentinel](/docs/enterprise/sentinel/index.html) documentation
+- [Security and Fundamentals at Scale with Vault](https://www.youtube.com/watch?time_continue=121&v=yiPbKICFkvQ)
+- [Identity - Entities and Groups](/guides/identity/identity.html) guide
+
+## Estimated Time to Complete
+
+5 - 10 minutes
+
+## Challenge
+
+ACL policies are **_path-based_** that it has the following challenges:
+
+- Cannot grant permissions based on logics other than paths
+- Paths are merged in ACL policies which could potentially cause a conflict as
+  the number of policies grows
+
+What if the policy requirement was to grant read permission on `secret/orders`
+path **_only if_** the request came from an IP address within a certain CIDR?
+
+## Solution
+
+Use Sentinel policies (RGPs and/or EGPs) to fulfill more complex policy
+requirements.
+
+Sentinel can access properties of the incoming requests and make a decision
+based on a certain set of conditions. Available properties include:
+
+- **request** - Information about the request itself (path, operation type,
+  parameters, etc.)
+- **token** - Information about the token being used (creation time, attached
+  policies, etc.)
+- **identity** - Identity entities and all related data
+- **mfa** - Information about successful MFA validations
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a **_Vault
+Enterprise_** environment.
+
+### Policy requirements
+
+Since this guide demonstrates the creation of policies, log in with highly
+privileged token such as **`root`**. Required permissions are:
+
+```shell
+# To list policies
+path "sys/policies/*"
+{
+  capabilities = ["list"]
+}
+
+# Create and manage EGPs
+path "sys/policies/egp/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+```
+
+## Steps
+
+This guide demonstrates basic Sentinel policy authoring and management tasks.
+
+1. [Write Sentinel Policies](#step1)
+1. [Test the Sentinel Policies](#step2)
+1. [Deploy your EGP policies](#step3)
+1. [Delete Sentinel Policies](#step4)
+
+### <a name="step1"></a>Step 1: Write Sentinel Policies
+
+#### Anatomy of Sentinel Policies
+
+```hcl
+import "<library>"
+
+<variable> = <value>
+
+main = rule {
+     <conditions_to_evaluate>
+}
+```
+
+- **`import`** - Enables your policy to access reusable libraries. There are a
+  set of built-in [imports](https://docs.hashicorp.com/sentinel/imports/)
+  available to help define your policy rules.
+
+- **`main`** (required) - Every Sentinel policy must have a **`main`** rule
+  which is evaluated to determine the result of a policy.
+
+- **`rule`** - A first-class construct in Sentinel. It describes a set of
+  conditions resulting in either true or false. (NOTE: Refer to the [Boolean
+  Expressions](https://docs.hashicorp.com/sentinel/language/boolexpr) for the full
+  list of available operators in writing rules.)
+
+- **`<variable>`** - Variables are dynamically typed in Sentinel. You can define
+  its value explicitly or implicitly by the host system or [function](https://docs.hashicorp.com/sentinel/language/functions).
+
+~> **NOTE:** The Sentinel language supports many features such as functions,
+loops, slices, etc. You can learn about all of this in the [complete language
+guide](https://docs.hashicorp.com/sentinel/language/).
+
+#### Policy requirements
+
+In this guide, you are going to write Sentinel policies that fulfill the
+following requirements:
+
+1. Any incoming request against the "`secret/accounting/*`" to be performed
+   during the business hours (7:00 am to 6:00 pm during the work days).
+
+1. Any `create`, `update` and `delete` operations against Key/Value secret
+   engine (mounted at "`secret`") **must** come from an internal IP of
+   `122.22.3.4/32` CIDR.
+
+#### Sentinel Policies
+
+Requirement #1: **`business-hrs.sentinel`**
+
+```shell
+import "time"
+
+# Expect requests to only happen during work days (Monday through Friday)
+# 0 for Sunday and 6 for Saturday
+workdays = rule {
+    time.now.weekday > 0 and time.now.weekday < 6
+}
+
+# Expect requests to only happen during work hours (7:00 am - 6:00 pm)
+workhours = rule {
+    time.now.hour > 7 and time.now.hour < 18
+}
+
+main = rule {
+    workdays and workhours
+}
+```
+
+Requirement #2: **`cidr-check.sentinel`**
+
+```shell
+import "sockaddr"
+import "strings"
+
+# Only care about create, update, and delete operations against secret path
+precond = rule {
+    request.operation in ["create", "update", "delete"] and
+    strings.has_prefix(request.path, "secret/")
+}
+
+# Requests to come only from our private IP range
+cidrcheck = rule {
+    sockaddr.is_contained(request.connection.remote_addr, "122.22.3.4/32")
+}
+
+# Check the precondition before execute the cidrcheck
+main = rule when precond {
+    cidrcheck
+}
+```
+
+> **NOTE:** The **`main`** has conditional rule (`when precond`) to ensure that
+> the rule gets evaluated only if the request is relevant.
+
+~> Refer to the [Sentinel Properties](/docs/enterprise/sentinel/properties.html)
+documentation for available properties which Vault injects to Sentinel to allow
+fine-grained controls.
+
+### <a name="step2"></a>Step 2: Test the Sentinel Policies
+
+You can test the Sentinel policies prior to deployment in orders to validate
+syntax and to document expected behavior.
+
+1.  First, you need to download the [Sentinel simulator](https://docs.hashicorp.com/sentinel/downloads.html).
+
+    **Example:**
+
+    ```plaintext
+    $ wget https://releases.hashicorp.com/sentinel/0.3.1/sentinel_0.3.1_darwin_amd64.zip
+    $ unzip sentinel_0.3.1_darwin_amd64.zip -d /usr/local/bin
+    ```
+
+1.  Create a sub-folder named, **`test`** where `cidr-check.sentinel` and
+    `business-hrs.sentinel` policies are located. Under the `test` folder, you want
+    to create a sub-folder for each policy: **`cidr-check`** and **`business-hrs`**.
+
+    ```plaintext
+    $ mkdir -p test/business-hrs
+    $ mkdir -p test/cidr-check
+    ```
+
+    > **NOTE:** The test should be created under `/test/<policy_name>` folder.
+
+1.  Write a passing test case in a file named, **`success.json`** under
+    `test/business-hrs` directory.
+
+    ```plaintext
+    {
+        "global": {
+            "timespace": {
+                "weekday": 1,
+                "hour": 12
+            }
+        }
+    }
+    ```
+
+    Under **`global`**, you specify the mock test data. In this example, the
+    `weekday` is set to `1` which is **`Monday`** and `hour` is set to `12`
+    which is **`noon`**. Therefore, the `main` should return `true`.
+
+1.  Write a failing test in a file named, **`fail.json`** under `test/business-hrs`.
+
+    ```plaintext
+    {
+        "global": {
+            "timespace": {
+                "weekday": 0,
+                "hour": 12
+            }
+        }
+    }
+    ```
+
+    The mock data is set to **`Sunday`** at **`noon`**; therefore, Therefore, the `main` should return `false`.
+
+1.  Similarly, write a passing test case for `cidr-check` policy, **`test/cidr-check/success.json`**:
+
+    ```plaintext
+    {
+      "global": {
+        "request": {
+          "connection": {
+              "remote_addr": "122.22.3.4"
+          },
+          "operation": "create",
+          "path": "secret/orders"
+        }
+      }
+    ```
+
+    In this example, the `global` specifies the `create` operation is invoked on
+    `secret/orders` endpoint which initiated from an IP address `122.22.3.4`.
+    Therefore, the `main` should return `true`.
+
+1.  Write a failing test for `cidr-check` policy, **`test/cidr-check/fail.json`**.
+
+    ```plaintext
+    {
+      "global": {
+        "request": {
+          "connection": {
+            "remote_addr": "122.22.3.10"
+          },
+          "operation": "create",
+          "path": "secret/orders"
+        }
+      },
+      "test": {
+        "precond": true,
+        "main": false
+      }
+    }
+    ```
+
+    This test will fail because of the IP address mismatch. However, the
+    `precond` should pass since the requested operation is `create` and the
+    targeted endpoint is `secret/orders`.
+
+    > The optional **`test`** definition adds more context to why the test
+    > should fail. The expected behavior is that the test fails because `main`
+    > returns `false` but `precond` should return `true`.
+
+1.  Now, you have written both success and failure tests:
+
+    ```plaintext
+    ├── business-hrs.sentinel
+    ├── cidr-check.sentinel
+    └── test
+        ├── business-hrs
+        │   ├── fail.json
+        │   └── success.json
+        └── cidr-check
+            ├── fail.json
+            └── success.json
+    ```
+
+1.  Execute the test:
+
+    ```plaintext
+    $ sentinel test
+
+    PASS - business-hrs.sentinel
+      PASS - test/business-hrs/success.json  PASS - test/business-hrs/fail.json
+    PASS - cidr-check.sentinel
+      PASS - test/cidr-check/success.json  PASS - test/cidr-check/fail.json
+    ```
+
+    > **NOTE:** If you want to see the tracing and log output for those tests,
+    > run the command with `-verbose` flag.
+
+### <a name="step3"></a>Step 3: Deploy your EGP policies
+
+Sentinel policies has three **enforcement levels**:
+
+| Level          | Description                                                                |
+| -------------- | -------------------------------------------------------------------------- |
+| advisory       | The policy is allowed to fail. Can be used as a tool to educate new users. |
+| soft-mandatory | The policy must pass unless an override is specified.                      |
+| hard-mandatory | The policy must pass no matter what!                                       |
+
+<br />
+
+Since both policies are tied to specific paths, the policy type that you are
+going to create is Endpoint Governing Policies (EGPs).
+
+#### CLI command
+
+1.  Store the Base64 encoded `cidr-check.sentinel` policy in an environment
+    variable named `POLICY`.
+
+    ```plaintext
+    $ POLICY=$(base64 cidr-check.sentinel)
+    ```
+
+1.  Create a policy `cidr-check` with enforcement level of **hard-mandatory** to
+    reject all requests coming from IP addressed that are not internal.
+
+    ```plaintext
+    $ vault write sys/policies/egp/cidr-check \
+            policy="${POLICY}" \
+            paths="secret/*" \
+            enforcement_level="hard-mandatory"
+    ```
+
+1.  You can read the policy by executing the following command:
+
+    ```plaintext
+    $ vault read sys/policies/egp/cidr-check
+    ```
+
+1.  Repeat the steps to create a policy named `business-hrs`.
+
+    ```shell
+    # Encode the business-hrs policy
+    $ POLICY2=$(base64 business-hrs.sentinel)
+
+    # Create a policy with soft-mandatory enforcement-level
+    $ vault write sys/policies/egp/business-hrs \
+            policy="${POLICY2}" \
+            paths="secret/accounting/*" \
+            enforcement_level="soft-mandatory"
+
+    # To read the policy you just created
+    $ vault read sys/policies/egp/business-hrs
+    ```
+
+#### API call using cURL
+
+To create EGP policies, use the `/sys/policies/egp` endpoint:
+
+```plaintext
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request PUT \
+       --data <PAYLOAD> \
+       <VAULT_ADDRESS>/v1/sys/policies/egp/<POLICY_NAME>
+```
+
+Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the Base64 encoded
+policy, endpoint paths, and enforcement level.
+
+1.  Store the Base64 encoded `cidr-check.sentinel` policy in an environment
+    variable named `POLICY`.
+
+    ```plaintext
+    $ POLICY=$(base64 cidr-check.sentinel)
+    ```
+
+1.  Create API request payload.
+
+    ```plaintext
+    $ tee cidr-payload.json <<EOF
+    {
+      "policy": "${POLICY}",
+      "paths": ["secret/*"],
+      "enforcement_level": "hard-mandatory"
+    }
+    EOF
+    ```
+
+1.  Create a policy `cidr-check` with enforcement level of **hard-mandatory** to
+    reject all requests coming from IP addressed that are not internal.
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: ..." \
+            --request PUT \
+            --data @cidr-payload.json \
+            http://127.0.0.1:8200/v1/sys/policies/egp/cidr-check
+    ```
+
+1.  Repeat the steps to create a policy named `business-hrs` with enforcement
+    level of soft-mandatory.
+
+    ```shell
+    # Encode the business-hrs policy
+    $ POLICY2=$(base64 business-hrs.sentinel)
+
+    # Create the request payload
+    $ tee buz-hrs-payload.json <<EOF
+    {
+      "policy": "${POLICY2}",
+      "paths": ["secret/accounting/*"],
+      "enforcement_level": "soft-mandatory"
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: ..." \
+            --request PUT \
+            --data @buz-hrs-payload.json \
+            http://127.0.0.1:8200/v1/sys/policies/egp/business-hrs
+    ```
+
+1.  You can list the EGPs that were created.
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: ..." \
+           --request LIST \
+           http://127.0.0.1:8200/v1/sys/policies/egp | jq
+    ```
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
+then login.
+
+1. Select **Policies** and select the **Endpoint Governing Policies** tab.
+
+1. Select **Create EGP policy**.
+
+1. Enter **`business-hrs`** in the **Name** field.
+
+1. Enter the [**`business-hrs.sentinel`** policy](#sentinel-policies-1) in the
+   **Policy** editor.
+
+1. Select **soft-mandatory** from the **Enforcement level** drop-down list.
+
+1. Enter **`secret/accounting/*`** in the **Paths** field, and then click
+   **Create Policy**.
+
+![EGP](/img/vault-sentinel-1.png)
+
+1. Select **Endpoint Governing Policies** again, and then **Create EGP policy**.
+
+1. Enter **`cidr-check`** in the **Name** field.
+
+1. Enter the [**`cidr-check.sentinel`** policy](#sentinel-policies-1) in the
+   **Policy** editor.
+
+1. Leave the **Enforcement level** as hard-mandatory, and enter **`secret/*`**
+   in the **Paths** field.
+
+1. Click **Create Policy**.
+
+<br />
+
+~> **NOTE:** Unlike ACL policies, EGPs are a _prefix walk_ which allows policies
+to be applied at various points at Vault API. If you have EGPs tied to
+"**`secret/orders`**", "**`secret/*`**" and "**`*`**", all EGPs will be
+evaluated for a request on "**`secret/orders`**".
+
+#### Verification
+
+Once the policies were deployed, `create`, `update` and `delete` operations
+coming from an IP address other than `122.22.3.4` will be denied.
+
+```plaintext
+$ vault kv put secret/accounting/test acct_no="293472309423"
+
+Error writing data to secret/accounting/test: Error making API request.
+
+URL: PUT http://127.0.0.1:8200/v1/secret/accounting/test
+Code: 400. Errors:
+
+* 1 error occurred:
+
+* egp standard policy "cidr-check" evaluation resulted in denial.
+
+The specific error was:
+<nil>
+
+A trace of the execution for policy "cidr-check" is available:
+
+Result: false
+
+Description: Check the precondition before execute the cidrcheck
+
+Rule "main" (byte offset 442) = false
+  false (offset 314): sockaddr.is_contained
+
+Rule "cidrcheck" (byte offset 291) = false
+
+Rule "precond" (byte offset 113) = true
+  true (offset 134): request.operation in ["create", "update", "delete"]
+  true (offset 194): strings.has_prefix
+```
+
+Similarly, you will get an error if any request is made outside of the business
+hours defined by the `business-hrs` policy.
+
+!> **NOTE:** Like with ACL policies, **`root`** tokens are **_NOT_** subject to
+Sentinel policy checks.
+
+### <a name="step4"></a>Step 4: Delete Sentinel Policies
+
+#### CLI Command
+
+To delete EGPs:
+
+```shell
+# Delete the business-hrs EGP
+$ vault delete sys/policies/egp/business-hrs
+
+# Delete the cidr-check EGP
+$ vault delete sys/policies/egp/cidr-check
+```
+
+#### API call using cURL
+
+To delete EGPs:
+
+```shell
+# Delete the business-hrs EGP
+$ curl --header "X-Vault-Token: ..." \
+       --request DELETE \
+       http://127.0.0.1:8200/v1/sys/policies/egp/business-hrs
+
+# Delete the cidr-check EGP
+$ curl --header "X-Vault-Token: ..." \
+      --request DELETE \
+      http://127.0.0.1:8200/v1/sys/policies/egp/cidr-check
+```
+
+#### Web UI
+
+1. Select **Policies** and select the **Endpoint Governing Policies** tab.
+
+1. Select **Delete** from the policy menu for `business-hrs`.
+
+   ![Delete EGP](/img/vault-sentinel-2.png)
+
+1. When prompted, click **Delete** again to confirm.
+
+1. Repeat the steps to delete `cidr-check` policy.
+
+## Next steps
+
+Refer to the [Sentinel Properties](/docs/enterprise/sentinel/properties.html)
+documentation for the full list of properties available in Vault to write
+fine-grained policies to meet your organizational policy requirements.
diff --git a/website/pages/guides/index.mdx b/website/pages/guides/index.mdx
new file mode 100644
index 000000000000..b0985b15341f
--- /dev/null
+++ b/website/pages/guides/index.mdx
@@ -0,0 +1,23 @@
+---
+layout: guides
+page_title: Guides
+description: >-
+  This section provides various guides for common actions. Due to the nature of
+  Vault, some of these procedures can be complex, so our goal is to provide
+  guidance to do them safely.
+---
+
+# Vault Guides
+
+Welcome to the Vault guides! If you are just getting started with Vault, please
+start with the [Vault introduction][intro] instead and then continue on to the
+guides. The guides provide examples for common Vault workflows and actions for
+both users and operators of Vault. Due to the nature of Vault, some of these
+procedures can be complex, so our goal is to provide guidance to do them safely.
+
+<br />
+
+-> Please visit [_Katacoda_](https://www.katacoda.com/hashicorp) where a series
+of interactive tutorials are waiting for you to get started on learning Vault.
+
+[intro]: /intro/index.html
diff --git a/website/pages/guides/operations/autounseal-aws-kms.mdx b/website/pages/guides/operations/autounseal-aws-kms.mdx
new file mode 100644
index 000000000000..26ce62629d3b
--- /dev/null
+++ b/website/pages/guides/operations/autounseal-aws-kms.mdx
@@ -0,0 +1,280 @@
+---
+layout: guides
+page_title: Vault Auto-unseal using AWS KMS - Guides
+sidebar_title: Vault Auto-unseal with AWS KMS
+description: |-
+  In this guide, we'll show an example of how to use Terraform to provision an
+  instance that can utilize an encryption key from AWS Key Management Services
+  to unseal Vault.
+---
+
+# Vault Auto-unseal using AWS Key Management Service
+
+~> **Enterprise Only:** Vault auto-unseal feature is a part of _Vault Enterprise Pro_.
+
+When a Vault server is started, it starts in a
+[**_sealed_**](/docs/concepts/seal.html) state and it does not know how to
+decrypt data. Before any operation can be performed on the Vault, it must be
+unsealed. Unsealing is the process of constructing the master key necessary to
+decrypt the data encryption key.
+
+![Unseal with Shamir's Secret Sharing](/img/vault-autounseal.png)
+
+This guide demonstrates an example of how to use Terraform to provision an
+instance that can utilize an encryption key from [AWS Key Management Services
+(KMS)](https://aws.amazon.com/kms/) to unseal Vault.
+
+## Reference Material
+
+- [Vault Auto Unseal](/docs/configuration/seal/index.html)
+- [Configuration: `awskms` Seal](/docs/configuration/seal/awskms.html)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The steps described in this guide are typically performed by **operations**
+persona.
+
+## Challenge
+
+Vault unseal operation requires a quorum of existing unseal keys split by
+Shamir's Secret sharing algorithm. This is done so that the "_keys to the
+kingdom_" won't fall into one person's hand. However, this process is manual
+and can become painful when you have many Vault clusters as there are now
+many different key holders with many different keys.
+
+## Solution
+
+Vault Enterprise supports opt-in automatic unsealing via cloud technologies:
+Amazon KMS, Azure Key Vault or GCP Cloud KMS. This feature enables operators to
+delegate the unsealing process to trusted cloud providers to ease operations in
+the event of partial failure and to aid in the creation of new or ephemeral
+clusters.
+
+![Unseal with AWS KMS](/img/vault-autounseal-2.png)
+
+## Prerequisites
+
+This guide assumes the following:
+
+- Access to **Vault Enterprise 0.9.0 or later**
+- A URL to download Vault Enterprise from (an Amazon S3 bucket will suffice)
+- AWS account for provisioning cloud resources
+- [Terraform installed](https://www.terraform.io/intro/getting-started/install.html)
+  and basic understanding of its usage
+
+### Download demo assets
+
+Clone or download the demo assets from the
+[hashicorp/vault-guides](https://github.com/hashicorp/vault-guides/tree/master/operations/aws-kms-unseal/terraform-aws)
+GitHub repository to perform the steps described in this guide.
+
+## Steps
+
+This guide demonstrates how to implement and use the Auto-unseal feature using
+AWS KMS. Included is a Terraform configuration that has the following:
+
+- Ubuntu 16.04 LTS with Vault Enterprise
+- An instance profile granting the Amazon EC2 instance to an AWS KMS key
+- Vault configured with access to an AWS KMS key
+
+[![YouTube](/img/vault-autounseal-4.png)](https://youtu.be/iRyqOEDFIiY)
+
+You are going to perform the following steps:
+
+1. [Provision the Cloud Resources](#step-1-provision-the-cloud-resources)
+1. [Test the Auto-unseal Feature](#step-2-test-the-auto-unseal-feature)
+1. [Clean Up](#step-3-clean-up)
+
+### Step 1: Provision the Cloud Resources
+
+**Task 1:** Be sure to set your working directory to where the
+[`/operations/aws-kms-unseal/terraform-aws`](#download-demo-assets) folder is
+located.
+
+The working directory should contain the provided Terraform files:
+
+```bash
+~/git/vault-guides/operations/aws-kms-unseal/terraform$ tree
+.
+├── README.md
+├── instance-profile.tf
+├── instance.tf
+├── main.tf
+├── ssh-key.tf
+├── terraform.tfvars.example
+├── userdata.tpl
+└── variables.tf
+```
+
+**Task 2:** Set your AWS credentials as environment variables:
+
+```plaintext
+$ export AWS_ACCESS_KEY_ID = "<YOUR_AWS_ACCESS_KEY_ID>"
+
+$ export AWS_SECRET_ACCESS_KEY = "<YOUR_AWS_SECRET_ACCESS_KEY>"
+```
+
+Create a file named **`terraform.tfvars`** and specify your Vault Enterprise
+binary download URL.
+
+**Example:**
+
+```plaintext
+vault_url = "https://s3-us-west-2.amazonaws.com/hc-enterprise-binaries/vault/ent/0.10.3/vault-enterprise_0.10.3%2Bent_linux_amd64.zip"
+```
+
+**Task 3:** Perform a **`terraform init`** to pull down the necessary provider
+resources. Then **`terraform plan`** to verify your changes and the resources that
+will be created. If all looks good, then perform a **`terraform apply`** to
+provision the resources.
+
+```plaintext
+$ terraform init
+Initializing provider plugins...
+...
+Terraform has been successfully initialized!
+
+
+$ terraform plan
+...
+Plan: 15 to add, 0 to change, 0 to destroy.
+
+
+$ terraform apply
+...
+Apply complete! Resources: 15 added, 0 changed, 0 destroyed.
+
+Outputs:
+
+connections = Connect to Vault via SSH   ssh ubuntu@192.0.2.1 -i private.key
+Vault Enterprise web interface  http://192.0.2.1:8200/ui
+```
+
+**NOTE:** The Terraform output will display the public IP address to SSH into
+your server as well as the Vault Enterprise web interface address.
+
+### Step 2: Test the Auto-unseal Feature
+
+SSH into the provisioned EC2 instance.
+
+```plaintext
+$ ssh ubuntu@192.0.2.1 -i private.key
+...
+Are you sure you want to continue connecting (yes/no)? yes
+```
+
+When you are prompted, enter "yes" to continue.
+
+To verify that Vault has been installed, run `vault status` command which should
+return "_server is not yet initialized_" message.
+
+```plaintext
+$ export VAULT_ADDR=http://127.0.0.1:8200
+
+$ vault status
+Error checking seal status: Error making API request.
+
+URL: GET http://127.0.0.1:8200/v1/sys/seal-status
+Code: 400. Errors:
+
+* server is not yet initialized
+```
+
+Run the **`vault operator init`** command to initialize the Vault server by
+setting its key share to be **`1`** as follow:
+
+```plaintext
+$ vault operator init -stored-shares=1 -recovery-shares=1 -recovery-threshold=1 -key-shares=1 -key-threshold=1
+Recovery Key 1: oOxAQfxcZitjqZfF3984De8rUckPeahQDUvmJ1A4JrQ=
+Initial Root Token: 54c4dbe3-d45b-79d9-18d0-602831a6a991
+
+Vault initialized successfully.
+
+Recovery key initialized with 1 keys and a key threshold of 1. Please
+securely distribute the above keys.
+```
+
+Stop and start the Vault server:
+
+```plaintext
+$ sudo systemctl stop vault
+
+$ vault status
+Error checking seal status: Get http://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: getsockopt: connection refused
+
+$ sudo systemctl start vault
+```
+
+Check the Vault status to verify that it has been started and unsealed.
+
+```plaintext
+$ vault status
+Type: shamir
+Sealed: false
+Key Shares: 1
+Key Threshold: 1
+Unseal Progress: 0
+Unseal Nonce:
+Version: 0.9.6+prem.hsm
+Cluster Name: vault-cluster-01cf6f33
+Cluster ID: fb787d8a-b882-fee8-b461-445320cde311
+
+High-Availability Enabled: false
+```
+
+Log into Vault using the generated initial root token:
+
+```plaintext
+$ vault login 54c4dbe3-d45b-79d9-18d0-602831a6a991
+Successfully authenticated! You are now logged in.
+token: 54c4dbe3-d45b-79d9-18d0-602831a6a991
+token_duration: 0
+token_policies: [root]
+```
+
+Review the Vault configuration file (`/etc/vault.d/vault.hcl`).
+
+```plaintext
+$ cat /etc/vault.d/vault.hcl
+storage "file" {
+  path = "/opt/vault"
+}
+listener "tcp" {
+  address     = "0.0.0.0:8200"
+  tls_disable = 1
+}
+seal "awskms" {
+  kms_key_id = "d7c1ffd9-8cce-45e7-be4a-bb38dd205966"
+}
+ui=true
+```
+
+Notice the Vault configuration file defines the [`awskms`
+stanza](/docs/configuration/seal/awskms.html) which sets the AWS KMS key ID to
+use for encryption and decryption.
+
+At this point, you should be able to launch the Vault Enterprise UI by entering
+the address provided in the `terraform apply` outputs (e.g. http://192.0.2.1:8200/ui)
+and log in with your initial root token.
+
+![Vault Enterprise UI Login](/img/vault-autounseal-3.png)
+
+### Step 3: Clean Up
+
+Once completed, execute the following commands to clean up:
+
+```plaintext
+$ terraform destroy -force
+
+$ rm -rf .terraform terraform.tfstate* private.key
+```
+
+## Next steps
+
+Once you have a Vault environment setup, the next step is to write policies.
+Read [Policies](/guides/identity/policies.html) to learn how to write policies
+to govern the behavior of clients.
diff --git a/website/pages/guides/operations/deployment-guide.mdx b/website/pages/guides/operations/deployment-guide.mdx
new file mode 100644
index 000000000000..95253ddd448c
--- /dev/null
+++ b/website/pages/guides/operations/deployment-guide.mdx
@@ -0,0 +1,324 @@
+---
+layout: guides
+page_title: Vault Deployment Guide - Guides
+description: |-
+  This deployment guide covers the steps required to install and
+  configure a single HashiCorp Vault cluster as defined in the
+  Vault Reference Architecture.
+ea_version: 1
+---
+
+# Vault Deployment Guide
+
+This deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the [Vault Reference Architecture](/guides/operations/reference-architecture.html).
+
+Below are instructions for installing and configuring Vault on Linux hosts running the systemd system and service manager.
+
+## Reference Material
+
+This deployment guide is designed to work in combination with the [Vault Reference Architecture](/guides/operations/reference-architecture.html). Although not a strict requirement to follow the Vault Reference Architecture, please ensure you are familiar with the overall architecture design; for example installing Vault on multiple physical or virtual (with correct anti-affinity) hosts for high-availability and using Consul for the HA and storage backend.
+
+During the installation of Vault you should also review and apply the recommendations provided in the [Vault Production Hardening](/guides/operations/production.html) guide.
+
+## Overview
+
+To provide a highly-available single cluster architecture, we recommend Vault be deployed to more than one host, as shown in the [Vault Reference Architecture](/guides/operations/reference-architecture.html), and connected to a Consul cluster for persistent data storage.
+
+![Reference Diagram](/img/vault-ref-arch-2-02305ae7.png)
+
+The below setup steps should be completed on all Vault hosts.
+
+- [Download Vault](#download-vault)
+- [Install Vault](#install-vault)
+- [Configure systemd](#configure-systemd)
+- [Configure Consul](#configure-consul)
+- [Configure Vault](#configure-vault)
+- [Start Vault](#start-vault)
+
+## Download Vault
+
+Precompiled Vault binaries are available for download at [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/) and Vault Enterprise binaries are available for download by following the instructions made available to HashiCorp Vault customers.
+
+You should perform checksum verification of the zip packages using the SHA256SUMS and SHA256SUMS.sig files available for the specific release version. HashiCorp provides [a guide on checksum verification](https://www.hashicorp.com/security.html) for precompiled binaries.
+
+```text
+VAULT_VERSION="0.10.3"
+curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
+curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS
+curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig
+```
+
+## Install Vault
+
+Unzip the downloaded package and move the `vault` binary to `/usr/local/bin/`. Check `vault` is available on the system path.
+
+```text
+unzip vault_${VAULT_VERSION}_linux_amd64.zip
+sudo chown root:root vault
+sudo mv vault /usr/local/bin/
+vault --version
+```
+
+The `vault` command features opt-in autocompletion for flags, subcommands, and arguments (where supported). Enable autocompletion.
+
+```text
+vault -autocomplete-install
+complete -C /usr/local/bin/vault vault
+```
+
+Give Vault the ability to use the mlock syscall without running the process as root. The mlock syscall prevents memory from being swapped to disk.
+
+```text
+sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
+```
+
+Create a unique, non-privileged system user to run Vault.
+
+```text
+sudo useradd --system --home /etc/vault.d --shell /bin/false vault
+```
+
+## Configure systemd
+
+Systemd uses [documented sane defaults](https://www.freedesktop.org/software/systemd/man/systemd.directives.html) so only non-default values must be set in the configuration file.
+
+Create a Vault service file at /etc/systemd/system/vault.service.
+
+```text
+sudo touch /etc/systemd/system/vault.service
+```
+
+Add the below configuration to the Vault service file:
+
+```text
+[Unit]
+Description="HashiCorp Vault - A tool for managing secrets"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault.d/vault.hcl
+
+[Service]
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+Capabilities=CAP_IPC_LOCK+ep
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Install]
+WantedBy=multi-user.target
+```
+
+The following parameters are set for the `[Unit]` stanza:
+
+- [`Description`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Description=) - Free-form string describing the vault service
+- [`Documentation`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Documentation=) - Link to the vault documentation
+- [`Requires`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=) - Configure a requirement dependency on the network service
+- [`After`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=) - Configure an ordering dependency on the network service being started before the vault service
+- [`ConditionFileNotEmpty`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#ConditionArchitecture=) - Check for a non-zero sized configuration file before vault is started
+
+The following parameters are set for the `[Service]` stanza:
+
+- [`User`, `Group`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#User=) - Run vault as the vault user
+- [`ProtectSystem`, `ProtectHome`, `PrivateTmp`, `PrivateDevices`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing) - Sandboxing settings to improve the security of the host by restricting vault privileges and access
+- [`SecureBits`, `Capabilities`, `CapabilityBoundingSet`, `AmbientCapabilities`](http://man7.org/linux/man-pages/man7/capabilities.7.html) - Configure the capabilities of the vault process
+- [`NoNewPrivileges`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NoNewPrivileges=) - Prevent vault and any child process from gaining new privileges
+- [`ExecStart`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=) - Start vault with the `server` argument and path to the configuration file
+- [`ExecReload`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecReload=) - Send vault a HUP signal to trigger a configuration reload in vault
+- [`KillMode`](https://www.freedesktop.org/software/systemd/man/systemd.kill.html#KillMode=) - Treat vault as a single process
+- [`KillSignal`](https://www.freedesktop.org/software/systemd/man/systemd.kill.html#KillSignal=) - Send SIGINT signal when shutting down vault
+- [`Restart`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartSec=) - Restart vault ([in a sealed state](/docs/concepts/seal.html)) unless it returned a clean exit code
+- [`RestartSec`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartSec=) - Restart vault after 5 seconds of it being considered 'failed'
+- [`TimeoutStopSec`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#TimeoutStopSec=) - Wait 30 seconds for a clean stop before sending a SIGKILL signal
+- [`StartLimitIntervalSec`, `StartLimitBurst`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=interval) - Limit vault to three start attempts in 60 seconds
+
+The following parameters are set for the `[Install]` stanza:
+
+- [`WantedBy`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy=) - Creates a weak dependency on vault being started by the multi-user run level
+
+## Configure Consul
+
+When using Consul as the storage backend for Vault, we recommend using Consul's [ACL system](https://www.consul.io/docs/guides/acl.html) to restrict access to the path where Vault stores data. This access restriction is an added security measure in addition to the [encryption Vault uses to protect data](/docs/internals/architecture.html) written to the storage backend.
+
+The Consul website provides documentation on [bootstrapping the ACL system](https://www.consul.io/docs/guides/acl.html#bootstrapping-acls), generating a management token and using that token to add some initial tokens for Consul agents, UI access etc. You should complete the bootstrapping section of the Consul documentation before continuing with this guide.
+
+Vault requires a Consul token with specific policy to limit the requests Vault can make to Consul endpoints.
+
+On a host running a Consul agent, and using a Consul management token, create a Consul client token with specific policy for Vault:
+
+### Consul < 1.4
+
+```text
+CONSUL_TOKEN="6609e426-1aeb-4b0d-c302-3a7568fbc1f9"
+curl \
+    --request PUT \
+    --header "X-Consul-Token: ${CONSUL_TOKEN}" \
+    --data \
+'{
+  "Name": "Vault Token",
+  "Type": "client",
+  "Rules": "node \"\" { policy = \"write\" } service \"vault\" { policy = \"write\" } agent \"\" { policy = \"write\" }  key \"vault/\" { policy = \"write\" } session \"\" { policy = \"write\" } "
+}' http://127.0.0.1:8500/v1/acl/create
+```
+
+### Consul >= 1.4
+
+```text
+CONSUL_TOKEN="6609e426-1aeb-4b0d-c302-3a7568fbc1f9"
+curl \
+    --request PUT \
+    --header "X-Consul-Token: ${CONSUL_TOKEN}" \
+    --data \
+'{
+  "Name": "Vault Token",
+  "Type": "client",
+  "Rules": "node_prefix \"\" { policy = \"write\" } service \"vault\" { policy = \"write\" } agent_prefix \"\" { policy = \"write\" }  key_prefix \"vault/\" { policy = \"write\" } session_prefix \"\" { policy = \"write\" } "
+}' http://127.0.0.1:8500/v1/acl/create
+```
+
+The response includes the value you will use as the `token` parameter value in Vault's storage stanza configuration. An example response:
+
+```json
+{ "ID": "fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1" }
+```
+
+## Configure Vault
+
+Vault uses [documented sane defaults](/docs/configuration) so only non-default values must be set in the configuration file.
+
+Create a configuration file at /etc/vault.d/vault.hcl:
+
+```text
+sudo mkdir --parents /etc/vault.d
+sudo touch /etc/vault.d/vault.hcl
+sudo chown --recursive vault:vault /etc/vault.d
+sudo chmod 640 /etc/vault.d/vault.hcl
+```
+
+### Listener stanza
+
+The `listener` stanza configures the addresses and ports on which Vault will respond to requests.
+
+Add the below configuration to the Vault configuration file:
+
+```hcl
+listener "tcp" {
+  address       = "0.0.0.0:8200"
+  tls_cert_file = "/path/to/fullchain.pem"
+  tls_key_file  = "/path/to/privkey.pem"
+}
+```
+
+The following parameters are set for the `tcp` listener stanza:
+
+- [`address`](/docs/configuration/listener/tcp.html#address) `(string: "127.0.0.1:8200")` - Changing from the loopback address to allow external access to the Vault UI
+- [`tls_cert_file`](/docs/configuration/listener/tcp.html#tls_cert_file) `(string: <required-if-enabled>, reloads-on-SIGHUP)` - Must be set when using TLS
+- [`tls_key_file`](/docs/configuration/listener/tcp.html#tls_key_file) `(string: <required-if-enabled>, reloads-on-SIGHUP)` - Must be set when using TLS
+
+[More information about tcp listener configuration](/docs/configuration/listener/tcp.html).
+
+~> Vault should always be configured to use TLS to provide secure communication between clients and the Vault cluster. This requires a certificate file and key file be installed on each Linux host running Vault. The certificate file and key file must have permissions allowing the vault user/group to read them.
+
+### Seal stanza
+
+This is an **ENTERPRISE** feature.
+
+If you are deploying [Vault Enterprise](https://www.hashicorp.com/products/vault), you can include `seal` stanza configuration to specify the seal type to use for additional data protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the Vault master key. This stanza is optional, and if this is not configured, Vault will use the Shamir algorithm to cryptographically split the master key.
+
+If you are deploying Vault Enterprise, you should review the [seal configuration section](/docs/configuration/seal/index.html) of our documentation.
+
+An example PKCS #11 compatible HSM example is:
+
+```hcl
+seal "pkcs11" {
+  lib            = "/usr/vault/lib/libCryptoki2_64.so"
+  slot           = "0"
+  pin            = "AAAA-BBBB-CCCC-DDDD"
+  key_label      = "vault-hsm-key"
+  hmac_key_label = "vault-hsm-hmac-key"
+}
+```
+
+### Storage stanza
+
+The `storage` stanza configures the storage backend, which represents the location for the durable storage of Vault's data.
+
+Add the below configuration to the Vault configuration file:
+
+```hcl
+storage "consul" {
+  token = "{{ consul_token }}"
+}
+```
+
+The following parameters are set for the `consul` storage stanza:
+
+- [`token`](/docs/configuration/storage/consul.html#token) `(string: "")` - Specify the Consul ACL token with permission to read and write from `/vault` in Consul's key-value store
+
+[More information about consul storage configuration](/docs/configuration/storage/consul.html).
+
+~> Vault should always be configured to use a Consul token with a restrictive ACL policy to read and write from `/vault` in Consul's key-value store. This follows the principal of least privilege, ensuring Vault is unable to access Consul key-value data stored outside of the `/vault` path.
+
+### Telemetry stanza
+
+The `telemetry` stanza specifies various configurations for Vault to publish metrics to upstream systems.
+
+If you decide to configure Vault to publish telemetry data, you should review the [telemetry configuration section](/docs/configuration/telemetry.html) of our documentation.
+
+### High Availability Parameters
+
+The `api_addr` parameter configures the API address used in high availability scenarios, when client redirection is used instead of request forwarding. Client redirection is the fallback method used when request forwarding is turned off or there is an error performing the forwarding. As such, a redirect address is always required for all HA setups.
+
+This parameter value defaults to the `address` specified in the `listener` stanza, but Vault will log a `[WARN]` message if it is not explicitly configured.
+
+Add the below configuration to the Vault configuration file:
+
+```hcl
+api_addr = "{{ full URL to Vault API endpoint }}"
+```
+
+[More information about high availability configuration](/docs/configuration/#high-availability-parameters).
+
+### Vault UI
+
+Vault features a web-based user interface, allowing you to easily create, read, update, and delete secrets, authenticate, unseal, and more using a graphical user interface, rather than the CLI or API.
+
+Vault should not be deployed in a public internet facing environment, so enabling the Vault UI is typically of benefit to provide a more familiar experience to administrators who are not as comfortable working on the command line, or who do not have alternative access.
+
+Optionally, add the below configuration to the Vault configuration file to enable the Vault UI:
+
+```hcl
+ui = true
+```
+
+[More information about configuring the Vault UI](/docs/configuration/ui/index.html).
+
+## Start Vault
+
+Enable and start Vault using the systemctl command responsible for controlling systemd managed services. Check the status of the vault service using systemctl.
+
+```text
+sudo systemctl enable vault
+sudo systemctl start vault
+sudo systemctl status vault
+```
+
+## Next Steps
+
+- Read [Production Hardening](/guides/operations/production.html) to learn best
+  practices for a production hardening deployment of Vault.
diff --git a/website/pages/guides/operations/disaster-recovery.mdx b/website/pages/guides/operations/disaster-recovery.mdx
new file mode 100644
index 000000000000..4d4da3f47e0b
--- /dev/null
+++ b/website/pages/guides/operations/disaster-recovery.mdx
@@ -0,0 +1,595 @@
+---
+layout: guides
+page_title: Vault Disaster Recovery Replication Setup - Guides
+sidebar_title: Disaster Recovery Setup
+description: |-
+  This guide demonstrates step-by-step instruction of setting up a disaster
+  recovery (DR) replications.
+---
+
+# Vault Disaster Recovery Replication
+
+~> **Enterprise Only:** Disaster Recovery Replication is a part of _Vault Enterprise Pro_.
+
+It is inevitable for organizations to have a disaster recovery (DR) strategy to
+protect their Vault deployment against catastrophic failure of an entire
+cluster. Vault Enterprise supports multi-datacenter deployment where you can
+replicate data across datacenters for performance as well as disaster recovery.
+
+A cluster is the basic unit of Vault Enterprise replication which follows the
+leader-follower model. A leader cluster is referred to as the **primary**
+cluster and is considered the _system of record_. Data is streamed from the
+primary cluster to all **secondary** (follower) clusters.
+
+![Replication Pattern](/img/vault-ref-arch-8.png)
+
+~> **Important:** In DR replication, secondary clusters **_do not forward_**
+service read or write requests until they are promoted and become a new primary
+
+- they essentially act as a warm standby cluster.
+
+The [Mount Filter](/guides/operations/mount-filter.html) guide provides step-by-step
+instructions on setting up performance replication. This guide focuses on DR
+replication setup.
+
+## Reference Materials
+
+- [Performance Replication and Disaster Recovery (DR) Replication](/docs/enterprise/replication/index.html#performance-replication-and-disaster-recovery-dr-replication)
+- [DR Replication API](/api/system/replication-dr.html)
+- [Replication Setup & Guidance](/guides/operations/replication.html)
+- [Vault HA guide](/guides/operations/vault-ha-consul.html)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Prerequisites
+
+This intermediate Vault operations guide assumes that you have some working
+knowledge of Vault.
+
+You need two Vault Enterprise clusters: one behaves as the **primary cluster**,
+and another becomes the **secondary**.
+
+![DR Prerequisites](/img/vault-dr-0.png)
+
+## Steps
+
+This guide walk through the following operations:
+
+1. [Enable DR Primary Replication](#step1)
+1. [Enable DR Secondary Replication](#step2)
+1. [Promote DR Secondary to Primary](#step3)
+1. [Demote DR Primary to Secondary](#step4)
+1. [Disable DR Primary](#step5)
+
+### <a name="step1"></a>Step 1: Enable DR Primary Replication
+
+#### CLI command
+
+1. Enable DR replication on the **primary** cluster.
+
+   ```plaintext
+   $ vault write -f sys/replication/dr/primary/enable
+   WARNING! The following warnings were returned from Vault:
+
+   * This cluster is being enabled as a primary for replication. Vault will be
+   unavailable for a brief period and will resume service shortly.
+   ```
+
+1. Generate a secondary token.
+
+   ```plaintext
+   $ vault write sys/replication/dr/primary/secondary-token id="secondary"
+   ```
+
+   The output should look similar to:
+
+   ```plaintext
+   Key                              Value
+   ---                              -----
+   wrapping_token:                  eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoiaHR0cDovLzEzLjU3LjIwLjQxOjgyMDAiLCJleHAiOjE1MjkzMzkzMzEsImlhdCI6MTUyOTMzNzUzMSwianRpIjoiZDZmMmMzZTItMTZjNS1mNTU0LWYxMzAtNzMzZDE0OWNiNTIzIiwidHlwZSI6IndyYXBwaW5nIn0.MIGIAkIArsC3s1x7GYnEbaYwAbYUj-Wgp4B3Q3kVXL0BbaKvsECySV4Pwtm--i24OSQfI9zAlsG8ZypOWJdngRa59wlhWdQCQgG22-I-aNWPehjsqmwwEADU-u37LUrR6O0MsUCqtfWYwIM9o7PFP1wMZ4JwDGftQXUH6hIrkXZDxnnGsSCJ1Vl75w
+   wrapping_accessor:               bab0ea36-23f6-d21d-4ca6-a9c3673766a3
+   wrapping_token_ttl:              30m
+   wrapping_token_creation_time:    2018-06-18 15:58:51.645117216 +0000 UTC
+   wrapping_token_creation_path:    sys/replication/dr/primary/secondary-token
+   ```
+
+   -> Copy the generated **`wrapping_token`** which you will need to enable the DR
+   secondary cluster.
+
+#### API call using cURL
+
+1. Enable DR replication on the **primary** cluster by invoking **`/sys/replication/dr/primary/enable`** endpoint.
+
+   **Example:**
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data '{}' \
+          https://cluster-A.example.com:8200/v1/sys/replication/dr/primary/enable
+    {
+      "request_id": "ef38af20-9c1f-138a-2d03-bbb6410fb0fc",
+      "lease_id": "",
+      "renewable": false,
+      "lease_duration": 0,
+      "data": null,
+      "wrap_info": null,
+      "warnings": [
+        "This cluster is being enabled as a primary for replication. Vault will be
+        unavailable for a brief period and will resume service shortly."
+      ],
+      "auth": null
+    }
+   ```
+
+1. Generate a secondary token by invoking **`/sys/replication/dr/primary/secondary-token`** endpoint.
+
+   **Example:**
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data '{ "id": "secondary"}' \
+          https://cluster-A.example.com:8200/v1/sys/replication/dr/primary/secondary-token | jq
+    {
+      "request_id": "",
+      "lease_id": "",
+      "renewable": false,
+      "lease_duration": 0,
+      "data": null,
+      "wrap_info": {
+        "token": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoiaHR0cDovLzEzLjU3LjIwLjQxOjgyMDAiLCJleHAiOjE1MjkzNDQzMjcsImlhdCI6MTUyOTM0MjUyNywianRpIjoiYmRiZTJiNzEtODgwMS05YjZjLTNjMTQtMzVkNDI3NDQ3MjEzIiwidHlwZSI6IndyYXBwaW5nIn0.MIGIAkIBmESVVq_83l9hixTN7Ot0v5XQMsQfi1zV9APooZWkLvbS2olBWSQnskykQQH6GskMOi-ypOlAabqxWmfoCLA8-TICQgHRdkbJGgAQtWmjc8Z-ZEgymMv8YZq6qQxbUtPXloyM-cf_1Y1qmdGDYWtjPqoF5m1Bt_WkAJl9MguVb04QMWSotw",
+        "accessor": "7e56e9da-178c-119d-1d01-807a203fa0b3",
+        "ttl": 1800,
+        "creation_time": "2018-06-18T17:22:07.129747708Z",
+        "creation_path": "sys/replication/dr/primary/secondary-token"
+      },
+      "warnings": null,
+      "auth": null
+    }
+   ```
+
+   -> Copy the generated **`token`** which you will need to enable the DR
+   secondary cluster.
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g.
+https://cluster-A.example.com:8200/ui) and then login.
+
+1. Select **Replication** and check the **Disaster Recovery (DR)** radio button.
+   ![DR Replication - primary](/img/vault-dr-1.png)
+
+1. Click **Enable replication**.
+
+1. Select the **Secondaries** tab, and then click **Add**.
+   ![DR Replication - primary](/img/vault-dr-2.png)
+
+1. Populate the **Secondary ID** field, and click **Generate token**.
+   ![DR Replication - primary](/img/vault-dr-3.png)
+
+1. Click **Copy** to copy the token which you will need to enable the DR secondary cluster.
+   ![DR Replication - primary](/img/vault-dr-4.png)
+
+### <a name="step2"></a>Step 2: Enable DR Secondary Replication
+
+The following operations must be performed on the DR secondary cluster.
+
+#### CLI command
+
+1. Enable DR replication on the **secondary** cluster.
+
+   ```plaintext
+   $ vault write sys/replication/dr/secondary/enable token="..."
+   ```
+
+   Where the `token` is the `wrapping_token` obtained from the primary cluster.
+
+   Expected output:
+
+   ```plaintext
+   WARNING! The following warnings were returned from Vault:
+
+   * Vault has successfully found secondary information; it may take a while to
+   perform setup tasks. Vault will be unavailable until these tasks and initial
+   sync complete.
+   ```
+
+   !> **NOTE:** This will immediately clear all data in the secondary cluster.
+
+#### API call using cURL
+
+1. Enable DR replication on the **secondary** cluster.
+
+   ```plaintext
+   $ tee payload.json <<EOF
+   {
+     "token": "..."
+   }
+   EOF
+
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data @payload.json \
+          https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/enable | jq
+   {
+      "request_id": "7a9730c1-b6fc-6557-5c0a-081e1f89ed2d",
+      "lease_id": "",
+      "renewable": false,
+      "lease_duration": 0,
+      "data": null,
+      "wrap_info": null,
+      "warnings": [
+        "Vault has successfully found secondary information; it may take a while
+        to perform setup tasks. Vault will be unavailable until these tasks and
+        initial sync complete."
+      ],
+      "auth": null
+    }
+   ```
+
+   Where the `token` in `payload.json` is the token obtained from the primary
+   cluster.
+
+   !> **NOTE:** This will immediately clear all data in the secondary cluster.
+
+#### Web UI
+
+1. Now, launch the Vault UI for the **secondary** cluster (e.g. https://cluster-B.example.com:8200/ui) and click **Replication**.
+
+1. Check the **Disaster Recovery (DR)** radio button and select **secondary** under the **Cluster mode**. Paste the token you copied from the primary in the **Secondary activation token** field.
+   ![DR Replication - secondary](/img/vault-dr-5.png)
+
+1. Click **Enable replication**.
+   ![DR Replication - secondary](/img/vault-dr-5.2.png)
+
+!> **NOTE:** This will immediately clear all data in the secondary cluster.
+
+### <a name="step3"></a>Step 3: Promote DR Secondary to Primary
+
+This step walks you through the promotion of the secondary cluster to become the
+new primary when a catastrophic failure causes the primary cluster to be
+inoperable. Refer to the [_Important Note about Automated DR
+Failover_](#important) section for more background information.
+
+First, you must generate a **DR operation token** which you need to promote the
+secondary cluster. The process, outlined below using API calls, is the similar to [_Generating a Root Token (via CLI)_](/guides/operations/generate-root.html).
+
+#### From Terminal
+
+1.  Generate an one time password (OTP) to use:
+
+    ```plaintext
+    $ vault operator generate-root -dr-token -generate-otp
+    HenFLWmt0AgrjWJp/RECzQ==
+    ```
+
+1.  Start the DR operation token generation process by invoking **`/sys/replication/dr/secondary/generate-operation-token/attempt`** endpoint.
+
+    **Example:**
+
+    ```plaintext
+    $ tee payload.json <<EOF
+    {
+      "otp": "HenFLWmt0AgrjWJp/RECzQ=="
+    }
+    EOF
+
+    $ curl --request PUT \
+         --data @payload.json \
+         https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/generate-operation-token/attempt | jq
+     {
+       "nonce": "455bf989-6575-1262-c0d0-a94eaf60bdd0",
+       "started": true,
+       "progress": 0,
+       "required": 3,
+       "complete": false,
+       "encoded_token": "",
+       "encoded_root_token": "",
+       "pgp_fingerprint": ""
+     }
+    ```
+
+    -> Distribute the generated **`nonce`** to each unseal key holder.
+
+1.  In order to generate a DR operation token, a quorum of unseal keys must be
+    entered by each key holder via **`/sys/replication/dr/secondary/generate-operation-token/update`** endpoint.
+
+    **Example:**
+
+    ```plaintext
+    $ tee payload_key1.json <<EOF
+    {
+      "key": "<primary_unseal_key_1>",
+      "nonce": "455bf989-6575-1262-c0d0-a94eaf60bdd0"
+    }
+    EOF
+
+    $ curl --request PUT \
+            --data @payload_key1.json \
+            https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/generate-operation-token/update | jq
+      {
+        "nonce": "455bf989-6575-1262-c0d0-a94eaf60bdd0",
+        "started": true,
+        "progress": 1,
+        "required": 3,
+        "complete": false,
+        "encoded_token": "",
+        "encoded_root_token": "",
+        "pgp_fingerprint": ""
+      }
+    ```
+
+    This operation must be executed by each unseal key holder. Once the quorum
+    has been reached, the output contains the encoded DR operation token
+    (`encoded_token`).
+
+    **Example:**
+
+    ```plaintext
+    $ curl --request PUT \
+          --data @payload_key3.json \
+          https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/generate-operation-token/update | jq
+    {
+      "nonce": "455bf989-6575-1262-c0d0-a94eaf60bdd0",
+      "started": true,
+      "progress": 3,
+      "required": 3,
+      "complete": true,
+      "encoded_token": "dKNQqNmh3JfJcSZdGlkttQ==",
+      "encoded_root_token": "",
+      "pgp_fingerprint": ""
+    }
+    ```
+
+1.  Decode the generated DR operation token (`encoded_token`).
+
+    **Example:**
+
+    ```plaintext
+    $ vault operator generate-root -dr-token \
+            -decode="dKNQqNmh3JfJcSZdGlkttQ==" \
+            -otp="HenFLWmt0AgrjWJp/RECzQ=="
+
+    23e02f22-2ae6-94cc-d93f-5ee295e03e9d
+    ```
+
+1.  Finally, promote the DR secondary to become the primary by invoking the
+    **`sys/replication/dr/secondary/promote`** endpoint. The request payload must
+    contains the DR operation token.
+
+    **Example:**
+
+    ```plaintext
+    $ tee payload.json <<EOF
+    {
+          "dr_operation_token": "23e02f22-2ae6-94cc-d93f-5ee295e03e9d"
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: ..." \
+              --request POST \
+              --data @payload.json \
+              https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/promote | jq
+    {
+      "request_id": "3879546b-1dc7-8490-521b-80104ad761b5",
+      "lease_id": "",
+      "renewable": false,
+      "lease_duration": 0,
+      "data": null,
+      "wrap_info": null,
+      "warnings": [
+        "This cluster is being promoted to a replication primary. Vault will be unavailable
+        for a brief period and will resume service shortly."
+      ],
+      "auth": null
+    }
+    ```
+
+#### Web UI
+
+1.  Click on **Generate OTP** to generate an OTP. Then click **Copy OTP**.
+    ![DR Replication - secondary](/img/vault-dr-6.png)
+
+1.  Click **Generate Operation Token**.
+
+1.  A quorum of unseal keys must be entered to create a new operation token for
+    the DR secondary.
+
+    ![DR Replication - secondary](/img/vault-dr-7.png)
+
+    -> This operation must be performed by each unseal-key holder.
+
+1.  Once the quorum has been reached, the output displays the encoded DR operation token. Click **Copy CLI command**.
+
+    ![DR Replication - secondary](/img/vault-dr-8.png)
+
+1.  Execute the CLI command from a terminal to generate a DR operation token
+    using the OTP generated earlier. (Be sure to enter your OTP in the command.)
+
+    **Example:**
+
+    ```
+    $ vault operator generate-root -dr-token \
+            -otp="vZpZZf5UI1nvB3A5/7Xq9A==" \
+            -decode="cuplaFGYduDEY6ZVC5IfaA=="
+
+    cf703c0d-afcc-55b9-2b64-d66cf427f59c
+    ```
+
+1.  Now, click **Promote** tab, and then enter the generated DR operation token.
+
+    ![DR Replication - secondary](/img/vault-dr-9-1.png)
+
+1.  Click **Promote cluster**.
+
+    When you prompted, "_Are you sure you want to promote this cluster?_", click **Promote cluster** again to complete.
+
+    ![DR Replication - secondary](/img/vault-dr-9.png)
+
+> Once the secondary cluster was successfully promoted, you should be able to
+> log in using the original primary cluster's root token or via configured
+> authentication method. If desired, generate a [new root
+> token](/guides/operations/generate-root.html).
+
+### <a name="step4"></a>Step 4: Demote DR Primary to Secondary
+
+If the _original_ DR primary cluster becomes operational again, you may want to
+utilize the cluster by making it a DR secondary cluster. This step explains how
+to demote the original DR primary cluster to a secondary.
+
+~> Remember that there is only **one** primary cluster available to the clients
+in DR replication.
+
+#### CLI command
+
+Execute the following command to demote the original DR primary cluster to a
+secondary.
+
+```plaintext
+$ vault write -f sys/replication/dr/primary/demote
+
+WARNING! The following warnings were returned from Vault:
+
+  * This cluster is being demoted to a replication secondary. Vault will be
+  unavailable for a brief period and will resume service shortly.
+```
+
+This secondary cluster will not attempt to connect to a primary (see the
+update-primary call), but will maintain knowledge of its cluster ID and can be
+reconnected to the same DR replication set without wiping local storage.
+
+#### API call using cURL
+
+Invoke the **`sys/replication/dr/secondary/enable`** endpoint to demote the
+original DR primary cluster to a secondary.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       https://cluster-A.example.com:8200/v1/sys/replication/dr/primary/demote | jq
+{
+   "request_id": "8a40adac-6eb7-c798-48d0-f7cdd25fdd6f",
+   "lease_id": "",
+   "renewable": false,
+   "lease_duration": 0,
+   "data": null,
+   "wrap_info": null,
+   "warnings": [
+     "This cluster is being demoted to a replication secondary. Vault will be unavailable for a brief period and will resume service shortly."
+   ],
+   "auth": null
+}
+```
+
+This secondary cluster will not attempt to connect to a primary (see the
+update-primary call), but will maintain knowledge of its cluster ID and can be
+reconnected to the same DR replication set without wiping local storage.
+
+#### Web UI
+
+Select **Replication** and click **Demote cluster**.
+
+![DR Replication - demotion](/img/vault-dr-10.png)
+
+When you prompted, "_Are you sure you want to demote this cluster?_", click
+**Demote cluster** again to complete.
+
+![DR Replication - demotion](/img/vault-dr-12.png)
+
+### <a name="step5"></a>Step 5: Disable DR Primary
+
+Once the DR secondary cluster was promoted to be the **new primary**, you may
+want to disable the DR replication on the _original_ primary when it becomes
+operational again.
+
+~> Remember that there is only **one** primary cluster available to the clients
+in DR replication.
+
+#### CLI command
+
+Execute the following command to disable DR replication.
+
+```plaintext
+$ vault write -f sys/replication/dr/primary/disable
+
+WARNING! The following warnings were returned from Vault:
+
+  * This cluster is having replication disabled. Vault will be unavailable for
+    a brief period and will resume service shortly.
+```
+
+Any secondaries will no longer be able to connect.
+
+#### API call using cURL
+
+Invoke the **`sys/replication/dr/primary/disable`** endpoint to disable DR
+replication.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       https://cluster-A.example.com:8200/v1/sys/replication/dr/primary/disable | jq
+{
+   "request_id": "92a5f57a-2f7b-11be-b9dd-0f028396fba8",
+   "lease_id": "",
+   "renewable": false,
+   "lease_duration": 0,
+   "data": null,
+   "wrap_info": null,
+   "warnings": [
+     "This cluster is having replication disabled. Vault will be unavailable for a brief period and will resume service shortly."
+   ],
+   "auth": null
+}
+```
+
+Any secondaries will no longer be able to connect.
+
+#### Web UI
+
+Select **Replication** and click **Disable replication**.
+
+![DR Replication - demotion](/img/vault-dr-11.png)
+
+When you prompted, "_Are you sure you want to disable replication on this
+cluster?_", click **Disable** again to complete.
+
+![DR Replication - demotion](/img/vault-dr-13.png)
+
+Any secondaries will no longer be able to connect.
+
+!> **Caution:** Once this is done, re-enabling the DR replication as a primary
+will change the cluster's ID. Its connecting secondaries will require a wipe of
+the underlying storage even if they have connected before. If re-enabling DR
+replication as a secondary, its underlying storage will be wiped when connected
+to a primary.
+
+## <a name="important"></a>Important Note about Automated DR Failover
+
+Vault does not support an automatic failover/promotion of a DR secondary
+cluster, and this is a deliberate choice due to the difficulty in accurately
+evaluating why a failover should or shouldn't happen. For example, imagine a
+DR secondary loses its connection to the primary. Is it because the primary is
+down, or is it because networking between the two has failed?
+
+If the DR secondary promotes itself and clients start connecting to it, you now
+have two active clusters whose data sets will immediately start diverging.
+There's no way to understand simply from one perspective or the other which one
+of them is right.
+
+Vault's API supports programmatically performing various replication operations
+which allows the customer to write their own logic about automating some of
+these operations based on experience within their own environments. You can
+review the available replication APIs at the following links:
+
+- [Vault Replication API](/api/system/replication.html)
+- [DR Replication API](/api/system/replication-dr.html)
+- [Performance Replication API](/api/system/replication-performance.html)
+
+## Next steps
+
+Read [Production Hardening](/guides/operations/production.html) to learn more
+about the guidance on hardening the production deployments of Vault.
diff --git a/website/pages/guides/operations/generate-root.mdx b/website/pages/guides/operations/generate-root.mdx
new file mode 100644
index 000000000000..20107151f16a
--- /dev/null
+++ b/website/pages/guides/operations/generate-root.mdx
@@ -0,0 +1,157 @@
+---
+layout: guides
+page_title: Generate Root Tokens using Unseal Keys - Guides
+sidebar_title: Root Token Generation
+description: Generate a new root token using a threshold of unseal keys.
+---
+
+# Generate Root Tokens Using Unseal Keys
+
+It is generally considered a best practice to not persist
+[root tokens][root-tokens]. Instead a root token should be generated using
+Vault's `operator generate-root` command only when absolutely necessary. This
+guide demonstrates regenerating a root token.
+
+1. Unseal the vault using the existing quorum of unseal keys. You do not need to
+   be authenticated to generate a new root token, but the Vault must be unsealed
+   and a quorum of unseal keys must be available.
+
+   ```shell
+   $ vault operator unseal
+   # ...
+   ```
+
+### Using OTP
+
+In this method, an OTP is XORed with the generated token on final output.
+
+1. Generate a one-time password (OTP) to use for XORing the resulting token:
+
+   ```text
+   $ vault operator generate-root -generate-otp
+   mOXx7iVimjE6LXQ2Zna6NA==
+   ```
+
+   Save this OTP because you will need it to get the decoded final root token.
+
+1. Initialize a root token generation, providing the OTP code from the step
+   above:
+
+   ```text
+   $ vault operator generate-root -init -otp=mOXx7iVimjE6LXQ2Zna6NA==
+   Nonce              f67f4da3-4ae4-68fb-4716-91da6b609c3e
+   Started            true
+   Progress           0/5
+   Complete           false
+   ```
+
+   The nonce value should be distributed to all unseal key holders.
+
+1. Each unseal key holder provides their unseal key:
+
+   ```text
+   $ vault operator generate-root
+   Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
+   Unseal Key (will be hidden): ...
+   ```
+
+   If there is a tty, Vault will prompt for the key and automatically
+   complete the nonce value. If there is no tty, or if the value is piped
+   from stdin, the user must specify the nonce value from the `-init`
+   operation.
+
+   ```text
+   $ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
+   ```
+
+1. When the quorum of unseal keys are supplied, the final user will also get
+   the encoded root token.
+
+   ```text
+   $ vault operator generate-root
+   Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
+   Unseal Key (will be hidden):
+
+   Nonce         f67f4da3-4ae4-68fb-4716-91da6b609c3e
+   Started       true
+   Progress      5/5
+   Complete      true
+   Root Token    IxJpyqxn3YafOGhqhvP6cQ==
+   ```
+
+1. Decode the encoded token using the OTP:
+
+   ```text
+   $ vault operator generate-root \
+       -decode=IxJpyqxn3YafOGhqhvP6cQ== \
+       -otp=mOXx7iVimjE6LXQ2Zna6NA==
+
+   24bde68f-3df3-e137-cf4d-014fe9ebc43f
+   ```
+
+### Using PGP
+
+1. Initialize a root token generation, providing the path to a GPG public key
+   or keybase username of a user to encrypted the resulting token.
+
+   ```text
+   $ vault operator generate-root -init -pgp-key=keybase:sethvargo
+   Nonce              e24dec5e-f1ea-2dfe-ecce-604022006976
+   Started            true
+   Progress           0/5
+   Complete           false
+   PGP Fingerprint    e2f8e2974623ba2a0e933a59c921994f9c27e0ff
+   ```
+
+   The nonce value should be distributed to all unseal key holders.
+
+1. Each unseal key holder providers their unseal key:
+
+   ```text
+   $ vault operator generate-root
+   Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976
+   Unseal Key (will be hidden): ...
+   ```
+
+   If there is a tty, Vault will prompt for the key and automatically
+   complete the nonce value. If there is no tty, or if the value is piped
+   from stdin, the user must specify the nonce value from the `-init`
+   operation.
+
+   ```text
+   $ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
+   ```
+
+1. When the quorum of unseal keys are supplied, the final user will also get
+   the encoded root token.
+
+   ```text
+   $ vault operator generate-root
+   Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976
+   Unseal Key (will be hidden):
+
+   Nonce              e24dec5e-f1ea-2dfe-ecce-604022006976
+   Started            true
+   Progress           1/1
+   Complete           true
+   PGP Fingerprint    e2f8e2974623ba2a0e933a59c921994f9c27e0ff
+   Root Token         wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg...
+   ```
+
+1. Decrypt the encrypted token using associated private key:
+
+   ```text
+   $ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | gpg --decrypt
+
+   d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
+   ```
+
+   or via keybase:
+
+   ```text
+   $ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | keybase pgp decrypt
+
+   d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
+   ```
+
+[root-tokens]: /docs/concepts/tokens.html#root-tokens
diff --git a/website/pages/guides/operations/index.mdx b/website/pages/guides/operations/index.mdx
new file mode 100644
index 000000000000..5aa2324870b3
--- /dev/null
+++ b/website/pages/guides/operations/index.mdx
@@ -0,0 +1,83 @@
+---
+layout: guides
+page_title: Vault Operations - Guides
+sidebar_title: Vault Operations
+description: |-
+  Vault architecture guide covers Vault infrastructure discussions including
+  installation.
+---
+
+# Vault Operations
+
+Vault Operations guides address Vault infrastructure discussions. These
+guides are designed to help the operations team to plan and install a Vault
+cluster that meets your organization's needs.
+
+- [Vault Reference Architecture](/guides/operations/reference-architecture.html)
+  guide provides guidance in the best practices of _Vault Enterprise_ implementations
+  through use of a reference architecture. This example is to convey a general
+  architecture, which is likely to be adapted to accommodate the specific needs of
+  each implementation.
+
+- [Vault Deployment Guide](/guides/operations/deployment-guide.html) covers the
+  steps required to install and configure a single HashiCorp Vault cluster as
+  defined in the Vault Reference Architecture.
+
+- [Vault HA with Consul](/guides/operations/vault-ha-consul.html) guide
+  walks you through a simple Vault HA cluster implementation which is backed by
+  [HashiCorp Consul](https://www.consul.io/intro/index.html).
+
+- [Production Hardening](/guides/operations/production.html) guide provides
+  guidance on best practices for a production hardened deployment of Vault.
+  The recommendations are based on the [security model](/docs/internals/security.html)
+  and focus on defense in depth.
+
+- [Root Token Generation](/guides/operations/generate-root.html) guide
+  demonstrates the workflow of regenerating root tokens. It is considered to be a
+  best practice not to persist the initial **root** token. If a root token needs
+  to be regenerated, this guide helps you walk through the task.
+
+- [Rekeying & Rotating](/guides/operations/rekeying-and-rotating.html) guide
+  provides a high-level overview of Shamir's Secret Sharing Algorithm, and how to
+  perform _rekey_ and _rotate_ operations in Vault.
+
+- [Building Plugin Backends](/guides/operations/plugin-backends.html) guide
+  provides steps to build, register, and mount non-database external plugin
+  backends.
+
+## Vault Enterprise
+
+- [Replication Setup & Guidance](/guides/operations/replication.html)
+  walks you through the commands to activate the Vault servers in replication mode.
+  Please note that [Vault Replication](/docs/vault-enterprise/replication/index.html)
+  is a Vault Enterprise feature.
+
+- [Disaster Recovery Replication Setup](/guides/operations/disaster-recovery.html)
+  guide provides step-by-step instruction of setting up a disaster recovery (DR)
+  cluster.
+
+- [Mount Filter](/guides/operations/mount-filter.html)
+  guide demonstrates how to selectively filter out secret engines from being
+  replicated across clusters. This feature can help organizations to comply with
+  **_General Data Protection Regulation (GDPR)_**.
+
+- [Performance Standby Nodes](/guides/operations/performance-nodes.html) guide
+  describes how Vault HA works with performance standby nodes.
+
+- [Multi-Tenant Pattern with Namespaces](/guides/operations/multi-tenant.html)
+  guide discuss a pattern to isolate secrets using ACL Namespaces.
+
+- [Vault Auto-unseal using AWS Key Management Service (KMS)](/guides/operations/autounseal-aws-kms.html) guide demonstrates an example of
+  how to use Terraform to provision an instance that utilizes an encryption key
+  from AWS Key Management Service (KMS).
+
+- [Seal Wrap / FIPS 140-2](/guides/operations/seal-wrap.html)
+  guide demonstrates how Vault's seal wrap feature works to encrypt your secrets
+  leveraging FIPS 140-2 certified HSM.
+
+- [Vault Cluster Monitoring Guide](/guides/operations/monitoring.html) walks
+  you through Vault cluster monitoring with telemetry collected by
+  [Telegraf](https://www.influxdata.com/time-series-platform/telegraf/) and
+  forwarded to
+  [InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/) and
+  [Grafana](https://grafana.com/) for analysis.
diff --git a/website/pages/guides/operations/monitoring.mdx b/website/pages/guides/operations/monitoring.mdx
new file mode 100644
index 000000000000..877b5bcf92f5
--- /dev/null
+++ b/website/pages/guides/operations/monitoring.mdx
@@ -0,0 +1,27 @@
+---
+layout: guides
+page_title: Vault Cluster Monitoring - Guides
+sidebar_title: Vault Cluster Monitoring
+description: Learn how to set up and manage Vault Enterprise Performance Replication.
+---
+
+# Vault Cluster Monitoring
+
+~> [Download **Vault Cluster Monitoring Guide**](https://s3-us-west-2.amazonaws.com/hashicorp-education/whitepapers/Vault/Vault-Consul-Monitoring-Guide.pdf)
+
+This _Vault Cluster Monitoring Guide_ demonstrates monitoring of a Vault cluster
+configured with Consul as its storage backend.
+
+The guide walks you through:
+
+- How to set up a monitoring stack ([Telegraf](https://www.influxdata.com/time-series-platform/telegraf/), [InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/), and [Grafana](https://grafana.com/)).
+- How to configure Vault and Consul to send telemetry to a monitoring agent.
+- Which metrics are important to monitor, and why.
+
+![Dashboard Example](/img/vault_cluster.png)
+
+## Reference Materials
+
+- [Vault Deployment Reference Architecture](/guides/operations/reference-architecture.html)
+- [Vault High Availability](/guides/operations/vault-ha-consul.html)
+- [Production Hardening](/guides/operations/production.html)
diff --git a/website/pages/guides/operations/mount-filter.mdx b/website/pages/guides/operations/mount-filter.mdx
new file mode 100644
index 000000000000..d95dd6deb5ba
--- /dev/null
+++ b/website/pages/guides/operations/mount-filter.mdx
@@ -0,0 +1,505 @@
+---
+layout: guides
+page_title: Vault Mount Filter - Guides
+sidebar_title: Mount Filter
+description: |-
+  This guide demonstrates how to selectively filter out secret mounts for
+  Performance Replication.
+---
+
+# Vault Mount Filter
+
+~> **Enterprise Only:** Mount filter feature is a part of _Vault Enterprise Premium_.
+
+Mount filters are a new way of controlling which secrets are moved across
+clusters and physical regions as a result of replication. With mount filters,
+users can select which secret engines will be replicated as part of a
+performance replication relationship.
+
+By default, all non-local secret engines and associated data are replicated as
+part of replication. The mount filter feature allows users to whitelist or
+blacklist which secret engines are replicated, thereby allowing users to further
+control the movement of secrets across their infrastructure.
+
+![Performance Replication](/img/vault-mount-filter-2.png)
+
+## Reference Materials
+
+- Preparing for GDPR Compliance with HashiCorp Vault [webinar](https://www.hashicorp.com/resources/preparing-for-gdpr-compliance-with-hashicorp-vault)
+- Preparing for GDPR Compliance with HashiCorp Vault [blog post](https://www.hashicorp.com/blog/preparing-for-gdpr-compliance-with-hashicorp-vault)
+- [Create Mounts Filter (API)](/api/system/replication-performance.html#create-mounts-filter)
+- [Performance Replication and Disaster Recovery (DR) Replication](/docs/enterprise/replication/index.html#performance-replication-and-disaster-recovery-dr-replication)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Challenge
+
+[**General Data Protection Regulation (GDPR)**](https://www.eugdpr.org/) is designed
+to strengthen data protection and privacy for all individuals within the
+European Union. It requires that personally identifiable data not be physically
+transferred to locations outside the European Union unless the region or country
+has an equal rigor of data protection regulation as the EU.
+
+Failure to abide by GDPR will result in fines as high as 20 million EUR or 4% of
+the global annual revenue (whichever greater).
+
+## Solution
+
+Leverage Vault's **mount filter** feature to abide by data movements and
+sovereignty regulations while ensuring performance access across geographically
+distributed regions.
+
+The [**_Preparing for GDPR Compliance with HashiCorp
+Vault_**](https://www.hashicorp.com/resources/preparing-for-gdpr-compliance-with-hashicorp-vault)
+webinar discusses the GDPR compliance further in details.
+
+[![YouTube](/img/vault-mount-filter.png)](https://youtu.be/hmf6sN4W8pE)
+
+## Prerequisites
+
+This intermediate Vault operations guide assumes that you have some working
+knowledge of Vault.
+
+You need two Vault Enterprise clusters: one representing the EU cluster, and
+another representing the US cluster both backed by Consul for storage.
+
+## Steps
+
+**Scenario:** You have a Vault cluster in EU and wish to span across the United
+States by setting up a secondary cluster and enable the performance
+replication. However, some data must remain in EU and should **_not_** be
+replicated to the US cluster.
+
+![Guide Scenario](/img/vault-mount-filter-0.png)
+
+Leverage the mount filter feature to blacklist the secrets, that are subject to
+GDPR, from being replicated across the regions.
+
+1. [Segment GDPR and non-GDPR secret engines](#step1)
+1. [Enable performance replication with mount filter](#step2)
+1. [Verify the replication mount filter](#step3)
+1. [Enable a local secret engine](#step4)
+
+~> **NOTE:** Ensure that GDPR data is segmented by secret mount and blacklist
+the movement of those secret mounts to non-GDPR territories.
+
+### <a name="step1"></a>Step 1: Segment GDPR and non-GDPR secret engines
+
+In the EU cluster (primary cluster), enable key/value secret engines:
+
+- At **`EU_GDPR_data`** for GDPR data
+- At **`US_NON_GDPR_data`** for non-GDPR data localized for US
+
+#### CLI command
+
+```shell
+# For GDPR data
+$ vault secrets enable -path=EU_GDPR_data kv-v2
+
+# For non-GDPR data accessible in US
+$ vault secrets enable -path=US_NON_GDPR_data kv-v2
+```
+
+#### API call using cURL
+
+```shell
+# For GDPR data
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type":"kv-v2"}' \
+       https://eu-west-1.compute.com:8200/v1/sys/mounts/EU_GDPR_data
+
+# For non-GDPR data accessible in US
+$ curl --header "X-Vault-Token: ..." \
+      --request POST \
+      --data '{"type":"kv-v2"}' \
+      https://eu-west-1.compute.com:8200/v1/sys/mounts/US_NON_GDPR_data
+```
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g.
+https://eu-west-1.compute.com:8200/ui) and then login.
+
+Select **Enable new engine** and enter corresponding parameter values:
+
+![GDPR KV](/img/vault-mount-filter-3.png)
+
+![Non-GDPR KV](/img/vault-mount-filter-4.png)
+
+Click **Enable Engine** to complete.
+
+### <a name="step2"></a>Step 2: Enable performance replication with mount filter
+
+#### CLI command
+
+1. Enable performance replication on the **primary** cluster.
+
+   ```plaintext
+   $ vault write -f sys/replication/performance/primary/enable
+   WARNING! The following warnings were returned from Vault:
+
+   * This cluster is being enabled as a primary for replication. Vault will be
+   unavailable for a brief period and will resume service shortly.
+   ```
+
+1. Generate a secondary token.
+
+   ```plaintext
+   $ vault write sys/replication/performance/primary/secondary-token id="secondary"
+   Key                              Value
+   ---                              -----
+   wrapping_token:                  eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoiaHR0cDovLzE3Mi4zMS4yMC4xODA6ODIwMyIsImV4cCI6MTUyNTg0ODAxMywiaWF0IjoxNTI1ODQ2MjEzLCJqdGkiOiJlNTFiMjUxZi01ZTg2LTg4OWEtNGZmMy03NTQzMjRkNTdlMGQiLCJ0eXBlIjoid3JhcHBpbmcifQ.MIGGAkE2dDj3nmaoLHg7oldQ1iZPD0U8doyj3x3mQUVfTl8W99QYG8GM6VGVzhRPGvKctGriuo2oXN_8euWQb01M1y6n7gJBSu-qdXw-v2RieOyopAHls1bWhw4sO9Nlds8IDFA15vqkLXnq2g4_5lvlhxpP7B8dEOHvWXkHG4kJ_mKvrgR0dU0
+   wrapping_accessor:               6ded4fb0-5e8c-2a37-1b3e-823673220348
+   wrapping_token_ttl:              30m
+   wrapping_token_creation_time:    2018-05-09 06:10:13.437421436 +0000 UTC
+   wrapping_token_creation_path:    sys/replication/performance/primary/secondary-token
+   ```
+
+1. Create a **mount filter** to blacklist `EU_GDPR_data`.
+
+   ```plaintext
+   $ vault write sys/replication/performance/primary/mount-filter/secondary  \
+          mode="blacklist" paths="EU_GDPR_data/"
+   ```
+
+1. Enable performance replication on the **secondary** cluster.
+
+   ```plaintext
+   $ vault write sys/replication/performance/secondary/enable token="..."
+   ```
+
+   Where the `token` is the `wrapping_token` obtained from the primary cluster.
+
+   !> **NOTE:** This will immediately clear all data in the secondary cluster.
+
+#### API call using cURL
+
+1. Enable performance replication on the **primary** cluster.
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data '{"primary_cluster_addr":"https://eu-west-1.compute.com:8200"}' \
+          https://eu-west-1.compute.com:8200/v1/sys/replication/performance/primary/enable
+   ```
+
+1. Generate a secondary token.
+
+   ```plaintext
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data '{ "id": "secondary"}' \
+          https://eu-west-1.compute.com:8200/v1/sys/replication/performance/primary/secondary-token | jq
+     {
+      "request_id": "",
+      "lease_id": "",
+      "renewable": false,
+      "lease_duration": 0,
+      "data": null,
+      "wrap_info": {
+        "token": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoiaHR0cDovLzEyNy4wLjAuMTo4MjAzIiwiZXhwIjoxNTI1ODI5Njc2LCJpYXQiOjE1MjU4Mjc4NzYsImp0aSI6IjAwNmVkMDdjLWQ0MzYtZWViYy01OWYwLTdiMTU0ZGFmMDNiMCIsInR5cGUiOiJ3cmFwcGluZyJ9.MIGHAkF6saWWL-oRQMJIoUnaUOHNkcoHZCBwQs6mSMjPBopMi8DkGCJGBrh4jgV2mSzwFY1r5Ne7O66HmuMpm40MsYqjAQJCANSco_Sx5q6FmQSfoY-HtsVO1_YKWF4O6B7gYCvPKYkODMIwe5orCSgmIDyXHZt-REPm0sfdk4ZNyRCIRK5hDWyQ",
+        "accessor": "6ea2a4e2-2926-120f-f288-c2348c78fb3e",
+        "ttl": 1800,
+        "creation_time": "2018-05-09T01:04:36.514715311Z",
+        "creation_path": "sys/replication/performance/primary/secondary-token"
+      },
+      "warnings": null,
+      "auth": null
+    }
+   ```
+
+1. Create a **mount filter** to blacklist `EU_GDPR_data`.
+
+   ```plaintext
+   $ tee payload.json <<EOF
+   {
+     "mode": "blacklist",
+     "paths": [ "EU_GDPR_data/" ]
+   }
+   EOF
+
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data @payload.json \
+          https://eu-west-1.compute.com:8200/v1/sys/replication/performance/primary/mount-filter/secondary
+   ```
+
+1. Enable performance replication on the **secondary** cluster.
+
+   ```plaintext
+   $ tee payload.json <<EOF
+   {
+     "token": "..."
+   }
+   EOF
+
+   $ curl --header "X-Vault-Token: ..." \
+          --request POST \
+          --data @payload.json \
+          https://us-central.compute.com:8201/v1/sys/replication/performance/secondary/enable
+   ```
+
+   Where the `token` in `payload.json` is the token obtained from the primary
+   cluster.
+
+   !> **NOTE:** This will immediately clear all data in the secondary cluster.
+
+#### Web UI
+
+1. Select **Replication** and check the **Performance** radio button.
+   ![Performance Replication - primary](/img/vault-mount-filter-5.png)
+
+1. Click **Enable replication**.
+
+1. Select the **Secondaries** tab, and then click **Add**.
+   ![Performance Replication - primary](/img/vault-mount-filter-6.png)
+
+1. Populate the **Secondary ID** field, and then select **Configure performance
+   mount filtering** to set your mount filter options. You can filter by
+   whitelisting or blacklisting. For this example, select **Blacklist**.
+
+1. Check **EU_GDPR_data** to prevent it from being replicated to the secondary
+   cluster.
+   ![Performance Replication - primary](/img/vault-mount-filter-7.png)
+
+1. Click **Generate token**.
+   ![Performance Replication - primary](/img/vault-mount-filter-8.png)
+
+1. Click **Copy** to copy the token.
+
+1. Now, launch the Vault UI for the secondary cluster (e.g. https://us-central.compute.com:8201/ui), and then click **Replication**.
+
+1. Check the **Performance** radio button, and then select **secondary** under the **Cluster mode**. Paste the token you copied from the primary.
+   ![Performance Replication - secondary](/img/vault-mount-filter-9.png)
+
+1. Click **Enable replication**.
+
+<br />
+
+~> **NOTE:** At this point, the secondary cluster must be unsealed using the
+**primary cluster's unseal key**. If the secondary is in an HA cluster, ensure
+that each standby is sealed and unsealed with the primary’s unseal keys. The
+secondary cluster mirrors the configuration of its primary cluster's backends
+such as auth methods, secret engines, audit devices, etc. It uses the primary as
+the _source of truth_ and passes token requests to the primary.
+
+Restart the secondary vault server (e.g. `https://us-central.compute.com:8201`)
+and unseal it with the primary cluster's unseal key.
+
+```plaintext
+$ vault operator unseal
+Unseal Key (will be hidden): <primary_cluster_unseal_key>
+```
+
+The initial root token on the secondary no longer works. Use the auth methods
+configured on the primary cluster to log into the secondary.
+
+**Example:**
+
+Enable and configure the userpass auth method on the **primary** cluster and
+create a new username and password.
+
+```shell
+# Enable the userpass auth method on the primary
+$ vault auth enable userpass
+
+# Create a user with admin policy
+$ vault write auth/userpass/users/james password="passw0rd" policy="admin"
+```
+
+-> Alternatively, you can [generate a new root token](/guides/operations/generate-root.html)
+using the primary cluster's unseal key. However, it is recommended that root
+tokens are only used for just enough initial setup or in emergencies.
+
+Log into the **secondary** cluster using the enabled auth method.
+
+```plaintext
+$ vault login -method=userpass username=james password="passw0rd"
+```
+
+### <a name="step3"></a>Step 3: Verify the replication mount filter
+
+Once the replication completes, verify that the secrets stored in the
+`EU_GDPR_data` never get replicated to the US cluster.
+
+#### CLI command
+
+On the **EU** cluster, write some secrets:
+
+```shell
+# Write some secret at EU_GDPR_data/secret
+$ vault kv put EU_GDPR_data/secret pswd="password"
+Key              Value
+---              -----
+created_time     2018-05-10T18:00:38.912587665Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+# Write some secret at US_NON_GDPR_data/secret
+$ vault kv put US_NON_GDPR_data/secret apikey="my-api-key"
+Key              Value
+---              -----
+created_time     2018-05-10T18:04:37.554665851Z
+deletion_time    n/a
+destroyed        false
+version          1
+```
+
+From the **US** cluster, read the secrets:
+
+```shell
+# Read the secrets at EU_GDPR_data/secret
+$ vault kv get EU_GDPR_data/secret
+No value found at EU_GDPR_data/secret
+
+# Read the secrets at US_NON_GDPR_data/secret
+$ vault kv get US_NON_GDPR_data/secret
+====== Metadata ======
+Key              Value
+---              -----
+created_time     2018-05-10T18:09:07.717250408Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+===== Data =====
+Key       Value
+---       -----
+apikey    my-api-key
+```
+
+#### API call using cURL
+
+On the **EU** cluster, write some secret:
+
+```shell
+# Create the request payload
+$ tee payload.json <<EOF
+{
+  "data": {
+    "pswd": "password"
+  }
+}
+EOF
+
+# Write some secret at EU_GDPR_data/secret
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       https://eu-west-1.compute.com:8200/v1/EU_GDPR_data/data/secret
+
+# Create the request payload
+$ tee payload-us.json <<EOF
+{
+ "data": {
+   "apikey": "my-api-key"
+ }
+}
+EOF
+
+# Write some secret at US_NON_GDPR_data/secret
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload-us.json \
+       https://eu-west-1.compute.com:8200/v1/US_NON_GDPR_data/data/secret
+```
+
+From the **US** cluster, read the secrets:
+
+```shell
+# Read the secrets at EU_GDPR_data/secret
+$ curl --header "X-Vault-Token: ..." \
+       https://us-central.compute.com:8201/v1/EU_GDPR_data/data/secret | jq
+{
+  "errors": []
+}
+
+# Read the secrets at US_NON_GDPR_data/secret
+$ curl --header "X-Vault-Token: ..." \
+       https://us-central.compute.com:8201/v1/US_NON_GDPR_data/data/secret | jq
+{
+  "request_id": "f5eedb5b-9406-c519-f5a5-070336c10205",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": [
+    "Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get' for this operation."
+  ],
+  "auth": null
+}
+```
+
+#### Web UI
+
+On the **EU** cluster, select **EU_GDPR_data** > **Create secret**:
+
+![Secrets](/img/vault-mount-filter-12.png)
+
+Enter the values and click **Save**. Repeat the step to write some secrets at
+the **US_NON_GDPR_data** path as well.
+
+On the **US** cluster, select **US_NON_GDPR_data**. You should be able to see
+the `apikey` under `US_NON_GDPR_data/secret`.
+
+![Secrets](/img/vault-mount-filter-13.png)
+
+The **EU_GDPR_data** data is not replicated, so you won't be able to see the
+secrets.
+
+### <a name="step4"></a>Step 4: Enable a local secret engine
+
+When replication is enabled, you can mark the secrets engine local only. Local
+secret engines are not replicated or removed by replication.
+
+Login to the **secondary** cluster and enable key/value secret engine at
+`US_ONLY_data` to store secrets only valid for the US region.
+
+#### CLI command
+
+Pass the `-local` flag:
+
+```plaintext
+$ vault secrets enable -local -path=US_ONLY_data kv-v2
+```
+
+#### API call using cURL
+
+Pass the `local` parameter in the API request:
+
+```plaintext
+$ tee payload.json <<EOF
+{
+  "type": "kv-v2",
+  "local": true
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       https://us-central.compute.com:8201/v1/sys/mounts/US_ONLY_data
+```
+
+#### Web UI
+
+Be sure to select the check box for **Local** to keep it mounted locally within
+the cluster.
+
+![Local Secret](/img/vault-mount-filter-10.png)
+
+<br />
+
+-> **NOTE:** `US_ONLY_data` only exists locally in the secondary cluster that
+you won't be able to see it from the primary cluster.
+
+## Next steps
+
+Read [Vault Deployment Reference
+Architecture](/guides/operations/reference-architecture.html) to learn more
+about the recommended deployment practices.
diff --git a/website/pages/guides/operations/multi-tenant.mdx b/website/pages/guides/operations/multi-tenant.mdx
new file mode 100644
index 000000000000..1e7b3c712014
--- /dev/null
+++ b/website/pages/guides/operations/multi-tenant.mdx
@@ -0,0 +1,995 @@
+---
+layout: guides
+page_title: Secure Multi-Tenancy with Namepaces - Guides
+sidebar_title: 'Multi-Tenant: Namespaces'
+description: This guide provides guidance in creating a multi-tenant environment.
+---
+
+# Secure Multi-Tenancy with Namespaces
+
+~> **Enterprise Only:** The namespaces feature is a part of _Vault Enterprise Pro_.
+
+Everything in Vault is path-based, and often uses the terms `path` and
+`namespace` interchangeably. The application namespace pattern is a useful
+construct for providing Vault as a service to internal customers, giving them
+the ability to implement secure multi-tenancy within Vault in order to provide
+isolation and ensure teams can self-manage their own environments.
+
+## Reference Material
+
+- [Namespaces](/docs/enterprise/namespaces/index.html)
+- [Streamline Secrets Management with Vault Agent and Vault 0.11](https://youtu.be/zDnIqSB4tyA)
+- [Vault Deployment Reference Architecture](/guides/operations/reference-architecture.html)
+- [Policies](/guides/identity/policies.html) guide
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The scenario described in this guide introduces the following personas:
+
+- **`operations`** is the cluster-level administrator with privileged policies
+- **`org-admin`** is the organization-level administrator
+- **`team-admin`** is the team-level administrator
+
+## Challenge
+
+When Vault is primarily used as a central location to manage secrets, multiple
+organizations within a company may need to be able to manage their secrets in a
+self-serving manner. This means that a company needs to implement a **_Vault as
+a Service_** model allowing each organization (tenant) to manage their own
+secrets and policies. The most importantly, tenants should be restricted to work
+only within their tenant scope.
+
+![Multi-Tenant](/img/vault-multi-tenant.png)
+
+## Solution
+
+Create a **namespace** dedicated to each team, organization, or app where
+they can perform all necessary tasks within their tenant namespace.
+
+Each namespace can have its own:
+
+- Policies
+- Auth Methods
+- Secret Engines
+- Tokens
+- Identity entities and groups
+
+~> Tokens are locked to a namespace or child-namespaces. Identity groups can
+pull in entities and groups from _other_ namespaces.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a **Vault
+Enterprise** environment.
+
+-> **NOTE:** The creation of namespaces should be performed by a user with a
+highly privileged token such as **`root`** to set up isolated environments for
+each organization, team, or application.
+
+## Steps
+
+**Scenario:** In this guide, you are going to create a namespace dedicated to
+the Education organization which has Training and Certification teams. Delegate
+operational tasks to the team admins so that the Vault cluster operators won't
+have to be involved.
+
+![Scenario](/img/vault-multi-tenant-2.png)
+
+In this guide, you are going to perform the following steps:
+
+1. [Create namespaces](#step1)
+1. [Write policies](#step2)
+1. [Setup entities and groups](#step3)
+1. [Test the organization admin user](#step4)
+1. [Test the team admin user](#step5)
+1. [Audit ambient credentials](#step6)
+
+### <a name="step1"></a>Step 1: Create namespaces
+
+(**Persona:** operations)
+
+#### CLI command
+
+To create a new namespace, run: **`vault namespace create <namespace_name>`**
+
+1.  Create a namespace dedicated to the **`education`** organizations:
+
+    ```plaintext
+    $ vault namespace create education
+    ```
+
+1.  Create child namespaces called `training` and `certification` under the
+    `education` namespace:
+
+    ```plaintext
+    $ vault namespace create -namespace=education training
+
+    $ vault namespace create -namespace=education certification
+    ```
+
+1.  List the created namespaces:
+
+    ```plaintext
+    $ vault namespace list
+    education/
+
+    $ vault namespace list -namespace=education
+    certification/
+    training/
+    ```
+
+#### API call using cURL
+
+To create a new namespace, invoke **`sys/namespaces`** endpoint:
+
+```shell
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       <VAULT_ADDRESS>/v1/sys/namespaces/<NS_NAME>
+```
+
+Where `<TOKEN>` is your valid token, and `<NS_NAME>` is the desired namespace
+name.
+
+1.  Create a namespace for the **`education`** organization:
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: ..." \
+           --request POST \
+           http://127.0.0.1:8200/v1/sys/namespaces/education
+    ```
+
+1.  Now, create a child namespace called **`training`** and **`certification`**
+    under `education`. To do so, pass the top-level namespace name in the
+    **`X-Vault-Namespace`** header.
+
+    ```shell
+    # Create a training namespace under education
+    # NOTE: Top-level namespace is in the API endpoint
+    $ curl --header "X-Vault-Token: ..." \
+            --header "X-Vault-Namespace: education" \
+            --request POST \
+            http://127.0.0.1:8200/v1/education/sys/namespaces/training
+
+    # Create a certification namespace under education
+    # NOTE: Pass the top-level namespace in the header
+    $ curl --header "X-Vault-Token: ..." \
+            --header "X-Vault-Namespace: education" \
+            --request POST \
+            http://127.0.0.1:8200/v1/sys/namespaces/certification
+    ```
+
+1.  List the created namespaces:
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: ..." \
+           --request LIST
+           http://127.0.0.1:8200/v1/sys/namespaces | jq
+    {
+       ...
+       "data": {
+         "keys": [
+           "education/"
+         ]
+       },
+       ...
+    ```
+
+
+    $ curl --header "X-Vault-Token: ..." \
+           --request LIST
+           http://127.0.0.1:8200/v1/education/sys/namespaces | jq
+     {
+       ...
+       "data": {
+         "keys": [
+           "certification/",
+           "training/"
+         ]
+       },
+       ...
+    ```
+
+#### Web UI
+
+1.  Open a web browser and launch the Vault UI (e.g. http://127.0.01:8200/ui)
+    and then login.
+
+1.  Select **Access**.
+
+1.  Select **Namespaces** and then click **Create a namespace**.
+
+1.  Enter **`education`** in the **Path** field.
+
+1.  Click **Save**.
+
+1.  To create child namespaces, select the down-arrow on the upper left corner of
+    the UI, and select **education** under **CURRENT NAMESPACE**.
+
+        ![NS Selection](/img/vault-multi-tenant-1.png)
+
+1.  Under the **Access** tab, select **Namespaces** and then click **Create a namespace**.
+
+1.  Enter **`training`** in the **Path** field, and click **Save**.
+
+1.  Select **Create a namespace** again, and then enter **`certification`** in
+    the **Path** field, and click **Save**.
+
+### <a name="step2"></a>Step 2: Write Policies
+
+(**Persona:** operations)
+
+In this scenario, there is an organization-level administrator who is a
+superuser within the scope of the **`education`** namespace. Also, there is a
+team-level administrator for **`training`** and **`certification`**.
+
+#### Policy for education admin
+
+**Requirements:**
+
+- Create and manage namespaces
+- Create and manage policies
+- Enable and manage secret engines
+- Create and manage entities and groups
+- Manage tokens
+
+**`edu-admin.hcl`**
+
+```shell
+# Manage namespaces
+path "sys/namespaces/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage policies via API
+path "sys/policies/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage policies via CLI
+path "sys/policy/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List policies via CLI
+path "sys/policy" {
+   capabilities = ["read", "update", "list"]
+}
+
+# Enable and manage secrets engines
+path "sys/mounts/*" {
+   capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# List available secret engines
+path "sys/mounts" {
+  capabilities = [ "read" ]
+}
+
+# Create and manage entities and groups
+path "identity/*" {
+   capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# Manage tokens
+path "auth/token/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+```
+
+#### Policy for training admin
+
+**Requirements:**
+
+- Create and manage child-namespaces
+- Create and manage policies
+- Enable and manage secret engines
+
+**`training-admin.hcl`**
+
+```shell
+# Manage namespaces
+path "sys/namespaces/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage policies via API
+path "sys/policies/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage policies via CLI
+path "sys/policy/*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List policies via CLI
+path "sys/policy" {
+  capabilities = ["read", "update", "list"]
+}
+
+# Enable and manage secrets engines
+path "sys/mounts/*" {
+   capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# List available secret engines
+path "sys/mounts" {
+  capabilities = [ "read" ]
+}
+```
+
+Now, let's deploy the policies!
+
+-> Also, refer to the [Additional Discussion](#policy-with-namespaces) section
+to learn more about policy authoring with namespaces.
+
+#### CLI command
+
+To target a specific namespace, you can do one of the following:
+
+- Set **`VAULT_NAMESPACE`** so that all subsequent CLI commands will be
+  executed against that particular namespace
+
+  ```plaintext
+  $ export VAULT_NAMESPACE=<namespace_name>
+  $ vault policy write <policy_name> <policy_file>
+  ```
+
+- Specify the target namespace with **`-namespace`** flag
+
+  ```plaintext
+  $ vault policy write -namespace=<namespace_name> <policy_name> <policy_file>
+  ```
+
+Since you have to deploy policies onto "`education`" and "`education/training`"
+namespaces, use "`-namespace`" flag instead of environment variable.
+
+Create **`edu-admin`** and **`training-admin`** policies.
+
+```shell
+# Create edu-admin policy under 'education' namespace
+$ vault policy write -namespace=education edu-admin edu-admin.hcl
+
+# Create training-admin policy under 'education/training' namespace
+$ vault policy write -namespace=education/training training-admin training-admin.hcl
+```
+
+#### API call using cURL
+
+To target a specific namespace, you can do one of the following:
+
+- Pass the target namespace in the **`X-Vault-Namespace`** header
+- Prepend the API endpoint with namespace name (e.g.
+  **`<namespace_name>`**`/sys/policies/acl`)
+
+Create **`edu-admin`** and **`training-admin`** policies.
+
+```shell
+# Create a request payload
+$ tee edu-payload.json <<EOF
+{
+  "policy": "path \"sys/namespaces/education/*\" {\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n } ... "
+}
+EOF
+
+# Create edu-admin policy under 'education' namespace
+$ curl --header "X-Vault-Token: ..." \
+       --header "X-Vault-Namespace: education" \
+       --request PUT \
+       --data @edu-payload.json \
+       https://127.0.0.1:8200/v1/sys/policies/acl/edu-admin
+
+# Create a request payload
+$ tee training-payload.json <<EOF
+{
+ "policy": "path \"sys/namespaces/education/training/*\" {\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n  }  ... "
+}
+EOF
+
+# Create training-admin policy under 'education/training' namespace
+# This example directs the target namespace in the API endpoint
+$ curl --header "X-Vault-Token: ..." \
+       --request PUT \
+       --data @training-payload.json \
+       https://127.0.0.1:8200/v1/education/training/sys/policies/acl/training-admin
+```
+
+#### Web UI
+
+1. In the Web UI, make sure that the **CURRENT NAMESPACE** is set to
+   **education** in the upper left menu.
+
+1. Click the **Policies** tab, and then select **Create ACL policy**.
+
+1. Toggle **Upload file** sliding switch, and click **Choose a file** to select your
+   **`edu-admin.hcl`** file you authored. This loads the policy and sets the
+   **Name** to be `edu-admin`.
+
+1. Click **Create Policy** to complete.
+
+1. Set the **CURRENT NAMESPACE** to be **education/training** in the upper left
+   menu.
+   ![Namespace](/img/vault-multi-tenant-6.png)
+
+1. In the **Policies** tab, select **Create ACL policy**.
+
+1. Toggle **Upload file**, and click **Choose a file** to select your
+   **`training-admin.hcl`** file you authored.
+
+1. Click **Create Policy**.
+
+### <a name="step3"></a>Step 3: Setup entities and groups
+
+(**Persona:** operations)
+
+Bob who is an organization-level administrator (superuser) has two accounts:
+**`bob`** and **`bsmith`**. You will create an entity, **Bob Smith** to
+associate those two accounts.
+
+Also, you are going to create a group for the team-level administrator, **Team
+Admin**, and add Bob Smith entity as a group member so that Bob can inherit the
+`training-admin` policy to manage the child namespace if he ever has to take
+over.
+
+![Entities and Groups](/img/vault-multi-tenant-3.png)
+
+-> This step only demonstrates CLI commands and Web UI to create
+entities and groups. Refer to the [Identity - Entities and
+Groups](/guides/identity/identity.html) guide if you need the full details.
+Also, read the [Additional Discussion](#additional-discussion) section for
+an example of setting up external groups.
+
+#### CLI Command
+
+```shell
+# First, you need to enable userpass auth method
+$ vault auth enable -namespace=education userpass
+
+# Create a user 'bob'
+$ vault write -namespace=education \
+        auth/userpass/users/bob password="password"
+
+# Create an entity for Bob Smith with 'edu-admin' policy attached
+# Save the generated entity ID in entity_id.txt file
+$ vault write -namespace=education -format=json identity/entity name="Bob Smith" \
+        policies="edu-admin" | jq -r ".data.id" > entity_id.txt
+
+# Get the mount accessor for userpass auth method and save it in accessor.txt file
+$ vault auth list -namespace=education -format=json \
+        | jq -r '.["userpass/"].accessor' > accessor.txt
+
+# Create an entity alias for Bob Smith to attach 'bob'
+$ vault write -namespace=education identity/entity-alias name="bob" \
+        canonical_id=$(cat entity_id.txt) mount_accessor=$(cat accessor.txt)
+
+# Create a group, "Training Admin" in education/training namespace
+$ vault write -namespace=education/training identity/group \
+        name="Training Admin" policies="training-admin" \
+        member_entity_ids=$(cat entity_id.txt)
+
+# Enable userpass auth method in training namespace
+$ vault auth enable -namespace=education/training userpass
+
+# Create a user 'bsmith'
+$ vault write -namespace=education/training \
+        auth/userpass/users/bsmith password="password"
+
+# Get the mount accessor for userpass auth method and save it in accessor2.txt file
+$ vault auth list -namespace=education/training -format=json \
+        | jq -r '.["userpass/"].accessor' > accessor2.txt
+
+# Add 'bsmith' to Bob Smith entity as its alias
+$ vault write -namespace=education identity/entity-alias name="bsmith" \
+        canonical_id=$(cat entity_id.txt) mount_accessor=$(cat accessor2.txt)
+```
+
+#### Web UI
+
+1.  In the Web UI, make sure that the **CURRENT NAMESPACE** is set to
+    **education** in the upper left menu.
+
+1.  Click the **Access** tab, and select **Enable new method**.
+
+1.  Select **Username & Password** from the **Type** drop-down menu.
+
+1.  Click **Enable Method**.
+
+1.  Click the Vault CLI shell icon (**`>_`**) to open a command shell. Enter the
+    following command to create a new user, **`bob`**.
+
+    ```plaintext
+    vault write auth/userpass/users/bob password="password"
+    ```
+
+    ![Create Policy](/img/vault-multi-tenant-4.png)
+
+1.  Click the icon (**`>_`**) again to hide the shell.
+
+1.  From the **Access** tab, select **Entities** and then **Create entity**.
+
+1.  Enter **`Bob Smith`** in the **Name** field, and **`edu-admin`** in the
+    **Policies** field.
+
+1.  Click **Create**.
+
+1.  Select **Add alias**. Enter **`bob`** in the **Name** field and select
+    **`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
+
+1.  Click **Create**.
+
+1.  Click the **Access** tab and select **Entities**.
+
+1.  Select the **`bob-smith`** entity and copy its **ID** displayed under the
+    **Details** tab.
+
+1.  Now, set the **CURRENT NAMESPACE** to **education/training**.
+    ![Namespace](/img/vault-multi-tenant-6.png)
+
+1.  In the **Access** tab, select **Groups**, and select **Create group**.
+
+1.  Paste in the entity ID in the **Member Entity IDs** field you copied.
+
+1.  Enter **`Training Admin`** in the **Name** field, **`training-admin`** in the
+    **Policies** field, and click **Create**.
+
+1.  Click the **Access** tab, and select **Enable new method**.
+
+1.  Select **Username & Password** from the **Type** drop-down menu.
+
+1.  Click **Enable Method**. Copy the mount accessor value which you will user later.
+    ![Namespace](/img/vault-multi-tenant-8.png)
+
+1.  Click the Vault CLI shell icon (**`>_`**) to open a command shell. Enter the
+    following command to create a new user, **`bsmith`**.
+
+    ```plaintext
+    vault write auth/userpass/users/bsmith password="password"
+    ```
+
+1.  Set the **CURRENT NAMESPACE** back to **education**.
+
+1.  In the command shell, enter the following command. Be sure to replace the
+    `<Bob_Smith_entity_id>` with the value you copied at step 13, and
+    `<mount_accessor>` with the value you copied at step 20.
+
+    ```plaintext
+    vault write identity/entity-alias name="bsmith" \
+            canonical_id=<Bob_Smith_entity_id> mount_accessor=<mount_accessor>
+    ```
+
+### <a name="step4"></a>Step 4: Test the organization admin user
+
+(**Persona:** org-admin)
+
+#### CLI Command
+
+Log in as **`bob`** into the `education` namespace:
+
+```plaintext
+$ vault login -namespace=education -method=userpass username="bob" password="password"
+
+Key                    Value
+---                    -----
+token                  5ai0qpQeCdRHALzEY4Q8sW.28dk2
+token_accessor         9xXQmdx6Aq6zw1KX4gpzb.28dk2
+token_duration         768h
+token_renewable        true
+token_policies         ["default"]
+identity_policies      ["edu-admin"]
+policies               ["default" "edu-admin"]
+token_meta_username    bob
+```
+
+Notice that the user, `bob` only has `default` policy attached to his token
+(`token_policies`); however, he inherited the `edu-admin` policy from the `Bob Smith` entity (`identity_policies`).
+
+Test to make sure that `bob` can create a namespace, enable secrets engine, and
+whatever else that you want to verify.
+
+```shell
+# Set the target namespace as an env variable
+$ export VAULT_NAMESPACE="education"
+
+# Create a new namespace called 'web-app'
+$ vault namespace create web-app
+Success! Namespace created at: education/web-app/
+
+# Enable key/value v2 secrets engine at edu-secret
+$ vault secrets enable -path=edu-secret kv-v2
+Success! Enabled the kv-v2 secrets engine at: edu-secret/
+```
+
+Optionally, you can create new policies to test that `bob` can perform the
+operations as expected. When you are done testing, unset the VAULT_NAMESPACE
+environment variable.
+
+```plaintext
+$ unset VAULT_NAMESPACE
+```
+
+#### API call using cURL
+
+Log in as **`bob`** into the `education` namespace:
+
+```plaintext
+$ curl --header "X-Vault-Namespace: education" \
+       --request POST \
+       --data '{"password": "password"}' \
+       http://127.0.0.1:8200/v1/auth/userpass/login/bob | jq
+{
+   ...
+   "auth": {
+     "client_token": "5ai0qpQeCdRHALzEY4Q8sW.28dk2",
+     "accessor": "9xXQmdx6Aq6zw1KX4gpzb.28dk2",
+     "policies": [
+        "default",
+        "edu-admin"
+      ],
+      "token_policies": [
+        "default"
+      ],
+      "identity_policies": [
+        "edu-admin"
+      ],
+      "external_namespace_policies": {
+        "9dKXw": [
+          "training-admin"
+        ]
+      },
+     "metadata": {
+       "username": "bob"
+     },
+     ...
+   }
+}
+```
+
+Notice that the user, `bob` only has `default` policy attached to his token
+(`token_policies`); however, he inherited the `edu-admin` policy from the `Bob Smith` entity (`identity_policies`). Also, `training-admin` policy is listed
+under `external_namespace_policies` due to its membership to the Training Admin
+group in `education/training` namespace.
+
+Verify that `bob` can perform the operations permitted by the `edu-admin`
+policy.
+
+```shell
+# Create a new namespace called 'web-app'
+# Be sure to use generated bob's client token
+$ curl --header "X-Vault-Token: 5ai0qpQeCdRHALzEY4Q8sW.28dk2" \
+       --request POST \
+       http://127.0.0.1:8200/v1/education/sys/namespaces/web-app
+
+# Enable key/value v2 secrets engine at edu-secret
+$ curl --header "X-Vault-Token: 5ai0qpQeCdRHALzEY4Q8sW.28dk2" \
+       --request POST \
+       --data '{"type": "kv-v2"}' \
+       http://127.0.0.1:8200/v1/education/sys/mounts/edu-secret
+```
+
+#### Web UI
+
+1. Open a web browser and launch the Vault UI (e.g. http://127.0.01:8200/ui). If
+   you are already logged in, sign out.
+
+1. At the **Sign in to Vault**, set the **Namespace** to **`education`**.
+
+1. Select the **Userpass** tab, and enter **`bob`** in the **Username** field,
+   and **`password`** in the **Password** field.
+   ![Login](/img/vault-multi-tenant-5.png)
+
+1. Click **Sign in**. Notice that the CURRENT NAMESPACE is set to **education**
+   in the upper left corner of the UI.
+
+1. To add a new namespace, select **Access**.
+
+1. Select **Namespaces** and then click **Create a namespace**.
+
+1. Enter **`web-app`** in the **Path** field, and then click **Save**.
+
+1. Select **Secrets**, and then **Enable new engine**.
+
+1. Select **KV** from the **Secrets engine type** drop-down list, and enter
+   **`edu-secret`** in the **Path** field.
+
+1. Click **Enable Engine** to finish.
+
+### <a name="step5"></a>Step 5: Test the team admin user
+
+(**Persona:** team-admin)
+
+#### CLI Command
+
+Log in as **`bsmith`** into the **`education/training`** namespace:
+
+```plaintext
+$ vault login -namespace=education/training -method=userpass username="bsmith" password="password"
+
+Key                    Value
+---                    -----
+token                  5YNNjDDl6D8iW3eGQIlU0q.9dKXw
+token_accessor         6TVkDhdvEQXO2JaD64TVLv.9dKXw
+token_duration         768h
+token_renewable        true
+token_policies         ["default"]
+identity_policies      ["training-admin"]
+policies               ["default" "training-admin"]
+token_meta_username    bsmith
+```
+
+Notice that the user, `bsmith` inherited the `training-admin` policy from the
+`Training Admin` group (`training_admin`) which `Bob Smith` entity is a member
+of.
+
+Verify that `bsmith` can perform the operations permitted by the
+`training-admin` policy.
+
+```shell
+# Set the target namespace as an env variable
+$ export VAULT_NAMESPACE="education/training"
+
+# Create a new namespace called 'vault-training'
+$ vault namespace create vault-training
+Success! Namespace created at: education/training/vault-training/
+
+# Enable key/value v1 secrets engine at team-secret
+$ vault secrets enable -path=team-secret -version=1 kv
+Success! Enabled the kv secrets engine at: team-secret/
+```
+
+When you are done testing, unset the VAULT_NAMESPACE environment variable.
+
+```plaintext
+$ unset VAULT_NAMESPACE
+```
+
+#### API call using cURL
+
+Log in as **`bsmith`** into the `education` namespace:
+
+```plaintext
+$ curl --header "X-Vault-Namespace: education/training" \
+       --request POST \
+       --data '{"password": "password"}' \
+       http://127.0.0.1:8200/v1/auth/userpass/login/bsmith | jq
+{
+   ...
+   "auth": {
+     "client_token": "5YNNjDDl6D8iW3eGQIlU0q.9dKXw",
+      "accessor": "6TVkDhdvEQXO2JaD64TVLv.9dKXw",
+      "display_name": "education-training-auth-userpass-bsmith",
+      "policies": [
+        "default",
+        "training-admin"
+      ],
+      "token_policies": [
+        "default"
+      ],
+      "identity_policies": [
+        "training-admin"
+      ],
+      "external_namespace_policies": {
+        "28dk2": [
+          "edu-admin"
+        ]
+      },
+      "metadata": {
+        "username": "bsmith"
+      },
+     ...
+   }
+}
+```
+
+Notice that the user, `bsmith` inherited the `training-admin` policy from the
+`Training Admin` group which `Bob Smith` entity is a member of. Also,
+`edu-admin` policy is listed under `external_namespace_policies`.
+
+Verify that `bsmith` can perform the operations permitted by the
+`training-admin` policy.
+
+```shell
+# Create a new namespace called 'vault-training'
+# Be sure to use generated bsmith's client token
+$ curl --header "X-Vault-Token: 5YNNjDDl6D8iW3eGQIlU0q.9dKXw" \
+       --request POST \
+       http://127.0.0.1:8200/v1/education/training/sys/namespaces/web-app
+
+# Enable key/value v1 secrets engine at team-secret
+$ curl --header "X-Vault-Token: 5YNNjDDl6D8iW3eGQIlU0q.9dKXw" \
+       --request POST \
+       --data '{"type": "kv"}' \
+       http://127.0.0.1:8200/v1/education/training/sys/mounts/edu-secret
+```
+
+#### Web UI
+
+1. Open a web browser and launch the Vault UI (e.g. http://127.0.01:8200/ui). If
+   you are already logged in, sign out.
+
+1. At the **Sign in to Vault**, set the **Namespace** to
+   **`education/training`**.
+
+1. Select the **Userpass** tab, and enter **`bsmith`** in the **Username**
+   field, and **`password`** in the **Password** field.
+
+1. Click **Sign in**.
+
+1. To add a new namespace, select **Access**.
+
+1. Select **Namespaces** and then click **Create a namespace**.
+
+1. Enter **`vault-training`** in the **Path** field, and then click **Save**.
+
+1. Select **Secrets**, and then **Enable new engine**.
+
+1. Select **KV** from the **Secrets engine type** drop-down list, and enter
+   **`team-secret`** in the **Path** field.
+
+1. Click **Enable Engine** to finish.
+
+### <a name="step6"></a>Step 6: Audit ambient credentials
+
+(**Persona:** operator)
+
+Many auth and secrets providers, such as AWS, Azure, GCP, and AliCloud, use ambient
+credentials to authenticate API calls. For example, AWS may:
+
+1. Use an access key and secret key configured in Vault.
+1. If not present, check for environment variables such as "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY".
+1. If not present, load credentials configured in "~/.aws/credentials".
+1. If not present, use instance metadata.
+
+This becomes a problem if these ambient credentials are not intended to be used within
+a particular namespace.
+
+For example, suppose that your Vault server is running on an
+AWS EC2 instance. You give the owner of a namespace a particular set of permissions to
+use for AWS. However, that owner _does not_ configure them. So, Vault falls back to using
+the credentials available in instance metadata, leading to a privilege escalation.
+
+To handle this:
+
+- Ensure no environment variables are available that could grant a privilege escalation.
+- Ensure that any privileges granted through instance metadata (in this example) or other
+  ambient identity info represent a _loss_ of privilege.
+- Directly configure the correct credentials in namespaces, and restrict access to that
+  endpoint so credentials can't later be edited to use ambient credentials.
+
+<br />
+
+~> **Summary:** As this guide demonstrated, each namespace you created behaves
+as an **isolated** Vault environment. Once you sign into a namespace, there is
+no visibility into other namespaces regardless of its hierarchical relationship.
+Tokens, policies, and secrets engines are tied to its namespace; therefore, each
+client must acquire a valid token for each namespace to access their secrets.
+
+## Additional Discussion
+
+For the simplicity, this guide used the username and password (`userpass`) auth
+method which was enabled in the education namespace. However, most likely, your
+organization uses LDAP auth method which is enabled in the **root** namespace
+instead.
+
+Here are the steps to create the "Training Admin" group as described in this
+guide using the LDAP auth method enabled in the root namespace.
+
+1.  Enable and configure the desired auth method (e.g. LDAP) in the root
+    namespace.
+
+    ```plaintext
+    $ vault auth enable ldap
+
+    $ vault write auth/ldap/config \
+            url="ldap://ldap.example.com" \
+            userdn="ou=Users,dc=example,dc=com" \
+            groupdn="ou=Groups,dc=example,dc=com" \
+            groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
+            groupattr="cn" \
+            upndomain="example.com" \
+            certificate=@ldap_ca_cert.pem \
+            insecure_tls=false \
+            starttls=true
+    ```
+
+1.  Create an _external_ group in the root namespace.
+
+    ```shell
+    # Get the mount accessor for ldap auth method and save it in accessor.txt file
+    $ vault auth list -format=json \
+            | jq -r '.["ldap/"].accessor' > accessor.txt
+
+    # Create an external group and save the generated group ID in group_id.txt
+    $ vault write -format=json identity/group name="training_admin_root" \
+            type="external" \
+            | jq -r ".data.id" > group_id.txt
+
+    # Create a group alias - assuming that the group name in LDAP is "ops_training"
+    $ vault write -format=json identity/group-alias name="ops_training" \
+            mount_accessor=$(cat accessor.txt) \
+            canonical_id=$(cat group_id.txt)
+    ```
+
+1.  In the `education/training` namespace, create an _internal_ group which has
+    the external group (`training_admin_root`) as its member.
+
+    ```plaintext
+    $ vault write -namespace=education/training identity/group \
+            name="Training Admin" \
+            policies="training-admin" \
+            member_group_ids=$(cat group_id.txt)
+    ```
+
+### Policy with namespaces
+
+In this guide, you created policies in each namespace (`education` and
+`education/training`). Therefore, you did not have to specify the target
+namespace in the policy paths.
+
+If you want to create policies in the root namespace to control `education` and
+`education/training` namespaces, prepend the namespace in the paths.
+
+For example:
+
+```hcl
+# Manage policies in the 'education' namespace
+path "education/sys/policies/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage tokens in the 'education' namespace
+path "education/auth/token/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage policies under 'education/training' namespace
+path "education/training/sys/policies/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage tokens in the 'education/training' namespace
+path "education/training/auth/token/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+...
+```
+
+In [Step 2](#step2), you deployed the `training-admin` policy in the
+`education/training` namespace. The path is relative to the working namespace.
+So, if you want to create the `training-admin` policy in the **`education`**
+namespace instead, the paths starts with `training/` rather than
+`education/training/`.
+
+```hcl
+# Manage namespaces
+path "training/sys/namespaces/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage policies via API
+path "training/sys/policies/*" {
+   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage policies via CLI
+path "training/sys/policy/*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+...
+```
+
+~> **NOTE:** Important to remember that tokens are local to the namespace.
+Therefore, you need a valid token for the namespace you want to operate in. The
+token created in the `education` namespace is not valid in the
+`education/training` namespace. This is so that each namespace is completely
+isolated from one another to ensure a secure multi-tenant environment.
+
+## Next steps
+
+Refer to the [Sentinel Policies](/guides/identity/sentinel.html) guide if you
+need to write policies that allow you to embed finer control over the user
+access across those namespaces.
diff --git a/website/pages/guides/operations/performance-nodes.mdx b/website/pages/guides/operations/performance-nodes.mdx
new file mode 100644
index 000000000000..c35e26b001a7
--- /dev/null
+++ b/website/pages/guides/operations/performance-nodes.mdx
@@ -0,0 +1,83 @@
+---
+layout: guides
+page_title: Performance Standby Nodes - Guides
+description: |-
+  This guide will walk you through a simple Vault Highly Available (HA) cluster
+  implementation. While this is not an exhaustive or prescriptive guide that
+  can be used as a drop-in production example, it covers the basics enough to
+  inform your own production setup.
+---
+
+# Performance Standby Nodes
+
+~> **Enterprise Only:** Performance Standby Nodes feature is a part of _Vault Enterprise_.
+
+In [Vault High Availability](/guides/operations/vault-ha-consul.html) guide, it
+was explained that only one Vault server will be _active_ in a cluster and
+handles **all** requests (reads and writes). The rest of the servers become the
+_standby_ nodes and simply forward requests to the _active_ node.
+
+![HA Architecture](/img/vault-ha-consul-3.png)
+
+If you are running **_Vault Enterprise_ 0.11** or later with the Consul storage
+backend, those standby nodes can handle most read-only requests. For example,
+performance standbys can handle encryption/decryption of data using
+[transit](/docs/secrets/transit/index.html) keys, GET requests of key/value
+secrets and other requests that do not change underlying storage. This can
+provide considerable improvements in throughput for traffic of this type,
+resulting in aggregate performance increase linearly correlated to the number
+of performance standby nodes deployed in a cluster.
+
+## Reference Materials
+
+- [Performance Standby Nodes](/docs/enterprise/performance-standby/index.html)
+- [High Availability Mode](/docs/concepts/ha.html)
+- [Consul Storage Backend](/docs/configuration/storage/consul.html)
+- [Vault Reference Architecture](/guides/operations/reference-architecture.html)
+
+## Server Configuration
+
+Performance standbys are enabled by default when the Vault Enterprise license
+includes this feature. If you wish to disable the performance standbys, you can
+do so by setting the
+[`disable_performance_standby`](/docs/configuration/index.html#vault-enterprise-parameters)
+flag to `true`.
+
+Since any of the nodes in a cluster can get elected as active, it is recommended
+to keep this setting consistent across all nodes in the cluster.
+
+!> Consider a scenario where a node with performance standby _disabled_
+becomes the active node. The performance standby feature is
+disabled for the whole cluster although it is enabled on other nodes.
+
+## Enterprise Cluster
+
+A highly available Vault Enterprise cluster consists of multiple servers, and
+there will be only one active node. The rest can serve as performance standby
+nodes handling read-only requests locally.
+
+![Cluster Architecture](/img/vault-perf-standby-1.png)
+
+The number of performance standby nodes within a cluster depends on your Vault
+Enterprise license.
+
+Consider the following scenario:
+
+- A cluster contains **five** Vault servers
+- Your Vault Enterprise license allows **two** performance standby nodes
+
+![Cluster Architecture](/img/vault-perf-standby.png)
+
+In this scenario, the performance standby nodes running on VM 8 and VM 9 can
+process read-only requests. However, the _standby_ nodes running on VM 6 and VM
+10 simply forward all requests to the active node running on VM 7.
+
+> **NOTE:** The selection of performance standby node is determined by the
+> active node. When a node is selected, it gets promoted to become a performance
+> standby. This is a race condition that there is no configuration
+> parameter to specify which nodes to become performance standbys.
+
+## Next steps
+
+Read [Production Hardening](/guides/operations/production.html) to learn best
+practices for a production hardening deployment of Vault.
diff --git a/website/pages/guides/operations/plugin-backends.mdx b/website/pages/guides/operations/plugin-backends.mdx
new file mode 100644
index 000000000000..84d354ea74e0
--- /dev/null
+++ b/website/pages/guides/operations/plugin-backends.mdx
@@ -0,0 +1,124 @@
+---
+layout: guides
+page_title: Plugin Backends - Guides
+sidebar_title: Building Plugin Backends
+description: 'Learn how to build, register, and mount a custom plugin backend.'
+---
+
+# Introduction
+
+Plugin backends utilize the [plugin system][plugin-system] to enable third-party
+secrets engines and auth methods.
+
+It is worth noting that even though [database secrets engines][database-backend]
+operate under the same underlying plugin mechanism, they are slightly different
+in design than plugin backends demonstrated in this guide. The database secrets
+engine manages multiple plugins under the same backend mount point, whereas
+plugin backends are kv backends that function as either secret or auth methods.
+
+This guide provides steps to build, register, and mount non-database external
+plugin backends.
+
+## Setup Vault
+
+Set `plugin_directory` to the desired path in the Vault configuration file.
+The path should exist and have proper lockdown on access permissions.
+
+```hcl
+# /etc/vault/config.d/plugins.hcl
+plugin_directory = "/etc/vault/vault_plugins"
+```
+
+If the Vault server is already running, you will need to tell it to reload its
+configuration by sending SIGHUP. If you stop and start the Vault server, you
+will need to unseal it again.
+
+## Compile Plugin
+
+Build the custom binary, and move it inside the `plugin_directory` path
+configured above. This guide uses `mock-plugin` that comes from Vault's
+[`logical/plugin/mock`](https://github.com/hashicorp/vault/tree/master/logical/plugin/mock/mock-plugin) package.
+
+Download the source (you would probably use your own plugin):
+
+```sh
+$ go get -f -u -d github.com/hashicorp/vault
+# ...
+$ cd $GOPATH/src/github.com/hashicorp/vault/sdk/plugin/mock/mock-plugin
+```
+
+Compile the plugin:
+
+```sh
+$ go build -o my-mock-plugin
+```
+
+Put the plugin in the directory:
+
+```sh
+$ mv my-mock-plugin /etc/vault/vault_plugins
+```
+
+Alternatively, if you wanted a custom version of a plugin built into Vault, such as AppRole:
+
+```sh
+$ cd $GOPATH/src/github.com/hashicorp/vault/builtin/credential/approle/cmd/approle
+$ go build
+$ mv approle /etc/vault/vault_plugins
+```
+
+## Register in Plugin Catalog
+
+Calculate the SHA256 sum of the compiled plugin binary, and use that to register
+the plugin into Vault's plugin catalog:
+
+```sh
+$ shasum -a 256 /etc/vault/vault_plugins/my-mock-plugin
+2c071aafa1b30897e60b79643e77592cb9d1e8f803025d44a7f9bbfa4779d615  /etc/vault/vault_plugins/my-mock-plugin
+
+$ vault write sys/plugins/catalog/secret/my-mock-plugin \
+    sha256=2c071aafa1b30897e60b79643e77592cb9d1e8f803025d44a7f9bbfa4779d615 \
+    command=my-mock-plugin
+Success! Data written to: sys/plugins/catalog/secret/my-mock-plugin
+```
+
+## Enable Plugin
+
+Enabling the plugin varies depending on if it's a secrets engine or auth method:
+
+```sh
+$ vault secrets enable -path=my-secrets-plugin my-mock-plugin
+Success! Enabled the my-mock-plugin plugin at: my-secrets-plugin/
+```
+
+If you try to mount this particular plugin as an auth method instead of a
+secrets engine, you will get an error:
+
+```sh
+$ vault auth enable -path=my-auth-plugin my-mock-plugin
+# ...
+* cannot mount 'my-mock-plugin' of type 'secret' as an auth method
+```
+
+## Perform Operations
+
+Each plugin responds to read, write, list, and delete as its own behavior.
+
+```text
+$ vault write my-secrets-plugin/kv/foo value=bar
+Key      Value
+---      -----
+value    bar
+```
+
+## Disable Plugin
+
+When you are done using the plugin, disable it.
+
+```text
+$ vault secrets disable my-secrets-plugin
+Success! Disabled the secrets engine (if it existed) at: my-secrets-plugin/
+```
+
+[plugin-system]: /docs/internals/plugins.html
+[database-backend]: /docs/secrets/databases/index.html
diff --git a/website/pages/guides/operations/production.mdx b/website/pages/guides/operations/production.mdx
new file mode 100644
index 000000000000..ae4c20cbac80
--- /dev/null
+++ b/website/pages/guides/operations/production.mdx
@@ -0,0 +1,122 @@
+---
+layout: guides
+page_title: Production Hardening - Guides
+sidebar_title: Production Hardening
+description: >-
+  This guide provides guidance on best practices for a production hardened
+  deployment of HashiCorp Vault.
+---
+
+# Production Hardening
+
+This guide provides guidance on best practices for a production hardened
+deployment of Vault. The recommendations are based on the [security
+model](/docs/internals/security.html) and focus on defense in depth.
+
+~> **Apply When Possible!** This guide is meant to provide guidance for an
+_ideal_ deployment of Vault, not to document requirements. It is entirely
+possible to use Vault without applying any of the following recommendations.
+These are best practice recommendations that should be applied when possible
+and practical.
+
+# Recommendations
+
+- **End-to-End TLS**. Vault should always be used with TLS in production. If
+  intermediate load balancers or reverse proxies are used to front Vault, they
+  should _not_ terminate TLS. This way traffic is always encrypted in transit
+  to Vault and minimizes risks introduced by intermediate layers.
+
+- **Single Tenancy**. Vault should be the only main process running on a
+  machine. This reduces the risk that another process running on the same
+  machine is compromised and can interact with Vault. Similarly, running on
+  bare metal should be preferred to a VM, and a VM preferred to a container.
+  This reduces the surface area introduced by additional layers of abstraction
+  and other tenants of the hardware. Both VM and container based deployments
+  work, but should be avoided when possible to minimize risk.
+
+- **Firewall traffic**. Vault listens on well known ports, use a local firewall
+  to restrict all incoming and outgoing traffic to Vault and essential system
+  services like NTP. This includes restricting incoming traffic to permitted
+  subnets and outgoing traffic to services Vault needs to connect to, such as
+  databases.
+
+- **Disable SSH / Remote Desktop**. When running a Vault as a single tenant
+  application, users should never access the machine directly. Instead, they
+  should access Vault through its API over the network. Use a centralized
+  logging and telemetry solution for debugging. Be sure to restrict access to
+  logs as need to know.
+
+- **Disable Swap**. Vault encrypts data in transit and at rest, however it must
+  still have sensitive data in memory to function. Risk of exposure should be
+  minimized by disabling swap to prevent the operating system from paging
+  sensitive data to disk. Vault attempts to ["memory lock" to physical memory
+  automatically](/docs/configuration/index.html#disable_mlock), but disabling
+  swap adds another layer of defense.
+
+- **Don't Run as Root**. Vault is designed to run as an unprivileged user, and
+  there is no reason to run Vault with root or Administrator privileges, which
+  can expose the Vault process memory and allow access to Vault encryption
+  keys. Running Vault as a regular user reduces its privilege. Configuration
+  files for Vault should have permissions set to restrict access to only the
+  Vault user.
+
+- **Turn Off Core Dumps**. A user or administrator that can force a core dump
+  and has access to the resulting file can potentially access Vault encryption
+  keys. Preventing core dumps is a platform-specific process; on Linux setting
+  the resource limit `RLIMIT_CORE` to `0` disables core dumps. This can be
+  performed by process managers and is also exposed by various shells; in Bash
+  `ulimit -c 0` will accomplish this.
+
+- **Immutable Upgrades**. Vault relies on an external storage backend for
+  persistence, and this decoupling allows the servers running Vault to be
+  managed immutably. When upgrading to new versions, new servers with the
+  upgraded version of Vault are brought online. They are attached to the same
+  shared storage backend and unsealed. Then the old servers are destroyed. This
+  reduces the need for remote access and upgrade orchestration which may
+  introduce security gaps.
+
+- **Avoid Root Tokens**. Vault provides a root token when it is first
+  initialized. This token should be used to setup the system initially,
+  particularly setting up auth methods so that users may
+  authenticate. We recommend treating Vault [configuration as
+  code](https://www.hashicorp.com/blog/codifying-vault-policies-and-configuration/),
+  and using version control to manage policies. Once setup, the root token
+  should be revoked to eliminate the risk of exposure. Root tokens can be
+  [generated when needed](/guides/operations/generate-root.html), and should be
+  revoked as soon as possible.
+
+- **Enable Auditing**. Vault supports several auditing backends. Enabling
+  auditing provides a history of all operations performed by Vault and provides
+  a forensics trail in the case of misuse or compromise. Audit logs [securely
+  hash](/docs/audit/index.html) any sensitive data, but access should still be
+  restricted to prevent any unintended disclosures.
+
+- **Upgrade Frequently**. Vault is actively developed, and updating frequently
+  is important to incorporate security fixes and any changes in default
+  settings such as key lengths or cipher suites. Subscribe to the [Vault
+  mailing list](https://groups.google.com/forum/#!forum/vault-tool) and [GitHub
+  CHANGELOG](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md) for
+  updates.
+
+- **Configure SELinux / AppArmor**. Using additional mechanisms like SELinux
+  and AppArmor can help provide additional layers of security when using Vault.
+  While Vault can run on many operating systems, we recommend Linux due to the
+  various security primitives mentioned here.
+
+- **Restrict Storage Access**. Vault encrypts all data at rest, regardless of
+  which storage backend is used. Although the data is encrypted, an [attacker
+  with arbitrary control](/docs/internals/security.html) can cause data
+  corruption or loss by modifying or deleting keys. Access to the storage
+  backend should be restricted to only Vault to avoid unauthorized access or
+  operations.
+
+- **Disable Shell Command History**. You may want the `vault` command itself to
+  not appear in history at all. Refer to [additional methods](/guides/secret-mgmt/static-secrets.html#additional-discussion)
+  for guidance.
+
+- **Tweak ulimits**. It is possible that your Linux distribution has strict process `ulimits`.
+  Consider to review `ulimits` for maximum amount of open files, connections, etc. before
+  going into production; they may need increasing.
+
+- **Docker Containers**. To leverage the ["memory lock"](/docs/configuration/index.html#disable_mlock)
+  feature inside the Vault container you will likely need to use the `overlayfs2` or another supporting driver.
diff --git a/website/pages/guides/operations/reference-architecture.mdx b/website/pages/guides/operations/reference-architecture.mdx
new file mode 100644
index 000000000000..c628d1d13d19
--- /dev/null
+++ b/website/pages/guides/operations/reference-architecture.mdx
@@ -0,0 +1,339 @@
+---
+layout: guides
+page_title: Vault Reference Architecture - Guides
+sidebar_title: Reference Architecture
+description: |-
+  This guide provides guidance in the best practices of Vault
+  implementations through use of a reference architecture.
+ea_version: 1
+---
+
+# Vault Reference Architecture
+
+The goal of this document is to recommend _HashiCorp Vault_ deployment
+practices. This reference architecture conveys a general architecture
+that should be adapted to accommodate the specific needs of each implementation.
+
+The following topics are addressed in this guide:
+
+- [Deployment Topology within One Datacenter](#one-dc)
+  - [Network Connectivity](#network-connectivity-details)
+  - [Deployment System Requirements](#deployment-system-requirements)
+  - [Hardware Considerations](#hardware-considerations)
+  - [Load Balancing](#load-balancing)
+  - [High Availability](#high-availability)
+- [Deployment Topology for Multiple Datacenters](#multi-dc)
+  - [Vault Replication](#vault-replication)
+- [Additional References](#additional-references)
+
+-> This document assumes Vault uses Consul as the [storage
+backend](/docs/internals/architecture.html) since that is the recommended
+storage backend for production deployments.
+
+## <a name="one-dc"></a>Deployment Topology within One Datacenter
+
+This section explains how to deploy a Vault open source cluster in one datacenter.
+Support for [multiple datacenters](#multi-dc) is included in Vault Enterprise through
+cluster replication.
+
+### Reference Diagram
+
+Eight Nodes with [Consul Storage Backend](/docs/configuration/storage/consul.html)
+![Reference diagram](/img/vault-ref-arch-2.png)
+
+#### Design Summary
+
+This design is the recommended architecture for production environments, as it
+provides flexibility and resilience. Consul servers are separate
+from the Vault servers so that software upgrades are easier to perform. Additionally,
+separate Consul and Vault servers allows for separate sizing for each.
+Vault to Consul backend connectivity is over HTTP and should be
+secured with TLS as well as a Consul token to provide encryption of all traffic.
+
+-> Refer to the online documentation to learn more about running [Consul in encrypted mode](https://www.consul.io/docs/agent/options.html#encrypt).
+
+#### Failure Tolerance
+
+Typical distribution in a cloud environment is to spread Consul/Vault nodes into
+separate Availability Zones (AZs) within a high bandwidth, low latency network,
+such as an AWS Region. The diagram below shows Vault and Consul spread between
+AZs, with Consul servers in Redundancy Zone configurations, promoting a single
+voting member per AZ, providing both Zone and Node level failure protection.
+
+-> Refer to the online documentation to learn more about the [Consul leader election process](https://www.consul.io/docs/guides/leader-election.html).
+
+![Failure tolerance|40%](/img/vault-ref-arch-3.png)
+
+### Network Connectivity Details
+
+![Network Connectivity Details](/img/vault-ref-arch.png)
+
+### Deployment System Requirements
+
+The following table provides guidelines for server sizing. Of particular note is
+the strong recommendation to avoid non-fixed performance CPUs, or "Burstable
+CPU" in AWS terms, such as T-series instances.
+
+#### Sizing for Vault Servers
+
+| Size  | CPU      | Memory       | Disk  | Typical Cloud Instance Types              |
+| ----- | -------- | ------------ | ----- | ----------------------------------------- |
+| Small | 2 core   | 4-8 GB RAM   | 25 GB | **AWS:** m5.large                         |
+|       |          |              |       | **Azure:** Standard_D2_v3                 |
+|       |          |              |       | **GCE:** n1-standard-2, n1-standard-4     |
+| Large | 4-8 core | 16-32 GB RAM | 50 GB | **AWS:** m5.xlarge, m5.2xlarge            |
+|       |          |              |       | **Azure:** Standard_D4_v3, Standard_D8_v3 |
+|       |          |              |       | **GCE:** n1-standard-8, n1-standard-16    |
+
+#### Sizing for Consul Servers
+
+| Size  | CPU      | Memory        | Disk   | Typical Cloud Instance Types              |
+| ----- | -------- | ------------- | ------ | ----------------------------------------- |
+| Small | 2 core   | 8-16 GB RAM   | 50 GB  | **AWS:** m5.large, m5.xlarge              |
+|       |          |               |        | **Azure:** Standard_D2_v3, Standard_D4_v3 |
+|       |          |               |        | **GCE:** n1-standard-4, n1-standard-8     |
+| Large | 4-8 core | 32-64+ GB RAM | 100 GB | **AWS:** m5.2xlarge, m5.4xlarge           |
+|       |          |               |        | **Azure:** Standard_D4_v3, Standard_D8_v3 |
+|       |          |               |        | **GCE:** n1-standard-16, n1-standard-32   |
+
+### Hardware Considerations
+
+The small size category would be appropriate for most initial production
+deployments, or for development/testing environments.
+
+The large size is for production environments where there is a consistent high
+workload. That might be a large number of transactions, a large number of
+secrets, or a combination of the two.
+
+In general, processing requirements will be dependent on encryption workload and
+messaging workload (operations per second, and types of operations). Memory
+requirements will be dependent on the total size of secrets/keys stored in
+memory and should be sized according to that data (as should the hard drive
+storage). Vault itself has minimal storage requirements, but the underlying
+storage backend should have a relatively high-performance hard disk subsystem.
+If many secrets are being generated/rotated frequently, this information will
+need to flush to disk often and can impact performance if slower hard drives are
+used.
+
+Consul servers function in this deployment is to serve as the storage backend
+for Vault. This means that all content stored for persistence in Vault is
+encrypted by Vault, and written to the storage backend at rest. This data is
+written to the key-value store section of Consul's Service Catalog, which is
+required to be stored in its entirety in-memory on each Consul server. This
+means that memory can be a constraint in scaling as more clients authenticate to
+Vault, more secrets are persistently stored in Vault, and more temporary secrets
+are leased from Vault. This also has the effect of requiring vertical scaling on
+Consul server's memory if additional space is required, as the entire Service
+Catalog is stored in memory on each Consul server.
+
+Furthermore, network throughput is a common consideration for Vault and Consul
+servers. As both systems are HTTPS API driven, all incoming requests,
+communications between Vault and Consul, underlying gossip communication between
+Consul cluster members, communications with external systems (per auth or secret
+engine configuration, and some audit logging configurations) and responses
+consume network bandwidth.
+
+Due to network performance considerations in Consul cluster operations,
+replication of Vault datasets across network boundaries should be achieved
+through Performance or DR Replication, rather than spreading the Consul cluster
+across network and physical boundaries. If a single consul cluster is spread
+across network segments that are distant or inter-regional, this can cause
+synchronization issues within the cluster or additional data transfer charges
+in some cloud providers.
+
+### Other Considerations
+
+[Vault Production Hardening Recommendations](/guides/operations/production.html)
+provides guidance on best practices for a production hardened deployment of
+Vault.
+
+## Load Balancing
+
+### <a name="consul-lb"></a>Load Balancing Using Consul Interface
+
+Consul can provide load balancing capabilities, but it requires that any Vault
+clients are Consul aware. This means that a client can either utilize Consul DNS
+or API interfaces to resolve the active Vault node. A client might access Vault
+via a URL like the following: `http://active.vault.service.consul:8200`
+
+This relies upon the operating system DNS resolution system, and
+the request could be forwarded to Consul for the actual IP address response.
+The operation can be completely transparent to legacy applications and would
+operate just as a typical DNS resolution operation.
+
+### <a name="external-lb"></a>Load Balancing Using External Load Balancer
+
+![Vault Behind a Load Balancer](/img/vault-ref-arch-9.png)
+
+External load balancers are supported as well, and would be placed in front of the
+Vault cluster, and would poll specific Vault URL's to detect the active node and
+route traffic accordingly. An HTTP request to the active node with the following
+URL will respond with a 200 status: `http://<Vault Node URL>:8200/v1/sys/health`
+
+The following is a sample configuration block from HAProxy to illustrate:
+
+```plaintext
+listen vault
+    bind 0.0.0.0:80
+    balance roundrobin
+    option httpchk GET /v1/sys/health
+    server vault1 192.168.33.10:8200 check
+    server vault2 192.168.33.11:8200 check
+    server vault3 192.168.33.12:8200 check
+```
+
+Note that the above block could be generated by Consul (with consul-template)
+when a software load balancer is used. This could be the case when the load
+balancer is software like Nginx, HAProxy, or Apache.
+
+**Example Consul Template for the above HAProxy block:**
+
+```plaintext
+listen vault
+   bind 0.0.0.0:8200
+   balance roundrobin
+   option httpchk GET /v1/sys/health{{range service "vault"}}
+   server {{.Node}} {{.Address}}:{{.Port}} check{{end}}
+```
+
+#### Client IP Address Handling
+
+There are two supported methods for handling client IP addressing behind a proxy
+or load balancer;
+[X-Forwarded-For Headers](https://www.vaultproject.io/docs/configuration/listener/tcp.html#x_forwarded_for_authorized_addrs)
+and [PROXY v1](https://www.vaultproject.io/docs/configuration/listener/tcp.html#proxy_protocol_authorized_addrs). Both require a trusted load balancer and require IP address whitelisting to
+adhere to security best practices.
+
+### High Availability
+
+A Vault cluster is the highly-available unit of deployment within one
+datacenter. A recommended approach is three Vault servers with a Consul storage
+backend. With this configuration, during a Vault server outage, failover is
+handled immediately without human intervention.
+
+To learn more about setting up your Vault servers in HA mode, read [_Vault HA
+with Consul_](/guides/operations/vault-ha-consul.html) guide.
+
+> High-availability with [Performance Standby
+> Nodes](/guides/operations/performance-nodes.html) and data-locality across
+> datacenters requires Vault Enterprise.
+
+## <a name="multi-dc"></a>Deployment Topology for Multiple Datacenters
+
+<img src="/img/vault-ref-arch-6.png" />
+
+### Vault Replication
+
+~> **Enterprise Only:** Vault replication feature is a part of _Vault Enterprise_.
+
+HashiCorp Vault Enterprise provides two modes of replication, **performance**
+and **disaster recovery**. The [Vault
+documentation](/docs/enterprise/replication/index.html) provides more detailed
+information on the replication capabilities within Vault Enterprise.
+
+![Replication Pattern](/img/vault-ref-arch-8.png)
+
+#### Performance Replication
+
+Vault performance replication allows for secrets management across many sites.
+Secrets, authentication methods, authorization policies and other details are
+replicated to be active and available in multiple locations.
+
+-> Refer to the [Vault Mount Filter](/guides/operations/mount-filter.html) guide
+about filtering out secret engines from being replicated across regions.
+
+#### Disaster Recovery Replication
+
+Vault disaster recovery replication ensures that a standby Vault cluster is kept
+synchronized with an active Vault cluster. This mode of replication includes
+data such as ephemeral authentication tokens, time-based token information as
+well as token usage data. This provides for aggressive recovery point objective
+in environments where preventing loss of ephemeral operational data is of the
+utmost concern.
+
+#### Cross-Region Disaster Recovery
+
+If your disaster recovery strategy is to plan for a loss of an entire data
+center, the following diagram illustrates a possible replication scenario.
+
+![Replication Pattern](/img/vault-ref-arch-4.png)
+
+In this scenario, if the Vault cluster in Region A fails and you promote the DR
+cluster in Region B to be the new primary, your applications will need to read
+and write secrets from the Vault cluster in Region B. This may or may not raise
+an issue for your applications, but you need to take that into a consideration
+during the planning.
+
+#### In-Region Disaster Recovery
+
+If your disaster recovery strategy is to plan for a loss of a cluster but not the
+entire data center, the following diagram illustrates a possible replication
+scenario.
+
+![Replication Pattern](/img/vault-ref-arch-7.png)
+
+-> Refer to the [Vault Disaster Recovery Setup](/guides/operations/disaster-recovery.html) guide for additional information.
+
+#### Corruption or Sabotage Disaster Recovery
+
+Another common scenario to protect against, more prevalent in cloud environments
+that provide very high levels of intrinsic resiliency, might be the purposeful
+or accidental corruption of data and configuration, and or a loss of cloud account
+control. Vault's DR Replication is designed to replicate live data, which would
+propagate intentional or accidental data corruption or deletion. To protect against
+these possibilities, you should backup Vault's storage backend. This is supported
+through the Consul Snapshot feature, which can be automated for regular archival
+backups. A cold site or new infrastructure could be re-hydrated from a Consul
+snapshot.
+
+-> Refer to the online documentation to learn more about [Consul snapshots](https://www.consul.io/docs/commands/snapshot.html).
+
+#### Replication Notes
+
+- There is no set limit on number of clusters within a replication set. Largest
+  deployments today are in the 30+ cluster range.
+- Any cluster within a Performance replication set can act as a Disaster
+  Recovery primary cluster.
+- A cluster within a Performance replication set can also replicate to multiple
+  Disaster Recovery secondary clusters.
+- While a Vault cluster can possess a replication role (or roles), there are no
+  special considerations required in terms of infrastructure, and clusters can
+  assume (or be promoted) to another role. Special circumstances related to mount
+  filters and HSM usage may limit swapping of roles, but those are based on
+  specific organization configurations.
+
+#### Considerations Related to Unseal proxy_protocol_behavior
+
+Using replication with Vault clusters integrated with HSM devices for automated
+unseal operations has some details that should be understood during the planning
+phase.
+
+- If a **performance** primary cluster utilizes an HSM, all other clusters
+  within that replication set must use an HSM as well.
+- If a **performance** primary cluster does NOT utilize an HSM (uses Shamir
+  secret sharing method), the clusters within that replication set can be mixed,
+  such that some may use an HSM, others may use Shamir.
+
+For sake of this discussion, the cloud auto-unseal feature is treated as an
+HSM.
+
+## Additional References
+
+- Vault [architecture](/docs/internals/architecture.html) documentation explains
+  each Vault component
+- To integrate Vault with existing LDAP server, refer to
+  [LDAP Auth Method](/docs/auth/ldap.html) documentation
+- Refer to the [AppRole Pull
+  Authentication](/guides/identity/authentication.html) guide to programmatically
+  generate a token for a machine or app
+- Consul is an integral part of running a resilient Vault cluster, regardless of
+  location. Refer to the online [Consul documentation](https://www.consul.io/intro/getting-started/install.html) to
+  learn more.
+
+## Next steps
+
+- Read [Production Hardening](/guides/operations/production.html) to learn best
+  practices for a production hardening deployment of Vault.
+
+- Read [Deployment Guide](/guides/operations/deployment-guide.html) to learn
+  the steps required to install and configure a single HashiCorp Vault cluster.
diff --git a/website/pages/guides/operations/rekeying-and-rotating.mdx b/website/pages/guides/operations/rekeying-and-rotating.mdx
new file mode 100644
index 000000000000..e87445e7785f
--- /dev/null
+++ b/website/pages/guides/operations/rekeying-and-rotating.mdx
@@ -0,0 +1,142 @@
+---
+layout: guides
+page_title: Rekeying & Rotating Vault - Guides
+sidebar_title: Rekeying & Rotating
+description: |-
+  Vault supports generating new unseal keys as well as rotating the underlying
+  encryption keys. This guide covers rekeying and rotating Vault's encryption
+  keys.
+---
+
+# Rekeying &amp; Rotating Vault
+
+~> **Advanced Topic** This guide presents an advanced topic that is not required
+for a basic understanding of Vault. Knowledge of this topic is not required for
+daily Vault use.
+
+## Background
+
+In order to prevent no one person from having complete access to the system,
+Vault employs [Shamir's Secret Sharing Algorithm][shamir]. Under this process,
+a secret is divided into a subset of parts such that a subset of those parts are
+needed to reconstruct the original secret. Vault makes heavy use of this
+algorithm as part of the [unsealing process](/docs/concepts/seal.html).
+
+When a Vault server is first initialized, Vault generates a master key and
+immediately splits this master key into a series of key shares following
+Shamir's Secret Sharing Algorithm. Vault never stores the master key, therefore,
+the only way to retrieve the master key is to have a quorum of unseal keys
+re-generate it.
+
+The master key is used to decrypt the underlying encryption key. Vault uses the
+encryption key to encrypt data at rest in a storage backend like the filesystem
+or Consul.
+
+Typically each of these key shares is distributed to trusted parties in the
+organization. These parties must come together to "unseal" the Vault by entering
+their key share.
+
+[![Vault Shamir Secret Sharing Algorithm](/img/vault-shamir-secret-sharing.svg)](/img/vault-shamir-secret-sharing.svg)
+
+[shamir]: https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
+
+In some cases, you may want to re-generate the master key and key shares. Here
+are a few examples:
+
+- Someone joins or leaves the organization
+- Security wants to change the number of shares or threshold of shares
+- Compliance mandates the master key be rotated at a regular interval
+
+In addition to rekeying the master key, there may be an independent desire to
+rotate the underlying encryption key Vault uses to encrypt data at rest.
+
+[![Vault Rekey vs Rotate](/img/vault-rekey-vs-rotate.svg)](/img/vault-rekey-vs-rotate.svg)
+
+In Vault, _rekeying_ and _rotating_ are two separate operations. The process for
+generating a new master key and applying Shamir's algorithm is called
+"rekeying". The process for generating a new encryption key for Vault to encrypt
+data at rest is called "rotating".
+
+Both rekeying the Vault and rotating Vault's underlying encryption key are fully
+online operations. Vault will continue to service requests uninterrupted during
+either of these processes.
+
+## Rekeying Vault
+
+Rekeying the Vault requires a quorum of unseal keys. Before continuing, you
+should ensure enough unseal key holders are available to assist with the
+rekeying to match the threshold configured when the keys were issued.
+
+First, initialize a rekeying operation. The flags represent the **newly
+desired** number of keys and threshold:
+
+```text
+$ vault operator rekey -init -key-shares=3 -key-threshold=2
+```
+
+This will generate a nonce value and start the rekeying process. All other
+unseal keys must also provide this nonce value. This nonce value is not a
+secret, so it is safe to distribute over insecure channels like chat, email, or
+carrier pigeon.
+
+```text
+Key               Value
+---               -----
+Nonce             dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
+Started           true
+Rekey Progress    0/1
+New Shares        3
+New Threshold     2
+```
+
+Each unseal key holder runs the following command and enters their unseal key:
+
+```text
+$ vault operator rekey -nonce=<nonce>
+Rekey operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
+Key (will be hidden):
+```
+
+When the final unseal key holder enters their key, Vault will output the new
+unseal keys:
+
+```text
+Key 1: EDj4NZK6z5Y9rpr+TtihTulfdHvFzXtBYQk36dmBczuQ
+Key 2: sCkM1i5BGGNDFk5GsqtVolWRPyd5mWn2eZG0gUySiCF7
+Key 3: e5DUvDIH0cPU8Q+hh1KNVkkMc9lliliPVe9u3Fzbzv38
+
+Operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
+
+Vault rekeyed with 3 keys and a key threshold of 2. Please
+securely distribute the above keys. When the vault is re-sealed,
+restarted, or stopped, you must provide at least 2 of these keys
+to unseal it again.
+
+Vault does not store the master key. Without at least 2 keys,
+your vault will remain permanently sealed.
+```
+
+Like the initialization process, Vault supports PGP encrypting the resulting
+unseal keys and creating backup encryption keys for disaster recovery.
+
+## Rotating the Encryption Key
+
+Unlike rekeying the Vault, rotating Vault's encryption key does not require a
+quorum of unseal keys. Anyone with the proper permissions in Vault can perform
+the encryption key rotation.
+
+To trigger a key rotation, execute the command:
+
+```text
+$ vault operator rotate
+```
+
+This will output the key version and installation time:
+
+```text
+Key Term: 2
+Installation Time: ...
+```
+
+This will add a new key to the keyring. All new values written to the storage
+backend will be encrypted with this new key.
diff --git a/website/pages/guides/operations/replication.mdx b/website/pages/guides/operations/replication.mdx
new file mode 100644
index 000000000000..c397d8707d11
--- /dev/null
+++ b/website/pages/guides/operations/replication.mdx
@@ -0,0 +1,175 @@
+---
+layout: guides
+page_title: Setting up Vault Enterprise Performance Replication - Guides
+sidebar_title: Replication Setup & Guidance
+description: Learn how to set up and manage Vault Enterprise Performance Replication.
+---
+
+# Replication Setup &amp; Guidance
+
+~> **Enterprise Only:** Vault replication feature is a part of _Vault Enterprise_.
+
+If you're unfamiliar with Vault Replication concepts, please first look at the
+[general information page](/docs/vault-enterprise/replication/index.html). More
+details can be found in the
+[replication internals](/docs/internals/replication.html) document.
+
+Vault replication also includes a complete API. For more information, please see
+the [Vault Replication API documentation](/api/system/replication.html)
+
+## Activating Performance Replication
+
+### Activating the Primary
+
+To activate the primary, run:
+
+    $ vault write -f sys/replication/performance/primary/enable
+
+There is currently one optional argument: `primary_cluster_addr`. This can be
+used to override the cluster address that the primary advertises to the
+secondary, in case the internal network address/pathing is different between
+members of a single cluster and primary/secondary clusters.
+
+### Fetching a Secondary Token
+
+To fetch a secondary bootstrap token, run:
+
+    $ vault write sys/replication/performance/primary/secondary-token id=<id>
+
+The value for `id` is opaque to Vault and can be any identifying value you want;
+this can be used later to revoke the secondary and will be listed when you read
+replication status on the primary. You will get back a normal wrapped response,
+except that the token will be JWT-formatted..
+
+### Activating a Secondary
+
+To activate a secondary using the fetched token, run:
+
+    $ vault write sys/replication/performance/secondary/enable token=<token>
+
+You must provide the full token value. Be very careful when running this
+command, as it will destroy all data currently stored in the secondary.
+
+There are a few optional arguments, with the one you'll most likely need being
+`primary_api_addr`, which can be used to override the API address of the
+primary cluster; otherwise the secondary will use the value embedded in the
+bootstrap token, which is the primary’s redirect address. If the primary has no
+redirect address (for instance, if it's not in an HA cluster), you'll need to
+set this value at secondary enable time.
+
+Once the secondary is activated and has bootstrapped, it will be ready for
+service and will maintain state with the primary. It is safe to seal/shutdown
+the primary and/or secondary; when both are available again, they will
+synchronize back into a replicated state.
+
+Note: if the secondary is in an HA cluster, you will need to ensure that each
+standby is sealed/unsealed with the new (primary’s) unseal keys. If one of the
+standbys takes over on active duty before this happens it will seal itself to
+remove it from rotation (e.g. if using Consul for service discovery), but if a
+standby does not attempt taking over it will throw errors. We hope to make this
+workflow better in a future update.
+
+### Secondary Tokens
+
+On a production system, after a secondary is activated, the enabled
+auth methods should be used to get tokens with appropriate policies,
+as policies and auth method configuration are replicated.
+
+The generate-root command can also be used to generate a root token local to
+the secondary cluster. After the secondary is activated, it will need to use the unseal or recovery keys from the Primary when generating a new root token or performing other commands that require unseal or recovery keys.
+
+#### Dev-Mode Root Tokens
+
+To ease development and testing, when both the primary and secondary are
+running in development mode, the initial root token created by the primary
+(including those with custom IDs specified with `-dev-root-token-id`) will be
+populated into the secondary upon activation. This allows a developer to keep a
+consistent `~/.vault-token` file or `VAULT_TOKEN` environment variable when
+working with both clusters.
+
+## Managing Vault Performance Replication
+
+Vault’s performance replication model is intended to allow horizontally scaling Vault’s
+functions rather than to act in a strict Disaster Recovery (DR) capacity. For more information on Vault's disaster recovery replication, look at the
+[general information page](/docs/vault-enterprise/replication/index.html).
+
+As a result, Vault performance replication acts on static items within Vault, meaning
+information that is not part of Vault’s lease-tracking system. In a practical
+sense, this means that all Vault information is replicated from the primary to
+secondaries except for tokens and secret leases.
+
+Because token information must be checked and possibly rewritten with each use
+(e.g. to decrement its use count), replicated tokens would require every call
+to be forwarded to the primary, decreasing rather than increasing total Vault
+throughput.
+
+Secret leases are tracked independently for two reasons: one, because every
+such lease is tied to a token and tokens are local to each cluster; and two,
+because tracking large numbers of leases is memory-intensive and tracking all
+leases in a replicated fashion could dramatically increase the memory
+requirements across all Vault nodes.
+
+We believe that this performance replication model provides significant utility for horizontally scaling Vault’s functionality. However, it does mean
+that certain principles must be kept in mind.
+
+### Always Use the Local Cluster
+
+First and foremost, when designing systems to take advantage of replicated
+Vault, you must ensure that they always use the same Vault cluster for all
+operations, as only that cluster will know about the client’s Vault token.
+
+### Enabling a Secondary Wipes Storage
+
+Replication relies on having a shared keyring between primary and secondaries
+and also relies on having a shared understanding of the data store state. As a
+result, when replication is enabled, all of the secondary’s existing storage
+will be wiped. This is irrevocable. Make a backup first if there is a remote
+chance you’ll need some of this data at some future point.
+
+Generally, activating as a secondary will be the first thing that is done upon
+setting up a new cluster for replication.
+
+### Replicated vs. Local Backend Mounts
+
+All backend mounts (of all types) that can be enabled within Vault default to
+being mounted as a replicated mount. This means that mounts cannot be enabled
+on a secondary, and mounts enabled on the primary will replicate to
+secondaries.
+
+Mounts can also be marked local (via the `-local` flag on the Vault CLI or
+setting the `local` parameter to `true` in the API). This can only be performed
+at mount time; if a mount is local but should have been replicated, or vice
+versa, you must disable the backend and mount a new instance at that path with
+the local flag enabled.
+
+Local mounts do not propagate data from the primary to secondaries, and local
+mounts on secondaries do not have their data removed during the syncing
+process. The exception is during initial bootstrapping of a secondary from a
+state where replication is disabled; all data, including local mounts, is
+deleted at this time (as the encryption keys will have changed so data in local
+mounts would be unable to be read).
+
+### Audit Devices
+
+In normal Vault usage, if Vault has at least one audit device configured and
+is unable to successfully log to at least one device, it will block further
+requests.
+
+Replicated audit mounts must be able to successfully log on all replicated
+clusters. For example, if using the file audit device, the configured path must
+be able to be written to by all secondaries. It may be useful to use at least
+one local audit mount on each cluster to prevent such a scenario.
+
+### Never Have Two Primaries
+
+The replication model is not designed for active-active usage and enabling two
+primaries should never be done, as it can lead to data loss if they or their
+secondaries are ever reconnected.
+
+### Disaster Recovery
+
+Local backend mounts are not replicated and their use will require existing DR
+mechanisms if DR is necessary in your implementation.
+
+If you need true DR, look at the
+[general information page](/docs/vault-enterprise/replication/index.html) for information on Vault's disaster recovery replication.
diff --git a/website/pages/guides/operations/seal-wrap.mdx b/website/pages/guides/operations/seal-wrap.mdx
new file mode 100644
index 000000000000..831520b96ae0
--- /dev/null
+++ b/website/pages/guides/operations/seal-wrap.mdx
@@ -0,0 +1,613 @@
+---
+layout: guides
+page_title: Seal Wrap / FIPS 140-2 - Guides
+sidebar_title: Seal Wrap / FIPS 140-2
+description: 'In this guide,'
+---
+
+# Seal Wrap / FIPS 140-2
+
+~> **Enterprise Only:** Vault's HSM auto-unseal and Seal Wrap features are a
+part of _Vault Enterprise_.
+
+**_Vault Enterprise_** integrates with [HSM platforms](/docs/enterprise/hsm/index.html)
+to opt-in automatic [unsealing](/docs/concepts/seal.html#unsealing).
+HSM integration provides three pieces of special functionality:
+
+- **Master Key Wrapping**: Vault protects its master key by transiting it through
+  the HSM for encryption rather than splitting into key shares
+- **Automatic Unsealing**: Vault stores its encrypted master key in storage,
+  allowing for automatic unsealing
+- **Seal Wrapping** to provide FIPS KeyStorage-conforming functionality for Critical Security Parameters
+
+![Unseal with HSM](/img/vault-hsm-autounseal.png)
+
+In some large organizations, there is a fair amount of complexity in designating
+key officers, who might be available to unseal Vault installations as the most
+common pattern is to deploy Vault immutably. As such automating unseal using an
+HSM provides a simplified yet secure way of unsealing Vault nodes as they get
+deployed.
+
+Vault pulls its encrypted master key from storage and transit it through the
+HSM for decryption via **PKCS \#11 API**. Once the master key is decrypted,
+Vault uses the master key to decrypt the encryption key to resume with Vault
+operations.
+
+## Reference Material
+
+- [HashiCorp + AWS: Integrating CloudHSM with Vault Enterprise](https://www.hashicorp.com/resources/hashicorp-and-aws-integrating-cloudhsm-with-vault-e) webinar
+- [Seal Wrap documentation](/docs/enterprise/sealwrap/index.html)
+- [Vault Configuration - pkcs11 Seal](/docs/configuration/seal/pkcs11.html)
+- [Vault Enterprise HSM Support](/docs/enterprise/hsm/index.html)
+- [NIST SC-12: Cryptographic Key Establishment and Management](https://nvd.nist.gov/800-53/Rev4/control/SC-12)
+- [NIST SC-13: Cryptographic Protection](https://nvd.nist.gov/800-53/Rev4/control/SC-13)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Challenge
+
+The Federal Information Processing Standard (FIPS) 140-2 is a U.S. Government
+computer security standard used to accredit cryptography modules. If your
+product or service does not follow FIPS' security requirements, it may
+complicate your ability to operate with U.S. Government data.
+
+Aside from doing business with U.S. government, your organization may care about
+FIPS which approves various cryptographic ciphers for hashing, signature, key
+exchange, and encryption for security.
+
+## Solution
+
+Integrate Vault with FIPS 140-2 certified HSM and enable the **_Seal Wrap_**
+feature to protect your data.
+
+Vault encrypts secrets using 256-bit AES in GCM mode with a randomly generated
+nonce prior to writing them to its persistent storage. By enabling seal wrap,
+Vault wraps your secrets with **an extra layer of encryption** leveraging the
+HSM encryption and decryption.
+
+![Seal Wrap](/img/vault-seal-wrap.png)
+
+#### Benefits of the Seal Wrap:
+
+- Conformance with FIPS 140-2 directives on Key Storage and Key Transport as [certified by Leidos](/docs/enterprise/sealwrap/index.html#fips-140-2-compliance)
+- Supports FIPS level of security equal to HSM
+  - For example, if you use Level 3 hardware encryption on an HSM, Vault will be
+    using FIPS 140-2 Level 3 cryptography
+- Allows Vault to be deployed in high security [GRC](https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance)
+  environments (e.g. PCI-DSS, HIPAA) where FIPS guidelines important for external audits
+- Pathway for Vault's use in managing Department of Defense's (DOD) or North
+  Atlantic Treaty Organization (NATO) military secrets
+
+## Prerequisites
+
+This intermediate operations guide assumes that you have:
+
+- A [supported HSM](/docs/enterprise/hsm/index.html) cluster to be integrated
+  with Vault
+- Vault Enterprise Premium
+
+## Steps
+
+This guide walks you through the following steps:
+
+1. [Configure HSM Auto-unseal](#step1)
+1. [Enable Seal Wrap](#step2)
+1. [Test the Seal Wrap Feature](#step3)
+
+### <a name="step1"></a>Step 1: Configure HSM Auto-unseal
+
+When a Vault server is started, it normally starts in a sealed state where a
+quorum of existing unseal keys is required to unseal it. By integrating Vault
+with HSM, your Vault server can be automatically unsealed by the trusted HSM key
+provider.
+
+#### Task 1: Write a Vault configuration file
+
+To integrate your Vault Enterprise server with an HSM cluster, the configuration
+file must define the [`PKCS11 seal` stanza](/docs/configuration/seal/pkcs11.html)
+providing necessary connection information.
+
+**Example: `config-hsm.hcl`**
+
+```shell
+# Provide your AWS CloudHSM cluster connection information
+seal "pkcs11" {
+  lib = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so"
+  slot = "1"
+  pin = "vault:Password1"
+  key_label = "hsm_demo"
+  hmac_key_label = "hsm_hmac_demo"
+  generate_key = "true"
+}
+
+# Configure the storage backend for Vault
+storage "file" {
+  path = "/tmp/vault"
+}
+
+# Addresses and ports on which Vault will respond to requests
+listener "tcp" {
+  address     = "127.0.0.1:8200"
+  tls_disable = 1
+}
+
+ui = true
+```
+
+> **NOTE:** For the purpose of this guide, the storage backend is set to the
+> local file system (`/tmp/vault`) to make the verification step easy.
+
+The example configuration defines the following in its **`seal`** stanza:
+
+- **`lib`** is set to the path to the PKCS \#11 library on the virtual machine
+  where Vault Enterprise is installed
+- **`slot`** should be set to the slot number to use
+- **`pin`** is the PKCS \#11 PIN for login
+- **`key_label`** defines the label of the key you want to use
+- **`hmac_key_label`** defines the label of the key you want to use for HMACing.
+  (NOTE: HMAC is optional and only used for mechanisms that do not support
+  authenticated data.)
+- **`generate_key`** is set to `true`. If no existing key with the label
+  specified by `key_label` can be found at Vault initialization time, Vault
+  generates a key
+
+~> **IMPORTANT:** Having Vault generate its own key is the easiest way to get up
+and running, but for security, Vault marks the key as **non-exportable**. If
+your HSM key backup strategy requires the key to be exportable, you should
+generate the key yourself. Refer to the [key generation attributes](/docs/configuration/seal/pkcs11.html#vault-key-generation-attributes).
+
+#### Task 2: Initialize your Vault Enterprise server
+
+Start the Vault server with your Vault configuration file. For example, if your
+configuration file is located at `/home/ec2-user/config-hsm.hcl`, the command
+would look like:
+
+```plaintext
+$ vault server -config=/home/ec2-user/config-hsm.hcl
+
+  SDK Version: 2.03
+==> Vault server configuration:
+
+   HSM PKCS#11 Version: 2.40
+           HSM Library: Cavium PKCS#11 Interface
+   HSM Library Version: 1.0
+   HSM Manufacturer ID: Cavium Networks
+              HSM Type: pkcs11
+                   Cgo: enabled
+            Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
+             Log Level: info
+                 Mlock: supported: true, enabled: false
+               Storage: file
+               Version: Vault v0.10.1+ent.hsm
+           Version Sha: 0e628142d6b6e5cabfdb9680a6d669d38f15574f
+
+==> Vault server started! Log data will stream in below:
+```
+
+<br />
+
+In another terminal, set the `VAULT_ADDR` environment variable, and [initialize](/intro/getting-started/deploy.html#initializing-the-vault) your Vault server.
+
+**Example:**
+
+```shell
+# Set the VAULT_ADDR environment variable
+$ export VAULT_ADDR="http://127.0.0.1:8200"
+
+# Initialize Vault
+$ vault operator init
+
+Recovery Key 1: 2bU2wOfmyMqYcsEYo4Mo9q4s/KAODgHHjcmZmFOo+XY=
+Initial Root Token: 8d726c6b-98ba-893f-23d5-be3d2fec480e
+
+Success! Vault is initialized
+
+Recovery key initialized with 1 key shares and a key threshold of 1. Please
+securely distribute the key shares printed above.
+```
+
+There is only a single master key created which is encrypted by the HSM using
+PKCS \#11, and then placed in the storage. When Vault needs to be unsealed, it
+grabs the HSM encrypted master key from the storage, round trips it through the
+HSM to decrypt the master key.
+
+~> **NOTE:** When Vault is initialized while using an HSM, rather than unseal
+keys being returned to the operator, **recovery keys** are returned. These are
+generated from an internal recovery key that is [split via Shamir's Secret
+Sharing](/docs/enterprise/hsm/behavior.html#initialization), similar to Vault's
+treatment of unseal keys when running without an HSM. Some Vault operations such
+as generation of a root token require these recovery keys.
+
+Login to the Vault using the generated root token to verify.
+
+```plaintext
+$ vault login 8d726c6b-98ba-893f-23d5-be3d2fec480e
+```
+
+#### Task 3: Verification
+
+Stop and restart the Vault server and then verify its status:
+
+```plaintext
+$ vault status
+
+Key                      Value
+---                      -----
+Recovery Seal Type       shamir
+Sealed                   false
+Total Recovery Shares    1
+Threshold                1
+Version                  0.10.1+ent.hsm
+Cluster Name             vault-cluster-80556565
+Cluster ID               40316cdd-3d42-ec36-e7b0-6a7a0684568c
+HA Enabled               false
+```
+
+The `Sealed` status is **`false`** which means that the Vault was automatically
+unsealed upon its start. You can proceed with Vault operations.
+
+### <a name="step2"></a>Step 2: Enable Seal Wrap
+
+-> **NOTE:** For FIPS 140-2 compliance, seal wrap requires FIPS
+140-2 Certified HSM which is supported by _Vault Enterprise Premium_.
+
+For some values, seal wrapping is **always enabled** including the recovery key, any
+stored key shares, the master key, the keyring, and more. When working with the
+key/value secret engine, you can enable seal wrap to wrap all data.
+
+### CLI command
+
+Check the enabled secret engines.
+
+```plaintext
+$ vault secrets list -format=json
+{
+  ...
+  "secret/": {
+    "type": "kv",
+    "description": "key/value secret storage",
+    "accessor": "kv_75820543",
+    "config": {
+      "default_lease_ttl": 0,
+      "max_lease_ttl": 0,
+      "force_no_cache": false
+    },
+    "options": {
+      "version": "1"
+    },
+    "local": false,
+    "seal_wrap": false
+  },
+  ...
+```
+
+Notice that the `seal_wrap` parameter is set to **`false`**.
+
+> For the purpose of comparing seal wrapped data against unwrapped data, enable
+> additional key/value secret engine at the `secret2/` path.
+
+```shell
+# Pass the '-seal-wrap' flag when you enable the KV workflow
+$ vault secrets enable -path=secret2/ -version=1 -seal-wrap kv
+```
+
+The above command enabled [key/value version 1](/docs/secrets/kv/kv-v1.html) with
+seal wrap feature enabled.
+
+```plaintext
+$ vault secrets list -format=json
+{
+  ...
+  "secret2/": {
+    "type": "kv",
+    "description": "",
+    "accessor": "kv_bdd74241",
+    "config": {
+      "default_lease_ttl": 0,
+      "max_lease_ttl": 0,
+      "force_no_cache": false
+    },
+    "options": {
+      "version": "1"
+    },
+    "local": false,
+    "seal_wrap": true
+  },
+  ...
+```
+
+Notice that the `seal_wrap` parameter is set to **`true`** at `secret2/`.
+
+#### API call using cURL
+
+Check the enabled secret engines.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/sys/mounts | jq
+...
+  "secret/": {
+    "accessor": "kv_f05b8b9c",
+    "config": {
+      "default_lease_ttl": 0,
+      "force_no_cache": false,
+      "max_lease_ttl": 0
+    },
+    "description": "key/value secret storage",
+    "local": false,
+    "options": {
+      "version": "2"
+    },
+    "seal_wrap": false,
+    "type": "kv"
+  },
+...
+```
+
+Notice that the `seal_wrap` parameter is set to **`false`**.
+
+> For the purpose of comparing seal wrapped data against unwrapped data, enable
+> additional key/value secret engine at the `secret2/` path.
+
+```shell
+# Set the seal_wrap parameter to true in the request payload
+$ tee payload.json <<EOF
+{
+  "type": "kv",
+  "options": {
+    "version": "1"
+  },
+  "seal_wrap": true
+}
+EOF
+
+# Enable kv secret engine at secret2/
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/sys/mounts/secret2
+```
+
+The above command enabled [key/value version 1](/docs/secrets/kv/kv-v1.html) with
+seal wrap feature enabled.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/sys/mounts | jq
+{
+...
+  "secret2/": {
+    "accessor": "kv_724c81c9",
+    "config": {
+      "default_lease_ttl": 0,
+      "force_no_cache": false,
+      "max_lease_ttl": 0
+    },
+    "description": "",
+    "local": false,
+    "options": {
+      "version": "1"
+    },
+    "seal_wrap": true,
+    "type": "kv"
+  },
+  ...
+}
+```
+
+Notice that the `seal_wrap` parameter is set to **`true`** at `secret2/`.
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g. `http://127.0.0.1:8200/ui`) and
+then login.
+
+![Enable Secret Engine](/img/vault-seal-wrap-2.png)
+
+> For the purpose of comparing seal wrapped data against unwrapped data, enable
+> additional key/value secret engine at the `secret2/` path.
+
+Select **Enable new engine**.
+
+- Enter **`secret2`** in the path field
+- Select **Version 1** for KV version
+- Select the check box for **Seal Wrap**
+
+![Enable Secret Engine](/img/vault-seal-wrap-3.png)
+
+Click **Enable Engine**.
+
+### <a name="step3"></a>Step 3: Test the Seal Wrap Feature
+
+In this step, you are going to:
+
+1. Write some test data
+1. [View the encrypted secrets](#view-the-encrypted-secrets)
+
+#### CLI command
+
+Write a secret at `secret/unwrapped`.
+
+```shell
+# Write a key named 'password' with its value 'my-long-password'
+$ vault kv put secret/unwrapped password="my-long-password"
+
+# Read the path to verify
+$ vault kv get secret/unwrapped
+====== Data ======
+Key         Value
+---         -----
+password    my-long-password
+```
+
+Write the same secret at `secret2/wrapped`.
+
+```shell
+# Write a key named 'password' with its value 'my-long-password'
+$ vault kv put secret2/wrapped password="my-long-password"
+
+# Read the path to verify
+$ vault kv get secret2/wrapped
+====== Data ======
+Key         Value
+---         -----
+password    my-long-password
+```
+
+Using a valid token, you can write and read secrets the same way
+regardless of the seal wrap.
+
+#### API call using cURL
+
+Write a secret at `secret/unwrapped`.
+
+```shell
+# Create a payload
+$ tee payload.json <<EOF
+{
+  "data": {
+    "password": "my-long-password"
+  }
+}
+EOF
+
+# Write secret at 'secret/unwrapped'
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/secret/unwrapped
+
+# Read the path to verify
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/secret/unwrapped | jq
+{
+   "request_id": "cef0b061-3860-6a3c-8bba-1fdbf7be7bf1",
+   "lease_id": "",
+   "renewable": false,
+   "lease_duration": 2764800,
+   "data": {
+     "data": {
+       "password": "my-long-password"
+     }
+   },
+   "wrap_info": null,
+   "warnings": null,
+   "auth": null
+}
+```
+
+Write the same secret at `secret2/wrapped`.
+
+```shell
+# Write the same secret at 'secret2/wrapped'
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/secret2/wrapped
+
+# Read the path to verify
+$ curl --header "X-Vault-Token: ..." \
+      http://127.0.0.1:8200/v1/secret2/wrapped | jq
+{
+  "request_id": "cc9ce831-2ca7-7115-a899-ce33767bdc2c",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 2764800,
+  "data": {
+    "data": {
+      "password": "my-long-password"
+    }
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+Using a valid token, you can write and read secrets the same way regardless of
+the seal wrap.
+
+#### Web UI
+
+Select **secret** and click **Create secret**.
+
+![Enable Secret Engine](/img/vault-seal-wrap-4.png)
+
+Enter the following:
+
+- PATH FOR THIS SECTE: `unwrapped`
+- key: `password`
+- value: `my-long-password`
+
+![Enable Secret Engine](/img/vault-seal-wrap-5.png)
+
+Click **Save**.
+
+Repeat the same step for **secret2** to write the same secret at the
+`secret2/wrapped` path.
+
+![Enable Secret Engine](/img/vault-seal-wrap-6.png)
+Click **Save**.
+
+Using a valid token, you can write and read secrets the same way
+regardless of the seal wrap.
+
+#### View the encrypted secrets
+
+Remember that the Vault server was configured to use the local file system
+(`/tmp/vault`) as its storage backend in this example.
+
+```shell
+# Configure the storage backend for Vault
+storage "file" {
+  path = "/tmp/vault"
+}
+```
+
+SSH into the machine where the Vault server is running, and check the stored
+values in the `/tmp/vault` directory.
+
+```plaintext
+$ cd /tmp/vault/sdk/logical
+```
+
+Under the `/tmp/vault/sdk/logical` directory, there are two sub-directories. One
+maps to `secret/` and another maps to `secret2/` although you cannot tell by
+the folder names.
+
+View the secret at rest.
+
+```shell
+# One of the directory maps to secret/unwrapped
+$ cd 2da357cd-55f2-7eed-c46e-c477b70bed18
+
+# View its content - password value is encrypted
+$ cat _unwrapped
+{"Value":"AAAAAQICk547prhuhMiBXLq2lx8ZkMpSB3p+GKHAwuMhKrZGSeqsFevMS6YoqTVlbvpU9B4zWPZ2HA
+SeNZ3YMw=="}
+
+# Another directory maps to secret2/wrapped
+$ cd ../5bcea44d-28a3-87af-393b-c6d398fe41d8
+
+# View its content - password value is encrypted
+$ cat _wrapped
+{"Value":"ClBAg9oN7zBBaDBZcsilDAyGkL7soPe7vBA5+ADADuyzo8GuHZHb9UFN2nF1h0OpKEgCIkG3JNHcXt
+tZqCi6szcuNBgF3pwhWGwB4FREM3b5CRIQYK7239Q92gRGrcBBeZD6ghogEtSBDmZJBahk7n4lIYF3X4iBqmwZgH
+Vo4lzWur7rzncgASofCIIhENEEGghoc21fZGVtbyINaHNtX2htYWNfZGVtb3M="}
+```
+
+Secrets are encrypted regardless; however, the seal-wrapped value is
+significantly longer despite the fact that both values are the same,
+`my-long-password`.
+
+~> When Vault's Seal Wrap feature is used with a FIPS 140-2 certified HSM, Vault
+will store Critical Security Parameters (CSPs) in a manner that is compliant
+with KeyStorage and KeyTransit requirements.
+
+## Next steps
+
+This guide used the local file system as the storage backend to keep it simple.
+To learn more about making your Vault cluster highly available, read the [Vault
+HA with Consul](/guides/operations/vault-ha-consul.html) guide.
diff --git a/website/pages/guides/operations/vault-ha-consul.mdx b/website/pages/guides/operations/vault-ha-consul.mdx
new file mode 100644
index 000000000000..993f975d362b
--- /dev/null
+++ b/website/pages/guides/operations/vault-ha-consul.mdx
@@ -0,0 +1,652 @@
+---
+layout: guides
+page_title: Vault HA with Consul - Guides
+sidebar_title: Vault HA with Consul
+description: |-
+  This guide will walk you through a simple Vault Highly Available (HA) cluster
+  implementation. While this is not an exhaustive or prescriptive guide that
+  can be used as a drop-in production example, it covers the basics enough to
+  inform your own production setup.
+---
+
+# Vault High Availability (HA)
+
+Vault can run in a high availability (HA) mode to protect against outages by
+running multiple Vault servers. Vault is typically bound by the IO limits of the
+storage backend rather than the compute requirements. Certain storage backends,
+such as Consul, provide additional coordination functions that enable Vault to
+run in an HA configuration while others provide a more robust backup and
+restoration process.
+
+When running in HA mode, Vault servers have two additional states: **_standby_**
+and **_active_**. Within a Vault cluster, only a single instance will be
+_active_ and handles all requests (reads and writes) and all _standby_ nodes
+redirect requests to the _active_ node.
+
+![Reference Architecture](/img/vault-ha-consul-3.png)
+
+> **NOTE:** As of version **0.11**, those standby nodes can handle most
+> read-only requests and behave as read-replica nodes. This **Performance Standby
+> Nodes** feature is included in _Vault Enterprise Premium_, and also available
+> for _Vault Enterprise Pro_ with additional fee. This is particularly useful for
+> processing high volume Encryption as a Service ([Transit secrets
+> engine](/docs/secrets/transit/index.html)) requests. Read [Performance Standby
+> Nodes](/docs/enterprise/performance-standby/index.html) documentation and a [guide](/guides/operations/performance-nodes.html) for more details.
+
+~> This guide will walk you through a simple Vault Highly Available (HA) cluster
+implementation. While this is not an exhaustive or prescriptive guide that can
+be used as a drop-in production example, it covers the **basics** enough to
+inform your own production setup.
+
+## Reference Materials
+
+- [High Availability Mode](/docs/concepts/ha.html)
+- [Consul Storage Backend](/docs/configuration/storage/consul.html)
+- [High Availability Parameters](/docs/configuration/index.html#high-availability-parameters)
+- [Consul Agent Configuration](https://www.consul.io/docs/agent/options.html)
+
+## Estimated Time to Complete
+
+25 minutes
+
+## Prerequisites
+
+This intermediate Vault operations guide assumes that you have some working
+knowledge of Vault and Consul.
+
+## Steps
+
+Our goal in following this guide is to arrive at a Vault HA setup
+consisting of the following:
+
+- 2 Vault servers: 1 active and 1 standby
+- Cluster of 3 Consul servers
+
+### Reference Diagram
+
+This diagram lays out the simple architecture details for reference:
+
+![Reference Architecture](/img/vault-ha-consul.png)
+
+You perform the following:
+
+- [Step 1: Setup a Consul Server Cluster](#step1)
+- [Step 2: Start and Verify the Consul Cluster State](#step2)
+- [Step 3: Setup Consul Client Agents on Vault Nodes](#step3)
+- [Step 4: Configure the Vault Servers](#step4)
+- [Step 5: Start Vault and Verify the State](#step5)
+
+-> For the purpose of this guide, we will use the open source software editions of
+Vault and Consul; however, the setup is the same for Enterprise editions.
+
+### <a name="step1"></a>Step 1: Setup a Consul Server Cluster
+
+Our Consul servers in this guide will be defined by IP address only, but also
+referenced by a label:
+
+- **`consul_s1: 10.1.42.101`**
+- **`consul_s2: 10.1.42.102`**
+- **`consul_s3: 10.1.42.103`**
+
+The [Consul binary](https://www.consul.io/downloads.html) is presumed to be
+located in **`/usr/local/bin/consul`**, but if your case differs, you can adjust the
+path references accordingly.
+
+With that in mind, here is a basic Consul server configuration starting point:
+
+```plaintext
+{
+  "server": true,
+  "node_name": "$NODE_NAME",
+  "datacenter": "dc1",
+  "data_dir": "$CONSUL_DATA_PATH",
+  "bind_addr": "0.0.0.0",
+  "client_addr": "0.0.0.0",
+  "advertise_addr": "$ADVERTISE_ADDR",
+  "bootstrap_expect": 3,
+  "retry_join": ["$JOIN1", "$JOIN2", "$JOIN3"],
+  "ui": true,
+  "log_level": "DEBUG",
+  "enable_syslog": true,
+  "acl_enforce_version_8": false
+}
+```
+
+Note that some values contain variable placeholders while the rest have
+reasonable defaults. You should replace the following values in your own Consul
+server configuration based on the example:
+
+- **\$NODE_NAME** this is a unique label for the node; in our case, this will be
+  `consul_s1`, `consul_s2`, and `consul_s3` respectively.
+- **\$CONSUL_DATA_PATH**: absolute path to Consul data directory; ensure that
+  this directory is writable by the Consul process user.
+- **\$ADVERTISE_ADDR**: set to address that you prefer the Consul
+  servers advertise to the other servers in the cluster and should not be set to
+  `0.0.0.0`; for this guide, it should be set to the Consul server’s IP address in
+  each instance of the configuration file, or `10.1.42.101`,`10.1.42.102`, and
+  `10.1.42.103` respectively.
+- **\$JOIN1**, **\$JOIN2**, **\$JOIN3**: This example uses the `retry_join`
+  method of joining the server agents to form a cluster; as such, the values for
+  this guide would be `10.1.42.101`, `10.1.42.102`, and `10.1.42.103` respectively.
+
+Note that the web user interface is enabled (`"ui": true`), and Consul will be
+logging at DEBUG level to the system log (`"log_level": "DEBUG"`). For the
+purpose of this guide, the **`acl_enforce_version_8`** is set to `false` so that
+we do not need to be concerned with ACLs in this guide. However, you would want
+to enable ACLs in a production environment and follow the [Consul ACL Guide](https://www.consul.io/docs/guides/acl.html#acl-agent-master-token) for
+details.
+
+Create a configuration file for each Vault server and save it as
+**`/usr/local/etc/consul/client_agent.json`**.
+
+#### `consul_s1.json` Example
+
+    {
+      "server": true,
+      "node_name": "consul_s1",
+      "datacenter": "dc1",
+      "data_dir": "/var/consul/data",
+      "bind_addr": "0.0.0.0",
+      "client_addr": "0.0.0.0",
+      "advertise_addr": "10.1.42.101",
+      "bootstrap_expect": 3,
+      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
+      "ui": true,
+      "log_level": "DEBUG",
+      "enable_syslog": true,
+      "acl_enforce_version_8": false
+    }
+
+#### `consul_s2.json` Example
+
+    {
+      "server": true,
+      "node_name": "consul_s2",
+      "datacenter": "dc1",
+      "data_dir": "/var/consul/data",
+      "bind_addr": "0.0.0.0",
+      "client_addr": "0.0.0.0",
+      "advertise_addr": "10.1.42.102",
+      "bootstrap_expect": 3,
+      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
+      "ui": true,
+      "log_level": "DEBUG",
+      "enable_syslog": true,
+      "acl_enforce_version_8": false
+    }
+
+#### `consul_s3.json` Example
+
+    {
+      "server": true,
+      "node_name": "consul_s3",
+      "datacenter": "dc1",
+      "data_dir": "/var/consul/data",
+      "bind_addr": "0.0.0.0",
+      "client_addr": "0.0.0.0",
+      "advertise_addr": "10.1.42.103",
+      "bootstrap_expect": 3,
+      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
+      "ui": true,
+      "log_level": "DEBUG",
+      "enable_syslog": true,
+      "acl_enforce_version_8": false
+    }
+
+#### Consul Server `systemd` Unit file
+
+You have Consul binaries and a reasonably basic configuration and now you just
+need to start Consul on each server instance; `systemd` is popular in most
+contemporary Linux distributions, so with that in mind, here is an example
+`systemd` unit file:
+
+```plaintext
+### BEGIN INIT INFO
+# Provides:          consul
+# Required-Start:    $local_fs $remote_fs
+# Required-Stop:     $local_fs $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Consul agent
+# Description:       Consul service discovery framework
+### END INIT INFO
+
+[Unit]
+Description=Consul server agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User=consul
+Group=consul
+PIDFile=/var/run/consul/consul.pid
+PermissionsStartOnly=true
+ExecStartPre=-/bin/mkdir -p /var/run/consul
+ExecStartPre=/bin/chown -R consul:consul /var/run/consul
+ExecStart=/usr/local/bin/consul agent \
+    -config-file=/usr/local/etc/consul/client_agent.json \
+    -pid-file=/var/run/consul/consul.pid
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+KillSignal=SIGTERM
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Note that you might be interested in changing the values of the following
+depending on style, file system hierarchy standard adherence level, and so on:
+
+- **`-config-file`**
+- **`-pid-file`**
+
+Once the unit file is defined and saved (e.g.
+`/etc/systemd/system/consul.service`), be sure to perform a `systemctl daemon-reload`
+and then you can start your Consul service on each server.
+
+### <a name="step2"></a>Step 2: Start and Verify the Consul Cluster State
+
+Be sure that the ownership and permissions are correct on the directory you
+specified for the value of `data_dir`, and then start the Consul service on each
+system and verify the status:
+
+    $ sudo systemctl start consul
+    $ sudo systemctl status consul
+    ● consul.service - Consul server agent
+       Loaded: loaded (/etc/systemd/system/consul.service; enabled; vendor preset: enabled)
+       Active: active (running) since Mon 2018-03-19 17:33:14 UTC; 24h ago
+     Main PID: 2068 (consul)
+        Tasks: 13
+       Memory: 13.6M
+          CPU: 0m 52.784s
+       CGroup: /system.slice/consul.service
+               └─2068 /usr/local/bin/consul agent -config-file=/usr/local/etc/consul/client_agent.json -pid-file=/var/run/consul/consul.pid
+
+After starting all Consul server agents, let’s check the Consul cluster status:
+
+    $consul members
+    Node       Address           Status  Type    Build  Protocol  DC    Segment
+    consul_s1  10.1.42.101:8301  alive   server  1.0.6  2         dc1   <all>
+    consul_s2  10.1.42.102:8301  alive   server  1.0.6  2         dc1   <all>
+    consul_s3  10.1.42.103:8301  alive   server  1.0.6  2         dc1   <all>
+
+The cluster looks good and all 3 servers are shown; let’s make sure we have a
+leader before proceeding:
+
+    $consul operator raft list-peers
+    Node                   ID                                    Address           State     Voter  RaftProtocol
+    consul_s2              536b721f-645d-544a-c10d-85c2ca24e4e4  10.1.42.102:8300  follower  true   3
+    consul_s1              e10ba554-a4f9-6a8c-f662-81c8bb2a04f5  10.1.42.101:8300  follower  true   3
+    consul_s3              56370ec8-da25-e7dc-dfc6-bf5f27978a7a  10.1.42.103:8300  leader    true   3
+
+The above output shows that **`consul_s3`** is the current cluster leader in
+this example. Now, you are good to move on to the Vault server configuration.
+
+### <a name="step3"></a>Step 3: Setup Consul Client Agents on Vault Nodes
+
+The Vault server nodes require **both** the Consul and Vault binaries on each node. Consul will be configured as a **client** agent and Vault will be configured as a server.
+
+![Reference Architecture](/img/vault-ha-consul-2.png)
+
+#### Consul Client Agent Configuration
+
+Since Consul is used to provide a highly available storage backend, you need to
+configure local Consul client agents on the Vault servers which will communicate
+with the Consul server cluster for registering health checks, service discovery, and cluster HA failover coordination (cluster leadership).
+
+~> Note that [it is not recommended to connect the Vault servers directly to the
+Consul servers](/docs/configuration/storage/consul.html#address).
+
+The Consul client agents will be using the same address as the Vault servers for
+network communication to the Consul server cluster, but they will be binding the
+**`client_address`** only to the loopback interface such that Vault can connect to
+it over the loopback interface.
+
+Here is the example configuration for the Consul client agent:
+
+    {
+      "server": false,
+      "datacenter": "dc1",
+      "node_name": "$NODE_NAME",
+      "data_dir": "$CONSUL_DATA_PATH",
+      "bind_addr": "$BIND_ADDR",
+      "client_addr": "127.0.0.1",
+      "retry_join": ["$JOIN1", "$JOIN2", "$JOIN3"],
+      "log_level": "DEBUG",
+      "enable_syslog": true,
+      "acl_enforce_version_8": false
+    }
+
+Similar to what you have done in [Step 1](#step1), replace the following values
+in your own Consul client agent configuration accordingly:
+
+- **\$NODE_NAME** this is a unique label for the node; in
+  our case, this will be `consul_c1` and `consul_c2` respectively.
+- **\$CONSUL_DATA_PATH**: absolute path to Consul data directory; ensure that this
+  directory is writable by the Consul process user.
+- **\$BIND_ADDR**: this should be set
+  to address that you prefer the Consul servers advertise to the other servers in
+  the cluster and should not be set to `0.0.0.0`; for this guide, it should be set
+  to the Vault server’s IP address in each instance of the configuration file, or
+  `10.1.42.201` and `10.1.42.202` respectively.
+- **\$JOIN1**, **\$JOIN2**, **\$JOIN3**: This example uses the `retry_join` method of
+  joining the server agents to form a cluster; as such, the values for this guide
+  would be `10.1.42.101`, `10.1.42.102`, and `10.1.42.103` respectively.
+
+Create a configuration file for each Vault server and save it as
+**`/usr/local/etc/consul/client_agent.json`**.
+
+#### `consul_c1.json` Example
+
+    {
+      "server": false,
+      "datacenter": "dc1",
+      "node_name": "consul_c1",
+      "data_dir": "/var/consul/data",
+      "bind_addr": "10.1.42.201",
+      "client_addr": "127.0.0.1",
+      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
+      "log_level": "DEBUG",
+      "enable_syslog": true,
+      "acl_enforce_version_8": false
+    }
+
+#### `consul_c2.json` Example
+
+    {
+      "server": false,
+      "datacenter": "dc1",
+      "node_name": "consul_c2",
+      "data_dir": "/var/consul/data",
+      "bind_addr": "10.1.42.202",
+      "client_addr": "127.0.0.1",
+      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
+      "log_level": "DEBUG",
+      "enable_syslog": true,
+      "acl_enforce_version_8": false
+    }
+
+#### Consul Server `systemd` Unit file
+
+You have Consul binaries and a reasonably basic client agent configuration and
+now you just need to start Consul on each of the Vault server instances. Here
+is an example `systemd` unit file:
+
+    ### BEGIN INIT INFO
+    # Provides:          consul
+    # Required-Start:    $local_fs $remote_fs
+    # Required-Stop:     $local_fs $remote_fs
+    # Default-Start:     2 3 4 5
+    # Default-Stop:      0 1 6
+    # Short-Description: Consul agent
+    # Description:       Consul service discovery framework
+    ### END INIT INFO
+
+    [Unit]
+    Description=Consul client agent
+    Requires=network-online.target
+    After=network-online.target
+
+    [Service]
+    User=consul
+    Group=consul
+    PIDFile=/var/run/consul/consul.pid
+    PermissionsStartOnly=true
+    ExecStartPre=-/bin/mkdir -p /var/run/consul
+    ExecStartPre=/bin/chown -R consul:consul /var/run/consul
+    ExecStart=/usr/local/bin/consul agent \
+        -config-file=/usr/local/etc/consul/client_agent.json \
+        -pid-file=/var/run/consul/consul.pid
+    ExecReload=/bin/kill -HUP $MAINPID
+    KillMode=process
+    KillSignal=SIGTERM
+    Restart=on-failure
+    RestartSec=42s
+
+    [Install]
+    WantedBy=multi-user.target
+
+Change the following values as necessary:
+
+- **`-config-file`**
+- **`-pid-file`**
+
+Once the unit file is defined and saved (e.g.
+`/etc/systemd/system/consul.service`), be sure to perform a `systemctl daemon-reload` and then you can start your Consul service on each Vault server.
+
+Start the Consul and verify its cluster state to be sure that the ownership and
+permissions are correct on the directory you specified for the value of
+`data_dir`, and then start the Consul service on each system and verify the
+status:
+
+    $ sudo systemctl start consul
+    $ sudo systemctl status consul
+    ● consul.service - Consul client agent
+       Loaded: loaded (/etc/systemd/system/consul.service; enabled; vendor preset: enabled)
+       Active: active (running) since Tue 2018-03-20 19:36:49 UTC; 6s ago
+     Main PID: 23758 (consul)
+        Tasks: 11
+       Memory: 9.8M
+          CPU: 571ms
+       CGroup: /system.slice/consul.service
+               └─23758 /usr/local/bin/consul agent -config-file=/usr/local/etc/consul/client_agent.json -pid-file=/var/run/consul/consul.pid
+
+After starting all Consul client agents, check the Consul cluster status:
+
+    $consul members
+    Node        Address           Status  Type    Build  Protocol  DC    Segment
+    consul_s1   10.1.42.101:8301  alive   server  1.0.6  2         dc1   <all>
+    consul_s2   10.1.42.102:8301  alive   server  1.0.6  2         dc1   <all>
+    consul_s3   10.1.42.103:8301  alive   server  1.0.6  2         dc1   <all>
+    consul_c1   10.1.42.201:8301  alive   client  1.0.6  2         arus  <default>
+    consul_c2   10.1.42.202:8301  alive   client  1.0.6  2         arus  <default>
+
+The above output shows 3 Consul server agents and 2 Consul client agents in the
+cluster. Now, you are ready to configure the Vault servers.
+
+### <a name="step4"></a>Step 4: Configure the Vault Servers
+
+Now that we have a Consul cluster consisting of 3 servers and 2 client agents
+for our Vault servers, let’s get the configuration for Vault and a startup
+script together so that we can bootstrap the Vault HA setup.
+
+Our Vault servers in this guide are defined by IP address only, but referenced
+by a label as well:
+
+- **`vault_s1: 10.1.42.201`**
+- **`vault_s2: 10.1.42.202`**
+
+In our configuration file, we'll set up the following:
+
+- [**`tcp`**](/docs/configuration/listener/tcp.html) listener
+- [**`consul`**](/docs/configuration/storage/consul.html) storage backend
+- [High Availability parameters](/docs/configuration/index.html#high-availability-parameters)
+
+This section assumes the Vault binary is located at **`/usr/local/bin/vault`**
+
+#### Vault Configuration
+
+    listener "tcp" {
+      address          = "0.0.0.0:8200"
+      cluster_address  = "0.0.0.0:8201"
+      tls_disable      = "true"
+    }
+
+    storage "consul" {
+      address = "127.0.0.1:8500"
+      path    = "vault/"
+    }
+
+    api_addr =  "$API_ADDR"
+    cluster_addr = "$CLUSTER_ADDR"
+
+We're setting the following parameters for our `tcp` listener:
+
+- `address` (string: "127.0.0.1:8200") – Specifies the address to bind to for listening.
+- `cluster_address` (string: "127.0.0.1:8201") – Specifies the address to bind to for cluster server-to-server requests. This defaults to one port higher than the value of address. This does not usually need to be set, but can be useful in case Vault servers are isolated from each other in such a way that they need to hop through a TCP load balancer or some other scheme in order to talk.
+
+This configuration allows for listening on all interfaces (such that a Vault
+command against the loopback address would succeed, for example).
+
+We're also explicitly setting Vault's [HA parameters](/docs/configuration/index.html#high-availability-parameters) (`api_addr` and `cluster_addr`). Often, it's not necessary to configure these two parameters when using Consul as Vault's storage backend, as Consul will attempt to automatically discover and advertise the address of the active Vault node. However, certain cluster configurations might require them to be explicitly set (accessing Vault through a load balancer, for example).
+
+For the sake of simplicity, we will assume that clients in our scenario connect directly to the Vault nodes (rather than through a load balancer). Review the [Client Redirection](/docs/concepts/ha.html#client-redirection) documentation for more information on client access patterns and their implications.
+
+Note that some values contain variable placeholders while the rest have
+reasonable defaults. You should replace the following values in your own Vault
+server configuration based on the example:
+
+- **\$API_ADDR**: Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This can also be provided via the environment variable `VAULT_API_ADDR`. In general this should be set to a full URL that points to the value of the listener address. In our scenario, it will be `http://10.1.42.201:8200`
+  and `http://10.1.42.202:8200` respectively.
+
+- **\$CLUSTER_ADDR**: Specifies the address to advertise to other Vault servers in the cluster for request forwarding. This can also be provided via the environment variable `VAULT_CLUSTER_ADDR`. This is a full URL, like `api_addr`. In our scenario, it will be `https://10.1.42.201:8201` and
+  `https://10.1.42.202:8201` respectively.
+
+> Note that the scheme here (https) is ignored; all cluster members will always
+> use TLS with a private key/certificate.
+
+#### `vault_s1.hcl` Example
+
+    listener "tcp" {
+      address          = "0.0.0.0:8200"
+      cluster_address  = "10.1.42.201:8201"
+      tls_disable      = "true"
+    }
+
+    storage "consul" {
+      address = "127.0.0.1:8500"
+      path    = "vault/"
+    }
+
+    api_addr = "http://10.1.42.201:8200"
+    cluster_addr = "https://10.1.42.201:8201"
+
+#### `vault_s2.hcl` Example
+
+    listener "tcp" {
+      address          = "0.0.0.0:8200"
+      cluster_address  = "10.1.42.202:8201"
+      tls_disable      = "true"
+    }
+
+    storage "consul" {
+      address = "127.0.0.1:8500"
+      path    = "vault/"
+    }
+
+    api_addr = "http://10.1.42.202:8200"
+    cluster_addr = "https://10.1.42.202:8201"
+
+#### Vault Server `systemd` Unit file
+
+You have Vault binaries and a reasonably basic configuration along with local
+client agents configured. Now, you just need to start Vault on each server
+instance. Here is an example `systemd` unit file:
+
+    ### BEGIN INIT INFO
+    # Provides:          vault
+    # Required-Start:    $local_fs $remote_fs
+    # Required-Stop:     $local_fs $remote_fs
+    # Default-Start:     2 3 4 5
+    # Default-Stop:      0 1 6
+    # Short-Description: Vault server
+    # Description:       Vault secret management tool
+    ### END INIT INFO
+
+    [Unit]
+    Description=Vault secret management tool
+    Requires=network-online.target
+    After=network-online.target
+
+    [Service]
+    User=vault
+    Group=vault
+    PIDFile=/var/run/vault/vault.pid
+    ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault_server.hcl -log-level=debug
+    ExecReload=/bin/kill -HUP $MAINPID
+    KillMode=process
+    KillSignal=SIGTERM
+    Restart=on-failure
+    RestartSec=42s
+    LimitMEMLOCK=infinity
+
+    [Install]
+    WantedBy=multi-user.target
+
+Note that you might be interested in changing the values of the following
+depending on style, file system hierarchy standard adherence level, and so on:
+
+- **`-config`**
+- **`-log-level`**
+
+Once the unit file is defined and saved as e.g.
+`/etc/systemd/system/vault.service`, be sure to perform a `systemctl daemon-reload`
+and then you can start your Vault service on each server.
+
+### <a name="step5"></a>Step 5: Start Vault and Verify the State
+
+Start the Vault service on each system and verify the status:
+
+    $ sudo systemctl start vault
+    $ sudo systemctl status vault
+    ● vault.service - Vault secret management tool
+       Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: enabled)
+       Active: active (running) since Tue 2018-03-20 20:42:10 UTC; 42s ago
+     Main PID: 2080 (vault)
+        Tasks: 12
+       Memory: 71.7M
+          CPU: 50s
+       CGroup: /system.slice/vault.service
+               └─2080 /usr/local/bin/vault server -config=/home/ubuntu/vault_nano/config/vault_server.hcl -log-level=debu
+
+Now you’ll need to move on to [initializing and
+unsealing](/intro/getting-started/deploy.html#initializing-the-vault) each Vault
+instance.
+
+Once that is done, check Vault status on each of the servers.
+
+The **active** Vault server:
+
+    $ vault status
+    Key             Value
+    ---             -----
+    Seal Type       shamir
+    Sealed          false
+    Total Shares    5
+    Threshold       3
+    Version         0.9.5
+    Cluster Name    vault
+    Cluster ID      0ee91bd1-55ec-c84f-3c1d-dcc7f4f644a8
+    HA Enabled      true
+    HA Cluster      https://10.1.42.201:8201
+    HA Mode         active
+
+The **standby** Vault server:
+
+    vault status
+    Key                     Value
+    ---                     -----
+    Seal Type               shamir
+    Sealed                  false
+    Total Shares            5
+    Threshold               3
+    Version                 0.9.5
+    Cluster Name            vaultron
+    Cluster ID              0ee91bd1-55ec-c84f-3c1d-dcc7f4f644a8
+    HA Enabled              true
+    HA Cluster              https://10.1.42.201:8201
+    HA Mode                 standby
+    Active Node Address:    http://10.1.42.201:8200
+
+Vault servers are now operational in HA mode at this point, and you should be
+able to write a secret from either the active or the standby Vault instance and
+see it succeed as a test of request forwarding. Also, you can shut down the
+active instance (`sudo systemctl stop vault`) to simulate a system failure and
+see the standby instance assumes the leadership.
+
+## Next steps
+
+Read [Production Hardening](/guides/operations/production.html) to learn best
+practices for a production hardening deployment of Vault.
diff --git a/website/pages/guides/secret-mgmt/app-integration.mdx b/website/pages/guides/secret-mgmt/app-integration.mdx
new file mode 100644
index 000000000000..142251687f24
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/app-integration.mdx
@@ -0,0 +1,415 @@
+---
+layout: guides
+page_title: Direct Application Integration - Guides
+sidebar_title: Direct Application Integration
+description: |-
+  This guide demonstrates the use of Consul Template and Envconsul tools. To
+  understand the difference between the two tools, you are going to retrieve the
+  same information from Vault.
+---
+
+# Direct Application Integration
+
+A modern system requires access to a multitude of secrets: database credentials,
+API keys for external services, credentials for service-oriented architecture
+communication, etc. Vault steps in to provide a centralized secret management
+system. The next step is to decide how your applications acquire the secrets
+from Vault.
+
+This guide introduces **_Consul Template_** and **_Envconsul_** to help you
+determine if these tools speed up the integration of your applications once
+secrets are securely managed by Vault.
+
+-> **NOTE:** Both [Consul Template](https://github.com/hashicorp/consul-template)
+and [Envconsul](https://github.com/hashicorp/consul-template) are open source
+tools.
+
+### Consul Template
+
+Despite its name, Consul Template does **not** require a Consul cluster to
+operate. It retrieves secrets from Vault and manages the acquisition and renewal
+lifecycle.
+
+### Envconsul
+
+Envconsul launches a subprocess which dynamically populates environment
+variables from secrets read from Vault. Your applications then read those
+environment variables. Despite its name, Envconsul does **not** require a
+Consul cluster to operate. It enables flexibility and portability for
+applications across systems.
+
+## Reference Material
+
+- [Consul Template](https://github.com/hashicorp/consul-template)
+- [Envconsul](https://github.com/hashicorp/consul-template)
+- [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Challenge
+
+If your application code or script contains some secrets (e.g. database
+credentials), it makes a good sense to manage the secrets using Vault. However,
+it means that your application will need to retrieve the secrets at runtime.
+Does that mean the application developers must make some code change?
+
+Is there an easy way to retrieve the secrets from Vault and populate the
+application code or script with secrets as needed?
+
+## Solution
+
+Both **_Consul Template_** and **_Envconsul_** provide first-class support for
+Vault. Leveraging these tools can minimize the level of changes introduced to
+your applications. Depending on the current application design, you may not need
+to make minimal to no code change.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need:
+
+- A [Vault environment](/intro/getting-started/install.html)
+- [Consul Template](https://releases.hashicorp.com/consul-template/)
+- [Envconsul](https://releases.hashicorp.com/envconsul/)
+- [PostgreSQL](#postgresql)
+
+### PostgreSQL
+
+This guide uses the database secrets engine to demonstrate the use of Consul
+Template and Envconsul. Therefore, you need a
+[PostgreSQL](https://www.postgresql.org/download/) server to connect to.
+
+~> Complete the [Secret as a Service: Dynamic
+Secrets](/guides/secret-mgmt/dynamic-secrets.html) guide first if you are not
+familiar with `database` secrets engine.
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Enable database secrets engines at "database/" path
+path "sys/mounts/database" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Configure the database secret engine and create roles
+path "database/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Write ACL policies
+path "sys/policy/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Manage tokens for Consul Template & Envconsul to use
+path "auth/token/create" {
+  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+This guide demonstrates the use of Consul Template and Envconsul tools. To
+understand the difference between the two tools, you are going to retrieve the
+same information from Vault.
+
+1. [Setup Database Secrets Engine](#step1)
+1. [Generate Client Token](#step2)
+1. [Use Consul Template to Populate DB Credentials](#step3)
+1. [Use Envconsul to Retrieve DB Credentials](#step4)
+
+### <a name="step1"></a>Step 1: Setup Database Secrets Engine
+
+In this step, you are going to enable and configure the `database` secrets
+engine using `postgresql-database-plugin` where the database connection URL is
+`postgresql://root:rootpassword@localhost:5432/myapp`.
+
+> **NOTE:** Your database connection URL is most likely different from this
+> example. Be sure to use the correct [connection URL](http://localhost:4567/api/secret/databases/postgresql.html#connection_url) to
+> match your environment.
+
+~> Refer to the [PostgreSQL Database Secrets
+Engine](/docs/secrets/databases/postgresql.html) documentation or [Secret as a
+Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html) guide if you
+are not familiar with `database` secrets engine. The detailed description of
+working with `database` secrets engine is out of scope for this guide.
+
+#### CLI command
+
+```shell
+# First, enable the database secrets engine
+$ vault secrets enable database
+
+# Configure the secret engine with appropriate parameter values
+$ vault write database/config/postgresql \
+      plugin_name=postgresql-database-plugin \
+      allowed_roles=* \
+      connection_url=postgresql://root:rootpassword@localhost:5432/myapp
+
+# Create readonly.sql to define a role permission in SQL
+$ tee readonly.sql <<EOF
+CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
+EOF
+
+# Create a role, "readonly"
+$ vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql \
+    default_ttl=1h max_ttl=24h
+```
+
+#### API call using cURL
+
+```shell
+# Enable `database` secret engine using `/sys/mounts` endpoint
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type":"database"}' \
+       https://127.0.0.1:8200/v1/sys/mounts/database
+
+# Specify the database connection URL according to your environment
+$ tee payload.json <<EOF
+{
+	"plugin_name": "postgresql-database-plugin",
+	"allowed_roles": "*",
+	"connection_url": "postgresql://root:rootpassword@localhost:5432/myapp"
+}
+EOF
+
+# Configure the database secrets engine by passing the request payload
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/database/config/postgresql
+
+# Create the request payload to create a role
+$ tee payload.json <<EOF
+{
+  "db_name": "postgres",
+  "creation_statements": ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
+   GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"],
+  "default_ttl": "1h",
+  "max_ttl": "24h"
+}
+EOF
+
+# Create a role named, readonly
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/database/roles/readonly
+```
+
+### <a name="step2"></a>Step 2: Generate Client Token
+
+Consul Template tool itself is a Vault client. Therefore, it must have a valid
+token with policies permitting it to retrieve secrets from `database` secret
+engine you just configured in [Step 1](#step1).
+
+First, create a policy definition file, `db_creds.hcl`. This policy allows read
+operation on the `database/creds/readonly` path to obtain the dynamically
+generated username and password to access the PostgreSQL database. In addition,
+the policy allows renewal of the lease if necessary.
+
+**`db_creds.hcl`**:
+
+```hcl
+path "database/creds/readonly" {
+  capabilities = [ "read" ]
+}
+
+path "/sys/leases/renew" {
+  capabilities = [ "update" ]
+}
+```
+
+Now, create a policy named, `db_creds` and generate a token with this policy
+attached.
+
+### CLI Command
+
+```shell
+# Create a `db_creds` policy
+$ vault policy write db_creds db_creds.hcl
+
+# Create a token with db_creds policy:
+$ vault token create -policy="db_creds"
+Key                  Value
+---                  -----
+token                89956bf1-6f4d-435d-4cf3-7496e9520a87
+token_accessor       319eddff-42a1-eb2b-801e-dd8a0c0b07b4
+token_duration       768h
+token_renewable      true
+token_policies       ["db_creds" "default"]
+identity_policies    []
+policies             ["db_creds" "default"]
+```
+
+**NOTE:** This is the token that Consul Template uses to talk to Vault.
+Copy the **`token`** value and proceed to [Step 3](#step3).
+
+#### API call using cURL
+
+```shell
+# Create an API request payload
+$ tee payload.json <<EOF
+{
+  "policy": "path \"database/creds/readonly\" {\n capabilities = [ \"read\" ]\n } \n path \"sys/leases/renew\" {\n capabilities = [ \"update\" ] \n}"
+}
+EOF
+
+# Create db_creds policy
+$ curl --header "X-Vault-Token: ..." \
+       --request PUT \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/sys/policy/db_creds
+
+# Generate a new token with db_creds policy
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"policies": ["db_creds"]}' \
+       http://127.0.0.1:8200/v1/auth/token/create | jq
+{
+  ...
+   "auth": {
+     "client_token": "37413eca-96aa-1d47-d09d-d1cad322c419",
+     "accessor": "a05aa3ce-b5d6-9e82-da7f-181d78d475e4",
+     "policies": [
+       "db_creds",
+       "default"
+     ],
+     "token_policies": [
+       "db_creds",
+       "default"
+     ],
+     ...
+}
+```
+
+**NOTE:** This is the token that Consul Template uses to talk to Vault.
+Copy the **`client_token`** value and proceed to [Step 3](#step3).
+
+### <a name="step3"></a>Step 3: Use Consul Template to Populate DB Credentials
+
+Assume that your application requires PostgreSQL database credentials to read
+data. Its configuration file, **`config.yml`** looks like:
+
+```plaintext
+username: "<DB_USRENAME>"
+password: "<DB_PASSWORD>"
+database: "myapp"
+```
+
+To have Consul Template to populate the `<DB_USRENAME>` and `<DB_PASSWORD>`, you
+need to create a template file with Consul Template [templating
+language](https://github.com/hashicorp/consul-template#templating-language).
+
+1. Create a template file by replacing the username and password with
+   Consul Template syntax and save it as **`config.yml.tpl`**. The file should
+   contain the following:
+
+   ```plaintext
+   ---
+   {{- with secret "database/creds/readonly" }}
+   username: "{{ .Data.username }}"
+   password: "{{ .Data.password }}"
+   database: "myapp"
+   {{- end }}
+   ```
+
+   -> **NOTE:** This template reads secrets from `database/creds/readonly`
+   path in Vault. Set the `username` parameter value to "`.Data.username`" of
+   the secret output. Similarly, set the `password` to "`.Data.password`" value.
+
+1. Execute the `consul-template` command to populate `config.yml` file.
+
+   The Consul Template command is: `consul-template -template="<input_file>:<output_file>"`
+
+   The input file is the **`config.yml.tpl`** and specify the desired output
+   file name to be **`config.yml`**:
+
+   ```plaintext
+   $ VAULT_TOKEN=<token> consul-template -template="config.yml.tpl:config.yml" -once
+   ```
+
+   While `<token>` is the token you copied at [Step 2](#step2).
+
+1. Open the generated **`config.yml`** file to verify its content. It should
+   look similar to:
+
+   ```plaintext
+   $ cat config.yml
+   ---
+   username: "v-token-readonly-tu17xrtz345uz643980r-1527630039"
+   password: "A1a-7s0z9y223x2rp6v9"
+   database: "myapp"
+   ```
+
+   The `username` and `password` were retrieved from Vault and populated in the
+   `config.yml` file.
+
+> **Summary**: You need to create a templated version of your application
+> scripts to leverage Consul Template. However, it requires minimum effort to do
+> so in comparison to writing an application which invokes Vault API to accomplish
+> the same.
+
+### <a name="step4"></a>Step 4: Use Envconsul to Retrieve DB Credentials
+
+Create a file named, **`app.sh`** containing the following:
+
+```hcl
+#!/usr/bin/env bash
+
+cat <<EOT
+My connection info is:
+
+username: "${DATABASE_CREDS_READONLY_USERNAME}"
+password: "${DATABASE_CREDS_READONLY_PASSWORD}"
+database: "my-app"
+EOT
+```
+
+The main difference here is that the `app.sh` is reading **_environment
+variables_** to set `username` and `password` values; therefore, no templating
+is involved.
+
+-> Notice that the environment variable name is derived from the secret _path_
+with key name.
+
+Run the Envconsul tool using the Vault token you generated at [Step 2](#step2).
+
+```plaintext
+$ VAULT_TOKEN=<token> envconsul -upcase -secret database/creds/readonly ./app.sh
+
+My connection info is:
+
+username: "v-token-readonly-ww1tq33s7z5uprpxxy68-1527631219"
+password: "A1a-u54wut0v605qwz95"
+database: "my-app"
+```
+
+The output should display the `username` and `password` populated.
+
+The `-upcase` flag tells Envconsul to convert all environment variable keys to
+uppercase. Otherwise, the default uses lowercase (e.g. `database_creds_readonly_username`).
+
+> **Summary:** If your application is designed to read secrets from environment
+> variables, Envconsul requires minimal to no code change to integrate with Vault.
+
+## Next steps
+
+If the integration option is to directly invoke Vault API within your
+application, refer to the [_AppRole Pull
+Authentication_](/guides/identity/authentication.html) guide to learn about the
+AppRole auth method which is designed for applications.
diff --git a/website/pages/guides/secret-mgmt/cubbyhole.mdx b/website/pages/guides/secret-mgmt/cubbyhole.mdx
new file mode 100644
index 000000000000..ed6060a01652
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/cubbyhole.mdx
@@ -0,0 +1,553 @@
+---
+layout: guides
+page_title: Cubbyhole Response Wrapping - Guides
+sidebar_title: Cubbyhole Response Wrapping
+description: |-
+  Vault provides a capability to wrap Vault response and store it in a
+  "cubbyhole" where the holder of the one-time use wrapping token can unwrap to
+  uncover the secret.
+---
+
+# Cubbyhole
+
+The term _cubbyhole_ comes from an Americanism where you get a "locker" or "safe
+place" to store your belongings or valuables. In Vault, cubbyhole is your
+"locker". All secrets are namespaced under **your token**. If that token
+expires or is revoked, all the secrets in its cubbyhole are revoked as well.
+
+It is not possible to reach into another token's cubbyhole even as the root
+user. This is the key difference between the cubbyhole and the key/value secret
+engine. The secrets in the key/value secret engine are accessible to any token for as
+long as its policy allows it.
+
+## Reference Material
+
+- [Cubbyhole](/docs/secrets/cubbyhole/index.html)
+- [Response Wrapping](/docs/concepts/response-wrapping.html)
+
+~> **NOTE:** An [interactive
+tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-cubbyhole) is
+also available if you do not have a Vault environment to perform the steps
+described in this guide.
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves two personas:
+
+- **`admin`** with privileged permissions to create tokens
+- **`apps`** trusted entity retrieving secrets from Vault
+
+## Challenge
+
+In order to tightly manage the secrets, you set the scope of who can do what
+using the [Vault policy](/docs/concepts/policies.html) and attach that to
+tokens, roles, entities, etc.
+
+Think of a case where you have a trusted entity (Chef, Jenkins, etc.) which
+reads secrets from Vault. This trusted entity must obtain a token. If the
+trusted entity or its host machine was rebooted, it must re-authenticate with
+Vault using a valid token.
+
+How can you securely distribute the initial token to the trusted entity?
+
+## Solution
+
+Use Vault's **cubbyhole response wrapping** where the initial token is stored in
+the cubbyhole secret engine. The wrapped secret can be unwrapped using the
+single-use wrapping token. Even the user or the system created the initial token
+won't see the original value. The wrapping token is short-lived and can be
+revoked just like any other tokens so that the risk of unauthorized access can
+be minimized.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### <a name="policy"></a>Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Manage tokens
+path "auth/token/*" {
+  capabilities = [ "create", "read", "update", "delete", "sudo" ]
+}
+
+# Write ACL policies
+path "sys/policy/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Manage secret/dev secret engine - for Verification test
+path "secret/dev" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+Think of a scenario where apps read secrets from Vault. The `apps` need:
+
+- Policy granting "read" permission on the specific path (`secret/dev`)
+- Valid tokens to interact with Vault
+
+![Response Wrapping Scenario](/img/vault-cubbyhole.png)
+
+Setting the appropriate policies and token generation are done by the `admin`
+persona. For the `admin` to distribute the initial token to the app securely, it
+uses cubbyhole response wrapping. In this guide, you perform the following:
+
+1. [Create and wrap a token](#step1)
+2. [Unwrap the secret](#step2)
+
+**NOTE:** This guide demonstrates how the response wrapping works. To learn more
+about reading and writing secrets in Vault, refer to the [Static
+Secret](/guides/secret-mgmt/static-secrets.html) guide.
+
+### <a name="step1"></a>Step 1: Create and wrap a token
+
+(**Persona:** admin)
+
+To solve the [challenge](#challenge) addressed in this guide:
+
+1. More privileged token (`admin`) wraps a secret only the expecting client can
+   read
+2. The receiving client (`app`) unwraps the secret to obtain the token
+
+When the response to `vault token create` request is wrapped, Vault inserts the
+generated token into the cubbyhole of a single-use token, returning that
+single-use wrapping token. Retrieving the secret requires an unwrap operation
+against this wrapping token.
+
+In this scenario, an [admin user](#personas) creates a token using response
+wrapping. To perform the steps in this guide, first create a policy for the app.
+
+`apps-policy.hcl`:
+
+```shell
+# For testing, read-only on secret/dev path
+path "secret/dev" {
+  capabilities = [ "read" ]
+}
+```
+
+#### CLI command
+
+First create an `apps` policy:
+
+```shell
+$ vault policy write apps apps-policy.hcl
+Policy 'apps' written.
+```
+
+To create a token using response wrapping:
+
+```shell
+$ vault token create -policy=<POLICY_NAME> -wrap-ttl=<WRAP_TTL>
+```
+
+Where the `<WRAP_TTL>` can be either an integer number of seconds or a string
+duration of seconds (15s), minutes (20m), or hours (25h).
+
+**Example:**
+
+Generate a token for `apps` persona using response wrapping with TTL of 120
+seconds.
+
+```shell
+$ vault token create -policy=apps -wrap-ttl=120
+
+Key                          	Value
+---                          	-----
+wrapping_token:              	9ac59985-094f-a2de-aed8-bf688e436fbc
+wrapping_token_ttl:          	2m0s
+wrapping_token_creation_time:	2018-01-10 00:47:54.970185208 +0000 UTC
+wrapping_token_creation_path:	auth/token/create
+wrapped_accessor:            	195763a9-3f26-1fcf-6a1a-ee0a11e76cb1
+```
+
+The response is the wrapping token; therefore, the admin user does not even see
+the generated token from the `token create` command.
+
+#### API call using cURL
+
+First create an `apps` policy using `sys/policy` endpoint:
+
+```shell
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request PUT \
+       --data <PAYLOAD> \
+       <VAULT_ADDRESS>/v1/sys/policy/<POLICY_NAME>
+```
+
+Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes policy name and
+stringified policy.
+
+**Example:**
+
+```shell
+# Request payload
+$ cat payload.json
+{
+  "policy": "path \"secret/dev\" { capabilities = [ \"read\" ] }"
+}
+
+# API call to create a policy named, "apps"
+$ curl --header "X-Vault-Token: ..." --request PUT --data @payload.json \
+       http://127.0.0.1:8200/v1/sys/policy/apps
+```
+
+Response wrapping is per-request and is triggered by providing to Vault the
+desired TTL for a response-wrapping token for that request. This is set using
+the **`X-Vault-Wrap-TTL`** header in the request and can be either an integer
+number of seconds or a string duration.
+
+```shell
+$ curl --header "X-Vault-Wrap-TTL: <TTL>" \
+       --header "X-Vault-Token: <TOKEN>" \
+       --request <HTTP_VERB> \
+       --data '<PARAMETERS>' \
+       <VAULT_ADDRESS>/v1/<ENDPOINT>
+```
+
+Where `<TTL>` can be either an integer number of seconds or a string duration of
+seconds (15s), minutes (20m), or hours (25h).
+
+**Example:**
+
+To wrap the response of token create request:
+
+```shell
+$ curl --header "X-Vault-Wrap-TTL: 120" \
+       --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"policies":["apps"]}' \
+       http://127.0.0.1:8200/v1/auth/token/create | jq
+{
+  "request_id": "",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": {
+    "token": "e095129f-123a-4fef-c007-1f6a487cfa78",
+    "ttl": 120,
+    "creation_time": "2018-01-10T01:43:38.025351336Z",
+    "creation_path": "auth/token/create",
+    "wrapped_accessor": "44e8253c-65b4-1690-1bf1-7902a7a6b2aa"
+  },
+  "warnings": null,
+  "auth": null
+}
+```
+
+This API call generates a token for `apps` persona using response wrapping with
+TTL of 60 seconds. The admin user does not even see the generated token.
+
+### <a name="step2"></a>Step 2: Unwrap the secret
+
+(**Persona:** apps)
+
+The `apps` persona receives a wrapping token from the `admin`. In order for the
+`apps` to acquire a valid token to read secrets from `secret/dev` path, it must
+run the unwrap operation using this token.
+
+-> **NOTE:** If a client has been expecting delivery of a response-wrapping
+token and none arrives, this may be due to an attacker intercepting the token
+and then preventing it from traveling further. This should cause an alert to
+trigger an immediate investigation.
+
+The following tasks will be performed to demonstrate the client operations:
+
+1. Create a token with **`default`** policy
+2. Authenticate with Vault using this `default` token (less privileged token)
+3. Unwrap the secret to obtain more privileged token (**`apps`** persona token)
+4. Verify that you can read `secret/dev` using the `apps`token
+
+#### CLI command
+
+First, create a token with `default` policy:
+
+```shell
+# Create a token with `default` policy
+$ vault token create -policy=default
+Key            	Value
+---            	-----
+token          	4522b2e8-27fe-bdc5-b932-d982f3166c6c
+token_accessor 	96108f48-7475-6190-b058-769a2e5ebc8e
+token_duration 	768h0m0s
+token_renewable	true
+token_policies 	[default]
+
+# Authenticate using the generated token
+$ vault login 4522b2e8-27fe-bdc5-b932-d982f3166c6c
+Successfully authenticated! You are now logged in.
+token: 4522b2e8-27fe-bdc5-b932-d982f3166c6c
+token_duration: 2764729
+token_policies: [default]
+
+# Verify that you do NOT have a permission to read secret/dev
+$ vault read secret/dev
+Error reading secret/dev: Error making API request.
+
+URL: GET http://<VAULT_ADDRESS>/v1/secret/dev
+Code: 403. Errors:
+
+* permission denied
+```
+
+The command to unwrap the wrapped secret is:
+
+```shell
+$ vault unwrap <WRAPPING_TOKEN>
+```
+
+Or
+
+```shell
+$ VAULT_TOKEN=<WRAPPING_TOKEN> vault unwrap
+```
+
+**Example:**
+
+```shell
+$ VAULT_TOKEN=9ac59985-094f-a2de-aed8-bf688e436fbc vault unwrap
+
+Key            	Value
+---            	-----
+token          	7bb915b2-8a44-48b0-a71d-72b590252016
+token_accessor 	195763a9-3f26-1fcf-6a1a-ee0a11e76cb1
+token_duration 	768h0m0s
+token_renewable	true
+token_policies 	[apps default]
+```
+
+Verify that this token has `apps` policy attached.
+
+Once the client acquired the token, future requests can be made using this
+token.
+
+```shell
+$ vault login 7bb915b2-8a44-48b0-a71d-72b590252016
+
+$ vault read secret/dev
+No value found at secret/dev
+```
+
+#### API call using cURL
+
+First, create a token with `default` policy:
+
+```shell
+# Create a new token default policy
+$ curl --header "X-Vault-Token: ..." --request POST \
+     --data '{"policies": "default"}' \
+     http://127.0.0.1:8200/v1/auth/token/create | jq
+{
+  ...
+  "auth": {
+    "client_token": "5fe14760-b0fd-22dc-403c-14a05003b67f",
+    "accessor": "e709610e-916e-f7e3-b93b-41f4dfdca7a0",
+    "policies": [
+      "default"
+    ],
+    ...
+ }
+}
+
+# Verify that you can NOT read secret/dev using default token
+$ curl --header "X-Vault-Token: 5fe14760-b0fd-22dc-403c-14a05003b67f" \
+       --request GET \
+       http://127.0.0.1:8200/v1/secret/dev | jq
+{
+ "errors": [
+   "permission denied"
+ ]
+}
+```
+
+Now, unwrap the secret using `/sys/wrapping/unwrap` endpoint:
+
+```shell
+$ curl --header "X-Vault-Token: <WRAPPING_TOKEN>" \
+       --request POST \
+       <VAULT_ADDRESS>/v1/sys/wrapping/unwrap
+```
+
+**Example:**
+
+```shell
+$ curl --header "X-Vault-Token: e095129f-123a-4fef-c007-1f6a487cfa78" \
+       --request POST \
+       http://127.0.0.1:8200/v1/sys/wrapping/unwrap | jq
+{
+  "request_id": "d704435d-c1cf-b8a3-52f6-ec50bc8246c4",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "af5f7682-aa55-fa37-5039-ee116df56600",
+    "accessor": "19b5407e-b304-7cde-e946-54942325d3c1",
+    "policies": [
+      "apps",
+      "default"
+    ],
+    "metadata": null,
+    "lease_duration": 2764800,
+    "renewable": true
+  }
+}
+```
+
+Once the client acquired the token, future requests can be made using this
+token.
+
+```plaintext
+$ curl --header "X-Vault-Token: af5f7682-aa55-fa37-5039-ee116df56600" \
+       --request GET \
+       http://127.0.0.1:8200/v1/secret/dev | jq
+{
+  "errors": []
+}
+```
+
+Since there is no data in `secret/dev`, it returns an empty array.
+
+## Additional Discussion
+
+The `cubbyhole` secret engine provides your own private secret storage space
+where no one else can read (including `root`). This comes handy when you want to
+store a password tied to your username that should not be shared with anyone.
+
+The cubbyhole secret engine is mounted at the **`cubbyhole/`** prefix by
+default. The secrets you store in the `cubbyhole/` path are tied to your token
+and all tokens are permitted to read and write to the `cubbyhole` secret engine
+by the [`default`](/docs/concepts/policies.html#default-policy) policy.
+
+```shell
+...
+# Allow a token to manage its own cubbyhole
+path "cubbyhole/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+...
+```
+
+To test the cubbyhole secret engine, perform the following steps. (NOTE: Keep
+using the `apps` token from [Step 2](#step2) to ensure that you are logged in with
+non-root token.)
+
+#### CLI command
+
+Commands to write and read secrets to the `cubbyhole` secret engine:
+
+```shell
+# Write key-value pair(s) in your cubbyhole
+$ vault write cubbyhole/<PATH> <KEY>=<VALUE>
+
+# Read values from your cubbyhole
+$ vault write cubbyhole/<PATH>
+```
+
+**Example:**
+
+Write secrets under `cubbyhole/private/` path, and read it back.
+
+```shell
+# Write "token" to cubbyhole/private/access-token path
+$ vault write cubbyhole/private/access-token token="123456789abcdefg87654321"
+Success! Data written to: cubbyhole/private/access-token
+
+# Read value from cubbyhole/private/access-token path
+$ vault read cubbyhole/private/access-token
+Key  	Value
+---  	-----
+token	123456789abcdefg87654321
+```
+
+Now, try to access the secret using the `root` token. It should NOT return the
+secret.
+
+```shell
+$ VAULT_TOKEN=<ROOT_TOKEN> vault read cubbyhole/private/access-token
+
+No value found at cubbyhole/private/access-token
+```
+
+#### API call using cURL
+
+The API to work with the `cubbyhole` secret engine is very similar to `secret` secret engine:
+
+```shell
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data <SECRETS> \
+       <VAULT_ADDRESS>/v1/cubbyhole/<PATH>
+```
+
+**Example:**
+
+Write secrets under `cubbyhole/private/` path, and read it back.
+
+```shell
+# Write "token" to cubbyhole/private/access-token path
+$ curl --header "X-Vault-Token: e095129f-123a-4fef-c007-1f6a487cfa78" --request POST \
+       --data '{"token": "123456789abcdefg87654321"}' \
+       http://127.0.0.1:8200/v1/cubbyhole/private/access-token
+
+# Read value from cubbyhole/private/access-token path
+$ curl --header "X-Vault-Token: e095129f-123a-4fef-c007-1f6a487cfa78" --request GET \
+       http://127.0.0.1:8200/v1/cubbyhole/private/access-token  | jq
+{
+ "request_id": "b2ff9f04-7a72-7eb0-672f-225b5eb652df",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": {
+   "token": "123456789abcdefg87654321"
+ },
+ "wrap_info": null,
+ "warnings": null,
+ "auth": null
+}
+```
+
+Now, try to access the secret using the `root` token. It should NOT return the
+secret.
+
+```shell
+$ curl --header "X-Vault-Token: root" --request GET \
+       http://127.0.0.1:8200/v1/cubbyhole/private/access-token  | jq
+{
+ "errors": []
+}
+```
+
+Also, refer to [Cubbyhole Secret Engine (API)](/api/secret/cubbyhole/index.html).
+
+## Next steps
+
+The use of [AppRole Pull Authentication](/guides/identity/authentication.html) is a good
+use case to leverage the response wrapping. Go through the guide if you have not
+done so. To better understand the lifecycle of Vault tokens, proceed to [Tokens
+and Leases](/guides/identity/lease.html) guide.
diff --git a/website/pages/guides/secret-mgmt/db-root-rotation.mdx b/website/pages/guides/secret-mgmt/db-root-rotation.mdx
new file mode 100644
index 000000000000..f905306b0f5b
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/db-root-rotation.mdx
@@ -0,0 +1,361 @@
+---
+layout: guides
+page_title: DB Root Credential Rotation - Guides
+sidebar_title: DB Root Credential Rotation
+description: |-
+  Vault enables the combined database secret engines to automate the rotation of
+  root credentials.
+---
+
+# Database Root Credential Rotation
+
+## Database Secrets Engine
+
+Vault's [database secrets engine](/docs/secrets/databases/index.html) provides a
+centralized workflow for managing credentials for various database systems. By
+leveraging this, every service instance gets a unique set of database
+credentials instead of sharing one. Having those credentials tied directly to
+each service instance and live only for the life of the service, any abnormal
+access pattern can be mapped to a specific service instance and its credential
+can be revoked immediately.
+
+This reduces the manual tasks performed by the database administrator and make
+the access to the database to be more efficient and secure.
+
+The [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
+guide demonstrates the primary workflow.
+
+## Reference Material
+
+- [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
+- [Database Secret Engine (API)](/api/secret/databases/index.html#rotate-root-credentials)
+- [PostgreSQL Database Plugin HTTP API](/api/secret/databases/postgresql.html)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Challenge
+
+Because Vault is managing the database credentials on behalf of the database
+administrator, it must also be given a set of highly privileged credentials
+which can grant and revoke access to the database system. Therefore, it is very
+common to give Vault the **root** credentials.
+
+However, these credentials are often long-lived and never change once configured
+on Vault. This may violate the _Governance, Risk and Compliance_ (GRC)
+surrounding that data stored in the database.
+
+## Solution
+
+Use the Vault's **`/database/rotate-root/:name`** API endpoint to rotate the
+root credentials stored for the database connection.
+
+![DB Root Credentials](/img/vault-db-root-rotation.png)
+
+~> **Best Practice:** Use this feature to rotate the root credentials
+immediately after the initial configuration of each database.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### PostgreSQL
+
+This guide requires that you have a PostgreSQL server to connect to. If you
+don't have one, install [PostgreSQL](https://www.postgresql.org/download/).
+
+- Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/online-resources/) for details
+- [PostgreSQL Wiki](https://wiki.postgresql.org/wiki/First_steps) gives you a
+  summary of basic commands to get started.
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Mount secret engines
+path "sys/mounts/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Configure the database secret engine and create roles
+path "database/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+Using Vault, you can easily rotate the root credentials for your database
+through the **`database/rotate-root/:name`** endpoint.
+
+This guide demonstrates the overall workflow to manage the database credentials
+including the root.
+
+You are going to perform the following:
+
+1. [Enable the database secret engine](#step1)
+1. [Configure PostgreSQL secret engine](#step2)
+1. [Verify the configuration (**_Optional_**)](#step3)
+1. [Rotate the root credentials](#step4)
+
+### <a name="step1"></a>Step 1: Enable the database secret engine
+
+#### CLI command
+
+Enable a database secret engine:
+
+```plaintext
+$ vault secrets enable database
+```
+
+**NOTE:** This example enables the database secret engine at the **`/database`**
+path in Vault.
+
+#### API call using cURL
+
+To enable a database secret engine, use the **`/sys/mounts`** endpoint.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type":"database"}' \
+       https://127.0.0.1:8200/v1/sys/mounts/database
+```
+
+**NOTE:** This example mounts database secret engine at **`/database`**,
+and passes the secret engine type ("`database`") in the request payload.
+
+### <a name="step2"></a>Step 2: Configure PostgreSQL secret engine
+
+In the [Secret as a Service: Dynamic
+Secrets](/guides/secret-mgmt/dynamic-secrets.html#step2) guide, the PostgreSQL
+plugin was configured with its root credentials embedded in the `connection_url`
+(`root` and `rootpassword`) as below:
+
+```plaintext
+$ vault write database/config/postgresql \
+      plugin_name=postgresql-database-plugin \
+      allowed_roles="*" \
+      connection_url=postgresql://root:rootpassword@postgres.host.address:5432/postgres
+```
+
+The username and password can be templated using the format,
+**`{{<field-name>}}`**.
+
+~> In order to leverage the database root credential rotation feature, you must
+use the templated credentials: **`{{username}}`** and **`{{password}}`**.
+
+#### CLI command
+
+```plaintext
+$ vault write database/config/postgresql \
+     plugin_name=postgresql-database-plugin \
+     connection_url="postgresql://{{username}}:{{password}}@postgres.host.address:5432/postgres" \
+     allowed_roles="*" \
+     username="root" \
+     password="rootpassword"
+```
+
+Notice that the `connection_url` value contains the templated credentials, and
+`username` and `password` parameters are also passed to initiate the connection.
+
+Create a role, `readonly`:
+
+```shell
+# Create readonly.sql defining the role privilege
+$ tee readonly.sql <<EOF
+CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
+EOF
+
+# Create a role named 'readonly' with TTL of 1 hr
+$ vault write database/roles/readonly db_name=postgresql \
+         creation_statements=@readonly.sql \
+         default_ttl=1h max_ttl=24h
+```
+
+#### API call using cURL
+
+```plaintext
+$ tee payload.json <<EOF
+{
+    "plugin_name": "postgresql-database-plugin",
+    "connection_url": "postgresql://{{username}}:{{password}}@postgres.host.address:5432/postgres",
+    "allowed_roles": "readonly",
+    "username": "root",
+    "password": "rootpassword"
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..."
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/database/config/postgresql
+```
+
+Notice that the `connection_url` value contains the templated credentials, and
+`username` and `password` parameters are also passed to initiate the connection.
+
+Create a role, `readonly`:
+
+```shell
+# Create the request payload
+$ tee payload.json <<EOF
+{
+	"db_name": "postgres",
+	"creation_statements": "CREATE ROLE '{{name}}' WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
+  GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{name}}';",
+	"default_ttl": "1h",
+	"max_ttl": "24h"
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..."
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/database/roles/readonly
+```
+
+### <a name="step3"></a>Step 3: Verify the configuration (**_Optional_**)
+
+Before rotate the root credentials, make sure that the secret engine was
+configured correctly.
+
+#### CLI command
+
+```shell
+# Get a new set of credentials
+$ vault read database/creds/readonly
+Key                Value
+---                -----
+lease_id           database/creds/readonly/999c43f0-f79e-ba90-24a8-4de5af33a2e9
+lease_duration     1h
+lease_renewable    true
+password           A1a-u7wxtrpx09xp40yq
+username           v-root-readonly-x6q809467q98yp4yx4z4-1525378026e
+
+
+# Make sure that you can connect to the database using the Vault generated credentials
+$ psql -h postgres.host.address -p 5432 \
+       -U v-root-readonly-x6q809467q98yp4yx4z4-1525378026e postgres
+Password for user v-root-readonly-x6q809467q98yp4yx4z4-1525378026:
+
+postgres=> \du
+Role name                                       |                         Attributes                         | Member of
+------------------------------------------------+------------------------------------------------------------+----------
+postgres                                        | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
+v-root-readonly-x6q809467q98yp4yx4z4-1525378026 | Password valid until 2018-05-03 21:07:11+00                | {}
+
+postgres=> \q
+```
+
+#### API call using cURL
+
+```shell
+# Get a new set of credentials
+$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
+       http://127.0.0.1:8200/v1/database/creds/readonly | jq
+{
+   "request_id": "527970fd-f5e8-4de5-d4ed-1b7970eaef0b",
+   "lease_id": "database/creds/readonly/ac79265e-668c-242f-4f67-1dae33da094c",
+   "renewable": true,
+   "lease_duration": 3600,
+   "data": {
+     "password": "A1a-0tr8u15y0us2u08v",
+     "username": "v-root-readonly-x7v65y1xuprzxv9vpt80-1525378873"
+   },
+   "wrap_info": null,
+   "warnings": null,
+   "auth": null
+}
+
+# Make sure that you can connect to the database using the Vault generated credentials
+$ psql -h postgres.host.address -p 5432 \
+       -U v-root-readonly-x6q809467q98yp4yx4z4-1525378026e postgres
+Password for user v-root-readonly-x6q809467q98yp4yx4z4-1525378026:
+
+postgres=> \du
+Role name                                       |                         Attributes                         | Member of
+------------------------------------------------+------------------------------------------------------------+----------
+postgres                                        | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
+v-root-readonly-x6q809467q98yp4yx4z4-1525378026 | Password valid until 2018-05-03 21:07:11+00                | {}
+v-root-readonly-x7v65y1xuprzxv9vpt80-1525378873 | Password valid until 2018-05-03 21:21:18+00                | {}
+
+postgres=> \q
+```
+
+<br />
+
+This confirms that the Vault successfully connected to your PostgreSQL server
+and created a new user based on the privilege defined by `readonly.sql`.
+
+> The user credentials generated by the Vault has a limited TTL based on your
+> configuration (`default_ttl`). In addition, you can revoke them if necessary.
+
+### <a name="step4"></a>Step 4: Rotate the root credentials
+
+Vault provides an API endpoint to easily rotate the root database credentials.
+
+#### CLI command
+
+```plaintext
+$ vault write -force database/rotate-root/postgresql
+```
+
+#### API call using cURL
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       http://127.0.0.1:8200/v1/database/rotate-root/postgresql
+```
+
+This is all you need to do.
+
+---
+
+<br />
+
+Repeat [Step 3](#step3) to verify that Vault continues to generate database
+credentials after the root credential rotation.
+
+To verify that the root credential was rotated:
+
+```plaintext
+$ psql -h postgres.host.address -p 5432 -U root postgres
+Password for user root:
+```
+
+Entering the initial password (e.g. `rootpassword`) will **_not_** work since
+the password was rotated by the Vault.
+
+You can invoke the **`database/rotate-root/:name`** endpoint periodically to
+secure the root credential.
+
+~> **NOTE:** Once the root credential was rotated, only the Vault knows the new
+root password. This is the same for all root database credentials given to Vault.
+Therefore, you should create a separate superuser dedicated to the Vault usage
+which is not used for other purposes.
+
+## Next steps
+
+In this guide, you learned how to rotate the root database credentials.
+
+Read the [AppRole Pull Authentication](/guides/identity/authentication.html)
+guide to learn about generating a client token for your app so that it can
+request database credentials from Vault.
diff --git a/website/pages/guides/secret-mgmt/dynamic-secrets.mdx b/website/pages/guides/secret-mgmt/dynamic-secrets.mdx
new file mode 100644
index 000000000000..57e4c3814745
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/dynamic-secrets.mdx
@@ -0,0 +1,487 @@
+---
+layout: guides
+page_title: Secret as a Service - Guides
+sidebar_title: Secret as a Service
+description: Vault can dynamically generate secrets on-demand for some systems.
+---
+
+# Secret as a Service: Dynamic Secrets
+
+Vault can generate secrets on-demand for some systems. For example, when an app
+needs to access an Amazon S3 bucket, it asks Vault for AWS credentials. Vault
+will generate an AWS credential granting permissions to access the S3 bucket. In
+addition, Vault will automatically revoke this credential after the TTL is
+expired.
+
+The [Getting Started](/intro/getting-started/dynamic-secrets.html) guide walks
+you through the generation of dynamic AWS credentials.
+
+## Reference Material
+
+- [Getting Started - Dynamic Secrets](/intro/getting-started/dynamic-secrets.html)
+- [Secret Engines - Databases](/docs/secrets/databases/index.html)
+- [Role API](/api/secret/databases/index.html#create-role)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves two personas:
+
+- **`admin`** with privileged permissions to configure secret engines
+- **`apps`** read the secrets from Vault
+
+## Challenge
+
+Data protection is a top priority which means that the database credential
+rotation is a critical part of any data protection initiative. Each role has a
+different set of permissions granted to access the database. When a system is
+attacked by hackers, continuous credential rotation becomes necessary and needs
+to be automated.
+
+## Solution
+
+Applications ask Vault for database credential rather than setting them as
+environment variables. The administrator specifies the TTL of the database
+credentials to enforce its validity so that they are automatically revoked when
+they are no longer used.
+
+![Dynamic Secret Workflow](/img/vault-dynamic-secrets.png)
+
+Each app instance can get unique credentials that they don't have to share. By
+making those credentials to be short-lived, you reduced the change of the secret
+to being compromised. If an app was compromised, the credentials used by the app
+can be revoked rather than changing more global set of credentials.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### PostgreSQL
+
+This guide requires that you have a PostgreSQL server to connect to. If you
+don't have one, install [PostgreSQL](https://www.postgresql.org/download/) to
+perform the steps described in this guide.
+
+- Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/online-resources/) for details
+- [PostgreSQL Wiki](https://wiki.postgresql.org/wiki/First_steps) gives you a
+  summary of basic commands to get started.
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Mount secret engines
+path "sys/mounts/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Configure the database secret engine and create roles
+path "database/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Write ACL policies
+path "sys/policy/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Manage tokens for verification
+path "auth/token/create" {
+  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+In this guide, you are going to configure PostgreSQL secret engine, and create
+a read-only database role. The Vault generated PostgreSQL credentials will only
+have read permission.
+
+1. [Mount the database secret engine](#step1)
+2. [Configure PostgreSQL secret engine](#step2)
+3. [Create a role](#step3)
+4. [Request PostgreSQL credentials](#step4)
+5. [Validation](#validation)
+
+Step 1 through 3 need to be performed by an `admin` user. Step 4 describes
+the commands that an `app` runs to get a database credentials from Vault.
+
+### <a name="step1"></a>Step 1: Mount the database secret engine
+
+(**Persona:** admin)
+
+As most of the secret engines, the [database secret engine](/docs/secrets/databases/index.html)
+must be mounted.
+
+#### CLI command
+
+To mount a database secret engine:
+
+```plaintext
+$ vault secrets enable <PATH>
+```
+
+**Example:**
+
+```plaintext
+$ vault secrets enable database
+```
+
+**NOTE:** In this guide, the database secret engine is mounted at the `/database path` in
+Vault. However, it is possible to mount your secret engines at any location.
+
+#### API call using cURL
+
+Mount `database` secret engine using `/sys/mounts` endpoint:
+
+```plaintext
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data <PARAMETERS> \
+       <VAULT_ADDRESS>/v1/sys/mounts/<PATH>
+```
+
+Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
+parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
+
+**Example:**
+
+The following example mounts database secret engine at `sys/mounts/database`
+path, and passed the secret engine type ("database") in the request payload.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type":"database"}' \
+       https://127.0.0.1:8200/v1/sys/mounts/database
+```
+
+**NOTE:** It is possible to mount your database secret engines at any location.
+
+### <a name="step2"></a>Step 2: Configure PostgreSQL secret engine
+
+(**Persona:** admin)
+
+The PostgreSQL secret engine needs to be configured with valid credentials. It
+is very common to give Vault the **root** credentials and let Vault manage the
+auditing and lifecycle credentials; it's much better than having one person
+manage the credentials.
+
+The following command configures the database secret engine using
+`postgresql-database-plugin` where the database connection URL is
+`postgresql://root:rootpassword@localhost:5432/myapp`. The allowed role is
+`readonly` which you will create in [Step 3](#step3).
+
+**NOTE:** If your
+database connection URL is different from this example, be sure to replace the
+command with correct URL to match your environment.
+
+#### CLI command
+
+**Example:**
+
+```plaintext
+$ vault write database/config/postgresql \
+      plugin_name=postgresql-database-plugin \
+      allowed_roles=readonly \
+      connection_url=postgresql://root:rootpassword@localhost:5432/myapp
+```
+
+#### API call using cURL
+
+**Example:**
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." --request POST --data @payload.json \
+    http://127.0.0.1:8200/v1/database/config/postgresql
+
+$ cat payload.json
+{
+	"plugin_name": "postgresql-database-plugin",
+	"allowed_roles": "readonly",
+	"connection_url": "postgresql://root:rootpassword@localhost:5432/myapp"
+}
+```
+
+<br />
+
+~> **NOTE:** Read the [Database Root Credential Rotation](/guides/secret-mgmt/db-root-rotation.html)
+guide to learn about rotating the root credential immediately after the initial
+configuration of each database.
+
+### <a name="step3"></a>Step 3: Create a role
+
+(**Persona:** admin)
+
+In [Step 2](#step2), you configured the PostgreSQL secret engine by passing **`readonly`** role
+as an allowed member. The next step is to define the `readonly` role. A role is
+a logical name that maps to a policy used to generate credentials.
+
+-> Vault does not know what kind of PostgreSQL users you want to create. So,
+supply the information in SQL to create desired users.
+
+**Example:** `readonly.sql`
+
+```plaintext
+CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
+```
+
+The values within the `{{<value>}}` will be filled in by Vault. Notice that
+**`VALID_UNTIL`** clause. This tells PostgreSQL to revoke the credentials even
+if Vault is offline or unable to communicate with it.
+
+#### CLI command
+
+**Example:**
+
+```plaintext
+$ vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql \
+    default_ttl=1h max_ttl=24h
+```
+
+The above command creates a role named, `readonly` with default TTL of 1
+hour, and max TTL of the credential is set to 24 hours. The `readonly.sql`
+statement is passed as the role creation statement.
+
+#### API call using cURL
+
+**Example:**
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." --request POST --data @payload.json \
+    http://127.0.0.1:8200/v1/database/roles/readonly
+
+$ cat payload.json
+{
+	"db_name": "postgres",
+	"creation_statements": ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
+  GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"],
+	"default_ttl": "1h",
+	"max_ttl": "24h"
+}
+```
+
+The `db_name`, `creation_statements`, `default_ttl`, and `max_ttl` are set in
+the `role-payload.json`.
+
+### <a name="step4"></a>Step 4: Request PostgreSQL credentials
+
+(**Persona:** apps)
+
+Now, you are switching to [`apps` persona](#personas). To get a new set of
+PostgreSQL credentials, the client app needs to be able to **read** from the
+`readonly` role endpoint. Therefore, the app's token must have a policy granting
+the read permission.
+
+`apps-policy.hcl`
+
+```shell
+# Get credentials from the database secret engine
+path "database/creds/readonly" {
+  capabilities = [ "read" ]
+}
+```
+
+#### CLI command
+
+First create an `apps` policy, and generate a token so that you can authenticate
+as an `apps` persona.
+
+**Example:**
+
+```shell
+# Create "apps" policy
+$ vault policy write apps apps-policy.hcl
+Policy 'apps' written.
+
+# Create a new token with app policy
+$ vault token create -policy="apps"
+Key            	Value
+---            	-----
+token          	e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
+token_accessor 	54700b7e-d828-a6c4-6141-96e71e002bd7
+token_duration 	768h0m0s
+token_renewable	true
+token_policies 	[apps default]
+```
+
+Use the returned token to perform the remaining.
+
+**NOTE:** [AppRole Pull Authentication](/guides/identity/authentication.html) guide
+demonstrates more sophisticated way of generating a token for your apps.
+
+```shell
+# Authenticate with Vault using the generated token first
+$ vault login e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
+Successfully authenticated! You are now logged in.
+token: e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
+token_duration: 2764277
+token_policies: [apps default]
+
+# Invoke the vault command
+$ vault read database/creds/readonly
+
+Key            	Value
+---            	-----
+lease_id       	database/creds/readonly/4b5c6e82-df88-0dec-c0cb-f07eee8f0329
+lease_duration 	1h0m0s
+lease_renewable	true
+password       	A1a-4urzp0wu92r5s1q0
+username       	v-token-readonly-9x3qrw452wwz4w6421xt-1515625519
+```
+
+**NOTE:** Re-run the command and notice that Vault returns a different set of
+credentials each time. This means that each app instance can acquire a unique
+set of credentials.
+
+#### API call using cURL
+
+First create an `apps` policy, and generate a token so that you can authenticate
+as an `app` persona.
+
+```shell
+# Payload to pass in the API call
+$ cat payload.json
+{
+  "policy": "path \"database/creds/readonly\" {capabilities = [ \"read\" ]}"
+}
+
+# Create "apps" policy
+$ curl --header "X-Vault-Token: ..." --request PUT \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/sys/policy/apps
+
+# Generate a new token with apps policy
+$ curl --header "X-Vault-Token: ..." --request POST \
+       --data '{"policies": ["apps"]}' \
+       http://127.0.0.1:8200/v1/auth/token/create | jq
+{
+ "request_id": "e1737bc8-7e51-3943-42a0-2dbd6cb40e3e",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": null,
+ "wrap_info": null,
+ "warnings": null,
+ "auth": {
+   "client_token": "1c97b03a-6098-31cf-9d8b-b404e52dcb4a",
+   "accessor": "b10a3eb7-15fe-1924-600e-403cfda34c28",
+   "policies": [
+     "apps",
+     "default"
+   ],
+   "metadata": null,
+   "lease_duration": 2764800,
+   "renewable": true,
+   "entity_id": ""
+ }
+}
+```
+
+Be sure to use the returned token to perform the remaining.
+
+**NOTE:** [AppRole Pull Authentication](/guides/identity/authentication.html) guide
+demonstrates more sophisticated way of generating a token for your apps.
+
+```plaintext
+$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
+       --request GET \
+       http://127.0.0.1:8200/v1/database/creds/readonly | jq
+{
+  "request_id": "e0e5a6c1-5e69-5cf3-c9d2-020af192de36",
+  "lease_id": "database/creds/readonly/7aa462ab-98cb-fdcb-b226-f0a0d37644cc",
+  "renewable": true,
+  "lease_duration": 3600,
+  "data": {
+    "password": "A1a-2680ut032xqt16tq",
+    "username": "v-token-readonly-6s4su6z93472x0r2787t-1515625742"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+### Validation
+
+(1) Generate a new set of credentials.
+
+```plaintext
+$ vault read database/creds/readonly
+
+Key            	Value
+---            	-----
+lease_id       	database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
+lease_duration 	1h0m0s
+lease_renewable	true
+password       	A1a-w2xv2zsq4r5ru940
+username       	v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434
+```
+
+The generated username is `v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434`.
+
+(2) Connect to the postgres as an admin user, and run the following psql commands.
+
+```plaintext
+$ psql -U postgres
+
+postgres > \du
+                                                       List of roles
+                    Role name                     |                         Attributes                         | Member of
+--------------------------------------------------+------------------------------------------------------------+-----------
+ postgres                                         | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
+ v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434 | Password valid until 2018-01-11 00:37:14+00                | {}
+
+postgres > \q
+```
+
+The `\du` command lists all users. You should be able to verify that the username generated by Vault exists.
+
+(3) Renew the lease for this credential by passing its **`lease_id`**.
+
+```plaintext
+$ vault renew database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
+
+Key            	Value
+---            	-----
+lease_id       	database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
+lease_duration 	1h0m0s
+lease_renewable	true
+```
+
+(4) Revoke the generated credentials.
+
+```plaintext
+$ vault lease revoke database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
+```
+
+**NOTE:** If you run the command with **`-prefix=true`** flag, it revokes all
+secrets under `database/creds/readonly`.
+
+Now, when you check the list of users in PostgreSQL, none of the Vault generated
+user name exists.
+
+## Next steps
+
+This guide discussed how to generate credentials on-demand so that the access
+credentials no longer need to be written to disk. Next, learn about the
+[Tokens and Leases](/guides/identity/lease.html) so that you can control the
+lifecycle of those credentials.
diff --git a/website/pages/guides/secret-mgmt/index.mdx b/website/pages/guides/secret-mgmt/index.mdx
new file mode 100644
index 000000000000..7e7d11f12aa9
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/index.mdx
@@ -0,0 +1,50 @@
+---
+layout: guides
+page_title: Secrets Management - Guides
+sidebar_title: Secrets Management
+description: |-
+  A very common use case of Vault is to manage your organization's secrets from
+  storing credentials and API keys to encrypting passwords for user signups.
+  Vault is meant to be a solution for all secret management needs.
+---
+
+# Secrets Management
+
+Vault is a tool for securely accessing secrets. A secret is anything that you
+want to tightly control access to, such as API keys, passwords, certificates,
+and more. Vault provides a unified interface to any secret while providing
+tight access control and recording a detailed audit log.
+
+Secrets Management guides demonstrate features in Vault to securely store your
+secrets.
+
+- [Static Secrets](/guides/secret-mgmt/static-secrets.html) guide walks you
+  through the steps to write secrets in Vault, and control who can access them.
+
+- [Versioned KV Secret Engine](/guides/secret-mgmt/versioned-kv.html) guide
+  demonstrates the secret versioning capabilities provided by KV Secret Engine v2.
+
+- [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
+  guide demonstrates the Vault feature to generate database credentials
+  on-demand so that each application or system can obtain its own credentials,
+  and its permissions can be tightly controlled.
+
+- [Database Root Credential Rotation](/guides/secret-mgmt/db-root-rotation.html)
+  guide walks you through the steps to enable the rotation of the database root
+  credentials for those managed by Vault.
+
+- [Cubbyhole Response Wrapping](/guides/secret-mgmt/cubbyhole.html) guide
+  demonstrates a secure method to distribute secrets by wrapping them where only
+  the expecting client can unwrap.
+
+- [One-Time SSH Password](/guides/secret-mgmt/ssh-otp.html) guide demonstrates
+  the use of SSH secrets engine to generate a one-time password (OTP) every time a
+  client wants to SSH into a remote host.
+
+- [Build Your Own Certificate Authority](/guides/secret-mgmt/pki-engine.html)
+  guide walks you through the use of the PKI secrets engine to generate dynamic
+  X.509 certificates.
+
+- [Direct Application Integration](/guides/secret-mgmt/app-integration.html)
+  guide demonstrates the usage of _Consul Template_ and _Envconsul_ tool to
+  retrieve secrets from Vault with no or minimum code change to your applications.
diff --git a/website/pages/guides/secret-mgmt/pki-engine.mdx b/website/pages/guides/secret-mgmt/pki-engine.mdx
new file mode 100644
index 000000000000..7cc75465ea1a
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/pki-engine.mdx
@@ -0,0 +1,679 @@
+---
+layout: guides
+page_title: Build Your Own Certificate Authority - Guides
+sidebar_title: Build Your Own CA
+description: |-
+  The PKI secrets engine generates dynamic X.509 certificates. With this secrets
+  engine, services can get certificates without going through the usual manual
+  process of generating a private key and CSR, submitting to a CA, and waiting
+  for a verification and signing process to complete. Vault's built-in
+  authentication and authorization mechanisms provide the verification
+  functionality.
+---
+
+# Build Your Own Certificate Authority (CA)
+
+Vault's PKI secrets engine can dynamically generate X.509 certificates on
+demand. This allows services to acquire certificates without going through the
+usual manual process of generating a private key and Certificates Signing
+Request (CSR), submitting to a CA, and then wait for the verification and
+signing process to complete.
+
+## Reference Material
+
+- [PKI (Certificates) Secrets Engine](/docs/secrets/pki/index.html)
+- [PKI Secrets Engine (API)](/api/secret/pki/index.html)
+- [RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate
+  Revocation List (CRL) Profile](https://tools.ietf.org/html/rfc5280)
+- [OpenSSL x509 Man Pages](https://www.openssl.org/docs/man1.1.0/apps/x509.html)
+
+## Estimated Time to Complete
+
+15 minutes
+
+## Personas
+
+The steps described in this guide are typically performed by **security
+engineer**.
+
+## Challenge
+
+Organizations should protect their website; however, the Traditional PKI process
+workflow takes a long time which motivates organizations to create certificates
+which do not expire for a year or more.
+
+## Solution
+
+Use Vault to create X509 certificates for usage in MTLS or other arbitrary PKI
+encryption. While this can be used to create web server certificates. If
+users do not import the CA chains, the browser will complain about self-signed
+certificates.
+
+Creating PKI certificates is generally a cumbersome process using traditional
+tools like `openssl` or even more advanced frameworks like CFSSL. These tools
+also require a human component to verify certificate distribution meets
+organizational security policies.
+
+Vault PKI secrets engine makes this a lot simpler. The PKI secrets engine can
+be an Intermediate-Only certificate authority which potentially allows for
+higher levels of security.
+
+1. Store CA outside the Vault (air gapped)
+1. Create CSRs for the intermediates
+1. Sign CSR outside Vault and import intermediate
+1. Issue leaf certificates from the Intermediate CA
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault.
+
+Alternatively, you can use the [Vault
+Playground](https://www.katacoda.com/hashicorp/scenarios/vault-playground)
+environment.
+
+### <a name="policy"></a>Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Enable secrets engine
+path "sys/mounts/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# List enabled secrets engine
+path "sys/mounts" {
+  capabilities = [ "read", "list" ]
+}
+
+# Work with pki secrets engine
+path "pki*" {
+  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+In this guide, you are going to first generate a self-signed root certificate.
+Then you are going to generate an intermediate certificate which is signed by
+the root. Finally, you are going to generate a certificate for
+`test.example.com` domain.
+
+![Overview](/img/vault-pki-4.png)
+
+In this guide, you perform the following:
+
+1. [Generate Root CA](#step1)
+1. [Generate Intermediate CA](#step2)
+1. [Create a Role](#step3)
+1. [Request Certificates](#step4)
+1. [Revoke Certificates](#step5)
+1. [Remove Expired Certificates](#step6)
+
+### <a name="step1"></a>Step 1: Generate Root CA
+
+In this step, you are going to generate a self-signed root certificate using
+PKI secrets engine.
+
+#### CLI command
+
+1. First, enable the `pki` secrets engine at `pki` path:
+
+   ```plaintext
+   $ vault secrets enable pki
+   ```
+
+1. Tune the `pki` secrets engine to issue certificates with a maximum time-to-live (TTL) of 87600 hours.
+
+   ```plaintext
+   $ vault secrets tune -max-lease-ttl=87600h pki
+   ```
+
+1. Generate the **_root_** certificate and save the certificate in `CA_cert.crt`.
+
+   ```plaintext
+   $ vault write -field=certificate pki/root/generate/internal common_name="example.com" \
+           ttl=87600h > CA_cert.crt
+   ```
+
+   This generates a new self-signed CA certificate and private key. Vault will
+   _automatically_ revoke the generated root at the end of its lease period
+   (TTL); the CA certificate will sign its own Certificate Revocation List
+   (CRL).
+
+1. Configure the CA and CRL URLs:
+
+   ```plaintext
+   $ vault write pki/config/urls \
+           issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
+           crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+   ```
+
+#### API call using cURL
+
+1.  First, enable the `pki` secrets engine at `pki` path using `/sys/mounts` endpoint:
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: <TOKEN>" \
+           --request POST \
+           --data <PARAMETERS> \
+           <VAULT_ADDRESS>/v1/sys/mounts/<PATH>
+    ```
+
+    Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
+    parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
+
+    **Example:**
+
+    The following example mounts `pki` secret engine.
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: ..." \
+           --request POST \
+           --data '{"type":"pki"}' \
+           https://127.0.0.1:8200/v1/sys/mounts/pki
+    ```
+
+1.  Tune the `pki` secrets engine to issue certificates with a maximum
+    time-to-live (TTL) of 87600 hours.
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: ..." \
+            --request POST \
+            --data '{"max_lease_ttl":"87600h"}' \
+            https://127.0.0.1:8200/v1/sys/mounts/pki/tune
+    ```
+
+1.  Generate the **_root_** certificate and extract the CA certificate and save
+    it as `CA_cert.crt`.
+
+    > **NOTE:** The following command uses `jq` tool to parse the output JSON.
+    > You can install [`jq`](https://stedolan.github.io/jq/download/) or manually
+    > copy and paste the certificate in a file, `CA_cert.crt`.
+
+    ```plaintext
+    $ tee payload.json <<EOF
+    {
+      "common_name": "example.com",
+      "ttl": "87600h"
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: ..." \
+            --request POST \
+            --data @payload.json \
+            https://127.0.0.1:8200/v1/pki/root/generate/internal \
+            | jq -r ".data.certificate" > CA_cert.crt
+    ```
+
+    This generates a new self-signed CA certificate and private key. Vault will
+    _automatically_ revoke the generated root at the end of its lease period
+    (TTL); the CA certificate will sign its own Certificate Revocation List
+    (CRL).
+
+1.  Configure the CA and CRL URLs:
+
+    ```plaintext
+    $ tee payload-url.json <<EOF
+    {
+      "issuing_certificates": "http://127.0.0.1:8200/v1/pki/ca",
+      "crl_distribution_points": "http://127.0.0.1:8200/v1/pki/crl"
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: ..." \
+           --request POST \
+           --data @payload-url.json \
+           https://127.0.0.1:8200/v1/pki/config/urls
+    ```
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
+then login.
+
+1. Select **Enable new engine**.
+1. Select **PKI** from the **Secrets engine type** drop-down list.
+1. Click **More options** to expand and set the **Maximum lease TTL** to **`87600 hours`**.
+1. Click **Enable Engine**.
+1. Select **Configure**.
+1. Click **Configure CA**.
+1. Leave **CA Type** as **root**, and **Type** to be **internal**. Enter
+   **`example.com`** in the **Common Name** field.
+1. Select **Options** and then set **TTL** field to be **87600 hours**.
+1. Click **Save**.
+1. Click **Copy Certificate** and save it in a file named, **`CA_cert.crt`**.
+1. Click the **URLs** tab, and then set:
+   - Issuing certificates: `http://127.0.0.1:8200/v1/pki/ca`
+   - CRL Distribution Points: `http://127.0.0.1:8200/v1/pki/crl`
+     ![Configure URL](/img/vault-pki-1.png)
+1. Click **Save**.
+
+<br />
+
+-> **NOTE:** To examine the generated root certificate, you can use
+[OpenSSL](https://www.openssl.org/source/).
+
+```shell
+# Print the certificate in text form
+$ openssl x509 -in CA_cert.crt -text
+
+# Print the validity dates
+$ openssl x509 -in CA_cert.crt -noout -dates
+```
+
+### <a name="step2"></a>Step 2: Generate Intermediate CA
+
+Now, you are going to create an intermediate CA using the root CA you regenerate
+in the previous step.
+
+#### CLI Command
+
+1.  First, enable the `pki` secrets engine at **`pki_int`** path:
+
+    ```plaintext
+    $ vault secrets enable -path=pki_int pki
+    ```
+
+1.  Tune the `pki_int` secrets engine to issue certificates with a maximum
+    time-to-live (TTL) of 43800 hours.
+
+    ```plaintext
+    $ vault secrets tune -max-lease-ttl=43800h pki_int
+    ```
+
+1.  Execute the following command to generate an intermediate and save the CSR as
+    `pki_intermediate.csr`:
+
+    ```plaintext
+    $ vault write -format=json pki_int/intermediate/generate/internal \
+            common_name="example.com Intermediate Authority" ttl="43800h" \
+            | jq -r '.data.csr' > pki_intermediate.csr
+    ```
+
+1.  Sign the intermediate certificate with the root certificate and save the
+    generated certificate as `intermediate.cert.pem`:
+
+    ```plaintext
+    $ vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
+            format=pem_bundle ttl="43800h" \
+            | jq -r '.data.certificate' > intermediate.cert.pem
+    ```
+
+1.  Once the CSR is signed and the root CA returns a certificate, it can be
+    imported back into Vault:
+
+    ```plaintext
+    $ vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
+    ```
+
+#### API call using cURL
+
+1.  First, enable the `pki` secrets engine at **`pki_int`** path:
+
+    **Example:**
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: ..." \
+           --request POST \
+           --data '{"type":"pki"}' \
+           https://127.0.0.1:8200/v1/sys/mounts/pki_int
+    ```
+
+1.  Tune the `pki_int` secrets engine to issue certificates with a maximum
+    time-to-live (TTL) of 43800 hours.
+
+    ```plaintext
+    $ curl --header "X-Vault-Token: ..." \
+            --request POST \
+            --data '{"max_lease_ttl":"43800h"}' \
+            https://127.0.0.1:8200/v1/sys/mounts/pki_int/tune
+    ```
+
+1.  Generate an intermediate using the `/pki_int/intermediate/generate/internal`
+    endpoint.
+
+    ```plaintext
+    $ tee payload-int.json <<EOF
+    {
+      "common_name": "example.com Intermediate Authority",
+      "ttl": "43800h"
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: ..." \
+            --request POST \
+            --data @payload-int.json \
+            https://127.0.0.1:8200/v1/pki_int/intermediate/generate/internal | jq
+    ```
+
+    Copy the generated CSR.
+
+1.  Sign the intermediate certificate with the root certificate and save the
+    certificate as `intermediate.cert.pem`.
+
+    -> **NOTE:** The API request payload should contain the CSR you obtained.
+
+    ```plaintext
+    $ tee payload-int-cert.json <<EOF
+    {
+      "csr": "...",
+      "format": "pem_bundle",
+      "ttl": "43800h"
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: ..." \
+            --request POST \
+            --data @payload-int-cert.json \
+            https://127.0.0.1:8200/v1/pki/root/sign-intermediate | jq
+    ```
+
+    > **NOTE:** The **`format`** in the payload specifies the format of the
+    > returned data. When `pem_bundle`, the certificate field will contain the
+    > certificate.
+
+    Copy the generated certificate.
+
+1.  Once the CSR is signed and the root CA returns a certificate, it can be
+    imported back into Vault using the `/pki_int/intermediate/set-signed` endpoint.
+
+    -> **NOTE:** The API request payload should contain the certificate you
+    obtained.
+
+    ```plaintext
+    $ tee payload-signed.json <<EOF
+    {
+      "certificate": "..."
+    }
+    EOF
+
+    $ curl --header "X-Vault-Token: ..." \
+            --request POST \
+            --data @payload-signed.json \
+            https://127.0.0.1:8200/v1/pki_int/intermediate/set-signed
+    ```
+
+#### Web UI
+
+1. Select **Enable new engine** in the **Secrets** tab.
+1. Select **PKI** from the **Secrets engine type** drop-down list.
+1. Enter **`pki_int`** in the **Path** field.
+1. Click **More options** to expand and set the **Maximum lease TTL** to **`43800 hours`**.
+1. Click **Enable Engine**.
+1. Select **Configure**.
+1. Click **Configure CA**.
+1. Select **intermediate** from **CA Type** drop-down list.
+1. Enter **`example.com Intermediate Authority`** in the **Common Name** field.
+1. Enter **`43800`** in the **TTL** field, choose **`hours`** and then click **Save**.
+1. Click **Copy CSR** and save it in a file, `pki_intermediate.csr`.
+1. Select **pki** from the **Secrets** tab to return to the root CA.
+1. Select **Configure** and then click **Sign intermediate**.
+1. Paste in the CSR in the **Certificate Signing Request (CSR)** field.
+1. Enter **`example.com`** in the **Common Name**.
+1. Select **pem_bundle** from the **Format** drop-down list, and then click
+   **Save**.
+1. Click **Copy Certificate** and save the generated certificate in a file, `intermediate.cert.pem`.
+1. Select **pki_int** from the **Secrets** tab to return to the intermediate CA.
+1. Select **Configure** and then click **Set signed intermediate**.
+1. Paste in the certificate in the **Signed Intermediate Certificate** field and
+   then click **Save**.
+
+### <a name="step3"></a>Step 3: Create a Role
+
+A role is a logical name that maps to a policy used to generate those
+credentials. It allows [configuration
+parameters](/api/secret/pki/index.html#create-update-role) to control
+certificate common names, alternate names, the key usages that they are valid
+for, and more.
+
+Calling out some of the parameters:
+
+- **`allowed_domains`** - specifies the domains of the role (used with
+  `allow_bare_domains` and `allow-subdomains` options)
+- **`allow_bare_domains`** - specifies if clients can request certificates
+  matching the value of the actual domains themselves
+- **`allow_subdomains`** - specifies if clients can request certificates with
+  CNs that are subdomains of the CNs allowed by the other role options (NOTE: This
+  includes wildcard subdomains.)
+- **`allow_glob_domains`** - allows names specified in allowed_domains to
+  contain glob patterns (e.g. ftp\*.example.com)
+
+In this step, you are going to create a role named, **`example-dot-com`**.
+
+#### CLI Command
+
+Create a role named **`example-dot-com`** which allows subdomains.
+
+```plaintext
+$ vault write pki_int/roles/example-dot-com \
+        allowed_domains="example.com" \
+        allow_subdomains=true \
+        max_ttl="720h"
+```
+
+#### API call using cURL
+
+Create a role named **`example-dot-com`** which allows subdomains.
+
+```plaintext
+$ tee payload-role.json <<EOF
+{
+  "allowed_domains": "example.com",
+  "allow_subdomains": true,
+  "max_ttl": "720h"
+}
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload-role.json \
+       https://127.0.0.1:8200/v1/pki_int/roles/example-dot-com
+```
+
+#### Web UI
+
+Create a role named **`example-dot-com`** which allows subdomains.
+
+1. Click **pki_int** and then select **Create role**.
+1. Enter **`example-dot-com`** in the **Role name** field.
+1. Select **Options** to expand, and then set the **Max TTL** to **`43800 hours`**. Select **Hide Options**.
+1. Select **Domain Handling** to expand, and then select the **Allow
+   subdomains** check-box. Enter **`example.com`** in the **Allowed domains**
+   field.
+   ![Create Role](/img/vault-pki-2.png)
+1. Click **Create role**.
+
+### <a name="step4"></a>Step 4: Request Certificates
+
+Keep certificate lifetimes to be short to align with Vault's philosophy of
+short-lived secrets.
+
+#### CLI Command
+
+Execute the following command to request a new certificate for `test.example.com`
+domain based on the `example-dot-com` role:
+
+```plaintext
+$ vault write pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"
+
+Key                 Value
+---                 -----
+certificate         -----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIUTQABMCAsXjG6ExFTX8201xKVH4IwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tMB4XDTE4MDcyNDIxMTMxOVoX
+             ...
+
+-----END CERTIFICATE-----
+issuing_ca          -----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgIUbMYp39mdj7dKX033ZjK18rx05x8wDQYJKoZIhvcNAQEL
+             ...
+
+-----END CERTIFICATE-----
+private_key         -----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAte1fqy2Ekj+EFqKV6N5QJlBgMo/U4IIxwLZI6a87yAC/rDhm
+W58liadXrwjzRgWeqVOoCRr/B5JnRLbyIKBVp6MMFwZVkynEPzDmy0ynuomSfJkM
+             ...
+
+-----END RSA PRIVATE KEY-----
+private_key_type    rsa
+serial_number       4d:00:01:30:20:2c:5e:31:ba:13:11:53:5f:cd:b4:d7:12:95:1f:82
+```
+
+The response contains the PEM-encoded private key, key type and certificate
+serial number.
+
+#### API call using cURL
+
+Invoke the **`/pki_int/issue/<role_name>`** endpoint to request a new certificate.
+
+**Example:**
+
+Request a certificate for `test.example.com` domain based on the
+`example-dot-com` role:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"common_name": "test.example.com", "ttl": "24h"}' \
+       https://127.0.0.1:8200/v1/pki_int/issue/example-dot-com | jq
+{
+ "request_id": "6fa8d77d-0758-33ae-b5ea-8b3d15014fd1",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": {
+   "certificate": "-----BEGIN CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUG7H0Pzpqm+...-----END CERTIFICATE-----",
+   "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDNTCCAh2gAwIBAgIUQhIX9D...-----END CERTIFICATE-----",
+   "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAr6IsROOW5...-----END RSA PRIVATE KEY-----",
+   "private_key_type": "rsa",
+   "serial_number": "1b:b1:f4:3f:3a:6a:9b:e8:33:af:f7:1b:b1:4d:57:7f:65:65:39:c1"
+ },
+ "wrap_info": null,
+ "warnings": null,
+ "auth": null
+}
+```
+
+The response contains the PEM-encoded private key, key type and certificate
+serial number.
+
+#### Web UI
+
+1. Select **Secrets**.
+1. Select **pki_int** from the **Secrets Engines** list.
+1. Select **example-dot-com** under **Roles**.
+1. Enter **`test.example.com`** in the **Common Name** field.
+1. Select **Options** to expand, and then set the **TTL** to **`24 hours`**.
+1. Select **Hide Options** and then click **Generate**.
+   ![Issue Certificate](/img/vault-pki-3.png)
+
+   > The response contains the PEM-encoded private key, key type and certificate
+   > serial number.
+
+1. Click **Copy credentials** and save it in a file.
+
+<br />
+
+-> **NOTE:** A certificate can be rotated at any time by simply issuing a new
+certificate with the same CN.
+
+### <a name="step5"></a>Step 5: Revoke Certificates
+
+If a certificate must be revoked, you can easily perform the revocation action
+which will cause the CRL to be regenerated. When the CRL is regenerated, any
+expired certificates are removed from the CRL.
+
+#### CLI Command
+
+In a certain circumstances, you may wish to revoke an issued certificate.
+
+To revoke:
+
+```plaintext
+$ vault write pki_int/revoke serial_number=<serial_number>
+```
+
+**Example:**
+
+```plaintext
+$ vault write pki_int/revoke serial_number="48:97:82:dd:f0:d3:d9:7e:53:25:ba:fd:f6:77:3e:89:e5:65:cc:e7"
+Key                        Value
+---                        -----
+revocation_time            1532539632
+revocation_time_rfc3339    2018-07-25T17:27:12.165206399Z
+```
+
+#### API call using cURL
+
+Invoke the **`/pki_int/revoke`** endpoint to invoke a certificate using its
+serial number.
+
+**Example:**
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"serial_number": "48:97:82:dd:f0:d3:d9:7e:53:25:ba:fd:f6:77:3e:89:e5:65:cc:e7"}' \
+       https://127.0.0.1:8200/v1/pki_int/revoke
+```
+
+#### Web UI
+
+1. Select **Secrets**.
+1. Select **pki_int** from the **Secrets Engines** list.
+1. Select the **eCertificates** tab.
+1. Select the serial number for the certificate you wish to revoke.
+1. Click **Revoke**. At the confirmation, click **Revoke** again.
+
+### <a name="step6"></a>Step 6: Remove Expired Certificates
+
+Keep the storage backend and CRL by periodically removing certificates that have
+expired and are past a certain buffer period beyond their expiration time.
+
+#### CLI Command
+
+To remove revoked certificate and clean the CRL.
+
+```plaintext
+$ vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
+```
+
+#### API call using cURL
+
+Invoke the **`/pki_int/tidy`** endpoint to remove revoked certificate and clean
+the CRL.
+
+**Example:**
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"tidy_cert_store": true, "tidy_revoked_certs": true}' \
+       https://127.0.0.1:8200/v1/pki_int/tidy
+```
+
+#### Web UI
+
+1. Select **Secrets**.
+1. Select **pki_int** from the **Secrets Engines** list.
+1. Select **Configure**.
+1. Select the **Tidy** tab.
+1. Select the check-box for **Tidy the Certificate Store** and **Tidy the Revocation List (CRL)**.
+1. Click **Save**.
+
+## Next steps
+
+Check out the [Streamline Certificate Management with HashiCorp
+Vault](https://www.hashicorp.com/resources/streamline-certificate-management-with-vault)
+webinar recording.
diff --git a/website/pages/guides/secret-mgmt/ssh-otp.mdx b/website/pages/guides/secret-mgmt/ssh-otp.mdx
new file mode 100644
index 000000000000..8b57a2ae3921
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/ssh-otp.mdx
@@ -0,0 +1,423 @@
+---
+layout: guides
+page_title: One-Time SSH Password - Guides
+sidebar_title: One-Time SSH Password
+description: |-
+  The one-time SSH password secrets engine allows Vault to issue a one-time
+  password (OTP) every time a client wants to SSH into a remote host using a
+  helper command on the remote host to perform verification.
+---
+
+# Vault SSH Secrets Engine: One-Time SSH Password
+
+In a distributed cloud environment, tenant and system is increasingly
+important part of the online security. If an attacker gains access to your
+virtual machines, they can get control of most running applications, local data
+as well as its connected machines and systems.
+
+The Vault SSH secrets engine provides secure authentication and authorization
+for access to machines via the SSH protocol. It supports [signed SSH
+certificate](/docs/secrets/ssh/signed-ssh-certificates.html) and one-time SSH
+password modes. This guide demonstrates the one-time SSH password mode.
+
+## Reference Material
+
+- [One-Time SSH Passwords](/docs/secrets/ssh/one-time-ssh-passwords.html)
+- [SSH Secrets Engine (API)](/api/secret/ssh/index.html)
+- [Vault SSH Helper](https://github.com/hashicorp/vault-ssh-helper)
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves two personas:
+
+- **`operations`** with privileged permissions to setup SSH secrets engine
+- **`client`** trusted entity to request SSH OTP from Vault
+
+## Challenge
+
+By default, SSH servers use password authentication with optional public key
+authentication. If any user on the system has a fairly weak password, this
+allows an attacker to hijack the SSH connection.
+
+## Solution
+
+Vault can create a one-time password (OTP) for SSH authentication on a network
+every time a client wants to SSH into a remote host using a helper command on
+the remote host to perform verification.
+
+![SSH OTP Workflow](/img/vault-ssh-otp-1.png)
+
+An authenticated client requests an OTP from the Vault server. If the client is
+authorized, Vault issues and returns an OTP. The client uses this OTP during the
+SSH authentication to connect to the desired target host.
+
+When the client establishes an SSH connection, the OTP is received by the
+**_Vault helper_** which validates the OTP with the Vault server. The Vault
+server then deletes this OTP, ensuring that it is **only used once**.
+
+~> Since the Vault server is contacted during SSH connection establishment, every
+login attempt and the correlating Vault lease information is logged to the audit
+secrets engine.
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault.
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for
+initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# To view in Web UI
+path "sys/mounts" {
+  capabilities = [ "read", "update" ]
+}
+
+# To configure the SSH secrets engine
+path "ssh/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# To enable secret engines
+path "sys/mounts/*" {
+  capabilities = [ "create", "read", "update", "delete" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+You will perform the following:
+
+1. [Install vault-ssh-helper](#step1)
+1. [Setup the SSH Secrets Engine](#step2)
+1. [Request an OTP](#step3)
+1. [Establish an SSH session](#step4)
+
+### <a name="step1"></a>Step 1: Install vault-ssh-helper
+
+(**Persona:** operations)
+
+The SSH secrets engine uses [Vault SSH
+Helper](https://github.com/hashicorp/vault-ssh-helper) to verify the OTP used
+during the SSH authentication. Therefore, the helper agent must be installed
+onto every **_target host_**.
+
+1.  Download and install the latest version of `vault-ssh-helper` from
+    [releases.hashicorp.com](https://releases.hashicorp.com/vault-ssh-helper).
+
+    **Example:**
+
+    ```shell
+    # Download the vault-ssh-helper
+    $ wget https://releases.hashicorp.com/vault-ssh-helper/0.1.4/vault-ssh-helper_0.1.4_linux_amd64.zip
+
+    # Unzip the vault-ssh-helper in /user/local/bin
+    $ sudo unzip -q vault-ssh-helper_0.1.4_linux_amd64.zip -d /usr/local/bin
+
+    # Make sure that vault-ssh-helper is executable
+    $ sudo chmod 0755 /usr/local/bin/vault-ssh-helper
+
+    # Set the usr and group of vault-ssh-helper to root
+    $ sudo chown root:root /usr/local/bin/vault-ssh-helper
+    ```
+
+1.  Create a Vault SSH Helper configuration file,
+    **`/etc/vault-ssh-helper.d/config.hcl`**.
+
+    ```hcl
+    vault_addr = "<VAULT_ADDRESS>"
+    ssh_mount_point = "ssh"
+    ca_cert = "/etc/vault-ssh-helper.d/vault.crt"
+    tls_skip_verify = false
+    allowed_roles = "*"
+    ```
+
+    Where the **`<VAULT_ADDRESS>`** is the address of the Vault server generating the OTP.
+
+    **Example:**
+
+    ```hcl
+    vault_addr = "https://198.51.100.10:8200"
+    ssh_mount_point = "ssh"
+    ca_cert = "/etc/vault-ssh-helper.d/vault.crt"
+    tls_skip_verify = false
+    allowed_roles = "*"
+    ```
+
+    > Refer to the [documentation](https://github.com/hashicorp/vault-ssh-helper#vault-ssh-helper-configuration)
+    > for the entire list of configuration properties.
+
+1.  Modify the **`/etc/pam.d/sshd`** file as follows:
+
+    ```shell
+    # PAM configuration for the Secure Shell service
+
+    # Standard Un*x authentication.
+    #@include common-auth
+    auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
+    auth optional pam_unix.so not_set_pass use_first_pass nodelay
+
+    ...
+    ```
+
+    **NOTE:** `common-auth` is the standard Linux authentication module which is
+    commented out in favor of using our custom configuration.
+
+    > Refer to the
+    > [documentation](https://github.com/hashicorp/vault-ssh-helper#pam-configuration)
+    > for details about these parameter settings.
+
+1.  Modify the **`/etc/ssh/sshd_config`** file.
+
+    ```plaintext
+    ChallengeResponseAuthentication yes
+    PasswordAuthentication no
+    UsePAM yes
+    ```
+
+    This enables the keyboard-interactive authentication and PAM authentication
+    modules. The password authentication is disabled.
+
+1.  Restart the SSH service:
+
+    ```plaintext
+    $ sudo systemctl restart sshd
+    ```
+
+~> This step must be performed on **all** target hosts that you wish to connect
+using the Vault's one-time SSH password.
+
+### <a name="step2"></a>Step 2: Setup the SSH Secrets Engine
+
+(**Persona:** operations)
+
+On the **_Vault server_**, you must enable the SSH secrets engine before you can
+perform the operation. Then you are going to create a role named,
+`otp_key_role`.
+
+#### CLI command
+
+First, enable the SSH secrets engine.
+
+```plaintext
+$ vault secrets enable ssh
+```
+
+Next, create a role.
+
+```plaintext
+$ vault write ssh/roles/otp_key_role key_type=otp \
+        default_user=ubuntu \
+        cidr_list=0.0.0.0/0
+```
+
+This creates `otp_key_role` with `ubuntu` as its default username for which a
+credential will be generated.
+
+#### API call using cURL
+
+Enable `ssh` secret engine using `/sys/mounts` endpoint:
+
+```plaintext
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data <PARAMETERS> \
+       <VAULT_ADDRESS>/v1/sys/mounts/<PATH>
+```
+
+Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
+parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
+
+**Example:**
+
+The following example enables SSH secret engine at `sys/mounts/ssh`
+path, and passed the secret engine type (`ssh`) in the request payload.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type":"ssh"}' \
+       https://127.0.0.1:8200/v1/sys/mounts/ssh
+```
+
+Now, create a role using the `ssh/roles/otp_key_role` endpoint.
+
+```plaintext
+$ tee payload.json <<EOF
+{
+  "key_type": "otp",
+  "default_user": "ubuntu",
+  "cidr_list": "0.0.0.0/0"
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json
+       https://127.0.0.1:8200/v1/ssh/roles/otp_key_role
+```
+
+This creates `otp_key_role` with `ubuntu` as its default username for which a
+credential will be generated.
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g. `http://127.0.0.1:8200/ui`) and
+then login.
+
+1. Select **Enable new engine** and select **SSH** from **Secrets engine type**
+   drop-down list.
+
+1. Click **Enable Engine**.
+
+1. Select **Create role**.
+
+1. Enter **`otp_key_role`** in the **Role name** field, select **otp** from the
+   **Key type** drop-down list, and then enter **`ubuntu`** in the **Default user**
+   field.
+
+1. Select **More options** to expand the optional parameter fields, and then
+   enter **`0.0.0.0/0`** in the **CIDR list** field.
+
+   ![Create Role](/img/vault-ssh-otp-2.png)
+
+1. Click **Create role**.
+
+<br />
+
+~> **NOTE:** Its recommended to create individual roles for each username to
+ensure absolute isolation between usernames. This is required for Dynamic Key
+type and OTP type. For the purpose of this guide, the **`cidr_list`** will be
+set to `0.0.0.0/0`. For production, be sure to set this parameter to be as
+granular as you can since there is no need to keep this role open to the world.
+
+### <a name="step3"></a>Step 3: Request an OTP
+
+(**Persona:** client)
+
+The client must have the following permission to request an OTP for
+`otp_key_role`.
+
+```hcl
+path "ssh/creds/otp_key_role" {
+  capabilities = [ "update" ]
+}
+```
+
+#### CLI command
+
+To generate an OTP credential for an IP of the remote host belongs to the
+`otp_key_role`:
+
+```plaintext
+$ vault write ssh/creds/otp_key_role ip=<REMOTE_HOST_IP>
+```
+
+**Example:**
+
+```plaintext
+$ vault write ssh/creds/otp_key_role ip=192.0.2.10
+Key                Value
+---                -----
+lease_id           ssh/creds/otp_key_role/234bb081-d22e-3762-3ae5-744110ea4d0a
+lease_duration     768h
+lease_renewable    false
+ip                 192.0.2.10
+key                f1cb47ad-6255-0be8-6bd8-5c4b3b01c8df
+key_type           otp
+port               22
+username           ubuntu
+```
+
+The **`key`** value is the OTP to use during SSH authentication.
+
+#### API call using cURL
+
+To generate an OTP credential for an IP of the remote host belongs to the
+`otp_key_role`:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"ip": "<REMOTE_HOST_IP>"}'
+       https://127.0.0.1:8200/v1/ssh/creds/otp_key_role
+```
+
+**Example:**
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"ip": "192.0.2.10"}'
+       https://127.0.0.1:8200/v1/ssh/creds/otp_key_role  | jq
+{
+   "request_id": "83327e6b-cffb-ce77-c4e1-74a60dd69436",
+   "lease_id": "ssh/creds/otp_key_role/aebd080e-51a1-0fc6-ef5c-1e1c95ca729a",
+   "renewable": false,
+   "lease_duration": 2764800,
+   "data": {
+     "ip": "192.0.20.10",
+     "key": "6e472878-721a-b066-2cec-1bed0127ad44",
+     "key_type": "otp",
+     "port": 22,
+     "username": "ubuntu"
+   },
+   ...
+}
+```
+
+The **`key`** value is the OTP to use during SSH authentication.
+
+#### Web UI
+
+To generate an OTP credential for an IP of the remote host belongs to the
+`otp_key_role`:
+
+1. Select **`ssh`** under **Secrets Engines**.
+
+1. Select **otp_key_role** and enter **`ubuntu`** in the **Username** field, and
+   enter the target host's IP address (e.g. `192.0.2.10`) in the **IP Address**
+   field.
+
+1. Click **Generate**.
+
+1. Click **Copy credentials**. This copies the OTP (`key` value).
+
+### <a name="step4"></a>Step 4: Establish an SSH session
+
+Simply, use the OTP generated at [Step 3](#step3) to authenticate:
+
+```plaintext
+$ ssh ubuntu@192.0.2.10
+Password: <Enter OTP>
+```
+
+**NOTE:** If [`sshpass`](https://gist.github.com/arunoda/7790979) is installed,
+you can create a new OTP and SSH into the target host with single line of CLI
+command:
+
+```plaintext
+$ vault ssh -role otp_key_role -mode otp -strict-host-key-checking=no ubuntu@192.0.2.10
+```
+
+## Next steps
+
+Read the [Signed SSH
+Certificates](/docs/secrets/ssh/signed-ssh-certificates.html) documentation if
+you want to use signed SSH certificate so that the clients can use their local
+SSH keys to connect to the target hosts.
diff --git a/website/pages/guides/secret-mgmt/static-secrets.mdx b/website/pages/guides/secret-mgmt/static-secrets.mdx
new file mode 100644
index 000000000000..2dba5c094821
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/static-secrets.mdx
@@ -0,0 +1,634 @@
+---
+layout: guides
+page_title: Static Secrets - Guides
+sidebar_title: Static Secrets
+description: |-
+  Vault supports generating new unseal keys as well as rotating the underlying
+  encryption keys. This guide covers rekeying and rotating Vault's encryption
+  keys.
+---
+
+# Static Secrets - Key/Value Secret Engine
+
+Vault can be used to store any secret in a secure manner. The secrets may be
+SSL certificates and keys for your organization's domain, credentials to connect
+to a corporate database server, etc. Storing such sensitive information in
+plaintext is not desirable. This guide demonstrates the use case of Vault as a
+Secret Storage.
+
+## Reference Material
+
+- [Key/Value Secret Engine](/docs/secrets/kv/index.html)
+- [Key/Value Secret Engine API](/api/secret/kv/index.html)
+- [Client libraries](/api/libraries.html) for Vault API for commonly used languages
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Personas
+
+The end-to-end scenario described in this guide involves two personas:
+
+- **`devops`** with privileged permissions to write secrets
+- **`apps`** reads the secrets from Vault
+
+## Challenge
+
+Consider the following situations:
+
+- Developers use a single admin account to access a third-party app
+  (e.g. Splunk) and anyone who knows the user ID and password can log in as an
+  admin
+- SSH keys to connect to remote machines are shared and stored as a plaintext
+- API keys to invoke external system APIs are stored as a plaintext
+- An app integrates with LDAP, and its configuration information is in a
+  plaintext
+
+Organizations often seek an uniform workflow to securely store this sensitive
+information.
+
+## Solution
+
+Vault as centralized secret storage to secure any sensitive information. Vault
+encrypts these secrets using 256-bit AES in GCM mode with a randomly generated
+nonce prior to writing them to its persistent storage. The storage backend never
+sees the unencrypted value, so gaining access to the raw storage isn't enough to
+access your secrets.
+
+~> **NOTE:** This guide demonstrates secret management using [v2 of the KV
+secret engine](/docs/secrets/kv/kv-v2.html).
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for just
+enough initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# Write and manage secrets in key/value secret engine
+path "secret/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Create policies to permit apps to read secrets
+path "sys/policy/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Create tokens for verification & test
+path "auth/token/create" {
+  capabilities = [ "create", "update", "sudo" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+This guide demonstrates the basic steps to store secrets using Vault. The
+scenario here is to store the following secrets:
+
+- API key (Google API)
+- Root certificate of a production database (MySQL)
+
+To store your API key within the configured physical storage for Vault, use the
+**key/value** secret engine via **`secret/`** prefixed path.
+
+-> Key/Value secret engine passes through any operation back to the configured
+storage backend for Vault. For example, if your Vault server is configured with
+Consul as its storage backend, a "read" operation turns into a read from Consul
+at the same path.
+
+You will perform the following:
+
+1. [Enable KV Secret Engine v2](#step1)
+1. [Store the Google API key](#step2)
+1. [Store the root certificate for MySQL](#step3)
+1. [Generate a token for apps](#step4)
+1. [Retrieve the secrets](#step5)
+
+![Personas Introduction](/img/vault-static-secrets.png)
+
+Step 1 through 4 are performed by `devops` persona. Step 5 describes the
+commands that `apps` persona runs to read secrets from Vault.
+
+### <a name="step1"></a>Step 1: Enable KV Secret Engine v2
+
+(**Persona:** devops)
+
+Currently, when you start the Vault server in [**dev
+mode**](/intro/getting-started/dev-server.html#starting-the-dev-server), it
+automatically enables **v2** of the KV secret engine at **`secret/`**. If you
+start the Vault server in non-dev mode, the default is v1.
+
+If you are running the server in **dev** mode, skip to [Step 2](#step2).
+Otherwise, you must perform one of the following:
+
+- Option 1: Upgrade the v1 of KV secret engine to v2
+- Option 2: Enable the KV secret engine v2 at a different path
+
+#### CLI command
+
+Option 1: To upgrade from **v1** to **v2**:
+
+```plaintext
+$ vault kv enable-versioning secret/
+```
+
+Option 2: To enable the KV secret engine v2 at **`secret_v2/`**:
+
+```plaintext
+$ vault secrets enable -path=secret_v2/ kv-v2
+```
+
+Or
+
+```plaintext
+$ vault secrets enable -path=secret_v2/ -version=2 kv
+```
+
+#### API call using cURL
+
+Option 1: To upgrade from **v1** to **v2**:
+
+```plaintext
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data @payload.json \
+       <VAULT_ADDRESS>/v1/sys/mounts/secret/tune
+```
+
+Where `<TOKEN>` is your valid token, and `<VAULT_ADDRESS>` is where your vault
+server is running. The `payload.json` includes the version information.
+
+**Example:**
+
+```plaintext
+$ cat payload.json
+{
+  "options": {
+      "version": "2"
+  }
+}
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/sys/mounts/secret/tune
+```
+
+Option 2: To enable the KV secret engine v2 at **`secret_v2/`**:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{"type":"kv-v2"}' \
+       https://127.0.0.1:8200/v1/sys/mounts/secret_v2
+```
+
+~> **NOTE:** This guide assumes that you are working with KV secret engine
+**v2** which is mounted at **`secret/`**.
+
+### <a name="step2"></a>Step 2: Store the Google API key
+
+(**Persona:** devops)
+
+Everything after the **`secret/`** path is a key-value pair to write to the
+secret engine. You can specify multiple values. If the value has a space, you
+need to surround it with quotes. Having keys with spaces is permitted, but
+strongly discouraged because it can lead to unexpected client-side behavior.
+
+Let's assume that the path convention in your organization is
+**`secret/<OWNER>/apikey/<APP>`** for API keys. To store the Google API key used
+by the engineering team, the path would be `secret/eng/apikey/Google`. If you
+have an API key for New Relic owned by the DevOps team, the path would look like
+`secret/devops/apikey/New_Relic`.
+
+#### CLI command
+
+To create key/value secrets:
+
+```plaintext
+$ vault kv put secret/<PATH> <KEY>=VALUE>
+```
+
+The `<PATH>` can be anything you want it to be, and your organization should
+decide on the naming convention that makes most sense.
+
+**Example:**
+
+```plaintext
+$ vault kv put secret/eng/apikey/Google key=AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI
+Success! Data written to: secret/eng/apikey/Google
+```
+
+The secret key is "key" and its value is "AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI" in
+this example.
+
+#### API call using cURL
+
+Use `/secret/data/<PATH>` endpoint to create secrets:
+
+```plaintext
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       --request POST \
+       --data @payload.json \
+       <VAULT_ADDRESS>/v1/secret/data/<PATH>
+```
+
+Where `<TOKEN>` is your valid token, and `secret/data/<PATH>` is the path to
+your secrets. The [`payload.json`](/api/secret/kv/kv-v2.html#parameters-2)
+contains the parameters to invoke the endpoint.
+
+**Example:**
+
+```plaintext
+$ tee payload.json <<EOF
+{
+  "data": {
+    "key": "AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI"
+  }
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/secret/data/eng/apikey/Google
+```
+
+The secret key is "key" and its value is
+"AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI" in this example.
+
+### <a name="step3"></a>Step 3: Store the root certificate for MySQL
+
+(**Persona:** devops)
+
+For the purpose of this guide, generate a new self-sign certificate using
+[OpenSSL](https://www.openssl.org/source/).
+
+```plaintext
+$ openssl req --request509 -sha256 -nodes -newkey rsa:2048 -keyout selfsigned.key -out cert.pem
+```
+
+Generated `cert.pem` file:
+
+```plaintext
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjICCQC47CQCg4u0kDANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFDASBgNVBAMM
+C2V4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkBFg5tZUBleGFtcGxlLmNvbTAeFw0x
+ODAxMTcwMTMzNThaFw0xODAyMTYwMTMzNThaMGcxCzAJBgNVBAYTAlVTMQswCQYD
+VQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEUMBIGA1UEAwwLZXhhbXBs
+ZS5jb20xHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1cPTXpnOeUXU4tgblNLSS2rcA7eIqzc6gnMY
+Sh76WxOaN8VncyJw89/28QYOSYeWRn4fYywbPhHpFmrY6+1gW/8y0+Yoj7TL2Mvs
+5m1ZH9eOS6kcnnX/lr+HCfJpTHokKk/Vxr0/p6agkdZq0OYMPAmiuw1M4afd5abm
+8s5R99b4DgQyNvRYJp+JMddz2cM8t2AKQH4rq2NEf/GBHqHpHKmaxTyX5Rh7zg/g
+WJQ/DjxUVLpbRy+soiUJTZzamrO0iu9fcww+1Q4TZsMWizA4ChQFI7uegKkZ2Alv
+SNItsv01FQH3IB7pNWuna3IXXY789R0Qp0Ha5ScryVc9syg4cQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQBtUcuwL0rS/uhk4v53ALF+ryRoLF93wT+O9KOvK15Pi1dX
+oZ9yxu5GOGi59womsrDs1vNrBuIQNVQ69dbUYu1LkhgQGDUWQb8JpCp++WHWTIeP
+YTJ5C/Q1B3rXeQrVWPvO0bMCig+/G5DGtzZmKWMQGHhfOvSwrkA58YAwjC+rqexl
+skA+hQ2JiU4bzIxvlPLBOUA/p+TgUKtdzPY3lxyDO2p7+8ZD56B0PoW87zNJYRcu
+VdSr7er8UkUr5nVjcw/6MJeptmx6QaiHgTUSFf2HjFfzsBa/IY1VGr/8bOII+IFN
+iYQTLBNG0/q/PZGeMX/RHxmCzZz/7wE0CDPMLbyf
+-----END CERTIFICATE-----
+```
+
+**NOTE:** If you don't have OpenSSL, simply copy the above certificate and
+save it as `cert.pem`.
+
+#### CLI command
+
+The command is basically the same as the Google API key example. Now, the path
+convention for certificates is **`secret/<ENVIRONMENT>/cert/<SYSTEM>`**. To
+store the root certificate for production MySQL, the path becomes
+`secret/prod/cert/mysql`.
+
+**Example:**
+
+```plaintext
+$ vault kv put secret/prod/cert/mysql cert=@cert.pem
+```
+
+This example reads the root certificate from a PEM file from the disk, and store
+it under `secret/prod/cert/mysql` path.
+
+> **NOTE:** Any value begins with "@" is loaded from a file.
+
+#### API call using cURL
+
+To perform the same task using the Vault API, pass the token in the request header.
+
+**Example:**
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @cert.pem \
+       http://127.0.0.1:8200/v1/secret/data/prod/cert/mysql
+```
+
+> **NOTE:** Any value begins with "@" is loaded from a file.
+
+### <a name="step4"></a>Step 4: Generate a token for apps
+
+(**Persona:** devops)
+
+To read the secrets, `apps` persona needs "read" permit on those secret engine
+paths. In this scenario, the `apps` policy must include the following:
+
+**Example:** `apps-policy.hcl`
+
+```shell
+# Read-only permit
+path "secret/data/eng/apikey/Google" {
+  capabilities = [ "read" ]
+}
+
+# Read-only permit
+path "secret/data/prod/cert/mysql" {
+  capabilities = [ "read" ]
+}
+```
+
+#### CLI command
+
+First create `apps` policy, and generate a token so that you can authenticate
+as an `apps` persona, and read the secrets.
+
+```shell
+# Create "apps" policy
+$ vault policy write apps apps-policy.hcl
+Policy 'apps' written.
+
+# Create a new token with app policy
+$ vault token create -policy="apps"
+Key            	Value
+---            	-----
+token          	e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
+token_accessor 	54700b7e--data828-a6c4-6141-96e71e002bd7
+token_duration 	768h0m0s
+token_renewable	true
+token_policies 	[apps default]
+```
+
+Now, `apps` can use this token to read the secrets.
+
+#### API call using cURL
+
+First create an `apps` policy, and generate a token so that you can authenticate
+as an `app` persona.
+
+**Example:**
+
+```shell
+# Payload to pass in the API call
+$ tee payload.json <<EOF
+{
+  "policy": "path \"secret/data/eng/apikey/Google\" { capabilities = [ \"read\" ] ...}"
+}
+EOF
+
+# Create "apps" policy
+$ curl --header "X-Vault-Token: ..." --request PUT \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/sys/policy/apps
+
+# Generate a new token with apps policy
+$ curl --header "X-Vault-Token: ..." --request POST \
+       --data '{"policies": ["apps"]}' \
+       http://127.0.0.1:8200/v1/auth/token/create | jq
+{
+ "request_id": "e1737bc8-7e51-3943-42a0-2dbd6cb40e3e",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": null,
+ "wrap_info": null,
+ "warnings": null,
+ "auth": {
+   "client_token": "1c97b03a-6098-31cf-9d8b-b404e52dcb4a",
+   "accessor": "b10a3eb7-15fe-1924-600e-403cfda34c28",
+   "policies": [
+     "apps",
+     "default"
+   ],
+   "metadata": null,
+   "lease_duration": 2764800,
+   "renewable": true,
+   "entity_id": ""
+ }
+}
+```
+
+Now, `apps` can use this token to read the secrets.
+
+**NOTE:** For the purpose of this guide, you created a policy for `apps`
+persona, and generated a token for it. However, in a real world, you may have
+a dedicated `policy author`, or `admin` to write policies. Also, the
+consumer of the API key may be different from the consumer of the root
+certificate. Then each persona would have a policy based on what it needs to
+access.
+
+![Personas Introduction](/img/vault-static-secrets2.png)
+
+### <a name="step5"></a>Step 5: Retrieve the secrets
+
+(**Persona:** apps)
+
+Using the token from [Step 4](#step4), read the Google API key, and root certificate for
+MySQL.
+
+#### CLI command
+
+The command to read secret is:
+
+```plaintext
+$ vault kv get secret/<PATH>
+```
+
+**Example:**
+
+```shell
+# Authenticate with Vault using the generated token first
+$ vault login e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
+Successfully authenticated! You are now logged in.
+token: e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
+token_duration: 2764277
+token_policies: [apps default]
+
+# Read the API key
+$ vault kv get secret/eng/apikey/Google
+Key             	Value
+---             	-----
+refresh_interval	768h0m0s
+key             	AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI
+```
+
+To return the key value alone, pass `-field=key` as an argument.
+
+```plaintext
+$ vault kv get -field=key secret/eng/apikey/Google
+AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI
+```
+
+#### Root certificate example:
+
+The command is basically the same:
+
+```plaintext
+$ vault kv get -field=cert secret/prod/cert/mysql
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA6E2Uq0XqreZISgVMUu9pnoMsq+OoK1PI54rsA9vtDE6wiRk0GWhf5vD4DGf1
+...
+```
+
+#### API call using cURL
+
+Use `secret/` endpoint to retrieve secrets from key/value secret engine:
+
+```plaintext
+$ curl --header "X-Vault-Token: <TOKEN_FROM_STEP4>" \
+       --request Get \
+       <VAULT_ADDRESS>/v1/secret/data/<PATH>
+```
+
+**Example:**
+
+Read the Google API key.
+
+```plaintext
+$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
+       --request GET \
+       http://127.0.0.1:8200/v1/secret/data/eng/apikey/Google | jq
+{
+"request_id": "5a2005ac-1149-2275-cab3-76cee71bf524",
+"lease_id": "",
+"renewable": false,
+"lease_duration": 2764800,
+"data": {
+  "key": "AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI"
+},
+"wrap_info": null,
+"warnings": null,
+"auth": null
+}
+```
+
+**NOTE:** This example uses `jq` to parse the JSON output.
+
+Retrieve the key value with `jq`:
+
+```plaintext
+$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
+       --request GET \
+       http://127.0.0.1:8200/v1/secret/data/eng/apikey/Google | jq ".data.key"
+```
+
+#### Root certificate example:
+
+```plaintext
+$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
+       --request GET \
+       http://127.0.0.1:8200/v1/secret/data/prod/cert/mysql | jq ".data.cert"
+```
+
+## Additional Discussion
+
+### Q: How do I enter my secrets without appearing in history?
+
+As a precaution, you may wish to avoid passing your secret as a part of the CLI
+command so that the secret won't appear in the history file. Here are a few
+techniques you can use.
+
+#### Option 1: Use a dash "-"
+
+An easy technique is to use a dash "-" and then press Enter. This allows you to
+enter the secret in a new line. After entering the secret, press **`Ctrl+d`** to
+end the pipe and write the secret to the Vault.
+
+```plaintext
+$ vault kv put secret/eng/apikey/Google key=-
+
+AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI
+<Ctrl+d>
+```
+
+#### Option 2: Read the secret from a file
+
+Using the Google API key example, you can create a file containing the key (apikey.txt):
+
+```plaintext
+{
+  "key": "AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI"
+}
+```
+
+The CLI command would look like:
+
+```plaintext
+$ vault kv put secret/eng/apikey/Google @apikey.txt
+```
+
+#### Option 3: Disable all vault command history
+
+Sometimes, you may not even want the vault command itself to appear in history
+at all. The Option 1 and Option 2 prevents the secret to appear in the history;
+however, the vault command, `vault kv put secret/eng/apikey/Google` will appear
+in history.
+
+In bash:
+
+```plaintext
+$ export HISTIGNORE="&:vault*"
+```
+
+**NOTE:** This prevents the use of the Up arrow key for command history as well.
+
+### Q: How do I save multiple values?
+
+The two examples introduced in this guide only had a single key-value pair. You
+can pass multiple values in the command.
+
+```plaintext
+$ vault kv put secret/dev/config/mongodb url=foo.example.com:35533 db_name=users \
+ username=admin password=passw0rd
+```
+
+Or, read the secret from a file:
+
+```plaintext
+$ tee mongodb.txt <<EOF
+{
+    "url": "foo.example.com:35533",
+    "db_name": "users",
+    "username": "admin",
+    "password": "pa$$w0rd"
+}
+EOF
+
+$ vault kv put secret/dev/config/mongodb @mongodb.txt
+```
+
+## Next steps
+
+This guide introduced the CLI commands and API endpoints to read and write
+secrets in key/value secret engine. To keep it simple, the `devops` persona
+generated a token for `apps`. Read [AppRole Pull
+Authentication](/guides/identity/authentication.html) guide to learn about
+programmatically generate a token for apps.
diff --git a/website/pages/guides/secret-mgmt/versioned-kv.mdx b/website/pages/guides/secret-mgmt/versioned-kv.mdx
new file mode 100644
index 000000000000..2649f16e1374
--- /dev/null
+++ b/website/pages/guides/secret-mgmt/versioned-kv.mdx
@@ -0,0 +1,932 @@
+---
+layout: guides
+page_title: Versioned KV Secret Engine - Guides
+sidebar_title: Versioned KV Secret Engine
+description: |-
+  Vault 0.10.0 introduced version 2 of key-value secret engine which supports
+  versioning of your secrets so that you can undo the accidental deletion of
+  secrets, or compare the different versions of the secret.
+---
+
+# Versioned Key/Value Secret Engine
+
+The [Static Secrets](/guides/secret-mgmt/static-secrets.html) guide introduced
+the basics of working with key-value secret engine. **Vault 0.10** introduced [_K/V
+Secrets Engine v2 with Secret
+Versioning_](https://www.hashicorp.com/blog/vault-0-10). This guide
+demonstrates the new features introduced by the key-value secret engine v2.
+
+## Reference Material
+
+- [Static Secrets guide](/guides/secret-mgmt/static-secrets.html)
+- [KV Secrets Engine - Version 2](/docs/secrets/kv/kv-v2.html)
+- [KV Secrets Engine - Version 2 (API)](/api/secret/kv/kv-v2.html)
+
+~> **NOTE:** An [interactive
+tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-static-secrets) is
+also available if you do not have a Vault environment to perform the steps
+described in this guide.
+
+## Estimated Time to Complete
+
+10 minutes
+
+## Challenge
+
+The KV secret engine v1 does not provide a way to version or roll back secrets.
+This made it difficult to recover from unintentional data loss or overwrite when
+more than one user is writing at the same path.
+
+## Solution
+
+Run the **version 2** of KV secret engine which can retain a configurable
+number of secret versions. This enables older versions' data to be retrievable
+in case of unwanted deletion or updates of the data. In addition, its
+_Check-and-Set_ operations can be used to protect the data from being overwritten
+unintentionally.
+
+![Versioned KV](/img/vault-versioned-kv-1.png)
+
+## Prerequisites
+
+To perform the tasks described in this guide, you need to have a Vault
+environment. Refer to the [Getting
+Started](/intro/getting-started/install.html) guide to install Vault. Make sure
+that your Vault server has been [initialized and
+unsealed](/intro/getting-started/deploy.html).
+
+### Policy requirements
+
+-> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
+with Vault. However, it is recommended that root tokens are only used for
+initial setup or in emergencies. As a best practice, use tokens with
+appropriate set of policies based on your role in the organization.
+
+To perform all tasks demonstrated in this guide, your policy must include the
+following permissions:
+
+```shell
+# To view in Web UI
+path "sys/mounts" {
+  capabilities = [ "read", "update" ]
+}
+
+# Write and manage secrets in key-value secret engine
+path "secret*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# To enable secret engines
+path "sys/mounts/*" {
+  capabilities = [ "create", "read", "update", "delete" ]
+}
+```
+
+If you are not familiar with policies, complete the
+[policies](/guides/identity/policies.html) guide.
+
+## Steps
+
+This guide demonstrates the basic commands for working with KV secret engine v2.
+
+You will perform the following:
+
+1. [Check the KV secret engine version](#step1)
+2. [Write secrets](#step2)
+3. [Retrieve a specific version of secret](#step3)
+4. [Specify the number of versions to keep](#step4)
+5. [Delete versions of secret](#step5)
+6. [Permanently delete data](#step6)
+
+### <a name="step1"></a>Step 1: Check the KV secret engine version
+
+(**Persona:** devops)
+
+Before beginning, verify that you are using the v2 of the KV secret engine.
+
+#### CLI command
+
+To check the KV secret engine version:
+
+```plaintext
+$ vault secrets list -format=json
+...
+"secret/": {
+  "type": "kv",
+  "description": "key/value secret storage",
+  "accessor": "kv_f05b8b9c",
+  "config": {
+    "default_lease_ttl": 0,
+    "max_lease_ttl": 0,
+    "force_no_cache": false
+  },
+  "options": {
+    "version": "2"
+  },
+  ...
+```
+
+The indicated **`version`** should be **`2`**. If the version is **`1`**,
+upgrade it to v2.
+
+```plaintext
+$ vault kv enable-versioning secret/
+```
+
+#### API call using cURL
+
+To check the KV secret engine version:
+
+```plaintext
+$ curl --header "X-Vault-Token: <TOKEN>" \
+       <VAULT_ADDRESS>/v1/sys/mounts
+```
+
+Where `<TOKEN>` is your valid token, and `<VAULT_ADDRESS>` is where your vault
+server is running.
+
+**Example:**
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/sys/mounts | jq
+...
+  "secret/": {
+    "accessor": "kv_f05b8b9c",
+    "config": {
+      "default_lease_ttl": 0,
+      "force_no_cache": false,
+      "max_lease_ttl": 0,
+      "plugin_name": ""
+    },
+    "description": "key/value secret storage",
+    "local": false,
+    "options": {
+      "version": "2"
+    },
+    "seal_wrap": false,
+    "type": "kv"
+  },
+...
+```
+
+The indicated **`version`** should be **`2`**. If the version is **`1`**,
+upgrade it to v2.
+
+```plaintext
+$ cat payload.json
+{
+  "options": {
+      "version": "2"
+  }
+}
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/sys/mounts/secret/tune
+```
+
+#### Web UI
+
+Open a web browser and launch the Vault UI (e.g. `http://127.0.0.1:8200/ui`) and
+then login.
+
+![Web UI](/img/vault-versioned-kv-2.png)
+
+If `secret/` does not indicates **`v2`**, you can upgrade it from `v1` to `v2`
+by executing the following CLI command:
+
+```plaintext
+$ vault kv enable-versioning secret/
+```
+
+Alternatively, you can enable KV secret engine v2 at a different path by
+clicking **Enable new engine**. Select **KV** from the **Secret engine type**
+drop-down list. Be sure that the **Version** is set to be **Version 2**.
+
+![Enabling kv-v2](/img/vault-versioned-kv-3.png)
+
+Click **Enable Engine** to complete.
+
+### <a name="step2"></a>Step 2: Write Secrets
+
+To understand how the versioning works, let's write some test data.
+
+#### CLI commands
+
+To write secrets, run `vault kv put` command instead of `vault write`:
+
+```plaintext
+$ vault kv put secret/customer/acme name="ACME Inc." contact_email="jsmith@acme.com"
+Key              Value
+---              -----
+created_time     2018-04-14T00:05:47.115378933Z
+deletion_time    n/a
+destroyed        false
+version          1
+```
+
+To update the existing secret, run the `vault kv put` command again:
+
+```plaintext
+$ vault kv put secret/customer/acme name="ACME Inc." contact_email="john.smith@acme.com"
+Key              Value
+---              -----
+created_time     2018-04-14T00:13:35.296018431Z
+deletion_time    n/a
+destroyed        false
+version          2
+```
+
+Now you have two versions of the `secret/customer/acme` data. Run `vault kv get`
+to read the data.
+
+```plaintext
+$ vault kv get secret/customer/acme
+====== Metadata ======
+Key              Value
+---              -----
+created_time     2018-04-14T00:13:35.296018431Z
+deletion_time    n/a
+destroyed        false
+version          2
+
+======== Data ========
+Key              Value
+---              -----
+contact_email    john.smith@acme.com
+name             ACME Inc.
+```
+
+#### API call using cURL
+
+Write some data at `secret/customer/acme`:
+
+```plaintext
+$ tee payload.json <<EOF
+{
+  "data": {
+    "name": "ACME Inc.",
+    "contact_email": "jsmith@acme.com"
+  }
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/secret/data/customer/acme
+```
+
+Notice that the endpoint for KV v2 is **`/secret/data/<path>`**; therefore, to
+write secrets at `secret/customer/acme`, the API endpoint becomes
+`/secret/data/customer/acme`.
+
+Update the secret to create another version:
+
+```plaintext
+$ tee payload.json <<EOF
+{
+  "data": {
+    "name": "ACME Inc.",
+    "contact_email": "john.smith@acme.com"
+  }
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/secret/data/customer/acme
+```
+
+Now you have two versions of the `secret/customer/acme` data. Read back the secret.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/secret/data/customer/acme
+{
+   "request_id": "7233b69d-35d9-6c1b-ae81-9a679a03082d",
+   "lease_id": "",
+   "renewable": false,
+   "lease_duration": 0,
+   "data": {
+     "data": {
+       "contact_email": "john.smith@acme.com",
+       "name": "ACME Inc."
+     },
+     "metadata": {
+       "created_time": "2018-04-14T00:59:11.27903511Z",
+       "deletion_time": "",
+       "destroyed": false,
+       "version": 2
+     }
+   },
+   "wrap_info": null,
+   "warnings": null,
+   "auth": null
+}
+```
+
+#### Web UI
+
+In the Web UI, select `secret/` and then click **Create secret**.
+
+![Write Secret](/img/vault-versioned-kv-5.png)
+
+Click **Save**.
+
+To update the existing secret, select **Edit**, change the `contact_email`
+value, and then click **Save**.
+
+![Write Secret](/img/vault-versioned-kv-6.png)
+
+### <a name="step3"></a>Step 3: Retrieve a Specific Version of Secret
+
+You may run into a situation where you need to view the secret before an update.
+
+#### CLI commands
+
+To retrieve the version 1 of the secret written at `secret/customer/acme`:
+
+```plaintext
+$ vault kv get -version=1 secret/customer/acme
+====== Metadata ======
+Key              Value
+---              -----
+created_time     2018-04-14T00:05:47.115378933Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+======== Data ========
+Key              Value
+---              -----
+contact_email    jsmith@acme.com
+name             ACME Inc.
+```
+
+To read the **metadata** of `secret/customer/acme`:
+
+```plaintext
+$ vault kv metadata get secret/customer/acme
+======= Metadata =======
+Key                Value
+---                -----
+created_time       2018-04-14T00:05:47.115378933Z
+current_version    2
+max_versions       0
+oldest_version     0
+updated_time       2018-04-14T00:13:35.296018431Z
+
+====== Version 1 ======
+Key              Value
+---              -----
+created_time     2018-04-14T00:05:47.115378933Z
+deletion_time    n/a
+destroyed        false
+
+====== Version 2 ======
+Key              Value
+---              -----
+created_time     2018-04-14T00:13:35.296018431Z
+deletion_time    n/a
+destroyed        false
+```
+
+#### API call using cURL
+
+To retrieve the version 1 of the secret written at `secret/customer/acme`:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/secret/data/customer/acme?version=1 | jq
+{
+ "request_id": "3bf5a2c1-d89b-9dd5-9bb5-0bc61a4a6d83",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": {
+   "data": {
+     "contact_email": "jsmith@acme.com",
+     "name": "ACME Inc."
+   },
+   "metadata": {
+     "created_time": "2018-04-14T00:05:47.115378933Z",
+     "deletion_time": "",
+     "destroyed": false,
+     "version": 1
+   }
+ },
+ "wrap_info": null,
+ "warnings": null,
+ "auth": null
+}
+```
+
+To read the **metadata** of `secret/customer/acme`:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/secret/metadata/customer/acme | jq
+{
+ "request_id": "34708262-59cd-9a94-247f-3b1db0909050",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": {
+   "created_time": "2018-04-14T00:05:47.115378933Z",
+   "current_version": 2,
+   "max_versions": 0,
+   "oldest_version": 0,
+   "updated_time": "2018-04-14T00:13:35.296018431Z",
+   "versions": {
+     "1": {
+       "created_time": "2018-04-14T00:05:47.115378933Z",
+       "deletion_time": "",
+       "destroyed": false
+     },
+     "2": {
+       "created_time": "2018-04-14T00:13:35.296018431Z",
+       "deletion_time": "",
+       "destroyed": false
+     }
+   }
+ },
+ "wrap_info": null,
+ "warnings": null,
+ "auth": null
+}
+```
+
+### <a name="step4"></a>Step 4: Specify the number of versions to keep
+
+By default, the `kv-v2` secret engine keeps up to 10 versions. Let's limit the
+maximum number of versions to keep to be 4.
+
+#### CLI command
+
+To set the `secret/` to keep up to 4 versions:
+
+```shell
+$ vault write secret/config max_versions=4
+Success! Data written to: secret/config
+
+# View the configuration settings
+$ vault read secret/config
+Key             Value
+---             -----
+cas_required    false
+max_versions    4
+```
+
+Alternatively, to limit the number of versions only on the
+**`secret/customer/acme`** path rather than the entire `secret/` engine:
+
+```plaintext
+$ vault kv metadata put -max-versions=4 secret/customer/acme
+```
+
+Overwrite the data a few more times to see what happens to the data.
+
+```plaintext
+$ vault kv metadata get secret/customer/acme
+======= Metadata =======
+Key                Value
+---                -----
+created_time       2018-04-14T00:42:25.677078177Z
+current_version    6
+max_versions       0
+oldest_version     3
+updated_time       2018-04-16T00:17:23.930473344Z
+
+====== Version 3 ======
+Key              Value
+---              -----
+created_time     2018-04-16T00:15:59.880368849Z
+deletion_time    n/a
+destroyed        false
+
+====== Version 4 ======
+Key              Value
+---              -----
+created_time     2018-04-16T00:16:18.941331243Z
+deletion_time    n/a
+destroyed        false
+
+====== Version 5 ======
+Key              Value
+---              -----
+created_time     2018-04-16T00:16:34.407951572Z
+deletion_time    n/a
+destroyed        false
+
+====== Version 6 ======
+Key              Value
+---              -----
+created_time     2018-04-16T00:17:23.930473344Z
+deletion_time    n/a
+destroyed        false
+```
+
+In this example, the current version is 6. Notice that version 1 and 2 do not
+show up in the metadata. Because the kv secret engine is configured to keep only
+4 versions, the oldest two versions are permanently deleted and you won't be
+able to read them.
+
+```plaintext
+$ vault kv get -version=1 secret/customer/acme
+No value found at secret/data/customer/data
+```
+
+#### API call using cURL
+
+To set the `secret/` to keep up to 4 versions:
+
+```plaintext
+$ tee payload.json<<EOF
+{
+  "max_versions": 4,
+  "cas_required": false
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json
+       http://127.0.0.1:8200/v1/secret/config
+```
+
+To view the configuration:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/secret/config | jq
+{
+ "request_id": "8addfed1-41eb-6a19-8342-93f493c51538",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": {
+   "cas_required": false,
+   "max_versions": 4
+ },
+ "wrap_info": null,
+ "warnings": null,
+ "auth": null
+}
+```
+
+Alternatively, to limit the number of versions only on the
+**`secret/customer/acme`** path rather than the entire `secret/` engine:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json
+       http://127.0.0.1:8200/v1/secret/metadata/customer/acme
+```
+
+Invoke the `secret/metadata/customer/acme` endpoint instead.
+
+Overwrite the data a few more times to see what happens to the data.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/secret/metadata/customer/acme | jq
+{
+ "request_id": "f2dd7f69-294c-e5c3-d582-f723005ea243",
+ "lease_id": "",
+ "renewable": false,
+ "lease_duration": 0,
+ "data": {
+   "created_time": "2018-04-14T00:42:25.677078177Z",
+   "current_version": 6,
+   "max_versions": 0,
+   "oldest_version": 3,
+   "updated_time": "2018-04-16T00:17:23.930473344Z",
+   "versions": {
+     "3": {
+       "created_time": "2018-04-16T00:15:59.880368849Z",
+       "deletion_time": "",
+       "destroyed": false
+     },
+     "4": {
+       "created_time": "2018-04-16T00:16:18.941331243Z",
+       "deletion_time": "",
+       "destroyed": false
+     },
+     "5": {
+       "created_time": "2018-04-16T00:16:34.407951572Z",
+       "deletion_time": "",
+       "destroyed": false
+     },
+     "6": {
+       "created_time": "2018-04-16T00:17:23.930473344Z",
+       "deletion_time": "",
+       "destroyed": false
+     }
+   }
+ },
+ "wrap_info": null,
+ "warnings": null,
+ "auth": null
+}
+```
+
+In this example, the current version is 6. Notice that version 1 and 2 do not
+show up in the metadata. Because the kv secret engine is configured to keep only
+4 versions, the oldest two versions are permanently deleted and you won't be
+able to read them.
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       http://127.0.0.1:8200/v1/secret/data/customer/acme?version=1 | jq
+{
+ "errors": []
+}
+```
+
+### <a name="step5"></a>Step 5: Delete versions of secret
+
+#### CLI command
+
+Let's delete versions 4 and 5:
+
+```shell
+$ vault kv delete -versions="4,5" secret/customer/acme
+Success! Data deleted (if it existed) at: secret/customer/acme
+
+# Check the metadata
+$ vault kv metadata get secret/customer/acme
+...
+====== Version 4 ======
+Key              Value
+---              -----
+created_time     2018-04-16T00:12:25.404198622Z
+deletion_time    2018-04-16T01:04:01.160426888Z
+destroyed        false
+
+====== Version 5 ======
+Key              Value
+---              -----
+created_time     2018-04-16T00:12:47.527981267Z
+deletion_time    2018-04-16T01:04:01.160427742Z
+destroyed        false
+...
+```
+
+The metadata on versions 4 and 5 reports its deletion timestamp
+(`deletion_time`); however, the `destroyed` parameter is set to `false`.
+
+If version 5 was deleted by mistake and you wish to recover, invoke the `vault kv undelete` command:
+
+```plaintext
+$ vault kv undelete -versions=5 secret/customer/acme
+Success! Data written to: secret/undelete/customer/acme
+```
+
+#### API call using cURL
+
+Let's delete versions 4 and 5:
+
+```shell
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{ "versions":[4,5] }'
+       http://127.0.0.1:8200/v1/secret/delete/customer/acme
+
+# Check the metadata
+$ curl --header "X-Vault-Token: ..." \
+      http://127.0.0.1:8200/v1/secret/metadata/customer/acme | jq
+...
+"4": {
+   "created_time": "2018-04-16T00:16:18.941331243Z",
+   "deletion_time": "2018-04-16T01:17:42.003111567Z",
+   "destroyed": false
+ },
+ "5": {
+   "created_time": "2018-04-16T00:16:34.407951572Z",
+   "deletion_time": "2018-04-16T01:17:42.003111978Z",
+   "destroyed": false
+ },
+...
+```
+
+The metadata on versions 4 and 5 reports its deletion timestamp
+(`deletion_time`); however, the `destroyed` parameter is set to `false`.
+
+If version 5 was deleted by mistake and you wish to recover, invoke the
+`/secret/undelete` endpoint:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{ "versions":[5] }'
+       http://127.0.0.1:8200/v1/secret/undelete/customer/acme
+```
+
+### <a name="step6"></a>Step 6: Permanently delete data
+
+#### CLI command
+
+To permanently delete a version of secret:
+
+```shell
+$ vault kv destroy -versions=4 secret/customer/acme
+Success! Data written to: secret/destroy/customer/acme
+
+# Check the metadata
+$ vault kv metadata get secret/customer/acme
+...
+====== Version 4 ======
+Key              Value
+---              -----
+created_time     2018-04-16T00:12:25.404198622Z
+deletion_time    2018-04-16T01:04:01.160426888Z
+destroyed        true
+...
+```
+
+The metadata indicates that Version 4 is destroyed.
+
+If you wish to destroy all the keys and versions at `secret/customer/acme`,
+invoke the `vault kv metadata delete` command:
+
+```plaintext
+$ vault kv metadata delete secret/customer/acme
+Success! Data deleted (if it existed) at: secret/metadata/customer/acme
+```
+
+#### API call using cURL
+
+To permanently delete a version of secret:
+
+```shell
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data '{ "versions":[4] }'
+       http://127.0.0.1:8200/v1/secret/destroy/customer/acme
+
+# Check the metadata
+$ curl --header "X-Vault-Token: ..." \
+      http://127.0.0.1:8200/v1/secret/metadata/customer/acme | jq
+...
+  "4": {
+    "created_time": "2018-04-16T00:16:18.941331243Z",
+    "deletion_time": "2018-04-16T01:17:42.003111567Z",
+    "destroyed": true
+  },
+...
+```
+
+The metadata indicates that Version 4 is destroyed.
+
+If you wish to destroy all the keys and versions at `secret/customer/acme`,
+invoke the `secret/metadata` endpoint:
+
+```plaintext
+$ curl --header "X-Vault-Token: ..." \
+       --request DELETE
+       http://127.0.0.1:8200/v1/secret/metadata/customer/acme
+```
+
+### Additional Discussion
+
+The v2 of KV secret engine supports a **_Check-And-Set_** operation to prevent
+unintentional secret overwrite. When you pass the `cas` flag to Vault, it first
+checks if the key already exists.
+
+By default, _Check-And-Set_ operation is not enabled on the KV secret engine;
+therefore, write is always allowed (no checking is performed).
+
+```plaintext
+$ vault read secret/config
+Key             Value
+---             -----
+cas_required    false
+max_versions    0
+```
+
+#### CLI command
+
+To enable the **_Check-And-Set_** operation:
+
+```shell
+# Enable cas_requied on the secret engine mounted at secret/
+$ vault write secret/config cas-required=true
+
+# Enable cas_requied only on the secret/partner path
+$ vault kv metadata put -cas-required=true secret/partner
+```
+
+Once check-and-set is enabled, every write operation requires `cas` value to be
+passed. If you are sure that you want to overwrite the existing key-value, set
+`cas` to match the current version. Set `cas` to `0` if you want to write the
+secret _only if_ the key does not exist.
+
+**Example:**
+
+```shell
+# To write if the key does not already exists
+$ vault kv put -cas=0 secret/partner name="Example Co." partner_id="123456789"
+Key              Value
+---              -----
+created_time     2018-04-16T22:58:15.798753323Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+# To overwrite the secret, you must specify the current version with -cas flag
+$ vault kv put -cas=1 secret/partner name="Example Co." partner_id="ABCDEFGHIJKLMN"
+Key              Value
+---              -----
+created_time     2018-04-16T23:00:28.66552289Z
+deletion_time    n/a
+destroyed        false
+version          2
+```
+
+#### API call using cURL
+
+To enable the **_Check-And-Set_** operation:
+
+```shell
+$ tee payload.json<<EOF
+{
+  "max_versions": 10,
+  "cas_required": true
+}
+EOF
+
+# Enable cas_requied on the secret engine mounted at secret/
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json
+       http://127.0.0.1:8200/v1/secret/config
+
+# Enable cas_requied only on the secret/partner path
+$ curl --header "X-Vault-Token: ..." \
+      --request POST \
+      --data @payload.json
+      http://127.0.0.1:8200/v1/secret/metadata/partner
+```
+
+Once check-and-set is enabled, every write operation requires `cas` value to be
+passed. If you are sure that you want to overwrite the existing key-value, set
+`cas` to match the current version. Set `cas` to `0` if you want to write the
+secret _only if_ the key does not exist.
+
+**Example:**
+
+```shell
+# Write if the key does not already exists
+$ tee payload.json <<EOF
+{
+  "options": {
+    "cas": 0
+  },
+  "data": {
+    "name": "Example Co.",
+    "partner_id": "123456789"
+  }
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/secret/data/partner
+
+# To overwrite the secret, you must pass the current version
+$ tee payload.json <<EOF
+{
+  "options": {
+    "cas": 1
+  },
+  "data": {
+    "name": "Example Co.",
+    "partner_id": "ABCDEFGHIJKLMN"
+  }
+}
+EOF
+
+$ curl --header "X-Vault-Token: ..." \
+       --request POST \
+       --data @payload.json \
+       http://127.0.0.1:8200/v1/secret/data/partner
+```
+
+<br />
+
+~> If the **`cas`** value is missing in your write request, the
+"`check-and-set parameter required for this call`" error will be returned. If
+the `cas` does not match the current version number, you will receive the
+"`check-and-set parameter did not match the current version`" message.
+
+## Next steps
+
+This guide introduced the CLI commands and API endpoints to read and write
+static secrets in the key-value secret engine. Read [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html) guide to learn about the
+usage of database secret engine.
diff --git a/website/pages/home/index.jsx b/website/pages/home/index.jsx
new file mode 100644
index 000000000000..9f44461bdc2a
--- /dev/null
+++ b/website/pages/home/index.jsx
@@ -0,0 +1,268 @@
+import Hero from '@hashicorp/react-hero'
+import SectionHeader from '@hashicorp/react-section-header'
+import UseCases from '@hashicorp/react-use-cases'
+import TextAndContent from '@hashicorp/react-text-and-content'
+import Button from '@hashicorp/react-button'
+
+import BeforeAfterDiagram from '../../components/before-after-diagram'
+
+export default function Homepage() {
+  return (
+    <div id="page-home">
+      <div className="g-section-block page-wrap">
+        {/* Hero */}
+        <Hero
+          data={{
+            backgroundImage: {
+              alt: null,
+              size: 55617,
+              url:
+                'https://www.datocms-assets.com/2885/1539894412-vault-bg.jpg',
+              width: 3196
+            },
+            backgroundTheme: 'light',
+            buttons: [
+              {
+                external: false,
+                title: 'Download',
+                url: 'https://www.vaultproject.io/downloads.html'
+              },
+              {
+                external: false,
+                title: 'Get Started with Vault',
+                url:
+                  'https://www.vaultproject.io/intro/getting-started/index.html'
+              }
+            ],
+            centered: false,
+            description:
+              'Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.',
+            theme: 'vault-gray',
+            title: 'Manage Secrets and Protect Sensitive Data',
+            videos: [
+              {
+                name: 'UI',
+                playbackRate: 2,
+                src: [
+                  {
+                    srcType: 'mp4',
+                    url:
+                      'https://www.datocms-assets.com/2885/1543956852-vault-v1-0-ui-opt.mp4'
+                  }
+                ]
+              },
+              {
+                name: 'CLI',
+                playbackRate: 2,
+                src: [
+                  {
+                    srcType: 'mp4',
+                    url:
+                      'https://www.datocms-assets.com/2885/1543956847-vault-v1-0-cli-opt.mp4'
+                  }
+                ]
+              }
+            ]
+          }}
+        />
+
+        {/* Text Section */}
+
+        <section className="g-container remove-bottom-padding">
+          <SectionHeader
+            headline="Secure dynamic infrastructure across clouds and environments"
+            description="The shift from static, on-premise infrastructure to dynamic, multi-provider infrastructure changes the approach to security. Security in static infrastructure relies on dedicated servers, static IP addresses, and a clear network perimeter. Security in dynamic infrastructure is defined by ephemeral applications and servers, trusted sources of user and application identity, and software-based encryption."
+          />
+        </section>
+
+        {/* Before-After Diagram */}
+
+        <section className="g-container before-after">
+          <BeforeAfterDiagram
+            beforeImage={{
+              url:
+                'https://www.datocms-assets.com/2885/1539884846-static-infrastructure.svg',
+              format: 'svg'
+            }}
+            beforeHeadline="Static Infrastructure"
+            beforeContent={`Datacenters with inherently high-trust networks with clear network perimeters.
+
+#### Traditional Approach
+
+- High trust networks
+- A clear network perimeter
+- Security enforced by IP Address`}
+            afterImage={{
+              url:
+                'https://www.datocms-assets.com/2885/1539884849-dynamic-infrastructure.svg',
+              format: 'svg'
+            }}
+            afterHeadline="Dynamic Infrastructure"
+            afterContent={`Multiple clouds and private datacenters without a clear network perimeter.
+
+#### Vault Approach
+
+
+- Low-trust networks in public clouds
+- Unknown network perimeter across clouds
+- Security enforced by Identity`}
+          />
+        </section>
+
+        {/* Use cases */}
+
+        <section>
+          <div className="g-container">
+            <UseCases
+              theme="vault"
+              items={[
+                {
+                  title: 'Secrets Management',
+                  description:
+                    'Audit access, automatically Centrally store, access, and deploy secrets across applications, systems, and infrastructure',
+                  image: {
+                    alt: null,
+                    format: 'png',
+                    url:
+                      'https://www.datocms-assets.com/2885/1575422126-secrets.png'
+                  },
+                  link: {
+                    external: false,
+                    title: 'Learn more',
+                    url: '/use-cases/secrets-management'
+                  }
+                },
+                {
+                  title: 'Data Encryption',
+                  description:
+                    'Keep secrets and application data secure with one centralized workflow to encrypt data in flight and at rest',
+                  image: {
+                    alt: null,
+                    format: 'png',
+                    url:
+                      'https://www.datocms-assets.com/2885/1575422166-encryption.png'
+                  },
+                  link: {
+                    external: false,
+                    title: 'Learn more',
+                    url: '/use-cases/data-encryption'
+                  }
+                },
+                {
+                  title: 'Identity-based Access',
+                  description:
+                    'Authenticate and access different clouds, systems, and endpoints using trusted identities',
+                  image: {
+                    alt: null,
+                    format: 'png',
+                    url:
+                      'https://www.datocms-assets.com/2885/1575422201-identity.png'
+                  },
+                  link: {
+                    external: false,
+                    title: 'Learn more',
+                    url: '/use-cases/identity-based-access'
+                  }
+                }
+              ]}
+            />
+          </div>
+        </section>
+        {/* Principles / Text & Content Blocks */}
+
+        <section className="g-container">
+          <SectionHeader headline="Vault Principles" />
+
+          <TextAndContent
+            data={{
+              text: `### API-driven
+
+Use policy to codify, protect, and automate access to secrets`,
+              content: {
+                __typename: 'SbcCodeBlockRecord',
+                chrome: true,
+                code: `$ curl \n
+    --header "X-Vault-Token: ..." \n
+    --request POST \n
+    --data @payload.json \n
+    https://127.0.0.1:8200/v1/secret/config`
+              }
+            }}
+          />
+
+          <div className="g-text-and-content reverse">
+            <div className="text">
+              <div>
+                <h3>Identity Plugins</h3>
+                <p>Seamlessly integrate any trusted identity provider</p>
+              </div>
+            </div>
+            <div className="content logo-grid">
+              <ul className="g-logo-grid large">
+                {[
+                  'https://www.datocms-assets.com/2885/1510033601-aws_logo_rgb_fullcolor.svg',
+                  'https://www.datocms-assets.com/2885/1539799149-azure-stacked-color.svg',
+                  'https://www.datocms-assets.com/2885/1513617132-google-cloud.svg',
+                  'https://www.datocms-assets.com/2885/1556657783-oktalogo.svg',
+                  'https://www.datocms-assets.com/2885/1539817287-cf.svg',
+                  'https://www.datocms-assets.com/2885/1506527326-color.svg',
+                  'https://www.datocms-assets.com/2885/1506540149-black.svg',
+                  'https://www.datocms-assets.com/2885/1539876682-k8s.svg',
+                  'https://www.datocms-assets.com/2885/1506535057-black.svg'
+                ].map(logo => (
+                  <li key={logo}>
+                    <img src={logo} alt="company logo" />
+                  </li>
+                ))}
+              </ul>
+            </div>
+          </div>
+
+          <div className="g-text-and-content">
+            <div className="text">
+              <div>
+                <h3>Extend and integrate</h3>
+                <p>
+                  Securely manage secrets and access through a centralized
+                  workflow
+                </p>
+              </div>
+            </div>
+            <div className="content logo-grid">
+              <ul className="g-logo-grid large">
+                {[
+                  'https://www.datocms-assets.com/2885/1506540090-color.svg',
+                  'https://www.datocms-assets.com/2885/1506540114-color.svg',
+                  'https://www.datocms-assets.com/2885/1506527176-color.svg',
+                  'https://www.datocms-assets.com/2885/1510033601-aws_logo_rgb_fullcolor.svg',
+                  'https://www.datocms-assets.com/2885/1506540175-color.svg',
+                  'https://www.datocms-assets.com/2885/1508434209-consul_primarylogo_fullcolor.svg',
+                  'https://www.datocms-assets.com/2885/1539817686-microsoft-sql-server.svg',
+                  'https://www.datocms-assets.com/2885/1539818112-postgresql.svg',
+                  'https://www.datocms-assets.com/2885/1539799149-azure-stacked-color.svg'
+                ].map(logo => (
+                  <li key={logo}>
+                    <img src={logo} alt="company logo" />
+                  </li>
+                ))}
+              </ul>
+            </div>
+          </div>
+        </section>
+
+        <section className="g-container">
+          <SectionHeader
+            headline="Open Source and Enterprise"
+            description="Vault Open Source addresses the technical complexity of managing secrets by leveraging trusted identities across distributed infrastructure and clouds. Vault Enterprise addresses the organizational complexity of large user bases and compliance requirements with collaboration and governance features."
+          />
+          <div className="button-container">
+            <Button
+              title="Learn More"
+              url="https://www.hashicorp.com/products/vault/enterprise"
+            />
+          </div>
+        </section>
+      </div>
+    </div>
+  )
+}
diff --git a/website/pages/home/style.css b/website/pages/home/style.css
new file mode 100644
index 000000000000..1d3434b48c50
--- /dev/null
+++ b/website/pages/home/style.css
@@ -0,0 +1,32 @@
+#page-home {
+  & .g-section-block.page-wrap {
+    padding-top: 0;
+  }
+
+  & .g-section-block {
+    padding: 160px 0;
+  }
+
+  & .g-logo-grid li img {
+    max-height: 50%;
+    max-width: 50%;
+  }
+
+  & .g-container.remove-bottom-padding {
+    padding-bottom: 0;
+  }
+
+  & .g-section-header.infrastructure {
+    /* Override default max-width */
+    max-width: 1050px;
+
+    & h2 {
+      max-width: 784px;
+      margin: 0 auto;
+    }
+  }
+
+  & .g-container.before-after {
+    padding-top: 50px;
+  }
+}
diff --git a/website/pages/index.jsx b/website/pages/index.jsx
new file mode 100644
index 000000000000..35cb5c8e6660
--- /dev/null
+++ b/website/pages/index.jsx
@@ -0,0 +1,2 @@
+import Homepage from './home'
+export default Homepage
diff --git a/website/pages/intro/getting-started/apis.mdx b/website/pages/intro/getting-started/apis.mdx
new file mode 100644
index 000000000000..4615d84f2377
--- /dev/null
+++ b/website/pages/intro/getting-started/apis.mdx
@@ -0,0 +1,267 @@
+---
+layout: intro
+page_title: Using the HTTP APIs with Authentication
+sidebar_title: HTTP API
+description: Using the HTTP APIs for authentication and secret access.
+---
+
+# Using the HTTP APIs with Authentication
+
+All of Vault's capabilities are accessible via the HTTP API in addition to the
+CLI. In fact, most calls from the CLI actually invoke the HTTP API. In some
+cases, Vault features are not available via the CLI and can only be accessed
+via the HTTP API.
+
+Once you have started the Vault server, you can use `curl` or any other http
+client to make API calls. For example, if you started the Vault server in
+[dev mode](/docs/concepts/dev-server.html), you could validate the
+initialization status like this:
+
+```text
+$ curl http://127.0.0.1:8200/v1/sys/init
+```
+
+This will return a JSON response:
+
+```json
+{
+  "initialized": true
+}
+```
+
+## Accessing Secrets via the REST APIs
+
+Machines that need access to information stored in Vault will most likely
+access Vault via its REST API. For example, if a machine were using
+[AppRole](/docs/auth/approle.html) for authentication, the application would
+first authenticate to Vault which would return a Vault API token. The
+application would use that token for future communication with Vault.
+
+For the purpose of this guide, we will use the following configuration which
+disables TLS and uses a file-based backend. TLS is disabled here only for
+example purposes; it should never be disabled in production.
+
+```hcl
+backend "file" {
+  path = "vault"
+}
+
+listener "tcp" {
+  tls_disable = 1
+}
+```
+
+Save this file on disk as `config.hcl` and then start the Vault server:
+
+```text
+$ vault server -config=config.hcl
+```
+
+At this point, we can use Vault's API for all our interactions. For example, we
+can initialize Vault like this:
+
+```text
+$ curl \
+    --request POST \
+    --data '{"secret_shares": 1, "secret_threshold": 1}' \
+    http://127.0.0.1:8200/v1/sys/init
+```
+
+The response should be JSON and looks something like this:
+
+```json
+{
+  "keys": ["373d500274dd8eb95271cb0f868e4ded27d9afa205d1741d60bb97cd7ce2fe41"],
+  "keys_base64": ["Nz1QAnTdjrlSccsPho5N7SfZr6IF0XQdYLuXzXzi/kE="],
+  "root_token": "6fa4128e-8bd2-fd02-0ea8-a5e020d9b766"
+}
+```
+
+This response contains our initial root token. It also includes the unseal key.
+You can use the unseal key to unseal the Vault and use the root token to perform
+other requests in Vault that require authentication.
+
+To make this guide easy to copy-and-paste, we will be using the environment
+variable `$VAULT_TOKEN` to store the root token. You can export this Vault
+token in your current shell like this:
+
+```sh
+$ export VAULT_TOKEN=6fa4128e-8bd2-fd02-0ea8-a5e020d9b766
+```
+
+Using the unseal key (not the root token) from above, you can unseal the Vault
+via the HTTP API:
+
+```text
+$ curl \
+    --request POST \
+    --data '{"key": "Nz1QAnTdjrlSccsPho5N7SfZr6IF0XQdYLuXzXzi/kE="}' \
+    http://127.0.0.1:8200/v1/sys/unseal
+```
+
+Note that you should replace `Nz1QAnT...` with the generated key from your
+output. This will return a JSON response:
+
+```json
+{
+  "sealed": false,
+  "t": 1,
+  "n": 1,
+  "progress": 0,
+  "nonce": "",
+  "version": "1.2.3",
+  "cluster_name": "vault-cluster-9d524900",
+  "cluster_id": "d69ab1b0-7e9a-2523-0d05-b0bfd09caeea"
+}
+```
+
+Now any of the available auth methods can be enabled and configured.
+For the purposes of this guide lets enable [AppRole](/docs/auth/approle.html)
+authentication.
+
+Start by enabling the AppRole authentication.
+
+```text
+$ curl \
+    --header "X-Vault-Token: $VAULT_TOKEN" \
+    --request POST \
+    --data '{"type": "approle"}' \
+    http://127.0.0.1:8200/v1/sys/auth/approle
+```
+
+Notice that the request to enable the AppRole endpoint needed an authentication
+token. In this case we are passing the root token generated when we started
+the Vault server. We could also generate tokens using any other authentication
+mechanisms, but we will use the root token for simplicity.
+
+Now create an AppRole with desired set of [ACL
+policies](/docs/concepts/policies.html). In the following command, it is being
+specified that the tokens issued under the AppRole `my-role`, should be
+associated with `dev-policy` and the `my-policy`.
+
+```text
+$ curl \
+    --header "X-Vault-Token: $VAULT_TOKEN" \
+    --request POST \
+    --data '{"policies": ["dev-policy", "my-policy"]}' \
+    http://127.0.0.1:8200/v1/auth/approle/role/my-role
+```
+
+The AppRole backend, in its default configuration expects two hard to guess
+credentials, a role ID and a secret ID. This command fetches the role ID of the
+`my-role`.
+
+```text
+$ curl \
+    --header "X-Vault-Token: $VAULT_TOKEN" \
+     http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
+```
+
+The response will include a `data` key with the `role_id`:
+
+```json
+{
+  "data": {
+    "role_id": "86a32a73-1f2b-05e0-113a-dfa930145d72"
+  }
+}
+```
+
+This command creates a new secret ID under the `my-role`.
+
+```text
+$ curl \
+    --header "X-Vault-Token: $VAULT_TOKEN" \
+    --request POST \
+    http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
+```
+
+The response will include the `secret_id` in the `data` key:
+
+```json
+{
+  "data": {
+    "secret_id": "cd4b2002-3e3b-aceb-378d-5caa84dffd14",
+    "secret_id_accessor": "6b9b58f6-d11a-c73c-ffa8-04a47d42716b"
+  }
+}
+```
+
+These two credentials can be supplied to the login endpoint to fetch a new
+Vault token.
+
+```text
+$ curl \
+    --request POST \
+    --data '{"role_id": "86a32a73-1f2b-05e0-113a-dfa930145d72", "secret_id": "cd4b2002-3e3b-aceb-378d-5caa84dffd14"}' \
+    http://127.0.0.1:8200/v1/auth/approle/login
+```
+
+The response will be JSON, under the key `auth`:
+
+```json
+{
+  "auth": {
+    "client_token": "50617721-dfb5-1916-7b13-4091e169d28c",
+    "accessor": "ada8d354-47c0-5d9e-50f9-d74e6de2df9b",
+    "policies": ["default", "dev-policy", "my-policy"],
+    "metadata": {
+      "role_name": "my-role"
+    },
+    "lease_duration": 2764800,
+    "renewable": true
+  }
+}
+```
+
+The returned client token (`50617721...`) can be used to authenticate with
+Vault. This token will be authorized with specific capabilities on all the
+resources encompassed by the policies `default`, `dev-policy` and `my-policy`.
+
+The newly acquired token can be exported as a new `VAULT_TOKEN` and use it to
+authenticate Vault requests.
+
+```sh
+$ export VAULT_TOKEN="50617721-dfb5-1916-7b13-4091e169d28c"
+```
+
+```text
+$ curl \
+    --header "X-Vault-Token: $VAULT_TOKEN" \
+    --request POST \
+    --data '{"bar": "baz"}' \
+    http://127.0.0.1:8200/v1/secret/foo
+```
+
+This will create a new secret named "foo" with the given JSON contents. We can
+read this value back with the same token:
+
+```text
+$ curl \
+    --header "X-Vault-Token: $VAULT_TOKEN" \
+    http://127.0.0.1:8200/v1/secret/foo
+```
+
+This should return a response like this:
+
+```json
+{
+  "data": {
+    "bar": "baz"
+  },
+  "lease_duration": 2764800,
+  "renewable": false,
+  "request_id": "5e246671-ec05-6fc8-9f93-4fe4512f34ab"
+}
+```
+
+You can see the documentation on the [HTTP APIs](/api/index.html) for
+more details on other available endpoints.
+
+Congratulations! You now know all the basics to get started with Vault.
+
+## Next
+
+Next, we have a page dedicated to [next
+steps](/intro/getting-started/next-steps.html) depending on what you would like
+to achieve.
diff --git a/website/pages/intro/getting-started/authentication.mdx b/website/pages/intro/getting-started/authentication.mdx
new file mode 100644
index 000000000000..da5600d59eda
--- /dev/null
+++ b/website/pages/intro/getting-started/authentication.mdx
@@ -0,0 +1,284 @@
+---
+layout: intro
+page_title: Authentication - Getting Started
+sidebar_title: Authentication
+description: >-
+  Authentication to Vault gives a user access to use Vault. Vault can
+  authenticate using multiple methods.
+---
+
+# Authentication
+
+Now that we know how to use the basics of Vault, it is important to understand
+how to authenticate to Vault itself. Up to this point, we have not "logged in"
+to Vault. When starting the Vault server in `dev` mode, it automatically logs
+you in as the root user with admin permissions. In a non-dev setup, you would
+have had to authenticate first.
+
+On this page, we'll talk specifically about authentication. On the next page, we
+talk about [authorization](/intro/getting-started/policies.html). Authentication
+is the mechanism of assigning an identity to a Vault user. The access control
+and permissions associated with an identity are authorization, and will not be
+covered on this page.
+
+Vault has pluggable auth methods, making it easy to authenticate with Vault
+using whatever form works best for your organization. On this page we will use
+the token auth method and the GitHub auth method.
+
+## Background
+
+Authentication is the process by which user or machine-supplied information is
+verified and converted into a Vault token with matching policies attached. The
+easiest way to think about Vault's authentication is to compare it to a website.
+
+When a user authenticates to a website, they enter their username, password, and
+maybe 2FA code. That information is verified against external sources (a
+database most likely), and the website responds with a success or failure. On
+success, the website also returns a signed cookie that contains a session id
+which uniquely identifies that user for this session. That cookie and session id
+are automatically carried by the browser to future requests so the user is
+authenticated. Can you imagine how terrible it would be to require a user to
+enter their login credentials on each page?
+
+Vault behaves very similarly, but it is much more flexible and pluggable than a
+standard website. Vault supports many different authentication mechanisms, but
+they all funnel into a single "session token", which we call the "Vault token".
+
+Authentication is simply the process by which a user or machine gets a Vault
+token.
+
+## Tokens
+
+Token authentication is enabled by default in Vault and cannot be disabled. When
+you start a dev server with `vault server -dev`, it outputs your _root token_.
+The root token is the initial access token to configure Vault. It has root
+privileges, so it can perform any operation within Vault.
+
+You can create more tokens:
+
+```text
+$ vault token create
+Key                Value
+---                -----
+token              463763ae-0c3b-ff77-e137-af668941465c
+token_accessor     57b6b540-57c8-64c4-e9c6-0b18ab058144
+token_duration     ∞
+token_renewable    false
+token_policies     [root]
+```
+
+By default, this will create a child token of your current token that inherits
+all the same policies. The "child" concept here is important: tokens always have
+a parent, and when that parent token is revoked, children can also be revoked
+all in one operation. This makes it easy when removing access for a user, to
+remove access for all sub-tokens that user created as well.
+
+After a token is created, you can revoke it:
+
+```text
+$ vault token revoke 463763ae-0c3b-ff77-e137-af668941465c
+Success! Revoked token (if it existed)
+```
+
+In a [previous section](/intro/getting-started/dynamic-secrets.html#revoking-the-secret), we use the `vault lease revoke` command. This command
+is only used for revoking _leases_. For revoking _tokens_, use
+`vault token revoke`.
+
+To authenticate with a token:
+
+```text
+$ vault login a402d075-6d59-6129-1ac7-3718796d4346
+Success! You are now authenticated. The token information displayed below
+is already stored in the token helper. You do NOT need to run "vault login"
+again. Future Vault requests will automatically use this token.
+
+Key                Value
+---                -----
+token              a402d075-6d59-6129-1ac7-3718796d4346
+token_accessor     7636b2f8-0cf1-e110-9b18-8f8b5ecf8351
+token_duration     ∞
+token_renewable    false
+token_policies     [root]
+```
+
+This authenticates with Vault. It will verify your token and let you know what
+access policies the token is associated with. If you want to test the `vault login` command, create a new token first.
+
+### Best Practice
+
+In practice, operators should not use the `token create` command to generate
+Vault tokens for users or machines. Instead, those users or machines should
+authenticate to Vault using any of Vault's configured auth methods such as
+GitHub, LDAP, AppRole, etc. For legacy applications which cannot generate their
+own token, operators may need to create a token in advance. Auth methods are
+discussed in more detail in the next section.
+
+## Auth Methods
+
+Vault supports many auth methods, but they must be enabled before use. Auth
+methods give you flexibility. Enabling and configuration are typically performed
+by a Vault operator or security team. As an example of a human-focused auth
+method, let's authenticate via GitHub.
+
+First, enable the GitHub auth method:
+
+```text
+$ vault auth enable -path=github github
+Success! Enabled github auth method at: github/
+```
+
+Just like secrets engines, auth methods default to their TYPE as the PATH, so
+the following commands are equivalent:
+
+```text
+$ vault auth enable -path=github github
+$ vault auth enable github
+```
+
+Unlike secrets engines which are enabled at the root router, auth methods are
+always prefixed with `auth/` in their path. So the GitHub auth method we just
+enabled is accessible at `auth/github`. As another example:
+
+```text
+$ vault auth enable -path=my-github github
+Success! Enabled github auth method at: my-github/
+```
+
+This would make the GitHub auth method accessible at `auth/my-github`. You can
+use `vault path-help` to learn more about the paths.
+
+Next, configure the GitHub auth method. Each auth method has different
+configuration options, so please see the documentation for the full details. In
+this case, the minimal set of configuration is to map teams to policies.
+
+```text
+$ vault write auth/github/config organization=hashicorp
+```
+
+With the GitHub auth method enabled, we first have to configure it. For GitHub,
+we tell it what organization users must be a part of, and map a team to a
+policy:
+
+```text
+$ vault write auth/github/config organization=hashicorp
+Success! Data written to: auth/github/config
+
+$ vault write auth/github/map/teams/my-team value=default,my-policy
+Success! Data written to: auth/github/map/teams/my-team
+```
+
+The first command configures Vault to pull authentication data from the
+"hashicorp" organization on GitHub. The next command tells Vault to map any
+users who are members of the team "my-team" (in the hashicorp organization) to
+map to the policies "default" and "my-policy". These policies do not have to
+exist in the system yet - Vault will just produce a warning when we login.
+
+---
+
+As a user, you may want to find which auth methods are enabled and available:
+
+```text
+$ vault auth list
+Path       Type      Description
+----       ----      -----------
+github/    github    n/a
+token/     token     token based credentials
+```
+
+The `vault auth list` command will list all enabled auth methods. To learn more
+about how to authenticate to a particular auth method via the CLI, use the
+`vault auth help` command with the PATH or TYPE of an auth method:
+
+```text
+$ vault auth help github
+Usage: vault login -method=github [CONFIG K=V...]
+
+  The GitHub auth method allows users to authenticate using a GitHub
+  personal access token. Users can generate a personal access token from the
+  settings page on their GitHub account.
+
+  Authenticate using a GitHub token:
+
+      $ vault login -method=github token=abcd1234
+
+Configuration:
+
+  mount=<string>
+      Path where the GitHub credential method is mounted. This is usually
+      provided via the -path flag in the "vault login" command, but it can be
+      specified here as well. If specified here, it takes precedence over the
+      value for -path. The default value is "github".
+
+  token=<string>
+      GitHub personal access token to use for authentication.
+```
+
+Similarly, you can ask for help information about any CLI auth method, _even if
+it is not enabled_:
+
+```text
+$ vault auth help aws
+$ vault auth help userpass
+$ vault auth help token
+```
+
+As per the help output, authenticate to GitHub using the `vault login` command.
+Enter your [GitHub personal access token][gh-pat] and Vault will authenticate
+you.
+
+```text
+$ vault login -method=github
+GitHub Personal Access Token (will be hidden):
+Success! You are now authenticated. The token information displayed below
+is already stored in the token helper. You do NOT need to run "vault login"
+again. Future Vault requests will automatically use this token.
+
+Key                    Value
+---                    -----
+token                  7efb3969-8743-880f-e234-afca6e12d790
+token_accessor         f7bfb6a3-c41e-eb87-5317-88a0aad200ae
+token_duration         768h
+token_renewable        true
+token_policies         [default my-policy]
+token_meta_org         hashicorp
+token_meta_username    my-user
+```
+
+Success! As the output indicates, Vault has already saved the resulting token in
+its token helper, so you do not need to run `vault login` again. However, this
+new user we just created does not have many permissions in Vault. To continue,
+re-authenticate as the root token:
+
+```text
+$ vault login <initial-root-token>
+```
+
+You can revoke any logins from an auth method using `vault token revoke` with
+the `-mode` argument. For example:
+
+```text
+$ vault token revoke -mode path auth/github
+```
+
+Alternatively, if you want to completely disable the GitHub auth method:
+
+```text
+$ vault auth disable github
+Success! Disabled the auth method (if it existed) at: github/
+```
+
+This will also revoke any logins for that auth method.
+
+## Next
+
+In this page you learned about how Vault authenticates users. You learned about
+the built-in token system as well as enabling other auth methods. At this point
+you know how Vault assigns an _identity_ to a user.
+
+The multiple auth methods Vault provides let you choose the most appropriate
+authentication mechanism for your organization.
+
+In this next section, we'll learn about
+[authorization and policies](/intro/getting-started/policies.html).
+
+[gh-pat]: https://help.github.com/articles/creating-an-access-token-for-command-line-use/
diff --git a/website/pages/intro/getting-started/deploy.mdx b/website/pages/intro/getting-started/deploy.mdx
new file mode 100644
index 000000000000..b2d4f09eb690
--- /dev/null
+++ b/website/pages/intro/getting-started/deploy.mdx
@@ -0,0 +1,269 @@
+---
+layout: intro
+page_title: Deploy Vault - Getting Started
+sidebar_title: Deploy Vault
+description: >-
+  Learn how to deploy Vault into production, how to initialize it, configure it,
+  etc.
+---
+
+# Deploy Vault
+
+Up to this point, we have been working with the "dev" server, which
+automatically authenticated us, setup in-memory storage, etc. Now that you know
+the basics of Vault, it is important to learn how to deploy Vault into a real
+environment.
+
+On this page, we'll cover how to configure Vault, start Vault, the seal/unseal
+process, and scaling Vault.
+
+## Configuring Vault
+
+Vault is configured using [HCL][hcl] files. The configuration file for Vault is
+relatively simple:
+
+```hcl
+storage "consul" {
+  address = "127.0.0.1:8500"
+  path    = "vault/"
+}
+
+listener "tcp" {
+ address     = "127.0.0.1:8200"
+ tls_disable = 1
+}
+```
+
+Within the configuration file, there are two primary configurations:
+
+- `storage` - This is the physical backend that Vault uses for storage. Up to
+  this point the dev server has used "inmem" (in memory), but the example above
+  uses [Consul](https://www.consul.io), a much more production-ready backend.
+
+- `listener` - One or more listeners determine how Vault listens for API
+  requests. The example above listens on localhost port 8200 without TLS. In
+  your environment set `VAULT_ADDR=http://127.0.0.1:8200` so the Vault client
+  will connect without TLS.
+
+For now, copy and paste the configuration above to a file called `config.hcl`.
+It will configure Vault to expect an instance of Consul running locally.
+
+Starting a local Consul instance takes only a few minutes. Just follow the
+[Consul Getting Started Guide](https://www.consul.io/intro/getting-started/install.html)
+up to the point where you have installed Consul and started it with this command:
+
+```text
+$ consul agent -dev
+```
+
+## Starting the Server
+
+With the configuration in place, starting the server is simple, as shown below.
+Modify the `-config` flag to point to the proper path where you saved the
+configuration above.
+
+```text
+$ vault server -config=config.hcl
+==> Vault server configuration:
+
+         Log Level: info
+           Storage: consul
+        Listener 1: tcp (addr: "127.0.0.1:8200", tls: "disabled")
+
+==> Vault server started! Log data will stream in below:
+```
+
+-> If you get a warning message about mlock not being supported, that is okay.
+However, you should run Vault on a system that supports mlock for maximum
+security.
+
+Vault outputs some information about its configuration, and then blocks.
+This process should be run using a resource manager such as systemd or
+upstart.
+
+You'll notice that you can't execute any commands. We don't have any
+auth information! When you first setup a Vault server, you have to start
+by _initializing_ it.
+
+On Linux, Vault may fail to start with the following error:
+
+```text
+$ vault server -config=example.hcl
+Error initializing core: Failed to lock memory: cannot allocate memory
+
+This usually means that the mlock syscall is not available.
+Vault uses mlock to prevent memory from being swapped to
+disk. This requires root privileges as well as a machine
+that supports mlock. Please enable mlock on your system or
+disable Vault from using it. To disable Vault from using it,
+set the `disable_mlock` configuration option in your configuration
+file.
+```
+
+For guidance on dealing with this issue, see the discussion of
+`disable_mlock` in [Server Configuration](/docs/configuration/index.html).
+
+## Initializing the Vault
+
+Initialization is the process configuring the Vault. This only happens once when
+the server is started against a new backend that has never been used with Vault
+before. When running in HA mode, this happens once _per cluster_, not _per
+server_.
+
+During initialization, the encryption keys are generated, unseal keys are
+created, and the initial root token is setup. To initialize Vault use `vault operator init`. This is an _unauthenticated_ request, but it only works on brand new
+Vaults with no data:
+
+```text
+$ vault operator init
+Unseal Key 1: E4GnjX+VP9G50uWQNcwpCflzGAMKGR38BbQywgq4I6L8
+Unseal Key 2: PYMxcCOswEYMNz7N6UW53Up6nu6y+SjAPwTJOTtkju3d
+Unseal Key 3: yuJ5cSxC7tSBR5mMVJ/WJ9bfhhfGb+uwWw9FQR0JKILh
+Unseal Key 4: 0vdvEFHM9PHEGMctJrl2ylHqoKQK8DLkfMU6ntmDz6jv
+Unseal Key 5: cI8yglWJX+jPf/yQG7Sg6SPWzy0WyrBPvaFTOAYkPJTx
+
+Initial Root Token: 62421926-81b9-b202-86f8-8850176c0cf3
+
+Vault initialized with 5 key shares and a key threshold of 3. Please securely
+distribute the key shares printed above. When the Vault is re-sealed,
+restarted, or stopped, you must supply at least 3 of these keys to unseal it
+before it can start servicing requests.
+
+Vault does not store the generated master key. Without at least 3 key to
+reconstruct the master key, Vault will remain permanently sealed!
+
+It is possible to generate new unseal keys, provided you have a quorum of
+existing unseal keys shares. See "vault operator rekey" for more information.
+```
+
+Initialization outputs two incredibly important pieces of information:
+the _unseal keys_ and the _initial root token_. This is the
+**only time ever** that all of this data is known by Vault, and also the
+only time that the unseal keys should ever be so close together.
+
+For the purpose of this getting started guide, save all of these keys
+somewhere, and continue. In a real deployment scenario, you would never
+save these keys together. Instead, you would likely use Vault's PGP and
+Keybase.io support to encrypt each of these keys with the users' PGP keys.
+This prevents one single person from having all the unseal keys. Please
+see the documentation on [using PGP, GPG, and Keybase](/docs/concepts/pgp-gpg-keybase.html)
+for more information.
+
+## Seal/Unseal
+
+Every initialized Vault server starts in the _sealed_ state. From
+the configuration, Vault can access the physical storage, but it can't
+read any of it because it doesn't know how to decrypt it. The process
+of teaching Vault how to decrypt the data is known as _unsealing_ the
+Vault.
+
+Unsealing has to happen every time Vault starts. It can be done via
+the API and via the command line. To unseal the Vault, you
+must have the _threshold_ number of unseal keys. In the output above,
+notice that the "key threshold" is 3. This means that to unseal
+the Vault, you need 3 of the 5 keys that were generated.
+
+-> **Note:** Vault does not store any of the unseal key shards. Vault
+uses an algorithm known as
+[Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing)
+to split the master key into shards. Only with the threshold number of keys
+can it be reconstructed and your data finally accessed.
+
+Begin unsealing the Vault:
+
+```text
+$ vault operator unseal
+Unseal Key (will be hidden):
+Key                Value
+---                -----
+Sealed             true
+Total Shares       5
+Unseal Progress    1/3
+Unseal Nonce       786e7190-d1e2-84d2-520c-022efee5b71e
+Version            (version unknown)
+HA Enabled         true
+HA Mode            sealed
+```
+
+After pasting in a valid key and confirming, you'll see that the Vault is still
+sealed, but progress is made. Vault knows it has 1 key out of 3. Due to the
+nature of the algorithm, Vault doesn't know if it has the _correct_ key until
+the threshold is reached.
+
+Also notice that the unseal process is stateful. You can go to another computer,
+use `vault operator unseal`, and as long as it's pointing to the same server,
+that other computer can continue the unseal process. This is incredibly
+important to the design of the unseal process: multiple people with multiple
+keys are required to unseal the Vault. The Vault can be unsealed from multiple
+computers and the keys should never be together. A single malicious operator
+does not have enough keys to be malicious.
+
+Continue with `vault operator unseal` to complete unsealing the Vault. To unseal
+the vault you must use three _different_ keys, the same key repeated will not
+work. As you use keys, as long as they are correct, you should soon see output
+like this:
+
+```text
+$ vault operator unseal
+Unseal Key (will be hidden):
+# ...
+
+$ vault operator unseal
+Unseal Key (will be hidden):
+# ...
+```
+
+When the value for `Sealed` changes to `false`, the Vault is unsealed:
+
+```text
+Key             Value
+---             -----
+Sealed          false <--
+Total Shares    5
+Version         (version unknown)
+Cluster Name    vault-cluster-8a8b2c36
+Cluster ID      34e94a2e-2d8f-c7cc-271d-96fd438ccc6d
+HA Enabled      true
+HA Mode         standby
+HA Cluster      n/a
+```
+
+Feel free to play around with entering invalid keys, keys in different
+orders, etc. in order to understand the unseal process.
+
+Finally, authenticate as the initial root token (it was included in the output
+with the unseal keys):
+
+```text
+$ vault login 14d1316e-78f6-910b-a4cc-9ba6697ec814
+Success! You are now authenticated. The token information displayed below
+is already stored in the token helper. You do NOT need to run "vault login"
+again. Future Vault requests will automatically use this token.
+
+Key                Value
+---                -----
+token              14d1316e-78f6-910b-a4cc-9ba6697ec814
+token_accessor     a8bbcc57-9be6-6584-a7a6-46290962fd33
+token_duration     ∞
+token_renewable    false
+token_policies     [root]
+```
+
+As a root user, you can reseal the Vault with `vault operator seal`. A single
+operator is allowed to do this. This lets a single operator lock down the
+Vault in an emergency without consulting other operators.
+
+When the Vault is sealed again, it clears all of its state (including the
+encryption key) from memory. The Vault is secure and locked down from access.
+
+## Next
+
+You now know how to configure, initialize, and unseal/seal Vault. This is the
+basic knowledge necessary to deploy Vault into a real environment. Once the
+Vault is unsealed, you access it as you have throughout this getting started
+guide (which worked with an unsealed Vault).
+
+Next, we have a [short tutorial](/intro/getting-started/apis.html) on using the
+HTTP APIs to authenticate and access secrets.
+
+[hcl]: https://github.com/hashicorp/hcl
diff --git a/website/pages/intro/getting-started/dev-server.mdx b/website/pages/intro/getting-started/dev-server.mdx
new file mode 100644
index 000000000000..7281889c8933
--- /dev/null
+++ b/website/pages/intro/getting-started/dev-server.mdx
@@ -0,0 +1,117 @@
+---
+layout: intro
+page_title: Starting the Server - Getting Started
+sidebar_title: Starting the Server
+description: 'After installing Vault, the next step is to start the server.'
+---
+
+# Starting the Vault Server
+
+With Vault installed, the next step is to start a Vault server.
+
+Vault operates as a client/server application. The Vault server is the only
+piece of the Vault architecture that interacts with the data storage and
+backends. All operations done via the Vault CLI interact with the server over a
+TLS connection.
+
+In this page, we'll start and interact with the Vault server to understand how
+the server is started.
+
+## Starting the Dev Server
+
+First, we're going to start a Vault _dev server_. The dev server is a built-in,
+pre-configured server that is not very secure but useful for playing with Vault
+locally. Later in this guide we'll configure and start a real server.
+
+To start the Vault dev server, run:
+
+```text
+$ vault server -dev
+==> Vault server configuration:
+
+                     Cgo: disabled
+         Cluster Address: https://127.0.0.1:8201
+              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
+               Log Level: info
+                   Mlock: supported: false, enabled: false
+        Redirect Address: http://127.0.0.1:8200
+                 Storage: inmem
+                 Version: Vault v1.2.3
+             Version Sha: ...
+
+WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
+and starts unsealed with a single unseal key. The root token is already
+authenticated to the CLI, so you can immediately begin using Vault.
+
+You may need to set the following environment variable:
+
+    $ export VAULT_ADDR='http://127.0.0.1:8200'
+
+The unseal key and initial root token are displayed below in case you want to
+seal/unseal the Vault or re-authenticate.
+
+Unseal Key: 1aKM7rNnyW+7Jx1XDAXFswgkRVe+78JB28k/bel90jY=
+Root Token: root
+
+Development mode should NOT be used in production installations!
+
+==> Vault server started! Log data will stream in below:
+
+# ...
+```
+
+You should see output similar to that above. Vault does not fork, so it will
+continue to run in the foreground. Open another shell or terminal tab to run the
+remaining commands.
+
+The dev server stores all its data in-memory (but still encrypted), listens on
+`localhost` without TLS, and automatically unseals and shows you the unseal key
+and root access key. **Do not run a dev server in production!**
+
+With the dev server running, do the following three things before anything else:
+
+1.  Launch a new terminal session.
+
+2.  Copy and run the `export VAULT_ADDR ...` command from the terminal
+    output. This will configure the Vault client to talk to our dev server.
+
+3.  Save the unseal key somewhere. Don't worry about _how_ to save this
+    securely. For now, just save it anywhere.
+
+4.  Do the same as step 3, but with the root token. We'll use this later.
+
+## Verify the Server is Running
+
+As instructed, copy and execute `export VAULT_ADDR='http://127.0.0.1:8200'`.
+
+Verify the server is running by running the `vault status` command. This should
+succeed and exit with exit code 0.
+
+If it ran successfully, the output should look like the below:
+
+```text
+$ vault status
+Key             Value
+---             -----
+Sealed          false
+Total Shares    1
+Version         (version unknown)
+Cluster Name    vault-cluster-81109a1a
+Cluster ID      f6e0aa8a-700e-38b8-5dc5-4265c880b2a1
+HA Enabled      false
+```
+
+If the output looks different, especially if the numbers are different or the
+Vault is sealed, then restart the dev server and try again. The only reason
+these would ever be different is if you're running a dev server from going
+through this guide previously.
+
+We'll cover what this output means later in the guide.
+
+## Next
+
+Congratulations! You've started your first Vault server. We haven't stored
+any secrets yet, but we'll do that in the next section.
+
+Next, we're going to
+[read and write our first secrets](/intro/getting-started/first-secret.html).
diff --git a/website/pages/intro/getting-started/dynamic-secrets.mdx b/website/pages/intro/getting-started/dynamic-secrets.mdx
new file mode 100644
index 000000000000..1f404561a4bc
--- /dev/null
+++ b/website/pages/intro/getting-started/dynamic-secrets.mdx
@@ -0,0 +1,174 @@
+---
+layout: intro
+page_title: Dynamic Secrets - Getting Started
+sidebar_title: Dynamic Secrets
+description: >-
+  On this page we introduce dynamic secrets by showing you how to create AWS
+  access keys with Vault.
+---
+
+# Dynamic Secrets
+
+Now that you've experimented with the `kv` secrets engine, it is time to explore
+another feature of Vault: _dynamic secrets_.
+
+Unlike the `kv` secrets where you had to put data into the store yourself,
+dynamic secrets are generated when they are accessed. Dynamic secrets do not
+exist until they are read, so there is no risk of someone stealing them or
+another client using the same secrets. Because Vault has built-in revocation
+mechanisms, dynamic secrets can be revoked immediately after use, minimizing the
+amount of time the secret existed.
+
+-> **Note:** Before starting this page, please register for an
+[AWS account](https://aws.amazon.com). We won't be using any features that
+cost money, so you shouldn't be charged for anything. However, we are not
+responsible for any charges you may incur.
+
+## Enable the AWS Secrets Engine
+
+Unlike the `kv` secrets engine which is enabled by default, the AWS secrets
+engine must be enabled before use. This step is usually done via configuration
+management.
+
+```text
+$ vault secrets enable -path=aws aws
+Success! Enabled the aws secrets engine at: aws/
+```
+
+The AWS secrets engine is now enabled at `aws/`. As we covered in the previous
+sections, different secrets engines allow for different behavior. In this case,
+the AWS secrets engine generates dynamic, on-demand AWS access credentials.
+
+## Configuring the AWS Secrets Engine
+
+After enabling the AWS secrets engine, you must configure it to authenticate and
+communicate with AWS. This requires privileged account credentials. If you are
+unfamiliar with AWS, use your root account keys.
+
+~> Do not use your root account keys in production. This is a getting started
+guide and is not "best practices" for production installations.
+
+```text
+$ vault write aws/config/root \
+    access_key=AKIAI4SGLQPBX6CSENIQ \
+    secret_key=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
+Success! Data written to: aws/config/root
+```
+
+These credentials are now stored in this AWS secrets engine. The engine will use
+these credentials when communicating with AWS in future requests.
+
+## Creating a Role
+
+The next step is to configure a "role". A "role" in Vault is a human-friendly
+identifier to an action. Think of it as a symlink.
+
+Vault knows how to create an IAM user via the AWS API, but it does not know what
+permissions, groups, and policies you want to attach to that user. This is where
+roles come in - roles map your configuration options to those API calls.
+
+For example, here is an IAM policy that enables all actions on EC2. When Vault
+generates an access key, it will automatically attach this policy. The generated
+access key will have full access to EC2 (as dictated by this policy), but not
+IAM or other AWS services. If you are not familiar with AWS' IAM policies, that
+is okay - just use this one for now.
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "ec2:*",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+As mentioned above, we need to map this policy document to a named role. To do
+that, write to `aws/roles/:name`:
+
+```text
+$ vault write aws/roles/my-role \
+    credential_type=iam_user \
+    policy_document=-<<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "ec2:*",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+Success! Data written to: aws/roles/my-role
+```
+
+Again, we're using a special path here `aws/roles/:name` to write an IAM policy
+to Vault. We just told Vault:
+
+> When I ask for a credential for "my-role", create it and attach the IAM policy `{ "Version": "2012..." }`.
+
+## Generating the Secret
+
+Now that the AWS secrets engine is enabled and configured with a role, we can
+ask Vault to generate an access key pair for that role by reading from
+`aws/creds/:name` where `:name` corresponds to the name of an existing role:
+
+```text
+$ vault read aws/creds/my-role
+Key                Value
+---                -----
+lease_id           aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106e
+lease_duration     768h
+lease_renewable    true
+access_key         AKIAJELUDIANQGRXCTZQ
+secret_key         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
+security_token     <nil>
+```
+
+Success! The access and secret key can now be used to perform any EC2 operations
+within AWS. Notice that these keys are new, they are not the keys you entered
+earlier. If you were to run the command a second time, you would get a new
+access key pair. Each time you read from `aws/creds/:name`, Vault will connect
+to AWS and generate a new IAM user and key pair.
+
+Take careful note of the `lease_id` field in the output. This value is used for
+renewal, revocation, and inspection. Copy this `lease_id` to your clipboard.
+Note that the `lease_id` is the **full path**, not just the UUID at the end.
+
+## Revoking the Secret
+
+Vault will automatically revoke this credential after 768 hours (see
+`lease_duration` in the output), but perhaps we want to revoke it early. Once
+the secret is revoked, the access keys are no longer valid.
+
+To revoke the secret, use `vault lease revoke` with the lease ID that was outputted
+from `vault read` when you ran it:
+
+```text
+$ vault lease revoke aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106
+Success! Revoked lease: aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106e
+```
+
+Done! If you login to your AWS account, you will see that no IAM users exist. If
+you try to use the access keys that were generated, you will find that they no
+longer work.
+
+With such easy dynamic creation and revocation, you can hopefully begin to see
+how easy it is to work with dynamic secrets and ensure they only exist for the
+duration that they are needed.
+
+## Next
+
+On this page we experienced our first dynamic secret, and we also saw the
+revocation system in action. Dynamic secrets are incredibly powerful. As time
+goes on, we expect that more systems will support some sort of API to create
+access credentials, and Vault will be ready to get the most value out of this
+practice.
+
+Before going further, we're going to take a quick detour to learn about the
+[built-in help system](/intro/getting-started/help.html).
diff --git a/website/pages/intro/getting-started/first-secret.mdx b/website/pages/intro/getting-started/first-secret.mdx
new file mode 100644
index 000000000000..206d261eb495
--- /dev/null
+++ b/website/pages/intro/getting-started/first-secret.mdx
@@ -0,0 +1,113 @@
+---
+layout: intro
+page_title: Your First Secret - Getting Started
+sidebar_title: Your First Secret
+description: "With the Vault server running, let's read and write our first secret."
+---
+
+# Your First Secret
+
+Now that the dev server is up and running, let's get straight to it and
+read and write our first secret.
+
+One of the core features of Vault is the ability to read and write
+arbitrary secrets securely. On this page, we'll do this using the CLI,
+but there is also a complete
+[HTTP API](/api/index.html)
+that can be used to programmatically do anything with Vault.
+
+Secrets written to Vault are encrypted and then written to backend
+storage. For our dev server, backend storage is in-memory, but in production
+this would more likely be on disk or in [Consul](https://www.consul.io).
+Vault encrypts the value before it is ever handed to the storage driver.
+The backend storage mechanism _never_ sees the unencrypted value and doesn't
+have the means necessary to decrypt it without Vault.
+
+## Writing a Secret
+
+Let's start by writing a secret. This is done very simply with the
+`vault kv` command, as shown below:
+
+```text
+$ vault kv put secret/hello foo=world
+Success! Data written to: secret/hello
+```
+
+This writes the pair `foo=world` to the path `secret/hello`. We'll
+cover paths in more detail later, but for now it is important that the
+path is prefixed with `secret/`, otherwise this example won't work. The
+`secret/` prefix is where arbitrary secrets can be read and written.
+
+You can even write multiple pieces of data, if you want:
+
+```text
+$ vault kv put secret/hello foo=world excited=yes
+Success! Data written to: secret/hello
+```
+
+`vault kv put` is a very powerful command. In addition to writing data
+directly from the command-line, it can read values and key pairs from
+`STDIN` as well as files. For more information, see the
+[command documentation](/docs/commands/index.html).
+
+~> **Warning:** The documentation uses the `key=value` based entry
+throughout, but it is more secure to use files if possible. Sending
+data via the CLI is often logged in shell history. For real secrets,
+please use files. See the link above about reading in from `STDIN` for more information.
+
+## Getting a Secret
+
+As you might expect, secrets can be gotten with `vault get`:
+
+```text
+$ vault kv get secret/hello
+Key                 Value
+---                 -----
+refresh_interval    768h
+excited             yes
+foo                world
+```
+
+As you can see, the values we wrote are given back to us. Vault gets
+the data from storage and decrypts it.
+
+The output format is purposefully whitespace separated to make it easy
+to pipe into a tool like `awk`.
+
+This contains some extra information. Many secrets engines create leases for
+secrets that allow time-limited access to other systems, and in those cases
+`lease_id` would contain a lease identifier and `lease_duration` would contain
+the length of time for which the lease is valid, in seconds.
+
+Optional JSON output is very useful for scripts. For example below we use the
+`jq` tool to extract the value of the `excited` secret:
+
+```text
+$ vault kv get -format=json secret/hello | jq -r .data.data.excited
+yes
+```
+
+When supported, you can also get a field directly:
+
+```text
+$ vault kv get -field=excited secret/hello
+yes
+```
+
+## Deleting a Secret
+
+Now that we've learned how to read and write a secret, let's go ahead
+and delete it. We can do this with `vault delete`:
+
+```text
+$ vault kv delete secret/hello
+Success! Data deleted (if it existed) at: secret/hello
+```
+
+## Next
+
+In this section we learned how to use the powerful CRUD features of
+Vault to store arbitrary secrets. On its own this is already a useful
+but basic feature.
+
+Next, we'll learn the basics about [secrets engines](/intro/getting-started/secrets-engines.html).
diff --git a/website/pages/intro/getting-started/help.mdx b/website/pages/intro/getting-started/help.mdx
new file mode 100644
index 000000000000..50e48808bd53
--- /dev/null
+++ b/website/pages/intro/getting-started/help.mdx
@@ -0,0 +1,118 @@
+---
+layout: intro
+page_title: Built-in Help - Getting Started
+sidebar_title: Built-in Help
+description: >-
+  Vault has a built-in help system to learn about the available paths in Vault
+  and how to use them.
+---
+
+# Built-in Help
+
+You've now worked with `vault write` and `vault read` for multiple paths: the
+`kv` secrets engine with `kv/` and dynamic AWS credentials with the AWS secrets
+engine provider at `aws/`. In both cases, the structure and usage of each
+secrets engines differed, for example the AWS backend has special paths like
+`aws/config`.
+
+Instead of having to memorize or reference documentation constantly to determine
+what paths to use, Vault has a built-in help system. This help system can be
+accessed via the API or the command-line and generates human-readable help for
+any path.
+
+## Secrets Engines Overview
+
+This section assumes you have the AWS secrets engine enabled at `aws/`. If you
+do not, enable it before continuing:
+
+```text
+$ vault secrets enable -path=aws aws
+```
+
+With the secrets engine enabled, learn about it with the `vault path-help`
+command:
+
+```text
+$ vault path-help aws
+## DESCRIPTION
+
+The AWS backend dynamically generates AWS access keys for a set of
+IAM policies. The AWS access keys have a configurable lease set and
+are automatically revoked at the end of the lease.
+
+After mounting this backend, credentials to generate IAM keys must
+be configured with the "root" path and policies must be written using
+the "roles/" endpoints before any access keys can be generated.
+
+## PATHS
+
+The following paths are supported by this backend. To view help for
+any of the paths below, use the help command with any route matching
+the path pattern. Note that depending on the policy of your auth token,
+you may or may not be able to access certain paths.
+
+    ^config/lease$
+        Configure the default lease information for generated credentials.
+
+    ^config/root$
+        Configure the root credentials that are used to manage IAM.
+
+    ^creds/(?P<name>\w+)$
+        Generate an access key pair for a specific role.
+
+    ^roles/(?P<name>\w+)$
+        Read and write IAM policies that access keys can be made for.
+```
+
+The `vault path-help` command takes a path. By specifying a root path, it will
+give us the overview of that secrets engine. Notice how the help not only
+contains a description, but also the exact regular expressions used to match
+routes for this backend along with a brief description of what the route is for.
+
+## Path Help
+
+After seeing the overview, we can continue to dive deeper by getting help for an
+individual path. For this, just use `vault path-help` with a path that would
+match the regular expression for that path. Note that the path doesn't need to
+actually _work_. For example, we'll get the help below for accessing
+`aws/creds/my-non-existent-role`, even though we never created the role:
+
+```text
+$ vault path-help aws/creds/my-non-existent-role
+Request:        creds/my-non-existent-role
+Matching Route: ^creds/(?P<name>\w(([\w-.]+)?\w)?)$
+
+Generate an access key pair for a specific role.
+
+## PARAMETERS
+
+    name (string)
+        Name of the role
+
+## DESCRIPTION
+
+This path will generate a new, never before used key pair for
+accessing AWS. The IAM policy used to back this key pair will be
+the "name" parameter. For example, if this backend is mounted at "aws",
+then "aws/creds/deploy" would generate access keys for the "deploy" role.
+
+The access keys will have a lease associated with them. The access keys
+can be revoked by using the lease ID.
+```
+
+Within a path, we are given the parameters that this path requires. Some
+parameters come from the route itself. In this case, the `name` parameter is a
+named capture from the route regular expression. There is also a description of
+what that path does.
+
+Go ahead and explore more paths! Enable other secrets engines, traverse their
+help systems, and learn about what they do.
+
+## Next
+
+The help system may not be the most exciting feature of Vault, but it is
+indispensable in day-to-day usage. The help system lets you learn about how to
+use any backend within Vault without leaving the command line.
+
+Next, we will learn about
+[authentication](/intro/getting-started/authentication.html).
diff --git a/website/pages/intro/getting-started/index.mdx b/website/pages/intro/getting-started/index.mdx
new file mode 100644
index 000000000000..1f694fe0745f
--- /dev/null
+++ b/website/pages/intro/getting-started/index.mdx
@@ -0,0 +1,96 @@
+---
+layout: intro
+page_title: Install Vault - Getting Started
+sidebar_title: Getting Started
+description: The first step to using Vault is to get it installed.
+---
+
+# Install Vault
+
+Vault must first be installed on your machine. Vault is distributed as
+a [binary package](/downloads.html) for all supported platforms and
+architectures. This page will not cover how to compile Vault from source,
+but compiling from source is covered in the [documentation](/docs/install/index.html)
+for those who want to be sure they're compiling source they trust into
+the final binary.
+
+## Installing Vault
+
+To install Vault, find the [appropriate package](/downloads.html) for
+your system and download it. Vault is packaged as a zip archive.
+
+After downloading Vault, unzip the package. Vault runs as a single binary
+named `vault`. Any other files in the package can be safely removed and
+Vault will still function.
+
+The final step is to make sure that the `vault` binary is available on the `PATH`.
+See [this page](https://stackoverflow.com/questions/14637979/how-to-permanently-set-path-on-linux)
+for instructions on setting the PATH on Linux and Mac.
+[This page](https://stackoverflow.com/questions/1618280/where-can-i-set-path-to-make-exe-on-windows)
+contains instructions for setting the PATH on Windows.
+
+## Verifying the Installation
+
+After installing Vault, verify the installation worked by opening a new
+terminal session and checking that the `vault` binary is available. By executing
+`vault`, you should see help output similar to the following:
+
+```text
+$ vault
+Usage: vault <command> [args]
+
+Common commands:
+    read        Read data and retrieves secrets
+    write       Write data, configuration, and secrets
+    delete      Delete secrets and configuration
+    list        List data or secrets
+    login       Authenticate locally
+    server      Start a Vault server
+    status      Print seal and HA status
+    unwrap      Unwrap a wrapped secret
+
+Other commands:
+    audit          Interact with audit devices
+    auth           Interact with auth methods
+    lease          Interact with leases
+    operator       Perform operator-specific tasks
+    path-help      Retrieve API help for paths
+    policy         Interact with policies
+    secrets        Interact with secrets engines
+    ssh            Initiate an SSH session
+    token          Interact with tokens
+```
+
+If you get an error that the binary could not be found, then your `PATH`
+environment variable was not setup properly. Please go back and ensure that your
+`PATH` variable contains the directory where Vault was installed.
+
+Otherwise, Vault is installed and ready to go!
+
+## Command Completion
+
+Vault also includes command-line completion for subcommands, flags, and path
+arguments where supported. To install command-line completion, you must be using
+Bash, ZSH or Fish. Unfortunately other shells are not supported at this time.
+
+To install completions, run:
+
+```sh
+$ vault -autocomplete-install
+```
+
+This will automatically install the helpers in your `~/.bashrc` or `~/.zshrc`, or to
+`~/.config/fish/completions/vault.fish` for Fish users. Then restart your terminal
+or reload your shell:
+
+```sh
+$ exec $SHELL
+```
+
+Now when you type `vault <tab>`, Vault will suggest options. This is very
+helpful for beginners and advanced Vault users.
+
+## Next
+
+Now Vault is installed we can start our first Vault server! [Let's do
+that now](/intro/getting-started/dev-server.html).
diff --git a/website/pages/intro/getting-started/next-steps.mdx b/website/pages/intro/getting-started/next-steps.mdx
new file mode 100644
index 000000000000..0f2f73bec074
--- /dev/null
+++ b/website/pages/intro/getting-started/next-steps.mdx
@@ -0,0 +1,21 @@
+---
+layout: intro
+page_title: Next Steps - Getting Started
+sidebar_title: Next Steps
+description: >-
+  After completing the getting started guide, learn about what to do next with
+  Vault.
+---
+
+# Next Steps
+
+That concludes the getting started guide for Vault. Hopefully you're
+excited about the possibilities of Vault and ready to put this knowledge
+to use to improve your environment.
+
+We've covered the basics of all the core features of Vault in this guide.
+Due to the importance of securing secrets, we recommend reading the following
+as next steps.
+
+- [Documentation](/docs/index.html) - The documentation is an in-depth
+  reference guide to all the features of Vault.
diff --git a/website/pages/intro/getting-started/policies.mdx b/website/pages/intro/getting-started/policies.mdx
new file mode 100644
index 000000000000..e3637ec5fbf1
--- /dev/null
+++ b/website/pages/intro/getting-started/policies.mdx
@@ -0,0 +1,229 @@
+---
+layout: intro
+page_title: Policies - Getting Started
+sidebar_title: Policies
+description: Policies in Vault control what a user can access.
+---
+
+# Policies
+
+Policies in Vault control what a user can access. In the last section, we
+learned about _authentication_. This section is about _authorization_.
+
+For authentication Vault has multiple options or methods that can be enabled and
+used. For authorization and policies Vault always uses the same format. All auth
+methods map identities back to the core policies that are configured with Vault.
+
+There are some built-in policies that cannot be removed. For example, the `root`
+and `default` policies are required policies and cannot be deleted. The
+`default` policy provides a common set of permissions and is included on all
+tokens by default. The `root` policy gives a token super admin permissions,
+similar to a root user on a linux machine.
+
+## Policy Format
+
+Policies are authored in [HCL][hcl], but it is JSON compatible. Here is an
+example policy:
+
+```hcl
+# Normal servers have version 1 of KV mounted by default, so will need these
+# paths:
+path "secret/*" {
+  capabilities = ["create"]
+}
+path "secret/foo" {
+  capabilities = ["read"]
+}
+
+# Dev servers have version 2 of KV mounted by default, so will need these
+# paths:
+path "secret/data/*" {
+  capabilities = ["create"]
+}
+path "secret/data/foo" {
+  capabilities = ["read"]
+}
+```
+
+With this policy, a user could write any secret to `secret/`, except to
+`secret/foo`, where only read access is allowed. Policies default to deny, so
+any access to an unspecified path is not allowed.
+
+Do not worry about getting the exact policy format correct. Vault includes a
+command that will format the policy automatically according to specification. It
+also reports on any syntax errors.
+
+```text
+$ vault policy fmt my-policy.hcl
+```
+
+The policy format uses a prefix matching system on the API path to determine
+access control. The most specific defined policy is used, either an exact match
+or the longest-prefix glob match. Since everything in Vault must be accessed via
+the API, this gives strict control over every aspect of Vault, including
+enabling secrets engines, enabling auth methods, authenticating, as well as
+secret access.
+
+## Writing the Policy
+
+To write a policy using the command line, specify the path to a policy file to
+upload.
+
+```text
+$ vault policy write my-policy my-policy.hcl
+Success! Uploaded policy: my-policy
+```
+
+Here is an example you can copy-paste in the terminal:
+
+```text
+$ vault policy write my-policy -<<EOF
+# Normal servers have version 1 of KV mounted by default, so will need these
+# paths:
+path "secret/*" {
+  capabilities = ["create"]
+}
+path "secret/foo" {
+  capabilities = ["read"]
+}
+
+# Dev servers have version 2 of KV mounted by default, so will need these
+# paths:
+path "secret/data/*" {
+  capabilities = ["create"]
+}
+path "secret/data/foo" {
+  capabilities = ["read"]
+}
+EOF
+```
+
+To see the list of policies, run:
+
+```text
+$ vault policy list
+default
+my-policy
+root
+```
+
+To view the contents of a policy, run:
+
+```text
+$ vault policy read my-policy
+# Normal servers have version 1 of KV mounted by default, so will need these
+# paths:
+path "secret/*" {
+  capabilities = ["create"]
+}
+...
+```
+
+## Testing the Policy
+
+To use the policy, create a token and assign it to that policy:
+
+```text
+$ vault token create -policy=my-policy
+Key                Value
+---                -----
+token              a4ebda12-23bf-5cf4-f80e-803ee2f37aab
+token_accessor     aba6256e-401e-9591-31b2-a27048cb15ed
+token_duration     768h
+token_renewable    true
+token_policies     [default my-policy]
+
+$ vault login a4ebda12-23bf-5cf4-f80e-803ee2f37aab
+Success! You are now authenticated. The token information displayed below
+is already stored in the token helper. You do NOT need to run "vault login"
+again. Future Vault requests will automatically use this token.
+
+Key                Value
+---                -----
+token              a4ebda12-23bf-5cf4-f80e-803ee2f37aab
+token_accessor     aba6256e-401e-9591-31b2-a27048cb15ed
+token_duration     767h59m18s
+token_renewable    true
+token_policies     [default my-policy]
+```
+
+Verify that you can write any data to `secret/`, but only read from
+`secret/foo`:
+
+### Dev servers
+
+```text
+$ vault kv put secret/bar robot=beepboop
+Key              Value
+---              -----
+created_time     2018-05-22T18:05:42.537496856Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+$ vault kv put secret/foo robot=beepboop
+Error writing data to secret/data/foo: Error making API request.
+
+URL: PUT http://127.0.0.1:8200/v1/secret/data/foo
+Code: 403. Errors:
+
+* permission denied
+```
+
+### Non-dev servers
+
+```text
+$ vault kv put secret/bar robot=beepboop
+Success! Data written to: secret/bar
+
+$ vault kv put secret/foo robot=beepboop
+Error writing data to secret/foo: Error making API request.
+
+URL: PUT http://127.0.0.1:8200/v1/secret/foo
+Code: 403. Errors:
+
+* permission denied
+```
+
+You also do not have access to `sys` according to the policy, so commands like
+`vault policy list` or `vault secrets list` will not work. Re-authenticate as
+the initial root token to continue:
+
+```text
+$ vault login <initial-root-token>
+```
+
+## Mapping Policies to Auth Methods
+
+Vault is the single policy authority, unlike auth where you can enable multiple
+auth methods. Any enabled auth method must map identities to these core
+policies.
+
+We use the `vault path-help` system with your auth method to determine how the
+mapping is done, since it is specific to each auth method. For example, with
+GitHub, it is done by team using the `map/teams/<team>` path:
+
+```text
+$ vault write auth/github/map/teams/default value=my-policy
+Success! Data written to: auth/github/map/teams/default
+```
+
+For GitHub, the `default` team is the default policy set that everyone is
+assigned to no matter what team they're on.
+
+Other auth methods use alternate, but likely similar mechanisms for mapping
+policies to identity.
+
+## Next
+
+Policies are an important part of Vault. While using the root token is easiest
+to get up and running, you will want to restrict access to Vault very quickly,
+and the policy system is the way to do this.
+
+The syntax and function of policies is easy to understand and work with, and
+because auth methods all must map to the central policy system, you only have to
+learn this policy system.
+
+Next, we will cover how to [deploy Vault](/intro/getting-started/deploy.html).
+
+[hcl]: https://github.com/hashicorp/hcl
diff --git a/website/pages/intro/getting-started/secrets-engines.mdx b/website/pages/intro/getting-started/secrets-engines.mdx
new file mode 100644
index 000000000000..2964ed8407a9
--- /dev/null
+++ b/website/pages/intro/getting-started/secrets-engines.mdx
@@ -0,0 +1,145 @@
+---
+layout: intro
+page_title: Secrets Engines - Getting Started
+sidebar_title: Secrets Engines
+description: 'secrets engines are what create, read, update, and delete secrets.'
+---
+
+# Secrets Engines
+
+Previously, we saw how to read and write arbitrary secrets to Vault. You may
+have noticed all requests started with `secret/`. Try using a different prefix -
+Vault will return an error:
+
+```text
+$ vault write foo/bar a=b
+# ...
+* no handler for route 'foo/bar'
+```
+
+The path prefix tells Vault which secrets engine it should route
+traffic to. When a request comes to Vault, it matches the initial path part using a
+longest prefix match and then passes the request to the corresponding secrets
+engine enabled at that path.
+
+By default, Vault enables a secrets engine called `kv` at the path `secret/`.
+The kv secrets engine reads and writes raw data to the backend storage.
+
+Vault supports many other secrets engines besides `kv`, and this feature makes
+Vault flexible and unique. For example, the `aws` secrets engine generates AWS
+IAM access keys on demand. The `database` secrets engine generates on-demand,
+time-limited database credentials. These are just a few examples of the many
+available secrets engines.
+
+For simplicity and familiarity, Vault presents these secrets engines similar to
+a filesystem. A secrets engine is enabled at a path. Vault itself performs
+prefix routing on incoming requests and routes the request to the correct
+secrets engine based on the path at which they were enabled.
+
+This page discusses secrets engines and the operations they support. This
+information is important to both operators who will configure Vault and users
+who will interact with Vault.
+
+## Enable a Secrets Engine
+
+To get started, enable another instance of the `kv` secrets engine at a
+different path. Just like a filesystem, Vault can enable a secrets engine at
+many different paths. Each path is completely isolated and cannot talk to other
+paths. For example, a `kv` secrets engine enabled at `foo` has no ability to
+communicate with a `kv` secrets engine enabled at `bar`.
+
+```text
+$ vault secrets enable -path=kv kv
+Success! Enabled the kv secrets engine at: kv/
+```
+
+The path where the secrets engine is enabled defaults to the name of the secrets engine. Thus, the following commands are actually equivalent:
+
+```text
+$ vault secrets enable -path=kv kv
+$ vault secrets enable kv
+```
+
+To verify our success and get more information about the secrets engine, use the
+`vault secrets list` command:
+
+```text
+$ vault secrets list
+Path          Type         Description
+----          ----         -----------
+cubbyhole/    cubbyhole    per-token private secret storage
+kv/           kv           n/a
+secret/       kv           key/value secret storage
+sys/          system       system endpoints used for control, policy and debugging
+```
+
+This shows there are 4 enabled secrets engines on this Vault server. You can see
+the type of the secrets engine, the corresponding path, and an optional
+description (or "n/a" if none was given).
+
+~> The `sys/` path corresponds to the system backend. While the system backend
+is not specifically discussed in this guide, there is plentiful documentation on
+the system backend. Many of these operations interact with Vault's core system
+and is not required for beginners.
+
+Take a few moments to read and write some data to the new `kv` secrets engine
+enabled at `kv/`. Here are a few ideas to get started:
+
+```text
+$ vault write kv/my-secret value="s3c(eT"
+
+$ vault write kv/hello target=world
+
+$ vault write kv/airplane type=boeing class=787
+
+$ vault list kv
+```
+
+## Disable a Secrets Engine
+
+When a secrets engine is no longer needed, it can be disabled. When a secrets
+engine is disabled, all secrets are revoked and the corresponding Vault data and
+configuration is removed. Any requests to route data to the original path would
+result in an error, but another secrets engine could now be enabled at that
+path.
+
+If, for some reason, Vault is unable to delete the data or revoke the leases,
+the disabling operation will fail. If this happens, the secrets engine will
+remain enabled and available, but the request will return an error.
+
+```text
+$ vault secrets disable kv/
+Success! Disabled the secrets engine (if it existed) at: kv/
+```
+
+Note that this command takes a PATH to the secrets engine as an argument, not
+the TYPE of the secrets engine.
+
+In addition to disabling a secrets engine, it is also possible to "move" a
+secrets engine to a new path. This is still a disruptive command. All
+configuration data is retained, but any secrets are revoked, since secrets are
+closely tied to their engine's paths.
+
+## What is a Secrets Engine?
+
+Now that you've successfully enabled and disabled a secrets engine... what is
+it? What is the point of a secrets engine?
+
+As mentioned above, Vault behaves similarly to a [virtual filesystem][vfs]. The
+read/write/delete/list operations are forwarded to the corresponding secrets
+engine, and the secrets engine decides how to react to those operations.
+
+This abstraction is incredibly powerful. It enables Vault to interface directly
+with physical systems, databases, HSMs, etc. But in addition to these physical
+systems, Vault can interact with more unique environments like AWS IAM, dynamic
+SQL user creation, etc. all while using the same read/write interface.
+
+## Next
+
+You now know about secrets engines and how to operate on them. This is important
+knowledge to move forward and learn about other secrets engines.
+
+Next, we'll use the AWS backend to
+[generate dynamic secrets](/intro/getting-started/dynamic-secrets.html).
+
+[vfs]: https://en.wikipedia.org/wiki/Virtual_file_system
diff --git a/website/pages/intro/index.mdx b/website/pages/intro/index.mdx
new file mode 100644
index 000000000000..ef8c79e458a5
--- /dev/null
+++ b/website/pages/intro/index.mdx
@@ -0,0 +1,3 @@
+---
+layout: intro
+---
diff --git a/website/pages/partials/tokenfields.mdx b/website/pages/partials/tokenfields.mdx
new file mode 100644
index 000000000000..dee05ab23052
--- /dev/null
+++ b/website/pages/partials/tokenfields.mdx
@@ -0,0 +1,11 @@
+- `token_ttl` `(integer: 0 or string: "")` - The incremental lifetime for
+  generated tokens. This current value of this will be referenced at renewal
+  time.
+- `token_max_ttl` `(integer: 0 or string: "")` - The maximum lifetime for
+  generated tokens. This current value of this will be referenced at renewal
+  time.
+- `token_policies` `(array: [] or comma-delimited string: "")` - List of
+  policies to encode onto generated tokens. Depending on the auth method, this
+  list may be supplemented by user/group/other values.
+
+@include 'partials/tokenstorefields.mdx'
diff --git a/website/pages/partials/tokenstorefields.mdx b/website/pages/partials/tokenstorefields.mdx
new file mode 100644
index 000000000000..e0a1905419fc
--- /dev/null
+++ b/website/pages/partials/tokenstorefields.mdx
@@ -0,0 +1,22 @@
+- `token_bound_cidrs` `(array: [] or comma-delimited string: "")` - List of
+  CIDR blocks; if set, specifies blocks of IP addresses which can authenticate
+  successfully, and ties the resulting token to these blocks as well.
+- `token_explicit_max_ttl` `(integer: 0 or string: "")` - If set, will encode
+  an [explicit max
+  TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+  onto the token. This is a hard cap even if `token_ttl` and `token_max_ttl`
+  would otherwise allow a renewal.
+- `token_no_default_policy` `(bool: false)` - If set, the `default` policy will
+  not be set on generated tokens; otherwise it will be added to the policies set
+  in `token_policies`.
+- `token_num_uses` `(integer: 0)` - The maximum number of times a generated
+  token may be used (within its lifetime); 0 means unlimited.
+- `token_period` `(integer: 0 or string: "")` - The
+  [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
+  if any, to set on the token.
+- `token_type` `(string: "")` - The type of token that should be generated. Can
+  be `service`, `batch`, or `default` to use the mount's tuned default (which
+  unless changed will be `service` tokens). For token store roles, there are two
+  additional possibilities: `default-service` and `default-batch` which specify
+  the type to return unless the client requests a different type at generation
+  time.
diff --git a/website/pages/style.css b/website/pages/style.css
new file mode 100644
index 000000000000..f705566be72e
--- /dev/null
+++ b/website/pages/style.css
@@ -0,0 +1,166 @@
+/* Global Component Styles */
+@import '~@hashicorp/react-global-styles/style.css';
+@import '~@hashicorp/react-global-styles/code-highlighting.css';
+@import '~@hashicorp/react-global-styles/custom-properties/color.css';
+@import '~@hashicorp/react-global-styles/custom-properties/font.css';
+@import '~@hashicorp/react-global-styles/_temporary-to-remove/layout.css';
+
+:root {
+  --highlight-color: var(--brand);
+}
+
+@import '~@hashicorp/react-newsletter-signup-form/dist/style.css';
+@import '~@hashicorp/react-text-input/dist/style.css';
+@import '~@hashicorp/react-button/dist/style.css';
+@import '~@hashicorp/react-footer/dist/style.css';
+@import '~@hashicorp/react-consent-manager/dist/style.css';
+@import '~@hashicorp/react-checkbox-input/dist/style.css';
+@import '~@hashicorp/react-hero/dist/style.css';
+@import '~@hashicorp/react-section-header/dist/style.css';
+@import '~@hashicorp/react-use-cases/dist/style.css';
+@import '~@hashicorp/react-logo-grid/dist/style.css';
+@import '~@hashicorp/react-product-downloader/dist/style.css';
+@import '~@hashicorp/react-vertical-text-block-list/dist/style.css';
+@import '~@hashicorp/react-docs-sidenav/dist/style.css';
+@import '~@hashicorp/react-case-study-slider/dist/style.css';
+@import '~@hashicorp/react-content/dist/style.css';
+@import '~@hashicorp/react-text-and-content/dist/style.css';
+@import '~@hashicorp/react-code-block/dist/style.css';
+@import '~@hashicorp/react-consent-manager/dist/style.css';
+
+/* Global Components - Transpiled */
+@import '~@hashicorp/react-mega-nav/style.css';
+
+/* Local Components */
+@import '../components/docs-page/style.css';
+@import '../components/before-after-diagram/style.css';
+@import '../components/use-case-cta-section/style.css';
+@import '../components/subnav/style.css';
+
+/* Pages */
+@import './downloads/style.css';
+@import './community/style.css';
+@import './use-cases/style.css';
+
+/* Layout Styles */
+.g-section-block section {
+  padding-top: 96px;
+  padding-bottom: 96px;
+}
+
+.g-section-block section > .g-section-header + *,
+.g-section-block section > .g-container > .g-section-header + * {
+  margin-top: 72px;
+}
+
+.g-section-block section > * + *,
+.g-section-block section > .g-container > * + * {
+  margin-top: 96px;
+}
+
+.g-section-block .button-container {
+  display: -webkit-box;
+  display: flex;
+  flex-wrap: wrap;
+  -webkit-box-pack: center;
+  justify-content: center;
+  margin: auto -8px -16px;
+}
+
+.g-section-block section > * + .button-container,
+.g-section-block section > .g-container > * + .button-container {
+  margin-top: 40px;
+}
+
+.g-section-block .button-container > * {
+  margin: auto 8px 16px;
+}
+
+.g-section-block.theme-black-background-white-text {
+  background: var(--gray-1);
+  color: white;
+}
+
+/* Web Fonts */
+@font-face {
+  font-family: 'klavika-web';
+  src: url('/fonts/klavika/medium.woff2') format('woff2'),
+    url('/fonts/klavika/medium.woff') format('woff');
+  font-weight: 700;
+  font-style: normal;
+}
+
+/* Display Font (Gilmer) */
+@font-face {
+  font-family: 'gilmer-web';
+  src: url('/fonts/gilmer/light.woff2') format('woff2'),
+    url('/fonts/gilmer/light.woff') format('woff');
+  font-weight: 300;
+  font-style: normal;
+}
+
+@font-face {
+  font-family: 'gilmer-web';
+  src: url('/fonts/gilmer/regular.woff2') format('woff2'),
+    url('/fonts/gilmer/regular.woff') format('woff');
+  font-weight: 400;
+  font-style: normal;
+}
+
+@font-face {
+  font-family: 'gilmer-web';
+  src: url('/fonts/gilmer/medium.woff2') format('woff2'),
+    url('/fonts/gilmer/medium.woff') format('woff');
+  font-weight: 500;
+  font-style: normal;
+}
+
+@font-face {
+  font-family: 'gilmer-web';
+  src: url('/fonts/gilmer/bold.woff2') format('woff2'),
+    url('/fonts/gilmer/bold.woff') format('woff');
+  font-weight: 700;
+  font-style: normal;
+}
+
+/* Body Font (Metro) */
+@font-face {
+  font-family: 'metro-web';
+  src: url('/fonts/metro-sans/book.woff2') format('woff2'),
+    url('/fonts/metro-sans/book.woff') format('woff');
+  font-weight: 300;
+  font-style: normal;
+}
+
+@font-face {
+  font-family: 'metro-web';
+  src: url('/fonts/metro-sans/regular.woff2') format('woff2'),
+    url('/fonts/metro-sans/regular.woff') format('woff');
+  font-weight: 400;
+  font-style: normal;
+}
+
+@font-face {
+  font-family: 'metro-web';
+  src: url('/fonts/metro-sans/semi-bold.woff2') format('woff2'),
+    url('/fonts/metro-sans/semi-bold.woff') format('woff');
+  font-weight: 600;
+  font-style: normal;
+}
+
+@font-face {
+  font-family: 'metro-web';
+  src: url('/fonts/metro-sans/bold.woff2') format('woff2'),
+    url('/fonts/metro-sans/bold.woff') format('woff');
+  font-weight: 700;
+  font-style: normal;
+}
+
+/* Code Font (Deja Vu) */
+@font-face {
+  font-family: 'dejavu-sans-mono-web';
+  src: url('/fonts/dejavu/mono.woff2') format('woff2'),
+    url('/fonts/dejavu/mono.woff') format('woff');
+  font-style: normal;
+  font-weight: 400;
+}
diff --git a/website/pages/use-cases/data-encryption/index.jsx b/website/pages/use-cases/data-encryption/index.jsx
new file mode 100644
index 000000000000..6f37141aeab5
--- /dev/null
+++ b/website/pages/use-cases/data-encryption/index.jsx
@@ -0,0 +1,86 @@
+import SectionHeader from '@hashicorp/react-section-header'
+import Button from '@hashicorp/react-button'
+import TextAndContent from '@hashicorp/react-text-and-content'
+import BeforeAfterDiagram from '../../../components/before-after-diagram'
+import UseCaseCtaSection from '../../../components/use-case-cta-section'
+
+export default function DataEncryptionUseCase() {
+  return (
+    <div id="use-cases" className="g-section-block page-wrap">
+      {/* Header / Buttons */}
+      <section className="g-container">
+        <SectionHeader
+          headline="Encrypt Application Data in Low Trust Networks"
+          description="Keep application data secure with one centralized workflow to encrypt data in flight and at rest"
+          useH1={true}
+        />
+
+        <div className="button-container">
+          <Button title="Download" url="/downloads.html" />
+          <Button title="Get Started" url="/intro" theme="dark-outline" />
+        </div>
+      </section>
+
+      {/* Before/After Diagram */}
+      <section>
+        <div className="g-container">
+          <BeforeAfterDiagram
+            beforeImage={{
+              url:
+                'https://www.datocms-assets.com/2885/1539885046-data-protectionchallenge.svg',
+              format: 'svg'
+            }}
+            beforeHeadline="The Challenge"
+            beforeContent="All application data should be encrypted, but deploying a cryptography and key management infrastructure is expensive, hard to develop against, and not cloud or multi-datacenter friendly"
+            afterImage={{
+              url:
+                'https://www.datocms-assets.com/2885/1539885039-data-protectionsolution.svg',
+              format: 'svg'
+            }}
+            afterHeadline="The Solution"
+            afterContent="Vault provides encryption as a service with centralized key management to simplify encrypting data in transit and at rest across clouds and data centers"
+          />
+        </div>
+      </section>
+
+      {/* Features / Text and content */}
+      <section className="g-container">
+        <SectionHeader headline=" Encryption Features" />
+
+        <TextAndContent
+          data={{
+            text: `### API-driven Encryption
+
+Encrypt application data during transit and rest with AES 256-bit CBC data encryption and TLS in transit.`,
+            content: {
+              __typename: 'SbcImageRecord',
+              image: {
+                url: 'https://www.datocms-assets.com/2885/1539314348-eaas.png',
+                format: 'png'
+              }
+            }
+          }}
+        />
+
+        <TextAndContent
+          data={{
+            reverseDirection: true,
+            text: `### Encryption Key Rolling
+
+Update and roll new keys throughout distributed infrastructure while retaining the ability to decrypt encrypted data`,
+            content: {
+              __typename: 'SbcImageRecord',
+              image: {
+                url:
+                  'https://www.datocms-assets.com/2885/1539314609-encryption-key-rolling.png',
+                format: 'png'
+              }
+            }
+          }}
+        />
+      </section>
+
+      <UseCaseCtaSection />
+    </div>
+  )
+}
diff --git a/website/assets/img/use-cases/identity-based-access/challenge.png b/website/pages/use-cases/identity-based-access/img/challenge.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/challenge.png
rename to website/pages/use-cases/identity-based-access/img/challenge.png
diff --git a/website/assets/img/use-cases/identity-based-access/logos/aws.png b/website/pages/use-cases/identity-based-access/img/logos/aws.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/logos/aws.png
rename to website/pages/use-cases/identity-based-access/img/logos/aws.png
diff --git a/website/assets/img/use-cases/identity-based-access/logos/azure.png b/website/pages/use-cases/identity-based-access/img/logos/azure.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/logos/azure.png
rename to website/pages/use-cases/identity-based-access/img/logos/azure.png
diff --git a/website/assets/img/use-cases/identity-based-access/logos/gcp.png b/website/pages/use-cases/identity-based-access/img/logos/gcp.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/logos/gcp.png
rename to website/pages/use-cases/identity-based-access/img/logos/gcp.png
diff --git a/website/assets/img/use-cases/identity-based-access/logos/kubernetes.png b/website/pages/use-cases/identity-based-access/img/logos/kubernetes.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/logos/kubernetes.png
rename to website/pages/use-cases/identity-based-access/img/logos/kubernetes.png
diff --git a/website/assets/img/use-cases/identity-based-access/logos/nomad.png b/website/pages/use-cases/identity-based-access/img/logos/nomad.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/logos/nomad.png
rename to website/pages/use-cases/identity-based-access/img/logos/nomad.png
diff --git a/website/assets/img/use-cases/identity-based-access/logos/okta.png b/website/pages/use-cases/identity-based-access/img/logos/okta.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/logos/okta.png
rename to website/pages/use-cases/identity-based-access/img/logos/okta.png
diff --git a/website/assets/img/use-cases/identity-based-access/logos/pivotalcf.png b/website/pages/use-cases/identity-based-access/img/logos/pivotalcf.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/logos/pivotalcf.png
rename to website/pages/use-cases/identity-based-access/img/logos/pivotalcf.png
diff --git a/website/assets/img/use-cases/identity-based-access/logos/ssh.png b/website/pages/use-cases/identity-based-access/img/logos/ssh.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/logos/ssh.png
rename to website/pages/use-cases/identity-based-access/img/logos/ssh.png
diff --git a/website/assets/img/use-cases/identity-based-access/screenshot-control-groups.png b/website/pages/use-cases/identity-based-access/img/screenshot-control-groups.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/screenshot-control-groups.png
rename to website/pages/use-cases/identity-based-access/img/screenshot-control-groups.png
diff --git a/website/assets/img/use-cases/identity-based-access/screenshot-entities.png b/website/pages/use-cases/identity-based-access/img/screenshot-entities.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/screenshot-entities.png
rename to website/pages/use-cases/identity-based-access/img/screenshot-entities.png
diff --git a/website/assets/img/use-cases/identity-based-access/screenshot-identity-groups.png b/website/pages/use-cases/identity-based-access/img/screenshot-identity-groups.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/screenshot-identity-groups.png
rename to website/pages/use-cases/identity-based-access/img/screenshot-identity-groups.png
diff --git a/website/assets/img/use-cases/identity-based-access/solution.png b/website/pages/use-cases/identity-based-access/img/solution.png
similarity index 100%
rename from website/assets/img/use-cases/identity-based-access/solution.png
rename to website/pages/use-cases/identity-based-access/img/solution.png
diff --git a/website/pages/use-cases/identity-based-access/index.jsx b/website/pages/use-cases/identity-based-access/index.jsx
new file mode 100644
index 000000000000..8f9a66b487ec
--- /dev/null
+++ b/website/pages/use-cases/identity-based-access/index.jsx
@@ -0,0 +1,192 @@
+import SectionHeader from '@hashicorp/react-section-header'
+import Button from '@hashicorp/react-button'
+import TextAndContent from '@hashicorp/react-text-and-content'
+import BeforeAfterDiagram from '../../../components/before-after-diagram'
+import UseCaseCtaSection from '../../../components/use-case-cta-section'
+
+export default function DataEncryptionUseCase() {
+  return (
+    <div id="use-cases" className="g-section-block page-wrap">
+      {/* Header / Buttons */}
+      <section className="g-container">
+        <SectionHeader
+          headline="Leverage Trusted Identities in Low Trust Networks"
+          description="Authenticate and access different clouds, systems, and endpoints using trusted identities"
+          useH1={true}
+        />
+
+        <div className="button-container">
+          <Button title="Download" url="/downloads.html" />
+          <Button title="Get Started" url="/intro" theme="dark-outline" />
+        </div>
+      </section>
+
+      {/* Before/After Diagram */}
+      <section>
+        <div className="g-container">
+          <BeforeAfterDiagram
+            beforeImage={{
+              url: require('./img/challenge.png'),
+              format: 'png'
+            }}
+            beforeHeadline="The Challenge"
+            beforeContent="With the proliferation of different clouds, services, and systems all with their own identity providers, organizations need a way to manage identity sprawl"
+            afterImage={{
+              url: require('./img/solution.png'),
+              format: 'png'
+            }}
+            afterHeadline="The Solution"
+            afterContent="Vault merges identities across providers and uses a unified ACL system to broker access to systems and secrets"
+          />
+        </div>
+      </section>
+
+      {/* Features / Text and content */}
+      <section className="g-container">
+        <SectionHeader headline="Identity-based Access Features" />
+
+        <div className="g-text-and-content">
+          <div className="text">
+            <div>
+              <h3 id="secure-plugins">Identity Plugins</h3>
+              <p>
+                Improve the extensibility of Vault with pluggable identity
+                backends
+              </p>
+            </div>
+          </div>
+          <div className="content logo-grid">
+            <ul className="g-logo-grid large">
+              {[
+                'aws',
+                'azure',
+                'gcp',
+                'kubernetes',
+                'nomad',
+                'okta',
+                'pivotalcf',
+                'ssh'
+              ].map(logo => (
+                <li key={logo}>
+                  <img
+                    src={require(`./img/logos/${logo}.png`)}
+                    alt="company logo"
+                  />
+                </li>
+              ))}
+            </ul>
+          </div>
+        </div>
+
+        <TextAndContent
+          data={{
+            reverseDirection: true,
+            text: `### Entities
+
+Integrated identities across platforms and using this information for policy and access control decisions.`,
+            content: {
+              __typename: 'SbcImageRecord',
+              image: {
+                url: require('./img/screenshot-entities.png'),
+                format: 'png'
+              }
+            }
+          }}
+        />
+
+        <TextAndContent
+          data={{
+            text: `### Control Groups
+
+Require multiple Identity Entities or members of Identity Groups to authorize an requested action.`,
+            content: {
+              __typename: 'SbcImageRecord',
+              image: {
+                url: require('./img/screenshot-control-groups.png'),
+                format: 'png'
+              }
+            }
+          }}
+        />
+
+        <TextAndContent
+          data={{
+            text: `### ACL Templates and Policy Control
+
+Create and manage policies that authorize access control throughout your infrastructure and organization`,
+            content: {
+              __typename: 'SbcCodeBlockRecord',
+              chrome: true,
+              code: `# User template (user-tmpl.hcl)
+# Grant permissions on user specific path
+
+path "user-kv/data/{{identity.entity.name}}/*" {
+  capabilities = [ "create", "update", "read", "delete", "list" ]
+}
+
+# For Web UI usage
+path "user-kv/metadata" {
+  capabilities = ["list"]
+}
+
+# Group template (group-tmpl.hcl)
+# Grant permissions on the group specific path
+# The region is specified in the group metadata
+path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
+  capabilities = [ "create", "update", "read", "delete", "list" ]
+}
+
+# Group member can update the group information
+path "identity/group/id/{{identity.groups.names.education.id}}" {
+  capabilities = [ "update", "read" ]
+}
+
+# For Web UI usage
+path "group-kv/metadata" {
+  capabilities = ["list"]
+}
+
+path "identity/group/id" {
+  capabilities = [ "list" ]
+}`
+            }
+          }}
+        />
+
+        <TextAndContent
+          data={{
+            reverseDirection: true,
+            text: `### Identity Groups
+
+Group trusted identities into logical groups for group-based access control.`,
+            content: {
+              __typename: 'SbcImageRecord',
+              image: {
+                url: require('./img/screenshot-identity-groups.png'),
+                format: 'png'
+              }
+            }
+          }}
+        />
+
+        <TextAndContent
+          data={{
+            text: `### Multi-factor Authentication
+
+Enforce MFA workflows when accessing a secret or a secret path`,
+            content: {
+              __typename: 'SbcCodeBlockRecord',
+              chrome: true,
+              code: `$ curl \
+--header "X-Vault-Token: ..." \\
+--header "X-Vault-MFA:my_totp:695452" \\
+http://127.0.0.1:8200/v1/secret/foo`
+            }
+          }}
+        />
+      </section>
+
+      <UseCaseCtaSection />
+    </div>
+  )
+}
diff --git a/website/pages/use-cases/secrets-management/index.jsx b/website/pages/use-cases/secrets-management/index.jsx
new file mode 100644
index 000000000000..b2a48cab75b4
--- /dev/null
+++ b/website/pages/use-cases/secrets-management/index.jsx
@@ -0,0 +1,241 @@
+import SectionHeader from '@hashicorp/react-section-header'
+import Button from '@hashicorp/react-button'
+import TextAndContent from '@hashicorp/react-text-and-content'
+import BeforeAfterDiagram from '../../../components/before-after-diagram'
+import UseCaseCtaSection from '../../../components/use-case-cta-section'
+
+export default function SecretsManagmentUseCase() {
+  return (
+    <div id="use-cases" className="g-section-block page-wrap">
+      <section className="g-container">
+        {/* Header / Buttons */}
+
+        <SectionHeader
+          headline="Secrets Management in Low Trust Networks"
+          description="Centrally store, access, and deploy secrets across applications, systems, and infrastructure"
+          useH1={true}
+        />
+
+        <div className="button-container">
+          <Button title="Download" url="/downloads.html" />
+          <Button title="Get Started" url="/intro" theme="dark-outline" />
+        </div>
+      </section>
+
+      {/* Before/After Diagram */}
+
+      <section>
+        <div className="g-container">
+          <BeforeAfterDiagram
+            beforeImage={{
+              url:
+                'https://www.datocms-assets.com/2885/1539885048-secrets-managementchallenge.svg',
+              format: 'svg'
+            }}
+            beforeHeadline="The Challenge"
+            beforeContent="Secrets for applications and systems need to be centralized and static IP-based solutions don't scale in dynamic environments with frequently changing applications and machines"
+            afterImage={{
+              url:
+                'https://www.datocms-assets.com/2885/1539885054-secrets-managementsolution.svg',
+              format: 'svg'
+            }}
+            afterHeadline="The Solution"
+            afterContent="Vault centrally manages and enforces access to secrets and systems based on trusted sources of application and user identity"
+          />
+        </div>
+      </section>
+
+      {/* Case study slider */}
+
+      <section className="g-section-block theme-black-background-white-text">
+        <div className="g-container">
+          <div className="g-case-study-slider">
+            <div className="case-study-container">
+              <div className="slider-container">
+                <div className="slider-frame single">
+                  <div className="case-study">
+                    <div className="feature-image">
+                      <a href="/resources/adobe-100-trillion-transactions-hashicorp-vault">
+                        <picture>
+                          <source
+                            type="image/webp"
+                            srcSet="https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=webp&amp;h=156.25&amp;q=80&amp;w=250 250w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=webp&amp;h=312.5&amp;q=80&amp;w=500 500w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=webp&amp;h=468.75&amp;q=80&amp;w=750 750w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=webp&amp;h=625&amp;q=80&amp;w=1000 1000w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=webp&amp;h=937.5&amp;q=80&amp;w=1500 1500w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=webp&amp;h=1250&amp;q=80&amp;w=2000 2000w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=webp&amp;h=1562.5&amp;q=80&amp;w=2500 2500w"
+                            sizes="100vw"
+                          />
+                          <img
+                            src="https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=jpg&amp;h=312.5&amp;q=80&amp;w=500"
+                            srcSet="https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=jpg&amp;h=156.25&amp;q=80&amp;w=250 250w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=jpg&amp;h=312.5&amp;q=80&amp;w=500 500w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=jpg&amp;h=468.75&amp;q=80&amp;w=750 750w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=jpg&amp;h=625&amp;q=80&amp;w=1000 1000w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=jpg&amp;h=937.5&amp;q=80&amp;w=1500 1500w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=jpg&amp;h=1250&amp;q=80&amp;w=2000 2000w,https://www.datocms-assets.com/2885/1520367019-dan_mcteer_adobe_hashiconf2017.jpg?fit=crop&amp;fm=jpg&amp;h=1562.5&amp;q=80&amp;w=2500 2500w"
+                            sizes="100vw"
+                            alt="Dan McTeer at HashiConf 2017"
+                          />
+                        </picture>
+                      </a>
+                    </div>
+                    <div className="feature-content">
+                      <div className="single-logo">
+                        <img
+                          src="https://www.datocms-assets.com/2885/1539889072-1524097013-adobe-white-1.svg"
+                          alt="Adobe logo"
+                        />
+                      </div>
+                      <h3>
+                        Using Vault to Protect Adobe&apos;s Secrets and User
+                        Data Across Clouds and Datacenters
+                      </h3>
+                      <p>
+                        Securing secrets and application data is a complex task
+                        for globally distributed organizations. For Adobe,
+                        managing secrets for over 20 products across 100,000
+                        hosts, four regions, and trillions of transactions
+                        annually requires a different approach altogether.
+                      </p>
+                      <a
+                        className="g-btn primary-hashicorp-light"
+                        href="/resources/adobe-100-trillion-transactions-hashicorp-vault"
+                      >
+                        Read Case Study
+                      </a>
+                    </div>
+                  </div>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+      </section>
+
+      {/* Features / Text and content */}
+      <section className="g-container">
+        <SectionHeader headline="Secret Management Features" />
+
+        <TextAndContent
+          data={{
+            text: `### Dynamic Secrets
+
+Dynamically create, revoke, and rotate secrets programmatically`,
+            content: {
+              __typename: 'SbcImageRecord',
+              image: {
+                url:
+                  'https://www.datocms-assets.com/2885/1538684923-dynamic-secrets-screenshot.jpg',
+                format: 'jpg',
+                size: 71545,
+                width: 668,
+                height: 504
+              }
+            }
+          }}
+        />
+
+        <TextAndContent
+          data={{
+            reverseDirection: true,
+            text: `### Secret Storage
+
+Encrypt data while at rest, in the storage backend of your choice`,
+            content: {
+              __typename: 'SbcCodeBlockRecord',
+              chrome: true,
+              code: `$ cat vault.config
+storage "consul" {
+    address = "127.0.0.1:8500"
+    path    = "vault"
+}
+listener "tcp" {
+    address = "127.0.0.1:8200"
+}
+telemetry {
+    statsite_address = "127.0.0.1:8125"
+    disable_hostname = true
+}`
+            }
+          }}
+        />
+
+        <div className="g-text-and-content">
+          <div className="text">
+            <div>
+              <h3>Identity Plugins</h3>
+              <p>
+                Improve the extensibility of Vault with pluggable identity
+                backends
+              </p>
+            </div>
+          </div>
+          <div className="content logo-grid">
+            <ul className="g-logo-grid large">
+              {[
+                'https://www.datocms-assets.com/2885/1506540090-color.svg',
+                'https://www.datocms-assets.com/2885/1506540114-color.svg',
+                'https://www.datocms-assets.com/2885/1506527176-color.svg',
+                'https://www.datocms-assets.com/2885/1508434209-consul_primarylogo_fullcolor.svg',
+                'https://www.datocms-assets.com/2885/1510033601-aws_logo_rgb_fullcolor.svg',
+                'https://www.datocms-assets.com/2885/1506540175-color.svg',
+                'https://www.datocms-assets.com/2885/1539818112-postgresql.svg',
+                'https://www.datocms-assets.com/2885/1539817686-microsoft-sql-server.svg'
+              ].map(logo => (
+                <li key={logo}>
+                  <img src={logo} alt="company logo" />
+                </li>
+              ))}
+            </ul>
+          </div>
+        </div>
+
+        <TextAndContent
+          data={{
+            reverseDirection: true,
+            text: `### Detailed Audit Logs
+
+Detailed audit log of all client interaction (authentication, token creation, secret access & revocation)`,
+            content: {
+              __typename: 'SbcCodeBlockRecord',
+              chrome: true,
+              code: `$ cat audit.log | jq {
+    "time": "2018-08-27T13:17:11.609621226Z",
+    "type": "response",
+    "auth": {
+        "client_token": "hmac-sha256:5c40f1e051ea75b83230a5bf16574090f697dfa22a78e437f12c1c9d226f45a5",
+        "accessor": "hmac-sha256:f254a2d442f172f0b761c9fd028f599ad91861ed16ac3a1e8d96771fd920e862",
+        "display_name": "token",
+        "metadata": null,
+        "entity_id": ""
+    }
+}`
+            }
+          }}
+        />
+
+        <TextAndContent
+          data={{
+            text: `### Leasing & Revoking Secrets
+
+Manage authorization and create time-based tokens for automatic revocation or manual revocation`,
+            content: {
+              __typename: 'SbcCodeBlockRecord',
+              chrome: true,
+              code: `$ vault read database/creds/readonly
+Key             Value
+---             -----
+lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
+lease_duration  1h0m0s
+lease_renewable true
+password        A1a-w2xv2zsq4r5ru940
+username        v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434
+[...]
+$ vault renew database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
+Key             Value
+---             -----
+lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
+lease_duration  1h0m0s
+lease_renewable true
+$ vault lease revoke database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809`
+            }
+          }}
+        />
+      </section>
+
+      <UseCaseCtaSection />
+    </div>
+  )
+}
diff --git a/website/pages/use-cases/style.css b/website/pages/use-cases/style.css
new file mode 100644
index 000000000000..19a5809806d9
--- /dev/null
+++ b/website/pages/use-cases/style.css
@@ -0,0 +1,5 @@
+/* Shared styles in all /use-cases pages */
+#use-cases .g-logo-grid li img {
+  max-height: 50%;
+  max-width: 50%;
+}
diff --git a/website/prettier.config.js b/website/prettier.config.js
new file mode 100644
index 000000000000..1d0b501f25f1
--- /dev/null
+++ b/website/prettier.config.js
@@ -0,0 +1,4 @@
+module.exports = {
+  ...require('@hashicorp/nextjs-scripts/prettier.config.js')
+  /* Specify overrides here */
+}
diff --git a/website/public/css/nprogress.css b/website/public/css/nprogress.css
new file mode 100644
index 000000000000..3619227707fc
--- /dev/null
+++ b/website/public/css/nprogress.css
@@ -0,0 +1,81 @@
+/* Make clicks pass-through */
+#nprogress {
+  pointer-events: none;
+}
+
+#nprogress .bar {
+  background: #29d;
+
+  position: fixed;
+  z-index: 1031;
+  top: 0;
+  left: 0;
+
+  width: 100%;
+  height: 2px;
+}
+
+/* Fancy blur effect */
+#nprogress .peg {
+  display: block;
+  position: absolute;
+  right: 0px;
+  width: 100px;
+  height: 100%;
+  box-shadow: 0 0 10px #29d, 0 0 5px #29d;
+  opacity: 1;
+
+  -webkit-transform: rotate(3deg) translate(0px, -4px);
+  -ms-transform: rotate(3deg) translate(0px, -4px);
+  transform: rotate(3deg) translate(0px, -4px);
+}
+
+/* Remove these to get rid of the spinner */
+#nprogress .spinner {
+  display: block;
+  position: fixed;
+  z-index: 1031;
+  top: 15px;
+  right: 15px;
+}
+
+#nprogress .spinner-icon {
+  width: 18px;
+  height: 18px;
+  box-sizing: border-box;
+
+  border: solid 2px transparent;
+  border-top-color: #29d;
+  border-left-color: #29d;
+  border-radius: 50%;
+
+  -webkit-animation: nprogress-spinner 400ms linear infinite;
+  animation: nprogress-spinner 400ms linear infinite;
+}
+
+.nprogress-custom-parent {
+  overflow: hidden;
+  position: relative;
+}
+
+.nprogress-custom-parent #nprogress .spinner,
+.nprogress-custom-parent #nprogress .bar {
+  position: absolute;
+}
+
+@-webkit-keyframes nprogress-spinner {
+  0% {
+    -webkit-transform: rotate(0deg);
+  }
+  100% {
+    -webkit-transform: rotate(360deg);
+  }
+}
+@keyframes nprogress-spinner {
+  0% {
+    transform: rotate(0deg);
+  }
+  100% {
+    transform: rotate(360deg);
+  }
+}
diff --git a/website/assets/fonts/dejavu/DejaVuSansMono.woff b/website/public/fonts/dejavu/mono.woff
similarity index 100%
rename from website/assets/fonts/dejavu/DejaVuSansMono.woff
rename to website/public/fonts/dejavu/mono.woff
diff --git a/website/assets/fonts/dejavu/DejaVuSansMono.woff2 b/website/public/fonts/dejavu/mono.woff2
similarity index 100%
rename from website/assets/fonts/dejavu/DejaVuSansMono.woff2
rename to website/public/fonts/dejavu/mono.woff2
diff --git a/website/assets/fonts/gilmer/gilmer-bold.woff b/website/public/fonts/gilmer/bold.woff
similarity index 100%
rename from website/assets/fonts/gilmer/gilmer-bold.woff
rename to website/public/fonts/gilmer/bold.woff
diff --git a/website/assets/fonts/gilmer/gilmer-bold.woff2 b/website/public/fonts/gilmer/bold.woff2
similarity index 100%
rename from website/assets/fonts/gilmer/gilmer-bold.woff2
rename to website/public/fonts/gilmer/bold.woff2
diff --git a/website/assets/fonts/gilmer/gilmer-light.woff b/website/public/fonts/gilmer/light.woff
similarity index 100%
rename from website/assets/fonts/gilmer/gilmer-light.woff
rename to website/public/fonts/gilmer/light.woff
diff --git a/website/assets/fonts/gilmer/gilmer-light.woff2 b/website/public/fonts/gilmer/light.woff2
similarity index 100%
rename from website/assets/fonts/gilmer/gilmer-light.woff2
rename to website/public/fonts/gilmer/light.woff2
diff --git a/website/assets/fonts/gilmer/gilmer-medium.woff b/website/public/fonts/gilmer/medium.woff
similarity index 100%
rename from website/assets/fonts/gilmer/gilmer-medium.woff
rename to website/public/fonts/gilmer/medium.woff
diff --git a/website/assets/fonts/gilmer/gilmer-medium.woff2 b/website/public/fonts/gilmer/medium.woff2
similarity index 100%
rename from website/assets/fonts/gilmer/gilmer-medium.woff2
rename to website/public/fonts/gilmer/medium.woff2
diff --git a/website/assets/fonts/gilmer/gilmer-regular.woff b/website/public/fonts/gilmer/regular.woff
similarity index 100%
rename from website/assets/fonts/gilmer/gilmer-regular.woff
rename to website/public/fonts/gilmer/regular.woff
diff --git a/website/assets/fonts/gilmer/gilmer-regular.woff2 b/website/public/fonts/gilmer/regular.woff2
similarity index 100%
rename from website/assets/fonts/gilmer/gilmer-regular.woff2
rename to website/public/fonts/gilmer/regular.woff2
diff --git a/website/assets/fonts/klavika/500.woff b/website/public/fonts/klavika/medium.woff
similarity index 100%
rename from website/assets/fonts/klavika/500.woff
rename to website/public/fonts/klavika/medium.woff
diff --git a/website/assets/fonts/klavika/500.woff2 b/website/public/fonts/klavika/medium.woff2
similarity index 100%
rename from website/assets/fonts/klavika/500.woff2
rename to website/public/fonts/klavika/medium.woff2
diff --git a/website/assets/fonts/metro/metro-sans-bold.woff b/website/public/fonts/metro-sans/bold.woff
similarity index 100%
rename from website/assets/fonts/metro/metro-sans-bold.woff
rename to website/public/fonts/metro-sans/bold.woff
diff --git a/website/assets/fonts/metro/metro-sans-bold.woff2 b/website/public/fonts/metro-sans/bold.woff2
similarity index 100%
rename from website/assets/fonts/metro/metro-sans-bold.woff2
rename to website/public/fonts/metro-sans/bold.woff2
diff --git a/website/assets/fonts/metro/metro-sans-book.woff b/website/public/fonts/metro-sans/book.woff
similarity index 100%
rename from website/assets/fonts/metro/metro-sans-book.woff
rename to website/public/fonts/metro-sans/book.woff
diff --git a/website/assets/fonts/metro/metro-sans-book.woff2 b/website/public/fonts/metro-sans/book.woff2
similarity index 100%
rename from website/assets/fonts/metro/metro-sans-book.woff2
rename to website/public/fonts/metro-sans/book.woff2
diff --git a/website/assets/fonts/metro/metro-sans-regular.woff b/website/public/fonts/metro-sans/regular.woff
similarity index 100%
rename from website/assets/fonts/metro/metro-sans-regular.woff
rename to website/public/fonts/metro-sans/regular.woff
diff --git a/website/assets/fonts/metro/metro-sans-regular.woff2 b/website/public/fonts/metro-sans/regular.woff2
similarity index 100%
rename from website/assets/fonts/metro/metro-sans-regular.woff2
rename to website/public/fonts/metro-sans/regular.woff2
diff --git a/website/assets/fonts/metro/metro-sans-semi-bold.woff b/website/public/fonts/metro-sans/semi-bold.woff
similarity index 100%
rename from website/assets/fonts/metro/metro-sans-semi-bold.woff
rename to website/public/fonts/metro-sans/semi-bold.woff
diff --git a/website/assets/fonts/metro/metro-sans-semi-bold.woff2 b/website/public/fonts/metro-sans/semi-bold.woff2
similarity index 100%
rename from website/assets/fonts/metro/metro-sans-semi-bold.woff2
rename to website/public/fonts/metro-sans/semi-bold.woff2
diff --git a/website/public/ie-custom-properties.js b/website/public/ie-custom-properties.js
new file mode 100644
index 000000000000..e06d9f6a6ea8
--- /dev/null
+++ b/website/public/ie-custom-properties.js
@@ -0,0 +1,631 @@
+/*! ie11CustomProperties.js v2.6.0 | MIT License | https://git.io/fjXMN */
+// c1.onElement helper
+!(function() {
+  'use strict'
+
+  if (!Element.prototype.matches)
+    Element.prototype.matches = Element.prototype.msMatchesSelector
+
+  var w = window
+  if (!w.c1) w.c1 = {}
+  var listeners = [],
+    root = document,
+    Observer
+
+  c1.onElement = function(selector, options /*, disconnectedCallback*/) {
+    if (typeof options === 'function') {
+      options = { parsed: options }
+    }
+    var listener = {
+      selector: selector,
+      immediate: options.immediate,
+      //disconnectedCallback: disconnectedCallback,
+      elements: new WeakMap()
+    }
+
+    if (options.parsed) {
+      listener.parsed = function(el) {
+        requestAnimationFrame(function() {
+          options.parsed(el)
+        })
+      }
+    }
+
+    var els = root.querySelectorAll(listener.selector),
+      i = 0,
+      el
+    while ((el = els[i++])) {
+      listener.elements.set(el, true)
+      listener.parsed && listener.parsed.call(el, el)
+      listener.immediate && listener.immediate.call(el, el)
+    }
+
+    listeners.push(listener)
+    if (!Observer) {
+      Observer = new MutationObserver(checkMutations)
+      Observer.observe(root, {
+        childList: true,
+        subtree: true
+      })
+    }
+    checkListener(listener)
+  }
+  function checkListener(listener, target) {
+    var i = 0,
+      el,
+      els = []
+    target && target.matches(listener.selector) && els.push(target)
+    if (loaded) {
+      // ok? check inside node on innerHTML - only when loaded
+      Array.prototype.push.apply(
+        els,
+        (target || root).querySelectorAll(listener.selector)
+      )
+    }
+    while ((el = els[i++])) {
+      if (listener.elements.has(el)) continue
+      listener.elements.set(el, true)
+      //listener.connectedCallback.call(el, el);
+      listener.parsed && listener.parsed.call(el, el)
+      listener.immediate && listener.immediate.call(el, el)
+    }
+  }
+  function checkListeners(inside) {
+    var i = 0,
+      listener
+    while ((listener = listeners[i++])) checkListener(listener, inside)
+  }
+  function checkMutations(mutations) {
+    var j = 0,
+      i,
+      mutation,
+      nodes,
+      target
+    while ((mutation = mutations[j++])) {
+      ;(nodes = mutation.addedNodes), (i = 0)
+      while ((target = nodes[i++]))
+        target.nodeType === 1 && checkListeners(target)
+    }
+  }
+
+  var loaded = false
+  document.addEventListener('DOMContentLoaded', function() {
+    loaded = true
+  })
+
+  // svg polyfills
+  function copyProperty(prop, from, to) {
+    var desc = Object.getOwnPropertyDescriptor(from, prop)
+    Object.defineProperty(to, prop, desc)
+  }
+  if (!('classList' in Element.prototype)) {
+    copyProperty('classList', HTMLElement.prototype, Element.prototype)
+  }
+  if (!('innerHTML' in Element.prototype)) {
+    copyProperty('innerHTML', HTMLElement.prototype, Element.prototype)
+  }
+  if (!('sheet' in SVGStyleElement.prototype)) {
+    Object.defineProperty(SVGStyleElement.prototype, 'sheet', {
+      get: function() {
+        var all = document.styleSheets
+        for (var i = 0, sheet; (sheet = all[i++]); ) {
+          if (sheet.ownerNode === this) return sheet
+        }
+      }
+    })
+  }
+  // if ('children' in HTMLElement.prototype && !('children' in Element.prototype)) {
+  // 	copyProperty('children', HTMLElement.prototype, Element.prototype);
+  // }
+  // if ('contains' in HTMLElement.prototype && !('contains' in Element.prototype)) {
+  // 	copyProperty('contains', HTMLElement.prototype, Element.prototype);
+  // }
+  // if ('getElementsByClassName' in HTMLElement.prototype && !('getElementsByClassName' in Element.prototype)) {
+  // 	copyProperty('getElementsByClassName', HTMLElement.prototype, Element.prototype);
+  // }
+})()
+
+// main logic
+!(function() {
+  'use strict'
+  var testEl = document.createElement('i')
+  testEl.style.setProperty('--x', 'y')
+  if (testEl.style.getPropertyValue('--x') === 'y' || !testEl.msMatchesSelector)
+    return
+
+  // cached regexps, better performance
+  const regFindSetters = /([\s{;])(--([A-Za-z0-9-_]+\s*:[^;!}{]+)(!important)?)(?=\s*([;}]|$))/g
+  const regFindGetters = /([{;]\s*)([A-Za-z0-9-_]+\s*:[^;}{]*var\([^!;}{]+)(!important)?(?=\s*([;}$]|$))/g
+  const regRuleIEGetters = /-ieVar-([^:]+):/g
+  const regRuleIESetters = /-ie-([^};]+)/g
+  const regHasVar = /var\(/
+  const regPseudos = /:(hover|active|focus|target|:before|:after)/
+
+  c1.onElement('link[rel="stylesheet"]', {
+    immediate: function(el) {
+      fetchCss(el.href, function(css) {
+        var newCss = rewriteCss(css)
+        if (css === newCss) return
+        newCss = relToAbs(el.href, newCss)
+        el.disabled = true
+        var style = document.createElement('style')
+        el.parentNode.insertBefore(style, el)
+        activateStyleElement(style, newCss)
+      })
+    }
+  })
+  c1.onElement('style', {
+    immediate: function(el) {
+      if (el.hasAttribute('ie-polyfilled')) return
+      if (el.ieCP_elementSheet) return
+      var css = el.innerHTML
+      var newCss = rewriteCss(css)
+      if (css === newCss) return
+      activateStyleElement(el, newCss)
+    }
+  })
+  c1.onElement('[ie-style]', {
+    immediate: function(el) {
+      var newCss = rewriteCss('{' + el.getAttribute('ie-style')).substr(1)
+      el.style.cssText += ';' + newCss
+      var found = parseRewrittenStyle(el.style)
+      if (found.getters) addGetterElement(el, found.getters, '%styleAttr')
+      if (found.setters) addSetterElement(el, found.setters)
+    }
+  })
+
+  function relToAbs(base, css) {
+    return css.replace(/url\(([^)]+)\)/g, function($0, $1) {
+      $1 = $1.trim().replace(/(^['"]|['"]$)/g, '')
+      if ($1.match(/^([a-z]+:|\/)/)) return $0
+      base = base.replace(/\?.*/, '')
+      return 'url(' + base + './../' + $1 + ')'
+    })
+  }
+
+  // ie has a bug, where unknown properties at pseudo-selectors are computed at the element
+  // #el::after { -content:'x'; } => getComputedStyle(el)['-content'] == 'x'
+  // should we add something like -ieVar-pseudo_after-content:'x'?
+  function rewriteCss(css) {
+    /* uncomment if spec finished and needed by someone
+  css = css.replace(/@property ([^{]+){([^}]+)}/, function($0, prop, body){
+    prop = prop.trim();
+    const declaration = {name:prop};
+    body.split(';').forEach(function(pair){
+      const x = pair.split(':');
+      if (x[1]) declaration[ x[0].trim() ] = x[1];
+    });
+    declaration['inherits'] = declaration['inherits'].trim()==='true' ? true : false;
+    declaration['initialValue'] = declaration['initial-value'];
+    CSS.registerProperty(declaration)
+    return '/*\n @property ... removed \n*'+'/';
+  });
+  */
+
+    css = css.replace(regFindSetters, function($0, $1, $2, $3, important) {
+      return $1 + '-ie-' + (important ? '❗' : '') + $3
+    }) // !imporant
+    return css.replace(regFindGetters, function($0, $1, $2, important) {
+      return $1 + '-ieVar-' + (important ? '❗' : '') + $2 + '; ' + $2
+    }) // keep the original, so chaining works "--x:var(--y)"
+  }
+
+  // beta
+  //const styles_of_getter_properties = {};
+
+  function parseRewrittenStyle(style) {
+    // less memory then parameter cssText?
+    // beta
+    //style['z-index']; // can access unknown properties in stylesheets only if accessed a dashed known property
+    const cssText = style.cssText
+    var matchesGetters = cssText.match(regRuleIEGetters),
+      j,
+      match
+    if (matchesGetters) {
+      var getters = [] // eg. [border,color]
+      for (j = 0; (match = matchesGetters[j++]); ) {
+        let propName = match.slice(7, -1)
+        if (propName[0] === '❗') propName = propName.substr(1)
+        getters.push(propName)
+        // beta
+        //if (!styles_of_getter_properties[propName]) styles_of_getter_properties[propName] = [];
+        //styles_of_getter_properties[propName].push(style);
+      }
+    }
+    var matchesSetters = cssText.match(regRuleIESetters)
+    if (matchesSetters) {
+      var setters = {} // eg. [--color:#fff, --padding:10px];
+      for (j = 0; (match = matchesSetters[j++]); ) {
+        let x = match.substr(4).split(':')
+        let propName = x[0]
+        let propValue = x[1]
+        if (propName[0] === '❗') propName = propName.substr(1)
+        setters[propName] = propValue
+      }
+    }
+    return { getters: getters, setters: setters }
+  }
+  function activateStyleElement(style, css) {
+    style.innerHTML = css
+    style.setAttribute('ie-polyfilled', true)
+    var rules = style.sheet.rules,
+      i = 0,
+      rule // cssRules = CSSRuleList, rules = MSCSSRuleList
+    while ((rule = rules[i++])) {
+      const found = parseRewrittenStyle(rule.style)
+      if (found.getters) addGettersSelector(rule.selectorText, found.getters)
+      if (found.setters) addSettersSelector(rule.selectorText, found.setters)
+
+      // mediaQueries: redraw the hole document
+      // better add events for each element?
+      const media =
+        rule.parentRule &&
+        rule.parentRule.media &&
+        rule.parentRule.media.mediaText
+      if (media && (found.getters || found.setters)) {
+        matchMedia(media).addListener(function() {
+          drawTree(document.documentElement)
+        })
+      }
+    }
+  }
+
+  function addGettersSelector(selector, properties) {
+    selectorAddPseudoListeners(selector)
+    c1.onElement(unPseudo(selector), function(el) {
+      addGetterElement(el, properties, selector)
+      drawElement(el)
+    })
+  }
+  function addGetterElement(el, properties, selector) {
+    var i = 0,
+      prop,
+      j
+    const selectors = selector.split(',') // split grouped selectors
+    el.setAttribute('iecp-needed', true)
+    if (!el.ieCPSelectors) el.ieCPSelectors = {}
+    while ((prop = properties[i++])) {
+      for (j = 0; (selector = selectors[j++]); ) {
+        const parts = selector.trim().split('::')
+        if (!el.ieCPSelectors[prop]) el.ieCPSelectors[prop] = []
+        el.ieCPSelectors[prop].push({
+          selector: parts[0],
+          pseudo: parts[1] ? '::' + parts[1] : ''
+        })
+      }
+    }
+  }
+  function addSettersSelector(selector, propVals) {
+    selectorAddPseudoListeners(selector)
+    c1.onElement(unPseudo(selector), function(el) {
+      addSetterElement(el, propVals)
+    })
+  }
+  function addSetterElement(el, propVals) {
+    if (!el.ieCP_setters) el.ieCP_setters = {}
+    for (var prop in propVals) {
+      // eg. {foo:#fff, bar:baz}
+      el.ieCP_setters['--' + prop] = 1
+    }
+    drawTree(el)
+  }
+
+  // beta
+  // function redrawStyleSheets() {
+  // 	for (var prop in styles_of_getter_properties) {
+  // 		let styles = styles_of_getter_properties[prop];
+  // 		for (var i=0, style; style=styles[i++];) {
+  // 			if (style.owningElement) continue;
+  // 			var value = style['-ieVar-'+prop];
+  // 			if (!value) continue;
+  // 			var value = styleComputeValueWidthVars(getComputedStyle(document.documentElement), value);
+  // 			style[prop] = value;
+  // 		}
+  // 	}
+  // }
+  // setTimeout(redrawStyleSheets,1000);
+  //setTimeout(redrawStyleSheets,2000);
+
+  const pseudos = {
+    hover: {
+      on: 'mouseenter',
+      off: 'mouseleave'
+    },
+    focus: {
+      on: 'focusin',
+      off: 'focusout'
+    },
+    active: {
+      on: 'CSSActivate',
+      off: 'CSSDeactivate'
+    }
+  }
+  function selectorAddPseudoListeners(selector) {
+    // ie11 has the strange behavoir, that groups of selectors are individual rules, but starting with the full selector:
+    // td, th, button { color:red } results in this rules:
+    // "td, th, button" | "th, th" | "th"
+    selector = selector.split(',')[0]
+    for (var pseudo in pseudos) {
+      var parts = selector.split(':' + pseudo)
+      if (parts.length > 1) {
+        var ending = parts[1].match(/^[^\s]*/) // ending elementpart of selector (used for not(:active))
+        let selector = unPseudo(parts[0] + ending)
+        const listeners = pseudos[pseudo]
+        c1.onElement(selector, function(el) {
+          el.addEventListener(listeners.on, drawTreeEvent)
+          el.addEventListener(listeners.off, drawTreeEvent)
+        })
+      }
+    }
+  }
+  let CSSActive = null
+  document.addEventListener('mousedown', function(e) {
+    setTimeout(function() {
+      if (e.target === document.activeElement) {
+        var evt = document.createEvent('Event')
+        evt.initEvent('CSSActivate', true, true)
+        CSSActive = e.target
+        CSSActive.dispatchEvent(evt)
+      }
+    })
+  })
+  document.addEventListener('mouseup', function() {
+    if (CSSActive) {
+      var evt = document.createEvent('Event')
+      evt.initEvent('CSSDeactivate', true, true)
+      CSSActive.dispatchEvent(evt)
+      CSSActive = null
+    }
+  })
+
+  function unPseudo(selector) {
+    return selector.replace(regPseudos, '').replace(':not()', '')
+  }
+
+  var uniqueCounter = 0
+
+  function _drawElement(el) {
+    // beta
+    // if (el === document.documentElement) redrawStyleSheets();
+
+    if (!el.ieCP_unique) {
+      // use el.uniqueNumber? but needs class for the css-selector => test performance
+      el.ieCP_unique = ++uniqueCounter
+      el.classList.add('iecp-u' + el.ieCP_unique)
+    }
+    var style = getComputedStyle(el)
+    if (el.ieCP_sheet)
+      while (el.ieCP_sheet.rules[0]) el.ieCP_sheet.deleteRule(0)
+    for (var prop in el.ieCPSelectors) {
+      var important = style['-ieVar-❗' + prop]
+      let valueWithVar = important || style['-ieVar-' + prop]
+      if (!valueWithVar) continue // todo, what if '0'
+
+      var value = styleComputeValueWidthVars(style, valueWithVar)
+
+      // beta
+      // var details = {};
+      // details.onpropertyneeded = function(prop){ prop = '-ie-'+prop.substr(2); !done[prop] && drawProp(prop); }
+      // var value = styleComputeValueWidthVars(style, valueWithVar, details);
+      // if (details.allByRoot !== false) continue; // dont have to draw root-properties
+
+      if (important) value += ' !important'
+      for (var i = 0, item; (item = el.ieCPSelectors[prop][i++]); ) {
+        // todo: split and use requestAnimationFrame?
+        if (item.selector === '%styleAttr') {
+          el.style[prop] = value
+        } else {
+          //let selector = item.selector.replace(/>? \.[^ ]+/, ' ', item.selector); // todo: try to equalize specificity
+          let selector = item.selector
+          elementStyleSheet(el).insertRule(
+            selector +
+              '.iecp-u' +
+              el.ieCP_unique +
+              item.pseudo +
+              ' {' +
+              prop +
+              ':' +
+              value +
+              '}',
+            0
+          ) // faster then innerHTML
+        }
+      }
+    }
+  }
+  function elementStyleSheet(el) {
+    if (!el.ieCP_sheet) {
+      var tag = document.createElement('style')
+      tag.ieCP_elementSheet = 1
+      //el.appendChild(tag); // yes! self-closing tags can have style as children, but - if i set innerHTML, the stylesheet is lost
+      document.head.appendChild(tag)
+      el.ieCP_sheet = tag.sheet
+    }
+    return el.ieCP_sheet
+  }
+  function drawTree(target) {
+    if (!target) return
+    var els = target.querySelectorAll('[iecp-needed]')
+    if (target.hasAttribute && target.hasAttribute('iecp-needed'))
+      drawElement(target) // self
+    for (var i = 0, el; (el = els[i++]); ) drawElement(el) // tree
+  }
+  // draw queue
+  let drawQueue = {}
+  let collecting = false
+  let drawing = false
+  function drawElement(el) {
+    drawQueue[el.uniqueNumber] = el
+    if (collecting) return
+    collecting = true
+    requestAnimationFrame(function() {
+      collecting = false
+      drawing = true
+      for (var nr in drawQueue) _drawElement(drawQueue[nr])
+      requestAnimationFrame(function() {
+        // mutationObserver will trigger delayed
+        drawing = false
+      })
+      drawQueue = {}
+    })
+  }
+
+  function drawTreeEvent(e) {
+    drawTree(e.target)
+  }
+
+  const regValueGetters = /var\(([^),]+)(\,(.+))?\)/g
+  function styleComputeValueWidthVars(style, valueWithVar, details) {
+    return valueWithVar.replace(regValueGetters, function(
+      full,
+      variable,
+      x,
+      fallback
+    ) {
+      variable = variable.trim()
+      // beta if (details && details.onpropertyneeded) details.onpropertyneeded(variable)  // draw depending CPs first while drawing the element
+      var pValue = style.getPropertyValue(variable)
+      if (details && style.lastPropertyServedBy !== document.documentElement)
+        details.allByRoot = false
+      if (pValue === '' && fallback !== undefined) pValue = fallback.trim() // fallback
+      return pValue
+    })
+  }
+
+  // mutation listener
+  var observer = new MutationObserver(function(mutations) {
+    if (drawing) return
+    for (var i = 0, mutation; (mutation = mutations[i++]); ) {
+      if (mutation.attributeName === 'ie-polyfilled') continue
+      if (mutation.attributeName === 'iecp-needed') continue
+      // recheck all selectors if it targets new elements?
+      drawTree(mutation.target)
+    }
+  })
+  setTimeout(function() {
+    observer.observe(document, { attributes: true, subtree: true })
+  })
+
+  // :target listener
+  var oldHash = location.hash
+  addEventListener('hashchange', function(e) {
+    var newEl = document.getElementById(location.hash.substr(1))
+    if (newEl) {
+      var oldEl = document.getElementById(oldHash.substr(1))
+      drawTree(newEl)
+      drawTree(oldEl)
+    } else {
+      drawTree(document)
+    }
+    oldHash = location.hash
+  })
+
+  // add owningElement to Element.style
+  var descriptor = Object.getOwnPropertyDescriptor(
+    HTMLElement.prototype,
+    'style'
+  )
+  var styleGetter = descriptor.get
+  descriptor.get = function() {
+    const style = styleGetter.call(this)
+    style.owningElement = this
+    return style
+  }
+  Object.defineProperty(HTMLElement.prototype, 'style', descriptor)
+
+  // add computedFor to computed style-objects
+  var originalGetComputed = getComputedStyle
+  window.getComputedStyle = function(el) {
+    var style = originalGetComputed.apply(this, arguments)
+    style.computedFor = el
+    //style.pseudoElt = pseudoElt; //not needed at the moment
+    return style
+  }
+
+  // getPropertyValue / setProperty hooks
+  const StyleProto = CSSStyleDeclaration.prototype
+
+  const oldGetP = StyleProto.getPropertyValue
+  StyleProto.getPropertyValue = function(property) {
+    this.lastPropertyServedBy = false
+    if (property[0] !== '-' || property[1] !== '-')
+      return oldGetP.apply(this, arguments)
+    const undashed = property.substr(2)
+    const ieProperty = '-ie-' + undashed
+    const iePropertyImportant = '-ie-❗' + undashed
+    let value = this[iePropertyImportant] || this[ieProperty]
+    if (this.computedFor) {
+      // computedStyle
+      if (value !== undefined) {
+        if (regHasVar.test(value)) {
+          value = styleComputeValueWidthVars(this, value)
+        }
+        this.lastPropertyServedBy = this.computedFor
+      } else {
+        if (!register[property] || register[property].inherits) {
+          // inherited
+          //let el = this.pseudoElt ? this.computedFor : this.computedFor.parentNode;
+          let el = this.computedFor.parentNode
+          while (el.nodeType === 1) {
+            // how slower would it be to getComputedStyle for every element, not just with defined ieCP_setters
+            if (el.ieCP_setters && el.ieCP_setters[property]) {
+              // i could make
+              // value = el.nodeType ? getComputedStyle(this.computedFor.parentNode).getPropertyValue(property)
+              // but i fear performance, stupid?
+              var style = getComputedStyle(el)
+              var tmpVal = style[iePropertyImportant] || style[ieProperty]
+              if (tmpVal !== undefined) {
+                value = tmpVal
+                if (regHasVar.test(value)) {
+                  // calculated style from current element not from the element the value was inherited from! (style, value)
+                  value = styleComputeValueWidthVars(this, value)
+                }
+                this.lastPropertyServedBy = el
+                break
+              }
+            }
+            el = el.parentNode
+          }
+        }
+      }
+    }
+    if (value === undefined && register[property])
+      value = register[property].initialValue
+    if (value === undefined) value = ''
+    return value
+  }
+
+  const oldSetP = StyleProto.setProperty
+  StyleProto.setProperty = function(property, value, prio) {
+    if (property[0] !== '-' || property[1] !== '-')
+      return oldSetP.apply(this, arguments)
+    if (this.owningElement) {
+      const el = this.owningElement
+      if (!el.ieCP_setters) el.ieCP_setters = {}
+      el.ieCP_setters[property] = 1
+      drawTree(el)
+    }
+    property = '-ie-' + (prio === 'important' ? '❗' : '') + property.substr(2)
+    this.cssText += '; ' + property + ':' + value + ';'
+    //this[property] = value;
+  }
+
+  if (!window.CSS) window.CSS = {}
+  const register = {}
+  CSS.registerProperty = function(options) {
+    register[options.name] = options
+  }
+
+  // utils
+  function fetchCss(url, callback) {
+    var request = new XMLHttpRequest()
+    request.open('GET', url)
+    request.overrideMimeType('text/css')
+    request.onload = function() {
+      if (request.status >= 200 && request.status < 400) {
+        callback(request.responseText)
+      }
+    }
+    request.send()
+  }
+})()
diff --git a/website/assets/img/atlas_workflow.png b/website/public/img/atlas_workflow.png
similarity index 100%
rename from website/assets/img/atlas_workflow.png
rename to website/public/img/atlas_workflow.png
diff --git a/website/assets/img/bg-icons.png b/website/public/img/bg-icons.png
similarity index 100%
rename from website/assets/img/bg-icons.png
rename to website/public/img/bg-icons.png
diff --git a/website/assets/img/bg-icons@2x.png b/website/public/img/bg-icons@2x.png
similarity index 100%
rename from website/assets/img/bg-icons@2x.png
rename to website/public/img/bg-icons@2x.png
diff --git a/website/assets/img/consul-arch.png b/website/public/img/consul-arch.png
similarity index 100%
rename from website/assets/img/consul-arch.png
rename to website/public/img/consul-arch.png
diff --git a/website/assets/img/consul-sessions.png b/website/public/img/consul-sessions.png
similarity index 100%
rename from website/assets/img/consul-sessions.png
rename to website/public/img/consul-sessions.png
diff --git a/website/assets/img/consul_web_ui.png b/website/public/img/consul_web_ui.png
similarity index 100%
rename from website/assets/img/consul_web_ui.png
rename to website/public/img/consul_web_ui.png
diff --git a/website/assets/img/docs-sidebar-chevron-active.svg b/website/public/img/docs-sidebar-chevron-active.svg
similarity index 100%
rename from website/assets/img/docs-sidebar-chevron-active.svg
rename to website/public/img/docs-sidebar-chevron-active.svg
diff --git a/website/assets/img/docs-sidebar-chevron.svg b/website/public/img/docs-sidebar-chevron.svg
similarity index 100%
rename from website/assets/img/docs-sidebar-chevron.svg
rename to website/public/img/docs-sidebar-chevron.svg
diff --git a/website/assets/img/download.svg b/website/public/img/download.svg
similarity index 100%
rename from website/assets/img/download.svg
rename to website/public/img/download.svg
diff --git a/website/assets/img/fastly.svg b/website/public/img/fastly.svg
similarity index 100%
rename from website/assets/img/fastly.svg
rename to website/public/img/fastly.svg
diff --git a/website/assets/img/fastly_logo.png b/website/public/img/fastly_logo.png
similarity index 100%
rename from website/assets/img/fastly_logo.png
rename to website/public/img/fastly_logo.png
diff --git a/website/assets/img/favicons/android-chrome-192x192.png b/website/public/img/favicons/android-chrome-192x192.png
similarity index 100%
rename from website/assets/img/favicons/android-chrome-192x192.png
rename to website/public/img/favicons/android-chrome-192x192.png
diff --git a/website/assets/img/favicons/android-chrome-512x512.png b/website/public/img/favicons/android-chrome-512x512.png
similarity index 100%
rename from website/assets/img/favicons/android-chrome-512x512.png
rename to website/public/img/favicons/android-chrome-512x512.png
diff --git a/website/assets/img/favicons/apple-touch-icon.png b/website/public/img/favicons/apple-touch-icon.png
similarity index 100%
rename from website/assets/img/favicons/apple-touch-icon.png
rename to website/public/img/favicons/apple-touch-icon.png
diff --git a/website/assets/img/favicons/favicon-16x16.png b/website/public/img/favicons/favicon-16x16.png
similarity index 100%
rename from website/assets/img/favicons/favicon-16x16.png
rename to website/public/img/favicons/favicon-16x16.png
diff --git a/website/assets/img/favicons/favicon-32x32.png b/website/public/img/favicons/favicon-32x32.png
similarity index 100%
rename from website/assets/img/favicons/favicon-32x32.png
rename to website/public/img/favicons/favicon-32x32.png
diff --git a/website/assets/img/favicons/favicon.ico b/website/public/img/favicons/favicon.ico
similarity index 100%
rename from website/assets/img/favicons/favicon.ico
rename to website/public/img/favicons/favicon.ico
diff --git a/website/assets/img/favicons/mstile-150x150.png b/website/public/img/favicons/mstile-150x150.png
similarity index 100%
rename from website/assets/img/favicons/mstile-150x150.png
rename to website/public/img/favicons/mstile-150x150.png
diff --git a/website/assets/img/favicons/safari-pinned-tab.svg b/website/public/img/favicons/safari-pinned-tab.svg
similarity index 100%
rename from website/assets/img/favicons/safari-pinned-tab.svg
rename to website/public/img/favicons/safari-pinned-tab.svg
diff --git a/website/assets/img/feather/check-circle.svg b/website/public/img/feather/check-circle.svg
similarity index 100%
rename from website/assets/img/feather/check-circle.svg
rename to website/public/img/feather/check-circle.svg
diff --git a/website/assets/img/feather/icon_chevron-up.svg b/website/public/img/feather/icon_chevron-up.svg
similarity index 100%
rename from website/assets/img/feather/icon_chevron-up.svg
rename to website/public/img/feather/icon_chevron-up.svg
diff --git a/website/assets/img/feather/icon_link.svg b/website/public/img/feather/icon_link.svg
similarity index 100%
rename from website/assets/img/feather/icon_link.svg
rename to website/public/img/feather/icon_link.svg
diff --git a/website/assets/img/feather/icon_list-menu.svg b/website/public/img/feather/icon_list-menu.svg
similarity index 100%
rename from website/assets/img/feather/icon_list-menu.svg
rename to website/public/img/feather/icon_list-menu.svg
diff --git a/website/assets/img/feature-config.svg b/website/public/img/feature-config.svg
similarity index 100%
rename from website/assets/img/feature-config.svg
rename to website/public/img/feature-config.svg
diff --git a/website/assets/img/feature-discovery.svg b/website/public/img/feature-discovery.svg
similarity index 100%
rename from website/assets/img/feature-discovery.svg
rename to website/public/img/feature-discovery.svg
diff --git a/website/assets/img/feature-health.svg b/website/public/img/feature-health.svg
similarity index 100%
rename from website/assets/img/feature-health.svg
rename to website/public/img/feature-health.svg
diff --git a/website/assets/img/feature-multi.svg b/website/public/img/feature-multi.svg
similarity index 100%
rename from website/assets/img/feature-multi.svg
rename to website/public/img/feature-multi.svg
diff --git a/website/assets/img/graphic-audit.png b/website/public/img/graphic-audit.png
similarity index 100%
rename from website/assets/img/graphic-audit.png
rename to website/public/img/graphic-audit.png
diff --git a/website/assets/img/graphic-audit@2x.png b/website/public/img/graphic-audit@2x.png
similarity index 100%
rename from website/assets/img/graphic-audit@2x.png
rename to website/public/img/graphic-audit@2x.png
diff --git a/website/assets/img/graphic-crud.png b/website/public/img/graphic-crud.png
similarity index 100%
rename from website/assets/img/graphic-crud.png
rename to website/public/img/graphic-crud.png
diff --git a/website/assets/img/graphic-crud@2x.png b/website/public/img/graphic-crud@2x.png
similarity index 100%
rename from website/assets/img/graphic-crud@2x.png
rename to website/public/img/graphic-crud@2x.png
diff --git a/website/assets/img/graphic-key.png b/website/public/img/graphic-key.png
similarity index 100%
rename from website/assets/img/graphic-key.png
rename to website/public/img/graphic-key.png
diff --git a/website/assets/img/graphic-key@2x.png b/website/public/img/graphic-key@2x.png
similarity index 100%
rename from website/assets/img/graphic-key@2x.png
rename to website/public/img/graphic-key@2x.png
diff --git a/website/assets/img/green-check.svg b/website/public/img/green-check.svg
similarity index 100%
rename from website/assets/img/green-check.svg
rename to website/public/img/green-check.svg
diff --git a/website/assets/img/hashicorp-logos/consul-white.svg b/website/public/img/hashicorp-logos/consul-white.svg
similarity index 100%
rename from website/assets/img/hashicorp-logos/consul-white.svg
rename to website/public/img/hashicorp-logos/consul-white.svg
diff --git a/website/assets/img/hashicorp-logos/h-logo.svg b/website/public/img/hashicorp-logos/h-logo.svg
similarity index 100%
rename from website/assets/img/hashicorp-logos/h-logo.svg
rename to website/public/img/hashicorp-logos/h-logo.svg
diff --git a/website/assets/img/hashicorp-logos/hashicorp-logo.svg b/website/public/img/hashicorp-logos/hashicorp-logo.svg
similarity index 100%
rename from website/assets/img/hashicorp-logos/hashicorp-logo.svg
rename to website/public/img/hashicorp-logos/hashicorp-logo.svg
diff --git a/website/assets/img/hashicorp-logos/nomad-white.svg b/website/public/img/hashicorp-logos/nomad-white.svg
similarity index 100%
rename from website/assets/img/hashicorp-logos/nomad-white.svg
rename to website/public/img/hashicorp-logos/nomad-white.svg
diff --git a/website/assets/img/hashicorp-logos/terraform-white.svg b/website/public/img/hashicorp-logos/terraform-white.svg
similarity index 100%
rename from website/assets/img/hashicorp-logos/terraform-white.svg
rename to website/public/img/hashicorp-logos/terraform-white.svg
diff --git a/website/assets/img/hashicorp-logos/vault-white.svg b/website/public/img/hashicorp-logos/vault-white.svg
similarity index 100%
rename from website/assets/img/hashicorp-logos/vault-white.svg
rename to website/public/img/hashicorp-logos/vault-white.svg
diff --git a/website/assets/img/hero.png b/website/public/img/hero.png
similarity index 100%
rename from website/assets/img/hero.png
rename to website/public/img/hero.png
diff --git a/website/assets/img/hero@2x.png b/website/public/img/hero@2x.png
similarity index 100%
rename from website/assets/img/hero@2x.png
rename to website/public/img/hero@2x.png
diff --git a/website/assets/img/homepage/callouts/encryption.png b/website/public/img/homepage/callouts/encryption.png
similarity index 100%
rename from website/assets/img/homepage/callouts/encryption.png
rename to website/public/img/homepage/callouts/encryption.png
diff --git a/website/assets/img/homepage/callouts/identity.png b/website/public/img/homepage/callouts/identity.png
similarity index 100%
rename from website/assets/img/homepage/callouts/identity.png
rename to website/public/img/homepage/callouts/identity.png
diff --git a/website/assets/img/homepage/callouts/secrets.png b/website/public/img/homepage/callouts/secrets.png
similarity index 100%
rename from website/assets/img/homepage/callouts/secrets.png
rename to website/public/img/homepage/callouts/secrets.png
diff --git a/website/assets/img/icon-terminal.png b/website/public/img/icon-terminal.png
similarity index 100%
rename from website/assets/img/icon-terminal.png
rename to website/public/img/icon-terminal.png
diff --git a/website/assets/img/icon-terminal@2x.png b/website/public/img/icon-terminal@2x.png
similarity index 100%
rename from website/assets/img/icon-terminal@2x.png
rename to website/public/img/icon-terminal@2x.png
diff --git a/website/assets/img/icons/alert-triangle.svg b/website/public/img/icons/alert-triangle.svg
similarity index 100%
rename from website/assets/img/icons/alert-triangle.svg
rename to website/public/img/icons/alert-triangle.svg
diff --git a/website/assets/img/icons/check-circle.svg b/website/public/img/icons/check-circle.svg
similarity index 100%
rename from website/assets/img/icons/check-circle.svg
rename to website/public/img/icons/check-circle.svg
diff --git a/website/assets/img/icons/close-icon.svg b/website/public/img/icons/close-icon.svg
similarity index 100%
rename from website/assets/img/icons/close-icon.svg
rename to website/public/img/icons/close-icon.svg
diff --git a/website/assets/img/icons/icon_archlinux.svg b/website/public/img/icons/icon_archlinux.svg
similarity index 100%
rename from website/assets/img/icons/icon_archlinux.svg
rename to website/public/img/icons/icon_archlinux.svg
diff --git a/website/assets/img/icons/icon_centos.svg b/website/public/img/icons/icon_centos.svg
similarity index 100%
rename from website/assets/img/icons/icon_centos.svg
rename to website/public/img/icons/icon_centos.svg
diff --git a/website/assets/img/icons/icon_darwin.svg b/website/public/img/icons/icon_darwin.svg
similarity index 100%
rename from website/assets/img/icons/icon_darwin.svg
rename to website/public/img/icons/icon_darwin.svg
diff --git a/website/assets/img/icons/icon_debian.svg b/website/public/img/icons/icon_debian.svg
similarity index 100%
rename from website/assets/img/icons/icon_debian.svg
rename to website/public/img/icons/icon_debian.svg
diff --git a/website/assets/img/icons/icon_freebsd.svg b/website/public/img/icons/icon_freebsd.svg
similarity index 100%
rename from website/assets/img/icons/icon_freebsd.svg
rename to website/public/img/icons/icon_freebsd.svg
diff --git a/website/assets/img/icons/icon_hashios.svg b/website/public/img/icons/icon_hashios.svg
similarity index 100%
rename from website/assets/img/icons/icon_hashios.svg
rename to website/public/img/icons/icon_hashios.svg
diff --git a/website/assets/img/icons/icon_linux.svg b/website/public/img/icons/icon_linux.svg
similarity index 100%
rename from website/assets/img/icons/icon_linux.svg
rename to website/public/img/icons/icon_linux.svg
diff --git a/website/assets/img/icons/icon_macosx.svg b/website/public/img/icons/icon_macosx.svg
similarity index 100%
rename from website/assets/img/icons/icon_macosx.svg
rename to website/public/img/icons/icon_macosx.svg
diff --git a/website/assets/img/icons/icon_netbsd.svg b/website/public/img/icons/icon_netbsd.svg
similarity index 100%
rename from website/assets/img/icons/icon_netbsd.svg
rename to website/public/img/icons/icon_netbsd.svg
diff --git a/website/assets/img/icons/icon_openbsd.svg b/website/public/img/icons/icon_openbsd.svg
similarity index 100%
rename from website/assets/img/icons/icon_openbsd.svg
rename to website/public/img/icons/icon_openbsd.svg
diff --git a/website/assets/img/icons/icon_rpm.svg b/website/public/img/icons/icon_rpm.svg
similarity index 100%
rename from website/assets/img/icons/icon_rpm.svg
rename to website/public/img/icons/icon_rpm.svg
diff --git a/website/assets/img/icons/icon_solaris.svg b/website/public/img/icons/icon_solaris.svg
similarity index 100%
rename from website/assets/img/icons/icon_solaris.svg
rename to website/public/img/icons/icon_solaris.svg
diff --git a/website/assets/img/icons/icon_windows.svg b/website/public/img/icons/icon_windows.svg
similarity index 100%
rename from website/assets/img/icons/icon_windows.svg
rename to website/public/img/icons/icon_windows.svg
diff --git a/website/assets/img/integration-program-devprocess.png b/website/public/img/integration-program-devprocess.png
similarity index 100%
rename from website/assets/img/integration-program-devprocess.png
rename to website/public/img/integration-program-devprocess.png
diff --git a/website/assets/img/integration-program-vaulteco.png b/website/public/img/integration-program-vaulteco.png
similarity index 100%
rename from website/assets/img/integration-program-vaulteco.png
rename to website/public/img/integration-program-vaulteco.png
diff --git a/website/assets/img/layers.png b/website/public/img/layers.png
similarity index 100%
rename from website/assets/img/layers.png
rename to website/public/img/layers.png
diff --git a/website/assets/img/logo-hashicorp.svg b/website/public/img/logo-hashicorp.svg
similarity index 100%
rename from website/assets/img/logo-hashicorp.svg
rename to website/public/img/logo-hashicorp.svg
diff --git a/website/assets/img/logo-text.svg b/website/public/img/logo-text.svg
similarity index 100%
rename from website/assets/img/logo-text.svg
rename to website/public/img/logo-text.svg
diff --git a/website/assets/img/logo.svg b/website/public/img/logo.svg
similarity index 100%
rename from website/assets/img/logo.svg
rename to website/public/img/logo.svg
diff --git a/website/assets/img/news/webinar-register-now.png b/website/public/img/news/webinar-register-now.png
similarity index 100%
rename from website/assets/img/news/webinar-register-now.png
rename to website/public/img/news/webinar-register-now.png
diff --git a/website/assets/img/oci/oci-role-based-authz.png b/website/public/img/oci/oci-role-based-authz.png
similarity index 100%
rename from website/assets/img/oci/oci-role-based-authz.png
rename to website/public/img/oci/oci-role-based-authz.png
diff --git a/website/assets/img/og-image.png b/website/public/img/og-image.png
similarity index 100%
rename from website/assets/img/og-image.png
rename to website/public/img/og-image.png
diff --git a/website/assets/img/social/github.svg b/website/public/img/social/github.svg
similarity index 100%
rename from website/assets/img/social/github.svg
rename to website/public/img/social/github.svg
diff --git a/website/assets/img/social/googleplus.svg b/website/public/img/social/googleplus.svg
similarity index 100%
rename from website/assets/img/social/googleplus.svg
rename to website/public/img/social/googleplus.svg
diff --git a/website/assets/img/social/linkedin.svg b/website/public/img/social/linkedin.svg
similarity index 100%
rename from website/assets/img/social/linkedin.svg
rename to website/public/img/social/linkedin.svg
diff --git a/website/assets/img/social/twitter.svg b/website/public/img/social/twitter.svg
similarity index 100%
rename from website/assets/img/social/twitter.svg
rename to website/public/img/social/twitter.svg
diff --git a/website/assets/img/social/youtube.svg b/website/public/img/social/youtube.svg
similarity index 100%
rename from website/assets/img/social/youtube.svg
rename to website/public/img/social/youtube.svg
diff --git a/website/public/img/use-cases/identity-based-access/challenge.png b/website/public/img/use-cases/identity-based-access/challenge.png
new file mode 100644
index 000000000000..6b7ea19a7eeb
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/challenge.png differ
diff --git a/website/public/img/use-cases/identity-based-access/logos/aws.png b/website/public/img/use-cases/identity-based-access/logos/aws.png
new file mode 100644
index 000000000000..441ae71bd866
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/logos/aws.png differ
diff --git a/website/public/img/use-cases/identity-based-access/logos/azure.png b/website/public/img/use-cases/identity-based-access/logos/azure.png
new file mode 100644
index 000000000000..7925c58194bc
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/logos/azure.png differ
diff --git a/website/public/img/use-cases/identity-based-access/logos/gcp.png b/website/public/img/use-cases/identity-based-access/logos/gcp.png
new file mode 100644
index 000000000000..cb636704ed0d
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/logos/gcp.png differ
diff --git a/website/public/img/use-cases/identity-based-access/logos/kubernetes.png b/website/public/img/use-cases/identity-based-access/logos/kubernetes.png
new file mode 100644
index 000000000000..b8a0a9a2a58d
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/logos/kubernetes.png differ
diff --git a/website/public/img/use-cases/identity-based-access/logos/nomad.png b/website/public/img/use-cases/identity-based-access/logos/nomad.png
new file mode 100644
index 000000000000..0949360c413e
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/logos/nomad.png differ
diff --git a/website/public/img/use-cases/identity-based-access/logos/okta.png b/website/public/img/use-cases/identity-based-access/logos/okta.png
new file mode 100644
index 000000000000..5627aa0a331a
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/logos/okta.png differ
diff --git a/website/public/img/use-cases/identity-based-access/logos/pivotalcf.png b/website/public/img/use-cases/identity-based-access/logos/pivotalcf.png
new file mode 100644
index 000000000000..de4269a67de0
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/logos/pivotalcf.png differ
diff --git a/website/public/img/use-cases/identity-based-access/logos/ssh.png b/website/public/img/use-cases/identity-based-access/logos/ssh.png
new file mode 100644
index 000000000000..60841d890e0d
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/logos/ssh.png differ
diff --git a/website/public/img/use-cases/identity-based-access/screenshot-control-groups.png b/website/public/img/use-cases/identity-based-access/screenshot-control-groups.png
new file mode 100644
index 000000000000..18ab76c191fe
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/screenshot-control-groups.png differ
diff --git a/website/public/img/use-cases/identity-based-access/screenshot-entities.png b/website/public/img/use-cases/identity-based-access/screenshot-entities.png
new file mode 100644
index 000000000000..c96d236aa8c2
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/screenshot-entities.png differ
diff --git a/website/public/img/use-cases/identity-based-access/screenshot-identity-groups.png b/website/public/img/use-cases/identity-based-access/screenshot-identity-groups.png
new file mode 100644
index 000000000000..9fda217662bc
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/screenshot-identity-groups.png differ
diff --git a/website/public/img/use-cases/identity-based-access/solution.png b/website/public/img/use-cases/identity-based-access/solution.png
new file mode 100644
index 000000000000..1fe5d0fe8bf5
Binary files /dev/null and b/website/public/img/use-cases/identity-based-access/solution.png differ
diff --git a/website/assets/img/vault-acl-templating-2.png b/website/public/img/vault-acl-templating-2.png
similarity index 100%
rename from website/assets/img/vault-acl-templating-2.png
rename to website/public/img/vault-acl-templating-2.png
diff --git a/website/assets/img/vault-acl-templating-3.png b/website/public/img/vault-acl-templating-3.png
similarity index 100%
rename from website/assets/img/vault-acl-templating-3.png
rename to website/public/img/vault-acl-templating-3.png
diff --git a/website/assets/img/vault-acl-templating.png b/website/public/img/vault-acl-templating.png
similarity index 100%
rename from website/assets/img/vault-acl-templating.png
rename to website/public/img/vault-acl-templating.png
diff --git a/website/assets/img/vault-approle-tf-chef-2.png b/website/public/img/vault-approle-tf-chef-2.png
similarity index 100%
rename from website/assets/img/vault-approle-tf-chef-2.png
rename to website/public/img/vault-approle-tf-chef-2.png
diff --git a/website/assets/img/vault-approle-tf-chef-3.png b/website/public/img/vault-approle-tf-chef-3.png
similarity index 100%
rename from website/assets/img/vault-approle-tf-chef-3.png
rename to website/public/img/vault-approle-tf-chef-3.png
diff --git a/website/assets/img/vault-approle-tf-chef.png b/website/public/img/vault-approle-tf-chef.png
similarity index 100%
rename from website/assets/img/vault-approle-tf-chef.png
rename to website/public/img/vault-approle-tf-chef.png
diff --git a/website/assets/img/vault-approle-workflow.png b/website/public/img/vault-approle-workflow.png
similarity index 100%
rename from website/assets/img/vault-approle-workflow.png
rename to website/public/img/vault-approle-workflow.png
diff --git a/website/assets/img/vault-approle-workflow2.png b/website/public/img/vault-approle-workflow2.png
similarity index 100%
rename from website/assets/img/vault-approle-workflow2.png
rename to website/public/img/vault-approle-workflow2.png
diff --git a/website/assets/img/vault-approle-youtube.png b/website/public/img/vault-approle-youtube.png
similarity index 100%
rename from website/assets/img/vault-approle-youtube.png
rename to website/public/img/vault-approle-youtube.png
diff --git a/website/assets/img/vault-auth-method-2.png b/website/public/img/vault-auth-method-2.png
similarity index 100%
rename from website/assets/img/vault-auth-method-2.png
rename to website/public/img/vault-auth-method-2.png
diff --git a/website/assets/img/vault-auth-method-3.png b/website/public/img/vault-auth-method-3.png
similarity index 100%
rename from website/assets/img/vault-auth-method-3.png
rename to website/public/img/vault-auth-method-3.png
diff --git a/website/assets/img/vault-auth-method-4.png b/website/public/img/vault-auth-method-4.png
similarity index 100%
rename from website/assets/img/vault-auth-method-4.png
rename to website/public/img/vault-auth-method-4.png
diff --git a/website/assets/img/vault-auth-method.png b/website/public/img/vault-auth-method.png
similarity index 100%
rename from website/assets/img/vault-auth-method.png
rename to website/public/img/vault-auth-method.png
diff --git a/website/assets/img/vault-auth-workflow.svg b/website/public/img/vault-auth-workflow.svg
similarity index 100%
rename from website/assets/img/vault-auth-workflow.svg
rename to website/public/img/vault-auth-workflow.svg
diff --git a/website/assets/img/vault-autounseal-2.png b/website/public/img/vault-autounseal-2.png
similarity index 100%
rename from website/assets/img/vault-autounseal-2.png
rename to website/public/img/vault-autounseal-2.png
diff --git a/website/assets/img/vault-autounseal-3.png b/website/public/img/vault-autounseal-3.png
similarity index 100%
rename from website/assets/img/vault-autounseal-3.png
rename to website/public/img/vault-autounseal-3.png
diff --git a/website/assets/img/vault-autounseal-4.png b/website/public/img/vault-autounseal-4.png
similarity index 100%
rename from website/assets/img/vault-autounseal-4.png
rename to website/public/img/vault-autounseal-4.png
diff --git a/website/assets/img/vault-autounseal.png b/website/public/img/vault-autounseal.png
similarity index 100%
rename from website/assets/img/vault-autounseal.png
rename to website/public/img/vault-autounseal.png
diff --git a/website/assets/img/vault-aws-ec2-auth-flow.png b/website/public/img/vault-aws-ec2-auth-flow.png
similarity index 100%
rename from website/assets/img/vault-aws-ec2-auth-flow.png
rename to website/public/img/vault-aws-ec2-auth-flow.png
diff --git a/website/assets/img/vault-ctrl-grp-1.png b/website/public/img/vault-ctrl-grp-1.png
similarity index 100%
rename from website/assets/img/vault-ctrl-grp-1.png
rename to website/public/img/vault-ctrl-grp-1.png
diff --git a/website/assets/img/vault-ctrl-grp-2.png b/website/public/img/vault-ctrl-grp-2.png
similarity index 100%
rename from website/assets/img/vault-ctrl-grp-2.png
rename to website/public/img/vault-ctrl-grp-2.png
diff --git a/website/assets/img/vault-ctrl-grp-3.png b/website/public/img/vault-ctrl-grp-3.png
similarity index 100%
rename from website/assets/img/vault-ctrl-grp-3.png
rename to website/public/img/vault-ctrl-grp-3.png
diff --git a/website/assets/img/vault-ctrl-grp-4.png b/website/public/img/vault-ctrl-grp-4.png
similarity index 100%
rename from website/assets/img/vault-ctrl-grp-4.png
rename to website/public/img/vault-ctrl-grp-4.png
diff --git a/website/assets/img/vault-ctrl-grp-5.png b/website/public/img/vault-ctrl-grp-5.png
similarity index 100%
rename from website/assets/img/vault-ctrl-grp-5.png
rename to website/public/img/vault-ctrl-grp-5.png
diff --git a/website/assets/img/vault-ctrl-grp-6.png b/website/public/img/vault-ctrl-grp-6.png
similarity index 100%
rename from website/assets/img/vault-ctrl-grp-6.png
rename to website/public/img/vault-ctrl-grp-6.png
diff --git a/website/assets/img/vault-ctrl-grp-7.png b/website/public/img/vault-ctrl-grp-7.png
similarity index 100%
rename from website/assets/img/vault-ctrl-grp-7.png
rename to website/public/img/vault-ctrl-grp-7.png
diff --git a/website/assets/img/vault-cubbyhole.png b/website/public/img/vault-cubbyhole.png
similarity index 100%
rename from website/assets/img/vault-cubbyhole.png
rename to website/public/img/vault-cubbyhole.png
diff --git a/website/assets/img/vault-db-root-rotation.png b/website/public/img/vault-db-root-rotation.png
similarity index 100%
rename from website/assets/img/vault-db-root-rotation.png
rename to website/public/img/vault-db-root-rotation.png
diff --git a/website/assets/img/vault-dr-0.png b/website/public/img/vault-dr-0.png
similarity index 100%
rename from website/assets/img/vault-dr-0.png
rename to website/public/img/vault-dr-0.png
diff --git a/website/assets/img/vault-dr-1.png b/website/public/img/vault-dr-1.png
similarity index 100%
rename from website/assets/img/vault-dr-1.png
rename to website/public/img/vault-dr-1.png
diff --git a/website/assets/img/vault-dr-10.png b/website/public/img/vault-dr-10.png
similarity index 100%
rename from website/assets/img/vault-dr-10.png
rename to website/public/img/vault-dr-10.png
diff --git a/website/assets/img/vault-dr-11.png b/website/public/img/vault-dr-11.png
similarity index 100%
rename from website/assets/img/vault-dr-11.png
rename to website/public/img/vault-dr-11.png
diff --git a/website/assets/img/vault-dr-12.png b/website/public/img/vault-dr-12.png
similarity index 100%
rename from website/assets/img/vault-dr-12.png
rename to website/public/img/vault-dr-12.png
diff --git a/website/assets/img/vault-dr-13.png b/website/public/img/vault-dr-13.png
similarity index 100%
rename from website/assets/img/vault-dr-13.png
rename to website/public/img/vault-dr-13.png
diff --git a/website/assets/img/vault-dr-2.png b/website/public/img/vault-dr-2.png
similarity index 100%
rename from website/assets/img/vault-dr-2.png
rename to website/public/img/vault-dr-2.png
diff --git a/website/assets/img/vault-dr-3.png b/website/public/img/vault-dr-3.png
similarity index 100%
rename from website/assets/img/vault-dr-3.png
rename to website/public/img/vault-dr-3.png
diff --git a/website/assets/img/vault-dr-4.png b/website/public/img/vault-dr-4.png
similarity index 100%
rename from website/assets/img/vault-dr-4.png
rename to website/public/img/vault-dr-4.png
diff --git a/website/assets/img/vault-dr-5.2.png b/website/public/img/vault-dr-5.2.png
similarity index 100%
rename from website/assets/img/vault-dr-5.2.png
rename to website/public/img/vault-dr-5.2.png
diff --git a/website/assets/img/vault-dr-5.png b/website/public/img/vault-dr-5.png
similarity index 100%
rename from website/assets/img/vault-dr-5.png
rename to website/public/img/vault-dr-5.png
diff --git a/website/assets/img/vault-dr-6.png b/website/public/img/vault-dr-6.png
similarity index 100%
rename from website/assets/img/vault-dr-6.png
rename to website/public/img/vault-dr-6.png
diff --git a/website/assets/img/vault-dr-7.png b/website/public/img/vault-dr-7.png
similarity index 100%
rename from website/assets/img/vault-dr-7.png
rename to website/public/img/vault-dr-7.png
diff --git a/website/assets/img/vault-dr-8.png b/website/public/img/vault-dr-8.png
similarity index 100%
rename from website/assets/img/vault-dr-8.png
rename to website/public/img/vault-dr-8.png
diff --git a/website/assets/img/vault-dr-9-1.png b/website/public/img/vault-dr-9-1.png
similarity index 100%
rename from website/assets/img/vault-dr-9-1.png
rename to website/public/img/vault-dr-9-1.png
diff --git a/website/assets/img/vault-dr-9.png b/website/public/img/vault-dr-9.png
similarity index 100%
rename from website/assets/img/vault-dr-9.png
rename to website/public/img/vault-dr-9.png
diff --git a/website/assets/img/vault-dynamic-secrets.png b/website/public/img/vault-dynamic-secrets.png
similarity index 100%
rename from website/assets/img/vault-dynamic-secrets.png
rename to website/public/img/vault-dynamic-secrets.png
diff --git a/website/assets/img/vault-eaas.png b/website/public/img/vault-eaas.png
similarity index 100%
rename from website/assets/img/vault-eaas.png
rename to website/public/img/vault-eaas.png
diff --git a/website/assets/img/vault-encryption.png b/website/public/img/vault-encryption.png
similarity index 100%
rename from website/assets/img/vault-encryption.png
rename to website/public/img/vault-encryption.png
diff --git a/website/assets/img/vault-entity-1.png b/website/public/img/vault-entity-1.png
similarity index 100%
rename from website/assets/img/vault-entity-1.png
rename to website/public/img/vault-entity-1.png
diff --git a/website/assets/img/vault-entity-10.png b/website/public/img/vault-entity-10.png
similarity index 100%
rename from website/assets/img/vault-entity-10.png
rename to website/public/img/vault-entity-10.png
diff --git a/website/assets/img/vault-entity-2.png b/website/public/img/vault-entity-2.png
similarity index 100%
rename from website/assets/img/vault-entity-2.png
rename to website/public/img/vault-entity-2.png
diff --git a/website/assets/img/vault-entity-3.png b/website/public/img/vault-entity-3.png
similarity index 100%
rename from website/assets/img/vault-entity-3.png
rename to website/public/img/vault-entity-3.png
diff --git a/website/assets/img/vault-entity-4.png b/website/public/img/vault-entity-4.png
similarity index 100%
rename from website/assets/img/vault-entity-4.png
rename to website/public/img/vault-entity-4.png
diff --git a/website/assets/img/vault-entity-5.png b/website/public/img/vault-entity-5.png
similarity index 100%
rename from website/assets/img/vault-entity-5.png
rename to website/public/img/vault-entity-5.png
diff --git a/website/assets/img/vault-entity-6.png b/website/public/img/vault-entity-6.png
similarity index 100%
rename from website/assets/img/vault-entity-6.png
rename to website/public/img/vault-entity-6.png
diff --git a/website/assets/img/vault-entity-7.png b/website/public/img/vault-entity-7.png
similarity index 100%
rename from website/assets/img/vault-entity-7.png
rename to website/public/img/vault-entity-7.png
diff --git a/website/assets/img/vault-entity-9.png b/website/public/img/vault-entity-9.png
similarity index 100%
rename from website/assets/img/vault-entity-9.png
rename to website/public/img/vault-entity-9.png
diff --git a/website/assets/img/vault-gcp-gce-auth-workflow.svg b/website/public/img/vault-gcp-gce-auth-workflow.svg
similarity index 100%
rename from website/assets/img/vault-gcp-gce-auth-workflow.svg
rename to website/public/img/vault-gcp-gce-auth-workflow.svg
diff --git a/website/assets/img/vault-gcp-iam-auth-workflow.svg b/website/public/img/vault-gcp-iam-auth-workflow.svg
similarity index 100%
rename from website/assets/img/vault-gcp-iam-auth-workflow.svg
rename to website/public/img/vault-gcp-iam-auth-workflow.svg
diff --git a/website/assets/img/vault-ha-consul-2.png b/website/public/img/vault-ha-consul-2.png
similarity index 100%
rename from website/assets/img/vault-ha-consul-2.png
rename to website/public/img/vault-ha-consul-2.png
diff --git a/website/assets/img/vault-ha-consul-3.png b/website/public/img/vault-ha-consul-3.png
similarity index 100%
rename from website/assets/img/vault-ha-consul-3.png
rename to website/public/img/vault-ha-consul-3.png
diff --git a/website/assets/img/vault-ha-consul.png b/website/public/img/vault-ha-consul.png
similarity index 100%
rename from website/assets/img/vault-ha-consul.png
rename to website/public/img/vault-ha-consul.png
diff --git a/website/assets/img/vault-hsm-autounseal.png b/website/public/img/vault-hsm-autounseal.png
similarity index 100%
rename from website/assets/img/vault-hsm-autounseal.png
rename to website/public/img/vault-hsm-autounseal.png
diff --git a/website/assets/img/vault-java-demo-1.png b/website/public/img/vault-java-demo-1.png
similarity index 100%
rename from website/assets/img/vault-java-demo-1.png
rename to website/public/img/vault-java-demo-1.png
diff --git a/website/assets/img/vault-java-demo-10.png b/website/public/img/vault-java-demo-10.png
similarity index 100%
rename from website/assets/img/vault-java-demo-10.png
rename to website/public/img/vault-java-demo-10.png
diff --git a/website/assets/img/vault-java-demo-11.png b/website/public/img/vault-java-demo-11.png
similarity index 100%
rename from website/assets/img/vault-java-demo-11.png
rename to website/public/img/vault-java-demo-11.png
diff --git a/website/assets/img/vault-java-demo-2.png b/website/public/img/vault-java-demo-2.png
similarity index 100%
rename from website/assets/img/vault-java-demo-2.png
rename to website/public/img/vault-java-demo-2.png
diff --git a/website/assets/img/vault-java-demo-3.png b/website/public/img/vault-java-demo-3.png
similarity index 100%
rename from website/assets/img/vault-java-demo-3.png
rename to website/public/img/vault-java-demo-3.png
diff --git a/website/assets/img/vault-java-demo-4.png b/website/public/img/vault-java-demo-4.png
similarity index 100%
rename from website/assets/img/vault-java-demo-4.png
rename to website/public/img/vault-java-demo-4.png
diff --git a/website/assets/img/vault-java-demo-5.png b/website/public/img/vault-java-demo-5.png
similarity index 100%
rename from website/assets/img/vault-java-demo-5.png
rename to website/public/img/vault-java-demo-5.png
diff --git a/website/assets/img/vault-java-demo-6.png b/website/public/img/vault-java-demo-6.png
similarity index 100%
rename from website/assets/img/vault-java-demo-6.png
rename to website/public/img/vault-java-demo-6.png
diff --git a/website/assets/img/vault-java-demo-7.png b/website/public/img/vault-java-demo-7.png
similarity index 100%
rename from website/assets/img/vault-java-demo-7.png
rename to website/public/img/vault-java-demo-7.png
diff --git a/website/assets/img/vault-java-demo-8.png b/website/public/img/vault-java-demo-8.png
similarity index 100%
rename from website/assets/img/vault-java-demo-8.png
rename to website/public/img/vault-java-demo-8.png
diff --git a/website/assets/img/vault-java-demo-9.png b/website/public/img/vault-java-demo-9.png
similarity index 100%
rename from website/assets/img/vault-java-demo-9.png
rename to website/public/img/vault-java-demo-9.png
diff --git a/website/assets/img/vault-mount-filter-0.png b/website/public/img/vault-mount-filter-0.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-0.png
rename to website/public/img/vault-mount-filter-0.png
diff --git a/website/assets/img/vault-mount-filter-10.png b/website/public/img/vault-mount-filter-10.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-10.png
rename to website/public/img/vault-mount-filter-10.png
diff --git a/website/assets/img/vault-mount-filter-11.png b/website/public/img/vault-mount-filter-11.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-11.png
rename to website/public/img/vault-mount-filter-11.png
diff --git a/website/assets/img/vault-mount-filter-12.png b/website/public/img/vault-mount-filter-12.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-12.png
rename to website/public/img/vault-mount-filter-12.png
diff --git a/website/assets/img/vault-mount-filter-13.png b/website/public/img/vault-mount-filter-13.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-13.png
rename to website/public/img/vault-mount-filter-13.png
diff --git a/website/assets/img/vault-mount-filter-2.png b/website/public/img/vault-mount-filter-2.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-2.png
rename to website/public/img/vault-mount-filter-2.png
diff --git a/website/assets/img/vault-mount-filter-3.png b/website/public/img/vault-mount-filter-3.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-3.png
rename to website/public/img/vault-mount-filter-3.png
diff --git a/website/assets/img/vault-mount-filter-4.png b/website/public/img/vault-mount-filter-4.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-4.png
rename to website/public/img/vault-mount-filter-4.png
diff --git a/website/assets/img/vault-mount-filter-5.png b/website/public/img/vault-mount-filter-5.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-5.png
rename to website/public/img/vault-mount-filter-5.png
diff --git a/website/assets/img/vault-mount-filter-6.png b/website/public/img/vault-mount-filter-6.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-6.png
rename to website/public/img/vault-mount-filter-6.png
diff --git a/website/assets/img/vault-mount-filter-7.png b/website/public/img/vault-mount-filter-7.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-7.png
rename to website/public/img/vault-mount-filter-7.png
diff --git a/website/assets/img/vault-mount-filter-8.png b/website/public/img/vault-mount-filter-8.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-8.png
rename to website/public/img/vault-mount-filter-8.png
diff --git a/website/assets/img/vault-mount-filter-9.png b/website/public/img/vault-mount-filter-9.png
similarity index 100%
rename from website/assets/img/vault-mount-filter-9.png
rename to website/public/img/vault-mount-filter-9.png
diff --git a/website/assets/img/vault-mount-filter.png b/website/public/img/vault-mount-filter.png
similarity index 100%
rename from website/assets/img/vault-mount-filter.png
rename to website/public/img/vault-mount-filter.png
diff --git a/website/assets/img/vault-multi-tenant-1.png b/website/public/img/vault-multi-tenant-1.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant-1.png
rename to website/public/img/vault-multi-tenant-1.png
diff --git a/website/assets/img/vault-multi-tenant-2.png b/website/public/img/vault-multi-tenant-2.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant-2.png
rename to website/public/img/vault-multi-tenant-2.png
diff --git a/website/assets/img/vault-multi-tenant-3.png b/website/public/img/vault-multi-tenant-3.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant-3.png
rename to website/public/img/vault-multi-tenant-3.png
diff --git a/website/assets/img/vault-multi-tenant-4.png b/website/public/img/vault-multi-tenant-4.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant-4.png
rename to website/public/img/vault-multi-tenant-4.png
diff --git a/website/assets/img/vault-multi-tenant-5.png b/website/public/img/vault-multi-tenant-5.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant-5.png
rename to website/public/img/vault-multi-tenant-5.png
diff --git a/website/assets/img/vault-multi-tenant-6.png b/website/public/img/vault-multi-tenant-6.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant-6.png
rename to website/public/img/vault-multi-tenant-6.png
diff --git a/website/assets/img/vault-multi-tenant-7.png b/website/public/img/vault-multi-tenant-7.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant-7.png
rename to website/public/img/vault-multi-tenant-7.png
diff --git a/website/assets/img/vault-multi-tenant-8.png b/website/public/img/vault-multi-tenant-8.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant-8.png
rename to website/public/img/vault-multi-tenant-8.png
diff --git a/website/assets/img/vault-multi-tenant.png b/website/public/img/vault-multi-tenant.png
similarity index 100%
rename from website/assets/img/vault-multi-tenant.png
rename to website/public/img/vault-multi-tenant.png
diff --git a/website/assets/img/vault-perf-standby-1.png b/website/public/img/vault-perf-standby-1.png
similarity index 100%
rename from website/assets/img/vault-perf-standby-1.png
rename to website/public/img/vault-perf-standby-1.png
diff --git a/website/assets/img/vault-perf-standby.png b/website/public/img/vault-perf-standby.png
similarity index 100%
rename from website/assets/img/vault-perf-standby.png
rename to website/public/img/vault-perf-standby.png
diff --git a/website/assets/img/vault-pki-1.png b/website/public/img/vault-pki-1.png
similarity index 100%
rename from website/assets/img/vault-pki-1.png
rename to website/public/img/vault-pki-1.png
diff --git a/website/assets/img/vault-pki-2.png b/website/public/img/vault-pki-2.png
similarity index 100%
rename from website/assets/img/vault-pki-2.png
rename to website/public/img/vault-pki-2.png
diff --git a/website/assets/img/vault-pki-3.png b/website/public/img/vault-pki-3.png
similarity index 100%
rename from website/assets/img/vault-pki-3.png
rename to website/public/img/vault-pki-3.png
diff --git a/website/assets/img/vault-pki-4.png b/website/public/img/vault-pki-4.png
similarity index 100%
rename from website/assets/img/vault-pki-4.png
rename to website/public/img/vault-pki-4.png
diff --git a/website/assets/img/vault-pki-demo-2.png b/website/public/img/vault-pki-demo-2.png
similarity index 100%
rename from website/assets/img/vault-pki-demo-2.png
rename to website/public/img/vault-pki-demo-2.png
diff --git a/website/assets/img/vault-pki-demo.png b/website/public/img/vault-pki-demo.png
similarity index 100%
rename from website/assets/img/vault-pki-demo.png
rename to website/public/img/vault-pki-demo.png
diff --git a/website/assets/img/vault-policy-1.png b/website/public/img/vault-policy-1.png
similarity index 100%
rename from website/assets/img/vault-policy-1.png
rename to website/public/img/vault-policy-1.png
diff --git a/website/assets/img/vault-policy-2.png b/website/public/img/vault-policy-2.png
similarity index 100%
rename from website/assets/img/vault-policy-2.png
rename to website/public/img/vault-policy-2.png
diff --git a/website/assets/img/vault-policy-authoring-workflow.png b/website/public/img/vault-policy-authoring-workflow.png
similarity index 100%
rename from website/assets/img/vault-policy-authoring-workflow.png
rename to website/public/img/vault-policy-authoring-workflow.png
diff --git a/website/assets/img/vault-policy-workflow.svg b/website/public/img/vault-policy-workflow.svg
similarity index 100%
rename from website/assets/img/vault-policy-workflow.svg
rename to website/public/img/vault-policy-workflow.svg
diff --git a/website/assets/img/vault-ref-arch-2.png b/website/public/img/vault-ref-arch-2.png
similarity index 100%
rename from website/assets/img/vault-ref-arch-2.png
rename to website/public/img/vault-ref-arch-2.png
diff --git a/website/assets/img/vault-ref-arch-3.png b/website/public/img/vault-ref-arch-3.png
similarity index 100%
rename from website/assets/img/vault-ref-arch-3.png
rename to website/public/img/vault-ref-arch-3.png
diff --git a/website/assets/img/vault-ref-arch-4.png b/website/public/img/vault-ref-arch-4.png
similarity index 100%
rename from website/assets/img/vault-ref-arch-4.png
rename to website/public/img/vault-ref-arch-4.png
diff --git a/website/assets/img/vault-ref-arch-5.png b/website/public/img/vault-ref-arch-5.png
similarity index 100%
rename from website/assets/img/vault-ref-arch-5.png
rename to website/public/img/vault-ref-arch-5.png
diff --git a/website/assets/img/vault-ref-arch-6.png b/website/public/img/vault-ref-arch-6.png
similarity index 100%
rename from website/assets/img/vault-ref-arch-6.png
rename to website/public/img/vault-ref-arch-6.png
diff --git a/website/assets/img/vault-ref-arch-7.png b/website/public/img/vault-ref-arch-7.png
similarity index 100%
rename from website/assets/img/vault-ref-arch-7.png
rename to website/public/img/vault-ref-arch-7.png
diff --git a/website/assets/img/vault-ref-arch-8.png b/website/public/img/vault-ref-arch-8.png
similarity index 100%
rename from website/assets/img/vault-ref-arch-8.png
rename to website/public/img/vault-ref-arch-8.png
diff --git a/website/assets/img/vault-ref-arch-9.png b/website/public/img/vault-ref-arch-9.png
similarity index 100%
rename from website/assets/img/vault-ref-arch-9.png
rename to website/public/img/vault-ref-arch-9.png
diff --git a/website/assets/img/vault-ref-arch.png b/website/public/img/vault-ref-arch.png
similarity index 100%
rename from website/assets/img/vault-ref-arch.png
rename to website/public/img/vault-ref-arch.png
diff --git a/website/assets/img/vault-rekey-vs-rotate.svg b/website/public/img/vault-rekey-vs-rotate.svg
similarity index 100%
rename from website/assets/img/vault-rekey-vs-rotate.svg
rename to website/public/img/vault-rekey-vs-rotate.svg
diff --git a/website/assets/img/vault-seal-wrap-2.png b/website/public/img/vault-seal-wrap-2.png
similarity index 100%
rename from website/assets/img/vault-seal-wrap-2.png
rename to website/public/img/vault-seal-wrap-2.png
diff --git a/website/assets/img/vault-seal-wrap-3.png b/website/public/img/vault-seal-wrap-3.png
similarity index 100%
rename from website/assets/img/vault-seal-wrap-3.png
rename to website/public/img/vault-seal-wrap-3.png
diff --git a/website/assets/img/vault-seal-wrap-4.png b/website/public/img/vault-seal-wrap-4.png
similarity index 100%
rename from website/assets/img/vault-seal-wrap-4.png
rename to website/public/img/vault-seal-wrap-4.png
diff --git a/website/assets/img/vault-seal-wrap-5.png b/website/public/img/vault-seal-wrap-5.png
similarity index 100%
rename from website/assets/img/vault-seal-wrap-5.png
rename to website/public/img/vault-seal-wrap-5.png
diff --git a/website/assets/img/vault-seal-wrap-6.png b/website/public/img/vault-seal-wrap-6.png
similarity index 100%
rename from website/assets/img/vault-seal-wrap-6.png
rename to website/public/img/vault-seal-wrap-6.png
diff --git a/website/assets/img/vault-seal-wrap.png b/website/public/img/vault-seal-wrap.png
similarity index 100%
rename from website/assets/img/vault-seal-wrap.png
rename to website/public/img/vault-seal-wrap.png
diff --git a/website/assets/img/vault-secrets-enable.png b/website/public/img/vault-secrets-enable.png
similarity index 100%
rename from website/assets/img/vault-secrets-enable.png
rename to website/public/img/vault-secrets-enable.png
diff --git a/website/assets/img/vault-secure-intro-1.png b/website/public/img/vault-secure-intro-1.png
similarity index 100%
rename from website/assets/img/vault-secure-intro-1.png
rename to website/public/img/vault-secure-intro-1.png
diff --git a/website/assets/img/vault-secure-intro-2.png b/website/public/img/vault-secure-intro-2.png
similarity index 100%
rename from website/assets/img/vault-secure-intro-2.png
rename to website/public/img/vault-secure-intro-2.png
diff --git a/website/assets/img/vault-secure-intro-3.png b/website/public/img/vault-secure-intro-3.png
similarity index 100%
rename from website/assets/img/vault-secure-intro-3.png
rename to website/public/img/vault-secure-intro-3.png
diff --git a/website/assets/img/vault-secure-intro-4.png b/website/public/img/vault-secure-intro-4.png
similarity index 100%
rename from website/assets/img/vault-secure-intro-4.png
rename to website/public/img/vault-secure-intro-4.png
diff --git a/website/assets/img/vault-secure-intro-5.png b/website/public/img/vault-secure-intro-5.png
similarity index 100%
rename from website/assets/img/vault-secure-intro-5.png
rename to website/public/img/vault-secure-intro-5.png
diff --git a/website/assets/img/vault-sentinel-1.png b/website/public/img/vault-sentinel-1.png
similarity index 100%
rename from website/assets/img/vault-sentinel-1.png
rename to website/public/img/vault-sentinel-1.png
diff --git a/website/assets/img/vault-sentinel-2.png b/website/public/img/vault-sentinel-2.png
similarity index 100%
rename from website/assets/img/vault-sentinel-2.png
rename to website/public/img/vault-sentinel-2.png
diff --git a/website/assets/img/vault-shamir-secret-sharing.svg b/website/public/img/vault-shamir-secret-sharing.svg
similarity index 100%
rename from website/assets/img/vault-shamir-secret-sharing.svg
rename to website/public/img/vault-shamir-secret-sharing.svg
diff --git a/website/assets/img/vault-ssh-otp-1.png b/website/public/img/vault-ssh-otp-1.png
similarity index 100%
rename from website/assets/img/vault-ssh-otp-1.png
rename to website/public/img/vault-ssh-otp-1.png
diff --git a/website/assets/img/vault-ssh-otp-2.png b/website/public/img/vault-ssh-otp-2.png
similarity index 100%
rename from website/assets/img/vault-ssh-otp-2.png
rename to website/public/img/vault-ssh-otp-2.png
diff --git a/website/assets/img/vault-static-secrets.png b/website/public/img/vault-static-secrets.png
similarity index 100%
rename from website/assets/img/vault-static-secrets.png
rename to website/public/img/vault-static-secrets.png
diff --git a/website/assets/img/vault-static-secrets2.png b/website/public/img/vault-static-secrets2.png
similarity index 100%
rename from website/assets/img/vault-static-secrets2.png
rename to website/public/img/vault-static-secrets2.png
diff --git a/website/assets/img/vault-transit-1.png b/website/public/img/vault-transit-1.png
similarity index 100%
rename from website/assets/img/vault-transit-1.png
rename to website/public/img/vault-transit-1.png
diff --git a/website/assets/img/vault-transit-2.png b/website/public/img/vault-transit-2.png
similarity index 100%
rename from website/assets/img/vault-transit-2.png
rename to website/public/img/vault-transit-2.png
diff --git a/website/assets/img/vault-transit-3.png b/website/public/img/vault-transit-3.png
similarity index 100%
rename from website/assets/img/vault-transit-3.png
rename to website/public/img/vault-transit-3.png
diff --git a/website/assets/img/vault-transit-4.png b/website/public/img/vault-transit-4.png
similarity index 100%
rename from website/assets/img/vault-transit-4.png
rename to website/public/img/vault-transit-4.png
diff --git a/website/assets/img/vault-transit-5.png b/website/public/img/vault-transit-5.png
similarity index 100%
rename from website/assets/img/vault-transit-5.png
rename to website/public/img/vault-transit-5.png
diff --git a/website/assets/img/vault-versioned-kv-1.png b/website/public/img/vault-versioned-kv-1.png
similarity index 100%
rename from website/assets/img/vault-versioned-kv-1.png
rename to website/public/img/vault-versioned-kv-1.png
diff --git a/website/assets/img/vault-versioned-kv-2.png b/website/public/img/vault-versioned-kv-2.png
similarity index 100%
rename from website/assets/img/vault-versioned-kv-2.png
rename to website/public/img/vault-versioned-kv-2.png
diff --git a/website/assets/img/vault-versioned-kv-3.png b/website/public/img/vault-versioned-kv-3.png
similarity index 100%
rename from website/assets/img/vault-versioned-kv-3.png
rename to website/public/img/vault-versioned-kv-3.png
diff --git a/website/assets/img/vault-versioned-kv-4.png b/website/public/img/vault-versioned-kv-4.png
similarity index 100%
rename from website/assets/img/vault-versioned-kv-4.png
rename to website/public/img/vault-versioned-kv-4.png
diff --git a/website/assets/img/vault-versioned-kv-5.png b/website/public/img/vault-versioned-kv-5.png
similarity index 100%
rename from website/assets/img/vault-versioned-kv-5.png
rename to website/public/img/vault-versioned-kv-5.png
diff --git a/website/assets/img/vault-versioned-kv-6.png b/website/public/img/vault-versioned-kv-6.png
similarity index 100%
rename from website/assets/img/vault-versioned-kv-6.png
rename to website/public/img/vault-versioned-kv-6.png
diff --git a/website/assets/img/vault_cluster.png b/website/public/img/vault_cluster.png
similarity index 100%
rename from website/assets/img/vault_cluster.png
rename to website/public/img/vault_cluster.png
diff --git a/website/source/.gitignore b/website/source/.gitignore
deleted file mode 100644
index 67550a149e2e..000000000000
--- a/website/source/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# Source folder
-node_modules/
diff --git a/website/source/404.html.md b/website/source/404.html.md
deleted file mode 100644
index 9843b008084a..000000000000
--- a/website/source/404.html.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-layout: "inner"
-page_title: "Not Found"
-noindex: true
-description: |-
-  Page not found!
----
-
-# Page Not Found
-
-Sorry, the page you tried to visit does not exist. This could be our fault,
-and if so we will fix that up right away.
-
-Please go back to get back on track.
diff --git a/website/source/_ember_steps.html.erb b/website/source/_ember_steps.html.erb
deleted file mode 100644
index aa036053703e..000000000000
--- a/website/source/_ember_steps.html.erb
+++ /dev/null
@@ -1,279 +0,0 @@
-<script type="text/x-handlebars" data-template-name="welcome">
-    <p>
-        This tutorial is great for getting familiar with the command line
-         interface to Vault. As soon as you opened this terminal, you are connected to a real in-memory Vault server.
-        Any commands you enter will work as they would with Vault normally, but leaving this page
-        will end the session.
-    </p>
-    <p>
-     Please note that this is running in a shared environment, so avoid setting any real secrets.
-    </p>
-    <p>
-        <strong>Use the command "next" to move forward</strong>.
-    </p>
-    <p>This will work throughout
-        the tutorial, along with "previous" to go back a step.
-    </p>
-</script>
-
-
-<script type="text/x-handlebars" data-template-name="steps">
-    <p>
-        This tutorial will walk you through the following:
-    </p>
-    <ul>
-        <li>- Initializing and unsealing your Vault</li>
-        <li>- Authorizing your requests to Vault</li>
-        <li>- Reading and writing versioned secrets</li>
-        <li>- Updating the stored secrets</li>
-        <li>- Deleting the existing secrets</li>
-        <li>- Sealing your Vault</li>
-    </ul>
-    <p>
-        <strong>Again, use "next" to move to the first step – initializing your Vault</strong>.
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="init">
-    <p>
-        To get started, we need to initialize an instance of Vault for you
-        to work with.
-    </p>
-    <p>
-        While initializing, you can configure the seal behavior
-        of Vault.
-        </p>
-    <p>
-        Initialize Vault now, with 1 unseal key for simplicity, using the command:
-    </p>
-    <p>
-        <code>vault operator init -key-shares=1 -key-threshold=1</code>
-    </p>
-    <p>
-        You'll notice Vault prints out several keys here. Don't clear your terminal,
-        as these are needed in the next few steps.
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="unseal">
-    <p>
-        When a Vault server is started, it starts in a sealed state.
-         In this state, Vault is configured to know where and how to access the
-         physical storage, but doesn't know how to decrypt any of it.
-    </p>
-    <p>
-        Vault encrypts data with an encryption key. This key is encrypted with the "master key", which
-        isn't stored. Decrypting the master key requires a threshold of shards. In this example,
-        we use one shard to decrypt this master key.
-    </p>
-    <p>
-        Unseal the Vault:
-    </p>
-    <p>
-        <code>vault operator unseal &lt;key 1&gt;</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="auth">
-    <p>
-        Before performing any operation with Vault, the
-        connecting client must be authenticated. Authentication is
-        the process of verifying a person or machine is who they say
-        they are and assigning an identity to them. This identity is then
-        used when making requests with Vault.
-    </p>
-    <p>
-        For simplicity, we'll use the root token we generated on init in Step 2. This
-        output should be available in the scrollback.
-    </p>
-    <p>
-        Authorize with a client token:
-    </p>
-    <p>
-        <code>vault login &lt;root token&gt;</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="list">
-    <p>
-        Vault's secrets engines are components which store, generate or encrypt data.
-        List which secret engines have been enabled and ready to use.
-    </p>
-    <p>
-        <code>vault secrets list</code>
-    </p>
-    <p>
-        Key/Value Version 2 secret engine is enabled at "secret/" which retains a configurable number of data versions.
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="secrets">
-    <p>
-        Now we can start reading and writing secrets with the default enabled
-        secrets engine. Secrets written to Vault are encrypted and then written
-        to the backend storage. The backend storage mechanism never sees the
-        unencrypted value and doesn't have the means necessary to decrypt it
-        without Vault.
-    </p>
-    <p>
-        <code>vault kv put secret/apikey key="my-test-key"</code>
-    </p>
-    <p>
-        Of course, you can then read this data too:
-    </p>
-    <p>
-        <code>vault kv get secret/apikey</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="update">
-    <p>
-        Let's update the stored data by running the "put" command again:
-    </p>
-    <p>
-        <code>vault kv put secret/apikey key="my-test-key" owner="dev"</code>
-    </p>
-    <p>
-        This creates version 2 of the data at secret/apikey.
-    </p>
-    <p>
-        What happens if you execute the following command?
-    </p>
-    <p>
-        <code>vault kv put secret/apikey owner="ops"</code>
-    </p>
-    <p>
-        Run the "get" command again to see what values are stored:
-    </p>
-    <p>
-        <code>vault kv get secret/apikey</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="patch">
-    <p>
-        The "put" operation updates the existing data.
-        When you want to partially update the data without overwriting the rest, use the "patch" command.
-    </p>
-    <p>
-        <code>vault kv patch secret/apikey year="2018"</code>
-    </p>
-    <p>
-        Run the "get" command again to verify that the year was simply added to the existing data:
-    </p>
-    <p>
-        <code>vault kv get secret/apikey</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="versions">
-    <p>
-        The following command retrieves the key metadata at secret/apikey:
-    </p>
-    <p>
-        <code>vault kv metadata get secret/apikey</code>
-    </p>
-    <p>
-        At this point, there are four versions of the data.
-        To retrieve the first version of the secret:
-    </p>
-    <p>
-        <code>vault kv get -version=1 secret/apikey</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="delete">
-    <p>
-        You can delete specific version(s) of the secret:
-    </p>
-    <p>
-        <code>vault kv delete -versions=1 secret/apikey</code>
-    </p>
-    <p>
-        Retrieve the version 1 of the data again.  Since the data was deleted, only the metadata gets displayed with data deletion time.
-    </p>
-    <p>
-        <code>vault kv get -version=1 secret/apikey</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="recover">
-    <p>
-        When the data was deleted unintentionally, you can recover by executing the "undelete" command:
-    </p>
-    <p>
-        <code>vault kv undelete -versions=1 secret/apikey</code>
-    </p>
-    <p>
-        Once the data was recovered, you should be able to retrieve the version 1 of the data successfully:
-    </p>
-    <p>
-        <code>vault kv get -version=1 secret/apikey</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="destroy">
-    <p>
-        To permanently delete the data version(s), perform the "destroy" operation instead of "delete":
-    </p>
-    <p>
-        <code>vault kv destroy -versions=1 secret/apikey</code>
-    </p>
-    <p>
-        Now, the version 1 of the data is no longer recoverable.
-    </p>
-    <p>
-        The following command deletes all versions and metadata at secret/apikey:
-    </p>
-    <p>
-        <code>vault kv metadata delete secret/apikey</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="help">
-    <p>
-        At this point, secret/apikey no longer exists.  You can verify it by executing the following command:
-    </p>
-    <p>
-        <code>vault kv list secret/</code>
-    </p>
-    <p>
-        To learn more about the K/V command:
-    </p>
-    <p>
-        <code>vault kv -h</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="seal">
-    <p>
-        There is also an API to seal the Vault. This will throw
-        away the encryption key and require another unseal process
-        to restore it. Sealing only requires a single operator
-        with root privileges. This is typically part of a rare "break glass
-        procedure".
-    </p>
-    <p>
-        This way, if there is a detected intrusion, the Vault data can be locked
-        quickly to try to minimize damages. It can't be accessed again
-        without access to the master key shards.
-    </p>
-    <p>
-        <code>vault operator seal</code>
-    </p>
-</script>
-
-<script type="text/x-handlebars" data-template-name="finish">
-    <p>
-        Thanks for trying out the Vault CLI. If you want to keep playing with
-        commands, use "fu" to go fullscreen.
-    </p>
-    <p>
-        Note that the Vault CLI uses the HTTP API, which gives you full access to Vault. Every aspect
-        of Vault can be controlled via this API.
-    </p>
-    <p>
-        We recommend reading through the <a href="/intro/index.html">intro guide</a> next, which will
-        provide more background information, use cases and examples.
-    </p>
-</script>
diff --git a/website/source/_ember_templates.html.erb b/website/source/_ember_templates.html.erb
deleted file mode 100644
index 23184ab273c3..000000000000
--- a/website/source/_ember_templates.html.erb
+++ /dev/null
@@ -1,32 +0,0 @@
-<!-- TODO Precompile ember templates -->
-
-<script type="text/x-handlebars" data-template-name="demo">
-{{outlet}}
-</script>
-
-<script type="text/x-handlebars" data-template-name="demo/step">
-
-<div class="instruction-wrapper">
-    <div class="instruction">
-        <p>
-        <strong>{{model.humanName}}</strong>
-        </p>
-
-        {{partial model.instructionTemplate}}
-    </div>
-</div>
-
-<span class="close-terminal" {{action "close"}}>&times;</span>
-
-<div {{bind-attr class=":demo-terminal fullscreen:fullscreen" }}>
-    <div class="log">{{renderedLogs}}</div>
-
-    <form {{action "submitText" on="submit"}}>
-        {{#unless isLoading}}${{/unless}} {{input value=currentText class="shell" autocomplete="off" spellcheck="false"}}
-    </form>
-
-    {{#if isLoading}}
-    <div class="loading-bar"></div>
-    {{/if}}
-</div>
-</script>
diff --git a/website/source/android-manifest.json.erb b/website/source/android-manifest.json.erb
deleted file mode 100644
index be0a4bb9bc33..000000000000
--- a/website/source/android-manifest.json.erb
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  "name": "Vault",
-  "icons": [
-    {
-      "src": "<%= image_path('favicons/android-chrome-192x192.png') %>",
-      "sizes": "192x192",
-      "type": "image/png"
-    },
-    {
-      "src": "<%= image_path('favicons/android-chrome-512x512.png') %>",
-      "sizes": "512x512",
-      "type": "image/png"
-    }
-  ],
-  "theme_color": "#ffffff",
-  "background_color": "#ffffff",
-  "display": "standalone"
-}
diff --git a/website/source/api/auth/alicloud/index.html.md.erb b/website/source/api/auth/alicloud/index.html.md.erb
deleted file mode 100644
index d12416d7af82..000000000000
--- a/website/source/api/auth/alicloud/index.html.md.erb
+++ /dev/null
@@ -1,217 +0,0 @@
----
-layout: "api"
-page_title: "AliCloud - Auth Methods - HTTP API"
-sidebar_title: "AliCloud"
-sidebar_current: "api-http-auth-alicloud"
-description: |-
-  This is the API documentation for the Vault AliCloud auth method.
----
-
-# AliCloud Auth Method (API)
-
-This is the API documentation for the Vault AliCloud auth method. For
-general information about the usage and operation of the AliCloud method, please
-see the [Vault AliCloud auth method documentation](/docs/auth/alicloud.html).
-
-This documentation assumes the AliCloud auth method is mounted at the `/auth/alicloud`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Create Role
-
-Registers a role. Only entities using the role registered using this endpoint 
-will be able to perform the login operation.
-
-| Method   | Path                             |
-| :------------------------------- | :--------------------- |
-| `POST`   | `/auth/alicloud/role/:role`      |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role. Must correspond with the name of the role reflected in the arn.
-- `arn` `(string: <required>)` - The role's arn.
-
-<%=partial("partials/tokenfields")%>
-
-### Sample Payload
-
-```json
-{
-  "arn": "acs:ram::5138828231865461:role/dev-role",
-  "policies": [
-    "dev",
-    "prod"
-  ]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
-```
-
-## Read Role
-
-Returns the previously registered role configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/alicloud/role/:role`  |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "arn": "acs:ram::5138828231865461:role/dev-role",
-    "policies": [
-      "default",
-      "dev",
-      "prod"
-    ],
-    "ttl": 1800000,
-    "max_ttl": 1800000,
-    "period": 0
-  }
-}
-```
-
-## List Roles
-
-Lists all the roles that are registered with the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/alicloud/roles`       |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/alicloud/roles
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "dev-role",
-      "prod-role"
-    ]
-  }
-}
-```
-
-## Delete Role
-
-Deletes the previously registered role.
-
-| Method   | Path                             |
-| :------------------------------- | :--------------------- |
-| `DELETE` | `/auth/alicloud/role/:role`      |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
-```
-
-## Login
-
-Fetch a token. This endpoint verifies the signature of the signed 
-GetCallerIdentity request.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/alicloud/login`       |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role.
-- `identity_request_url` `(string: <required>)` - Base64-encoded HTTP URL used in
-  the signed request.
-- `identity_request_headers` `(string: <required>)` - Base64-encoded,
-  JSON-serialized representation of the sts:GetCallerIdentity HTTP request
-  headers. The JSON serialization assumes that each header key maps to either a
-  string value or an array of string values (though the length of that array
-  will probably only be one).
-
-
-### Sample Payload
-
-```json
-{
-  "role": "dev-role",
-  "identity_request_url": "aWRlbnRpdHlabrVxdWVzdF91cmw=",
-  "identity_request_headers": "aWRlimRpdHlfcmVxdWVzdF9oZWFkZXJz"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/alicloud/login
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "renewable": true,
-    "lease_duration": 1800000,
-    "metadata": {
-      "role_tag_max_ttl": "0",
-      "instance_id": "i-de0f1344",
-      "ami_id": "ami-fce36983",
-      "role": "dev-role",
-      "auth_type": "ec2",
-      "account_id":    "5138828231865461",
-      "user_id":       "216959339000654321",
-      "role_id":       "4657-abcd",
-      "arn":           "acs:ram::5138828231865461:assumed-role/dev-role/vm-ram-i-rj978rorvlg76urhqh7q",
-      "identity_type": "assumed-role",
-      "principal_id":  "vm-ram-i-rj978rorvlg76urhqh7q",
-      "request_id":    "D6E46F10-F26C-4AA0-BB69-FE2743D9AE62",
-      "role_name":     "dev-role"
-    },
-    "policies": [
-      "default",
-      "dev"
-    ],
-    "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
-    "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
-  }
-}
-```
diff --git a/website/source/api/auth/app-id/index.html.md b/website/source/api/auth/app-id/index.html.md
deleted file mode 100644
index 0a73c9896790..000000000000
--- a/website/source/api/auth/app-id/index.html.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-layout: "api"
-page_title: "AppID - Auth Methods - HTTP API"
-sidebar_title: "App ID <sup>DEPRECATED</sup>"
-sidebar_current: "api-http-auth-appid"
-description: |-
-  This is the API documentation for the Vault App ID auth method.
----
-
-# AppID Auth Method (API)
-
-~> This API is deprecated and will be removed in a future version of Vault.
-Please use AppRole instead.
-
-This is the API documentation for the Vault App ID auth method. For
-general information about the usage and operation of the App ID method, please
-see the [Vault App ID method documentation](/docs/auth/app-id.html).
-
-This documentation assumes the App ID method is mounted at the `/auth/app-id`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
diff --git a/website/source/api/auth/approle/index.html.md.erb b/website/source/api/auth/approle/index.html.md.erb
deleted file mode 100644
index c3bbc026b18c..000000000000
--- a/website/source/api/auth/approle/index.html.md.erb
+++ /dev/null
@@ -1,663 +0,0 @@
----
-layout: "api"
-page_title: "AppRole - Auth Methods - HTTP API"
-sidebar_title: "AppRole"
-sidebar_current: "api-http-auth-approle"
-description: |-
-  This is the API documentation for the Vault AppRole auth method.
----
-
-# AppRole Auth Method (API)
-
-This is the API documentation for the Vault AppRole auth method. For
-general information about the usage and operation of the AppRole method, please
-see the [Vault AppRole method documentation](/docs/auth/approle.html).
-
-This documentation assumes the AppRole method is mounted at the `/auth/approle`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## List Roles
-
-This endpoint returns a list the existing AppRoles in the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/approle/role`         |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/approle/role
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "dev",
-      "prod",
-      "test"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Create/Update AppRole
-
-Creates a new AppRole or updates an existing AppRole. This endpoint
-supports both `create` and `update` capabilities. There can be one or more
-constraints enabled on the role. It is required to have at least one of them
-enabled while creating or updating a role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/role/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
-- `bind_secret_id` `(bool: true)` - Require `secret_id` to be presented when
-  logging in using this AppRole.
-- `secret_id_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
-  blocks; if set, specifies blocks of IP addresses which can perform the login
-  operation.
-- `secret_id_num_uses` `(integer: 0)` - Number of times any particular SecretID
-  can be used to fetch a token from this AppRole, after which the SecretID will
-  expire.  A value of zero will allow unlimited uses.
-- `secret_id_ttl` `(string: "")` - Duration in either an integer number of
-  seconds (`3600`) or an integer time unit (`60m`) after which any SecretID
-  expires.
-- `enable_local_secret_ids` `(bool: false)` - If set, the secret IDs generated
-  using this role will be cluster local. This can only be set during role
-  creation and once set, it can't be reset later.
-
-<%=partial("partials/tokenfields")%>
-
-### Sample Payload
-
-```json
-{
-  "token_ttl": "10m",
-  "token_max_ttl": "15m",
-  "token_policies": [
-    "default"
-  ],
-  "period": 0,
-  "bind_secret_id": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1
-```
-
-## Read AppRole
-
-Reads the properties of an existing AppRole.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/approle/role/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "token_ttl": 1200,
-    "token_max_ttl": 1800,
-    "secret_id_ttl": 600,
-    "secret_id_num_uses": 40,
-    "token_policies": [
-      "default"
-    ],
-    "period": 0,
-    "bind_secret_id": true,
-    "bound_cidr_list": []
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Delete AppRole
-
-Deletes an existing AppRole from the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/approle/role/:role_name`    |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1
-```
-
-## Read AppRole Role ID
-
-Reads the RoleID of an existing AppRole.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/approle/role/:role_name/role-id` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "role_id": "e5a7b66e-5d08-da9c-7075-71984634b882"
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Update AppRole Role ID
-
-Updates the RoleID of an existing AppRole to a custom value.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/role/:role_name/role-id` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
-- `role_id` `(string: <required>)` - Value to be set as RoleID.
-
-### Sample Payload
-
-```json
-{
-  "role_id": "custom-role-id"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "role_id": "e5a7b66e-5d08-da9c-7075-71984634b882"
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Generate New Secret ID
-
-Generates and issues a new SecretID on an existing AppRole. Similar to
-tokens, the response will also contain a `secret_id_accessor` value which can
-be used to read the properties of the SecretID without divulging the SecretID
-itself, and also to delete the SecretID from the AppRole.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/role/:role_name/secret-id` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
-- `metadata` `(string: "")` -  Metadata to be tied to the SecretID. This should be
-  a JSON-formatted string containing the metadata in key-value pairs. This
-  metadata will be set on tokens issued with this SecretID, and is logged in
-  audit logs _in plaintext_.
-- `cidr_list` `(array: [])` -  Comma separated string or list of CIDR blocks
-  enforcing secret IDs to be used from specific set of IP addresses. If
-  `bound_cidr_list` is set on the role, then the list of CIDR blocks listed
-  here should be a subset of the CIDR blocks listed on the role.
-- `token_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
-  blocks; if set, specifies blocks of IP addresses which can use the auth tokens
-  generated by this SecretID. Overrides any role-set value but must be a subset.
-
-### Sample Payload
-
-```json
-{
-  "metadata": "{ \"tag1\": \"production\" }"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780",
-    "secret_id": "841771dc-11c9-bbc7-bcac-6a3945a69cd9"
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## List Secret ID Accessors
-
-Lists the accessors of all the SecretIDs issued against the AppRole.
-This includes the accessors for "custom" SecretIDs as well.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/approle/role/:role_name/secret-id` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "ce102d2a-8253-c437-bf9a-aceed4241491",
-      "a1c8dee4-b869-e68d-3520-2040c1a0849a",
-      "be83b7e2-044c-7244-07e1-47560ca1c787",
-      "84896a0c-1347-aa90-a4f6-aca8b7558780",
-      "239b1328-6523-15e7-403a-a48038cdc45a"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Read AppRole Secret ID
-
-Reads out the properties of a SecretID.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/role/:role_name/secret-id/lookup` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
--  `secret_id` `(string: <required>)` - Secret ID attached to the role.
-
-### Sample Payload
-
-```json
-{
-  "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id/lookup
-```
-
-## Destroy AppRole Secret ID
-
-Destroy an AppRole secret ID.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/role/:role_name/secret-id/destroy` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
--  `secret_id` `(string: <required>)` - Secret ID attached to the role.
-
-### Sample Payload
-
-```json
-{
-  "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id/destroy
-```
-
-## Read AppRole Secret ID Accessor
-
-Reads out the properties of a SecretID.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/role/:role_name/secret-id-accessor/lookup` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
--  `secret_id_accessor` `(string: <required>)` - Secret ID accessor attached to the role.
-
-### Sample Payload
-
-```json
-{
-  "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id-accessor/lookup
-```
-
-## Destroy AppRole Secret ID Accessor
-
-Destroy an AppRole secret ID by its accessor.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/role/:role_name/secret-id-accessor/destroy` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
--  `secret_id_accessor` `(string: <required>)` - Secret ID accessor attached to the role.
-
-### Sample Payload
-
-```json
-{
-  "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id-accessor/destroy
-```
-
-## Create Custom AppRole Secret ID
-
-Assigns a "custom" SecretID against an existing AppRole. This is used in the
-"Push" model of operation.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/role/:role_name/custom-secret-id` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - Name of the AppRole.
--  `secret_id` `(string: <required>)` - SecretID to be attached to the Role.
-- `metadata` `(string: "")` -  Metadata to be tied to the SecretID. This should be
-  a JSON-formatted string containing the metadata in key-value pairs. This
-  metadata will be set on tokens issued with this SecretID, and is logged in
-  audit logs _in plaintext_.
-- `cidr_list` `(array: [])` - Comma separated string or list of CIDR blocks
-  enforcing secret IDs to be used from specific set of IP addresses. If
-  `bound_cidr_list` is set on the role, then the list of CIDR blocks listed
-  here should be a subset of the CIDR blocks listed on the role.
-- `token_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
-  blocks; if set, specifies blocks of IP addresses which can use the auth tokens
-  generated by this SecretID. Overrides any role-set value but must be a subset.
-
-### Sample Payload
-
-```json
-{
-  "secret_id": "testsecretid"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/role/application1/custom-secret-id
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780",
-    "secret_id": "testsecretid"
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Login With AppRole
-
-Issues a Vault token based on the presented credentials. `role_id` is always
-required; if `bind_secret_id` is enabled (the default) on the AppRole,
-`secret_id` is required too. Any other bound authentication values on the
-AppRole (such as client IP CIDR) are also evaluated.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/approle/login`        |
-
-### Parameters
-
-- `role_id` `(string: <required>)` - RoleID of the AppRole.
--  `secret_id` `(string: <required>)` - SecretID belonging to AppRole.
-
-### Sample Payload
-
-```json
-{
-  "role_id": "59d6d1ca-47bb-4e7e-a40b-8be3bc5a0ba8",
-  "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/approle/login
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "renewable": true,
-    "lease_duration": 1200,
-    "metadata": null,
-    "token_policies": [
-      "default"
-    ],
-    "accessor": "fd6c9a00-d2dc-3b11-0be5-af7ae0e1d374",
-    "client_token": "5b1a0318-679c-9c45-e5c6-d1b9a9035d49"
-  },
-  "warnings": null,
-  "wrap_info": null,
-  "data": null,
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Read, Update, or Delete AppRole Properties
-
-Updates the respective property in the existing AppRole. All of these
-parameters of the AppRole can be updated using the `/auth/approle/role/:role_name`
-endpoint directly. The endpoints for each field is provided separately
-to be able to delegate specific endpoints using Vault's ACL system.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/policies`  | `200/204` |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/secret-id-num-uses`  | `200/204` |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/secret-id-ttl`  | `200/204` |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/token-ttl`  | `200/204` |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/token-max-ttl`  | `200/204` |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/bind-secret-id`  | `200/204` |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/secret-id-bound-cidrs`  | `200/204` |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/token-bound-cidrs`  | `200/204` |
-| `GET/POST/DELETE`   | `/auth/approle/role/:role_name/period`  | `200/204` |
-
-Refer to `/auth/approle/role/:role_name` endpoint.
-
-## Tidy Tokens
-
-Performs some maintenance tasks to clean up invalid entries that may remain
-in the token store. Generally, running this is not needed unless upgrade
-notes or support personnel suggest it. This may perform a lot of I/O to the
-storage method so should be used sparingly.
-
-| Method   | Path                            |
-| :------------------------------ | :--------------------- |
-| `POST`   | `/auth/approle/tidy/secret-id`  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/approle/tidy/secret-id
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "b20b56e3-4699-5b19-cc6b-e74f7b787bbf",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": [
-    "Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs."
-  ],
-  "auth": null
-}
-```
diff --git a/website/source/api/auth/aws/index.html.md.erb b/website/source/api/auth/aws/index.html.md.erb
deleted file mode 100644
index 133d3492f30a..000000000000
--- a/website/source/api/auth/aws/index.html.md.erb
+++ /dev/null
@@ -1,1310 +0,0 @@
----
-layout: "api"
-page_title: "AWS - Auth Methods - HTTP API"
-sidebar_title: "AWS"
-sidebar_current: "api-http-auth-aws"
-description: |-
-  This is the API documentation for the Vault AWS auth method.
----
-
-# AWS Auth Method (API)
-
-This is the API documentation for the Vault AWS auth method. For
-general information about the usage and operation of the AWS method, please
-see the [Vault AWS method documentation](/docs/auth/aws.html).
-
-This documentation assumes the AWS method is mounted at the `/auth/aws`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Configure Client
-
-Configures the credentials required to perform API calls to AWS as well as
-custom endpoints to talk to AWS APIs. The instance identity document
-fetched from the PKCS#7 signature will provide the EC2 instance ID. The
-credentials configured using this endpoint will be used to query the status
-of the instances via DescribeInstances API. If static credentials are not
-provided using this endpoint, then the credentials will be retrieved from
-the environment variables `AWS_ACCESS_KEY`, `AWS_SECRET_KEY` and
-`AWS_REGION` respectively. If the credentials are still not found and if the
-method is configured on an EC2 instance with metadata querying
-capabilities, the credentials are fetched automatically.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/config/client`    |
-
-### Parameters
-
-- `max_retries` `(int: -1)` - Number of max retries the client should use for
-  recoverable errors. The default (`-1`) falls back to the AWS SDK's default
-  behavior.
-- `access_key` `(string: "")` - AWS Access key with permissions to query AWS
-  APIs. The permissions required depend on the specific configurations. If using
-  the `iam` auth method without inferencing, then no credentials are necessary.
-  If using the `ec2` auth method or using the `iam` auth method with
-  inferencing, then these credentials need access to `ec2:DescribeInstances`. If
-  additionally a `bound_iam_role` is specified, then these credentials also need
-  access to `iam:GetInstanceProfile`. If, however, an alternate sts
-  configuration is set for the target account, then the credentials must be
-  permissioned to call `sts:AssumeRole` on the configured role, and that role
-  must have the permissions described here.
-- `secret_key` `(string: "")` - AWS Secret key with permissions to query AWS
-  APIs.
-- `endpoint` `(string: "")` - URL to override the default generated endpoint for
-  making AWS EC2 API calls.
-- `iam_endpoint` `(string: "")` - URL to override the default generated endpoint
-  for making AWS IAM API calls.
-- `sts_endpoint` `(string: "")` - URL to override the default generated endpoint
-  for making AWS STS API calls. If set, `sts_region` should also be set.
-- `sts_region` `(string: "")` - Region to override the default region for making
-  AWS STS API calls. Should only be set if `sts_endpoint` is set. If so, should
-  be set to the region in which the custom `sts_endpoint` resides.
-- `iam_server_id_header_value` `(string: "")` - The value to require in the
-  `X-Vault-AWS-IAM-Server-ID` header as part of GetCallerIdentity requests that
-  are used in the iam auth method. If not set, then no value is required or
-  validated. If set, clients must include an X-Vault-AWS-IAM-Server-ID header in
-  the headers of login requests, and further this header must be among the
-  signed headers validated by AWS. This is to protect against different types of
-  replay attacks, for example a signed request sent to a dev server being resent
-  to a production server. Consider setting this to the Vault server's DNS name.
-
-### Sample Payload
-
-```json
-{
-  "access_key": "VKIAJBRHKH6EVTTNXDHA",
-  "secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/config/client
-```
-
-## Read Config
-
-Returns the previously configured AWS access credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/aws/config/client`     |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/aws/config/client
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "access_key": "VKIAJBRHKH6EVTTNXDHA",
-    "endpoint": "",
-    "iam_endpoint": "",
-    "sts_endpoint": "",
-    "sts_region": "",
-    "iam_server_id_header_value": ""
-  }
-}
-```
-
-## Delete Config
-
-Deletes the previously configured AWS access credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/aws/config/client`  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/aws/config/client
-```
-
-## Configure Identity Integration
-
-This configures the way that Vault interacts with the
-[Identity](/docs/secrets/identity/index.html) store. The default (as of Vault
-1.0.3) is `role_id` for both values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/config/identity`  |
-
-### Parameters
-
-- `iam_alias` `(string: "role_id")` - How to generate the identity alias when
-  using the `iam` auth method. Valid choices are `role_id`, `unique_id`, and
-  `full_arn`  When `role_id` is selected, the randomly generated ID of the role
-  is used. When `unique_id` is selected, the [IAM Unique
-  ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
-  of the IAM principal (either the user or role) is used as the identity alias
-  name. When `full_arn` is selected, the ARN returned by the
-  `sts:GetCallerIdentity` call is used as the alias name. This is either
-  `arn:aws:iam::<account_id>:user/<optional_path/><user_name>` or
-  `arn:aws:sts::<account_id>:assumed-role/<role_name_without_path>/<role_session_name>`.
-  **Note**: if you select `full_arn` and then delete and recreate the IAM role,
-  Vault won't be aware and any identity aliases set up for the role name will
-  still be valid.
-
-- `ec2_alias` `(string: "role_id")` - Configures how to generate the identity
-  alias when using the `ec2` auth method. Valid choices are `role_id`,
-  `instance_id`, and `image_id`. When `role_id` is selected, the randomly
-  generated ID of the role is used. When `instance_id` is selected, the
-  instance identifier is used as the identity alias name. When `image_id` is
-  selected, AMI ID of the instance is used as the identity alias name.
-
-### Sample Payload
-
-```json
-{
-  "iam_alias": "unique_id"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    -- header "X-Vault-Token:..." \
-    --request POST
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/config/identity
-```
-
-## Read Identity Integration Configuration
-
-Returns the previously configured Identity integration configuration
-
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/aws/config/identity`   |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token:..." \
-    http://127.0.0.1:8200/v1/auth/aws/config/identity
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "iam_alias": "full_arn"
-  }
-}
-```
-
-## Create Certificate Configuration
-
-Registers an AWS public key to be used to verify the instance identity
-documents. While the PKCS#7 signature of the identity documents have DSA
-digest, the identity signature will have RSA digest, and hence the public
-keys for each type varies respectively. Indicate the type of the public key
-using the "type" parameter.
-
-| Method   | Path                                         |
-| :------------------------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/config/certificate/:cert_name`    |
-
-### Parameters
-
-- `cert_name` `(string: <required>)` - Name of the certificate.
-- `aws_public_cert` `(string: <required>)` - Base64 encoded AWS Public key required to verify
-  PKCS7 signature of the EC2 instance metadata.
-- `type` `(string: "pkcs7")` - Takes the value of either "pkcs7" or "identity",
-  indicating the type of document which can be verified using the given
-  certificate. The PKCS#7 document will have a DSA digest and the identity
-  signature will have an RSA signature, and accordingly the public certificates
-  to verify those also vary. Defaults to "pkcs7".
-
-### Sample Payload
-
-```json
-{
-  "aws_public_cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM3VENDQXEwQ0NRQ1d1a2paNVY0YVp6QUpCZ2NxaGtqT09BUURNRnd4Q3pBSkJnTlZCQVlUQWxWVE1Sa3cKRndZRFZRUUlFeEJYWVhOb2FXNW5kRzl1SUZOMFlYUmxNUkF3RGdZRFZRUUhFd2RUWldGMGRHeGxNU0F3SGdZRApWUVFLRXhkQmJXRjZiMjRnVjJWaUlGTmxjblpwWTJWeklFeE1RekFlRncweE1qQXhNRFV4TWpVMk1USmFGdzB6Ck9EQXhNRFV4TWpVMk1USmFNRnd4Q3pBSkJnTlZCQVlUQWxWVE1Sa3dGd1lEVlFRSUV4QlhZWE5vYVc1bmRHOXUKSUZOMFlYUmxNUkF3RGdZRFZRUUhFd2RUWldGMGRHeGxNU0F3SGdZRFZRUUtFeGRCYldGNmIyNGdWMlZpSUZObApjblpwWTJWeklFeE1RekNDQWJjd2dnRXNCZ2NxaGtqT09BUUJNSUlCSHdLQmdRQ2prdmNTMmJiMVZRNHl0LzVlCmloNU9PNmtLL24xTHpsbHI3RDhad3RRUDhmT0VwcDVFMm5nK0Q2VWQxWjFnWWlwcjU4S2ozbnNzU05wSTZiWDMKVnlJUXpLN3dMY2xuZC9Zb3pxTk5tZ0l5WmVjTjdFZ2xLOUlUSEpMUCt4OEZ0VXB0M1FieVlYSmRtVk1lZ042UApodmlZdDVKSC9uWWw0aGgzUGExSEpkc2tnUUlWQUxWSjNFUjExK0tvNHRQNm53dkh3aDYrRVJZUkFvR0JBSTFqCmsrdGtxTVZIdUFGY3ZBR0tvY1Rnc2pKZW02LzVxb216SnVLRG1iSk51OVF4dzNyQW90WGF1OFFlK01CY0psL1UKaGh5MUtIVnBDR2w5ZnVlUTJzNklMMENhTy9idXljVTFDaVlRazQwS05IQ2NIZk5pWmJkbHgxRTlycFVwN2JuRgpsUmEydjFudE1YM2NhUlZEZGJ0UEVXbWR4U0NZc1lGRGs0bVpyT0xCQTRHRUFBS0JnRWJtZXZlNWY4TElFL0dmCk1ObVA5Q001ZW92UU9HeDVobzhXcUQrYVRlYnMrazJ0bjkyQkJQcWVacXBXUmE1UC8ranJkS21sMXF4NGxsSFcKTVhyczNJZ0liNitoVUlCK1M4ZHo4L21tTzBicHI3NlJvWlZDWFlhYjJDWmVkRnV0N3FjM1dVSDkrRVVBSDVtdwp2U2VEQ09VTVlRUjdSOUxJTll3b3VISXppcVFZTUFrR0J5cUdTTTQ0QkFNREx3QXdMQUlVV1hCbGs0MHhUd1N3CjdIWDMyTXhYWXJ1c2U5QUNGQk5HbWRYMlpCclZOR3JOOU4yZjZST2swazlLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
-```
-
-## Read Certificate Configuration
-
-Returns the previously configured AWS public key.
-
-| Method   | Path                                     |
-| :--------------------------------------- | :--------------------- |
-| `GET`   | `/auth/aws/config/certificate/:cert_name` |
-
-### Parameters
-
-- `cert_name` `(string: <required>)` - Name of the certificate.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
-```
-
-### Sample Response
-
-```json
-{
-        "data": {
-                "aws_public_cert": "-----BEGIN CERTIFICATE-----\nMIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw\nFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD\nVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z\nODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u\nIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl\ncnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e\nih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3\nVyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P\nhviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j\nk+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U\nhhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF\nlRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf\nMNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW\nMXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw\nvSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw\n7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K\n-----END CERTIFICATE-----\n",
-                "type": "pkcs7"
-        }
-}
-```
-
-## Delete Certificate Configuration
-
-Removes the previously configured AWS public key.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `DELETE` | `/auth/aws/config/certificate/:cert_name` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
-```
-
-## List Certificate Configurations
-
-Lists all the AWS public certificates that are registered with the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/aws/config/certificates` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/aws/config/certificates
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "cert1"
-    ]
-  }
-}
-```
-
-## Create STS Role
-
-Allows the explicit association of STS roles to satellite AWS accounts
-(i.e. those which are not the account in which the Vault server is
-running.) Vault will use credentials obtained by assuming these STS roles
-when validating IAM principals or EC2 instances in the particular AWS account.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/config/sts/:account_id` |
-
-### Parameters
-
-- `account_id` `(string: <required>)` - AWS account ID to be associated with
-  STS role. If set, Vault will use assumed credentials to verify any login
-  attempts from EC2 instances in this account.
-- `sts_role` `(string: <required>)` - AWS ARN for STS role to be assumed when
-  interacting with the account specified.  The Vault server must have
-  permissions to assume this role.
-
-### Sample Payload
-
-```json
-{
-  "sts_role": "arn:aws:iam:111122223333:role/myRole"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
-```
-
-## Read STS Role
-
-Returns the previously configured STS role.
-
-| Method   | Path                               |
-| :--------------------------------- | :--------------------- |
-| `GET`    | `/auth/aws/config/sts/:account_id` |
-
-### Parameters
-
-- `account_id` `(string: <required>)` - AWS account ID that has been
-  previously associated with STS role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "sts_role ": "arn:aws:iam:111122223333:role/myRole"
-  }
-}
-```
-
-## List STS Roles
-
-Lists all the AWS Account IDs for which an STS role is registered.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/aws/config/sts`       |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/aws/config/sts
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "111122223333",
-      "999988887777"
-    ]
-  }
-}
-```
-
-## Delete STS Role
-
-Deletes a previously configured AWS account/STS role association.
-
-| Method   | Path                               |
-| :--------------------------------- | :------------------|
-| `DELETE` | `/auth/aws/config/sts/:account_id` |
-
-### Parameters
-
-- `account_id` `(string: <required>)` - AWS account ID that has been
-  previously associated with STS role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
-```
-
-## Configure Identity Whitelist Tidy Operation
-
-Configures the periodic tidying operation of the whitelisted identity entries.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/config/tidy/identity-whitelist` |
-
-### Parameters
-
-- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
-  passed beyond the `roletag` expiration, before it is removed from the method
-  storage. Defaults to 72h.
-- `disable_periodic_tidy` `(bool: false)` - If set to 'true', disables the
-  periodic tidying of the `identity-whitelist/<instance_id>` entries.
-
-### Sample Payload
-
-```json
-{
-  "safety_buffer": "48h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-whitelist
-```
-
-## Read Identity Whitelist Tidy Settings
-
-Returns the previously configured periodic whitelist tidying settings.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/aws/config/tidy/identity-whitelist` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-whitelist
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "safety_buffer": 600,
-    "disable_periodic_tidy": false
-  }
-}
-```
-
-## Delete Identity Whitelist Tidy Settings
-
-Deletes the previously configured periodic whitelist tidying settings.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE`   | `/auth/aws/config/tidy/identity-whitelist` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-whitelist
-```
-
-## Configure Role Tag Blacklist Tidy Operation
-
-Configures the periodic tidying operation of the blacklisted role tag entries.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/config/tidy/roletag-blacklist` |
-
-### Parameters
-
-- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
-  passed beyond the `roletag` expiration, before it is removed from the method
-  storage. Defaults to 72h.
-- `disable_periodic_tidy` `(bool: false)` - If set to 'true', disables the
-  periodic tidying of the `roletag-blacklist/<instance_id>` entries.
-
-### Sample Payload
-
-```json
-{
-  "safety_buffer": "48h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-blacklist
-```
-
-## Read Role Tag Blacklist Tidy Settings
-
-Returns the previously configured periodic blacklist tidying settings.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/aws/config/tidy/roletag-blacklist` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-blacklist
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "safety_buffer": 600,
-    "disable_periodic_tidy": false
-  }
-}
-```
-
-## Delete Role Tag Blacklist Tidy Settings
-
-Deletes the previously configured periodic blacklist tidying settings.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE`   | `/auth/aws/config/tidy/roletag-blacklist` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-blacklist
-```
-
-## Create Role
-
-Registers a role in the method. Only those instances or principals which
-are using the role registered using this endpoint, will be able to perform
-the login operation. Constraints can be specified on the role, that are
-applied on the instances or principals attempting to login. At least one
-constraint must be specified on the role. The available constraints you
-can choose are dependent on the `auth_type` of the role and, if the
-`auth_type` is `iam`, then whether inferencing is enabled. A role will not
-let you configure a constraint if it is not checked by the `auth_type` and
-inferencing configuration of that role. For the constraints which accept a list
-of values, the authenticating instance/principal must match any one value in the
-list in order to satisfy that constraint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/role/:role`       |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role. Vault normalizes all role
-  names to lower case. If you create two roles, "Web-Workers" and "WEB-WORKERS",
-  they will both be normalized to "web-workers" and will be regarded as the same role.
-  This is to prevent unexpected behavior due to casing differences. At all points,
-  Vault can be provided the role in any casing, and it will internally handle
-  sending it to lower case and seeking it inside its storage engine.
-- `auth_type` `(string: "iam")` - The auth type permitted for this role. Valid
-  choices are "ec2" or "iam".  If no value is specified, then it will default to
-  "iam" (except for legacy `aws-ec2` auth types, for which it will default to
-  "ec2"). Only those bindings applicable to the auth type chosen will be allowed
-  to be configured on the role.
-- `bound_ami_id` `(list: [])` - If set, defines a constraint on the EC2
-  instances that they should be using one of the AMI ID specified by this parameter.
-  This constraint is checked during ec2 auth as well as the iam auth method only
-  when inferring an EC2 instance. This is a comma-separated string or JSON
-  array.
-- `bound_account_id` `(list: [])` - If set, defines a constraint on the EC2
-  instances that the account ID in its identity document to match one of the ones
-  specified by this parameter. This constraint is checked during ec2 auth as
-  well as the iam auth method only when inferring an EC2 instance. This is a
-  comma-separated string or JSON array.
-- `bound_region` `(list: [])` - If set, defines a constraint on the EC2
-  instances that the region in its identity document must match one of the
-  regions specified by this parameter. This constraint is only checked by the ec2 auth
-  method as well as the iam auth method only when inferring an ec2 instance.
-  This is a comma-separated string or JSON array.
-- `bound_vpc_id` `(list: [])` - If set, defines a constraint on the EC2
-  instance to be associated with a VPC ID that matches one of the values specified by
-  this parameter. This constraint is only checked by the ec2 auth method as well
-  as the iam auth method only when inferring an ec2 instance. This is a
-  comma-separated string or JSON array.
-- `bound_subnet_id` `(list: [])` - If set, defines a constraint on the EC2
-  instance to be associated with a subnet ID that matches one of the values specified
-  by this parameter. This constraint is only checked by the ec2 auth method as
-  well as the iam auth method only when inferring an ec2 instance. This is a
-  comma-separated string or a JSON array.
-- `bound_iam_role_arn` `(list: [])` - If set, defines a constraint on the
-  authenticating EC2 instance that it must match one of the IAM role ARNs specified by
-  this parameter.  Wildcards are supported at the end of the ARN to allow for
-  prefix matching. The configured IAM user or EC2 instance role must be allowed to
-  execute the `iam:GetInstanceProfile` action if this is specified. This
-  constraint is checked by the ec2 auth method as well as the iam auth method
-  only when inferring an EC2 instance. This is a comma-separated string or a
-  JSON array.
-- `bound_iam_instance_profile_arn` `(list: [])` - If set, defines a constraint
-  on the EC2 instances to be associated with an IAM instance profile ARN.
-  Wildcards are supported at the end of the ARN to allow for prefix matching.
-  This constraint is
-  checked by the ec2 auth method as well as the iam auth method only when
-  inferring an ec2 instance. This is a comma-separated string or a JSON array.
-- `bound_ec2_instance_id` `(list: [])` - If set, defines a constraint on the
-  EC2 instances to have one of these instance IDs. This constraint is checked by
-  the ec2 auth method as well as the iam auth method only when inferring an ec2
-  instance. This is a comma-separated string or a JSON array.
-- `role_tag` `(string: "")` - If set, enables the role tags for this role. The
-  value set for this field should be the 'key' of the tag on the EC2 instance.
-  The 'value' of the tag should be generated using `role/<role>/tag` endpoint.
-  Defaults to an empty string, meaning that role tags are disabled. This
-  constraint is valid only with the ec2 auth method and is not allowed when
-  `auth_type` is iam.
-- `bound_iam_principal_arn` `(list: [])` - Defines the list of IAM principals
-  that are permitted to login to the role using the iam auth method. Individual
-  values should look like "arn:aws:iam::123456789012:user/MyUserName" or
-  "arn:aws:iam::123456789012:role/MyRoleName". Wildcards are supported at the
-  end of the ARN, e.g., "arn:aws:iam::123456789012:\*" will match any IAM
-  principal in the AWS account 123456789012. When `resolve_aws_unique_ids` is
-  `false` and you are binding to IAM roles (as opposed to users) and you are not
-  using a wildcard at the end, then you must specify the ARN by omitting any
-  path component; see the documentation for `resolve_aws_unique_ids` below.
-  This constraint is only checked by
-  the iam auth method. Wildcards are supported at the end of the ARN, e.g.,
-  "arn:aws:iam::123456789012:role/\*" will match all roles in the AWS account.
-  This is a comma-separated string or JSON array.
-- `inferred_entity_type` `(string: "")` -  When set, instructs Vault to turn on
-  inferencing. The only current valid value is "ec2\_instance" instructing Vault
-  to infer that the role comes from an EC2 instance in an IAM instance profile.
-  This only applies to the iam auth method. If you set this on an existing role
-  where it had not previously been set, tokens that had been created prior will
-  not be renewable; clients will need to get a new token.
-- `inferred_aws_region` `(string: "")` - When role inferencing is activated, the
-  region to search for the inferred entities (e.g., EC2 instances). Required if
-  role inferencing is activated. This only applies to the iam auth method.
-- `resolve_aws_unique_ids` `(bool: true)` - When set, resolves the
-  `bound_iam_principal_arn` to the
-  [AWS Unique ID](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
-  for the bound principal ARN. This field is ignored when
-  `bound_iam_principal_arn` ends with a wildcard character.
-  This requires Vault to be able to call `iam:GetUser` or `iam:GetRole` on the
-  `bound_iam_principal_arn` that is being bound. Resolving to internal AWS IDs
-  more closely mimics the behavior of AWS services in that if an IAM user or
-  role is deleted and a new one is recreated with the same name, those new users
-  or roles won't get access to roles in Vault that were permissioned to the
-  prior principals of the same name. The default value for new roles is true,
-  while the default value for roles that existed prior to this option existing
-  is false (you can check the value for a given role using the GET method on the
-  role). Any authentication tokens created prior to this being supported won't
-  verify the unique ID upon token renewal.  When this is changed from false to
-  true on an existing role, Vault will attempt to resolve the role's bound IAM
-  ARN to the unique ID and, if unable to do so, will fail to enable this option.
-  Changing this from `true` to `false` is not supported; if absolutely
-  necessary, you would need to delete the role and recreate it explicitly
-  setting it to `false`. However; the instances in which you would want to do
-  this should be rare. If the role creation (or upgrading to use this) succeed,
-  then Vault has already been able to resolve internal IDs, and it doesn't need
-  any further IAM permissions to authenticate users. If a role has been deleted
-  and recreated, and Vault has cached the old unique ID, you should just call
-  this endpoint specifying the same `bound_iam_principal_arn` and, as long as
-  Vault still has the necessary IAM permissions to resolve the unique ID, Vault
-  will update the unique ID. (If it does not have the necessary permissions to
-  resolve the unique ID, then it will fail to update.) If this option is set to
-  false, then you MUST leave out the path component in `bound_iam_principal_arn`
-  for **roles** that do not specify a wildcard at the end, but not IAM users or
-  role bindings that have a wildcard. That is, if your IAM role ARN is of the
-  form `arn:aws:iam::123456789012:role/some/path/to/MyRoleName`, and
-  `resolve_aws_unique_ids` is `false`, you **must** specify a
-  `bound_iam_principal_arn` of `arn:aws:iam::123456789012:role/MyRoleName` for
-  authentication to work.
-- `allow_instance_migration` `(bool: false)` - If set, allows migration of the
-  underlying instance where the client resides. This keys off of pendingTime in
-  the metadata document, so essentially, this disables the client nonce check
-  whenever the instance is migrated to a new host and pendingTime is newer than
-  the previously-remembered time. Use with caution. This only applies to
-  authentications via the ec2 auth method. This is mutually exclusive with
-  `disallow_reauthentication`.
-- `disallow_reauthentication` `(bool: false)` - If set, only allows a single
-  token to be granted per instance ID. In order to perform a fresh login, the
-  entry in whitelist for the instance ID needs to be cleared using
-  `auth/aws/identity-whitelist/<instance_id>` endpoint. Defaults to 'false'.
-  This only applies to authentications via the ec2 auth method. This is mutually
-  exclusive with `allow_instance_migration`.
-
-<%=partial("partials/tokenfields")%>
-
-### Sample Payload
-
-```json
-{
-  "bound_ami_id": ["ami-fce36987"],
-  "bound_ec2_instance_id": ["i-12345678901234567"],
-  "role_tag": "",
-  "policies": [
-    "default",
-    "dev",
-    "prod"
-  ],
-  "max_ttl": 1800000,
-  "disallow_reauthentication": false,
-  "allow_instance_migration": false
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/role/dev-role
-```
-
-## Read Role
-
-Returns the previously registered role configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/aws/role/:role`        |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/aws/role/dev-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "bound_ami_id": ["ami-fce36987"],
-    "role_tag": "",
-    "policies": [
-      "default",
-      "dev",
-      "prod"
-    ],
-    "max_ttl": 1800000,
-    "disallow_reauthentication": false,
-    "allow_instance_migration": false
-  }
-}
-```
-
-## List Roles
-
-Lists all the roles that are registered with the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/aws/roles`       |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/aws/roles
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "dev-role",
-      "prod-role"
-    ]
-  }
-}
-```
-
-## Delete Role
-
-Deletes the previously registered role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/aws/role/:role`       |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/aws/role/dev-role
-```
-
-## Create Role Tags
-
-Creates a role tag on the role, which help in restricting the capabilities
-that are set on the role. Role tags are not tied to any specific ec2
-instance unless specified explicitly using the `instance_id` parameter. By
-default, role tags are designed to be used across all instances that
-satisfies the constraints on the role. Regardless of which instances have
-role tags on them, capabilities defined in a role tag must be a strict
-subset of the given role's capabilities.  Note that, since adding and
-removing a tag is often a widely distributed privilege, care needs to be
-taken to ensure that the instances are attached with correct tags to not
-let them gain more privileges than what were intended.  If a role tag is
-changed, the capabilities inherited by the instance will be those defined
-on the new role tag. Since those must be a subset of the role
-capabilities, the role should never provide more capabilities than any
-given instance can be allowed to gain in a worst-case scenario.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/role/:role/tag`   |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role.
-- `policies` `(array: [])` - Policies to be associated with the tag. If set,
-  must be a subset of the role's policies. If set, but set to an empty value,
-  only the 'default' policy will be given to issued tokens.
-- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using
-  this role.
-- `instance_id` `(string: "")` - Instance ID for which this tag is intended for.
-  If set, the created tag can only be used by the instance with the given ID.
-- `allow_instance_migration` `(bool: false)` - If set, allows migration of the
-  underlying instance where the client resides. This keys off of pendingTime in
-  the metadata document, so essentially, this disables the client nonce check
-  whenever the instance is migrated to a new host and pendingTime is newer than
-  the previously-remembered time. Use with caution. Defaults to 'false'.
-  Mutually exclusive with `disallow_reauthentication`.
-- `disallow_reauthentication` `(bool: false)` - If set, only allows a single
-  token to be granted per instance ID. This can be cleared with the
-  auth/aws/identity-whitelist endpoint. Defaults to 'false'. Mutually exclusive
-  with `allow_instance_migration`.
-
-### Sample Payload
-
-```json
-{
-  "policies": ["default", "dev-api"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/role/dev-api-and-web-role/tag
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "tag_value": "v1:09Vp0qGuyB8=:r=dev-role:p=default,dev-api:d=false:t=300h0m0s:uPLKCQxqsefRhrp1qmVa1wsQVUXXJG8UZP/pJIdVyOI=",
-    "tag_key": "VaultRole"
-  }
-}
-```
-
-## Login
-
-Fetch a token. This endpoint verifies the pkcs7 signature of the instance
-identity document or the signature of the signed GetCallerIdentity request.
-With the ec2 auth method, or when inferring an EC2 instance, verifies that
-the instance is actually in a running state.  Cross checks the constraints
-defined on the role with which the login is being performed. With the ec2
-auth method, as an alternative to pkcs7 signature, the identity document
-along with its RSA digest can be supplied to this endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/login`            |
-
-### Sample Payload
-
-- `role` `(string: "")` - Name of the role against which the login is being
-  attempted.  If `role` is not specified, then the login endpoint looks for a
-  role bearing the name of the AMI ID of the EC2 instance that is trying to
-  login if using the ec2 auth method, or the "friendly name" (i.e., role name or
-  username) of the IAM principal authenticated. If a matching role is not found,
-  login fails.
-- `identity` `(string: <required-ec2>)` - Base64 encoded EC2 instance identity
-  document. This needs to be supplied along with the `signature` parameter. If
-  using `curl` for fetching the identity document, consider using the option
-  `-w 0` while piping the output to `base64` binary.
-- `signature` `(string: <required-ec2>)` - Base64 encoded SHA256 RSA signature of
-  the instance identity document. This needs to be supplied along with
-  `identity` parameter when using the ec2 auth method.
-- `pkcs7` `(string: <required-ec2>)` - PKCS7 signature of the identity document with
-  all `\n` characters removed.  Either this needs to be set *OR* both `identity`
-  and `signature` need to be set when using the ec2 auth method.
-- `nonce` `(string: "")` - The nonce to be used for subsequent login requests.
-  If this parameter is not specified at all and if reauthentication is allowed,
-  then the method will generate a random nonce, attaches it to the instance's
-  identity-whitelist entry and returns the nonce back as part of auth metadata.
-  This value should be used with further login requests, to establish client
-  authenticity. Clients can choose to set a custom nonce if preferred, in which
-  case, it is recommended that clients provide a strong nonce.  If a nonce is
-  provided but with an empty value, it indicates intent to disable
-  reauthentication. Note that, when `disallow_reauthentication` option is
-  enabled on either the role or the role tag, the `nonce` holds no significance.
-  This is ignored unless using the ec2 auth method.
-- `iam_http_request_method` `(string: <required-iam>)` - HTTP method used in the
-  signed request. Currently only POST is supported, but other methods may be
-  supported in the future. This is required when using the iam auth method.
-- `iam_request_url` `(string: <required-iam>)` - Base64-encoded HTTP URL used in
-  the signed request. Most likely just `aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=`
-  (base64-encoding of `https://sts.amazonaws.com/`) as most requests will
-  probably use POST with an empty URI. This is required when using the iam auth
-  method.
-- `iam_request_body` `(string: <required-iam>)` - Base64-encoded body of the
-  signed request. Most likely
-  `QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==` which is the
-  base64 encoding of `Action=GetCallerIdentity&Version=2011-06-15`. This is
-  required when using the iam auth method.
-- `iam_request_headers` `(string: <required-iam>)` - Key/value pairs of headers
-  for use in the `sts:GetCallerIdentity` HTTP requests headers. Can be either a
-  Base64-encoded, JSON-serialized string, or a JSON object of key/value pairs. The
-  JSON serialization assumes that each header key maps to either a string value or
-  an array of string values (though the length of that array will probably only be
-  one). If the `iam_server_id_header_value` is configured in Vault for the aws
-  auth mount, then the headers must include the X-Vault-AWS-IAM-Server-ID header,
-  its value must match the value configured, and the header must be included in
-  the signed headers.  This is required when using the iam auth method.
-
-
-### Sample Payload
-
-```json
-{}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/aws/login
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "renewable": true,
-    "lease_duration": 1800000,
-    "metadata": {
-      "role_tag_max_ttl": "0",
-      "instance_id": "i-de0f1344",
-      "ami_id": "ami-fce36983",
-      "role": "dev-role",
-      "auth_type": "ec2"
-    },
-    "policies": [
-      "default",
-      "dev"
-    ],
-    "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
-    "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
-  }
-}
-```
-
-## Place Role Tags in Blacklist
-
-Places a valid role tag in a blacklist. This ensures that the role tag
-cannot be used by any instance to perform a login operation again.  Note
-that if the role tag was previously used to perform a successful login,
-placing the tag in the blacklist does not invalidate the already issued
-token.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/roletag-blacklist/:role_tag`            |
-
-### Parameters
-
-- `role_tag` `(string: <required>)` - Role tag to be blacklisted. This is the `tag_value` returned when the role tag is
-  created. The tag can be supplied as-is. In order to avoid any encoding problems, it can be base64
-  encoded.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/aws/roletag-blacklist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
-```
-
-### Read Role Tag Blacklist Information
-
-Returns the blacklist entry of a previously blacklisted role tag.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/aws/roletag-blacklist/:role_tag`            |
-
-### Parameters
-
-- `role_tag` `(string: <required>)` - Role tag to be blacklisted. The tag can be
-  supplied as-is. In order to avoid any encoding problems, it can be base64
-  encoded.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/aws/roletag-blacklist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
-```
-
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "expiration_time": "2016-04-25T10:35:20.127058773-04:00",
-    "creation_time": "2016-04-12T22:35:01.178348124-04:00"
-  }
-}
-```
-
-## List Blacklist Tags
-
-Lists all the role tags that are blacklisted.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/aws/roletag-blacklist`       |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/aws/roletag-blacklist
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "v1:09Vp0qGuyB8=:a=ami-fce3c696:p=default,prod:d=false:t=300h0m0s:uPLKCQxqsefRhrp1qmVa1wsQVUXXJG8UZP/"
-    ]
-  }
-}
-```
-
-## Delete Blacklist Tags
-
-Deletes a blacklisted role tag.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/aws/roletag-blacklist/:role_tag`       |
-
-### Parameters
-
-- `role_tag` `(string: <required>)` - Role tag to be blacklisted. The tag can be
-  supplied as-is. In order to avoid any encoding problems, it can be base64
-  encoded.
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/aws/roletag-blacklist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
-```
-
-## Tidy Blacklist Tags
-
-Cleans up the entries in the blacklist based on expiration time on the entry and
-`safety_buffer`.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/tidy/roletag-blacklist` |
-
-### Parameters
-
-- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
-  passed beyond the `roletag` expiration, before it is removed from the method
-  storage. Defaults to 72h.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/aws/tidy/roletag-blacklist
-```
-
-### Read Identity Whitelist Information
-
-Returns an entry in the whitelist. An entry will be created/updated by every
-successful login.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/aws/identity-whitelist/:instance_id`            |
-
-### Parameters
-
-- `instance_id` `(string: <required>)` - EC2 instance ID. A successful login
-  operation from an EC2 instance gets cached in this whitelist, keyed off of
-  instance ID.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/aws/identity-whitelist/i-aab47d37
-```
-
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "pending_time": "2016-04-14T01:01:41Z",
-    "expiration_time": "2016-05-05 10:09:16.67077232 +0000 UTC",
-    "creation_time": "2016-04-14 14:09:16.67077232 +0000 UTC",
-    "client_nonce": "5defbf9e-a8f9-3063-bdfc-54b7a42a1f95",
-    "role": "dev-role"
-  }
-}
-```
-
-## List Identity Whitelist Entries
-
-  Lists all the instance IDs that are in the whitelist of successful logins.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/aws/identity-whitelist`       |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/aws/identity-whitelist
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "i-aab47d37"
-    ]
-  }
-}
-```
-
-## Delete Identity Whitelist Entries
-
-Deletes a cache of the successful login from an instance.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/aws/identity-whitelist/:instance_id`       |
-
-### Parameters
-
-- `instance_id` `(string: <required>)` - EC2 instance ID. A successful login
-  operation from an EC2 instance gets cached in this whitelist, keyed off of
-  instance ID.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/aws/identity-whitelist/i-aab47d37
-```
-
-## Tidy Identity Whitelist Entries
-
-Cleans up the entries in the whitelist based on expiration time and
-`safety_buffer`.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/aws/tidy/identity-whitelist` |
-
-### Parameters
-
-- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
-  passed beyond the `roletag` expiration, before it is removed from the method
-  storage. Defaults to 72h.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/aws/tidy/identity-whitelist
-```
diff --git a/website/source/api/auth/azure/index.html.md.erb b/website/source/api/auth/azure/index.html.md.erb
deleted file mode 100644
index 11e112c3ba2d..000000000000
--- a/website/source/api/auth/azure/index.html.md.erb
+++ /dev/null
@@ -1,322 +0,0 @@
----
-layout: "api"
-page_title: "Azure - Auth Methods - HTTP API"
-sidebar_title: "Azure"
-sidebar_current: "api-http-auth-azure"
-description: |-
-  This is the API documentation for the Vault Azure authentication
-  method plugin.
----
-
-# Azure Auth Method (API)
-
-This is the API documentation for the Vault Azure auth method
-plugin. To learn more about the usage and operation, see the
-[Vault Azure method documentation](/docs/auth/azure.html).
-
-This documentation assumes the plugin method is mounted at the
-`/auth/azure` path in Vault. Since it is possible to enable auth methods
-at any location, please update your API calls accordingly.
-
-## Configure
-
-Configures the credentials required for the plugin to perform API calls
-to Azure. These credentials will be used to query the metadata about the
-virtual machine.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/azure/config`         |
-
-### Parameters
-
-- `tenant_id` `(string: <required>)` - The tenant id for the Azure Active Directory organization.
-- `resource` `(string: <required>)` - The configured URL for the application registered in Azure Active Directory.
-- `environment` `(string: 'AzurePublicCloud')` - The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.
-- `client_id` `(string: '')` - The client id for credentials to query the Azure APIs.  Currently read permissions to query compute resources are required.
-- `client_secret` `(string: '')` - The client secret for credentials to query the Azure APIs. 
-
-### Sample Payload
-
-```json
-{
-  "tenant_id": "kd83...",
-  "resource": "https://vault.hashicorp.com/",
-  "client_id": "12ud...",
-  "client_secret": "DUJDS3..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/auth/azure/config
-```
-
-# Read Config
-
-Returns the previously configured config, including credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/azure/config`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/auth/azure/config
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "tenant_id": "kd83...",
-    "resource": "https://vault.hashicorp.com/",
-    "client_id": "12ud...",
-    "client_secret": "DUJDS3..."
-  },
-  ...
-}
-
-```
-
-## Delete Config
-
-Deletes the previously configured Azure config and credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/azure/config`         |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/auth/azure/config
-```
-
-## Create Role
-
-Registers a role in the method. Role types have specific entities
-that can perform login operations against this endpoint. Constraints specific
-to the role type must be set on the role. These are applied to the authenticated
-entities attempting to login.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/azure/role/:name`       |
-
-### Parameters
-- `name` `(string: <required>)` - Name of the role.
-- `bound_service_principal_ids` `(array: [])` - The list of Service Principal IDs 
-  that login is restricted to.
-- `bound_group_ids` `(array: [])` - The list of group ids that login is restricted 
-  to.
-- `bound_locations` `(array: [])` - The list of locations that login is restricted to.
-- `bound_subscription_ids` `(array: [])` - The list of subscription IDs that login 
-  is restricted to.
-- `bound_resource_groups` `(array: [])` - The list of resource groups that
-  login is restricted to. 
-- `bound_scale_sets` `(array: [])` - The list of scale set names that the 
-  login is restricted to. 
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "token_policies": [
-    "default",
-    "dev",
-    "prod"
-  ],
-  "max_ttl": 1800000,
-  "max_jwt_exp": 10000,
-  "bound_resource_groups": [
-    "vault-dev",
-    "vault-staging",
-    "vault-prod"
-  ]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/auth/azure/role/dev-role
-```
-
-## Read Role
-
-Returns the previously registered role configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/azure/role/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/auth/azure/role/dev-role
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "token_policies": [
-        "default",
-        "dev",
-        "prod"
-    ],
-    "max_ttl": 1800000,
-    "max_jwt_exp": 10000,
-    "bound_resource_groups": [
-        "vault-dev",
-        "vault-staging",
-        "vault-prod"
-    ]
-  },
-  ...
-}
-
-```
-
-## List Roles
-
-Lists all the roles that are registered with the plugin.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/azure/role`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/auth/azure/role
-```
-
-### Sample Response
-
-```json  
-{
-  "data": {
-    "keys": [
-      "dev-role",
-      "prod-role"
-    ]
-  },
-  ...
-}
-```
-
-## Delete Role
-
-Deletes the previously registered role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/azure/role/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/auth/azure/role/dev-role
-```
-
-## Login
-
-Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
-a role name for some entity. It verifies the JWT signature to authenticate that
-entity and then authorizes the entity for the given role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/azure/login`          |
-
-### Sample Payload
-
-- `role` `(string: <required>)` - Name of the role against which the login is being
-  attempted.
-- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT) from Azure MSI.
-- `subscription_id` `(string: "")` - The subscription ID for the machine that
-  generated the MSI token.  This information can be obtained through instance
-  metadata.
-- `resource_group_name` `(string: "")` - The resource group for the machine that
-  generated the MSI token.  This information can be obtained through instance
-  metadata.
-- `vm_name` `(string: "")` - The virtual machine name for the machine that
-  generated the MSI token.  This information can be obtained through instance
-  metadata.  If vmss_name is provided, this value is ignored.
-- `vmss_name` `(string: "")` - The virtual machine scale set name for the machine 
-  that generated the MSI token.  This information can be obtained through instance
-  metadata.
-
-### Sample Payload
-
-```json
-{
-    "role": "dev-role",
-    "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/auth/azure/login
-```
-
-### Sample Response
-
-```json
-{
-    "auth":{
-        "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
-        "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
-        "token_policies":[
-            "default",
-            "dev",
-            "prod"
-        ],
-        "lease_duration":2764800,
-        "renewable":true
-    },
-    ...
-}
-```
diff --git a/website/source/api/auth/cert/index.html.md.erb b/website/source/api/auth/cert/index.html.md.erb
deleted file mode 100644
index d7c2b517a9fe..000000000000
--- a/website/source/api/auth/cert/index.html.md.erb
+++ /dev/null
@@ -1,371 +0,0 @@
----
-layout: "api"
-page_title: "TLS Certificate - Auth Methods - HTTP API"
-sidebar_title: "TLS Certificates"
-sidebar_current: "api-http-auth-cert"
-description: |-
-  This is the API documentation for the Vault TLS Certificate authentication
-  method.
----
-
-# TLS Certificate Auth Method (API)
-
-This is the API documentation for the Vault TLS Certificate authentication
-method. For general information about the usage and operation of the TLS
-Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert.html).
-
-This documentation assumes the TLS Certificate method is mounted at the
-`/auth/cert` path in Vault. Since it is possible to enable auth methods at any
-location, please update your API calls accordingly.
-
-## Create CA Certificate Role
-
-Sets a CA cert and associated parameters in a role name.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/cert/certs/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the certificate role.
-- `certificate` `(string: <required>)` - The PEM-format CA certificate.
-- `allowed_names` `(string: "")` - DEPRECATED: Please use the individual
-  `allowed_X_sans` parameters instead. Constrain the Common and Alternative
-  Names in the client certificate with a [globbed pattern]
-  (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
-  a comma-separated list of patterns. Authentication requires at least one Name
-  matching at least one pattern. If not set, defaults to allowing all names.
-- `allowed_common_names` `(string: "" or array: [])` - Constrain the Common
-  Names in the client certificate with a [globbed pattern]
-  (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
-  a comma-separated list of patterns. Authentication requires at least one Name
-  matching at least one pattern. If not set, defaults to allowing all names.
-- `allowed_dns_sans` `(string: "" or array: [])` - Constrain the Alternative
-  Names in the client certificate with a [globbed pattern]
-  (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
-  a comma-separated list of patterns. Authentication requires at least one DNS
-  matching at least one pattern. If not set, defaults to allowing all dns.
-- `allowed_email_sans` `(string: "" or array: [])` - Constrain the Alternative
-  Names in the client certificate with a [globbed pattern]
-  (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
-  a comma-separated list of patterns. Authentication requires at least one
-  Email matching at least one pattern. If not set, defaults to allowing all
-  emails.
-- `allowed_uri_sans` `(string: "" or array: [])` - Constrain the Alternative
-  Names in the client certificate with a [globbed pattern]
-  (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
-  a comma-separated list of URI patterns. Authentication requires at least one
-  URI matching at least one pattern. If not set, defaults to allowing all URIs.
-- `allowed_organizational_units` `(string: "" or array: [])` - Constrain the
-  Organizational Units (OU) in the client certificate with a [globbed pattern]
-  (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
-  a comma-separated list of OU patterns. Authentication requires at least one
-  OU matching at least one pattern. If not set, defaults to allowing all OUs.
-- `required_extensions` `(string: "" or array: [])` - Require specific Custom
-  Extension OIDs to exist and match the pattern. Value is a comma separated
-  string or array of `oid:value`. Expects the extension value to be some type
-  of ASN1 encoded string. All conditions _must_ be met. Supports globbing on
-  `value`.
-- `display_name` `(string: "")` - The `display_name` to set on tokens issued
-  when authenticating against this CA certificate. If not set, defaults to the
-  name of the role.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
-  "display_name": "test",
-  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json
-    http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
-```
-
-## Read CA Certificate Role
-
-Gets information associated with the named role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/cert/certs/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the certificate role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
-    "display_name": "test",
-    "policies": "",
-    "allowed_names": "",
-    "required_extensions": "",
-    "ttl": 2764800,
-    "max_ttl": 2764800,
-    "period": 0
-  },
-  "warnings": null,
-  "auth": null
-}
-```
-
-## List Certificate Roles
-
-Lists configured certificate names.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/cert/certs`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/cert/certs
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "cert1",
-      "cert2"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Delete Certificate Role
-
-Deletes the named role and CA cert from the method mount.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/cert/certs/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the certificate role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/cert/certs/cert1
-```
-
-## Create CRL
-
-Sets a named CRL.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/cert/crls/:name`      |
-
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the CRL.
-- `crl` `(string: <required>)` - The PEM format CRL.
-
-### Sample Payload
-
-```json
-{
-  "crl": "-----BEGIN X509 CRL-----\n...\n-----END X509 CRL-----"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
-```
-
-## Read CRL
-
-Gets information associated with the named CRL (currently, the serial
-numbers contained within).  As the serials can be integers up to an
-arbitrary size, these are returned as strings.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/cert/crls/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the CRL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "serials": {
-      "13": {}
-    }
-  },
-  "lease_duration": 0,
-  "lease_id": "",
-  "renewable": false,
-  "warnings": null
-}
-```
-
-## Delete CRL
-
-Deletes the named CRL from the auth method mount.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/cert/crls/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the CRL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/cert/crls/cert1
-```
-
-## Configure TLS Certificate Method
-
-Configuration options for the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/cert/config`          |
-
-### Parameters
-
-- `disable_binding` `(boolean: false)` - If set, during renewal, skips the
-  matching of presented client identity with the client identity used during
-  login.
-
-### Sample Payload
-
-```json
-{
-  "disable_binding": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/cert/certs/cert1
-```
-
-## Login with TLS Certificate Method
-
-Log in and fetch a token. If there is a valid chain to a CA configured in the
-method and all role constraints are matched, a token will be issued. If the
-certificate has DNS SANs in it, each of those will be verified. If Common Name
-is required to be verified, then it should be a fully qualified DNS domain name
-and must be duplicated as a DNS SAN (see
-https://tools.ietf.org/html/rfc6125#section-2.3)
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/cert/login`           |
-
-### Parameters
-
-- `name` `(string: "")` - Authenticate against only the named certificate role,
-  returning its policy list if successful. If not set, defaults to trying all
-  certificate roles and returning any one that matches.
-
-### Sample Payload
-
-```json
-{
-  "name": "cert1"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --cert cert.pem \
-    --key key.pem \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/auth/cert/login
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "client_token": "cf95f87d-f95b-47ff-b1f5-ba7bff850425",
-    "policies": [
-      "web",
-      "stage"
-    ],
-    "lease_duration": 3600,
-    "renewable": true,
-  }
-}
-```
diff --git a/website/source/api/auth/cf/index.html.md.erb b/website/source/api/auth/cf/index.html.md.erb
deleted file mode 100644
index 854b70efc237..000000000000
--- a/website/source/api/auth/cf/index.html.md.erb
+++ /dev/null
@@ -1,333 +0,0 @@
----
-layout: "api"
-page_title: "Cloud Foundry - Auth Methods - HTTP API"
-sidebar_title: "Cloud Foundry"
-sidebar_current: "api-http-auth-cf"
-description: |-
-  This is the API documentation for the Vault Cloud Foundry auth method.
----
-
-# Pivotal Cloud Foundry (CF) Auth Method (API)
-
-This is the API documentation for the Vault CF auth method. For
-general information about the usage and operation of the CF method, please
-see the [Vault CF method documentation](/docs/auth/cf.html).
-
-This documentation assumes the CF method is mounted at the `/auth/cf`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Create Configuration
-
-Configure the root CA certificate to be used for verifying instance identity
-certificates, and configure access to the CF API. For detailed instructions
-on how to obtain these values, please see the [Vault CF method
-documentation](/docs/auth/cf.html).
-
-| Method   | Path                  |
-| :--------|---------------------- |
-| `POST`   | `/auth/cf/config`    |
-
-### Parameters
-
-- `identity_ca_certificates` `(array: [], required)` - The root CA certificate(s) 
-to be used for verifying that the `CF_INSTANCE_CERT` presented for logging in was
-issued by the proper authority.
-- `cf_api_addr` `(string: required)`: CF's full API address, to be used for verifying
-that a given `CF_INSTANCE_CERT` shows an application ID, space ID, and organization ID 
-that presently exist.
-- `cf_username` `(string: required)`: The username for authenticating to the CF API.
-- `cf_password` `(string: required)`: The password for authenticating to the CF API.
-- `cf_api_trusted_certificates` `(array: [])`: The certificate that's presented by the
-CF API. This configures Vault to trust this certificate when making API calls, resolving
-`x509: certificate signed by unknown authority` errors.
-- `login_max_seconds_not_before` `(int: 300)`: The maximum number of seconds in the past when a
-signature could have been created. The lower the value, the lower the risk of replay
-attacks.
-- `login_max_seconds_not_after` `(int: 60)`: In case of clock drift, the maximum number of
-seconds in the future when a signature could have been created. The lower the value, 
-the lower the risk of replay attacks.
-
-### Sample Payload
-
-```json
-{
-  "identity_ca_certificates": ["-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"],
-  "cf_api_addr": "https://api.sys.somewhere.cf-app.com",
-  "cf_username": "vault",
-  "cf_password": "pa55w0rd",
-  "cf_api_trusted_certificates": ["-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"],
-  "login_max_seconds_not_before": 5,
-  "login_max_seconds_not_after": 1
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/cf/config
-```
-
-## Read Config
-
-Returns the present CF configuration.
-
-| Method   | Path                  |
-| :--------|---------------------- |
-| `GET`    | `/auth/cf/config`    |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/cf/config
-```
-
-### Sample Response
-
-```json
-{
-  "identity_ca_certificates": ["-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"],
-  "cf_api_addr": "https://api.sys.somewhere.cf-app.com",
-  "cf_username": "vault",
-  "cf_api_trusted_certificates": ["-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"],
-  "login_max_seconds_not_before": 5,
-  "login_max_seconds_not_after": 1
-}
-```
-
-## Delete Config
-
-Deletes the present CF configuration.
-
-| Method   | Path                  |
-| :--------|---------------------- |
-| `DELETE` | `/auth/cf/config`    |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/cf/config
-```
-
-## Create Role
-
-Create a role in Vault granting a particular level of access to a particular group
-of CF instances. We recommend using the CF API or the CF CLI to gain the IDs you
-wish to target. 
-
-If you list no `bound` parameters, then any entity with a valid 
-`CF_INSTANCE_CERT` that's been issued by any configured `identity_ca_certificates`
-will be able to authenticate against this role.
-
-| Method   | Path                   |
-| :--------|----------------------- |
-| `POST`   | `/auth/cf/roles/:role`|
-
-### Parameters
-
-- `role` `(string: required)` - The name of the role.
-- `bound_application_ids` `(array: [])` - An optional list of application IDs 
-an instance must be a member of to qualify as a member of this role.
-- `bound_space_ids` `(array: [])` - An optional list of space IDs 
-an instance must be a member of to qualify as a member of this role.
-- `bound_organization_ids` `(array: [])` - An optional list of organization IDs 
-an instance must be a member of to qualify as a member of this role.
-- `bound_instance_ids` `(array: [])` - An optional list of instance IDs 
-an instance must be a member of to qualify as a member of this role. Please note that 
-every time you use `cf push` on an app, its instance ID changes. Also, instance IDs 
-are not verifiable as being presently alive using the CF API. Thus, we recommend against
-using this setting for most use cases.
-- `disable_ip_matching` `(bool: false)` - If set to true, disables the default behavior 
-that logging in must be performed from an acceptable IP address described by the 
-certificate presented. Should only be set to true if required, generally when a proxy
-is used to perform logins.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "bound_application_ids": ["09d7eb6a-afc2-49a0-bb32-858c22f2b346"],
-  "bound_space_ids": ["21005ebb-8943-433e-84e6-d9d9d7338853"],
-  "bound_organization_ids": ["9785a884-5e93-49bd-97ee-57bf7c2b20e0"],
-  "bound_instance_ids": ["f3e0f176-3f83-4efb-5842-2ff4"],
-  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
-  "policies": ["default"],
-  "ttl": "1h",
-  "max_ttl": "1h",
-  "period": "1h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/cf/roles/:role
-```
-
-## Read Role
-
-Returns a CF role.
-
-| Method   | Path                   |
-| :--------|----------------------- |
-| `GET`    | `/auth/cf/roles/:role`|
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/cf/roles/:role
-```
-
-### Sample Response
-
-```json
-{
-  "bound_application_ids": ["09d7eb6a-afc2-49a0-bb32-858c22f2b346"],
-  "bound_space_ids": ["21005ebb-8943-433e-84e6-d9d9d7338853"],
-  "bound_organization_ids": ["9785a884-5e93-49bd-97ee-57bf7c2b20e0"],
-  "bound_instance_ids": ["f3e0f176-3f83-4efb-5842-2ff4"],
-  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
-  "policies": ["default"],
-  "ttl": 2764790,
-  "max_ttl": 2764790,
-  "period": 2764790
-}
-```
-
-## Delete Role
-
-Deletes a CF role.
-
-| Method   | Path                   |
-| :--------|----------------------- |
-| `DELETE` | `/auth/cf/roles/:role`|
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/cf/roles/:role
-```
-
-## List Roles
-
-Returns a CF role.
-
-| Method   | Path                   |
-| :--------|----------------------- |
-| `LIST`   | `/auth/cf/roles`      |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST
-    http://127.0.0.1:8200/v1/auth/cf/roles
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "role1",
-      "role2"
-    ]
-  }
-}
-```
-
-## Login
-
-Log in to CF.
-
-Vault provides both an agent and a CLI tool for logging in that
-eliminates the need to build a signature yourself. However, if you do wish to 
-build the signature, its signing algorithm is viewable [here](https://github.com/hashicorp/vault-plugin-auth-cf/tree/master/signatures).
-The [plugin repo](https://github.com/hashicorp/vault-plugin-auth-cf) also contains
-a command-line tool (`generate-signature`) that can be compiled as a binary for generating a signature,
-and a test that outputs steps in generating the signature so they can be duplicated.
-
-However, at a high level, these are the steps for generating a signature:
-- Get and format the current time, ex. `2006-01-02T15:04:05Z`.
-- Get the full body of the file located at `CF_INSTANCE_CERT`.
-- Get the name of the role.
-- Concatenate them together in the above order, with no extra string used for joining them.
-- Create a SHA256 checksum of the resulting string (`checksum` below).
-- Sign the string using the key located at `CF_INSTANCE_KEY`. In Go, this is performed using
-the following line of code which you can more deeply inspect: 
-```
-rsa.SignPSS(rand.Reader, rsaPrivateKey, crypto.SHA256, checksum, nil)
-```
-- Convert the signature to a string.
-
-| Method   | Path                   |
-| :--------|----------------------- |
-| `POST`   | `/auth/cf/login`      |
-
-### Parameters
-
-- `role` `(string: required)` - The name of the role.
-- `cf_instance_cert` `(string: required)` - The full body of the file available at
-the path denoted by `CF_INSTANCE_CERT`.
-- `signing_time` `(string: required)` - The date and time used to construct the signature.
-- `signature` `(string: required)` - The signature generated by the algorithm described
-above using the `CF_INSTANCE_KEY`.
-
-### Sample Payload
-
-```json
-{
-  "role": "test-role",
-  "cf_instance_cert": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
-  "signing_time": "2006-01-02T15:04:05Z",
-  "signature": "MmyUjQ1OqxQmF0W6raVQDL-hlqqe1oG-7abA6Oi3NHwT-9lMfrYxsCwMnd2HKGMly2tCgetcoA2orfquoe6MkMuksx_KGH_KLObcAykt53z4rHceHKGvm7eGj60cjWFYtiNPic-lzUGERLbUeKLMi6NlThm9ueb7hhpyTUpEYtphV3gorbVxvlkrnuYSbgy2NGpOUY1N8dRzcxmHkYjh12XoWEw4Is5aFr6eFKbZ0vmLWBzhJ7_w20CFyTpRYB-6heGz1iR9qEG8mZk3_x4rZpT5mejJ5zmH2xlUjBJMndfcz47btEi2BO9pFVxK2wK-tKeUUFgx6RcomAopTskkmg=="
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/cf/login
-```
-
-### Sample Response
-```json
-{
-  "auth": {
-    "renewable": true,
-    "lease_duration": 1800000,
-    "policies": [
-      "default",
-      "dev"
-    ],
-    "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
-    "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
-  }
-}
-```
diff --git a/website/source/api/auth/gcp/index.html.md.erb b/website/source/api/auth/gcp/index.html.md.erb
deleted file mode 100644
index 83627c3d9739..000000000000
--- a/website/source/api/auth/gcp/index.html.md.erb
+++ /dev/null
@@ -1,472 +0,0 @@
----
-layout: "api"
-page_title: "Google Cloud - Auth Methods - HTTP API"
-sidebar_title: "Google Cloud"
-sidebar_current: "api-http-auth-gcp"
-description: |-
-  This is the API documentation for the Vault Google Cloud authentication
-  method.
----
-
-# Google Cloud Auth Method (API)
-
-This is the API documentation for the Vault Google Cloud auth method. To learn
-more about the usage and operation, see the
-[Vault Google Cloud method documentation](/docs/auth/gcp.html).
-
-This documentation assumes the plugin method is mounted at the
-`/auth/gcp` path in Vault. Since it is possible to enable auth methods
-at any location, please update your API calls accordingly.
-
-## Configure
-
-Configures the credentials required for the plugin to perform API calls
-to Google Cloud. These credentials will be used to query the status of IAM
-entities and get service account or other Google public certificates
-to confirm signed JWTs passed in during login.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/gcp/config`           |
-
-### Parameters
-
-- `credentials` `(string: "")` - A JSON string containing the contents
-  of a GCP credentials file. The credentials file must have the following
-  [permissions](https://cloud.google.com/compute/docs/access/iam):
-
-    ```
-    iam.serviceAccounts.get
-    iam.serviceAccountKeys.get
-    ```
-
-    If this value is empty, Vault will try to use [Application Default
-    Credentials][gcp-adc] from the machine on which the Vault server is running.
-    
-    The project must have the `iam.googleapis.com` API [enabled](https://console.cloud.google.com/flows/enableapi?apiid=iam.googleapis.com).
-
-### Sample Payload
-
-```json
-{
-  "credentials": "{ \"type\": \"service_account\", \"project_id\": \"project-123456\", ...}"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/gcp/config
-```
-
-## Read Config
-
-Returns the configuration, if any, including credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/gcp/config`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/gcp/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "client_email": "service-account@project-123456.iam.gserviceaccount.com",
-    "client_id": "123456789101112131415",
-    "private_key_id": "97fd7ba59a96e1f3830296aedb4f50879e4d5382",
-    "project_id": "project-123456"
-  },
-}
-```
-
-## Create Role
-
-Registers a role in the method. Role types have specific entities
-that can perform login operations against this endpoint. Constraints specific
-to the role type must be set on the role. These are applied to the authenticated
-entities attempting to login.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/gcp/role/:name`       |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the role.
-
-- `type` `(string: <required>)` - The type of this role. Certain fields
-  correspond to specific roles and will be rejected otherwise. Please see below
-  for more information.
-
-- `bound_service_accounts` `(array: <required for iam>)` - An array of 
-   service account emails or IDs that login is restricted to,
-   either directly or through an associated instance. If set to
-  `*`, all service accounts are allowed (you can bind this further using
-  `bound_projects`.)
-  
-- `bound_projects` `(array: [])` - An array of GCP project IDs. Only entities 
-   belonging to this project can authenticate under the role.
-
-- `add_group_aliases` `(bool: false)` - If true, any auth token
-   generated under this token will have associated group aliases, namely
-   `project-$PROJECT_ID`, `folder-$PROJECT_ID`, and `organization-$ORG_ID`
-   for the entities project and all its folder or organization ancestors. This
-   requires Vault to have IAM permission `resourcemanager.projects.get`.
-
-<%= partial "partials/tokenfields" %>
-    
-#### `iam`-only Parameters
-
-The following parameters are only valid when the role is of type `"iam"`:
-
-- `max_jwt_exp` `(string: "15m")` - The number of seconds past the time of
-  authentication that the login param JWT must expire within. For example, if a
-  user attempts to login with a token that expires within an hour and this is
-  set to 15 minutes, Vault will return an error prompting the user to create a
-  new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not
-  allow the `exp` claim to be customized.
-
-- `allow_gce_inference` `(bool: true)` - A flag to determine if this role should
-   allow GCE instances to authenticate by inferring service accounts from the
-   GCE identity metadata token.
-
-#### `gce`-only Parameters
-
-The following parameters are only valid when the role is of type `"gce"`:
-
-- `bound_zones` `(array: [])`: The list of zones that a GCE instance must belong
-  to in order to be authenticated. If `bound_instance_groups` is provided, it is
-  assumed to be a zonal group and the group must belong to this zone.
-
-- `bound_regions` `(array: [])`: The list of regions that a GCE instance must
-  belong to in order to be authenticated. If `bound_instance_groups` is
-  provided, it is assumed to be a regional group and the group must belong to
-  this region. If `bound_zones` are provided, this attribute is ignored.
-
-- `bound_instance_groups` `(array: [])`: The instance groups that an authorized
-  instance must belong to in order to be authenticated. If specified, either
-  `bound_zones` or `bound_regions` must be set too.
-
-- `bound_labels` `(array: [])`: A comma-separated list of GCP labels formatted
-  as "key:value" strings that must be set on authorized GCE instances. Because
-  GCP labels are not currently ACL'd, we recommend that this be used in
-  conjunction with other restrictions.
-
-### Sample Payload
-
-Example `iam` role:
-
-```json
-{
-  "type": "iam",
-  "project_id": "project-123456",
-  "policies": ["prod"],
-  "ttl": "30m",
-  "max_ttl": "24h",
-  "max_jwt_exp": "5m",
-  "bound_service_accounts": [
-    "dev-1@project-123456.iam.gserviceaccount.com"
-  ]
-}
-```
-
-Example `gce` role:
-
-```json
-{
-  "type": "gce",
-  "project_id": "project-123456",
-  "policies": ["prod"],
-  "bound_zones": ["us-east1-b", "eu-west2-a"],
-  "ttl": "30m",
-  "max_ttl": "24h",
-  "bound_service_accounts": [
-    "dev-1@project-123456.iam.gserviceaccount.com"
-  ]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-## Edit Service Accounts on IAM Role
-
-Edit service accounts for an existing IAM role in the method.
-This allows you to add or remove service accounts from the list of
-service accounts on the role.
-
-| Method   | Path                                    |
-| :---------------------------------------| :------------------|
-| `POST`   | `/auth/gcp/role/:name/service-accounts` |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of an existing `iam` type role. This
-  will return an error if role is not an `iam` type role.
-
-- `add` `(array: [])` - The list of service accounts to add to the role's
-  service accounts.
-
-- `remove` `(array: [])` - The list of service accounts to remove from the
-  role's service accounts.
-
-### Sample Payload
-
-```json
-{
-  "add": [
-    "dev-1@project-123456.iam.gserviceaccount.com",
-    "123456789"
-  ],
-  "remove": [
-    "dev-2@project-123456.iam.gserviceaccount.com"
-  ]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-## Edit Labels on GCE Role
-
-Edit labels for an existing GCE role in the backend. This allows you to add or
-remove labels (keys, values, or both) from the list of keys on the role.
-
-| Method   | Path                                    |
-| :---------------------------------------| :------------------|
-| `POST`   | `/auth/gcp/role/:name/labels`           |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of an existing `gce` role. This will
-  return an error if role is not a `gce` type role.
-
-- `add` `(array: [])` - The list of `key:value` labels to add to the GCE role's
-  bound labels.
-
-- `remove` `(array: [])` - The list of label _keys_ to remove from the role's
-  bound labels. If any of the specified keys do not exist, no error is returned
-  (idempotent).
-
-### Sample Payload
-
-```json
-{
-  "add": [
-    "foo:bar",
-    "env:dev",
-    "key:value"
-  ],
-  "remove": [
-    "key1",
-    "key2"
-  ]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-## Read Role
-
-Returns the previously registered role configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/gcp/role/:name`       |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the role to read.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "bound_labels": {
-      "env": "dev",
-      "foo": "bar",
-      "key": "value"
-    },
-    "bound_service_accounts": [
-      "dev-1@project-123456.iam.gserviceaccount.com"
-    ],
-    "bound_zones": [
-      "eu-west2-a",
-      "us-east1-b"
-    ],
-    "max_ttl": 86400,
-    "policies": [
-      "prod"
-    ],
-    "project_id": "project-123456",
-    "type": "gce",
-    "ttl": 1800
-  }
-}
-```
-
-## List Roles
-
-Lists all the roles that are registered with the plugin.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/gcp/roles`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/gcp/roles
-```
-
-### Sample Response
-
-```json  
-{
-  "data": {
-    "keys": [
-      "my-role",
-      "my-other-role"
-    ]
-  }
-}
-```
-
-## Delete Role
-
-Deletes the previously registered role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/gcp/role/:role`       |
-
-### Parameters
-
-- `role` `(string: <required>)` - The name of the role to delete.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-## Login
-
-Login to retrieve a Vault token. This endpoint takes a signed JSON Web Token
-(JWT) and a role name for some entity. It verifies the JWT signature with Google
-Cloud to authenticate that entity and then authorizes the entity for the given
-role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/gcp/login`            |
-
-### Sample Payload
-
-- `role` `(string: <required>)` - The name of the role against which the login
-  is being attempted.
-
-- `jwt` `(string: <required>)` - A Signed [JSON Web Token][jwt].
-
-  - For `iam` type roles, this is a JWT signed with the
-  [`signJwt` method][signjwt-method] or a self-signed JWT.
-
-  - For `gce` type roles, this is an [identity metadata token][instance-token].
-
-
-### Sample Payload
-
-```json
-{
-  "role": "my-role",
-  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/gcp/login
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
-    "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
-    "policies": [
-      "default",
-      "dev",
-      "prod"
-    ],
-    "metadata": {
-      "project_id": "my-project",
-      "role": "my-role",
-      "service_account_email": "dev1@project-123456.iam.gserviceaccount.com",
-      "service_account_id": "111111111111111111111"
-    },
-    "lease_duration": 2764800,
-    "renewable": true
-  }
-}
-```
-
-[gcp-adc]: https://developers.google.com/identity/protocols/application-default-credentials
-[jwt]: https://tools.ietf.org/html/rfc7519
-[signjwt-method]: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt
-[instance-token]: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature
diff --git a/website/source/api/auth/github/index.html.md.erb b/website/source/api/auth/github/index.html.md.erb
deleted file mode 100644
index 1977d52019d9..000000000000
--- a/website/source/api/auth/github/index.html.md.erb
+++ /dev/null
@@ -1,275 +0,0 @@
----
-layout: "api"
-page_title: "GitHub - Auth Methods - HTTP API"
-sidebar_title: "GitHub"
-sidebar_current: "api-http-auth-github"
-description: |-
-  This is the API documentation for the Vault GitHub auth method.
----
-
-# GitHub Auth Method (API)
-
-This is the API documentation for the Vault GitHub auth method. For
-general information about the usage and operation of the GitHub method, please
-see the [Vault GitHub method documentation](/docs/auth/github.html).
-
-This documentation assumes the GitHub method is enabled at the `/auth/github`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Configure Method
-
-Configures the connection parameters for GitHub. This path honors the
-distinction between the `create` and `update` capabilities inside ACL policies.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/github/config`          |
-
-### Parameters
-
-- `organization` `(string: <required>)` - The organization users must be part
-  of.
-- `base_url` `(string: "")` - The API endpoint to use. Useful if you are running
-  GitHub Enterprise or an API-compatible authentication server.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "organization": "acme-org"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/github/config
-```
-
-## Read Configuration
-
-Reads the GitHub configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/github/config`        |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/github/config
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "organization": "acme-org",
-    "base_url": "",
-    "ttl": "",
-    "max_ttl": ""
-  },
-  "warnings": null
-}
-```
-
-## Map GitHub Teams
-
-Map a list of policies to a team that exists in the configured GitHub organization.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/github/map/teams/:team_name`   |
-
-### Parameters
-
-- `team_name` `(string)` - GitHub team name in "slugified" format
-- `value` `(string)` - Comma separated list of policies to assign
-
-### Sample Payload
-
-```json
-{
-  "value": "dev-policy"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/github/map/teams/dev
-```
-
-
-## Read Team Mapping
-
-Reads the GitHub team policy mapping.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/github/map/teams/:team_name`        |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/github/map/teams/dev
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "key": "dev",
-    "value": "dev-policy"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Map GitHub Users
-
-Map a list of policies to a specific GitHub user exists in the configured
-organization.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/github/map/users/:user_name`     |
-
-### Parameters
-
-- `user_name` `(string)` - GitHub user name
-- `value` `(string)` - Comma separated list of policies to assign
-
-### Sample Payload
-
-```json
-{
-  "value": "sethvargo-policy"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/github/map/users/sethvargo
-```
-
-The user with username `sethvargo` will be assigned the `sethvargo-policy`
-policy **in addition to** any team policies.
-
-## Read User Mapping
-
-Reads the GitHub user policy mapping.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/github/map/users/:user_name`        |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/github/map/users/sethvargo
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "764b6f88-efba-51bd-ed62-cf1c9e80e37a",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "key": "sethvargo",
-    "value": "sethvargo-policy"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-
-## Login
-
-Login using GitHub access token.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/github/login`         |
-
-### Parameters
-
-- `token` `(string: <required>)` - GitHub personal API token.
-
-### Sample Payload
-
-```json
-{
-  "token": "ABC123..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/github/login
-```
-
-### Sample Response
-
-```javascript
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
-    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
-    "policies": ["default"],
-    "metadata": {
-      "username": "fred",
-      "org": "acme-org"
-    },
-  },
-  "lease_duration": 7200,
-  "renewable": true
-}
- ```
diff --git a/website/source/api/auth/index.html.md b/website/source/api/auth/index.html.md
deleted file mode 100644
index 5155de9f3ef8..000000000000
--- a/website/source/api/auth/index.html.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-layout: "api"
-page_title: "Auth Methods - HTTP API"
-sidebar_title: "Auth Methods"
-sidebar_current: "api-http-auth"
-description: |-
-  Each auth method publishes its own set of API paths and methods.
-  These endpoints are documented in this section.
----
-
-# Auth Methods
-
-Each auth method publishes its own set of API paths and methods. These endpoints
-are documented in this section. Auth methods are enabled at a path, but the
-documentation will assume the default paths for simplicity. If you are enabling
-at a different path, you should adjust your API calls accordingly.
-
-For the API documentation for a specific auth method, please choose a auth
-method from the navigation.
diff --git a/website/source/api/auth/jwt/index.html.md.erb b/website/source/api/auth/jwt/index.html.md.erb
deleted file mode 100644
index f4f27f021eae..000000000000
--- a/website/source/api/auth/jwt/index.html.md.erb
+++ /dev/null
@@ -1,413 +0,0 @@
----
-layout: "api"
-page_title: "JWT/OIDC - Auth Methods - HTTP API"
-sidebar_title: "JWT/OIDC"
-sidebar_current: "api-http-auth-jwt-oidc"
-description: |-
-  This is the API documentation for the Vault JWT/OIDC authentication
-  method plugin.
----
-
-# JWT/OIDC Auth Method (API)
-
-This is the API documentation for the Vault JWT/OIDC auth method
-plugin. To learn more about the usage and operation, see the
-[Vault JWT/OIDC method documentation](/docs/auth/jwt.html).
-
-This documentation assumes the plugin method is mounted at the
-`/auth/jwt` path in Vault. Since it is possible to enable auth methods
-at any location, please update your API calls accordingly.
-
-## Configure
-
-Configures the validation information to be used globally across all roles. One
-(and only one) of `oidc_discovery_url` and `jwt_validation_pubkeys` must be
-set.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/jwt/config`           |
-
-### Parameters
-
-- `oidc_discovery_url` `(string: <optional>)` - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".
-- `oidc_discovery_ca_pem` `(string: <optional>)` - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.
-- `oidc_client_id` `(string: <optional>)` - The OAuth Client ID from the provider for OIDC roles.
-- `oidc_client_secret` `(string: <optional>)` - The OAuth Client Secret from the provider for OIDC roles.
-- `jwks_url` `(string: <optional>)` - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
-- `jwks_ca_pem` `(string: <optional>)` - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
-- `jwt_validation_pubkeys` `(comma-separated string, or array of strings: <optional>)` - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".
-- `bound_issuer` `(string: <optional>)` - The value against which to match the `iss` claim in a JWT.
-- `jwt_supported_algs` `(comma-separated string, or array of strings: <optional>)` - A list of supported signing algorithms. Defaults to [RS256]. ([Available algorithms](https://github.com/hashicorp/vault-plugin-auth-jwt/blob/master/vendor/github.com/coreos/go-oidc/jose.go#L7))
-- `default_role` `(string: <optional>)` - The default role to use if none is provided during login.
-
-### Sample Payload
-
-```json
-{
-  "oidc_discovery_url": "https://myco.auth0.com/",
-  "bound_issuer": "https://myco.auth0.com/"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/auth/jwt/config
-```
-
-# Read Config
-
-Returns the previously configured config.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/jwt/config`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/auth/jwt/config
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "oidc_discovery_url": "https://myco.auth0.com/",
-    "oidc_discovery_ca_pem": [],
-    "bound_issuer": "https://myco.auth0.com/",
-    "jwt_validation_pubkeys": []
-  },
-  ...
-}
-```
-
-## Create Role
-
-Registers a role in the method. Role types have specific entities
-that can perform login operations against this endpoint. Constraints specific
-to the role type must be set on the role. These are applied to the authenticated
-entities attempting to login. At least one of the bound values must be set.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/jwt/role/:name`       |
-
-### Parameters
-- `name` `(string: <required>)` - Name of the role.
-- `role_type` `(string: <optional>)` - Type of role, either "oidc" (default) or "jwt".
-- `bound_audiences` `(array: <optional>)` - List of `aud` claims to match against.
-   Any match is sufficient. Required for "jwt" roles, optional for "oidc" roles. 
-- `user_claim` `(string: <required>)` - The claim to use to uniquely identify
-  the user; this will be used as the name for the Identity entity alias created
-  due to a successful login. The claim value must be a string.
-- `clock_skew_leeway` `(int: <optional>)` - The amount of leeway to add to all claims to 
-  account for clock skew, in seconds.  Defaults to `60` seconds if set to `0` and can be disabled
-  if set to `-1`. Only applicable with "jwt" roles.
-- `expiration_leeway` `(int: <optional>)` - The amount of leeway to add to expiration (`exp`) claims to 
-  account for clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled
-  if set to `-1`. Only applicable with "jwt" roles. 
-- `not_before_leeway` `(int: <optional>)` - The amount of leeway to add to not before (`nbf`) claims to 
-  account for clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled
-  if set to `-1`. Only applicable with "jwt" roles. 
-- `bound_subject` `(string: <optional>)` - If set, requires that the `sub`
-  claim matches this value.
-- `bound_claims` `(map: <optional>)` - If set, a map of claims/values to match against.
-  The expected value may be a single string or a list of strings.
-- `groups_claim` `(string: <optional>)` - The claim to use to uniquely identify
-  the set of groups to which the user belongs; this will be used as the names
-  for the Identity group aliases created due to a successful login. The claim
-  value must be a list of strings.
-- `claim_mappings` `(map: <optional>)` - If set, a map of claims (keys) to be copied to
-  specified metadata fields (values).
-- `oidc_scopes` `(list: <optional>)` - If set, a list of OIDC scopes to be used with an OIDC role.
-  The standard scope "openid" is automatically included and need not be specified.
-- `allowed_redirect_uris` `(list: <required>)` - The list of allowed values for redirect_uri
-  during OIDC logins.
-- `verbose_oidc_logging` `(bool: false)` - Log received OIDC tokens and claims when debug-level
-  logging is active. Not recommended in production since sensitive information may be present
-  in OIDC responses.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "policies": [
-    "dev",
-    "prod"
-  ],
-  "bound_subject": "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@clients",
-  "bound_audiences": "https://myco.test",
-  "user_claim": "https://vault/user",
-  "groups_claim": "https://vault/groups",
-  "bound_claims": {
-    "department": "engineering",
-    "sector": "7g"
-  },
-  "claim_mappings": {
-    "preferred_language": "language",
-    "group": "group"
-  }
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
-```
-
-## Read Role
-
-Returns the previously registered role configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/jwt/role/:name`        |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "bound_subject": "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@clients",
-    "bound_audiences": [
-      "https://myco.test"
-    ],
-    "bound_cidrs": [],
-    "user_claim": "https://vault/user",
-    "groups_claim": "https://vault/groups",
-    "policies": [
-      "dev",
-      "prod"
-    ],
-    "period": 0,
-    "ttl": 0,
-    "num_uses": 0,
-    "max_ttl": 0
-  },
-  ...
-}
-
-```
-
-## List Roles
-
-Lists all the roles that are registered with the plugin.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/jwt/role`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/auth/jwt/role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "dev-role",
-      "prod-role"
-    ]
-  },
-  ...
-}
-```
-
-## Delete Role
-
-Deletes the previously registered role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/jwt/role/:name`       |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
-```
-
-## OIDC Authorization URL Request
-
-Obtain an authorization URL from Vault to start an OIDC login flow.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/jwt/oidc/auth_url`    |
-
-### Parameters
-
-- `role` `(string: <optional>)` - Name of the role against which the login is being
-  attempted. Defaults to configured `default_role` if not provided.
-- `redirect_uri` `(string: <required>)` - Path to the callback to complete the login. This will be
-  of the form, "https://.../oidc/callback" where the leading portion is dependent on your Vault
-  server location, port, and the mount of the JWT plugin. This must be configured with Vault and the
-  provider. See [Redirect URIs](/docs/auth/jwt.html#redirect-uris) for more information.
-
-### Sample Payload
-
-```json
-{
-    "role": "dev-role",
-    "redirect_uri": "https://vault.myco.com:8200/ui/vault/auth/jwt/oidc/callback"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/auth/jwt/oidc/auth_url
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "c701169c-64f8-26cc-0315-078e8c3ce897",
-  "data": {
-    "auth_url": "https://myco.auth0.com/authorize?client_id=r3qXcK2bezU3Sbmh0K16fatW6&nonce=851b69a9bfa5a6a5668111314414e3687891a599&redirect_uri=https%3A%2F%2Fvault.myco.com3A8200%2Fui%2Fvault%2Fauth%2Fjwt%2Foidc%2Fcallback&response_type=code&scope=openid+email+profile&state=1011e726d24960e09cfca2e04b36b38593cb6a22"
-  },
-  ...
-}
-```
-
-## OIDC Callback
-Exchange an authorization code for an OIDC ID Token. The ID token will be further validated
-against any bound claims, and if valid a Vault token will be returned.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/jwt/oidc/callback`    |
-
-### Parameters
-
-- `state` `(string: <required>)` - Opaque state ID that is part of the Authorization URL and will
-  be included in the the redirect following successful authenication on the provider.
-- `nonce` `(string: <required>)` - Opaque nonce that is part of the Authorization URL and will
-  be included in the the redirect following successful authenication on the provider.
-- `code` `(string: <required>)` - Provider-generated authorization code that Vault will exchange for
-  an ID token.
-
-### Sample Request
-
-```
-$ curl \
-    https://127.0.0.1:8200/v1/auth/jwt/oidc/callback?state=n2kfh3nsl&code=mn2ldl2nv98h2jl&nonce=ni42i2idj2jj
-```
-
-### Sample Response
-
-```json
-{
-    "auth":{
-        "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
-        "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
-        "policies":[
-            "default",
-            "dev",
-            "prod"
-        ],
-        "lease_duration":2764800,
-        "renewable":true
-    },
-    ...
-}
-```
-
-## JWT Login
-
-Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
-a role name for some entity. It verifies the JWT signature to authenticate that
-entity and then authorizes the entity for the given role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/jwt/login`            |
-
-### Parameters
-
-- `role` `(string: <optional>)` - Name of the role against which the login is being
-  attempted. Defaults to configured `default_role` if not provided.
-- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT).
-
-### Sample Payload
-
-```json
-{
-    "role": "dev-role",
-    "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/auth/jwt/login
-```
-
-### Sample Response
-
-```json
-{
-    "auth":{
-        "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
-        "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
-        "policies":[
-            "default",
-            "dev",
-            "prod"
-        ],
-        "lease_duration":2764800,
-        "renewable":true
-    },
-    ...
-}
-```
diff --git a/website/source/api/auth/kerberos/index.html.md.erb b/website/source/api/auth/kerberos/index.html.md.erb
deleted file mode 100644
index fdc30588e010..000000000000
--- a/website/source/api/auth/kerberos/index.html.md.erb
+++ /dev/null
@@ -1,407 +0,0 @@
----
-layout: "api"
-page_title: "Kerberos - Auth Methods - HTTP API"
-sidebar_title: "Kerberos"
-sidebar_current: "api-http-auth-kerberos"
-description: |-
-  This is the API documentation for the Vault Kerberos auth method plugin.
----
-
-# Kerberos Auth Method (API)
-
-This is the API documentation for the Vault Kerberos auth method plugin. To
-learn more about the usage and operation, see the
-[Vault Kerberos auth method](/docs/auth/kerberos.html).
-
-This documentation assumes the Kerberos auth method is mounted at the
-`auth/kerberos` path in Vault. Since it is possible to enable auth methods at
-any location, please update your API calls accordingly.
-
-The Kerberos auth method validates both Kerberos and LDAP authorization,
-so both configurations are required.
-
-## Configure Vault Kerberos
-
-This endpoint configures the keytab and service account to be used by Vault
-for verifying inbound SPNEGO tokens.
-
-| Method   | Path                         |
-| :------- | :--------------------------- |
-| `POST`   | `/auth/kerberos/config`      |
-
-- `keytab` `(string: <required>)` – A base 64 representation of the contents
-of the Kerberos keytab that will be used for verifying inbound SPNEGO tokens.
-It should contain an entry matching the service account given. This can be
-created through the following command: `$ base64 vault.keytab > vault.keytab.base64`.
-- `service_account` `(string: <required>)` – The service account associated
-with both the keytab entry and an LDAP service account created for Vault. Ex.:
-`"vault_svc"`.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/kerberos/config
-```
-
-### Sample Payload
-
-```json
-{
-  "keytab": "BQIAAAA6AAEACk1BVFJJWC5MQU4ACXZhdWx0X3N2YwAAAAFdzZSjAgAXABDwhEyRR9nRqkpP8KTn2A83AAAAAg==",
-  "service_account": "vault_svc"
-}
-```
-
-## Read Vault Kerberos
-
-This endpoint retrieves the service account for the Kerberos auth method.
-The keytab is not returned because it is sensitive information.
-
-| Method   | Path                         |
-| :------- | :--------------------------- |
-| `GET`    | `/auth/kerberos/config`      |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/kerberos/config
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "service_account": "vault_svc"
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Configure Kerberos LDAP
-
-This endpoint configures LDAP in the Kerberos auth method.
-
-| Method   | Path                         |
-| :------- | :--------------------------- |
-| `POST`   | `/auth/kerberos/config/ldap` |
-
-### Parameters
-
-- `url` `(string: <required>)` – The LDAP server to connect to. Examples:
-  `ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. Multiple URLs can be
-  specified with commas, e.g. `ldap://ldap.myorg.com,ldap://ldap2.myorg.com`;
-  these will be tried in-order.
-- `case_sensitive_names` `(bool: false)` – If set, user and group names
-  assigned to policies within the backend will be case sensitive. Otherwise,
-  names will be normalized to lower case. Case will still be preserved when
-  sending the username to the LDAP server at login time; this is only for
-  matching local user/group definitions.
-- `starttls` `(bool: false)` – If true, issues a `StartTLS` command after
-  establishing an unencrypted connection.
-- `tls_min_version` `(string: tls12)` – Minimum TLS version to use. Accepted
-  values are `tls10`, `tls11` or `tls12`.
-- `tls_max_version` `(string: tls12)` – Maximum TLS version to use. Accepted
-  values are `tls10`, `tls11` or `tls12`.
-- `insecure_tls` `(bool: false)` – If true, skips LDAP server SSL certificate
-  verification - insecure, use with caution!
-- `certificate` `(string: "")` – CA certificate to use when verifying LDAP server
-  certificate, must be x509 PEM encoded.
-- `binddn` `(string: "")` – Distinguished name of object to bind when performing
-  user search.  Example: `cn=vault,ou=Users,dc=example,dc=com`
-- `bindpass` `(string: "")` – Password to use along with `binddn` when performing
-  user search.
-- `userdn` `(string: "")` – Base DN under which to perform user search. Example:
-  `ou=Users,dc=example,dc=com`
-- `userattr` `(string: "")` – Attribute on user attribute object matching the
-  username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
-- `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
-  user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
-- `upndomain` `(string: "")` – The _userPrincipalDomain_ used to construct the UPN
-  string for the authenticating user. The constructed UPN will appear as
-  `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind
-  as `username@example.com`.
-- `groupfilter` `(string: "")` – Go template used when constructing the group
-  membership query. The template can access the following context variables:
-  \[`UserDN`, `Username`\]. The default is
-  `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`,
-  which is compatible with several common directory schemas. To support
-  nested group resolution for Active Directory, instead use the following
-  query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
-- `groupdn` `(string: "")` – LDAP search base to use for group membership
-  search. This can be the root containing either groups or users.  Example:
-  `ou=Groups,dc=example,dc=com`
-- `groupattr` `(string: "")` – LDAP attribute to follow on objects returned by
-  `groupfilter` in order to enumerate user group membership. Examples: for
-  groupfilter queries returning _group_ objects, use: `cn`. For queries
-  returning _user_ objects, use: `memberOf`. The default is `cn`.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/kerberos/config/ldap
-```
-
-### Sample Payload
-
-```json
-{
-  "binddn": "cn=vault,ou=Users,dc=example,dc=com",
-  "deny_null_bind": true,
-  "discoverdn": false,
-  "groupattr": "cn",
-  "groupdn": "ou=Groups,dc=example,dc=com",
-  "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
-  "insecure_tls": false,
-  "starttls": false,
-  "tls_max_version": "tls12",
-  "tls_min_version": "tls12",
-  "url": "ldaps://ldap.myorg.com:636",
-  "userattr": "samaccountname",
-  "userdn": "ou=Users,dc=example,dc=com"
-}
-```
-
-## Read Kerberos LDAP Configuration
-
-This endpoint retrieves the LDAP configuration for the Kerberos auth method.
-
-| Method   | Path                         |
-| :------- | :--------------------------- |
-| `GET`    | `/auth/kerberos/config/ldap` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/kerberos/config/ldap
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "binddn": "cn=vault,ou=Users,dc=example,dc=com",
-    "bindpass": "",
-    "certificate": "",
-    "deny_null_bind": true,
-    "discoverdn": false,
-    "groupattr": "cn",
-    "groupdn": "ou=Groups,dc=example,dc=com",
-    "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
-    "insecure_tls": false,
-    "starttls": false,
-    "tls_max_version": "tls12",
-    "tls_min_version": "tls12",
-    "upndomain": "",
-    "url": "ldaps://ldap.myorg.com:636",
-    "userattr": "samaccountname",
-    "userdn": "ou=Users,dc=example,dc=com"
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## List Kerberos LDAP Groups
-
-This endpoint returns a list of existing LDAP groups in the Kerberos auth method.
-
-| Method   | Path                    |
-| :------- | :---------------------- |
-| `LIST`   | `/auth/kerberos/groups` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/kerberos/groups
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "scientists",
-      "engineers"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Read Kerberos LDAP Group
-
-This endpoint returns the policies associated with a Kerberos LDAP group.
-
-| Method   | Path                           |
-| :------- | :----------------------------- |
-| `GET`    | `/auth/kerberos/groups/:name`  |
-
-### Parameters
-
-- `name` `(string: <required>)` – The name of the LDAP group.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "policies": [
-      "admin",
-      "default"
-    ]
-  },
-  "renewable": false,
-  "lease_id": "",
-  "lease_duration": 0,
-  "warnings": null
-}
-```
-
-## Create/Update Kerberos LDAP Group
-
-This endpoint creates or updates LDAP group policies.
-
-| Method    | Path                           |
-| :-------- | :----------------------------- |
-| `POST`    | `/auth/kerberos/groups/:name`  |
-
-### Parameters
-
-- `name` `(string: <required>)` – The name of the LDAP group.
-- `policies` `(string: "")` – Comma-separated list of policies associated to the
-  group.
-
-### Sample Payload
-
-```json
-{
-  "policies": "admin,default"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
-```
-
-## Delete Kerberos LDAP Group
-
-This endpoint deletes the LDAP group and policy association.
-
-| Method   | Path                           |
-| :------- | :----------------------------- |
-| `DELETE` | `/auth/kerberos/groups/:name`  |
-
-### Parameters
-
-- `name` `(string: <required>)` – The name of the LDAP group.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
-```
-
-## Login with Kerberos
-
-This endpoint allows you to log in with a valid Kerberos SPNEGO
-token. This token is obtained by the client, marshalled, and
-converted to base 64 using standard encoding.
-
-Example SPNEGO token (newlines added for readability):
-
-```
-YIIFSwYGKwYBBQUCoIIFPzCCBTugDTALBgkqhkiG9xIBAgKiggUoBIIFJGCCBSAGCSq
-GSIb3EgECAgEAboIFDzCCBQugAwIBBaEDAgEOogcDBQAgAAAAo4IEB2GCBAMwggP/oA
-MCAQWhDBsKTUFUUklYLkxBTqIvMC2gAwIBA6EmMCQbBEhUVFAbHDdlZmNjZTg4MGVkM
-y5tYXRyaXgubGFuOjgyMDCjggO3MIIDs6ADAgEXoQMCAQKiggOlBIIDoXky+VDSMXqT
-Z8XqUiIfzX3+t1ROgO49WYQPoqW1EJLA6vOVtsLITTuDUw8WaLIexki07up3wiO7bKn
-unPFN3Y6VaKZfGoubVBFnLwrxqiEqytk19fiuc0bUJD5fNX+BUeHjePPmE73kRcuchC
-L5+WkbY0X37cH5uKwCWI6TxpuEc74+mvmGOdAOdisC31MO6EBnOpTlxvKOXzShVk5Xa
-rkkHjTJyjoUslgm8JVdj/uB/+x16k0bFVOuWybfeCkn4FY7OeIxypxDJgk6uHU+5jpy
-XsdXK4w5GG+TK5BI6LXW8ZH6NOhcTZnRyt1/S4Wihd6HKhL8lH6H+wPWAnN4Ym8jiSg
-7O0nIkp9su1l/umJWnLnyUdsC9ekKmCYS9MLrmaUREnKMFfrYOF283gWVmfuSWd832Q
-9PIE93vUVTfetw1OwbJXEbG7ex3BotXPJ8yaDUAz4Zv0a6zQlj6JutE7LF3JvuuQeot
-QnwPhrZTrmv7ZbmGO3GmkzbMzIwcTXCCKX8ocOo8GLmtEigAPK23FOW2Y0p1meYjF0U
-xPzU6MPxfQWiXTWflqabXug7uZh8u76rzSEEceosPxoBqMm6hSmGc85+0bzy/E7AGJM
-5ELa2Ny2KpyniPiYCap44GsFZbGM1FwJeh1bG3dJungIn7po4X2wlg00wZVlbHsBzhP
-Hys0oxVzOQfrvx88G0fH80+vyzQiQAq4ZqmZqkO0zFSsdqG8ReJvpY0eGzN6/lGwcRl
-eav7Vum/s5MalXhYUdOjB4K3A5yQArHbbLfeZlhb7d4vttzPNkmaZ9ZNTyW1GSuqDtd
-+YJ0g70aN82KQMWiK3cbJcx/1jcmaN5gjSDm0xk19G2eb8VlRpwLFAazOlpPGozPl0Y
-PD45h3Yv3AA5aMVXvEi+NvSYR3z9VXxk6A8wFJxV5NZxV2hYwmxt0S+TYXFeudXzT+W
-ySoykcsxIU6rUevmJlEqZDyD3VcdnUOE9pxrIY/cqpdBBwatorF+jIK/ytcTBjvoM6c
-LL4g4n/isWMu8Xs6lSMxZzrC3Ewv9VYMzOEFxaHUXlyIC8GCN6t9DHZNzT91TC0u5Rj
-XuLqXENczg33dACvr+yhvin/0QNBQG+EXz/E4NiBBWqtTFa0BiTVTwyrKL5OyiLcIVe
-v4l8l9vyj/ABwDacr9ZGjhFbOShCTuFFWBPNnBwPqiRBV4y1gPP4abYBmeboLrUiqwZ
-81UrP2L8rCTEtYu9q3GmW/pIHqMIHnoAMCAReigd8EgdxwBViqyCyL0+J/k2bw0upNL
-h+4wzJcFBFC/wxX2aMvvIYdQv5nWwdNLMII3l/zQ0+eRdzpKfg1ZRT6x0D5278eQLto
-9r1CqKNW515u4kD5+pE8VOwZJMVe3FmduaH2gnTLAcoYXkBUE24hcr0ExSY6kTTBWPj
-U5dsmUsj3+qrN9JruEADqw99t/EWnN3iTsHh1rOQOd9jIJ1wCIkgvnLB8Rad+q5jguG
-8qQh1WDObTlNOnezDtiuLtRb03QDo8Q4Sm72IIcLDlffVvl7WAog5TpC8qM97+Wmv0C
-sWw
-```
-
-| Method   | Path                         |
-| :------- | :--------------------------- |
-| `POST`   | `/auth/kerberos/login`       |
-
-### Sample Request
-
-```
-$ curl \
-    --header "Authorization: Negotiate YIIFSw...sWw" \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/kerberos/login
-```
diff --git a/website/source/api/auth/kubernetes/index.html.md.erb b/website/source/api/auth/kubernetes/index.html.md.erb
deleted file mode 100644
index 1cf20edf8f20..000000000000
--- a/website/source/api/auth/kubernetes/index.html.md.erb
+++ /dev/null
@@ -1,286 +0,0 @@
----
-layout: "api"
-page_title: "Kubernetes - Auth Methods - HTTP API"
-sidebar_title: "Kubernetes"
-sidebar_current: "api-http-auth-kubernetes"
-description: |-
-  This is the API documentation for the Vault Kubernetes auth method plugin.
----
-
-# Kubernetes Auth Method (API)
-
-This is the API documentation for the Vault Kubernetes auth method plugin. To
-learn more about the usage and operation, see the
-[Vault Kubernetes auth method](/docs/auth/kubernetes.html).
-
-This documentation assumes the Kubernetes method is mounted at the
-`/auth/kubernetes` path in Vault. Since it is possible to enable auth methods at
-any location, please update your API calls accordingly.
-
-## Configure Method
-
-The Kubernetes auth method validates service account JWTs and verifies their
-existence with the Kubernetes TokenReview API. This endpoint configures the
-public key used to validate the JWT signature and the necessary information to
-access the Kubernetes API.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/kubernetes/config`    |
-
-### Parameters
- - `kubernetes_host` `(string: <required>)` - Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
- - `kubernetes_ca_cert` `(string: "")` - PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. NOTE: Every line must end with a newline: \n
- - `token_reviewer_jwt` `(string: "")` - A service account JWT used to access the TokenReview
-    API to validate other JWTs during login. If not set
-    the JWT used for login will be used to access the API.
- - `pem_keys` `(array: [])` - Optional list of PEM-formatted public keys or certificates
-    used to verify the signatures of Kubernetes service account
-    JWTs. If a certificate is given, its public key will be
-    extracted. Not every installation of Kubernetes exposes these
-    keys.
- - `issuer` `(string: "")` - Optional JWT issuer. If no issuer is specified, then this plugin will
-    use `kubernetes.io/serviceaccount` as the default issuer.
-
-### Sample Payload
-
-```json
-{
-  "kubernetes_host": "https://192.168.99.100:8443",
-  "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----\n.....\n-----END CERTIFICATE-----",
-  "pem_keys": "-----BEGIN CERTIFICATE-----\n.....\n-----END CERTIFICATE-----"
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/kubernetes/config
-```
-
-## Read Config
-
-Returns the previously configured config, including credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/kubernetes/config`    |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/kubernetes/config
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "kubernetes_host": "https://192.168.99.100:8443",
-    "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
-    "pem_keys": ["-----BEGIN CERTIFICATE-----.....", .....]
-  }
-}
-```
-
-## Create Role
-
-Registers a role in the auth method. Role types have specific entities
-that can perform login operations against this endpoint. Constraints specific
-to the role type must be set on the role. These are applied to the authenticated
-entities attempting to login.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/kubernetes/role/:name`|
-
-### Parameters
-- `name` `(string: <required>)` - Name of the role.
-- `bound_service_account_names` `(array: <required>)` - List of service account
-  names able to access this role. If set to "\*" all names are allowed, both this
-  and bound_service_account_namespaces can not be "\*".
-- `bound_service_account_namespaces` `(array: <required>)` - List of namespaces
-  allowed to access this role. If set to "\*" all namespaces are allowed, both
-  this and bound_service_account_names can not be set to "\*".
-- `audience` `(string: "")` - Optional Audience claim to verify in the JWT.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "bound_service_account_names": "vault-auth",
-  "bound_service_account_namespaces": "default",
-  "policies": [
-    "dev",
-    "prod"
-  ],
-  "max_ttl": 1800000,
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
-```
-## Read Role
-
-Returns the previously registered role configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/kubernetes/role/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "bound_service_account_names": "vault-auth",
-    "bound_service_account_namespaces": "default",
-    "max_ttl": 1800000,
-    "ttl":0,
-    "period": 0,
-    "policies":[
-      "dev",
-      "prod"
-    ]
-  }
-}
-```
-
-## List Roles
-
-Lists all the roles that are registered with the auth method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/kubernetes/role`            |
-| `GET`   | `/auth/kubernetes/role?list=true`   |
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/kubernetes/role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "dev-role",
-      "prod-role"
-    ]
-  }
-}
-```
-
-## Delete Role
-
-Deletes the previously registered role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/kubernetes/role/:role`|
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
-```
-
-## Login
-
-Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
-a role name for some entity. It verifies the JWT signature to authenticate that
-entity and then authorizes the entity for the given role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/kubernetes/login`            |
-
-### Sample Payload
-
-- `role` `(string: <required>)` - Name of the role against which the login is being
-  attempted.
-- `jwt` `(string: <required>)` - Signed [JSON Web
-  Token](https://tools.ietf.org/html/rfc7519) (JWT) for authenticating a service
-  account.
-
-### Sample Payload
-
-```json
-{
-  "role": "dev-role",
-  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/kubernetes/login
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "client_token": "62b858f9-529c-6b26-e0b8-0457b6aacdb4",
-    "accessor": "afa306d0-be3d-c8d2-b0d7-2676e1c0d9b4",
-    "policies": [
-      "default"
-    ],
-    "metadata": {
-      "role": "test",
-      "service_account_name": "vault-auth",
-      "service_account_namespace": "default",
-      "service_account_secret_name": "vault-auth-token-pd21c",
-      "service_account_uid": "aa9aa8ff-98d0-11e7-9bb7-0800276d99bf"
-    },
-    "lease_duration": 2764800,
-    "renewable": true
-  }
-}
-```
diff --git a/website/source/api/auth/ldap/index.html.md.erb b/website/source/api/auth/ldap/index.html.md.erb
deleted file mode 100644
index 519936b30e13..000000000000
--- a/website/source/api/auth/ldap/index.html.md.erb
+++ /dev/null
@@ -1,468 +0,0 @@
----
-layout: "api"
-page_title: "LDAP - Auth Methods - HTTP API"
-sidebar_title: "LDAP"
-sidebar_current: "api-http-auth-ldap"
-description: |-
-  This is the API documentation for the Vault LDAP auth method.
----
-
-# LDAP Auth Method (API)
-
-This is the API documentation for the Vault LDAP auth method. For
-general information about the usage and operation of the LDAP method, please
-see the [Vault LDAP method documentation](/docs/auth/ldap.html).
-
-This documentation assumes the LDAP method is mounted at the `/auth/ldap`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Configure LDAP
-
-This endpoint configures the LDAP auth method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`    | `/auth/ldap/config`         |
-
-### Parameters
-
-- `url` `(string: ldap://127.0.0.1)` – The LDAP server to connect to. Examples:
-  `ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. Multiple URLs can be
-  specified with commas, e.g. `ldap://ldap.myorg.com,ldap://ldap2.myorg.com`;
-  these will be tried in-order.
-- `case_sensitive_names` `(bool: false)` – If set, user and group names
-  assigned to policies within the backend will be case sensitive. Otherwise,
-  names will be normalized to lower case. Case will still be preserved when
-  sending the username to the LDAP server at login time; this is only for
-  matching local user/group definitions.
-- `request_timeout` `(integer: 90 or string: "90s")` - Timeout, in seconds, for
-  the connection when making requests against the server before returning back
-  an error.
-- `starttls` `(bool: false)` – If true, issues a `StartTLS` command after
-  establishing an unencrypted connection.
-- `tls_min_version` `(string: tls12)` – Minimum TLS version to use. Accepted
-  values are `tls10`, `tls11` or `tls12`.
-- `tls_max_version` `(string: tls12)` – Maximum TLS version to use. Accepted
-  values are `tls10`, `tls11` or `tls12`.
-- `insecure_tls` `(bool: false)` – If true, skips LDAP server SSL certificate
-  verification - insecure, use with caution!
-- `certificate` `(string: "")` – CA certificate to use when verifying LDAP server
-  certificate, must be x509 PEM encoded.
-- `binddn` `(string: "")` – Distinguished name of object to bind when performing
-  user search.  Example: `cn=vault,ou=Users,dc=example,dc=com`
-- `bindpass` `(string: "")` – Password to use along with `binddn` when performing
-  user search.
-- `userdn` `(string: "")` – Base DN under which to perform user search. Example:
-  `ou=Users,dc=example,dc=com`
-- `userattr` `(string: "cn")` – Attribute on user attribute object matching the
-  username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
-- `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
-  user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
-- `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
-  string for the authenticating user. The constructed UPN will appear as
-  `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind
-  as `username@example.com`.
-- `groupfilter` `(string: "")` – Go template used when constructing the group
-  membership query. The template can access the following context variables:
-  \[`UserDN`, `Username`\]. The default is
-  `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`,
-  which is compatible with several common directory schemas. To support
-  nested group resolution for Active Directory, instead use the following
-  query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
-- `groupdn` `(string: "")` – LDAP search base to use for group membership
-  search. This can be the root containing either groups or users.  Example:
-  `ou=Groups,dc=example,dc=com`
-- `groupattr` `(string: "")` – LDAP attribute to follow on objects returned by
-  `groupfilter` in order to enumerate user group membership. Examples: for
-  groupfilter queries returning _group_ objects, use: `cn`. For queries
-  returning _user_ objects, use: `memberOf`. The default is `cn`.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/ldap/config
-```
-
-### Sample Payload
-
-```json
-{
-  "binddn": "cn=vault,ou=Users,dc=example,dc=com",
-  "deny_null_bind": true,
-  "discoverdn": false,
-  "groupattr": "cn",
-  "groupdn": "ou=Groups,dc=example,dc=com",
-  "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
-  "insecure_tls": false,
-  "starttls": false,
-  "tls_max_version": "tls12",
-  "tls_min_version": "tls12",
-  "url": "ldaps://ldap.myorg.com:636",
-  "userattr": "samaccountname",
-  "userdn": "ou=Users,dc=example,dc=com"
-}
-```
-
-## Read LDAP Configuration
-
-This endpoint retrieves the LDAP configuration for the auth method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/ldap/config`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/ldap/config
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "binddn": "cn=vault,ou=Users,dc=example,dc=com",
-    "bindpass": "",
-    "certificate": "",
-    "deny_null_bind": true,
-    "discoverdn": false,
-    "groupattr": "cn",
-    "groupdn": "ou=Groups,dc=example,dc=com",
-    "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
-    "insecure_tls": false,
-    "starttls": false,
-    "tls_max_version": "tls12",
-    "tls_min_version": "tls12",
-    "upndomain": "",
-    "url": "ldaps://ldap.myorg.com:636",
-    "userattr": "samaccountname",
-    "userdn": "ou=Users,dc=example,dc=com"
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## List LDAP Groups
-
-This endpoint returns a list of existing groups in the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/ldap/groups`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/ldap/groups
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "scientists",
-      "engineers"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Read LDAP Group
-
-This endpoint returns the policies associated with a LDAP group.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/ldap/groups/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` – The name of the LDAP group
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/ldap/groups/admins
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "policies": [
-      "admin",
-      "default"
-    ]
-  },
-  "renewable": false,
-  "lease_id": ""
-  "lease_duration": 0,
-  "warnings": null
-}
-```
-
-## Create/Update LDAP Group
-
-This endpoint creates or updates LDAP group policies.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`    | `/auth/ldap/groups/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – The name of the LDAP group
-- `policies` `(string: "")` – Comma-separated list of policies associated to the
-  group.
-
-### Sample Payload
-
-```json
-{
-  "policies": "admin,default"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/ldap/groups/admins
-```
-
-## Delete LDAP Group
-
-This endpoint deletes the LDAP group and policy association.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/ldap/groups/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – The name of the LDAP group
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/ldap/groups/admins
-```
-
-## List LDAP Users
-
-This endpoint returns a list of existing users in the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/ldap/users`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/ldap/users
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "mitchellh",
-      "armon"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Read LDAP User
-
-This endpoint returns the policies associated with a LDAP user.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/ldap/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` – The username of the LDAP user
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "policies": [
-      "admin",
-      "default"
-    ],
-    "groups": ""
-  },
-  "renewable": false,
-  "lease_id": ""
-  "lease_duration": 0,
-  "warnings": null
-}
-```
-
-## Create/Update LDAP User
-
-This endpoint creates or updates LDAP users policies and group associations.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`    | `/auth/ldap/users/:username`   |
-
-### Parameters
-
-- `username` `(string: <required>)` – The username of the LDAP user
-- `policies` `(string: "")` – Comma-separated list of policies associated to the
-  user.
-- `groups` `(string: "")` – Comma-separated list of groups associated to the
-  user.
-
-### Sample Payload
-
-```json
-{
-  "policies": "admin,default"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
-```
-
-## Delete LDAP User
-
-This endpoint deletes the LDAP user and policy association.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/ldap/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` – The username of the LDAP user
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
-```
-
-## Login with LDAP User
-
-This endpoint allows you to log in with LDAP credentials
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/ldap/login/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` – The username of the LDAP user
-- `password` `(string: <required>)` – The password for the LDAP user
-
-### Sample Payload
-
-```json
-{
-  "password": "MyPassword1"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "auth": {
-    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
-    "policies": [
-      "admins",
-      "default"
-    ],
-    "metadata": {
-      "username": "mitchellh"
-    },
-    "lease_duration": 0,
-    "renewable": false
-  }
-}
-```
diff --git a/website/source/api/auth/oci/index.html.md.erb b/website/source/api/auth/oci/index.html.md.erb
deleted file mode 100644
index f33451bf0d00..000000000000
--- a/website/source/api/auth/oci/index.html.md.erb
+++ /dev/null
@@ -1,250 +0,0 @@
----
-layout: "api"
-page_title: "OCI - Auth Methods - HTTP API"
-sidebar_title: "OCI"
-sidebar_current: "api-http-auth-oci"
-description: |-
-  This is the API documentation for the Vault OCI auth method plugin.
----
-
-# OCI Auth Method (API)
-
-This is the API documentation for the Vault OCI auth method plugin. To
-learn more about the usage and operation, see the
-[Vault OCI auth method](/docs/auth/oci.html).
-
-This documentation assumes the OCI method is mounted at the
-`/auth/oci` path in Vault. Since it is possible to enable auth methods at
-any location, please update your API calls accordingly.
-
-## Configure Home Tenancy Method
-
-Configure your home tenancy in the Vault, so that only users or instances from your tenancy will be allowed to log into Vault, through the OCI Auth method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/oci/config`    |
-
-### Parameters
- - `home_tenancy_id` `(string: <required>)` - The Tenancy OCID of your OCI account.
-
-### Sample Payload
-
-```json
-{
-  "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/oci/config
-```
-
-## Read Config
-
-Returns the previously configured config.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/oci/config`    |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/oci/config
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
-  }
-}
-```
-
-## Create Role
-
-Create a Vault administrator role in the OCI Auth method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/oci/role/:name`|
-
-### Parameters
-- `name` `(string: <required>)` - Name of the role.
-- `ocid_list` `(string: <required>)` - A comma separated list of Group or Dynamic Group OCIDs that can take this role.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea",
-  "token_policies": [
-    "dev",
-    "prod"
-  ],
-  "token_ttl": 1800
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/oci/role/devrole
-```
-
-## Read Role
-
-Returns the previously registered role configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/oci/role/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/oci/role/devrole
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "ocid_list": ["ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq","ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"],
-    "token_ttl": 1800,
-    "token_policies":[
-      "dev",
-      "prod"
-    ]
-  }
-}
-```
-
-## List Roles
-
-Lists all the roles that are registered with the auth method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/oci/role`            |
-| `GET`   | `/auth/oci/role?list=true`   |
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/oci/role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "devrole",
-      "prodrole"
-    ]
-  }
-}
-```
-
-## Delete Role
-
-Deletes the previously registered role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/oci/role/:role`|
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role.
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/oci/role/devrole
-```
-
-## Login
-
-Fetch a token. This endpoint takes signed request headers and
-a role name for some entity. It verifies the signed request headers to authenticate that
-entity and then authorizes the entity for the given role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/oci/login/:role`            |
-
-### Parameters
-
-- `role` `(string: <required>)` - Name of the role against which the login is being attempted.
-- `request_headers` `(list: [])` - Signed request headers for authenticating. For details on signing, see [signing the request](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm)
-
-### Sample Payload
-
-```json
-{
-"request_headers": {
-           "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
-           "(request-target)": ["get /v1/auth/oci/login/devrole"],
-           "host": ["127.0.0.1"],
-           "content-type": ["application/json"],
-           "authorization": ["Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""]
-       }
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/oci/login/devrole
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "token": "62b8ssf9-529c-6b26-e0b8-045fcdb4",
-    "token_accessor": "afaff6d0-be3d-c8d2-b0d7-2676sss0d9b4",
-    "token_policies": [
-      "dev"
-    ],
-    "token_duration": 1800
-  }
-}
-```
diff --git a/website/source/api/auth/okta/index.html.md.erb b/website/source/api/auth/okta/index.html.md.erb
deleted file mode 100644
index 76d6b9414d76..000000000000
--- a/website/source/api/auth/okta/index.html.md.erb
+++ /dev/null
@@ -1,405 +0,0 @@
----
-layout: "api"
-page_title: "Okta - Auth Methods - HTTP API"
-sidebar_title: "Okta"
-sidebar_current: "api-http-auth-okta"
-description: |-
-  This is the API documentation for the Vault Okta auth method.
----
-
-# Okta Auth Method (API)
-
-This is the API documentation for the Vault Okta auth method. For
-general information about the usage and operation of the Okta method, please
-see the [Vault Okta method documentation](/docs/auth/okta.html).
-
-This documentation assumes the Okta method is mounted at the `/auth/okta`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Create Configuration
-
-Configures the connection parameters for Okta. This path honors the
-distinction between the `create` and `update` capabilities inside ACL policies.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/okta/config`          |
-
-### Parameters
-
-- `org_name` `(string: <required>)` - Name of the organization to be used in the
-  Okta API.
-- `api_token` `(string: "")` - Okta API token. This is required to query Okta
-  for user group membership. If this is not supplied only locally configured
-  groups will be enabled.
-- `base_url` `(string: "")` -  If set, will be used as the base domain
-  for API requests.  Examples are okta.com, oktapreview.com, and okta-emea.com.
-- `bypass_okta_mfa` `(bool: false)` - Whether to bypass an Okta MFA request.
-  Useful if using one of Vault's built-in MFA mechanisms, but this will also
-  cause certain other statuses to be ignored, such as `PASSWORD_EXPIRED`.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "org_name": "example",
-  "api_token": "abc123"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/okta/config
-```
-
-## Read Configuration
-
-Reads the Okta configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/okta/config`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/okta/config
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "org_name": "example",
-    "api_token": "abc123",
-    "base_url": "okta.com",
-    "ttl": "",
-    "max_ttl": ""
-  },
-  "warnings": null
-}
-```
-
-## List Users
-
-List the users configured in the Okta method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/okta/users`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/okta/users
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "fred",
-	    "jane"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Register User
-
-Registers a new user and maps a set of policies to it.  
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/okta/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - Name of the user.
-- `groups` `(array: [])` - List or comma-separated string of groups associated with the user.
-- `policies` `(array: [])` - List or comma-separated string of policies associated with the user.
-
-```json
-{
-  "policies": [
-    "dev",
-    "prod"
-  ]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/okta/users/fred
-```
-
-## Read User
-
-Reads the properties of an existing username.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/okta/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - Username for this user.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/okta/users/test-user
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "policies": [
-      "default",
-      "dev",
-    ],
-    "groups": []
-  },
-  "warnings": null
-}
-```
-
-## Delete User
-
-Deletes an existing username from the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE`   | `/auth/okta/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - Username for this user.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/okta/users/test-user
-```
-
-## List Groups
-
-List the groups configured in the Okta method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/okta/groups`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/okta/groups
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "admins",
-      "dev-users"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Register Group
-
-Registers a new group and maps a set of policies to it.  
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/okta/groups/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name of the group.
-- `policies` `(array: [])` - The list or comma-separated string of policies associated with the group.
-
-```json
-{
-  "policies": [
-    "dev",
-    "prod"
-  ]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/okta/groups/admins
-```
-
-## Read Group
-
-Reads the properties of an existing group.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/okta/groups/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name for the group.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/okta/groups/admins
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "policies": [
-      "default",
-      "admin"
-    ]
-  },
-  "warnings": null
-}
-```
-
-## Delete Group
-
-Deletes an existing group from the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE`   | `/auth/okta/groups/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` - The name for the group.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/okta/users/test-user
-```
-
-## Login
-
-Login with the username and password.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/okta/login/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - Username for this user.
-- `password` `(string: <required>)` - Password for the authenticating user.
-
-### Sample Payload
-
-```json
-{
-  "password": "Password!"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/okta/login/fred
-```
-
-### Sample Response
-
-```javascript
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
-    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
-    "policies": ["default"],
-    "metadata": {
-      "username": "fred",
-      "policies": "default"
-    },
-  },
-  "lease_duration": 7200,
-  "renewable": true
-}
- ```
diff --git a/website/source/api/auth/radius/index.html.md.erb b/website/source/api/auth/radius/index.html.md.erb
deleted file mode 100644
index 89fe98c9629f..000000000000
--- a/website/source/api/auth/radius/index.html.md.erb
+++ /dev/null
@@ -1,239 +0,0 @@
----
-layout: "api"
-page_title: "RADIUS - Auth Methods - HTTP API"
-sidebar_title: "RADIUS"
-sidebar_current: "api-http-auth-radius"
-description: |-
-  This is the API documentation for the Vault RADIUS auth method.
----
-
-# RADIUS Auth Method (API)
-
-This is the API documentation for the Vault RADIUS auth method. For
-general information about the usage and operation of the RADIUS method, please
-see the [Vault RADIUS method documentation](/docs/auth/radius.html).
-
-This documentation assumes the RADIUS method is mounted at the `/auth/radius`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Configure RADIUS
-
-Configures the connection parameters and shared secret used to communicate with
-RADIUS.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/radius/config`        |
-
-### Parameters
-
-- `host` `(string: <required>)` - The RADIUS server to connect to. Examples:
-  `radius.myorg.com`, `127.0.0.1`
-- `port` `(integer: 1812)` - The UDP port where the RADIUS server is listening
-   on. Defaults is 1812.
-- `secret` `(string: <required>)` - The RADIUS shared secret.
-- `unregistered_user_policies` `(string: "")` - A comma-separated list of
-  policies to be granted to unregistered users.
-- `dial_timeout` `(integer: 10)` - Number of second to wait for a backend
-  connection before timing out. Default is 10.
-- `nas_port` `(integer: 10)` - The NAS-Port attribute of the RADIUS request.
-  Defaults is 10.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "host": "radius.myorg.com",
-  "port": 1812,
-  "secret": "mySecret"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/radius/config
-```
-
-## Register User
-
-Registers a new user and maps a set of policies to it.  This path honors the
-distinction between the `create` and `update` capabilities inside ACL policies.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/radius/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - Username for this user.
-- `policies` `(string: "")` - Comma-separated list of policies.  If set to
-  empty string, only the `default` policy will be applicable to the user.
-
-```json
-{
-  "policies": "dev,prod",
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/radius/users/test-user
-```
-
-## Read User
-
-Reads the properties of an existing username.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/radius/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - Username for this user.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/radius/users/test-user
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "policies": "default,dev"
-  },
-  "warnings": null
-}
-```
-
-## Delete User
-
-Deletes an existing username from the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE`   | `/auth/radius/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - Username for this user.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/radius/users/test-user
-```
-
-## List Users
-
-List the users registered with the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/radius/users`         |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/radius/users
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "devuser",
-	    "produser"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Login
-
-Login with the username and password.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/radius/login`         |
-| `POST`   | `/auth/radius/login/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - Username for this user.
-- `password` `(string: <required>)` - Password for the authenticating user.
-
-### Sample Payload
-
-```json
-{
-  "password": "Password!"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/radius/login/test-user
-```
-
-### Sample Response
-
-```javascript
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
-    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
-    "policies": ["default"],
-    "metadata": {
-      "username": "vishal"
-    },
-  },
-  "lease_duration": 7200,
-  "renewable": true
-}
- ```
diff --git a/website/source/api/auth/token/index.html.md.erb b/website/source/api/auth/token/index.html.md.erb
deleted file mode 100644
index f1654670b88a..000000000000
--- a/website/source/api/auth/token/index.html.md.erb
+++ /dev/null
@@ -1,830 +0,0 @@
----
-layout: "api"
-page_title: "Token - Auth Methods - HTTP API"
-sidebar_title: "Tokens"
-sidebar_current: "api-http-auth-token"
-description: |-
-  This is the API documentation for the Vault token auth method.
----
-
-# Token Auth Method (API)
-
-This is the API documentation for the Vault token auth method. For
-general information about the usage and operation of the token method, please
-see the [Vault Token method documentation](/docs/auth/token.html).
-
-## List Accessors
-
-This endpoint lists token accessor. This requires `sudo` capability, and access
-to it should be tightly controlled as the accessors can be used to revoke very
-large numbers of tokens and their associated leases at once.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/token/accessors`      |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/auth/token/accessors
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "warnings": null,
-  "wrap_info": null,
-  "data": {
-    "keys": [
-      "476ea048-ded5-4d07-eeea-938c6b4e43ec",
-      "bb00c093-b7d3-b0e9-69cc-c4d85081165b"
-    ]
-  },
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": ""
-}
-```
-
-## Create Token
-
-Creates a new token. Certain options are only available when called by a
-root token. If used via the `/auth/token/create-orphan` endpoint, a root
-token is not required to create an orphan token (otherwise set with the
-`no_parent` option). If used with a role name in the path, the token will
-be created against the specified role name; this may override options set
-during this call.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/create`         |
-| `POST`   | `/auth/token/create-orphan`  |
-| `POST`   | `/auth/token/create/:role_name`  |
-
-### Parameters
-
-- `id` `(string: "")` – The ID of the client token. Can only be specified by a
-  root token.  Otherwise, the token ID is a randomly generated value.
-- `role_name` `(string: "")` – The name of the token role.
-- `policies` `(array: "")` – A list of policies for the token. This must be a
-  subset of the policies belonging to the token making the request, unless root.
-  If not specified, defaults to all the policies of the calling token.
-- `meta` `(map: {})` – A map of string to string valued metadata. This is
-  passed through to the audit devices.
-- `no_parent` `(bool: false)` - If true and set by a root caller, the token will
-  not have the parent token of the caller. This creates a token with no parent.
-- `no_default_policy` `(bool: false)` - If true the `default` policy will not be
-  contained in this token's policy set.
-- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
-  to be renewed past its initial TTL.  Setting the value to `true` will allow
-  the token to be renewable up to the system/mount maximum TTL.
-- `lease` `(string: "")` - DEPRECATED; use `ttl` instead
-- `ttl` `(string: "")` - The TTL period of the token, provided as "1h", where
-  hour is the largest suffix. If not provided, the token is valid for the
-  [default lease TTL](/docs/configuration/index.html), or indefinitely if the
-  root policy is used.
-- `type` `(string: "")` - The token type. Can be "batch" or "service". Defaults
-  to the type specified by the role configuration named by `role_name`.
-- `explicit_max_ttl` `(string: "")` - If set, the token will have an explicit
-  max TTL set upon it. This maximum token TTL *cannot* be changed later, and
-  unlike with normal tokens, updates to the system/mount max TTL value will
-  have no effect at renewal time -- the token will never be able to be renewed
-  or used past the value set at issue time.
-- `display_name` `(string: "token")` - The display name of the token.
-- `num_uses` `(integer: 0)` - The maximum uses for the given token. This can be
-  used to create a one-time-token or limited use token. The value of 0 has no
-  limit to the number of uses.
-- `period` `(string: "")` - If specified, the token will be periodic; it will have
-  no maximum TTL (unless an "explicit-max-ttl" is also set) but every renewal
-  will use the given period. Requires a root/sudo token to use.
-- `entity_alias` `(string: "")` - Name of the entity alias to associate with 
-   during token creation. Only works in combination with `role_name` argument 
-   and used entity alias must be listed in `allowed_entity_aliases`. If this has 
-   been specified, the entity will not be inherited from the parent.
-
-### Sample Payload
-
-```json
-{
-  "policies": [
-    "web",
-    "stage"
-  ],
-  "meta": {
-    "user": "armon"
-  },
-  "ttl": "1h",
-  "renewable": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/create
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "f00341c1-fad5-f6e6-13fd-235617f858a1",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": [
-    "Policy \"stage\" does not exist",
-    "Policy \"web\" does not exist"
-  ],
-  "auth": {
-    "client_token": "s.wOrq9dO9kzOcuvB06CMviJhZ",
-    "accessor": "B6oixijqmeR4bsLOJH88Ska9",
-    "policies": [
-      "default",
-      "stage",
-      "web"
-    ],
-    "token_policies": [
-      "default",
-      "stage",
-      "web"
-    ],
-    "metadata": {
-      "user": "armon"
-    },
-    "lease_duration": 3600,
-    "renewable": true,
-    "entity_id": "",
-    "token_type": "service",
-    "orphan": false
-  }
-}
-```
-
-## Lookup a Token
-
-Returns information about the client token.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`  | `/auth/token/lookup`          |
-
-### Parameters
-
-- `token` `(string: <required>)` - Token to lookup.
-
-### Sample Payload
-
-```json
-{
-  "token": "ClientToken"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/lookup
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
-    "creation_time": 1523979354,
-    "creation_ttl": 2764800,
-    "display_name": "ldap2-tesla",
-    "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
-    "expire_time": "2018-05-19T11:35:54.466476215-04:00",
-    "explicit_max_ttl": 0,
-    "id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
-    "identity_policies": [
-      "dev-group-policy"
-    ],
-    "issue_time": "2018-04-17T11:35:54.466476078-04:00",
-    "meta": {
-      "username": "tesla"
-    },
-    "num_uses": 0,
-    "orphan": true,
-    "path": "auth/ldap2/login/tesla",
-    "policies": [
-      "default",
-      "testgroup2-policy"
-    ],
-    "renewable": true,
-    "ttl": 2764790
-  }
-}
-```
-
-## Lookup a Token (Self)
-
-Returns information about the current client token.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/token/lookup-self`     |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/token/lookup-self
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
-    "creation_time": 1523979354,
-    "creation_ttl": 2764800,
-    "display_name": "ldap2-tesla",
-    "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
-    "expire_time": "2018-05-19T11:35:54.466476215-04:00",
-    "explicit_max_ttl": 0,
-    "id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
-    "identity_policies": [
-      "dev-group-policy"
-    ],
-    "issue_time": "2018-04-17T11:35:54.466476078-04:00",
-    "meta": {
-      "username": "tesla"
-    },
-    "num_uses": 0,
-    "orphan": true,
-    "path": "auth/ldap2/login/tesla",
-    "policies": [
-      "default",
-      "testgroup2-policy"
-    ],
-    "renewable": true,
-    "ttl": 2764790
-  }
-}
-```
-
-## Lookup a Token (Accessor)
-
-Returns information about the client token from the accessor.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`  | `/auth/token/lookup-accessor`          |
-
-### Parameters
-
-- `accessor` `(string: <required>)` - Token accessor to lookup.
-
-### Sample Payload
-
-```json
-{
-  "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/lookup-accessor
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
-    "creation_time": 1523979354,
-    "creation_ttl": 2764800,
-    "display_name": "ldap2-tesla",
-    "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
-    "expire_time": "2018-05-19T11:35:54.466476215-04:00",
-    "explicit_max_ttl": 0,
-    "id": "",
-    "identity_policies": [
-      "dev-group-policy"
-    ],
-    "issue_time": "2018-04-17T11:35:54.466476078-04:00",
-    "meta": {
-      "username": "tesla"
-    },
-    "num_uses": 0,
-    "orphan": true,
-    "path": "auth/ldap2/login/tesla",
-    "policies": [
-      "default",
-      "testgroup2-policy"
-    ],
-    "renewable": true,
-    "ttl": 2763902
-  }
-}
-```
-
-## Renew a Token
-
-Renews a lease associated with a token. This is used to prevent the expiration
-of a token, and the automatic revocation of it. Token renewal is possible only
-if there is a lease associated with it.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/renew`          |
-
-### Parameters
-
-- `token` `(string: <required>)` - Token to renew. This can be part of the URL
-  or the body.
-- `increment` `(string: "")` - An optional requested lease increment can be
-  provided. This increment may be ignored.
-
-### Sample Payload
-
-```json
-{
-  "token": "ClientToken"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/renew
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "client_token": "ABCD",
-    "policies": [
-      "web",
-      "stage"
-    ],
-    "metadata": {
-      "user": "armon"
-    },
-    "lease_duration": 3600,
-    "renewable": true
-  }
-}
-```
-
-## Renew a Token (Self)
-
-Renews a lease associated with the calling token. This is used to prevent the
-expiration of a token, and the automatic revocation of it. Token renewal is
-possible only if there is a lease associated with it.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/renew-self`     |
-
-### Parameters
-
-- `increment` `(string: "")` - An optional requested lease increment can be
-  provided. This increment may be ignored.
-
-### Sample Payload
-
-```json
-{
-  "increment": "1h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/renew-self
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "client_token": "ABCD",
-    "policies": [
-      "web",
-      "stage"
-    ],
-    "metadata": {
-      "user": "armon"
-    },
-    "lease_duration": 3600,
-    "renewable": true
-  }
-}
-```
-
-## Renew a Token (Accessor)
-
-Renews a lease associated with a token using its accessor. This is used to
-prevent the expiration of a token, and the automatic revocation of it. Token
-renewal is possible only if there is a lease associated with it.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/renew-accessor`          |
-
-### Parameters
-
-- `accessor` `(string: <required>)` - Accessor associated with the token to
-renew.
-- `increment` `(string: "")` - An optional requested lease increment can be
-provided. This increment may be ignored.
-
-### Sample Payload
-
-```json
-{
-  "accessor": "7JFKXuXKXa2D44YfDiovZ9aq"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/renew-accessor
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "client_token": "",
-    "policies": [
-      "web",
-      "stage"
-    ],
-    "metadata": {
-      "user": "armon"
-    },
-    "lease_duration": 3600,
-    "renewable": true
-  }
-}
-```
-
-## Revoke a Token
-
-Revokes a token and all child tokens. When the token is revoked, all dynamic secrets
-generated with it are also revoked.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/revoke`         |
-
-### Parameters
-
-- `token` `(string: <required>)` - Token to revoke.
-
-### Sample Payload
-
-```json
-{
-  "token": "ClientToken"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/revoke
-```
-
-## Revoke a Token (Self)
-
-Revokes the token used to call it and all child tokens. When the token is
-revoked, all dynamic secrets generated with it are also revoked.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/revoke-self`     |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/token/revoke-self
-```
-
-## Revoke a Token Accessor
-
-Revoke the token associated with the accessor and all the child tokens.  This is
-meant for purposes where there is no access to token ID but there is need to
-revoke a token and its children.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/revoke-accessor` |
-
-### Parameters
-
-- `accessor` `(string: <required>)` - Accessor of the token.
-
-### Sample Payload
-
-```json
-{
-  "accessor": "2c84f488-2133-4ced-87b0-570f93a76830"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/revoke-accessor
-```
-
-## Revoke Token and Orphan Children
-
-Revokes a token but not its child tokens. When the token is revoked, all secrets
-generated with it are also revoked. All child tokens are orphaned, but can be
-revoked sub-sequently using `/auth/token/revoke/`. This is a root-protected
-endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/revoke-orphan`          |
-
-### Parameters
-
-- `token` `(string: <required>)` - Token to revoke. This can be part of the URL
-  or the body.
-
-### Sample Payload
-
-```json
-{
-  "token": "ClientToken"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/token/revoke-orphan
-```
-
-## Read Token Role
-
-Fetches the named role configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/auth/token/roles/:role_name`|
-
-### Parameters
-
-- `role_name` `(string: <required>)` - The name of the token role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/token/roles/nomad
-```
-
-### Sample Response
-
-```javascript
-{
-  "request_id": "075a19cd-4e56-a3ca-d956-7609819831ec",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "allowed_entity_aliases": [
-      "my-entity-alias"
-    ],
-    "allowed_policies": [],
-    "disallowed_policies": [],
-    "explicit_max_ttl": 0,
-    "name": "nomad",
-    "orphan": false,
-    "path_suffix": "",
-    "period": 0,
-    "renewable": true,
-    "token_explicit_max_ttl": 0,
-    "token_period": 0,
-    "token_type": "default-service"
-  },
-  "warnings": null
-}
-```
-
-## List Token Roles
-
-List available token roles.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/token/roles`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST
-    http://127.0.0.1:8200/v1/auth/token/roles
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "role1",
-      "role2"
-    ]
-  }
-}
-```
-
-## Create/Update Token Role
-
-Creates (or replaces) the named role. Roles enforce specific behavior when
-creating tokens that allow token functionality that is otherwise not
-available or would require `sudo`/root privileges to access. Role
-parameters, when set, override any provided options to the `create`
-endpoints. The role name is also included in the token path, allowing all
-tokens created against a role to be revoked using the
-`/sys/leases/revoke-prefix` endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/roles/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` – The name of the token role.
-- `allowed_policies` `(list: [])` – If set, tokens can be created with any
-  subset of the policies in this list, rather than the normal semantics of
-  tokens being a subset of the calling token's policies. The parameter is a
-  comma-delimited string of policy names. If at creation time
-  `no_default_policy` is not set and `"default"` is not contained in
-  `disallowed_policies`, the `"default"` policy will be added to the created
-  token automatically.
-- `disallowed_policies` `(list: [])` – If set, successful token creation via
-  this role will require that no policies in the given list are requested. The
-  parameter is a comma-delimited string of policy names. Adding `"default"` to
-  this list will prevent `"default"` from being added automatically to created
-  tokens.
-- `orphan` `(bool: false)` - If `true`, tokens created against this policy will
-  be orphan tokens (they will have no parent). As such, they will not be
-  automatically revoked by the revocation of any other token.
-- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
-  to be renewed past its initial TTL.  Setting the value to `true` will allow
-  the token to be renewable up to the system/mount maximum TTL.
-- `path_suffix` `(string: "")` - If set, tokens created against this role will
-  have the given suffix as part of their path in addition to the role name. This
-  can be useful in certain scenarios, such as keeping the same role name in the
-  future but revoking all tokens created against it before some point in time.
-  The suffix can be changed, allowing new callers to have the new suffix as part
-  of their path, and then tokens with the old suffix can be revoked via
-  `/sys/leases/revoke-prefix`.
-- `allowed_entity_aliases` `(string: "", or list: [])` - String or JSON list 
-  of allowed entity aliases. If set, specifies the entity aliases which are 
-  allowed to be used during token generation. This field supports globbing. 
-
-<%= partial "partials/tokenstorefields" %>
-
-### Sample Payload
-
-```json
-  "allowed_policies": [
-    "dev"
-  ],
-  "name": "nomad",
-  "orphan": false,
-  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
-  "renewable": true,
-  "allowed_entity_aliases": ["web-entity-alias", "app-entity-*"]
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST
-    --data @payload.json
-    http://127.0.0.1:8200/v1/auth/token/roles/nomad
-```
-
-## Delete Token Role
-
-This endpoint deletes the named token role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/token/roles/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: <required>)` - The name of the token role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/token/roles/admins
-```
-
-## Tidy Tokens
-
-Performs some maintenance tasks to clean up invalid entries that may remain
-in the token store. Generally, running this is not needed unless upgrade
-notes or support personnel suggest it. This may perform a lot of I/O to the
-storage method so should be used sparingly.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/auth/token/tidy`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/token/tidy
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "84437c7f-36a1-6c1d-381d-14ec99217e94",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": [
-    "Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs."
-  ],
-  "auth": null
-}
-```
diff --git a/website/source/api/auth/userpass/index.html.md.erb b/website/source/api/auth/userpass/index.html.md.erb
deleted file mode 100644
index 8d98ae431604..000000000000
--- a/website/source/api/auth/userpass/index.html.md.erb
+++ /dev/null
@@ -1,253 +0,0 @@
----
-layout: "api"
-page_title: "Userpass - Auth Methods - HTTP API"
-sidebar_title: "Username & Password"
-sidebar_current: "api-http-auth-userpass"
-description: |-
-  This is the API documentation for the Vault username and password
-  auth method.
----
-
-# Userpass Auth Method (HTTP API)
-
-This is the API documentation for the Vault Username & Password auth method. For
-general information about the usage and operation of the Username and Password method, please
-see the [Vault Userpass method documentation](/docs/auth/userpass.html).
-
-This documentation assumes the Username & Password method is mounted at the `/auth/userpass`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Create/Update User
-
-Create a new user or update an existing user. This path honors the distinction between the `create` and `update` capabilities inside ACL policies.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`    | `/auth/userpass/users/:username`   |
-
-### Parameters
-
-- `username` `(string: <required>)` – The username for the user.
-- `password` `(string: <required>)` - The password for the user. Only required
-  when creating the user.
-
-<%= partial "partials/tokenfields" %>
-
-### Sample Payload
-
-```json
-{
-  "password": "superSecretPassword",
-  "policies": "admin,default",
-  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-```
-
-## Read User
-
-Reads the properties of an existing username.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/auth/userpass/users/:username`   |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "max_ttl": 0,
-    "policies": ["default", "dev"],
-    "ttl": 0
-  },
-  "warnings": null
-}
-```
-
-## Delete User
-
-This endpoint deletes the user from the method.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/auth/userpass/users/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` - The username for the user.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-```
-
-## Update Password on User
-
-Update password for an existing user.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST` | `/auth/userpass/users/:username/password` |
-
-### Parameters
-
-- `username` `(string: <required>)` – The username for the user.
-- `password` `(string: <required>)` - The password for the user.
-
-### Sample Payload
-
-```json
-{
-  "password": "superSecretPassword2",
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/password
-```
-
-## Update Policies on User
-
-Update policies for an existing user.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST` | `/auth/userpass/users/:username/policies` |
-
-### Parameters
-
-- `username` `(string: <required>)` – The username for the user.
-- `policies` `(string: "")` – Comma-separated list of policies. If set to empty
-
-### Sample Payload
-
-```json
-{
-  "policies": ["policy1", "policy2"],
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/policies
-```
-
-## List Users
-
-List available userpass users.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/userpass/users`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST
-    http://127.0.0.1:8200/v1/auth/userpass/users
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "mitchellh",
-      "armon"
-    ]
-  }
-}
-```
-
-## Login
-
-Login with the username and password.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST` | `/auth/userpass/login/:username` |
-
-### Parameters
-
-- `username` `(string: <required>)` – The username for the user.
-- `password` `(string: <required>)` - The password for the user.
-
-### Sample Payload
-
-```json
-{
-  "password": "superSecretPassword2",
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
-    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
-    "policies": ["default"],
-    "metadata": {
-      "username": "mitchellh"
-    },
-    "lease_duration": 7200,
-    "renewable": true
-  }
-}
-```
diff --git a/website/source/api/libraries.html.md b/website/source/api/libraries.html.md
deleted file mode 100644
index 220697f5b56f..000000000000
--- a/website/source/api/libraries.html.md
+++ /dev/null
@@ -1,166 +0,0 @@
----
-layout: "api"
-page_title: "HTTP API: Libraries"
-sidebar_title: "Client Libraries"
-sidebar_current: "api-http-libraries"
-description: |-
-  List of official and community contributed libraries for interacting with the Vault HTTP API.
----
-
-# Libraries
-
-The programming libraries listed on this page can be used to consume the API more conveniently.
-Some are officially maintained while others are provided by the community.
-
-## Official
-
-These libraries are officially maintained by HashiCorp.
-
-### Go
-
-* [Vault Go Client](https://github.com/hashicorp/vault/tree/master/api)
-
-```shell
-$ go get github.com/hashicorp/vault/api
-```
-
-### Ruby
-
-* [Vault Ruby Client](https://github.com/hashicorp/vault-ruby)
-
-```shell
-$ gem install vault
-```
-
-## Community
-
-These libraries are provided by the community.
-
-### Ansible
-
-* [ansible-vault](https://github.com/jhaals/ansible-vault) lookup plugin without third-party dependencies.
-* [Ansible Modules Hashivault](https://pypi.python.org/pypi/ansible-modules-hashivault)
-
-```shell
-$ pip install ansible-modules-hashivault
-```
-
-### C&#35;
-
-* [VaultSharp](https://github.com/rajanadar/VaultSharp) (.NET Standard 2.0 & 1.3, .NET Core >= 1.0.0, .NET 4.5, .NET 4.6, Mono, iOS, Android, Mac, UWP etc.)
-
-```shell
-$ Install-Package VaultSharp
-```
-
-* [Vault.NET](https://github.com/Chatham/Vault.NET)
-
-```shell
-$ Install-Package Vault
-```
-
-### C++
-
-* [libvault](https://github.com/abedra/libvault)
-
-### Clojure
-
-* [vault-clj](https://github.com/amperity/vault-clj)
-
-### Elixir
-
-* [libvault](https://hex.pm/packages/libvault)
-* [vaultex](https://hex.pm/packages/vaultex)
-
-### Go
-
-* [vc](https://github.com/adfinis-sygroup/vault-client)
-
-```shell
-$ go get github.com/adfinis-sygroup/vault-client
-```
-
-### Haskell
-
-* [vault-tool](https://hackage.haskell.org/package/vault-tool)
-
-```shell
-$ cabal install vault-tool
-```
-
-
-* [gothic](http://hackage.haskell.org/package/gothic)
-
-```shell
-$ stack install gothic
-```
-
-### Java
-
-* [Spring Vault](https://github.com/spring-projects/spring-vault)
-* [vault-java-driver](https://github.com/BetterCloud/vault-java-driver)
-
-### Kotlin
-
-* [vault-kotlin](https://github.com/kunickiaj/vault-kotlin)
-
-### Node.js
-
-* [node-vault](https://github.com/kr1sp1n/node-vault)
-
-```shell
-$ npm install node-vault
-```
-
-### PHP
-
-* [vault-php-sdk](https://github.com/jippi/vault-php-sdk)
-
-```shell
-$ composer require jippi/vault-php-sdk
-```
-
-* [vault-php-sdk](https://github.com/violuke/vault-php-sdk) extended from jipppi
-
-```shell
-$ composer require violuke/vault-php-sdk
-```
-
-* [vault-php](https://github.com/CSharpRU/vault-php)
-
-```shell
-$ composer require csharpru/vault-php
-```
-
-### PowerShell
-
-* [Zyborg.Vault](https://github.com/zyborg/Zyborg.Vault)
-
-```PowerShell
-Install-Module Zyborg.Vault
-```
-
-### Python
-
-* [HVAC](https://github.com/ianunruh/hvac)
-
-```shell
-$ pip install hvac
-```
-
-* [Async-HVAC](https://github.com/Aloomaio/async-hvac)
-
-```shell
-$ pip install async-hvac
-```
-
-### R
-
-* [vaultr](https://github.com/vimc/vaultr)
-
-### Rust
-
-* [HashicorpVault](https://crates.io/crates/hashicorp_vault)
-
-### Scala
- * [scala-vault](https://github.com/janstenpickle/scala-vault)
diff --git a/website/source/api/overview.html.md b/website/source/api/overview.html.md
deleted file mode 100644
index 917ecbb6a9d6..000000000000
--- a/website/source/api/overview.html.md
+++ /dev/null
@@ -1,295 +0,0 @@
----
-layout: "api"
-page_title: "HTTP API"
-sidebar_title: "Overview"
-sidebar_current: "api-http-overview"
-description: |-
-  Vault has an HTTP API that can be used to control every aspect of Vault.
----
-
-# HTTP API
-
-The Vault HTTP API gives you full access to Vault via HTTP. Every aspect of
-Vault can be controlled via this API. The Vault CLI uses the HTTP API to access
-Vault.
-
-All API routes are prefixed with `/v1/`.
-
-This documentation is only for the v1 API, which is currently the only version.
-
-  ~> **Backwards compatibility:** At the current version, Vault does not yet
-  promise backwards compatibility even with the v1 prefix. We'll remove this
-  warning when this policy changes. At this point in time the core API (that
-  is, `sys/` routes) change very infrequently, but various secrets engines/auth
-  methods/etc. sometimes have minor changes to accommodate new features as
-  they're developed.
-
-## Transport
-
-The API is expected to be accessed over a TLS connection at all times, with a
-valid certificate that is verified by a well-behaved client. It is possible to
-disable TLS verification for listeners, however, so API clients should expect
-to have to do both depending on user settings.
-
-## Authentication
-
-Once Vault is unsealed, almost every other operation requires a _client token_.
-A user may have a client token sent to them.  The client token must be sent as
-either the `X-Vault-Token` HTTP Header or as `Authorization` HTTP Header using
-the `Bearer <token>` scheme.
-
-Otherwise, a client token can be retrieved via [authentication
-backends](/docs/auth/index.html).
-
-Each auth method has one or more unauthenticated login endpoints. These
-endpoints can be reached without any authentication, and are used for
-authentication to Vault itself. These endpoints are specific to each auth
-method.
-
-Responses from auth login methods that generate an authentication token are
-sent back to the client via JSON. The resulting token should be saved on the
-client or passed via the `X-Vault-Token` or `Authorization` header for future requests.
-
-## Namespaces
-
-If using the [Namespaces](/docs/enterprise/namespaces/index.html) feature, API
-operations are relative to the namespace value passed in via the
-`X-Vault-Namespace` header. For instance, if the request path is to
-`secret/foo`, and the header is set to `ns1/ns2/`, the final request path Vault
-uses will be `ns1/ns2/secret/foo`. Note that it is semantically equivalent to
-use a full path rather than the `X-Vault-Namespace` header, as the operation in
-Vault will always look up the correct namespace based on the final given path.
-Thus, it would be equivalent to the above example to set `X-Vault-Namespace` to
-`ns1/` and a request path of `ns2/secret/foo`, or to not set
-`X-Vault-Namespace` at all and use a request path of `ns1/ns2/secret/foo`.
-
-For example, the following two commands result in equivalent requests:
-
-```shell
-$ curl \
-    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-    -H "X-Vault-Namespace: ns1/ns2/" \
-    -X GET \
-    http://127.0.0.1:8200/v1/secret/foo
-```
-
-```shell
-$ curl \
-    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-    -X GET \
-    http://127.0.0.1:8200/v1/ns1/ns2/secret/foo
-```
-
-## API Operations
-
-With few documented exceptions, all request body data and response data from
-Vault is via JSON. Vault will set the `Content-Type` header appropriately but
-does not require that clients set it.
-
-Different plugins implement different APIs according to their functionality.
-The examples below are created with the `KVv1` backend, which acts like a very
-simple Key/Value store. Read the documentation for a particular backend for
-detailed information on its API; this simply provides a general overview.
-
-For `KVv1`, reading a secret via the HTTP API is done by issuing a GET:
-
-```text
-/v1/secret/foo
-```
-
-This maps to `secret/foo` where `foo` is the key in the `secret/` mount, which
-is mounted by default on a fresh Vault install and is of type `kv`.
-
-Here is an example of reading a secret using cURL:
-
-```shell
-$ curl \
-    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-    -X GET \
-    http://127.0.0.1:8200/v1/secret/foo
-```
-
-A few endpoints consume query parameters via `GET` calls, but only if those
-parameters are not sensitive, as some load balancers will log these. Most
-endpoints that consume parameters use `POST` instead and put the parameters in
-the request body.
-
-You can list secrets as well. To do this, either issue a GET with the query
-parameter `list=true`, or you can use the `LIST` HTTP verb. For the `kv`
-backend, listing is allowed on directories only, and returns the keys in the
-given directory:
-
-```shell
-$ curl \
-    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-    -X LIST \
-    http://127.0.0.1:8200/v1/secret/
-```
-
-The API documentation uses `LIST` as the HTTP verb, but you can still use `GET`
-with the `?list=true` query string.
-
-To use an API that consumes data via request body, issue a `POST` or `PUT`:
-
-```text
-/v1/secret/foo
-```
-
-with a JSON body like:
-
-```javascript
-{
-  "value": "bar"
-}
-```
-
-Here is an example of writing a secret using cURL:
-
-```shell
-$ curl \
-    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-    -H "Content-Type: application/json" \
-    -X POST \
-    -d '{"value":"bar"}' \
-    http://127.0.0.1:8200/v1/secret/baz
-```
-
-Vault currently considers `PUT` and `POST` to be synonyms. Rather than trust a
-client's stated intentions, Vault backends can implement an existence check to
-discover whether an operation is actually a create or update operation based on
-the data already stored within Vault. This makes permission management via ACLs
-more flexible.
-
-For more examples, please look at the Vault API client.
-
-## The `X-Vault-Request` Header
-
-Requests that are sent to a [Vault Agent][agent] that is configured to use the
-`require_request_header` option must include the `X-Vault-Request` header
-entry, e.g.:
-
-```shell
-$ curl \
-    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-    -H "X-Vault-Request: true" \
-    -H "Content-Type: application/json" \
-    -X POST \
-    -d '{"value":"bar"}' \
-    http://127.0.0.1:8200/v1/secret/baz
-```
-
-The Vault CLI always adds this header to every request, regardless of whether
-the request is being sent to a Vault Agent or directly to a Vault Server. In
-addition, the Vauld SDK always adds this header to every request.
-
-## Help
-
-To retrieve the help for any API within Vault, including mounted backends, auth
-methods, etc. then append `?help=1` to any URL. If you have valid permission to
-access the path, then the help text will be return a markdown-formatted block in the `help` attribute of the response.
-
-Additionally, with the [OpenAPI generation](/api/system/internal-specs-openapi.html) in Vault, you will get back a small
-OpenAPI document in the `openapi` attribute. This document is relevant for the path you're looking up and any paths under it - also note paths in the OpenAPI document are relative to the initial path queried.
-
-Example request:
-
-```shell
-$ curl \
-    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-    http://127.0.0.1:8200/v1/secret?help=1
-```
-
-Example response: 
-
-```javascript
-
-{
-  "help": "## DESCRIPTION\n\nThis backend provides a versioned key-value store. The kv backend reads and\nwrites arbitrary secrets to the storage backend. The secrets are\nencrypted/decrypted by Vault: they are never stored unencrypted in the backend\nand the backend never has an opportunity to see the unencrypted value. Each key\ncan have a configured number of versions, and versions can be retrieved based on\ntheir version numbers.\n\n## PATHS\n\nThe following paths are supported by this backend. To view help for\nany of the paths below, use the help command with any route matching\nthe path pattern. Note that depending on the policy of your auth token,\nyou may or may not be able to access certain paths.\n\n    ^.*$\n\n\n    ^config$\n        Configures settings for the KV store\n\n    ^data/(?P<path>.*)$\n        Write, Read, and Delete data in the Key-Value Store.\n\n    ^delete/(?P<path>.*)$\n        Marks one or more versions as deleted in the KV store.\n\n    ^destroy/(?P<path>.*)$\n        Permanently removes one or more versions in the KV store\n\n    ^metadata/(?P<path>.*)$\n        Configures settings for the KV store\n\n    ^undelete/(?P<path>.*)$\n        Undeletes one or more versions from the KV store.",
-  "openapi": {
-    "openapi": "3.0.2",
-    "info": {
-      "title": "HashiCorp Vault API",
-      "description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.",
-      "version": "1.0.0",
-      "license": {
-        "name": "Mozilla Public License 2.0",
-        "url": "https://www.mozilla.org/en-US/MPL/2.0"
-      }
-    },
-    "paths": {
-      "/.*": {},
-      "/config": {
-        "description": "Configures settings for the KV store",
-        "x-vault-create-supported": true,
-        "get": {
-          "summary": "Read the backend level settings.",
-          "tags": [
-            "secrets"
-          ],
-          "responses": {
-            "200": {
-              "description": "OK"
-            }
-          }
-        },
-     ...[output truncated]...
-     }
-  }
-}
-```
-
-
-## Error Response
-
-A common JSON structure is always returned to return errors:
-
-```javascript
-{
-  "errors": [
-    "message",
-    "another message"
-  ]
-}
-```
-
-This structure will be sent down for any HTTP status greater than
-or equal to 400.
-
-## HTTP Status Codes
-
-The following HTTP status codes are used throughout the API. Vault tries to
-adhere to these whenever possible, but in some cases may not -- feel free to
-file a bug in that case to point our attention to it!
-
-~> *Note*: Applications should be prepared to accept both `200` and `204` as
-success. `204` is simply an indication that there is no response body to parse,
-but API endpoints that indicate that they return a `204` may return a `200` if
-warnings are generated during the operation.
-
-- `200` - Success with data.
-- `204` - Success, no data returned.
-- `400` - Invalid request, missing or invalid data.
-- `403` - Forbidden, your authentication details are either incorrect, you
-  don't have access to this feature, or - if CORS is enabled - you made a
-  cross-origin request from an origin that is not allowed to make such
-  requests.
-- `404` - Invalid path. This can both mean that the path truly doesn't exist or
-  that you don't have permission to view a specific path. We use 404 in some
-  cases to avoid state leakage.
-- `429` - Default return code for health status of standby nodes. This will
-  likely change in the future.
-- `473` - Default return code for health status of performance standby nodes.
-- `500` - Internal server error. An internal error has occurred, try again
-  later. If the error persists, report a bug.
-- `502` - A request to Vault required Vault making a request to a third party;
-  the third party responded with an error of some kind.
-- `503` - Vault is down for maintenance or is currently sealed.  Try again
-  later.
-
-## Limits
-
-A maximum request size of 32MB is imposed to prevent a denial of service attack
-with arbitrarily large requests; this can be tuned per `listener` block in
-Vault's server configuration file.
-
-[agent]: /docs/agent/index.html#listener-stanza
diff --git a/website/source/api/relatedtools.html.md b/website/source/api/relatedtools.html.md
deleted file mode 100644
index d78cc495dec8..000000000000
--- a/website/source/api/relatedtools.html.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-layout: "api"
-page_title: "Related Tools"
-sidebar_title: "Related Tools"
-sidebar_current: "api-http-related"
-description: |-
-  Short list of third-party tools that work with or are related to Vault.
----
-
-# Related Tools
-
-## Hashicorp Tools
-
-* The [Terraform Vault provider](https://www.terraform.io/docs/providers/vault/index.html) can read from, write to, and configure Vault from [HashiCorp Terraform](https://www.terraform.io/)
-* [consul-template](https://github.com/hashicorp/consul-template) is a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data
-* [envconsul](https://github.com/hashicorp/envconsul) allows you to read and set environmental variables for processes from Consul and Vault data
-* The [vault-ssh-helper](https://github.com/hashicorp/vault-ssh-helper) can be used to enable one-time passwords for SSH authentication via Vault
-
-## Third-Party Tools
-
-The following list of tools is maintained by the community of Vault users; HashiCorp has not tested or approved them and makes no claims as to their suitability or security.
-
-* [HashiCorp Vault Jenkins plugin](https://plugins.jenkins.io/hashicorp-vault-plugin) - a Jenkins plugin for injecting Vault secrets into the build environment
-* [Spring Vault](http://projects.spring.io/spring-vault/) - a Java Spring project for working with Vault secrets
-* [vault-exec](https://github.com/kmanning/vault_exec) - a shell wrapper to execute arbitrary scripts using temporary AWS credentials managed by Vault
-* [pouch](https://github.com/tuenti/pouch) - A set of tools to manage provisioning of secrets on hosts based on the AppRole authentication method of Vault
-* [vault-aws-creds](https://github.com/jantman/vault-aws-creds) - Python helper to export Vault-provided temporary AWS creds into the environment
-* [goldfish](https://github.com/Caiyeon/goldfish) - A Vault UI panel written with VueJS and Vault native Go API.
-* [vaultenv](https://github.com/channable/vaultenv) - A tool that fetches secrets in parallel, puts them into the environment and then `exec`s the process that needs them
-* [vault-migrator](https://github.com/nebtex/vault-migrator) - A tool to migrate data between different Vault storage mechanisms
-* [Cryptr](https://github.com/adobe/cryptr) - a desktop Vault UI for Mac, Windows and Linux
-* [sequelize-vault](https://github.com/linyows/sequelize-vault) - A Sequelize plugin for easily integrating Vault secrets.
-* [ansible-modules-hashivault](https://github.com/TerryHowe/ansible-modules-hashivault) - An Ansible module for configuring most things in Vault including secrets, backends and policies.
-* [Docker credential helper](https://github.com/morningconsult/docker-credential-vault-login) - A program that automatically reads Docker credentials from your Vault server and passes them to the Docker daemon to authenticate to your Docker registry when pulling an image
-* [Cruise Daytona](https://github.com/cruise-automation/daytona) - An alternative implementation of the Vault client CLI for services and containers. Its core features are the abilty to automate authentication, fetching of secrets, and automated token renewal. Support for AWS, GCP, & Kubernetes Vault Auth Backends.
-* [Vault-CRD](https://vault.koudingspawn.de/) - Synchronize secrets stored in HashiCorp Vault to Kubernetes Secrets for better GitOps without secrets stored in git manifest files.
-* [nc-vault-env](https://github.com/namecheap/nc-vault-env) - JS CLI tool that fetches secrets in parallel, puts them into the environment and then `exec`s the process that needs them. Supports auth token renewal, multiple auth backends, verbose logging and dummy mode.
-
-Want to add your own project, or one that you use? Additions are welcome via [pull requests](https://github.com/hashicorp/vault/blob/master/website/source/api/relatedtools.html.md).
diff --git a/website/source/api/secret/ad/index.html.md b/website/source/api/secret/ad/index.html.md
deleted file mode 100644
index 5b67b456fcc5..000000000000
--- a/website/source/api/secret/ad/index.html.md
+++ /dev/null
@@ -1,442 +0,0 @@
----
-layout: "api"
-page_title: "Active Directory - Secrets Engines - HTTP API"
-sidebar_title: "Active Directory"
-sidebar_current: "api-http-secret-active-directory"
-description: |-
-  This is the API documentation for the Vault Active Directory secrets engine.
----
-
-# Active Directory Secrets Engine (API)
-
-This is the API documentation for the Vault AD secrets engine. For general
-information about the usage and operation of the AD secrets engine, please see
-the [Vault Active Directory documentation](/docs/secrets/ad/index.html).
-
-This documentation assumes the AD secrets engine is enabled at the `/ad` path
-in Vault. Since it is possible to enable secrets engines at any location, please
-update your API calls accordingly.
-
-## Configuration
-
-The `config` endpoint configures the LDAP connection and binding parameters, as well as the password rotation configuration.
-
-### Password parameters
-
-* `ttl` (string, optional) - The default password time-to-live in seconds. Once the ttl has passed, a password will be rotated the next time it's requested.
-* `max_ttl` (string, optional) - The maximum password time-to-live in seconds. No role will be allowed to set a custom ttl greater than the `max_ttl`.
-* `length` (string, optional) - The desired password length. Defaults to 64. Minimum is 14.
-* `formatter` (string, optional) - Text into which the base64 password should be inserted, formatted like so: `mycustom{{PASSWORD}}`.
-
-To meet Microsoft's password complexity requirements, all passwords begin with "?@09AZ" unless a `formatter` is provided. 
-The `formatter` is for organizations with different, custom password requirements. It allows an organization to supply
-text that fulfills those requirements. `{{PASSWORD}}` must appear exactly once and can be anywhere in the text.
-
-### Connection parameters
-
-* `url` (string, optional) - The LDAP server to connect to. Examples: `ldaps://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. This can also be a comma-delineated list of URLs, e.g. `ldaps://ldap.myorg.com,ldaps://ldap.myorg.com:636`, in which case the servers will be tried in-order if there are errors during the connection process.  Default is `ldap://127.0.0.1`.
-* `case_sensitive_names` `(bool: false)` – If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case. Case will still be preserved when sending the username to the LDAP server at login time; this is only for matching local user/group definitions.
-* `request_timeout` `(integer: 90 or string: "90s")` - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
-* `starttls` (bool, optional) - If true, issues a `StartTLS` command after establishing an unencrypted connection.
-* `insecure_tls` - (bool, optional) - If true, skips LDAP server SSL certificate verification - insecure, use with caution!
-* `certificate` - (string, optional) - CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
-
-### Binding parameters
-
-* `binddn` (string, required) - Distinguished name of object to bind when performing user and group search. Example: `cn=vault,ou=Users,dc=example,dc=com`
-* `bindpass` (string, required) - Password to use along with `binddn` when performing user search.
-* `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
-* `upndomain` (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind as `username@example.com`.
-
-### Other parameters
-
-* `last_rotation_tolerance` (string, optional) - Tolerance duration to use when checking the last rotation time. 
-Active Directory often shows a "pwdLastSet" time after Vault's because it takes
-a while for password updates to be propagated across a large cluster. By default, if Active Directory's last rotation time is
-within 5 seconds of Vault's, Vault considers itself to have been the last entity that rotated the password. However, if it's been 
-more than 5 seconds, Vault thinks that something rotated the password out-of-band, and re-rotates it so it will "know" it and be
-able to continue returning it. This may be too low for larger Active Directory clusters, and too high for smaller ones.
-
-## Config management
-
-At present, this endpoint does not confirm that the provided AD credentials are
-valid AD credentials with proper permissions.
-
-| Method   | Path                   |
-| :--------------------- | :--------------------- |
-| `POST`   | `/ad/config`           |
-| `GET`    | `/ad/config`           |
-| `DELETE` | `/ad/config`           |
-
-### Sample Post Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ad/config
-```
-
-### Sample Post Payload
-
-```json
-{
-  "binddn": "domain-admin",
-  "bindpass": "pa$$w0rd",
-  "url": "ldaps://127.0.0.11",
-  "userdn": "dc=example,dc=com"
-}
-```
-
-### Sample Get Response Data
-
-```json
-{
-  "binddn": "domain-admin",
-  "certificate": "",
-  "insecure_tls": false,
-  "length": 64,
-  "max_ttl": 2764800,
-  "starttls": false,
-  "tls_max_version": "tls12",
-  "tls_min_version": "tls12",
-  "ttl": 2764800,
-  "upndomain": "",
-  "url": "ldaps://127.0.0.11",
-  "userdn": "dc=example,dc=com"
-}
-
-```
-
-## Role management
-
-The `roles` endpoint configures how Vault will manage the passwords for individual service accounts.
-
-### Parameters
-
-* `service_account_name` (string, required) - The name of a pre-existing service account in Active Directory that maps to this role.
-* `ttl` (string, optional) - The password time-to-live in seconds. Defaults to the configuration `ttl` if not provided.
-
-When adding a role, Vault verifies its associated service account exists.
-
-| Method   | Path                   |
-| :--------------------- | :--------------------- |
-| `GET`    | `/ad/roles`            |
-| `POST`   | `/ad/roles/:role_name` |
-| `GET`    | `/ad/roles/:role_name` |
-| `DELETE` | `/ad/roles/:role_name` |
-
-### Sample Post Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ad/roles/my-application
-```
-
-### Sample Post Payload
-
-```json
-{
-  "service_account_name": "my-application@example.com",
-  "ttl": 100
-}
-```
-
-### Sample Get Role Response
-
-```json
-{
-  "last_vault_rotation": "2018-05-24T17:14:38.677370855Z",
-  "password_last_set": "2018-05-24T17:14:38.6038495Z",
-  "service_account_name": "my-application@example.com",
-  "ttl": 100
-}
-```
-
-### Sample List Roles Response
-
-Performing a `LIST` on the `/ad/roles` endpoint will list the names of all the roles Vault contains.
-
-```json
-[
-  "my-application"
-]
-```
-
-## Retrieving passwords
-
-The `creds` endpoint offers the credential information for a given role.
-
-| Method   | Path                   |
-| :--------------------- | :--------------------- |
-| `GET`    | `/ad/creds/:role_name` |
-
-### Sample Get Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/ad/creds/my-application
-```
-
-### Sample Get Response
-
-```json
-{
-  "current_password": "?@09AZnh4Q5N4O5zdLk/4F8aIMgsnpDM6tSQEZCge3Mz1wXcZEgZhOa6OR748F96",
-  "last_password": "?@09AZSen9TzUwK7ZhafS7B0GuWGraQjfWEna5SwnmF/tVaKFqjXhhGV/Z0v/pBJ",
-  "username": "my-application"
-}
-```
-
-## Library management
-
-The `library` endpoint configures the sets of service accounts that Vault will offer for check-out.
-
-### Parameters
-
-* `name` (string: "", required): The name of the set of service accounts.
-* `service_account_names` (string: "", or list: [] required): The names of all the service accounts that can be 
-checked out from this set. These service accounts must only be used by Vault, and may only be in one set. These 
-service accounts must already exist in Active Directory.
-* `ttl` (duration: "24h", optional): The maximum amount of time a single check-out lasts before Vault 
-automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
-* `max_ttl` (duration: "24h", optional): The maximum amount of time a check-out last with renewal before Vault 
-automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
-* `disable_check_in_enforcement` (bool: false, optional): Disable enforcing that service accounts must be 
-checked in by the entity or client token that checked them out. Defaults to false.
-
-When adding a service account to the library, Vault verifies it already exists in Active Directory.
-
-| Method   | Path                    |
-| :------- | :---------------------- |
-| `LIST`   | `/ad/library`           |
-| `POST`   | `/ad/library/:set_name` |
-| `GET`    | `/ad/library/:set_name` |
-| `DELETE` | `/ad/library/:set_name` |
-
-### Sample Post Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ad/library/accounting-team
-```
-
-### Sample Post Payload
-
-```json
-{
-  "service_account_names": ["fizz@example.com", "buzz@example.com"],
-  "ttl": "10h",
-  "max_ttl": "20h",
-  "disable_check_in_enforcement": false
-}
-```
-
-### Sample Get Response
-
-```json
-{
-  "service_account_names": ["fizz@example.com", "buzz@example.com"],
-  "ttl": "10h",
-  "max_ttl": "20h",
-  "disable_check_in_enforcement": false
-}
-```
-
-### Sample List Response
-
-Performing a `LIST` on the `/ad/library` endpoint will list the names of all the sets of service accounts Vault contains.
-
-```json
-[
-  "accounting-team"
-]
-```
-
-## Check-out management
-
-These endpoints help manage check-outs.
-
-### Check a credential out
-
-Returns a `200` if a credential is available, and a `400` if no credential is available.
-
-* `name` (string: "", required): The name of the set of service accounts.
-* `ttl` (duration: "", optional): The maximum amount of time a check-out lasts before Vault 
-automatically checks it back in. Setting it to zero reflects an unlimited lending period.
-Defaults to the set's `ttl`. If the requested `ttl` is higher than the set's, the set's will be used.
-
-| Method   | Path                              |
-| :------- | :-------------------------------- |
-| `POST`   | `/ad/library/:set_name/check-out` |
-
-### Sample Post Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ad/library/accounting-team/check-out
-```
-
-### Sample Post Payload
-
-```json
-{
-  "ttl": "1h"
-}
-```
-
-### Sample Post Response
-```json
-{
-  "request_id": "364a17d4-e5ab-998b-ceee-b49929229e0c",
-  "lease_id": "ad/library/accounting-team/check-out/aoBsaBEI4PK96VnukubvYDlZ",
-  "renewable": true,
-  "lease_duration": 36000,
-  "data": {
-    "password": "?@09QW0KZ8DSBu3deIu7XLY1NZqzwhozmMAZ6v0IcZJGOjs5GvpVMvOeW7/duls2",
-    "service_account_name": "fizz@example.com"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-### Check a credential in
-
-By default, check-in must be called by the same entity or client token used for check-out.
-To disable this behavior, use the `disable_check_in_enforcement` toggle on the library set. Or, use
-the `ad/library/manage/:set_name/check-in` behavior to force check-in of the account. Access to the
-"manage" endpoint should only be granted to highly privileged Vault users, like Vault operators.
-
-If a caller attempts to check in a service account they're not authorized to check in, they will
-receive an error response. If they attempt to check in a service account they _are_ authorized to
-check in, but it's _already_ checked in, they will receive a successful response but the account
-will not be included in the `check_ins` listed. `check_ins` shows which service accounts were checked
-in _by this particular call_.
-
-* `name` (string: "", required): The name of the set of service accounts.
-* `service_account_names` (string: "", or list: [] optional): The names of all the service accounts to be
-checked in. May be omitted if only one is checked out. 
-
-| Method   | Path                                    |
-| :------- | :-------------------------------------- |
-| `POST`   | `/ad/library/:set_name/check-in`        |
-| `POST`   | `/ad/library/manage/:set_name/check-in` |
-
-### Sample Post Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ad/library/accounting-team/check-in
-```
-
-### Sample Post Payload
-
-```json
-{
-  "service_account_names": ["fizz@example.com"]
-}
-```
-
-### Sample Post Response
-```json
-{
-  "request_id": "db45c714-3f68-b748-95bc-8f7467637a52",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "check_ins": ["fizz@example.com"]
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-### Check the status of service accounts
-
-| Method   | Path                           |
-| :------- | :----------------------------- |
-| `GET`    | `/ad/library/:set_name/status` |
-
-### Sample Get Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ad/library/accounting-team/status
-```
-
-### Sample Get Response
-```json
-{
-  "request_id": "9e44c8b5-d142-5867-2a11-49f3ba71215a",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "buzz@example.com": {
-      "available": true
-    },
-    "fizz@example.com": {
-      "available": false,
-      "borrower_client_token": "4c653e473bf7e27c6759fccc3def20c44d776279",
-      "borrower_entity_id": "631256b1-8523-9838-5501-d0a1e2cdad9c"
-    }
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Rotate Root Credentials
-
-Rotate the `bindpass` to a new one known only to Vault.
-
-### Risks
-
-1. When the `bindpass` is rotated, it successfully gets rotated in Active Directory but Vault can't store it so it becomes unknown.
-2. If the `binddn` in use applies to more than one entity in Active Directory, root credential rotation will fail because it's unclear which entity to perform the operation for.
-
-### Mitigating Risks
-
-1. Always have another account that can provision a new `binddn` and `bindpass` to replace one whose password becomes unknown.
-2. Ensure the `binddn` in use only applies to one entity by including all distinguished name parameters possible. For example, use `"CN=vault-ad-test,CN=Users,DC=example,DC=com"` instead of `"CN=vault-ad-test"`.
-
-### Endpoints
-
-| Method   | Path                   |
-| :--------------------- | :----------------------------------------- |
-| `GET`    | `/ad/rotate-root`      | `204 (empty body) or 200 with warning`     |
-
-Generally, `rotate-root` returns a 204. However, if `rotate-root` is already in progress, it may return a 200 with a warning that root credential rotation is already in progress.
-
-### Sample Get Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ad/rotate-root
-```
diff --git a/website/source/api/secret/alicloud/index.html.md b/website/source/api/secret/alicloud/index.html.md
deleted file mode 100644
index 72f64ce60c2e..000000000000
--- a/website/source/api/secret/alicloud/index.html.md
+++ /dev/null
@@ -1,215 +0,0 @@
----
-layout: "api"
-page_title: "AliCloud - Secrets Engines - HTTP API"
-sidebar_title: "AliCloud"
-sidebar_current: "docs-http-secret-alicloud"
-description: |-
-  This is the API documentation for the Vault AliCloud secrets engine.
----
-
-# AliCloud Secrets Engine (API)
-
-This is the API documentation for the Vault AliCloud secrets engine. For general
-information about the usage and operation of the AliCloud secrets engine, please see
-the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html).
-
-This documentation assumes the AliCloud secrets engine is enabled at the `/alicloud` path
-in Vault. Since it is possible to enable secrets engines at any location, please
-update your API calls accordingly.
-
-## Config management
-
-This endpoint configures the root RAM credentials to communicate with AliCloud. AliCloud
-will use credentials in the following order:
-
-1. [Environment variables](https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/auth/credentials/providers/env.go)
-2. A static credential configuration set at this endpoint
-3. Instance metadata (recommended)
-
-To use instance metadata, leave the static credential configuration unset.
-
-At present, this endpoint does not confirm that the provided AliCloud credentials are
-valid AliCloud credentials with proper permissions.
-
-Please see the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html) for
-the policies that should be attached to the access key you provide.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/alicloud/config`           |
-| `GET`    | `/alicloud/config`           |
-
-### Parameters
-
-* `access_key` (string, required) - The ID of an access key with appropriate policies.
-* `secret_key` (string, required) - The secret for that key.
-
-### Sample Post Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/alicloud/config
-```
-
-### Sample Post Payload
-
-```json
-{
-  "access_key": "0wNEpMMlzy7szvai",
-  "secret_key": "PupkTg8jdmau1cXxYacgE736PJj4cA"
-}
-```
-
-### Sample Get Response Data
-
-```json
-{
-    "access_key": "0wNEpMMlzy7szvai"
-}
-```
-
-## Role management
-
-The `role` endpoint configures how Vault will generate credentials for users of each role.
-
-### Parameters
-
-* `name` (string, required) – Specifies the name of the role to generate credentials against. This is part of the request URL.
-* `remote_policies` (string, optional) - The names and types of a pre-existing policies to be applied to the generate access token. Example: "name:AliyunOSSReadOnlyAccess,type:System".
-* `inline_policies` (string, optional) - The policy document JSON to be generated and attached to the access token.
-* `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/docs/secrets/alicloud/index.html) regarding trusted actors.
-* `ttl` (int, optional) - The duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.
-* `max_ttl` (int, optional) - The maximum allowed lifetime of tokens issued using this role.
-
-| Method   | Path                        |
-| :---------------------------| :--------------------- |
-| `GET`    | `/alicloud/role`            |
-| `POST`   | `/alicloud/role/:role_name` |
-| `GET`    | `/alicloud/role/:role_name` |
-| `DELETE` | `/alicloud/role/:role_name` |
-
-### Sample Post Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/alicloud/role/my-application
-```
-
-### Sample Post Payload Using Policies
-
-```json
-{
-  "remote_policies": [
-    "name:AliyunOSSReadOnlyAccess,type:System",
-    "name:AliyunRDSReadOnlyAccess,type:System"
-  ],
-  "inline_policies": "[{\"Statement\": [{\"Action\": [\"ram:Get*\",\"ram:List*\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}],\"Version\": \"1\"}]"
-}
-```
-
-### Sample Get Role Response Using Policies
-
-```json
-{
-	"inline_policies": [{
-		"hash": "49796debb24d39b7a61485f9b0c97e04",
-		"policy_document": {
-			"Statement": [{
-				"Action": ["ram:Get*", "ram:List*"],
-				"Effect": "Allow",
-				"Resource": "*"
-			}],
-			"Version": "1"
-		}
-	}],
-	"max_ttl": 0,
-	"remote_policies": [{
-		"name": "AliyunOSSReadOnlyAccess",
-		"type": "System"
-	}, {
-		"name": "AliyunRDSReadOnlyAccess",
-		"type": "System"
-	}],
-	"role_arn": "",
-	"ttl": 0
-}
-```
-
-### Sample Post Payload Using Assume-Role
-
-```json
-{
-  "role_arn": "acs:ram::5138828231865461:role/hastrustedactors"
-}
-```
-
-### Sample Get Role Response Using Assume-Role
-
-```json
-{
-	"inline_policies": null,
-	"max_ttl": 0,
-	"remote_policies": null,
-	"role_arn": "acs:ram::5138828231865461:role/hastrustedactors",
-	"ttl": 0
-}
-```
-
-### Sample List Roles Response
-
-Performing a `LIST` on the `/alicloud/roles` endpoint will list the names of all the roles Vault contains.
-
-```json
-[
-  "policy-based",
-  "role-based"
-]
-```
-
-## Generate RAM Credentials
-
-This endpoint generates dynamic RAM credentials based on the named role. This
-role must be created before queried.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/alicloud/creds/:name`      |
-
-### Parameters
-
-* `name` (string, required) – Specifies the name of the role to generate credentials against. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/alicloud/creds/example-role
-```
-
-### Sample Response for Roles Using Policies
-
-```json
-{
-  "access_key": "0wNEpMMlzy7szvai",
-  "secret_key": "PupkTg8jdmau1cXxYacgE736PJj4cA"
-}
-
-```
-
-### Sample Response for Roles Using Assume-Role
-
-```json
-{
-	"access_key": "STS.L4aBSCSJVMuKg5U1vFDw",
-	"expiration": "2018-08-15T22:04:07Z",
-	"secret_key": "wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pKCNZ9",
-	"security_token": "CAESrAIIARKAAShQquMnLIlbvEcIxO6wCoqJufs8sWwieUxu45hS9AvKNEte8KRUWiJWJ6Y+YHAPgNwi7yfRecMFydL2uPOgBI7LDio0RkbYLmJfIxHM2nGBPdml7kYEOXmJp2aDhbvvwVYIyt/8iES/R6N208wQh0Pk2bu+/9dvalp6wOHF4gkFGhhTVFMuTDRhQlNDU0pWTXVLZzVVMXZGRHciBTQzMjc0KgVhbGljZTCpnJjwySk6BlJzYU1ENUJuCgExGmkKBUFsbG93Eh8KDEFjdGlvbkVxdWFscxIGQWN0aW9uGgcKBW9zczoqEj8KDlJlc291cmNlRXF1YWxzEghSZXNvdXJjZRojCiFhY3M6b3NzOio6NDMyNzQ6c2FtcGxlYm94L2FsaWNlLyo="
-}
-```
diff --git a/website/source/api/secret/aws/index.html.md b/website/source/api/secret/aws/index.html.md
deleted file mode 100644
index dc7f731a8e9a..000000000000
--- a/website/source/api/secret/aws/index.html.md
+++ /dev/null
@@ -1,475 +0,0 @@
----
-layout: "api"
-page_title: "AWS - Secrets Engines - HTTP API"
-sidebar_title: "AWS"
-sidebar_current: "api-http-secret-aws"
-description: |-
-  This is the API documentation for the Vault AWS secrets engine.
----
-
-# AWS Secrets Engine (API)
-
-This is the API documentation for the Vault AWS secrets engine. For general
-information about the usage and operation of the AWS secrets engine, please see
-the [Vault AWS documentation](/docs/secrets/aws/index.html).
-
-This documentation assumes the AWS secrets engine is enabled at the `/aws` path
-in Vault. Since it is possible to enable secrets engines at any location, please
-update your API calls accordingly.
-
-## Configure Root IAM Credentials
-
-This endpoint configures the root IAM credentials to communicate with AWS. There
-are multiple ways to pass root IAM credentials to the Vault server, specified
-below with the highest precedence first. If credentials already exist, this will
-overwrite them.
-
-The official AWS SDK is used for sourcing credentials from env vars, shared
-files, or IAM/ECS instances.
-
-- Static credentials provided to the API as a payload
-
-- Credentials in the `AWS_ACCESS_KEY`, `AWS_SECRET_KEY`, and `AWS_REGION`
-  environment variables **on the server**
-
-- Shared credentials files
-
-- Assigned IAM role or ECS task role credentials
-
-At present, this endpoint does not confirm that the provided AWS credentials are
-valid AWS credentials with proper permissions.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/aws/config/root`           |
-
-### Parameters
-
-- `max_retries` `(int: -1)` - Number of max retries the client should use for
-  recoverable errors. The default (`-1`) falls back to the AWS SDK's default
-  behavior.
-
-- `access_key` `(string: <required>)` – Specifies the AWS access key ID.
-
-- `secret_key` `(string: <required>)` – Specifies the AWS secret access key.
-
-- `region` `(string: <optional>)` – Specifies the AWS region. If not set it
-  will use the `AWS_REGION` env var, `AWS_DEFAULT_REGION` env var, or
-  `us-east-1` in that order.
-
-- `iam_endpoint` `(string: <optional>)` – Specifies a custom HTTP IAM endpoint to use.
-
-- `sts_endpoint` `(string: <optional>)` – Specifies a custom HTTP STS endpoint to use.
-
-### Sample Payload
-
-```json
-{
-  "access_key": "AKIA...",
-  "secret_key": "2J+...",
-  "region": "us-east-1"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/aws/config/root
-```
-
-## Read Root Configuration
-
-This endpoint allows you to read non-secure values that have been configured in the
-`config/root` endpoint. In particular, the `secret_key` parameter is never returned.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/aws/config/root`           |
-
-### Sample Request
-```
-$ curl
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/aws/config/root
-
-```
-
-### Sample Response
-```json
-{
-  "data": {
-    "access_key": "AKIAEXAMPLE",
-    "region": "us-west-2",
-    "iam_endpoint": "https://iam.amazonaws.com",
-    "sts_endpoint": "https://sts.us-west-2.amazonaws.com",
-    "max_retries": -1
-  }
-}
-```
-
-## Rotate Root IAM Credentials
-
-When you have configured Vault with static credentials, you can use this
-endpoint to have Vault rotate the access key it used. Note that, due to AWS
-eventual consistency, after calling this endpoint, subsequent calls from Vault
-to AWS may fail for a few seconds until AWS becomes consistent again.
-
-
-In order to call this endpoint, Vault's AWS access key MUST be the only access
-key on the IAM user; otherwise, generation of a new access key will fail. Once
-this method is called, Vault will now be the only entity that knows the AWS
-secret key is used to access AWS.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/aws/config/rotate-root`    |
-
-### Parameters
-
-There are no parameters to this operation.
-
-### Sample Request
-
-```$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8211/v1/aws/config/rotate-root
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "access_key": "AKIA..."
-  }
-}
-```
-
-The new access key Vault uses is returned by this operation.
-
-## Configure Lease
-
-This endpoint configures lease settings for the AWS secrets engine. It is
-optional, as there are default values for `lease` and `lease_max`.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/aws/config/lease`          |
-
-### Parameters
-
-- `lease` `(string: <required>)` – Specifies the lease value provided as a
-  string duration with time suffix. "h" (hour) is the largest suffix.
-
-- `lease_max` `(string: <required>)` – Specifies the maximum lease value
-  provided as a string duration with time suffix. "h" (hour) is the largest
-  suffix.
-
-### Sample Payload
-
-```json
-{
-  "lease": "30m",
-  "lease_max": "12h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/aws/config/lease
-```
-
-## Read Lease
-
-This endpoint returns the current lease settings for the AWS secrets engine.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/aws/config/lease`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/aws/config/lease
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "lease": "30m0s",
-    "lease_max": "12h0m0s"
-  }
-}
-```
-
-## Create/Update Role
-
-This endpoint creates or updates the role with the given `name`. If a role with
-the name does not exist, it will be created. If the role exists, it will be
-updated with the new attributes.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/aws/roles/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create. This
-  is part of the request URL.
-
-- `credential_type` `(string: <required>)` – Specifies the type of credential to be used when
-  retrieving credentials from the role. Must be one of `iam_user`,
-  `assumed_role`, or `federation_token`.
-
-- `role_arns` `(list: [])` – Specifies the ARNs of the AWS roles this Vault role
-  is allowed to assume. Required when `credential_type` is `assumed_role` and
-  prohibited otherwise. This is a comma-separated string or JSON array.
-
-- `policy_arns` `(list: [])` – Specifies a list of AWS managed policy ARN. The
-  behavior depends on the credential type. With `iam_user`, the policies will
-  be attached to IAM users when they are requested. With `assumed_role` and
-  `federation_token`, the policy ARNs will act as a filter on what the
-  credentials can do, similar to `policy_document`.
-  When `credential_type` is `iam_user` or `federation_token`, at
-  least one of `policy_arns` or `policy_document` must be specified. This is a
-  comma-separated string or JSON array.
-
-- `policy_document` `(string)` – The IAM policy document for the role. The
-  behavior depends on the credential type. With `iam_user`, the policy document
-  will be attached to the IAM user generated and augment the permissions the IAM
-  user has. With `assumed_role` and `federation_token`, the policy document will
-  act as a filter on what the credentials can do, similar to `policy_arns`.
-
-- `default_sts_ttl` `(string)` - The default TTL for STS credentials. When a TTL is not
-  specified when STS credentials are requested, and a default TTL is specified
-  on the role, then this default TTL will be used. Valid only when
-  `credential_type` is one of `assumed_role` or `federation_token`.
-
-- `max_sts_ttl` `(string)` - The max allowed TTL for STS credentials (credentials
-  TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of 
-  `assumed_role` or `federation_token`.
-
-- `user_path` `(string)` - The path for the user name. Valid only when
-  `credential_type` is `iam_user`. Default is `/`
-
-- `permissions_boundary_arn` `(string)` - The ARN of the [AWS Permissions
-  Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-  to attach to IAM users created in the role. Valid only when `credential_type`
-  is `iam_user`. If not specified, then no permissions boundary policy will be
-  attached.
-
-Legacy parameters:
-
-These parameters are supported for backwards compatibility only. They cannot be
-mixed with the parameters listed above.
-
-- `policy` `(string: <required unless arn provided>)` – Specifies the IAM policy
-  in JSON format.
-
-- `arn` `(string: <required unless policy provided>)` – Specifies the full ARN
-  reference to the desired existing policy.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/aws/roles/example-role
-```
-
-### Sample Payloads
-
-Using an inline IAM policy:
-
-```json
-{
-  "credential_type": "federation_token",
-  "policy_document": "{\"Version\": \"...\"}"
-}
-```
-
-Using an ARN:
-
-```json
-{
-  "credential_type": "assumed_role",
-  "role_arns": "arn:aws:iam::123456789012:role/DeveloperRole"
-}
-```
-
-## Read Role
-
-This endpoint queries an existing role by the given name. If the role does not
-exist, a 404 is returned.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/aws/roles/:name`           |
-
-If invalid role data was supplied to the role from an earlier version of Vault,
-then it will show up in the response as `invalid_data`.
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/aws/roles/example-role
-```
-
-### Sample Responses
-
-For an inline IAM policy:
-
-```json
-{
-  "data": {
-    "policy_document": "{\"Version\": \"...\"}",
-    "policy_arns": [],
-    "credential_types": ["assumed_role"],
-    "role_arns": [],
-  }
-}
-```
-
-For a role ARN:
-
-```json
-{
-  "data": {
-    "policy_document": "",
-    "policy_arns": [],
-    "credential_types": ["assumed_role"],
-    "role_arns": ["arn:aws:iam::123456789012:role/example-role"]
-  }
-}
-```
-
-## List Roles
-
-This endpoint lists all existing roles in the secrets engine.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/aws/roles`                 |
-
-### Sample Request
-
-```
-$ curl
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/aws/roles
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "example-role"
-    ]
-  }
-}
-```
-
-## Delete Role
-
-This endpoint deletes an existing role by the given name. If the role does not
-exist, a 404 is returned.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE`  | `/aws/roles/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/aws/roles/example-role
-```
-
-## Generate Credentials
-
-This endpoint generates credentials based on the named role. This role must be
-created before queried.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/aws/creds/:name`           |
-| `GET`    | `/aws/sts/:name`             |
-
-The `/aws/creds` and `/aws/sts` endpoints are almost identical. The exception is
-when retrieving credentials for a role that was specified with the legacy `arn`
-or `policy` parameter. In this case, credentials retrieved through `/aws/sts`
-must be of either the `assumed_role` or `federation_token` types, and
-credentials retrieved through `/aws/creds` must be of the `iam_user` type.
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to generate
-  credentials against. This is part of the request URL.
-- `role_arn` `(string)` – The ARN of the role to assume if `credential_type` on
-  the Vault role is `assumed_role`. Must match one of the allowed role ARNs in
-  the Vault role. Optional if the Vault role only allows a single AWS role ARN;
-  required otherwise.
-- `ttl` `(string: "3600s")` – Specifies the TTL for the use of the STS token.
-  This is specified as a string with a duration suffix. Valid only when
-  `credential_type` is `assumed_role` or `federation_token`. When not specified,
-  the `default_sts_ttl` set for the role will be used. If that is also not set, then
-  the default value of `3600s` will be used. AWS places limits
-  on the maximum TTL allowed. See the AWS documentation on the `DurationSeconds`
-  parameter for
-  [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
-  (for `assumed_role` credential types) and
-  [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)
-  (for `federation_token` credential types) for more details.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/aws/creds/example-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "access_key": "AKIA...",
-    "secret_key": "xlCs...",
-    "security_token": null
-  }
-}
-```
diff --git a/website/source/api/secret/azure/index.html.md b/website/source/api/secret/azure/index.html.md
deleted file mode 100644
index 8e64871fdf9d..000000000000
--- a/website/source/api/secret/azure/index.html.md
+++ /dev/null
@@ -1,241 +0,0 @@
----
-layout: "api"
-page_title: "Azure - Secrets Engines - HTTP API"
-sidebar_title: "Azure"
-sidebar_current: "api-http-secret-azure"
-description: |-
-  This is the API documentation for the Vault Azure secrets engine.
----
-
-# Azure Secrets Engine (API)
-
-This is the API documentation for the Vault Azure
-secrets engine. For general information about the usage and operation of
-the Azure secrets engine, please see the main [Azure secrets documentation][docs].
-
-This documentation assumes the Azure secrets engine is enabled at the `/azure` path
-in Vault. Since it is possible to mount secrets engines at any path, please
-update your API calls accordingly.
-
-## Configure Access
-
-Configures the credentials required for the plugin to perform API calls
-to Azure. These credentials will be used to query roles and create/delete
-service principals. Environment variables will override any parameters set in the config.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `POST`   | `/azure/config`            |
-
-- `subscription_id` (`string: <required>`) - The subscription id for the Azure Active Directory.
-  This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.
-- `tenant_id` (`string: <required>`) - The tenant id for the Azure Active Directory.
-  This value can also be provided with the AZURE_TENANT_ID environment variable.
-- `client_id` (`string:""`) - The OAuth2 client id to connect to Azure. This value can also be provided
-  with the AZURE_CLIENT_ID environment variable. See [authentication](#Authentication) for more details.
-- `client_secret` (`string:""`) - The OAuth2 client secret to connect to Azure. This value can also be
-  provided with the AZURE_CLIENT_ID environment variable. See [authentication](#Authentication) for more details.
-- `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT
-  environment variable. If not specified, Vault will use Azure Public Cloud.
-
-### Sample Payload
-
-```json
-{
-  "subscription_id": "94ca80...",
-  "tenant_id": "d0ac7e...",
-  "client_id": "e607c4...",
-  "client_secret": "9a6346...",
-  "environment": "AzureGermanCloud"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/azure/config
-```
-
-## Read Config
-
-Return the stored configuration, omitting `client_secret`.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `GET`    | `/azure/config`            |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/azure/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "subscription_id": "94ca80...",
-    "tenant_id": "d0ac7e...",
-    "client_id": "e607c4...",
-    "environment": "AzureGermanCloud"
-  },
-  ...
-}
-```
-
-## Delete Config
-
-Deletes the stored Azure configuration and credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/azure/config`         |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/azure/config
-```
-
-
-## Create/Update Role
-
-Create or update a Vault role. Either `application_object_id` or
-`azure_roles` must be provided, and these resources must exist for this
-call to succeed. See the Azure secrets [roles docs][roles] for more
-information about roles.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `POST`   | `/azure/roles/:name`     |
-
-
-### Parameters
-
-- `azure_roles` (`string: ""`) - List of Azure roles to be assigned to the generated service
-   principal. The array must be in JSON format, properly escaped as a string. See [roles docs][roles]
-   for details on role definition.
-- `azure_groups` (`string: ""`) - List of Azure groups that the generated service principal will be
-   assigned to. The array must be in JSON format, properly escaped as a string. See [groups docs][groups]
-   for more details.
-- `application_object_id` (`string: ""`) - Application Object ID for an existing service principal that will
-   be used instead of creating dynamic service principals. If present, `azure_roles` will be ignored. See
-   [roles docs][roles] for details on role definition.
-- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
-   Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
-- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
-   suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
-
-### Sample Payload
-
-```json
-{
-  "azure_roles": "[
-    {
-      \"role_name\": \"Contributor\",
-      \"scope\":  \"/subscriptions/<uuid>/resourceGroup/Website\"
-    },
-    {
-      \"role_id\": \"/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>\",
-      \"scope\":  \"/subscriptions/<uuid>\"
-    }
-  ]",
-  "ttl": 3600,
-  "max_ttl": "24h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/azure/roles/my-role
-```
-
-
-## List Roles
-
-Lists all of the roles that are registered with the plugin.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `LIST`   | `/azure/roles`           |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/azure/roles
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-     "keys": [
-       "my-role-one",
-       "my-role-two"
-     ]
-   }
- }
-```
-
-## Generate Credentials
-
-This endpoint generates a new service principal based on the named role.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `GET`    | `/azure/creds/:name`     |
-
-### Parameters
-
-- `name` (`string: <required>`) - Specifies the name of the role to create credentials against.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/azure/creds/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "client_id": "408bf248-dd4e-4be5-919a-7f6207a307ab",
-    "client_secret": "ad06228a-2db9-4e0a-8a5d-e047c7f32594",
-    ...
-  }
-}
-```
-
-## Revoking/Renewing Secrets
-
-See docs on how to [renew](/api/system/leases.html#renew-lease) and [revoke](/api/system/leases.html#revoke-lease) leases.
-
-
-[docs]: /docs/secrets/azure/index.html
-[roles]: /docs/secrets/azure/index.html#roles
-[groups]: /docs/secrets/azure/index.html#azure-groups
diff --git a/website/source/api/secret/cassandra/index.html.md b/website/source/api/secret/cassandra/index.html.md
deleted file mode 100644
index c3e65fbaa23f..000000000000
--- a/website/source/api/secret/cassandra/index.html.md
+++ /dev/null
@@ -1,250 +0,0 @@
----
-layout: "api"
-page_title: "Cassandra - Secrets Engines - HTTP API"
-sidebar_title: "Cassandra <sup>DEPRECATED</sup>"
-sidebar_current: "api-http-secret-cassandra"
-description: |-
-  This is the API documentation for the Vault Cassandra secrets engine.
----
-
-# Cassandra Secrets Engine (API)
-
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the API documentation for
-the new implementation of this backend at
-[Cassandra database plugin HTTP API](/api/secret/databases/cassandra.html).
-
-This is the API documentation for the Vault Cassandra secrets engine. For
-general information about the usage and operation of the Cassandra backend,
-please see the
-[Vault Cassandra backend documentation](/docs/secrets/cassandra/index.html).
-
-This documentation assumes the Cassandra backend is mounted at the `/cassandra`
-path in Vault. Since it is possible to enable secrets engines at any location,
-please update your API calls accordingly.
-
-## Configure Connection
-
-This endpoint configures the connection information used to communicate with
-Cassandra.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/cassandra/config/connection` |
-
-### Parameters
-
-- `hosts` `(string: <required>)` – Specifies a set of comma-delineated Cassandra
-  hosts to connect to.
-
-- `username` `(string: <required>)` – Specifies the username to use for
-  superuser access.
-
-- `password` `(string: <required>)` – Specifies the password corresponding to
-  the given username.
-
-- `tls` `(bool: true)` – Specifies whether to use TLS when connecting to
-  Cassandra.
-
-- `insecure_tls` `(bool: false)` – Specifies whether to skip verification of the
-  server certificate when using TLS.
-
-- `pem_bundle` `(string: "")` – Specifies concatenated PEM blocks containing a
-  certificate and private key; a certificate, private key, and issuing CA
-  certificate; or just a CA certificate.
-
-- `pem_json` `(string: "")` – Specifies JSON containing a certificate and
-  private key; a certificate, private key, and issuing CA certificate; or just a
-  CA certificate. For convenience format is the same as the output of the
-  `issue` command from the `pki` backend; see
-  [the pki documentation](/docs/secrets/pki/index.html).
-
-- `protocol_version` `(int: 2)` – Specifies the CQL protocol version to use.
-
-- `connect_timeout` `(string: "5s")` – Specifies the connection timeout to use.
-
-- `consistency` `(string: "")` – Specifies the consistency option to use.  See
-  the [gocql
-  definition](https://github.com/gocql/gocql/blob/master/frame.go#L188) for
-  valid options.
-
-TLS works as follows:
-
-- If `tls` is set to true, the connection will use TLS; this happens
-  automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
-
-- If `insecure_tls` is set to true, the connection will not perform verification
-  of the server certificate; this also sets `tls` to true
-
-- If only `issuing_ca` is set in `pem_json`, or the only certificate in
-  `pem_bundle` is a CA certificate, the given CA certificate will be used for
-  server certificate verification; otherwise the system CA certificates will be
-  used
-
-- If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`,
-  client auth will be turned on for the connection
-
-`pem_bundle` should be a PEM-concatenated bundle of a private key + client
-certificate, an issuing CA certificate, or both. `pem_json` should contain the
-same information; for convenience, the JSON format is the same as that output by
-the issue command from the PKI backend.
-
-### Sample Payload
-
-```json
-{
-  "hosts": "cassandra1.local",
-  "username": "user",
-  "password": "pass"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/cassandra/config/connection
-```
-
-## Create Role
-
-This endpoint creates or updates the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/cassandra/roles/:name`     |
-
-### Parameters
-
-- `creation_cql` `(string: "")` – Specifies the CQL statements executed to
-  create and configure the new user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{username}}' and
-  '{{password}}' values will be substituted; it is required that these
-  parameters are in single quotes. The default creates a non-superuser user with
-  no authorization grants.
-
-- `rollback_cql` `(string: "")` – Specifies the CQL statements executed to
-  attempt a rollback if an error is encountered during user creation. The
-  default is to delete the user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{username}}' and
-  '{{password}}' values will be substituted; it is required that these
-  parameters are in single quotes.
-
-- `lease` `(string: "")` – Specifies the lease value provided as a string
-  duration with time suffix. "h" hour is the largest suffix.
-
-- `consistency` `(string: "Quorum")` – Specifies the consistency level value
-  provided as a string. Determines the consistency level used for operations
-  performed on the Cassandra database.
-
-### Sample Payload
-
-```json
-{
-  "creation_cql": "CREATE USER ..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/cassandra/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/cassandra/roles/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/cassandra/roles/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "creation_cql": "CREATE USER...",
-    "rollback_cql": "DROP USER...",
-    "lease": "12h",
-    "consistency": "Quorum"
-  }
-}
-```
-
-## Delete Role
-
-This endpoint deletes the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/cassandra/roles/:name`     | `204 (no body)`        |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/cassandra/roles/my-role
-```
-
-## Generate Credentials
-
-This endpoint generates a new set of dynamic credentials based on the named
-role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/cassandra/creds/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create
-  credentials against. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/cassandra/creds/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "username": "vault-root-1430158508-126",
-    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
-  }
-}
-```
diff --git a/website/source/api/secret/consul/index.html.md b/website/source/api/secret/consul/index.html.md
deleted file mode 100644
index 6536b1e5822f..000000000000
--- a/website/source/api/secret/consul/index.html.md
+++ /dev/null
@@ -1,268 +0,0 @@
----
-layout: "api"
-page_title: "Consul - Secrets Engines - HTTP API"
-sidebar_title: "Consul"
-sidebar_current: "api-http-secret-consul"
-description: |-
-  This is the API documentation for the Vault Consul secrets engine.
----
-
-# Consul Secrets Engine (API)
-
-This is the API documentation for the Vault Consul secrets engine. For general
-information about the usage and operation of the Consul secrets engine, please
-see the [Vault Consul documentation](/docs/secrets/consul/index.html).
-
-This documentation assumes the Consul secrets engine is enabled at the `/consul`
-path in Vault. Since it is possible to enable secrets engines at any location,
-please update your API calls accordingly.
-
-## Configure Access
-
-This endpoint configures the access information for Consul. This access
-information is used so that Vault can communicate with Consul and generate
-Consul tokens.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/consul/config/access`      |
-
-### Parameters
-
-- `address` `(string: <required>)` – Specifies the address of the Consul
-  instance, provided as `"host:port"` like `"127.0.0.1:8500"`.
-
-- `scheme` `(string: "http")` – Specifies the URL scheme to use.
-
-- `token` `(string: <required>)` – Specifies the Consul ACL token to use. This
-  must be a management type token.
-
-### Sample Payload
-
-```json
-{
-  "address": "127.0.0.1:8500",
-  "scheme": "https",
-  "token": "adha..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --header "X-Vault-Token: ..." \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/consul/config/access
-```
-
-## Create/Update Role
-
-This endpoint creates or updates the Consul role definition. If the role does
-not exist, it will be created. If the role already exists, it will receive
-updated attributes.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/consul/roles/:name`        |
-
-### Parameters for Consul versions 1.4 and above
-
-- `name` `(string: <required>)` – Specifies the name of an existing role against
-  which to create this Consul credential. This is part of the request URL.
-
-- `token_type` `(string: "client")` - Specifies the type of token to create when
-  using this role. Valid values are `"client"` or `"management"`.
-
-- `policy` `(string: <policy or policies>)` – Specifies the base64 encoded ACL policy. The
-  ACL format can be found in the [Consul ACL
-  documentation](https://www.consul.io/docs/internals/acl.html). This is
-  required unless the `token_type` is `management`.
-
-- `policies` `(list: <policy or policies>)` – The list of policies to assign to the generated
-  token.  This is only available in Consul 1.4 and greater.
-
-- `local` `(bool: false)` - Indicates that the token should not be replicated 
-  globally and instead be local to the current datacenter.  Only available in Consul
-  1.4 and greater.
-
-- `ttl` `(duration: "")` – Specifies the TTL for this role. This is provided
-  as a string duration with a time suffix like `"30s"` or `"1h"` or as seconds. If not
-  provided, the default Vault TTL is used.
-
-- `max_ttl` `(duration: "")` – Specifies the max TTL for this role. This is provided
-  as a string duration with a time suffix like `"30s"` or `"1h"` or as seconds. If not
-  provided, the default Vault Max TTL is used.
-
-### Sample Payload
-
-To create management tokens:
-
-```json
-{
-  "token_type": "management"
-}
-```
-
-To create a client token with a custom policy:
-
-```json
-{
-  "policy": "abd2...=="
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --header "X-Vault-Token: ..." \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/consul/roles/example-role
-```
-
-### Parameters for Consul version below 1.4
-
-- `lease` `(string: "")` – Specifies the lease for this role. This is provided
-  as a string duration with a time suffix like `"30s"` or `"1h"`. If not
-  provided, the default Vault lease is used.
-
-- `policies` `(string: <required>)` – Comma separated list of policies to be applied
-  to the tokens.
-
-### Sample payload
-```json
-{
-  "policies": "global-management"
-}
-```
-
-### Sample request
-
-```sh
-curl \
-→     --request POST \
-→     --header "X-Vault-Token: ..."\
-→     --data @payload.json \
-→     http://127.0.0.1:8200/v1/consul/roles/example-role
-```
-
-## Read Role
-
-This endpoint queries for information about a Consul role with the given name.
-If no role exists with that name, a 404 is returned.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/consul/roles/:name`        |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to query. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/consul/roles/example-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "policy": "abd2...==",
-    "lease": "1h0m0s",
-    "token_type": "client"
-  }
-}
-```
-
-## List Roles
-
-This endpoint lists all existing roles in the secrets engine.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/consul/roles`              |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/consul/roles
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "example-role"
-    ]
-  }
-}
-```
-
-## Delete Role
-
-This endpoint deletes a Consul role with the given name. Even if the role does
-not exist, this endpoint will still return a successful response.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/consul/roles/:name`        |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --request DELETE \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/consul/roles/example-role
-```
-
-## Generate Credential
-
-This endpoint generates a dynamic Consul token based on the given role
-definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/consul/creds/:name`        |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of an existing role against
-  which to create this Consul credential. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/consul/creds/example-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "token": "973a31ea-1ec4-c2de-0f63-623f477c2510"
-  }
-}
-```
diff --git a/website/source/api/secret/cubbyhole/index.html.md b/website/source/api/secret/cubbyhole/index.html.md
deleted file mode 100644
index cc4d369c59e0..000000000000
--- a/website/source/api/secret/cubbyhole/index.html.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-layout: "api"
-page_title: "Cubbyhole - Secrets Engines - HTTP API"
-sidebar_title: "Cubbyhole"
-sidebar_current: "api-http-secret-cubbyhole"
-description: |-
-  This is the API documentation for the Vault Cubbyhole secrets engine.
----
-
-# Cubbyhole Secrets Engine (API)
-
-This is the API documentation for the Vault Cubbyhole secrets engine. For
-general information about the usage and operation of the Cubbyhole secrets
-engine, please see the
-[Vault Cubbyhole documentation](/docs/secrets/cubbyhole/index.html).
-
-This documentation assumes the Cubbyhole secrets engine is enabled at the
-`/cubbyhole` path in Vault. Since it is possible to enable secrets engines at
-any location, please update your API calls accordingly.
-
-## Read Secret
-
-This endpoint retrieves the secret at the specified location.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/cubbyhole/:path`           |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to read.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/cubbyhole/my-secret
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "foo": "bar"
-  },
-  "lease_duration": 0,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## List Secrets
-
-This endpoint returns a list of secret entries at the specified location.
-Folders are suffixed with `/`. The input must be a folder; list on a file will
-not return a value. The values themselves are not accessible via this command.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/cubbyhole/:path`           |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secrets to list.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/cubbyhole/my-secret
-```
-
-### Sample Response
-
-The example below shows output for a query path of `cubbyhole/` when there are
-secrets at `cubbyhole/foo` and `cubbyhole/foo/bar`; note the difference in the
-two entries.
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["foo", "foo/"]
-  },
-  "lease_duration": 2764800,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Create/Update Secret
-
-This endpoint stores a secret at the specified location.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/cubbyhole/:path`           |
-| `PUT`    | `/cubbyhole/:path`           |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secrets to
-  create/update. This is specified as part of the URL.
-
-- `:key` `(string: "")` – Specifies a key, paired with an associated value, to
-  be held at the given location. Multiple key/value pairs can be specified, and
-  all will be returned on a read operation. A key called `ttl` will trigger some
-  special behavior; see above for details.
-
-### Sample Payload
-
-```json
-{
-  "foo": "bar",
-  "zip": "zap"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/cubbyhole/my-secret
-```
-
-## Delete Secret
-
-This endpoint deletes the secret at the specified location.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/cubbyhole/:path`           |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to delete.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/cubbyhole/my-secret
-```
diff --git a/website/source/api/secret/databases/cassandra.html.md b/website/source/api/secret/databases/cassandra.html.md
deleted file mode 100644
index d400b6587598..000000000000
--- a/website/source/api/secret/databases/cassandra.html.md
+++ /dev/null
@@ -1,150 +0,0 @@
----
-layout: "api"
-page_title: "Cassandra - Database - Secrets Engines - HTTP API"
-sidebar_title: "Cassandra"
-sidebar_current: "api-http-secret-databases-cassandra"
-description: |-
-  The Cassandra plugin for Vault's database secrets engine generates database credentials to access Cassandra servers.
----
-
-# Cassandra Database Plugin HTTP API
-
-The Cassandra database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates database credentials dynamically based on
-configured roles for the Cassandra database.
-
-## Configure Connection
-
-In addition to the parameters defined by the [Database
-Secrets Engine](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-
-- `hosts` `(string: <required>)` – Specifies a set of comma-delineated Cassandra
-  hosts to connect to.
-
-- `port` `(int: 9042)` – Specifies the default port to use if none is provided
-  as part of the host URI. Defaults to Cassandra's default transport port, 9042.
-
-- `username` `(string: <required>)` – Specifies the username to use for
-  superuser access.
-
-- `password` `(string: <required>)` – Specifies the password corresponding to
-  the given username.
-
-- `tls` `(bool: true)` – Specifies whether to use TLS when connecting to
-  Cassandra.
-
-- `insecure_tls` `(bool: false)` – Specifies whether to skip verification of the
-  server certificate when using TLS.
-
-- `pem_bundle` `(string: "")` – Specifies concatenated PEM blocks containing a
-  certificate and private key; a certificate, private key, and issuing CA
-  certificate; or just a CA certificate.
-
-- `pem_json` `(string: "")` – Specifies JSON containing a certificate and
-  private key; a certificate, private key, and issuing CA certificate; or just a
-  CA certificate. For convenience format is the same as the output of the
-  `issue` command from the `pki` secrets engine; see
-  [the pki documentation](/docs/secrets/pki/index.html).
-
-- `skip_verification` `(bool: false)` - Skip permissions checks when a connection to Cassandra
-is first created. These checks ensure that Vault is able to create roles, but can be resource
-intensive in clusters with many roles.
-
-- `protocol_version` `(int: 2)` – Specifies the CQL protocol version to use.
-
-- `connect_timeout` `(string: "5s")` – Specifies the connection timeout to use.
-
-- `local_datacenter` `(string: "")` – If set, enables host selection policy 
-which will prioritize and use hosts which are in the local datacenter before 
-hosts in all other datacenters (for example "dc-01").
-
-- `socket_keep_alive` `(string: "0s")` – the keep-alive period for an active
-	network connection. If zero, keep-alives are not enabled.
-
-- `consistency` `(string: "")` – Specifies the consistency option to use.  See
-  the [gocql
-  definition](https://github.com/gocql/gocql/blob/master/frame.go#L188) for
-  valid options.
-
-TLS works as follows:
-
-- If `tls` is set to true, the connection will use TLS; this happens
-  automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
-
-- If `insecure_tls` is set to true, the connection will not perform verification
-  of the server certificate; this also sets `tls` to true
-
-- If only `issuing_ca` is set in `pem_json`, or the only certificate in
-  `pem_bundle` is a CA certificate, the given CA certificate will be used for
-  server certificate verification; otherwise the system CA certificates will be
-  used
-
-- If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`,
-  client auth will be turned on for the connection
-
-`pem_bundle` should be a PEM-concatenated bundle of a private key + client
-certificate, an issuing CA certificate, or both. `pem_json` should contain the
-same information; for convenience, the JSON format is the same as that output by
-the issue command from the PKI secrets engine.
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "cassandra-database-plugin",
-  "allowed_roles": "readonly",
-  "hosts": "cassandra1.local",
-  "username": "user",
-  "password": "pass"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/cassandra/config/connection
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(list: [])` – Specifies the database
-  statements executed to create and configure a user. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{username}}' and '{{password}}' values will be substituted. If not
-  provided, defaults to a generic create user statements that creates a
-  non-superuser.
-
-- `revocation_statements` `(list: [])` – Specifies the database statements to
-  be executed to revoke a user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{username}}' value will be
-  substituted. If not provided defaults to a generic drop user statement.
-
-- `rollback_statements` `(list: [])` – Specifies the database statements to be
-  executed to rollback a create operation in the event of an error. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{username}}' value will be substituted. If not provided, defaults to
-  a generic drop user statement
diff --git a/website/source/api/secret/databases/elasticdb.html.md b/website/source/api/secret/databases/elasticdb.html.md
deleted file mode 100644
index 46abdcbb1e3e..000000000000
--- a/website/source/api/secret/databases/elasticdb.html.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-layout: "api"
-page_title: "Elasticsearch - Database - Secrets Engines - HTTP API"
-sidebar_title: "Elasticsearch"
-sidebar_current: "api-http-secret-databases-elasticsearch"
-description: |-
-  The Elasticsearch plugin for Vault's database secrets engine generates database credentials to access Elasticsearch.
----
-
-# Elasticsearch Database Plugin HTTP API
-
-The Elasticsearch database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates credentials dynamically based on
-configured roles for Elasticsearch.
-
-## Configure Connection
-
-In addition to the parameters defined by the [Database
-Backend](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-
-- `url` `(string: <required>)` - The URL for Elasticsearch's API ("http://localhost:9200").
-- `username` `(string: <required>)` - The username to be used in the connection URL ("vault"). 
-- `password` `(string: <required>)` - The password to be used in the connection URL ("pa55w0rd").
-- `ca_cert` `(string: "")` - The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity.
-- `ca_path` `(string: "")` - The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity.
-- `client_cert` `(string: "")` - The path to the certificate for the Elasticsearch client to present for communication.
-- `client_key` `(string: "")` - The path to the key for the Elasticsearch client to use for communication.
-- `tls_server_name` `(string: "")` - This, if set, is used to set the SNI host when connecting via 1TLS.
-- `insecure` `(bool: false)` - Not recommended. Default to false. Can be set to true to disable SSL verification.
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "elasticsearch-database-plugin",
-  "allowed_roles": "internally-defined-role,externally-defined-role",
-  "url": "http://localhost:9200",
-  "username": "vault",
-  "password": "myPa55word",
-  "ca_cert": "/usr/share/ca-certificates/extra/elastic-stack-ca.crt.pem",
-  "client_cert": "$ES_HOME/config/certs/elastic-certificates.crt.pem",
-  "client_key": "$ES_HOME/config/certs/elastic-certificates.key.pem"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/my-elasticsearch-database
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(string: <required>)` – Using JSON, either defines an
-  `elasticsearch_role_definition` or a group of pre-existing `elasticsearch_roles`.
-  The object specified by the `elasticsearch_role_definition` is the JSON directly
-  passed through to the Elasticsearch API, so you can pass through anything shown
-  [here](https://www.elastic.co/guide/en/elasticsearch/reference/6.6/security-api-put-role.html).
-  For `elasticsearch_roles`, add the names of the roles only. They must pre-exist
-  in Elasticsearch. Defining roles in Vault is more secure than using pre-existing
-  roles because a privilege escalation could be performed by editing the roles used
-  out-of-band in Elasticsearch.
-
-### Sample Creation Statements
-```json
-{
-  "elasticsearch_role_definition": {
-    "indices": [{
-      "names": ["*"],
-      "privileges": ["read"]
-    }]
-  }
-}
-```
-```json
-{
-  "elasticsearch_roles": ["pre-existing-role-in-elasticsearch"]
-}
-```
\ No newline at end of file
diff --git a/website/source/api/secret/databases/hanadb.html.md b/website/source/api/secret/databases/hanadb.html.md
deleted file mode 100644
index a808569ce78e..000000000000
--- a/website/source/api/secret/databases/hanadb.html.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-layout: "api"
-page_title: "HANA - Database - Secrets Engines - HTTP API"
-sidebar_title: "HanaDB"
-sidebar_current: "api-http-secret-databases-hanadb"
-description: |-
-  The HANA plugin for Vault's database secrets engine generates database credentials to access HANA servers.
----
-
-# HANA Database Plugin HTTP API
-
-The HANA database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates database credentials dynamically based on
-configured roles for the HANA database.
-
-## Configure Connection
-
-In addition to the parameters defined by the [database
-secrets engine](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         | Produces               |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-- `connection_url` `(string: <required>)` - Specifies the HANA DSN.  This field
-  can be templated and supports passing the username and password
-  parameters in the following format {{field_name}}.  A templated connection URL is
-  required when using root credential rotation.
-
-- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
-  connections to the database.
-
-- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
-  connections to the database. A zero uses the value of `max_open_connections`
-  and a negative value disables idle connections. If larger than
-  `max_open_connections` it will be reduced to be equal.
-
-- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
-  time a connection may be reused. If <= 0s connections are reused forever.
-
-- `username` `(string: "")` - The root credential username used in the connection URL.
-
-- `password` `(string: "")` - The root credential password used in the connection URL.
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "hana-database-plugin",
-  "allowed_roles": "readonly",
-  "connection_url": "hdb://{{username}}:{{password}}@localhost:1433",
-  "max_open_connections": 5,
-  "max_connection_lifetime": "5s",
-  "username": "username",
-  "password": "password
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/hana
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(llist: <required>)` – Specifies the database
-  statements executed to create and configure a user. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{name}}', '{{password}}', and '{{expiration}}' values will be
-  substituted.
-  - The expiration time will be HANA server time plus the role's `default_ttl`.
-    If `default_ttl` is 0 or not set, a SQL HdbError 438 will be returned.
-
-- `revocation_statements` `(list: [])` – Specifies the database statements to
-  be executed to revoke a user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{name}}' value will be
-  substituted. If not provided, defaults to dropping the user only if they have
-  no dependent objects.
diff --git a/website/source/api/secret/databases/index.html.md b/website/source/api/secret/databases/index.html.md
deleted file mode 100644
index 9a19f4e154d4..000000000000
--- a/website/source/api/secret/databases/index.html.md
+++ /dev/null
@@ -1,599 +0,0 @@
----
-layout: "api"
-page_title: "Database - Secrets Engines - HTTP API"
-sidebar_title: "Databases"
-sidebar_current: "api-http-secret-databases"
-description: |-
-  Top page for database secrets engine information
----
-
-# Database Secrets Engine (API)
-
-This is the API documentation for the Vault Database secrets engine. For
-general information about the usage and operation of the database secrets engine,
-please see the
-[Vault database secrets engine documentation](/docs/secrets/databases/index.html).
-
-This documentation assumes the database secrets engine is enabled at the
-`/database` path in Vault. Since it is possible to enable secrets engines at any
-location, please update your API calls accordingly.
-
-## Configure Connection
-
-This endpoint configures the connection string used to communicate with the
-desired database. In addition to the parameters listed here, each Database
-plugin has additional, database plugin specific,  parameters for this endpoint.
-Please read the HTTP API for the plugin you'd wish to configure to see the full
-list of additional parameters.
-
-~> This endpoint distinguishes between `create` and `update` ACL capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-- `name` `(string: <required>)` – Specifies the name for this database
-  connection. This is specified as part of the URL.
-
-- `plugin_name` `(string: <required>)` - Specifies the name of the plugin to use
-  for this connection.
-
-- `verify_connection` `(bool: true)` – Specifies if the connection is verified
-  during initial configuration. Defaults to true.
-
-- `allowed_roles` `(list: [])` - List of the roles allowed to use this connection. 
-  Defaults to empty (no roles), if contains a "*" any role can use this connection.
-
-- `root_rotation_statements` `(list: [])` - Specifies the database statements to be 
-  executed to rotate the root user's credentials. See the plugin's API page for more 
-  information on support and formatting for this parameter.
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "mysql-database-plugin",
-  "allowed_roles": "readonly",
-  "connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
-  "username": "root",
-  "password": "mysql"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/mysql
-```
-
-## Read Connection
-
-This endpoint returns the configuration settings for a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/database/config/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the connection to read.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/database/config/mysql
-```
-
-### Sample Response
-
-```json
-{
-	"data": {
-		"allowed_roles": [
-			"readonly"
-		],
-		"connection_details": {
-			"connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
-      "username": "root"
-		},
-		"plugin_name": "mysql-database-plugin"
-	},
-}
-```
-
-## List Connections
-
-This endpoint returns a list of available connections. Only the connection names
-are returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/database/config`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/database/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": ["db-one", "db-two"]
-  }
-}
-```
-
-## Delete Connection
-
-This endpoint deletes a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/database/config/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the connection to delete.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/database/config/mysql
-```
-
-## Reset Connection
-
-This endpoint closes a connection and it's underlying plugin and restarts it
-with the configuration stored in the barrier.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/reset/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the connection to reset.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/database/reset/mysql
-```
-
-## Rotate Root Credentials
-
-This endpoint is used to rotate the root superuser credentials stored for
-the database connection.  This user must have permissions to update its own
-password.
-
-| Method   | Path                          |
-| :---------------------------- | :--------------------- |
-| `POST`   | `/database/rotate-root/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the connection to rotate.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/database/rotate-root/mysql
-```
-
-## Create Role
-
-This endpoint creates or updates a role definition.
-
-~> This endpoint distinguishes between `create` and `update` ACL capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/roles/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create. This
-  is specified as part of the URL.
-
-- `db_name` `(string: <required>)` - The name of the database connection to use
-  for this role.
-
-- `default_ttl` `(string/int: 0)` - Specifies the TTL for the leases
-  associated with this role. Accepts time suffixed strings ("1h") or an integer
-  number of seconds. Defaults to system/engine default TTL time.
-
-- `max_ttl` `(string/int: 0)` - Specifies the maximum TTL for the leases
-  associated with this role. Accepts time suffixed strings ("1h") or an integer
-  number of seconds. Defaults to system/mount default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](https://www.vaultproject.io/docs/concepts/tokens.html#the-general-case).
-
-- `creation_statements` `(list: <required>)` – Specifies the database
-  statements executed to create and configure a user. See the plugin's API page
-  for more information on support and formatting for this parameter.
-
-- `revocation_statements` `(list: [])` – Specifies the database statements to
-  be executed to revoke a user. See the plugin's API page for more information
-  on support and formatting for this parameter.
-
-- `rollback_statements` `(list: [])` – Specifies the database statements to be
-  executed rollback a create operation in the event of an error. Not every
-  plugin type will support this functionality. See the plugin's API page for
-  more information on support and formatting for this parameter.
-
-- `renew_statements` `(list: [])` – Specifies the database statements to be
-  executed to renew a user. Not every plugin type will support this
-  functionality. See the plugin's API page for more information on support and
-  formatting for this parameter.
-
-
-
-### Sample Payload
-
-```json
-{
-    "db_name": "mysql",
-    "creation_statements": ["CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'", "GRANT SELECT ON *.* TO '{{name}}'@'%'"],
-    "default_ttl": "1h",
-    "max_ttl": "24h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/database/roles/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/database/roles/my-role
-```
-
-### Sample Response
-
-```json
-{
-    "data": {
-		"creation_statements": ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';", "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"],
-		"db_name": "mysql",
-		"default_ttl": 3600,
-		"max_ttl": 86400,
-		"renew_statements": [],
-		"revocation_statements": [],
-		"rollback_statements": []
-	},
-}
-```
-
-## List Roles
-
-This endpoint returns a list of available roles. Only the role names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/database/roles`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/database/roles
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["dev", "prod"]
-  },
-  "lease_duration": 2764800,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Delete Role
-
-This endpoint deletes the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/database/roles/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/database/roles/my-role
-```
-
-## Generate Credentials
-
-This endpoint generates a new set of dynamic credentials based on the named
-role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/database/creds/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create
-  credentials against. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/database/creds/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "username": "root-1430158508-126",
-    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
-  }
-}
-```
-
-## Create Static Role
-
-This endpoint creates or updates a static role definition. Static Roles are a
-1-to-1 mapping of a Vault Role to a user in a database which are automatically
-rotated based on the configured `rotation_period`. Not all databases support
-Static Roles, please see the database-specific documentation.
-
-~> This endpoint distinguishes between `create` and `update` ACL capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/static-roles/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create. This
-  is specified as part of the URL.
-
-- `username` `(string: <required>)` – Specifies the database username that this
-  Vault role corresponds to. 
-
-- `rotation_period` `(string/int: <required>)` – Specifies the amount of time
-  Vault should wait before rotating the password. The minimum is 5 seconds.
-
-- `db_name` `(string: <required>)` - The name of the database connection to use
-  for this role.
-
-- `rotation_statements` `(list: [])` – Specifies the database statements to be
-  executed to rotate the password for the configured database user. Not every
-  plugin type will support this functionality. See the plugin's API page for
-  more information on support and formatting for this parameter.
-
-
-
-### Sample Payload
-
-```json
-{
-    "db_name": "mysql",
-    "username": "static-database-user",
-    "rotation_statements": ["ALTER USER "{{name}}" WITH PASSWORD '{{password}}';"],
-    "rotation_period": "1h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/static-roles/my-static-role
-```
-
-## Read Static Role
-
-This endpoint queries the static role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/database/static-roles/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the static role to read.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/database/static-roles/my-static-role
-```
-
-### Sample Response
-
-```json
-{
-    "data": {
-		"db_name": "mysql",
-    "username":"static-user",
-    "rotation_statements": ["ALTER USER "{{name}}" WITH PASSWORD '{{password}}';"],
-    "rotation_period":"1h",
-	},
-}
-```
-
-## List Static Roles
-
-This endpoint returns a list of available static roles. Only the role names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/database/static-roles`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/database/static-roles
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["dev-static", "prod-static"]
-  }
-}
-```
-
-## Delete Static Role
-
-This endpoint deletes the static role definition and revokes the database user.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/database/static-roles/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the static role to
-  delete. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/database/static-roles/my-role
-```
-
-## Get Static Credentials
-
-This endpoint returns the current credentials based on the named static role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/database/static-creds/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the static role to get
-  credentials for. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/database/static-creds/my-static-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "username": "static-user",
-    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
-    "last_vault_rotation": "2019-05-06T15:26:42.525302-05:00",
-    "rotation_period": 30,
-    "ttl": 28,
-  }
-}
-```
-
-## Rotate Static Role Credentials
-
-This endpoint is used to rotate the Static Role credentials stored for a given
-role name. While Static Roles are rotated automatically by Vault at configured
-rotation periods, users can use this endpoint to manually trigger a rotation to
-change the stored password and reset the TTL of the Static Role's password.
-
-| Method   | Path                          |
-| :---------------------------- | :--------------------- |
-| `POST`   | `/database/rotate-role/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the Static Role to
-  trigger the password rotation for. The name is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/database/rotate-role/my-static-role
-```
diff --git a/website/source/api/secret/databases/influxdb.html.md b/website/source/api/secret/databases/influxdb.html.md
deleted file mode 100644
index a336d94cd5d2..000000000000
--- a/website/source/api/secret/databases/influxdb.html.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-layout: "api"
-page_title: "Influxdb - Database - Secrets Engines - HTTP API"
-sidebar_title: "Influxdb"
-sidebar_current: "api-http-secret-databases-influxdb"
-description: |-
-  The Influxdb plugin for Vault's database secrets engine generates database credentials to access Influxdb servers.
----
-
-# Influxdb Database Plugin HTTP API
-
-The Influxdb database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates database credentials dynamically based on
-configured roles for the Influxdb database.
-
-## Configure Connection
-
-In addition to the parameters defined by the [Database
-Secrets Engine](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-- `host` `(string: <required>)` – Specifies a Influxdb
-  host to connect to.
-
-- `port` `(int: 8086)` – Specifies the default port to use if none is provided
-  as part of the host URI. Defaults to Influxdb's default transport port, 8086.
-
-- `username` `(string: <required>)` – Specifies the username to use for
-  superuser access.
-
-- `password` `(string: <required>)` – Specifies the password corresponding to
-  the given username.
-
-- `tls` `(bool: true)` – Specifies whether to use TLS when connecting to
-  Influxdb.
-
-- `insecure_tls` `(bool: false)` – Specifies whether to skip verification of the
-  server certificate when using TLS.
-
-- `pem_bundle` `(string: "")` – Specifies concatenated PEM blocks containing a
-  certificate and private key; a certificate, private key, and issuing CA
-  certificate; or just a CA certificate.
-
-- `pem_json` `(string: "")` – Specifies JSON containing a certificate and
-  private key; a certificate, private key, and issuing CA certificate; or just a
-  CA certificate. For convenience format is the same as the output of the
-  `issue` command from the `pki` secrets engine; see
-  [the pki documentation](/docs/secrets/pki/index.html).
-
-- `connect_timeout` `(string: "5s")` – Specifies the connection timeout to use.
-
-TLS works as follows:
-
-- If `tls` is set to true, the connection will use TLS; this happens
-  automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
-
-- If `insecure_tls` is set to true, the connection will not perform verification
-  of the server certificate; this also sets `tls` to true
-
-- If only `issuing_ca` is set in `pem_json`, or the only certificate in
-  `pem_bundle` is a CA certificate, the given CA certificate will be used for
-  server certificate verification; otherwise the system CA certificates will be
-  used
-
-- If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`,
-  client auth will be turned on for the connection
-
-`pem_bundle` should be a PEM-concatenated bundle of a private key + client
-certificate, an issuing CA certificate, or both. `pem_json` should contain the
-same information; for convenience, the JSON format is the same as that output by
-the issue command from the PKI secrets engine.
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "influxdb-database-plugin",
-  "allowed_roles": "readonly",
-  "host": "influxdb1.local",
-  "username": "user",
-  "password": "pass"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/influxdb/config/connection
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(list: [])` – Specifies the database
-  statements executed to create and configure a user. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{username}}' and '{{password}}' values will be substituted. If not
-  provided, defaults to a generic create user statements that creates a
-  non-superuser.
-
-- `revocation_statements` `(list: [])` – Specifies the database statements to
-  be executed to revoke a user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{username}}' value will be
-  substituted. If not provided defaults to a generic drop user statement.
-
-- `rollback_statements` `(list: [])` – Specifies the database statements to be
-  executed to rollback a create operation in the event of an error. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{username}}' value will be substituted. If not provided, defaults to
-  a generic drop user statement
diff --git a/website/source/api/secret/databases/mongodb.html.md b/website/source/api/secret/databases/mongodb.html.md
deleted file mode 100644
index 2c3c6b42780b..000000000000
--- a/website/source/api/secret/databases/mongodb.html.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-layout: "api"
-page_title: "MongoDB - Database - Secrets Engines - HTTP API"
-sidebar_title: "MongoDB"
-sidebar_current: "api-http-secret-databases-mongodb"
-description: |-
-  The MongoDB plugin for Vault's database secrets engine generates database credentials to access MongoDB servers.
----
-
-# MongoDB Database Plugin HTTP API
-
-The MongoDB database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates database credentials dynamically based on
-configured roles for the MongoDB database.
-
-## Configure Connection
-
-In addition to the parameters defined by the [Database
-Backend](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-
-- `connection_url` `(string: <required>)` – Specifies the MongoDB standard
-  connection string (URI).   This field can be templated and supports passing the 
-  username and password parameters in the following format {{field_name}}.  A 
-  templated connection URL is required when using root credential rotation.
-- `write_concern` `(string: "")` - Specifies the MongoDB [write
-  concern][mongodb-write-concern]. This is set for the entirety of the session,
-  maintained for the lifecycle of the plugin process. Must be a serialized JSON
-  object, or a base64-encoded serialized JSON object. The JSON payload values
-  map to the values in the [Safe][mgo-safe] struct from the mgo driver.
-- `username` `(string: "")` - The root credential username used in the connection URL. 
-- `password` `(string: "")` - The root credential password used in the connection URL. 
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "mongodb-database-plugin",
-  "allowed_roles": "readonly",
-  "connection_url": "mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true",
-  "write_concern": "{ \"wmode\": \"majority\", \"wtimeout\": 5000 }",
-  "username": "admin",
-  "password": "Password!"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/mongodb
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(string: <required>)` – Specifies the database
-  statements executed to create and configure a user. Must be a
-  serialized JSON object, or a base64-encoded serialized JSON object.
-  The object can optionally contain a "db" string for session connection,
-  and must contain a "roles" array. This array contains objects that holds
-  a "role", and an optional "db" value, and is similar to the BSON document that
-  is accepted by MongoDB's `roles` field. Vault will transform this array into
-  such format. For more information regarding the `roles` field, refer to
-  [MongoDB's documentation](https://docs.mongodb.com/manual/reference/method/db.createUser/).
-
-- `revocation_statements` `(string: "")` – Specifies the database statements to
-  be executed to revoke a user. Must be a serialized JSON object, or a base64-encoded
-  serialized JSON object. The object can optionally contain a "db" string. If no
-  "db" value is provided, it defaults to the "admin" database.
-
-### Sample Creation Statement
-
-```json
-{
-  "db": "admin",
-  "roles": [
-    {
-      "role": "read",
-      "db": "foo"
-    }
-  ]
-}
-```
-[mongodb-write-concern]: https://docs.mongodb.com/manual/reference/write-concern/
-[mgo-safe]: https://godoc.org/gopkg.in/mgo.v2#Safe
diff --git a/website/source/api/secret/databases/mssql.html.md b/website/source/api/secret/databases/mssql.html.md
deleted file mode 100644
index 9cb8869d4817..000000000000
--- a/website/source/api/secret/databases/mssql.html.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-layout: "api"
-page_title: "MSSQL - Database - Secrets Engines - HTTP API"
-sidebar_title: "MSSQL"
-sidebar_current: "api-http-secret-databases-mssql"
-description: |-
-  The MSSQL plugin for Vault's database secrets engine generates database credentials to access MSSQL servers.
----
-
-# MSSQL Database Plugin HTTP API
-
-The MSSQL database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates database credentials dynamically based on
-configured roles for the MSSQL database.
-
-## Configure Connection
-
-In addition to the parameters defined by the [Database
-Backend](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-- `connection_url` `(string: <required>)` - Specifies the MSSQL DSN. This field
-  can be templated and supports passing the username and password
-  parameters in the following format {{field_name}}.  A templated connection URL is
-  required when using root credential rotation.
-
-- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
-  connections to the database.
-
-- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
-  connections to the database. A zero uses the value of `max_open_connections`
-  and a negative value disables idle connections. If larger than
-  `max_open_connections` it will be reduced to be equal.
-
-- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
-  time a connection may be reused. If <= 0s connections are reused forever.
-
-- `username` `(string: "")` - The root credential username used in the connection URL. 
-
-- `password` `(string: "")` - The root credential password used in the connection URL. 
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "mssql-database-plugin",
-  "allowed_roles": "readonly",
-  "connection_url": "sqlserver://{{username}}:{{password}}@localhost:1433",
-  "max_open_connections": 5,
-  "max_connection_lifetime": "5s",
-  "username": "sa",
-  "password": "yourStrong(!)Password"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/mssql
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(list: <required>)` – Specifies the database
-  statements executed to create and configure a user. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{name}}' and '{{password}}' values will be substituted.
-
-- `revocation_statements` `(list: [])` – Specifies the database statements to
-  be executed to revoke a user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{name}}' value will be
-  substituted. If not provided defaults to a generic drop user statement.
diff --git a/website/source/api/secret/databases/mysql-maria.html.md b/website/source/api/secret/databases/mysql-maria.html.md
deleted file mode 100644
index cbd963441ea6..000000000000
--- a/website/source/api/secret/databases/mysql-maria.html.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-layout: "api"
-page_title: "MySQL/MariaDB - Database - Secrets Engines - HTTP API"
-sidebar_title: "MySQL/MariaDB"
-sidebar_current: "api-http-secret-databases-mysql-maria"
-description: |-
-  The MySQL/MariaDB plugin for Vault's database secrets engine generates database credentials to access MySQL and MariaDB servers.
----
-
-# MySQL/MariaDB Database Plugin HTTP API
-
-The MySQL database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates database credentials dynamically based on
-configured roles for the MySQL database.
-
-## Configure Connection
-
-In addition to the parameters defined by the [Database
-Backend](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-- `connection_url` `(string: <required>)` - Specifies the MySQL DSN. This field
-  can be templated and supports passing the username and password
-  parameters in the following format {{field_name}}.  A templated connection URL is
-  required when using root credential rotation.
-
-- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
-  connections to the database.
-
-- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
-  connections to the database. A zero uses the value of `max_open_connections`
-  and a negative value disables idle connections. If larger than
-  `max_open_connections` it will be reduced to be equal.
-
-- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
-  time a connection may be reused. If <= 0s connections are reused forever.
-
-- `username` `(string: "")` - The root credential username used in the connection URL.
-
-- `password` `(string: "")` - The root credential password used in the connection URL.
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "mysql-database-plugin",
-  "allowed_roles": "readonly",
-  "connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
-  "max_open_connections": 5,
-  "max_connection_lifetime": "5s",
-  "username": "root",
-  "password": "mysql"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/mysql
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(list: <required>)` – Specifies the database
-  statements executed to create and configure a user. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{name}}' and '{{password}}' values will be substituted. The
-  generated password will be a random alphanumeric 20 character string.
-
-- `revocation_statements` `(list: [])` – Specifies the database statements to
-  be executed to revoke a user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{name}}' value will be
-  substituted. If not provided defaults to a generic drop user statement.
diff --git a/website/source/api/secret/databases/oracle.html.md b/website/source/api/secret/databases/oracle.html.md
deleted file mode 100644
index 00c1f847db14..000000000000
--- a/website/source/api/secret/databases/oracle.html.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-layout: "api"
-page_title: "Oracle - Database - Secrets Engines - HTTP API"
-sidebar_title: "Oracle"
-sidebar_current: "api-http-secret-databases-oracle-maria"
-description: |-
-  The Oracle plugin for Vault's database secrets engine generates database credentials to access Oracle servers.
----
-
-# Oracle Database Plugin HTTP API
-
-The Oracle database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates database credentials dynamically based on
-configured roles for the Oracle database.
-
-## Configure Connection
-
-In addition to the parameters defined by the [Database
-Backend](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-- `connection_url` `(string: <required>)` - Specifies the Oracle DSN.
-
-- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
-  connections to the database.
-
-- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
-  connections to the database. A zero uses the value of `max_open_connections`
-  and a negative value disables idle connections. If larger than
-  `max_open_connections` it will be reduced to be equal.
-
-- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
-  time a connection may be reused. If <= 0s connections are reused forever.
-
-- `username` `(string: "")` - The root credential username used in the connection URL.
-
-- `password` `(string: "")` - The root credential password used in the connection URL.
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "oracle-database-plugin",
-  "allowed_roles": "readonly",
-  "connection_url": "{{username}}/{{password}}@localhost:1521/OraDoc.localhost",
-  "max_open_connections": 5,
-  "max_connection_lifetime": "5s",
-  "username": "system",
-  "password": "Oracle"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/oracle
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(string: <required>)` – Specifies the database
-  statements executed to create and configure a user. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{name}}' and '{{password}}' values will be substituted.
-
-- `revocation_statements` `(string: "")` – Specifies the database statements to
-  be executed to revoke a user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{name}}' value will be
-  substituted. If not provided defaults to a generic drop user statement.
diff --git a/website/source/api/secret/databases/postgresql.html.md b/website/source/api/secret/databases/postgresql.html.md
deleted file mode 100644
index 6e13b0f11306..000000000000
--- a/website/source/api/secret/databases/postgresql.html.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-layout: "api"
-page_title: "PostgreSQL - Database - Secrets Engines - HTTP API"
-sidebar_title: "PostgreSQL"
-sidebar_current: "api-http-secret-databases-postgresql"
-description: |-
-  The PostgreSQL plugin for Vault's database secrets engine generates database credentials to access PostgreSQL servers.
----
-
-# PostgreSQL Database Plugin HTTP API
-
-The PostgreSQL database plugin is one of the supported plugins for the database
-secrets engine. This plugin generates database credentials dynamically based on
-configured roles for the PostgreSQL database.
-
-## Configure Connection
-
-In addition to the parameters defined by the [Database
-Backend](/api/secret/databases/index.html#configure-connection), this plugin
-has a number of parameters to further configure a connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/database/config/:name`     |
-
-### Parameters
-- `connection_url` `(string: <required>)` - Specifies the PostgreSQL DSN. This field
-  can be templated and supports passing the username and password
-  parameters in the following format {{field_name}}.  A templated connection URL is
-  required when using root credential rotation.
-
-- `max_open_connections` `(int: 2)` - Specifies the maximum number of open
-  connections to the database.
-
-- `max_idle_connections` `(int: 0)` - Specifies the maximum number of idle
-  connections to the database. A zero uses the value of `max_open_connections`
-  and a negative value disables idle connections. If larger than
-  `max_open_connections` it will be reduced to be equal.
-
-- `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of
-  time a connection may be reused. If <= 0s connections are reused forever.
-
-- `username` `(string: "")` - The root credential username used in the connection URL.
-
-- `password` `(string: "")` - The root credential password used in the connection URL.
-
-### Sample Payload
-
-```json
-{
-  "plugin_name": "postgresql-database-plugin",
-  "allowed_roles": "readonly",
-  "connection_url": "postgresql://{{username}}:{{password}}@localhost:5432/postgres",
-  "max_open_connections": 5,
-  "max_connection_lifetime": "5s",
-  "username": "username",
-  "password": "password"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/postgresql
-```
-
-## Statements
-
-Statements are configured during role creation and are used by the plugin to
-determine what is sent to the database on user creation, renewing, and
-revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
-
-### Parameters
-
-The following are the statements used by this plugin. If not mentioned in this
-list the plugin does not support that statement type.
-
-- `creation_statements` `(list: <required>)` – Specifies the database
-  statements executed to create and configure a user. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{name}}', '{{password}}' and '{{expiration}}' values will be
-  substituted. The generated password will be a random alphanumeric 20 character
-  string.
-
-- `revocation_statements` `(list: [])` – Specifies the database statements to
-  be executed to revoke a user. Must be a semicolon-separated string, a
-  base64-encoded semicolon-separated string, a serialized JSON string array, or
-  a base64-encoded serialized JSON string array. The '{{name}}' value will be
-  substituted. If not provided defaults to a generic drop user statement.
-
-- `rollback_statements` `(list: [])` – Specifies the database statements to be
-  executed rollback a create operation in the event of an error. Not every
-  plugin type will support this functionality. Must be a semicolon-separated
-  string, a base64-encoded semicolon-separated string, a serialized JSON string
-  array, or a base64-encoded serialized JSON string array. The '{{name}}' value
-  will be substituted.
-
-- `renew_statements` `(list: [])` – Specifies the database statements to be
-  executed to renew a user. Not every plugin type will support this
-  functionality. Must be a semicolon-separated string, a base64-encoded
-  semicolon-separated string, a serialized JSON string array, or a
-  base64-encoded serialized JSON string array. The '{{name}}' and
-  '{{expiration}}' values will be substituted.
-
-- `rotation_statements` `(list: [])` – Specifies the database statements to be
-  executed to rotate the password for a given username. Must be a
-  semicolon-separated string, a base64-encoded semicolon-separated string, a
-  serialized JSON string array, or a base64-encoded serialized JSON string
-  array. The '{{name}}' and '{{password}}' values will be substituted. The
-  generated password will be a random alphanumeric 20 character string.
diff --git a/website/source/api/secret/gcp/index.html.md b/website/source/api/secret/gcp/index.html.md
deleted file mode 100644
index 7484719cb29e..000000000000
--- a/website/source/api/secret/gcp/index.html.md
+++ /dev/null
@@ -1,397 +0,0 @@
----
-layout: "api"
-page_title: "Google Cloud - Secrets Engines - HTTP API"
-sidebar_title: "Google Cloud"
-sidebar_current: "api-http-secret-gcp"
-description: |-
-  This is the API documentation for the Vault Google Cloud secrets engine.
----
-
-# Google Cloud Secrets Engine (API)
-
-This is the API documentation for the Vault Google Cloud Platform (GCP)
-secrets engine. For general information about the usage and operation of
-the GCP secrets engine, please see [these docs](/docs/secrets/gcp/index.html).
-
-This documentation assumes the GCP secrets engine is enabled at the `/gcp` path
-in Vault. Since it is possible to mount secrets engines at any path, please
-update your API calls accordingly.
-
-## Write Config
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `POST`   | `/gcp/config`            |
-
-This endpoint configures shared information for the secrets engine.
-
-### Parameters
-
-- `credentials` (`string:""`) - JSON credentials (either file contents or '@path/to/file')
-    See docs for [alternative ways](/docs/secrets/gcp/index.html#passing-credentials-to-vault)
-    to pass in to this parameter, as well as the
-    [required permissions](/docs/secrets/gcp/index.html#required-permissions).
-
-- `ttl` (`int: 0 || string:"0s"`) – Specifies default config TTL for long-lived credentials
-    (i.e. service account keys). Accepts integer number of seconds or Go duration format string.
-
-- `max_ttl` (`int: 0 || string:"0s"`)– Specifies the maximum config TTL for long-lived credentials
-    (i.e. service account keys). Accepts integer number of seconds or Go duration format string.**
-
-### Sample Payload
-
-```json
-{
-  "credentials": "<JSON string>",
-  "ttl": 3600,
-  "max_ttl": 14400
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcp/config
-```
-
-## Read Config
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `GET`    | `/gcp/config`            |
-
-Credentials will be omitted from returned data.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/gcp/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "ttl": "1h",
-    "max_ttl": "4h"
-  }
-}
-```
-
-## Create/Update Roleset
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `POST`   | `/gcp/roleset/:name`     |
-
-This method allows you to create a roleset or update an existing roleset. See [roleset docs](/docs/secrets/gcp/index.html#rolesets) for the GCP secrets backend
-to learn more about what happens when you create or update a roleset.
-
-
-**If you update a roleset's bindings, this will effectively revoke any secrets
-generated under this roleset.**
-
-### Parameters
-
-- `name` (`string: <required>`): Required. Name of the role. Cannot be updated.
-- `secret_type` (`string: "access_token"`): Type of secret generated for this role set. Accepted values: `access_token`, `service_account_key`. Cannot be updated.
-- `project` (`string: <required>`): Name of the GCP project that this roleset's service account will belong to. Cannot be updated.
-- `bindings` (`string: <required>`): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string)
-- `token_scopes` (`array: []`): List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only)
-
-### Sample Payload
-
-```json
-{
-  "secret_type": "access_token",
-  "project": "mygcpproject",
-  "bindings": "...",
-  "token_scopes": [
-    "https://www.googleapis.com/auth/cloud-platform",
-    "https://www.googleapis.com/auth/bigquery"
-  ]
-}
-```
-
-#### Sample Bindings:
-See [bindings format docs](/docs/secrets/gcp/index.html#roleset-bindings) for more information.
-
-```hcl
-resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
-  roles = [
-    "roles/viewer"
-  ],
-}
-
-resource "https://selflink/to/my/resource" {
-  roles = [
-    "project/mygcpproject/roles/projcustomrole",
-    "organizations/myorg/roles/orgcustomrole"
-  ],
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
-```
-
-## Rotate Roleset Account
-
-| Method   | Path                             |
-| :--------------------------------| :--------------------- |
-| `POST`    | `/gcp/roleset/:name/rotate`     | `204 (empty body)``    |
-
-This will rotate the service account this roleset uses to generate secrets.
-(this also replaces the key `access_token` roleset). This can be used to invalidate
-old secrets generated by the roleset or fix issues if a roleset's service account
-(and/or keys) was changed outside of Vault (i.e. through GCP APIs/cloud console).
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    https://127.0.0.1:8200/v1/consul/gcp/roleset/my-token-roleset/rotate
-```
-
-## Rotate Roleset Account Key (`access_token` Roleset Only)
-
-| Method   | Path                             |
-| :--------------------------------| :--------------------- |
-| `POST`    | `/gcp/roleset/:name/rotate-key` | `204 (empty body)``    |
-
-This will rotate the service account key this roleset uses to generate
-access tokens. This does not recreate the roleset service account.
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    https://127.0.0.1:8200/v1/consul/gcp/roleset/my-token-roleset/rotate-key
-```
-
-## Read Roleset
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `GET`    | `/gcp/roleset/:name`     |
-
-### Parameters
-
-- `name` (`string:<required>`): Name of the roleset to delete.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/consul/gcp/roleset/my-token-roleset
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "secret_type": "access_token",
-    "service_account_email": "vault-myroleset-XXXXXXXXXX@myproject.gserviceaccounts.com",
-    "service_account_project": "service-account-project",
-    "bindings": {
-      "project/mygcpproject": [
-        "roles/viewer"
-      ],
-      "https://selflink/to/my/resource": [
-        "project/mygcpproject/roles/projcustomrole",
-        "organizations/myorg/roles/orgcustomrole"
-      ]
-    },
-    "token_scopes" : [
-      "https://www.googleapis.com/auth/cloud-platform"
-    ]
-  }
-}
-```
-
-## List Rolesets
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `LIST`   | `/gcp/rolesets`          |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/gcp/rolesets
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-     "keys": [
-       "my-token-roleset",
-       "my-sakey-roleset"
-     ]
-   }
- }
-```
-
-## Delete Roleset
-
-This endpoint deletes an existing roleset by the given name.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `DELETE`    | `/gcp/roleset/:name`     |
-
-### Parameters
-
-- `name` (`string:<required>`): Name of the roleset to delete.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
-```
-
-## Generate Secret (IAM Service Account Creds): OAuth2 Access Token
-
-
-| Method            | Path                            |
-| :-----------------------------  | :------------------------ |
-| `GET` / `POST`    | `/gcp/token/:roleset`           |
-
-Generates an OAuth2 token with the scopes defined on the roleset. This OAuth access token can
-be used in GCP API calls, e.g. `curl -H "Authorization: Bearer $TOKEN" ...`
-
-Tokens are non-revocable and non-renewable and have a static TTL of an hour. The TTL configured
-for the backend (either through the default system TTLs or through the `config/` endpoint)
-do not apply.
-
-### Parameters
-
-- `roleset` (`string:<required>`): Name of an roleset with secret type `access_token` to generate access_token under.
-
-### Sample Request
-
-```sh
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/gcp/token/my-token-roleset
-```
-
-### Sample Response
-
-```json
-{
-  "request_id":"<uuid>",
-  "data": {
-    "token":"ya29.c.Elp5Be3ga87...",
-    "expires_at_seconds": 1537400046,
-    "token_ttl": 3599
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Generate Secret (IAM Service Account Creds): Service Account Key
-
-
-| Method            | Path                            |
-| :-----------------------------  | :------------------------ |
-| `GET` / `POST`    | `/gcp/key/:roleset`             |
-
-If using `GET` ('read'), the  optional parameters will be set to their defaults. Use `POST` if you
-want to specify different values for these params.
-
-These keys are renewable and have TTL/max TTL as defined by either the backend config
-or the system default if config was not defined.
-
-### Parameters
-
-- `roleset` (`string:<required>`): Name of an roleset with secret type `service_account_key` to generate key under.
-- `key_algorithm` (`string:"KEY_ALG_RSA_2048"`): Key algorithm used to generate key. Defaults to 2k RSA key
-    You probably should not choose other values (i.e. 1k), but accepted values are
-    `enum(`[`ServiceAccountKeyAlgorithm`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)`)`
-- `key_type` (`string:"TYPE_GOOGLE_CREDENTIALS_FILE`): Private key type to generate. Defaults to JSON credentials file.
-    Accepted values are `enum(`[`ServiceAccountPrivateKeyType`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType)`)`
-
-
-### Sample Payload
-```json
-{
-  "key_algorithm": "TYPE_GOOGLE_CREDENTIALS_FILE",
-  "key_type": "KEY_ALG_RSA_2048"
-}
-```
-
-### Sample Request
-
-```sh
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/gcp/key/my-key-roleset
-```
-
-```sh
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcp/key/my-key-roleset
-```
-
-### Sample Response
-
-```json
-{
-  "request_id":"<uuid>",
-  "lease_id":"gcp/key/my-key-roleset/<uuid>",
-  "renewable":true,
-  "lease_duration":3600,
-  "data": {
-    "private_key_data":"<base64-encoded private key data>",
-    "key_algorithm": "TYPE_GOOGLE_CREDENTIALS_FILE",
-    "key_type": "KEY_ALG_RSA_2048"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Revoking/Renewing Secrets
-
-See docs on how to [renew](/api/system/leases.html#renew-lease) and [revoke](/api/system/leases.html#revoke-lease) leases.
-Note this only applies to service account keys.
diff --git a/website/source/api/secret/gcpkms/index.html.md b/website/source/api/secret/gcpkms/index.html.md
deleted file mode 100644
index c9454b682b6b..000000000000
--- a/website/source/api/secret/gcpkms/index.html.md
+++ /dev/null
@@ -1,865 +0,0 @@
----
-layout: "api"
-page_title: "Google Cloud KMS - Secrets Engines - HTTP API"
-sidebar_title: "Google Cloud KMS"
-sidebar_current: "api-http-secret-gcpkms"
-description: |-
-  This is the API documentation for the Vault Google Cloud KMS secrets engine.
----
-
-# Google Cloud KMS Secrets Engine (API)
-
-This is the API documentation for the Vault Google Cloud KMS secrets engine. For
-general information about the usage and operation of the Google Cloud KMS
-secrets engine, please see the
-[Google Cloud KMS documentation](/docs/secrets/gcpkms/index.html).
-
-This documentation assumes the Google Cloud KMS secrets engine is enabled at the
-`/gcpkms` path in Vault. Since it is possible to enable secrets engines at any
-location, please update your API calls accordingly.
-
-## Configure Credentials
-
-This endpoint configures the Google Cloud KMS secrets engine with credentials
-and manages the requested scope(s) for authentication.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `POST`   | `gcpkms/config`          |
-
-### Example Policy
-
-```hcl
-path "gcpkms/config" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `credentials` (`string: ""`) -
-The credentials to use for authenticating to Google Cloud. Leave this blank to
-use the Default Application Credentials or instance metadata authentication.
-
-- `scopes` (`array<string>: []`) -
-The list of full-URL scopes to request when authenticating. By default, this
-requests https://www.googleapis.com/auth/cloudkms.
-
-### Sample Payload
-
-```json
-{
-  "credentials": "< JSON credentials... >"
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/config
-```
-
-## Read Configuration
-
-This endpoint returns the configuration endpoint for the Google Cloud KMS
-secrets engine. The credentials are not returned.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `GET`    | `gcpkms/config`          |
-
-### Example Policy
-
-```hcl
-path "gcpkms/config" {
-  capabilities = ["read"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/gcpkms/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "scopes": [
-      "https://www.googleapis.com/auth/cloudkms"
-    ]
-  }
-}
-```
-
-## Delete Configuration
-
-This endpoint deletes any configuration for the Google Cloud KMS secrets engine.
-If there is no configuration, the endpoint still returns successfully.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `DELETE` | `gcpkms/config`          |
-
-### Example Policy
-
-```hcl
-path "gcpkms/config" {
-  capabilities = ["delete"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/gcpkms/config
-```
-
-
-## Decrypt Ciphertext
-
-This endpoint uses the named encryption key to decrypt the ciphertext string. For symmetric key types, the provided ciphertext must come from a previous invocation of the `/encrypt` endpoint. For asymmetric key types, the provided ciphertext must be from the encrypt operation against the corresponding key version's public key.
-
-| Method   | Path                       |
-| :--------------------------| :------------------------ |
-| `POST`   | `gcpkms/decrypt/:key`      |
-
-### Example Policy
-
-```hcl
-path "gcpkms/decrypt/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `key` (`string: ""`) -
-Name of the key in Vault to use for decryption. This key must already exist in
-Vault and must map back to a Google Cloud KMS key.
-This is specified as part of the URL.
-
-- `additional_authenticated_data` (`string: ""`) -
-Optional data that was specified during encryption of this payload.
-
-- `ciphertext` (`string: ""`) -
-Ciphertext to decrypt as previously returned from an encrypt operation. This
-must be base64-encoded ciphertext as previously returned from an encrypt
-operation.
-
-- `key_version` (`int: 0`) -
-Integer version of the crypto key version to use for decryption. This is
-required for asymmetric keys. For symmetric keys, Cloud KMS will choose the
-correct version automatically.
-
-### Sample Payload
-
-```json
-{
-  "ciphertext": "CiQAuMv0..."
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/decrypt/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "plaintext": "hello world"
-  }
-}
-```
-
-## Encrypt Plaintext
-
-This endpoint uses the named encryption key to encrypt arbitrary plaintext
-string data. The response will be base64-encoded encrypted ciphertext.
-
-| Method   | Path                       |
-| :--------------------------| :------------------------ |
-| `POST`   | `gcpkms/encrypt/:key`      |
-
-### Example Policy
-
-```hcl
-path "gcpkms/encrypt/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `key` (`string: ""`) -
-Name of the key in Vault to use for encryption. This key must already exist in
-Vault and must map back to a Google Cloud KMS key.
-This is specified as part of the URL.
-
-- `additional_authenticated_data` (`string: ""`) -
-Optional base64-encoded data that, if specified, must also be provided to
-decrypt this payload.
-
-- `key_version` (`int: 0`) -
-Integer version of the crypto key version to use for encryption. If unspecified,
-this defaults to the latest active crypto key version.
-
-- `plaintext` (`string: ""`) -
-Plaintext value to be encrypted. This can be a string or binary, but the size
-is limited. See the Google Cloud KMS documentation for information on size
-limitations by key types.
-
-### Sample Payload
-
-```json
-{
-  "plaintext": "hello world"
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/encrypt/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "ciphertext": "CiQAuMv0...",
-    "key_version": "1"
-  }
-}
-```
-
-## Re-Encrypt Existing Ciphertext
-
-This endpoint uses the named encryption key to re-encrypt the underlying
-cryptokey to the latest version for this ciphertext without disclosing the
-original plaintext value to the requestor. This is similar to "rewrapping" in
-Vault's transit secrets engine.
-
-| Method   | Path                       |
-| :--------------------------| :------------------------ |
-| `POST`   | `gcpkms/reencrypt/:key`    |
-
-### Example Policy
-
-```hcl
-path "gcpkms/reencrypt/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `key` (`string: ""`) -
-Name of the key to use for encryption. This key must already exist in Vault and
-Google Cloud KMS.
-This is specified as part of the URL.
-
-- `additional_authenticated_data` (`string: ""`) -
-Optional data that, if specified, must also be provided during decryption.
-
-- `ciphertext` (`string: ""`) -
-Ciphertext to be re-encrypted to the latest key version. This must be ciphertext
-that Vault previously generated for this named key.
-
-- `key_version` (`int: 0`) -
-Integer version of the crypto key version to use for re-encryption. If unspecified,
-this defaults to the latest active crypto key version.
-
-### Sample Payload
-
-```json
-{
-  "ciphertext": "CiQAuMv0..."
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/reencrypt/my-key
-```
-
-### Sample Response
-```json
-{
-  "data": {
-    "ciphertext": "0lX848IG...",
-    "key_version": "3"
-  },
-}
-```
-
-## Sign Digest
-
-This endpoint uses the named encryption key to sign digest string data. The
-response will include the base64-encoded signature.
-
-| Method   | Path                       |
-| :--------------------------| :------------------------ |
-| `POST`   | `gcpkms/sign/:key`         |
-
-### Example Policy
-
-```hcl
-path "gcpkms/sign/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `key` (`string: ""`) -
-Name of the key in Vault to use for signing. This key must already exist in
-Vault and must map back to a Google Cloud KMS key.
-This is specified as part of the URL.
-
-- `key_version` (`int: <required>`) -
-Integer version of the crypto key version to use for signing.
-
-- `digest` (`string: <required>`) -
-Digest to sign. This digest is the base64 encoded binary value, and must match
-the signing algorithm digest of the Cloud KMS key, for example:
-
-    ```text
-    $ openssl dgst -sha256 -binary /my/file | base64
-    ```
-
-### Sample Payload
-
-```json
-{
-  "key_version": "1",
-  "digest": "LoM6lxd8YS+hUynZwrlCG20ViUUqqbNNNmh7HCtOkSc="
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/sign/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "signature": "MGYCMQCOfWMc21jBevoRRo4zGjYsCXer8s..."
-  }
-}
-```
-
-## Verify Digest
-
-This endpoint uses the named encryption key to verify a signature and digest
-string data.
-
-| Method   | Path                       |
-| :--------------------------| :------------------------ |
-| `POST`   | `gcpkms/verify/:key`       |
-
-### Example Policy
-
-```hcl
-path "gcpkms/verify/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `key` (`string: ""`) -
-Name of the key in Vault to use for verifying. This key must already exist in
-Vault and must map back to a Google Cloud KMS key.
-This is specified as part of the URL.
-
-- `key_version` (`int: <required>`) -
-Integer version of the crypto key version to use for verifying.
-
-- `digest` (`string: <required>`) -
-Digest that was signed. This digest is the base64 encoded binary value, and must match
-the signing algorithm digest of the Cloud KMS key. For example:
-
-    ```text
-    $ openssl dgst -sha256 -binary /my/file | base64
-    ```
-
-- `signature` (`string: <required>`) -
-Signature of the digest as returned from a signing operation.
-
-### Sample Payload
-
-```json
-{
-  "key_version": "1",
-  "digest": "LoM6lxd8YS+hUynZwrlCG20ViUUqqbNNNmh7HCtOkSc=",
-  "signature": "MGQCMEN2rgg6sj2vUEC3IcKDD+UprtMnxDoB3..."
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/verify/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "valid": true
-  }
-}
-```
-
-## List Keys
-
-This endpoint lists the named keys available for use in Vault. It does not list
-all Google Cloud KMS keys.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `LIST`   | `gcpkms/keys`            |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys" {
-  capabilities = ["list"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/gcpkms/keys
-```
-
-### Sample Response
-```json
-{
-  "data": {
-    "keys": [
-      "my-key"
-    ]
-  }
-}
-```
-
-## Create/Update Google Cloud KMS key
-
-This endpoint is used to create or update a Google Cloud KMS key. In addition to
-registering the key in Vault, this endpoint will also create the corresponding
-Google Cloud KMS key with the given configuration options.
-
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `POST`   | `gcpkms/keys/:key`       |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `key` (`string: ""`) -
-Name of the key in Vault.
-This is specified as part of the URL.
-
-- `crypto_key` (`string: ""`) -
-Name of the crypto key to use. If the given crypto key does not exist, Vault
-will try to create it. This defaults to the name of the key given to Vault as
-the parameter if unspecified.
-
-- `key_ring` (`string: ""`) -
-Full Google Cloud resource ID of the key ring with the project and location
-(e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given
-key ring does not exist, Vault will try to create it during a create operation.
-
-- `label` (`map<string>string: nil`) -
-Arbitrary key=value label to apply to the crypto key. To specify multiple
-labels, specify this argument multiple times (e.g. label="a=b" label="c=d").
-
-- `rotation_period` (`string: ""`) -
-Amount of time between crypto key version rotations. This is specified as a
-time duration value like 72h (72 hours). The smallest possible value is 24h.
-
-### Sample Payload
-
-```json
-{
-  "key_ring": "projects/my-project/locations/my-location/keyRings/my-keyring",
-  "labels": {
-    "foo": "bar"
-  },
-  "rotation_period": "72h",
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/keys/my-key
-```
-
-## Delete Google Cloud KMS Key
-
-This endpoint deletes a key from both Vault and Google Cloud KMS. This will
-disable all crypto key versions for this crypto key in Google Cloud KMS and
-delete Vault's reference to the crypto key.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `DELETE` | `gcpkms/keys/:key`       |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/my-key" {
-  capabilities = ["delete"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/gcpkms/keys/my-key
-```
-
-## Read Google Cloud KMS Key
-
-This endpoint reads data about a Google Cloud KMS crypto key, including the key
-status and current primary key version.
-
-| Method   | Path                     |
-| :------------------------| :------------------------ |
-| `GET`    | `gcpkms/keys/:key`       |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/my-key" {
-  capabilities = ["read"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/gcpkms/keys/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "id": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
-    "labels": {
-      "foo": "bar"
-    },
-    "next_rotation_time_seconds": 1536613424,
-    "primary_version": "3",
-    "purpose": "encrypt_decrypt",
-    "rotation_schedule_seconds": 259200,
-    "state": "enabled"
-  }
-}
-```
-
-## Read Vault Key Configuration
-
-This endpoint reads data about a Vault's configuration of the key.
-
-| Method   | Path                      |
-| :-------------------------| :------------------------ |
-| `GET`    | `gcpkms/keys/config/:key` |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/config/my-key" {
-  capabilities = ["read"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/gcpkms/keys/config/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "name": "my-key",
-    "crypto_key": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
-    "min_version": 10
-  }
-}
-```
-
-## Update Vault Key Configuration
-
-This endpoint is used to update Vault's information about an existing key.
-
-
-| Method   | Path                      |
-| :-------------------------| :------------------------ |
-| `POST`   | `gcpkms/keys/config/:key` |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `key` (`string: ""`) -
-Name of the key in Vault.
-This is specified as part of the URL.
-
-- `min_version` (`int: 0`) -
-Minimum allowed crypto key version. If set to a positive value, key versions
-less than the given value are not permitted to be used. If set to 0 or a
-negative value, there is no minimum key version.
-
-- `max_version` (`int: 0`) -
-Maximum allowed crypto key version. If set to a positive value, key versions
-greater than the given value are not permitted to be used. If set to 0 or a
-negative value, there is no maximum key version.
-
-### Sample Payload
-
-```json
-{
-  "min_version": 10
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/keys/config/my-key
-```
-
-## Deregister Crypto Key
-
-This endpoint deregisters an existing reference Vault has to a crypto key in
-Google Cloud KMS. The underlying Google Cloud KMS key remains unchanged.
-
-| Method   | Path                          |
-| :-----------------------------| :------------------------ |
-| `POST`   | `gcpkms/keys/deregister/:key` |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/deregister/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    https://127.0.0.1:8200/v1/gcpkms/keys/deregister/my-key
-```
-
-## Register Crypto Key
-
-This endpoint registers an existing crypto key in Google Cloud KMS and makes it
-available for encryption and decryption in Vault.
-
-| Method   | Path                        |
-| :---------------------------| :------------------------ |
-| `POST`   | `gcpkms/keys/register/:key` |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/register/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Parameters
-
-- `key` (`string: ""`) -
-Name of the key to register in Vault. This will be the named used to refer to
-the underlying crypto key when encrypting or decrypting data.
-This is specified as part of the URL.
-
-- `crypto_key` (`string: ""`) -
-Full resource ID of the crypto key including the project, location, key ring,
-and crypto key like "projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s". This
-crypto key must already exist in Google Cloud KMS unless verify is set to
-"false".
-
-- `verify` (`bool: true`) -
-Verify that the given Google Cloud KMS crypto key exists and is accessible
-before creating the storage entry in Vault. Set this to "false" if the key will
-not exist at creation time.
-
-### Sample Payload
-
-```json
-{
-  "crypto_key": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
-  "verify": true,
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/gcpkms/keys/register/my-key
-```
-
-## Rotate Crypto Key
-
-This endpoint rotates a crypto key by creating a new crypto key version for the
-corresponding Google Cloud KMS key and updates the new crypto key to be the
-primary key for future encryptions.
-
-**It can take up to 2 hours for a new crypto key version to become the primary,
-so be sure to issue a read operation if you require new data to be encrypted
-with this key.**
-
-| Method   | Path                      |
-| :-------------------------| :------------------------ |
-| `POST`   | `gcpkms/keys/rotate/:key` |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/rotate/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    https://127.0.0.1:8200/v1/gcpkms/keys/rotate/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "key_version": "3"
-  }
-}
-```
-
-## Trim KMS Key Versions
-
-This endpoint deletes old crypto key versions that are older than the key's specified `min_version`.
-
-**Data encrypted with older key versions will be irrecoverable!**
-
-| Method   | Path                      |
-| :-------------------------| :------------------ |
-| `POST`   | `gcpkms/keys/trim/:key`   |
-
-### Example Policy
-
-```hcl
-path "gcpkms/keys/trim/my-key" {
-  capabilities = ["create", "update"]
-}
-```
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    https://127.0.0.1:8200/v1/gcpkms/keys/trim/my-key
-```
diff --git a/website/source/api/secret/identity/entity-alias.html.md b/website/source/api/secret/identity/entity-alias.html.md
deleted file mode 100644
index 6369d47a4a93..000000000000
--- a/website/source/api/secret/identity/entity-alias.html.md
+++ /dev/null
@@ -1,212 +0,0 @@
----
-layout: "api"
-page_title: "Identity Secret Backend: Entity Alias - HTTP API"
-sidebar_title: "Entity Alias"
-sidebar_current: "api-http-secret-identity-entity-alias"
-description: |-
-  This is the API documentation for managing entity aliases in the identity store.
----
-
-## Create an Entity Alias
-
-This endpoint creates a new alias for an entity.
-
-| Method   | Path                       |
-| :------------------------- | :----------------------|
-| `POST`   | `/identity/entity-alias`   |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the alias. Name should be the identifier
-  of the client in the authentication source. For example, if the alias belongs
-  to userpass backend, the name should be a valid username within userpass
-  backend. If alias belongs to GitHub, it should be the GitHub username.
-
-- `id` `(string: <optional>)` - ID of the entity alias. If set, updates the
-  corresponding entity alias.
-
-- `canonical_id` `(string: <required>)` - Entity ID to which this alias belongs to.
-
-- `mount_accessor` `(string: <required>)` - Accessor of the mount to which the
-  alias should belong to.
-
-### Sample Payload
-
-```json
-{
-  "name": "testuser",
-  "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
-  "mount_accessor": "auth_userpass_e50b1a44"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/entity-alias
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
-    "id": "34982d3d-e3ce-5d8b-6e5f-b9bb34246c31"
-  }
-}
-```
-
-## Read Entity Alias by ID
-
-This endpoint queries the entity alias by its identifier.
-
-| Method   | Path                             |
-| :------------------------------- | :--------------------- |
-| `GET`    | `/identity/entity-alias/id/:id`  |
-
-### Parameters
-
-- `id` `(string: <required>)` – Identifier of entity alias.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "creation_time": "2017-07-25T21:41:09.820717636Z",
-    "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
-    "id": "34982d3d-e3ce-5d8b-6e5f-b9bb34246c31",
-    "last_update_time": "2017-07-25T21:41:09.820717636Z",
-    "metadata": {
-      "group": "san_francisco",
-      "region": "west"
-    },
-    "mount_accessor": "auth_userpass_e50b1a44",
-    "mount_path": "userpass/",
-    "mount_type": "userpass",
-    "name": "testuser"
-  }
-}
-```
-
-## Update Entity Alias by ID
-
-This endpoint is used to update an existing entity alias.
-
-| Method   | Path                              |
-| :-------------------------------- | :--------------------- |
-| `POST`    | `/identity/entity-alias/id/:id`  |
-
-### Parameters
-
-- `id` `(string: <required>)` – Identifier of the entity alias.
-
-- `name` `(string: <required>)` - Name of the alias. Name should be the identifier
-  of the client in the authentication source. For example, if the alias belongs
-  to userpass backend, the name should be a valid username within userpass
-  backend. If alias belongs to GitHub, it should be the GitHub username.
-
-- `canonical_id` `(string: <required>)` - Entity ID to which this alias belongs to.
-
-- `mount_accessor` `(string: <required>)` - Accessor of the mount to which the
-  alias should belong to.
-
-### Sample Payload
-
-```json
-{
-  "name": "testuser",
-  "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
-  "mount_accessor": "auth_userpass_e50b1a44"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3",
-    "id": "34982d3d-e3ce-5d8b-6e5f-b9bb34246c31"
-  }
-}
-```
-
-### Delete Entity Alias by ID
-
-This endpoint deletes an alias from its corresponding entity.
-
-| Method     | Path                             |
-| :------------------------------- | :----------------------|
-| `DELETE`   | `/identity/entity-alias/id/:id`  |
-
-### Parameters
-
-- `id` `(string: <required>)` – Identifier of the entity alias.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
-```
-
-### List Entity Aliases by ID
-
-This endpoint returns a list of available entity aliases by their identifiers.
-
-| Method   | Path                                  |
-| :------------------------------------ | :--------------------- |
-| `LIST`   | `/identity/entity-alias/id`           |
-| `GET`    | `/identity/entity-alias/id?list=true` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/identity/entity-alias/id
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "2e8217fa-8cb6-8aec-9e22-3196d74ca2ba",
-      "91ebe973-ec86-84db-3c7c-f760415326de",
-      "92308b08-4139-3ec6-7af2-8e98166b4e0c",
-      "a3b042e6-5cc1-d5a9-8874-d53a51954de2",
-      "d5844921-017f-e496-2a9a-23d4a2f3e8a3"
-    ]
-  }
-}
-```
-
diff --git a/website/source/api/secret/identity/entity.html.md b/website/source/api/secret/identity/entity.html.md
deleted file mode 100644
index ee4f7c297683..000000000000
--- a/website/source/api/secret/identity/entity.html.md
+++ /dev/null
@@ -1,415 +0,0 @@
----
-layout: "api"
-page_title: "Identity Secret Backend: Entity - HTTP API"
-sidebar_title: "Entity"
-sidebar_current: "api-http-secret-identity-entity"
-description: |-
-  This is the API documentation for managing entities in the identity store.
----
-
-## Create an Entity
-
-This endpoint creates or updates an Entity.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `POST`   | `/identity/entity`  |
-
-### Parameters
-
-- `name` `(string: entity-<UUID>)` – Name of the entity.
-
-- `id` `(string: <optional>)` - ID of the entity. If set, updates the
-  corresponding existing entity.
-
-- `metadata` `(key-value-map: {})` – Metadata to be associated with the
-  entity.
-
-- `policies` `(list of strings: [])` – Policies to be tied to the entity.
-
-- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
-  entities' associated tokens cannot be used, but are not revoked.
-
-### Sample Payload
-
-```json
-{
-  "metadata": {
-    "organization": "hashicorp",
-    "team": "vault"
-  },
-  "policies": ["eng-dev", "infra-dev"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/entity
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297",
-    "aliases": null
-  }
-}
-```
-
-## Read Entity by ID
-
-This endpoint queries the entity by its identifier.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/identity/entity/id/:id`    |
-
-### Parameters
-
-- `id` `(string: <required>)` – Identifier of the entity.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "bucket_key_hash": "177553e4c58987f4cc5d7e530136c642",
-    "creation_time": "2017-07-25T20:29:22.614756844Z",
-    "disabled": false,
-    "id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297",
-    "last_update_time": "2017-07-25T20:29:22.614756844Z",
-    "metadata": {
-      "organization": "hashicorp",
-      "team": "vault"
-    },
-    "name": "entity-c323de27-2ad2-5ded-dbf3-0c7ef98bc613",
-    "aliases": [],
-    "policies": [
-      "eng-dev",
-      "infra-dev"
-    ]
-  }
-}
-```
-
-## Update Entity by ID
-
-This endpoint is used to update an existing entity.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/identity/entity/id/:id`    |
-
-### Parameters
-
-- `id` `(string: <required>)` – Identifier of the entity.
-
-- `name` `(string: entity-<UUID>)` – Name of the entity.
-
-- `metadata` `(key-value-map: {})` – Metadata to be associated with the entity.
-
-- `policies` `(list of strings: [])` – Policies to be tied to the entity.
-
-- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
-  entities' associated tokens cannot be used, but are not revoked.
-
-### Sample Payload
-
-```json
-{
-  "name":"updatedEntityName",
-  "metadata": {
-    "organization": "hashicorp",
-    "team": "nomad"
-  },
-  "policies": ["eng-developers", "infra-developers"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297",
-    "aliases": null
-  }
-}
-```
-
-## Delete Entity by ID
-
-This endpoint deletes an entity and all its associated aliases.
-
-| Method     | Path                        |
-| :-------------------------- | :----------------------|
-| `DELETE`   | `/identity/entity/id/:id`   |
-
-### Parameters
-
-- `id` `(string: <required>)` – Identifier of the entity.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
-```
-
-## List Entities by ID
-
-This endpoint returns a list of available entities by their identifiers.
-
-| Method   | Path                            |
-| :------------------------------ | :--------------------- |
-| `LIST`   | `/identity/entity/id`           |
-| `GET`    | `/identity/entity/id?list=true` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/identity/entity/id
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "02fe5a88-912b-6794-62ed-db873ef86a95",
-      "3bf81bc9-44df-8138-57f9-724a9ae36d04",
-      "627fba68-98c9-c012-71ba-bfb349585ce1",
-      "6c4c805b-b384-3d0e-4d51-44d349887b96",
-      "70a72feb-35d1-c775-0813-8efaa8b4b9b5",
-      "f1092a67-ce34-48fd-161d-c13a367bc1cd",
-      "faedd89a-0d82-c197-c8f9-93a3e6cf0cd0"
-    ]
-  }
-}
-```
-
-## Create/Update Entity by Name
-
-This endpoint is used to create or update an entity by a given name.
-
-| Method   | Path                             |
-| :------------------------------- | :--------------------- |
-| `POST`   | `/identity/entity/name/:name`    |
-
-### Parameters
-
-- `name` `(string: entity-<UUID>)` – Name of the entity.
-
-- `metadata` `(key-value-map: {})` – Metadata to be associated with the entity.
-
-- `policies` `(list of strings: [])` – Policies to be tied to the entity.
-
-- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
-  entities' associated tokens cannot be used, but are not revoked.
-
-### Sample Payload
-
-```json
-{
-  "metadata": {
-    "organization": "hashicorp",
-    "team": "nomad"
-  },
-  "policies": ["eng-developers", "infra-developers"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/entity/name/testentityname
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "aliases": null,
-    "id": "0826be06-577c-a076-3942-2f92da0310ce"
-  }
-}
-```
-
-## Read Entity by Name
-
-This endpoint queries the entity by its name.
-
-| Method   | Path                             |
-| :------------------------------- | :--------------------- |
-| `GET`    | `/identity/entity/name/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the entity.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/identity/entity/name/testentityname
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "aliases": [],
-    "creation_time": "2018-09-19T17:20:27.705389973Z",
-    "direct_group_ids": [],
-    "disabled": false,
-    "group_ids": [],
-    "id": "0826be06-577c-a076-3942-2f92da0310ce",
-    "inherited_group_ids": [],
-    "last_update_time": "2018-09-19T17:20:27.705389973Z",
-    "merged_entity_ids": null,
-    "metadata": {
-      "organization": "hashicorp",
-      "team": "nomad"
-    },
-    "name": "testentityname",
-    "policies": [
-      "eng-developers",
-      "infra-developers"
-    ]
-  }
-}
-```
-
-## Delete Entity by Name
-
-This endpoint deletes an entity and all its associated aliases, given the
-entity name.
-
-| Method     | Path                            |
-| :------------------------------ | :----------------------|
-| `DELETE`   | `/identity/entity/name/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the entity.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/identity/entity/name/testentityname
-```
-
-## List Entities by Name
-
-This endpoint returns a list of available entities by their names.
-
-| Method   | Path                              |
-| :-------------------------------- | :--------------------- |
-| `LIST`   | `/identity/entity/name`           |
-| `GET`    | `/identity/entity/name?list=true` |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/identity/entity/name
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "testentityname",
-    ]
-  }
-}
-```
-
-## Merge Entities
-
-This endpoint merges many entities into one entity.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/identity/entity/merge`     |
-
-### Parameters
-
-- `from_entity_ids` `(array: <required>)` - Entity IDs which needs to get
-  merged.
-
-- `to_entity_id` `(string: <required>)` - Entity ID into which all the other
-  entities need to get merged.
-
-- `force` `(bool: false)` - Setting this will follow the 'mine' strategy for
-  merging MFA secrets. If there are secrets of the same type both in entities
-  that are merged from and in entity into which all others are getting merged,
-  secrets in the destination will be unaltered. If not set, this API will throw
-  an error containing all the conflicts.
-
-### Sample Payload
-
-```json
-{
-  "to_entity_id": "f2cdefbe-f510-a226-77fa-989a48ba6abc",
-  "from_entity_ids": ["1ade80ec-ba5c-8eed-91e2-b9dcd41d6fff", "270976d0-9bab-14a5-4b92-3861805ef73d"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
-```
-
-
diff --git a/website/source/api/secret/identity/group-alias.html.md b/website/source/api/secret/identity/group-alias.html.md
deleted file mode 100644
index 0cf23bdc32fb..000000000000
--- a/website/source/api/secret/identity/group-alias.html.md
+++ /dev/null
@@ -1,200 +0,0 @@
----
-layout: "api"
-page_title: "Identity Secret Backend: Group Alias - HTTP API"
-sidebar_title: "Group Alias"
-sidebar_current: "api-http-secret-identity-group-alias"
-description: |-
-  This is the API documentation for managing the group aliases in the identity store.
----
-
-## Create a Group Alias
-
-This endpoint creates or updates a group alias.
-
-| Method   | Path                     |
-| :----------------------- | :----------------------|
-| `POST`   | `/identity/group-alias`  |
-
-### Parameters
-
-- `name` `(string: entity-<UUID>)` – Name of the group alias.
-
-- `id` `(string: <optional>)` - ID of the group alias. If set, updates the
-  corresponding existing group alias.
-
-- `mount_accessor` `(string: "")` – Mount accessor which this alias belongs
-  to.
-
-- `canonical_id` `(string: "")` - ID of the group to which this is an alias.
-
-
-### Sample Payload
-
-```json
-{
-  "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
-  "mount_accessor": "auth_github_232a90dc",
-  "name": "dev-team"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/group-alias
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
-    "id": "ca726050-d8ac-6f1f-4210-3b5c5b613824"
-  }
-}
-```
-
-## Update Group Alias by ID
-
-This endpoint is used to update an existing group alias.
-
-| Method   | Path                              |
-| :-------------------------------- | :--------------------- |
-| `POST`    | `/identity/group-alias/id/:id`   |
-
-### Parameters
-
-- `id` `(string: <optional>)` - ID of the group alias.
-
-- `name` `(string: entity-<UUID>)` – Name of the group alias.
-
-- `mount_accessor` `(string: "")` – Mount accessor which this alias belongs
-  to.
-
-- `canonical_id` `(string: "")` - ID of the group to which this is an alias.
-
-### Sample Payload
-
-```json
-{
-  "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
-  "mount_accessor": "auth_github_232a90dc",
-  "name": "dev-team"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
-    "id": "ca726050-d8ac-6f1f-4210-3b5c5b613824"
-  }
-}
-```
-
-## Read Group Alias by ID
-
-This endpoint queries the group alias by its identifier.
-
-| Method   | Path                              |
-| :-------------------------------- | :--------------------- |
-| `GET`    | `/identity/group-alias/id/:id`    |
-
-### Parameters
-
-- `id` `(string: <required>)` – ID of the group alias.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "canonical_id": "b86920ea-2831-00ff-15c5-a3f923f1ee3b",
-    "creation_time": "2017-11-13T20:09:41.661694Z",
-    "id": "ca726050-d8ac-6f1f-4210-3b5c5b613824",
-    "last_update_time": "2017-11-13T20:09:41.661694Z",
-    "merged_from_canonical_ids": null,
-    "metadata": null,
-    "mount_accessor": "auth_github_232a90dc",
-    "mount_path": "",
-    "mount_type": "github",
-    "name": "dev-team"
-  }
-}
-```
-
-## Delete Group Alias by ID
-
-This endpoint deletes a group alias.
-
-| Method     | Path                             |
-| :------------------------------- | :----------------------|
-| `DELETE`   | `/identity/group-alias/id/:id`   |
-
-## Parameters
-
-- `id` `(string: <required>)` – ID of the group alias.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
-```
-
-## List Group Alias by ID
-
-This endpoint returns a list of available group aliases by their identifiers.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `LIST`   | `/identity/group-alias/id`                |
-| `GET`    | `/identity/group-alias/id?list=true`      |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/identity/group-alias/id
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "ca726050-d8ac-6f1f-4210-3b5c5b613824"
-    ]
-  }
-}
-```
diff --git a/website/source/api/secret/identity/group.html.md b/website/source/api/secret/identity/group.html.md
deleted file mode 100644
index 399fcf811855..000000000000
--- a/website/source/api/secret/identity/group.html.md
+++ /dev/null
@@ -1,391 +0,0 @@
----
-layout: "api"
-page_title: "Identity Secret Backend: Group - HTTP API"
-sidebar_title: "Group"
-sidebar_current: "api-http-secret-identity-group"
-description: |-
-  This is the API documentation for managing groups in the identity store.
----
-
-## Create a Group
-
-This endpoint creates or updates a Group.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `POST`   | `/identity/group`   |
-
-### Parameters
-
-- `name` `(string: entity-<UUID>)` – Name of the group.
-
-- `id` `(string: <optional>)` - ID of the group. If set, updates the
-  corresponding existing group.
-
-- `type` `(string: "internal")` - Type of the group, `internal` or `external`.
-  Defaults to `internal`.
-
-- `metadata` `(key-value-map: {})` – Metadata to be associated with the
-  group.
-
-- `policies` `(list of strings: [])` – Policies to be tied to the group.
-
-- `member_group_ids` `(list of strings: [])` -  Group IDs to be assigned as
-  group members.
-
-- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
-  group members.
-
-### Sample Payload
-
-```json
-{
-  "metadata": {
-    "hello": "world"
-  },
-  "policies": ["grouppolicy1", "grouppolicy2"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/group
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "id": "363926d8-dd8b-c9f0-21f8-7b248be80ce1",
-    "name": "group_ab813d63"
-  }
-}
-```
-
-## Read Group by ID
-
-This endpoint queries the group by its identifier.
-
-| Method   | Path                        |
-| :-------------------------- | :--------------------- |
-| `GET`    | `/identity/group/id/:id`    |
-
-### Parameters
-
-- `id` `(string: <required>)` – Identifier of the group.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "alias": {},
-    "creation_time": "2017-11-13T19:36:47.102945Z",
-    "id": "363926d8-dd8b-c9f0-21f8-7b248be80ce1",
-    "last_update_time": "2017-11-13T19:36:47.102945Z",
-    "member_entity_ids": [],
-    "member_group_ids": null,
-    "metadata": {
-      "hello": "world"
-    },
-    "modify_index": 1,
-    "name": "group_ab813d63",
-    "policies": [
-      "grouppolicy1",
-      "grouppolicy2"
-    ],
-    "type": "internal"
-  }
-}
-```
-
-## Update Group by ID
-
-This endpoint is used to update an existing group.
-
-| Method   | Path                        |
-| :-------------------------- | :--------------------- |
-| `POST`    | `/identity/group/id/:id`   |
-
-### Parameters
-
-- `id` `(string: <required>)` – Identifier of the entity.
-
-- `name` `(string: entity-<UUID>)` – Name of the group.
-
-- `type` `(string: "internal")` - Type of the group, `internal` or `external`.
-  Defaults to `internal`.
-
-- `metadata` `(key-value-map: {})` – Metadata to be associated with the
-  group.
-
-- `policies` `(list of strings: [])` – Policies to be tied to the group.
-
-- `member_group_ids` `(list of strings: [])` -  Group IDs to be assigned as
-  group members.
-
-- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
-  group members.
-
-### Sample Payload
-
-```json
-{
-  "name": "testgroupname",
-  "metadata": {
-    "hello": "everyone"
-  },
-  "policies": ["grouppolicy2", "grouppolicy3"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "id": "363926d8-dd8b-c9f0-21f8-7b248be80ce1",
-    "name": "testgroupname"
-  }
-}
-```
-
-## Delete Group by ID
-
-This endpoint deletes a group.
-
-| Method     | Path                       |
-| :------------------------- | :----------------------|
-| `DELETE`   | `/identity/group/id/:id`   |
-
-## Parameters
-
-- `id` `(string: <required>)` – Identifier of the group.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
-```
-
-## List Groups by ID
-
-This endpoint returns a list of available groups by their identifiers.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `LIST`   | `/identity/group/id`           |
-| `GET`    | `/identity/group/id?list=true` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/identity/group/id
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "052567cf-1580-6f20-50c8-d38bc46dae6e",
-      "26da8035-6691-b89e-67ac-ebf9ea7f9893",
-      "363926d8-dd8b-c9f0-21f8-7b248be80ce1",
-      "5c4a5720-7408-c113-1dcc-9ede725d0ac8",
-      "d55e0f34-5c16-38ae-87af-324c9b656c43",
-      "e4e56e04-0dec-9b68-9b20-a450975d898e"
-    ]
-  }
-}
-```
-
-## Create/Update Group by Name
-
-This endpoint is used to create or update a group by its name.
-
-| Method   | Path                            |
-| :------------------------------ | :--------------------- |
-| `POST`    | `/identity/group/name/:name`   |
-
-
-### Parameters
-
-- `name` `(string: entity-<UUID>)` – Name of the group.
-
-- `type` `(string: "internal")` - Type of the group, `internal` or `external`.
-  Defaults to `internal`.
-
-- `metadata` `(key-value-map: {})` – Metadata to be associated with the
-  group.
-
-- `policies` `(list of strings: [])` – Policies to be tied to the group.
-
-- `member_group_ids` `(list of strings: [])` -  Group IDs to be assigned as
-  group members.
-
-- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
-  group members.
-
-### Sample Payload
-
-```json
-{
-  "metadata": {
-    "hello": "everyone"
-  },
-  "policies": ["grouppolicy2", "grouppolicy3"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/group/name/testgroupname
-```
-
-### Sample Response
-```json
-{
-  "request_id": "b98b4a3d-a9f1-e151-11e1-ad91cfb08351",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "id": "5a3a04a0-0c3a-a4c3-74e8-26b1adbeaece",
-    "name": "testgroupname"
-  },
-  "warnings": null
-}
-```
-
-## Read Group by Name
-
-This endpoint queries the group by its name.
-
-| Method   | Path                            |
-| :------------------------------ | :--------------------- |
-| `GET`    | `/identity/group/name/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the group.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/identity/group/name/testgroupname
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "alias": {},
-    "creation_time": "2018-09-19T22:02:04.395128091Z",
-    "id": "5a3a04a0-0c3a-a4c3-74e8-26b1adbeaece",
-    "last_update_time": "2018-09-19T22:02:04.395128091Z",
-    "member_entity_ids": [],
-    "member_group_ids": null,
-    "metadata": {
-      "foo": "bar"
-    },
-    "modify_index": 1,
-    "name": "testgroupname",
-    "parent_group_ids": null,
-    "policies": [
-      "grouppolicy1",
-      "grouppolicy2"
-    ],
-    "type": "internal"
-  }
-}
-```
-
-## Delete Group by Name
-
-This endpoint deletes a group, given its name.
-
-| Method     | Path                           |
-| :----------------------------- | :----------------------|
-| `DELETE`   | `/identity/group/name/:name`   |
-
-## Parameters
-
-- `name` `(string: <required>)` – Name of the group.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/identity/group/name/testgroupname
-```
-
-## List Groups by Name
-
-This endpoint returns a list of available groups by their names.
-
-| Method   | Path                             |
-| :------------------------------- | :--------------------- |
-| `LIST`   | `/identity/group/name`           |
-| `GET`    | `/identity/group/name?list=true` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/identity/group/name
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "testgroupname"
-    ]
-  }
-}
-```
diff --git a/website/source/api/secret/identity/index.html.md b/website/source/api/secret/identity/index.html.md
deleted file mode 100644
index ec650dfa795f..000000000000
--- a/website/source/api/secret/identity/index.html.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-layout: "api"
-page_title: "Identity - Secrets Engines - HTTP API"
-sidebar_title: "Identity"
-sidebar_current: "api-http-secret-identity"
-description: |-
-  This is the API documentation for the Vault Identity secrets engine.
----
-
-# Identity Secrets Engine (API)
-
-This is the API documentation for the Vault Identity secrets engine. For general
-information about the usage and operation of the Identity secrets engine, please
-see the [Vault Identity documentation](/docs/secrets/identity/index.html).
-
-## API Sections
-
- * [Entity](entity.html)
- * [Entity Alias](entity-alias.html)
- * [Group](group.html)
- * [Group Alias](group-alias.html)
- * [Identity Tokens](tokens.html)
- * [Lookup](lookup.html)
diff --git a/website/source/api/secret/identity/lookup.html.md b/website/source/api/secret/identity/lookup.html.md
deleted file mode 100644
index f0fa9e57f245..000000000000
--- a/website/source/api/secret/identity/lookup.html.md
+++ /dev/null
@@ -1,133 +0,0 @@
----
-layout: "api"
-page_title: "Identity Secret Backend: Lookup - HTTP API"
-sidebar_title: "Lookup"
-sidebar_current: "api-http-secret-identity-lookup"
-description: |-
-  This is the API documentation for entity and group lookups from identity
-  store.
----
-
-## Lookup an Entity
-
-This endpoint queries the entity based on the given criteria. The criteria can
-be `name`, `id`, `alias_id`, or a combination of `alias_name` and
-`alias_mount_accessor`.
-
-| Method   | Path                       |
-| :------------------------- | :----------------------|
-| `POST`   | `/identity/lookup/entity`  |
-
-### Parameters
-
-- `name` `(string: "")` – Name of the entity.
-
-- `id` `(string: "")` - ID of the entity.
-
-- `alias_id` `(string: "")` - ID of the alias.
-
-- `alias_name` `(string: "")` - Name of the alias. This should be supplied in
-  conjunction with `alias_mount_accessor`.
-
-- `alias_mount_accessor` `(string: "")` - Accessor of the mount to which the
-  alias belongs to. This should be supplied in conjunction with `alias_name`.
-
-### Sample Payload
-
-```json
-{
-  "id": "043fedec-967d-b2c9-d3af-0c467b04e1fd"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/lookup/entity
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "aliases": [],
-    "creation_time": "2017-11-13T21:01:33.543497Z",
-    "direct_group_ids": [],
-    "group_ids": [],
-    "id": "043fedec-967d-b2c9-d3af-0c467b04e1fd",
-    "inherited_group_ids": [],
-    "last_update_time": "2017-11-13T21:01:33.543497Z",
-    "merged_entity_ids": null,
-    "metadata": null,
-    "name": "entity_43cc451b",
-    "policies": null
-  }
-}
-```
-
-## Lookup a Group
-
-This endpoint queries the group based on the given criteria. The criteria can
-be `name`, `id`, `alias_id`, or a combination of `alias_name` and
-`alias_mount_accessor`.
-
-| Method   | Path                       |
-| :------------------------- | :----------------------|
-| `POST`   | `/identity/lookup/group`   |
-
-### Parameters
-
-- `name` `(string: "")` – Name of the group.
-
-- `id` `(string: "")` - ID of the group.
-
-- `alias_id` `(string: "")` - ID of the alias.
-
-- `alias_name` `(string: "")` - Name of the alias. This should be supplied in
-  conjunction with `alias_mount_accessor`.
-
-- `alias_mount_accessor` `(string: "")` - Accessor of the mount to which the
-  alias belongs to. This should be supplied in conjunction with `alias_name`.
-
-### Sample Payload
-
-```json
-{
-  "id": "70a4bdef-9da3-4460-b524-bb08542eef25"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/lookup/group
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "alias": {},
-    "creation_time": "2017-11-13T21:06:44.475587Z",
-    "id": "70a4bdef-9da3-4460-b524-bb08542eef25",
-    "last_update_time": "2017-11-13T21:06:44.475587Z",
-    "member_entity_ids": [],
-    "member_group_ids": null,
-    "metadata": null,
-    "modify_index": 1,
-    "name": "group_eaf2aab1",
-    "policies": null,
-    "type": "internal"
-  }
-}
-```
diff --git a/website/source/api/secret/identity/tokens.html.md b/website/source/api/secret/identity/tokens.html.md
deleted file mode 100644
index 6c372425da6b..000000000000
--- a/website/source/api/secret/identity/tokens.html.md
+++ /dev/null
@@ -1,495 +0,0 @@
----
-layout: "api"
-page_title: "Identity Secret Backend: Identity Tokens - HTTP API"
-sidebar_title: "Identity Tokens"
-sidebar_current: "api-http-secret-identity-tokens"
-description: |-
-  This is the API documentation for configuring, acquiring, and validating vault issued identity tokens.
----
-
-## Configure the Identity Tokens Backend
-
-This endpoint updates configurations for OIDC-compliant identity tokens issued by Vault.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `POST`   | `identity/oidc/config`  |
-
-### Parameters
-
-- `issuer` `(string: "")` – Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.
-
-### Sample Payload
-
-```json
-{
-  "issuer": "https://example.com:1234"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/oidc/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": null,
-  "warnings": [
-    "If \"issuer\" is set explicitly, all tokens must be validated against that address, including those issued by secondary clusters. Setting issuer to \"\" will restore the default behavior of using the cluster's api_addr as the issuer."
-  ],
-}
-```
-
-## Read Configurations for the Identity Tokens Backend
-
-This endpoint queries vault identity tokens configurations.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `GET`   | `identity/oidc/config`  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/identity/oidc/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "issuer": "https://example.com:1234"
-  },
-}
-```
-
-## Create a Named Key
-
-This endpoint creates or updates a named key which is used by a role to sign tokens.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `POST`   | `identity/oidc/key/:name`  |
-
-### Parameters
-
-- `name` `(string)` – Name of the named key.
-
-- `rotation_period` `(int or time string: "24h")` - How often to generate a new signing key. Can be specified as a number of seconds or as a time string like "30m" or "6h".
-
-- `verification_ttl` `(int or time string: "24h")` - Controls how long the public portion of a signing key will be available for verification after being rotated.
-
-- `allowed_client_ids` `(list: [])` - Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed.
-
-- `algorithm` `(string: "RS256")` - Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.
-
-### Sample Payload
-
-```json
-{
-  "rotation_period":"12h",
-  "verification_ttl":43200
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
-```
-
-## Read a Named Key
-
-This endpoint queries a named key and returns its configurations.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `GET`   | `identity/oidc/key/:name`  |
-
-### Parameters
-
-- `name` `(string)` – Name of the key.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "algorithm": "RS256",
-    "rotation_period": 43200,
-    "verification_ttl": 43200
-  },
-}
-```
-
-## Delete a Named Key
-
-This endpoint deletes a named key.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `DELETE`   | `identity/oidc/key/:name`  |
-
-### Parameters
-
-- `name` `(string)` – Name of the key.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
-```
-
-## List Named Keys
-
-This endpoint will List all named keys.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `LIST`   | `identity/oidc/key`  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/identity/oidc/key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "named-key-001",
-      "named-key-002"
-    ]
-  },
-}
-```
-
-## Rotate a Named Key
-
-This endpoint rotates a named key.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `POST`   | `identity/oidc/key/:name/rotate`  |
-
-### Parameters
-
-- `name` `(string)` – Name of the key to be rotated.
-
-- `verification_ttl` `(string: <optional>)` - Controls how long the public portion of the key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.
-
-### Sample Payload
-
-```json
-{
-  "verification_ttl": 0
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001/rotate
-```
-
-## Create or Update a Role
-
-Create or update a role. ID tokens are generated against a role and signed against a named key.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `POST`   | `identity/oidc/role/:name`  |
-
-### Parameters
-
-- `name` `(string)` – Name of the role.
-
-- `key` `(string)` – A configured named key, the key must already exist.
-
-- `template` `(string: <optional>)` - The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
-
-- `ttl` `(int or time string: "24h")` - TTL of the tokens generated against the role. Can be specified as a number of seconds or as a time string like "30m" or "6h".
-
-### Sample Payload
-
-```json
-{
-  "key": "named-key-001",
-  "ttl":"12h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/oidc/role/role-001
-```
-
-## Read a Role
-
-This endpoint queries a role and returs its configuration.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `GET`   | `identity/oidc/role/:name`  |
-
-### Parameters
-
-- `name` `(string)` – Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/identity/oidc/role/role-001
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "client_id": "PGE8tf4RmJkDwvjI1FgARkXEmH",
-    "key": "named-key-001",
-    "template": "",
-    "ttl": 43200
-  },
-}
-```
-
-## Delete a Role
-
-This endpoint deletes a role.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `DELETE`   | `identity/oidc/role/:name`  |
-
-### Parameters
-
-- `name` `(string)` – Name of the role.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/identity/oidc/role/role-001
-```
-
-## List Roles
-
-This endpoint will list all signing keys.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `LIST`   | `identity/oidc/role`  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/identity/oidc/role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "role-001",
-      "role-002",
-      "testrole"
-    ]
-  },
-}
-```
-
-## Generate a Signed ID Token
-
-Use this endpoint to generate a signed ID (OIDC) token.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `GET`   | `identity/oidc/token/:name`  |
-
-### Parameters
-
-- `name` `(string: "")` – The name of the role against which to generate a signed ID token
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/oidc/token/role-001
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "client_id": "P6CfCzyHsQY4pMcA6kWAOCItA7",
-    "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJkMGI4YjlkLWYwNGQtNzFlYy1iNjc0LWM3MzU4NDMyYmM1YiJ9.eyJhdWQiOiJQNkNmQ3p5SHNRWTRwTWNBNmtXQU9DSXRBNyIsImV4cCI6MTU2MTQ4ODQxMiwiaWF0IjoxNTYxNDAyMDEyLCJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tOjEyMzQiLCJzdWIiOiI2YzY1ZWFmNy1kNGY0LTEzMzMtMDJiYy0xYzc1MjE5YzMxMDIifQ.IcbWTmks7P5eVtwmIBl5rL1B88MI55a9JJuYVLIlwE9aP_ilXpX5fE38CDm5PixDDVJb8TI2Q_FO4GMMH0ymHDO25ZvA917WcyHCSBGaQlgcS-WUL2fYTqFjSh-pezszaYBgPuGvH7hJjlTZO6g0LPCyUWat3zcRIjIQdXZum-OyhWAelQlveEL8sOG_ldyZ8v7fy7GXDxfJOK1kpw5AX9DXJKylbwZTBS8tLb-7edq8uZ0lNQyWy9VPEW_EEIZvGWy0AHua-Loa2l59GRRP8mPxuMYxH_c88x1lsSw0vH9E3rU8AXLyF3n4d40PASXEjZ-7dnIf4w4hf2P4L0xs_g",
-    "ttl": 86400
-  },
-}
-```
-
-## Introspect a signed ID Token
-
-This endpoint can verify the authenticity and active state of a signed ID token.
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `POST`   | `identity/oidc/introspect`  |
-
-### Parameters
-
-- `token` `(string)` – A signed OIDC compliant ID token
-
-- `client_id` `(string: <optional>)` - Specifying the client ID optimizes validation time
-
-### Sample Payload
-
-```json
-{
-  "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImE4NDQ4YmVkLTk4ZTMtMDNhMC01ODY4LTdmOWYyZDc5NWY2NSJ9.eyJhdWQiOiJpUDdyV1A4dmhDVFFpOTAydGhaR0hUazJMbyIsImV4cCI6MTU2MTQ4OTE0OSwiaWF0IjoxNTYxNDAyNzQ5LCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgyMDAvdjEvaWRlbnRpdHkvb2lkYyIsInN1YiI6IjQ1NDQxZTg3LWMyMWQtYzY5NS0wNGM3LWU0YmU4MGU1M2Y0ZiJ9.IYZx1bBofBgwphLZggugFUE7V3ZLFDNr0UYv3hhc4RlIu5WgFZPRjpKVXPdORozYJJB_37aJW6qm5j8nNSz4WrWUmMcrVxoZi2VBExu-GcHHniEPRryR9t_45rqP2MycLBz0dICOjFDWvfkp6ddyCsQfkRnplPGCaN67MUEdgYQf5QNyxaG-yabRPiATY_OtXSjiNsMhJe6ZloYTZZc9gTTfKcKQf4mfy5yRY6471qkqeTuYNhKjwdkEnCSaEjHmCdZOYC5DAet16eQ7ankcwBno17_zs7vbPmkXNttALOrjSQgGe1td1SCfZeg5UOs7_IPk0qqdwOdyQ8wsrDmSyg"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/identity/oidc/introspect
-```
-
-### Sample Response
-
-
-```json
-
-{
-  "active": true
-}
-```
-
-## Read .well-known Configurations
-
-Query this path to retrieve a set of claims about the identity tokens' configuration. The response is a compliant [OpenID Provider Configuration Response](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
-
-| Method   | Path                |
-| :------------------ | :----------------------|
-| `GET`   | `identity/oidc/.well-known/openid-configuration`  |
-
-### Sample Request
-
-```
-$ curl \
-    --request GET \
-    http://127.0.0.1:8200/v1/identity/oidc/.well-known/openid-configuration
-```
-
-### Sample Response
-
-```json
-{
-  "issuer": "https://example.com:1234",
-  "authorization_endpoint": "",
-  "token_endpoint": "",
-  "jwks_uri": "https://example.com:1234/.well-known/keys",
-  "response_types_supported": null,
-  "subject_types_supported": [
-    "public"
-  ],
-  "id_token_signing_alg_values_supported": [
-    "RS256"
-  ],
-  "scopes_supported": null,
-  "token_endpoint_auth_methods_supported": null,
-  "claims_supported": null
-}
-```
-
-## Read Active Public Keys
-Query this path to retrieve the public portion of named keys. Clients can use this to validate the authenticity of an identity token.
-
-### Sample Request
-
-```
-$ curl \
-    --request GET \
-    http://127.0.0.1:8200/v1/identity/oidc/.well-known/keys
-```
-
-### Sample Response
-
-```json
-{
-  "keys": [
-    {
-      "use": "sig",
-      "kty": "RSA",
-      "kid": "94178020-55b5-e18d-b32b-1010ba5a35b4",
-      "alg": "RS256",
-      "n": "1bt-V8T7g0zr7koNbdppFrUM5YrnybPDOt-cK3MKmL1FcN3aOltCw9tCYStHgm8mIz_DJ1HgIjA-DcK_O9gacEGFCidUuudV8O4TixToHEVyRe1yXu-Q98hwkm9JtFF9PvMzDXhn4s3bLanOZzO15JAdVCo0JnwSIT9Ay3LxPLbWHYbPj7ROScuvic99OyvWz87qBK-AoXmxo9lRNY39LtieMr1D2iq0HvtjHkfiarr34CSTcuksknOsY49BU5ktrs_YJSEVpeRQ8RywY1sWrq8w_UmGsNFfPr--crXQw0ekJCXzmotsRHE5jwMuhjuucVlnyQFBYEdfDB_iPbC7Hw",
-      "e": "AQAB"
-    }
-  ]
-}
-```
diff --git a/website/source/api/secret/index.html.md b/website/source/api/secret/index.html.md
deleted file mode 100644
index 81ed4ae97bc2..000000000000
--- a/website/source/api/secret/index.html.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-layout: "api"
-page_title: "Secrets Engines - HTTP API"
-sidebar_title: "Secrets Engines"
-sidebar_current: "api-http-secret"
-description: |-
-  Each secrets engine publishes its own set of API paths and methods. These
-  endpoints are documented in this section.
----
-
-# Secrets Engines
-
-Each secrets engine publishes its own set of API paths and methods. These
-endpoints are documented in this section. secrets engines are enabled at a path,
-but the documentation will assume the default paths for simplicity. If you are
-enabled at a different path, you should adjust your API calls accordingly.
-
-For the API documentation for a specific secrets engine, please choose a secrets
-engine from the navigation.
diff --git a/website/source/api/secret/kmip/index.html.md b/website/source/api/secret/kmip/index.html.md
deleted file mode 100644
index 82701e9cf144..000000000000
--- a/website/source/api/secret/kmip/index.html.md
+++ /dev/null
@@ -1,549 +0,0 @@
----
-layout: "api"
-page_title: "KMIP - Secrets Engines - HTTP API"
-sidebar_title: "KMIP <sup>ENTERPRISE</sup>"
-sidebar_current: "api-http-secret-kmip"
-description: |-
-  This is the API documentation for the Vault KMIP secrets engine.
----
-
-# KMIP Secrets Engine (API)
-
-This is the API documentation for the Vault KMIP secrets engine. For general 
-information about the usage and operation of
-the KMIP secrets engine, please see [these docs](/docs/secrets/kmip/index.html).
-
-This documentation assumes the KMIP secrets engine is enabled at the `/kmip` path
-in Vault. Since it is possible to mount secrets engines at any path, please
-update your API calls accordingly.
-
-## Write Config
-
-| Method | Path           |
-|:-------|:---------------|
-| `POST` | `/kmip/config` |
-
-This endpoint configures shared information for the secrets engine. After writing
-to it the KMIP engine will generate a CA and start listening for KMIP requests.
-If the server was already running and any non-client settings are changed, the 
-server will be restarted using the new settings.
-
-### Parameters
-
-- `listen_addrs` (`list: ["127.0.0.1:5696"] || string`) - Address and port the 
-   KMIP server should listen on. Can be given as a JSON list or a 
-   comma-separated string list. If multiple values are given, all will be 
-   listened on.
-   
-- `connection_timeout` (`int: 1 || string:"1s"`) - Duration in either an integer 
-   number of seconds (10) or an integer time unit (10s) within which connections
-   must become ready.
-
-- `server_hostnames` (`list: ["localhost"] || string`) - Hostnames to include in 
-   the server's TLS certificate as SAN DNS names. The first will be used as the 
-   common name (CN).
-
-- `server_ips` (`list: [] || string`) - IPs to include in the server's TLS 
-   certificate as SAN IP addresses. Localhost (IPv4 and IPv6) will be automatically
-   included.
-   
-- `tls_ca_key_type` (`string: "ec"`) - CA key type, `rsa` or `ec`.
-
-- `tls_ca_key_bits` (`int: 521`) - CA key bits, valid values depend on key type.
-
-- `tls_min_version` (`string: "tls12"`) - Minimum TLS version to accept.
-
-- `default_tls_client_key_type` (`string: "ec"`): - Client certificate key type, 
-  `rsa` or `ec`.
-
-- `default_tls_client_key_bits` (`int: 521`): - Client certificate key bits, valid 
-  values depend on key type.
-  
-- `default_tls_client_ttl` (`int: 86400 || string:"24h"`) – Client certificate 
-  TTL in either an integer number of seconds (10) or an integer time unit (10s).
-
-### Sample Payload
-
-```json
-{
-    "listen_addrs":                "127.0.0.1:5696,192.168.1.2:9000",
-    "connection_timeout":          "1s",
-    "server_hostnames":            "myhostname1,myhostname2",
-    "server_ips":                  "192.168.1.2",
-    "tls_ca_key_type":             "ec",
-    "tls_ca_key_bits":             521,
-    "tls_min_version":             "tls11",
-    "default_tls_client_key_type": "ec",
-    "default_tls_client_key_bits": 224,
-    "default_tls_client_ttl":      86400,
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/kmip/config
-```
-
-## Read Config
-
-| Method | Path           |
-|:-------|:---------------|
-| `GET`  | `/kmip/config` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/kmip/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "listen_addrs":                ["127.0.0.1:5696", "192.168.1.2:9000"],
-    "connection_timeout":          "1s",
-    "server_hostnames":            ["myhostname1", "myhostname2"],
-    "server_ips":                  ["192.168.1.2"],
-    "tls_ca_key_type":             "ec",
-    "tls_ca_key_bits":             521,
-    "tls_min_version":             "tls11",
-    "default_tls_client_key_type": "ec",
-    "default_tls_client_key_bits": 224,
-    "default_tls_client_ttl":      86400,
-  }
-}
-```
-
-## Read CA
-
-| Method | Path       |
-|:-------|:-----------|
-| `GET`  | `/kmip/ca` |
-
-Returns the CA certificates in PEM format. Returns an error if config has never
-been written.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/kmip/ca
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "ca_pem": "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUApNsRil/dzQy3XT+yjZQEpcA49kwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MzIzM1oX\nDTI5MDYyMTE4MzMwM1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAGWJGwPjGGoXivBv\nLJwR+fIG3z6Ei06bhZgTaRW/U3eA5oivxubxOVZPe1BJGWCsIVNjxMZAN4Pswki7\nAHme9bdJAUbQw33tC1iAb0wjzIpoPv1+pdSk6wYZTCKzOYWCbsTb3SOIetpk7sQw\niM17agwIRK9qGvX3Q4PBfEKEpstAjoaJo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUKMwPpRxU2Uzydv21bc8ePfUpGFEw\nHwYDVR0jBBgwFoAUwrPrJc9EsU6kTWJ5hXkJV4PEq9swCgYIKoZIzj0EAwIDgYwA\nMIGIAkIBRCarRMer42Ni/fKQBTi+uFk+2sPyCxCYDWTfMFAusC51dC2F91mUL77R\nkHxauSkh5gcZVAch/dg/L0ewP0AZUBUCQgE1VqoBN9klFky7LHfl62p6PgprH7d1\nYCvYVbWdBNnEdrL2P9aKsuCewdqycZVJLmM36cHnOAEGg1yea8soQL0Ylw==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIICKTCCAYugAwIBAgIUOBgW1GCH+n5gC6m8Ff5jq+5DmO8wCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MzIzM1oX\nDTI5MDYyMTE4MzMwM1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA7vkbmKJR+SVBTJjAFnma0ynTIi64doZA\n5oOXIAExvOyyI2KBNfqXxgzt/51u9vvixQf3VX/1Jph+0fkIcIYUEmIBFAH7Th1X\n0EOOdmMHfN0YkXDEUUdKIZyQxgA7o3DF+JAVg1cdBV7S8jZyXik7pL+IFnlYdfvN\nUZcArUkMfKo1cZajZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBTCs+slz0SxTqRNYnmFeQlXg8Sr2zAfBgNVHSMEGDAWgBTC\ns+slz0SxTqRNYnmFeQlXg8Sr2zAKBggqhkjOPQQDAgOBiwAwgYcCQgGjKAC371/5\npxgYdLVBmVC6Aa+oOvwGfnich2YLSLbThySED7+fXl1BY43VU703ad6M34fStf6z\nwFZvVZVK188DCQJBJcSZ7YA3PjOre+epJHtAba+1CkAdbSAeGhBDgHdIEP1/FDvx\n+U2QYeVZ7kAVnkzPxa17V0yqjxDtQDTiOw/ZV5c=\n-----END CERTIFICATE-----"
-  },
-}
-```
-
-## Write scope
-
-| Method | Path                 |
-|:-------|:---------------------|
-| `POST` | `/kmip/scope/:scope` |
-
-Creates a new scope with the given name.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope
-```
-
-## List scopes
-
-| Method | Path          |
-|:-------|:--------------|
-| `LIST` | `/kmip/scope` |
-
-List existing scopes.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/kmip/scope
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "myscope"
-    ]
-  },
-}
-```
-
-## Delete scope
-
-| Method   | Path                 |
-|:---------|:---------------------|
-| `DELETE` | `/kmip/scope/:scope` |
-
-Delete a scope by name.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-- `force` (`bool: false`) - Force scope deletion. If KMIP managed objects have
-  been created within the scope this param must be provided or the deletion will
-  fail. This value should be supplied as a query parameter, or as an argument in
-  the CLI.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope?force=false
-```
-
-## Write role
-
-| Method | Path                            |
-|:-------|:--------------------------------|
-| `POST` | `/kmip/scope/:scope/role/:role` |
-
-Creates or updates a role. 
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-- `role` (`string: <required>`) - Name of role. This is part of the request URL.
-- `operation_none` (`bool: false`) - Remove all permissions
-  from this role. May not be specified with any other 
-  `operation_` params.
-- `operation_all` (`bool: false`) - Grant all permissions
-  to this role. May not be specified with any other 
-  `operation_` params.
-- `operation_activate` (`bool: false`) - Grant permission to use the KMIP 
-  `Activate` operation.
-- `operation_add_attribute` (`bool: false`) - Grant permission to use the KMIP 
-  `Add Attribute` operation.
-- `operation_create` (`bool: false`) - Grant permission to use the KMIP 
-  `Create` operation.
-- `operation_destroy` (`bool: false`) - Grant permission to use the KMIP 
-  `Destroy` operation.
-- `operation_discover_versions` (`bool: false`) - Grant permission to use the KMIP 
-  `Discover Version` operation.
-- `operation_get` (`bool: false`) - Grant permission to use the KMIP 
-  `Get` operation.
-- `operation_get_attribute_list` (`bool: false`) - Grant permission to use the KMIP 
-  `Get Attribute List` operation.
-- `operation_get_attributes` (`bool: false`) - Grant permission to use the KMIP 
-  `Get Attributes` operation.
-- `operation_locate` (`bool: false`) - Grant permission to use the KMIP 
-  `Locate` operation.
-- `operation_register` (`bool: false`) - Grant permission to use the KMIP 
-  `Register` operation.
-- `operation_rekey` (`bool: false`) - Grant permission to use the KMIP 
-  `Rekey` operation.
-- `operation_revoke` (`bool: false`) - Grant permission to use the KMIP 
-  `Revoke` operation.
-
-
-### Sample Payload
-
-```json
-{
-  "operation_activate": true,
-  "operation_add_attribute": true,
-  "operation_create": true,
-  "operation_destroy": true,
-  "operation_discover_versions": true,
-  "operation_get": true,
-  "operation_get_attribute_list": true,
-  "operation_get_attributes": true,
-  "operation_locate": true,
-  "operation_register": true,
-  "operation_rekey": true,
-  "operation_revoke": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
-```
-
-## Read role
-
-| Method | Path                            |
-|:-------|:--------------------------------|
-| `GET`  | `/kmip/scope/:scope/role/:role` |
-
-Read a role.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-- `role` (`string: <required>`) - Name of role. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "operation_activate": true,
-    "operation_add_attribute": true,
-    "operation_create": true,
-    "operation_destroy": true,
-    "operation_discover_versions": true,
-    "operation_get": true,
-    "operation_get_attribute_list": true,
-    "operation_get_attributes": true,
-    "operation_locate": true,
-    "operation_register": true,
-    "operation_rekey": true,
-    "operation_revoke": true
-  },
-}
-```
-
-## List roles
-
-| Method | Path                      |
-|:-------|:--------------------------|
-| `LIST` | `/kmip/scope/:scope/role` |
-
-List roles with a scope.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope/role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "myrole"
-    ]
-  },
-}
-```
-
-## Delete role
-
-| Method   | Path                            |
-|:---------|:--------------------------------|
-| `DELETE` | `/kmip/scope/:scope/role/:role` |
-
-Delete a role by name.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-- `role` (`string: <required>`) - Name of role. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
-```
-
-
-## Generate credential
-
-| Method | Path                                                |
-|:-------|:----------------------------------------------------|
-| `POST` | `/kmip/scope/:scope/role/:role/credential/generate` |
-
-Create a new client certificate tied to the given role and scope.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-- `role` (`string: <required>`) - Name of role. This is part of the request URL.
-- `format` (`string: "pem"`) - Format to return the certificate, private key,
-  and CA chain in.  One of `pem`, `pem_bundle`, or `der`.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/generate
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "ca_chain": [
-      "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUKOGtsdXdMjjGni52EsaMQ7ozhCEwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4NTgyMVoX\nDTI5MDYyMTE4NTg1MVowKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEATHNhNvU0GMtzl6A\nPbNaCoF0jV3z09RCfLKEqMl/MXv/AlPcfiqCQeOWBwWHv76epPWkCCo+IlNq8ldQ\neVe52p6mABMvRjE6BZ/eLea27zImI6waK7nZ2hqx0npb8ivdbwmrgp0NQnv0sJ+o\nPeLa2vh9wDK1NJebmOv0yRAbCw2CH7Rbo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQU2naFRym+xfFvZm2TNRBXNf3MJSsw\nHwYDVR0jBBgwFoAUFrA/R807R0BnIt395KzaXdP4n00wCgYIKoZIzj0EAwIDgYwA\nMIGIAkIAkb8EdHCXgPpQsKYedMz4X2j5CFSVdZTWsPVw1XuSXIsIsc6018V4z9Kp\nkPacsHZTBR636y2toqRPDG4y9MLqFFkCQgCV1jEkiNhhKc+ZWuDjerdqNvLnCbe+\n7t4fiG9zQgWwh6IxL11cNyGVz9gS9af32DtuYf0xwFLOwLgn1RadC9Pd7Q==\n-----END CERTIFICATE-----",
-      "-----BEGIN CERTIFICATE-----\nMIICKTCCAYugAwIBAgIUOcs4pXlp+UgGiUKfKlcxIE/woPEwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4NTgyMVoX\nDTI5MDYyMTE4NTg1MVowHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcst7uNwu77WtLDkbz4ILYDiQ3BgS++qU\nOoNKcKyvNe8YX6PtrdQWPTaxT4MZNHZvTv+BAQTQqGLKrstpkjXPh+sBn7V4trkT\nMCtxUjIGneURUXS4IC/KJEA60P7ep7MrGnJfG/N4m+Q/a6BuxKhdEavXtepniCMz\npHw4DCpW/9m2t16jZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBQWsD9HzTtHQGci3f3krNpd0/ifTTAfBgNVHSMEGDAWgBQW\nsD9HzTtHQGci3f3krNpd0/ifTTAKBggqhkjOPQQDAgOBiwAwgYcCQR7iNoA4nBV3\ndSn8nfafklFvHZxoKR1j3nn+56z4JHD6TNr//GNqQiqnM3P//Tce+E4KzEax4xRg\nhaLURgPLNBjOAkIAqW+1/+v9D0vXOU1WPc+/oFvhSjYnr5qqcTL7by5fsmMXzAIe\nLODXiODxdppXXnMZPCPZh6MGgUwEGYeCnaXopWc=\n-----END CERTIFICATE-----"
-    ],
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIICOzCCAZygAwIBAgIUeOkn0HAdoh31nGkVKdafpCNuhFEwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x\nOTA2MjQxOTAwMDlaFw0xOTA2MjUxOTAwMzlaMCAxDjAMBgNVBAsTBWlsVjYzMQ4w\nDAYDVQQDEwUyRnlWTjCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAA0rIy0h2DL3\nzmTXVj2v22Kz0N1EUUATlRgBj1XBsBA1Pdd7CSZoefmh/u6Z8TjtRX9Z1aj9Bb/d\nJxS3zB4mguULAF4k7bLH1gKXMVC6NYjjk3mfxH5jG4QY8S8n6uyqzNgI5KRJ2Hyj\nm8549Nvq3rvs8yOVXPSOGzkJ5KdUmSvXicMQo2cwZTAOBgNVHQ8BAf8EBAMCA6gw\nEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFEuzruLILCil5Fp32ZjE4AhD\nU268MB8GA1UdIwQYMBaAFNp2hUcpvsXxb2ZtkzUQVzX9zCUrMAoGCCqGSM49BAMC\nA4GMADCBiAJCAeeuaIsgO9ro7opzZ9y9hSHkKB5WA5Qc7ePoSiKHNNbVvIJMkjRQ\nC9YtUMQNnQ8wE6D/9xvR+9OBIi7t16iHGPGbAkIA6WIG6HHRNUXnHPIiW8iy/04O\nfVqZgJHJEeyGQbwdaehs+Z5xOz6TA4Z3uZOAMnPcb+KDwchnQ8CJnmT/KnnT5D8=\n-----END CERTIFICATE-----",
-    "private_key": "-----BEGIN EC PRIVATE KEY-----\nMIHcAgEBBEIBB4xDj9SUtb6Z466lVQIf3ucy21q5S2Fp9bzTQ0Ch5Vg2+DhUZUa1\nDjKvDdICY6hLPBFAwcOUFdDXr4kH/i8wuRWgBwYFK4EEACOhgYkDgYYABAANKyMt\nIdgy985k11Y9r9tis9DdRFFAE5UYAY9VwbAQNT3XewkmaHn5of7umfE47UV/WdWo\n/QW/3ScUt8weJoLlCwBeJO2yx9YClzFQujWI45N5n8R+YxuEGPEvJ+rsqszYCOSk\nSdh8o5vOePTb6t677PMjlVz0jhs5CeSnVJkr14nDEA==\n-----END EC PRIVATE KEY-----",
-    "serial_number": "728181095563584845125173905844944137943705466376"
-  },
-}
-```
-
-## Lookup credential
-
-| Method | Path                                              |
-|:-------|:--------------------------------------------------|
-| `GET`  | `/kmip/scope/:scope/role/:role/credential/lookup` |
-
-Read a certificate by serial number. The private key cannot be obtained except
-at generation time.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-- `role` (`string: <required>`) - Name of role. This is part of the request URL.
-- `serial_number` (`string: <required>`) - Serial number of certificate to revoke.
-- `format` (`string: "pem"`) - Format to return the certificate, private key,
-  and CA chain in.  One of `pem`, `pem_bundle`, or `der`.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/lookup?serial_number=728181095563584845125173905844944137943705466376
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "ca_chain": [
-      "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUGptwpwpVvxlx3sBniJ7TRGD9gCkwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE5MDY0N1oX\nDTI5MDYyMTE5MDcxN1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEADO48mMu5V2PTbcg\nq0JPB5ReWwnUHhfFh/+XLP8ZM112JpOFutlcUYYZ23jAlvrlYZ+m1E0ASr0592ZM\n9CwIXy3zAJChPrV3tiofhINR5PPqCF42FcfNj4l7VN/XeYMN6dslX+O4dPn/DsbH\nZi7kWr5KSOR939ULFaRMYe3l2MxaYZ2do2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUPP7VJOGk3qR0qKqx3TLN1R8JDiQw\nHwYDVR0jBBgwFoAUBHr+hhaorPU2jIF35DTBDhL7uWowCgYIKoZIzj0EAwIDgYwA\nMIGIAkIA7G82rqLYb6bKrQZzhpNwvVIFOSocEJrUbP0E0D8dEeOmKs43C70P5e0s\nTrrpNAMEsK6vXWtM+QcrZZp+yyM6k3QCQgG8cxFIl8tgoMKWe0+cDeOoHtczopRy\nSk+Tt7DNNP9sfYK11g7w8xzbtW4ZuZKKoYRbxN+eQHn5c+8akMSt4h71Dg==\n-----END CERTIFICATE-----",
-      "-----BEGIN CERTIFICATE-----\nMIICKDCCAYugAwIBAgIUWv6jrjNbsvdX43l4s10HaJkSxOMwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE5MDY0N1oX\nDTI5MDYyMTE5MDcxN1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAP6C8d9ZUalKBM1NdALtEMlv+dwFnK88F\n8bp7i6hV55vER45FtKKciQwWoA91FjfWTrDYPHb1X4OPZvcjQGnIJ1AAj+BSzEWr\neJXNo46RxLLl+cndiVDqlbJlhE9qVn9ueLHhPIPNSFZneY9cTj5+EOPyKiBCo4xB\ndTtVr29lLu/JwM2jZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBQEev6GFqis9TaMgXfkNMEOEvu5ajAfBgNVHSMEGDAWgBQE\nev6GFqis9TaMgXfkNMEOEvu5ajAKBggqhkjOPQQDAgOBigAwgYYCQUlJqNoWCz4H\npjMNphxD4A8lfWtIrajGUhSxE9+JWRzoPpEJSwVobvryU2SO5u0sfqxtcmX/sBjY\n12N5QVFfqpB3AkErsjg8eMkh+OMalmWxRYtTuZt+i4DPm1CKEVIkUT8ZBXYTIl9V\nG3TG8lmby/8e+YUwJEKVvOy6tVI8ExEoVslwKw==\n-----END CERTIFICATE-----"
-    ],
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIICOjCCAZygAwIBAgIUf4zFBobFJMkSIvM7CfceSVfYNggwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x\nOTA2MjQxOTA3MTBaFw0xOTA2MjUxOTA3NDBaMCAxDjAMBgNVBAsTBW5BcUswMQ4w\nDAYDVQQDEwU0Qjd2STCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAdxHrbr/EXUz\nzWCd9HMUDus6r/3QF1Y3u9dPD2UwM76J3aICmykkm7xoYpoyg4chBEDxBWh2YkGT\na4WFMoXBa+k1AZhdvlj8tjOUlYZrTCLB9FBPCGz3JB4f5cmbG5JVsQ8qnBPiyV3e\nU21cWM6mWlhZKHWIdBU2pj+eXW78K5LMu2sWo2cwZTAOBgNVHQ8BAf8EBAMCA6gw\nEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFAT0QZOpZCTMCz7F8+BvF2xs\nZSfkMB8GA1UdIwQYMBaAFDz+1SThpN6kdKiqsd0yzdUfCQ4kMAoGCCqGSM49BAMC\nA4GLADCBhwJBPxBV4DgPi5zihRnxu7zTNeqe/xlvrEt1uTff8QtW3JsigbBDHV+A\nxBe7vc8mL8VQPG7BFKvvxuQvOAeeQ+AR8ZoCQgDtbaWgLtfbzKvwlY48e6dLeBpK\nDu1DaZq+79EON2lhWQ+ULHblJc5cK0F6Ff5OC89aDnV1TWQDHeR91mZdYiWZZQ==\n-----END CERTIFICATE-----",
-    "serial_number": "728181095563584845125173905844944137943705466376"
-  },
-}
-```
-
-## List credential serial numbers
-
-| Method | Path                                       |
-|:-------|:-------------------------------------------|
-| `LIST` | `/kmip/scope/:scope/role/:role/credential` |
-
-List the serial numbers of all certificates within a role.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-- `role` (`string: <required>`) - Name of role. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "728181095563584845125173905844944137943705466376"
-    ]
-  },
-}
-```
-
-## Revoke credential
-
-| Method | Path                                              |
-|:-------|:--------------------------------------------------|
-| `POST` | `/kmip/scope/:scope/role/:role/credential/revoke` |
-
-Delete a certificate, thereby revoking it.
-
-### Parameters
-
-- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
-- `role` (`string: <required>`) - Name of role. This is part of the request URL.
-- `serial_number` (`string: ""`) - Serial number of certificate to revoke.
-  Exactly one of `serial_number` or `certificate` must be provided.
-- `certificate` (`string: """`) - Certificate to revoke, in PEM format.
-  Exactly one of `serial_number` or `certificate` must be provided.
-
-### Sample Payload
-
-```json
-{
-    "serial_number": "728181095563584845125173905844944137943705466376"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/revoke
-```
diff --git a/website/source/api/secret/kv/index.html.md b/website/source/api/secret/kv/index.html.md
deleted file mode 100644
index 68e2620307e4..000000000000
--- a/website/source/api/secret/kv/index.html.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-layout: "api"
-page_title: "KV - Secrets Engines - HTTP API"
-sidebar_title: "Key/Value"
-sidebar_current: "api-http-secret-kv"
-description: |-
-  This is the API documentation for the Vault KV secrets engine.
----
-
-# KV Secrets Engine (API)
-
-This backend can be run in one of two versions. Each of which have a distinct API.
-Choose the version below you are running. For more information on the KV secrets
-engine see the [Vault kv documentation](/docs/secrets/kv/index.html).
-
- - [KV Version 1 API](/api/secret/kv/kv-v1.html)
- 
- - [KV Version 2 API](/api/secret/kv/kv-v2.html)
diff --git a/website/source/api/secret/kv/kv-v1.html.md b/website/source/api/secret/kv/kv-v1.html.md
deleted file mode 100644
index 51f301804095..000000000000
--- a/website/source/api/secret/kv/kv-v1.html.md
+++ /dev/null
@@ -1,168 +0,0 @@
----
-layout: "api"
-page_title: "KV - Secrets Engines - HTTP API"
-sidebar_title: "K/V Version 1"
-sidebar_current: "api-http-secret-kv-v1"
-description: |-
-  This is the API documentation for the Vault KV secrets engine.
----
-
-# KV Secrets Engine - Version 1 (API)
-
-This is the API documentation for the Vault KV secrets engine. For general
-information about the usage and operation of the kv secrets engine, please
-see the [Vault kv documentation](/docs/secrets/kv/index.html).
-
-This documentation assumes the kv secrets engine is enabled at the
-`/secret` path in Vault. Since it is possible to enable secrets engines at any
-location, please update your API calls accordingly.
-
-## Read Secret
-
-This endpoint retrieves the secret at the specified location.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/secret/:path`              |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to read.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/secret/my-secret
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "foo": "bar",
-    "ttl": "1h"
-  },
-  "lease_duration": 3600,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-_Note_: the `lease_duration` field, which will be populated if a "ttl" field
-was included in the data, is advisory. No lease is created. This is a way for
-writers to indicate how often a given value should be re-read by the client.
-See the [Vault KV secrets engine documentation](/docs/secrets/kv/index.html)
-for more details.
-
-## List Secrets
-
-This endpoint returns a list of key names at the specified location. Folders are
-suffixed with `/`. The input must be a folder; list on a file will not return a
-value. Note that no policy-based filtering is performed on keys; do not encode
-sensitive information in key names. The values themselves are not accessible via
-this command.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/secret/:path`              |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secrets to list.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/secret/my-secret
-```
-
-### Sample Response
-
-The example below shows output for a query path of `secret/` when there are
-secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
-entries.
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["foo", "foo/"]
-  },
-  "lease_duration": 2764800,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Create/Update Secret
-
-This endpoint stores a secret at the specified location. If the value does not
-yet exist, the calling token must have an ACL policy granting the `create`
-capability. If the value already exists, the calling token must have an ACL
-policy granting the `update` capability.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/secret/:path`              |
-| `PUT`    | `/secret/:path`              |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secrets to
-  create/update. This is specified as part of the URL.
-
-- `:key` `(string: "")` – Specifies a key, paired with an associated value, to
-  be held at the given location. Multiple key/value pairs can be specified, and
-  all will be returned on a read operation. A key called `ttl` will trigger
-  some special behavior. See the [Vault KV secrets engine
-  documentation](/docs/secrets/kv/index.html) for details.
-
-### Sample Payload
-
-```json
-{
-  "foo": "bar",
-  "zip": "zap"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/secret/my-secret
-```
-
-## Delete Secret
-
-This endpoint deletes the secret at the specified location.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/secret/:path`              |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to delete.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/secret/my-secret
-```
diff --git a/website/source/api/secret/kv/kv-v2.html.md b/website/source/api/secret/kv/kv-v2.html.md
deleted file mode 100644
index 47310614daa9..000000000000
--- a/website/source/api/secret/kv/kv-v2.html.md
+++ /dev/null
@@ -1,497 +0,0 @@
----
-layout: "api"
-page_title: "KV - Secrets Engines - HTTP API"
-sidebar_title: "K/V Version 2"
-sidebar_current: "api-http-secret-kv-v2"
-description: |-
-  This is the API documentation for the Vault KV secrets engine.
----
-
-# KV Secrets Engine - Version 2 (API)
-
-This is the API documentation for the Vault KV secrets engine while running in
-versioned mode. For general information about the usage and operation of the kv
-secrets engine, please see the [Vault kv
-documentation](/docs/secrets/kv/index.html).
-
-This documentation assumes the kv secrets engine is enabled at the
-`/secret` path in Vault and that versioning has been enabled. Since it is
-possible to enable secrets engines at any location, please update your API calls
-accordingly.
-
-
-## Configure the KV Engine
-
-This path configures backend level settings that are applied to every key in the
-key-value store.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/secret/config`             |
-
-### Parameters
-
-- `max_versions` `(int: 0)` – The number of versions to keep per key. This value
-  applies to all keys, but a key's metadata setting can overwrite this value.
-  Once a key has more than the configured allowed versions the oldest version
-  will be permanently deleted. Defaults to 10.
-
-- `cas_required` `(bool: false)` – If true all keys will require the cas
-  parameter to be set on all write requests.
-
-- `delete_version_after` `(string:"0s")` – If set, specifies the length
-  of time before a version is deleted.
-  Accepts [Go duration format string][duration-godoc].
-
-[duration-godoc]: https://golang.org/pkg/time/#ParseDuration
-
-### Sample Payload
-
-```json
-{
-  "max_versions": 5,
-  "cas_required": false,
-  "delete_version_after": "3h25m19s"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/secret/config
-```
-
-## Read KV Engine configuration
-
-This path retrieves the current configuration for the secrets backend at the
-given path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/secret/config`             |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/secret/config
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "cas_required": false,
-    "max_versions": 0,
-    "delete_version_after": "3h25m19s"
-  }
-}
-```
-
-
-## Read Secret Version
-
-This endpoint retrieves the secret at the specified location.
-
-| Method   | Path                         |
-| :--------------------------- | :------------------------------- |
-| `GET`    | `/secret/data/:path?version=:version-number`         |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to read.
-  This is specified as part of the URL.
-- `version` `(int: 0)` - Specifies the version to return. If not set the latest
-  version is returned.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/secret/data/my-secret?version=2
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "data": {
-        "foo": "bar"
-    },
-    "metadata": {
-      "created_time": "2018-03-22T02:24:06.945319214Z",
-      "deletion_time": "",
-      "destroyed": false,
-      "version": 2
-    }
-  },
-}
-```
-
-## Create/Update Secret
-
-This endpoint creates a new version of a secret at the specified location. If
-the value does not yet exist, the calling token must have an ACL policy granting
-the `create` capability. If the value already exists, the calling token must
-have an ACL policy granting the `update` capability.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/secret/data/:path`         |
-
-### Parameters
-
-- `options` `(Map: <optional>)` – An object that holds option settings.
-
-    - `cas` `(int: <optional>)` - Set the "cas" value to use a Check-And-Set
-      operation. If not set the write will be allowed. If set to 0 a write will
-      only be allowed if the key doesn’t exist. If the index is non-zero the
-      write will only be allowed if the key’s current version matches the
-      version specified in the cas parameter.
-
-- `data` `(Map: <required>)` – The contents of the data map will be stored and
-  returned on read.
-
-### Sample Payload
-
-```json
-{
-  "options": {
-      "cas": 0
-  },
-  "data": {
-	  "foo": "bar",
-	  "zip": "zap"
-	}
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/secret/data/my-secret
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "created_time": "2018-03-22T02:36:43.986212308Z",
-    "deletion_time": "",
-    "destroyed": false,
-    "version": 1
-  }
-}
-```
-
-## Delete Latest Version of Secret
-
-This endpoint issues a soft delete of the secret's latest version at the
-specified location. This marks the version as deleted and will stop it from
-being returned from reads, but the underlying data will not be removed. A
-delete can be undone using the `undelete` path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/secret/data/:path`         |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to delete.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/secret/data/my-secret
-```
-
-## Delete Secret Versions
-
-This endpoint issues a soft delete of the specified versions of the secret. This
-marks the versions as deleted and will stop them from being returned from reads,
-but the underlying data will not be removed. A delete can be undone using the
-`undelete` path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/secret/delete/:path`       |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to delete.
-  This is specified as part of the URL.
-- `versions` `([]int: <required>)` - The versions to be deleted. The versioned
-  data will not be deleted, but it will no longer be returned in normal get
-  requests.
-
-### Sample Payload
-
-```json
-{
-    "versions": [1, 2]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/secret/delete/my-secret
-```
-
-## Undelete Secret Versions
-
-Undeletes the data for the provided version and path in the key-value store.
-This restores the data, allowing it to be returned on get requests.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/secret/undelete/:path`     |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to undelete.
-  This is specified as part of the URL.
-
-- `versions` `([]int: <required>)` - The versions to undelete. The versions will
-  be restored and their data will be returned on normal get requests.
-
-### Sample Payload
-
-```json
-{
-    "versions": [1, 2]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/secret/undelete/my-secret
-```
-
-## Destroy Secret Versions
-
-Permanently removes the specified version data for the provided key and version
-numbers from the key-value store.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/secret/destroy/:path`      |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to destroy.
-  This is specified as part of the URL.
-
-- `versions` `([]int: <required>)` - The versions to destroy. Their data will be
-  permanently deleted.
-
-### Sample Payload
-
-```json
-{
-    "versions": [1, 2]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/secret/destroy/my-secret
-```
-
-## List Secrets
-
-This endpoint returns a list of key names at the specified location. Folders are
-suffixed with `/`. The input must be a folder; list on a file will not return a
-value. Note that no policy-based filtering is performed on keys; do not encode
-sensitive information in key names. The values themselves are not accessible via
-this command.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/secret/metadata/:path`     |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secrets to list.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    https://127.0.0.1:8200/v1/secret/metadata/my-secret
-```
-
-### Sample Response
-
-The example below shows output for a query path of `secret/` when there are
-secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
-entries.
-
-```json
-{
-  "data": {
-    "keys": ["foo", "foo/"]
-  },
-}
-```
-
-## Read Secret Metadata
-
-This endpoint retrieves the metadata and versions for the secret at the
-specified path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/secret/metadata/:path`     |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to read.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/secret/metadata/my-secret
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "created_time": "2018-03-22T02:24:06.945319214Z",
-    "current_version": 3,
-    "max_versions": 0,
-    "oldest_version": 0,
-    "updated_time": "2018-03-22T02:36:43.986212308Z",
-    "versions": {
-      "1": {
-        "created_time": "2018-03-22T02:24:06.945319214Z",
-        "deletion_time": "",
-        "destroyed": false
-      },
-      "2": {
-        "created_time": "2018-03-22T02:36:33.954880664Z",
-        "deletion_time": "",
-        "destroyed": false
-      },
-      "3": {
-        "created_time": "2018-03-22T02:36:43.986212308Z",
-        "deletion_time": "",
-        "destroyed": false
-      }
-    }
-  }
-}
-```
-
-
-## Update Metadata
-
-This endpoint creates a new version of a secret at the specified location. If
-the value does not yet exist, the calling token must have an ACL policy granting
-the `create` capability. If the value already exists, the calling token must
-have an ACL policy granting the `update` capability.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/secret/metadata/:path`     |
-
-### Parameters
-
-- `max_versions` `(int: 0)` – The number of versions to keep per key. If not
-  set, the backend’s configured max version is used. Once a key has more than
-  the configured allowed versions the oldest version will be permanently
-  deleted.
-
-- `cas_required` `(bool: false)` – If true the key will require the cas
-  parameter to be set on all write requests. If false, the backend’s
-  configuration will be used.
-
-- `delete_version_after` `(string:"0s")` – Set the `delete_version_after` value
-  to a duration to specify the `deletion_time` for all new versions
-  written to this key. If not set, the backend's `delete_version_after` will be
-  used. If the value is greater than the backend's `delete_version_after`, the
-  backend's `delete_version_after` will be used. Accepts [Go duration
-  format string][duration-godoc].
-
-### Sample Payload
-
-```json
-{
-  "max_versions": 5,
-  "cas_required": false,
-  "delete_version_after": "3h25m19s"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    https://127.0.0.1:8200/v1/secret/metadata/my-secret
-```
-
-## Delete Metadata and All Versions
-
-This endpoint permanently deletes the key metadata and all version data for the
-specified key. All version history will be removed.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE`   | `/secret/metadata/:path`   |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the secret to delete.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    https://127.0.0.1:8200/v1/secret/metadata/my-secret
-```
diff --git a/website/source/api/secret/mongodb/index.html.md b/website/source/api/secret/mongodb/index.html.md
deleted file mode 100644
index 21a7d34a68c0..000000000000
--- a/website/source/api/secret/mongodb/index.html.md
+++ /dev/null
@@ -1,351 +0,0 @@
----
-layout: "api"
-page_title: "MongoDB - Secrets Engines - HTTP API"
-sidebar_title: "MongoDB <sup>DEPRECATED</sup>"
-sidebar_current: "api-http-secret-mongodb"
-description: |-
-  This is the API documentation for the Vault MongoDB secrets engine.
----
-
-# MongoDB Secrets Engine (API)
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the API documentation for
-the new implementation of this secrets engine at
-[MongoDB database plugin HTTP API](/api/secret/databases/mongodb.html).
-
-This is the API documentation for the Vault MongoDB secrets engine. For general
-information about the usage and operation of the MongoDB secrets engine, please
-see the
-[Vault MongoDB secrets engine documentation](/docs/secrets/mongodb/index.html).
-
-This documentation assumes the MongoDB secrets engine is enabled at the
-`/mongodb` path in Vault. Since it is possible to enable secrets engines at any
-location, please update your API calls accordingly.
-
-## Configure Connection
-
-This endpoint configures the standard connection string (URI) used to
-communicate with MongoDB.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mongodb/config/connection` |
-
-### Parameters
-
-- `url` `(string: <required>)` – Specifies the MongoDB standard connection
-  string (URI).
-
-- `verify_connection` `(bool: true)` – Specifies if the connection is verified
-  during initial configuration.
-
-### Sample Payload
-
-```json
-{
-  "url": "mongodb://db1.example.net,db2.example.net:2500/?replicaSet=test"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mongodb/config/connection
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": [
-    "Read access to this endpoint should be controlled via ACLs as it will return the connection URI as it is, including passwords, if any."
-  ],
-  "auth": null
-}
-```
-
-## Read Connection
-
-This endpoint queries the connection configuration. Access to this endpoint
-should be controlled via ACLs as it will return the connection URI as it is,
-including passwords, if any.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/mongodb/config/connection` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/mongodb/config/connection
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "uri": "mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Configure Lease
-
-This endpoint configures the default lease TTL settings for credentials
-generated by the mongodb secrets engine.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mongodb/config/lease`      |
-
-### Parameters
-
-- `lease` `(string: <required>)` – Specifies the lease value provided as a
-  string duration with time suffix. "h" (hour) is the largest suffix.
-
-- `lease_max` `(string: <required>)` – Specifies the maximum lease value
-  provided as a string duration with time suffix. "h" (hour) is the largest
-  suffix.
-
-### Sample Payload
-
-```json
-{
-  "lease": "12h",
-  "lease_max": "24h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mongodb/config/lease
-```
-
-## Read Lease
-
-This endpoint queries the lease configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/mongodb/config/lease`      |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/mongodb/config/lease
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "max_ttl": 60,
-    "ttl": 60
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Create Role
-
-This endpoint creates or updates a role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mongodb/roles/:name`       |
-
-### Parameters
-
-- `db` `(string: <required>)` – Specifies the name of the database users should
-  be created in for this role.
-
-- `roles` `(string: "")` – Specifies the MongoDB roles to assign to the users
-  generated for this role.
-
-### Sample Payload
-
-```json
-{
-  "db": "my-db",
-  "roles": "[\"readWrite\",{\"db\":\"bar\",\"role\":\"read\"}]"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mongodb/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/mongodb/roles/:name`       |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/mongodb/roles/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "db": "foo",
-    "roles": "[\"readWrite\",{\"db\":\"bar\",\"role\":\"read\"}]"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## List Roles
-
-This endpoint returns a list of available roles. Only the role names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/mongodb/roles`             |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/mongodb/roles
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "keys": [
-      "dev",
-      "prod"
-    ]
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Delete Role
-
-This endpoint deletes the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/mongodb/roles/:name`       |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/mongodb/roles/my-role
-```
-
-## Generate Credentials
-
-This endpoint generates a new set of dynamic credentials based on the named
-role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/mongodb/creds/:name`       |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create
-  credentials against. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/mongodb/creds/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "mongodb/creds/readonly/e64e79d8-9f56-e379-a7c5-373f9b4ee3d8",
-  "renewable": true,
-  "lease_duration": 3600,
-  "data": {
-    "db": "foo",
-    "password": "de0f7b50-d700-54e5-4e81-5c3724283999",
-    "username": "vault-token-b32098cb-7ff2-dcf5-83cd-d5887cedf81b"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
diff --git a/website/source/api/secret/mssql/index.html.md b/website/source/api/secret/mssql/index.html.md
deleted file mode 100644
index 91fcb8ab4782..000000000000
--- a/website/source/api/secret/mssql/index.html.md
+++ /dev/null
@@ -1,250 +0,0 @@
----
-layout: "api"
-page_title: "MSSQL - Secrets Engines - HTTP API"
-sidebar_title: "MSSQL <sup>DEPRECATED</sup>"
-sidebar_current: "api-http-secret-mssql"
-description: |-
-  This is the API documentation for the Vault MSSQL secrets engine.
----
-
-# MSSQL Secrets Engine (API)
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the API documentation for
-the new implementation of this secrets engine at
-[MSSQL database plugin HTTP API](/api/secret/databases/mssql.html).
-
-This is the API documentation for the Vault MSSQL secrets engine. For general
-information about the usage and operation of the MSSQL secrets engine, please
-see the [Vault MSSQL documentation](/docs/secrets/mssql/index.html).
-
-This documentation assumes the MSSQL secrets engine is enabled at the `/mssql`
-path in Vault. Since it is possible to enable secrets engines at any location,
-please update your API calls accordingly.
-
-## Configure Connection
-
-This endpoint configures the connection DSN used to communicate with Microsoft
-SQL Server.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mssql/config/connection`   |
-
-### Parameters
-
-- `connection_string` `(string: <required>)` – Specifies the MSSQL DSN.
-
-- `max_open_connections` `(int: 2)` – Specifies the maximum number of open
-  connections to the database.
-
-- `max_idle_connections` `(int: 0)` – Specifies the maximum number of idle
-  connections to the database. A zero uses the value of `max_open_connections`
-  and a negative value disables idle connections. If larger than
-  `max_open_connections` it will be reduced to be equal.
-
-### Sample Payload
-
-```json
-{
-  "connection_string": "Server=myServerAddress;Database=myDataBase;User Id=myUsername; Password=myPassword;"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mssql/config/connection
-```
-
-## Configure Lease
-
-This endpoint configures the lease settings for generated credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mysql/config/lease`        |
-
-### Parameters
-
-- `lease` `(string: <required>)` – Specifies the lease value provided as a
-  string duration with time suffix. "h" (hour) is the largest suffix.
-
-- `lease_max` `(string: <required>)` – Specifies the maximum lease value
-  provided as a string duration with time suffix. "h" (hour) is the largest
-  suffix.
-
-### Sample Payload
-
-```json
-{
-  "lease": "12h",
-  "lease_max": "24h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mssql/config/lease
-```
-
-## Create Role
-
-This endpoint creates or updates the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mssql/roles/:name`         |
-
-### Parameters
-
-- `sql` `(string: <required>)` – Specifies the SQL statements executed to create
-  and configure the role.  The '{{name}}' and '{{password}}' values will be
-  substituted. Must be a semicolon-separated string, a base64-encoded
-  semicolon-separated string, a serialized JSON string array, or a
-  base64-encoded serialized JSON string array.
-
-### Sample Payload
-
-```json
-{
-  "sql": "CREATE LOGIN ..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mssql/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/mssql/roles/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/mssql/roles/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "sql": "CREATE LOGIN..."
-  }
-}
-```
-
-## List Roles
-
-This endpoint returns a list of available roles. Only the role names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/mssql/roles`               |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/mssql/roles
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["dev", "prod"]
-  },
-  "lease_duration": 2764800,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Delete Role
-
-This endpoint deletes the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/mssql/roles/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/mssql/roles/my-role
-```
-
-## Generate Credentials
-
-This endpoint generates a new set of dynamic credentials based on the named
-role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/mssql/creds/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create
-  credentials against. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/mssql/creds/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "username": "root-a147d529-e7d6-4a16-8930-4c3e72170b19",
-    "password": "ee202d0d-e4fd-4410-8d14-2a78c5c8cb76"
-  }
-}
-```
diff --git a/website/source/api/secret/mysql/index.html.md b/website/source/api/secret/mysql/index.html.md
deleted file mode 100644
index f384f7d63c99..000000000000
--- a/website/source/api/secret/mysql/index.html.md
+++ /dev/null
@@ -1,271 +0,0 @@
----
-layout: "api"
-page_title: "MySQL - Secrets Engines - HTTP API"
-sidebar_title: "MySQL <sup>DEPRECATED</sup>"
-sidebar_current: "api-http-secret-mysql"
-description: |-
-  This is the API documentation for the Vault MySQL secrets engine.
----
-
-# MySQL Secrets Engine (API)
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the API documentation for
-the new implementation of this secrets engine at
-[MySQL/MariaDB database plugin HTTP API](/api/secret/databases/mysql-maria.html).
-
-This is the API documentation for the Vault MySQL secrets engine. For general
-information about the usage and operation of the MySQL secrets engine, please
-see the [Vault MySQL documentation](/docs/secrets/mysql/index.html).
-
-This documentation assumes the MySQL secrets engine is enabled at the `/mysql`
-path in Vault. Since it is possible to enable secrets engines at any location,
-please update your API calls accordingly.
-
-## Configure Connection
-
-This endpoint configures the connection DSN used to communicate with MySQL.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mysql/config/connection`   |
-
-### Parameters
-
-- `connection_url` `(string: <required>)` – Specifies the MySQL DSN.
-
-- `max_open_connections` `(int: 2)` – Specifies the maximum number of open
-  connections to the database.
-
-- `max_idle_connections` `(int: 0)` – Specifies the maximum number of idle
-  connections to the database. A zero uses the value of `max_open_connections`
-  and a negative value disables idle connections. If larger than
-  `max_open_connections` it will be reduced to be equal.
-
-- `verify_connection` `(bool: true)` – Specifies if the connection is verified
-  during initial configuration.
-
-### Sample Payload
-
-```json
-{
-  "connection_url": "mysql:host=localhost;dbname=testdb"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mysql/config/connection
-```
-
-## Configure Lease
-
-This endpoint configures the lease settings for generated credentials. If not
-configured, leases default to 1 hour. This is a root protected endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mysql/config/lease`        |
-
-### Parameters
-
-- `lease` `(string: <required>)` – Specifies the lease value provided as a
-  string duration with time suffix. "h" (hour) is the largest suffix.
-
-- `lease_max` `(string: <required>)` – Specifies the maximum lease value
-  provided as a string duration with time suffix. "h" (hour) is the largest
-  suffix.
-
-### Sample Payload
-
-```json
-{
-  "lease": "12h",
-  "lease_max": "24h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mysql/config/lease
-```
-
-## Create Role
-
-This endpoint creates or updates the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/mysql/roles/:name`         |
-
-### Parameters
-
-- `sql` `(string: <required>)` – Specifies the SQL statements executed to create
-  and configure a user. Must be a semicolon-separated string, a base64-encoded
-  semicolon-separated string, a serialized JSON string array, or a
-  base64-encoded serialized JSON string array. The '{{name}}' and
-  '{{password}}' values will be substituted.
-
-- `revocation_sql` `(string: "")` – Specifies the SQL statements executed to
-  revoke a user. Must be a semicolon-separated string, a base64-encoded
-  semicolon-separated string, a serialized JSON string array, or a
-  base64-encoded serialized JSON string array. The '{{name}}' value will be
-  substituted.
-
-- `rolename_length` `(int: 4)` – Specifies how many characters from the role
-  name will be used to form the mysql username interpolated into the '{{name}}'
-  field of the sql parameter.  
-
-- `displayname_length` `(int: 4)` – Specifies how many characters from the token
-  display name will be used to form the mysql username interpolated into the
-  '{{name}}' field of the sql parameter.  
-
-- `username_length` `(int: 16)` – Specifies the maximum total length in
-  characters of the mysql username interpolated into the '{{name}}' field of the
-  sql parameter.
-
-### Sample Payload
-
-```json
-{
-  "sql": "CREATE USER ..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/mysql/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/mysql/roles/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/mysql/roles/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "sql": "CREATE USER..."
-  }
-}
-```
-
-## List Roles
-
-This endpoint returns a list of available roles. Only the role names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/mysql/roles`               |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/mysql/roles
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["dev", "prod"]
-  },
-  "lease_duration": 2764800,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Delete Role
-
-This endpoint deletes the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/mysql/roles/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/mysql/roles/my-role
-```
-
-## Generate Credentials
-
-This endpoint generates a new set of dynamic credentials based on the named
-role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/mysql/creds/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create
-  credentials against. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/mysql/creds/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "username": "user-role-aefa63",
-    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
-  }
-}
-```
diff --git a/website/source/api/secret/nomad/index.html.md b/website/source/api/secret/nomad/index.html.md
deleted file mode 100644
index ae3c327a5807..000000000000
--- a/website/source/api/secret/nomad/index.html.md
+++ /dev/null
@@ -1,332 +0,0 @@
----
-layout: "api"
-page_title: "Nomad Secret Backend - HTTP API"
-sidebar_title: "Nomad"
-sidebar_current: "api-http-secret-nomad"
-description: |-
-  This is the API documentation for the Vault Nomad secret backend.
----
-
-# Nomad Secret Backend HTTP API
-
-This is the API documentation for the Vault Nomad secret backend. For general
-information about the usage and operation of the Nomad backend, please see the
-[Vault Nomad backend documentation](/docs/secrets/nomad/index.html).
-
-This documentation assumes the Nomad backend is mounted at the `/nomad` path
-in Vault. Since it is possible to mount secret backends at any location, please
-update your API calls accordingly.
-
-## Configure Access
-
-This endpoint configures the access information for Nomad. This access
-information is used so that Vault can communicate with Nomad and generate
-Nomad tokens.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/nomad/config/access`       |
-
-### Parameters
-
-- `address` `(string: "")` – Specifies the address of the Nomad
-  instance, provided as `"protocol://host:port"` like `"http://127.0.0.1:4646"`.
-  This value can also be provided on individual calls with the NOMAD_ADDR 
-  environment variable.
-
-- `token` `(string: "")` – Specifies the Nomad Management token to use.
-  This value can also be provided on individual calls with the NOMAD_TOKEN 
-  environment variable.
-
-- `max_token_name_length` `(int: <optional>)` – Specifies the maximum length to
-  use for the name of the Nomad token generated with [Generate
-  Credential](#generate-credential). If omitted, `0` is used and ignored,
-  defaulting to the max value allowed by the Nomad version. For Nomad versions
-  0.8.3 and earlier, the default is `64`. For Nomad version 0.8.4 and later, the default is
-  `256`.
-
-### Sample Payload
-
-```json
-{
-  "address": "http://127.0.0.1:4646",
-  "token": "adha...",
-  "max_token_name_length": 256
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --header "X-Vault-Token: ..." \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/nomad/config/access
-```
-
-## Read Access Configuration
-
-This endpoint queries for information about the Nomad connection.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/nomad/config/access`       |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/nomad/config/access
-```
-
-### Sample Response
-
-```json
-  "data": {
-    "address": "http://localhost:4646/"
-  }
-```
-
-## Configure Lease
-
-This endpoint configures the lease settings for generated tokens.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/nomad/config/lease`        |
-
-### Parameters
-
-- `ttl` `(string: "")` – Specifies the ttl for the lease. This is provided
-  as a string duration with a time suffix like `"30s"` or `"1h"` or as total 
-  seconds.
-
-- `max_ttl` `(string: "")` – Specifies the max ttl for the lease. This is 
-  provided as a string duration with a time suffix like `"30s"` or `"1h"` or as 
-  total seconds.
-
-### Sample Payload
-
-```json
-{
-  "ttl": 1800,
-  "max_ttl": 3600
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/nomad/config/lease
-```
-
-## Read Lease Configuration
-
-This endpoint queries for information about the Lease TTL for the specified mount.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/nomad/config/lease`        |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/nomad/config/lease
-```
-
-### Sample Response
-
-```json
-  "data": {
-    "max_ttl": 86400,
-    "ttl": 86400
-  }
-```
-
-## Delete Lease Configuration
-
-This endpoint deletes the lease configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/nomad/config/lease`         |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/nomad/config/lease
-```
-
-## Create/Update Role
-
-This endpoint creates or updates the Nomad role definition in Vault. If the role does not exist, it will be created. If the role already exists, it will receive
-updated attributes.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/nomad/role/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of an existing role against
-  which to create this Nomad tokens. This is part of the request URL.
-
-- `policies` `(string: "")` – Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.
-
-- `global` `(bool: "false")` – Specifies if the token should be global, as defined in the [Nomad Documentation](https://www.nomadproject.io/guides/acl.html#acl-tokens).
-
-- `type` `(string: "client")` - Specifies the type of token to create when
-  using this role. Valid values are `"client"` or `"management"`.
-
-### Sample Payload
-
-To create a client token with a custom policy:
-
-```json
-{
-  "policies": "readonly"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --header "X-Vault-Token: ..." \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/nomad/role/monitoring
-```
-
-## Read Role
-
-This endpoint queries for information about a Nomad role with the given name.
-If no role exists with that name, a 404 is returned.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/nomad/role/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to query. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/nomad/role/monitoring
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "lease": "0s",
-    "policies": [
-      "example"
-    ],
-    "token_type": "client"
-  }
-}
-```
-
-## List Roles
-
-This endpoint lists all existing roles in the backend.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`    | `/nomad/role`              |
-| `GET`     | `/nomad/role?list=true`    |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/nomad/role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": [
-      "example"
-    ]
-  }
-}
-```
-
-## Delete Role
-
-This endpoint deletes a Nomad role with the given name. Even if the role does
-not exist, this endpoint will still return a successful response.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/nomad/role/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --request DELETE \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/nomad/role/example-role
-```
-
-## Generate Credential
-
-This endpoint generates a dynamic Nomad token based on the given role
-definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/nomad/creds/:name`         |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of an existing role against
-  which to create this Nomad token. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/nomad/creds/example
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "accessor_id": "c834ba40-8d84-b0c1-c084-3a31d3383c03",
-    "secret_id": "65af6f07-7f57-bb24-cdae-a27f86a894ce"
-  }
-}
-```
diff --git a/website/source/api/secret/pki/index.html.md b/website/source/api/secret/pki/index.html.md
deleted file mode 100644
index 323f6dd3a232..000000000000
--- a/website/source/api/secret/pki/index.html.md
+++ /dev/null
@@ -1,1596 +0,0 @@
----
-layout: "api"
-page_title: "PKI - Secrets Engines - HTTP API"
-sidebar_title: "PKI"
-sidebar_current: "api-http-secret-pki"
-description: |-
-  This is the API documentation for the Vault PKI secrets engine.
----
-
-# PKI Secrets Engine (API)
-
-This is the API documentation for the Vault PKI secrets engine. For general
-information about the usage and operation of the PKI secrets engine, please see
-the [PKI documentation](/docs/secrets/pki/index.html).
-
-This documentation assumes the PKI secrets engine is enabled at the `/pki` path
-in Vault. Since it is possible to enable secrets engines at any location, please
-update your API calls accordingly.
-
-## Table of Contents
-
-* [Read CA Certificate](#read-ca-certificate)
-* [Read CA Certificate Chain](#read-ca-certificate-chain)
-* [Read Certificate](#read-certificate)
-* [List Certificates](#list-certificates)
-* [Submit CA Information](#submit-ca-information)
-* [Read CRL Configuration](#read-crl-configuration)
-* [Set CRL Configuration](#set-crl-configuration)
-* [Read URLs](#read-urls)
-* [Set URLs](#set-urls)
-* [Read CRL](#read-crl)
-* [Rotate CRLs](#rotate-crls)
-* [Generate Intermediate](#generate-intermediate)
-* [Set Signed Intermediate](#set-signed-intermediate)
-* [Generate Certificate](#generate-certificate)
-* [Revoke Certificate](#revoke-certificate)
-* [Create/Update Role](#create-update-role)
-* [Read Role](#read-role)
-* [List Roles](#list-roles)
-* [Delete Role](#delete-role)
-* [Generate Root](#generate-root)
-* [Delete Root](#delete-root)
-* [Sign Intermediate](#sign-intermediate)
-* [Sign Self-Issued](#sign-self-issued)
-* [Sign Certificate](#sign-certificate)
-* [Sign Verbatim](#sign-verbatim)
-* [Tidy](#tidy)
-
-## Read CA Certificate
-
-This endpoint retrieves the CA certificate *in raw DER-encoded form*. This is a
-bare endpoint that does not return a standard Vault data structure and cannot
-be read by the Vault CLI; use `/pki/cert` for that. If `/pem` is added to the
-endpoint, the CA certificate is returned in PEM format.
-
-This is an unauthenticated endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/pki/ca(/pem)`              | 
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/pki/ca/pem
-```
-
-### Sample Response
-
-```
-<binary DER-encoded certificate>
-```
-
-## Read CA Certificate Chain
-
-This endpoint retrieves the CA certificate chain, including the CA _in PEM
-format_. This is a bare endpoint that does not return a standard Vault data
-structure and cannot be read by the Vault CLI; use `/pki/cert` for that.
-
-This is an unauthenticated endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/pki/ca_chain`              |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/pki/ca_chain
-```
-
-### Sample Response
-
-```
-<PEM-encoded certificate chain>
-```
-
-## Read Certificate
-
-This endpoint retrieves one of a selection of certificates. This endpoint returns the certificate in PEM formatting in the
-`certificate` key of the JSON object, which is a standard Vault response that is readable by the Vault CLI.
-
-This is an unauthenticated endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/pki/cert/:serial`          |
-
-### Parameters
-
-- `serial` `(string: <required>)` – Specifies the serial of the key to read.
-  This is part of the request URL. Valid values for `serial` are:
-
-    - `<serial>` for the certificate with the given serial number
-    - `ca` for the CA certificate
-    - `crl` for the current CRL
-    - `ca_chain` for the CA trust chain or a serial number in either hyphen-separated or colon-separated octal format
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/pki/cert/crl
-```
-
-### Sample Response
-```json
-{
-  "data": {
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIIGmDCCBYCgAwIBAgIHBzEB3fTzhTANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE\n..."
-  }
-}
-```
-
-
-## List Certificates
-
-This endpoint returns a list of the current certificates by serial number only.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/pki/certs`                 |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/pki/certs
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id":"",
-  "renewable":false,
-  "lease_duration":0,
-  "data":{
-    "keys":[
-      "17:67:16:b0:b9:45:58:c0:3a:29:e3:cb:d6:98:33:7a:a6:3b:66:c1",
-      "26:0f:76:93:73:cb:3f:a0:7a:ff:97:85:42:48:3a:aa:e5:96:03:21"
-    ]
-  },
-  "wrap_info":null,
-  "warnings":null,
-  "auth":null
-}
-```
-
-## Submit CA Information
-
-This endpoint allows submitting the CA information for the backend via a PEM
-file containing the CA certificate and its private key, concatenated.
-
-May optionally append additional CA certificates.  Useful when creating an
-intermediate CA to ensure a full chain is returned when signing or generating
-certificates.
-
-Not needed if you are generating a self-signed root certificate, and not used
-if you have a signed intermediate CA certificate with a generated key (use the
-`/pki/intermediate/set-signed` endpoint for that). _If you have already set a
-certificate and key, they will be overridden._
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/config/ca`             |
-
-### Parameters
-
-- `pem_bundle` `(string: <required>)` – Specifies the key and certificate concatenated in PEM format.
-
-### Sample Request
-
-```text
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data "@payload.json" \
-    http://127.0.0.1:8200/v1/pki/config/ca
-```
-
-Note that if you provide the data through the HTTP API it must be
-JSON-formatted, with newlines replaced with `\n`, like so:
-
-```json
-{
-  "pem_bundle": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END CERTIFICATE-----"
-}
-```
-
-## Read CRL Configuration
-
-This endpoint allows getting the duration for which the generated CRL should be
-marked valid.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/pki/config/crl`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/pki/config/crl
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-      "disable": false,
-      "expiry": "72h"
-    },
-  "auth": null
-}
-```
-
-## Set CRL Configuration
-
-This endpoint allows setting the duration for which the generated CRL should be
-marked valid. If the CRL is disabled, it will return a signed but zero-length
-CRL for any request. If enabled, it will re-build the CRL.
-
-  ~> Note: Disabling the CRL does not affect whether revoked certificates are
-  stored internally. Certificates that have been revoked when a role's
-  certificate storage is enabled will continue to be marked and stored as
-  revoked until `tidy` has been run with the desired safety buffer. Re-enabling
-  CRL generation will then result in all such certificates becoming a part of
-  the CRL.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/config/crl`            |
-
-### Parameters
-
-- `expiry` `(string: "72h")` – Specifies the time until expiration.
-- `disable` `(bool: false)` – Disables or enables CRL building.
-
-### Sample Payload
-
-```json
-{
-  "expiry": "48h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/config/crl
-```
-
-## Read URLs
-
-This endpoint fetches the URLs to be encoded in generated certificates.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/pki/config/urls`           |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/pki/config/urls
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "issuing_certificates": ["<url1>", "<url2>"],
-    "crl_distribution_points": ["<url1>", "<url2>"],
-    "ocsp_servers": ["<url1>", "<url2>"]
-  },
-  "auth": null
-}
-```
-
-## Set URLs
-
-This endpoint allows setting the issuing certificate endpoints, CRL distribution
-points, and OCSP server endpoints that will be encoded into issued certificates.
-You can update any of the values at any time without affecting the other
-existing values. To remove the values, simply use a blank string as the
-parameter.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/config/urls`           |
-
-### Parameters
-
-- `issuing_certificates` `(array<string>: nil)` – Specifies the URL values for
-  the Issuing Certificate field. This can be an array or a comma-separated
-  string list.
-
-- `crl_distribution_points` `(array<string>: nil)` – Specifies the URL values
-  for the CRL Distribution Points field. This can be an array or a
-  comma-separated string list.
-
-- `ocsp_servers` `(array<string>: nil)` – Specifies the URL values for the OCSP
-  Servers field. This can be an array or a comma-separated string list.
-
-### Sample Payload
-
-```json
-{
-  "ocsp_servers": ["https://..."]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/config/urls
-```
-
-## Read CRL
-
-This endpoint retrieves the current CRL **in raw DER-encoded form**. This
-endpoint is suitable for usage in the CRL Distribution Points extension in a CA
-certificate. This is a bare endpoint that does not return a standard Vault data
-structure and cannot be parsed by the Vault CLI; use `/pki/cert/crl` in that case.
-If `/pem` is added to the endpoint, the CRL is returned in PEM format.
-
-This is an unauthenticated endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/pki/crl(/pem)`             | 
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/pki/crl/pem
-```
-
-### Sample Response
-
-```
-<binary DER-encoded CRL>
-```
-
-## Rotate CRLs
-
-This endpoint forces a rotation of the CRL. This can be used by administrators
-to cut the size of the CRL if it contains a number of certificates
-that have now expired, but has not been rotated due to no further
-certificates being revoked.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/pki/crl/rotate`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/pki/crl/rotate
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "success": true
-  }
-}
-```
-
-## Generate Intermediate
-
-This endpoint generates a new private key and a CSR for signing. If using Vault
-as a root, and for many other CAs, the various parameters on the final
-certificate are set at signing time and may or may not honor the parameters set
-here. _This will overwrite any previously existing CA private key._
-
-This is mostly meant as a helper function, and not all possible parameters that
-can be set in a CSR are supported.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/intermediate/generate/:type` |
-
-### Parameters
-
-- `type` `(string: <required>)` – Specifies the type of the intermediate to
-  create. If `exported`, the private key will be returned in the response; if
-  `internal` the private key will not be returned and *cannot be retrieved
-  later*.  This is part of the request URL.
-
-- `common_name` `(string: <required>)` – Specifies the requested CN for the
-  certificate.
-
-- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
-  Names, in a comma-delimited list. These can be host names or email addresses;
-  they will be parsed into their respective fields.
-
-- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
-  Names, in a comma-delimited list.
-
-- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
-  Names, in a comma-delimited list.
-
-- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
-  must match values specified on the role in `allowed_other_sans` (see role
-  creation for allowed_other_sans globbing rules). 
-  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
-  only current valid type is `UTF8`. This can be a comma-delimited list or a
-  JSON string slice.
-
-- `format` `(string: "pem")` – Specifies the format for returned data. This can be
-  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
-  base64 encoded. If `pem_bundle`, the `csr` field will contain the private key
-  (if exported) and CSR, concatenated.
-
-- `private_key_format` `(string: "der")` – Specifies the format for marshaling the
-  private key. Defaults to `der` which will return either base64-encoded DER or
-  PEM-encoded DER, depending on the value of `format`. The other option is
-  `pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
-
-- `key_type` `(string: "rsa")` – Specifies the desired key type; must be `rsa`
-  or `ec`.
-
-- `key_bits` `(int: 2048)` – Specifies the number of bits to use. This must be
-  changed to a valid value if the `key_type` is `ec`, e.g., 224 or 521.
-
-- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
-  not be included in DNS or Email Subject Alternate Names (as appropriate).
-  Useful if the CN is not a hostname or email address, but is instead some
-  human-readable identifier.
-
-- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
-  subject field of the resulting CSR. This is a comma-separated string
-  or JSON array.
-
-- `organization` `(string: "")` – Specifies the O (Organization) values in the
-  subject field of the resulting CSR. This is a comma-separated string
-  or JSON array.
-
-- `country` `(string: "")` – Specifies the C (Country) values in the subject
-  field of the resulting CSR. This is a comma-separated string or JSON
-  array.
-
-- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
-  field of the resulting CSR. This is a comma-separated string or JSON
-  array.
-
-- `province` `(string: "")` – Specifies the ST (Province) values in the subject
-  field of the resulting CSR. This is a comma-separated string or JSON
-  array.
-
-- `street_address` `(string: "")` – Specifies the Street Address values in the
-  subject field of the resulting CSR. This is a comma-separated string
-  or JSON array.
-
-- `postal_code` `(string: "")` – Specifies the Postal Code values in the
-  subject field of the resulting CSR. This is a comma-separated string
-  or JSON array.
-
-- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
-  Otherwise Vault will generate a random serial for you. If you want more than
-  one, specify alternative names in the alt_names map using OID 2.5.4.5.
-
-### Sample Payload
-
-```json
-{
-  "common_name": "www.example.com"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/intermediate/generate/exported
-```
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 21600,
-  "data": {
-    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE REQUEST-----\n",
-    "private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEAwsANtGz9gS3o5SwTSlOG1l-----END RSA PRIVATE KEY-----",
-    "private_key_type": "rsa"
-  },
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Set Signed Intermediate
-
-This endpoint allows submitting the signed CA certificate corresponding to a
-private key generated via `/pki/intermediate/generate`. The certificate should
-be submitted in PEM format; see the documentation for
-[/pki/config/ca](/api/secret/pki/index.html#submit-ca-information) for some
-hints on submitting.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/intermediate/set-signed` |
-
-## Parameters
-
-- `certificate` `(string: <required>)` – Specifies the certificate in PEM
-  format. May optionally append additional CA certificates to populate the
-  whole chain, which will then enable returning the full chain from issue and
-  sign operations.
-
-### Sample Payload
-
-```json
-{
-  "certificate": "-----BEGIN CERTIFICATE..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/intermediate/set-signed
-```
-
-## Generate Certificate
-
-This endpoint generates a new set of credentials (private key and certificate)
-based on the role named in the endpoint. The issuing CA certificate is returned
-as well, so that only the root CA need be in a client's trust store.
-
-**The private key is _not_ stored. If you do not save the private key, you will
-need to request a new certificate.**
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/issue/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create the
-  certificate against. This is part of the request URL.
-
-- `common_name` `(string: <required>)` – Specifies the requested CN for the
-  certificate. If the CN is allowed by role policy, it will be issued.
-
-- `alt_names` `(string: "")` – Specifies requested Subject Alternative Names, in
-  a comma-delimited list. These can be host names or email addresses; they will
-  be parsed into their respective fields. If any requested names do not match
-  role policy, the entire request will be denied.
-
-- `ip_sans` `(string: "")` – Specifies requested IP Subject Alternative Names,
-  in a comma-delimited list. Only valid if the role allows IP SANs (which is the
-  default).
-
-- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
-  Names, in a comma-delimited list.
-
-- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
-  must match values specified on the role in `allowed_other_sans` (see role
-  creation for allowed_other_sans globbing rules). 
-  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
-  only current valid type is `UTF8`. This can be a comma-delimited list or a
-  JSON string slice.
-
-- `ttl` `(string: "")` – Specifies requested Time To Live. Cannot be greater
-  than the role's `max_ttl` value. If not provided, the role's `ttl` value will
-  be used. Note that the role values default to system values if not explicitly
-  set.
-
-- `format` `(string: "")` – Specifies the format for returned data. Can be
-  `pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
-  base64 encoded. If `pem_bundle`, the `certificate` field will contain the
-  private key and certificate, concatenated; if the issuing CA is not a
-  Vault-derived self-signed root, this will be included as well.
-
-- `private_key_format` `(string: "")` – Specifies the format for marshaling the
-  private key. Defaults to `der` which will return either base64-encoded DER or
-  PEM-encoded DER, depending on the value of `format`. The other option is
-  `pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
-
-- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
-  not be included in DNS or Email Subject Alternate Names (as appropriate).
-  Useful if the CN is not a hostname or email address, but is instead some
-  human-readable identifier.
-
-
-### Sample Payload
-
-```json
-{
-  "common_name": "www.example.com"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/issue/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "pki/issue/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
-  "renewable": false,
-  "lease_duration": 21600,
-  "data": {
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
-    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
-    "ca_chain": ["-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"],
-    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAnVHfwoKsUG1GDVyWB1AFroaKl2ImMBO8EnvGLRrmobIkQvh+\n...\nQN351pgTphi6nlCkGPzkDuwvtxSxiCWXQcaxrHAL7MiJpPzkIBq1\n-----END RSA PRIVATE KEY-----\n",
-    "private_key_type": "rsa",
-    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
-    },
-  "warnings": "",
-  "auth": null
-}
-```
-
-## Revoke Certificate
-
-This endpoint revokes a certificate using its serial number. This is an
-alternative option to the standard method of revoking using Vault lease IDs. A
-successful revocation will rotate the CRL.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/revoke`                |
-
-### Parameters
-
-- `serial_number` `(string: <required>)` – Specifies the serial number of the
-  certificate to revoke, in hyphen-separated or colon-separated octal.
-
-### Sample Payload
-
-```json
-{
-  "serial_number": "39:dd:2e..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/revoke
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "revocation_time": 1433269787
-  }
-}
-```
-
-## Create/Update Role
-
-This endpoint creates or updates the role definition. Note that the
-`allowed_domains`, `allow_subdomains`, `allow_glob_domains`, and
-`allow_any_name` attributes are additive; between them nearly and across
-multiple roles nearly any issuing policy can be accommodated. `server_flag`,
-`client_flag`, and `code_signing_flag` are additive as well. If a client
-requests a certificate that is not allowed by the CN policy in the role, the
-request is denied.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/roles/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create. This
-  is part of the request URL.
-
-- `ttl` `(string: "")` – Specifies the Time To Live value provided as a string
-  duration with time suffix. Hour is the largest suffix.  If not set, uses the
-  system default value or the value of `max_ttl`, whichever is shorter.
-
-- `max_ttl` `(string: "")` – Specifies the maximum Time To Live provided as a
-  string duration with time suffix. Hour is the largest suffix. If not set,
-  defaults to the system maximum lease TTL.
-
-- `allow_localhost` `(bool: true)` – Specifies if clients can request
-  certificates for `localhost` as one of the requested common names. This is
-  useful for testing and to allow clients on a single host to talk securely.
-
-- `allowed_domains` `(list: [])` – Specifies the domains of the role. This is 
-  used with the `allow_bare_domains` and `allow_subdomains` options.
-
-- `allow_bare_domains` `(bool: false)` – Specifies if clients can request
-  certificates matching the value of the actual domains themselves; e.g. if a
-  configured domain set with `allowed_domains` is `example.com`, this allows
-  clients to actually request a certificate containing the name `example.com` as
-  one of the DNS values on the final certificate. In some scenarios, this can be
-  considered a security risk.
-
-- `allow_subdomains` `(bool: false)` – Specifies if clients can request
-  certificates with CNs that are subdomains of the CNs allowed by the other role
-  options. _This includes wildcard subdomains._ For example, an
-  `allowed_domains` value of `example.com` with this option set to true will
-  allow `foo.example.com` and `bar.example.com` as well as `*.example.com`. This
-  is redundant when using the `allow_any_name` option.
-
-- `allow_glob_domains` `(bool: false)` - Allows names specified in
-  `allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`). Clients
-  will be allowed to request certificates with names matching the glob
-  patterns.
-
-- `allow_any_name` `(bool: false)` – Specifies if clients can request any CN.
-  Useful in some circumstances, but make sure you understand whether it is
-  appropriate for your installation before enabling it.
-
-- `enforce_hostnames` `(bool: true)` – Specifies if only valid host names are
-  allowed for CNs, DNS SANs, and the host part of email addresses.
-
-- `allow_ip_sans` `(bool: true)` – Specifies if clients can request IP Subject
-  Alternative Names. No authorization checking is performed except to verify
-  that the given values are valid IP addresses.
-
-- `allowed_uri_sans` `(string: "")` - Defines allowed URI Subject
-  Alternative Names. No authorization checking is performed except to verify
-  that the given values are valid URIs. This can be a comma-delimited list or
-  a JSON string slice. Values can contain glob patterns (e.g. 
-  `spiffe://hostname/*`).
-
-- `allowed_other_sans` `(string: "")` – Defines allowed custom OID/UTF8-string
-  SANs.  This can be a comma-delimited list or a JSON string slice, where 
-  each element has the same format as OpenSSL: `<oid>;<type>:<value>`, but 
-  the only valid type is `UTF8` or `UTF-8`.  The `value` part of an element
-  may be a `*` to allow any value with that OID.
-  Alternatively, specifying a single `*` will allow any `other_sans` input.
-
-- `server_flag` `(bool: true)` – Specifies if certificates are flagged for
-  server use.
-
-- `client_flag` `(bool: true)` – Specifies if certificates are flagged for
-  client use.
-
-- `code_signing_flag` `(bool: false)` – Specifies if certificates are flagged
-  for code signing use.
-
-- `email_protection_flag` `(bool: false)` – Specifies if certificates are
-  flagged for email protection use.
-
-- `key_type` `(string: "rsa")` – Specifies the type of key to generate for
-  generated private keys and the type of key expected for submitted CSRs.
-  Currently, `rsa` and `ec` are supported, or when signing CSRs `any` can be
-  specified to allow keys of either type and with any bit size (subject to >
-  1024 bits for RSA keys).
-
-- `key_bits` `(int: 2048)` – Specifies the number of bits to use for the
-  generated keys. This will need to be changed for `ec` keys, e.g., 224 or 521.
-
-- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` –
-  Specifies the allowed key usage constraint on issued certificates. Valid 
-  values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply 
-  drop the `KeyUsage` part of the value. Values are not case-sensitive. To 
-  specify no key usage constraints, set this to an empty list.
-
-- `ext_key_usage` `(list: [])` –
-  Specifies the allowed extended key usage constraint on issued certificates. Valid 
-  values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply 
-  drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To 
-  specify no key usage constraints, set this to an empty list.
-
-- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended key usage oids.
-
-- `use_csr_common_name` `(bool: true)` – When used with the CSR signing
-  endpoint, the common name in the CSR will be used instead of taken from the
-  JSON data. This does `not` include any requested SANs in the CSR; use
-  `use_csr_sans` for that.
-
-- `use_csr_sans` `(bool: true)` – When used with the CSR signing endpoint, the
-  subject alternate names in the CSR will be used instead of taken from the JSON
-  data. This does `not` include the common name in the CSR; use
-  `use_csr_common_name` for that.
-
-- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
-  subject field of issued certificates. This is a comma-separated string or
-  JSON array.
-
-- `organization` `(string: "")` – Specifies the O (Organization) values in the
-  subject field of issued certificates. This is a comma-separated string or
-  JSON array.
-
-- `country` `(string: "")` – Specifies the C (Country) values in the
-  subject field of issued certificates. This is a comma-separated string or
-  JSON array.
-
-- `locality` `(string: "")` – Specifies the L (Locality) values in the
-  subject field of issued certificates. This is a comma-separated string or
-  JSON array.
-
-- `province` `(string: "")` – Specifies the ST (Province) values in the
-  subject field of issued certificates. This is a comma-separated string or
-  JSON array.
-
-- `street_address` `(string: "")` – Specifies the Street Address values in the
-  subject field of issued certificates. This is a comma-separated string or
-  JSON array.
-
-- `postal_code` `(string: "")` – Specifies the Postal Code values in the
-  subject field of issued certificates. This is a comma-separated string or
-  JSON array.
-
-- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
-  Otherwise Vault will generate a random serial for you. If you want more than
-  one, specify alternative names in the alt_names map using OID 2.5.4.5.
-
-- `generate_lease` `(bool: false)` – Specifies  if certificates issued/signed
-  against this role will have Vault leases attached to them. Certificates can be
-  added to the CRL by `vault revoke <lease_id>` when certificates are associated
-  with leases.  It can also be done using the `pki/revoke` endpoint. However,
-  when lease generation is disabled, invoking `pki/revoke` would be the only way
-  to add the certificates to the CRL.
-
-- `no_store` `(bool: false)` – If set, certificates issued/signed against this
-  role will not be stored in the storage backend. This can improve performance
-  when issuing large numbers of certificates. However, certificates issued in
-  this way cannot be enumerated or revoked, so this option is recommended only
-  for certificates that are non-sensitive, or extremely short-lived.  This
-  option implies a value of `false` for `generate_lease`.
-
-- `require_cn` `(bool: true)` - If set to false, makes the `common_name` field
-  optional while generating a certificate.
-
-- `policy_identifiers` `(list: [])` – A comma-separated string or list of policy
-  OIDs.
-
-- `basic_constraints_valid_for_non_ca` `(bool: false)` - Mark Basic Constraints
-  valid when issuing non-CA certificates.
-
-- `not_before_duration` `(duration: "30s")` – Specifies the duration by which to backdate the NotBefore property.
-
-
-### Sample Payload
-
-```json
-{
-  "allowed_domains": ["example.com"],
-  "allow_subdomains": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/pki/roles/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/pki/roles/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "allow_any_name": false,
-    "allow_ip_sans": true,
-    "allow_localhost": true,
-    "allow_subdomains": false,
-    "allowed_domains": ["example.com", "foobar.com"],
-    "allowed_uri_sans": ["example.com","spiffe://*"],
-    "allowed_other_sans": ["1.3.6.1.4.1.311.20.2.3;utf8:devops@example.com","1.3.6.1.4.1.311.20.2.4;UTF-8:*"],
-    "client_flag": true,
-    "code_signing_flag": false,
-    "key_bits": 2048,
-    "key_type": "rsa",
-    "ttl": "6h",
-    "max_ttl": "12h",
-    "server_flag": true
-  }
-}
-```
-
-## List Roles
-
-This endpoint returns a list of available roles. Only the role names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/pki/roles`                 |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/pki/roles
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["dev", "prod"]
-  },
-  "lease_duration": 2764800,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Delete Role
-
-This endpoint deletes the role definition. Deleting a role **does not**
-revoke certificates previously issued under this role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/pki/roles/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/pki/roles/my-role
-```
-
-## Generate Root
-
-This endpoint generates a new self-signed CA certificate and private key. If
-the path ends with `exported`, the private key will be returned in the
-response; if it is `internal` the private key will not be returned and *cannot
-be retrieved later*.  Distribution points use the values set via `config/urls`.
-
-As with other issued certificates, Vault will automatically revoke the
-generated root at the end of its lease period; the CA certificate will sign its
-own CRL.
-
-As of Vault 0.8.1, if a CA cert/key already exists, this function will not
-overwrite it; it must be deleted first. Previous versions of Vault would
-overwrite the existing cert/key with new values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/root/generate/:type`   |
-
-
-### Parameters
-
-- `type` `(string: <required>)` – Specifies the type of the root to
-  create. If `exported`, the private key will be returned in the response; if
-  `internal` the private key will not be returned and *cannot be retrieved
-  later*.  This is part of the request URL.
-
-- `common_name` `(string: <required>)` – Specifies the requested CN for the
-  certificate.
-
-- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
-  Names, in a comma-delimited list. These can be host names or email addresses;
-  they will be parsed into their respective fields.
-
-- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
-  Names, in a comma-delimited list.
-
-- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
-  Names, in a comma-delimited list.
-
-- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
-  must match values specified on the role in `allowed_other_sans` (see role
-  creation for allowed_other_sans globbing rules). 
-  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
-  only current valid type is `UTF8`. This can be a comma-delimited list or a
-  JSON string slice.
-
-- `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
-  certificate will be expired). This cannot be larger than the engine's max (or,
-  if not set, the system max).
-
-- `format` `(string: "pem")` – Specifies the format for returned data. Can be
-  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
-  `pem_bundle`, the `certificate` field will contain the private key (if
-  exported) and certificate, concatenated; if the issuing CA is not a
-  Vault-derived self-signed root, this will be included as well.
-
-- `private_key_format` `(string: "")` – Specifies the format for marshaling the
-  private key. Defaults to `der` which will return either base64-encoded DER or
-  PEM-encoded DER, depending on the value of `format`. The other option is
-  `pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
-
-- `key_type` `(string: "rsa")` – Specifies the desired key type; must be `rsa`
-  or `ec`.
-
-- `key_bits` `(int: 2048)` – Specifies the number of bits to use. This must be
-  changed to a valid value if the `key_type` is `ec`, e.g., 224 or 521.
-
-- `max_path_length` `(int: -1)` – Specifies the maximum path length to encode in
-  the generated certificate. `-1` means no limit. Unless the signing certificate
-  has a maximum path length set, in which case the path length is set to one
-  less than that of the signing certificate.  A limit of `0` means a literal
-  path length of zero.
-
-- `exclude_cn_from_sans` `(bool: false)` – If set, the given `common_name` will
-  not be included in DNS or Email Subject Alternate Names (as appropriate).
-  Useful if the CN is not a hostname or email address, but is instead some
-  human-readable identifier.
-
-- `permitted_dns_domains` `(string: "")` – A comma separated string (or, string
-  array) containing DNS domains for which certificates are allowed to be issued
-  or signed by this CA certificate. Note that subdomains are allowed, as per
-  [RFC](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
-
-- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
-  subject field of the resulting certificate. This is a comma-separated string
-  or JSON array.
-
-- `organization` `(string: "")` – Specifies the O (Organization) values in the
-  subject field of the resulting certificate. This is a comma-separated string
-  or JSON array.
-
-- `country` `(string: "")` – Specifies the C (Country) values in the subject
-  field of the resulting certificate. This is a comma-separated string or JSON
-  array.
-
-- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
-  field of the resulting certificate. This is a comma-separated string or JSON
-  array.
-
-- `province` `(string: "")` – Specifies the ST (Province) values in the subject
-  field of the resulting certificate. This is a comma-separated string or JSON
-  array.
-
-- `street_address` `(string: "")` – Specifies the Street Address values in the
-  subject field of the resulting certificate. This is a comma-separated string
-  or JSON array.
-
-- `postal_code` `(string: "")` – Specifies the Postal Code values in the
-  subject field of the resulting certificate. This is a comma-separated string
-  or JSON array.
-
-- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
-  Otherwise Vault will generate a random serial for you. If you want more than
-  one, specify alternative names in the alt_names map using OID 2.5.4.5.
-
-### Sample Payload
-
-```json
-{
-  "common_name": "example.com"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/root/generate/internal
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
-    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
-    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
-  },
-  "auth": null
-}
-```
-
-## Delete Root
-
-This endpoint deletes the current CA key (the old CA certificate will still be
-accessible for reading until a new certificate/key are generated or uploaded).
-_This endpoint requires sudo/root privileges._
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE`   | `/pki/root`   |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/pki/root
-```
-
-## Sign Intermediate
-
-This endpoint uses the configured CA certificate to issue a certificate with
-appropriate values for acting as an intermediate CA. Distribution points use the
-values set via `config/urls`. Values set in the CSR are ignored unless
-`use_csr_values` is set to true, in which case the values from the CSR are used
-verbatim.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/root/sign-intermediate` |
-
-### Parameters
-
-- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
-
-- `common_name` `(string: <required>)` – Specifies the requested CN for the
-  certificate.
-
-- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
-  Names, in a comma-delimited list. These can be host names or email addresses;
-  they will be parsed into their respective fields.
-
-- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
-  Names, in a comma-delimited list.
-
-- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
-  Names, in a comma-delimited list.
-
-- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
-  must match values specified on the role in `allowed_other_sans` (see role
-  creation for allowed_other_sans globbing rules). 
-  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
-  only current valid type is `UTF8`. This can be a comma-delimited list or a
-  JSON string slice.
-
-- `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
-  certificate will be expired). This cannot be larger than the engine's max (or,
-  if not set, the system max). However, this can be after the expiration of the
-  signing CA.
-
-- `format` `(string: "pem")` – Specifies the format for returned data. Can be
-  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
-  `pem_bundle`, the `certificate` field will contain the certificate and, if the
-  issuing CA is not a Vault-derived self-signed root, it will be concatenated
-  with the certificate.
-
-- `max_path_length` `(int: -1)` – Specifies the maximum path length to encode in
-  the generated certificate. `-1`, means no limit, unless the signing
-  certificate has a maximum path length set, in which case the path length is
-  set to one less than that of the signing certificate.  A limit of `0` means a
-  literal path length of zero.
-
-- `exclude_cn_from_sans` `(string: "")` – Specifies the given `common_name` will
-  not be included in DNS or Email Subject Alternate Names (as appropriate).
-  Useful if the CN is not a hostname or email address, but is instead some
-  human-readable identifier.
-
-- `use_csr_values` `(bool: false)` – If set to `true`, then: 1) Subject
-  information, including names and alternate names, will be preserved from the
-  CSR rather than using the values provided in the other parameters to this
-  path; 2) Any key usages (for instance, non-repudiation) requested in the CSR
-  will be added to the basic set of key usages used for CA certs signed by this
-  path; 3) Extensions requested in the CSR will be copied into the issued
-  certificate.
-
-- `permitted_dns_domains` `(string: "")` – A comma separated string (or, string
-  array) containing DNS domains for which certificates are allowed to be issued
-  or signed by this CA certificate. Supports subdomains via a `.` in front of
-  the domain, as per
-  [RFC](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
-
-- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
-  subject field of the resulting certificate. This is a comma-separated string
-  or JSON array.
-
-- `organization` `(string: "")` – Specifies the O (Organization) values in the
-  subject field of the resulting certificate. This is a comma-separated string
-  or JSON array.
-
-- `country` `(string: "")` – Specifies the C (Country) values in the subject
-  field of the resulting certificate. This is a comma-separated string or JSON
-  array.
-
-- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
-  field of the resulting certificate. This is a comma-separated string or JSON
-  array.
-
-- `province` `(string: "")` – Specifies the ST (Province) values in the subject
-  field of the resulting certificate. This is a comma-separated string or JSON
-  array.
-
-- `street_address` `(string: "")` – Specifies the Street Address values in the
-  subject field of the resulting certificate. This is a comma-separated string
-  or JSON array.
-
-- `postal_code` `(string: "")` – Specifies the Postal Code values in the
-  subject field of the resulting certificate. This is a comma-separated string
-  or JSON array.
-
-- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
-  Otherwise Vault will generate a random serial for you. If you want more than
-  one, specify alternative names in the alt_names map using OID 2.5.4.5.
-
-### Sample Payload
-
-```json
-{
-  "csr": "...",
-  "common_name": "example.com"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/root/sign-intermediate
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
-    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
-    "ca_chain": ["-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"],
-    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
-  },
-  "auth": null
-}
-```
-## Sign Self-Issued
-
-This endpoint uses the configured CA certificate to sign a self-issued
-certificate (which will usually be a self-signed certificate as well).
-
-**_This is an extremely privileged endpoint_**. The given certificate will be
-signed as-is with only minimal validation performed (is it a CA cert, and is it
-actually self-issued). The only values that will be changed will be the
-authority key ID, the issuer DN, and, if set, any distribution points.
-
-This is generally only needed for root certificate rolling in cases where you
-don't want/can't get access to a CSR (such as if it's a root stored in Vault
-where the key is not exposed). If you don't know whether you need this
-endpoint, you most likely should be using a different endpoint (such as
-`sign-intermediate`).
-
-This endpoint requires `sudo` capability.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/root/sign-self-issued` |
-
-### Parameters
-
-- `certificate` `(string: <required>)` – Specifies the PEM-encoded self-issued certificate.
-
-### Sample Payload
-
-```json
-{
-  "certificate": "..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/root/sign-self-issued
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
-    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
-  },
-  "auth": null
-}
-```
-
-
-## Sign Certificate
-
-This endpoint signs a new certificate based upon the provided CSR and the
-supplied parameters, subject to the restrictions contained in the role named in
-the endpoint. The issuing CA certificate is returned as well, so that only the
-root CA need be in a client's trust store.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/sign/:name`            |
-
-### Parameters
-
-- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
-
-- `common_name` `(string: <required>)` – Specifies the requested CN for the
-  certificate. If the CN is allowed by role policy, it will be issued.
-
-- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
-  Names, in a comma-delimited list. These can be host names or email addresses;
-  they will be parsed into their respective fields. If any requested names do
-  not match role policy, the entire request will be denied.
-
-- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
-  must match values specified on the role in `allowed_other_sans` (see role
-  creation for allowed_other_sans globbing rules). 
-  The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
-  only current valid type is `UTF8`. This can be a comma-delimited list or a
-  JSON string slice.
-
-- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
-  Names, in a comma-delimited list. Only valid if the role allows IP SANs (which
-  is the default).
-
-- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
-  Names, in a comma-delimited list. If any requested URIs do not match role policy, 
-  the entire request will be denied.
-
-- `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
-  than the role's `max_ttl` value. If not provided, the role's `ttl` value will
-  be used. Note that the role values default to system values if not explicitly
-  set.
-
-- `format` `(string: "pem")` – Specifies the format for returned data. Can be
-  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
-  `pem_bundle`, the `certificate` field will contain the certificate and, if the
-  issuing CA is not a Vault-derived self-signed root, it will be concatenated
-  with the certificate.
-
-- `exclude_cn_from_sans` `(bool: false)` – If set, the given `common_name` will
-  not be included in DNS or Email Subject Alternate Names (as appropriate).
-  Useful if the CN is not a hostname or email address, but is instead some
-  human-readable identifier.
-
-### Sample Payload
-
-```json
-{
-  "csr": "...",
-  "common_name": "example.com"
-}
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "pki/sign/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
-  "renewable": false,
-  "lease_duration": 21600,
-  "data": {
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
-    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
-    "ca_chain": ["-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"],
-    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
-  },
-  "auth": null
-}
-```
-
-## Sign Verbatim
-
-This endpoint signs a new certificate based upon the provided CSR. Values are
-taken verbatim from the CSR; the _only_ restriction is that this endpoint will
-refuse to issue an intermediate CA certificate (see the
-`/pki/root/sign-intermediate` endpoint for that functionality.)
-
-**This is a potentially dangerous endpoint and only highly trusted users should
-have access.**
-
-| Method   | Path                                 |
-| :----------------------------------- | :--------------------- |
-| `POST`   | `/pki/sign-verbatim(/:name)`         |
-
-### Parameters
-
-- `name` `(string: "")` - Specifies a role. If set, the following parameters
-  from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, and
-  `no_store`.
-
-- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
-
-- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` –
-  Specifies the allowed key usage constraint on issued certificates. Valid 
-  values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply 
-  drop the `KeyUsage` part of the value. Values are not case-sensitive. To 
-  specify no key usage constraints, set this to an empty list.
-
-- `ext_key_usage` `(list: [])` –
-  Specifies the allowed extended key usage constraint on issued certificates. Valid 
-  values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply 
-  drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To 
-  specify no key usage constraints, set this to an empty list.
-
-- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended key usage oids.  
-
-- `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
-  than the engine's `max_ttl` value. If not provided, the engine's `ttl` value
-  will be used, which defaults to system values if not explicitly set.
-
-- `format` `(string: "pem")` – Specifies the format for returned data. Can be
-  `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
-  `pem_bundle`, the `certificate` field will contain the certificate and, if the
-  issuing CA is not a Vault-derived self-signed root, it will be concatenated
-  with the certificate.
-
-### Sample Payload
-
-```json
-{
-  "csr": "..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/sign-verbatim
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "pki/sign-verbatim/7ad6cfa5-f04f-c62a-d477-f33210475d05",
-  "renewable": false,
-  "lease_duration": 21600,
-  "data": {
-    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
-    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
-    "ca_chain": ["-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"],
-    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
-  },
-  "auth": null
-}
-```
-
-## Tidy
-
-This endpoint allows tidying up the storage backend and/or CRL by removing
-certificates that have expired and are past a certain buffer period beyond their
-expiration time.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/pki/tidy`                  |
-
-### Parameters
-
-- `tidy_cert_store` `(bool: false)` Specifies whether to tidy up the certificate
-  store.
-
-- `tidy_revoked_certs` `(bool: false)` Set to true to expire all revoked and
-  expired certificates, removing them both from the CRL and from storage. The
-  CRL will be rotated if this causes any values to be removed.
-
-- `safety_buffer` `(string: "")` Specifies  A duration (given as an integer
-  number of seconds or a string; defaults to `72h`) used as a safety buffer to
-  ensure certificates are not expunged prematurely; as an example, this can keep
-  certificates from being removed from the CRL that, due to clock skew, might
-  still be considered valid on other hosts. For a certificate to be expunged,
-  the time must be after the expiration time of the certificate (according to
-  the local clock) plus the duration of `safety_buffer`.
-
-### Sample Payload
-
-```json
-{
-  "safety_buffer": "24h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/pki/tidy
-```
diff --git a/website/source/api/secret/postgresql/index.html.md b/website/source/api/secret/postgresql/index.html.md
deleted file mode 100644
index 73047200d716..000000000000
--- a/website/source/api/secret/postgresql/index.html.md
+++ /dev/null
@@ -1,265 +0,0 @@
----
-layout: "api"
-page_title: "PostgreSQL - Secrets Engines - HTTP API"
-sidebar_title: "PostgreSQL <sup>DEPRECATED</sup>"
-sidebar_current: "api-http-secret-postgresql"
-description: |-
-  This is the API documentation for the Vault PostgreSQL secrets engine.
----
-
-# PostgreSQL Secrets Engine (API)
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the API documentation for
-the new implementation of this secrets engine at
-[PostgreSQL database plugin HTTP API](/api/secret/databases/postgresql.html).
-
-This is the API documentation for the Vault PostgreSQL secrets engine. For
-general information about the usage and operation of the PostgreSQL secrets
-engine, please see the [PostgreSQL
-documentation](/docs/secrets/postgresql/index.html).
-
-This documentation assumes the PostgreSQL secrets engine is enabled at the
-`/postgresql` path in Vault. Since it is possible to enable secrets engines at
-any location, please update your API calls accordingly.
-
-## Configure Connection
-
-This endpoint configures the connection string used to communicate with
-PostgreSQL.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/postgresql/config/connection` |
-
-### Parameters
-
-- `connection_url` `(string: <required>)` – Specifies the PostgreSQL connection
-  URL or PG-style string, for example `"user=foo host=bar"`.
-
-- `max_open_connections` `(int: 2)` – Specifies the maximum number of open
-  connections to the database. A negative value means unlimited.
-
-- `max_idle_connections` `(int: 0)` – Specifies the maximum number of idle
-  connections to the database. A zero uses the value of `max_open_connections`
-  and a negative value disables idle connections. If this is larger than
-  `max_open_connections` it will be reduced to be equal.
-
-- `verify_connection` `(bool: true)` – Specifies if the connection is verified
-  during initial configuration.
-
-### Sample Payload
-
-```json
-{
-  "connection_url": "postgresql://user:pass@localhost/my-db"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/postgresql/config/connection
-```
-
-## Configure Lease
-
-This configures the lease settings for generated credentials. If not configured,
-leases default to 1 hour. This is a root protected endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/postgresql/config/lease`   |
-
-### Parameters
-
-- `lease` `(string: <required>)` – Specifies the lease value provided as a
-  string duration with time suffix. "h" (hour) is the largest suffix.
-
-- `lease_max` `(string: <required>)` – Specifies the maximum lease value
-  provided as a string duration with time suffix. "h" (hour) is the largest
-  suffix.
-
-### Sample Payload
-
-```json
-{
-  "lease": "12h",
-  "lease_max": "24h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/postgresql/config/lease
-```
-
-## Create Role
-
-This endpoint creates or updates a role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/postgresql/roles/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create. This
-  is specified as part of the URL.
-
-- `sql` `(string: <required>)` – Specifies the SQL statements executed to create
-  and configure the role. Must be a semicolon-separated string, a base64-encoded
-  semicolon-separated string, a serialized JSON string array, or a
-  base64-encoded serialized JSON string array. The '{{name}}', '{{password}}'
-  and '{{expiration}}' values will be substituted.
-
-- `revocation_sql` `(string: "")` – Specifies the SQL statements to be executed
-  to revoke a user. Must be a semicolon-separated string, a base64-encoded
-  semicolon-separated string, a serialized JSON string array, or a
-  base64-encoded serialized JSON string array. The '{{name}}' value will be
-  substituted.
-
-### Sample Payload
-
-```json
-{
-  "sql": "CREATE USER WITH ROLE {{name}}"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/postgresql/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/postgresql/roles/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/postgresql/roles/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "sql": "CREATE USER..."
-  }
-}
-```
-
-## List Roles
-
-This endpoint returns a list of available roles. Only the role names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/postgresql/roles`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/postgresql/roles
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["dev", "prod"]
-  },
-  "lease_duration": 2764800,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Delete Role
-
-This endpoint deletes the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/postgresql/roles/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/postgresql/roles/my-role
-```
-
-## Generate Credentials
-
-This endpoint generates a new set of dynamic credentials based on the named
-role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/postgresql/creds/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create
-  credentials against. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/postgresql/creds/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "username": "root-1430158508-126",
-    "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
-  }
-}
-```
diff --git a/website/source/api/secret/rabbitmq/index.html.md b/website/source/api/secret/rabbitmq/index.html.md
deleted file mode 100644
index 555bbb669f32..000000000000
--- a/website/source/api/secret/rabbitmq/index.html.md
+++ /dev/null
@@ -1,223 +0,0 @@
----
-layout: "api"
-page_title: "RabbitMQ - Secrets Engines - HTTP API"
-sidebar_title: "RabbitMQ"
-sidebar_current: "api-http-secret-rabbitmq"
-description: |-
-  This is the API documentation for the Vault RabbitMQ secrets engine.
----
-
-# RabbitMQ Secrets Engine (API)
-
-This is the API documentation for the Vault RabbitMQ secrets engine. For general
-information about the usage and operation of the RabbitMQ secrets engine, please
-see the [RabbitMQ documentation](/docs/secrets/rabbitmq/index.html).
-
-This documentation assumes the RabbitMQ secrets engine is enabled at the
-`/rabbitmq` path in Vault. Since it is possible to enable secrets engines at any
-location, please update your API calls accordingly.
-
-## Configure Connection
-
-This endpoint configures the connection string used to communicate with
-RabbitMQ.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/rabbitmq/config/connection` |
-
-### Parameters
-
-- `connection_uri` `(string: <required>)` – Specifies the RabbitMQ connection
-  URI.
-
-- `username` `(string: <required>)` – Specifies the RabbitMQ management
-  administrator username.
-
-- `password` `(string: <required>)` – Specifies the RabbitMQ management
-  administrator password.
-
-- `verify_connection` `(bool: true)` – Specifies whether to verify connection
-  URI, username, and password.
-
-### Sample Payload
-
-```json
-{
-  "connection_uri": "https://...",
-  "username": "user",
-  "password": "password"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/rabbitmq/config/connection
-```
-
-## Configure Lease
-
-This endpoint configures the lease settings for generated credentials.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/rabbitmq/config/lease`     |
-
-### Parameters
-
-- `ttl` `(int: 0)` – Specifies the lease ttl provided in seconds.
-
-- `max_ttl` `(int: 0)` – Specifies the maximum ttl provided in seconds.
-
-### Sample Payload
-
-```json
-{
-  "ttl": 1800,
-  "max_ttl": 3600
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/rabbitmq/config/lease
-```
-
-## Create Role
-
-This endpoint creates or updates the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/rabbitmq/roles/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create. This
-  is specified as part of the URL.
-
-- `tags` `(string: "")` – Specifies a comma-separated RabbitMQ management tags.
-
-- `vhosts` `(string: "")` – Specifies a map of virtual hosts to
-  permissions.
-
-- `vhost_topics` `(string: "")` – Specifies a map of virtual hosts and exchanges
-  to topic permissions. This option requires RabbitMQ 3.7.0 or later.
-
-### Sample Payload
-
-```json
-{
-  "tags": "tag1,tag2",
-  "vhosts": "{\"/\": {\"configure\":\".*\", \"write\":\".*\", \"read\": \".*\"}}",
-  "vhost_topics": "{\"/\": {\"amq.topic\": {\"write\":\".*\", \"read\": \".*\"}}}"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/rabbitmq/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/rabbitmq/roles/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/rabbitmq/roles/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "tags": "",
-    "vhosts": "{\"/\": {\"configure\":\".*\", \"write\":\".*\", \"read\": \".*\"}}",
-    "vhost_topics": "{\"/\": {\"amq.topic\": {\"write\":\".*\", \"read\": \".*\"}}}"
-  }
-}
-```
-
-## Delete Role
-
-This endpoint deletes the role definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/rabbitmq/roles/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/rabbitmq/roles/my-role
-```
-
-## Generate Credentials
-
-This endpoint generates a new set of dynamic credentials based on the named
-role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/rabbitmq/creds/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create
-  credentials against. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/rabbitmq/creds/my-role
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "username": "root-4b95bf47-281d-dcb5-8a60-9594f8056092",
-    "password": "e1b6c159-ca63-4c6a-3886-6639eae06c30"
-  }
-}
-```
diff --git a/website/source/api/secret/ssh/index.html.md b/website/source/api/secret/ssh/index.html.md
deleted file mode 100644
index 6b129d50da70..000000000000
--- a/website/source/api/secret/ssh/index.html.md
+++ /dev/null
@@ -1,816 +0,0 @@
----
-layout: "api"
-page_title: "SSH - Secrets Engines - HTTP API"
-sidebar_title: "SSH"
-sidebar_current: "api-http-secret-ssh"
-description: |-
-  This is the API documentation for the Vault SSH secrets engine.
----
-
-# SSH Secrets Engine (API)
-
-This is the API documentation for the Vault SSH secrets engine. For general
-information about the usage and operation of the SSH secrets engine, please see
-the [SSH documentation](/docs/secrets/ssh/index.html).
-
-This documentation assumes the SSH secrets engine is enabled at the `/ssh` path
-in Vault. Since it is possible to enable secrets engines at any location, please
-update your API calls accordingly.
-
-## Create/Update Key
-
-This endpoint creates or updates a named key.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/ssh/keys/:name`            |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the key to create. This
-  is part of the request URL.
-
-- `key` `(string: <required>)` – Specifies an SSH private key with appropriate
-  privileges on remote hosts.
-
-### Sample Payload
-
-```json
-{
-  "key": "..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/keys/my-key
-```
-
-## Delete Key
-
-This endpoint deletes a named key.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/ssh/keys/:name`            |
-
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the key to delete. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/ssh/keys/my-key
-```
-
-## Create Role
-
-This endpoint creates or updates a named role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/ssh/roles/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create. This
-  is part of the request URL.
-
-- `key` `(string: "")` – Specifies the name of the registered key in Vault.
-  Before creating the role, use the `keys/` endpoint to create a named key. This
-  is required for "Dynamic Key" type.
-
-- `admin_user` `(string: "")` – Specifies the admin user at remote host. The
-  shared key being registered should be for this user and should have root or
-  sudo privileges. Every time a dynamic	credential is generated for a client,
-  Vault uses this admin username to login to remote host and install the
-  generated credential. This is required for Dynamic Key type.
-
-- `default_user` `(string: "")` – Specifies the default username for which a
-  credential will be generated. When the endpoint `creds/` is used without a
-  username, this value will be used as default username. Its recommended to
-  create individual roles for each username to ensure absolute isolation between
-  usernames. This is required for Dynamic Key type and OTP type.
-
-    For the CA type, if you wish this to be a valid principal, it must also be
-    in `allowed_users`.
-
-- `cidr_list` `(string: "")` – Specifies a comma separated list of CIDR blocks
-  for which the role is applicable for. It is possible that a same set of CIDR
-  blocks are part of multiple roles. This is a required parameter, unless the
-  role is registered under the `/config/zeroaddress` endpoint.
-
-- `exclude_cidr_list` `(string: "")` – Specifies a comma-separated list of CIDR
-  blocks. IP addresses belonging to these blocks are not accepted by the role.
-  This is particularly useful when big CIDR blocks are being used by the role
-  and certain parts need to be kept out.
-
-- `port` `(int: 22)` – Specifies the port number for SSH connection. Port number
-  does not play any role in OTP generation. For the `otp` secrets engine type, this is
-  just a way to inform the client about the port number to use. The port number
-  will be	returned to the client by Vault along with the OTP.
-
-- `key_type` `(string: <required>)` – Specifies the type of credentials
-  generated by this role. This can be either `otp`, `dynamic` or `ca`.
-
-- `key_bits` `(int: 1024)` – Specifies the length of the RSA dynamic key in
-  bits. This can be either 1024 or 2048.
-
-- `install_script` `(string: "")` – Specifies the script used to install and
-  uninstall public keys in the target machine. Defaults to the built-in script.
-
-- `allowed_users` `(string: "")` – If this option is not specified, or if it is
-  `*`, the client can request a credential for any valid user at the remote
-  host, including the admin user. If only certain usernames are to be allowed,
-  then this list enforces it. If this field is set, then credentials can only
-  be created for `default_user` and usernames present in this list. Setting
-  this option will enable all the users with access this role to fetch
-  credentials for all other usernames in this list. Use with caution. N.B.: if
-  the type is `ca`, an empty list does not allow any user; instead you must use
-  `*` to enable this behavior.
-
-- `allowed_domains` `(string: "")` – The list of domains for which a client can
-  request a host certificate. If this option is explicitly set to `"*"`, then
-  credentials can be created for any domain. See also `allow_bare_domains` and
-  `allow_subdomains`.
-
-- `key_option_specs` `(string: "")` – Specifies a comma separated option
-  specification which will be prefixed to RSA keys in the remote host's
-  authorized_keys file. N.B.: Vault does not check this string for validity.
-
-- `ttl` `(string: "")` – Specifies the Time To Live value provided as a string
-  duration with time suffix. Hour is the largest suffix.  If not set, uses the
-  system default value or the value of `max_ttl`, whichever is shorter.
-
-- `max_ttl` `(string: "")` – Specifies the maximum Time To Live provided as a
-  string duration with time suffix. Hour is the largest suffix. If not set,
-  defaults to the system maximum lease TTL.
-
-- `allowed_critical_options` `(string: "")` – Specifies a comma-separated list
-  of critical options that certificates can have when signed. To allow any
-  critical options, set this to an empty string. Will default to allowing any
-  critical options.
-
-- `allowed_extensions` `(string: "")` – Specifies a comma-separated list of
-  extensions that certificates can have when signed. To allow any critical
-  options, set this to an empty string. Will default to allowing any
-  extensions.  For the list of extensions, take a look at the [sshd
-  manual's](https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT)
-  `AUTHORIZED_KEYS FILE FORMAT` section. You should add a `permit-` before the
-  name of extension to allow it.
-
-- `default_critical_options` `(map<string|string>: "")` – Specifies a map of
-  critical options certificates should have if none are provided when signing.
-  This field takes in key value pairs in JSON format. Note that these are not
-  restricted by `allowed_critical_options`. Defaults to none.
-
-- `default_extensions` `(map<string|string>: "")` – Specifies a map of
-  extensions certificates should have if none are provided when signing. This
-  field takes in key value pairs in JSON format. Note that these are not
-  restricted by `allowed_extensions`. Defaults to none.
-
-- `allow_user_certificates` `(bool: false)` – Specifies if certificates are
-  allowed to be signed for use as a 'user'.
-
-- `allow_host_certificates` `(bool: false)` – Specifies if certificates are
-  allowed to be signed for use as a 'host'.
-
-- `allow_bare_domains` `(bool: false)` – Specifies if host certificates that are
-  requested are allowed to use the base domains listed in `allowed_domains`, e.g.
-  "example.com". This is a separate option as in some cases this can be
-  considered a security threat.
-
-- `allow_subdomains` `(bool: false)` – Specifies if host certificates that are
-  requested are allowed to be subdomains of those listed in `allowed_domains`,
-  e.g. if "example.com" is part of `allowed_domains`, this allows
-  "foo.example.com".
-
-- `allow_user_key_ids` `(bool: false)` – Specifies if users can override the key
-  ID for a signed certificate with the "key_id" field. When false, the key ID
-  will always be the token display name. The key ID is logged by the SSH server
-  and can be useful for auditing.
-
-- `key_id_format` `(string: "")` – When supplied, this value specifies a custom
-  format for the key id of a signed certificate. The following variables are
-  available for use: '{{token_display_name}}' - The display name of the token used
-  to make the request. '{{role_name}}' - The name of the role signing the request.
-  '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.
-  e.g. "custom-keyid-{{token_display_name}}"
-
-- `allowed_user_key_lengths` `(map<string|int>: "")` – Specifies a map of ssh key types
-  and their expected sizes which are allowed to be signed by the CA type.
-
-### Sample Payload
-
-```json
-{
-  "key_type": "otp"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/roles/my-role
-```
-
-## Read Role
-
-This endpoint queries a named role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/ssh/roles/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to read. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/ssh/roles/my-role
-```
-
-### Sample Response
-
-For a dynamic key role:
-
-```json
-{
-  "admin_user": "username",
-  "cidr_list": "x.x.x.x/y",
-  "default_user": "username",
-  "key": "<key name>",
-  "key_type": "dynamic",
-  "port": 22
-}
-```
-
-For an OTP role:
-
-```json
-{
-  "cidr_list": "x.x.x.x/y",
-  "default_user": "username",
-  "key_type": "otp",
-  "port": 22
-}
-```
-
-For a CA role:
-
-```json
-{
-  "allow_bare_domains": false,
-  "allow_host_certificates": true,
-  "allow_subdomains": false,
-  "allow_user_key_ids": false,
-  "allow_user_certificates": true,
-  "allowed_critical_options": "",
-  "allowed_extensions": "",
-  "default_critical_options": {},
-  "default_extensions": {},
-  "max_ttl": "768h",
-  "ttl": "4h"
-}
-```
-
-## List Roles
-
-This endpoint returns a list of available roles. Only the role names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/ssh/roles`                 |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/ssh/roles
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["dev", "prod"],
-    "key_info": {
-      "dev": {
-        "key_type": "ca"
-      },
-      "prod": {
-        "key_type": "dynamic"
-      }
-    }
-  },
-  "lease_duration": 2764800,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Delete Role
-
-This endpoint deletes a named role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/ssh/roles/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to delete. This
-  is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/roles/my-role
-```
-
-## List Zero-Address Roles
-
-This endpoint returns the list of configured zero-address roles.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/ssh/config/zeroaddress`    |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/ssh/config/zeroaddress
-```
-
-### Sample Response
-
-```json
-{  
-   "lease_id":"",
-   "renewable":false,
-   "lease_duration":0,
-   "data":{  
-      "roles":[  
-         "otp_key_role"
-      ]
-   },
-   "warnings":null,
-   "auth":null
-}
-```
-
-## Configure Zero-Address Roles
-
-This endpoint configures zero-address roles.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/ssh/config/zeroaddress`    |
-
-### Parameters
-
-- `roles` `(string: <required>)` – Specifies a string containing comma separated
-  list of role names which allows credentials to be requested for any IP
-  address. CIDR blocks previously registered under these roles will be ignored.
-
-### Sample Payload
-
-```json
-{
-  "roles": ["otp_key_role"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/config/zeroaddress
-```
-
-## Delete Zero-Address Role
-
-This endpoint deletes the zero-address roles configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/ssh/config/zeroaddress`    |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/ssh/config/zeroaddress
-```
-
-## Generate SSH Credentials
-
-This endpoint creates credentials for a specific username and IP with the
-parameters defined in the given role.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/ssh/creds/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to create
-  credentials against. This is part of the request URL.
-
-- `username` `(string: "")` – Specifies the username on the remote host.
-
-- `ip` `(string: <required>)` – Specifies the IP of the remote host.
-
-### Sample Payload
-
-```json
-{
-  "ip": "1.2.3.4"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/creds/my-role
-```
-
-### Sample Response
-
-For a dynamic key role:
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "admin_user": "rajanadar",
-    "allowed_users": "",
-    "cidr_list": "x.x.x.x/y",
-    "default_user": "rajanadar",
-    "exclude_cidr_list": "x.x.x.x/y",
-    "install_script": "pretty_large_script",
-    "key": "5d9ee6a1-c787-47a9-9738-da243f4f69bf",
-    "key_bits": 1024,
-    "key_option_specs": "",
-    "key_type": "dynamic",
-    "port": 22
-   },
-  "warnings": null,
-  "auth": null
-}
-```
-
-For an OTP role:
-
-```json
-{
-  "lease_id": "sshs/creds/c3c2e60c-5a48-415a-9d5a-a41e0e6cdec5/3ee6ad28-383f-d482-2427-70498eba4d96",
-  "renewable": false,
-  "lease_duration": 2764800,
-  "data": {
-    "ip": "127.0.0.1",
-    "key": "6d6411fd-f622-ea0a-7e2c-989a745cbbb2",
-    "key_type": "otp",
-    "port": 22,
-    "username": "rajanadar"
-   },
-  "warnings": null,
-  "auth": null
-}
-```
-
-## List Roles by IP
-
-This endpoint lists all of the roles with which the given IP is associated.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/ssh/lookup`                |
-
-### Parameters
-
-- `ip` `(string: <required>)` – Specifies the IP of the remote host.
-
-### Sample Payload
-
-```json
-{
-  "ip": "1.2.3.4"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/lookup
-```
-
-### Sample Response
-
-An array of roles as a secret structure.
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "roles": [
-      "fe6f61b7-7e4a-46a6-b2c8-0d530b8513df",
-      "6d6411fd-f622-ea0a-7e2c-989a745cbbb2"
-    ]
-  },
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Verify SSH OTP
-
-This endpoint verifies if the given OTP is valid. This is an unauthenticated
-endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/ssh/verify`                |
-
-## Parameters
-
-- `otp` `(string: <required>)` – Specifies the One-Time-Key that needs to be
-  validated.
-
-### Sample Payload
-
-```json
-{
-  "otp": "bad2b3-..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/verify
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id":"",
-  "renewable":false,
-  "lease_duration":0,
-  "data": {
-    "ip":"127.0.0.1",
-    "username":"rajanadar"
-  },
-  "warnings":null,
-  "auth":null
-}
-```
-
-## Submit CA Information
-
-This endpoint allows submitting the CA information for the secrets engine via an SSH
-key pair. _If you have already set a certificate and key, they will be
-overridden._
-
-| Method   | Path                         |
-| :--------------------------- | :------------------------- |
-| `POST`   | `/ssh/config/ca`             | `200/204 application/json` |
-
-### Parameters
-
-- `private_key` `(string: "")` – Specifies the private key part the SSH CA key
-  pair; required if `generate_signing_key` is false.
-
-- `public_key` `(string: "")` – Specifies the public key part of the SSH CA key
-  pair; required if `generate_signing_key` is false.
-
-- `generate_signing_key` `(bool: true)` – Specifies if Vault should generate
-  the signing key pair internally. The generated public key will be returned so
-  you can add it to your configuration.
-
-### Sample Payload
-
-```json
-{
-  "generate_signing_key": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/config/ca
-```
-
-### Sample Response
-
-This will return a `204` response if `generate_signing_key` was unset or false.
-
-This will return a `200` response if `generate_signing_key` was true:
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "public_key": "ssh-rsa AAAAHHNzaC1y...\n"
-  },
-  "warnings": null
-}
-```
-
-## Delete CA Information
-
-This endpoint deletes the CA information for the backend via an SSH key pair.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/ssh/config/ca`             |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/ssh/config/ca
-```
-
-## Read Public Key (Unauthenticated)
-
-This endpoint returns the configured/generated public key. This is an unauthenticated
-endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------- |
-| `GET`    | `/ssh/public_key`            | `200 text/plain` |
-
-### Sample Request
-
-```
-$ curl http://127.0.0.1:8200/v1/ssh/public_key
-```
-
-### Sample Response
-
-```text
-    ssh-rsa AAAAHHNzaC1y...
-```
-
-## Read Public Key (Authenticated)
-
-This endpoint reads the configured/generated public key.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/ssh/config/ca`             |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/ssh/config/ca
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "public_key": "ssh-rsa AAAAHHNzaC1y...\n"
-  },
-  "warnings": null
-}
-```
-
-## Sign SSH Key
-
-This endpoint signs an SSH public key based on the supplied parameters, subject
-to the restrictions contained in the role named in the endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/ssh/sign/:name`            |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the role to sign. This
-  is part of the request URL.
-
-- `public_key` `(string: <required>)` – Specifies the SSH public key that should
-  be signed.
-
-- `ttl` `(string: "")` – Specifies the Requested Time To Live. Cannot be greater
-  than the role's `max_ttl` value. If not provided, the role's `ttl` value will
-  be used. Note that the role values default to system values if not explicitly
-  set.
-
-- `valid_principals` `(string: "")` – Specifies valid principals, either
-  usernames or hostnames, that the certificate should be signed for.
-
-- `cert_type` `(string: "user")` – Specifies the type of certificate to be
-  created; either "user" or "host".
-
-- `key_id` `(string: "")` – Specifies the key id that the created certificate
-  should have. If not specified, the display name of the token will be used.
-
-- `critical_options` `(map<string|string>: "")` – Specifies a map of the
-  critical options that the certificate should be signed for. Defaults to none.
-
-- `extension` `(map<string|string>: "")` – Specifies a map of the extensions
-  that the certificate should be signed for. Defaults to none.
-
-### Sample Payload
-
-```json
-{
-  "public_key": "ssh-rsa ..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/ssh/sign/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "ssh/sign/example/097bf207-96dd-0041-0e83-b23bd1923993",
-  "renewable": false,
-  "lease_duration": 21600,
-  "data": {
-    "serial_number": "f65ed2fd21443d5c",
-    "signed_key": "ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...\n"
-  },
-  "auth": null
-}
-```
diff --git a/website/source/api/secret/totp/index.html.md b/website/source/api/secret/totp/index.html.md
deleted file mode 100644
index 88950e5cd66f..000000000000
--- a/website/source/api/secret/totp/index.html.md
+++ /dev/null
@@ -1,272 +0,0 @@
----
-layout: "api"
-page_title: "TOTP - Secrets Engines - HTTP API"
-sidebar_title: "TOTP"
-sidebar_current: "api-http-secret-totp"
-description: |-
-  This is the API documentation for the Vault TOTP secrets engine.
----
-
-# TOTP Secrets Engine (API)
-
-This is the API documentation for the Vault TOTP secrets engine. For general
-information about the usage and operation of the TOTP secrets engine, please see
-the [TOTP documentation](/docs/secrets/totp/index.html).
-
-This documentation assumes the TOTP secrets engine is enabled at the `/totp`
-path in Vault. Since it is possible to enable secrets engines at any location,
-please update your API calls accordingly.
-
-## Create Key
-
-This endpoint creates or updates a key definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------------------------------------------------------------------------------- |
-| `POST`   | `/totp/keys/:name`           | 
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the key to create. This is specified as part of the URL.
-
-- `generate` `(bool: false)` – Specifies if a key should be generated by Vault or if a key is being passed from another service.
-
-- `exported` `(bool: true)` – Specifies if a QR code and url are returned upon generating a key. Only used if generate is true.
-
-- `key_size` `(int: 20)` – Specifies the size in bytes of the Vault generated key. Only used if generate is true.
-
-- `url` `(string: "")` – Specifies the TOTP key url string that can be used to configure a key. Only used if generate is false.
-
-- `key` `(string: <required - if generate is false and url is empty>)` – Specifies the master key used to generate a TOTP code. Only used if generate is false.
-
-- `issuer` `(string: "" <required - if generate is true>)` – Specifies the name of the key’s issuing organization.
-
-- `account_name` `(string: "" <required - if generate is true>)` – Specifies the name of the account associated with the key.
-
-- `period` `(int or duration format string: 30)` – Specifies the length of time in seconds used to generate a counter for the TOTP code calculation.
-
-- `algorithm` `(string: "SHA1")` – Specifies the hashing algorithm used to generate the TOTP code. Options include "SHA1", "SHA256" and "SHA512".
-
-- `digits` `(int: 6)` – Specifies the number of digits in the generated TOTP code. This value can be set to 6 or 8.
-
-- `skew` `(int: 1)` – Specifies the number of delay periods that are allowed when validating a TOTP code. This value can be either 0 or 1. Only used if generate is true.
-
-- `qr_size` `(int: 200)` – Specifies the pixel size of the square QR code when generating a new key. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.
-
-### Sample Payload
-
-```json
-{
-  "url": "otpauth://totp/Google:test@gmail.com?secret=Y64VEVMBTSXCYIWRSHRNDZW62MPGVU2G&issuer=Google"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/totp/keys/my-key
-```
-
-### Sample Payload
-
-```json
-{
-  "generate": true,
-  "issuer": "Google",
-  "account_name": "test@gmail.com",
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/totp/keys/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "barcode": "iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BAAAGXklEQVR4nOyd4Y4iOQyEmRPv/8p7upX6BJm4XbbDbK30fT9GAtJJhpLjdhw3z1+/HmDEP396AvDO878/X1+9i1frWvu5Po/6Xz+P2kft1nFVa1f7z+YdjT/5PrEQMxDEDAQx4/n6orsGr6z9ZP1mviMbP/MBav/R6/U61Ud0vk8sxAwEMQNBzHju3lTvv6P2ajwS9Ve9zz+9pkfjRp+r/SjzwULMQBAzEMSMrQ/pUo0bouun7dW9LXVvrBq/TMBCzEAQMxDEjKM+JFqT17W4mu9Y+49eq/OL3r/GVX3CJ7KtWIgZCGIGgpix9SHTtXGa4476qfoa1adVc+HV/6/yfWIhZiCIGQhixpsP6Z4nulD3lqavV7q+Yvo6G7/zfWIhZiCIGQhixteJ/Rh1Da3e71d9RjRul2ocdeK7xELMQBAzEMSM3z6ku6dTrdOo1l9M6y5O7clVx5n4SCzEDAQxA0HMuN3L+qlavqj9itpePY+VtVdrHqfzeQULMQNBzEAQM97ikAv1vr/brltTeCp/svarcjLe2F1PnbohCGIGgphRqjG8mJ6PmtYMVnP363Vqv6d8qZrzf2AhfiCIGQhixm0c8n+jQ8+7+jZ4cY3PrlfHO/1Ml+45st18sRAzEMQMBDHjdxyixgPqs0lWsvvwqH00zrSO41R80p3XXXssxAwEMQNBzJCeuaieo6pedzGtb1/76fqgLH6ofg+dZ65gIWYgiBkIYsbbs9/V+/EVde1V+62eh1I/r/qIrs+Ixo2uYy/LGAQxA0HMeNvLilDX1OraXc2jVNtPzxJXr6v+HzuwEDMQxAwEMWNbp95d21WmzzBR6066e07dPMq0XoW9LEMQxAwEMUOqUz+1p9ONd07Xz586u6yifp/4EEMQxAwEMUPay7rIcthqTrx6v1/NTX+qZrIbF63v34GFmIEgZiCIGdvfU++e1a3GM2oOPjtvpfbfjS+qeZFJXgcLMQNBzEAQM6Tn9p7OLVdrFqP5TFF9ZXTdqfqTV7AQMxDEDAQx482HdPMPGdN8SjeHr6710zzJidrCB/kQTxDEDAQxY7uXdTGNC9S9pK6vqs6nWzdyej53PhELMQNBzEAQM0o59YtTz/xQfVO3jmOdl0rmE6f5ort5YSFmIIgZCGLGbU69eka3ep+v5sCzcbp5jZXMR0zr+aPPqVM3BkHMQBAzRs/tjejmwj9d05ihzq96nQr5EEMQxAwEMWPrQy6q9/fdevFTcVA0v+n5K7U/tf4lGhcfYgiCmIEgZtw+6+RCXUurvkKlepZ2vS5i+oyTaby0GxcLMQNBzEAQM0r5kKnv6K6xK9X4R13zu+eyJnXpazssxAwEMQNBzNj+fkg3nqjGK9laPz1vleXwq2v+p+vciUMMQRAzEMSM298xrOYDVqrtpmtzt59uHqc6v2zcBxbiB4KYgSBmbOvUV7q577VdOIliXqLr87p7Tere2YnrsRAzEMQMBDFj+zuGar3Gp+rNp3kUtR5lmj/Jxo/GvZsvFmIGgpiBIGbcPi/rW+MPPaeqOs407xL1E1E9lzWpg8FCzEAQMxDEDOk3qC66a7f6fsSn1uz18+o8P+GzsBAzEMQMBDFjm1Ov7L3s3p+2/6lcfoa6ZxaNm50DWyEOMQRBzEAQM7Zne6PX3XilW5M3zbd0c/3ZHpvqY6P+7j7HQsxAEDMQxIxRPqRaT6Kuzemkh7WJ3RrJbJxq7eOuPyzEDAQxA0HMKJ3t/XbxobW/Gmdka/PpPMxPgoWYgSBmIIgZ0m9QrXTP1mb9Ru2y+/hsD2xaM9jN5UfjEIf8RSCIGQhiRus3qLp7ONU6jK4vynxMdn10XdY+m4/SHxZiBoKYgSBm3MYhGdl9/qkzvN18ilpDqF6nxiPVGs3Xz7EQMxDEDAQx4/ZcVoR6fqobZ6h7Vtm81TVejZdWuvHNXXssxAwEMQNBzHju3pyujdO68Ky9Wm+h9qPGJVG/6nyU+WIhZiCIGQhixtaHdFF9hlqLeOrcVPcMQDeOmtTNYyFmIIgZCGLGUR/SPQs73QuL5tGtiVznlc1X/T8iXtthIWYgiBkIYsbWh3T3nNS1dXqe6tReW8S0Hr1b5/LAQvxAEDMQxIw3H9I9nzU9R6XGHdn41dx4d4+rGp9En7OX9ReAIGYgiBlff6IWG2KwEDP+DQAA//+TDHXGhqE4+AAAAABJRU5ErkJggg==",
-    "url" : "otpauth://totp/Google:test@gmail.com?algorithm=SHA1&digits=6&issuer=Google&period=30&secret=HTXT7KJFVNAJUPYWQRWMNVQE5AF5YZI2",
-  }
-}
-```
-
-If a QR code is returned, it consists of base64-formatted PNG bytes. You can embed it in a web page by including the base64 string in an `img` tag with the prefix `data:image/png;base64`
-
-```
-<img src="data:image/png;base64,iVBORw0KGgoAAAANSUh.." />
-```
-
-## Read Key
-
-This endpoint queries the key definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/totp/keys/:name`          |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the key to read. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/totp/keys/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "account_name": "test@gmail.com",
-    "algorithm" : "SHA1",
-    "digits" : 6,
-    "issuer": "Google",
-    "period" : 30,
-  }
-}
-```
-
-## List Keys
-
-This endpoint returns a list of available keys. Only the key names are
-returned, not any values.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/totp/keys`                 |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/totp/keys
-```
-
-### Sample Response
-
-```json
-{
-  "auth": null,
-  "data": {
-    "keys": ["my-key"]
-  },
-  "lease_duration": 0,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Delete Key
-
-This endpoint deletes the key definition.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/totp/keys/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the key to delete. This
-  is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/totp/keys/my-key
-```
-
-## Generate Code
-
-This endpoint generates a new time-based one-time use password based on the named
-key.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/totp/code/:name`          |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the key to create
-  credentials against. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/totp/code/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "code": "810920",
-  }
-}
-```
-
-## Validate Code
-
-This endpoint validates a time-based one-time use password generated from the named
-key.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/totp/code/:name`           |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the key used to generate the password. This is specified as part of the URL.
-
-- `code` `(string: <required>)` – Specifies the password you want to validate.
-
-### Sample Payload
-
-```json
-{
-  "code": "123802"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/totp/code/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "valid": true,
-  }
-}
-```
diff --git a/website/source/api/secret/transit/index.html.md b/website/source/api/secret/transit/index.html.md
deleted file mode 100644
index 6789c54f0a9e..000000000000
--- a/website/source/api/secret/transit/index.html.md
+++ /dev/null
@@ -1,1334 +0,0 @@
----
-layout: "api"
-page_title: "Transit - Secrets Engines - HTTP API"
-sidebar_title: "Transit"
-sidebar_current: "api-http-secret-transit"
-description: |-
-  This is the API documentation for the Vault Transit secrets engine.
----
-
-# Transit Secrets Engine (API)
-
-This is the API documentation for the Vault Transit secrets engine. For general
-information about the usage and operation of the Transit secrets engine, please
-see the [transit documentation](/docs/secrets/transit/index.html).
-
-This documentation assumes the transit secrets engine is enabled at the
-`/transit` path in Vault. Since it is possible to enable secrets engines at any
-location, please update your API calls accordingly.
-
-## Create Key
-
-This endpoint creates a new named encryption key of the specified type. The
-values set here cannot be changed after key creation.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/keys/:name`        |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  create. This is specified as part of the URL.
-
-- `convergent_encryption` `(bool: false)` – If enabled, the key will support
-  convergent encryption, where the same plaintext creates the same ciphertext.
-  This requires _derived_ to be set to `true`. When enabled, each
-  encryption(/decryption/rewrap/datakey) operation will derive a `nonce` value
-  rather than randomly generate it.
-
-- `derived` `(bool: false)` – Specifies if key derivation is to be used. If
-  enabled, all encrypt/decrypt requests to this named key must provide a context
-  which is used for key derivation.
-
-- `exportable` `(bool: false)` -  Enables keys to be exportable. This
-  allows for all the valid keys in the key ring to be exported. Once set, this
-  cannot be disabled.
-
-- `allow_plaintext_backup` `(bool: false)` - If set, enables taking backup of
-  named key in the plaintext format. Once set, this cannot be disabled.
-
-- `type` `(string: "aes256-gcm96")` – Specifies the type of key to create. The
-  currently-supported types are:
-
-    - `aes128-gcm96` – AES-128 wrapped with GCM using a 96-bit nonce size AEAD
-      (symmetric, supports derivation and convergent encryption)
-    - `aes256-gcm96` – AES-256 wrapped with GCM using a 96-bit nonce size AEAD
-      (symmetric, supports derivation and convergent encryption, default)
-    - `chacha20-poly1305` – ChaCha20-Poly1305 AEAD (symmetric, supports
-      derivation and convergent encryption)
-    - `ed25519` – ED25519 (asymmetric, supports derivation). When using
-      derivation, a sign operation with the same context will derive the same
-      key and signature; this is a signing analogue to `convergent_encryption`.
-    - `ecdsa-p256` – ECDSA using the P-256 elliptic curve (asymmetric)
-    - `ecdsa-p384` – ECDSA using the P-384 elliptic curve (asymmetric)
-    - `ecdsa-p521` – ECDSA using the P-521 elliptic curve (asymmetric)
-    - `rsa-2048` - RSA with bit size of 2048 (asymmetric)
-    - `rsa-4096` - RSA with bit size of 4096 (asymmetric)
-
-### Sample Payload
-
-```json
-{
-  "type": "ed25519",
-  "derived": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/keys/my-key
-```
-
-## Read Key
-
-This endpoint returns information about a named encryption key. The `keys`
-object shows the creation time of each key version; the values are not the keys
-themselves. Depending on the type of key, different information may be returned,
-e.g. an asymmetric key will return its public key in a standard format for the
-type.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/transit/keys/:name`        |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  read. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/transit/keys/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "type": "aes256-gcm96",
-    "deletion_allowed": false,
-    "derived": false,
-    "exportable": false,
-    "allow_plaintext_backup": false,
-    "keys": {
-      "1": 1442851412
-    },
-    "min_decryption_version": 1,
-    "min_encryption_version": 0,
-    "name": "foo",
-    "supports_encryption": true,
-    "supports_decryption": true,
-    "supports_derivation": true,
-    "supports_signing": false
-  }
-}
-```
-
-## List Keys
-
-This endpoint returns a list of keys. Only the key names are returned (not the
-actual keys themselves).
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/transit/keys`              |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/transit/keys
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "keys": ["foo", "bar"]
-  },
-  "lease_duration": 0,
-  "lease_id": "",
-  "renewable": false
-}
-```
-
-## Delete Key
-
-This endpoint deletes a named encryption key. It will no longer be possible to
-decrypt any data encrypted with the named key. Because this is a potentially
-catastrophic operation, the `deletion_allowed` tunable must be set in the key's
-`/config` endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/transit/keys/:name`        |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  delete. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/transit/keys/my-key
-```
-
-## Update Key Configuration
-
-This endpoint allows tuning configuration values for a given key. (These values
-are returned during a read operation on the named key.)
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/keys/:name/config` |
-
-### Parameters
-
-- `min_decryption_version` `(int: 0)` – Specifies the minimum version of
-  ciphertext allowed to be decrypted. Adjusting this as part of a key rotation
-  policy can prevent old copies of ciphertext from being decrypted, should they
-  fall into the wrong hands. For signatures, this value controls the minimum
-  version of signature that can be verified against. For HMACs, this controls
-  the minimum version of a key allowed to be used as the key for verification.
-
-- `min_encryption_version` `(int: 0)` – Specifies the minimum version of the
-  key that can be used to encrypt plaintext, sign payloads, or generate HMACs.
-  Must be `0` (which will use the latest version) or a value greater or equal
-  to `min_decryption_version`.
-
-- `deletion_allowed` `(bool: false)` - Specifies if the key is allowed to be
-  deleted.
-
-- `exportable` `(bool: false)` -  Enables keys to be exportable. This
-  allows for all the valid keys in the key ring to be exported. Once set, this
-  cannot be disabled.
-
-- `allow_plaintext_backup` `(bool: false)` - If set, enables taking backup of
-  named key in the plaintext format. Once set, this cannot be disabled.
-
-### Sample Payload
-
-```json
-{
-  "deletion_allowed": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/keys/my-key/config
-```
-
-## Rotate Key
-
-This endpoint rotates the version of the named key. After rotation, new
-plaintext requests will be encrypted with the new version of the key. To upgrade
-ciphertext to be encrypted with the latest version of the key, use the `rewrap`
-endpoint. This is only supported with keys that support encryption and
-decryption operations.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/keys/:name/rotate` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/transit/keys/my-key/rotate
-```
-
-## Export Key
-
-This endpoint returns the named key. The `keys` object shows the value of the
-key for each version. If `version` is specified, the specific version will be
-returned. If `latest` is provided as the version, the current key will be
-provided. Depending on the type of key, different information may be returned.
-The key must be exportable to support this operation and the version must still
-be valid.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/transit/export/:key_type/:name(/:version)` |
-
-### Parameters
-
-- `key_type` `(string: <required>)` – Specifies the type of the key to export.
-  This is specified as part of the URL. Valid values are:
-
-    - `encryption-key`
-    - `signing-key`
-    - `hmac-key`
-
-- `name` `(string: <required>)` – Specifies the name of the key to read
-  information about. This is specified as part of the URL.
-
-- `version` `(string: "")` – Specifies the version of the key to read. If omitted,
-  all versions of the key will be returned. This is specified as part of the
-  URL. If the version is set to `latest`, the current key will be returned.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/transit/export/encryption-key/my-key/1
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "name": "foo",
-    "keys": {
-      "1": "eyXYGHbTmugUJn6EtYD/yVEoF6pCxm4R/cMEutUm3MY=",
-      "2": "Euzymqx6iXjS3/NuGKDCiM2Ev6wdhnU+rBiKnJ7YpHE="
-    }
-  }
-}
-```
-
-## Encrypt Data
-
-This endpoint encrypts the provided plaintext using the named key. This path
-supports the `create` and `update` policy capabilities as follows: if the user
-has the `create` capability for this endpoint in their policies, and the key
-does not exist, it will be upserted with default values (whether the key
-requires derivation depends on whether the context parameter is empty or not).
-If the user only has `update` capability and the key does not exist, an error
-will be returned.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/encrypt/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  encrypt against. This is specified as part of the URL.
-
-- `plaintext` `(string: <required>)` – Specifies **base64 encoded** plaintext to
-  be encoded.
-
-- `context` `(string: "")` – Specifies the **base64 encoded** context for key
-  derivation. This is required if key derivation is enabled for this key.
-
-- `key_version` `(int: 0)` – Specifies the version of the key to use for
-  encryption. If not set, uses the latest version. Must be greater than or
-  equal to the key's `min_encryption_version`, if set.
-
-- `nonce` `(string: "")` – Specifies the **base64 encoded** nonce value. This
-  must be provided if convergent encryption is enabled for this key and the key
-  was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The
-  value must be exactly 96 bits (12 bytes) long and the user must ensure that
-  for any given context (and thus, any given encryption key) this nonce value is
-  **never reused**.
-
-- `batch_input` `(array<object>: nil)` – Specifies a list of items to be
-  encrypted in a single batch. When this parameter is set, if the parameters
-  'plaintext', 'context' and 'nonce' are also set, they will be ignored. The
-  format for the input is:
-
-    ```json
-    [
-      {
-        "context": "c2FtcGxlY29udGV4dA==",
-        "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
-      },
-      {
-        "context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
-        "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
-      },
-    ]
-    ```
-
-- `type` `(string: "aes256-gcm96")` –This parameter is required when encryption
-  key is expected to be created. When performing an upsert operation, the type
-  of key to create.
-
-- `convergent_encryption` `(string: "")` – This parameter will only be used when
-  a key is expected to be created.  Whether to support convergent encryption.
-  This is only supported when using a key with key derivation enabled and will
-  require all requests to carry both a context and 96-bit (12-byte) nonce. The
-  given nonce will be used in place of a randomly generated nonce. As a result,
-  when the same context and nonce are supplied, the same ciphertext is
-  generated. It is _very important_ when using this mode that you ensure that
-  all nonces are unique for a given context.  Failing to do so will severely
-  impact the ciphertext's security.
-
-**NOTE:** All plaintext data **must be base64-encoded**. The reason for this
-requirement is that Vault does not require that the plaintext is "text". It
-could be a binary file such as a PDF or image. The easiest safe transport
-mechanism for this data as part of a JSON payload is to base64-encode it.
-
-### Sample Payload
-
-Fist, encode the plaintext with base64:
-
-```sh
-$ base64 <<< "the quick brown fox"
-dGhlIHF1aWNrIGJyb3duIGZveAo=
-```
-
-Use the base64-encoded plaintext in the payload:
-
-```json
-{
-  "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo="
-}
-```
-
-!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial
-of service attack. This can be tuned per [`listener`
-block](/docs/configuration/listener/tcp.html) in the Vault server
-configuration.
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/encrypt/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
-  }
-}
-```
-
-## Decrypt Data
-
-This endpoint decrypts the provided ciphertext using the named key.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/decrypt/:name`     |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  decrypt against. This is specified as part of the URL.
-
-- `ciphertext` `(string: <required>)` – Specifies the ciphertext to decrypt.
-
-- `context` `(string: "")` – Specifies the **base64 encoded** context for key
-  derivation. This is required if key derivation is enabled.
-
-- `nonce` `(string: "")` – Specifies a base64 encoded nonce value used during
-  encryption. Must be provided if convergent encryption is enabled for this key
-  and the key was generated with Vault 0.6.1. Not required for keys created in
-  0.6.2+.
-
-- `batch_input` `(array<object>: nil)` – Specifies a list of items to be
-  decrypted in a single batch. When this parameter is set, if the parameters
-  'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format
-  for the input goes like this:
-
-    ```json
-    [
-      {
-        "context": "c2FtcGxlY29udGV4dA==",
-        "ciphertext": "vault:v1:/DupSiSbX/ATkGmKAmhqD0tvukByrx6gmps7dVI="
-      },
-      {
-        "context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
-        "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
-      },
-    ]
-    ```
-
-### Sample Payload
-
-```json
-{
-  "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/decrypt/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo="
-  }
-}
-```
-
-## Rewrap Data
-
-This endpoint rewraps the provided ciphertext using the latest version of the
-named key. Because this never returns plaintext, it is possible to delegate this
-functionality to untrusted users or scripts.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/rewrap/:name`      |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  re-encrypt against. This is specified as part of the URL.
-
-- `ciphertext` `(string: <required>)` – Specifies the ciphertext to re-encrypt.
-
-- `context` `(string: "")` – Specifies the **base64 encoded** context for key
-  derivation. This is required if key derivation is enabled.
-
-- `key_version` `(int: 0)` – Specifies the version of the key to use for the
-  operation. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
-
-- `nonce` `(string: "")` – Specifies a base64 encoded nonce value used during
-  encryption. Must be provided if convergent encryption is enabled for this key
-  and the key was generated with Vault 0.6.1. Not required for keys created in
-  0.6.2+.
-
-- `batch_input` `(array<object>: nil)` – Specifies a list of items to be
-  decrypted in a single batch. When this parameter is set, if the parameters
-  'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format
-  for the input goes like this:
-
-    ```json
-    [
-      {
-        "context": "c2FtcGxlY29udGV4dA==",
-        "ciphertext": "vault:v1:/DupSiSbX/ATkGmKAmhqD0tvukByrx6gmps7dVI="
-      },
-      {
-        "context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
-        "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
-      },
-    ]
-    ```
-
-### Sample Payload
-
-```json
-{
-  "ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/rewrap/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "ciphertext": "vault:v2:abcdefgh"
-  }
-}
-```
-
-## Generate Data Key
-
-This endpoint generates a new high-entropy key and the value encrypted with the
-named key. Optionally return the plaintext of the key as well. Whether plaintext
-is returned depends on the path; as a result, you can use Vault ACL policies to
-control whether a user is allowed to retrieve the plaintext value of a key. This
-is useful if you want an untrusted user or operation to generate keys that are
-then made available to trusted users.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/datakey/:type/:name` |
-
-### Parameters
-
-- `type` `(string: <required>)` – Specifies the type of key to generate. If
-  `plaintext`, the plaintext key will be returned along with the ciphertext. If
-  `wrapped`, only the ciphertext value will be returned. This is specified as
-  part of the URL.
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  use to encrypt the datakey. This is specified as part of the URL.
-
-- `context` `(string: "")` – Specifies the key derivation context, provided as a
-  base64-encoded string. This must be provided if derivation is enabled.
-
-- `nonce` `(string: "")` – Specifies a nonce value, provided as base64 encoded.
-  Must be provided if convergent encryption is enabled for this key and the key
-  was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The
-  value must be exactly 96 bits (12 bytes) long and the user must ensure that
-  for any given context (and thus, any given encryption key) this nonce value is
-  **never reused**.
-
-- `bits` `(int: 256)` – Specifies the number of bits in the desired key. Can be
-  128, 256, or 512.
-
-### Sample Payload
-
-```json
-{
-  "context": "Ab3=="
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/datakey/plaintext/my-key
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo=",
-    "ciphertext": "vault:v1:abcdefgh"
-  }
-}
-```
-
-## Generate Random Bytes
-
-This endpoint returns high-quality random bytes of the specified length.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/random(/:bytes)`   |
-
-### Parameters
-
-- `bytes` `(int: 32)` – Specifies the number of bytes to return. This value can
-  be specified either in the request body, or as a part of the URL.
-
-- `format` `(string: "base64")` – Specifies the output encoding. Valid options
-  are `hex` or `base64`.
-
-### Sample Payload
-
-```json
-{
-  "format": "hex"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/random/164
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "random_bytes": "dGhlIHF1aWNrIGJyb3duIGZveAo="
-  }
-}
-```
-
-## Hash Data
-
-This endpoint returns the cryptographic hash of given data using the specified
-algorithm.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/hash(/:algorithm)` |
-
-### Parameters
-
-- `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
-  can also be specified as part of the URL. Currently-supported algorithms are:
-
-    - `sha2-224`
-    - `sha2-256`
-    - `sha2-384`
-    - `sha2-512`
-
-- `input` `(string: <required>)` – Specifies the **base64 encoded** input data.
-
-- `format` `(string: "hex")` – Specifies the output encoding. This can be either
-  `hex` or `base64`.
-
-### Sample Payload
-
-```json
-{
-  "input": "adba32=="
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/hash/sha2-512
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "sum": "dGhlIHF1aWNrIGJyb3duIGZveAo="
-  }
-}
-```
-
-## Generate HMAC
-
-This endpoint returns the digest of given data using the specified hash
-algorithm and the named key. The key can be of any type supported by `transit`;
-the raw key will be marshaled into bytes to be used for the HMAC function. If
-the key is of a type that supports rotation, the latest (current) version will
-be used.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/hmac/:name(/:algorithm)` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  generate hmac against. This is specified as part of the URL.
-
-- `key_version` `(int: 0)` – Specifies the version of the key to use for the
-  operation. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
-
-- `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
-  can also be specified as part of the URL. Currently-supported algorithms are:
-
-    - `sha2-224`
-    - `sha2-256`
-    - `sha2-384`
-    - `sha2-512`
-
-- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
-  `input` or `batch_input` must be supplied.
-
-- `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
-  When this parameter is set, if the parameter 'input' is also set, it will be
-  ignored.  Responses are returned in the 'batch_results' array component of the
-  'data' element of the response. If the input data value of an item is invalid, the
-  corresponding item in the 'batch_results' will have the key 'error' with a value
-  describing the error. The format for batch_input is:
-
-    ```json
-    {
-      "batch_input": [
-        {
-          "input": "adba32=="
-        },
-        {
-          "input": "aGVsbG8gd29ybGQuCg=="
-        }
-      ]
-    }
-    ```
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/hmac/my-key/sha2-512
-```
-
-### Sample Payload
-
-```json
-{
-  "input": "adba32=="
-}
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "hmac": "dGhlIHF1aWNrIGJyb3duIGZveAo="
-  }
-}
-```
-
-### Sample Payload with batch_input
-
-```json
-{
-  "batch_input": [
-    {
-      "input": "adba32=="
-    },
-    {
-      "input": "adba32=="
-    },
-    {},
-    {
-      "input": ""
-    }
-  ]
-}
-```
-
-### Sample Response for batch_input
-
-```json
-{
-  "data": {
-    "batch_results": [
-      {
-        "hmac": "vault:v1:1jFhRYWHiddSKgEFyVRpX8ieX7UU+748NBwHKecXE3hnGBoAxrfgoD5U0yAvji7b5X6V1fP"
-      },
-      {
-        "hmac": "vault:v1:1jFhRYWHiddSKgEFyVRpX8ieX7UU+748NBwHKecXE3hnGBoAxrfgoD5U0yAvji7b5X6V1fP"
-      },
-      {
-        "error": "missing input for HMAC"
-      },
-      {
-        "hmac": "vault:v1:/wsSP6iQ9ECO9RRkefKLXey9sDntzSjoiW0vBrWfUsYB0ISroyC6plUt/jN7gcOv9O+Ecow"
-      }
-    ]
-  }
-}
-```
-
-
-## Sign Data
-
-This endpoint returns the cryptographic signature of the given data using the
-named key and the specified hash algorithm. The key must be of a type that
-supports signing.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/sign/:name(/:hash_algorithm)` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key to
-  use for signing. This is specified as part of the URL.
-
-- `key_version` `(int: 0)` – Specifies the version of the key to use for
-  signing. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
-
-- `hash_algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use for
-  supporting key types (notably, not including `ed25519` which specifies its
-  own hash algorithm). This can also be specified as part of the URL.
-  Currently-supported algorithms are:
-
-    - `sha1`
-    - `sha2-224`
-    - `sha2-256`
-    - `sha2-384`
-    - `sha2-512`
-
-- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
-  `input` or `batch_input` must be supplied.
-
-- `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
-  When this parameter is set, any supplied 'input' or 'context' parameters will be
-  ignored.  Responses are returned in the 'batch_results' array component of the
-  'data' element of the response. If the input data value of an item is invalid, the
-  corresponding item in the 'batch_results' will have the key 'error' with a value
-  describing the error. The format for batch_input is:
-
-    ```json
-    {
-      "batch_input": [
-        {
-          "input": "adba32==",
-          "context": "abcd"
-        },
-        {
-          "input": "aGVsbG8gd29ybGQuCg==",
-          "context": "efgh"
-        }
-      ]
-    }
-    ```
-
-- `context` `(string: "")` - Base64 encoded context for key derivation.
-   Required if key derivation is enabled; currently only available with ed25519
-   keys.
-
-- `prehashed` `(bool: false)` - Set to `true` when the input is already hashed.
-  If the key type is `rsa-2048` or `rsa-4096`, then the algorithm used to hash
-  the input should be indicated by the `hash_algorithm` parameter.  Just as the
-  value to sign should be the base64-encoded representation of the exact binary
-  data you want signed, when set, `input` is expected to be base64-encoded
-  binary hashed data, not hex-formatted. (As an example, on the command line,
-  you could generate a suitable input via `openssl dgst -sha256 -binary |
-  base64`.)
-
-- `signature_algorithm` `(string: "pss")` – When using a RSA key, specifies the RSA
-  signature algorithm to use for signing. Supported signature types are:
-
-    - `pss`
-    - `pkcs1v15`
-
-- `marshaling_algorithm` `(string: "asn1")` – Specifies the way in which the signature should be marshaled. This currently only applies to ECDSA keys. Supported types are:
-
-    - `asn1`: The default, used by OpenSSL and X.509
-    - `jws`: The version used by JWS (and thus for JWTs). Selecting this will
-      also change the output encoding to URL-safe Base64 encoding instead of
-      standard Base64-encoding.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/sign/my-key/sha2-512
-```
-
-### Sample Payload
-
-```json
-{
-  "input": "adba32=="
-}
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "signature": "vault:v1:MEUCIQCyb869d7KWuA0hBM9b5NJrmWzMW3/pT+0XYCM9VmGR+QIgWWF6ufi4OS2xo1eS2V5IeJQfsi59qeMWtgX0LipxEHI="
-  }
-}
-```
-
-### Sample Payload with batch_input
-
- Given an ed25519 key with derived keys set, the context parameter is expected for each batch_input item, and
- the response will include the derived public key for each item.
-```
-{
-  "batch_input": [
-    {
-      "input": "adba32==",
-      "context": "efgh"
-    },
-    {
-      "input": "adba32==",
-      "context": "abcd"
-    },
-    {}
-  ]
-}
-```
-
-### Sample Response for batch_input
-```
-{
-  "data": {
-    "batch_results": [
-      {
-        "signature": "vault:v1:+R3cxAy6j4KriYzAyExU6p1glnyT/eLDSaUZO7gr8a8kgi/zSynNbOBSDJcGaAfLD1OF2hGupYBYTjmZMNoVAA==",
-        "publickey": "2fQIaaem7+EhSGs3jUebAS/8qP2+sUrmxOmgqZIZc0c="
-      },
-      {
-        "signature": "vault:v1:3hBwA88lnuAVJqb5rCCEstzKYaBTeSdejk356BTCE/nKwySOhzQH3mWCvJZwbRptNGa7ia5ykosYYdJz+aIKDA==",
-        "publickey": "goDXuePo7L9z6HOw+a54O4HeV189BLECK9nAUudwp4Y="
-      },
-      {
-        "error": "missing input"
-      }
-    ]
-  },
-}
-```
-
-## Verify Signed Data
-
-This endpoint returns whether the provided signature is valid for the given
-data.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/transit/verify/:name(/:hash_algorithm)` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the encryption key that
-  was used to generate the signature or HMAC.
-
-- `hash_algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
-  can also be specified as part of the URL. Currently-supported algorithms are:
-
-    - `sha1`
-    - `sha2-224`
-    - `sha2-256`
-    - `sha2-384`
-    - `sha2-512`
-
-- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
-  `input` or `batch_input` must be supplied.
-
-- `signature` `(string: "")` – Specifies the signature output from the
-  `/transit/sign` function. Either this must be supplied or `hmac` must be
-  supplied.
-
-- `hmac` `(string: "")` – Specifies the signature output from the
-  `/transit/hmac` function. Either this must be supplied or `signature` must be
-  supplied.
-
-- `batch_input` `(array<object>: nil)` – Specifies a list of items for processing.
-  When this parameter is set, any supplied 'input', 'hmac' or 'signature' parameters
-  will be ignored.  'batch_input' items should contain an 'input' parameter and
-  either an 'hmac' or 'signature' parameter. All items in the batch must consistently
-  supply either 'hmac' or 'signature' parameters.  It is an error for some items to
-  supply 'hmac' while others supply 'signature'. Responses are returned in the
-  'batch_results' array component of the 'data' element of the response. If the
-  input data value of an item is invalid, the corresponding item in the 'batch_results'
-  will have the key 'error' with a value describing the error. The format for batch_input is:
-
-    ```json
-    {
-      "batch_input": [
-        {
-          "input": "adba32==",
-          "hmac": "vault:v1:1jFhRYWHiddSKgEFyVRpX8ieX7UU+748NBwHKecXE3hnGBoAxrfgoD5U0yAvji7b5X6V1fP"
-        },
-        {
-          "input": "aGVsbG8gd29ybGQuCg==",
-          "hmac": "vault:v1:/wsSP6iQ9ECO9RRkefKLXey9sDntzSjoiW0vBrWfUsYB0ISroyC6plUt/jN7gcOv9O+Ecow"
-        }
-      ]
-    }
-    ```
-
-- `context` `(string: "")` - Base64 encoded context for key derivation.
-   Required if key derivation is enabled; currently only available with ed25519
-   keys.
-
-- `prehashed` `(bool: false)` - Set to `true` when the input is already
-   hashed. If the key type is `rsa-2048` or `rsa-4096`, then the algorithm used
-   to hash the input should be indicated by the `hash_algorithm` parameter.
-
-- `signature_algorithm` `(string: "pss")` – When using a RSA key, specifies the RSA
-  signature algorithm to use for signature verification. Supported signature types
-  are:
-
-    - `pss`
-    - `pkcs1v15`
-
-- `marshaling_algorithm` `(string: "asn1")` – Specifies the way in which the signature was originally marshaled. This currently only applies to ECDSA keys. Supported types are:
-
-    - `asn1`: The default, used by OpenSSL and X.509
-    - `jws`: The version used by JWS (and thus for JWTs). Selecting this will
-      also expect the input encoding to URL-safe Base64 encoding instead of
-      standard Base64-encoding.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/verify/my-key/sha2-512
-```
-
-### Sample Payload
-
-```json
-{
-  "input": "abcd13==",
-  "signature": "vault:v1:MEUCIQCyb869d7KWuA..."
-}
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "valid": true
-  }
-}
-```
-
-### Sample Payload with batch_input
-
-```
-{
-  "batch_input": [
-    {
-      "input": "adba32==",
-      "context": "abcd",
-      "signature": "vault:v1:3hBwA88lnuAVJqb5rCCEstzKYaBTeSdejk356BTCE/nKwySOhzQH3mWCvJZwbRptNGa7ia5ykosYYdJz+aIKDA=="
-    },
-    {
-      "input": "adba32==",
-      "context": "efgh",
-      "signature": "vault:v1:3hBwA88lnuAVJqb5rCCEstzKYaBTeSdejk356BTCE/nKwySOhzQH3mWCvJZwbRptNGa7ia5ykosYYdJz+aIKDA=="
-    },
-    {
-      "input": "",
-      "context": "abcd",
-      "signature": "vault:v1:C/pxm5V1RI6kqudLdbLdj5Bpm2P38FKgvxoV69oNXphvJukRcQIqjZO793jCa2JPYPG21Y7vquDWy/Ff4Ma4AQ=="
-    }
-  ]
-}
-```
-
-### Sample Response for batch_input
-```
-{
-  "data": {
-    "batch_results": [
-      {
-        "valid": true
-      },
-      {
-        "valid": false
-      },
-      {
-        "valid": true
-      }
-    ]
-  },
-}
-```
-
-## Backup Key
-
-This endpoint returns a plaintext backup of a named key. The backup contains all
-the configuration data and keys of all the versions along with the HMAC key.
-The response from this endpoint can be used with the `/restore` endpoint to
-restore the key.
-
-| Method  | Path                    |
-| :---------------------- | :--------------------- |
-| `GET`   | `/transit/backup/:name` |
-
-### Parameters
-
- - `name` `(string: <required>)` - Name of the key.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/transit/backup/aes
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "backup": "eyJwb2xpY3kiOnsibmFtZSI6ImFlcyIsImtleXMiOnsiMSI6eyJrZXkiOiJXK3k4Z0dOMHdiTDJLOU95NXFPN1laMGtjdzMvR0ZiNWM4STBzdlNMMnFNPSIsImhtYWNfa2V5IjoiUDBTcjh1YTJaZERNUTdPd2h4RGp1Z0U5d0JSR3Q2QXl6K0t4TzN5Z2M5ST0iLCJ0aW1lIjoiMjAxNy0xMi0wOFQxMTo1MDowOC42MTM4MzctMDU6MDAiLCJlY194IjpudWxsLCJlY195IjpudWxsLCJlY19kIjpudWxsLCJyc2Ffa2V5IjpudWxsLCJwdWJsaWNfa2V5IjoiIiwiY3JlYXRpb25fdGltZSI6MTUxMjc1MTgwOH19LCJkZXJpdmVkIjpmYWxzZSwia2RmIjowLCJjb252ZXJnZW50X2VuY3J5cHRpb24iOmZhbHNlLCJleHBvcnRhYmxlIjpmYWxzZSwibWluX2RlY3J5cHRpb25fdmVyc2lvbiI6MSwibWluX2VuY3J5cHRpb25fdmVyc2lvbiI6MCwibGF0ZXN0X3ZlcnNpb24iOjEsImFyY2hpdmVfdmVyc2lvbiI6MSwiZGVsZXRpb25fYWxsb3dlZCI6ZmFsc2UsImNvbnZlcmdlbnRfdmVyc2lvbiI6MCwidHlwZSI6MCwiYmFja3VwX2luZm8iOnsidGltZSI6IjIwMTctMTItMDhUMTE6NTA6MjkuMjI4MTU3LTA1OjAwIiwidmVyc2lvbiI6MX0sInJlc3RvcmVfaW5mbyI6bnVsbH0sImFyY2hpdmVkX2tleXMiOnsia2V5cyI6W3sia2V5IjpudWxsLCJobWFjX2tleSI6bnVsbCwidGltZSI6IjAwMDEtMDEtMDFUMDA6MDA6MDBaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNyZWF0aW9uX3RpbWUiOjB9LHsia2V5IjoiVyt5OGdHTjB3YkwySzlPeTVxTzdZWjBrY3czL0dGYjVjOEkwc3ZTTDJxTT0iLCJobWFjX2tleSI6IlAwU3I4dWEyWmRETVE3T3doeERqdWdFOXdCUkd0NkF5eitLeE8zeWdjOUk9IiwidGltZSI6IjIwMTctMTItMDhUMTE6NTA6MDguNjEzODM3LTA1OjAwIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNyZWF0aW9uX3RpbWUiOjE1MTI3NTE4MDh9XX19Cg=="
-  }
-}
-```
-
-## Restore Key
-
-This endpoint restores the backup as a named key. This will restore the key
-configurations and all the versions of the named key along with HMAC keys. The
-input to this endpoint should be the output of `/backup` endpoint.
-
- ~> For safety, by default the backend will refuse to restore to an existing
- key. If you want to reuse a key name, it is recommended you delete the key
- before restoring. It is a good idea to attempt restoring to a different key
- name first to verify that the operation successfully completes.
-
-| Method   | Path                        |
-| :-------------------------- | :--------------------- |
-| `POST`   | `/transit/restore(/:name)`  |
-
-### Parameters
-
- - `backup` `(string: <required>)` - Backed up key data to be restored. This
-   should be the output from the `/backup` endpoint.
-
- - `name` `(string: <optional>)` - If set, this will be the name of the
-   restored key.
-
- - `force` `(bool: false)` - If set, force the restore to proceed even if a key
-   by this name already exists.
-
-### Sample Payload
-
-```json
-  "backup": "eyJwb2xpY3kiOnsibmFtZSI6ImFlcyIsImtleXMiOnsiMSI6eyJrZXkiOiJXK3k4Z0dOMHdiTDJLOU95NXFPN1laMGtjdzMvR0ZiNWM4STBzdlNMMnFNPSIsImhtYWNfa2V5IjoiUDBTcjh1YTJaZERNUTdPd2h4RGp1Z0U5d0JSR3Q2QXl6K0t4TzN5Z2M5ST0iLCJ0aW1lIjoiMjAxNy0xMi0wOFQxMTo1MDowOC42MTM4MzctMDU6MDAiLCJlY194IjpudWxsLCJlY195IjpudWxsLCJlY19kIjpudWxsLCJyc2Ffa2V5IjpudWxsLCJwdWJsaWNfa2V5IjoiIiwiY3JlYXRpb25fdGltZSI6MTUxMjc1MTgwOH19LCJkZXJpdmVkIjpmYWxzZSwia2RmIjowLCJjb252ZXJnZW50X2VuY3J5cHRpb24iOmZhbHNlLCJleHBvcnRhYmxlIjpmYWxzZSwibWluX2RlY3J5cHRpb25fdmVyc2lvbiI6MSwibWluX2VuY3J5cHRpb25fdmVyc2lvbiI6MCwibGF0ZXN0X3ZlcnNpb24iOjEsImFyY2hpdmVfdmVyc2lvbiI6MSwiZGVsZXRpb25fYWxsb3dlZCI6ZmFsc2UsImNvbnZlcmdlbnRfdmVyc2lvbiI6MCwidHlwZSI6MCwiYmFja3VwX2luZm8iOnsidGltZSI6IjIwMTctMTItMDhUMTE6NTA6MjkuMjI4MTU3LTA1OjAwIiwidmVyc2lvbiI6MX0sInJlc3RvcmVfaW5mbyI6bnVsbH0sImFyY2hpdmVkX2tleXMiOnsia2V5cyI6W3sia2V5IjpudWxsLCJobWFjX2tleSI6bnVsbCwidGltZSI6IjAwMDEtMDEtMDFUMDA6MDA6MDBaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNyZWF0aW9uX3RpbWUiOjB9LHsia2V5IjoiVyt5OGdHTjB3YkwySzlPeTVxTzdZWjBrY3czL0dGYjVjOEkwc3ZTTDJxTT0iLCJobWFjX2tleSI6IlAwU3I4dWEyWmRETVE3T3doeERqdWdFOXdCUkd0NkF5eitLeE8zeWdjOUk9IiwidGltZSI6IjIwMTctMTItMDhUMTE6NTA6MDguNjEzODM3LTA1OjAwIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNyZWF0aW9uX3RpbWUiOjE1MTI3NTE4MDh9XX19Cg=="
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/restore
-```
-
-## Trim Key
-
-This endpoint trims older key versions setting a minimum version for the
-keyring. Once trimmed, previous versions of the key cannot be recovered.
-
-| Method   | Path                       |
-| :------------------------- | :--------------------- |
-| `POST`   | `/transit/keys/:name/trim` |
-
-### Parameters
-
-- `min_available_version` `(int: <required>)` - The minimum available version
-  for the key ring. All versions before this version will be permanently
-  deleted. This value can at most be equal to the lesser of
-  `min_decryption_version` and `min_encryption_version`. This is not allowed to
-  be set when either `min_encryption_version` or `min_decryption_version` is set
-  to zero.
-
-### Sample Payload
-
-```json
-{
-    "min_version": 2
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/keys/my-key/trim
-```
-
-## Configure Cache
-
-This endpoint is used to configure the transit engine's cache. Note that configuration
-changes will not be applied until the transit plugin is reloaded which can be achieved
- using the [`/sys/plugins/reload/backend`][sys-plugin-reload-backend] endpoint.
-
-| Method   | Path                       |
-| :------------------------- | :--------------------- |
-| `POST`   | `/transit/cache-config` |
-
-### Parameters
-
-- `size` `(int: 0)` - Specifies the size in terms of number of entries. A size of
-  `0` means unlimited. A _Least Recently Used_ (LRU) caching strategy is used for a
-  non-zero cache size.
-
-### Sample Payload
-
-```json
-{
-  "size": 456
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..."
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/transit/cache-config
-```
-
-## Read Transit Cache Configuration
-
-This endpoint retrieves configurations for the transit engine's cache.
-
-| Method   | Path                       |
-| :------------------------- | :--------------------- |
-| `GET`   | `/transit/cache-config` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..."
-    --request GET \
-    http://127.0.0.1:8200/v1/transit/cache-config
-```
-
-### Sample Response
-
-```json
-  "data": {
-    "size": 0
-  },
-```
-
-[sys-plugin-reload-backend]: /api/system/plugins-reload-backend.html#reload-plugins
diff --git a/website/source/api/system/audit-hash.html.md b/website/source/api/system/audit-hash.html.md
deleted file mode 100644
index d9b804c51742..000000000000
--- a/website/source/api/system/audit-hash.html.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-layout: "api"
-page_title: "/sys/audit-hash - HTTP API"
-sidebar_title: "<code>/sys/audit-hash</code>"
-sidebar_current: "api-http-system-audit-hash"
-description: |-
-  The `/sys/audit-hash` endpoint is used to hash data using an audit device's
-  hash function and salt.
----
-
-# `/sys/audit-hash`
-
-The `/sys/audit-hash` endpoint is used to calculate the hash of the data used by
-an audit device's hash function and salt. This can be used to search audit logs
-for a hashed value when the original value is known.
-
-## Calculate Hash
-
-This endpoint hashes the given input data with the specified audit device's
-hash function and salt. This endpoint can be used to discover whether a given
-plaintext string (the `input` parameter) appears in the audit log in obfuscated
-form.
-
-The audit log records requests and responses. Since the Vault API is JSON-based,
-any binary data returned from an API call (such as a DER-format certificate) is
-base64-encoded by the Vault server in the response. As a result such information
-should also be base64-encoded to supply into the `input` parameter.
-
-| Method | Path                    |
-| :---------------------- | :----------------- |
-| `POST` | `/sys/audit-hash/:path` |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the audit device to
-  generate hashes for. This is part of the request URL.
-
-- `input` `(string: <required>)` – Specifies the input string to hash.
-
-### Sample Payload
-
-```json
-{
-  "input": "my-secret-vault"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/audit-hash/example-audit
-```
-
-### Sample Response
-
-```json
-{
-  "hash": "hmac-sha256:08ba35..."
-}
-```
diff --git a/website/source/api/system/audit.html.md b/website/source/api/system/audit.html.md
deleted file mode 100644
index fe349ec33213..000000000000
--- a/website/source/api/system/audit.html.md
+++ /dev/null
@@ -1,125 +0,0 @@
----
-layout: "api"
-page_title: "/sys/audit - HTTP API"
-sidebar_title: "<code>/sys/audit</code>"
-sidebar_current: "api-http-system-audit/"
-description: |-
-  The `/sys/audit` endpoint is used to enable and disable audit devices.
----
-
-# `/sys/audit`
-
-The `/sys/audit` endpoint is used to list, enable, and disable audit devices.
-Audit devices must be enabled before use, and more than one device may be
-enabled at a time.
-
-## List Enabled Audit Devices
-
-This endpoint lists only the enabled audit devices (it does not list all
-available audit devices).
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/audit`                 |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/audit
-```
-
-### Sample Response
-
-```javascript
-{
-  "file": {
-    "type": "file",
-    "description": "Store logs in a file",
-    "options": {
-      "file_path": "/var/log/vault.log"
-    }
-  }
-}
-```
-
-## Enable Audit Device
-
-This endpoint enables a new audit device at the supplied path. The path can be a
-single word name or a more complex, nested path.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/audit/:path`           |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path in which to enable the audit
-  device. This is part of the request URL.
-
-- `description` `(string: "")` – Specifies a human-friendly description of the
-  audit device.
-
-- `options` `(map<string|string>: nil)` – Specifies configuration options to
-  pass to the audit device itself. This is dependent on the audit device type.
-
-- `type` `(string: <required>)` – Specifies the type of the audit device.
-
-Additionally, the following options are allowed in Vault open-source, but
-relevant functionality is only supported in Vault Enterprise:
-
-- `local` `(bool: false)` – Specifies if the audit device is a local only. Local
-  audit devices are not replicated nor (if a secondary) removed by replication.
-
-### Sample Payload
-
-```json
-{
-  "type": "file",
-  "options": {
-    "file_path": "/var/log/vault/log"
-  }
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/audit/example-audit
-```
-
-## Disable Audit Device
-
-This endpoint disables the audit device at the given path.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/audit/:path`           |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path of the audit device to
-  delete. This is part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/audit/example-audit
-```
diff --git a/website/source/api/system/auth.html.md b/website/source/api/system/auth.html.md
deleted file mode 100644
index c23241a19374..000000000000
--- a/website/source/api/system/auth.html.md
+++ /dev/null
@@ -1,267 +0,0 @@
----
-layout: "api"
-page_title: "/sys/auth - HTTP API"
-sidebar_title: "<code>/sys/auth</code>"
-sidebar_current: "api-http-system-auth"
-description: |-
-  The `/sys/auth` endpoint is used to manage auth methods in Vault.
----
-
-# `/sys/auth`
-
-The `/sys/auth` endpoint is used to list, create, update, and delete auth
-methods. Auth methods convert user or machine-supplied information into a
-token which can be used for all future requests.
-
-## List Auth Methods
-
-This endpoint lists all enabled auth methods.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/auth`                  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/auth
-```
-
-### Sample Response
-
-```json
-{
-  "github/": {
-    "type": "github",
-    "description": "GitHub auth"
-  },
-  "token/": {
-    "config": {
-      "default_lease_ttl": 0,
-      "max_lease_ttl": 0
-    },
-    "description": "token based credentials",
-    "type": "token"
-  }
-}
-```
-
-## Enable Auth Method
-
-This endpoint enables a new auth method. After enabling, the auth method can
-be accessed and configured via the auth path specified as part of the URL. This
-auth path will be nested under the `auth` prefix.
-
-For example, enable the "foo" auth method will make it accessible at
-`/auth/foo`.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/auth/:path`            |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path in which to enable the auth
-  method. This is part of the request URL.
-
-    !> **NOTE:** Use ASCII printable characters to specify the desired path.
-
-- `description` `(string: "")` – Specifies a human-friendly description of the
-  auth method.
-
-- `type` `(string: <required>)` – Specifies the name of the authentication
-  method type, such as "github" or "token".
-
-- `config` `(map<string|string>: nil)` – Specifies configuration options for
-  this auth method. These are the possible values:
-
-  - `default_lease_ttl` `(string: "")` - The default lease duration, specified
-    as a string duration like "5s" or "30m".
-
-  - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
-    string duration like "5s" or "30m".
-
-  - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
-    that will not be HMAC'd by audit devices in the request data object.
-
-  - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
-    that will not be HMAC'd by audit devices in the response data object.
-
-  - `listing_visibility` `(string: "")` - Specifies whether to show this mount
-    in the UI-specific listing endpoint.
-
-  - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
-    to whitelist and pass from the request to the plugin.
-
-  - `allowed_response_headers` `(array: [])` - Comma-separated list of headers
-    to whitelist, allowing a plugin to include them in the response.
-
-Additionally, the following options are allowed in Vault open-source, but
-relevant functionality is only supported in Vault Enterprise:
-
-- `local` `(bool: false)` – Specifies if the auth method is local only. Local
-  auth methods are not replicated nor (if a secondary) removed by replication.
-
-  ~> ** Warning:** Remember, policies when using replication secondaries are
-  validated by the local cluster. An administrator that can set up a local auth
-  method mount can assign policies to tokens that are valid on the replication
-  primary if a request is forwarded. Never give untrusted administrators the
-  ability to assign policies or configure authentication methods.
-
-- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
-  values stored by the mount to be wrapped by the seal's encryption capability.
-
-### Sample Payload
-
-```json
-{
-  "type": "github",
-  "description": "Login with GitHub"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/auth/my-auth
-```
-
-## Disable Auth Method
-
-This endpoint disables the auth method at the given auth path.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/auth/:path`            |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path to disable. This is part of
-  the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/auth/my-auth
-```
-
-## Read Auth Method Tuning
-
-This endpoint reads the given auth path's configuration. _This endpoint requires
-`sudo` capability on the final path, but the same functionality can be achieved
-without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/auth/:path/tune`       |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path in which to tune.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/auth/my-auth/tune
-```
-
-### Sample Response
-
-```json
-{
-  "default_lease_ttl": 3600,
-  "max_lease_ttl": 7200
-}
-```
-
-## Tune Auth Method
-
-Tune configuration parameters for a given auth path. _This endpoint
-requires `sudo` capability on the final path, but the same functionality
-can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/auth/:path/tune`       |
-
-### Parameters
-
-- `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. If set on
-  a specific auth path, this overrides the global default.
-
-- `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. If set on a
-  specific auth path, this overrides the global default.
-
-- `description` `(string: "")` – Specifies the description of the mount. This
-  overrides the current stored value, if any.
-
-- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
-  list of keys that will not be HMAC'd by audit devices in the request data
-  object.
-
-- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
-  list of keys that will not be HMAC'd by audit devices in the response data
-  object.
-
-- `listing_visibility` `(string: "")` - Specifies whether to show this mount
-   in the UI-specific listing endpoint. Valid values are `"unauth"` or `""`.
-
-- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
-  to whitelist and pass from the request to the plugin.
-
-- `allowed_response_headers` `(array: [])` - Comma-separated list of headers
-  to whitelist, allowing a plugin to include them in the response.
-
-- `token_type` `(string: "")` – Specifies the type of tokens that should be
-  returned by the mount. The following values are available:
-
-  - `default-service`: Unless the auth method requests a different type, issue
-    service tokens
-  - `default-batch`: Unless the auth method requests a different type, issue
-    batch tokens
-  - `service`: Override any auth method preference and always issue service
-    tokens from this mount
-  - `batch`: Override any auth method preference and always issue batch tokens
-    from this mount
-
-### Sample Payload
-
-```json
-{
-  "default_lease_ttl": 1800,
-  "max_lease_ttl": 86400
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/auth/my-auth/tune
-```
diff --git a/website/source/api/system/capabilities-accessor.html.md b/website/source/api/system/capabilities-accessor.html.md
deleted file mode 100644
index 6b24651ff2bf..000000000000
--- a/website/source/api/system/capabilities-accessor.html.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-layout: "api"
-page_title: "/sys/capabilities-accessor - HTTP API"
-sidebar_title: "<code>/sys/capabilities-accessor</code>"
-sidebar_current: "api-http-system-capabilities-accessor"
-description: |-
-  The `/sys/capabilities-accessor` endpoint is used to fetch the capabilities of
-  the token associated with an accessor, on the given paths.
----
-
-# `/sys/capabilities-accessor`
-
-The `/sys/capabilities-accessor` endpoint is used to fetch the capabilities of
-the token associated with the given accessor. The capabilities returned will be
-derived from the policies that are on the token, and from the policies to which
-the token is entitled to through the entity and entity's group memberships.
-
-## Query Token Accessor Capabilities
-
-This endpoint returns the capabilities of the token associated with the given
-accessor, for the given path. Multiple paths are taken in at once and the
-capabilities of the token associated with the given accessor for each path is
-returned. For backwards compatibility, if a single path is supplied, a
-`capabilities` field will also be returned.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/capabilities-accessor` |
-
-### Parameters
-
-- `accessor` `(string: <required>)` – Accessor of the token for which
-  capabilities are being queried.
-
-- `paths` `(list: <required>)` – Paths on which capabilities are being
-  queried.
-
-### Sample Payload
-
-```json
-{
-  "accessor": "abcd1234",
-  "paths": ["secret/foo"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/capabilities-accessor
-```
-
-### Sample Response
-
-```json
-{
-  "capabilities": [
-    "delete",
-    "list",
-    "read",
-    "update"
-  ],
-  "secret/foo": [
-    "delete",
-    "list",
-    "read",
-    "update"
-  ]
-}
-```
diff --git a/website/source/api/system/capabilities-self.html.md b/website/source/api/system/capabilities-self.html.md
deleted file mode 100644
index c5a45b3c7202..000000000000
--- a/website/source/api/system/capabilities-self.html.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-layout: "api"
-page_title: "/sys/capabilities-self - HTTP API"
-sidebar_title: "<code>/sys/capabilities-self</code>"
-sidebar_current: "api-http-system-capabilities-self"
-description: |-
-  The `/sys/capabilities-self` endpoint is used to fetch the capabilities of
-  client token on the given paths.
----
-
-# `/sys/capabilities-self`
-
-The `/sys/capabilities-self` endpoint is used to fetch the capabilities of the
-token used to make the API call, on the given paths. The capabilities returned
-will be derived from the policies that are on the token, and from the policies
-to which the token is entitled to through the entity and entity's group
-memberships.
-
-## Query Self Capabilities
-
-This endpoint returns the capabilities of client token on the given paths. The
-client token is the Vault token with which this API call is made. Multiple
-paths are taken in at once and the capabilities of the token for each path is
-returned. For backwards compatibility, if a single path is supplied, a
-`capabilities` field will also be returned.
-
-| Method   | Path                     |
-| :----------------------- | :--------------------- |
-| `POST`   | `/sys/capabilities-self` |
-
-
-### Parameters
-
-- `paths` `(list: <required>)` – Paths on which capabilities are being queried.
-
-### Sample Payload
-
-```json
-{
-  "paths": ["secret/foo"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/capabilities-self
-```
-
-### Sample Response
-
-```json
-{
-  "capabilities": [
-    "delete",
-    "list",
-    "read",
-    "update"
-  ],
-  "secret/foo": [
-    "delete",
-    "list",
-    "read",
-    "update"
-  ]
-}
diff --git a/website/source/api/system/capabilities.html.md b/website/source/api/system/capabilities.html.md
deleted file mode 100644
index 0a3407c0ec89..000000000000
--- a/website/source/api/system/capabilities.html.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-layout: "api"
-page_title: "/sys/capabilities - HTTP API"
-sidebar_title: "<code>/sys/capabilities</code>"
-sidebar_current: "api-http-system-capabilities/"
-description: |-
-  The `/sys/capabilities` endpoint is used to fetch the capabilities of a token
-  on the given paths.
----
-
-# `/sys/capabilities`
-
-The `/sys/capabilities` endpoint is used to fetch the capabilities of a token
-on the given paths. The capabilities returned will be derived from the policies
-that are on the token, and from the policies to which the token is entitled to
-through the entity and entity's group memberships.
-
-## Query Token Capabilities
-
-This endpoint returns the list of capabilities of a given token on the given
-paths. Multiple paths are taken in at once and the capabilities of the token
-for each path is returned. For backwards compatibility, if a single path is
-supplied, a `capabilities` field will also be returned.
-
-| Method   | Path                 |
-| :------------------- | :--------------------- |
-| `POST`   | `/sys/capabilities`  |
-
-### Parameters
-
-- `paths` `(list: <required>)` – Paths on which capabilities are being queried.
-
-- `token` `(string: <required>)` – Token for which capabilities are being
-  queried.
-
-### Sample Payload
-
-```json
-{
-  "token": "abcd1234",
-  "paths": ["secret/foo"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/capabilities
-```
-
-### Sample Response
-
-```json
-{
-  "capabilities": [
-    "delete",
-    "list",
-    "read",
-    "update"
-  ],
-  "secret/foo": [
-    "delete",
-    "list",
-    "read",
-    "update"
-  ]
-}
-```
diff --git a/website/source/api/system/config-auditing.html.md b/website/source/api/system/config-auditing.html.md
deleted file mode 100644
index e710ac86fa4c..000000000000
--- a/website/source/api/system/config-auditing.html.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-layout: "api"
-page_title: "/sys/config/auditing - HTTP API"
-sidebar_title: "<code>/sys/config/auditing</code>"
-sidebar_current: "api-http-system-config-auditing"
-description: |-
-  The `/sys/config/auditing` endpoint is used to configure auditing settings.
----
-
-# `/sys/config/auditing/request-headers`
-
-The `/sys/config/auditing` endpoint is used to configure auditing settings.
-
-## Read All Audited Request Headers
-
-This endpoint lists the request headers that are configured to be audited.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/config/auditing/request-headers` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/config/auditing/request-headers
-```
-
-### Sample Response
-
-```json
-{
-  "headers": {
-    "X-Forwarded-For": {
-      "hmac": true
-    }
-  }
-}
-```
-
-## Read Single Audit Request Header
-
-This endpoint lists the information for the given request header.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/config/auditing/request-headers/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the request header to
-  query. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/my-header
-```
-
-### Sample Response
-
-```json
-{
-  "X-Forwarded-For": {
-    "hmac": true
-  }
-}
-```
-
-## Create/Update Audit Request Header
-
-This endpoint enables auditing of a header.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/config/auditing/request-headers/:name` |
-
-### Parameters
-
-- `hmac` `(bool: false)` – Specifies if this header's value should be HMAC'ed in
-  the audit logs.
-
-### Sample Payload
-
-```json
-{
-  "hmac": true
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/my-header
-```
-
-## Delete Audit Request Header
-
-This endpoint disables auditing of the given request header.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/config/auditing/request-headers/:name` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/my-header
-```
diff --git a/website/source/api/system/config-control-group.html.md b/website/source/api/system/config-control-group.html.md
deleted file mode 100644
index d953afdbc463..000000000000
--- a/website/source/api/system/config-control-group.html.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-layout: "api"
-page_title: "/sys/config/control-group - HTTP API"
-sidebar_title: "<code>/sys/config/control-group</code>"
-sidebar_current: "api-http-system-config-control-group"
-description: |-
-  The '/sys/config/control-group' endpoint configures control groups.
----
-
-# `/sys/config/control-group`
-
-~> **Enterprise Only** – These endpoints require Vault Enterprise.
-
-The `/sys/config/control-group` endpoint is used to configure Control Group 
-settings.
-
-## Read Control Group Settings
-
-This endpoint returns the current Control Group configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/config/control-group` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/config/control-group
-```
-
-### Sample Response
-
-```json
-{
-  "max_ttl": "4h"
-}
-```
-
-## Configure Control Group Settings
-
-This endpoint allows configuring control groups.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/config/control-group` |
-
-### Parameters
-
-- `max_ttl` `int` – The maximum ttl for a control group wrapping token.  This can be provided in seconds or duration (2h).
-
-### Sample Payload
-
-```json
-{
-  "max_ttl": "4h"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/config/control-group
-```
-
-## Delete Control Group Settings
-
-This endpoint removes any control group configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/config/control-group` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/config/control-group
-```
diff --git a/website/source/api/system/config-cors.html.md b/website/source/api/system/config-cors.html.md
deleted file mode 100644
index 8d8e2ddab6a2..000000000000
--- a/website/source/api/system/config-cors.html.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-layout: "api"
-page_title: "/sys/config/cors - HTTP API"
-sidebar_title: "<code>/sys/config/cors</code>"
-sidebar_current: "api-http-system-config-cors"
-description: |-
-  The '/sys/config/cors' endpoint configures how the Vault server responds to cross-origin requests.
----
-
-# `/sys/config/cors`
-
-The `/sys/config/cors` endpoint is used to configure CORS settings.
-
-- **`sudo` required** – All CORS endpoints require `sudo` capability in
-  addition to any path-specific capabilities.
-
-## Read CORS Settings
-
-This endpoint returns the current CORS configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/config/cors` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/config/cors
-```
-
-### Sample Response
-
-```json
-{
-  "enabled": true,
-  "allowed_origins": ["http://www.example.com"],
-  "allowed_headers": [
-    "Content-Type",
-    "X-Requested-With",
-    "X-Vault-AWS-IAM-Server-ID",
-    "X-Vault-No-Request-Forwarding",
-    "X-Vault-Token",
-    "Authorization",
-    "X-Vault-Wrap-Format",
-    "X-Vault-Wrap-TTL",
-  ]
-}
-```
-
-## Configure CORS Settings
-
-This endpoint allows configuring the origins that are permitted to make
-cross-origin requests, as well as headers that are allowed on cross-origin requests.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/config/cors` |
-
-### Parameters
-
-- `allowed_origins` `(string or string array: <required>)` – A wildcard (`*`), comma-delimited string, or array of strings specifying the origins that are permitted to make cross-origin requests.
-
-- `allowed_headers` `(string or string array: "" or [])` – A comma-delimited string or array of strings specifying headers that are permitted to be on cross-origin requests. Headers set via this parameter will be appended to the list of headers that Vault allows by default.
-
-### Sample Payload
-
-```json
-{
-  "allowed_origins": "*",
-  "allowed_headers": "X-Custom-Header"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/config/cors
-```
-
-## Delete CORS Settings
-
-This endpoint removes any CORS configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/config/cors` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/config/cors
-```
diff --git a/website/source/api/system/config-state.html.md b/website/source/api/system/config-state.html.md
deleted file mode 100644
index 872ad2cc071d..000000000000
--- a/website/source/api/system/config-state.html.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-layout: "api"
-page_title: "/sys/config/state - HTTP API"
-sidebar_title: "<code>/sys/config/state</code>"
-sidebar_current: "api-http-system-config-state"
-description: |-
-  The '/sys/config/state' endpoint is used to retrieve the configuration state.
----
-
-# `/sys/config/state`
-
-The endpoints under `sys/config/state` return Vault's configuration state.
-Currently, it only supports returning a sanitized version of the configuration.
-
-## `Get Sanitized Configuration State`
-
-This endpoint returns a sanitized version of the configuration state. The
-configuration excludes certain fields and mappings in the configuration file
-that can potentially contain sensitive information, which includes values from
-`Storage.Config`, `HAStorage.Config`, `Seals.Config` and the
-`Telemetry.CirconusAPIToken` value.
-
-| Method | Path                          |
-|:-------|:------------------------------|
-| `GET`  | `/sys/config/state/sanitized` |
-
-
-### Sample Request
-
-```
-$ curl \
-  --header "X-Vault-Token: ..." \
-    'http://127.0.0.1:8200/v1/sys/config/state/sanitized'
-```
-
-### Sample Response
-
-```json
-{
-  "api_addr": "http://127.0.0.1:8200",
-  "cache_size": 0,
-  "cluster_addr": "",
-  "cluster_cipher_suites": "",
-  "cluster_name": "",
-  "default_lease_ttl": 0,
-  "default_max_request_duration": 0,
-  "disable_cache": false,
-  "disable_clustering": false,
-  "disable_indexing": false,
-  "disable_mlock": false,
-  "disable_performance_standby": false,
-  "disable_printable_check": false,
-  "disable_sealwrap": false,
-  "enable_ui": true,
-  "listeners": [
-    {
-      "config": {
-        "address": "127.0.0.1:8200",
-        "tls_disable": 1
-      },
-      "type": "tcp"
-    }
-  ],
-  "log_format": "",
-  "log_level": "",
-  "max_lease_ttl": 0,
-  "pid_file": "",
-  "plugin_directory": "/opt/vault/plugins",
-  "raw_storage_endpoint": false,
-  "seals": [
-    {
-      "disabled": false,
-      "type": "shamir"
-    }
-  ],
-  "storage": {
-    "cluster_addr": "",
-    "disable_clustering": false,
-    "redirect_addr": "http://127.0.0.1:8200",
-    "type": "inmem"
-  }
-}
-```
\ No newline at end of file
diff --git a/website/source/api/system/config-ui.html.md b/website/source/api/system/config-ui.html.md
deleted file mode 100644
index 0178121dce80..000000000000
--- a/website/source/api/system/config-ui.html.md
+++ /dev/null
@@ -1,123 +0,0 @@
----
-layout: "api"
-page_title: "/sys/config/ui - HTTP API"
-sidebar_title: "<code>/sys/config/ui</code>"
-sidebar_current: "api-http-system-config-ui"
-description: |-
-  The '/sys/config/ui' endpoint configures the UI.
----
-
-# `/sys/config/ui`
-
-The `/sys/config/ui` endpoint is used to configure UI settings.
-
-- **`sudo` required** – All UI endpoints require `sudo` capability in
-  addition to any path-specific capabilities.
-
-## Read UI Settings
-
-This endpoint returns the given UI header configuration.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/config/ui/headers/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` – The name of the custom header.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
-```
-
-### Sample Response
-
-```json
-{
-  "value": "custom-value"
-}
-```
-
-## Configure UI Headers
-
-This endpoint allows configuring the values to be returned for the UI header.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/config/ui/headers/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` – The name of the custom header.
-
-- `values` `(list: <required>)` - The values to be returned from the header.
-
-### Sample Payload
-
-```json
-{
-  "values": ["custom value 1", "custom value 2"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
-```
-
-## Delete a UI Header
-
-This endpoint removes a UI header.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/config/ui/headers/:name`|
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
-```
-
-## List UI Headers
-
-This endpoint returns a list of configured UI headers.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/sys/config/ui/headers`   |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/sys/config/ui/headers
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "keys":[
-      "X-Custom...",
-      "X-Header...",
-    ]
-  }
-}
-```
diff --git a/website/source/api/system/control-group.html.md b/website/source/api/system/control-group.html.md
deleted file mode 100644
index e7350ed4db37..000000000000
--- a/website/source/api/system/control-group.html.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-layout: "api"
-page_title: "/sys/control-group - HTTP API"
-sidebar_title: "<code>/sys/control-group</code>"
-sidebar_current: "api-http-system-control-group"
-description: |-
-  The '/sys/control-group' endpoint handles the Control Group workflow.
----
-
-## Authorize Control Group Request
-
-~> **Enterprise Only** – These endpoints require Vault Enterprise.
-
-This endpoint authorizes a control group request.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `POST`   | `/sys/control-group/authorize`   | 
-
-### Parameters
-
-- `accessor` `(string: <required>)` – The accessor for the control group wrapping token.
-
-### Sample Payload
-
-```json
-{
-  "accessor": "0ad21b78-e9bb-64fa-88b8-1e38db217bde",
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/control-group/authorize
-```
-
-### Sample Response
-
-```json
-{
-    "data": {
-        "approved": false
-    }
-}
-```
-
-## Check Control Group Request Status
-
-This endpoint checks the status of a control group request.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `POST`   | `/sys/control-group/request`   | 
-
-### Parameters
-
-- `accessor` `(string: <required>)` – The accessor for the control group wrapping token.
-
-### Sample Payload
-
-```json
-{
-  "accessor": "0ad21b78-e9bb-64fa-88b8-1e38db217bde",
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/control-group/request
-```
-
-### Sample Response
-
-```json
-{
-    "data": {
-        "approved": false,
-        "request_path": "secret/foo",
-        "request_entity": {
-                "id": "c8b6e404-de4b-50a4-2917-715ff8beec8e",
-                "name": "Bob"
-        },
-        "authorizations": [
-            {
-                "entity_id": "6544a3ec-d3cd-443b-b87b-4fd2e889e0b7",
-                "entity_name": "Abby Jones"
-            },
-            {
-                "entity_id": "919084a4-417e-42ee-9d78-87fa2843af37",
-                "entity_name": "James Franklin"
-            }
-        ]
-    }
-}
-```
diff --git a/website/source/api/system/generate-recovery-token.html.md b/website/source/api/system/generate-recovery-token.html.md
deleted file mode 100644
index 5df7ce3f5663..000000000000
--- a/website/source/api/system/generate-recovery-token.html.md
+++ /dev/null
@@ -1,173 +0,0 @@
----
-layout: "api"
-page_title: "/sys/generate-recovery-token - HTTP API"
-sidebar_title: "<code>/sys/generate-recovery-token</code>"
-sidebar_current: "api-http-system-generate-recovery-token"
-description: |-
-  The `/sys/generate-recovery-token/` endpoints are used to create a new 
-  recovery token for Vault.  They are only active in recovery mode.
----
-
-# `/sys/generate-recovery-token`
-
-The `/sys/generate-recovery-token` endpoint is used to create a new recovery
-token for Vault.
-
-## Read Recovery Token Generation Progress
-
-This endpoint reads the configuration and process of the current root generation
-attempt.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/generate-recovery-token/attempt` |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt
-```
-
-### Sample Response
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 1,
-  "required": 3,
-  "encoded_token": "",
-  "pgp_fingerprint": "",
-  "otp_length": 24,
-  "complete": false
-}
-```
-
-If a recovery token generation is started, `progress` is how many unseal keys
-have been provided for this generation attempt, where `required` must be reached
-to complete. The `nonce` for the current attempt and whether the attempt is
-complete is also displayed.
-
-If a PGP key is being used to encrypt the final root
-token, its fingerprint will be returned.
-
-If an OTP is being used to encode the final root token it will be returned only
-once, on the response to the start request.
-
-The OTP is a base62 string, with length of otp_length.
-The raw bytes (char codes) of the token will be XOR'd with
-this value before being returned  as a response to the final unseal
-key, encoded as base64.
-
-## Start Recovery Token Generation
-
-This endpoint initializes a new recovery token generation attempt. Only a single 
-recovery token generation attempt can take place at a time. 
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/generate-recovery-token/attempt` |
-
-### Parameters
-
-- `pgp_key` `(string: <optional>)` – Specifies a base64-encoded PGP public key.
-  The raw bytes of the token will be encrypted with this value before being
-  returned to the final unseal key provider.
-
-### Sample Request
-
-```
-$ curl \
-    --request PUT \
-    http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt    
-```
-
-### Sample Response
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 1,
-  "required": 3,
-  "encoded_token": "",
-  "otp": "2vPFYG8gUSW9npwzyvxXMug0",
-  "otp_length" :24,
-  "complete": false
-}
-```
-
-## Cancel Recovery Token Generation
-
-This endpoint cancels any in-progress recovery token generation attempt. This
-clears any progress made. This must be called to change the OTP or PGP key being
-used.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/generate-recovery-token/attempt` |
-
-### Sample Request
-
-```
-$ curl \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt
-```
-
-## Provide Key Share to Generate Recovery Token
-
-This endpoint is used to enter a single master key share to progress the 
-recovery token generation attempt. If the threshold number of master key shares
-is reached, Vault will complete the recovery token generation and issue the new
-token. Otherwise, this API must be called multiple times until that threshold
-is met. The attempt nonce must be provided with each call.
-
-Note that once a token has been issued, Vault is unsealed.  The token lives
-only in memory and thus will only be valid until the next restart.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/generate-recovery-token/update`  |
-
-### Parameters
-
-- `key` `(string: <required>)` – Specifies a single master key share.
-
-- `nonce` `(string: <required>)` – Specifies the nonce of the attempt.
-
-### Sample Payload
-
-```json
-{
-  "key": "acbd1234",
-  "nonce": "ad235"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/generate-recovery-token/update
-```
-
-### Sample Response
-
-This returns a JSON-encoded object indicating the attempt nonce, and completion
-status, and the encoded recovery token, if the attempt is complete.
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 3,
-  "required": 3,
-  "pgp_fingerprint": "",
-  "complete": true,
-  "encoded_token": "FPzkNBvwNDeFh4SmGA8c+w=="
-}
-```
diff --git a/website/source/api/system/generate-root.html.md b/website/source/api/system/generate-root.html.md
deleted file mode 100644
index a5d008d2140f..000000000000
--- a/website/source/api/system/generate-root.html.md
+++ /dev/null
@@ -1,168 +0,0 @@
----
-layout: "api"
-page_title: "/sys/generate-root - HTTP API"
-sidebar_title: "<code>/sys/generate-root</code>"
-sidebar_current: "api-http-system-generate-root"
-description: |-
-  The `/sys/generate-root/` endpoints are used to create a new root key for
-  Vault.
----
-
-# `/sys/generate-root`
-
-The `/sys/generate-root` endpoint is used to create a new root key for Vault.
-
-## Read Root Generation Progress
-
-This endpoint reads the configuration and process of the current root generation
-attempt.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/generate-root/attempt` |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/generate-root/attempt
-```
-
-### Sample Response
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 1,
-  "required": 3,
-  "encoded_token": "",
-  "pgp_fingerprint": "",
-  "otp_length": 24,
-  "complete": false
-}
-```
-
-If a root generation is started, `progress` is how many unseal keys have been
-provided for this generation attempt, where `required` must be reached to
-complete. The `nonce` for the current attempt and whether the attempt is
-complete is also displayed.
-
-If a PGP key is being used to encrypt the final root
-token, its fingerprint will be returned.
-
-If an OTP is being used to encode the final root token it will be returned only
-once, on the response to the start request.
-
-The OTP is a base62 string, with length of otp_length.
-The raw bytes (char codes) of the token will be XOR'd with
-this value before being returned  as a response to the final unseal
-key, encoded as base64.
-
-## Start Root Token Generation
-
-This endpoint initializes a new root generation attempt. Only a single root
-generation attempt can take place at a time. 
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/generate-root/attempt` |
-
-### Parameters
-
-- `pgp_key` `(string: <optional>)` – Specifies a base64-encoded PGP public key.
-  The raw bytes of the token will be encrypted with this value before being
-  returned to the final unseal key provider.
-
-### Sample Request
-
-```
-$ curl \
-    --request PUT \
-    http://127.0.0.1:8200/v1/sys/generate-root/attempt    
-```
-
-### Sample Response
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 1,
-  "required": 3,
-  "encoded_token": "",
-  "otp": "2vPFYG8gUSW9npwzyvxXMug0",
-  "otp_length" :24,
-  "complete": false
-}
-```
-
-## Cancel Root Generation
-
-This endpoint cancels any in-progress root generation attempt. This clears any
-progress made. This must be called to change the OTP or PGP key being used.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/generate-root/attempt` |
-
-### Sample Request
-
-```
-$ curl \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/generate-root/attempt
-```
-
-## Provide Key Share to Generate Root
-
-This endpoint is used to enter a single master key share to progress the root
-generation attempt. If the threshold number of master key shares is reached,
-Vault will complete the root generation and issue the new token.  Otherwise,
-this API must be called multiple times until that threshold is met. The attempt
-nonce must be provided with each call.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/generate-root/update`  |
-
-### Parameters
-
-- `key` `(string: <required>)` – Specifies a single master key share.
-
-- `nonce` `(string: <required>)` – Specifies the nonce of the attempt.
-
-### Sample Payload
-
-```json
-{
-  "key": "acbd1234",
-  "nonce": "ad235"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/generate-root/update
-```
-
-### Sample Response
-
-This returns a JSON-encoded object indicating the attempt nonce, and completion
-status, and the encoded root token, if the attempt is complete.
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 3,
-  "required": 3,
-  "pgp_fingerprint": "",
-  "complete": true,
-  "encoded_token": "FPzkNBvwNDeFh4SmGA8c+w=="
-}
-```
diff --git a/website/source/api/system/health.html.md b/website/source/api/system/health.html.md
deleted file mode 100644
index 16653e493629..000000000000
--- a/website/source/api/system/health.html.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-layout: "api"
-page_title: "/sys/health - HTTP API"
-sidebar_title: "<code>/sys/health</code>"
-sidebar_current: "api-http-system-health"
-description: |-
-  The `/sys/health` endpoint is used to check the health status of Vault.
----
-
-# `/sys/health`
-
-The `/sys/health` endpoint is used to check the health status of Vault.
-
-## Read Health Information
-
-This endpoint returns the health status of Vault. This matches the semantics of
-a Consul HTTP health check and provides a simple way to monitor the health of a
-Vault instance.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `HEAD`   | `/sys/health`                | 
-| `GET`    | `/sys/health`                | 
-
-The default status codes are:
-
-- `200` if initialized, unsealed, and active
-- `429` if unsealed and standby
-- `472` if disaster recovery mode replication secondary and active
-- `473` if performance standby
-- `501` if not initialized
-- `503` if sealed
-
-### Parameters
-
-- `standbyok` `(bool: false)` – Specifies if being a standby should still return
-  the active status code instead of the standby status code. This is useful when
-  Vault is behind a non-configurable load balancer that just wants a 200-level
-  response. This will not apply if the node is a performance standby.
-
-- `perfstandbyok` `(bool: false)` – Specifies if being a performance standby should
-  still return the active status code instead of the performance standby status code.
-  This is useful when Vault is behind a non-configurable load balancer that just wants
-  a 200-level response.
-
-- `activecode` `(int: 200)` – Specifies the status code that should be returned
-  for an active node.
-
-- `standbycode` `(int: 429)` – Specifies the status code that should be returned
-  for a standby node.
-
-- `drsecondarycode` `(int: 472)` – Specifies the status code that should be
-  returned for a DR secondary node.
-
-- `performancestandbycode` `(int: 473)` – Specifies the status code that should be
-  returned for a performance standby node.
-
-- `sealedcode` `(int: 503)` – Specifies the status code that should be returned
-  for a sealed node.
-
-- `uninitcode` `(int: 501)` – Specifies the status code that should be returned
-  for a uninitialized node.
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/health
-```
-
-### Sample Response
-
-This response is only returned for a `GET` request.
-
-Note: `replication_perf_mode` and `replication_dr_mode` reflect the state of
-the active node in the cluster; if you are querying it for a standby that has
-just come up, it can take a small time for the active node to inform the
-standby of its status.
-
-```json
-{
-  "initialized": true,
-  "sealed": false,
-  "standby": false,
-  "performance_standby": false,
-  "replication_perf_mode": "disabled",
-  "replication_dr_mode": "disabled",
-  "server_time_utc": 1516639589,
-  "version": "0.9.1",
-  "cluster_name": "vault-cluster-3bd69ca2",
-  "cluster_id": "00af5aa8-c87d-b5fc-e82e-97cd8dfaf731"
-}
-```
diff --git a/website/source/api/system/host-info.html.md b/website/source/api/system/host-info.html.md
deleted file mode 100644
index 53982567d379..000000000000
--- a/website/source/api/system/host-info.html.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-layout: "api"
-page_title: "/sys/host-info - HTTP API"
-sidebar_title: "<code>/sys/host-info</code>"
-sidebar_current: "api-http-system-host-info"
-description: |-
-  The '/sys/host-info' endpoint is used to retrieve host information
----
-
-# `/sys/host-info`
-
-The `/sys/host-info` endpoint is used retrieve information about the 
-host instance that the Vault server is running on.
-
-## Collect Host Information
-
-This endpoint returns information about the host instance that the Vault
-server is running on. The data returned includes CPU information, CPU
-times, disk usage, host info, and memory statistics.
-
-| Method | Path             |
-|:-------|:-----------------|
-| `GET`  | `/sys/host-info` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/host-info
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "cpu": [
-      {
-        "cpu": 0,
-        "vendorId": "GenuineIntel",
-        "family": "6",
-        "model": "78",
-        ...
-      },
-      ...
-    ],
-    "cpu_times": [
-      {
-        "cpu": "cpu",
-        "user": 7491,
-        "system": 16833,
-        "idle": 5726276,
-        ...
-      },
-      ...
-    ],
-    "disk": [
-      {
-        "path": "/",
-        "fstype": "ext4",
-        "total": 410352476160,
-        "free": 102141169664,
-        "used": 306428051456,
-        ...
-      },
-      ...
-    ],
-    "host": {
-      "hostname": "vault-server-1",
-      "uptime": 28618,
-      "bootTime": 1570114491,
-      "procs": 439,
-      ...
-    },
-    "memory": {
-      "total": 17179869184,
-      "available": 6203424768,
-      "used": 10976444416,
-      ...
-    },
-    "timestamp": "2019-10-03T22:51:49.715927Z"
-  }
-}
-```
\ No newline at end of file
diff --git a/website/source/api/system/index.html.md b/website/source/api/system/index.html.md
deleted file mode 100644
index 9b269378e7d7..000000000000
--- a/website/source/api/system/index.html.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-layout: "api"
-page_title: "System Backend - HTTP API"
-sidebar_title: "System Backend"
-sidebar_current: "api-http-system"
-description: |-
-  The system backend is a default backend in Vault that is mounted at the `/sys`
-  endpoint. This endpoint cannot be disabled or moved, and is used to configure
-  Vault and interact with many of Vault's internal features.
----
-
-# System Backend
-
-The system backend is a default backend in Vault that is mounted at the `/sys`
-endpoint. This endpoint cannot be disabled or moved, and is used to configure
-Vault and interact with many of Vault's internal features.
-
-For more information about a particular path, please click on it in the sidebar.
diff --git a/website/source/api/system/init.html.md b/website/source/api/system/init.html.md
deleted file mode 100644
index 7055402761a6..000000000000
--- a/website/source/api/system/init.html.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-layout: "api"
-page_title: "/sys/init - HTTP API"
-sidebar_title: "<code>/sys/init</code>"
-sidebar_current: "api-http-system-init"
-description: |-
-  The `/sys/init` endpoint is used to initialize a new Vault.
----
-
-# `/sys/init`
-
-The `/sys/init` endpoint is used to initialize a new Vault.
-
-## Read Initialization Status
-
-This endpoint returns the initialization status of Vault.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/init`                  |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/init
-```
-
-### Sample Response
-
-```json
-{
-  "initialized": true
-}
-```
-
-## Start Initialization
-
-This endpoint initializes a new Vault. The Vault must not have been previously
-initialized. The recovery options, as well as the stored shares option, are only
-available when using Vault HSM.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/init`                  |
-
-### Parameters
-
-- `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used
-  to encrypt the output unseal keys. Ordering is preserved. The keys must be
-  base64-encoded from their original binary representation. The size of this
-  array must be the same as `secret_shares`.
-
-- `root_token_pgp_key` `(string: "")` – Specifies a PGP public key used to
-  encrypt the initial root token. The key must be base64-encoded from its
-  original binary representation.
-
-- `secret_shares` `(int: <required>)` – Specifies the number of shares to
-  split the master key into.
-
-- `secret_threshold` `(int: <required>)` – Specifies the number of shares
-  required to reconstruct the master key. This must be less than or equal
-  `secret_shares`. If using Vault HSM with auto-unsealing, this value must be
-  the same as `secret_shares`.
-
-Additionally, the following options are only supported on Vault Pro/Enterprise:
-
-- `stored_shares` `(int: <required>)` – Specifies the number of shares that
-  should be encrypted by the HSM and stored for auto-unsealing. Currently must
-  be the same as `secret_shares`.
-
-- `recovery_shares` `(int: <required>)` – Specifies the number of shares to
-  split the recovery key into.
-
-- `recovery_threshold` `(int: <required>)` – Specifies the number of shares
-  required to reconstruct the recovery key. This must be less than or equal to
-  `recovery_shares`.
-
-- `recovery_pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public
-  keys used to encrypt the output recovery keys. Ordering is preserved. The keys
-  must be base64-encoded from their original binary representation. The size of
-  this array must be the same as `recovery_shares`.
-
-### Sample Payload
-
-```json
-{
-  "secret_shares": 10,
-  "secret_threshold": 5
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/init
-```
-
-### Sample Response
-
-A JSON-encoded object including the (possibly encrypted, if `pgp_keys` was
-provided) master keys, base 64 encoded master keys and initial root token:
-
-```json
-{
-  "keys": ["one", "two", "three"],
-  "keys_base64": ["cR9No5cBC", "F3VLrkOo", "zIDSZNGv"],
-  "root_token": "foo"
-}
-```
diff --git a/website/source/api/system/internal-specs-openapi.html.md b/website/source/api/system/internal-specs-openapi.html.md
deleted file mode 100644
index 3318c4844ed6..000000000000
--- a/website/source/api/system/internal-specs-openapi.html.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-layout: "api"
-page_title: "/sys/internal/specs/openapi - HTTP API"
-sidebar_title: "<code>/sys/internal/specs/openapi</code>"
-sidebar_current: "api-http-system-internal-specs-openapi"
-description: |-
-  The `/sys/internal/specs/openapi` endpoint is used to generate an OpenAPI document of the mounted backends.
----
-
-# `/sys/internal/specs/openapi`
-
-The `/sys/internal/specs/openapi` endpoint is used to generate an OpenAPI document of the mounted backends.
-The response conforms to the [OpenAPI V3 specification](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md),
-with path names matching the mount names used by the Vault server (i.e. customizations with `-path` will be reflected).
-The set of included paths is based on the permissions of the request token.
-
-The response may include Vault-specific [extensions](https://github.com/oai/openapi-specification/blob/master/versions/3.0.2.md#specification-extensions). Three are currently defined:
-
-- `x-vault-sudo` - Endpoint requires [sudo](https://www.vaultproject.io/docs/concepts/policies.html#sudo) privileges.
-- `x-vault-unauthenticated` - Endpoint is unauthenticated.
-- `x-vault-create-supported` - Endpoint allows creation of new items, in addition to updating existing items.
-
-Basic documentation will be generated for all paths, but a newer path definition structure now allows for
-more detailed documentation to be added. At this time the `/sys` endpoints have been updated to use the new
-structure, and other endpoints will be modified incrementally.
-
-## Get OpenAPI Document
-
-This endpoint returns a single OpenAPI document describing all paths visible to the requester.
-
-| Method |           Path                |
-| :------------------------     | :--------------------- |
-| `GET`  | `/sys/internal/specs/openapi` |
-
-
-### Sample Request
-
-```
-$ curl http://127.0.0.1:8200/v1/sys/internal/specs/openapi
-```
-
-### Sample Response
-
-```json
-{
-  "openapi": "3.0.2",
-  "info": {
-    "title": "HashiCorp Vault API",
-    "description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.",
-    "version": "1.0.0",
-    "license": {
-      "name": "Mozilla Public License 2.0",
-      "url": "https://www.mozilla.org/en-US/MPL/2.0"
-    }
-  },
-  "paths": {
-    "/auth/token/create": {
-      "description": "The token create path is used to create new tokens.",
-      "post": {
-        "summary": "The token create path is used to create new tokens.",
-        "tags": [
-          "auth"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK"
-          }
-        }
-      }
-    },
-    ...
-```
-
diff --git a/website/source/api/system/internal-ui-mounts.html.md b/website/source/api/system/internal-ui-mounts.html.md
deleted file mode 100644
index 1a0490aa92d6..000000000000
--- a/website/source/api/system/internal-ui-mounts.html.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-layout: "api"
-page_title: "/sys/internal/ui/mounts - HTTP API"
-sidebar_title: "<code>/sys/internal/ui/mounts</code>"
-sidebar_current: "api-http-system-internal-ui-mounts"
-description: |-
-  The `/sys/internal/ui/mounts` endpoint is used to manage mount listing visibility.
----
-
-# `/sys/internal/ui/mounts`
-
-The `/sys/internal/ui/mounts` endpoint is used to manage mount listing
-visibility. The response generated by this endpoint is based on the
-`listing_visibility` value on the mount, which can be set during mount time or
-via mount tuning. This is currently only being used internally for the UI and is
-an unauthenticated endpoint.
-
-Due to the nature of its intended usage, there is no guarantee on backwards
-compatibility for this endpoint.
-
-## Get Available Visible Mounts
-
-This endpoint lists all enabled auth methods.
-
-| Method |           Path            |
-| :------------------------ | :--------------------- |
-| `GET`  | `/sys/internal/ui/mounts` |
-
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/internal/ui/mounts
-```
-
-### Sample Response
-
-```json
-{
-  "auth": {
-    "github/": {
-      "description": "GitHub auth",
-      "type": "github"
-    }
-  },
-  "secret": {
-    "custom-secrets/": {
-      "description": "Custom secrets",
-      "type": "kv"
-    }
-  }
-}
-```
\ No newline at end of file
diff --git a/website/source/api/system/key-status.html.md b/website/source/api/system/key-status.html.md
deleted file mode 100644
index d6ae4be916d8..000000000000
--- a/website/source/api/system/key-status.html.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-layout: "api"
-page_title: "/sys/key-status - HTTP API"
-sidebar_title: "<code>/sys/key-status</code>"
-sidebar_current: "api-http-system-key-status"
-description: |-
-  The `/sys/key-status` endpoint is used to query info about the current
-  encryption key of Vault.
----
-
-# `/sys/key-status`
-
-The `/sys/key-status` endpoint is used to query info about the current
-encryption key of Vault.
-
-## Get Encryption Key Status
-
-This endpoint returns information about the current encryption key used by
-Vault.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/key-status`            |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/key-status
-
-```
-
-### Sample Response
-
-```json
-{
-  "term": 3,
-  "install_time": "2015-05-29T14:50:46.223692553-07:00"
-}
-```
-
-The `term` parameter is the sequential key number, and `install_time` is the
-time that encryption key was installed.
diff --git a/website/source/api/system/leader.html.md b/website/source/api/system/leader.html.md
deleted file mode 100644
index 5568becf236c..000000000000
--- a/website/source/api/system/leader.html.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-layout: "api"
-page_title: "/sys/leader - HTTP API"
-sidebar_title: "<code>/sys/leader</code>"
-sidebar_current: "api-http-system-leader"
-description: |-
-  The `/sys/leader` endpoint is used to check the high availability status and
-  current leader of Vault.
----
-
-# `/sys/leader`
-
-The `/sys/leader` endpoint is used to check the high availability status and
-current leader of Vault.
-
-## Read Leader Status
-
-This endpoint returns the high availability status and current leader instance
-of Vault.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/leader`                |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/leader
-```
-
-### Sample Response
-
-```json
-{
-  "ha_enabled": true,
-  "is_self": false,
-  "leader_address": "https://127.0.0.1:8200/",
-  "leader_cluster_address": "https://127.0.0.1:8201/",
-  "performance_standby": false,
-  "performance_standby_last_remote_wal": 0
-}
-```
diff --git a/website/source/api/system/leases.html.md b/website/source/api/system/leases.html.md
deleted file mode 100644
index 844715ee2c5f..000000000000
--- a/website/source/api/system/leases.html.md
+++ /dev/null
@@ -1,244 +0,0 @@
----
-layout: "api"
-page_title: "/sys/leases - HTTP API"
-sidebar_title: "<code>/sys/leases</code>"
-sidebar_current: "api-http-system-leases"
-description: |-
-  The `/sys/leases` endpoints are used to view and manage leases.
----
-
-# `/sys/leases`
-
-The `/sys/leases` endpoints are used to view and manage leases in Vault.
-
-## Read Lease
-
-This endpoint retrieve lease metadata.
-
-| Method   | Path                          |
-| :---------------------------- | :--------------------- |
-| `PUT`    | `/sys/leases/lookup`          |
-
-### Parameters
-
-- `lease_id` `(string: <required>)` – Specifies the ID of the lease to lookup.
-
-### Sample Payload
-
-```json
-{
-  "lease_id": "aws/creds/deploy/abcd-1234..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/leases/lookup
-```
-
-### Sample Response
-
-```json
-{
-  "id": "auth/token/create/25c75065466dfc5f920525feafe47502c4c9915c",
-  "issue_time": "2017-04-30T10:18:11.228946471-04:00",
-  "expire_time": "2017-04-30T11:18:11.228946708-04:00",
-  "last_renewal_time": null,
-  "renewable": true,
-  "ttl": 3558
-}
-```
-
-## List Leases
-
-This endpoint returns a list of lease ids.
-
-**This endpoint requires 'sudo' capability.**
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/sys/leases/lookup/:prefix` |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/sys/leases/lookup/aws/creds/deploy/
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "keys":[
-      "abcd-1234...",
-      "efgh-1234...",
-      "ijkl-1234..."
-    ]
-  }
-}
-```
-
-## Renew Lease
-
-This endpoint renews a lease, requesting to extend the lease.  Token leases 
-cannot be renewed using this endpoint, use instead the auth/token/renew endpoint.
-
-| Method   | Path                          |
-| :---------------------------- | :--------------------- |
-| `PUT`    | `/sys/leases/renew`           |
-
-### Parameters
-
-- `lease_id` `(string: <required>)` – Specifies the ID of the lease to extend.
-  This can be specified as part of the URL or as part of the request body.
-
-- `increment` `(int: 0)` – Specifies the requested amount of time (in seconds)
-  to extend the lease.
-
-### Sample Payload
-
-```json
-{
-  "lease_id": "aws/creds/deploy/abcd-1234...",
-  "increment": 1800
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/leases/renew
-```
-
-### Sample Response
-
-```json
-{
-  "lease_id": "aws/creds/deploy/abcd-1234...",
-  "renewable": true,
-  "lease_duration": 2764790
-}
-```
-
-## Revoke Lease
-
-This endpoint revokes a lease immediately.
-
-| Method   | Path                          |
-| :---------------------------- | :--------------------- |
-| `PUT`    | `/sys/leases/revoke`          |
-
-### Parameters
-
-- `lease_id` `(string: <required>)` – Specifies the ID of the lease to revoke.
-
-### Sample Payload
-
-```json
-{
-  "lease_id": "postgresql/creds/readonly/abcd-1234..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/leases/revoke
-```
-
-## Revoke Force
-
-This endpoint revokes all secrets or tokens generated under a given prefix
-immediately. Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors
-encountered during revocation. This is _potentially very dangerous_ and should
-only be used in specific emergency situations where errors in the backend or the
-connected backend service prevent normal revocation.
-
-By ignoring these errors, Vault abdicates responsibility for ensuring that the
-issued credentials or secrets are properly revoked and/or cleaned up. Access to
-this endpoint should be tightly controlled.
-
-**This endpoint requires 'sudo' capability.**
-
-| Method   | Path                                |
-| :---------------------------------- | :--------------------- |
-| `PUT`    | `/sys/leases/revoke-force/:prefix`  |
-
-### Parameters
-
-- `prefix` `(string: <required>)` – Specifies the prefix to revoke. This is
-  specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    http://127.0.0.1:8200/v1/sys/leases/revoke-force/aws/creds
-```
-
-## Revoke Prefix
-
-This endpoint revokes all secrets (via a lease ID prefix) or tokens (via the
-tokens' path property) generated under a given prefix immediately. This requires
-`sudo` capability and access to it should be tightly controlled as it can be
-used to revoke very large numbers of secrets/tokens at once.
-
-**This endpoint requires 'sudo' capability.**
-
-| Method   | Path                                |
-| :---------------------------------- | :--------------------- |
-| `PUT`    | `/sys/leases/revoke-prefix/:prefix` |
-
-### Parameters
-
-- `prefix` `(string: <required>)` – Specifies the prefix to revoke. This is
-  specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/aws/creds
-```
-
-
-## Tidy Leases
-
-This endpoint cleans up the dangling storage entries for leases. Generally,
-running this is not needed unless upgrade notes or support personnel suggest it.
-This may perform a lot of I/O to the storage method so should be used sparingly.
-
-| Method | Path               |
-|:-------|:-------------------|
-| `POST` | `/sys/leases/tidy` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/leases/tidy
-```
\ No newline at end of file
diff --git a/website/source/api/system/license.html.md b/website/source/api/system/license.html.md
deleted file mode 100644
index c41cd7801128..000000000000
--- a/website/source/api/system/license.html.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-layout: "api"
-page_title: "/sys/license - HTTP API"
-sidebar_title: "<code>/sys/license</code>"
-sidebar_current: "api-http-system-license"
-description: |-
-  The `/sys/license` endpoint is used to view and update the license used in 
-  Vault.
----
-
-# `/sys/license`
-
-~> **Enterprise Only** – These endpoints require Vault Enterprise.
-
-The `/sys/license` endpoint is used to view and update the license used in 
-Vault.
-
-## Read License
-
-This endpoint returns information about the currently installed license.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/license`                |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/license
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "expiration_time": "2017-11-14T16:34:36.546753-05:00",
-    "features": [
-      "UI",
-      "HSM",
-      "Performance Replication",
-      "DR Replication"
-    ],
-    "license_id": "temporary",
-    "start_time": "2017-11-14T16:04:36.546753-05:00"
-  },
-  "warnings": [
-    "time left on license is 29m33s"
-  ]
-}
-```
-
-## Install License
-
-This endpoint is used to install a license into Vault.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/license`                |
-
-### Parameters
-
-- `text` `(string: <required>)` – The text of the license.
-
-*DR Secondary Specific Parameters*
-
-  - `dr_operation_token` `(string: <required>)` - DR operation token used to authorize this request.
-
-
-### Sample Payload
-
-```json
-{
-  "text": "01ABCDEFG..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/license
-```
diff --git a/website/source/api/system/metrics.html.md b/website/source/api/system/metrics.html.md
deleted file mode 100644
index 9e8bf0ebc523..000000000000
--- a/website/source/api/system/metrics.html.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-layout: "api"
-page_title: "/sys/metrics - HTTP API"
-sidebar_title: "<code>/sys/metrics</code>"
-sidebar_current: "api-http-system-metrics"
-description: |-
-  The `/sys/metrics` endpoint is used to get telemetry metrics for Vault.
----
-
-# `/sys/metrics`
-
-The `/sys/metrics` endpoint is used to get telemetry metrics for Vault.
-
-## Read Telemetry Metrics
-
-This endpoint returns the telemetry metrics for Vault. It can be used by metrics
-collections systems like [Prometheus](https://prometheus.io) that use a pull
-model for metrics collection.
-
-| Method   | Path             |
-| :------- | :--------------- |
-| `GET`    | `/sys/metrics`   |
-
-### Parameters
-
-- `format` `(string: "")` – Specifies the format used for the returned metrics. The
-  default metrics format is JSON. Setting `format` to `prometheus` will return the
-  metrics in [Prometheus format](https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format).
-
-### Sample Request
-
-```
-$ curl \
-  --header "X-Vault-Token: ..." \
-    'http://127.0.0.1:8200/v1/sys/metrics?format=prometheus'
-```
-
-### Sample Response
-
-This response is only returned for a `GET` request.
-
-```
-# HELP vault_audit_log_request vault_audit_log_request
-# TYPE vault_audit_log_request summary
-vault_audit_log_request{quantile="0.5"} 0.005927000194787979
-vault_audit_log_request{quantile="0.9"} 0.005927000194787979
-vault_audit_log_request{quantile="0.99"} 0.005927000194787979
-vault_audit_log_request_sum 0.014550999738276005
-vault_audit_log_request_count 2
-# HELP vault_audit_log_request_failure vault_audit_log_request_failure
-# TYPE vault_audit_log_request_failure counter
-vault_audit_log_request_failure 0
-# HELP vault_audit_log_response vault_audit_log_response
-# TYPE vault_audit_log_response summary
-vault_audit_log_response{quantile="0.5"} NaN
-vault_audit_log_response{quantile="0.9"} NaN
-vault_audit_log_response{quantile="0.99"} NaN
-vault_audit_log_response_sum 0.0057669999077916145
-vault_audit_log_response_count 1
-# HELP vault_audit_log_response_failure vault_audit_log_response_failure
-# TYPE vault_audit_log_response_failure counter
-vault_audit_log_response_failure 0
-# HELP vault_barrier_get vault_barrier_get
-# TYPE vault_barrier_get summary
-vault_barrier_get{quantile="0.5"} 0.011938000097870827
-vault_barrier_get{quantile="0.9"} 0.011938000097870827
-vault_barrier_get{quantile="0.99"} 0.011938000097870827
-vault_barrier_get_sum 0.1814980012131855
-vault_barrier_get_count 36
-...
-```
diff --git a/website/source/api/system/mfa/duo.html.md b/website/source/api/system/mfa/duo.html.md
deleted file mode 100644
index 8bd31847f0bd..000000000000
--- a/website/source/api/system/mfa/duo.html.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-layout: "api"
-page_title: "/sys/mfa/method/duo - HTTP API"
-sidebar_title: "<code>/sys/mfa/method/duo</code>"
-sidebar_current: "api-http-system-mfa-duo"
-description: |-
-  The '/sys/mfa/method/duo' endpoint focuses on managing Duo MFA behaviors in Vault Enterprise.
----
-
-## Configure Duo MFA Method
-
-This endpoint defines a MFA method of type Duo.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `POST`   | `/sys/mfa/method/duo/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-- `mount_accessor` `(string: <required>)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
-
-- `username_format` `(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{alias.name}}@example.com"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
-  - alias.name: The name returned by the mount configured via the `mount_accessor` parameter
-  - entity.name: The name configured for the Entity
-  - alias.metadata.`<key>`: The value of the Alias's metadata parameter
-  - entity.metadata.`<key>`: The value of the Entity's metadata parameter
-
-- `secret_key` `(string)` - Secret key for Duo.
-
-- `integration_key` `(string)` - Integration key for Duo.
-
-- `api_hostname` `(string)` - API hostname for Duo.
-
-- `push_info` `(string)` - Push information for Duo.
-
-### Sample Payload
-
-```json
-{
-  "mount_accessor": "auth_userpass_1793464a",
-  "secret_key": "BIACEUEAXI20BNWTEYXT",
-  "integration_key":"8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz",
-  "api_hostname":"api-2b5c39f5.duosecurity.com"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/mfa/method/duo/my_duo
-```
-
-## Read Duo MFA Method
-
-This endpoint queries the MFA configuration of Duo type for a given method
-name.
-
-| Method   | Path                           |
-| :----------------------------- | :----------------------- |
-| `GET`    | `/sys/mfa/method/duo/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/mfa/method/duo/my_duo
-
-```
-
-### Sample Response
-
-```json
-{
-        "data": {
-                "api_hostname": "api-2b5c39f5.duosecurity.com",
-                "id": "0ad21b78-e9bb-64fa-88b8-1e38db217bde",
-                "integration_key": "BIACEUEAXI20BNWTEYXT",
-                "mount_accessor": "auth_userpass_1793464a",
-                "name": "my_duo",
-                "pushinfo": "",
-                "secret_key": "8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz",
-                "type": "duo",
-                "username_format": ""
-        }
-}
-```
-## Delete Duo MFA Method
-
-This endpoint deletes a Duo MFA method.
-
-| Method   | Path                           |
-| :----------------------------- | :----------------------- |
-| `DELETE` | `/sys/mfa/method/duo/:name`   |
-
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/mfa/method/duo/my_duo
-
-```
diff --git a/website/source/api/system/mfa/index.html.md b/website/source/api/system/mfa/index.html.md
deleted file mode 100644
index a4a92e87418f..000000000000
--- a/website/source/api/system/mfa/index.html.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-layout: "api"
-page_title: "/sys/mfa - HTTP API"
-sidebar_title: "<code>/sys/mfa</code>"
-sidebar_current: "api-http-system-mfa"
-description: |-
-  The '/sys/mfa' endpoint focuses on managing MFA behaviors in Vault Enterprise MFA.
----
-
-# `/sys/mfa`
-
-~> **Enterprise Only** – These endpoints require Vault Enterprise.
-
-## Supported MFA types.
-
-* [TOTP](/api/system/mfa/totp.html)
-
-* [Okta](/api/system/mfa/okta.html)
-
-* [Duo](/api/system/mfa/duo.html)
-
-* [PingID](/api/system/mfa/pingid.html)
diff --git a/website/source/api/system/mfa/okta.html.md b/website/source/api/system/mfa/okta.html.md
deleted file mode 100644
index 698593db2387..000000000000
--- a/website/source/api/system/mfa/okta.html.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-layout: "api"
-page_title: "/sys/mfa/method/okta - HTTP API"
-sidebar_title: "<code>/sys/mfa/method/okta</code>"
-sidebar_current: "api-http-system-mfa-okta"
-description: |-
-  The '/sys/mfa/method/okta' endpoint focuses on managing Okta MFA behaviors in Vault Enterprise.
----
-
-## Configure Okta MFA Method
-
-This endpoint defines a MFA method of type Okta.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `POST`   | `/sys/mfa/method/okta/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-- `mount_accessor` `(string: <required>)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
-
-- `username_format` `(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{alias.name}}@example.com"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
-  - alias.name: The name returned by the mount configured via the `mount_accessor` parameter
-  - entity.name: The name configured for the Entity
-  - alias.metadata.`<key>`: The value of the Alias's metadata parameter
-  - entity.metadata.`<key>`: The value of the Entity's metadata parameter
-
-- `org_name` `(string)` - Name of the organization to be used in the Okta API.
-
-- `api_token` `(string)` - Okta API key.
-
-- `base_url` `(string)` -  If set, will be used as the base domain for API requests.  Examples are okta.com, oktapreview.com, and okta-emea.com.
-
-- `primary_email` `(bool: false)` -  If set, the username will only match the primary email for the account.
-
-### Sample Payload
-
-```json
-{
-  "mount_accessor": "auth_userpass_1793464a",
-  "org_name": "dev-262778",
-  "api_token": "0081u7KrReNkzmABZJAP2oDyIXccveqx9vIOEyCZDC"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/mfa/method/okta/my_okta
-```
-
-## Read Okta MFA Method
-
-This endpoint queries the MFA configuration of Okta type for a given method
-name.
-
-| Method   | Path                           |
-| :----------------------------- | :----------------------- |
-| `GET`    | `/sys/mfa/method/okta/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/mfa/method/okta/my_okta
-
-```
-
-### Sample Response
-
-```json
-{
-        "data": {
-                "api_token": "0081u7KrReNkzmABZJAP2oDyIXccveqx9vIOEyCZDC",
-                "id": "e39f08a1-a42d-143d-5b87-15c61d89c15a",
-                "mount_accessor": "auth_userpass_1793464a",
-                "name": "my_okta",
-                "org_name": "dev-262778",
-                "production": true,
-                "type": "okta",
-                "username_format": ""
-        }
-}
-```
-## Delete Okta MFA Method
-
-This endpoint deletes a Okta MFA method.
-
-| Method   | Path                           |
-| :----------------------------- | :----------------------- |
-| `DELETE` | `/sys/mfa/method/okta/:name`   |
-
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/mfa/method/okta/my_okta
-
-```
diff --git a/website/source/api/system/mfa/pingid.html.md b/website/source/api/system/mfa/pingid.html.md
deleted file mode 100644
index 09c479792b06..000000000000
--- a/website/source/api/system/mfa/pingid.html.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-layout: "api"
-page_title: "/sys/mfa/method/pingid - HTTP API"
-sidebar_title: "<code>/sys/mfa/method/pingid</code>"
-sidebar_current: "api-http-system-mfa-pingid"
-description: |-
-  The '/sys/mfa/method/pingid' endpoint focuses on managing PingID MFA behaviors in Vault Enterprise.
----
-
-## Configure PingID MFA Method
-
-This endpoint defines a MFA method of type PingID.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `POST`   | `/sys/mfa/method/pingid/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-- `mount_accessor` `(string: <required>)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
-
-- `username_format` `(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `"{{alias.name}}@example.com"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
-  - alias.name: The name returned by the mount configured via the `mount_accessor` parameter
-  - entity.name: The name configured for the Entity
-  - alias.metadata.`<key>`: The value of the Alias's metadata parameter
-  - entity.metadata.`<key>`: The value of the Entity's metadata parameter
-
-- `settings_file_base64` `(string)` - A base64-encoded third-party settings file retrieved from PingID's configuration page.
-
-### Sample Payload
-
-```json
-{
-  "mount_accessor": "auth_userpass_1793464a",
-  "settings_file_base64": "AA8owj3..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/mfa/method/pingid/ping
-```
-
-## Read PingiD MFA Method
-
-This endpoint queries the MFA configuration of PingID type for a given method
-name.
-
-| Method   | Path                           |
-| :----------------------------- | :----------------------- |
-| `GET`    | `/sys/mfa/method/pingid/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/mfa/method/pingid/ping
-
-```
-
-### Sample Response
-
-```json
-{
-        "data": {
-                "use_signature": true,
-                "idp_url": "https://idpxnyl3m.pingidentity.com/pingid",
-                "admin_url": "https://idpxnyl3m.pingidentity.com/pingid",
-                "authenticator_url": "https://authenticator.pingone.com/pingid/ppm",
-                "mount_accessor": "auth_userpass_1793464a",
-                "name": "ping",
-                "org_alias": "181459b0-9fb1-4938-8c86...",
-                "type": "pingid",
-                "username_format": ""
-        }
-}
-```
-## Delete PingID MFA Method
-
-This endpoint deletes a PingID MFA method.
-
-| Method   | Path                           |
-| :----------------------------- | :----------------------- |
-| `DELETE` | `/sys/mfa/method/pingid/:name`   |
-
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/mfa/method/pingid/ping
-
-```
diff --git a/website/source/api/system/mfa/totp.html.md b/website/source/api/system/mfa/totp.html.md
deleted file mode 100644
index 64182639bb6f..000000000000
--- a/website/source/api/system/mfa/totp.html.md
+++ /dev/null
@@ -1,236 +0,0 @@
----
-layout: "api"
-page_title: "/sys/mfa/method/totp - HTTP API"
-sidebar_title: "<code>/sys/mfa/method/totp</code>"
-sidebar_current: "api-http-system-mfa-totp"
-description: |-
-  The '/sys/mfa/method/totp' endpoint focuses on managing TOTP MFA behaviors in Vault Enterprise.
----
-
-## Configure TOTP MFA Method
-
-This endpoint defines a MFA method of type TOTP.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `POST`   | `/sys/mfa/method/totp/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-- `issuer` `(string: <required>)` - The name of the key's issuing organization.
-
-- `period` `(int or duration format string: 30)` - The length of time used to generate a counter for the TOTP token calculation.
-
-- `key_size` `(int: 20)` – Specifies the size in bytes of the generated key.
-
-- `qr_size` `(int: 200)` - The pixel size of the generated square QR code.
-
-- `algorithm` `(string: "SHA1")` – Specifies the hashing algorithm used to generate the TOTP code. Options include "SHA1", "SHA256" and "SHA512".
-
-- `digits` `(int: 6)` - The number of digits in the generated TOTP token. This value can either be 6 or 8.
-
-- `skew` `(int: 1)` - The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.
-
-
-### Sample Payload
-
-```json
-{
-  "issuer": "vault"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp
-```
-
-## Read TOTP MFA Method
-
-This endpoint queries the MFA configuration of TOTP type for a given method
-name.
-
-| Method   | Path                           |
-| :----------------------------- | :----------------------- |
-| `GET`    | `/sys/mfa/method/totp/:name`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp
-
-```
-
-### Sample Response
-
-```json
-{
-        "data": {
-                "algorithm": "SHA1",
-                "digits": 6,
-                "id": "865587ba-6229-7f2a-6da0-609d5370af70",
-                "issuer": "vault",
-                "key_size": 20,
-                "name": "my_totp",
-                "period": 30,
-                "qr_size": 200,
-                "skew": 1,
-                "type": "totp"
-        }
-}
-```
-
-## Delete TOTP MFA Method
-
-This endpoint deletes a TOTP MFA method.
-
-| Method   | Path                           |
-| :----------------------------- | :----------------------- |
-| `DELETE` | `/sys/mfa/method/totp/:name`   |
-
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp
-
-```
-
-## Generate a TOTP MFA Secret
-
-This endpoint generates an MFA secret in the entity of the calling token, if it
-doesn't exist already, using the configuration stored under the given MFA
-method name.
-
-| Method   | Path                                  |
-| :------------------------------------ | :----------------------- |
-| `GET`    | `/sys/mfa/method/totp/:name/generate` |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the MFA method.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp/generate
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "barcode": "iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BAAAGc0lEQVR4nOyd244bOQxEZxbz/7+cRQI4sLWiyCLlTU1wzkMAu1uXTIGSxUv3148fH2DEP396AvDK189/Pj97jR/W9Wi/fs7uz/pZya5H92dk40fzjeY1+XtiIWYgiBkIYsbX84dba7O6B0z3hmgPqO5Z6/WsH3VvynjuDwsxA0HMQBAzvnZfZueI6Pvs93r2+z6ax7qWZ+2zPSP7PutfPW8of08sxAwEMQNBzNjuISqRLyc7X6jnkex8UPVBqXtJxk2PORZiBoKYgSBmXNlDsriIeq6J+umeG1RfVjav7L4JWIgZCGIGgpix3UO6a6MaU4/OD9Fnda2P2qnxl2ge1fbKOFiIGQhiBoKY8bKHdH052V5Q3VPUz9n42XhR++zzStWXVgELMQNBzEAQM37tIbd9MtX4Qvc8EI13q32210Sfb8wHCzEDQcxAEDM+f6532e/86nmiPYk31X2sZP1Pz0PVGP+pPRZiBoKYgSBmbPeQ/9xUvP6geg7p9leNj3RrH7v1K+reRm7vNwBBzEAQM471IVmt3oN31V9E93Xr3KNx1BrD7t+jMl8sxAwEMQNBzDjm9lZj5d04gZoLHPX3rjjFu3J5T/8/LMQMBDEDQcyQ6kPUHNsH1TU+Gi/qr+rLmo6zfq6eTzr9YiFmIIgZCGLG5/M69y5fzfr9Ol613bQ/NaYe9bui5gKczmNYiBkIYgaCmHF85mK01t2KO2Q1h9l43dzgbhxG7b+zZ2EhZiCIGQhiRuvZ77dygNVY+3q9es5Qv1+vT2sIlb0OCzEDQcxAEDMkX1bXN7S2z8brxl2q40b3rXR9bxn4sr4RCGIGgpjxUh8S0a2feFdNYrd/Ndad9Xsrpv/cHgsxA0HMQBAzPk/reXdN7fqA3ln/PZnndE9SxsFCzEAQMxDEjJd4iJqrqtYiPlBr9qZE81znk7V/F8TUjUEQMxDEjO1ze9U1PqtFzO5X87VW1H6i+XXqyneQl/UXgSBmIIgZpdzebgxdPWdMfVnr/dHn23XsWb18VpP4DBZiBoKYgSBmbPOyukzr2Lvnlu781FzkaF7deezAQsxAEDMQxIxjTP33TcN8JpXqOOp9qg8tm586n8qehYWYgSBmIIgZrfcYZvGPW2tztZ0aj8nGzb7Prnfr5z+wED8QxAwEMaP0PvVpzV63zru6pld//6t7SvRZzXmO5rPrBwsxA0HMQBAzpGeddH08WT/VNTv6vZ/NJxp/Wh8S9ZvN5/T/x0LMQBAzEMSMY0y9mpdV3YPU+pNsnGm+1v9dyxhBjaExCGIGgpixPYdUzwUdf/8JNV+qu3dE/aj9Z/Un0XzWcTiHGIMgZiCIGaX3qf+++fLe0f0dP83FVfO0VNS9jXOIMQhiBoKY8esc0vUBqb4ttY49Q13js/uzPKsuSr4XFmIGgpiBIGaM8rKmz0bJxo36nZ5Xov6zcbvnFqWWEQsxA0HMQBAzSs9cXKneH8ULpnUV0/lle0Y3DqOOv2uPhZiBIGYgiBnbOvVunfdKNyf2to9L9UV1Y/Tr/ep5iXiIIQhiBoKYcczLys4P1b2lGwNf23dr99Q8rqnvrOvr+sBC/EAQMxDEjG1M/UHXFxWhxAUq31evd5nmjWU+MvKyvgEIYgaCmLF9F+7Ul7TSrbdQzw/qeOv9K7f+v0o7LMQMBDEDQcw4vj8kYlpf3vUFZe2jeVbbVX1Y1fE6eyAWYgaCmIEgZmyfdVL9XT7NAb5F9xyh7n3Tc1IlToKFmIEgZiCIGaV3UHXrv6P23fyubj1K1l80zwg17yq6vhsfCzE DQcxAEDOOz+2troUZaq1hNP40lr/eP61TicbP5nO6joWYgSBmIIgZx7ysiNu+ruj6dB5q7D4ii5Oo82EP+UYgiBkIYob0/pCV2/Uda7/TunX1PJHNq9qvGvN/HgcLMQNBzEAQM1p5WdM6kI mv5zReNo9uvtet+WTz+sBC/EAQMxDEjO0zF99dA9it+6jOM7qe+dKqde7V/qP5nP5eWIgZCGIGgpix3UNUbsXkq/Xd2Thd35zqE5v66Hb9YCFmIIgZCGLGlT3kwS1fUbcGsVq3HvUXnY/U+ ExEZW/DQsxAEDMQxIzS+0Mybq3REd1c3ur5qBs7z/a4zjNWsBAzEMQMBDHjZQ+Z+oAeqGv42o9aq5j1m5HN51ZdfWX+WIgZCGIGgpixfX8I/DmwEDP+DQAA//9kwGH4xZewMgAAAABJRU5E rkJggg==",
-    "url": "otpauth://totp/vault:4746fb81-028c-cd4e-026b-7dd18fe4c2f4?algorithm=SHA1&digits=6&issuer=vault&period=30&secret=XVE7TOZWJVEWQOATOD7 U53IEAJG72Z2I"
-  }
-}
-```
-
-## Administratively Generate a TOTP MFA Secret
-
-This endpoint can be used to generate a TOTP MFA secret. Unlike the `generate`
-API which stores the generated secret on the entity ID of the calling token,
-the `admin-generate` API stores the generated secret on the given entity ID.
-
-| Method   | Path                                         |
-| :------------------------------------------- | :----------------------- |
-| `POST`   | `/sys/mfa/method/totp/:name/admin-generate`  |
-
-### Parameters
-
-- `name` `(string: <required>)` - Name of the MFA method.
-
-- `entity_id` `(string: <required>)` - Entity ID on which the generated secret
-  needs to get stored.
-
-### Sample Payload
-
-```json
-{
-  "entity_id":"4746fb81-028c-cd4e-026b-7dd18fe4c2f4"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json
-    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp/admin-generate
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "barcode": "iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BAAAGZElEQVR4nOyd7W4jNwxFkyLv/8pbpMAAHnUo8pJyc1Oc82OB2KOP9QVFSyTlrz9/PsCIv356AnDn6/ufz89e48i6ov6u59f319ezfqtWnf2/snHX19XnVL7bYyFmIIgZCGLG5/e61V2b37WWXkRr9+lxonEvqv1XfeHK6/NYiBkIYgaCmPH19GK2j4ieX9/P9h0R2T6l+pzqYzKfmM0zQvk8sRAzEMQMBDHj0YdMqa6Z1TOvyDdF/VTPnqLnVzIfePLEHAsxA0HMQBAz3uJDqvuVbO1Vv/934yzReNV4ykmwEDMQxAwEMePRh5xeG6fxjNXnVM+Y1HHVM7Tq56R8nliIGQhiBoKYcfMhp2LT6hp7UY2hV8dTY/KZT1N9SufzxELMQBAzEMSMf3zI6X2HembUXbuz8dT9g+qLIiafJxZiBoKYgSBm3OpDunlMartTubrdeEUWI1dzAqa5wK9gIWYgiBkIYsaReIi6P1jbqd/7qznDqm9SfcKJs6sVLMQMBDEDQcz43K3z3fqLaf336fiFymQf8dRe8aVYiBkIYgaCmHHzIdW8pGo8QT1rOuULTvkc9a6TqD+lTgULMQNBzEAQMx7jIRdqjV7ULvpbrReJxl/nodYodseLxu/GWz6wED8QxAwEMeN2X9ZK9/4neRLDNfrUc919yPp8t/8PLMQPBDEDQcyQ6tTVO0JWqvGT6PWu75jub6L+T/kg4iHGIIgZCGLGKB5yKn5SpVuDWKXrI0/4jgssxAwEMQNBzNieZWV0v/erZ0Knxp3OYxoXqoyPhZiBIGYgiBmPub1q7m7G6fiB2n+3niSbZwT7kP8RCGIGgpjxeF9W5iPU8/+ofUY1r6q6ZkfzmtbJV2skozw04iHGIIgZCGKGlJeVvZ61V+MX07OiqJ9oftE41fGm9TD4EEMQxAwEMaN010lW1zGNoVfX+OrZl/rcfx0P2c0XCzEDQcxAEDMe87K68YBubH7tdxonmcb0q+2qZ2DK/gkLMQNBzEAQM2516lXUs6GIbA3v+qruPinrX/Ud0Xx288JCzEAQMxDEjG2NYXf/odztsXuuEoOu9BO93933RONm86n0h4WYgSBmIIgZt9+gqtaDq7m3K2rObnc+UT/Z36f2MZ28MCzEDAQxA0HMaJ1lTevBo/5OxRsysv1O9Fx1nO4Z3QcW4geCmIEgZki/H1Klu+Z369PVeVXHexfEQ34RCGIGgpjxWGN40c1VXdtXaxW79SLTOvqonVpDqdavkNv7C0AQMxDEjNK9vdP4gFq3ntV1Z+NEf099ZEZ1vrv+sBAzEMQMBDFjW2PYjT9U4xqqT1D7/ak4j5rn9QoWYgaCmIEgZpTu7e2u5Vk/4aQO3XFSHUc9s1rnNfVdr/1hIWYgiBkIYsZtH6LGA9Z20d8Z3fuq1HyqUznC1fZVX0c8xBgEMQNBzNje2xvxrlzYan1K1H82fjXOUfU12XzW5yufBxZiBoKYgSBmSL+FezE9s1lR9yHq2VvUT7fefOpjd58fFmIGgpiBIGZId52sr6u5u9M7RtTn1Hmr8ZzqnSvK2R4WYgaCmIEgZmzjIdHr3Rzfi278I3pdvStFrWVUfU52d8quPRZiBoKYgSBmbOvU//Xwobr1U7FpNV8qatetm4+onvU9jYuFmIEgZiCIGbf7srLv1d01vLsWqzmzapymeyaWfQ5qXtsrWIgZCGIGgphR+g2q9f0V9Y6SartsXtP8qOmZWDTe5AwMCzEDQcxAEDMeY+rVfUj0fLddN9Y+3feodfPd+pnKvLAQMxDEDAQxY1unPo11q+2i8adxCXV+an/qfHbzwELMQBAzEMQMKaYediL6FDVmruaBTWsU1bMwdT67/zcWYgaCmIEgZrR+g+piPata18Tu9/Zurq5aTxLNV833qs6nMg8sxAwEMQNBzHisD8lQ6y3W/qt3kpyuS8/ez3xiNL/qfMjL+oUgiBkIYkYppn7R9THd56s5tBGn60myfcSJ3GMsxAwEMQNBzGjdlxXRja1068mj9tla3c3DysaLxon+fgILMQNBzEAQM476kG5c5aJ7BnS6bqX6+jS/jLysXwCCmIEgZmx/x7DK6btCurF31WdMawPfkXOMhZiBIGYgiBmPvx+iUo2RV/vp3llSpZuXpfqgbNwnsBAzEMQMBDHjSH0InAMLMePvAAAA//8x2VnbmmL6HQAAAABJRU5ErkJggg==",
-    "url": "otpauth://totp/vault:4746fb81-028c-cd4e-026b-7dd18fe4c2f4?algorithm=SHA1&digits=6&issuer=vault&period=30&secret=6HQ4RZ7GM6MMLRKVDCI23LXNZF7UDZ2U"
-  }
-}
-```
-
-### Administratively Destroy TOTP MFA Secret
-
-This endpoint deletes a TOTP MFA secret from the given entity ID.
-
-Note that in order to overwrite a secret on the entity, it is required to
-explicitly delete the secret first. This API can be used to delete the secret
-and the `generate` or `admin-generate` APIs should be used to regenerate a new
-secret.
-
-| Method   | Path                                    |
-| :-------------------------------------- | :--------------------- |
-| `POST`   | `/sys/mfa/method/:name/admin-destroy`   |
-
-### Parameters
-
-- `name` `(string: <required>)` – Name of the MFA method.
-
-- `entity_id` `(string: <required>)` - Entity ID from which the MFA secret
-  should be removed.
-
-### Sample Payload
-
-```json
-{
-  "entity_id": "4746fb81-028c-cd4e-026b-7dd18fe4c2f4"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json
-    http://127.0.0.1:8200/v1/sys/mfa/method/totp/my_totp/admin-destroy
-```
diff --git a/website/source/api/system/mounts.html.md b/website/source/api/system/mounts.html.md
deleted file mode 100644
index e28b5e0c6780..000000000000
--- a/website/source/api/system/mounts.html.md
+++ /dev/null
@@ -1,272 +0,0 @@
----
-layout: "api"
-page_title: "/sys/mounts - HTTP API"
-sidebar_title: "<code>/sys/mounts</code>"
-sidebar_current: "api-http-system-mounts"
-description: |-
-  The `/sys/mounts` endpoint is used manage secrets engines in Vault.
----
-
-# `/sys/mounts`
-
-The `/sys/mounts` endpoint is used manage secrets engines in Vault.
-
-## List Mounted Secrets Engines
-
-This endpoints lists all the mounted secrets engines.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/mounts`                |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/mounts
-```
-
-### Sample Response
-```json
-{
-  "aws/": {
-    "type": "aws",
-    "description": "AWS keys",
-    "config": {
-      "default_lease_ttl": 0,
-      "max_lease_ttl": 0,
-      "force_no_cache": false,
-      "seal_wrap": false
-    }
-  },
-  "sys/": {
-    "type": "system",
-    "description": "system endpoint",
-    "config": {
-      "default_lease_ttl": 0,
-      "max_lease_ttl": 0,
-      "force_no_cache": false,
-      "seal_wrap": false
-    }
-  },
-  "data": {
-    "aws/": {
-      "type": "aws",
-      "description": "AWS keys",
-      "config": {
-        "default_lease_ttl": 0,
-        "max_lease_ttl": 0,
-        "force_no_cache": false,
-        "seal_wrap": false
-      }
-    },
-    "sys/": {
-      "type": "system",
-      "description": "system endpoint",
-      "config": {
-        "default_lease_ttl": 0,
-        "max_lease_ttl": 0,
-        "force_no_cache": false,
-        "seal_wrap": false
-      }
-    },
-  }
-}
-```
-
-`default_lease_ttl` or `max_lease_ttl` values of 0 mean that the system defaults
-are used by this backend.
-
-## Enable Secrets Engine
-
-This endpoint enables a new secrets engine at the given path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/mounts/:path`          |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path where the secrets engine
-  will be mounted. This is specified as part of the URL.
-
-    !> **NOTE:** Use ASCII printable characters to specify the desired path.
-
-- `type` `(string: <required>)` – Specifies the type of the backend, such as
-  "aws".
-
-- `description` `(string: "")` – Specifies the human-friendly description of the
-  mount.
-
-- `config` `(map<string|string>: nil)` – Specifies configuration options for
-  this mount; if set on a specific mount, values will override any global
-  defaults (e.g. the system TTL/Max TTL)
-
-  - `default_lease_ttl` `(string: "")` - The default lease duration, specified
-    as a string duration like "5s" or "30m".
-
-  - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
-    string duration like "5s" or "30m".
-
-  - `force_no_cache` `(bool: false)` - Disable caching.
-
-  - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
-    that will not be HMAC'd by audit devices in the request data object.
-
-  - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
-    that will not be HMAC'd by audit devices in the response data object.
-
-  - `listing_visibility` `(string: "")` - Specifies whether to show this mount
-    in the UI-specific listing endpoint. Valid values are `"unauth"` or
-    `"hidden"`.  If not set, behaves like `"hidden"`.
-
-  - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
-    to whitelist and pass from the request to the plugin.
-
-  - `allowed_response_headers` `(array: [])` - Comma-separated list of headers
-    to whitelist, allowing a plugin to include them in the response.
-
-- `options` `(map<string|string>: nil)` - Specifies mount type specific options
-  that are passed to the backend.
-
-  *Key/Value (KV)*
-  - `version` `(string: "1")` - The version of the KV to mount. Set to "2" for mount
-    KV v2.
-
-Additionally, the following options are allowed in Vault open-source, but
-relevant functionality is only supported in Vault Enterprise:
-
-- `local` `(bool: false)` – Specifies if the secrets engine is a local mount
-  only. Local mounts are not replicated nor (if a secondary) removed by
-  replication.
-
-- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
-  values stored by the mount to be wrapped by the seal's encryption capability.
-  
-- `external_entropy_access` `(bool: false)` - Enable the secrets engine to access
-  Vault's external entropy source.
-
-### Sample Payload
-
-```json
-{
-  "type": "aws",
-  "config": {
-    "force_no_cache": true
-  }
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/mounts/my-mount
-```
-
-## Disable Secrets Engine
-
-This endpoint disables the mount point specified in the URL.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/mounts/:path`          | `204 (empty body)    ` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/mounts/my-mount
-```
-
-## Read Mount Configuration
-
-This endpoint reads the given mount's configuration. Unlike the `mounts`
-endpoint, this will return the current time in seconds for each TTL, which may
-be the system default or a mount-specific value.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`   | `/sys/mounts/:path/tune`      |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
-```
-
-### Sample Response
-
-```json
-{
-  "default_lease_ttl": 3600,
-  "max_lease_ttl": 7200,
-  "force_no_cache": false
-}
-```
-
-## Tune Mount Configuration
-
-This endpoint tunes configuration parameters for a given mount point.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/mounts/:path/tune`     |
-
-### Parameters
-
-- `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. This
-  overrides the global default. A value of `0` is equivalent to the system
-  default TTL.
-
-- `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. This
-  overrides the global default. A value of `0` are equivalent and set to the
-  system max TTL.
-
-- `description` `(string: "")` – Specifies the description of the mount. This
-  overrides the current stored value, if any.
-
-- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
-  list of keys that will not be HMAC'd by audit devices in the request data
-  object.
-
-- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
-  list of keys that will not be HMAC'd by audit devices in the response data
-  object.
-
-- `listing_visibility` `(string: "")` - Specifies whether to show this mount in
-  the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
-  If not set, behaves like `"hidden"`.
-
-- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
-  to whitelist and pass from the request to the plugin.
-
-- `allowed_response_headers` `(array: [])` - Comma-separated list of headers
-  to whitelist, allowing a plugin to include them in the response.
-
-### Sample Payload
-
-```json
-{
-  "default_lease_ttl": 1800,
-  "max_lease_ttl": 3600
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
-```
diff --git a/website/source/api/system/namespaces.html.md b/website/source/api/system/namespaces.html.md
deleted file mode 100644
index 5afe5ec5df8a..000000000000
--- a/website/source/api/system/namespaces.html.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-layout: "api"
-page_title: "/sys/namespaces - HTTP API"
-sidebar_title: "<code>/sys/namespaces</code>"
-sidebar_current: "api-http-system-namespaces"
-description: |-
-  The `/sys/namespaces` endpoint is used manage namespaces in Vault.
----
-
-# `/sys/namespaces`
-
-The `/sys/namespaces` endpoint is used manage namespaces in Vault.
-
-## List Namespaces
-
-This endpoints lists all the namespaces.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/sys/namespaces`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    -X LIST \
-    http://127.0.0.1:8200/v1/sys/namespaces
-```
-
-### Sample Response
-
-```json
-[
-    "ns1/",
-    "ns2/"
-]
-
-```
-
-## Create Namespace
-
-This endpoint creates a namespace at the givent path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/namespaces/:path`      |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the path where the namespace
-  will be namespace. This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/namespaces/ns1
-```
-
-## Delete Namespace
-
-This endpoint deletes a namespace at the specified path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/namespaces/:path`      | 
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/namespaces/ns1
-```
-
-## Read Namespace Information
-
-This endpoint get the metadata for the given namespace path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/namespaces/:path`      |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/namespaces/ns1
-```
-
-### Sample Response
-
-```json
-{
-  "id": "gsudj",
-  "path": "ns1/"
-}
-```
diff --git a/website/source/api/system/plugins-catalog.html.md b/website/source/api/system/plugins-catalog.html.md
deleted file mode 100644
index 4998c5ed84db..000000000000
--- a/website/source/api/system/plugins-catalog.html.md
+++ /dev/null
@@ -1,217 +0,0 @@
----
-layout: "api"
-page_title: "/sys/plugins/catalog - HTTP API"
-sidebar_title: "<code>/sys/plugins/catalog</code>"
-sidebar_current: "api-http-system-plugins-catalog"
-description: |-
-  The `/sys/plugins/catalog` endpoint is used to manage plugins.
----
-
-# `/sys/plugins/catalog`
-
-The `/sys/plugins/catalog` endpoint is used to read, register, update, and
-remove plugins in Vault's catalog. Plugins must be registered before use, and
-once registered backends can use the plugin by querying the catalog.
-
-## LIST Plugins
-
-This endpoint lists the plugins in the catalog by type.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/plugins/catalog`       |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/plugins/catalog
-```
-
-### Sample Response
-
-```javascript
-{
-    "data": {
-        "auth": [
-            "aws",
-            "azure",
-            "custom-auth-plugin",
-            "gcp",
-            "ldap"
-        ],
-        "database": [
-            "cassandra-database-plugin",
-            "mssql-database-plugin",
-            "mysql-database-plugin",
-            "postgresql-database-plugin"
-        ],
-        "secret": [
-            "ad",
-            "aws",
-            "azure",
-            "gcp",
-            "transit"
-        ]
-    }
-}
-```
-## LIST Plugins
-
-This endpoint lists the plugins in the catalog by type.
-
-| Method   | Path                              |
-| :-------------------------------- | :--------------------- |
-| `LIST`   | `/sys/plugins/catalog/auth`       |
-| `LIST`   | `/sys/plugins/catalog/database`   |
-| `LIST`   | `/sys/plugins/catalog/secret`     |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST
-    http://127.0.0.1:8200/v1/sys/plugins/catalog/auth
-```
-
-### Sample Response
-
-```javascript
-{
-    "data": {
-        "keys": [
-            "aws",
-            "azure",
-            "custom-auth-plugin",
-            "gcp",
-            "ldap"
-        ]
-    }
-}
-```
-
-## Register Plugin
-
-This endpoint registers a new plugin, or updates an existing one with the
-supplied name.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                               |
-| :--------------------------------- | :--------------------- |
-| `PUT`    | `/sys/plugins/catalog/:type/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name for this plugin. The name
-  is what is used to look up plugins in the catalog. This is part of the request
-  URL.
-  
-- `type` `(string: <required>)` – Specifies the type of this plugin. May be 
-  "auth", "database", or "secret".
-
-- `sha256` `(string: <required>)` – This is the SHA256 sum of the plugin's
-  binary. Before a plugin is run it's SHA will be checked against this value, if
-  they do not match the plugin can not be run.
-
-- `command` `(string: <required>)` – Specifies the command used to execute the
-  plugin. This is relative to the plugin directory. e.g. `"myplugin"`.
-
-- `args` `(array: [])` – Specifies the arguments used to execute the plugin. If
-  the arguments are provided here, the `command` parameter should only contain
-  the named program. e.g. `"--my_flag=1"`.
-
-- `env` `(array: [])` – Specifies the environment variables used during the
-  execution of the plugin. Each entry is of the form "key=value". e.g
-  `"FOO=BAR"`.
-
-### Sample Payload
-
-```json
-{
-  "sha256": "d130b9a0fbfddef9709d8ff92e5e6053ccd246b78632fc03b8548457026961e9",
-  "command": "mysql-database-plugin"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/plugins/catalog/secret/example-plugin
-```
-
-## Read Plugin
-
-This endpoint returns the configuration data for the plugin with the given name.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                               |
-| :--------------------------------- | :--------------------- |
-| `GET`    | `/sys/plugins/catalog/:type/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the plugin to retrieve.
-  This is part of the request URL.
-  
-- `type` `(string: <required>)` – Specifies the type of this plugin. May be 
-  "auth", "database", or "secret".
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/plugins/catalog/secret/example-plugin
-```
-
-### Sample Response
-
-```javascript
-{
-	"data": {
-		"args": [],
-		"builtin": false,
-		"command": "/tmp/vault-plugins/mysql-database-plugin",
-		"name": "example-plugin",
-		"sha256": "0TC5oPv93vlwnY/5Ll5gU8zSRreGMvwDuFSEVwJpYek="
-	}
-}
-```
-## Remove Plugin from Catalog
-
-This endpoint removes the plugin with the given name.
-
-- **`sudo` required** – This endpoint requires `sudo` capability in addition to
-  any path-specific capabilities.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/plugins/catalog/:type/:name` |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the plugin to delete.
-  This is part of the request URL.
-  
-- `type` `(string: <required>)` – Specifies the type of this plugin. May be 
-  "auth", "database", or "secret".
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/plugins/catalog/secret/example-plugin
-```
diff --git a/website/source/api/system/plugins-reload-backend.html.md b/website/source/api/system/plugins-reload-backend.html.md
deleted file mode 100644
index f502653f9063..000000000000
--- a/website/source/api/system/plugins-reload-backend.html.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-layout: "api"
-page_title: "/sys/plugins/reload/backend - HTTP API"
-sidebar_title: "<code>/sys/plugins/reload/backend</code>"
-sidebar_current: "api-http-system-plugins-reload-backend"
-description: |-
-  The `/sys/plugins/reload/backend` endpoint is used to reload plugin backends.
----
-
-# `/sys/plugins/reload/backend`
-
-The `/sys/plugins/reload/backend` endpoint is used to reload mounted plugin
-backends. Either the plugin name (`plugin`) or the desired plugin backend mounts
-(`mounts`) must be provided, but not both. In the case that the plugin name is
-provided, all mounted paths that use that plugin backend will be reloaded.
-
-## Reload Plugins
-
-This endpoint reloads mounted plugin backends.
-
-| Method   | Path                      -   |
-| :---------------------------- | :--------------------- |
-| `PUT`    | `/sys/plugins/reload/backend` |
-
-### Parameters
-
-- `plugin` `(string: "")` – The name of the plugin to reload, as
-  registered in the plugin catalog.
-
-- `mounts` `(array: [])` – Array or comma-separated string mount paths
-  of the plugin backends to reload.
-
-### Sample Payload
-
-```json
-{
-  "plugin": "mock-plugin"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT
-    http://127.0.0.1:8200/v1/sys/plugins/reload/backend
-```
diff --git a/website/source/api/system/policies.html.md b/website/source/api/system/policies.html.md
deleted file mode 100644
index 054ecb46d965..000000000000
--- a/website/source/api/system/policies.html.md
+++ /dev/null
@@ -1,377 +0,0 @@
----
-layout: "api"
-page_title: "/sys/policies/ - HTTP API"
-sidebar_title: "<code>/sys/policies</code>"
-sidebar_current: "api-http-system-policies"
-description: |-
-  The `/sys/policies/` endpoints are used to manage ACL, RGP, and EGP policies in Vault.
----
-
-# `/sys/policies/`
-
-The `/sys/policies` endpoints are used to manage ACL, RGP, and EGP policies in Vault.
-
-
-~> **NOTE**: This endpoint is only available in Vault version 0.9+. Please also note that RGPs and EGPs are Vault Enterprise Premium features and the associated endpoints are not available in Vault Open Source or Vault Enterprise Pro.
-
-## List ACL Policies
-
-This endpoint lists all configured ACL policies.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/sys/policies/acl`          |
-
-### Sample Request
-
-```
-$ curl \
-    -X LIST --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/policies/acl
-```
-
-### Sample Response
-
-```json
-{
-  "keys": ["root", "my-policy"]
-}
-```
-
-## Read ACL Policy
-
-This endpoint retrieves information about the named ACL policy.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/policies/acl/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
-  This is specified as part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
-```
-
-### Sample Response
-
-```json
-{
-  "name": "deploy",
-  "policy": "path \"secret/foo\" {..."
-}
-```
-
-## Create/Update ACL Policy
-
-This endpoint adds a new or updates an existing ACL policy. Once a policy is
-updated, it takes effect immediately to all associated users.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/policies/acl/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to create.
-  This is specified as part of the request URL.
-
-- `policy` `(string: <required>)` - Specifies the policy document. This can be
-  base64-encoded to avoid string escaping.
-
-### Sample Payload
-
-```json
-{
-  "policy": "path \"secret/foo\" {..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
-```
-
-## Delete ACL Policy
-
-This endpoint deletes the ACL policy with the given name. This will immediately
-affect all users associated with this policy. (A deleted policy set on a token
-acts as an empty policy.)
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/policies/acl/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to delete.
-  This is specified as part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
-```
-
-## List RGP Policies
-
-This endpoint lists all configured RGP policies.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/sys/policies/rgp`          |
-
-### Sample Request
-
-```
-$ curl \
-    -X LIST --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/policies/rgp
-```
-
-### Sample Response
-
-```json
-{
-  "keys": ["webapp", "database"]
-}
-```
-
-## Read RGP Policy
-
-This endpoint retrieves information about the named RGP policy.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/policies/rgp/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
-  This is specified as part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
-```
-
-### Sample Response
-
-```json
-{
-  "name": "webapp",
-  "policy": "rule main = {...",
-  "enforcement_level": "soft-mandatory"
-}
-```
-
-## Create/Update RGP Policy
-
-This endpoint adds a new or updates an existing RGP policy. Once a policy is
-updated, it takes effect immediately to all associated users.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/policies/rgp/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to create.
-  This is specified as part of the request URL.
-
-- `policy` `(string: <required>)` - Specifies the policy document. This can be
-  base64-encoded to avoid string escaping.
-
-- `enforcement_level` `(string: <required>)` - Specifies the enforcement level
-  to use. This must be one of `advisory`, `soft-mandatory`, or
-  `hard-mandatory`.
-
-### Sample Payload
-
-```json
-{
-  "policy": "rule main = {...",
-  "enforcement_level": "soft-mandatory"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
-```
-
-## Delete RGP Policy
-
-This endpoint deletes the RGP policy with the given name. This will immediately
-affect all users associated with this policy. (A deleted policy set on a token
-acts as an empty policy.)
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/policies/rgp/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to delete.
-  This is specified as part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
-```
-
-## List EGP Policies
-
-This endpoint lists all configured EGP policies. Since EGP policies act on a
-path, this endpoint returns two identifiers:
-
- * `keys` contains a mapping of names to associated paths in a format that
-   `vault list` understands
- * `name_path_map` contains an object mapping names to paths and glob status in
-   a more machine-friendly format
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/sys/policies/egp`          |
-
-### Sample Request
-
-```
-$ curl \
-    -X LIST --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/policies/egp
-```
-
-### Sample Response
-
-```json
-{
-  "keys": [ "breakglass" ]
-}
-```
-
-## Read EGP Policy
-
-This endpoint retrieves information about the named EGP policy.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/policies/egp/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
-  This is specified as part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
-```
-
-### Sample Response
-
-```json
-{
-  "enforcement_level": "soft-mandatory",
-  "name": "breakglass",
-  "paths": [ "*" ],
-  "policy": "rule main = {..."
-}
-```
-
-## Create/Update EGP Policy
-
-This endpoint adds a new or updates an existing EGP policy. Once a policy is
-updated, it takes effect immediately to all associated users.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/policies/egp/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to create.
-  This is specified as part of the request URL.
-
-- `policy` `(string: <required>)` - Specifies the policy document. This can be
-  base64-encoded to avoid string escaping.
-
-- `enforcement_level` `(string: <required>)` - Specifies the enforcement level
-  to use. This must be one of `advisory`, `soft-mandatory`, or
-  `hard-mandatory`.
-
-- `paths` `(string or array: required)` - Specifies the paths on which this EGP
-  should be applied, either as a comma-separated list or an array. Glob
-  characters can denote suffixes, e.g. `secret/*`; a path of `*` will affect
-  all authenticated and login requests.
-
-### Sample Payload
-
-```json
-{
-  "policy": "rule main = {...",
-  "paths": [ "*", "secret/*", "transit/keys/*" ],
-  "enforcement_level": "soft-mandatory"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
-```
-
-## Delete EGP Policy
-
-This endpoint deletes the EGP policy with the given name from all paths on which it was configured.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/policies/egp/:name`    |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to delete.
-  This is specified as part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
-```
diff --git a/website/source/api/system/policy.html.md b/website/source/api/system/policy.html.md
deleted file mode 100644
index 454b73d2d2c5..000000000000
--- a/website/source/api/system/policy.html.md
+++ /dev/null
@@ -1,123 +0,0 @@
----
-layout: "api"
-page_title: "/sys/policy - HTTP API"
-sidebar_title: "<code>/sys/policy</code>"
-sidebar_current: "api-http-system-policy"
-description: |-
-  The `/sys/policy` endpoint is used to manage ACL policies in Vault.
----
-
-# `/sys/policy`
-
-The `/sys/policy` endpoint is used to manage ACL policies in Vault.
-
-## List Policies
-
-This endpoint lists all configured policies.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/policy`                |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/policy
-```
-
-### Sample Response
-
-```json
-{
-  "policies": ["root", "deploy"]
-}
-```
-
-## Read Policy
-
-This endpoint retrieve the policy body for the named policy.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/policy/:name`          |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
-  This is specified as part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/policy/my-policy
-```
-
-### Sample Response
-
-```json
-{
-  "name": "my-policy",
-  "rules": "path \"secret/*\"...
-}
-```
-
-## Create/Update Policy
-
-This endpoint adds a new or updates an existing policy. Once a policy is
-updated, it takes effect immediately to all associated users.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/policy/:name`          |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to create.
-  This is specified as part of the request URL.
-
-- `policy` `(string: <required>)` - Specifies the policy document.
-
-### Sample Payload
-
-```json
-{
-  "policy": "path \"secret/foo\" {..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/policy/my-policy
-```
-
-## Delete Policy
-
-This endpoint deletes the policy with the given name. This will immediately
-affect all users associated with this policy.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/policy/:name`          |
-
-### Parameters
-
-- `name` `(string: <required>)` – Specifies the name of the policy to delete.
-  This is specified as part of the request URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/policy/my-policy
-```
diff --git a/website/source/api/system/pprof.html.md b/website/source/api/system/pprof.html.md
deleted file mode 100644
index 0191590fe58c..000000000000
--- a/website/source/api/system/pprof.html.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-layout: "api"
-page_title: "/sys/pprof - HTTP API"
-sidebar_title: "<code>/sys/pprof</code>"
-sidebar_current: "api-http-system-pprof"
-description: |-
-  The `/sys/pprof` endpoint is used to query profiling information.
----
-
-# `/sys/pprof`
-
-The `/sys/pprof` endpoint is used to query. The response returned by
-these endpoints are equivalent to those returned by the `http/pprof`
-package.
-
-## Index
-
-This endpoint returns an HTML page listing the available profiles.
-
-| Method | Path          |
-|:-------|:--------------|
-| `GET`  | `/sys/pprof/` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/pprof/
-```
-
-## Cmdline
-
-This endpoint returns the running program's command line, with arguments
-separated by NUL bytes.
-
-| Method | Path                 |
-|:-------|:---------------------|
-| `GET`  | `/sys/pprof/cmdline` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/pprof/cmdline
-```
-
-## Goroutine
-
-This endpoint returns stack traces of all current goroutines.
-
-| Method | Path                   |
-|:-------|:-----------------------|
-| `GET`  | `/sys/pprof/goroutine` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/pprof/goroutine
-```
-
-## Heap
-
-This endpoint returns a sampling of memory allocations of live object.
-
-| Method | Path              |
-|:-------|:------------------|
-| `GET`  | `/sys/pprof/heap` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/pprof/heap
-```
-
-## Profile
-
-This endpoint returns a pprof-formatted cpu profile payload. Profiling
-lasts for duration specified in seconds GET parameter, or for 30 seconds
-if not specified.
-
-| Method | Path                 |
-|:-------|:---------------------|
-| `GET`  | `/sys/pprof/profile` |
-
-### Parameters
-
-- `seconds` `(int: 30)` - Specifies the duration to run the profiling 
-  command. This value is specified as a query parameter.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/pprof/profile
-```
-
-## Symbol
-
-This endpoint returns the program counters listed in the request.
-
-| Method | Path                |
-|:-------|:--------------------|
-| `GET`  | `/sys/pprof/symbol` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/pprof/symbol
-```
-
-
-## Trace
-
-This endpoint returns the execution trace in binary form. Tracing lasts
-for duration specified in seconds GET parameter, or for 1 second if not
-specified.
-
-| Method | Path               |
-|:-------|:-------------------|
-| `GET`  | `/sys/pprof/trace` |
-
-### Parameters
-
-- `seconds` `(int: 1)` - Specifies the duration to run the tracing 
-  command. This value is specified as a query parameter.
-  
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/pprof/trace
-```
\ No newline at end of file
diff --git a/website/source/api/system/raw.html.md b/website/source/api/system/raw.html.md
deleted file mode 100644
index 1798a4213d26..000000000000
--- a/website/source/api/system/raw.html.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-layout: "api"
-page_title: "/sys/raw - HTTP API"
-sidebar_title: "<code>/sys/raw</code>"
-sidebar_current: "api-http-system-raw"
-description: |-
-  The `/sys/raw` endpoint is used to access the raw underlying store in Vault.
----
-
-# `/sys/raw`
-
-The `/sys/raw` endpoint is used to access the raw underlying store in Vault.
-
-This endpoint is off by default.  See the 
-[Vault configuration documentation](/docs/configuration/index.html) to
-enable.
-
-## Read Raw
-
-This endpoint reads the value of the key at the given path. This is the raw path
-in the storage backend and not the logical path that is exposed via the mount
-system.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/raw/:path`             |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the raw path in the storage backend.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    ---header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/raw/secret/foo
-```
-
-### Sample Response
-
-```json
-{
-  "value": "{'foo':'bar'}"
-}
-```
-
-## Create/Update Raw
-
-This endpoint updates the value of the key at the given path. This is the raw
-path in the storage backend and not the logical path that is exposed via the
-mount system.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/raw/:path`             |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the raw path in the storage backend.
-  This is specified as part of the URL.
-
-- `value` `(string: <required>)` – Specifies the value of the key.
-
-### Sample Payload
-
-```json
-{
-  "value": "{\"foo\": \"bar\"}"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/raw/secret/foo
-```
-
-## List Raw
-
-This endpoint returns a list keys for a given path prefix.
-
-**This endpoint requires 'sudo' capability.**
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `LIST`   | `/sys/raw/:prefix` |
-| `GET`   | `/sys/raw/:prefix?list=true` |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request LIST \
-    http://127.0.0.1:8200/v1/sys/raw/logical
-```
-
-### Sample Response
-
-```json
-{
-  "data":{
-    "keys":[
-      "abcd-1234...",
-      "efgh-1234...",
-      "ijkl-1234..."
-    ]
-  }
-}
-```
-
-## Delete Raw
-
-This endpoint deletes the key with given path. This is the raw path in the
-storage backend and not the logical path that is exposed via the mount system.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/raw/:path`             |
-
-### Parameters
-
-- `path` `(string: <required>)` – Specifies the raw path in the storage backend.
-  This is specified as part of the URL.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/raw/secret/foo
-```
diff --git a/website/source/api/system/rekey-recovery-key.html.md b/website/source/api/system/rekey-recovery-key.html.md
deleted file mode 100644
index 4a8eed6ee023..000000000000
--- a/website/source/api/system/rekey-recovery-key.html.md
+++ /dev/null
@@ -1,362 +0,0 @@
----
-layout: "api"
-page_title: "/sys/rekey-recovery-key - HTTP API"
-sidebar_title: "<code>/sys/rekey-recovery-key</code>"
-sidebar_current: "api-http-system-rekey-recovery-key"
-description: |-
-  The `/sys/rekey-recovery-key` endpoints are used to rekey the recovery keys for Vault.
----
-
-# `/sys/rekey-recovery-key`
-
-~> **Note:** These endpoints are only applicable to seals that support recovery keys.
-
-The `/sys/rekey-recovery-key` endpoints are used to rekey the recovery keys for Vault.
-
-## Read Rekey Progress
-
-This endpoint reads the configuration and progress of the current rekey attempt.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `GET`    | `/sys/rekey-recovery-key/init`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
-```
-
-### Sample Response
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "t": 3,
-  "n": 5,
-  "progress": 1,
-  "required": 3,
-  "pgp_fingerprints": ["abcd1234"],
-  "backup": true,
-  "verification_required": false
-}
-```
-
-If a rekey is started, then `n` is the new shares to generate and `t` is the
-threshold required for the new shares. `progress` is how many recovery keys have
-been provided for this rekey, where `required` must be reached to complete. The
-`nonce` for the current rekey operation is also displayed. If PGP keys are being
-used to encrypt the final shares, the key fingerprints and whether the final
-keys will be backed up to physical storage will also be displayed.
-`verification_required` indicates whether verification was enabled for this
-operation.
-
-## Start Rekey
-
-This endpoint initializes a new rekey attempt. Only a single recovery key rekey
-attempt can take place at a time, and changing the parameters of a rekey
-requires canceling and starting a new rekey, which will also provide a new
-nonce.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `PUT`    | `/sys/rekey-recovery-key/init`            |
-
-### Parameters
-
-- `secret_shares` `(int: <required>)` – Specifies the number of shares to split
-  the recovery key into.
-
-- `secret_threshold` `(int: <required>)` – Specifies the number of shares
-  required to reconstruct the recovery key. This must be less than or equal to
-  `secret_shares`.
-
-- `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used
-  to encrypt the output recovery key shares. Ordering is preserved. The keys must be
-  base64-encoded from their original binary representation. The size of this
-  array must be the same as `secret_shares`.
-
-- `backup` `(bool: false)` – Specifies if using PGP-encrypted keys, whether
-  Vault should also store a plaintext backup of the PGP-encrypted keys at
-  `core/recovery-keys-backup` in the physical storage backend. These can then
-  be retrieved and removed via the `sys/rekey-recovery-key/backup` endpoint.
-
-- `require_verification` `(bool: false)` – This turns on verification
-  functionality. When verification is turned on, after successful authorization
-  with the current unseal keys, the new unseal keys are returned but the
-  recovery key is not actually rotated. The new keys must be provided to
-  authorize the actual rotation of the key. This ensures that the new keys have
-  been successfully saved and protects against a risk of the keys being lost
-  after rotation but before they can be persisted. This can be used with
-  without `pgp_keys`, and when used with it, it allows ensuring that the
-  returned keys can be successfully decrypted before committing to the new
-  shares, which the backup functionality does not provide.
-
-### Sample Payload
-
-```json
-{
-  "secret_shares": 10,
-  "secret_threshold": 5
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
-```
-
-## Cancel Rekey
-
-This endpoint cancels any in-progress rekey. This clears the rekey settings as
-well as any progress made. This must be called to change the parameters of the
-rekey. Note: verification is still a part of a rekey. If rekeying is canceled
-during the verification flow, the current unseal keys remain valid.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `DELETE` | `/sys/rekey-recovery-key/init`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
-```
-
-## Read Backup Key
-
-This endpoint returns the backup copy of PGP-encrypted recovery key shares. The
-returned value is the nonce of the rekey operation and a map of PGP key
-fingerprint to hex-encoded PGP-encrypted key.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `GET`    | `/sys/rekey/recovery-key-backup`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/rekey/recovery-key-backup
-```
-
-### Sample Response
-
-```json
-{
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "keys": {
-    "abcd1234": "..."
-  }
-}
-```
-
-## Delete Backup Key
-
-This endpoint deletes the backup copy of PGP-encrypted recovery key shares.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `DELETE` | `/sys/rekey/recovery-key-backup`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token" \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/rekey/recovery-key-backup
-```
-
-## Submit Key
-
-This endpoint is used to enter a single recovery key share to progress the rekey
-of the Vault. If the threshold number of recovery key shares is reached, Vault
-will complete the rekey. Otherwise, this API must be called multiple times until
-that threshold is met. The rekey nonce operation must be provided with each
-call.
-
-When the operation is complete, this will return a response like the example
-below; otherwise the response will be the same as the `GET` method against
-`sys/rekey/init`, providing status on the operation itself.
-
-If verification was requested, successfully completing this flow will
-immediately put the operation into a verification state, and provide the nonce
-for the verification operation.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `PUT`    | `/sys/rekey-recovery-key/update`          |
-
-### Parameters
-
-- `key` `(string: <required>)` – Specifies a single recovery share key.
-
-- `nonce` `(string: <required>)` – Specifies the nonce of the rekey operation.
-
-### Sample Payload
-
-```json
-{
-  "key": "AB32...",
-  "nonce": "abcd1234..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token" \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/update
-```
-
-### Sample Response
-
-```json
-{
-  "complete": true,
-  "keys": ["one", "two", "three"],
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "pgp_fingerprints": ["abcd1234"],
-  "keys_base64": ["base64keyvalue"],
-  "backup": true,
-  "verification_required": true,
-  "verification_nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10"
-}
-```
-
-If the keys are PGP-encrypted, an array of key fingerprints will also be
-provided (with the order in which the keys were used for encryption) along with
-whether or not the keys were backed up to physical storage.
-
-## Read Rekey Recovery Key Verification Progress
-
-This endpoint reads the configuration and progress of the current rekey
-verification attempt.
-
-| Method   | Path                                        |
-| :------------------------------------------ | :--------------------- |
-| `GET`    | `/sys/rekey-recovery-key/verify`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
-```
-
-### Sample Response
-
-```json
-{
-  "nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10",
-  "t": 3,
-  "n": 5,
-  "progress": 1
-}
-```
-
-`n` is the total number of new shares that were generated and `t` is the
-threshold required for the new shares to pass verification. `progress` is how
-many of the new unseal keys have been provided for this verification operation.
-The `nonce` for the current rekey operation is also displayed.
-
-## Cancel Rekey Verification
-
-This endpoint cancels any in-progress rekey verification operation. This clears
-any progress made and resets the nonce. Unlike a `DELETE` against
-`sys/rekey-recovery-key/init`, this only resets the current verification
-operation, not the entire rekey atttempt. The return value is the same as `GET`
-along with the new nonce.
-
-| Method   | Path                                        |
-| :------------------------------------------ | :--------------------- |
-| `DELETE` | `/sys/rekey-recovery-key/verify`            | 
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token" \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
-```
-
-### Sample Response
-
-```json
-{
-  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
-  "t": 3,
-  "n": 5,
-  "progress": 0
-}
-```
-
-## Submit Verification Key
-
-This endpoint is used to enter a single new key share to progress the rekey
-verification operation.  If the threshold number of new key shares is reached,
-Vault will complete the rekey by performing the actual rotation of the recovery
-key. Otherwise, this API must be called multiple times until that threshold is
-met. The nonce must be provided with each call.
-
-When the operation is complete, this will return a response like the example
-below; otherwise the response will be the same as the `GET` method against
-`sys/rekey-recovery-key/verify`, providing status on the operation itself.
-
-| Method   | Path                                      |
-| :---------------------------------------- | :--------------------- |
-| `PUT`    | `/sys/rekey-recovery-key/verify`          |
-
-### Parameters
-
-- `key` `(string: <required>)` – Specifies a single recovery share key from the
-  new set of shares.
-
-- `nonce` `(string: <required>)` – Specifies the nonce of the rekey
-  verification operation.
-
-### Sample Payload
-
-```json
-{
-  "key": "A58d...",
-  "nonce": "5a27bbc1..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token" \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
-```
-
-### Sample Response
-
-```json
-{
-  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
-  "complete": true
-}
-```
diff --git a/website/source/api/system/rekey.html.md b/website/source/api/system/rekey.html.md
deleted file mode 100644
index a33ba9fb205d..000000000000
--- a/website/source/api/system/rekey.html.md
+++ /dev/null
@@ -1,364 +0,0 @@
----
-layout: "api"
-page_title: "/sys/rekey - HTTP API"
-sidebar_title: "<code>/sys/rekey</code>"
-sidebar_current: "api-http-system-rekey"
-description: |-
-  The `/sys/rekey` endpoints are used to rekey the unseal keys for Vault.
----
-
-# `/sys/rekey`
-
-The `/sys/rekey` endpoints are used to rekey the unseal keys for Vault.
-
-On seals that support stored keys (e.g. HSM PKCS11), the recovery key share(s)
-can be provided to rekey the master key since no unseal keys are available. The
-secret shares, secret threshold, and stored shares parameters must be set to 1.
-Upon successful rekey, no split unseal key shares are returned.
-
-## Read Rekey Progress
-
-This endpoint reads the configuration and progress of the current rekey attempt.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/rekey/init`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/rekey/init
-```
-
-### Sample Response
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "t": 3,
-  "n": 5,
-  "progress": 1,
-  "required": 3,
-  "pgp_fingerprints": ["abcd1234"],
-  "backup": true,
-  "verification_required": false
-}
-```
-
-If a rekey is started, then `n` is the new shares to generate and `t` is the
-threshold required for the new shares. `progress` is how many unseal keys have
-been provided for this rekey, where `required` must be reached to complete. The
-`nonce` for the current rekey operation is also displayed. If PGP keys are being
-used to encrypt the final shares, the key fingerprints and whether the final
-keys will be backed up to physical storage will also be displayed.
-`verification_required` indicates whether verification was enabled for this
-operation.
-
-## Start Rekey
-
-This endpoint initializes a new rekey attempt. Only a single rekey attempt can
-take place at a time, and changing the parameters of a rekey requires canceling
-and starting a new rekey, which will also provide a new nonce.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/rekey/init`            |
-
-### Parameters
-
-- `secret_shares` `(int: <required>)` – Specifies the number of shares to split
-  the master key into.
-
-- `secret_threshold` `(int: <required>)` – Specifies the number of shares
-  required to reconstruct the master key. This must be less than or equal to
-  `secret_shares`.
-
-- `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used
-  to encrypt the output unseal keys. Ordering is preserved. The keys must be
-  base64-encoded from their original binary representation. The size of this
-  array must be the same as `secret_shares`.
-
-- `backup` `(bool: false)` – Specifies if using PGP-encrypted keys, whether
-  Vault should also store a plaintext backup of the PGP-encrypted keys at
-  `core/unseal-keys-backup` in the physical storage backend. These can then
-  be retrieved and removed via the `sys/rekey/backup` endpoint.
-
-- `require_verification` `(bool: false)` – This turns on verification
-  functionality. When verification is turned on, after successful authorization
-  with the current unseal keys, the new unseal keys are returned but the master
-  key is not actually rotated. The new keys must be provided to authorize the
-  actual rotation of the master key. This ensures that the new keys have been
-  successfully saved and protects against a risk of the keys being lost after
-  rotation but before they can be persisted. This can be used with without
-  `pgp_keys`, and when used with it, it allows ensuring that the returned keys
-  can be successfully decrypted before committing to the new shares, which the
-  backup functionality does not provide.
-
-### Sample Payload
-
-```json
-{
-  "secret_shares": 10,
-  "secret_threshold": 5
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/rekey/init
-```
-
-## Cancel Rekey
-
-This endpoint cancels any in-progress rekey. This clears the rekey settings as
-well as any progress made. This must be called to change the parameters of the
-rekey. Note: verification is still a part of a rekey. If rekeying is canceled
-during the verification flow, the current unseal keys remain valid.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/rekey/init`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/rekey/init
-```
-
-## Read Backup Key
-
-This endpoint returns the backup copy of PGP-encrypted unseal keys. The returned
-value is the nonce of the rekey operation and a map of PGP key fingerprint to
-hex-encoded PGP-encrypted key.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/rekey/backup`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/rekey/backup
-```
-
-### Sample Response
-
-```json
-{
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "keys": {
-    "abcd1234": "..."
-  }
-}
-```
-
-## Delete Backup Key
-
-This endpoint deletes the backup copy of PGP-encrypted unseal keys.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/rekey/backup`          |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token" \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/rekey/backup
-```
-
-## Submit Key
-
-This endpoint is used to enter a single master key share to progress the rekey
-of the Vault. If the threshold number of master key shares is reached, Vault
-will complete the rekey. Otherwise, this API must be called multiple times until
-that threshold is met. The rekey nonce operation must be provided with each
-call.
-
-When the operation is complete, this will return a response like the example
-below; otherwise the response will be the same as the `GET` method against
-`sys/rekey/init`, providing status on the operation itself.
-
-If verification was requested, successfully completing this flow will
-immediately put the operation into a verification state, and provide the nonce
-for the verification operation.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/rekey/update`          |
-
-### Parameters
-
-- `key` `(string: <required>)` – Specifies a single master share key.
-
-- `nonce` `(string: <required>)` – Specifies the nonce of the rekey operation.
-
-### Sample Payload
-
-```json
-{
-  "key": "AB32...",
-  "nonce": "abcd1234..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token" \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/rekey/update
-```
-
-### Sample Response
-
-```json
-{
-  "complete": true,
-  "keys": ["one", "two", "three"],
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "pgp_fingerprints": ["abcd1234"],
-  "keys_base64": ["base64keyvalue"],
-  "backup": true,
-  "verification_required": true,
-  "verification_nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10"
-}
-```
-
-If the keys are PGP-encrypted, an array of key fingerprints will also be
-provided (with the order in which the keys were used for encryption) along with
-whether or not the keys were backed up to physical storage.
-
-## Read Rekey Verification Progress
-
-This endpoint reads the configuration and progress of the current rekey
-verification attempt.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `GET`    | `/sys/rekey/verify`            |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/rekey/verify
-```
-
-### Sample Response
-
-```json
-{
-  "nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10",
-  "t": 3,
-  "n": 5,
-  "progress": 1
-}
-```
-
-`n` is the total number of new shares that were generated and `t` is the
-threshold required for the new shares to pass verification. `progress` is how
-many of the new unseal keys have been provided for this verification operation.
-The `nonce` for the current rekey operation is also displayed.
-
-## Cancel Rekey Verification
-
-This endpoint cancels any in-progress rekey verification operation. This clears
-any progress made and resets the nonce. Unlike a `DELETE` against
-`sys/rekey/init`, this only resets the current verification operation, not the
-entire rekey atttempt. The return value is the same as `GET` along with the new
-nonce.
-
-| Method   | Path                           |
-| :----------------------------- | :--------------------- |
-| `DELETE` | `/sys/rekey/verify`            | 
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token" \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/rekey/verify
-```
-
-### Sample Response
-
-```json
-{
-  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
-  "t": 3,
-  "n": 5,
-  "progress": 0
-}
-```
-
-## Submit Verification Key
-
-This endpoint is used to enter a single new key share to progress the rekey
-verification operation.  If the threshold number of new key shares is reached,
-Vault will complete the rekey by performing the actual rotation of the master
-key. Otherwise, this API must be called multiple times until that threshold is
-met. The nonce must be provided with each call.
-
-When the operation is complete, this will return a response like the example
-below; otherwise the response will be the same as the `GET` method against
-`sys/rekey/verify`, providing status on the operation itself.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/rekey/verify`          |
-
-### Parameters
-
-- `key` `(string: <required>)` – Specifies a single master share key from the
-  new set of shares.
-
-- `nonce` `(string: <required>)` – Specifies the nonce of the rekey
-  verification operation.
-
-### Sample Payload
-
-```json
-{
-  "key": "A58d...",
-  "nonce": "5a27bbc1..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token" \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/rekey/verify
-```
-
-### Sample Response
-
-```json
-{
-  "nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
-  "complete": true
-}
-```
diff --git a/website/source/api/system/remount.html.md b/website/source/api/system/remount.html.md
deleted file mode 100644
index e82d4ae2b83f..000000000000
--- a/website/source/api/system/remount.html.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-layout: "api"
-page_title: "/sys/remount - HTTP API"
-sidebar_title: "<code>/sys/remount</code>"
-sidebar_current: "api-http-system-remount"
-description: |-
-  The '/sys/remount' endpoint is used remount a mounted backend to a new endpoint.
----
-
-# `/sys/remount`
-
-The `/sys/remount` endpoint is used remount a mounted backend to a new endpoint.
-
-## Move Backend
-
-This endpoint moves an already-mounted backend to a new mount point.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/remount`               |
-
-### Parameters
-
-- `from` `(string: <required>)` – Specifies the previous mount point.
-
-- `to` `(string: <required>)` – Specifies the new destination mount point.
-
-### Sample Payload
-
-```json
-{
-  "from": "secret",
-  "to": "new-secret"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/remount
-```
diff --git a/website/source/api/system/replication/index.html.md b/website/source/api/system/replication/index.html.md
deleted file mode 100644
index a10508dfedb8..000000000000
--- a/website/source/api/system/replication/index.html.md
+++ /dev/null
@@ -1,170 +0,0 @@
----
-layout: "api"
-page_title: "/sys/replication - HTTP API"
-sidebar_title: "<code>/sys/replication</code>"
-sidebar_current: "api-http-system-replication"
-description: |-
-  The '/sys/replication' endpoint focuses on managing general operations in Vault Enterprise replication
----
-
-# `/sys/replication`
-
-~> **Enterprise Only** – These endpoints require Vault Enterprise.
-
-## Attempt Recovery
-
-This endpoint attempts recovery if replication is in an adverse state. For
-example: an error has caused replication to stop syncing.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/recover`   |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/recover
-```
-
-### Sample Response
-
-```json
-{
-  "warnings": ["..."]
-}
-```
-
-## Reindex Replication
-
-This endpoint reindexes the local data storage. This can cause a very long delay
-depending on the number and size of objects in the data store.
-
-**This endpoint requires 'sudo' capability.**
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/reindex`   |
-
-### Parameters
-
-- `diff` `(bool: false)` – Enables a slower re-indexing which will perform a key 
-   level check to diagnose issues. Defaults false.
-
-- `force` `(bool: false)` – Forces a complete re-indexing which only scans data 
-   available in the storage. Defaults false.
-
-- `skip_flush` `(bool: false)` – Skips the tree flushing stage of the reindex 
-   process. This setting can be used to reduce the amount of time the tree is locked
-   during a reindex process. If this node is killed before the full tree has been 
-   asynchronously flushed the reindex may not have applied fully and a new reindex
-   may need to be done. Shutting down this node cleanly will cause the tree to be 
-   flushed prior to shutdown. Defaults false.
-
-### Sample Payload
-
-```json
-{}
-```
-
-### Sample Request
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/reindex
-```
-
-### Sample Response
-
-```json
-{
-  "warnings": ["..."]
-}
-```
-
-## Check Status
-
-This endpoint print information about the status of replication (mode,
-sync progress, etc).
-
-This is an authenticated endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/replication/status`    |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/replication/status
-```
-
-### Sample Response
-
-The printed status of the replication environment. As an example, for a
-performance primary and DR primary node, it will look something like:
-
-```json
-{
-  "data": {
-    "dr": {
-      "cluster_id": "f2c21cb5-523f-617b-20ac-c913d9154ba6",
-      "known_secondaries": [
-        "3"
-      ],
-      "last_wal": 291,
-      "merkle_root": "38543b95d44132138003939addbaf94125ec184e",
-      "mode": "primary",
-      "primary_cluster_addr": ""
-    },
-    "performance": {
-      "cluster_id": "1598d434-dfec-1f48-f019-3d22a8075bf9",
-      "known_secondaries": [
-        "2"
-      ],
-      "last_wal": 291,
-      "merkle_root": "43f40fc775b40cc76cd5d7e289b2e6eaf4ba138c",
-      "mode": "primary",
-      "primary_cluster_addr": ""
-    }
-  },
-}
-```
-
-### Sample Response from Performance Secondary & DR Primary
-
-The printed status of the replication environment. As an example, for a
-performnace secondary and DR primary node, it will look something like:
-
-```json
-{
-  "data": {
-    "dr": {
-      "cluster_id": "e4bfa800-002e-7b6d-14c2-617855ece02f",
-      "known_secondaries": [
-        "4"
-      ],
-      "last_wal": 455,
-      "merkle_root": "cdcf796619240ce19dd8af30fa700f64c8006e3d",
-      "mode": "primary",
-      "primary_cluster_addr": ""
-    },
-    "performance": {
-      "cluster_id": "1598d434-dfec-1f48-f019-3d22a8075bf9",
-      "known_primary_cluster_addrs": [
-        "https://127.0.0.1:8201"
-      ],
-      "last_remote_wal": 291,
-      "merkle_root": "43f40fc775b40cc76cd5d7e289b2e6eaf4ba138c",
-      "mode": "secondary",
-      "primary_cluster_addr": "https://127.0.0.1:8201",
-      "secondary_id": "2",
-      "state": "stream-wals"
-    }
-  },
-}
-```
diff --git a/website/source/api/system/replication/replication-dr.html.md b/website/source/api/system/replication/replication-dr.html.md
deleted file mode 100644
index ce52a5654d25..000000000000
--- a/website/source/api/system/replication/replication-dr.html.md
+++ /dev/null
@@ -1,619 +0,0 @@
----
-layout: "api"
-page_title: "/sys/replication - HTTP API"
-sidebar_title: "<code>/sys/replication/dr</code>"
-sidebar_current: "api-http-system-replication-dr"
-description: |-
-  The '/sys/replication/dr' endpoint focuses on managing general operations in Vault Enterprise Disaster Recovery replication
----
-
-# `/sys/replication/dr`
-
-~> **Enterprise Only** – These endpoints require Vault Enterprise.
-
-## Check DR Status
-
-This endpoint prints information about the status of replication (mode,
-sync progress, etc).
-
-This is an authenticated endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/replication/dr/status`    |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/replication/dr/status
-```
-
-### Sample Response from Primary
-
-The printed status of the replication environment. As an example, for a
-primary, it will look something like:
-
-```json
-{
-  "data": {
-    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
-    "known_secondaries": [],
-    "last_wal": 241,
-    "merkle_root": "56794a98e52598f35974024fba6691f047e772e9",
-    "mode": "primary"
-  },
-}
-```
-### Sample Response from Secondary
-
-The printed status of the replication environment. As an example, for a
-secondary, it will look something like:
-
-```json
-{
-  "data": {
-    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
-    "known_primary_cluster_addrs": [
-      "https://127.0.0.1:8201"
-    ],
-    "last_remote_wal": 241,
-    "merkle_root": "56794a98e52598f35974024fba6691f047e772e9",
-    "mode": "secondary",
-    "primary_cluster_addr": "https://127.0.0.1:8201",
-    "secondary_id": "3",
-    "state": "stream-wals"
-  },
-}
-```
-
-## Enable DR Primary Replication
-
-This endpoint enables DR replication in primary mode. This is used when DR replication
-is currently disabled on the cluster (if the cluster is already a secondary, it
-must be promoted).
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/primary/enable` |
-
-### Parameters
-
-- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
-  primary gives to secondary nodes. Useful if the primary's cluster address is
-  not directly accessible and must be accessed via an alternate path/address,
-  such as through a TCP-based load balancer.
-
-### Sample Payload
-
-```json
-{}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/dr/primary/enable
-```
-
-## Demote DR Primary
-
-This endpoint demotes a DR primary cluster to a secondary. This DR secondary cluster
-will not attempt to connect to a primary (see the update-primary call), but will
-maintain knowledge of its cluster ID and can be reconnected to the same
-DR replication set without wiping local storage.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/primary/demote` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/dr/primary/demote
-```
-
-## Disable DR Primary
-
-This endpoint disables DR replication entirely on the cluster. Any secondaries will
-no longer be able to connect. Caution: re-enabling this node as a primary or
-secondary will change its cluster ID; in the secondary case this means a wipe of
-the underlying storage when connected to a primary, and in the primary case,
-secondaries connecting back to the cluster (even if they have connected before)
-will require a wipe of the underlying storage.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/primary/disable` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/dr/primary/disable
-```
-
-## Generate DR Secondary Token
-
-This endpoint generates a DR secondary activation token for the
-cluster with the given opaque identifier, which must be unique. This
-identifier can later be used to revoke a DR secondary's access.
-
-**This endpoint requires 'sudo' capability.**
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`    | `/sys/replication/dr/primary/secondary-token` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
-
-- `ttl` `(string: "30m")` – Specifies the TTL for the secondary activation
-  token.
-
-- `secondary_public_key` `(string: "")` – Specifies the secondary's generated
-  public key, if using encryption rather than response wrapping to protect the
-  secondary credentials. (Vault 1.3+)
-
-### Sample Payload
-
-```json
-{
-  "id": "us-east-1"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/dr/primary/secondary-token
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": null,
-  "warnings": null,
-  "wrap_info": {
-    "token": "fb79b9d3-d94e-9eb6-4919-c559311133d6",
-    "ttl": 300,
-    "creation_time": "2016-09-28T14:41:00.56961496-04:00",
-    "wrapped_accessor": ""
-  }
-}
-```
-
-## Revoke DR Secondary Token
-
-This endpoint revokes a DR secondary's ability to connect to the DR primary cluster;
-the DR secondary will immediately be disconnected and will not be allowed to
-connect again unless given a new activation token.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/primary/revoke-secondary` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
-
-### Sample Payload
-
-```json
-{
-  "id": "us-east"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/dr/primary/revoke-secondary
-```
-
-## Fetch DR Secondary Public Key
-
-(Vault 1.3+)
-
-This endpoint allows fetching a public key that is used to encrypt the returned
-credential information (instead of using a response wrapped token). This avoids
-needing to make an API call to the primary during activation.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/secondary/generate-public-key` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-public-key
-```
-
-## Enable DR Secondary
-
-This endpoint enables replication on a DR secondary using a DR secondary activation
-token.
-
-!> This will immediately clear all data in the secondary cluster!
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/secondary/enable` |
-
-### Parameters
-
-- `token` `(string: <required>)` – Specifies the secondary activation token
-  fetched from the primary.
-
-- `primary_api_addr` `(string: "")` – Set this to the API address (normal Vault
-  address) to override the value embedded in the token. This can be useful if
-  the primary's redirect address is not accessible directly from this cluster
-  (e.g. through a load balancer).
-
-- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
-  that the secondary can use when unwrapping the token from the primary. If this
-  and ca_path are not given, defaults to system CA roots.
-
-- `ca_path` `(string: "")` – Specifies  the path to a CA root directory
-  containing PEM-format files that the secondary can use when unwrapping the
-  token from the primary. If this and ca_file are not given, defaults to system
-  CA roots.
-
-### Sample Payload
-
-```json
-{
-  "token": "..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/enable
-```
-
-## Promote DR Secondary
-
-This endpoint promotes the DR secondary cluster to DR primary. For data safety and
-security reasons, new secondary tokens will need to be issued to other
-secondaries, and there should never be more than one primary at a time.
-
-If the DR secondary's primary cluster is also in a performance replication set,
-the DR secondary will be promoted into that replication set. Care should be
-taken when promoting to ensure multiple performance primary clusters are not
-activate at the same time.
-
-If the DR secondary's primary cluster is a performance secondary, the promoted
-cluster will attempt to connect to the performance primary cluster using the
-same secondary token.
-
-This endpoint requires a DR Operation Token to be provided as means of
-authorization. See the [DR Operation Token API
-docs](#generate-disaster-recovery-operation-token) for more information.
-
-!> Only one performance primary should be active at a given time. Multiple primaries may
-result in data loss!
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/secondary/promote` |
-
-### Parameters
-
-- `dr_operation_token` `(string: <required>)` - DR operation token used to authorize this request.
-- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
-  primary gives to secondary nodes. Useful if the primary's cluster address is
-  not directly accessible and must be accessed via an alternate path/address
-  (e.g. through a load balancer).
-- `force` `(bool: false)` - If true the cluster will be promoted even if it fails
-  certain safety checks. Caution: Forcing promotion could result in data loss if
-  data isn't fully replicated.
-
-### Sample Payload
-
-```json
-{
-  "dr_operation_token": "ijH8tphEHaBtgx+IvPfxDsSi2LV4j9k+Lad6eqT5cJw="
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/promote
-```
-
-### Sample Response
-
-```json
-{
-  "progress": 0,
-  "required": 1,
-  "complete": false,
-  "request_id": "ad8f9074-0e24-d30e-83cd-595c9652ff89",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "complete": false,
-    "progress": 0,
-    "required": 1
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-## Update DR Secondary's Primary
-
-This endpoint changes a DR secondary cluster's assigned primary cluster using a
-secondary activation token. This does not wipe all data in the cluster.
-
-This endpoint requires a DR Operation Token to be provided as means of
-authorization. See the [DR Operation Token API
-docs](#generate-disaster-recovery-operation-token) for more information.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/secondary/update-primary` |
-
-### Parameters
-
-- `dr_operation_token` `(string: <required>)` - DR operation token used to authorize this request.
-
-- `token` `(string: <required>)` – Specifies the secondary activation token
-  fetched from the primary. If you set this to a blank string, the cluster will
-  stay a secondary but clear its knowledge of any past primary (and thus not
-  attempt to connect to the previous primary). This can be useful if the primary
-  is down to stop the secondary from trying to reconnect to it.
-
-- `primary_api_addr` `(string: )` – Specifies the API address (normal Vault
-  address) to override the value embedded in the token. This can be useful if
-  the primary's redirect address is not accessible directly from this cluster.
-
-- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
-  that the secondary can use when unwrapping the token from the primary. If this
-  and ca_path are not given, defaults to system CA roots.
-
-- `ca_path` `string: ()` – Specifies the path to a CA root directory containing
-  PEM-format files that the secondary can use when unwrapping the token from the
-  primary. If this and ca_file are not given, defaults to system CA roots.
-
-### Sample Payload
-
-```json
-{
-  "dr_operation_token": "...",
-  "token": "..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/update-primary
-```
-
-## Generate Disaster Recovery Operation Token
-
-The `/sys/replication/dr/secondary/generate-operation-token` endpoint is used to create a new Disaster
-Recovery operation token for a DR secondary. These tokens are used to authorize
-certain DR Operations. They should be treated like traditional root tokens by
-being generated when needed and deleted soon after.
-
-## Read Generation Progress
-
-This endpoint reads the configuration and process of the current generation
-attempt.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/replication/dr/secondary/generate-operation-token/attempt` |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-operation-token/attempt
-```
-
-### Sample Response
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 1,
-  "required": 3,
-  "encoded_token": "",
-  "pgp_fingerprint": "",
-  "complete": false
-}
-```
-
-If a generation is started, `progress` is how many unseal keys have been
-provided for this generation attempt, where `required` must be reached to
-complete. The `nonce` for the current attempt and whether the attempt is
-complete is also displayed. If a PGP key is being used to encrypt the final
-token, its fingerprint will be returned. Note that if an OTP is being used to
-encode the final token, it will never be returned.
-
-## Start Token Generation
-
-This endpoint initializes a new generation attempt. Only a single
-generation attempt can take place at a time.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/replication/dr/secondary/generate-operation-token/attempt` |
-
-### Parameters
-
-- `pgp_key` `(string: <optional>)` – Specifies a base64-encoded PGP public key.
-  The raw bytes of the token will be encrypted with this value before being
-  returned to the final unseal key provider.
-
-### Sample Request
-
-```
-$ curl \
-    --request PUT \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-operation-token/attempt
-```
-
-### Sample Response
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 1,
-  "required": 3,
-  "encoded_token": "",
-  "otp": "2vPFYG8gUSW9npwzyvxXMug0",
-  "otp_length" :24,
-  "complete": false
-}
-```
-
-## Cancel Generation
-
-This endpoint cancels any in-progress generation attempt. This clears any
-progress made. This must be called to change the OTP or PGP key being used.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `DELETE` | `/sys/replication/dr/secondary/generate-operation-token/attempt` |
-
-### Sample Request
-
-```
-$ curl \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-operation-token/attempt
-```
-
-## Provide Key Share to Generate Token
-
-This endpoint is used to enter a single master key share to progress the
-generation attempt. If the threshold number of master key shares is reached,
-Vault will complete the generation and issue the new token.  Otherwise,
-this API must be called multiple times until that threshold is met. The attempt
-nonce must be provided with each call.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/replication/dr/secondary/generate-operation-token/update`  |
-
-### Parameters
-
-- `key` `(string: <required>)` – Specifies a single master key share.
-
-- `nonce` `(string: <required>)` – Specifies the nonce of the attempt.
-
-### Sample Payload
-
-```json
-{
-  "key": "acbd1234",
-  "nonce": "ad235"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-operation-token/update
-```
-
-### Sample Response
-
-This returns a JSON-encoded object indicating the attempt nonce, and completion
-status, and the encoded token, if the attempt is complete.
-
-```json
-{
-  "started": true,
-  "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
-  "progress": 3,
-  "required": 3,
-  "pgp_fingerprint": "",
-  "complete": true,
-  "encoded_token": "FPzkNBvwNDeFh4SmGA8c+w=="
-}
-```
-
-## Delete DR Operation Token
-
-This endpoint revokes the DR Operation Token. This token does not have a TTL
-and therefore should be deleted when it is no longer needed.
-
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/dr/secondary/operation-token/delete` |
-
-### Parameters
-
-- `dr_operation_token` `(string: <required>)` - DR operation token used to authorize this request.
-
-### Sample Payload
-
-```json
-{
-  "dr_operation_token": "..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/operation-token/delete
-```
diff --git a/website/source/api/system/replication/replication-performance.html.md b/website/source/api/system/replication/replication-performance.html.md
deleted file mode 100644
index f95d5c6fbe4e..000000000000
--- a/website/source/api/system/replication/replication-performance.html.md
+++ /dev/null
@@ -1,670 +0,0 @@
----
-layout: "api"
-page_title: "/sys/replication - HTTP API"
-sidebar_title: "<code>/sys/replication/performance</code>"
-sidebar_current: "api-http-system-replication-performance"
-description: |-
-  The '/sys/replication/performance' endpoint focuses on managing general operations in Vault Enterprise Performance Replication
----
-
-# `/sys/replication/performance`
-
-~> **Enterprise Only** – These endpoints require Vault Enterprise.
-
-## Check Performance Status
-
-This endpoint prints information about the status of replication (mode,
-sync progress, etc).
-
-This is an authenticated endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/replication/performance/status`    |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/replication/performance/status
-```
-
-### Sample Response from Primary
-
-The printed status of the replication environment. As an example, for a
-primary, it will look something like:
-
-```json
-{
-  "data": {
-    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
-    "known_secondaries": [
-      "2"
-    ],
-    "last_wal": 87,
-    "merkle_root": "c31e40f6ff02f32c37b70e6a4d58732ac812abf0",
-    "mode": "primary"
-  },
-}
-```
-
-### Sample Response from Secondary
-
-The printed status of the replication environment. As an example, for a
-secondary, it will look something like:
-
-```json
-{
-  "data": {
-    "cluster_id": "d4095d41-3aee-8791-c421-9bc7f88f7c3e",
-    "known_primary_cluster_addrs": [
-      "https://127.0.0.1:8201"
-    ],
-    "last_remote_wal": 87,
-    "merkle_root": "c31e40f6ff02f32c37b70e6a4d58732ac812abf0",
-    "mode": "secondary",
-    "primary_cluster_addr": "https://127.0.0.1:8201",
-    "secondary_id": "2",
-    "state": "stream-wals"
-  },
-}
-```
-
-## Enable Performance Primary Replication
-
-This endpoint enables replication in primary mode. This is used when replication
-is currently disabled on the cluster (if the cluster is already a secondary, it
-must be promoted).
-
-!> Only one primary should be active at a given time. Multiple primaries may
-result in data loss!
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/primary/enable` |
-
-### Parameters
-
-- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
-  primary gives to secondary nodes. Useful if the primary's cluster address is
-  not directly accessible and must be accessed via an alternate path/address,
-  such as through a TCP-based load balancer. If not set, uses vault's configured
-  cluster address.
-
-### Sample Payload
-
-```json
-{}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/enable
-```
-
-## Demote Performance Primary
-
-This endpoint demotes a performance primary cluster to a performance secondary.
-This secondary cluster will not attempt to connect to a primary (see the update-primary call),
-but will maintain knowledge of its cluster ID and can be reconnected to the same
-replication set without wiping local storage.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/primary/demote` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/demote
-```
-
-## Disable Performance Primary
-
-This endpoint disables performance replication entirely on the cluster. Any
-performance secondaries will no longer be able to connect. Caution: re-enabling
-this node as a primary or secondary will change its cluster ID; in the secondary
-case this means a wipe of the underlying storage when connected to a primary,
-and in the primary case, secondaries connecting back to the cluster (even if
-they have connected before) will require a wipe of the underlying storage.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/primary/disable` |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/disable
-```
-
-## Generate Performance Secondary Token
-
-This endpoint generates a performance secondary activation token for the
-cluster with the given opaque identifier, which must be unique. This
-identifier can later be used to revoke a secondary's access.
-
-**This endpoint requires 'sudo' capability.**
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`    | `/sys/replication/performance/primary/secondary-token` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
-
-- `ttl` `(string: "30m")` – Specifies the TTL for the secondary activation
-  token.
-
-- `secondary_public_key` `(string: "")` – Specifies the secondary's generated
-  public key, if using encryption rather than response wrapping to protect the
-  secondary credentials. (Vault 1.3+)
-
-### Sample Payload
-
-```json
-{
-  "id": "us-east-1"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/secondary-token
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": null,
-  "warnings": null,
-  "wrap_info": {
-    "token": "fb79b9d3-d94e-9eb6-4919-c559311133d6",
-    "ttl": 300,
-    "creation_time": "2016-09-28T14:41:00.56961496-04:00",
-    "wrapped_accessor": ""
-  }
-}
-```
-
-## Revoke Performance Secondary Token
-
-This endpoint revokes a performance secondary's ability to connect to the
-performance primary cluster; the secondary will immediately be disconnected and
-will not be allowed to connect again unless given a new activation token.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/primary/revoke-secondary` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
-
-### Sample Payload
-
-```json
-{
-  "id": "us-east"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/revoke-secondary
-```
-
-## Create Paths Filter 
-
-This endpoint is used to modify the mounts and namespaces that are filtered to a secondary.
-Filtering can be specified in allow mode or deny mode.  In allow
-mode the secret and auth mounts that are specified are included to the
-selected secondary.  In deny mode, the mount and namespace paths are excluded.
-
-| Method   | Path                                                     |
-| :------------------------------------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/primary/paths-filter/:id` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
-
-- `mode` `(string: "allow")` – Specifies the filtering mode.  Available values
-  are "allow" and "deny".
-
-- `paths` `(array: [])` – The list of mount and namespace paths that are filtered.
-
-### Sample Payload
-
-```json
-{
-  "mode": "allow",
-  "paths": ["secret/", "ns1/"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
-```
-
-## Read Paths Filter
-
-This endpoint is used to read the mode and the mount/namespace paths that are filtered
-for a secondary.
-
-| Method   | Path                                                     |
-| :------------------------------------------------------- | :--------------------- |
-| `GET`    | `/sys/replication/performance/primary/paths-filter/:id`  | `200 (empty body)` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
-```
-
-### Sample Response
-
-```json
-{
-  "mode": "allow",
-  "paths": ["secret/", "ns1/"]
-}
-```
-
-## Delete Paths Filter
-
-This endpoint is used to delete the mount and namespace filters for a secondary.
-
-| Method   | Path                                                     |
-| :------------------------------------------------------- | :--------------------- |
-| `DELETE` | `/sys/replication/performance/primary/paths-filter/:id`  |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/paths-filter/mySecondaryID
-```
-
-## Read Dynamically Generated Filter (PRIMARY)
-
-This endpoint is used to read the namespace and the mount paths that are dynamically
-filtered for a secondary on the primary.
-
-| Method   | Path                                                     |
-| :------------------------------------------------------- | :--------------------- |
-| `GET`    | `/sys/replication/performance/primary/dynamic-filter/:id`  | `200 (empty body)` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/dynamic-filter/mySecondaryID
-```
-
-### Sample Response
-
-```json
-{
-  "dynamic_filtered_mounts": ["ns1/ns2/secret/", "ns1/kv/"],
-  "dynamic_filtered_namespaces": ["ns1/", "ns1/ns2/"]
-}
-```
-
-## Read Dynamically Generated Filter (SECONDARY)
-
-This endpoint is used to read the namespace and the mount paths that are dynamically
-filtered for a secondary on the secondary.
-
-| Method   | Path                                                     |
-| :------------------------------------------------------- | :--------------------- |
-| `GET`    | `/sys/replication/performance/secondary/dynamic-filter/:id`  | `200 (empty body)` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies the unique performance secondary identifier.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/dynamic-filter/mySecondaryID
-```
-
-### Sample Response
-
-```json
-{
-  "dynamic_filtered_mounts": ["ns1/ns2/secret/", "ns1/kv/"],
-  "dynamic_filtered_namespaces": ["ns1/", "ns1/ns2/"]
-}
-```
-
-## Create Mounts Filter (DEPRECATED)
-
-~> This API is deprecated and will be removed in a future version of Vault.
-Please use Paths Filter instead.
-
-This endpoint is used to modify the mounts that are filtered to a secondary.
-Filtering can be specified in whitelist mode or blacklist mode.  In whitelist
-mode the secret and auth mounts that are specified are included to the
-selected secondary.  In blacklist mode, the mount paths are excluded.
-
-| Method   | Path                                                     |
-| :------------------------------------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/primary/mount-filter/:id` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
-
-- `mode` `(string: "whitelist")` – Specifies the filtering mode.  Available values
-  are "whitelist" and blacklist".
-
-- `paths` `(array: [])` – The list of mount paths that are filtered.
-
-### Sample Payload
-
-```json
-{
-  "mode": "whitelist",
-  "paths": ["secret/"]
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
-```
-
-## Read Mounts Filter (DEPRECATED)
-
-~> This API is deprecated and will be removed in a future version of Vault.
-Please use Paths Filter instead.
-
-This endpoint is used to read the mode and the mount paths that are filtered
-for a secondary.
-
-| Method   | Path                                                     |
-| :------------------------------------------------------- | :--------------------- |
-| `GET`    | `/sys/replication/performance/primary/mount-filter/:id`  | `200 (empty body)` |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
-```
-
-### Sample Response
-
-```json
-{
-  "mode": "whitelist",
-  "paths": ["secret/"]
-}
-```
-
-## Delete Mounts Filter (DEPRECATED)
-
-~> This API is deprecated and will be removed in a future version of Vault.
-Please use Paths Filter instead.
-
-This endpoint is used to delete the mount filters for a secondary.
-
-| Method   | Path                                                     |
-| :------------------------------------------------------- | :--------------------- |
-| `DELETE` | `/sys/replication/performance/primary/mount-filter/:id`  |
-
-### Parameters
-
-- `id` `(string: <required>)` – Specifies an opaque identifier, e.g. 'us-east'
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request DELETE \
-    http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
-```
-
-## Fetch Performance Secondary Public Key
-
-(Vault 1.3+)
-
-This endpoint allows fetching a public key that is used to encrypt the returned
-credential information (instead of using a response wrapped token). This avoids
-needing to make an API call to the primary during activation.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/secondary/generate-public-key` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/generate-public-key
-```
-
-## Enable Performance Secondary
-
-This endpoint enables performance replication on a secondary using a secondary activation
-token.
-
-!> This will immediately clear all data in the secondary cluster!
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/secondary/enable` |
-
-### Parameters
-
-- `token` `(string: <required>)` – Specifies the secondary activation token
-  fetched from the primary.
-
-- `primary_api_addr` `(string: "")` – Set this to the API address (normal Vault
-  address) to override the value embedded in the token. This can be useful if
-  the primary's redirect address is not accessible directly from this cluster
-  (e.g. through a load balancer).
-
-- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
-  that the secondary can use when unwrapping the token from the primary. If this
-  and ca_path are not given, defaults to system CA roots.
-
-- `ca_path` `(string: "")` – Specifies  the path to a CA root directory
-  containing PEM-format files that the secondary can use when unwrapping the
-  token from the primary. If this and ca_file are not given, defaults to system
-  CA roots.
-
-### Sample Payload
-
-```json
-{
-  "token": "..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/enable
-```
-
-## Promote Performance Secondary
-
-This endpoint promotes the performance secondary cluster to performance primary.
-For data safety and security reasons, new secondary tokens will need to be
-issued to other secondaries, and there should never be more than one performance
-primary at a time.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/secondary/promote` |
-
-### Parameters
-
-- `primary_cluster_addr` `(string: "")` – Specifies the cluster address that the
-  primary gives to secondary nodes. Useful if the primary's cluster address is
-  not directly accessible and must be accessed via an alternate path/address
-  (e.g. through a load balancer).
-- `force` `(bool: false)` - If true the cluster will be promoted even if it fails 
-  certain safety checks. Caution: Forcing promotion could result in data loss if 
-  data isn't fully replicated.
-
-### Sample Payload
-
-```json
-{}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/promote
-```
-
-## Disable Performance Secondary
-
-This endpoint disables performance replication entirely on the cluster. The cluster will no
-longer be able to connect to the performance primary.
-
-!> Re-enabling this node as a performance primary or secondary will change its cluster ID;
-in the secondary case this means a wipe of the underlying storage when connected
-to a primary, and in the primary case, secondaries connecting back to the
-cluster (even if they have connected before) will require a wipe of the
-underlying storage.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/secondary/disable` |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/disable
-```
-
-## Update Performance Secondary's Primary
-
-This endpoint changes a performance secondary cluster's assigned primary cluster using a
-secondary activation token. This does not wipe all data in the cluster.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/replication/performance/secondary/update-primary` |
-
-### Parameters
-
-- `token` `(string: <required>)` – Specifies the secondary activation token
-  fetched from the primary. If you set this to a blank string, the cluster will
-  stay a secondary but clear its knowledge of any past primary (and thus not
-  attempt to connect to the previous primary). This can be useful if the primary
-  is down to stop the secondary from trying to reconnect to it.
-
-- `primary_api_addr` `(string: )` – Specifies the API address (normal Vault
-  address) to override the value embedded in the token. This can be useful if
-  the primary's redirect address is not accessible directly from this cluster.
-
-- `ca_file` `(string: "")` – Specifies the path to a CA root file (PEM format)
-  that the secondary can use when unwrapping the token from the primary. If this
-  and ca_path are not given, defaults to system CA roots.
-
-- `ca_path` `string: ()` – Specifies the path to a CA root directory containing
-  PEM-format files that the secondary can use when unwrapping the token from the
-  primary. If this and ca_file are not given, defaults to system CA roots.
-
-### Sample Payload
-
-```json
-{
-  "token": "..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/update-primary
-```
diff --git a/website/source/api/system/rotate.html.md b/website/source/api/system/rotate.html.md
deleted file mode 100644
index 4795ec3d2ab5..000000000000
--- a/website/source/api/system/rotate.html.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-layout: "api"
-page_title: "/sys/rotate - HTTP API"
-sidebar_title: "<code>/sys/rotate</code>"
-sidebar_current: "api-http-system-rotate"
-description: |-
-  The `/sys/rotate` endpoint is used to rotate the encryption key.
----
-
-# `/sys/rotate`
-
-The `/sys/rotate` endpoint is used to rotate the encryption key.
-
-## Rotate Encryption Key
-
-This endpoint triggers a rotation of the backend encryption key. This is the key
-that is used to encrypt data written to the storage backend, and is not provided
-to operators. This operation is done online. Future values are encrypted with
-the new key, while old values are decrypted with previous encryption keys.
-
-This path requires `sudo` capability in addition to `update`.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/rotate`                |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    http://127.0.0.1:8200/v1/sys/rotate
-```
diff --git a/website/source/api/system/seal-status.html.md b/website/source/api/system/seal-status.html.md
deleted file mode 100644
index 7294081bc0eb..000000000000
--- a/website/source/api/system/seal-status.html.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-layout: "api"
-page_title: "/sys/seal-status - HTTP API"
-sidebar_title: "<code>/sys/seal-status</code>"
-sidebar_current: "api-http-system-seal-status"
-description: |-
-  The `/sys/seal-status` endpoint is used to check the seal status of a Vault.
----
-
-# `/sys/seal-status`
-
-The `/sys/seal-status` endpoint is used to check the seal status of a Vault.
-
-## Seal Status
-
-This endpoint returns the seal status of the Vault. This is an unauthenticated
-endpoint.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `GET`    | `/sys/seal-status`           |
-
-### Sample Request
-
-```
-$ curl \
-    http://127.0.0.1:8200/v1/sys/seal-status
-```
-
-### Sample Response
-
-The "t" parameter is the threshold, and "n" is the number of shares.
-
-```json
-{
-  "type": "shamir",
-  "sealed": true,
-  "t": 3,
-  "n": 5,
-  "progress": 2,
-  "nonce": "",
-  "version": "0.9.0"
-}
-```
-
-Sample response when Vault is unsealed.
-
-```json
-{
-  "type": "shamir",
-  "sealed": false,
-  "t": 3,
-  "n": 5,
-  "progress": 0,
-  "version": "0.9.0",
-  "cluster_name": "vault-cluster-d6ec3c7f",
-  "cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8",
-  "nonce": "ef05d55d-4d2c-c594-a5e8-55bc88604c24"
-}
-```
diff --git a/website/source/api/system/seal.html.md b/website/source/api/system/seal.html.md
deleted file mode 100644
index 8f6cb82b87db..000000000000
--- a/website/source/api/system/seal.html.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-layout: "api"
-page_title: "/sys/seal - HTTP API"
-sidebar_title: "<code>/sys/seal</code>"
-sidebar_current: "api-http-system-seal/"
-description: |-
-  The `/sys/seal` endpoint seals the Vault.
----
-
-# `/sys/seal`
-
-The `/sys/seal` endpoint seals the Vault.
-
-## Seal
-
-This endpoint seals the Vault. In HA mode, only an active node can be sealed.
-Standby nodes should be restarted to get the same effect. Requires a token with
-`root` policy or `sudo` capability on the path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/seal`                  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    http://127.0.0.1:8200/v1/sys/seal
-```
diff --git a/website/source/api/system/sealwrap-rewrap.html.md b/website/source/api/system/sealwrap-rewrap.html.md
deleted file mode 100644
index cffd9ba50fcf..000000000000
--- a/website/source/api/system/sealwrap-rewrap.html.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-layout: "api"
-page_title: "/sys/sealwrap/rewrap - HTTP API"
-sidebar_title: "<code>/sys/sealwrap/rewrap</code>"
-sidebar_current: "api-http-system-sealwrap-rewrap"
-description: |-
-  The `/sys/sealwrap/rewrap` endpoint is used to rewrap all seal wrapped entries.
----
-
-# `/sys/sealwrap/rewrap`
-
-~> **Enterprise Only** – These endpoints require Vault Enterprise.
-
-The `/sys/sealwrap/rewrap` endpoint is used to rewrap all seal wrapped entries.
-This is useful when you want to upgrade seal wrapped entries to use the latest
-key, for example, after a seal migration or after rotating the remote keyring.
-
-## Read Rewrap Status
-
-This endpoint reports whether a seal rewrap process is currently running.
-
-| Method   | Path                   |
-| :------- | :--------------------- |
-| `GET`    | `/sys/sealwrap/rewrap` |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/sealwrap/rewrap
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "entries": {
-      "failed": 0,
-      "processed": 30,
-      "succeeded": 30
-    },
-    "is_running": false
-  }
-}
-```
-
-## Start a Seal Rewrap Process
-
-This endpoint starts a seal rewrap process if one is not currently running.
-The process will run in the background. Check the vault server logs for status
-and progress updates.
-
-| Method   | Path                   |
-| :------- | :--------------------- |
-| `POST`   | `/sys/sealwrap/rewrap` |
-
-The default status codes are:
-
-- `200` if a seal rewrap process is already running
-- `204` if a seal rewrap process was started
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    http://127.0.0.1:8200/v1/sys/sealwrap/rewrap
-```
diff --git a/website/source/api/system/step-down.html.md b/website/source/api/system/step-down.html.md
deleted file mode 100644
index 4f97d448cb8d..000000000000
--- a/website/source/api/system/step-down.html.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-layout: "api"
-page_title: "/sys/step-down - HTTP API"
-sidebar_title: "<code>/sys/step-down</code>"
-sidebar_current: "api-http-system-step-down"
-description: |-
-  The `/sys/step-down` endpoint causes the node to give up active status.
----
-
-# `/sys/step-down`
-
-The `/sys/step-down` endpoint causes the node to give up active status.
-
-## Step Down Leader
-
-This endpoint forces the node to give up active status. If the node does not
-have active status, this endpoint does nothing. Note that the node will sleep
-for ten seconds before attempting to grab the active lock again, but if no
-standby nodes grab the active lock in the interim, the same node may become the
-active node again. Requires a token with `root` policy or `sudo` capability on
-the path.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/step-down`             |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request PUT \
-    http://127.0.0.1:8200/v1/sys/step-down
-```
diff --git a/website/source/api/system/storage/index.html.md b/website/source/api/system/storage/index.html.md
deleted file mode 100644
index 07aa5ff922ad..000000000000
--- a/website/source/api/system/storage/index.html.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-layout: "api"
-page_title: "/sys/storage - HTTP API"
-sidebar_title: "<code>/sys/storage </code>"
-sidebar_current: "api-http-system-storage"
-description: |-
-
-  The '/sys/storage' endpoints are used to manage Vault's storage backends.
-
----
-
-This API sub-section is currently only used to manage [Raft](raft.html) storage backend.
diff --git a/website/source/api/system/storage/raft.html.md b/website/source/api/system/storage/raft.html.md
deleted file mode 100644
index 438abecbc30a..000000000000
--- a/website/source/api/system/storage/raft.html.md
+++ /dev/null
@@ -1,195 +0,0 @@
----
-layout: "api"
-page_title: "/sys/storage/raft - HTTP API"
-sidebar_title: "<code>/sys/storage/raft</code>"
-sidebar_current: "api-http-system-storage-raft"
-description: |-
-
-  The `/sys/storage/raft` endpoints are used to manage Vault's Raft storage
-  backend.
-
----
-
-## Join a Raft cluster
-
-This endpoint joins a new server node to the Raft cluster. When using Shamir
-seal, as soon as the Vault server is brought up, this API should be invoked
-instead of `sys/init`. This API completes in 2 phases. Once this is invoked,
-the joining node will receive a challenge from the Raft's leader node. This
-challenge can be answered by the joining node only after a successful unseal.
-Hence, the joining node should be unsealed using the unseal keys of the Raft's
-leader node.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/storage/raft/join`    |
-
-### Parameters
-
-- `leader_api_addr` `(string: <required>)` – Address of the leader node in the
-  Raft cluster to which this node is trying to join.
-
-- `retry` `(bool: false)` - Retry joining the Raft cluster in case of
-  failures.
-
-- `leader_ca_cert` `(string: "")` - CA certificate used to communicate with
-  Raft's leader node.
-
-- `leader_client_cert` `(string: "")` - Client certificate used to communicate
-  with Raft's leader node.
-
-- `leader_client_key` `(string: "")` - Client key used to communicate with
-  Raft's leader node.
-
-### Sample Payload
-```json
-{
-  "leader_api_addr": "https://127.0.0.1:8200",
-  "leader_ca_cert": "-----BEGIN CERTIFICATE-----\nMIIDKTCCAhGgAwIBAgIUcd+Uyk1Tz+FhcbYP0zmynlkARoEwDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE5MDYyNDIyMjgzNVoXDTE5MDYy\nNzIyMjkwNVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdYr6rU\n21vYf7q/cpPigtBchqHvGZvpbA9DZucuUdQ0g4oAXRyShQ8omzmZOmO4A1GI3gqz\nHBePSYl+1IZCwgbPBk2CH7MhlMMINdwoEH6IxFgHNBkNK6GbwnGLyKL0Sym88ly1\n+sPP6+llS8uWNKu5GcObHLysD3Ce6QTt3usDPiw0cxp/KL1EkMi2dT7PvxTsX137\nsEsuQcylltGEtRb67xvFBP8XhQZAEGw+u4S3EmtwWMwZixB45WQhj2Ncz5U0+w8V\ncp9DSqB1QheoGPBBI62jHle05kzG85ZKmLBgHE6HEGS8biIHpannM7dgI0cRH6i2\nF69N0rcbzK+NInUCAwEAAaOBhjCBgzAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0lBBYw\nFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQelJT5fthHdbCyD5zaI4tw\n7mfp8zAfBgNVHSMEGDAWgBSuG6hyoOWoiGvSA3kqwo9DirS+pzASBgNVHREBAf8E\nCDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQCmetSH5w835RbbyHZD8e3ClHzi\n210SrvzWkx3N0JcBOjs47jlLuqVTl0HRr2xMoIkErFbhPDBXARYV8eezhQ6G5M60\n8AwVsG56rCa1l0weK2JfnEWgkwXZ/zbpZ2yNkWatWNSHdlJwGp99JTSriQYNOnMG\nWvBDA8ukoOkIJd/a8+aXZBdUiAcFvlLWmX73pYGTlnQDiIqJvhrlkgCKPvzZqvV+\njtz7kCt9EfT6sN6Xcny7GusRBSs+XfEe8u10+mbud+ufE/QSJ2D3tTYrS6eGqpVD\nrezD8jS9PfZgQfHXVaphMADyw4flaSVxfJ/ZRFxXql3oJSuj02+VX6QsXex+\n-----END CERTIFICATE-----",
-  "leader_client_cert": "-----BEGIN CERTIFICATE-----\nMIIDNTCCAh2gAwIBAgIULkPFG+qu7tGv21Plc1sg4eGbMPkwDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE5MDYyNDIyMjgwNVoXDTI5MDYy\nMTIyMjgzNVowFDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAwszD+A5vWD8S1N632ElHA5Px2dk97wJBKNYc/7RPNptn\n+EOmMTXPfuA3LB92FoSMCR7ye3wvSTzyK9nqafS7U2tlOF4PJrJoNZyzrVwBVLXg\n7Pd8qQxnxbonc3bscWZuEfbFsugkPHgBtnSkyCffXKhhwM5LbJqmK5cfJRZZ0eRy\nwmOCQCJ8ZmN2KfjHiGSEw9v19CNtvFNLyfiTZZLO9M5n4dgainZZCs+vdKD7tSJf\nycwWiZ4ezOwLMIgxdbLYKVglbZsPcMVVPLTskmY8WiHUM6sy3HAbFQn20Rj7JGE6\nldR3NX80YtCMt8/d+xzBfxu4x8juxHCgZFGt3nUS0wIDAQABo38wfTAOBgNVHQ8B\nAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUrhuocqDlqIhr0gN5\nKsKPQ4q0vqcwHwYDVR0jBBgwFoAUrhuocqDlqIhr0gN5KsKPQ4q0vqcwGgYDVR0R\nBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBRno9NOaat\n8g1ma/6OxP1JUt1VRao4+t2GQTCJ697d2SmpHr8CYanMPog+QhDj/lderA/oS0V3\n2jruH9CyH0smFMIsLBZpnRIwdhTISbIXdU3Uvcd6nne/f7LiUUmqf8YS9SHxWPFq\nI72QvtPrsjYKCZwJsHZe071lYScjrjGnlUhhbrug2g6/ZMHJ7mndGE022zMn/XD/\njrrKE6fCDCjJ4PRrta7+G7BvsFHqMSQ+2/947TGohxW69cbNyDeiQVDQ5mpJUy2b\nnOCVVnq0nafSuvBTHCCLxjd7f+9TiB/B3qT8GA9V6LANDSdQ15MRIhpup/yosmqX\nl5goCY/j3bDh\n-----END CERTIFICATE-----",
-    "leader_client_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAp1ivqtTbW9h/ur9yk+KC0FyGoe8Zm+lsD0Nm5y5R1DSDigBd\nHJKFDyibOZk6Y7gDUYjeCrMcF49JiX7UhkLCBs8GTYIfsyGUwwg13CgQfojEWAc0\nGQ0roZvCcYvIovRLKbzyXLX6w8/r6WVLy5Y0q7kZw5scvKwPcJ7pBO3e6wM+LDRz\nGn8ovUSQyLZ1Ps+/FOxfXfuwSy5BzKWW0YS1FvrvG8UE/xeFBkAQbD67hLcSa3BY\nzBmLEHjlZCGPY1zPlTT7DxVyn0NKoHVCF6gY8EEjraMeV7TmTMbzlkqYsGAcTocQ\nZLxuIgelqeczt2AjRxEfqLYXr03StxvMr40idQIDAQABAoIBAHCOhhkw8hnklITX\nIAm34KSklylz2JW1eqkJfL0huogwigjYFciSBE0d0sn69fr8Wb8Nf8tSjSKLjbqd\nQ/TKEhbiSCr5yriBbb2AWDmr+OwisW1D6xaudRpN2Yrlqh1wkt2P6LPS8sehodtp\n9oEIloSqC1o1ii6czAXD3JckJzuJ66yoVyCo2oVC3NETujjJRhdRcNY0dYUGx47M\n+hQo7b4s79wlMFmccrgyJcKI7Ra3DtMrBIaVXm4WcjX2x4DduZX6L4mfG83uLWng\nhbvcEPKGamUErjPGYixKE5XOwgJT6Nzq/ZZJZpok6DbHBCtqvwwByWlfLzh8lc4o\nz+Pl5EECgYEA3pJXRM+SdVUCnWIpMFOAiNstOwz3nm0/c8GDdYYNq0ere1tKCVV0\nii+ujMQY8vEdRrp7fbqJEPJANyI6sM4Jc2nxMveFuBoEsEClZuE4KBFquW8CQU4R\nGNkzKF1W0GaTI5O4QDUag+lFG6TPCwZiejTIkt65o5bnSzGLgdC546sCgYEAwHr9\nlq9HytWkV9OLz0zbcAUEIrFAljnC32Mybsj8LzdSKIZ3wErf9Txh8zqZqMyhedxL\nOn17cpJAq5Vi71uXOaxnhkf7TPuRs8nBRRJfgyNHPXuXLkuWeuvXEe/PIC+nvOIX\nas0Ab0Pvx0fRGl4EkZ2pV9oDAEUezbVVZCoO8l8CgYEAp4p3YNfzwpj0d+5tXPBu\ngBakzJ+tQjewnP1dbLk1TuqLXjdQ2wfVyzOrbFEtCquPwy8bSICDLxt8VURR88eU\n+6kTJK+InBYR029GUtRUhmzd7qpugyQ14IOXa9ofQI8GUbCf8M1IoWWWXQHJzN3I\ngX98QHqiOU+d2k94WYb6dzMCgYA3E7p2oMdZShLRss3hzqtH/Zd2WeQSWIrjox3u\nR4Kp/Bl9UST5GDPHl7SrhcwsWgmmthusq/VkDmeE8aUyurGmJigla3mESMQjfwrX\nue8sti6PcEsNS0HPAKc1EbriCeDkkomC3RBPxk/ZZTp3YgnKpSOs6MxNCnpLAKVj\nmQlX3wKBgQCFYyYJdCKMoaoMrNjMM34sAfTqmZT4Hbxg9KM4OMDSxyvIi0ZaVcnB\nkzssvt0FOMucp4o7h8Iujt8xsgnBHwg81IV7WOw+ZwpUDAzgVc7+kCU6CLd2Q40j\n5uFnuRgiWeGm1aT4arNLWlJrDLSGbyrf59SlGJV1hmu/7SMaYIZHSQ==\n-----END RSA PRIVATE KEY-----"
-}
-```
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/storage/raft/join
-```
-
-**Note:** Unseal the joining node immediately after this API is invoked.
-
-## Read Raft Configuration
-
-This endpoint returns the details of all the nodes in the raft cluster.
-
-| Method                       | Path                           |
-| :--------------------------- | :----------------------------  |
-| `GET`                          | `/sys/storage/raft/configuration`  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    http://127.0.0.1:8200/v1/sys/storage/raft/configuration
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "ca4b5a1d-38d6-e27e-e756-269521328a15",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "config": {
-      "index": 24,
-      "servers": [
-        {
-          "address": "127.0.0.1:8201",
-          "leader": true,
-          "node_id": "raft1",
-          "protocol_version": "\u0003",
-          "voter": true
-        },
-        {
-          "address": "127.0.0.2:8201",
-          "leader": false,
-          "node_id": "raft2",
-          "protocol_version": "\u0003",
-          "voter": true
-        }
-      ]
-    }
-  },
-  "warnings": null
-}
-```
-
-## Remove a node from Raft cluster
-
-This endpoint removes a node from the raft cluster.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/storage/raft/remove-peer`    |
-
-### Sample Payload
-
-```json
-{
-  "server_id": "raft1"
-}
-```
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/storage/raft/remove-peer
-```
-
-## Take a snapshot of the Raft cluster
-
-This endpoint returns a snapshot of the current state of the raft cluster. The
-snapshot is returned as binary data and should be redirected to a file.
-
-| Method                       | Path                           |
-| :--------------------------- | :----------------------------  |
-| `GET`                          | `/sys/storage/raft/snapshot`  |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot > raft.snap
-```
-
-## Restore Raft using a snapshot
-
-Installs the provided snapshot, returning the cluster to the state defined in it.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/storage/raft/snapshot`    |
-
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    -- data-binary @raft.snap
-    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot
-```
-
-## Force Restore Raft using a snapshot
-
-Installs the provided snapshot, returning the cluster to the state defined in
-it. This is same as writing to `/sys/storage/raft/snapshot` except that this
-bypasses checks ensuring the Autounseal or shamir keys are consistent with the
-snapshot data.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/storage/raft/snapshot-force`    |
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data-binary @raft.snap
-    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-force
-```
diff --git a/website/source/api/system/tools.html.md b/website/source/api/system/tools.html.md
deleted file mode 100644
index 972b740472f1..000000000000
--- a/website/source/api/system/tools.html.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-layout: "api"
-page_title: "/sys/tools - HTTP API"
-sidebar_title: "<code>/sys/tools</code>"
-sidebar_current: "api-http-system-tools"
-description: |-
-  This is the API documentation for a general set of crypto  tools.
----
-
-# `/sys/tools`
-
-The `/sys/tools` endpoints are a general set of tools.
-
-## Generate Random Bytes
-
-This endpoint returns high-quality random bytes of the specified length.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/tools/random(/:bytes)`   |
-
-### Parameters
-
-- `bytes` `(int: 32)` – Specifies the number of bytes to return. This value can
-  be specified either in the request body, or as a part of the URL.
-
-- `format` `(string: "base64")` – Specifies the output encoding. Valid options
-  are `hex` or `base64`.
-
-### Sample Payload
-
-```json
-{
-  "format": "hex"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/tools/random/164
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "random_bytes": "dGhlIHF1aWNrIGJyb3duIGZveAo="
-  }
-}
-```
-
-## Hash Data
-
-This endpoint returns the cryptographic hash of given data using the specified
-algorithm.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/tools/hash(/:algorithm)` |
-
-### Parameters
-
-- `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
-  can also be specified as part of the URL. Currently-supported algorithms are:
-
-    - `sha2-224`
-    - `sha2-256`
-    - `sha2-384`
-    - `sha2-512`
-
-- `input` `(string: <required>)` – Specifies the **base64 encoded** input data.
-
-- `format` `(string: "hex")` – Specifies the output encoding. This can be either
-  `hex` or `base64`.
-
-### Sample Payload
-
-```json
-{
-  "input": "adba32=="
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/tools/hash/sha2-512
-```
-
-### Sample Response
-
-```json
-{
-  "data": {
-    "sum": "dGhlIHF1aWNrIGJyb3duIGZveAo="
-  }
-}
-```
-
diff --git a/website/source/api/system/unseal.html.md b/website/source/api/system/unseal.html.md
deleted file mode 100644
index 766bc3490bce..000000000000
--- a/website/source/api/system/unseal.html.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-layout: "api"
-page_title: "/sys/unseal - HTTP API"
-sidebar_title: "<code>/sys/unseal</code>"
-sidebar_current: "api-http-system-unseal"
-description: |-
-  The `/sys/unseal` endpoint is used to unseal the Vault.
----
-
-# `/sys/unseal`
-
-The `/sys/seal-unseal` endpoint is used to unseal the Vault.
-
-## Submit Unseal Key
-
-This endpoint is used to enter a single master key share to progress the
-unsealing of the Vault. If the threshold number of master key shares is reached,
-Vault will attempt to unseal the Vault. Otherwise, this API must be called
-multiple times until that threshold is met.
-
-Either the `key` or `reset` parameter must be provided; if both are provided,
-`reset` takes precedence.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `PUT`    | `/sys/unseal`                |
-
-### Parameters
-
-- `key` `(string: "")` – Specifies a single master key share. This is required
-  unless `reset` is true.
-
-- `reset` `(bool: false)` – Specifies if previously-provided unseal keys are
-  discarded and the unseal process is reset.
-
-- `migrate` `(bool: false)` - Available in 1.0 - Used to migrate the seal
-  from shamir to autoseal or autoseal to shamir.  Must be provided on all unseal
-  key calls.
-
-### Sample Payload
-
-```json
-{
-  "key": "abcd1234..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request PUT \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/unseal
-```
-
-### Sample Response
-
-The "t" parameter is the threshold, and "n" is the number of shares.
-
-```json
-{
-  "sealed": true,
-  "t": 3,
-  "n": 5,
-  "progress": 2,
-  "version": "0.6.2"
-}
-```
-
-Sample response when Vault is unsealed.
-
-```json
-{
-  "sealed": false,
-  "t": 3,
-  "n": 5,
-  "progress": 0,
-  "version": "0.6.2",
-  "cluster_name": "vault-cluster-d6ec3c7f",
-  "cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8"
-}
-```
diff --git a/website/source/api/system/wrapping-lookup.html.md b/website/source/api/system/wrapping-lookup.html.md
deleted file mode 100644
index 31c2aab5314b..000000000000
--- a/website/source/api/system/wrapping-lookup.html.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-layout: "api"
-page_title: "/sys/wrapping/lookup - HTTP API"
-sidebar_title: "<code>/sys/wrapping/lookup</code>"
-sidebar_current: "api-http-system-wrapping-lookup"
-description: |-
-  The `/sys/wrapping/lookup` endpoint returns wrapping token properties.
----
-
-# `/sys/wrapping/lookup`
-
-The `/sys/wrapping/lookup` endpoint returns wrapping token properties.
-
-## Wrapping Lookup
-
-This endpoint looks up wrapping properties for the given token.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/wrapping/lookup`       |
-
-### Parameters
-
-- `token` `(string: <required>)` – Specifies the wrapping token ID.
-
-### Sample Payload
-
-```json
-{
-  "token": "abcd1234"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/wrapping/lookup
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "481320f5-fdf8-885d-8050-65fa767fd19b",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": {
-    "creation_path": "sys/wrapping/wrap",
-    "creation_time": "2016-09-28T14:16:13.07103516-04:00",
-    "creation_ttl": 300
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
diff --git a/website/source/api/system/wrapping-rewrap.html.md b/website/source/api/system/wrapping-rewrap.html.md
deleted file mode 100644
index 33f9c289fd76..000000000000
--- a/website/source/api/system/wrapping-rewrap.html.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-layout: "api"
-page_title: "/sys/wrapping/rewrap - HTTP API"
-sidebar_title: "<code>/sys/wrapping/rewrap</code>"
-sidebar_current: "api-http-system-wrapping-rewrap"
-description: |-
-  The `/sys/wrapping/rewrap` endpoint can be used to rotate a wrapping token and refresh its TTL.
----
-
-# `/sys/wrapping/rewrap`
-
-The `/sys/wrapping/rewrap` endpoint can be used to rotate a wrapping token and
-refresh its TTL.
-
-## Wrapping Rewrap
-
-This endpoint rewraps a response-wrapped token. The new token will use the same
-creation TTL as the original token and contain the same response. The old token
-will be invalidated. This can be used for long-term storage of a secret in a
-response-wrapped token when rotation is a requirement.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/wrapping/rewrap`       |
-
-### Parameters
-
-- `token` `(string: <required>)` – Specifies the wrapping token ID.
-
-### Sample Payload
-
-```json
-{
-  "token": "abcd1234...",
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/wrapping/lookup
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": null,
-  "warnings": null,
-  "wrap_info": {
-    "token": "3b6f1193-0707-ac17-284d-e41032e74d1f",
-    "ttl": 300,
-    "creation_time": "2016-09-28T14:22:26.486186607-04:00",
-    "creation_path": "sys/wrapping/wrap"
-  }
-}
-```
diff --git a/website/source/api/system/wrapping-unwrap.html.md b/website/source/api/system/wrapping-unwrap.html.md
deleted file mode 100644
index cf71938ebd44..000000000000
--- a/website/source/api/system/wrapping-unwrap.html.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-layout: "api"
-page_title: "/sys/wrapping/unwrap - HTTP API"
-sidebar_title: "<code>/sys/wrapping/unwrap</code>"
-sidebar_current: "api-http-system-wrapping-unwrap"
-description: |-
-  The `/sys/wrapping/unwrap` endpoint unwraps a wrapped response.
----
-
-# `/sys/wrapping/unwrap`
-
-The `/sys/wrapping/unwrap` endpoint unwraps a wrapped response.
-
-## Wrapping Unwrap
-
-This endpoint returns the original response inside the given wrapping token.
-Unlike simply reading `cubbyhole/response` (which is deprecated), this endpoint
-provides additional validation checks on the token, returns the original value
-on the wire rather than a JSON string representation of it, and ensures that the
-response is properly audit-logged.
-
-This endpoint can be used by using a wrapping token as the client token in the
-API call, in which case the `token` parameter is not required; or, a different
-token with permissions to access this endpoint can make the call and pass in the
-wrapping token in the `token` parameter. Do _not_ use the wrapping token in both
-locations; this will cause the wrapping token to be revoked but the value to be
-unable to be looked up, as it will basically be a double-use of the token!
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/wrapping/unwrap`       |
-
-### Parameters
-
-- `token` `(string: "")` – Specifies the wrapping token ID. This is required if
-  the client token is not the wrapping token. Do not use the wrapping token in
-  both locations.
-
-### Sample Payload
-
-```json
-{
-  "token": "abcd1234..."
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/wrapping/unwrap
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "8e33c808-f86c-cff8-f30a-fbb3ac22c4a8",
-  "lease_id": "",
-  "lease_duration": 2592000,
-  "renewable": false,
-  "data": {
-    "zip": "zap"
-  },
-  "warnings": null
-}
-```
diff --git a/website/source/api/system/wrapping-wrap.html.md b/website/source/api/system/wrapping-wrap.html.md
deleted file mode 100644
index 3089f91592e9..000000000000
--- a/website/source/api/system/wrapping-wrap.html.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-layout: "api"
-page_title: "/sys/wrapping/wrap - HTTP API"
-sidebar_title: "<code>/sys/wrapping/wrap</code>"
-sidebar_current: "api-http-system-wrapping-wrap"
-description: |-
-  The `/sys/wrapping/wrap` endpoint wraps the given values in a
-  response-wrapped token.
----
-
-# `/sys/wrapping/wrap`
-
-The `/sys/wrapping/wrap` endpoint wraps the given values in a response-wrapped
-token.
-
-## Wrapping Wrap
-
-This endpoint wraps the given user-supplied data inside a response-wrapped
-token.
-
-| Method   | Path                         |
-| :--------------------------- | :--------------------- |
-| `POST`   | `/sys/wrapping/wrap`         |
-
-### Parameters
-
-- `:any` `(map<string|string>: nil)` – Parameters should be supplied as
-  keys/values in a JSON object. The exact set of given parameters will be
-  contained in the wrapped response.
-
-### Sample Payload
-
-```json
-{
-  "foo": "bar",
-  "zip": "zap"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --header "X-Vault-Wrap-TTL: 60" \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/wrapping/wrap
-```
-
-### Sample Response
-
-```json
-{
-  "request_id": "",
-  "lease_id": "",
-  "lease_duration": 0,
-  "renewable": false,
-  "data": null,
-  "warnings": null,
-  "wrap_info": {
-    "token": "fb79b9d3-d94e-9eb6-4919-c559311133d6",
-    "ttl": 300,
-    "creation_time": "2016-09-28T14:41:00.56961496-04:00",
-    "creation_path": "sys/wrapping/wrap",
-  }
-}
-```
diff --git a/website/source/community.html.erb b/website/source/community.html.erb
deleted file mode 100644
index d99e3dbcf5c6..000000000000
--- a/website/source/community.html.erb
+++ /dev/null
@@ -1,25 +0,0 @@
----
-layout: "inner"
-page_title: "Community"
-description: "Vault is an open source project with a growing community."
----
-
-<hashi-section-header
-  headline='Community'
-  description='Vault is an open source project with a growing community. There are active, dedicated users willing to help you through various mediums.'
-  use_h1=true
-></hashi-section-header>
-
-<hashi-vertical-text-block-list _data="<%= encode([
-  {
-    header: 'Discussion List',
-    body: '[Vault Community Forum](https://discuss.hashicorp.com/c/vault)'
-  }, {
-    header: 'Bug Tracker',
-    body: '[Issue tracker
-  	on GitHub](https://github.com/hashicorp/vault/issues) for reporting bugs. Use IRC or the mailing list for general help.'
-  }, {
-    header: 'Training',
-    body: '[Paid HashiCorp](https://www.hashicorp.com/training.html) training courses are available in a city near you. Private training courses are also available.'
-  }
-]) %>"></hashi-vertical-text-block-list>
diff --git a/website/source/docs/agent/autoauth/index.html.md b/website/source/docs/agent/autoauth/index.html.md
deleted file mode 100644
index 75f0011b7b7f..000000000000
--- a/website/source/docs/agent/autoauth/index.html.md
+++ /dev/null
@@ -1,168 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth"
-sidebar_title: "Auto-Auth"
-sidebar_current: "docs-agent-autoauth"
-description: |-
-  Vault Agent's Auto-Auth functionality allows easy and automatic
-  authentication to Vault in a variety of environments.
----
-
-# Vault Agent Auto-Auth
-
-The Auto-Auth functionality of Vault Agent allows for easy authentication in a
-wide variety of environments.
-
-## Functionality
-
-Auto-Auth consists of two parts: a Method, which is the authentication method
-that should be used in the current environment; and one or more Sinks, which
-are locations where the agent should write a token any time the current token
-value has changed.
-
-When the agent is started with Auto-Auth enabled, it will attempt to acquire a
-Vault token using the configured Method. On failure, it will back off for a
-short while (including some randomness to help prevent thundering herd
-scenarios) and retry. On success, unless the auth method is configured to wrap
-the tokens, it will keep the resulting token renewed until renewal is no longer
-allowed or fails, at which point it will attempt to reauthenticate.
-
-Every time an authentication is successful, the token is written to the
-configured Sinks, subject to their configuration.
-
-## Advanced Functionality
-
-Sinks support some advanced features, including the ability for the written
-values to be encrypted or
-[response-wrapped](/docs/concepts/response-wrapping.html).
-
-Both mechanisms can be used concurrently; in this case, the value will be
-response-wrapped, then encrypted.
-
-### Response-Wrapping Tokens
-
-There are two ways that tokens can be response-wrapped by the agent:
-
-1. By the auth method. This allows the end client to introspect the
-   `creation_path` of the token, helping prevent Man-In-The-Middle (MITM)
-   attacks. However, because the agent cannot then unwrap the token and rewrap
-   it without modifying the `creation_path`, the agent is not able to renew the
-   token; it is up to the end client to renew the token. The agent stays
-   daemonized in this mode since some auth methods allow for reauthentication
-   on certain events.
-
-2. By any of the token sinks. Because more than one sink can be configured, the
-   token must be wrapped after it is fetched, rather than wrapped by Vault as
-   it's being returned. As a result, the `creation_path` will always be
-   `sys/wrapping/wrap`, and validation of this field cannot be used as
-   protection against MITM attacks. However, this mode allows the agent to keep
-   the token renewed for the end client and automatically reauthenticate when
-   it expires.
-
-### Encrypting Tokens
-
- ~> This is experimental; if input/output formats change we will make every
- effort to provide backwards compatibility.
-
-Tokens can be encrypted, using a Diffie-Hellman exchange to generate an
-ephemeral key. In this mechanism, the client receiving the token writes a
-generated public key to a file. The sink responsible for writing the token to
-that client looks for this public key and uses it to compute a shared secret
-key, which is then used to encrypt the token via AES-GCM. The nonce, encrypted
-payload, and the sink's public key are then written to the output file, where
-the client can compute the shared secret and decrypt the token value.
-
-~> NOTE: This is not a protection against MITM attacks! The purpose of this
-feature is for forward-secrecy and coverage against bare token values being
-persisted. A MITM that can write to the sink's output and/or client public-key
-input files could attack this exchange.
-
-To help mitigate MITM attacks, additional authenticated data (AAD) can be
-provided to the agent. This data is written as part of the AES-GCM tag and must
-match on both the agent and the client. This of course means that protecting
-this AAD becomes important, but it provides another layer for an attacker to
-have to overcome. For instance, if the attacker has access to the file system
-where the token is being written, but not to read agent configuration or read
-environment variables, this AAD can be generated and passed to the agent and
-the client in ways that would be difficult for the attacker to find.
-
-When using AAD, it is always a good idea for this to be as fresh as possible;
-generate a value and pass it to your client and agent on startup. Additionally,
-agent uses a Trust On First Use model; after it finds a generated public key,
-it will reuse that public key instead of looking for new values that have been
-written.
-
-If writing a client that uses this feature, it will likely be helpful to look
-at the
-[dhutil](https://github.com/hashicorp/vault/blob/master/helper/dhutil/dhutil.go)
-library. This shows the expected format of the public key input and envelope
-output formats.
-
-## Configuration
-
-The top level `auto_auth` block has two configuration entries:
-
-- `method` `(object: required)` - Configuration for the method
-
-- `sinks` `(array of objects: required)` - Configuration for the sinks
-
-### Configuration (Method)
-
-These are common configuration values that live within the `method` block:
-
-- `type` `(string: required)` - The type of the method to use, e.g. `aws`,
-  `gcp`, `azure`, etc. *Note*: when using HCL this can be used as the key for
-  the block, e.g. `method "aws" {...}`.
-
-- `mount_path` `(string: optional)` - The mount path of the method. If not
-  specified, defaults to a value of `auth/<method type>`.
-  
-- `namespace` `(string: optional)` - The default namespace path for the mount.
-  If not specified, defaults to the root namespace. 
-
-- `wrap_ttl` `(string or integer: optional)` - If specified, the written token
-  will be response-wrapped by the agent. This is more secure than wrapping by
-  sinks, but does not allow the agent to keep the token renewed or
-  automatically reauthenticate when it expires. Rather than a simple string,
-  the written value will be a JSON-encoded
-  [SecretWrapInfo](https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo)
-  structure. Values can be an integer number of seconds or a stringish value
-  like `5m`.
-
-- `config` `(object: required)` - Configuration of the method itself. See the
-  sidebar for information about each method.
-
-### Configuration (Sinks)
-
-These configuration values are common to all Sinks:
-
-- `type` `(string: required)` - The type of the method to use, e.g. `file`.
-  *Note*: when using HCL this can be used as the key for the block, e.g. `sink
-  "file" {...}`.
-
-- `wrap_ttl` `(string or integer: optional)` - If specified, the written token
-  will be response-wrapped by the sink. This is less secure than wrapping by
-  the method, but allows the agent to keep the token renewed and automatically
-  reauthenticate when it expires. Rather than a simple string, the written
-  value will be a JSON-encoded
-  [SecretWrapInfo](https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo)
-  structure. Values can be an integer number of seconds or a stringish value
-  like `5m`.
-
-- `dh_type` `(string: optional)` - If specified, the type of Diffie-Hellman exchange to
-  perform, meaning, which ciphers and/or curves. Currently only `curve25519` is
-  supported.
-
-- `dh_path` `(string: required if dh_type is set)` - The path from which the
-  agent should read the client's initial parameters (e.g. curve25519 public
-  key).
-
-- `aad` `(string: optional)` - If specified, additional authenticated data to
-  use with the AES-GCM encryption of the token. Can be any string, including
-  serialized data.
-
-- `aad_env_var` `(string: optional)` - If specified, AAD will be read from the
-  given environment variable rather than a value in the configuration file.
-
-- `config` `(object: required)` - Configuration of the sink itself. See the
-  sidebar for information about each sink.
diff --git a/website/source/docs/agent/autoauth/methods/alicloud.html.md b/website/source/docs/agent/autoauth/methods/alicloud.html.md
deleted file mode 100644
index 932fbe85a8af..000000000000
--- a/website/source/docs/agent/autoauth/methods/alicloud.html.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth AliCloud Method"
-sidebar_title: "AliCloud"
-sidebar_current: "docs-agent-autoauth-methods-alicloud"
-description: |-
-  AliCloud Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth AliCloud Method
-
-The `alicloud` method performs authentication against the [AliCloud Auth
-method](https://www.vaultproject.io/docs/auth/alicloud.html).
-
-## Credentials
-
-The Vault agent will use the first credential it can successfully obtain in the following order:
-
-1. [Environment variables](https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/auth/credentials/providers/env.go)
-2. A static credential configuration
-3. Instance metadata (recommended)
-
-Wherever possible, we recommend using instance metadata for credentials. These rotate every hour
-and require no effort on your part to provision, making instance metadata the most secure of the three methods. If
-using instance metadata _and_ a custom `credential_poll_interval`, be sure the frequency is set for
-less than an hour, because instance metadata credentials expire every hour.
-
-Environment variables are given first precedence to provide the ability to quickly override your
-configuration.
-
-## Configuration
-
-### General
-
-- `role` `(string: required)` - The role to authenticate against on Vault.
-
-- `region` `(string: required)` - The AliCloud region in which the Vault agent resides. Example: "us-west-1".
-
-- `credential_poll_interval` `(integer: optional)` - In seconds, how frequently the Vault agent should check for new credentials.
-
-### Optional Static Credential Configuration (Not Preferred)
-
-If instance metadata is not available, you may provide credential information through the parameters below.
-
-- `access_key` `(string: optional)` - The access key to use.
-
-- `secret_key` `(string: optional)` - The secret key to use.
-
-- `access_token` `(string: optional)` - The access token to use.
-
-- `role_arn` `(string: optional)` - The role ARN to use.
-
-- `role_session_name` `(string: optional)` - The role session name to use.
-
-- `role_session_expiration` `(string: optional)` - The role session expiration to use.
-
-- `private_key` `(string: optional)` - The private key to use.
-
-- `public_key_id` `(string: optional)` - The public key ID to use.
-
-- `session_expiration` `(string: optional)` - The session expiration to use.
-
-- `role_name` `(string: optional)` - The role name to use.
diff --git a/website/source/docs/agent/autoauth/methods/approle.html.md b/website/source/docs/agent/autoauth/methods/approle.html.md
deleted file mode 100644
index 3cfeb6a7c982..000000000000
--- a/website/source/docs/agent/autoauth/methods/approle.html.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth AppRole Method"
-sidebar_title: "AppRole"
-sidebar_current: "docs-agent-autoauth-methods-approle"
-description: |-
-  AppRole Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth AppRole Method
-
-The `approle` method reads in a role ID and a secret ID from files and sends
-the values to the [AppRole Auth
-method](https://www.vaultproject.io/docs/auth/approle.html).
-
-The method caches values and it is safe to delete the role ID/secret ID files
-after they have been read. In fact, by default, after reading the secret ID,
-the agent will delete the file. New files or values written at the expected
-locations will be used on next authentication and the new values will be
-cached.
-
-## Configuration
-
-* `role_id_file_path` `(string: required)` - The path to the file with role ID
-
-* `secret_id_file_path` `(string: optional)` - The path to the file with secret
-  ID.
-  If not set, only the `role-id` will be used. \
-  In that case, the AppRole should have `bind_secret_id` set to `false` otherwise Vault Agent wouldn't be able to login.
-
-* `remove_secret_id_file_after_reading` `(bool: optional, defaults to true)` -
-  This can be set to `false` to disable the default behavior of removing the
-  secret ID file after it's been read.
-
-* `secret_id_response_wrapping_path` `(string: optional)` - If set, the value
-  at `secret_id_file_path` will be expected to be a [Response-Wrapping
-  Token](https://www.vaultproject.io/docs/concepts/response-wrapping.html)
-  containing the output of the secret ID retrieval endpoint for the role (e.g.
-  `auth/approle/role/webservers/secret-id`) and the creation path for the
-  response-wrapping token must match the value set here.
diff --git a/website/source/docs/agent/autoauth/methods/aws.html.md b/website/source/docs/agent/autoauth/methods/aws.html.md
deleted file mode 100644
index 3e75c08ad30a..000000000000
--- a/website/source/docs/agent/autoauth/methods/aws.html.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth AWS Method"
-sidebar_title: "AWS"
-sidebar_current: "docs-agent-autoauth-methods-aws"
-description: |-
-  AWS Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth AWS Method
-
-The `aws` method performs authentication against the [AWS Auth
-method](https://www.vaultproject.io/docs/auth/aws.html). Both `ec2` and `iam`
-authentication types are supported. If `ec2` is used, the agent will store the
-reauthentication value in memory and use it for reauthenticating, but will not
-persist it to disk.
-
-Due to the complexity of the Trust On First Use (TOFU) model used in the `ec2`
-method, we recommend the `iam` method when possible.
-
-## Credentials
-
-Vault will use the AWS SDK's normal credential chain behavior, which means it
-will use the first valid credentials it finds in the following order:
-
-1. A static credential configuration
-2. Environment variables
-3. A file containing credentials
-4. From any identity services available in its physical environment like container environment variables or role-based instance metadata
-
-Wherever possible, we recommend using identity services (method 4) for credentials.
-These rotate regularly and require no effort on your part to provision, making
-identity services the most secure of the four methods. If using identity services _and_ a custom
-`credential_poll_interval`, be sure the frequency is set low enough to pick up new credentials
-from the physical environment as they become available.
-
-To use identity services, choose the `iam` type and leave the `access_key`, `secret_key`, and `session_token`
-parameters unset in your configuration.
-
-## Configuration
-
-- `type` `(string: required)` - The type of authentication; must be `ec2` or `iam`.
-
-- `role` `(string: required)` - The role to authenticate against on Vault.
-
-- `credential_poll_interval` `(integer: optional)` - In seconds, how frequently the Vault agent should check for new credentials if using the iam type.
-
-- `access_key` `(string: optional)` - When using static credentials, the access key to use.
-
-- `secret_key` `(string: optional)` - When using static credentials, the secret key to use.
-
-- `region` `(string: "us-east-1")` - The region to use for signing the authentication request. The
-   region Agent uses should match that corresponding to
-   [`sts_endpoint`](https://www.vaultproject.io/api/auth/aws/index.html#sts_endpoint),
-   if a custom endpoint has been configured on the Vault server.
-
-- `session_token` `(string: optional)` - The session token to use for authentication, if needed.
-
-- `header_value` `(string: optional)` - If configured in Vault, the value to use for
-  [`iam_server_id_header_value`](https://www.vaultproject.io/api/auth/aws/index.html#iam_server_id_header_value).
-
-## Learn
-
-Refer to the [Vault Agent with
-AWS](https://learn.hashicorp.com/vault/identity-access-management/vault-agent-aws)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/agent/autoauth/methods/azure.html.md b/website/source/docs/agent/autoauth/methods/azure.html.md
deleted file mode 100644
index fd3ea434ba70..000000000000
--- a/website/source/docs/agent/autoauth/methods/azure.html.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth Azure Method"
-sidebar_title: "Azure"
-sidebar_current: "docs-agent-autoauth-methods-azure"
-description: |-
-  Azure Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth Azure Method 
-
-The `azure` method reads in Azure instance credentials and uses them to
-authenticate with the [Azure Auth
-method](https://www.vaultproject.io/docs/auth/azure.html). It reads most
-parameters needed for authentication directly from instance information based
-on the value of the `resource` parameter.
-
-## Configuration
-
-- `role` `(string: required)` - The role to authenticate against on Vault
-
-- `resource` `(string: required)` - The resource name to use when getting instance information
diff --git a/website/source/docs/agent/autoauth/methods/cert.html.md b/website/source/docs/agent/autoauth/methods/cert.html.md
deleted file mode 100644
index 379d284e2de3..000000000000
--- a/website/source/docs/agent/autoauth/methods/cert.html.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth Cert Method"
-sidebar_title: "Cert"
-sidebar_current: "docs-agent-autoauth-methods-cert"
-description: |-
-  Cert Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth Cert Method
-
-The `cert` method uses the configured TLS certificates from the `vault` stanza of
-the agent configuration and takes an optional `name` parameter. There is no option
-to use certificates which differ from those used in the `vault` stanza.
-
-See TLS settings in the [`vault` Stanza](https://vaultproject.io/docs/agent/index.html#vault-stanza)
-
-## Configuration
-
-* `name` `(string: optional)` - The trusted certificate role which should be used
-  when authenticating with TLS. If a `name` is not specified, the auth method will
-  try to authenticate against [all trusted certificates](https://www.vaultproject.io/docs/auth/cert.html#authentication).
diff --git a/website/source/docs/agent/autoauth/methods/cf.html.md b/website/source/docs/agent/autoauth/methods/cf.html.md
deleted file mode 100644
index 7c54274c22a4..000000000000
--- a/website/source/docs/agent/autoauth/methods/cf.html.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth CF Method"
-sidebar_title: "CF"
-sidebar_current: "docs-agent-autoauth-methods-cf"
-description: |-
-  CF Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth CF Method
-
-The `cf` method performs authentication against the [CF Auth 
-method] (https://www.vaultproject.io/docs/auth/cf.html).
-
-## Credentials
-
-The Vault agent will use the `CF_INSTANCE_CERT` and `CF_INSTANCE_KEY` env variables to
-construct a valid login call for CF.
-
-## Configuration
-
-- `role` `(string: required)` - The role to authenticate against on Vault.
diff --git a/website/source/docs/agent/autoauth/methods/gcp.html.md b/website/source/docs/agent/autoauth/methods/gcp.html.md
deleted file mode 100644
index 1511f0b76979..000000000000
--- a/website/source/docs/agent/autoauth/methods/gcp.html.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth GCP Method"
-sidebar_title: "GCP"
-sidebar_current: "docs-agent-autoauth-methods-gcp"
-description: |-
-  GCP Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth GCP Method 
-
-The `gcp` method performs authentication against the [GCP Auth
-method](https://www.vaultproject.io/docs/auth/gcp.html). Both `gce` and `iam`
-authentication types are supported.
-
-## Credentials
-
-Vault will use the GCP SDK's normal credential chain behavior. You can set a
-static `credentials` value but it is usually not needed. If running on GCE
-using Application Default Credentials, you may need to specify the service
-account and project since ADC does not provide metadata used to automatically
-determine these.
-
-## Configuration
-
-- `type` `(string: required)` - The type of authentication; must be `gce` or `iam`
-
-- `role` `(string: required)` - The role to authenticate against on Vault
-
-- `credentials` `(string: optional)` - When using static credentials, the
-  contents of the JSON credentials file
-
-- `service_account` `(string: optional)` - The service account to use, if it
-  cannot be automatically determined
-
-- `project` `(string: optional)` - The project to use, if it cannot be
-  automatically determined
-
-- `jwt_exp` `(string or int: optional)` - The number of minutes a generated JWT
-  should be valid for when using the `iam` method; defaults to 15 minutes
diff --git a/website/source/docs/agent/autoauth/methods/index.html.md b/website/source/docs/agent/autoauth/methods/index.html.md
deleted file mode 100644
index 140ce020a90d..000000000000
--- a/website/source/docs/agent/autoauth/methods/index.html.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth Methods"
-sidebar_title: "Methods"
-sidebar_current: "docs-agent-autoauth-methods"
-description: |-
-  Methods for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth Methods
-
-Please see the sidebar for available methods and their usage/configuration.
diff --git a/website/source/docs/agent/autoauth/methods/jwt.html.md b/website/source/docs/agent/autoauth/methods/jwt.html.md
deleted file mode 100644
index 4400996636fd..000000000000
--- a/website/source/docs/agent/autoauth/methods/jwt.html.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth JWT Method"
-sidebar_title: "JWT"
-sidebar_current: "docs-agent-autoauth-methods-jwt"
-description: |-
-  JWT Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth JWT Method
-
-The `jwt` method reads in a JWT from a file and sends it to the [JWT Auth
-method](https://www.vaultproject.io/docs/auth/jwt.html). Since JWTs often have
-limited lifetime, it constantly watches for a new JWT to be written, and when
-found it will immediately ingress this value, delete the file, and use the new
-JWT to perform a reauthentication.
-
-## Configuration
-
-* `path` `(string: required)` - The path to the JWT file
-
-* `role` `(string: required)` - The role to authenticate against on Vault
diff --git a/website/source/docs/agent/autoauth/methods/kubernetes.html.md b/website/source/docs/agent/autoauth/methods/kubernetes.html.md
deleted file mode 100644
index 4907d751c54f..000000000000
--- a/website/source/docs/agent/autoauth/methods/kubernetes.html.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth Kubernetes Method"
-sidebar_title: "Kubernetes"
-sidebar_current: "docs-agent-autoauth-methods-kubernetes"
-description: |-
-  Kubernetes Method for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth Kubernetes Method
-
-The `kubernetes` method reads in a Kubernetes service account token from the
-running pod (via `/var/run/secrets/kubernetes.io/serviceaccount/token`) and
-sends it to the [Kubernetes Auth
-method](https://www.vaultproject.io/docs/auth/kubernetes.html).
-
-## Configuration
-
-- `role` `(string: required)` - The role to authenticate against on Vault
-- `token_path` `(string: optional)` - The file path to a custom JWT token to use
-for authentication. If omitted, the default service account token path is used.
-
-## Learn
-
-Refer to the [Vault Agent with
-Kubernetes](https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/agent/autoauth/sinks/file.html.md b/website/source/docs/agent/autoauth/sinks/file.html.md
deleted file mode 100644
index 22a8a505a75d..000000000000
--- a/website/source/docs/agent/autoauth/sinks/file.html.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth File Sink"
-sidebar_title: "File"
-sidebar_current: "docs-agent-autoauth-sinks-file"
-description: |-
-  File sink for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth File Sink 
-
-The `file` sink writes tokens, optionally response-wrapped and/or encrypted, to
-a file. This may be a local file or a file mapped via some other process (NFS,
-Gluster, CIFS, etc.).
-
-Once the sink writes the file, it is up to the client to control lifecycle;
-generally it is best for the client to remove the file as soon as it is seen.
-
-It is also best practice to write the file to a ramdisk, ideally an encrypted
-ramdisk, and use appropriate filesystem permissions. The file is currently
-written with `0640` permissions as default, but can be overridden with the optional
-'mode' setting.
-
-## Configuration
-
-- `path` `(string: required)` - The path to use to write the token file
-- `mode` `(int: optional)` - A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to "0000" to prevent Vault from modifying the file mode
diff --git a/website/source/docs/agent/autoauth/sinks/index.html.md b/website/source/docs/agent/autoauth/sinks/index.html.md
deleted file mode 100644
index f0058fbcb0dc..000000000000
--- a/website/source/docs/agent/autoauth/sinks/index.html.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Auto-Auth Sinks"
-sidebar_title: "Sinks"
-sidebar_current: "docs-agent-autoauth-sinks"
-description: |-
-  Sinks for Vault Agent Auto-Auth
----
-
-# Vault Agent Auto-Auth Sinks 
-
-Please see the sidebar for available sinks and their usage/configuration.
diff --git a/website/source/docs/agent/caching/index.html.md b/website/source/docs/agent/caching/index.html.md
deleted file mode 100644
index ab3a99e1e44c..000000000000
--- a/website/source/docs/agent/caching/index.html.md
+++ /dev/null
@@ -1,240 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Caching"
-sidebar_title: "Caching"
-sidebar_current: "docs-agent-caching"
-description: |-
-  Vault Agent Caching allows client-side caching of responses containing newly
-  created tokens and responses containing leased secrets generated off of these
-  newly created tokens.
----
-
-# Vault Agent Caching
-
-Vault Agent Caching allows client-side caching of responses containing newly
-created tokens and responses containing leased secrets generated off of these
-newly created tokens. The renewals of the cached tokens and leases are also
-managed by the agent.
-
--> **Note:** Vault Agent Caching works best with servers/clusters that are
-running on Vault 1.1 and above due to changes that were introduced
-alongside this feature, such as the exposure of the `orphan` field in token
-creation responses.
-
-## Caching and Renewals
-
-Response caching and renewals are managed by the agent only under these
-specific scenarios.
-
-1. Token creation requests are made through the agent. This means that any
-   login operations performed using various auth methods and invoking the token
-   creation endpoints of the token auth method via the agent will result in the
-   response getting cached by the agent. Responses containing new tokens will
-   be cached by the agent only if the parent token is already being managed by
-   the agent or if the new token is an orphan token.
-
-2. Leased secret creation requests are made through the agent using tokens that
-   are already managed by the agent. This means that any dynamic credentials
-   that are issued using the tokens managed by the agent, will be cached and
-   its renewals are taken care of.
-
-## Using Auto-Auth Token
-
-Vault Agent allows for easy authentication to Vault in a wide variety of
-environments using [Auto-Auth](/docs/agent/autoauth/index.html). By setting the
-`use_auto_auth_token` (see below) configuration, clients will not be required
-to provide a Vault token to the requests made to the agent. When this
-configuration is set, if the request doesn't already bear a token, then the
-auto-auth token will be used to forward the request to the Vault server. This
-configuration will be overridden if the request already has a token attached,
-in which case, the token present in the request will be used to forward the
-request to the Vault server.
-
-## Cache Evictions
-
-The eviction of cache entries pertaining to secrets will occur when the agent
-can no longer renew them. This can happen when the secrets hit their maximum
-TTL or if the renewals result in errors.
-
-Agent does some best-effort cache evictions by observing specific request types
-and response codes. For example, if a token revocation request is made via the
-agent and if the forwarded request to the Vault server succeeds, then agent
-evicts all the cache entries associated with the revoked token. Similarly, any
-lease revocation operation will also be intercepted by the agent and the
-respective cache entries will be evicted.
-
-Note that while agent evicts the cache entries upon secret expirations and upon
-intercepting revocation requests, it is still possible for the agent to be
-completely unaware of the revocations that happen through direct client
-interactions with the Vault server. This could potentially lead to stale cache
-entries. For managing the stale entries in the cache, an endpoint
-`/agent/v1/cache-clear`(see below) is made available to manually evict cache
-entries based on some of the query criteria used for indexing the cache entries.
-
-## Request Uniqueness
-
-In order to detect repeat requests and return cached responses, agent will need
-to have a way to uniquely identify the requests. This computation as it stands
-today takes a simplistic approach (may change in future) of serializing and
-hashing the HTTP request along with all the headers and the request body. This
-hash value is then used as an index into the cache to check if the response is
-readily available. The consequence of this approach is that the hash value for
-any request will differ if any data in the request is modified. This has the
-side-effect of resulting in false negatives if say, the ordering of the request
-parameters are modified. As long as the requests come in without any change,
-caching behavior should be consistent. Identical requests with differently
-ordered request values will result in duplicated cache entries. A heuristic
-assumption that the clients will use consistent mechanisms to make requests,
-thereby resulting in consistent hash values per request is the idea upon which
-the caching functionality is built upon.
-
-## Renewal Management
-
-The tokens and leases are renewed by the agent using the secret renewer that is
-made available via the Vault server's [Go
-API](https://godoc.org/github.com/hashicorp/vault/api#Renewer). Agent performs
-all operations in memory and does not persist anything to storage. This means
-that when the agent is shut down, all the renewal operations are immediately
-terminated and there is no way for agent to resume renewals after the fact.
-Note that shutting down the agent does not indicate revocations of the secrets,
-instead it only means that renewal responsibility for all the valid unrevoked
-secrets are no longer performed by the Vault agent.
-
-### Agent CLI
-
-Agent's listener address will be picked up by the CLI through the
-`VAULT_AGENT_ADDR` environment variable. This should be a complete URL such as
-"http://127.0.0.1:8200".
-
-## API
-
-### Cache Clear
-
-This endpoint clears the cache based on given criteria. To use this
-API, some information on how the agent caches values should be known
-beforehand. Each response that is cached in the agent will be indexed on some
-factors depending on the type of request. Those factors can be the `token` that
-is belonging to the cached response, the `token_accessor` of the token
-belonging to the cached response, the `request_path` that resulted in the
-cached response, the `lease` that is attached to the cached response, the
-`namespace` to which the cached response belongs to, and a few more. This API
-exposes some factors through which associated cache entries are fetched and
-evicted.
-
-| Method   | Path                         | Produces               |
-| :------- | :--------------------------- | :--------------------- |
-| `POST`   | `/agent/v1/cache-clear`      | `200 application/json` |
-
-#### Parameters
-
-- `type` `(strings: required)` - The type of cache entries to evict. Valid
-  values are `request_path`, `lease`, `token`, `token_accessor`, and `all`.
-  If the `type` is set to `all`, the _entire cache_ is cleared.
-
-- `value` `(string: required)` - An exact value or the prefix of the value for
-  the `type` selected. This parameter is optional when the `type` is set
-  to `all`.
-
-- `namespace` `(string: optional)` - This is only applicable when the `type` is set to
-  `request_path`. The namespace of which the cache entries to be evicted for
-  the given request path.
-
-### Sample Payload
-
-```json
-{
-  "type": "token",
-  "value": "s.rlNjegSKykWcplOkwsjd8bP9"
-}
-```
-
-### Sample Request
-
-```
-$ curl \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:1234/agent/v1/cache-clear
-```
-
-## Configuration (`cache`)
-
-The top level `cache` block has the following configuration entries:
-
-- `use_auto_auth_token (bool: false)` - If set, the requests made to agent
-  without a Vault token will be forwarded to the Vault server with the
-  auto-auth token attached. If the requests already bear a token, this
-  configuration will be overridden and the token in the request will be used to
-  forward the request to the Vault server.
-
-## Configuration (`listener`)
-
-- `listener` `(array of objects: required)` - Configuration for the listeners.
-
-There can be one or more `listener` blocks at the top level.
-These configuration values are common to all `listener` blocks.
-
-- `type` `(string: required)` - The type of the listener to use. Valid values
-  are `tcp` and `unix`.
-  *Note*: when using HCL this can be used as the key for the block, e.g.
-  `listener "tcp" {...}`.
-
-- `address` `(string: required)` - The address for the listener to listen to.
-  This can either be a URL path when using `tcp` or a file path when using
-  `unix`. For example, `127.0.0.1:8200` or `/path/to/socket`. Defaults to
-  `127.0.0.1:8200`.
-
-- `tls_disable` `(bool: false)` - Specifies if TLS will be disabled.
-
-- `tls_key_file` `(string: optional)` - Specifies the path to the private key
-  for the certificate.
-
-- `tls_cert_file` `(string: optional)` - Specifies the path to the certificate
-  for TLS.
-
-### Example Configuration
-
-An example configuration, with very contrived values, follows:
-
-```javascript
-auto_auth {
-  method {
-    type = "aws"
-    wrap_ttl = 300
-    config = {
-      role = "foobar"
-    }
-  }
-
-  sink {
-    type = "file"
-    config = {
-      path = "/tmp/file-foo"
-    }
-  }
-}
-
-cache {
-  use_auto_auth_token = true
-}
-
-listener "unix" {
-  address = "/path/to/socket"
-  tls_disable = true
-}
-
-listener "tcp" {
-  address = "127.0.0.1:8200"
-  tls_disable = true
-}
-
-vault {
-  address = "http://127.0.0.1:8200"
-}
-```
-
-## Learn
-
-Refer to the [Vault Agent
-Caching](https://learn.hashicorp.com/vault/identity-access-management/agent-caching)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/agent/index.html.md b/website/source/docs/agent/index.html.md
deleted file mode 100644
index f63d9cedb5ff..000000000000
--- a/website/source/docs/agent/index.html.md
+++ /dev/null
@@ -1,176 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent"
-sidebar_title: "Vault Agent"
-sidebar_current: "docs-agent"
-description: |-
-  Vault Agent is a client-side daemon that can be used to perform some Vault
-  functionality automatically.
----
-
-# Vault Agent
-
-Vault Agent is a client daemon that provides the following features:
-
-- <tt>[Auto-Auth][autoauth]</tt> - Automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.
-- <tt>[Caching][caching]</tt> - Allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens.
-- <tt>[Templating][template]</tt> - Allows rendering of user supplied templates by Vault Agent, using the token generated by the Auto-Auth step. 
-To get help, run:
-
-```text
-$ vault agent -h
-```
-
-## Auto-Auth
-
-Vault Agent allows for easy authentication to Vault in a wide variety of
-environments. Please see the [Auto-Auth docs][autoauth]
-for information.
-
-Auto-Auth functionality takes place within an `auto_auth` configuration stanza.
-
-## Caching
-
-Vault Agent allows client-side caching of responses containing newly created tokens
-and responses containing leased secrets generated off of these newly created tokens.
-Please see the [Caching docs][caching] for information.
-
-## Configuration
-
-These are the currently-available general configuration option:
-
-- `vault` <tt>([vault][vault]: \<optional\>)</tt> - Specifies the remote Vault server the Agent connects to.
-
-- `auto_auth` <tt>([auto_auth][autoauth]: \<optional\>)</tt> - Specifies the method and other options used for Auto-Auth functionality.
-
-- `cache` <tt>([cache][caching]: \<optional\>)</tt> - Specifies options used for Caching functionality.
-
-- `listener` <tt>([listener][listener]: \<optional\>)</tt> - Specifies the addresses and ports on which the Agent will respond to requests.
-
-- `pid_file` `(string: "")` - Path to the file in which the agent's Process ID
-  (PID) should be stored
-
-- `exit_after_auth` `(bool: false)` - If set to `true`, the agent will exit
-  with code `0` after a single successful auth, where success means that a
-  token was retrieved and all sinks successfully wrote it
-
-- `template` <tt>([template][template`]: \<optional\>)</tt> - Specifies options used for templating Vault secrets to files.
-
-### vault Stanza
-
-There can at most be one top level `vault` block and it has the following
-configuration entries:
-
-- `address (string: optional)` - The address of the Vault server. This should
-  be a complete URL such as `https://127.0.0.1:8200`. This value can be
-  overridden by setting the `VAULT_ADDR` environment variable.
-
-- `ca_cert (string: optional)` - Path on the local disk to a single PEM-encoded
-  CA certificate to verify the Vault server's SSL certificate. This value can
-  be overridden by setting the `VAULT_CACERT` environment variable.
-
-- `ca_path (string: optional)` - Path on the local disk to a directory of
-  PEM-encoded CA certificates to verify the Vault server's SSL certificate.
-  This value can be overridden by setting the `VAULT_CAPATH` environment
-  variable.
-
-- `client_cert (string: option)` - Path on the local disk to a single
-  PEM-encoded CA certificate to use for TLS authentication to the Vault server.
-  This value can be overridden by setting the `VAULT_CLIENT_CERT` environment
-  variable.
-
-- `client_key (string: option)` - Path on the local disk to a single
-  PEM-encoded private key matching the client certificate from `client_cert`.
-  This value can be overridden by setting the `VAULT_CLIENT_KEY` environment
-  variable.
-
-- `tls_skip_verify (string: optional)` - Disable verification of TLS
-  certificates. Using this option is highly discouraged as it decreases the
-  security of data transmissions to and from the Vault server. This value can
-  be overridden by setting the `VAULT_SKIP_VERIFY` environment variable.
-
-- `tls_server_name (string: optional)` - Name to use as the SNI host when
-  connecting via TLS. This value can be overridden by setting the
-  `VAULT_TLS_SERVER_NAME` environment variable.
-
-### listener Stanza
-
-Agent supports one or more [listener][listener_main] stanzas.  In addition to
-the standard listener configuration, an Agent's listener configuration also
-supports an additional optional entry:
-
-- `require_request_header (bool: false)` - Require that all incoming HTTP
-  requests on this listener must have an `X-Vault-Request: true` header entry.
-  Using this option offers an additional layer of protection from Server Side
-  Request Forgery attacks.  Requests on the listener that do not have the proper
-  `X-Vault-Request` header will fail, with a HTTP response status code of `412:
-  Precondition Failed`.
-
-## Example Configuration
-
-An example configuration, with very contrived values, follows:
-
-```python
-pid_file = "./pidfile"
-
-vault {
-        address = "https://127.0.0.1:8200"
-}
-
-auto_auth {
-        method "aws" {
-                mount_path = "auth/aws-subaccount"
-                config = {
-                        type = "iam"
-                        role = "foobar"
-                }
-        }
-
-        sink "file" {
-                config = {
-                        path = "/tmp/file-foo"
-                }
-        }
-
-        sink "file" {
-                wrap_ttl = "5m"
-                aad_env_var = "TEST_AAD_ENV"
-                dh_type = "curve25519"
-                dh_path = "/tmp/file-foo-dhpath2"
-                config = {
-                        path = "/tmp/file-bar"
-                }
-        }
-}
-
-cache {
-        use_auto_auth_token = true
-}
-
-listener "unix" {
-         address = "/path/to/socket"
-         tls_disable = true
-}
-
-listener "tcp" {
-         address = "127.0.0.1:8100"
-         tls_disable = true
-}
-
-template {
-  source      = "/etc/vault/server.key.ctmpl"
-  destination = "/etc/vault/server.key"
-}
-
-template {
-  source      = "/etc/vault/server.crt.ctmpl"
-  destination = "/etc/vault/server.crt"
-}
-```
-
-[vault]: /docs/agent/index.html#vault-stanza
-[autoauth]: /docs/agent/autoauth/index.html
-[caching]: /docs/agent/caching/index.html
-[template]: /docs/agent/template/index.html
-[listener]: /docs/agent/index.html#listener-stanza
-[listener_main]: /docs/configuration/listener/tcp.html
diff --git a/website/source/docs/agent/template/index.html.md b/website/source/docs/agent/template/index.html.md
deleted file mode 100644
index b16d61df0a5e..000000000000
--- a/website/source/docs/agent/template/index.html.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Template"
-sidebar_title: "Templates"
-sidebar_current: "docs-agent-template"
-description: |-
-  Vault Agent's Template functionality allows Vault secrets to be rendered to files 
-  using Consul Template markup.
----
-
-# Vault Agent Templates
-
-Vault Agent's Template functionality allows Vault secrets to be rendered to files 
-using [Consul Template markup](https://github.com/hashicorp/consul-template#templating-language).
-
-## Functionality
-
-The `template` stanza configures the templating engine in the Vault agent for rendering 
-secrets to files using Consul Template markup language.  Multiple `template` stanzas 
-can be defined to render multiple files.
-
-When the agent is started with templating enabled, it will attempt to acquire a 
-Vault token using the configured Method. On failure, it will back off for a short 
-while (including some randomness to help prevent thundering herd scenarios) and 
-retry. On success, secrets defined in the templates will be retrieved from Vault and 
-rendered locally.
-
-## Configuration
-
-The top level `template` block has multiple configurations entries:
-
-- `source` `(object: optional)` - Path on disk to use as the input template.  This 
-option is required if not using the `contents` option.
-- `destination` `(object: required)` - Path on disk where the rendered secrets should 
-be created. If the parent directories If the parent directories do not exist, Vault 
-Agent will attempt to create them, unless `create_dest_dirs` is false.
-- `create_dest_dirs` `(object: required)` - This option tells Vault Agent to create 
-the parent directories of the destination path if they do not exist. The default 
-value is true.
-- `contents` `(object: optional)` - This option allows embedding the contents of 
-a template in the configuration file rather then supplying the `source` path to 
-the template file. This is useful for short templates. This option is mutually 
-exclusive with the `source` option.
-- `command` `(object: optional)` - This is the optional command to run when the 
-template is rendered. The command will only run if the resulting template changes. 
-The command must return within 30s (configurable), and it must have a successful 
-exit code. Vault Agent is not a replacement for a process monitor or init system.
-- `command_timeout` `(object: optional)` - This is the maximum amount of time to 
-wait for the optional command to return. Default is 30s.
-- `error_on_missing_key` `(object: optional)` - Exit with an error when accessing 
-a struct or map field/key that does notexist. The default behavior will print `<no value>` 
-when accessing a field that does not exist. It is highly recommended you set this 
-to "true". 
-- `perms` `(object: optional)` - This is the permission to render the file. If 
-this option is left unspecified, Vault Agent will attempt to match the permissions 
-of the file that already exists at the destination path. If no file exists at that 
-path, the permissions are 0644. 
-- `backup` `(object: optional)` - This option backs up the previously rendered template 
-at the destination path before writing a new one. It keeps exactly one backup. 
-This option is useful for preventing accidental changes to the data without having 
-a rollback strategy.
-- `left_delimiter` `(object: optional)` - Delimiter to use in the template. The 
-default is "{{" but for some templates, it may be easier to use a different 
-delimiter that does not conflict with the output file itself. 
-- `right_delimiter` `(object: optional)` - Delimiter to use in the template. The 
-default is "}}" but for some templates, it may be easier to use a different 
-delimiter that does not conflict with the output file itself.
-- `sandbox_path` `(object: optional)` - If a sandbox path is provided, any path 
-provided to the `file` function is checked that it falls within the sandbox path. 
-Relative paths that try to traverse outside the sandbox path will exit with an error. 
-- `wait` `(object: required)` - This is the `minimum(:maximum)` to wait before rendering 
-a new template to disk and triggering a command, separated by a colon (`:`).
-
-## Example Template
-
-Template with Vault Agent requires the use of the `secret` [function from Consul Template](https://github.com/hashicorp/consul-template#secret).  
-The following is an example of a template that retrieves a generic secret from Vault's 
-KV store:
-
-```
-{{ with secret "secret/my-secret" }}
-{{ .Data.data.foo }}
-{{ end }}
-```
-
-## Example Configuration
-
-The following demonstrates configuring Vault Agent to template secrets using the 
-AppRole Auth method:
-
-```python
-pid_file = "./pidfile"
-
-vault {
-  address = "https://127.0.0.1:8200"
-}
-
-auto_auth {
-  method {
-    type      = "approle"
-
-    config = {
-      role_id_file_path = "/etc/vault/roleid"
-      secret_id_file_path = "/etc/vault/secretid"
-    }
-  }
-
-  sink {
-    type = "file"
-
-    config = {
-      path = "/tmp/file-foo"
-    }
-  }
-}
-
-template {
-  source      = "/tmp/agent/template.ctmpl"
-  destination = "/tmp/agent/render.txt"
-}
-```
diff --git a/website/source/docs/audit/file.html.md b/website/source/docs/audit/file.html.md
deleted file mode 100644
index 3f410b09f6ab..000000000000
--- a/website/source/docs/audit/file.html.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-layout: "docs"
-page_title: "File - Audit Devices"
-sidebar_title: "File"
-sidebar_current: "docs-audit-file"
-description: |-
-  The "file" audit device writes audit logs to a file.
----
-
-# File Audit Device
-
-The `file` audit device writes audit logs to a file. This is a very simple audit
-device: it appends logs to a file.
-
-The device does not currently assist with any log rotation. There are very
-stable and feature-filled log rotation tools already, so we recommend using
-existing tools.
-
-Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
-and re-open their underlying file, which can assist with log rotation needs.
-
-## Examples
-
-Enable at the default path:
-
-```text
-$ vault audit enable file file_path=/var/log/vault_audit.log
-```
-
-Enable at a different path. It is possible to enable multiple copies of an audit
-device:
-
-```text
-$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
-```
-
-Enable logs on stdout. This is useful when running in a container:
-
-```text
-$ vault audit enable file file_path=stdout
-```
-
-## Configuration
-
-Note the difference between `audit enable` command options and the `file` backend
-configuration options. Use `vault audit enable -help` to see the command options.
-Following are the configuration options available for the backend.
-
-## Configuration
-
-- `file_path` `(string: <required>)` - The path to where the audit log will be
-  written. If a file already exists at the given path, the audit backend will
-  append to it. There are some special keywords:
-
-  - `stdout` writes the audit log to standard output
-
-  - `discard` writes output (useful in testing scenarios)
-
-- `log_raw` `(bool: false)` - If enabled, logs the security sensitive
-  information without hashing, in the raw format.
-
-- `hmac_accessor` `(bool: true)` - If enabled, enables the hashing of token
-  accessor.
-
-- `mode` `(string: "0600")` - A string containing an octal number representing
-  the bit pattern for the file mode, similar to `chmod`. Set to `"0000"` to
-  prevent Vault from modifying the file mode.
-
-- `format` `(string: "json")` - Allows selecting the output format. Valid values
-  are `"json"` and `"jsonx"`, which formats the normal log entries as XML.
-
-- `prefix` `(string: "")` - A customizable string prefix to write before the
-  actual log line.
-
-## Log File Rotation
-
-To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the `vault` process a signal hang up / `SIGHUP` after each rotation of the log file.
diff --git a/website/source/docs/audit/index.html.md b/website/source/docs/audit/index.html.md
deleted file mode 100644
index 39e0753cc359..000000000000
--- a/website/source/docs/audit/index.html.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-layout: "docs"
-page_title: "Audit Devices"
-sidebar_title: "Audit Devices"
-sidebar_current: "docs-audit"
-description: |-
-  Audit devices are mountable devices that log requests and responses in Vault.
----
-
-# Audit Devices
-
-Audit devices are the components in Vault that keep a detailed log of all
-requests and response to Vault. Because every operation with Vault is an API
-request/response, the audit log contains _every authenticated_ interaction with
-Vault, including errors.
-
-Multiple audit devices can be enabled and Vault will send the audit logs to
-both. This allows you to not only have a redundant copy, but also a second copy
-in case the first is tampered with.
-
-## Format
-
-Each line in the audit log is a JSON object. The `type` field specifies what
-type of object it is. Currently, only two types exist: `request` and `response`.
-The line contains all of the information for any given request and response. By
-default, all the sensitive information is first hashed before logging in the
-audit logs.
-
-## Sensitive Information
-
-The audit logs contain the full request and response objects for every
-interaction with Vault. The request and response can be matched utilizing a
-unique identifier assigned to each request.
-
-With a few specific exceptions, all strings (including authentication tokens and lease information) contained within requests and
-responses are hashed with a salt using HMAC-SHA256. The purpose of the hash is
-so that secrets aren't in plaintext within your audit logs. However, you're
-still able to check the value of secrets by generating HMACs yourself; this can
-be done with the audit device's hash function and salt by using the
-`/sys/audit-hash` API endpoint (see the documentation for more details).
-
-Note that currently only strings coming from JSON or being returned in JSON are
-HMAC'd. Other data types, like integers, booleans, and so on, are passed
-through in plaintext.
-
-## Enabling/Disabling Audit Devices
-
-When a Vault server is first initialized, no auditing is enabled. Audit
-devices must be enabled by a root user using `vault audit enable`.
-
-When enabling an audit device, options can be passed to it to configure it.
-For example, the command below enables the file audit device:
-
-```text
-$ vault audit enable file file_path=/var/log/vault_audit.log
-```
-
-In the command above, we passed the "file_path" parameter to specify the path
-where the audit log will be written to. Each audit device has its own
-set of parameters. See the documentation to the left for more details.
-
-When an audit device is disabled, it will stop receiving logs immediately.
-The existing logs that it did store are untouched.
-
-## Blocked Audit Devices
-
-If there are any audit devices enabled, Vault requires that at least
-one be able to persist the log before completing a Vault request.
-
-!> If you have only one audit device enabled, and it is blocking (network
-block, etc.), then Vault will be _unresponsive_. Vault **will not** complete
-any requests until the audit device can write.
-
-If you have more than one audit device, then Vault will complete the request
-as long as one audit device persists the log.
-
-Vault will not respond to requests if audit devices are blocked because
-audit logs are critically important and ignoring blocked requests opens
-an avenue for attack. Be absolutely certain that your audit devices cannot
-block.
-
-## API
-
-Audit devices also have a full HTTP API. Please see the [Audit device API
-docs](/api/system/audit.html) for more details.
diff --git a/website/source/docs/audit/socket.html.md b/website/source/docs/audit/socket.html.md
deleted file mode 100644
index c34a907c2c40..000000000000
--- a/website/source/docs/audit/socket.html.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-layout: "docs"
-page_title: "Socket - Audit Devices"
-sidebar_title: "Socket"
-sidebar_current: "docs-audit-socket"
-description: |-
-  The "socket" audit device writes audit writes to a TCP or UDP socket.
----
-
-# Socket Audit Device
-
-The `socket` audit device writes to a TCP, UDP, or UNIX socket.
-
-~> **Warning:** Due to the nature of the underlying protocols used in this
-device there exists a case when the connection to a socket is lost a single
-audit entry could be omitted from the logs and the request will still succeed.
-Using this device in conjunction with another audit device will help to improve
-accuracy, but the socket device should not be used if strong guarantees are
-needed for audit logs.
-
-## Enabling
-
-Enable at the default path:
-
-```text
-$ vault audit enable socket
-```
-
-Supply configuration parameters via K=V pairs:
-
-```text
-$ vault audit enable socket address=127.0.0.1:9090 socket_type=tcp
-```
-
-## Configuration
-
-- `address` `(string: "")` - The socket server address to use. Example
-  `127.0.0.1:9090` or `/tmp/audit.sock`.
-
-- `socket_type` `(string: "tcp")` - The socket type to use, any type compatible
-  with <a href="https://golang.org/pkg/net/#Dial">net.Dial</a> is acceptable.
-
-- `log_raw` `(bool: false)` - If enabled, logs the security sensitive
-  information without hashing, in the raw format.
-
-- `hmac_accessor` `(bool: true)` - If enabled, enables the hashing of token
-  accessor.
-
-- `mode` `(string: "0600")` - A string containing an octal number representing
-  the bit pattern for the file mode, similar to `chmod`.
-
-- `format` `(string: "json")` - Allows selecting the output format. Valid values
-  are `"json"` and `"jsonx"`, which formats the normal log entries as XML.
-
-- `prefix` `(string: "")` - A customizable string prefix to write before the
-  actual log line.
diff --git a/website/source/docs/audit/syslog.html.md b/website/source/docs/audit/syslog.html.md
deleted file mode 100644
index 10dd5a08c9c1..000000000000
--- a/website/source/docs/audit/syslog.html.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-layout: "docs"
-page_title: "Syslog - Audit Devices"
-sidebar_title: "Syslog"
-sidebar_current: "docs-audit-syslog"
-description: |-
-  The "syslog" audit device writes audit logs to syslog.
----
-
-# Syslog Audit Device
-
-The `syslog` audit device writes audit logs to syslog.
-
-It currently does not support a configurable syslog destination, and always
-sends to the local agent. This device is only supported on Unix systems,
-and should not be enabled if any standby Vault instances do not support it.
-
-~> **Warning**: Audit messages generated for some operations can be quite
-large, and can be larger than a [maximum-size single UDP
-packet](https://tools.ietf.org/html/rfc5426#section-3.1). If possible with your
-syslog daemon, configure a TCP listener. Otherwise, consider using a `file`
-backend and having syslog configured to read entries from the file; or, enable
-both `file` and `syslog` so that a failure for a particular message to log
-directly to `syslog` will not result in Vault being blocked.
-
-## Examples
-
-Audit `syslog` device can be enabled by the following command:
-
-```text
-$ vault audit enable syslog
-```
-
-Supply configuration parameters via K=V pairs:
-
-```text
-$ vault audit enable syslog tag="vault" facility="AUTH"
-```
-
-## Configuration
-
-- `facility` `(string: "AUTH")` - The syslog facility to use.
-
-- `tag` `(string: "vault")` - The syslog tag to use.
-
-- `log_raw` `(bool: false)` - If enabled, logs the security sensitive
-  information without hashing, in the raw format.
-
-- `hmac_accessor` `(bool: true)` - If enabled, enables the hashing of token
-  accessor.
-
-- `mode` `(string: "0600")` - A string containing an octal number representing
-  the bit pattern for the file mode, similar to `chmod`.
-
-- `format` `(string: "json")` - Allows selecting the output format. Valid values
-  are `"json"` and `"jsonx"`, which formats the normal log entries as XML.
-
-- `prefix` `(string: "")` - A customizable string prefix to write before the
-  actual log line.
diff --git a/website/source/docs/auth/alicloud.html.md b/website/source/docs/auth/alicloud.html.md
deleted file mode 100644
index 95e10a29c694..000000000000
--- a/website/source/docs/auth/alicloud.html.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-layout: "docs"
-page_title: "AliCloud - Auth Methods"
-sidebar_title: "AliCloud"
-sidebar_current: "docs-auth-alicloud"
-description: |-
-  The AliCloud auth method allows automated authentication of AliCloud entities.
----
-
-# AliCloud Auth Method
-
-The `alicloud` auth method provides an automated mechanism to retrieve
-a Vault token for AliCloud entities. Unlike most Vault auth methods, this 
-method does not require manual first-deploying, or provisioning 
-security-sensitive credentials (tokens, username/password, client certificates, 
-etc), by operators. It treats AliCloud as a Trusted Third Party and uses a 
-special AliCloud request signed with private credentials. A variety of credentials 
-can be used to construct the request, but AliCloud offers 
-[instance metadata](https://www.alibabacloud.com/help/faq-detail/49122.htm) 
-that's ideally suited for the purpose. By launching an instance with a role,
-the role's STS credentials under instance metadata can be used to securely 
-build the request.
-
-## Authentication Workflow
-
-The AliCloud STS API includes a method,
-[`sts:GetCallerIdentity`](https://www.alibabacloud.com/help/doc-detail/43767.htm),
-which allows you to validate the identity of a client. The client signs
-a `GetCallerIdentity` query using the [AliCloud signature
-algorithm](https://www.alibabacloud.com/help/doc-detail/67332.htm). It then 
-submits 2 pieces of information to the Vault server to recreate a valid signed 
-request: the request URL, and the request headers. The Vault server then 
-reconstructs the query and forwards it on to the AliCloud STS service and validates 
-the result back.
-
-Importantly, the credentials used to sign the GetCallerIdentity request can come
-from the ECS instance metadata service for an ECS instance, which obviates the
-need for an operator to manually provision some sort of identity material first.
-However, the credentials can, in principle, come from anywhere, not just from
-the locations AliCloud has provided for you.
-
-Each signed AliCloud request includes the current timestamp and a nonce to mitigate 
-the risk of replay attacks.
-
-It's also important to note that AliCloud does NOT include any sort
-of authorization around calls to `GetCallerIdentity`. For example, if you have
-a RAM policy on your credential that requires all access to be MFA authenticated,
-non-MFA authenticated credentials will still be able to authenticate to Vault 
-using this method. It does not appear possible to enforce a RAM principal to be 
-MFA authenticated while authenticating to Vault.
-
-## Authorization Workflow
-
-The basic mechanism of operation is per-role. 
-
-Roles are associated with a role ARN that has been pre-created in AliCloud. 
-AliCloud's console displays each role's ARN. A role in Vault has a 1:1 relationship
-with a role in AliCloud, and must bear the same name.
-
-When a client assumes that role and sends its `GetCallerIdentity` request to Vault,
-Vault matches the arn of its assumed role with that of a pre-created role in Vault.
-It then checks what policies have been associated with the role, and grants a
-token accordingly.
-
-## Authentication
-
-### Via the CLI
-
-#### Enable AliCloud authentication in Vault.
-
-```
-$ vault auth enable alicloud
-```
-
-#### Configure the policies on the role.
-
-```
-$ vault write auth/alicloud/role/dev-role arn='acs:ram::5138828231865461:role/dev-role'
-```
-
-#### Perform the login operation
-
-```
-$ vault write auth/alicloud/login \
-        role=dev-role \
-        identity_request_url=$IDENTITY_REQUEST_URL_BASE_64 \
-        identity_request_headers=$IDENTITY_REQUEST_HEADERS_BASE_64
-```
-
-For the RAM auth method, generating the signed request is a non-standard
-operation. The Vault CLI supports generating this for you:
-
-```
-$ vault login -method=alicloud access_key=... secret_key=... security_token=... region=...
-```
-
-This assumes you have the AliCloud credentials you would find on an ECS instance using the 
-following call:
-```
-curl 'http://100.100.100.200/latest/meta-data/ram/security-credentials/$ROLE_NAME'
-```
-Please note the `$ROLE_NAME` above is case-sensitive and must be consistent with how it's reflected
-on the instance.
-
-An example of how to generate the required request values for the `login` method
-can be found found in the 
-[Vault CLI source code](https://github.com/hashicorp/vault-plugin-auth-alicloud/blob/master/tools/tools.go).
-
-## API
-
-The AliCloud auth method has a full HTTP API. Please see the
-[AliCloud Auth API](/api/auth/alicloud/index.html) for more
-details.
diff --git a/website/source/docs/auth/app-id.html.md b/website/source/docs/auth/app-id.html.md
deleted file mode 100644
index dc6729a16f54..000000000000
--- a/website/source/docs/auth/app-id.html.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-layout: "docs"
-page_title: "AppID - Auth Methods"
-sidebar_title: "App ID <sup>DEPRECATED</sup>"
-sidebar_current: "docs-auth-appid"
-description: |-
-  The AppID auth method is a mechanism for machines to authenticate with Vault.
----
-
-# AppID Auth Method
-
-~> **DEPRECATED!** As of Vault 0.6.1, AppID is deprecated in favor of
-[AppRole](/docs/auth/approle.html). AppRole can accommodate the same workflow as
-AppID while enabling much more secure and flexible management and other types
-of authentication workflows. No new features or enhancements are planned for App
-ID, and new users should use AppRole instead of AppID.
-
-The AppID auth method is a mechanism for machines to authenticate with Vault.
-It works by requiring two hard-to-guess unique pieces of information: a unique
-app ID, and a unique user ID.
-
-The goal of this auth method is to allow elastic users (dynamic
-machines, containers, etc.) to authenticate with Vault without having to store
-passwords outside of Vault. It is a single method of solving the
-chicken-and-egg problem of setting up Vault access on a machine. With this
-provider, nobody except the machine itself has access to both pieces of
-information necessary to authenticate. For example: configuration management
-will have the app IDs, but the machine itself will detect its user ID based on
-some unique machine property such as a MAC address (or a hash of it with some
-salt).
-
-An example, real world process for using this provider:
-
-1.  Create unique app IDs (UUIDs work well) and map them to policies. (Path:
-    `map/app-id/<app-id>`)
-
-2.  Store the app IDs within configuration management systems.
-
-3.  An out-of-band process run by security operators map unique user IDs to
-    these app IDs. Example: when an instance is launched, a cloud-init system
-    tells security operators a unique ID for this machine. This process can be
-    scripted, but the key is that it is out-of-band and out of reach of
-    configuration management. (Path: `map/user-id/<user-id>`)
-
-4.  A new server is provisioned. Configuration management configures the app
-    ID, the server itself detects its user ID. With both of these pieces of
-    information, Vault can be accessed according to the policy set by the app
-    ID.
-
-More details on this process follow:
-
-* The app ID is a unique ID that maps to a set of policies. This ID is generated
-  by an operator and configured into the method. The ID itself is usually a
-  UUID-formatted random value, but any hard-to-guess unique value can be used.
-
-* After creating app IDs, an operator authorizes a fixed set of user IDs with
-  each app ID. When a valid {app ID, user ID} tuple is given to the "login"
-  path, then the user is authenticated with the configured app ID policies.
-
-* The user ID can be any value (just like the app ID), however it is generally a
-  value unique to a machine, such as a MAC address or instance ID, or a value
-  hashed from these unique values.
-
-## Authentication
-
-Via the CLI:
-
-```text
-$ vault write auth/app-id/login/:app-id user_id=:user_id
-```
-
-Via the API:
-
-```text
-$ curl \
-    --method POST \
-    --data '{"user_id": ":user_id"}' \
-    http://127.0.0.1:8200/v1/auth/app-id/login/:app_id
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-1.  Enable the AppID auth method:
-
-    ```text
-    $ vault auth enable app-id
-    ```
-
-1.  Configure it with the set of AppIDs, user IDs, and the mapping between them:
-
-    ```text
-    $ vault write auth/app-id/map/app-id/foo value=admins display_name=foo
-    # ...
-
-    $ vault write auth/app-id/map/user-id/bar value=foo cidr_block=10.0.0.0/16
-    # ...
-    ```
-
-    This will create an AppID "foo" that associates with the policy "admins".
-    The `display_name` sets the display name for audit logs and secrets. Next,
-    we configure the user ID "bar" and say that the user ID bar can be paired
-    with "foo" but only if the client is in the "10.0.0.0/16" CIDR block. The
-    `cidr_block` configuration is optional.
-
-    This means that if a client authenticates and provide both "foo" and "bar",
-    then the app ID will authenticate that client with the policy "admins".
-
-    In practice, both the user and app ID are likely hard-to-guess UUID-like
-    values.
-
-    Note that it is possible to authorize multiple app IDs with each user ID by
-    writing them as comma-separated values to the user ID mapping:
-
-    ```text
-    $ vault write auth/app-id/map/user-id/bar value=foo,baz cidr_block=10.0.0.0/16
-    # ...
-    ```
-
-## API
-
-The AppID auth method has a full HTTP API. Please see the
-[AppID auth method API](/api/auth/app-id/index.html) for more
-details.
diff --git a/website/source/docs/auth/approle.html.md b/website/source/docs/auth/approle.html.md
deleted file mode 100644
index 1900047bbb6e..000000000000
--- a/website/source/docs/auth/approle.html.md
+++ /dev/null
@@ -1,243 +0,0 @@
----
-layout: "docs"
-page_title: "AppRole - Auth Methods"
-sidebar_title: "AppRole"
-sidebar_current: "docs-auth-approle"
-description: |-
-  The AppRole auth method allows machines and services to authenticate with
-  Vault.
----
-
-# AppRole Auth Method
-
-The `approle` auth method allows machines or _apps_ to authenticate with
-Vault-defined _roles_. The open design of `AppRole` enables a varied set of
-workflows and configurations to handle large numbers of apps. This auth method
-is oriented to automated workflows (machines and services), and is less useful
-for human operators.
-
-An "AppRole" represents a set of Vault policies and login constraints that must
-be met to receive a token with those policies. The scope can be as narrow or
-broad as desired. An AppRole can be created for a particular machine, or even
-a particular user on that machine, or a service spread across machines. The
-credentials required for successful login depend upon the constraints set on
-the AppRole associated with the credentials.
-
-## Authentication
-
-### Via the CLI
-
-The default path is `/approle`. If this auth method was enabled at a different
-path, specify `auth/my-path/login` instead.
-
-```text
-$ vault write auth/approle/login \
-    role_id=db02de05-fa39-4855-059b-67221c5c2f63 \
-    secret_id=6a174c20-f6de-a53c-74d2-6018fcceff64
-
-Key                Value
----                -----
-token              65b74ffd-842c-fd43-1386-f7d7006e520a
-token_accessor     3c29bc22-5c72-11a6-f778-2bc8f48cea0e
-token_duration     20m0s
-token_renewable    true
-token_policies     [default]
-```
-
-### Via the API
-
-The default endpoint is `auth/approle/login`. If this auth method was enabled
-at a different path, use that value instead of `approle`.
-
-```sh
-$ curl \
-    --request POST \
-    --data '{"role_id":"988a9df-...","secret_id":"37b74931..."}' \
-    http://127.0.0.1:8200/v1/auth/approle/login
-```
-
-The response will contain the token at `auth.client_token`:
-
-```json
-{
-  "auth": {
-    "renewable": true,
-    "lease_duration": 2764800,
-    "metadata": {},
-    "policies": [
-      "default",
-      "dev-policy",
-      "test-policy"
-    ],
-    "accessor": "5d7fb475-07cb-4060-c2de-1ca3fcbf0c56",
-    "client_token": "98a4c7ab-b1fe-361b-ba0b-e307aacfd587"
-  }
-}
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-### Via the CLI
-
-1. Enable the AppRole auth method:
-
-    ```text
-    $ vault auth enable approle
-    ```
-
-1. Create a named role:
-
-    ```text
-    $ vault write auth/approle/role/my-role \
-        secret_id_ttl=10m \
-        token_num_uses=10 \
-        token_ttl=20m \
-        token_max_ttl=30m \
-        secret_id_num_uses=40
-    ```
-
-    For the complete list of configuration options, please see the API
-    documentation.
-
-1. Fetch the RoleID of the AppRole:
-
-    ```text
-    $ vault read auth/approle/role/my-role/role-id
-    role_id     db02de05-fa39-4855-059b-67221c5c2f63
-    ```
-
-1. Get a SecretID issued against the AppRole:
-
-    ```text
-    $ vault write -f auth/approle/role/my-role/secret-id
-    secret_id               6a174c20-f6de-a53c-74d2-6018fcceff64
-    secret_id_accessor      c454f7e5-996e-7230-6074-6ef26b7bcf86
-    ```
-
-### Via the API
-
-1. Enable the AppRole auth method:
-
-    ```sh
-    $ curl \
-        --header "X-Vault-Token: ..." \
-        --request POST \
-        --data '{"type": "approle"}' \
-        http://127.0.0.1:8200/v1/sys/auth/approle
-    ```
-
-1. Create an AppRole with desired set of policies:
-
-    ```sh
-    $ curl \
-        --header "X-Vault-Token: ..." \
-        --request POST \
-        --data '{"policies": "dev-policy,test-policy"}' \
-        http://127.0.0.1:8200/v1/auth/approle/role/my-role
-    ```
-
-1. Fetch the identifier of the role:
-
-    ```sh
-    $ curl \
-        --header "X-Vault-Token: ..." \
-        http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
-    ```
-
-    The response will look like:
-
-    ```json
-    {
-      "data": {
-        "role_id": "988a9dfd-ea69-4a53-6cb6-9d6b86474bba"
-      }
-    }
-    ```
-
-1. Create a new secret identifier under the role:
-
-    ```sh
-    $ curl \
-        --header "X-Vault-Token: ..." \
-        --request POST \
-         http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
-    ```
-
-    The response will look like:
-
-    ```json
-    {
-      "data": {
-        "secret_id_accessor": "45946873-1d96-a9d4-678c-9229f74386a5",
-        "secret_id": "37b74931-c4cd-d49a-9246-ccc62d682a25"
-      }
-    }
-    ```
-
-## Credentials/Constraints
-
-### RoleID
-
-RoleID is an identifier that selects the AppRole against which the other
-credentials are evaluated. When authenticating against this auth method's login
-endpoint, the RoleID is a required argument (via `role_id`) at all times. By
-default, RoleIDs are unique UUIDs, which allow them to serve as secondary
-secrets to the other credential information. However, they can be set to
-particular values to match introspected information by the client (for
-instance, the client's domain name).
-
-### SecretID
-
-SecretID is a credential that is required by default for any login (via
-`secret_id`) and is intended to always be secret. (For advanced usage,
-requiring a SecretID can be disabled via an AppRole's `bind_secret_id`
-parameter, allowing machines with only knowledge of the RoleID, or matching
-other set constraints, to fetch a token). SecretIDs can be created against an
-AppRole either via generation of a 128-bit purely random UUID by the role
-itself (`Pull` mode) or via specific, custom values (`Push` mode). Similarly to
-tokens, SecretIDs have properties like usage-limit, TTLs and expirations.
-
-#### Pull And Push SecretID Modes
-
-If the SecretID used for login is fetched from an AppRole, this is operating in
-Pull mode. If a "custom" SecretID is set against an AppRole by the client, it
-is referred to as a Push mode. Push mode mimics the behavior of the deprecated
-App-ID auth method; however, in most cases Pull mode is the better approach. The
-reason is that Push mode requires some other system to have knowledge of the
-full set of client credentials (RoleID and SecretID) in order to create the
-entry, even if these are then distributed via different paths. However, in Pull
-mode, even though the RoleID must be known in order to distribute it to the
-client, the SecretID can be kept confidential from all parties except for the
-final authenticating client by using [Response
-Wrapping](/docs/concepts/response-wrapping.html).
-
-Push mode is available for App-ID workflow compatibility, which in some
-specific cases is preferable, but in most cases Pull mode is more secure and
-should be preferred.
-
-### Further Constraints
-
-`role_id` is a required credential at the login endpoint. AppRole pointed to by
-the `role_id` will have constraints set on it. This dictates other `required`
-credentials for login. The `bind_secret_id` constraint requires `secret_id` to
-be presented at the login endpoint.  Going forward, this auth method can support
-more constraint parameters to support varied set of Apps. Some constraints will
-not require a credential, but still enforce constraints for login.  For
-example, `secret_id_bound_cidrs` will only allow logins coming from IP addresses
-belonging to configured CIDR blocks on the AppRole.
-
-## Learn
-
-Refer to the [AppRole Pull
-Authentication](https://learn.hashicorp.com/vault/identity-access-management/iam-authentication)
-guide for a step-by-step tutorial.
-
-## API
-
-The AppRole auth method has a full HTTP API. Please see the
-[AppRole API](/api/auth/approle/index.html) for more
-details.
diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws.html.md
deleted file mode 100644
index 0911d510c4bb..000000000000
--- a/website/source/docs/auth/aws.html.md
+++ /dev/null
@@ -1,736 +0,0 @@
----
-layout: "docs"
-page_title: "AWS - Auth Methods"
-sidebar_title: "AWS"
-sidebar_current: "docs-auth-aws"
-description: |-
-  The aws auth method allows automated authentication of AWS entities.
----
-
-# AWS Auth Method
-
-The `aws` auth method provides an automated mechanism to retrieve a Vault token
-for IAM principals and AWS EC2 instances. Unlike most Vault auth methods, this
-method does not require manual first-deploying, or provisioning
-security-sensitive credentials (tokens, username/password, client certificates,
-etc), by operators under many circumstances.
-
-## Authentication Workflow
-
-There are two authentication types present in the aws auth method: `iam` and
-`ec2`.
-
-With the `iam` method, a special AWS request signed with AWS IAM credentials is
-used for authentication. The IAM credentials are automatically supplied to AWS
-instances in IAM instance profiles, Lambda functions, and others, and it is
-this information already provided by AWS which Vault can use to authenticate
-clients.
-
-With the `ec2` method, AWS is treated as a Trusted Third Party and
-cryptographically signed dynamic metadata information that uniquely represents
-each EC2 instance is used for authentication. This metadata information is
-automatically supplied by AWS to all EC2 instances.
-
-Based on how you attempt to authenticate, Vault will determine if you are
-attempting to use the `iam` or `ec2` type. Each has a different authentication
-workflow, and each can solve different use cases. 
-
-Note: The `ec2` method was implemented before the primitives to implement the
-`iam` method were supported by AWS. The `iam` method is the recommended approach
-as it is more flexible and aligns with best practices to perform access
-control and authentication. See the section on comparing the two auth methods
-below for more information.
-
-### IAM auth method
-
-The AWS STS API includes a method,
-[`sts:GetCallerIdentity`](http://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html),
-which allows you to validate the identity of a client. The client signs a
-`GetCallerIdentity` query using the [AWS Signature v4
-algorithm](http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html) and
-submits 4 pieces of information to the Vault server to recreate a valid signed
-request: the request URL, the request body, the request headers, and the
-request method, as the AWS signature is computed over those fields. The Vault
-server then reconstructs the query and forwards it on to the AWS STS service
-and validates the result back. Clients don't need network-level access to talk
-to the AWS STS API endpoint; they merely need access to the credentials to sign
-the request. However, it means that the Vault server does need network-level
-access to send requests to the STS endpoint.
-
-Importantly, the credentials used to sign the GetCallerIdentity request can
-come from the EC2 instance metadata service for an EC2 instance, or from the
-AWS environment variables in an AWS Lambda function execution, which obviates
-the need for an operator to manually provision some sort of identity material
-first.  However, the credentials can, in principle, come from anywhere, not
-just from the locations AWS has provided for you.
-
-Each signed AWS request includes the current timestamp to mitigate the risk of
-replay attacks. In addition, Vault allows you to require an additional header,
-`X-Vault-AWS-IAM-Server-ID`, to be present to mitigate against different types
-of replay attacks (such as a signed `GetCallerIdentity` request stolen from a
-dev Vault instance and used to authenticate to a prod Vault instance). Vault
-further requires that this header be one of the headers included in the AWS
-signature and relies upon AWS to authenticate that signature.
-
-While AWS API endpoints support both signed GET and POST requests, for
-simplicity, the aws auth method supports only POST requests. It also does not
-support `presigned` requests, i.e., requests with `X-Amz-Credential`,
-`X-Amz-Signature`, and `X-Amz-SignedHeaders` GET query parameters containing
-the authenticating information.
-
-It's also important to note that Amazon does NOT appear to include any sort of
-authorization around calls to `GetCallerIdentity`. For example, if you have an
-IAM policy on your credential that requires all access to be MFA authenticated,
-non-MFA authenticated credentials (i.e., raw credentials, not those retrieved
-by calling `GetSessionToken` and supplying an MFA code) will still be able to
-authenticate to Vault using this method. It does not appear possible to enforce
-an IAM principal to be MFA authenticated while authenticating to Vault.
-
-### EC2 auth method
-
-Amazon EC2 instances have access to metadata which describes the instance. The
-Vault EC2 auth method leverages the components of this metadata to authenticate
-and distribute an initial Vault token to an EC2 instance. The data flow (which
-is also represented in the graphic below) is as follows:
-
-[![Vault AWS EC2 Authentication Flow](/img/vault-aws-ec2-auth-flow.png)](/img/vault-aws-ec2-auth-flow.png)
-
-1. An AWS EC2 instance fetches its [AWS Instance Identity Document][aws-iid]
-from the [EC2 Metadata Service][aws-ec2-mds]. In addition to data itself, AWS
-also provides the PKCS#7 signature of the data, and publishes the public keys
-(by region) which can be used to verify the signature.
-
-1. The AWS EC2 instance makes a request to Vault with the PKCS#7 signature.
-The PKCS#7 signature contains the Instance Identity Document within itself.
-
-1. Vault verifies the signature on the PKCS#7 document, ensuring the information
-is certified accurate by AWS. This process validates both the validity and
-integrity of the document data. As an added security measure, Vault verifies
-that the instance is currently running using the public EC2 API endpoint.
-
-1. Provided all steps are successful, Vault returns the initial Vault token to
-the EC2 instance. This token is mapped to any configured policies based on the
-instance metadata.
-
-[aws-iid]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
-[aws-ec2-mds]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
-
-There are various modifications to this workflow that provide more or less
-security, as detailed later in this documentation.
-
-## Authorization Workflow
-
-The basic mechanism of operation is per-role. Roles are registered in the
-method and associated with a specific authentication type that cannot be
-changed once the role has been created. Roles can also be associated with
-various optional restrictions, such as the set of allowed policies and max TTLs
-on the generated tokens. Each role can be specified with the constraints that
-are to be met during the login. Many of these constraints accept lists of
-required values. For any constraint which accepts a list of values, that
-constraint will be considered satisfied if any one of the values is matched
-during the login process. For example, one such constraint that is
-supported is to bind against a list of AMI IDs. A role which is bound to a
-specific list of AMIs can only be used for login by EC2 instances that are
-deployed to one of the AMIs that the role is bound to.
-
-The iam auth method allows you to specify bound IAM principal ARNs.
-Clients authenticating to Vault must have an ARN that matches one of the ARNs bound to
-the role they are attempting to login to. The bound ARN allows specifying a
-wildcard at the end of the bound ARN. For example, if the bound ARN were
-`arn:aws:iam::123456789012:*` it would allow any principal in AWS account
-123456789012 to login to it. Similarly, if it were
-`arn:aws:iam::123456789012:role/*` it would allow any IAM role in the AWS
-account to login to it. If you wish to specify a wildcard, you must give Vault
-`iam:GetUser` and `iam:GetRole` permissions to properly resolve the full user
-path.
-
-In general, role bindings that are specific to an EC2 instance are only checked
-when the ec2 auth method is used to login, while bindings specific to IAM
-principals are only checked when the iam auth method is used to login. However,
-the iam method includes the ability for you to "infer" an EC2 instance ID from
-the authenticated client and apply many of the bindings that would otherwise
-only apply specifically to EC2 instances.
-
-In many cases, an organization will use a "seed AMI" that is specialized after
-bootup by configuration management or similar processes. For this reason, a
-role entry in the method can also be associated with a "role tag" when using
-the ec2 auth type. These tags
-are generated by the method and are placed as the value of a tag with the
-given key on the EC2 instance. The role tag can be used to further restrict the
-parameters set on the role, but cannot be used to grant additional privileges.
-If a role with an AMI bind constraint has "role tag" enabled on the role, and
-the EC2 instance performing login does not have an expected tag on it, or if the
-tag on the instance is deleted for some reason, authentication fails.
-
-The role tags can be generated at will by an operator with appropriate API
-access. They are HMAC-signed by a per-role key stored within the method, allowing
-the method to verify the authenticity of a found role tag and ensure that it has
-not been tampered with. There is also a mechanism to blacklist role tags if one
-has been found to be distributed outside of its intended set of machines.
-
-## IAM Authentication Inferences
-
-With the iam auth method, normally Vault will see the IAM principal that
-authenticated, either the IAM user or role. However, when you have an EC2
-instance in an IAM instance profile, Vault can actually see the instance ID of
-the instance and can "infer" that it's an EC2 instance. However, there are
-important security caveats to be aware of before configuring Vault to make that
-inference.
-
-Each AWS IAM role has a "trust policy" which specifies which entities are
-trusted to call
-[`sts:AssumeRole`](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
-on the role and retrieve credentials that can be used to authenticate with that
-role. When AssumeRole is called, a parameter called RoleSessionName is passed
-in, which is chosen arbitrarily by the entity which calls AssumeRole. If you
-have a role with an ARN `arn:aws:iam::123456789012:role/MyRole`, then the
-credentials returned by calling AssumeRole on that role will be
-`arn:aws:sts::123456789012:assumed-role/MyRole/RoleSessionName` where
-RoleSessionName is the session name in the AssumeRole API call. It is this
-latter value which Vault actually sees.
-
-When you have an EC2 instance in an instance profile, the corresponding role's
-trust policy specifies that the principal `"Service": "ec2.amazonaws.com"` is
-trusted to call AssumeRole. When this is configured, EC2 calls AssumeRole on
-behalf of your instance, with a RoleSessionName corresponding to the
-instance's instance ID. Thus, it is possible for Vault to extract the instance
-ID out of the value it sees when an EC2 instance in an instance profile
-authenticates to Vault with the iam auth method. This is known as
-"inferencing." Vault can be configured, on a role-by-role basis, to infer that a
-caller is an EC2 instance and, if so, apply further bindings that apply
-specifically to EC2 instances -- most of the bindings available to the ec2
-auth method.
-
-However, it is very important to note that if any entity other than an AWS
-service is permitted to call AssumeRole on your role, then that entity can
-simply pass in your instance's instance ID and spoof your instance to Vault.
-This also means that anybody who is able to modify your role's trust policy
-(e.g., via
-[`iam:UpdateAssumeRolePolicy`](http://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAssumeRolePolicy.html),
-then that person could also spoof your instances. If this is a concern but you
-would like to take advantage of inferencing, then you should tightly restrict
-who is able to call AssumeRole on the role, tightly restrict who is able to call
-UpdateAssumeRolePolicy on the role, and monitor CloudTrail logs for calls to
-AssumeRole and UpdateAssumeRolePolicy. All of these caveats apply equally to
-using the iam auth method without inferencing; the point is merely
-that Vault cannot offer an iron-clad guarantee about the inference and it is up
-to operators to determine, based on their own AWS controls and use cases,
-whether or not it's appropriate to configure inferencing.
-
-## Mixing Authentication Types
-
-Vault allows you to configure using either the ec2 auth method or the iam auth
-method, but not both auth methods. Further, Vault will prevent you from
-enforcing restrictions that it cannot enforce given the chosen auth type for a
-role. Some examples of how this works in practice:
-
-1. You configure a role with the ec2 auth type, with a bound AMI ID. A
-   client would not be able to login using the iam auth type.
-2. You configure a role with the iam auth type, with a bound IAM
-   principal ARN. A client would not be able to login with the ec2 auth method.
-3. You configure a role with the iam auth type and further configure
-   inferencing. You have a bound AMI ID and a bound IAM principal ARN. A client
-   must login using the iam method; the RoleSessionName must be a valid instance
-   ID viewable by Vault, and the instance must have come from the bound AMI ID.
-
-## Comparison of the IAM and EC2 Methods
-
-The iam and ec2 auth methods serve similar and somewhat overlapping
-functionality, in that both authenticate some type of AWS entity to Vault.
-Here are some comparisons that illustrate why `iam` method is preferred over
-`ec2`.
-
-* What type of entity is authenticated:
-  * The ec2 auth method authenticates only AWS EC2 instances and is specialized
-    to handle EC2 instances, such as restricting access to EC2 instances from
-    a particular AMI, EC2 instances in a particular instance profile, or EC2
-    instances with a specialized tag value (via the role_tag feature).
-  * The iam auth method authenticates AWS IAM principals. This can
-    include IAM users, IAM roles assumed from other accounts, AWS Lambdas that
-    are launched in an IAM role, or even EC2 instances that are launched in an
-    IAM instance profile. However, because it authenticates more generalized IAM
-    principals, this method doesn't offer more granular controls beyond binding
-    to a given IAM principal without the use of inferencing.
-* How the entities are authenticated
-  * The ec2 auth method authenticates instances by making use of the EC2
-    instance identity document, which is a cryptographically signed document
-    containing metadata about the instance. This document changes relatively
-    infrequently, so Vault adds a number of other constructs to mitigate against
-    replay attacks, such as client nonces, role tags, instance migrations, etc.
-    Because the instance identity document is signed by AWS, you have a strong
-    guarantee that it came from an EC2 instance.
-  * The iam auth method authenticates by having clients provide a specially
-    signed AWS API request which the method then passes on to AWS to validate
-    the signature and tell Vault who created it. The actual secret (i.e.,
-    the AWS secret access key) is never transmitted over the wire, and the
-    AWS signature algorithm automatically expires requests after 15 minutes,
-    providing simple and robust protection against replay attacks. The use of
-    inferencing, however, provides a weaker guarantee that the credentials came
-    from an EC2 instance in an IAM instance profile compared to the ec2
-    authentication mechanism.
-  * The instance identity document used in the ec2 auth method is more likely to
-    be stolen given its relatively static nature, but it's harder to spoof. On
-    the other hand, the credentials of an EC2 instance in an IAM instance
-    profile are less likely to be stolen given their dynamic and short-lived
-    nature, but it's easier to spoof credentials that might have come from an
-    EC2 instance.
-* Specific use cases
-  * If you have non-EC2 instance entities, such as IAM users, Lambdas in IAM
-    roles, or developer laptops using [AdRoll's
-    Hologram](https://github.com/AdRoll/hologram) then you would need to use the
-    iam auth method.
-  * If you have EC2 instances, then you could use either auth method. If you
-    need more granular filtering beyond just the instance profile of given EC2
-    instances (such as filtering based off the AMI the instance was launched
-    from), then you would need to use the ec2 auth method, change the instance
-    profile associated with your EC2 instances so they have unique IAM roles
-    for each different Vault role you would want them to authenticate
-    to, or make use of inferencing. If you need to make use of role tags, then
-    you will need to use the ec2 auth method.
-
-## Recommended Vault IAM Policy
-
-This specifies the recommended IAM policy needed by the AWS auth method. Note
-that if you are using the same credentials for the AWS auth and secret methods
-(e.g., if you're running Vault on an EC2 instance in an IAM instance profile),
-then you will need to add additional permissions as required by the AWS secret
-method.
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:DescribeInstances",
-        "iam:GetInstanceProfile",
-        "iam:GetUser",
-        "iam:GetRole"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": ["sts:AssumeRole"],
-      "Resource": [
-        "arn:aws:iam::<AccountId>:role/<VaultRole>"
-      ]
-    }
-  ]
-}
-```
-
-Here are some of the scenarios in which Vault would need to use each of these
-permissions. This isn't intended to be an exhaustive list of all the scenarios
-in which Vault might make an AWS API call, but rather illustrative of why these
-are needed.
-
-* `ec2:DescribeInstances` is necessary when you are using the `ec2` auth method
-  or when you are inferring an `ec2_instance` entity type to validate that the
-  EC2 instance meets binding requirements of the role
-* `iam:GetInstanceProfile` is used when you have a `bound_iam_role_arn` in the
-  `ec2` auth method. Vault needs to determine which IAM role is attached to the
-  instance profile.
-* `iam:GetUser` and `iam:GetRole` are used when using the iam auth method and
-  binding to an IAM user or role principal to determine the unique AWS user ID
-  or when using a wildcard on the bound ARN to resolve the full ARN of the user
-  or role.
-* The `sts:AssumeRole` stanza is necessary when you are using [Cross Account
-  Access](#cross-account-access). The `Resource`s specified should be a list of
-  all the roles for which you have configured cross-account access, and each of
-  those roles should have this IAM policy attached (except for the
-  `sts:AssumeRole` statement).
-
-## Client Nonce
-
-Note: this only applies to the ec2 auth method.
-
-If an unintended party gains access to the PKCS#7 signature of the identity
-document (which by default is available to every process and user that gains
-access to an EC2 instance), it can impersonate that instance and fetch a Vault
-token. The method addresses this problem by using a Trust On First Use (TOFU)
-mechanism that allows the first client to present the PKCS#7 signature of the
-document to be authenticated and denying the rest. An important property of
-this design is detection of unauthorized access: if an unintended party authenticates,
-the intended client will be unable to authenticate and can raise an alert for
-investigation.
-
-During the first login, the method stores the instance ID that authenticated
-in a `whitelist`. One method of operation of the method is to disallow any
-authentication attempt for an instance ID contained in the whitelist, using the
-`disallow_reauthentication` option on the role, meaning that an instance is
-allowed to login only once. However, this has consequences for token rotation,
-as it means that once a token has expired, subsequent authentication attempts
-would fail. By default, reauthentication is enabled in this method, and can be
-turned off using `disallow_reauthentication` parameter on the registered role.
-
-In the default method of operation, the method will return a unique nonce
-during the first authentication attempt, as part of auth `metadata`. Clients
-should present this `nonce` for subsequent login attempts and it should match
-the `nonce` cached at the identity-whitelist entry at the method. Since only
-the original client knows the `nonce`, only the original client is allowed to
-reauthenticate. (This is the reason that this is a whitelist rather than a
-blacklist; by default, it's keeping track of clients allowed to reauthenticate,
-rather than those that are not.). Clients can choose to provide a `nonce` even
-for the first login attempt, in which case the provided `nonce` will be tied to
-the cached identity-whitelist entry. It is recommended to use a strong `nonce`
-value in this case.
-
-It is up to the client to behave correctly with respect to the nonce; if the
-client stores the nonce on disk it can survive reboots, but could also give
-access to other users or applications on the instance. It is also up to the
-operator to ensure that client nonces are in fact unique; sharing nonces allows
-a compromise of the nonce value to enable an attacker that gains access to any
-EC2 instance to imitate the legitimate client on that instance. This is why
-nonces can be disabled on the method side in favor of only a single
-authentication per instance; in some cases, such as when using ASGs, instances
-are immutable and single-boot anyways, and in conjunction with a high max TTL,
-reauthentication may not be needed (and if it is, the instance can simply be
-shut down and allow ASG to start a new one).
-
-In both cases, entries can be removed from the whitelist by instance ID,
-allowing reauthentication by a client if the nonce is lost (or not used) and an
-operator approves the process.
-
-One other point: if available by the OS/distribution being used with the EC2
-instance, it is not a bad idea to firewall access to the signed PKCS#7 metadata
-to ensure that it is accessible only to the matching user(s) that require
-access.
-
-The client nonce which is generated by the backend and which gets returned
-along with the authentication response, will be audit logged in plaintext. If
-this is undesired, clients can supply a custom nonce to the login endpoint
-which will not be returned and hence will not be audit logged.
-
-## Advanced Options and Caveats
-
-### Dynamic Management of Policies Via Role Tags
-
-Note: This only applies to the ec2 auth method or the iam auth method when
-inferencing is used.
-
-If the instance is required to have customized set of policies based on the
-role it plays, the `role_tag` option can be used to provide a tag to set on
-instances, for a given role. When this option is set, during login, along with
-verification of PKCS#7 signature and instance health, the method will query
-for the value of a specific tag with the configured key that is attached to the
-instance. The tag holds information that represents a *subset* of privileges that
-are set on the role and are used to further restrict the set of the role's
-privileges for that particular instance.
-
-A `role_tag` can be created using `auth/aws/role/<role>/tag` endpoint
-and is immutable. The information present in the tag is SHA256 hashed and HMAC
-protected. The per-role key to HMAC is only maintained in the method. This prevents
-an adversarial operator from modifying the tag when setting it on the EC2 instance
-in order to escalate privileges.
-
-When 'role_tag' option is enabled on a role, the instances are required to have a
-role tag. If the tag is not found on the EC2 instance, authentication will fail.
-This is to ensure that privileges of an instance are never escalated for not
-having the tag on it or for getting the tag removed. If the role tag creation does
-not specify the policy component, the client will inherit the allowed policies set
-on the role. If the role tag creation specifies the policy component but it contains
-no policies, the token will contain only the `default` policy; by default, this policy
-allows only manipulation (revocation, renewal, lookup) of the existing token, plus
-access to its [cubbyhole](/docs/secrets/cubbyhole/index.html).
-This can be useful to allow instances access to a secure "scratch space" for
-storing data (via the token's cubbyhole) but without granting any access to
-other resources provided by or resident in Vault.
-
-### Handling Lost Client Nonces
-
-Note: This only applies to the ec2 auth method.
-
-If an EC2 instance loses its client nonce (due to a reboot, a stop/start of the
-client, etc.), subsequent login attempts will not succeed. If the client nonce
-is lost, normally the only option is to delete the entry corresponding to the
-instance ID from the identity `whitelist` in the method. This can be done via
-the `auth/aws/identity-whitelist/<instance_id>` endpoint. This allows a new
-client nonce to be accepted by the method during the next login request.
-
-Under certain circumstances there is another useful setting. When the instance
-is placed onto a host upon creation, it is given a `pendingTime` value in the
-instance identity document (documentation from AWS does not cover this option,
-unfortunately). If an instance is stopped and started, the `pendingTime` value
-is updated (this does not apply to reboots, however).
-
-The method can take advantage of this via the `allow_instance_migration`
-option, which is set per-role. When this option is enabled, if the client nonce
-does not match the saved nonce, the `pendingTime` value in the instance
-identity document will be checked; if it is newer than the stored `pendingTime`
-value, the method assumes that the client was stopped/started and allows the
-client to log in successfully, storing the new nonce as the valid nonce for
-that client. This essentially re-starts the TOFU mechanism any time the
-instance is stopped and started, so should be used with caution. Just like with
-initial authentication, the legitimate client should have a way to alert (or an
-alert should trigger based on its logs) if it is denied authentication.
-
-Unfortunately, the `allow_instance_migration` only helps during stop/start
-actions; the current metadata does not provide for a way to allow this
-automatic behavior during reboots. The method will be updated if this needed
-metadata becomes available.
-
-The `allow_instance_migration` option is set per-role, and can also be
-specified in a role tag. Since role tags can only restrict behavior, if the
-option is set to `false` on the role, a value of `true` in the role tag takes
-effect; however, if the option is set to `true` on the role, a value set in the
-role tag has no effect.
-
-### Disabling Reauthentication
-
-Note: this only applies to the ec2 auth method.
-
-If in a given organization's architecture, a client fetches a long-lived Vault
-token and has no need to rotate the token, all future logins for that instance
-ID can be disabled. If the option `disallow_reauthentication` is set, only one
-login will be allowed per instance. If the intended client successfully
-retrieves a token during login, it can be sure that its token will not be
-hijacked by another entity.
-
-When `disallow_reauthentication` option is enabled, the client can choose not
-to supply a nonce during login, although it is not an error to do so (the nonce
-is simply ignored). Note that reauthentication is enabled by default. If only
-a single login is desired, `disallow_reauthentication` should be set explicitly
-on the role or on the role tag.
-
-The `disallow_reauthentication` option is set per-role, and can also be
-specified in a role tag. Since role tags can only restrict behavior, if the
-option is set to `false` on the role, a value of `true` in the role tag takes
-effect; however, if the option is set to `true` on the role, a value set in the
-role tag has no effect.
-
-### Blacklisting Role Tags
-
-Note: this only applies to the ec2 auth method or the iam auth method
-when inferencing is used.
-
-Role tags are tied to a specific role, but the method has no control over, which
-instances using that role, should have any particular role tag; that is purely up
-to the operator. Although role tags are only restrictive (a tag cannot escalate
-privileges above what is set on its role), if a role tag is found to have been
-used incorrectly, and the administrator wants to ensure that the role tag has no
-further effect, the role tag can be placed on a `blacklist` via the endpoint
-`auth/aws/roletag-blacklist/<role_tag>`. Note that this will not invalidate the
-tokens that were already issued; this only blocks any further login requests from
-those instances that have the blacklisted tag attached to them.
-
-### Expiration Times and Tidying of `blacklist` and `whitelist` Entries
-
-The expired entries in both identity `whitelist` and role tag `blacklist` are
-deleted automatically. The entries in both of these lists contain an expiration
-time which is dynamically determined by three factors: `max_ttl` set on the role,
-`max_ttl` set on the role tag, and `max_ttl` value of the method mount. The
-least of these three dictates the maximum TTL of the issued token, and
-correspondingly will be set as the expiration times of these entries.
-
-The endpoints `auth/aws/tidy/identity-whitelist` and `auth/aws/tidy/roletag-blacklist` are
-provided to clean up the entries present in these lists. These endpoints allow
-defining a safety buffer, such that an entry must not only be expired, but be
-past expiration by the amount of time dictated by the safety buffer in order
-to actually remove the entry.
-
-Automatic deletion of expired entries is performed by the periodic function
-of the method. This function does the tidying of both blacklist role tags
-and whitelist identities. Periodic tidying is activated by default and will
-have a safety buffer of 72 hours, meaning only those entries are deleted which
-were expired before 72 hours from when the tidy operation is being performed.
-This can be configured via `config/tidy/roletag-blacklist` and `config/tidy/identity-whitelist`
-endpoints.
-
-### Varying Public Certificates
-
-Note: this only applies to the ec2 auth method.
-
-The AWS public certificate, which contains the public key used to verify the
-PKCS#7 signature, varies for different AWS regions. The primary AWS public
-certificate, which covers most AWS regions, is already included in Vault and
-does not need to be added. Instances whose PKCS#7 signatures cannot be
-verified by the default public certificate included in Vault can register a
-different public certificate which can be found [here]
-(http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
-via the `auth/aws/config/certificate/<cert_name>` endpoint.
-
-### Dangling Tokens
-
-An EC2 instance, after authenticating itself with the method, gets a Vault token.
-After that, if the instance terminates or goes down for any reason, the method
-will not be aware of such events. The token issued will still be valid, until
-it expires. The token will likely be expired sooner than its lifetime when the
-instance fails to renew the token on time.
-
-### Cross Account Access
-
-To allow Vault to authenticate IAM principals and EC2 instances in other
-accounts, Vault supports using AWS STS (Security Token Service) to assume AWS
-IAM Roles in other accounts. For each target AWS account ID, you configure the
-IAM Role for Vault to assume using the `auth/aws/config/sts/<account_id>` and
-Vault will use credentials from assuming that role to validate IAM principals
-and EC2 instances in the target account.
-
-The account in which Vault is running (i.e. the master account) must be listed as
-a trusted entity in the IAM Role being assumed on the remote account. The Role itself
-should allow the permissions specified in the [Recommended Vault IAM
-Policy](#recommended-vault-iam-policy) except it doesn't need any further
-`sts:AssumeRole` permissions.
-
-Furthermore, in the master account, Vault must be granted the action `sts:AssumeRole`
-for the IAM Role to be assumed.
-
-## Authentication
-
-### Via the CLI
-
-#### Enable AWS EC2 authentication in Vault.
-
-```
-$ vault auth enable aws
-```
-
-#### Configure the credentials required to make AWS API calls
-
-If not specified, Vault will attempt to use standard environment variables
-(`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`) or IAM EC2 instance role
-credentials if available.
-
-The IAM account or role to which the credentials map must allow the
-`ec2:DescribeInstances` action. In addition, if IAM Role binding is used (see
-`bound_iam_role_arn` below), `iam:GetInstanceProfile` must also be allowed.
-
-```
-$ vault write auth/aws/config/client secret_key=vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj access_key=VKIAJBRHKH6EVTTNXDHA
-```
-
-#### Configure the policies on the role.
-
-```
-$ vault write auth/aws/role/dev-role auth_type=ec2 bound_ami_id=ami-fce3c696 policies=prod,dev max_ttl=500h
-
-$ vault write auth/aws/role/dev-role-iam auth_type=iam \
-              bound_iam_principal_arn=arn:aws:iam::123456789012:role/MyRole policies=prod,dev max_ttl=500h
-```
-
-#### Configure a required X-Vault-AWS-IAM-Server-ID Header (recommended)
-
-```
-$ vault write auth/aws/config/client iam_server_id_header_value=vault.example.com
-```
-
-
-#### Perform the login operation
-
-```
-$ vault write auth/aws/login role=dev-role \
-pkcs7=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggGmewogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVsbCwKICAicHJpdmF0ZUlwIiA6ICIxNzIuMzEuNjMuNjAiLAogICJhdmFpbGFiaWxpdHlab25lIiA6ICJ1cy1lYXN0LTFjIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3RhbmNlSWQiIDogImktZGUwZjEzNDQiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVsbCwKICAiaW5zdGFuY2VUeXBlIiA6ICJ0Mi5taWNybyIsCiAgImFjY291bnRJZCIgOiAiMjQxNjU2NjE1ODU5IiwKICAiaW1hZ2VJZCIgOiAiYW1pLWZjZTNjNjk2IiwKICAicGVuZGluZ1RpbWUiIDogIjIwMTYtMDQtMDVUMTY6MjY6NTVaIiwKICAiYXJjaGl0ZWN0dXJlIiA6ICJ4ODZfNjQiLAogICJrZXJuZWxJZCIgOiBudWxsLAogICJyYW1kaXNrSWQiIDogbnVsbCwKICAicmVnaW9uIiA6ICJ1cy1lYXN0LTEiCn0AAAAAAAAxggEXMIIBEwIBATBpMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQwIJAJa6SNnlXhpnMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjA0MDUxNjI3MDBaMCMGCSqGSIb3DQEJBDEWBBRtiynzMTNfTw1TV/d8NvfgVw+XfTAJBgcqhkjOOAQDBC4wLAIUVfpVcNYoOKzN1c+h1Vsm/c5U0tQCFAK/K72idWrONIqMOVJ8Uen0wYg4AAAAAAAA nonce=5defbf9e-a8f9-3063-bdfc-54b7a42a1f95
-```
-
-For the iam auth method, generating the signed request is a non-standard
-operation. The Vault cli supports generating this for you:
-
-```
-$ vault login -method=aws header_value=vault.example.com role=dev-role-iam
-```
-
-This assumes you have AWS credentials configured in the standard locations AWS
-SDKs search for credentials (environment variables, ~/.aws/credentials, IAM
-instance profile, or ECS task role, in that order). If you do not have IAM
-credentials available at any of these locations, you can explicitly pass them
-in on the command line (though this is not recommended), omitting
-`aws_security_token` if not applicable.
-
-```
-$ vault login -method=aws header_value=vault.example.com role=dev-role-iam \
-        aws_access_key_id=<access_key> \
-        aws_secret_access_key=<secret_key> \
-        aws_security_token=<security_token>
-```
-
-The region used defaults to `us-east-1`, but you can specify a custom region like so:
-```
-$ vault login -method=aws region=us-west-2 role=dev-role-iam
-```
-When using a custom region, be sure the designated region corresponds to that of the 
-STS endpoint you're using.
-
-An example of how to generate the required request values for the `login` method
-can be found found in the [vault cli
-source code](https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go).
-Using an approach such as this, the request parameters can be generated and
-passed to the `login` method:
-
-```
-$ vault write auth/aws/login role=dev-role-iam \
-        iam_http_request_method=POST \
-        iam_request_url=aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8= \
-        iam_request_body=QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ== \
-        iam_request_headers=eyJDb250ZW50LUxlbmd0aCI6IFsiNDMiXSwgIlVzZXItQWdlbnQiOiBbImF3cy1zZGstZ28vMS40LjEyIChnbzEuNy4xOyBsaW51eDsgYW1kNjQpIl0sICJYLVZhdWx0LUFXU0lBTS1TZXJ2ZXItSWQiOiBbInZhdWx0LmV4YW1wbGUuY29tIl0sICJYLUFtei1EYXRlIjogWyIyMDE2MDkzMFQwNDMxMjFaIl0sICJDb250ZW50LVR5cGUiOiBbImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD11dGYtOCJdLCAiQXV0aG9yaXphdGlvbiI6IFsiQVdTNC1ITUFDLVNIQTI1NiBDcmVkZW50aWFsPWZvby8yMDE2MDkzMC91cy1lYXN0LTEvc3RzL2F3czRfcmVxdWVzdCwgU2lnbmVkSGVhZGVycz1jb250ZW50LWxlbmd0aDtjb250ZW50LXR5cGU7aG9zdDt4LWFtei1kYXRlO3gtdmF1bHQtc2VydmVyLCBTaWduYXR1cmU9YTY5ZmQ3NTBhMzQ0NWM0ZTU1M2UxYjNlNzlkM2RhOTBlZWY1NDA0N2YxZWI0ZWZlOGZmYmM5YzQyOGMyNjU1YiJdfQ==
-```
-
-### Via the API
-
-#### Enable AWS authentication in Vault.
-
-```
-curl -X POST -H "X-Vault-Token:123" "http://127.0.0.1:8200/v1/sys/auth/aws" -d '{"type":"aws"}'
-```
-
-#### Configure the credentials required to make AWS API calls.
-
-```
-curl -X POST -H "X-Vault-Token:123" "http://127.0.0.1:8200/v1/auth/aws/config/client" -d '{"access_key":"VKIAJBRHKH6EVTTNXDHA", "secret_key":"vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj"}'
-```
-
-#### Configure the policies on the role.
-
-```
-curl -X POST -H "X-Vault-Token:123" "http://127.0.0.1:8200/v1/auth/aws/role/dev-role -d '{"bound_ami_id":"ami-fce3c696","policies":"prod,dev","max_ttl":"500h"}'
-
-curl -X POST -H "X-Vault-Token:123" "http://127.0.0.1:8200/v1/auth/aws/role/dev-role-iam -d '{"auth_type":"iam","policies":"prod,dev","max_ttl":"500h","bound_iam_principal_arn":"arn:aws:iam::123456789012:role/MyRole"}'
-```
-
-#### Perform the login operation
-
-```
-curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev-role","pkcs7":"'$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')'","nonce":"5defbf9e-a8f9-3063-bdfc-54b7a42a1f95"}'
-
-curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev", "iam_http_request_method": "POST", "iam_request_url": "aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=", "iam_request_body": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==", "iam_request_headers": "eyJDb250ZW50LUxlbmd0aCI6IFsiNDMiXSwgIlVzZXItQWdlbnQiOiBbImF3cy1zZGstZ28vMS40LjEyIChnbzEuNy4xOyBsaW51eDsgYW1kNjQpIl0sICJYLVZhdWx0LUFXU0lBTS1TZXJ2ZXItSWQiOiBbInZhdWx0LmV4YW1wbGUuY29tIl0sICJYLUFtei1EYXRlIjogWyIyMDE2MDkzMFQwNDMxMjFaIl0sICJDb250ZW50LVR5cGUiOiBbImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD11dGYtOCJdLCAiQXV0aG9yaXphdGlvbiI6IFsiQVdTNC1ITUFDLVNIQTI1NiBDcmVkZW50aWFsPWZvby8yMDE2MDkzMC91cy1lYXN0LTEvc3RzL2F3czRfcmVxdWVzdCwgU2lnbmVkSGVhZGVycz1jb250ZW50LWxlbmd0aDtjb250ZW50LXR5cGU7aG9zdDt4LWFtei1kYXRlO3gtdmF1bHQtc2VydmVyLCBTaWduYXR1cmU9YTY5ZmQ3NTBhMzQ0NWM0ZTU1M2UxYjNlNzlkM2RhOTBlZWY1NDA0N2YxZWI0ZWZlOGZmYmM5YzQyOGMyNjU1YiJdfQ==" }'
-```
-
-The response will be in JSON. For example:
-
-```javascript
-{
-  "auth": {
-    "renewable": true,
-    "lease_duration": 72000,
-    "metadata": {
-      "role_tag_max_ttl": "0s",
-      "role": "ami-f083709d",
-      "region": "us-east-1",
-      "nonce": "5defbf9e-a8f9-3063-bdfc-54b7a42a1f95",
-      "instance_id": "i-a832f734",
-      "ami_id": "ami-f083709d"
-    },
-    "policies": [
-      "default",
-      "dev",
-      "prod"
-    ],
-    "accessor": "5cd96cd1-58b7-2904-5519-75ddf957ec06",
-    "client_token": "150fc858-2402-49c9-56a5-f4b57f2c8ff1"
-  },
-  "warnings": null,
-  "wrap_info": null,
-  "data": null,
-  "lease_duration": 0,
-  "renewable": false,
-  "lease_id": "",
-  "request_id": "d7d50c06-56b8-37f4-606c-ccdc87a1ee4c"
-}
-```
-
-## API
-
-The AWS auth method has a full HTTP API. Please see the
-[AWS Auth API](/api/auth/aws/index.html) for more
-details.
diff --git a/website/source/docs/auth/azure.html.md b/website/source/docs/auth/azure.html.md
deleted file mode 100644
index 925b22edff6b..000000000000
--- a/website/source/docs/auth/azure.html.md
+++ /dev/null
@@ -1,205 +0,0 @@
----
-layout: "docs"
-page_title: "Azure - Auth Methods"
-sidebar_title: "Azure"
-sidebar_current: "docs-auth-azure"
-description: |-
-  The azure auth method plugin allows automated authentication of Azure Active
-  Directory.
----
-
-# Azure Auth Method
-
-The `azure` auth method allows authentication against Vault using
-Azure Active Directory credentials. It treats Azure as a Trusted Third Party 
-and expects a [JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519) 
-signed by Azure Active Directory for the configured tenant.
-
-Currently supports authentication for:
-
-  * [Azure Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview)
-
-## Prerequisites:
-
-The following documentation assumes that the method has been
-[mounted](/docs/plugin/index.html) at `auth/azure`.
-
-* A configured [Azure AD application](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications) which is used as the resource for generating MSI access tokens.
-* Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See [Azure AD Service to Service Client Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
-
-Required Azure API permissions to be granted to Vault user:
-
-* `Microsoft.Compute/virtualMachines/*/read`
-* `Microsoft.Compute/virtualMachineScaleSets/*/read`
-
-If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret.  MSI must be [enabled](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/qs-configure-portal-windows-vm) on the VMs hosting Vault. 
-
-The next sections review how the authN/Z workflows work. If you
-have already reviewed these sections, here are some quick links to:
-
-  * [Usage](#usage)
-  * [API documentation](/api/auth/azure/index.html) docs.
-
-## Authentication
-
-### Via the CLI
-
-The default path is `/auth/azure`. If this auth method was enabled at a different
-path, specify `auth/my-path/login` instead.
-
-```text
-$ vault write auth/azure/login \
-    role="dev-role" \
-    jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-    subscription_id="12345-..." \
-    resource_group_name="test-group" \
-    vm_name="test-vm"
-```
-
-The `role` and `jwt` parameters are required. When using bound_service_principal_ids and bound_groups in the token roles, all the information is required in the JWT.  When using other bound_* parameters, calls to Azure APIs will be made and subscription id, resource group name, and vm name are all required and can be obtained through instance metadata.
-
-For example:
-
-```text
-$ vault write auth/azure/login role="dev-role" \
-     jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.hashicorp.com%2F' -H Metadata:true | jq -r '.access_token')" \
-     subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .subscriptionId')  \
-     resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .resourceGroupName') \
-     vm_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.compute | .name')
-```
-
-### Via the API
-
-The default endpoint is `auth/azure/login`. If this auth method was enabled
-at a different path, use that value instead of `azure`.
-
-```sh
-$ curl \
-    --request POST \
-    --data '{"role": "dev-role", "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}' \
-    https://127.0.0.1:8200/v1/auth/azure/login
-```
-
-The response will contain the token at `auth.client_token`:
-
-```json
-{
-  "auth": {
-    "client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
-    "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
-    "policies": [
-      "default",
-      "dev",
-      "prod"
-    ],
-    "lease_duration": 2764800,
-    "renewable": true
-  }
-}
-```
-
-## Configuration
-
-Auth methods must be configured in advance before machines can authenticate.
-These steps are usually completed by an operator or configuration management 
-tool.
-
-### Via the CLI
-
-1. Enable Azure authentication in Vault:
-
-    ```text
-    $ vault auth enable azure
-    ```
-
-1. Configure the Azure auth method:
-
-    ```text
-    $ vault write auth/azure/config \
-        tenant_id=7cd1f227-ca67-4fc6-a1a4-9888ea7f388c \
-        resource=https://vault.hashicorp.com \
-        client_id=dd794de4-4c6c-40b3-a930-d84cd32e9699 \
-        client_secret=IT3B2XfZvWnfB98s1cie8EMe7zWg483Xy8zY004=
-    ```
-
-    For the complete list of configuration options, please see the API
-    documentation.
-
-1. Create a role:
-
-    ```text
-    $ vault write auth/azure/role/dev-role \
-        policies="prod,dev" \
-        bound_subscription_ids=6a1d5988-5917-4221-b224-904cd7e24a25 \
-        bound_resource_groups=vault
-    ```
-
-    Roles are associated with an authentication type/entity and a set of Vault
-    policies. Roles are configured with constraints specific to the
-    authentication type, as well as overall constraints and configuration for
-    the generated auth tokens.
-
-    For the complete list of role options, please see the [API documentation](/api/auth/azure/index.html).
-
-### Via the API
-
-1. Enable Azure authentication in Vault:
-
-    ```sh
-    $ curl \
-        --header "X-Vault-Token: ..." \
-        --request POST \
-        --data '{"type": "azure"}' \
-        https://127.0.0.1:8200/v1/sys/auth/azure
-    ```
-
-1. Configure the Azure auth method:
-
-    ```sh
-    $ curl \
-        --header "X-Vault-Token: ..." \
-        --request POST \
-        --data '{"tenant_id": "...", "resource": "..."}' \
-        https://127.0.0.1:8200/v1/auth/azure/config
-    ```
-
-1. Create a role:
-
-    ```sh
-    $ curl \
-        --header "X-Vault-Token: ..." \
-        --request POST \
-        --data '{"policies": ["dev", "prod"], ...}' \
-        https://127.0.0.1:8200/v1/auth/azure/role/dev-role
-    ```
-
-### Plugin Setup
-
-~> The following section is only relevant if you decide to enable the azure auth
-method as an external plugin. The azure plugin method is integrated into Vault as
-a builtin method by default.
-
-Assuming you have saved the binary `vault-plugin-auth-azure` to some folder and
-configured the [plugin directory](/docs/internals/plugins.html#plugin-directory)
-for your server at `path/to/plugins`:
-
-
-1. Enable the plugin in the catalog:
-
-    ```text
-    $ vault write sys/plugins/catalog/auth/azure-auth \
-        command="vault-plugin-auth-azure" \
-        sha256="..."
-    ```
-
-1. Enable the azure auth method as a plugin:
-
-    ```text
-    $ vault auth enable -path=azure azure-auth
-    ```
-
-## API
-
-The Azure Auth Plugin has a full HTTP API. Please see the [API documentation]
-(/api/auth/azure/index.html) for more details.
-
diff --git a/website/source/docs/auth/cert.html.md b/website/source/docs/auth/cert.html.md
deleted file mode 100644
index 4f610d6d7657..000000000000
--- a/website/source/docs/auth/cert.html.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-layout: "docs"
-page_title: "TLS Certificates - Auth Methods"
-sidebar_title: "TLS Certificates"
-sidebar_current: "docs-auth-cert"
-description: |-
-  The "cert" auth method allows users to authenticate with Vault using TLS client certificates.
----
-
-# TLS Certificates Auth Method
-
-The `cert` auth method allows authentication using SSL/TLS client certificates
-which are either signed by a CA or self-signed.
-
-The trusted certificates and CAs are configured directly to the auth method
-using the `certs/` path. This method cannot read trusted certificates from an
-external source.
-
-CA certificates are associated with a role; role names and CRL names are normalized to
-lower-case.
-
-Please note that to use this auth method, `tls_disable` must be false in the Vault 
-configuration. This is because the certificates are sent through TLS communication itself.
-
-## Revocation Checking
-
-Since Vault 0.4, the method supports revocation checking.
-
-An authorised user can submit PEM-formatted CRLs identified by a given name;
-these can be updated or deleted at will. (Note: Vault **does not** fetch CRLs;
-the CRLs themselves and any updates must be pushed into Vault when desired,
-such as via a `cron` job that fetches them from the source and pushes them into
-Vault.)
-
-When there are CRLs present, at the time of client authentication:
-
-* If the client presents any chain where no certificate in the chain matches a
-  revoked serial number, authentication is allowed
-
-* If there is no chain presented by the client without a revoked serial number,
-  authentication is denied
-
-This method provides good security while also allowing for flexibility. For
-instance, if an intermediate CA is going to be retired, a client can be
-configured with two certificate chains: one that contains the initial
-intermediate CA in the path, and the other that contains the replacement. When
-the initial intermediate CA is revoked, the chain containing the replacement
-will still allow the client to successfully authenticate.
-
-**N.B.**: Matching is performed by *serial number only*. For most CAs,
-including Vault's `pki` method, multiple CRLs can successfully be used as
-serial numbers are globally unique. However, since RFCs only specify that
-serial numbers must be unique per-CA, some CAs issue serial numbers in-order,
-which may cause clashes if attempting to use CRLs from two such CAs in the same
-mount of the method. The workaround here is to mount multiple copies of the
-`cert` method, configure each with one CA/CRL, and have clients connect to the
-appropriate mount.
-
-In addition, since the method does not fetch the CRLs itself, the CRL's
-designated time to next update is not considered. If a CRL is no longer in use,
-it is up to the administrator to remove it from the method.
-
-## Authentication
-
-### Via the CLI
-
-The below requires Vault to present a certificate signed by `ca.pem` and
-presents `cert.pem` (using `key.pem`) to authenticate against the `web` cert
-role. Note that the name of `web` ties out with the configuration example 
-below writing to a path of `auth/cert/certs/web`. If a certificate role name 
-is not specified, the auth method will try to authenticate against all trusted 
-certificates.
-
-```
-$ vault login \
-    -method=cert \
-    -ca-cert=ca.pem \
-    -client-cert=cert.pem \
-    -client-key=key.pem \
-    name=web
-```
-
-### Via the API
-
-The endpoint for the login is `/login`. The client simply connects with their
-TLS certificate and when the login endpoint is hit, the auth method will
-determine if there is a matching trusted certificate to authenticate the client.
-Optionally, you may specify a single certificate role to authenticate against.
-
-```sh
-$ curl \
-    --request POST \
-    --cacert ca.pem \
-    --cert cert.pem \
-    --key key.pem \
-    --data '{"name": "web"}' \
-    https://127.0.0.1:8200/v1/auth/cert/login
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the certificate auth method:
-
-    ```text
-    $ vault auth enable cert
-    ```
-
-1. Configure it with trusted certificates that are allowed to authenticate:
-
-    ```text
-    $ vault write auth/cert/certs/web \
-        display_name=web \
-        policies=web,prod \
-        certificate=@web-cert.pem \
-        ttl=3600
-    ```
-
-    This creates a new trusted certificate "web" with same display name and the
-    "web" and "prod" policies. The certificate (public key) used to verify
-    clients is given by the "web-cert.pem" file. Lastly, an optional `ttl` value
-    can be provided in seconds to limit the lease duration.
-
-## API
-
-The TLS Certificate auth method has a full HTTP API. Please see the
-[TLS Certificate API](/api/auth/cert/index.html) for more details.
diff --git a/website/source/docs/auth/cf.html.md b/website/source/docs/auth/cf.html.md
deleted file mode 100644
index 15bfdc4b5587..000000000000
--- a/website/source/docs/auth/cf.html.md
+++ /dev/null
@@ -1,302 +0,0 @@
----
-layout: "docs"
-page_title: "Cloud Foundry - Auth Methods"
-sidebar_title: "Cloud Foundry"
-sidebar_current: "docs-auth-cf"
-description: |-
-  The cf auth method allows automated authentication of Cloud Foundry instances.
----
-
-# Cloud Foundry (CF) Auth Method
-
-The `cf` auth method provides an automated mechanism to retrieve a Vault token
-for CF instances. It leverages CF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation).
-At a high level, this works as follows:
-
-1. You construct a request to Vault including your `CF_INSTANCE_CERT`, signed by your `CF_INSTANCE_KEY`.
-2. Vault validates that the signature is no more than 300 seconds old, or 60 seconds in the future.
-3. Vault validates that the cert was issued by the CA certificate you've pre-configured.
-4. Vault validates that the request was signed by the private key for the `CF_INSTANCE_CERT`.
-5. Vault validates that the `CF_INSTANCE_CERT` application ID, space ID, and org ID presently exist.
-6. If all checks pass, Vault issues an appropriately-scoped token.
-
-## Known Risks
-
-This authentication engine uses CF's instance identity service to authenticate users to Vault. Because 
-CF makes its CA certificate and private key available to certain users at any time, it's possible for 
-someone with access to them to self-issue identity certificates that meet the criteria for a Vault role, 
-allowing them to gain unintended access to Vault.
-
-For this reason, we recommend that if you enable this auth method, you carefully guard access to the 
-private key for your instance identity CA certificate. In CredHub, it can be obtained through the 
-following call: `$ credhub get -n /cf/diego-instance-identity-root-ca`.
-
-Take extra steps to limit access to that path in CredHub, whether it be through use of CredHub's ACL 
-system, or through carefully limiting the users who can access CredHub.
-
-## Usage
-
-### Preparing to Configure the Plugin
-
-To configure this plugin, you'll need to gather the CA certificate that CF uses to issue each `CF_INSTANCE_CERT`,
-and you'll need to configure it to access the CF API. 
-
-To gain your instance identity CA certificate, in the [cf dev](https://github.com/cloudfoundry-incubator/cfdev)
-environment it can be found using:
-
-```
-$ bosh int --path /diego_instance_identity_ca ~/.cfdev/state/bosh/creds.yml
-```
-
-In environments containing Ops Manager, it can be found in CredHub. To gain access to CredHub, first install
-[the PCF command-line utility](https://docs.pivotal.io/tiledev/2-2/pcf-command.html) and authenticate to it
-using the `metadata` file it describes. These instructions also use [jq](https://stedolan.github.io/jq/) for
-ease of drilling into the particular part of the response you'll need.
-
-Once those steps are complete, get the credentials you'll use for CredHub:
-
-```
-$ pcf settings | jq '.products[0].director_credhub_client_credentials'
-```
-
-SSH into your Ops Manager VM:
-
-```
-$ ssh -i ops_mgr.pem ubuntu@$OPS_MGR_URL
-```
-
-Please note that the above OPS_MGR_URL shouldn't be prepended with `https://`.
-
-Log into CredHub with the credentials you obtained earlier:
-
-```
-$ credhub login --client-name=director_to_credhub --client-secret=some-secret
-```
-
-And view the root certificate CF uses to issue instance identity certificates:
-
-```
-$ credhub get -n /cf/diego-instance-identity-root-ca
-```
-
-The output to that call will include two certificates and one RSA key. You will need to copy the certificate
-under `ca: |` and place it into a file on your local machine that's properly formatted. Here's an example of
-a properly formatted CA certificate:
-
-```
-$ cat ca.crt
------BEGIN CERTIFICATE-----
-MIIDNDCCAhygAwIBAgITPqTy1qvfHNEVuxsl9l1glY85OTANBgkqhkiG9w0BAQsF
-ADAqMSgwJgYDVQQDEx9EaWVnbyBJbnN0YW5jZSBJZGVudGl0eSBSb290IENBMB4X
-DTE5MDYwNjA5MTIwMVoXDTIyMDYwNTA5MTIwMVowKjEoMCYGA1UEAxMfRGllZ28g
-SW5zdGFuY2UgSWRlbnRpdHkgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALa8xGDYT/q3UzEKAsLDajhuHxPpIPFlCXwp6u8U5Qrf427Xof7n
-rXRKzRu3g7E20U/OwzgBi3VZs8T29JGNWeA2k0HtX8oQ+Wc8Qngz9M8t1h9SZlx5
-fGfxPt3x7xozaIGJ8p4HKQH1ZlirL7dzun7Y+7m6Ey8cMVsepqUs64r8+KpCbxKJ
-rV04qtTNlr0LG3yOxSHlip+DDvUVL3jSFz/JDWxwCymiFBAh0QjG1LKp2FisURoX
-GY+HJbf2StpK3i4dYnxQXQlMDpipozK7WFxv3gH4Q6YMZvlmIPidAF8FxfDIsYcq
-TgQ5q0pr9mbu8oKbZ74vyZMqiy+r9vLhbu0CAwEAAaNTMFEwHQYDVR0OBBYEFAHf
-pwqBhZ8/A6ZAvU+p5JPz/omjMB8GA1UdIwQYMBaAFAHfpwqBhZ8/A6ZAvU+p5JPz
-/omjMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADuDJev+6bOC
-v7t9SS4Nd/zeREuF9IKsHDHrYUZBIO1aBQbOO1iDtL4VA3LBEx6fOgN5fbxroUsz
-X9/6PtxLe+5U8i5MOztK+OxxPrtDfnblXVb6IW4EKhTnWesS7R2WnOWtzqRQXKFU
-voBn3QckLV1o9eqzYIE/aob4z0GaVanA9PSzzbVPsX79RCD1B7NmV0cKEQ7IrCrh
-L7ElDV/GlNrtVdHjY0mwz9iu+0YJvxvcHDTERi106b28KXzJz+P5/hyg2wqRXzdI
-faXAjW0kuq5nxyJUALwxD/8pz77uNt4w6WfJoSDM6XrAIhh15K3tZg9EzBmAZ/5D
-jK0RcmCyaXw=
------END CERTIFICATE-----
-```
-
-An easy way to verify that your CA certificate is properly formatted is using OpenSSL like so:
-
-```
-$ openssl x509 -in ca.crt -text -noout
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            3e:a4:f2:d6:ab:df:1c:d1:15:bb:1b:25:f6:5d:60:95:8f:39:39
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Diego Instance Identity Root CA
-        Validity
-            Not Before: Jun  6 09:12:01 2019 GMT
-            Not After : Jun  5 09:12:01 2022 GMT
-        Subject: CN=Diego Instance Identity Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b6:bc:c4:60:d8:4f:fa:b7:53:31:0a:02:c2:c3:
-                    6a:38:6e:1f:13:e9:20:f1:65:09:7c:29:ea:ef:14:
-                    e5:0a:df:e3:6e:d7:a1:fe:e7:ad:74:4a:cd:1b:b7:
-                    83:b1:36:d1:4f:ce:c3:38:01:8b:75:59:b3:c4:f6:
-                    f4:91:8d:59:e0:36:93:41:ed:5f:ca:10:f9:67:3c:
-                    42:78:33:f4:cf:2d:d6:1f:52:66:5c:79:7c:67:f1:
-                    3e:dd:f1:ef:1a:33:68:81:89:f2:9e:07:29:01:f5:
-                    66:58:ab:2f:b7:73:ba:7e:d8:fb:b9:ba:13:2f:1c:
-                    31:5b:1e:a6:a5:2c:eb:8a:fc:f8:aa:42:6f:12:89:
-                    ad:5d:38:aa:d4:cd:96:bd:0b:1b:7c:8e:c5:21:e5:
-                    8a:9f:83:0e:f5:15:2f:78:d2:17:3f:c9:0d:6c:70:
-                    0b:29:a2:14:10:21:d1:08:c6:d4:b2:a9:d8:58:ac:
-                    51:1a:17:19:8f:87:25:b7:f6:4a:da:4a:de:2e:1d:
-                    62:7c:50:5d:09:4c:0e:98:a9:a3:32:bb:58:5c:6f:
-                    de:01:f8:43:a6:0c:66:f9:66:20:f8:9d:00:5f:05:
-                    c5:f0:c8:b1:87:2a:4e:04:39:ab:4a:6b:f6:66:ee:
-                    f2:82:9b:67:be:2f:c9:93:2a:8b:2f:ab:f6:f2:e1:
-                    6e:ed
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                01:DF:A7:0A:81:85:9F:3F:03:A6:40:BD:4F:A9:E4:93:F3:FE:89:A3
-            X509v3 Authority Key Identifier: 
-                keyid:01:DF:A7:0A:81:85:9F:3F:03:A6:40:BD:4F:A9:E4:93:F3:FE:89:A3
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha256WithRSAEncryption
-         3b:83:25:eb:fe:e9:b3:82:bf:bb:7d:49:2e:0d:77:fc:de:44:
-         4b:85:f4:82:ac:1c:31:eb:61:46:41:20:ed:5a:05:06:ce:3b:
-         58:83:b4:be:15:03:72:c1:13:1e:9f:3a:03:79:7d:bc:6b:a1:
-         4b:33:5f:df:fa:3e:dc:4b:7b:ee:54:f2:2e:4c:3b:3b:4a:f8:
-         ec:71:3e:bb:43:7e:76:e5:5d:56:fa:21:6e:04:2a:14:e7:59:
-         eb:12:ed:1d:96:9c:e5:ad:ce:a4:50:5c:a1:54:be:80:67:dd:
-         07:24:2d:5d:68:f5:ea:b3:60:81:3f:6a:86:f8:cf:41:9a:55:
-         a9:c0:f4:f4:b3:cd:b5:4f:b1:7e:fd:44:20:f5:07:b3:66:57:
-         47:0a:11:0e:c8:ac:2a:e1:2f:b1:25:0d:5f:c6:94:da:ed:55:
-         d1:e3:63:49:b0:cf:d8:ae:fb:46:09:bf:1b:dc:1c:34:c4:46:
-         2d:74:e9:bd:bc:29:7c:c9:cf:e3:f9:fe:1c:a0:db:0a:91:5f:
-         37:48:7d:a5:c0:8d:6d:24:ba:ae:67:c7:22:54:00:bc:31:0f:
-         ff:29:cf:be:ee:36:de:30:e9:67:c9:a1:20:cc:e9:7a:c0:22:
-         18:75:e4:ad:ed:66:0f:44:cc:19:80:67:fe:43:8c:ad:11:72:
-         60:b2:69:7c
-```
-
-You will also need to configure access to the CF API. To prepare for this, we will now
-use the [cf](https://docs.cloudfoundry.org/cf-cli/install-go-cli.html) command-line tool.
-
-First, while in the directory containing the `metadata` file you used earlier to authenticate
-to CF, run `$ pcf target`. This points the `cf` tool at the same place as the `pcf` tool. Next,
-run `$ cf api` to view the API endpoint that Vault will use.
-
-Next, configure a user for Vault to use. This plugin was tested with Org Manager level 
-permissions, but lower level permissions _may_ be usable.
-
-```
-$ cf create-user vault pa55w0rd
-$ cf orgs
-$ cf org-users my-example-org
-$ cf set-org-role vault my-example-org OrgManager
-```
-
-Specifically, the `vault` user created here will need to be able to perform the following API calls:
-
-- Method: "GET", endpoint: "/v2/info"
-- Method: "POST", endpoint: "/oauth/token"
-- Method: "GET", endpoint: "/v2/apps/$APP_ID"
-- Method: "GET", endpoint: "/v2/organizations/$ORG_ID"
-- Method: "GET", endpoint: "/v2/spaces/$SPACE_ID"
-
-Next, PCF often uses a self-signed certificate for TLS, which can be rejected at first 
-with an error like:
-
-```
-x509: certificate signed by unknown authority
-```
-
-If you encounter this error, you will need to first gain a copy of the certificate that CF
-is using for the API via:
-
-```
-$ openssl s_client -showcerts -servername domain.com -connect domain.com:443
-```
-
-Here is an example of a real call:
-
-```
-$ openssl s_client -showcerts -servername api.sys.somewhere.cf-app.com -connect api.sys.somewhere.cf-app.com:443
-```
-
-Part of the response will contain a certificate, which you'll need to copy and paste to
-a well-formatted local file. Please see `ca.crt` above for an example of how the certificate
-should look, and how to verify it can be parsed using `openssl`. The walkthrough below presumes
-you name this file `cfapi.crt`.
-
-### Walkthrough
-
-After obtaining the information described above, a Vault operator will configure the CF auth method
-like so:
-
-```
-$ vault auth enable cf
-
-$ vault write auth/cf/config \
-      identity_ca_certificates=@ca.crt \
-      cf_api_addr=https://api.dev.cfdev.sh \
-      cf_username=vault \
-      cf_password=pa55w0rd \
-      cf_api_trusted_certificates=@cfapi.crt
-      
-$ vault write auth/cf/roles/my-role \
-    bound_application_ids=2d3e834a-3a25-4591-974c-fa5626d5d0a1 \
-    bound_space_ids=3d2eba6b-ef19-44d5-91dd-1975b0db5cc9 \
-    bound_organization_ids=34a878d0-c2f9-4521-ba73-a9f664e82c7bf \
-    policies=my-policy
-```
-
-Once configured, from a CF instance containing real values for the `CF_INSTANCE_CERT` and 
-`CF_INSTANCE_KEY`, login can be performed using:
-
-```
-$ vault login -method=cf role=test-role
-```
-
-For CF, we do also offer an agent that, once configured, can be used to obtain a Vault token on
-your behalf.
-
-### Maintenance
-
-In testing we found that CF instance identity CA certificates were set to expire in 3 years. Some
-CF docs indicate they expire every 4 years. However long they last, at some point you may need 
-to add another CA certificate - one that's soon to expire, and one that is currently or soon-to-be
-valid. 
-
-```
-$ CURRENT=$(cat /path/to/current-ca.crt)
-$ FUTURE=$(cat /path/to/future-ca.crt)
-$ vault write auth/vault-plugin-auth-cf/config identity_ca_certificates="$CURRENT,$FUTURE"
-```
-
-If Vault receives a `CF_INSTANCE_CERT` matching _any_ of the `identity_ca_certificates`,
-the instance cert will be considered valid.
-
-A similar approach can be taken to update the `cf_api_trusted_certificates`.
-
-### Troubleshooting At-A-Glance
-
-If you receive an error containing `x509: certificate signed by unknown authority`, set 
-`cf_api_trusted_certificates` as described above.
-
-If you're unable to authenticate using the `CF_INSTANCE_CERT`, first obtain a current copy
-of your `CF_INSTANCE_CERT` and copy it to your local environment. Then divide it into two 
-files, each being a distinct certificate. The first certificate tends to be the actual 
-`identity.crt`, and the second one tends to be the `intermediate.crt`. Verify each are 
-properly named and formatted using a command like:
-
-```
-$ openssl x509 -in ca.crt -text -noout
-```
-
-Then, verify that the certificates are properly chained to the `ca.crt` you've configured:
-
-```
-$ openssl verify -CAfile ca.crt -untrusted intermediate.crt identity.crt
-```
-
-This should show a success response. If it doesn't, try to identify the root cause, be it
-an expired certificate, an incorrect `ca.crt`, or a Vault configuration that doesn't 
-match the certificates you're checking.
-
-## API
-
-The CF auth method has a full HTTP API. Please see the [CF Auth API](/api/auth/cf/index.html) 
-for more details.
diff --git a/website/source/docs/auth/gcp.html.md b/website/source/docs/auth/gcp.html.md
deleted file mode 100644
index 0f7dadb94add..000000000000
--- a/website/source/docs/auth/gcp.html.md
+++ /dev/null
@@ -1,353 +0,0 @@
----
-layout: "docs"
-page_title: "Google Cloud - Auth Methods"
-sidebar_title: "Google Cloud"
-sidebar_current: "docs-auth-gcp"
-description: |-
-  The "gcp" auth method allows users and machines to authenticate to Vault using
-  Google Cloud service accounts.
----
-
-# Google Cloud Auth Method
-
-The `gcp` auth method allows Google Cloud Platform entities to authenticate to
-Vault. Vault treats Google Cloud as a trusted third party and verifies
-authenticating entities against the Google Cloud APIs. This backend allows for
-authentication of:
-
-- Google Cloud IAM service accounts
-- Google Compute Engine (GCE) instances
-
-This backend focuses on identities specific to Google _Cloud_ and does not
-support authenticating arbitrary Google or G Suite users or generic OAuth
-against Google.
-
-This plugin is developed in a separate GitHub repository at
-[hashicorp/vault-plugin-auth-gcp][repo],
-but is automatically bundled in Vault releases. Please file all feature
-requests, bugs, and pull requests specific to the GCP plugin under that
-repository.
-
-
-## Authenticate
-
-### Via the CLI Helper
-
-Vault includes a CLI helper that obtains a signed JWT locally and sends the
-request to Vault. This helper is only available for IAM-type roles.
-
-```text
-$ vault login -method=gcp \
-    role="my-role" \
-    service_account="authenticating-account@my-project.iam.gserviceaccount.com" \
-    project="my-project" \
-    jwt_exp="15m" \
-    credentials=@path/to/signer/credentials.json
-```
-
-For more usage information, run `vault auth help gcp`.
-
-### Via the CLI
-
-```text
-$ vault write -field=token auth/gcp/login \
-    role="my-role" \
-    jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-```
-
-See [Generating JWTs](#generating-jwts) for ways to obtain the JWT token.
-
-### Via the API
-
-```text
-$ curl \
-    --request POST \
-    --data '{"role":"my-role", "jwt":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}' \
-    http://127.0.0.1:8200/v1/auth/gcp/login
-```
-
-See [API docs][api-docs] for expected response.
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the Google Cloud auth method:
-
-    ```text
-    $ vault auth enable gcp
-    ```
-
-1. Configure the auth method credentials:
-
-    ```text
-    $ vault write auth/gcp/config \
-        credentials=@/path/to/credentials.json
-    ```
-
-    If you are using instance credentials or want to specify credentials via
-    an environment variable, you can skip this step. To learn more, see the
-    [Google Cloud Authentication](#google-cloud-authentication) section below.
-
-1. Create a named role:
-
-    For an `iam`-type role:
-
-    ```text
-    $ vault write auth/gcp/role/my-iam-role \
-        type="iam" \
-        policies="dev,prod" \
-        bound_service_accounts="my-service@my-project.iam.gserviceaccount.com"
-    ```
-
-    For a `gce`-type role:
-
-    ```text
-    $ vault write auth/gcp/role/my-gce-role \
-        type="gce" \
-        policies="dev,prod" \
-        bound_projects="my-project1,my-project2" \
-        bound_zones="us-east1-b" \
-        bound_labels="foo:bar,zip:zap"
-    ```
-
-    For the complete list of configuration options for each type, please see the
-    [API documentation][api-docs].
-
-
-## Authentication
-
-The Google Cloud Vault auth method uses the official Google Cloud Golang SDK.
-This means it supports the common ways of [providing credentials to Google
-Cloud][cloud-creds].
-
-1. The environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
-as the **path** to a Google Cloud credentials file, typically for a service
-account. If this environment variable is present, the resulting credentials are
-used. If the credentials are invalid, an error is returned.
-
-1. Default instance credentials. When no environment variable is present, the
-default service account credentials are used.
-
-For more information on service accounts, please see the [Google Cloud Service
-Accounts documentation][service-accounts].
-
-To use this auth method, the service account must have the following minimum
-scope:
-
-```text
-https://www.googleapis.com/auth/cloud-platform
-```
-
-### Required GCP Permissions
-
-#### Vault Server Permissions
-
-**For `iam`-type Vault roles**, Vault can be given the following roles:
-
-```text
-roles/iam.serviceAccountKeyAdmin
-```
-
-**For `gce`-type Vault roles**, Vault can be given the following roles:
-
-```text
-roles/compute.viewer
-```
-
-If you instead wish to create a custom role with only the exact GCP permissions
-required, use the following list of permissions:
-
-```text
-iam.serviceAccounts.get
-iam.serviceAccountKeys.get
-compute.instances.get
-compute.instanceGroups.list
-compute.instanceGroups.listInstances
-```
-
-These allow Vault to:
-
-* verify the service account, either directly authenticating or associated with 
-  authenticating GCE instance, exists
-* get the corresponding public keys for verifying JWTs signed by service account
-  private keys.
-* verify authenticating GCE instances exist
-* compare bound fields for GCE roles (zone/region, labels, or membership
-  in given instance groups)
-
-#### Permissions For Authenticating Against Vault
-
-Note that the previously mentioned permissions are given to the _Vault servers_. 
-The IAM service account or GCE instance that is **authenticating against Vault**
-must have the following role:
-
-```text
-roles/iam.serviceAccountTokenCreator
-```
-
-## Group Aliases
-
-As of Vault 1.0, roles can specify an `add_group_aliases` boolean parameter
-that adds [group aliases][identity-group-aliases] to the auth response. These
-aliases can aid in building reusable policies since they are available as
-interpolated values in Vault's policy engine. Once enabled, the auth response
-will include the following aliases:
-
-```json
-[
-  "project-$PROJECT_ID",
-  "folder-$SUBFOLDER_ID",
-  "folder-$FOLDER_ID",
-  "organization-$ORG_ID"
-]
-```
-
-
-## Implementation Details
-
-This section describes the implementation details for how Vault communicates
-with Google Cloud to authenticate and authorize JWT tokens. This information is
-provided for those who are curious, but these details are not
-required knowledge for using the auth method.
-
-### IAM Login
-
-IAM login applies only to roles of type `iam`. The Vault authentication workflow
-for IAM service accounts looks like this:
-
-[![Vault Google Cloud IAM Login Workflow](/img/vault-gcp-iam-auth-workflow.svg)](/img/vault-gcp-iam-auth-workflow.svg)
-
-  1. The client generates a signed JWT using the IAM
-  [`projects.serviceAccounts.signJwt`][signjwt-method] method. For examples of
-  how to do this, see the [Obtaining JWT Tokens](#obtaining-jwt-tokens) section.
-
-  2. The client sends this signed JWT to Vault along with a role name.
-
-  3. Vault extracts the `kid` header value, which contains the ID of the
-  key-pair used to generate the JWT, and the `sub` ID/email to find the service
-  account key. If the service account does not exist or the key is not linked to
-  the service account, Vault denies authentication.
-
-  4. Vault authorizes the confirmed service account against the given role. If
-  that is successful, a Vault token with the proper policies is returned.
-
-### GCE Login
-
-GCE login only applies to roles of type `gce` and **must be completed on an
-instance running in GCE**. These steps will not work from your local laptop or
-another cloud provider.
-
-[![Vault Google Cloud GCE Login Workflow](/img/vault-gcp-gce-auth-workflow.svg)](/img/vault-gcp-gce-auth-workflow.svg)
-
-  1. The client obtains an [instance identity metadata token][instance-identity]
-  on a GCE instance.
-
-  2. The client sends this JWT to Vault along with a role name.
-
-  3. Vault extracts the `kid` header value, which contains the ID of the
-  key-pair used to generate the JWT, to find the OAuth2 public cert to verify
-  this JWT.
-
-  4. Vault authorizes the confirmed instance against the given role, ensuring
-  the instance matches the bound zones, regions, or instance groups. If that is
-  successful, a Vault token with the proper policies is returned.
-
-
-## Generating JWTs
-
-This section details the various methods and examples for obtaining JWT
-tokens.
-
-### IAM
-
-This describes how to use the GCP IAM [API method][signjwt-method] directly
-to generate the signed JWT with the claims that Vault expects. Note the CLI
-does this process for you and is much easier, and that there is very little
-reason to do this yourself.
-
-#### curl Example
-
-Vault requires the following minimum claim set:
-
-```json
-{
-  "sub": "$SERVICE_ACCOUNT_EMAIL_OR_ID",
-  "aud": "vault/$ROLE",
-  "exp": "$EXPIRATION"
-}
-```
-
-For the API method, expiration is optional and will default to an hour.
-If specified, expiration must be a
-[NumericDate](https://tools.ietf.org/html/rfc7519#section-2) value (seconds from
-Epoch). This value must be before the max JWT expiration allowed for a role.
-This defaults to 15 minutes and cannot be more than 1 hour.
-
-One you have all this information, the JWT token can be signed using curl and
-[oauth2l](https://github.com/google/oauth2l):
-
-```text
-ROLE="my-role"
-PROJECT="my-project"
-SERVICE_ACCOUNT="service-account@my-project.iam.gserviceaccount.com"
-OAUTH_TOKEN="$(oauth2l header cloud-platform)"
-JWT_CLAIM="{\\\"aud\\\":\\\"vault/${ROLE}\\\", \\\"sub\\\": \\\"${SERVICE_ACCOUNT}\\\"}"
-
-curl \
-  --header "${OAUTH_TOKEN}" \
-  --header "Content-Type: application/json" \
-  --request POST \
-  --data "{\"payload\": \"${JWT_CLAIM}\"}" \
-  "https://iam.googleapis.com/v1/projects/${PROJECT}/serviceAccounts/${SERVICE_ACCOUNT}:signJwt"
-```
-
-#### gcloud Example
-
-You can also do this through the (currently beta) gcloud command.
-
-```text
-$ gcloud beta iam service-accounts sign-jwt $INPUT_JWT_CLAIMS $OUTPUT_JWT_FILE \
-    --iam-account=service-account@my-project.iam.gserviceaccount.com \
-    --project=my-project
-```
-
-#### Golang Example
-
-Read more on the
-[Google Open Source blog](https://opensource.googleblog.com/2017/08/hashicorp-vault-and-google-cloud-iam.html).
-
-### GCE
-
-GCE tokens **can only be generated from a GCE instance**. The JWT token can be
-obtained from the `service-accounts/default/identity` endpoint for a
-instance's metadata server.
-
-#### curl Example
-
-```text
-ROLE="my-gce-role"
-
-curl \
-  --header "Metadata-Flavor: Google" \
-  --get \
-  --data-urlencode "audience=http://vault/${ROLE}" \
-  --data-urlencode "format=full" \
-  "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
-```
-
-## API
-
-The GCP Auth Plugin has a full HTTP API. Please see the
-[API docs][api-docs] for more details.
-
-[jwt]: https://tools.ietf.org/html/rfc7519
-[signjwt-method]: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt
-[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
-[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
-[api-docs]: /api/auth/gcp/index.html
-[identity-group-aliases]: /api/secret/identity/group-alias.html
-[instance-identity]: https://cloud.google.com/compute/docs/instances/verifying-instance-identity
-[repo]: https://github.com/hashicorp/vault-plugin-auth-gcp
diff --git a/website/source/docs/auth/github.html.md b/website/source/docs/auth/github.html.md
deleted file mode 100644
index ef0e6497776b..000000000000
--- a/website/source/docs/auth/github.html.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-layout: "docs"
-page_title: "GitHub - Auth Methods"
-sidebar_title: "GitHub"
-sidebar_current: "docs-auth-github"
-description: |-
-  The GitHub auth method allows authentication with Vault using GitHub.
----
-
-# GitHub Auth Method
-
-The `github` auth method can be used to authenticate with Vault using a GitHub
-personal access token. This method of authentication is most useful for humans:
-operators or developers using Vault directly via the CLI.
-
-~> **IMPORTANT NOTE:** Vault does not support an OAuth workflow to generate
-GitHub tokens, so does not act as a GitHub application. As a result, this method
-uses personal access tokens. An important consequence is that any valid GitHub
-access token with the `read:org` scope can be used for authentication. If such a
-token is stolen from a third party service, and the attacker is able to make
-network calls to Vault, they will be able to log in as the user that generated
-the access token. When using this method it is a good idea to ensure that access
-to Vault is restricted at a network level rather than public. If these risks are
-unacceptable to you, you should use a different method.
-
-## Authentication
-
-### Via the CLI
-
-The default path is `/github`. If this auth method was enabled at a different
-path, specify `-path=/my-path` in the CLI.
-
-```text
-$ vault login -method=github token="MY_TOKEN"
-```
-
-### Via the API
-
-The default endpoint is `auth/github/login`. If this auth method was enabled
-at a different path, use that value instead of `github`.
-
-```shell
-$ curl \
-    --request POST \
-    --data '{"token": "MY_TOKEN"}' \
-    http://127.0.0.1:8200/v1/auth/github/login
-```
-
-The response will contain a token at `auth.client_token`:
-
-```json
-{
-  "auth": {
-    "renewable": true,
-    "lease_duration": 2764800,
-    "metadata": {
-      "username": "my-user",
-      "org": "my-org"
-    },
-    "policies": [
-      "default",
-      "dev-policy"
-    ],
-    "accessor": "f93c4b2d-18b6-2b50-7a32-0fecf88237b8",
-    "client_token": "1977fceb-3bfa-6c71-4d1f-b64af98ac018"
-  }
-}
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the GitHub auth method:
-
-    ```text
-    $ vault auth enable github
-    ```
-
-1. Use the `/config` endpoint to configure Vault to talk to GitHub.
-
-    ```text
-    $ vault write auth/github/config organization=hashicorp
-    ```
-
-    For the complete list of configuration options, please see the API
-    documentation.
-
-1. Map the users/teams of that GitHub organization to policies in Vault. Team
-   names must be "slugified":
-
-    ```text
-    $ vault write auth/github/map/teams/dev value=dev-policy
-    ```
-
-    In this example, when members of the team "dev" in the organization
-    "hashicorp" authenticate to Vault using a GitHub personal access token, they
-    will be given a token with the "dev-policy" policy attached.
-
-    ---
-
-    You can also create mappings for a specific user `map/users/<user>`
-    endpoint:
-
-    ```text
-    $ vault write auth/github/map/users/sethvargo value=sethvargo-policy
-    ```
-
-    In this example, a user with the GitHub username `sethvargo` will be
-    assigned the `sethvargo-policy` policy **in addition to** any team policies.
-
-## API
-
-The GitHub auth method has a full HTTP API. Please see the
-[GitHub Auth API](/api/auth/github/index.html) for more
-details.
diff --git a/website/source/docs/auth/index.html.md b/website/source/docs/auth/index.html.md
deleted file mode 100644
index 35a856d49645..000000000000
--- a/website/source/docs/auth/index.html.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-layout: "docs"
-page_title: "Auth Methods"
-sidebar_title: "Auth Methods"
-sidebar_current: "docs-auth"
-description: |-
-  Auth methods are mountable methods that perform authentication for Vault.
----
-
-# Auth Methods
-
-Auth methods are the components in Vault that perform authentication and are
-responsible for assigning identity and a set of policies to a user.
-
-Having multiple auth methods enables you to use an auth method that makes the
-most sense for your use case of Vault and your organization.
-
-For example, on developer machines, the [GitHub auth method](/docs/auth/github.html)
-is easiest to use. But for servers the [AppRole](/docs/auth/approle.html)
-method is the recommended choice.
-
-To learn more about authentication, see the
-[authentication concepts page](/docs/concepts/auth.html).
-
-## Enabling/Disabling Auth Methods
-
-Auth methods can be enabled/disabled using the CLI or the API.
-
-```text
-$ vault auth enable userpass
-```
-
-When enabled, auth methods are similar to [secrets engines](/docs/secrets/index.html):
-they are mounted within the Vault mount table and can be accessed
-and configured using the standard read/write API. All auth methods are mounted underneath the `auth/` prefix.
-
-By default, auth methods are mounted to `auth/<type>`. For example, if you
-enable "github", then you can interact with it at `auth/github`. However, this
-path is customizable, allowing users with advanced use cases to mount a single
-auth method multiple times.
-
-```text
-$ vault auth enable -path=my-login userpass
-```
-
-When an auth method is disabled, all users authenticated via that method are
-automatically logged out.
diff --git a/website/source/docs/auth/jwt.html.md b/website/source/docs/auth/jwt.html.md
deleted file mode 100644
index bc32b9c5d248..000000000000
--- a/website/source/docs/auth/jwt.html.md
+++ /dev/null
@@ -1,309 +0,0 @@
----
-layout: "docs"
-page_title: "JWT/OIDC - Auth Methods"
-sidebar_title: "JWT/OIDC"
-sidebar_current: "docs-auth-jwt-oidc"
-description: |-
-  The JWT/OIDC auth method allows authentication using OIDC and user-provided JWTs
----
-
-# JWT/OIDC Auth Method
-
-The `jwt` auth method can be used to authenticate with Vault using
-[OIDC](https://en.wikipedia.org/wiki/OpenID_Connect) or by providing a
-[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token).
-
-The OIDC method allows authentication via a configured OIDC provider using the
-user's web browser.  This method may be initiated from the Vault UI or the
-command line. Alternatively, a JWT can be provided directly. The JWT is
-cryptographically verified using locally-provided keys, or, if configured, an
-OIDC Discovery service can be used to fetch the appropriate keys. The choice of
-method is configured per role.
-
-Both methods allow additional processing of the claims data in the JWT. Some of
-the concepts common to both methods will be covered first, followed by specific
-examples of OIDC and JWT usage.
-
-### JWT Verification
-
-JWT signatures will be verified against public keys from the issuer. This process can be done in
-three different ways, though only one method may be configured for a single backend:
-
-- **Static Keys**. A set of public keys is stored directly in the backend configuration.
-
-- **JWKS**. A JSON Web Key Set ([JWKS](https://tools.ietf.org/html/rfc7517)) URL (and optional
-certificate chain) is configured. Keys will be fetched from this endpoint during authentication.
-
-- **OIDC Discovery**. An OIDC Discovery URL (and optional certificate chain) is configured. Keys
-will be fetched from this URL during authentication. When OIDC Discovery is used, OIDC validation
-criteria (e.g. `iss`, `aud`, etc.) will be applied.
-
-If multiple methods are needed, another instance of the backend can be mounted and configured
-at a different path.
-
-### Bound Claims
-
-Once a JWT has been validated as being properly signed and not expired, the
-authorization flow will validate that any configured "bound" parameters match.
-In some cases there are dedicated parameters, for example `bound_subject`,
-which must match the JWT's `sub` parameter. A role may also be configured to
-check arbitrary claims through the `bound_claims` map. The map contains a set
-of claims and their required values. For example, assume `bound_claims` is set
-to:
-
-```json
-{
-  "division": "Europe",
-  "department": "Engineering"
-}
-```
-
-Only JWTs containing both the "division" and "department" claims, and
-respective matching values of "Europe" and "Engineering", would be authorized.
-If the expected value is a list, the claim must match one of the items in the list.
-To limit authorization to a set of email addresses:
-
-```json
-{
-  "email": ["fred@example.com", "julie@example.com"]
-}
-```
-
-
-### Claims as Metadata
-
-Data from claims can be copied into the resulting auth token and alias metadata by configuring `claim_mappings`. This role
-parameter is a map of items to copy. The map elements are of the form: `"<JWT claim>":"<metadata key>"`. Assume
-`claim_mappings` is set to:
-
-```json
-{
-  "division": "organization",
-  "department": "department"
-}
-```
-
-This specifies that the value in the JWT claim "division" should be copied to the metadata key "organization". The JWT
-"department" claim value will also be copied into metadata but will retain the key name. If a claim is configured in `claim_mappings`,
-it must existing in the JWT or else the authentication will fail.
-
-Note: the metadata key name "role" is reserved and may not be used for claim mappings.
-
-
-### Claim specifications and JSON Pointer
-
-Some parameters (e.g. `bound_claims` and `groups_claim`) are used to point to data within the JWT. If
-the desired key is at the top of level of the JWT, the name can be provided directly. If it is nested at a
-lower level, a JSON Pointer may be used.
-
-Assume the following JSON data to be referenced:
-
-```json
-{
-  "division": "North America",
-  "groups": {
-    "primary": "Engineering",
-    "secondary": "Software"
-  }
-}
-```
-
-A parameter of `"division"` will reference "North America", as this is a top level key. A parameter
-`"/groups/primary"` uses JSON Pointer syntax to reference "Engineering" at a lower level. Any valid
-JSON Pointer can be used as a selector. Refer to the
-[JSON Pointer RFC](https://tools.ietf.org/html/rfc6901) for a full description of the syntax
-
-
-## OIDC Authentication
-
-This section covers the setup and use of OIDC roles. If a JWT is to be provided directly,
-refer to the [JWT Authentication](/docs/auth/jwt.html#jwt-authentication) section below. Basic
-familiarity with [OIDC concepts] (https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1)
-is assumed.
-
-Vault includes two built-in OIDC login flows: the Vault UI, and the CLI
-using a `vault login`.
-
-### Redirect URIs
-
-An important part of OIDC role configuration is properly setting redirect URIs. This must be
-done both in Vault and with the OIDC provider, and these configurations must align. The
-redirect URIs are specified for a role with the `allowed_redirect_uris` parameter. There are
-different redirect URIs to configure the Vault UI and CLI flows, so one or both will need to
-be set up depending on the installation.
-
-**CLI**
-
-If you plan to support authentication via `vault login -method=oidc`, a localhost redirect URI
-must be set. This can usually be: `http://localhost:8250/oidc/callback`. Logins via the CLI may
-specify a different host and/or listening port if needed, and a URI with this host/port must match one
-of the configured redirected URIs. These same "localhost" URIs must be added to the provider as well.
-
-**Vault UI**
-
-Logging in via the Vault UI requires a redirect URI of the form:
-`https://{host:port}/ui/vault/auth/{path}/oidc/callback`
-
-The "host:port" must be correct for the Vault server, and "path" must match the path the JWT
-backend is mounted at (e.g. "oidc" or "jwt").
-If [namespaces](https://www.vaultproject.io/docs/enterprise/namespaces/index.html) are being used,
-they must be added as query parameters, for example:
-
-`https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback?namespace=my_ns`
-
-### OIDC Login (Vault UI)
-
-1. Select the "OIDC" login method.
-1. Enter a role name if necessary.
-1. Press "Sign In" and complete the authentication with the configured provider.
-
-### OIDC Login (CLI)
-
-The CLI login defaults to path of `/oidc`. If this auth method was enabled at a
-different path, specify `-path=/my-path` in the CLI.
-
-```text
-$ vault login -method=oidc port=8400 role=test
-
-Complete the login via your OIDC provider. Launching browser to:
-
-    https://myco.auth0.com/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A8400%2Foidc%2Fcallback&client_id=r3qXc2bix9eF...
-```
-
-The browser will open to the generated URL to complete the provider's login. The
-URL may be entered manually if the browser cannot be automatically opened.
-
-The callback listener may be customized with the following optional parameters:
-
-* `callbackhost` (default: "localhost")
-* `port` (default: 8250)
-
-### OIDC Provider Configuration
-
-The OIDC authentication flow has been successfully tested with a number of providers. A full
-guide to configuring OAuth/OIDC applications is beyond the scope of Vault documentation, but a
-collection of provider configuration steps has been collected to help get started:
-[OIDC Provider Setup](/docs/auth/jwt_oidc_providers.html)
-
-### OIDC Configuration Troubleshooting
-This amount of configuration required for OIDC is relatively small, but it can be tricky to debug
-why things aren't working. Some tips for setting up OIDC:
-
-- Monitor Vault's log output. Important information about OIDC validation failures will be emitted.
-- Ensure Redirect URIs are correct in Vault and on the provider. They need to match exactly. Check:
-http/https, 127.0.0.1/localhost, port numbers, whether trailing slashes are present.
-- Start simple. The only claim configuration a role requires is `user_claim`. After authentication is
-known to work, you can add additional claims bindings and metadata copying.
-- `bound_audiences` is optional for OIDC roles and typically not required. OIDC providers will use
-the client_id as the audience and OIDC validation expects this.
-- Check your provider for what scopes are required in order to receive all
-of the information you need. The scopes "profile" and "groups" often need to be
-requested, and can be added by setting `oidc_scopes="profile,groups"` on the role.
-- If you're seeing claim-related errors in logs, review the provider's docs very carefully to see
-how they're naming and structuring their claims. Depending on the provider, you may be able to
-construct a simple `curl` implicit grant request to obtain a JWT that you can inspect. An example
-of how to decode the JWT (in this case located in the "access_token" field of a JSON response):
-
-`cat jwt.json | jq -r .access_token | cut -d. -f2 | base64 -D`
-- As of Vault 1.2, the [`verbose_oidc_logging`](/api/auth/jwt/index.html#verbose_oidc_logging) role
-option is available which will log the received OIDC token if debug-level logging is enabled. This can
-be helpful when debugging provider setup and verifying that the received claims are what you expect.
-Since claims data is logged verbatim and may contain sensitive information, this option should not be
-used in production.
-
-## JWT Authentication
-
-The authentication flow for roles of type "jwt" is simpler than OIDC since Vault
-only needs to validate the provided JWT.
-
-### Via the CLI
-
-The default path is `/jwt`. If this auth method was enabled at a
-different path, specify `-path=/my-path` in the CLI.
-
-```text
-$ vault write auth/jwt/login role=demo jwt=...
-```
-
-### Via the API
-
-The default endpoint is `auth/jwt/login`. If this auth method was enabled
-at a different path, use that value instead of `jwt`.
-
-```shell
-$ curl \
-    --request POST \
-    --data '{"jwt": "your_jwt", "role": "demo"}' \
-    http://127.0.0.1:8200/v1/auth/jwt/login
-```
-
-The response will contain a token at `auth.client_token`:
-
-```json
-{
-  "auth": {
-    "client_token": "38fe9691-e623-7238-f618-c94d4e7bc674",
-    "accessor": "78e87a38-84ed-2692-538f-ca8b9f400ab3",
-    "policies": [
-      "default"
-    ],
-    "metadata": {
-      "role": "demo"
-    },
-    "lease_duration": 2764800,
-    "renewable": true
-  }
-}
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-
-1. Enable the JWT auth method. Either the "jwt" or "oidc" name may be used. The
-backend will be mounted at the chosen name.
-
-    ```text
-    $ vault auth enable jwt
-     or
-    $ vault auth enable oidc
-    ```
-
-1. Use the `/config` endpoint to configure Vault. To support JWT roles, either local keys or an OIDC
-Discovery URL must be present. For OIDC roles, OIDC Discovery URL, OIDC Client ID and OIDC Client Secret are required. For the
-list of available configuration options, please see the [API documentation](/api/auth/jwt/index.html).
-
-    ```text
-    $ vault write auth/jwt/config \
-        oidc_discovery_url="https://myco.auth0.com/" \
-        oidc_client_id="m5i8bj3iofytj" \
-        oidc_client_secret="f4ubv72nfiu23hnsj" \
-        default_role="demo"
-    ```
-
-1. Create a named role:
-
-    ```text
-    vault write auth/jwt/role/demo \
-        bound_subject="r3qX9DljwFIWhsiqwFiu38209F10atW6@clients" \
-        bound_audiences="https://vault.plugin.auth.jwt.test" \
-        user_claim="https://vault/user" \
-        groups_claim="https://vault/groups" \
-        policies=webapps \
-        ttl=1h
-    ```
-
-    This role authorizes JWTs with the given subject and audience claims, gives
-    it the `webapps` policy, and uses the given user/groups claims to set up
-    Identity aliases.
-
-    For the complete list of configuration options, please see the API
-    documentation.
-
-## API
-
-The JWT Auth Plugin has a full HTTP API. Please see the
-[API docs](/api/auth/jwt/index.html) for more details.
diff --git a/website/source/docs/auth/jwt_oidc_providers.html.md b/website/source/docs/auth/jwt_oidc_providers.html.md
deleted file mode 100644
index adc09add6920..000000000000
--- a/website/source/docs/auth/jwt_oidc_providers.html.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-layout: "docs"
-page_title: "OIDC Provider Setup - Auth Methods"
-description: |-
-  OIDC provider configuration quick starts
----
-
-# OIDC Provider Configuration
-
-This page collects high-level setup steps on how to configure an OIDC
-application for various providers. For more general usage and operation
-information, see the [Vault JWT/OIDC method documentation](https://www.vaultproject.io/docs/auth/jwt.html).
-
-OIDC providers are often highly configurable and you should become familiar with
-their recommended settings and best practices. The instructions below are
-largely community-driven and intended to help you get started. Corrections
-and additions may be submitted via the [Vault Github repository](https://github.com/hashicorp/vault).
-
-## Azure Active Directory (AAD)
-Reference: [Azure Active Directory v2.0 and the OpenID Connect protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)
-
-1. Register or select an AAD application. Visit Overview page.
-1. Configure Redirect URIs ("Web" type). 
-    * You may include two redirect URIs, one for CLI access another one for Vault UI access.
-       * http://localhost:8250/oidc/callback
-       * https://hostname:port_number/ui/vault/auth/oidc/oidc/callback
-1. Record "Application (client) ID" as you will need it as the oidc_client_id
-1. Under API Permissions grant the following permission:
-    * Microsoft Graph API permission [Group.Read.All](https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-10)  
-1. Under "Endpoints", copy the OpenID Connect metadata document URL, omitting the `/well-known...` portion.
-    * The endpoint url (oidc_discovery_url) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0
-1. Switch to Certificates & Secrets. Create a new client secret and record the generated value as
-it will not be accessible after you leave the page.
-
-Please note [Azure AD v2.0 endpoints](https://docs.microsoft.com/en-gb/azure/active-directory/develop/azure-ad-endpoint-comparison)
-are required for [external groups](https://www.vaultproject.io/docs/secrets/identity/index.html#external-vs-internal-groups) to work.
-
-* `groupMembershipClaims` should be changed from `none` in the 
-[App registration manifest](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest).
-Options are "All" or "Security"
-
-* In the [OIDC Role config](https://www.vaultproject.io/api/auth/jwt/index.html#create-role) 
-the scope `"https://graph.microsoft.com/.default"` should be added to add groups 
-to the jwt token and `groups_claim` should be set to `groups`. 
-
-* Finally Azure AD group can be referenced by using the groups `objectId` as the [group alias name](https://www.vaultproject.io/api/secret/identity/group-alias.html) for the external group.
-
-### CLI setup instructions:
-You have to fill in the following values make sure to use the correct vault secret 
-path that matches the name of the authentication method such as /oidc/
-
-   * oidc_client_id = Application Client ID
-   * oidc_client_secret = Secret obtained from the Certificates & Secrets Section
-   * default_role = default role the user will be using when connecting. (see the second command)
-   * oidc_discovery_url = Open ID endpoint retrieved from the App Registration sections.
-
-```
-vault write auth/oidc/config \
-    oidc_client_id="your_client_id" \
-    oidc_client_secret="your_client_secret" \
-    default_role=“your_default_role” \
-    oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0”
-```
-
-```
-vault write auth/oidc/role/demo user_claim="email" \
-    allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback"  \
-    groups_claim="groups" \
-    policies=default
-```
-
-## Auth0
-1. Select Create Application (Regular Web App).
-1. Configure Allowed Callback URLs.
-1. Copy client ID and secret.
-1. If you see Vault errors involving signature, check the application's Advanced > OAuth settings
- and verify that signing algorithm is "RS256".
-
-## Gitlab
-1. Visit Settings > Applications.
-1. Fill out Name and Redirect URIs.
-1. Making sure to select the "openid" scope.
-1. Copy client ID and secret.
-
-## Google
-Main reference: [Using OAuth 2.0 to Access Google APIs](https://developers.google.com/identity/protocols/OAuth2)
-
-1. Visit the [Google API Console](https://console.developers.google.com).
-1. Create or a select a project.
-1. Create a new credential via Credentials > Create Credentials > OAuth Client ID.
-1. Configure the OAuth Consent Screen. Application Name is required. Save.
-1. Select application type: "Web Application".
-1. Configure Authorized Redirect URIs.
-1. Save client ID and secret.
-
-## Keycloak
-1. Select/create a Realm and Client. Select a Client and visit Settings.
-1. Client Protocol: openid-connect
-1. Access Type: confidential
-1. Standard Flow Enabled: On
-1. Configure Valid Redirect URIs.
-1. Save.
-1. Visit Credentials. Select Client ID and Secret and note the generated secret.
-
-## Okta
-
-1. Make sure an Authorization Server has been created. The "Issuer" field shown on the Setting page
-  will be used as the `oidc_discovery_url`.
-1. Visit Applications > Add Application (Web).
-1. Configure Login redirect URIs. Save.
-1. Save client ID and secret.
-
-Note your policy will need `oidc_scopes` to include `profile` to get a full profile ("[Fat Token](https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token)"). You will also need to configure bound audience along the lines of `"bound_audiences": ["api://default", "0a4........."]` if you are using the default authorization server.
diff --git a/website/source/docs/auth/kerberos.html.md b/website/source/docs/auth/kerberos.html.md
deleted file mode 100644
index 1a6c180a6fdb..000000000000
--- a/website/source/docs/auth/kerberos.html.md
+++ /dev/null
@@ -1,225 +0,0 @@
----
-layout: "docs"
-page_title: "Kerberos - Auth Methods"
-sidebar_title: "Kerberos"
-sidebar_current: "docs-auth-kerberos"
-description: |-
-  The Kerberos auth method allows automated authentication of Kerberos entities.
----
-
-# Kerberos Auth Method
-
-The `kerberos` auth method provides an automated mechanism to retrieve
-a Vault token for Kerberos entities.
-
-[Kerberos](https://web.mit.edu/kerberos/) is a network authentication
-protocol invented by MIT in the 1980s. Its name is inspired by Cerberus, 
-the three-headed hound of Hades from Greek mythology. The three heads
-refer to Kerberos' three entities - an authentication server, a ticket
-granting server, and a principals database. Kerberos underlies
-authentication in Active Directory, and its purpose is to _distribute_
-a network's authentication workload.
-
-Vault's Kerberos auth method was originally written by the folks at 
-[Winton](https://github.com/wintoncode), to whom we owe a special thanks
-for both originally building the plugin, and for collaborating to bring 
-it into HashiCorp's maintenance.
-
-## Prerequisites
-
-Kerberos is a very hands-on auth method. Other auth methods like 
-[LDAP](https://www.vaultproject.io/docs/auth/ldap.html) and 
-[Azure](https://www.vaultproject.io/docs/auth/azure.html) only require
-a cursory amount of knowledge for configuration and use.
-Kerberos, on the other hand, is best used by people already familiar
-with it. We recommend that you use simpler authentication methods if
-your use case is achievable through them. If not, we recommend that 
-before approaching Kerberos, you become familiar with its fundamentals.
-
-- [MicroNugget: How Kerberos Works in Windows Active Directory](https://www.youtube.com/watch?v=kp5d8Yv3-0c)
-- [MIT's Kerberos Documentation](https://web.mit.edu/kerberos/)
-- [Kerberos: The Definitive Guide](https://www.amazon.com/Kerberos-Definitive-Guide-ebook-dp-B004P1J81C/dp/B004P1J81C/ref=mt_kindle?_encoding=UTF8&me=&qid=1573685442)
-
-Regardless of how you gain your knowledge, before using this auth method,
-ensure you are comfortable with Kerberos' high-level architecture, and
-ensure you've gone through the exercise of:
-
-- Creating a valid `krb5.conf` file
-- Creating a valid `keytab` file
-- Authenticating to your domain server with your `keytab` file using `kinit`
-
-With that knowledge in hand, and with an environment that's already tested
-and confirmed working, you will be ready to use Kerberos with Vault.
-
-## Configuration
-
-* Enable Kerberos authentication in Vault:
-
-```text
-$ vault auth enable \
-    -passthrough-request-headers=Authorization \
-    -allowed-response-headers=www-authenticate \
-    kerberos
-```
-   
-* Create a `keytab` for the Kerberos plugin:
-
-```text
-$ ktutil
-ktutil:  addent -password -p your_service_account@REALM.COM -e aes256-cts -k 1
-Password for your_service_account@REALM.COM:
-ktutil:  list -e
-slot KVNO Principal
----- ---- ---------------------------------------------------------------------
-  1    1            your_service_account@REALM.COM (aes256-cts-hmac-sha1-96)
-ktutil:  wkt vault.keytab
-```
-   
-   The KVNO (`-k 1`) should match the KVNO of the service account. An error will show in the Vault logs if this is incorrect.
-   
-   Different encryption types can also be added to the `keytab`, for example `-e rc4-hmac` with additional `addent` commands.
-   
-   Then base64 encode it:
-   
-```text
-$ base64 vault.keytab > vault.keytab.base64
-```
-
-* Configure the Kerberos auth method with the `keytab` and 
-entry name that will be used to verify inbound login 
-requests:
-
-```text
-$ vault write auth/kerberos/config \
-    keytab=@vault.keytab.base64 \
-    service_account="vault_svc"
-```
-   
-* Configure the Kerberos auth method to communicate with
-LDAP using the service account configured above. This is 
-a sample LDAP configuration. Yours will vary. Ensure you've
-first tested your configuration from the Vault server using 
-a tool like `ldapsearch`.
-
-```text
-$ vault write auth/kerberos/config/ldap \
-    binddn=vault_svc@MATRIX.LAN \
-    bindpass=$VAULT_SVC_PASSWORD \
-    groupattr=sAMAccountName \
-    groupdn="DC=MATRIX,DC=LAN" \
-    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
-    userdn="CN=Users,DC=MATRIX,DC=LAN" \
-    userattr=sAMAccountName \
-    upndomain=MATRIX.LAN \
-    url=ldaps://somewhere.foo
-```
-   
-The LDAP above relies upon the same code as the LDAP auth method.
-See [its documentation](https://www.vaultproject.io/docs/auth/ldap.html) 
-for further discussion of available parameters. 
-   
-* Configure the Vault policies that should be granted to those 
-who successfully authenticate based on their LDAP group membership.
-Since this is identical to the LDAP auth method, see 
-[Group Membership Resolution](https://www.vaultproject.io/docs/auth/ldap.html#group-membership-resolution)
-and [LDAP Group -> Policy Mapping](https://www.vaultproject.io/docs/auth/ldap.html#ldap-group-gt-policy-mapping)
-for further discussion.
-
-```text
-$ vault write auth/kerberos/groups/engineering-team \
-    policies=engineers
-```
-
-The above group grants the "engineers" policy to those who authenticate
-via Kerberos and are found to be members of the "engineering-team" LDAP
-group.
-
-## Authentication
-
-From a client machine with a valid `krb5.conf` and `keytab`, perform a command
-like the following:
-
-```text
-$ vault login -method=kerberos \
-    username=grace \
-    service=HTTP/my-service \
-    realm=MATRIX.LAN \
-    keytab_path=/etc/krb5/krb5.keytab  \
-    krb5conf_path=/etc/krb5.conf
-```
-
-- `krb5conf_path` is the path to a valid `krb5.conf` file describing how to
-communicate with the Kerberos environment.
-- `keytab_path` is the path to the `keytab` in which the entry lives for the
-entity authenticating to Vault.
-- `username` is the username for the entry _within_ the `keytab` to use for 
-logging into Kerberos. This username must match a service account in LDAP.
-- `service` is the service principal name to use in obtaining a service ticket for
-gaining a SPNEGO token. This service must exist in LDAP.
-- `realm` is the name of the Kerberos realm. This realm must match the UPNDomain
-configured on the LDAP connection. This check is case-sensitive.
-
-## Troubleshooting
-
-### Identify the Malfunctioning Piece
-
-Once the malfunctioning piece of the journey is identified, you can focus
-your debugging efforts in the most useful direction.
-
-1. Use `ldapsearch` while logged into your machine hosting Vault to ensure
-your LDAP configuration is functional.
-2. Authenticate to your domain server using `kinit`, your `keytab`, and your 
-`krb5.conf`. Do this with both Vault's `keytab`, and any client `keytab` being
-used for logging in. This ensures your Kerberos network is working.
-3. While logged into your client machine, verify you can reach Vault 
-through the following command: `$ curl $VAULT_ADDR/v1/sys/health`.
-
-### Build Clear Steps to Reproduce the Problem
-
-If possible, make it easy for someone else to reproduce the problem who
-is outside of your company. For instance, if you expect that you should 
-be able to login using a command like:
-
-```text
-$ vault login -method=kerberos \
-    username=my-name \
-    service=HTTP/my-service \
-    realm=EXAMPLE.COM \
-    keytab_path=/etc/krb5/krb5.keytab  \
-    krb5conf_path=/etc/krb5.conf
-```
-
-Then make sure you're ready to share the error output of that command, the 
-contents of the `krb5.conf` file, and [the entries listed](https://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjs1q/index.html)
-in the `keytab` file.
-
-After you've stripped the issue down to its simplest form, if you still
-encounter difficulty resolving it, it will be much easier to gain assistance
-by posting your reproduction to the [Vault Forum](https://discuss.hashicorp.com/c/vault)
-or by providing it to [HashiCorp Support](https://www.hashicorp.com/support.html) 
-(if applicable.)
-
-### Additional Troubleshooting Resources
-
-- [Troubleshooting Vault](https://learn.hashicorp.com/vault/operations/troubleshooting-vault)
-- [The plugin's code](https://github.com/hashicorp/vault-plugin-auth-kerberos)
-
-The Vault Kerberos library has a working integration test environment that
-can be referenced as an example of a full Kerberos and LDAP environment. 
-It runs through Docker and can be started through either one of the following 
-commands:
-
-```text
-$ make integration
-$ make dev-env
-```
-
-These commands run variations of [a script](https://github.com/hashicorp/vault-plugin-auth-kerberos/blob/master/scripts/integration_env.sh)
-that spins up a full environment, adds users, and executes a login from a 
-client.
-
-## API
-
-The Kerberos auth method has a full HTTP API. Please see the
-[Kerberos auth method API](/api/auth/kerberos/index.html) for more
-details.
diff --git a/website/source/docs/auth/kubernetes.html.md b/website/source/docs/auth/kubernetes.html.md
deleted file mode 100644
index 7ee40d283283..000000000000
--- a/website/source/docs/auth/kubernetes.html.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-layout: "docs"
-page_title: "Kubernetes - Auth Methods"
-sidebar_title: "Kubernetes"
-sidebar_current: "docs-auth-kubernetes"
-description: |-
-  The Kubernetes auth method allows automated authentication of Kubernetes
-  Service Accounts.
----
-
-# Kubernetes Auth Method
-
-The `kubernetes` auth method can be used to authenticate with Vault using a
-Kubernetes Service Account Token. This method of authentication makes it easy to
-introduce a Vault token into a Kubernetes Pod.
-
-## Authentication
-
-### Via the CLI
-
-The default path is `/kubernetes`. If this auth method was enabled at a
-different path, specify `-path=/my-path` in the CLI.
-
-
-```text
-$ vault write auth/kubernetes/login role=demo jwt=...
-```
-
-### Via the API
-
-The default endpoint is `auth/kubernetes/login`. If this auth method was enabled
-at a different path, use that value instead of `kubernetes`.
-
-```shell
-$ curl \
-    --request POST \
-    --data '{"jwt": "your_service_account_jwt", "role": "demo"}' \
-    http://127.0.0.1:8200/v1/auth/kubernetes/login
-```
-
-The response will contain a token at `auth.client_token`:
-
-```json
-{
-  "auth": {
-    "client_token": "38fe9691-e623-7238-f618-c94d4e7bc674",
-    "accessor": "78e87a38-84ed-2692-538f-ca8b9f400ab3",
-    "policies": [
-      "default"
-    ],
-    "metadata": {
-      "role": "demo",
-      "service_account_name": "vault-auth",
-      "service_account_namespace": "default",
-      "service_account_secret_name": "vault-auth-token-pd21c",
-      "service_account_uid": "aa9aa8ff-98d0-11e7-9bb7-0800276d99bf"
-    },
-    "lease_duration": 2764800,
-    "renewable": true
-  }
-}
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-
-1. Enable the Kubernetes auth method:
-
-    ```text
-    $ vault auth enable kubernetes
-    ```
-
-1. Use the `/config` endpoint to configure Vault to talk to Kubernetes. For the
-list of available configuration options, please see the API documentation.
-
-    ```text
-    $ vault write auth/kubernetes/config \
-        token_reviewer_jwt="reviewer_service_account_jwt" \
-        kubernetes_host=https://192.168.99.100:8443 \
-        kubernetes_ca_cert=@ca.crt
-    ```
-
-    !> **NOTE:** The pattern Vault uses to authenticate Pods depends on sharing
-    the JWT token over the network. Given the [security model of
-    Vault](/docs/internals/security.html), this is allowable because Vault is
-    part of the trusted compute base. In general, Kubernetes applications should
-    **not** share this JWT with other applications, as it allows API calls to be
-    made on behalf of the Pod and can result in unintended access being granted
-    to 3rd parties.
-
-
-1. Create a named role:
-
-    ```text
-    vault write auth/kubernetes/role/demo \
-        bound_service_account_names=vault-auth \
-        bound_service_account_namespaces=default \
-        policies=default \
-        ttl=1h
-    ```
-
-    This role authorizes the "vault-auth" service account in the default
-    namespace and it gives it the default policy.
-
-    For the complete list of configuration options, please see the API
-    documentation.
-
-## Configuring Kubernetes
-
-This auth method accesses the [Kubernetes TokenReview API][k8s-tokenreview] to
-validate the provided JWT is still valid. Kubernetes should be running with
-`--service-account-lookup`. This is defaulted to true in Kubernetes 1.7, but any
-versions prior should ensure the Kubernetes API server is started with this
-setting. Otherwise deleted tokens in Kubernetes will not be properly revoked and
-will be able to authenticate to this auth method.
-
-Service Accounts used in this auth method will need to have access to the
-TokenReview API. If Kubernetes is configured to use RBAC roles, the Service
-Account should be granted permissions to access this API. The following
-example ClusterRoleBinding could be used to grant these permissions:
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: role-tokenreview-binding
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: vault-auth
-  namespace: default
-```
-
-## API
-
-The Kubernetes Auth Plugin has a full HTTP API. Please see the
-[API docs](/api/auth/kubernetes/index.html) for more details.
-
-[k8s-tokenreview]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#tokenreview-v1-authentication-k8s-io
diff --git a/website/source/docs/auth/ldap.html.md b/website/source/docs/auth/ldap.html.md
deleted file mode 100644
index 6fd41285545b..000000000000
--- a/website/source/docs/auth/ldap.html.md
+++ /dev/null
@@ -1,259 +0,0 @@
----
-layout: "docs"
-page_title: "LDAP - Auth Methods"
-sidebar_title: "LDAP"
-sidebar_current: "docs-auth-ldap"
-description: |-
-  The "ldap" auth method allows users to authenticate with Vault using LDAP
-  credentials.
----
-
-# LDAP Auth Method
-
-The `ldap` auth method allows authentication using an existing LDAP
-server and user/password credentials. This allows Vault to be integrated
-into environments using LDAP without duplicating the user/pass configuration
-in multiple places.
-
-The mapping of groups and users in LDAP to Vault policies is managed by using
-the `users/` and `groups/` paths.
-
-## A Note on Escaping
-
-**It is up to the administrator** to provide properly escaped DNs. This
-includes the user DN, bind DN for search, and so on.
-
-The only DN escaping performed by this method is on usernames given at login
-time when they are inserted into the final bind DN, and uses escaping rules
-defined in RFC 4514.
-
-Additionally, Active Directory has escaping rules that differ slightly from the
-RFC; in particular it requires escaping of '#' regardless of position in the DN
-(the RFC only requires it to be escaped when it is the first character), and
-'=', which the RFC indicates can be escaped with a backslash, but does not
-contain in its set of required escapes. If you are using Active Directory and
-these appear in your usernames, please ensure that they are escaped, in
-addition to being properly escaped in your configured DNs.
-
-For reference, see [RFC 4514](https://www.ietf.org/rfc/rfc4514.txt) and this
-[TechNet post on characters to escape in Active
-Directory](http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx).
-
-## Authentication
-
-### Via the CLI
-
-```text
-$ vault login -method=ldap username=mitchellh
-Password (will be hidden):
-Successfully authenticated! The policies that are associated
-with this token are listed below:
-
-admins
-```
-
-### Via the API
-
-```shell
-$ curl \
-    --request POST \
-    --data '{"password": "foo"}' \
-    http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh
-```
-
-The response will be in JSON. For example:
-
-```javascript
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "auth": {
-    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
-    "policies": [
-      "admins"
-    ],
-    "metadata": {
-      "username": "mitchellh"
-    },
-    "lease_duration": 0,
-    "renewable": false
-  }
-}
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the ldap auth method:
-
-    ```text
-    $ vault auth enable ldap
-    ```
-
-1. Configure connection details for your LDAP server, information on how to
-authenticate users, and instructions on how to query for group membership. The
-configuration options are categorized and detailed below.
-
-### Connection parameters
-
-* `url` (string, required) - The LDAP server to connect to. Examples: `ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. This can also be a comma-delineated list of URLs, e.g. `ldap://ldap.myorg.com,ldaps://ldap.myorg.com:636`, in which case the servers will be tried in-order if there are errors during the connection process.
-* `starttls` (bool, optional) - If true, issues a `StartTLS` command after establishing an unencrypted connection.
-* `insecure_tls` - (bool, optional) - If true, skips LDAP server SSL certificate verification - insecure, use with caution!
-* `certificate` - (string, optional) - CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
-
-### Binding parameters
-
-There are two alternate methods of resolving the user object used to authenticate the end user: _Search_ or _User Principal Name_. When using _Search_, the bind can be either anonymous or authenticated. User Principal Name is a method of specifying users supported by Active Directory. More information on UPN can be found [here](https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName).
-
-#### Binding - Authenticated Search
-
-* `binddn` (string, optional) - Distinguished name of object to bind when performing user and group search. Example: `cn=vault,ou=Users,dc=example,dc=com`
-* `bindpass` (string, optional) - Password to use along with `binddn` when performing user search.
-* `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
-* `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
-
-#### Binding - Anonymous Search
-
-* `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user
-* `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
-* `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
-* `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
-
-#### Binding - User Principal Name (AD)
-
-* `upndomain` (string, optional) - userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind as `username@example.com`.
-
-### Group Membership Resolution
-
-Once a user has been authenticated, the LDAP auth method must know how to resolve which groups the user is a member of. The configuration for this can vary depending on your LDAP server and your directory schema. There are two main strategies when resolving group membership - the first is searching for the authenticated user object and following an attribute to groups it is a member of. The second is to search for group objects of which the authenticated user is a member of. Both methods are supported.
-
-* `groupfilter` (string, optional) - Go template used when constructing the group membership query. The template can access the following context variables: \[`UserDN`, `Username`\]. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`, which is compatible with several common directory schemas. To support nested group resolution for Active Directory, instead use the following query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
-* `groupdn` (string, required) - LDAP search base to use for group membership search. This can be the root containing either groups or users. Example: `ou=Groups,dc=example,dc=com`
-* `groupattr` (string, optional) - LDAP attribute to follow on objects returned by `groupfilter` in order to enumerate user group membership. Examples: for groupfilter queries returning _group_ objects, use: `cn`. For queries returning _user_ objects, use: `memberOf`. The default is `cn`.
-
-*Note*: When using _Authenticated Search_ for binding parameters (see above) the distinguished name defined for `binddn` is used for the group search.  Otherwise, the authenticating user is used to perform the group search.
-
-Use `vault path-help` for more details.
-
-## Examples:
-
-### Scenario 1
-
-* LDAP server running on `ldap.example.com`, port 389.
-* Server supports `STARTTLS` command to initiate encryption on the standard port.
-* CA Certificate stored in file named `ldap_ca_cert.pem`
-* Server is Active Directory supporting the userPrincipalName attribute. Users are identified as `username@example.com`.
-* Groups are nested, we will use `LDAP_MATCHING_RULE_IN_CHAIN` to walk the ancestry graph.
-* Group search will start under `ou=Groups,dc=example,dc=com`. For all group objects under that path, the `member` attribute will be checked for a match against the authenticated user.
-* Group names are identified using their `cn` attribute.
-
-```
-$ vault write auth/ldap/config \
-    url="ldap://ldap.example.com" \
-    userdn="ou=Users,dc=example,dc=com" \
-    groupdn="ou=Groups,dc=example,dc=com" \
-    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
-    groupattr="cn" \
-    upndomain="example.com" \
-    certificate=@ldap_ca_cert.pem \
-    insecure_tls=false \
-    starttls=true
-...
-```
-
-### Scenario 2
-
-* LDAP server running on `ldap.example.com`, port 389.
-* Server supports `STARTTLS` command to initiate encryption on the standard port.
-* CA Certificate stored in file named `ldap_ca_cert.pem`
-* Server does not allow anonymous binds for performing user search.
-* Bind account used for searching is `cn=vault,ou=users,dc=example,dc=com` with password `My$ecrt3tP4ss`.
-* User objects are under the `ou=Users,dc-example,dc=com` organizational unit.
-* Username passed to vault when authenticating maps to the `sAMAccountName` attribute.
-* Group membership will be resolved via the `memberOf` attribute of _user_ objects. That search will begin under `ou=Users,dc=example,dc=com`.
-
-```
-$ vault write auth/ldap/config \
-    url="ldap://ldap.example.com" \
-    userattr=sAMAccountName \
-    userdn="ou=Users,dc=example,dc=com" \
-    groupdn="ou=Users,dc=example,dc=com" \
-    groupfilter="(&(objectClass=person)(uid={{.Username}}))" \
-    groupattr="memberOf" \
-    binddn="cn=vault,ou=users,dc=example,dc=com" \
-    bindpass='My$ecrt3tP4ss' \
-    certificate=@ldap_ca_cert.pem \
-    insecure_tls=false \
-    starttls=true
-...
-```
-
-### Scenario 3
-
-* LDAP server running on `ldap.example.com`, port 636 (LDAPS)
-* CA Certificate stored in file named `ldap_ca_cert.pem`
-* User objects are under the `ou=Users,dc=example,dc=com` organizational unit.
-* Username passed to vault when authenticating maps to the `uid` attribute.
-* User bind DN will be auto-discovered using anonymous binding.
-* Group membership will be resolved via any one of `memberUid`, `member`, or `uniqueMember` attributes. That search will begin under `ou=Groups,dc=example,dc=com`.
-* Group names are identified using the `cn` attribute.
-
-```
-$ vault write auth/ldap/config \
-    url="ldaps://ldap.example.com" \
-    userattr="uid" \
-    userdn="ou=Users,dc=example,dc=com" \
-    discoverdn=true \
-    groupdn="ou=Groups,dc=example,dc=com" \
-    certificate=@ldap_ca_cert.pem \
-    insecure_tls=false \
-    starttls=true
-...
-```
-
-## LDAP Group -> Policy Mapping
-
-Next we want to create a mapping from an LDAP group to a Vault policy:
-
-```
-$ vault write auth/ldap/groups/scientists policies=foo,bar
-```
-
-This maps the LDAP group "scientists" to the "foo" and "bar" Vault policies.
-We can also add specific LDAP users to additional (potentially non-LDAP)
-groups. Note that policies can also be specified on LDAP users as well.
-
-```
-$ vault write auth/ldap/groups/engineers policies=foobar
-$ vault write auth/ldap/users/tesla groups=engineers policies=zoobar
-```
-
-This adds the LDAP user "tesla" to the "engineers" group, which maps to
-the "foobar" Vault policy. User "tesla" itself is associated with "zoobar"
-policy.
-
-Finally, we can test this by authenticating:
-
-```
-$ vault login -method=ldap username=tesla
-Password (will be hidden):
-Successfully authenticated! The policies that are associated
-with this token are listed below:
-
-default, foobar, zoobar
-```
-
-## Note on policy mapping
-
-It should be noted that user -> policy mapping happens at token creation time. And changes in group membership on the LDAP server will not affect tokens that have already been provisioned. To see these changes, old tokens should be revoked and the user should be asked to reauthenticate.
-
-## API
-
-The LDAP auth method has a full HTTP API. Please see the
-[LDAP auth method API](/api/auth/ldap/index.html) for more
-details.
diff --git a/website/source/docs/auth/mfa.html.md b/website/source/docs/auth/mfa.html.md
deleted file mode 100644
index 7333b1ad3020..000000000000
--- a/website/source/docs/auth/mfa.html.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-layout: "docs"
-page_title: "Multi-Factor Authentication (MFA) - Auth Methods"
-sidebar_title: "MFA <sup>LEGACY / UNSUPPORTED</sup>"
-sidebar_current: "docs-auth-mfa"
-description: |-
-  Multi-factor authentication (MFA) is supported for several authentication
-  methods.
----
-
-# Multi-Factor Authentication
-
-~> **NOTE**: This page describes the legacy MFA system available in the OSS
-edition of Vault. This system is not supported by HashiCorp. Vault Enterprise
-contains a fully-supported MFA system that is significantly more complete and
-flexible and which can be used throughout Vault's API. See the [Vault
-Enterprise MFA](/docs/enterprise/mfa/index.html) page for more information.
-
-Several auth methods support multi-factor authentication (MFA). Once
-enabled for a method, users are required to provide additional verification,
-like a one-time passcode, before being authenticated.
-
-Currently, the "ldap", "okta", "radius", and "userpass" backends support MFA.
-
-## Authentication
-
-When authenticating, users still provide the same information as before, in
-addition to MFA verification. Usually this is a passcode, but in other cases,
-like a Duo Push notification, no additional information is needed.
-
-### Via the CLI
-
-```tedt
-$ vault login -method=userpass \
-    username=my-username \
-    password=test \
-    passcode=111111
-```
-
-```text
-$ vault login -method=userpass \
-    username=my-username \
-    password=test \
-    method=push
-```
-
-### Via the API
-
-The endpoint for the login is the same as for the original method. Additional
-MFA information should be sent in the POST body encoded as JSON.
-
-```shell
-$ curl \
-    --request POST \
-    --data '{"password": "test", "passcode": "111111"}' \
-    http://127.0.0.1:8200/v1/auth/userpass/login/my-username
-```
-
-The response is the same as for the original method.
-
-## Configuration
-
-To enable MFA for a supported method, the MFA type must be set in `mfa_config`.
-For example:
-
-```text
-$ vault write auth/userpass/mfa_config type=duo
-```
-
-This enables the Duo MFA type, which is currently the only MFA type supported.
-The username used for MFA is the same as the login username, unless the method
-or MFA type provide options to behave differently (see Duo configuration below).
-
-### Duo
-
-The Duo MFA type is configured through two paths: `duo/config` and `duo/access`.
-
-`duo/access` contains connection information for the Duo Auth API. To configure:
-
-```text
-$ vault write auth/[mount]/duo/access \
-    host=[host] \
-    ikey=[integration key] \
-    skey=[secret key]
-```
-
-`duo/config` is an optional path that contains general configuration information
-for Duo authentication. To configure:
-
-```text
-$ vault write auth/[mount]/duo/config \
-    user_agent="" \
-    username_format="%s"
-```
-
-- `user_agent` is the user agent to use when connecting to Duo.
-
-- `username_format` controls how the username used to login is transformed
-  before authenticating with Duo. This field is a format string that is passed
-  the original username as its first argument and outputs the new username. For
-  example "%s@example.com" would append "@example.com" to the provided username
-  before connecting to Duo.
-
-- `push_info` is a string of URL-encoded key/value pairs that provides
-  additional context about the authentication attempt in the Duo Mobile
-  application.
-
-More information can be found through the CLI `path-help` command.
diff --git a/website/source/docs/auth/oci.html.md b/website/source/docs/auth/oci.html.md
deleted file mode 100644
index d9055e349f66..000000000000
--- a/website/source/docs/auth/oci.html.md
+++ /dev/null
@@ -1,194 +0,0 @@
----
-layout: "docs"
-page_title: "OCI Auth method"
-sidebar_title: "Oracle Cloud Infrastructure"
-sidebar_current: "docs-auth-oci"
-description: |-
-  The OCI Auth method for Vault enables authentication and authorization using OCI Identity credentials.
----
-
-# OCI Auth Method
-
-The OCI Auth method for Vault enables authentication and authorization using [OCI Identity](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/overview.htm) credentials.
-
-This plugin is developed in a separate GitHub repository at https://github.com/hashicorp/vault-plugin-auth-oci,
-but is automatically bundled in Vault releases. Please file all feature requests, bugs, and pull requests
-specific to the OCI plugin under that repository.
-
-
-## OCI Roles
-
-The OCI Auth method authorizes using roles, as shown here:
-![Role Based Authorization](/img/oci/oci-role-based-authz.png)
-
-There is a many-to-many relationship between various items seen above:
-
-* A user can belong to many identity groups.
-* An identity group can contain many users.
-* A compute instance can belong to many dynamic groups.
-* A dynamic group can contain many compute instances.
-* A role defined in Vault can be mapped to many groups and dynamic groups.
-* A single role can be mapped to both groups and dynamic groups.
-* A Vault policy can be mapped from different roles.
-
-The `ocid_list` field of a role is a list of [Group or Dynamic Group](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/overview.htm#one) OCIDs. Only members of these Groups or Dynamic Groups are allowed to take this role.
-
-## Configuration
-
-### Configure the OCI Tenancy to Run Vault
-The OCI Auth method requires [instance principal](https://blogs.oracle.com/cloud-infrastructure/announcing-instance-principals-for-identity-and-access-management) credentials to call OCI Identity APIs, and therefore the Vault server needs to run inside an OCI compute instance.
-
-Follow the steps below to add policies to your tenancy that allow the OCI compute instance in which the Vault server is running to call certain OCI Identity APIs.
-
-1. In your tenancy, [launch the compute instance(s)](https://docs.cloud.oracle.com/iaas/Content/Compute/Tasks/launchinginstance.htm) that will run the Vault server. The [VCN](https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVCNs.htm) in which you launch the Compute Instance should have a [Service Gateway](https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/servicegateway.htm) added to it .
-        
-1.  Make a note of the Oracle Cloud Identifier (OCID) of the compute instance(s) running Vault.
-1.  In your tenancy, [create a dynamic group](https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm) with the name VaultDynamicGroup to contain the computer instance(s).
-1.  Add the OCID of the compute instance(s) to the dynamic group.
-1.  Add the following policies to the root compartment of your tenancy that allow the dynamic group to call specific Identity APIs.
-
-```
-    allow dynamic-group VaultDynamicGroup to {AUTHENTICATION_INSPECT} in tenancy   
-    allow dynamic-group VaultDynamicGroup to {GROUP_MEMBERSHIP_INSPECT} in tenancy
-```   
-    
-### Configure the OCI Auth method
-
-* Configure your home tenancy in the Vault, so that only users or instances from your tenancy will
-be allowed to log into Vault through the OCI Auth method. Create a file named hometenancyid.json with
-the below content, using the tenancy OCID. To find your tenancy OCID, see [https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm).       
-
-```json
-{"home_tenancy_id":"your tenancy ocid here"}
-```
-        
-* Configure the home_tenancy_id parameter in the Vault.
-
-```sh
-    curl --header "X-Vault-Token: $roottoken" --request PUT \       
-    --data @hometenancyid.json \       
-    http://127.0.0.1:8200/v1/auth/oci/config (127.0.0.1:8200/v1/auth/oci/config)
-```
-       
-* Create a Vault administrator role in the OCI Auth method. The vaultadminrole allows the
-administrator of Vault to log into Vault and grants them the permissions allowed in the policy.
-
-Create a file named vaultadminrole.json with the below contents. Replace the ocid_list with the
-Group or Dynamic Group OCIDs in your tenancy that has users or instances that you want to take the Vault admin role. 
-
-  * For testing in dev mode, you can add the OCID of the dynamic group previously created.
-  * In production, add only the OCID of groups and dynamic groups that can take the admin role in Vault.
-        
-```json
-{"token_policies":"vaultadminpolicy","token_ttl":"1800","ocid_list":"ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"}
-```
-        
-Create the Vault admin role:
-            
-```sh     
-    curl --header "X-Vault-Token: $roottoken" --request PUT \
-    --data @vaultadminrole.json \
-    http://127.0.0.1:8200/v1/auth/oci/role/vaultadminrole (127.0.0.1:8200/v1/auth/oci/role/vaultadminrole)
-```           
-
-1.  Log into the Vault using instance principal.
-    * This assumes that the VAULT\_ADDR export has been specified, as shown earlier in this page.     
-    * The compute instance that you are logging in from should be a part of a dynamic group that was added to the Vault admin role. The compute instance should also have connectivity to the endpoint specified in VAULT\_ADDR. 
-    * When testing in dev mode in the same compute instance that the Vault is running, this is [http://127.0.0.1:8200](http://127.0.0.1:8200/).    
-    `vault login -method=oci auth_type=instance role=vaultadminrole`
-
-You will see a response that includes a token with the previously added policy.
-
-1.  Use the received token to read secrets, writer secrets, and add roles per the instructions in [https://www.vaultproject.io/docs/secrets/kv/kv-v1.html](https://www.Vaultproject.io/docs/secrets/kv/kv-v1.html).
-1.  Log into Vault using the user API key.  
-    *  [Add an API Key](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm) for a user in the console. This user should be part of a group that has previously been added to the Vault admin role.
-    *  Create the config file `~/.oci/config` using the user's credentials as detailed in [https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm).  
-        Ensure that the region in the config matches the region of the compute instance that is running Vault.
-    *  Log into Vault using the user API key. 
-    
-       `vault login -method=oci auth_type=apikey role=vaultadminrole`      
-1.  Stop Vault and re-start it in the production environment. See [https://www.vaultproject.io/docs/configuration](https://www.Vaultproject.io/docs/configuration/) for more information.      
-1.  Repeat all steps in this [Configure the OCI Auth Method](#OnboardingtoOCIAuthMethod-ConfiguretheOCIAuthMethod) section while in the production environment.
-
-### Manage Roles in the OCI Auth method
-
-1.  Similar to creating the Vault administrator role, create other roles mapped to other policies. Create a file named devrole.json with the following contents. Replace ocid_list with Groups or Dynamic Groups in your tenancy.
-
-```json
-{"token_policies":"devpolicy","token_ttl":"1500","ocid_list":"ocid1.group.oc1..aaaaaaaaiqnblimpvmgrouplrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmdg2u5n7ffamn2pdvxaq6esb2vzzoduexamplea"}
-```
-    
-1.  Add the role.    
-
-```sh 
-curl --header "X-Vault-Token: $token" --request PUT \
---data @devrole.json \
-http://127.0.0.1:8200/v1/auth/oci/role/devrole (127.0.0.1:8200/v1/auth/oci/role/devrole)
-```
-
-1.  Login to Vault assuming the devrole.
-
-```sh
-vault login -method=oci auth_type=instance role=vaultadminrole`
-```
-    
-## Authentication
-
-When authenticating, users can use Vault cli.
-
-### Via the CLI
-
-With Compute Instance credentials: 
-
-```sh
-$ vault login -method=oci auth_type=instance role=devrole
-```
-
-With User credentials: [SDK Config](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm)
-
-```sh
-$ vault login -method=oci auth_type=apikey role=devrole
-```
-
-### Via the API
-
-1.  First, sign the following request with your OCI credentials and obtain the signing string and the authorization header. Replace the endpoint, scheme (http or https) & role of the URL corresponding to your vault configuration. For more information on signing, see [signing the request](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm).
-
-    http://127.0.0.1/v1/auth/oci/login/devrole
-
-1.  On signing the above request, you would get headers similar to:
-
-The signing string would look like (line breaks inserted into the (request-target) header for easier reading):
-            
-```text
-date: Fri, 22 Aug 2019 21:02:19 GMT
-(request-target): get /v1/auth/oci/login/devrole
-host: 127.0.0.1
-
-The Authorization header would look like:
-
-Signature version="1",headers="date (request-target) host",keyId="ocid1.t
-enancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/
-ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3ryn
-jq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7",algorithm="rsa-sha256
-",signature="GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPe
-DUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll
-8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M="
-```
-
-1.  Add the signed headers to the "request_headers" field and make the actual request to vault. An example is given below:
-
-```sh
-POST http://127.0.0.1/v1/auth/oci/login/devrole
-   "request_headers": {
-       "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
-       "(request-target)": ["get /v1/auth/oci/login/devrole"],
-       "host": ["127.0.0.1"],
-       "content-type": ["application/json"],
-       "authorization": ["Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""]
-   }
-```
-    
-## API
-
-The OCI Auth method has a full HTTP API. Please see the [API docs](/api/auth/oci/index.html) for more details.
\ No newline at end of file
diff --git a/website/source/docs/auth/okta.html.md b/website/source/docs/auth/okta.html.md
deleted file mode 100644
index 5e845e133ed3..000000000000
--- a/website/source/docs/auth/okta.html.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-layout: "docs"
-page_title: "Okta - Auth Methods"
-sidebar_title: "Okta"
-sidebar_current: "docs-auth-okta"
-description: |-
-  The Okta auth method allows users to authenticate with Vault using Okta
-  credentials.
----
-
-# Okta Auth Method
-
-The `okta` auth method allows authentication using Okta and user/password
-credentials. This allows Vault to be integrated into environments using Okta.
-
-The mapping of groups in Okta to Vault policies is managed by using the
-`users/` and `groups/` paths.
-
-## Authentication
-
-### Via the CLI
-
-The default path is `/okta`. If this auth method was enabled at a different
-path, specify `-path=/my-path` in the CLI.
-
-```text
-$ vault login -method=okta username=my-username
-```
-
-### Via the API
-
-The default endpoint is `auth/okta/login`. If this auth method was enabled
-at a different path, use that value instead of `okta`.
-
-```shell
-$ curl \
-    --request POST \
-    --data '{"password": "MY_PASSWORD"}' \
-    http://127.0.0.1:8200/v1/auth/okta/login/my-username
-```
-
-The response will contain a token at `auth.client_token`:
-
-```json
-{
-  "auth": {
-    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
-    "policies": [
-      "admins"
-    ],
-    "metadata": {
-      "username": "mitchellh"
-    }
-  }
-}
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-### Via the CLI
-
-1. Enable the Okta auth method:
-
-    ```text
-    $ vault auth enable okta
-    ```
-
-1. Configure Vault to communicate with your Okta account:
-
-    ```text
-    $ vault write auth/okta/config \
-        base_url="okta.com" \
-        organization="dev-123456" \
-        token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"
-    ```
-
-    **If no token is supplied, Vault will function, but only locally configured
-    group membership will be available. Without a token, groups will not be
-    queried.**
-
-    For the complete list of configuration options, please see the API
-    documentation.
-
-1. Map an Okta group to a Vault policy:
-
-    ```text
-    $ vault write auth/okta/groups/scientists policies=nuclear-reactor
-    ```
-
-    In this example, anyone who successfully authenticates via Okta who is a
-    member of the "scientists" group will receive a Vault token with the
-    "nuclear-reactor" policy attached.
-
-    ---
-
-    It is also possible to add users directly:
-
-    ```text
-    $ vault write auth/okta/groups/engineers policies=autopilot
-    $ vault write auth/okta/users/tesla groups=engineers
-    ```
-
-    This adds the Okta user "tesla" to the "engineers" group, which maps to
-    the "autopilot" Vault policy.
-
-      **The user-policy mapping via group membership happens at token _creation
-      time_. Any changes in group membership in Okta will not affect existing
-      tokens that have already been provisioned. To see these changes, users
-      will need to re-authenticate. You can force this by revoking the
-      existing tokens.**
-
-## API
-
-The Okta auth method has a full HTTP API. Please see the
-[Okta Auth API](/api/auth/okta/index.html) for more details.
diff --git a/website/source/docs/auth/radius.html.md b/website/source/docs/auth/radius.html.md
deleted file mode 100644
index d48b2776cbdb..000000000000
--- a/website/source/docs/auth/radius.html.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-layout: "docs"
-page_title: "RADIUS - Auth Methods"
-sidebar_title: "RADIUS"
-sidebar_current: "docs-auth-radius"
-description: |-
-  The "radius" auth method allows users to authenticate with Vault using an
-  existing RADIUS server.
----
-
-# RADIUS Auth Method
-
-The `radius` auth method allows users to authenticate with Vault using an
-existing RADIUS server that accepts the PAP authentication scheme.
-
-## Authentication
-
-The default path is `/radius`. If this auth method was enabled at a different
-path, specify `-path=/my-path` in the CLI.
-
-### Via the CLI
-
-```text
-$ vault login -path=radius username=sethvargo
-```
-
-### Via the API
-
-The default endpoint is `auth/radius/login`. If this auth method was enabled
-at a different path, use that value instead of `radius`.
-
-```shell
-$ curl \
-    --request POST \
-    --data '{"password": "..."}' \
-    http://127.0.0.1:8200/v1/auth/radius/login/sethvargo
-```
-
-The response will contain a token at `auth.client_token`:
-
-```json
-{
-  "auth": {
-    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
-    "policies": [
-      "admins"
-    ],
-    "metadata": {
-      "username": "mitchellh"
-    }
-  }
-}
-```
-
-## Configuration
-
-### Via the CLI
-
-1. Enable the radius auth method:
-
-    ```text
-    $ vault auth enable radius
-    ```
-
-1. Configure connection details for your RADIUS server.
-
-    ```text
-    $ vault write auth/radius/users/mitchellh policies=admins
-    ```
-
-    For the complete list of configuration options, please see the API
-    documentation.
-
-    The above creates a new mapping for user "mitchellh" that will be associated
-    with the "admins" policy.
-
-    Alternatively, Vault can assign a configurable set of policies to any user
-    that successfully authenticates with the RADIUS server but has no explicit
-    mapping in the `users/` path. This is done through the
-    `unregistered_user_policies` configuration parameter.
-
-## API
-
-The RADIUS auth method has a full HTTP API. Please see the
-[RADIUS Auth API](/api/auth/radius/index.html) for more
-details.
diff --git a/website/source/docs/auth/token.html.md b/website/source/docs/auth/token.html.md
deleted file mode 100644
index 6415e08a0e8a..000000000000
--- a/website/source/docs/auth/token.html.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-layout: "docs"
-page_title: "Token - Auth Methods"
-sidebar_title: "Tokens"
-sidebar_current: "docs-auth-token"
-description: |-
-  The token store auth method is used to authenticate using tokens.
----
-
-# Token Auth Method
-
-The `token` method is built-in and automatically available at `/auth/token`. It
-allows users to authenticate using a token, as well to create new tokens, revoke
-secrets by token, and more.
-
-When any other auth method returns an identity, Vault core invokes the
-token method to create a new unique token for that identity.
-
-The token store can also be used to bypass any other auth method:
-you can create tokens directly, as well as perform a variety of other
-operations on tokens such as renewal and revocation.
-
-Please see the [token concepts](/docs/concepts/tokens.html) page dedicated
-to tokens.
-
-## Authentication
-
-### Via the CLI
-
-```text
-$ vault login token=<token>
-```
-
-### Via the API
-
-The token is set directly as a header for the HTTP API. The header should be
-either `X-Vault-Token: <token>` or `Authorization: Bearer <token>`.
-
-## API
-
-The Token auth method has a full HTTP API. Please see the
-[Token auth method API](/api/auth/token/index.html) for more
-details.
diff --git a/website/source/docs/auth/userpass.html.md b/website/source/docs/auth/userpass.html.md
deleted file mode 100644
index 2eecb5f07adc..000000000000
--- a/website/source/docs/auth/userpass.html.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-layout: "docs"
-page_title: "Userpass - Auth Methods"
-sidebar_title: "Username &amp; Password"
-sidebar_current: "docs-auth-userpass"
-description: |-
-  The "userpass" auth method allows users to authenticate with Vault using a username and password.
----
-
-# Userpass Auth Method
-
-The `userpass` auth method allows users to authenticate with Vault using
-a username and password combination.
-
-The username/password combinations are configured directly to the auth
-method using the `users/` path. This method cannot read usernames and
-passwords from an external source.
-
-The method lowercases all submitted usernames, e.g. `Mary` and `mary` are the
-same entry.
-
-## Authentication
-
-### Via the CLI
-
-```text
-$ vault login -method=userpass \
-    username=mitchellh \
-    password=foo
-```
-
-### Via the API
-
-```shell
-$ curl \
-    --request POST \
-    --data '{"password": "foo"}' \
-    http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
-```
-
-The response will contain the token at `auth.client_token`:
-
-```json
-{
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "auth": {
-    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
-    "policies": [
-      "admins"
-    ],
-    "metadata": {
-      "username": "mitchellh"
-    },
-    "lease_duration": 0,
-    "renewable": false
-  }
-}
-```
-
-## Configuration
-
-Auth methods must be configured in advance before users or machines can
-authenticate. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the userpass auth method:
-
-    ```text
-    $ vault auth enable userpass
-    ```
-
-1. Configure it with users that are allowed to authenticate:
-
-    ```text
-    $ vault write auth/userpass/users/mitchellh \
-        password=foo \
-        policies=admins
-    ```
-
-    This creates a new user "mitchellh" with the password "foo" that will be
-    associated with the "admins" policy. This is the only configuration
-    necessary.
-
-## API
-
-The Userpass auth method has a full HTTP API. Please see the [Userpass auth
-method API](/api/auth/userpass/index.html) for more details.
diff --git a/website/source/docs/commands/agent.html.md b/website/source/docs/commands/agent.html.md
deleted file mode 100644
index ff5fc7c8b3c0..000000000000
--- a/website/source/docs/commands/agent.html.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-layout: "docs"
-page_title: "agent - Command"
-sidebar_title: "<code>agent</code>"
-sidebar_current: "docs-commands-agent"
-description: |-
-  The "agent" command is used to start Vault Agent
----
-
-# agent
-
-Please see the [Vault Agent documentation page](/docs/agent/index.html).
diff --git a/website/source/docs/commands/audit/disable.html.md b/website/source/docs/commands/audit/disable.html.md
deleted file mode 100644
index ce26975b041f..000000000000
--- a/website/source/docs/commands/audit/disable.html.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-layout: "docs"
-page_title: "audit disable - Command"
-sidebar_title: "<code>disable</code>"
-sidebar_current: "docs-commands-audit-disable"
-description: |-
-  The "audit disable" command disables an audit device at a given path, if one
-  exists. This command is idempotent, meaning it succeeds even if no audit
-  device is enabled at the path.
----
-
-# audit disable
-
-The `audit disable` command disables an audit device at a given path, if one
-exists. This command is idempotent, meaning it succeeds even if no audit device
-is enabled at the path.
-
-Once an audit device is disabled, no future audit logs are dispatched to it. The
-data associated with the audit device is unaffected. For example, if you
-disabled an audit device that was logging to a file, the file would still exist
-and have stored contents.
-
-## Examples
-
-Disable the audit device enabled at "file/":
-
-```text
-$ vault audit disable file/
-Success! Disabled audit device (if it was enabled) at: file/
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/audit/enable.html.md b/website/source/docs/commands/audit/enable.html.md
deleted file mode 100644
index add810f170f7..000000000000
--- a/website/source/docs/commands/audit/enable.html.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-layout: "docs"
-page_title: "audit enable - Command"
-sidebar_title: "<code>enable</code>"
-sidebar_current: "docs-commands-audit-enable"
-description: |-
-  The "audit enable" command enables an audit device at a given path.
----
-
-# audit enable
-
-The `audit enable` command enables an audit device at a given path. If an audit
-device already exists at the given path, an error is returned. Additional
-options for configuring the audit device are provided as `KEY=VALUE`. Each audit
-device declares its own set of configuration options.
-
-Once an audit device is enabled, almost every request and response will be
-logged to the device.
-
-## Examples
-
-Enable the audit device "file" enabled at "file/":
-
-```text
-$ vault audit enable file file_path=/tmp/my-file.txt
-Success! Enabled the file audit device at: file/
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-- `-description` `(string: "")` - Human-friendly description for the purpose of
-  this audit device.
-
--  `-local` `(bool: false)` - Mark the audit device as a local-only device.
-   Local devices are not replicated or removed by replication.
-
-- `-path` `(string: "")` - Place where the audit device will be accessible. This
-  must be unique across all audit devices. This defaults to the "type" of the
-  audit device.
diff --git a/website/source/docs/commands/audit/index.html.md b/website/source/docs/commands/audit/index.html.md
deleted file mode 100644
index 43a39cc1f6de..000000000000
--- a/website/source/docs/commands/audit/index.html.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-layout: "docs"
-page_title: "audit - Command"
-sidebar_title: "<code>audit</code>"
-sidebar_current: "docs-commands-audit"
-description: |-
-  The "audit" command groups subcommands for interacting with Vault's audit
-  devices. Users can list, enable, and disable audit devices.
----
-
-# audit
-
-The `audit` command groups subcommands for interacting with Vault's audit
-devices. Users can list, enable, and disable audit devices.
-
-For more information, please see the [audit device
-documentation](/docs/audit/index.html)
-
-## Examples
-
-Enable an audit device:
-
-```text
-$ vault audit enable file file_path=/tmp/my-file.txt
-Success! Enabled the file audit device at: file/
-```
-
-List all audit devices:
-
-```text
-$ vault audit list
-Path     Type    Description
-----     ----    -----------
-file/    file    n/a
-```
-
-Disable an audit device:
-
-```text
-$ vault audit disable file/
-Success! Disabled audit device (if it was enabled) at: file/
-```
-
-## Usage
-
-```text
-Usage: vault audit <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    disable    Disables an audit device
-    enable     Enables an audit device
-    list       Lists enabled audit devices
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/audit/list.html.md b/website/source/docs/commands/audit/list.html.md
deleted file mode 100644
index 4f9d3ba8c3b9..000000000000
--- a/website/source/docs/commands/audit/list.html.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-layout: "docs"
-page_title: "audit list - Command"
-sidebar_title: "<code>list</code>"
-sidebar_current: "docs-commands-audit-list"
-description: |-
-  The "audit list" command lists the audit devices enabled. The output lists the
-  enabled audit devices and options for those devices.
----
-
-# audit list
-
-The `audit list` command lists the audit devices enabled. The output lists the
-enabled audit devices and options for those devices.
-
-## Examples
-
-List all audit devices:
-
-```text
-$ vault audit list
-Path     Type    Description
-----     ----    -----------
-file/    file    n/a
-```
-
-List detailed audit device information:
-
-```text
-$ vault audit list -detailed
-Path     Type    Description    Replication    Options
-----     ----    -----------    -----------    -------
-file/    file    n/a            replicated     file_path=/var/log/audit.log
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-detailed` `(bool: false)` - Print detailed information such as options and
-  replication status about each auth device.
diff --git a/website/source/docs/commands/auth/disable.html.md b/website/source/docs/commands/auth/disable.html.md
deleted file mode 100644
index 545aba36505d..000000000000
--- a/website/source/docs/commands/auth/disable.html.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-layout: "docs"
-page_title: "auth disable - Command"
-sidebar_title: "<code>disable</code>"
-sidebar_current: "docs-commands-auth-disable"
-description: |-
-  The "auth disable" command disables an auth method at a given path, if one
-  exists. This command is idempotent, meaning it succeeds even if no auth method
-  is enabled at the path.
----
-
-# auth disable
-
-The `auth disable` command disables an auth method at a given path, if one
-exists. This command is idempotent, meaning it succeeds even if no auth method
-is enabled at the path.
-
-Once an auth method is disabled, it can no longer be used for authentication.
-**All access tokens generated via the disabled auth method are immediately
-revoked.** This command will block until all tokens are revoked.
-
-## Examples
-
-Disable the auth method enabled at "userpass/":
-
-```text
-$ vault auth disable userpass/
-Success! Disabled the auth method (if it existed) at: userpass/
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/auth/enable.html.md b/website/source/docs/commands/auth/enable.html.md
deleted file mode 100644
index 39cf1770cc29..000000000000
--- a/website/source/docs/commands/auth/enable.html.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-layout: "docs"
-page_title: "auth enable - Command"
-sidebar_title: "<code>enable</code>"
-sidebar_current: "docs-commands-auth-enable"
-description: |-
-  The "auth enable" command enables an auth method at a given path. If an auth
-  method already exists at the given path, an error is returned. After the auth
-  method is enabled, it usually needs configuration.
----
-
-# auth enable
-
-The `auth enable` command enables an auth method at a given path. If an auth
-method already exists at the given path, an error is returned. After the auth
-method is enabled, it usually needs configuration. The configuration varies by
-auth method.
-
-An auth method is responsible for authenticating users or machines and assigning
-them policies and a token with which they can access Vault. Authentication is
-usually mapped to policy. Please see the [policies
-concepts](/docs/concepts/policies.html) page for more information.
-
-## Examples
-
-Enable the auth method "userpass" enabled at "userpass/":
-
-```text
-$ vault auth enable userpass
-Success! Enabled the userpass auth method at: userpass/
-```
-
-Create a user:
-
-```text
-$ vault write auth/userpass/users/sethvargo password=secret
-Success! Data written to: auth/userpass/users/sethvargo
-```
-
-For more information on the specific configuration options and paths, please see
-the [auth method](/docs/auth/index.html) documentation.
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-- `-description` `(string: "")` - Human-friendly description for the purpose of
-  this auth method.
-
-- `-local` `(bool: false)` - Mark the auth method as local-only. Local auth
-  methods are not replicated nor removed by replication.
-
-- `-path` `(string: "")` - Place where the auth method will be accessible. This
-  must be unique across all auth methods. This defaults to the "type" of the
-  auth method. The auth method will be accessible at `/auth/<path>`.
diff --git a/website/source/docs/commands/auth/help.html.md b/website/source/docs/commands/auth/help.html.md
deleted file mode 100644
index 7457261c0adb..000000000000
--- a/website/source/docs/commands/auth/help.html.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-layout: "docs"
-page_title: "auth help - Command"
-sidebar_title: "<code>help</code>"
-sidebar_current: "docs-commands-auth-help"
-description: |-
-  The "auth help" command prints usage and help for an auth method.
----
-
-# auth help
-
-The `auth help` command prints usage and help for an auth method.
-
-  - If given a TYPE, this command prints the default help for the auth method of
-    that type.
-
-  - If given a PATH, this command prints the help output for the auth method
-    enabled at that path. This path must already exist.
-
-Each auth method produces its own help output.
-
-## Examples
-
-Get usage instructions for the userpass auth method:
-
-```text
-$ vault auth help userpass
-Usage: vault login -method=userpass [CONFIG K=V...]
-
-  The userpass auth method allows users to authenticate using Vault's
-  internal user database.
-
-# ...
-```
-
-Print usage for the auth method enabled at my-method/
-
-```text
-$ vault auth help my-method/
-# ...
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/auth/index.html.md b/website/source/docs/commands/auth/index.html.md
deleted file mode 100644
index 33e1606ce845..000000000000
--- a/website/source/docs/commands/auth/index.html.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-layout: "docs"
-page_title: "auth - Command"
-sidebar_title: "<code>auth</code>"
-sidebar_current: "docs-commands-auth"
-description: |-
-  The "auth" command groups subcommands for interacting with Vault's auth
-  methods. Users can list, enable, disable, and get help for different auth
-  methods.
----
-
-# auth
-
-The `auth` command groups subcommands for interacting with Vault's auth methods.
-Users can list, enable, disable, and get help for different auth methods.
-
-For more information, please see the [auth method
-documentation](/docs/auth/index.html) or the [authentication
-concepts](/docs/concepts/auth.html) page.
-
-To authenticate to Vault as a user or machine, use the [`vault login`](/docs/commands/login.html) command instead. This command is for
-interacting with the auth methods themselves, not authenticating to Vault.
-
-## Examples
-
-Enable an auth method:
-
-```text
-$ vault auth enable userpass
-Success! Enabled userpass auth method at: userpass/
-```
-
-List all auth methods:
-
-```text
-$ vault auth list
-Path         Type        Description
-----         ----        -----------
-token/       token       token based credentials
-userpass/    userpass    n/a
-```
-
-Get help about how to authenticate to a particular auth method:
-
-```text
-$ vault auth help userpass/
-Usage: vault login -method=userpass [CONFIG K=V...]
-# ...
-```
-
-Disable an auth method:
-
-```text
-$ vault auth disable userpass/
-Success! Disabled the auth method (if it existed) at: userpass/
-```
-
-Tune an auth method:
-
-```text
-$ vault auth tune -max-lease-ttl=30m userpass/
-Success! Tuned the auth method at: userpass/
-```
-
-## Usage
-
-```text
-Usage: vault auth <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    disable    Disables an auth method
-    enable     Enables a new auth method
-    help       Prints usage for an auth method
-    list       Lists enabled auth methods
-    tune       Tunes an auth method configuration
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/auth/list.html.md b/website/source/docs/commands/auth/list.html.md
deleted file mode 100644
index babad4e4fdfc..000000000000
--- a/website/source/docs/commands/auth/list.html.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-layout: "docs"
-page_title: "auth list - Command"
-sidebar_title: "<code>list</code>"
-sidebar_current: "docs-commands-auth-list"
-description: |-
-  The "auth list" command lists the auth methods enabled. The output lists the
-  enabled auth methods and options for those methods.
----
-
-# auth list
-
-The `auth list` command lists the auth methods enabled. The output lists the
-enabled auth methods and options for those methods.
-
-## Examples
-
-List all auth methods:
-
-```text
-$ vault auth list
-Path         Type        Description
-----         ----        -----------
-token/       token       token based credentials
-userpass/    userpass    n/a
-```
-
-List detailed auth method information:
-
-```text
-$ vault auth list -detailed
-Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
-----         ----        --------                  ------    -----------    -------    -----------    -----------
-token/       token       auth_token_b2166f9e       n/a       system         system     replicated     token based credentials
-userpass/    userpass    auth_userpass_eea6507e    n/a       system         system     replicated     n/a
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-detailed` `(bool: false)` - Print detailed information such as configuration
-  and replication status about each auth method.
diff --git a/website/source/docs/commands/auth/tune.html.md b/website/source/docs/commands/auth/tune.html.md
deleted file mode 100644
index 1c42b4aa74a6..000000000000
--- a/website/source/docs/commands/auth/tune.html.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-layout: "docs"
-page_title: "auth tune - Command"
-sidebar_title: "<code>tune</code>"
-sidebar_current: "docs-commands-auth-tune"
-description: |-
-  The "auth tune" command tunes the configuration options for the auth method at
-  the given PATH.
----
-
-# auth tune
-
-The `auth tune` command tunes the configuration options for the auth method at
-the given PATH. **The argument corresponds to the PATH where the auth method is
-enabled, not the TYPE!**
-
-## Examples
-
-Tune the default lease for the auth method enabled at "github/":
-
-```text
-$ vault auth tune -default-lease-ttl=72h github/
-Success! Tuned the auth method at: github/
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this auth
-  method. If unspecified, this defaults to the Vault server's globally
-  configured default lease TTL, or a previously configured value for the auth
-  method.
-
-- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth
-  method. If unspecified, this defaults to the Vault server's globally
-  configured maximum lease TTL, or a previously configured value for the auth
-  method.
diff --git a/website/source/docs/commands/debug.html.md b/website/source/docs/commands/debug.html.md
deleted file mode 100644
index d301e810276f..000000000000
--- a/website/source/docs/commands/debug.html.md
+++ /dev/null
@@ -1,150 +0,0 @@
----
-layout: "docs"
-page_title: "debug - Command"
-sidebar_title: "<code>debug</code>"
-sidebar_current: "docs-commands-debug"
-description: |-
-  The "debug" command monitors a Vault server, probing information about
-  it for a certain duration.
----
-
-# debug
-
-The `debug` command starts a process that monitors a Vault server, probing
-information about it for a certain duration.
-
-Gathering information about the state of the Vault cluster often requires the
-operator to access all necessary information via various API calls and terminal
-commands. The `debug` command aims to provide a simple workflow that produces a
-consistent output to help operators retrieve and share information about the
-server in question.
-
-The `debug` command honors the same the variables that the base command
-accepts, such as the token stored via a previous login or the environment
-variables `VAULT_TOKEN` and `VAULT_ADDRESS`. The token used determines the
-permissions and, in turn, the information that `debug` may be able to collect.
-The address specified determines the target server that will be probed against.
-
-If the command is interrupted, the information collected up until that
-point gets persisted to an output directory.
-
-## Permissions
-
-Regardless of whether a particular target is provided, the ability for `debug`
-to fetch data for the target depends on the token provided. Some targets, such
-as `server-status`, queries unauthenticated endpoints which means that it can be
-queried all the time. Other targets require the token to have ACL permissions to
-query the matching endpoint in order to get a proper response. Any errors
-encountered during capture due to permissions or otherwise will be logged in the
-index file.
-
-## Capture Targets
-
-The `-target` flag can be specified multiple times to capture specific
-information when debug is running. By default, it captures all information.
-
-| Target               | Description                                                                       |
-|:---------------------|:----------------------------------------------------------------------------------|
-| `config`             | Sanitized version of the configuration state.                                     |
-| `host`               | Information about the instance running the server, such as CPU, memory, and disk. |
-| `metrics`            | Telemetry information.                                                            |
-| `pprof`              | Runtime profiling data, including heap, CPU, goroutine, and trace profiling.      |
-| `replication-status` | Replication status.                                                               |
-| `server-status`      | Health and seal status.                                                           |
-
-Note that the `config`, `host`,`metrics`, and `pprof` targets are only queried 
-on active and performance standby nodes due to the the fact that the information
-pertains to the local node and the request should not be forwarded. 
-
-Additionally, host information is not available on the OpenBSD platform due to
-library limitations in fetching the data without enabling `cgo`.
-
-
-## Output Layout
-
-The output of the bundled information, once decompressed, is contained within a
-single directory. Each target, with the exception of profiling data, is captured
-in a single file. For each of those targets collection is represented as a JSON
-array object, with each entry captured at each interval as a JSON object.
-
-```text
-$ tree vault-debug-2019-10-15T21-44-49Z/
-vault-debug-2019-10-15T21-44-49Z/
-├── 2019-10-15T21-44-49Z
-│   ├── goroutine.prof
-│   ├── heap.prof
-│   ├── profile.prof
-│   └── trace.out
-├── 2019-10-15T21-45-19Z
-│   ├── goroutine.prof
-│   ├── heap.prof
-│   ├── profile.prof
-│   └── trace.out
-├── 2019-10-15T21-45-49Z
-│   ├── goroutine.prof
-│   ├── heap.prof
-│   ├── profile.prof
-│   └── trace.out
-├── 2019-10-15T21-46-19Z
-│   ├── goroutine.prof
-│   ├── heap.prof
-│   ├── profile.prof
-│   └── trace.out
-├── 2019-10-15T21-46-49Z
-│   ├── goroutine.prof
-│   └── heap.prof
-├── config.json
-├── host_info.json
-├── index.json
-├── metrics.json
-├── replication_status.json
-└── server_status.json
-```
-
-## Examples
-
-Start debug using sane defaults:
-
-```text
-$ vault debug
-```
-
-Start debug with different duration, intervals, and metrics interval values, and
-skip compression:
-
-```text
-$ vault debug -duration=1m -interval=10s -metrics-interval=5s -compress=false
-```
-
-Start debug with specific targets:
-
-```text
-$ vault debug -target=host -target=metrics
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Command Options
-
-- `-compress` `(bool: true)` - Toggles whether to compress output package The
-  default is true.
-
-- `-duration` `(int or time string: "2m")` - Duration to run the command. The
-  default is 2m0s.
-
-- `-interval` `(int or time string: "30s")` - The polling interval at which to
-  collect profiling data and server state. The default is 30s.
-
-- `-metrics-interval` `(int or time string: "10s")` - The polling interval at
-  which to collect metrics data. The default is 10s.
-
-- `-output` `(string)` - Specifies the output path for the debug package. Defaults
-  to an time-based generated file name.
-
-- `-target` `(string: all targets)` - Target to capture, defaulting to all if
-  none specified. This can be specified multiple times to capture multiple
-  targets. Available targets are: config, host, metrics, pprof,
-  replication-status, server-status.
\ No newline at end of file
diff --git a/website/source/docs/commands/delete.html.md b/website/source/docs/commands/delete.html.md
deleted file mode 100644
index c80e94b7488d..000000000000
--- a/website/source/docs/commands/delete.html.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-layout: "docs"
-page_title: "delete - Command"
-sidebar_title: "<code>delete</code>"
-sidebar_current: "docs-commands-delete"
-description: |-
-  The "delete" command deletes secrets and configuration from Vault at the given
-  path. The behavior of "delete" is delegated to the backend corresponding to
-  the given path.
----
-
-# delete
-
-The `delete` command deletes secrets and configuration from Vault at the given
-path. The behavior of "delete" is delegated to the backend corresponding to the
-given path.
-
-## Examples
-
-Remove data in the static secrets engine:
-
-```text
-$ vault delete secret/my-secret
-```
-
-Uninstall an encryption key in the transit backend:
-
-```text
-$ vault delete transit/keys/my-key
-```
-
-Delete an IAM role:
-
-```text
-$ vault delete aws/roles/ops
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/help.html.md b/website/source/docs/commands/help.html.md
deleted file mode 100644
index 1c43a730f1cc..000000000000
--- a/website/source/docs/commands/help.html.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-layout: "docs"
-page_title: "Path Help"
-sidebar_title: "<code>path-help</code>"
-sidebar_current: "docs-commands-path-help"
-description: |-
-  The Vault CLI has a built-in help system that can be used to get help for not only the CLI itself, but also any paths that the CLI can be used with within Vault.
----
-
-# Help
-
-In addition to standard CLI help using the `-h` or `-help` flag for
-commands, Vault has a built-in `path-help` command that can be used to get
-help for specific paths within Vault. These paths are used with the
-API or `read, write, delete` commands in order to interact with Vault.
-
-The help system is the easiest way to learn how to use the various systems
-in Vault, and also allows you to discover new paths.
-
--> **Important!** The help system is incredibly important in day-to-day
-use of Vault. As a beginner or experienced user of Vault, you'll be using
-the help command a lot to remember how to use different components of
-Vault. Note that the Vault Server must be running and the client configured
-properly to execute this command to look up paths.
-
-## Discovering Paths
-
-Before using `path-help`, it is important to understand "paths" within Vault.
-Paths are the parameters used for `vault read`, `vault write`, etc. An
-example path is `secret/foo`, or `aws/config/root`. The paths available
-depend on the enabled secrets engines. Because of this, the interactive
-help is an indispensable tool to finding what paths are supported.
-
-To discover what paths are supported, use `vault path-help <mount point>`.
-For example, if you mounted the AWS secrets engine, you can use
-`vault path-help aws` to find the paths supported by that backend. The paths
-will be shown with regular expressions, which can make them hard to
-parse, but they're also extremely exact.
-
-You can try it right away with any Vault with `vault path-help secret`, since
-`secret` is always mounted initially. The output from this command is shown
-below and contains both a description of what that backend is for, along with
-the paths it supports.
-
-```
-$ vault path-help secret
-## DESCRIPTION
-
-The key/value backend reads and writes arbitrary secrets to the backend.
-The secrets are encrypted/decrypted by Vault: they are never stored
-unencrypted in the backend and the backend never has an opportunity to
-see the unencrypted value.
-
-Leases can be set on a per-secret basis. These leases will be sent down
-when that secret is read, and it is assumed that some outside process will
-revoke and/or replace the secret at that path.
-
-## PATHS
-
-The following paths are supported by this backend. To view help for
-any of the paths below, use the help command with any route matching
-the path pattern. Note that depending on the policy of your auth token,
-you may or may not be able to access certain paths.
-
-    ^.*$
-        Pass-through secret storage to the storage backend, allowing you to
-        read/write arbitrary data into secret storage.
-```
-
-## Single Path
-
-Once you've found a path you like, you can learn more about it by
-using `vault path-help <path>` where "path" is a path that matches one of the
-regular expressions from the backend help.
-
-Or, if you saw an example online with `vault write` or some similar
-command, you can plug that directly into `vault path-help` to learn about it
-(assuming you have the proper backends mounted!).
-
-For example, below we get the help for a single secret in the `secret/`
-mount point. The help shows the operations that that path supports, the
-parameters it takes (for write), and a description of that specific path.
-
-```
-$ vault path-help secret/password
-Request:        password
-Matching Route: ^.*$
-
-Pass-through secret storage to the storage backend, allowing you to
-read/write arbitrary data into secret storage.
-
-## PARAMETERS
-
-    lease (string)
-        Lease time for this key when read. Ex: 1h
-
-## DESCRIPTION
-
-The pass-through backend reads and writes arbitrary data into secret storage,
-encrypting it along the way.
-
-A lease can be specified when writing with the "lease" field. If given, then
-when the secret is read, Vault will report a lease with that duration. It
-is expected that the consumer of this backend properly writes renewed keys
-before the lease is up. In addition, revocation must be handled by the
-user of this backend.
-```
diff --git a/website/source/docs/commands/index.html.md b/website/source/docs/commands/index.html.md
deleted file mode 100644
index c0f75b19555a..000000000000
--- a/website/source/docs/commands/index.html.md
+++ /dev/null
@@ -1,312 +0,0 @@
----
-layout: "docs"
-page_title: "Commands (CLI)"
-sidebar_title: "Commands (CLI)"
-sidebar_current: "docs-commands"
-description: |-
-  In addition to a verbose HTTP API, Vault features a command-line interface
-  that wraps common functionality and formats output. The Vault CLI is a single
-  static binary. It is a thin wrapper around the HTTP API. Every CLI command
-  maps directly to the HTTP API internally.
----
-
-# Vault Commands (CLI)
-
-~> **Note:** The Vault CLI interface was changed substantially in 0.9.2+ and may cause
-confusion while using older versions of Vault with this documentation. Read our
-[upgrade guide](/guides/upgrading/upgrade-to-0.9.2.html#backwards-compatible-cli-changes) for more information.
-
-In addition to a verbose [HTTP API](/api/index.html), Vault features a
-command-line interface that wraps common functionality and formats output. The
-Vault CLI is a single static binary. It is a thin wrapper around the HTTP API.
-Every CLI command maps directly to the HTTP API internally.
-
-Each command is represented as a command or subcommand. Please see the sidebar
-for more information about a particular command. This documentation corresponds
-to the latest version of Vault. If you are running an older version, commands
-may behave differently. Run `vault -h` or `vault <command> -h` to see the help
-output which corresponds to your version.
-
-To get help, run:
-
-```text
-$ vault -h
-```
-
-To get help for a subcommand, run:
-
-```text
-$ vault <subcommand> -h
-```
-
-## CLI Command Structure
-
-There are a number of command and subcommand options available: HTTP options,
-output options, and command specific options.
-
-Construct your Vault CLI command such that the command options precede its path
-and arguments if any:
-
-```text
-vault <command> [options] [path] [args]
-```
-
-- `options` - [Flags](/docs/commands/index.html#flags) to specify additional settings
-- `args` - API arguments specific to the operation
-
-  -> **NOTE:** Run `vault path-help <path>` to see the list of args (parameters).
-
-#### Examples:
-
-The following `write` command creates a new user (`bob`) in the userpass auth
-method. It passes the `-address` flag to specify the Vault server address which
-precedes the path (`auth/userpass/users/bob`) and its
-[argument](/api/auth/userpass/index.html#create-update-user)
-(`password="long-password"`) at last.
-
-```text
-$ vault write -address="http://127.0.0.1:8200" auth/userpass/users/bob password="long-password"
-```
-
-If multiple options (`-address` and `-namespace`) and
-[arguments](/api/auth/userpass/index.html#create-update-user) (`password` and
-`policies`) are specified, the command would look like:
-
-```text
-$ vault write -address="http://127.0.0.1:8200" -namespace="my-organization" \
-        auth/userpass/users/bob password="long-password" policies="admin"
-```
-
-The options (flags) come after the command (or subcommand) preceding the path,
-and the args always follow the path to set API parameter values.
-
-## Exit Codes
-
-The Vault CLI aims to be consistent and well-behaved unless documented
-otherwise.
-
-  - Local errors such as incorrect flags, failed validations, or wrong numbers
-    of arguments return an exit code of 1.
-
-  - Any remote errors such as API failures, bad TLS, or incorrect API parameters
-    return an exit status of 2
-
-Some commands override this default where it makes sense. These commands
-document this anomaly.
-
-## Autocompletion
-
-The `vault` command features opt-in autocompletion for flags, subcommands, and
-arguments (where supported).
-
-Enable autocompletion by running:
-
-```text
-$ vault -autocomplete-install
-```
-
-~> Be sure to **restart your shell** after installing autocompletion!
-
-When you start typing a Vault command, press the `<tab>` character to show a
-list of available completions. Type `-<tab>` to show available flag completions.
-
-If the `VAULT_*` environment variables are set, the autocompletion will
-automatically query the Vault server and return helpful argument suggestions.
-
-## Reading and Writing Data
-
-The four most common operations in Vault are `read`, `write`, `delete`, and
-`list`. These operations work on most paths in Vault. Some paths will
-contain secrets, other paths might contain configuration. Whatever it is, the
-primary interface for reading and writing data to Vault is similar.
-
-To demonstrate basic read and write operations, the built-in key/value (K/V)
-secrets engine will be used. This engine is automatically mounted and has no
-external dependencies, making it practical for this introduction. Note that
-K/V uses slightly different commands for reading and writing: `kv get`
-and `kv put`, respectively.
-
-~> The original version of K/V used the common `read` and `write` operations.
-A more advanced K/V Version 2 engine was released in Vault 0.10 and introduced
-the `kv get` and `kv put` commands.
-
-
-### Writing Data
-
-To write data to Vault, use the `vault kv put` command:
-
-```text
-$ vault kv put secret/password value=itsasecret
-```
-
-For some secrets engines, the key/value pairs are arbitrary. For others, they
-are generally more strict. Vault's built-in help will guide you to these
-restrictions where appropriate.
-
-#### stdin
-
-Some commands in Vault can read data from stdin using `-` as the value. If `-`
-is the entire argument, Vault expects to read a JSON object from stdin:
-
-```text
-$ echo -n '{"value":"itsasecret"}' | vault kv put secret/password -
-```
-
-In addition to reading full JSON objects, Vault can read just a value from
-stdin:
-
-```text
-$ echo -n "itsasecret" | vault kv put secret/password value=-
-```
-
-#### Files
-
-Some commands can also read data from a file on disk. The usage is similar to
-stdin as documented above. If an argument starts with `@`, Vault will read it as
-a file:
-
-```text
-$ vault kv put secret/password @data.json
-```
-
-Or specify the contents of a file as a value:
-
-```text
-$ vault kv put secret/password value=@data.txt
-```
-
-### Reading Data
-
-After data is persisted, read it back using `vault kv get`:
-
-```
-$ vault kv get secret/password
-Key                 Value
----                 -----
-refresh_interval    768h0m0s
-value               itsasecret
-```
-
-## Token Helper
-
-By default, the Vault CLI uses a "token helper" to cache the token after
-authentication. This is conceptually similar to how a website securely stores
-your session information as a cookie in the browser. Token helpers are
-customizable, and you can even build your own.
-
-The default token helper stores the token in `~/.vault-token`. You can delete
-this file at any time to "logout" of Vault.
-
-## Environment Variables
-
-The CLI reads the following environment variables to set behavioral defaults.
-This can alleviate the need to repetitively type a flag. Flags always take
-precedence over the environment variables.
-
-### `VAULT_TOKEN`
-
-Vault authentication token. Conceptually similar to a session token on a
-website, the `VAULT_TOKEN` environment variable holds the contents of the token.
-For more information, please see the [token
-concepts](/docs/concepts/tokens.html) page.
-
-### `VAULT_ADDR`
-
-Address of the Vault server expressed as a URL and port, for example:
-`https://127.0.0.1:8200/`.
-
-### `VAULT_CACERT`
-
-Path to a PEM-encoded CA certificate _file_ on the local disk. This file is used
-to verify the Vault server's SSL certificate. This environment variable takes
-precedence over `VAULT_CAPATH`.
-
-### `VAULT_CAPATH`
-
-Path to a _directory_ of PEM-encoded CA certificate files on the local disk.
-These certificates are used to verify the Vault server's SSL certificate.
-
-### `VAULT_CLIENT_CERT`
-
-Path to a PEM-encoded client certificate on the local disk. This file is used
-for TLS communication with the Vault server.
-
-### `VAULT_CLIENT_KEY`
-
-Path to an unencrypted, PEM-encoded private key on disk which corresponds to the
-matching client certificate.
-
-### `VAULT_CLIENT_TIMEOUT`
-
-Timeout variable. The default value is 60s.
-
-### `VAULT_CLUSTER_ADDR`
-
-Address that should be used for other cluster members to connect to this node
-when in High Availability mode.
-
-### `VAULT_MAX_RETRIES`
-
-Maximum number of retries when a `5xx` error code is encountered. The default is
-`2`, for three total attempts. Set this to `0` or less to disable retrying.
-
-### `VAULT_REDIRECT_ADDR`
-
-Address that should be used when clients are redirected to this node when in
-High Availability mode.
-
-### `VAULT_SKIP_VERIFY`
-
-Do not verify Vault's presented certificate before communicating with it.
-Setting this variable is not recommended and voids Vault's [security
-model](/docs/internals/security.html).
-
-### `VAULT_TLS_SERVER_NAME`
-
-Name to use as the SNI host when connecting via TLS.
-
-### `VAULT_CLI_NO_COLOR`
-
-If provided, Vault output will not include ANSI color escape sequence characters.
-
-### `VAULT_RATE_LIMIT`
-
-This environment variable will limit the rate at which the `vault` command
-sends requests to Vault.
-
-This environment variable has the format `rate[:burst]` (where items in `[]` are
-optional). If not specified, the burst value defaults to rate. Both rate and
-burst are specified in "operations per second". If the environment variable is
-not specified, then the rate and burst will be unlimited *i.e.* rate
-limiting is off by default.
-
-*Note:* The rate is limited for each invocation of the `vault` CLI. Since
-each invocation of the `vault` CLI typically only makes a few requests,
-this environment variable is most useful when using the Go
-[Vault client API](https://www.vaultproject.io/api/libraries.html#go).
-
-### `VAULT_NAMESPACE`
-
-The namespace to use for the command. Setting this is not necessary
-but allows using relative paths.
-
-### `VAULT_MFA`
-
-**ENTERPRISE ONLY**
-
-MFA credentials in the format `mfa_method_name[:key[=value]]` (items in `[]` are
-optional). Note that when using the environment variable, only one credential
-can be supplied. If a MFA method expects multiple credential values, or if there
-are multiple MFA methods specified on a path, then the CLI flag `-mfa` should be
-used.
-
-## Flags
-
-There are different CLI flags that are available depending on subcommands. Some
-flags, such as those used for setting HTTP and output options, are available
-globally, while others are specific to a particular subcommand. For a completely
-list of available flags, run:
-
-```text
-$ vault <subcommand> -h
-```
diff --git a/website/source/docs/commands/kv/delete.html.md b/website/source/docs/commands/kv/delete.html.md
deleted file mode 100644
index 1a364c892a50..000000000000
--- a/website/source/docs/commands/kv/delete.html.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-layout: "docs"
-page_title: "kv delete - Command"
-sidebar_title: "<code>delete</code>"
-sidebar_current: "docs-commands-kv-delete"
-description: |-
-  The "kv delete" command disables a secrets engine at a given PATH. The
-  argument corresponds to the enabled PATH of the engine, not the TYPE! All
-  secrets created by this engine are revoked and its Vault data is removed.
----
-
-# kv delete
-
-The `kv delete` command deletes the data for the provided path in
-the key/value secrets engine. If using K/V Version 2, its versioned data will
-not be fully removed, but marked as deleted and will no longer be returned in
-normal get requests.
-
-## Examples
-
-Delete the latest version of the key "creds":
-
-```text
-$ vault kv delete secret/creds
-Success! Data deleted (if it existed) at: secret/creds
-```
-
-**[K/V Version 2]** Delete version 11 of key "creds":
-
-```text
-$ vault kv delete -versions=11 secret/creds
-Success! Data deleted (if it existed) at: secret/creds
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-
-### Command Options
-
-- `-versions` `([]int: <required>)` - The versions to be deleted. The versioned
-data will not be deleted, but it will no longer be returned in normal get
-requests.
-
-~> **NOTE:** This command option is only for K/V v2.
diff --git a/website/source/docs/commands/kv/destroy.html.md b/website/source/docs/commands/kv/destroy.html.md
deleted file mode 100644
index 18a3187d638a..000000000000
--- a/website/source/docs/commands/kv/destroy.html.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-layout: "docs"
-page_title: "kv destroy - Command"
-sidebar_title: "<code>destroy</code>"
-sidebar_current: "docs-commands-kv-destroy"
-description: |-
-  The "kv destroy" command permanently removes the specified version data for
-  the provided key and version numbers from the key-value store.
----
-
-# kv destroy
-
-~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
-engine command, and not available for Version 1.
-
-The `kv destroy` command permanently removes the specified versions' data
-from the key/value secrets engine. If no key exists at the path, no action is
-taken.
-
-
-## Examples
-
-Destroy version 11 of the key "creds":
-
-```text
-$ vault kv destroy -versions=11 secret/creds
-Success! Data written to: secret/destroy/creds
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-versions` `([]int: <required>)` - The versions to destroy. Their data will
-be permanently deleted.
diff --git a/website/source/docs/commands/kv/enable-versioning.html.md b/website/source/docs/commands/kv/enable-versioning.html.md
deleted file mode 100644
index f7c31ecbabd0..000000000000
--- a/website/source/docs/commands/kv/enable-versioning.html.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-layout: "docs"
-page_title: "kv enable-versioning - Command"
-sidebar_title: "<code>enable-versioning</code>"
-sidebar_current: "docs-commands-kv-enable-versioning"
-description: |-
-  The "kv enable-versioning" command turns on versioning for the backend
-  at the provided path.
----
-
-# kv enable-versioning
-
-The `kv enable-versioning` command turns on versioning for an existing
-non-versioned key/value secrets engine (K/V Version 1) at its path.
-
-## Examples
-
-This command turns on versioning for the K/V Version 1 secrets engine enabled at
-"secret".
-
-```text
-$ vault kv enable-versioning secret
-Success! Tuned the secrets engine at: secret/
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/kv/get.html.md b/website/source/docs/commands/kv/get.html.md
deleted file mode 100644
index fa4af77b0b80..000000000000
--- a/website/source/docs/commands/kv/get.html.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-layout: "docs"
-page_title: "kv get - Command"
-sidebar_title: "<code>get</code>"
-sidebar_current: "docs-commands-kv-get"
-description: |-
-  The "kv get" command retrieves the value from Vault's key-value store at the
-  given key name. If no key exists with that name, an error is returned. If a
-  key exists with that name but has no data, nothing is returned.
----
-
-# kv get
-
-The `kv get` command retrieves the value from K/V secrets engine at the given
-key name. If no key exists with that name, an error is returned. If a key exists
-with the name but has no data, nothing is returned.
-
-## Examples
-
-Retrieve the data of the key "creds":
-
-```text
-$ vault kv get secret/creds
-====== Metadata ======
-Key              Value
----              -----
-created_time     2019-06-06T06:03:26.595978Z
-deletion_time    n/a
-destroyed        false
-version          5
-
-====== Data ======
-Key         Value
----         -----
-passcode    my-long-passcode
-```
-
-If K/V Version 1 secrets engine is enabled at "secret", the output has no
-metadata since there is no versioning information associated with the data:
-
-```text
-$ vault kv get secret/creds
-====== Data ======
-Key         Value
----         -----
-passcode    my-long-passcode
-```
-
-Return only the "creds" "passcode" key:
-
-```text
-$ vault kv get -field=passcode secret/creds
-my-long-passcode
-```
-
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other
-  processes. 
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-version` `(int: 0)` - Specifies the version to return. If not set the
- latest version is returned.
diff --git a/website/source/docs/commands/kv/index.html.md b/website/source/docs/commands/kv/index.html.md
deleted file mode 100644
index e780ff92bc67..000000000000
--- a/website/source/docs/commands/kv/index.html.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-layout: "docs"
-page_title: "kv - Command"
-sidebar_title: "<code>kv</code>"
-sidebar_current: "docs-commands-kv"
-description: |-
-  The "kv" command groups subcommands for interacting with Vault's key/value
-  secret engine.
----
-
-# kv
-
-The `kv` command groups subcommands for interacting with Vault's key/value
-secrets engine (both [K/V Version 1](/docs/secrets/kv/kv-v1.html) and [K/V
-Version 2](/docs/secrets/kv/kv-v2.html).
-
-
-## Examples
-
-Create or update the key named "creds" in the K/V Version 2 enabled at "secret"
-with the value "passcode=my-long-passcode":
-
-```text
-$ vault kv put secret/creds passcode=my-long-passcode
-Key              Value
----              -----
-created_time     2019-06-28T15:53:30.395814Z
-deletion_time    n/a
-destroyed        false
-version          1
-```
-
-Read this value back:
-
-```text
-$ vault kv get secret/creds
-====== Metadata ======
-Key              Value
----              -----
-created_time     2019-06-28T15:53:30.395814Z
-deletion_time    n/a
-destroyed        false
-version          1
-
-====== Data ======
-Key         Value
----         -----
-passcode    my-long-passcode
-```
-
-Get metadata for the key named "creds":
-
-```text
-$ vault kv metadata get secret/creds
-========== Metadata ==========
-Key                     Value
----                     -----
-cas_required            false
-created_time            2019-06-28T15:53:30.395814Z
-current_version         1
-delete_version_after    0s
-max_versions            0
-oldest_version          0
-updated_time            2019-06-28T15:53:30.395814Z
-
-====== Version 1 ======
-Key              Value
----              -----
-created_time     2019-06-28T15:53:30.395814Z
-deletion_time    n/a
-destroyed        false
-```
-
-
-Get a specific version of the key named "creds":
-
-```text
-$ vault kv get -version=1 secret/creds
-====== Metadata ======
-Key              Value
----              -----
-created_time     2019-06-28T15:53:30.395814Z
-deletion_time    n/a
-destroyed        false
-version          1
-
-====== Data ======
-Key         Value
----         -----
-passcode    my-long-passcode
-```
-
-
-## Usage
-
-```text
-Usage: vault kv <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    delete               Deletes versions in the KV store
-    destroy              Permanently removes one or more versions in the KV store
-    enable-versioning    Turns on versioning for a KV store
-    get                  Retrieves data from the KV store
-    list                 List data or secrets
-    metadata             Interact with Vault's Key-Value storage
-    patch                Sets or updates data in the KV store without overwriting
-    put                  Sets or updates data in the KV store
-    rollback             Rolls back to a previous version of data
-    undelete             Undeletes versions in the KV store
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/kv/list.html.md b/website/source/docs/commands/kv/list.html.md
deleted file mode 100644
index e0a90269dabc..000000000000
--- a/website/source/docs/commands/kv/list.html.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-layout: "docs"
-page_title: "kv list - Command"
-sidebar_title: "<code>list</code>"
-sidebar_current: "docs-commands-kv-list"
-description: |-
-  The "kv list" command lists data from Vault's K/V secrets engine at the given
-  path.
----
-
-# kv list
-
-The `kv list` command returns a list of key names at the specified location.
-Folders are suffixed with /. The input must be a folder; list on a file will not
-return a value. Note that no policy-based filtering is performed on keys; do not
-encode sensitive information in key names. The values themselves are not
-accessible via this command.
-
-Use this command to list all existing key names at a specific path.
-
-## Examples
-
-List values under the key "my-app":
-
-```text
-$ vault kv list secret/my-app/
-Keys
-----
-admin_creds
-domain
-eng_creds
-qa_creds
-release
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/kv/metadata.html.md b/website/source/docs/commands/kv/metadata.html.md
deleted file mode 100644
index 8850744cedbc..000000000000
--- a/website/source/docs/commands/kv/metadata.html.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-layout: "docs"
-page_title: "kv metadata - Command"
-sidebar_title: "<code>metadata</code>"
-sidebar_current: "docs-commands-kv-metadata"
-description: |-
-  The "kv metadata" command has subcommands for interacting with the metadata
-  endpoint in Vault's key-value store.
----
-
-# kv metadata
-
-~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
-engine command, and not available for Version 1.
-
-
-The `kv metadata` command has subcommands for interacting with the metadata and
-versions for the versioned secrets (K/V Version 2 secrets engine) at the
-specified path.
-
-
-## Usage
-
-```text
-Usage: vault kv metadata <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    delete    Deletes all versions and metadata for a key in the KV store
-    get       Retrieves key metadata from the KV store
-    put       Sets or updates key settings in the KV store
-```
-
-### kv metadata delete
-
-The `kv metadata delete` command deletes all versions and metadata for the
-provided key.
-
-#### Examples
-
-Deletes all versions and metadata of the key "creds":
-
-```text
-$ vault kv metadata delete secret/creds
-Success! Data deleted (if it existed) at: secret/metadata/creds
-```
-
-
-### kv metadata get
-
-The `kv metadata get` command retrieves the metadata of the versioned secrets at
-the given key name. If no key exists with that name, an error is returned.
-
-#### Examples
-
-Retrieves the metadata of the key name, "creds":
-
-```text
-$ vault kv metadata get secret/creds
-========== Metadata ==========
-Key                     Value
----                     -----
-cas_required            false
-created_time            2019-06-28T15:53:30.395814Z
-current_version         5
-delete_version_after    0s
-max_versions            0
-oldest_version          0
-updated_time            2019-06-28T16:01:47.40064Z
-
-====== Version 1 ======
-Key              Value
----              -----
-created_time     2019-06-28T15:53:30.395814Z
-deletion_time    n/a
-destroyed        false
-
-====== Version 2 ======
-Key              Value
----              -----
-created_time     2019-06-28T16:01:36.676912Z
-deletion_time    n/a
-destroyed        false
-
-...
-```
-
-
-### kv metadata put
-
-The `kv metadata put` command can be used to create a blank key in the K/V v2
-secrets engine or to update key configuration for a specified key.
-
-
-#### Examples
-
-Create a key in the K/V v2 with no data at the key "creds":
-
-```text
-$ vault kv metadata put secret/creds
-Success! Data written to: secret/metadata/creds
-```
-
-Set the maximum number of versions to keep for the key "creds":
-
-```text
-$ vault kv metadata put -max-versions=5 secret/creds
-Success! Data written to: secret/metadata/creds
-```
-
-**NOTE:** If not set, the backend’s configured max version is used. Once a key
-has more than the configured allowed versions the oldest version will be
-permanently deleted.
-
-
-Require Check-and-Set for the key "creds":
-
-```text
-$ vault kv metadata put -cas-required secret/creds
-```
-
-**NOTE:** When check-and-set is required, the key will require the `cas`
-parameter to be set on all write requests. Otherwise, the backend’s
-configuration will be used.
-
-Set the length of time before a version is deleted for the key "creds":
-
-```text
-$ vault kv metadata put -delete-version-after="3h25m19s" secret/creds
-```
-
-**NOTE:** If not set, the backend's configured Delete-Version-After is used. If
-set to a duration greater than the backend's, the backend's Delete-Version-After
-setting will be used. Any changes to the Delete-Version-After setting will only
-be applied to new versions.
-
-#### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-#### Subcommand Options
-
-- `-cas-required` `(bool: false)` - If true the key will require the cas
- parameter to be set on all write requests. If false, the backend’s
- configuration will be used. The default is false.
-
-- `-max-versions` `(int: 0)` - The number of versions to keep per key. If not
- set, the backend’s configured max version is used. Once a key has more than the
- configured allowed versions the oldest version will be permanently deleted.
-
-- `-delete-version-after` `(string:"0s")` – Set the `delete-version-after` value
-  to a duration to specify the `deletion_time` for all new versions written to
-  this key. If not set, the backend's `delete_version_after` will be used. If
-  the value is greater than the backend's `delete_version_after`, the backend's
-  `delete_version_after` will be used. Accepts [Go duration format
-  string][duration-godoc].
-
-[duration-godoc]: https://golang.org/pkg/time/#ParseDuration
diff --git a/website/source/docs/commands/kv/patch.html.md b/website/source/docs/commands/kv/patch.html.md
deleted file mode 100644
index 64cb3d208bf4..000000000000
--- a/website/source/docs/commands/kv/patch.html.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-layout: "docs"
-page_title: "kv patch - Command"
-sidebar_title: "<code>patch</code>"
-sidebar_current: "docs-commands-kv-patch"
-description: |-
-  The "kv patch" command writes the data to the given path in the key-value
-  store. The data can be of any type.
----
-
-# kv patch
-
-~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
-engine command, and not available for Version 1.
-
-
-The `kv patch` command writes the data to the given path in the K/V v2 secrets
-engine. The data can be of any type. Unlike the `kv put` command, the `patch`
-command combines the change with existing data instead of replacing them.
-Therefore, this command makes it easy to make a partial updates to an existing
-data.
-
-## Examples
-
-If you wish to add an additional key-value (`ttl=48h`) to the existing data at
-the key "creds":
-
-```text
-$ vault kv patch secret/creds ttl=48h
-Key              Value
----              -----
-created_time     2019-06-06T16:46:22.090654Z
-deletion_time    n/a
-destroyed        false
-version          6
-```
-
-**NOTE:** The `kv put` command requires both the existing data and
-the data you wish to add in order to accomplish the same result.
-
-```text
-$ vault kv put secret/creds ttl=48h passcode=my-long-passcode
-```
-
-The data can also be consumed from a file on disk by prefixing with the "@"
-symbol. For example:
-
-```text
-$ vault kv patch secret/creds @data.json
-```
-
-Or it can be read from stdin using the "-" symbol:
-
-```text
-$ echo "abcd1234" | vault kv patch secret/foo bar=-
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other
-  processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/kv/put.html.md b/website/source/docs/commands/kv/put.html.md
deleted file mode 100644
index 25c58e2a0cec..000000000000
--- a/website/source/docs/commands/kv/put.html.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-layout: "docs"
-page_title: "kv put - Command"
-sidebar_title: "<code>put</code>"
-sidebar_current: "docs-commands-kv-put"
-description: |-
-  The "kv put" command writes the data to the given path in the K/V secrets
-  engine. The data can be of any type.
----
-
-# kv put
-
-The `kv put` command writes the data to the given path in the K/V secrets
-engine.
-
-If working with K/V v2, this command creates a new version of a secret at the
-specified location. If working with K/V v1, this command stores the given secret
-at the specified location.
-
-Regardless of the K/V version, if the value does not yet exist at the specified
-path, the calling token must have an ACL policy granting the "create"
-capability. If the value already exists, the calling token must have an ACL
-policy granting the "update" capability.
-
-
-## Examples
-
-Writes the data to the key "creds":
-
-```text
-$ vault kv put secret/creds passcode=my-long-passcode
-```
-
-The data can also be consumed from a file on disk by prefixing with the "@"
-symbol. For example:
-
-```text
-$ vault kv put secret/foo @data.json
-```
-
-Or it can be read from stdin using the "-" symbol:
-
-```text
-$ echo "abcd1234" | vault kv put secret/foo bar=-
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other
-  processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-cas` `(int: 0)` - Specifies to use a Check-And-Set operation. If not set the
- write will be allowed. If set to 0 a write will only be allowed if the key
- doesn’t exist. If the index is non-zero the write will only be allowed if the
- key’s current version matches the version specified in the cas parameter. The
- default is -1.
diff --git a/website/source/docs/commands/kv/rollback.html.md b/website/source/docs/commands/kv/rollback.html.md
deleted file mode 100644
index 5441561e3ad2..000000000000
--- a/website/source/docs/commands/kv/rollback.html.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-layout: "docs"
-page_title: "kv rollback - Command"
-sidebar_title: "<code>rollback</code>"
-sidebar_current: "docs-commands-kv-rollback"
-description: |-
-  The "kv rollback" command restores a given previous version to the current
-  version at the given path.
----
-
-# kv rollback
-
-~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
-engine command, and not available for Version 1.
-
-
-The `kv rollback` command restores a given previous version to the current
-version at the given path. The value is written as a new version; for instance,
-if the current version is 5 and the rollback version is 2, the data from version
-2 will become version 6. This command makes it easy to restore unintentionally
-overwritten data.
-
-## Examples
-
-Restores the version 2 of the data at key "creds":
-
-```text
-$ vault kv rollback -version=2 secret/creds
-Key              Value
----              -----
-created_time     2019-06-06T17:07:19.299831Z
-deletion_time    n/a
-destroyed        false
-version          6
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-version` `(int: 0)` - Specifies the version number that should be made
-current again.
diff --git a/website/source/docs/commands/kv/undelete.html.md b/website/source/docs/commands/kv/undelete.html.md
deleted file mode 100644
index e9455309568a..000000000000
--- a/website/source/docs/commands/kv/undelete.html.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-layout: "docs"
-page_title: "kv undelete - Command"
-sidebar_title: "<code>undelete</code>"
-sidebar_current: "docs-commands-kv-undelete"
-description: |-
-  The "kv undelete" command undeletes the data for the provided version and path
-  in the key-value store. This restores the data, allowing it to be returned on
-  get requests.
----
-
-# kv undelete
-
-~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
-engine command, and not available for Version 1.
-
-
-The `kv undelete` command undoes the deletes of the data for the provided version
-and path in the key-value store. This restores the data, allowing it to be
-returned on get requests.
-
-## Examples
-
-Undelete version 3 of the key "creds":
-
-```text
-$ vault kv undelete -versions=3 secret/creds
-Success! Data written to: secret/undelete/creds
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-versions` `([]int: <required>)` - Specifies the version number that should
-be made current again.
diff --git a/website/source/docs/commands/lease.html.md b/website/source/docs/commands/lease.html.md
deleted file mode 100644
index 4f4608527d0a..000000000000
--- a/website/source/docs/commands/lease.html.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-layout: "docs"
-page_title: "lease - Command"
-sidebar_title: "<code>lease</code>"
-sidebar_current: "docs-commands-lease"
-description: |-
-  The "lease" command groups subcommands for interacting with leases attached to
-  secrets.
----
-
-# lease
-
-The `lease` command groups subcommands for interacting with leases attached to
-secrets. For leases attached to tokens, use the [`vault
-token`](/docs/commands/token.html) subcommand.
-
-## Examples
-
-Renew a lease:
-
-```text
-$ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-Key                Value
----                -----
-lease_id           database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-lease_duration     5m
-lease_renewable    true
-```
-
-Revoke a lease:
-
-```text
-$ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-```
-
-## Usage
-
-```text
-Usage: vault lease <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    renew     Renews the lease of a secret
-    revoke    Revokes leases and secrets
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/lease/index.html.md b/website/source/docs/commands/lease/index.html.md
deleted file mode 100644
index 57f2841e3d6c..000000000000
--- a/website/source/docs/commands/lease/index.html.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-layout: "docs"
-page_title: "lease - Command"
-sidebar_title: "<code>lease</code>"
-sidebar_current: "docs-commands-lease"
-description: |-
-  The "lease" command groups subcommands for interacting with leases attached to
-  secrets.
----
-
-# lease
-
-The `lease` command groups subcommands for interacting with leases attached to
-secrets. For leases attached to tokens, use the [`vault token`](/docs/commands/token.html) subcommand.
-
-## Examples
-
-Renew a lease:
-
-```text
-$ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-Key                Value
----                -----
-lease_id           database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-lease_duration     5m
-lease_renewable    true
-```
-
-Revoke a lease:
-
-```text
-$ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-```
-
-## Usage
-
-```text
-Usage: vault lease <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    renew     Renews the lease of a secret
-    revoke    Revokes leases and secrets
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/lease/renew.html.md b/website/source/docs/commands/lease/renew.html.md
deleted file mode 100644
index 27bc883e05f2..000000000000
--- a/website/source/docs/commands/lease/renew.html.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-layout: "docs"
-page_title: "lease renew - Command"
-sidebar_title: "<code>renew</code>"
-sidebar_current: "docs-commands-lease-renew"
-description: |-
-  The "lease renew" command renews the lease on a secret, extending the time
-  that it can be used before it is revoked by Vault.
----
-
-# lease renew
-
-The `lease renew` command renews the lease on a secret, extending the time that
-it can be used before it is revoked by Vault.
-
-Every secret in Vault has a lease associated with it. If the owner of the secret
-wants to use it longer than the lease, then it must be renewed. Renewing the
-lease does not change the contents of the secret.
-
-## Examples
-
-Renew a lease:
-
-```text
-$ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-- `-increment` `(duration: "")` - Request a specific increment in seconds. Vault
-  is not required to honor this request.
diff --git a/website/source/docs/commands/lease/revoke.html.md b/website/source/docs/commands/lease/revoke.html.md
deleted file mode 100644
index 09a31f253a24..000000000000
--- a/website/source/docs/commands/lease/revoke.html.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-layout: "docs"
-page_title: "lease revoke - Command"
-sidebar_title: "<code>revoke</code>"
-sidebar_current: "docs-commands-lease-revoke"
-description: |-
-  The "lease revoke" command revokes the lease on a secret, invalidating the
-  underlying secret.
----
-
-# lease revoke
-
-The `lease revoke` command revokes the lease on a secret, invalidating the
-underlying secret.
-
-## Examples
-
-Revoke a lease:
-
-```text
-$ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
-```
-
-Revoke a lease which starts with a prefix:
-
-```text
-$ vault lease revoke -prefix database/creds
-Success! Revoked any leases with prefix: database/creds
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-- `-force` `(bool: false)` - Delete the lease from Vault even if the secret
-  engine revocation fails. This is meant for recovery situations where the
-  secret in the target secrets engine was manually removed. If this flag is
-  specified, -prefix is also required. This is aliased as "-f". The default is
-  false.
-
-- `-prefix` `(bool: false)` - Treat the ID as a prefix instead of an exact lease
-  ID. This can revoke multiple leases simultaneously. The default is false.
diff --git a/website/source/docs/commands/list.html.md b/website/source/docs/commands/list.html.md
deleted file mode 100644
index 5537db62a8c4..000000000000
--- a/website/source/docs/commands/list.html.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-layout: "docs"
-page_title: "list - Command"
-sidebar_title: "<code>list</code>"
-sidebar_current: "docs-commands-list"
-description: |-
-  The "list" command lists data from Vault at the given path. This can be used
-  to list keys in a, given secrets engine.
----
-
-# list
-
-The `list` command lists data from Vault at the given path. This can be used to
-list keys in a given secrets engine.
-
-## Examples
-
-List values under the "my-app" folder of the KV secrets engine:
-
-```text
-$ vault list secret/my-app/
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/login.html.md b/website/source/docs/commands/login.html.md
deleted file mode 100644
index e98e31b29b21..000000000000
--- a/website/source/docs/commands/login.html.md
+++ /dev/null
@@ -1,137 +0,0 @@
----
-layout: "docs"
-page_title: "login - Command"
-sidebar_title: "<code>login</code>"
-sidebar_current: "docs-commands-login"
-description: |-
-  The "login" command authenticates users or machines to Vault using the
-  provided arguments. A successful authentication results in a Vault token -
-  conceptually similar to a session token on a website.
----
-
-# login
-
-The `login` command authenticates users or machines to Vault using the provided
-arguments. A successful authentication results in a Vault token - conceptually
-similar to a session token on a website. By default, this token is cached on the
-local machine for future requests.
-
-The `-method` flag allows using other auth methods, such as userpass,
-github, or cert. For these, additional "K=V" pairs may be required.  For more
-information about the list of configuration parameters available for a given
-auth method, use the "vault auth help TYPE". You can also use "vault
-auth list" to see the list of enabled auth methods.
-
-If an auth method is enabled at a non-standard path, the `-method`
-flag still refers to the canonical type, but the `-path` flag refers to the
-enabled path.
-
-If the authentication is requested with response wrapping (via `-wrap-ttl`),
-the returned token is automatically unwrapped unless:
-
-  - The `-token-only` flag is used, in which case this command will output
-    the wrapping token.
-
-  - The `-no-store` flag is used, in which case this command will output the
-    details of the wrapping token.
-
-## Examples
-
-By default, login uses a "token" method:
-
-```text
-$ vault login s.3jnbMAKl1i4YS3QoKdbHzGXq
-Success! You are now authenticated. The token information displayed below
-is already stored in the token helper. You do NOT need to run "vault login"
-again. Future Vault requests will automatically use this token.
-
-Key                  Value
----                  -----
-token                s.3jnbMAKl1i4YS3QoKdbHzGXq
-token_accessor       7Uod1Rm0ejUAz77Oh7SxpAM0
-token_duration       767h59m49s
-token_renewable      true
-token_policies       ["admin" "default"]
-identity_policies    []
-policies             ["admin" "default"]
-```
-
-To login with a different method, use `-method`:
-
-```text
-$ vault login -method=userpass username=my-username
-Password (will be hidden):
-Success! You are now authenticated. The token information below is already
-stored in the token helper. You do NOT need to run "vault login" again. Future
-requests will use this token automatically.
-
-Key                    Value
----                    -----
-token                  s.2y4SU3Sk46dK3p2Y8q2jSBwL
-token_accessor         8J125x9SZyB76MI9uF2jSJZf
-token_duration         768h
-token_renewable        true
-token_policies         ["default"]
-identity_policies      []
-policies               ["default"]
-token_meta_username    my-username
-```
-
-~> Notice that the command option (`-method=userpass`) precedes the command
-argument (`username=my-username`).
-
-If a github auth method was enabled at the path "github-prod":
-
-```text
-$ vault login -method=github -path=github-prod
-Success! You are now authenticated. The token information below is already
-stored in the token helper. You do NOT need to run "vault login" again. Future
-requests will use this token automatically.
-
-Key                    Value
----                    -----
-token                  s.2f3c5L1MHtnqbuNCbx90utmC
-token_accessor         JLUIXJ6ltUftTt2UYRl2lTAC
-token_duration         768h
-token_renewable        true
-token_policies         ["default"]
-identity_policies      []
-policies               ["default"]
-token_meta_org         hashicorp
-token_meta_username    my-username
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-method` `(string "token")` - Type of authentication to use such as
-  "userpass" or "ldap". Note this corresponds to the TYPE, not the enabled path.
-  Use -path to specify the path where the authentication is enabled.
-
-- `-no-print` `(bool: false)` - Do not display the token. The token will be
-  still be stored to the configured token helper. The default is false.
-
-- `-no-store` `(bool: false)` - Do not persist the token to the token helper
-  (usually the local filesystem) after authentication for use in future
-  requests. The token will only be displayed in the command output.
-
-- `-path` `(string: "")` - Remote path in Vault where the auth method
-  is enabled. This defaults to the TYPE of method (e.g. userpass -> userpass/).
-
-- `-token-only` `(bool: false)` - Output only the token with no verification.
-  This flag is a shortcut for "-field=token -no-store". Setting those
-  flags to other values will have no affect.
diff --git a/website/source/docs/commands/namespace.html.md b/website/source/docs/commands/namespace.html.md
deleted file mode 100644
index 57cf503a1691..000000000000
--- a/website/source/docs/commands/namespace.html.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-layout: "docs"
-page_title: "namespace - Command"
-sidebar_title: "<code>namespace</code>"
-sidebar_current: "docs-commands-namespace"
-description: |-
-  The "namespace" command groups subcommands for interacting with namespaces.
----
-
-# namespace
-
-The `namespace` command groups subcommands for interacting with namespaces.
-
-## Examples
-
-List all namespaces:
-
-```text
-$ vault namespace list
-```
-
-Create a namespace at the path `ns1/`:
-
-```text
-$ vault namespace create ns1/
-```
-
-Delete the namespace at path `ns1/`:
-
-```text
-$ vault namespace delete ns1/
-```
-
-Lookup the namespace information at path `ns1/`:
-
-```text
-$ vault namespace lookup ns1/
-```
-
-## Usage
-
-```text
-Usage: vault namespace <subcommand> [options] [args]
-
-  This command groups subcommands for interacting with Vault namespaces.
-  These set of subcommands operate on the context of the namespace that the
-  current logged in token belongs to.
-
-Subcommands:
-    create    Create a new namespace
-    delete    Delete an existing namespace
-    list      List child namespaces
-    lookup    Look up an existing namespace
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/operator/generate-root.html.md b/website/source/docs/commands/operator/generate-root.html.md
deleted file mode 100644
index 9262c7a53544..000000000000
--- a/website/source/docs/commands/operator/generate-root.html.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-layout: "docs"
-page_title: "operator generate-root - Command"
-sidebar_title: "<code>generate-root</code>"
-sidebar_current: "docs-commands-operator-generate-root"
-description: |-
-  The "operator generate-root" command generates a new root token by combining a
-  quorum of share holders.
----
-
-# operator generate-root
-
-The `operator generate-root` command generates a new root token by combining a
-quorum of share holders.  With the `-dr-token` or `-recovery-token` options,
-it can generate a DR operational token or a recovery token in the same way.
-
-One of the following must be provided to start the root token generation:
-
-- A base64-encoded one-time-password (OTP) provided via the `-otp` flag. Use the
-  `-generate-otp` flag to generate a usable value. The resulting token is XORed
-  with this value when it is returned. Use the `-decode` flag to output the
-  final value.
-
-- A file containing a PGP key or a
-  [keybase](/docs/concepts/pgp-gpg-keybase.html) username in the `-pgp-key`
-  flag. The resulting token is encrypted with this public key.
-
-An unseal key may be provided directly on the command line as an argument to the
-command. If key is specified as "-", the command will read from stdin. If a TTY
-is available, the command will prompt for text.
-
-Please see the [generate root guide](/guides/operations/generate-root.html) for
-step-by-step instructions.
-
-## Examples
-
-Generate an OTP code for the final token:
-
-```text
-$ vault operator generate-root -generate-otp
-```
-
-Start a root token generation:
-
-```text
-$ vault operator generate-root -init -otp="..."
-```
-
-Enter an unseal key to progress root token generation:
-
-```text
-$ vault operator generate-root -otp="..."
-```
-
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-cancel` `(bool: false)` - Reset the root token generation progress. This
-  will discard any submitted unseal keys or configuration.
-
-- `-decode` `(string: "")` - Decode and output the generated root token. This
-  option requires the `-otp` flag be set to the OTP used during initialization.
-
-- `-generate-otp` `(bool: false)` - Generate and print a high-entropy
-  one-time-password (OTP) suitable for use with the "-init" flag.
-
-- `-init` `(bool: false)` - Start a root token generation. This can only be done
-  if there is not currently one in progress.
-
-- `-nonce` `(string; "")`- Nonce value provided at initialization. The same
-  nonce value must be provided with each unseal key.
-
-- `-otp` `(string: "")` - OTP code to use with `-decode` or `-init`.
-
-- `-pgp-key` `(keybase or pgp)`- Path to a file on disk containing a binary or
-  base64-encoded public GPG key. This can also be specified as a Keybase
-  username using the format `keybase:<username>`. When supplied, the generated
-  root token will be encrypted and base64-encoded with the given public key.
-
-- `-status` `(bool: false)` - Print the status of the current attempt without
-  providing an unseal key. The default is false.
-  
-- `-dr-token` `(bool: false)` - Generate DR operational token
-
-- `-recovery-token` `(bool: false)` - Generate recovery operational token
diff --git a/website/source/docs/commands/operator/index.html.md b/website/source/docs/commands/operator/index.html.md
deleted file mode 100644
index 8f1c2edc9419..000000000000
--- a/website/source/docs/commands/operator/index.html.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-layout: "docs"
-page_title: "operator - Command"
-sidebar_title: "<code>operator</code>"
-sidebar_current: "docs-commands-operator"
-description: |-
-  The "operator" command groups subcommands for operators interacting with
-  Vault. Most users will not need to interact with these commands.
----
-
-# operator
-
-The `operator` command groups subcommands for operators interacting with Vault.
-Most users will not need to interact with these commands.
-
-## Examples
-
-Initialize a new Vault cluster:
-
-```text
-$ vault operator init
-Unseal Key 1: sP/4C/fwIDjJmHEC2bi/1Pa43uKhsUQMmiB31GRzFc0R
-Unseal Key 2: kHkw2xTBelbDFIMEgEC8NVX7NDSAZ+rdgBJ/HuJwxOX+
-Unseal Key 3: +1+1ZnkQDfJFHDZPRq0wjFxEuEEHxDDOQxa8JJ/AYWcb
-Unseal Key 4: cewseNJTLovmFrgpyY+9Hi5OgJlJgGGCg7PZyiVdPwN0
-Unseal Key 5: wyd7rMGWX5fi0k36X4e+C4myt5CoTmJsHJ0rdYT7BQcF
-
-Initial Root Token: 6662bb4a-afd0-4b6b-faad-e237fb564568
-
-# ...
-```
-
-Force a Vault to resign leadership in a cluster:
-
-```text
-$ vault operator step-down
-Success! Stepped down: https://127.0.0.1:8200
-```
-
-Rotate Vault's underlying encryption key:
-
-```text
-$ vault operator rotate
-Success! Rotated key
-
-Key Term        2
-Install Time    01 Jan 07 12:30 UTC
-```
-
-## Usage
-
-```text
-Usage: vault operator <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    generate-root    Generates a new root token
-    init             Initializes a server
-    key-status       Provides information about the active encryption key
-    rekey            Generates new unseal keys
-    rotate           Rotates the underlying encryption key
-    seal             Seals the Vault server
-    step-down        Forces Vault to resign active duty
-    unseal           Unseals the Vault server
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/operator/init.html.md b/website/source/docs/commands/operator/init.html.md
deleted file mode 100644
index 9be244071e7c..000000000000
--- a/website/source/docs/commands/operator/init.html.md
+++ /dev/null
@@ -1,126 +0,0 @@
----
-layout: "docs"
-page_title: "operator init - Command"
-sidebar_title: "<code>init</code>"
-sidebar_current: "docs-commands-operator-init"
-description: |-
-  The "operator init" command initializes a Vault server. Initialization is the
-  process by which Vault's storage backend is prepared to receive data. Since
-  Vault servers share the same storage backend in HA mode, you only need to
-  initialize one Vault to initialize the storage backend.
----
-
-# operator init
-
-The `operator init` command initializes a Vault server. Initialization is the
-process by which Vault's storage backend is prepared to receive data. Since
-Vault servers share the same storage backend in HA mode, you only need to
-initialize one Vault to initialize the storage backend.
-
-During initialization, Vault generates an in-memory master key and applies
-Shamir's secret sharing algorithm to disassemble that master key into a
-configuration number of key shares such that a configurable subset of those key
-shares must come together to regenerate the master key. These keys are often
-called "unseal keys" in Vault's documentation.
-
-This command cannot be run against already-initialized Vault cluster.
-
-For more information on sealing and unsealing, please the [seal concepts page](/docs/concepts/seal.html).
-
-## Examples
-
-Start initialization with the default options:
-
-```text
-$ vault operator init
-```
-
-Initialize, but encrypt the unseal keys with pgp keys:
-
-```text
-$ vault operator init \
-    -key-shares=3 \
-    -key-threshold=2 \
-    -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
-```
-
-Initialize Auto Unseal, but encrypt the recovery keys with pgp keys:
-
-```text
-$ vault operator init \
-    -recovery-shares=1 \
-    -recovery-threshold=1 \
-    -recovery-pgp-keys="keybase:grahamhashicorp"
-```
-
-Encrypt the initial root token using a pgp key:
-
-```text
-$ vault operator init -root-token-pgp-key="keybase:hashicorp"
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "")` - Print the output in the given format. Valid formats
-  are "table", "json", or "yaml". The default is table. This can also be
-  specified via the `VAULT_FORMAT` environment variable.
-
-### Common Options
-
-- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
-  key into. This is the number of "unseal keys" to generate. This is aliased as
-  `-n`.
-
-- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
-  master key. This must be less than or equal to -key-shares. This is aliased as
-  `-t`.
-
-- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
-  containing public GPG keys OR a comma-separated list of Keybase usernames
-  using the format `keybase:<username>`. When supplied, the generated unseal
-  keys will be encrypted and base64-encoded in the order specified in this list.
-  The number of entries must match -key-shares, unless -stored-shares are used.
-
-- `-root-token-pgp-key` `(string: "")` - Path to a file on disk containing a
-  binary or base64-encoded public GPG key. This can also be specified as a
-  Keybase username using the format `keybase:<username>`. When supplied, the
-  generated root token will be encrypted and base64-encoded with the given
-  public key.
-
-- `-status` `(bool": false)` - Print the current initialization status. An exit
-  code of 0 means the Vault is already initialized. An exit code of 1 means an
-  error occurred. An exit code of 2 means the Vault is not initialized.
-
-### Consul Options
-
-- `-consul-auto` `(bool: false)` - Perform automatic service discovery using
-  Consul in HA mode. When all nodes in a Vault HA cluster are registered with
-  Consul, enabling this option will trigger automatic service discovery based on
-  the provided -consul-service value. When Consul is Vault's HA backend, this
-  functionality is automatically enabled. Ensure the proper Consul environment
-  variables are set (CONSUL_HTTP_ADDR, etc). When only one Vault server is
-  discovered, it will be initialized automatically. When more than one Vault
-  server is discovered, they will each be output for selection. The default is
-  false.
-
-- `-consul-service` `(string: "vault")` - Name of the service in Consul under
-  which the Vault servers are registered.
-
-### HSM and KMS Options
-
-- `-recovery-pgp-keys` `(string: "...")` - Behaves like `-pgp-keys`, but for the
-  recovery key shares. This is only used in HSM mode.
-
-- `-recovery-shares` `(int: 5)` - Number of key shares to split the recovery key
-  into. This is only used in HSM mode.
-
-- `-recovery-threshold` `(int: 3)` - Number of key shares required to
-  reconstruct the recovery key. This is only used in HSM mode.
-
-- `-stored-shares` `(int: 0)` - Number of unseal keys to store on an HSM. This
-  must be equal to `-key-shares`.
diff --git a/website/source/docs/commands/operator/key-status.html.md b/website/source/docs/commands/operator/key-status.html.md
deleted file mode 100644
index 782a4370fce3..000000000000
--- a/website/source/docs/commands/operator/key-status.html.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-layout: "docs"
-page_title: "operator key-status - Command"
-sidebar_title: "<code>key-status</code>"
-sidebar_current: "docs-commands-operator-key-status"
-description: |-
-  The "operator key-status" provides information about the active encryption
-  key.
----
-
-# operator key-status
-
-The `operator key-status` provides information about the active encryption key.
-Specifically, the current key term and the key installation time.
-
-## Examples
-
-Get the key status:
-
-```text
-$ vault operator key-status
-Key Term        2
-Install Time    01 Jan 17 12:30 UTC
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/operator/migrate.html.md b/website/source/docs/commands/operator/migrate.html.md
deleted file mode 100644
index 1afb014ceefe..000000000000
--- a/website/source/docs/commands/operator/migrate.html.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-layout: "docs"
-page_title: "operator migrate - Command"
-sidebar_title: "<code>migrate</code>"
-sidebar_current: "docs-commands-operator-migrate"
-description: |-
-  The "operator migrate" command copies data between storage backends to facilitate
-  migrating Vault between configurations. It operates directly at the storage
-  level, with no decryption involved.
----
-
-# operator migrate
-
-The `operator migrate` command copies data between storage backends to facilitate
-migrating Vault between configurations. It operates directly at the storage
-level, with no decryption involved. Keys in the destination storage backend will
-be overwritten, and the destination should _not_ be initialized prior to the
-migrate operation. The source data is not modified, with the exception of a small lock
-key added during migration.
-
-This is intended to be an offline operation to ensure data consistency, and Vault
-will not allow starting the server if a migration is in progress.
-
-## Examples
-
-Migrate all keys:
-
-```text
-$ vault operator migrate -config migrate.hcl
-
-2018-09-20T14:23:23.656-0700 [INFO ] copied key: data/core/seal-config
-2018-09-20T14:23:23.657-0700 [INFO ] copied key: data/core/wrapping/jwtkey
-2018-09-20T14:23:23.658-0700 [INFO ] copied key: data/logical/fd1bed89-ffc4-d631-00dd-0696c9f930c6/31c8e6d9-2a17-d98f-bdf1-aa868afa1291/archive/metadata
-2018-09-20T14:23:23.660-0700 [INFO ] copied key: data/logical/fd1bed89-ffc4-d631-00dd-0696c9f930c6/31c8e6d9-2a17-d98f-bdf1-aa868afa1291/metadata/5kKFZ4YnzgNfy9UcWOzxxzOMpqlp61rYuq6laqpLQDnB3RawKpqi7yBTrawj1P
-...
-```
-
-Migration is done in a consistent, sorted order. If the migration is halted or
-exits before completion (e.g. due to a connection error with a storage backend),
-it may be resumed from an arbitrary key prefix:
-
-```text
-$ vault operator migrate -config migrate.hcl -start "data/logical/fd"
-```
-
-## Configuration
-
-The `operator migrate` command uses a dedicated configuration file to specify the source
-and destination storage backends. The format of the storage stanzas is identical
-to that used to [configure Vault](/docs/configuration/storage/index.html),
-with the only difference being that two stanzas are required: `storage_source` and `storage_destination`.
-
-```hcl
-storage_source "mysql" {
-  username = "user1234"
-  password = "secret123!"
-  database = "vault"
-}
-
-storage_destination "consul" {
-  address = "127.0.0.1:8500"
-  path    = "vault"
-}
-```
-
-## Usage
-
-The following flags are available for the `operator migrate` command.
-
-- `-config` `(string: <required>)` - Path to the migration configuration file.
-
-- `-start` `(string: "")` - Migration starting key prefix. Only keys at or after this value will be copied.
-
-- `-reset` - Reset the migration lock. A lock file is added during migration to prevent
-  starting the Vault server or another migration. The `-reset` option can be used to
-  remove a stale lock file if present.
diff --git a/website/source/docs/commands/operator/rekey.html.md b/website/source/docs/commands/operator/rekey.html.md
deleted file mode 100644
index e2c392e1bafd..000000000000
--- a/website/source/docs/commands/operator/rekey.html.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-layout: "docs"
-page_title: "operator rekey - Command"
-sidebar_title: "<code>rekey</code>"
-sidebar_current: "docs-commands-operator-rekey"
-description: |-
-  The "operator rekey" command generates a new set of unseal keys. This can
-  optionally change the total number of key shares or the required threshold of
-  those key shares to reconstruct the master key. This operation is zero
-  downtime, but it requires the Vault is unsealed and a quorum of existing
-  unseal keys are provided.
----
-
-# operator rekey
-
-The `operator rekey` command generates a new set of unseal keys. This can
-optionally change the total number of key shares or the required threshold of
-those key shares to reconstruct the master key. This operation is zero downtime,
-but it requires the Vault is unsealed and a quorum of existing unseal keys are
-provided.
-
-An unseal key may be provided directly on the command line as an argument to the
-command. If key is specified as "-", the command will read from stdin. If a TTY
-is available, the command will prompt for text.
-
-Please see the [rotating and rekeying](/guides/operations/rekeying-and-rotating.html) for
-step-by-step instructions.
-
-## Examples
-
-Initialize a rekey:
-
-```text
-$ vault operator rekey \
-    -init \
-    -key-shares=15 \
-    -key-threshold=9
-```
-
-Initialize a rekey and activate the verification process:
-
-```text
-$ vault operator rekey \
-    -init \
-    -key-shares=15 \
-    -key-threshold=9 \
-    -verify
-```
-
-Rekey and encrypt the resulting unseal keys with PGP:
-
-```text
-$ vault operator rekey \
-    -init \
-    -key-shares=3 \
-    -key-threshold=2 \
-    -pgp-keys="keybase:hashicorp,keybase:jefferai,keybase:sethvargo"
-```
-
-Rekey an Auto Unseal vault and encrypt the resulting recovery keys with PGP:
-
-```text
-$ vault operator rekey \
-    -target=recovery \
-    -init \
-    -pgp-keys=keybase:grahamhashicorp 
-    -key-shares=1 
-    -key-threshold=1
-```
-
-Store encrypted PGP keys in Vault's core:
-
-```text
-$ vault operator rekey \
-    -init \
-    -pgp-keys="..." \
-    -backup
-```
-
-Retrieve backed-up unseal keys:
-
-```text
-$ vault operator rekey -backup-retrieve
-```
-
-Delete backed-up unseal keys:
-
-```text
-$ vault operator rekey -backup-delete
-```
-
-Perform the verification of the rekey using the verification nonce:
-
-```text
-$ vault operator rekey -verify -nonce="..."
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-cancel` `(bool: false)` - Reset the rekeying progress. This will discard any submitted unseal keys
-      or configuration. The default is false.
-
-- `-init` `(bool: false)` - Initialize the rekeying operation. This can only be
-  done if no rekeying operation is in progress. Customize the new number of key
-  shares and key threshold using the `-key-shares` and `-key-threshold flags`.
-
-- `-key-shares` `(int: 5)` - Number of key shares to split the generated master
-  key into. This is the number of "unseal keys" to generate. This is aliased as
-  `-n`
-
-- `-key-threshold` `(int: 3)` - Number of key shares required to reconstruct the
-  master key. This must be less than or equal to -key-shares. This is aliased as
-  `-t`.
-
-- `-nonce` `(string: "")` - Nonce value provided at initialization. The same
-  nonce value must be provided with each unseal key.
-
-- `-pgp-keys` `(string: "...")` - Comma-separated list of paths to files on disk
-  containing public GPG keys OR a comma-separated list of Keybase usernames
-  using the format `keybase:<username>`. When supplied, the generated unseal
-  keys will be encrypted and base64-encoded in the order specified in this list.
-
-- `-status` `(bool: false)` - Print the status of the current attempt without
-  providing an unseal key. The default is false.
-
-- `-target` `(string: "barrier")` - Target for rekeying. "recovery" only applies
-  when HSM support is enabled or using [Auto Unseal](/docs/concepts/seal.html#auto-unseal).
-
-- `-verify` `(bool: false)` - Indicate during the phase `-init` that the
-  verification process is activated for the rekey. Along with `-nonce` option
-  it indicates that the nonce given is for the verification process.
-
-### Backup Options
-
-- `-backup` `(bool: false)` - Store a backup of the current PGP encrypted unseal
-  keys in Vault's core. The encrypted values can be recovered in the event of
-  failure or discarded after success. See the -backup-delete and
-  -backup-retrieve options for more information. This option only applies when
-  the existing unseal keys were PGP encrypted.
-
-- `-backup-delete` `(bool: false)` - Delete any stored backup unseal keys.
-
-- `-backup-retrieve` `(bool: false)` - Retrieve the backed-up unseal keys. This
-  option is only available if the PGP keys were provided and the backup has not
-  been deleted.
diff --git a/website/source/docs/commands/operator/rotate.html.md b/website/source/docs/commands/operator/rotate.html.md
deleted file mode 100644
index 06ae8dcdf997..000000000000
--- a/website/source/docs/commands/operator/rotate.html.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-layout: "docs"
-page_title: "operator rotate - Command"
-sidebar_title: "<code>rotate</code>"
-sidebar_current: "docs-commands-operator-rotate"
-description: |-
-  The "operator rotate" rotates the underlying encryption key which is used to
-  secure data written to the storage backend. This installs a new key in the key
-  ring. This new key is used to encrypt new data, while older keys in the ring
-  are used to decrypt older data.
----
-
-# operator rotate
-
-The `operator rotate` rotates the underlying encryption key which is used to
-secure data written to the storage backend. This installs a new key in the key
-ring. This new key is used to encrypted new data, while older keys in the ring
-are used to decrypt older data.
-
-This is an online operation and does not cause downtime. This command is run
-per-cluster (not per-server), since Vault servers in HA mode share the same
-storage backend.
-
-## Examples
-
-Rotate Vault's encryption key:
-
-```text
-$ vault operator rotate
-Key Term        3
-Install Time    01 May 17 10:30 UTC
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/operator/seal.html.md b/website/source/docs/commands/operator/seal.html.md
deleted file mode 100644
index d6dfa54dad7b..000000000000
--- a/website/source/docs/commands/operator/seal.html.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-layout: "docs"
-page_title: "operator seal - Command"
-sidebar_title: "<code>seal</code>"
-sidebar_current: "docs-commands-operator-seal"
-description: |-
-  The "operator seal" command seals the Vault server. Sealing tells the Vault server to
-  stop responding to any operations until it is unsealed. When sealed, the Vault
-  server discards its in-memory master key to unlock the data, so it is
-  physically blocked from responding to operations unsealed.
----
-
-# operator seal
-
-The `operator seal` seals the Vault server. Sealing tells the Vault server to
-stop responding to any operations until it is unsealed. When sealed, the Vault
-server discards its in-memory master key to unlock the data, so it is physically
-blocked from responding to operations unsealed.
-
-If an unseal is in progress, sealing the Vault will reset the unsealing process.
-Users will have to re-enter their portions of the master key again.
-
-This command does nothing if the Vault server is already sealed.
-
-For more information on sealing and unsealing, please the [seal concepts
-page](/docs/concepts/seal.html).
-
-## Examples
-
-Seal a Vault server:
-
-```text
-$ vault operator seal
-Success! Vault is sealed.
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/operator/step-down.html.md b/website/source/docs/commands/operator/step-down.html.md
deleted file mode 100644
index 5bad451deeb3..000000000000
--- a/website/source/docs/commands/operator/step-down.html.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-layout: "docs"
-page_title: "operator step-down - Command"
-sidebar_title: "<code>step-down</code>"
-sidebar_current: "docs-commands-operator-step-down"
-description: |-
-  The "operator step-down" forces the Vault server at the given address to step
-  down from active duty.
----
-
-# operator step-down
-
-The `operator step-down` forces the Vault server at the given address to step
-down from active duty. While the affected node will have a delay before
-attempting to acquire the leader lock again, if no other Vault nodes acquire the
-lock beforehand, it is possible for the same node to re-acquire the lock and
-become active again.
-
-## Examples
-
-Force a Vault server to step down as the leader:
-
-```text
-$ vault operator step-down
-Success! Stepped down: http://127.0.0.1:8200
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/operator/unseal.html.md b/website/source/docs/commands/operator/unseal.html.md
deleted file mode 100644
index 12b508d9515f..000000000000
--- a/website/source/docs/commands/operator/unseal.html.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-layout: "docs"
-page_title: "operator unseal - Command"
-sidebar_title: "<code>unseal</code>"
-sidebar_current: "docs-commands-operator-unseal"
-description: |-
-  The "operator unseal" allows the user to provide a portion of the master key
-  to unseal a Vault server.
----
-
-# operator unseal
-
-The `operator unseal` allows the user to provide a portion of the master key to
-unseal a Vault server. Vault starts in a sealed state. It cannot perform
-operations until it is unsealed. This command accepts a portion of the master
-key (an "unseal key").
-
-The unseal key can be supplied as an argument to the command, but this is
-not recommended as the unseal key will be available in your history:
-
-```text
-$ vault operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
-```
-
-Instead, run the command with no arguments and it will prompt for the key:
-
-```text
-$ vault operator unseal
-Key (will be hidden): IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
-```
-
-For more information on sealing and unsealing, please the [seal concepts
-page](/docs/concepts/seal.html).
-
-
-## Examples
-
-Provide an unseal key:
-
-```text
-$ vault operator unseal
-Key (will be hidden):
-Sealed: false
-Key Shares: 1
-Key Threshold: 1
-Unseal Progress: 0
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-migrate` `(bool: false)` - Indicate that this share is provided with the intent that it is part of a seal migration process.
-
-- `-reset` `(bool: false)` - Discard any previously entered keys to the unseal
-  process.
diff --git a/website/source/docs/commands/path-help.html.md b/website/source/docs/commands/path-help.html.md
deleted file mode 100644
index d5eecea2f628..000000000000
--- a/website/source/docs/commands/path-help.html.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-layout: "docs"
-page_title: "path-help - Command"
-sidebar_title: "<code>path-help</code>"
-sidebar_current: "docs-commands-path-help"
-description: |-
-  The "path-help" command retrieves API help for paths. All endpoints in Vault
-  provide built-in help in markdown format. This includes system paths, secret
-  engines, and auth methods.
----
-
-# path-help
-
-The `path-help` command retrieves API help for paths. All endpoints in Vault
-provide built-in help in markdown format. This includes system paths, secret
-engines, and auth methods.
-
-The help system is the easiest way to learn how to use the various systems
-in Vault, and also allows you to discover new paths.
-
-Before using `path-help`, it is important to understand "paths" within Vault.
-Paths are the parameters used for `vault read`, `vault write`, etc. An example
-path is `secret/foo`, or `aws/config/root`. The paths available depend on the
-secrets engines in use. Because of this, the interactive help is an
-indispensable tool to finding what paths are supported.
-
-To discover what paths are supported, use `vault path-help PATH`. For example,
-if you enabled the AWS secrets engine, you can use `vault path-help aws` to find
-the paths supported by that backend. The paths are shown with regular
-expressions, which can make them hard to parse, but they are also extremely
-exact.
-
-## Examples
-
-Get help output for the KV secrets engine:
-
-```text
-$ vault path-help secret
-## DESCRIPTION
-
-The KV backend reads and writes arbitrary secrets to the backend.
-The secrets are encrypted/decrypted by Vault: they are never stored
-unencrypted in the backend and the backend never has an opportunity to
-see the unencrypted value.
-
-Leases can be set on a per-secret basis. These leases will be sent down
-when that secret is read, and it is assumed that some outside process will
-revoke and/or replace the secret at that path.
-
-## PATHS
-
-The following paths are supported by this backend. To view help for
-any of the paths below, use the help command with any route matching
-the path pattern. Note that depending on the policy of your auth token,
-you may or may not be able to access certain paths.
-
-    ^.*$
-        Pass-through secret storage to the storage backend, allowing you to
-        read/write arbitrary data into secret storage.
-```
-
-Once you've found a path you like, you can learn more about it by using `vault
-path-help <path>` where "path" is a path that matches one of the regular
-expressions from the backend help.
-
-```text
-$ vault path-help secret/password
-Request:        password
-Matching Route: ^.*$
-
-Pass-through secret storage to the storage backend, allowing you to
-read/write arbitrary data into secret storage.
-
-## PARAMETERS
-
-    lease (string)
-        Lease time for this key when read. Ex: 1h
-
-## DESCRIPTION
-
-The pass-through backend reads and writes arbitrary data into secret storage,
-encrypting it along the way.
-
-A lease can be specified when writing with the "lease" field. If given, then
-when the secret is read, Vault will report a lease with that duration. It
-is expected that the consumer of this backend properly writes renewed keys
-before the lease is up. In addition, revocation must be handled by the
-user of this backend.
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/plugin/deregister.html.md b/website/source/docs/commands/plugin/deregister.html.md
deleted file mode 100644
index 8f176a00cf6f..000000000000
--- a/website/source/docs/commands/plugin/deregister.html.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-layout: "docs"
-page_title: "plugin deregister - Command"
-sidebar_title: "<code>deregister</code>"
-sidebar_current: "docs-commands-plugin-deregister"
-description: |-
-  The "plugin deregister" command deregisters a new plugin in Vault's plugin
-  catalog.
----
-
-# plugin deregister
-
-The `plugin deregister` command deregisters an existing plugin from Vault's
-plugin catalog. If the plugin does not exist, no error is returned. The plugin's
-type of "auth", "database", or "secret" must be included.
-
-## Examples
-
-Deregister a plugin:
-
-```text
-$ vault plugin deregister auth my-custom-plugin
-Success! Deregistered plugin (if it was registered): my-custom-plugin
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/plugin/index.html.md b/website/source/docs/commands/plugin/index.html.md
deleted file mode 100644
index 859b42195503..000000000000
--- a/website/source/docs/commands/plugin/index.html.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-layout: "docs"
-page_title: "plugin - Command"
-sidebar_title: "<code>plugin</code>"
-sidebar_current: "docs-commands-plugin"
-description: |-
-  The "plugin" command groups subcommands for interacting with
-  Vault's plugins and the plugin catalog.
----
-
-# plugin
-
-The `plugin` command groups subcommands for interacting with Vault's plugins and
-the plugin catalog
-
-## Examples
-
-List all available plugins in the catalog:
-
-```text
-$ vault plugin list
-
-Plugins
--------
-my-custom-plugin
-# ...
-```
-
-Register a new plugin to the catalog:
-
-```text
-$ vault plugin register \
-  -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
-  my-custom-plugin
-Success! Registered plugin: my-custom-plugin
-```
-
-Get information about a plugin in the catalog:
-
-```text
-$ vault plugin info my-custom-plugin
-Key        Value
----        -----
-command    my-custom-plugin
-name       my-custom-plugin
-sha256     d3f0a8be02f6c074cf38c9c99d4d04c9c6466249
-```
-
-## Usage
-
-```text
-Usage: vault plugin <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    deregister    Deregister an existing plugin in the catalog
-    list          Lists available plugins
-    read          Read information about a plugin in the catalog
-    register      Registers a new plugin in the catalog
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/plugin/info.html.md b/website/source/docs/commands/plugin/info.html.md
deleted file mode 100644
index 3b5e26d94c96..000000000000
--- a/website/source/docs/commands/plugin/info.html.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-layout: "docs"
-page_title: "plugin info - Command"
-sidebar_title: "<code>info</code>"
-sidebar_current: "docs-commands-plugin-info"
-description: |-
-  The "plugin info" command displays information about a plugin in the catalog.
----
-
-# plugin info
-
-The `plugin info` displays information about a plugin in the catalog.
-The plugin's type of "auth", "database", or "secret" must be included.
-
-## Examples
-
-Display information about a plugin
-
-```text
-$ vault plugin info auth my-custom-plugin
-
-Key        Value
----        -----
-args       []
-builtin    false
-command    my-custom-plugin
-name       my-custom-plugin
-sha256     d3f0a8be02f6c074cf38c9c99d4d04c9c6466249
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other
-  processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/plugin/list.html.md b/website/source/docs/commands/plugin/list.html.md
deleted file mode 100644
index db0627c531c2..000000000000
--- a/website/source/docs/commands/plugin/list.html.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-layout: "docs"
-page_title: "plugin list - Command"
-sidebar_title: "<code>list</code>"
-sidebar_current: "docs-commands-plugin-list"
-description: |-
-  The "plugin list" command lists all available plugins in the plugin catalog.
----
-
-# plugin list
-
-The `plugin list` command lists all available plugins in the plugin catalog.
-It can be used alone or with a type such as "auth", "database", or "secret".
-
-## Examples
-
-List all available plugins in the catalog.
-
-```text
-$ vault plugin list
-
-Plugins
--------
-my-custom-plugin
-# ...
-
-$ vault plugin list database
-Plugins
--------
-cassandra-database-plugin
-# ...
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/plugin/register.html.md b/website/source/docs/commands/plugin/register.html.md
deleted file mode 100644
index a449ddf649fe..000000000000
--- a/website/source/docs/commands/plugin/register.html.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-layout: "docs"
-page_title: "plugin register - Command"
-sidebar_title: "<code>register</code>"
-sidebar_current: "docs-commands-plugin-register"
-description: |-
-  The "plugin register" command registers a new plugin in Vault's plugin
-  catalog.
----
-
-# plugin register
-
-The `plugin register` command registers a new plugin in Vault's plugin catalog.
-The plugin's type of "auth", "database", or "secret" must be included.
-
-## Examples
-
-Register a plugin:
-
-```text
-$ vault plugin register \
-    -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
-    auth my-custom-plugin
-Success! Registered plugin: my-custom-plugin
-```
-
-Register a plugin with custom args:
-
-```text
-$ vault plugin register \
-    -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
-    -args=--with-glibc,--with-curl-bindings \
-    auth my-custom-plugin
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-sha256` `(string: <required>)` - Checksum (SHA256) of the plugin binary.
-
-- `-args` `(string: "")` - List of arguments to pass to the binary plugin during
-  each invocation. Specify multiple arguments with commas.
-
-- `-command` `(string: "")` - Name of the command to run to invoke the binary.
-  By default, this is the name of the plugin.
diff --git a/website/source/docs/commands/policy/delete.html.md b/website/source/docs/commands/policy/delete.html.md
deleted file mode 100644
index e5709afdb9b3..000000000000
--- a/website/source/docs/commands/policy/delete.html.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-layout: "docs"
-page_title: "policy delete - Command"
-sidebar_title: "<code>delete</code>"
-sidebar_current: "docs-commands-policy-delete"
-description: |-
-  The "policy delete" command deletes the policy named NAME in the Vault server.
-  Once the policy is deleted, all tokens associated with the policy are affected
-  immediately.
----
-
-# policy delete
-
-The `policy delete` command deletes the policy named NAME in the Vault server.
-Once the policy is deleted, all tokens associated with the policy are affected
-immediately.
-
-Note that it is not possible to delete the "default" or "root" policies. These
-are built-in policies.
-
-## Examples
-
-Delete the policy named "my-policy":
-
-```text
-$ vault policy delete my-policy
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/policy/fmt.html.md b/website/source/docs/commands/policy/fmt.html.md
deleted file mode 100644
index 68396cd1901e..000000000000
--- a/website/source/docs/commands/policy/fmt.html.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-layout: "docs"
-page_title: "policy fmt - Command"
-sidebar_title: "<code>fmt</code>"
-sidebar_current: "docs-commands-policy-fmt"
-description: |-
-  The "policy fmt" formats a local policy file to the policy specification. This
-  command will overwrite the file at the given PATH with the properly-formatted
-  policy file contents.
----
-
-# policy fmt
-
-The `policy fmt` formats a local policy file to the policy specification. This
-command will overwrite the file at the given PATH with the properly-formatted
-policy file contents.
-
-## Examples
-
-Format the local file "my-policy.hcl":
-
-```text
-$ vault policy fmt my-policy.hcl
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/policy/index.html.md b/website/source/docs/commands/policy/index.html.md
deleted file mode 100644
index 0c9a15213bbd..000000000000
--- a/website/source/docs/commands/policy/index.html.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-layout: "docs"
-page_title: "policy - Command"
-sidebar_title: "<code>policy</code>"
-sidebar_current: "docs-commands-policy"
-description: |-
-  The "policy" command groups subcommands for interacting with policies. Users
-  can write, read, and list policies in Vault.
----
-
-# policy
-
-The `policy` command groups subcommands for interacting with policies. Users can
-write, read, and list policies in Vault.
-
-For more information, please see the [policy
-documentation](/docs/concepts/policies.html).
-
-## Examples
-
-List all enabled policies:
-
-```text
-$ vault policy list
-```
-
-Create a policy named "my-policy" from contents on local disk:
-
-```text
-$ vault policy write my-policy ./my-policy.hcl
-```
-
-Delete the policy named my-policy:
-
-```text
-$ vault policy delete my-policy
-```
-
-## Usage
-
-```text
-Usage: vault policy <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    delete    Deletes a policy by name
-    list      Lists the installed policies
-    read      Prints the contents of a policy
-    write     Uploads a named policy from a file
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/policy/list.html.md b/website/source/docs/commands/policy/list.html.md
deleted file mode 100644
index fe31ed8be7ca..000000000000
--- a/website/source/docs/commands/policy/list.html.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-layout: "docs"
-page_title: "policy list - Command"
-sidebar_title: "<code>list</code>"
-sidebar_current: "docs-commands-policy-list"
-description: |-
-  The "policy list" command Lists the names of the policies that are installed
-  on the Vault server.
----
-
-# policy list
-
-The `policy list` command Lists the names of the policies that are installed on
-the Vault server.
-
-## Examples
-
-List the available policies:
-
-```text
-$ vault policy list
-default
-root
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
diff --git a/website/source/docs/commands/policy/read.html.md b/website/source/docs/commands/policy/read.html.md
deleted file mode 100644
index 96a97f7202b3..000000000000
--- a/website/source/docs/commands/policy/read.html.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-layout: "docs"
-page_title: "policy read - Command"
-sidebar_title: "<code>read</code>"
-sidebar_current: "docs-commands-policy-read"
-description: |-
-  The "policy read" command prints the contents and metadata of the Vault policy
-  named NAME. If the policy does not exist, an error is returned.
----
-
-# policy read
-
-The `policy read` command prints the contents and metadata of the Vault policy
-named NAME. If the policy does not exist, an error is returned.
-
-## Examples
-
-Read the policy named "my-policy":
-
-```text
-$ vault policy read my-policy
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/policy/write.html.md b/website/source/docs/commands/policy/write.html.md
deleted file mode 100644
index e078656c6842..000000000000
--- a/website/source/docs/commands/policy/write.html.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-layout: "docs"
-page_title: "policy write - Command"
-sidebar_title: "<code>write</code>"
-sidebar_current: "docs-commands-policy-write"
-description: |-
-  The "policy write" command uploads a policy with name NAME from the contents
-  of a local file PATH or stdin. If PATH is "-", the policy is read from stdin.
-  Otherwise, it is loaded from the file at the given path on the local disk.
----
-
-# policy write
-
-The `policy write` command uploads a policy with name NAME from the contents of
-a local file PATH or stdin. If PATH is "-", the policy is read from stdin.
-Otherwise, it is loaded from the file at the given path on the local disk.
-
-For details on the policy syntax, please see the [policy
-documentation](/docs/concepts/policies.html).
-
-## Examples
-
-Upload a policy named "my-policy" from "/tmp/policy.hcl" on the local disk:
-
-```text
-$ vault policy write my-policy /tmp/policy.hcl
-```
-
-Upload a policy from stdin:
-
-```text
-$ cat my-policy.hcl | vault policy write my-policy -
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/read.html.md b/website/source/docs/commands/read.html.md
deleted file mode 100644
index 4a9634efcf51..000000000000
--- a/website/source/docs/commands/read.html.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-layout: "docs"
-page_title: "read - Command"
-sidebar_title: "<code>read</code>"
-sidebar_current: "docs-commands-read"
-description: |-
-  The "read" command reads data from Vault at the given path. This can be used
-  to read secrets, generate dynamic credentials, get configuration details, and
-  more.
----
-
-# read
-
-The `read` command reads data from Vault at the given path. This can be used to
-read secrets, generate dynamic credentials, get configuration details, and more.
-
-For a full list of examples and paths, please see the documentation that
-corresponds to the secrets engine in use.
-
-## Examples
-
-Read a secret from the static secrets engine:
-
-```text
-$ vault read secret/my-secret
-Key                 Value
----                 -----
-refresh_interval    768h
-foo                 bar
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/secrets/disable.html.md b/website/source/docs/commands/secrets/disable.html.md
deleted file mode 100644
index 09032eaa5d7c..000000000000
--- a/website/source/docs/commands/secrets/disable.html.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-layout: "docs"
-page_title: "secrets disable - Command"
-sidebar_title: "<code>disable</code>"
-sidebar_current: "docs-commands-secrets-disable"
-description: |-
-  The "secrets disable" command disables an secrets engine at a given PATH. The
-  argument corresponds to the enabled PATH of the engine, not the TYPE! All
-  secrets created by this engine are revoked and its Vault data is removed.
----
-
-# secrets disable
-
-The `secrets disable` command disables an secrets engine at a given PATH. The
-argument corresponds to the enabled PATH of the engine, not the TYPE! All
-secrets created by this engine are revoked and its Vault data is removed.
-
-Once an secrets engine is disabled, **all secrets generated via the secrets
-engine are immediately revoked.**
-
-## Examples
-
-Disable the secrets engine enabled at aws/:
-
-```text
-$ vault secrets disable aws/
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/secrets/enable.html.md b/website/source/docs/commands/secrets/enable.html.md
deleted file mode 100644
index e1db0ad8159f..000000000000
--- a/website/source/docs/commands/secrets/enable.html.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-layout: "docs"
-page_title: "secrets enable - Command"
-sidebar_title: "<code>enable</code>"
-sidebar_current: "docs-commands-secrets-enable"
-description: |-
-  The "secrets enable" command enables an secrets engine at a given path. If an
-  secrets engine already exists at the given path, an error is returned. After
-  the secrets engine is enabled, it usually needs configuration. The
-  configuration varies by secrets engine.
----
-
-# secrets enable
-
-The `secrets enable` command enables an secrets engine at a given path. If an
-secrets engine already exists at the given path, an error is returned. After the
-secrets engine is enabled, it usually needs configuration. The configuration
-varies by secrets engine.
-
-By default, secrets engines are enabled at the path corresponding to their TYPE,
-but users can customize the path using the `-path` option.
-
-Some secrets engines persist data, some act as data pass-through, and some
-generate dynamic credentials. The secrets engine will likely require
-configuration after it is mounted. For details on the specific configuration
-options, please see the [secrets engine
-documentation](/docs/secrets/index.html).
-
-
-## Examples
-
-Enable the AWS secrets engine at "aws/":
-
-```text
-$ vault secrets enable aws
-Success! Enabled the aws secrets engine at: aws/
-```
-
-Enable the SSH secrets engine at ssh-prod/:
-
-```text
-$ vault secrets enable -path=ssh-prod ssh
-```
-
-Enable the database secrets engine with an explicit maximum TTL of 30m:
-
-```text
-$ vault secrets enable -max-lease-ttl=30m database
-```
-
-Enable a custom plugin (after it is registered in the plugin registry):
-
-```text
-$ vault secrets enable -path=my-secrets my-plugin
-```
-
-For more information on the specific configuration options and paths, please see
-the [secrets engine](/docs/secrets/index.html) documentation.
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets
-  engine. If unspecified, this defaults to the Vault server's globally
-  configured default lease TTL.
-
-- `-description` `(string: "")` - Human-friendly description for the purpose of
-  this engine.
-
-- `-force-no-cache` `(bool: false)` - Force the secrets engine to disable
-  caching. If unspecified, this defaults to the Vault server's globally
-  configured cache settings. This does not affect caching of the underlying
-  encrypted data storage.
-
-- `-local` `(bool: false)` - Mark the secrets engine as local-only. Local
-  engines are not replicated or removed by replication.
-
-- `-max-lease-ttl` `(duration: "")` The maximum lease TTL for this secrets
-  engine. If unspecified, this defaults to the Vault server's globally
-  configured maximum lease TTL.
-
-- `-path` `(string: "")` Place where the secrets engine will be accessible. This
-  must be unique cross all secrets engines. This defaults to the "type" of the
-  secrets engine.
diff --git a/website/source/docs/commands/secrets/index.html.md b/website/source/docs/commands/secrets/index.html.md
deleted file mode 100644
index b917f154a521..000000000000
--- a/website/source/docs/commands/secrets/index.html.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-layout: "docs"
-page_title: "secrets - Command"
-sidebar_title: "<code>secrets</code>"
-sidebar_current: "docs-commands-secrets"
-description: |-
-  The "secrets" command groups subcommands for interacting with Vault's secrets
-  engines.
----
-
-# secrets
-
-The `secrets` command groups subcommands for interacting with Vault's secrets
-engines. Each secrets engine behaves differently. Please see the documentation
-for more information.
-
-Some secrets engines persist data, some act as data pass-through, and some
-generate dynamic credentials. The secrets engine will likely require
-configuration after it is mounted. For details on the specific configuration
-options, please see the [secrets engine
-documentation](/docs/secrets/index.html).
-
-## Examples
-
-Enable a secrets engine:
-
-```text
-$ vault secrets enable database
-Success! Enabled the database secrets engine at: database/
-```
-
-List all secrets engines:
-
-```text
-$ vault secrets list
-Path          Type         Description
-----          ----         -----------
-cubbyhole/    cubbyhole    per-token private secret storage
-database/     database     n/a
-secret/       kv           key/value secret storage
-sys/          system       system endpoints used for control, policy and debugging
-```
-
-Move a secrets engine to a new path:
-
-```text
-$ vault secrets move database/ db-prod/
-Success! Moved secrets engine database/ to: db-prod/
-```
-
-Tune a secrets engine:
-
-```text
-$ vault secrets tune -max-lease-ttl=30m db-prod/
-Success! Tuned the secrets engine at: db-prod/
-```
-
-Disable a secrets engine:
-
-```text
-$ vault secrets disable db-prod/
-Success! Disabled the secrets engine (if it existed) at: db-prod/
-```
-
-## Usage
-
-```text
-Usage: vault secrets <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    disable    Disable a secrets engine
-    enable     Enable a secrets engine
-    list       List enabled secrets engines
-    move       Move a secrets engine to a new path
-    tune       Tune a secrets engine configuration
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/secrets/list.html.md b/website/source/docs/commands/secrets/list.html.md
deleted file mode 100644
index ec3dfd671a33..000000000000
--- a/website/source/docs/commands/secrets/list.html.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-layout: "docs"
-page_title: "secrets list - Command"
-sidebar_title: "<code>list</code>"
-sidebar_current: "docs-commands-secrets-list"
-description: |-
-  The "secrets list" command lists the enabled secrets engines on the Vault
-  server. This command also outputs information about the enabled path including
-  configured TTLs and human-friendly descriptions. A TTL of "system" indicates
-  that the system default is in use.
----
-
-# secrets list
-
-The `secrets list` command lists the enabled secrets engines on the Vault server.
-This command also outputs information about the enabled path including
-configured TTLs and human-friendly descriptions. A TTL of "system" indicates
-that the system default is in use.
-
-## Examples
-
-List all enabled secrets engines:
-
-```text
-$ vault secrets list
-Path          Type         Description
-----          ----         -----------
-cubbyhole/    cubbyhole    per-token private secret storage
-secret/       kv           key/value secret storage
-sys/          system       system endpoints used for control, policy and debugging
-```
-
-List all enabled secrets engines with detailed output:
-
-```text
-$ vault secrets list -detailed
-Path          Type         Accessor              Plugin    Default TTL    Max TTL    Force No Cache    Replication    Description
-----          ----         --------              ------    -----------    -------    --------------    -----------    -----------
-cubbyhole/    cubbyhole    cubbyhole_10fbb584    n/a       n/a            n/a        false             local          per-token private secret storage
-secret/       kv           kv_167ce199           n/a       system         system     false             replicated     key/value secret storage
-sys/          system       system_a9fd745d       n/a       n/a            n/a        false             replicated     system endpoints used for control, policy and debugging
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-detailed` `(bool: false)` - Print detailed information such as configuration
-  and replication status about each secrets engine.
diff --git a/website/source/docs/commands/secrets/move.html.md b/website/source/docs/commands/secrets/move.html.md
deleted file mode 100644
index ba088ab3fb79..000000000000
--- a/website/source/docs/commands/secrets/move.html.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-layout: "docs"
-page_title: "secrets move - Command"
-sidebar_title: "<code>move</code>"
-sidebar_current: "docs-commands-secrets-move"
-description: |-
-  The "secrets move" command moves an existing secrets engine to a new path. Any
-  leases from the old secrets engine are revoked, but all configuration
-  associated with the engine is preserved.
----
-
-# secrets move
-
-The `secrets move` command moves an existing secrets engine to a new path. Any
-leases from the old secrets engine are revoked, but all configuration associated
-with the engine is preserved.
-
-**Moving an existing secrets engine will revoke any leases from the old
-engine.**
-
-## Examples
-
-Move the existing secrets engine at secret/ to kv/:
-
-```text
-$ vault secrets move secret/ kv/
-```
-
-## Usage
-
-There are no flags beyond the [standard set of flags](/docs/commands/index.html)
-included on all commands.
diff --git a/website/source/docs/commands/secrets/tune.html.md b/website/source/docs/commands/secrets/tune.html.md
deleted file mode 100644
index 40f1002d80ba..000000000000
--- a/website/source/docs/commands/secrets/tune.html.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-layout: "docs"
-page_title: "secrets tune - Command"
-sidebar_title: "<code>tune</code>"
-sidebar_current: "docs-commands-secrets-tune"
-description: |-
-  The "secrets tune" command tunes the configuration options for the secrets
-  engine at the given PATH. The argument corresponds to the PATH where the
-  secrets engine is enabled, not the TYPE!
----
-
-# secrets tune
-
-The `secrets tune` command tunes the configuration options for the secrets
-engine at the given PATH. The argument corresponds to the PATH where the secrets
-engine is enabled, not the TYPE!
-
-## Examples
-
-Tune the default lease for the PKI secrets engine:
-
-```text
-$ vault secrets tune -default-lease-ttl=72h pki/
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets
-  engine. If unspecified, this defaults to the Vault server's globally
-  configured default lease TTL, or a previously configured value for the secrets
-  engine.
-
-- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets
-  engine. If unspecified, this defaults to the Vault server's globally
-  configured maximum lease TTL, or a previously configured value for the secrets
-  engine.
diff --git a/website/source/docs/commands/server.html.md b/website/source/docs/commands/server.html.md
deleted file mode 100644
index 3f43e9dfedfb..000000000000
--- a/website/source/docs/commands/server.html.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-layout: "docs"
-page_title: "server - Command"
-sidebar_title: "<code>server</code>"
-sidebar_current: "docs-commands-server"
-description: |-
-  The "server" command starts a Vault server that responds to API requests. By
-  default, Vault will start in a "sealed" state. The Vault cluster must be
-  initialized before use.
----
-
-# server
-
-The `server` command starts a Vault server that responds to API requests. By
-default, Vault will start in a "sealed" state. The Vault cluster must be
-initialized before use, usually by the `vault operator init` command. Each Vault
-server must also be unsealed using the `vault operator unseal` command or the
-API before the server can respond to requests.
-
-For more information, please see:
-
-- [`operator init` command](/docs/commands/operator/init.html) for information
-  on initializing a Vault server.
-
-- [`operator unseal` command](/docs/commands/operator/unseal.html) for
-  information on providing unseal keys.
-
-- [Vault configuration](/docs/configuration/index.html) for the syntax and
-  various configuration options for a Vault server.
-
-## Examples
-
-Start a server with a configuration file:
-
-```text
-$ vault server -config=/etc/vault/config.hcl
-```
-
-Run in "dev" mode with a custom initial root token:
-
-```text
-$ vault server -dev -dev-root-token-id="root"
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Command Options
-
-- `-config` `(string: "")` - Path to a configuration file or directory of
-  configuration files. This flag can be specified multiple times to load
-  multiple configurations. If the path is a directory, all files which end in
-  .hcl or .json are loaded.
-
-- `-log-level` `(string: "info")` - Log verbosity level. Supported values (in
-  order of detail) are "trace", "debug", "info", "warn", and "err". This can
-  also be specified via the VAULT_LOG_LEVEL environment variable.
-  
-- `-log-format` `(string: "standard")` - Log format. Supported values
-  are "standard" and "json". This can also be specified via the 
-  VAULT_LOG_FORMAT environment variable.
-
-### Dev Options
-
-- `-dev` `(bool: false)` - Enable development mode. In this mode, Vault runs
-  in-memory and starts unsealed. As the name implies, do not run "dev" mode in
-  production.
-
-- `-dev-listen-address` `(string: "127.0.0.1:8200")` - Address to bind to in
-  "dev" mode. This can also be specified via the `VAULT_DEV_LISTEN_ADDRESS`
-  environment variable.
-
-- `-dev-root-token-id` `(string: "")` - Initial root token. This only applies
-  when running in "dev" mode. This can also be specified via the
-  `VAULT_DEV_ROOT_TOKEN_ID` environment variable.
-
-- `-dev-no-store-token` `(string: "")` - Do not persist the dev root token to
-  the token helper (usually the local filesystem) for use in future requests.
-  The token will only be displayed in the command output.
-
-- `-dev-plugin-dir` `(string: "")` - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.
diff --git a/website/source/docs/commands/ssh.html.md b/website/source/docs/commands/ssh.html.md
deleted file mode 100644
index 18e18155cea7..000000000000
--- a/website/source/docs/commands/ssh.html.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-layout: "docs"
-page_title: "ssh - Command"
-sidebar_title: "<code>ssh</code>"
-sidebar_current: "docs-commands-ssh"
-description: |-
-  The "ssh" command establishes an SSH connection with the target machine using
-  credentials obtained from an SSH secrets engine.
----
-
-# ssh
-
-The `ssh` command establishes an SSH connection with the target machine.
-
-This command uses one of the SSH secrets engines to authenticate and
-automatically establish an SSH connection to a host. This operation requires
-that the SSH secrets engine is mounted and configured.
-
-The user must have `ssh` installed locally - this command will exec out to it
-with the proper commands to provide an "SSH-like" consistent experience.
-
-## Examples
-
-SSH using the OTP mode (requires [sshpass](https://linux.die.net/man/1/sshpass)
-for full automation):
-
-```text
-$ vault ssh -mode=otp -role=my-role user@1.2.3.4
-```
-
-SSH using the CA mode:
-
-```text
-$ vault ssh -mode=ca -role=my-role user@1.2.3.4
-```
-
-SSH using CA mode with host key verification:
-
-```text
-$ vault ssh \
-    -mode=ca \
-    -role=my-role \
-    -host-key-mount-point=host-signer \
-    -host-key-hostnames=example.com \
-    user@example.com
-```
-
-For step-by-step guides and instructions for each of the available SSH
-auth methods, please see the corresponding [SSH secrets
-engine](/docs/secrets/ssh/index.html).
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### SSH Options
-
-- `-mode` `(string: "")` - Name of the authentication mode (ca, dynamic, otp)."
-
-- `-mount-point` `(string: "ssh/")` - Mount point to the SSH secrets engine.
-
-- `-no-exec` `(bool: false)` - Print the generated credentials, but do not
-  establish a connection.
-
-- `-role` `(string: "")` - Name of the role to use to generate the key.
-
-- `-strict-host-key-checking` `(string: "")` - Value to use for the SSH
-  configuration option "StrictHostKeyChecking". The default is ask. This can
-  also be specified via the `VAULT_SSH_STRICT_HOST_KEY_CHECKING` environment
-  variable.
-
-- `-user-known-hosts-file` `(string: "~/.ssh/known_hosts")` - Value to use for
-  the SSH configuration option "UserKnownHostsFile". This can also be specified
-  via the `VAULT_SSH_USER_KNOWN_HOSTS_FILE` environment variable.
-
-### CA Mode Options
-
-- `-host-key-hostnames` `(string: "*")` - List of hostnames to delegate for the
-  CA. The default value allows all domains and IPs. This is specified as a
-  comma-separated list of values. This can also be specified via the
-  `VAULT_SSH_HOST_KEY_HOSTNAMES` environment variable.
-
-- `-host-key-mount-point` `(string: "")` - Mount point to the SSH
-  secrets engine where host keys are signed. When given a value, Vault will
-  generate a custom "known_hosts" file with delegation to the CA at the provided
-  mount point to verify the SSH connection's host keys against the provided CA.
-  By default, host keys are validated against the user's local "known_hosts"
-  file. This flag forces strict key host checking and ignores a custom user
-  known hosts file. This can also be specified via the
-  `VAULT_SSH_HOST_KEY_MOUNT_POINT` environment variable.
-
-- `-private-key-path` `(string: "~/.ssh/id_rsa")` - Path to the SSH private key
-  to use for authentication. This must be the corresponding private key to
-  `-public-key-path`.
-
-- `-public-key-path` `(string: "~/.ssh/id_rsa.pub")` - Path to the SSH public
-  key to send to Vault for signing.
diff --git a/website/source/docs/commands/status.html.md b/website/source/docs/commands/status.html.md
deleted file mode 100644
index b84adb7b58cd..000000000000
--- a/website/source/docs/commands/status.html.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-layout: "docs"
-page_title: "status - Command"
-sidebar_title: "<code>status</code>"
-sidebar_current: "docs-commands-status"
-description: |-
-  The "status" command prints the current state of Vault including whether it is
-  sealed and if HA mode is enabled. This command prints regardless of whether
-  the Vault is sealed.
----
-
-# status
-
-The `status` command prints the current state of Vault including whether it is
-sealed and if HA mode is enabled. This command prints regardless of whether the
-Vault is sealed.
-
-The exit code reflects the seal status:
-
-- 0 - unsealed
-- 1 - error
-- 2 - sealed
-
-## Examples
-
-Check the status:
-
-```text
-$ vault status
-Sealed: false
-Key Shares: 5
-Key Threshold: 3
-Unseal Progress: 0
-Unseal Nonce:
-Version: x.y.z
-Cluster Name: vault-cluster-49ffd45f
-Cluster ID: d2dad792-fb99-1c8d-452e-528d073ba205
-
-High-Availability Enabled: false
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
\ No newline at end of file
diff --git a/website/source/docs/commands/token-helper.html.md b/website/source/docs/commands/token-helper.html.md
deleted file mode 100644
index c10c49180701..000000000000
--- a/website/source/docs/commands/token-helper.html.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-layout: "docs"
-page_title: "Token Helpers"
-sidebar_title: "Token Helpers"
-sidebar_current: "docs-commands-token-helper"
-description: |-
-  The Vault CLI supports external token helpers that make retrieving, setting and erasing tokens simpler to use.
----
-
-# Token Helpers
-
-The Vault CLI provides a built in tool for authenticating to any of the enabled auth backends. By default the Vault CLI will take the generated token after a successful authentication and store it on disk in the `~/.vault-token` file. This functionality can change in Vault via the use of a token helper. A token helper is an external program that Vault calls to save, retrieve or erase a saved token. The token helper could be a very simple script or a more complex program depending on your needs. The interface to the external token helper is extremely simple.
-
-## Configuration
-
-To configure a token helper, edit (or create) the file `~/.vault` and add a line similar to:
-
-```
-token_helper = "/path/to/token/helper.sh"
-```
-
-You will need to use the fully qualified path to the token helper script. The script should be executable.
-
-## Developing a Token Helper
-
-The interface to a token helper is extremely simple: the script is passed with one argument that could be `get`, `store` or `erase`. If the argument is `get`, the script should do whatever work it needs to do to retrieve the stored token and then print the token to `STDOUT`. If the argument is `store`, Vault is asking you to store the token. Finally, if the argument is `erase`, your program should erase the stored token.
-
-If your program succeeds, it should exit with status code 0. If it encounters an issue that prevents it from working, it should exit with some other status code. You should write a user-friendly error message to `STDERR`. You should never write anything other than the token to `STDOUT`, as Vault assumes whatever it gets on `STDOUT` is the token.
-
-### Example Token Helper
-
-This is an example token helper written in Ruby that stores and retrieves tokens in a json file called `~/.vault_tokens`. The key is the environment variable $VAULT_ADDR, this allows the Vault user to easily store and retrieve tokens from a number of different Vault servers.
-
-```
-#!/usr/bin/env ruby
-
-require 'json'
-
-unless ENV['VAULT_ADDR']
-  STDERR.puts "No VAULT_ADDR environment variable set. Set it and run me again!"
-  exit 100
-end
-
-begin
-  tokens = JSON.parse(File.read("#{ENV['HOME']}/.vault_tokens"))
-rescue Errno::ENOENT => e
-  # file doesn't exist so create a blank hash for it
-  tokens = {}
-end
-
-case ARGV.first
-when 'get'
-  print tokens[ENV['VAULT_ADDR']] if tokens[ENV['VAULT_ADDR']]
-  exit 0
-when 'store'
-  tokens[ENV['VAULT_ADDR']] = STDIN.read
-when 'erase'
-  tokens.delete!(ENV['VAULT_ADDR'])
-end
-
-File.open("#{ENV['HOME']}/.vault_tokens", 'w') { |file| file.write(tokens.to_json) }
-```
-
-
diff --git a/website/source/docs/commands/token/capabilities.html.md b/website/source/docs/commands/token/capabilities.html.md
deleted file mode 100644
index 5f272d64979c..000000000000
--- a/website/source/docs/commands/token/capabilities.html.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-layout: "docs"
-page_title: "token capabilities - Command"
-sidebar_title: "<code>capabilities</code>"
-sidebar_current: "docs-commands-token-capabilities"
-description: |-
-  The "token capabilities" command fetches the capabilities of a token for a
-  given path.
----
-
-# token capabilities
-
-The `token capabilities` command fetches the capabilities of a token for a given
-path.
-
-If a TOKEN is provided as an argument, this command uses the "/sys/capabilities"
-endpoint and permission. If no TOKEN is provided, this command uses the
-"/sys/capabilities-self" endpoint and permission with the locally authenticated
-token.
-
-## Examples
-
-List capabilities for the local token on the "secret/foo" path:
-
-```text
-$ vault token capabilities secret/foo
-read
-```
-
-List capabilities for a token on the "cubbyhole/foo" path:
-
-```text
-$ vault token capabilities 96ddf4bc-d217-f3ba-f9bd-017055595017 database/creds/readonly
-deny
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
\ No newline at end of file
diff --git a/website/source/docs/commands/token/create.html.md b/website/source/docs/commands/token/create.html.md
deleted file mode 100644
index 4e96cbb2abeb..000000000000
--- a/website/source/docs/commands/token/create.html.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-layout: "docs"
-page_title: "token create - Command"
-sidebar_title: "<code>create</code>"
-sidebar_current: "docs-commands-token-create"
-description: |-
-  The "token create" command creates a new token that can be used for
-  authentication. This token will be created as a child of the currently
-  authenticated token. The generated token will inherit all policies and
-  permissions of the currently authenticated token unless you explicitly define
-  a subset list policies to assign to the token.
----
-
-# token create
-
-The `token create` command creates a new token that can be used for
-authentication. This token will be created as a child of the currently
-authenticated token. The generated token will inherit all policies and
-permissions of the currently authenticated token unless you explicitly define a
-subset list policies to assign to the token.
-
-A ttl can also be associated with the token. If a ttl is not associated with the
-token, then it cannot be renewed. If a ttl is associated with the token, it will
-expire after that amount of time unless it is renewed.
-
-Metadata associated with the token (specified with `-metadata`) is written to
-the audit log when the token is used.
-
-If a role is specified, the role may override parameters specified here.
-
-## Examples
-
-Create a token attached to specific policies:
-
-```text
-$ vault token create -policy=my-policy -policy=other-policy
-Key                Value
----                -----
-token              95eba8ed-f6fc-958a-f490-c7fd0eda5e9e
-token_accessor     882d4a40-3796-d06e-c4f0-604e8503750b
-token_duration     768h
-token_renewable    true
-token_policies     [default my-policy other-policy]
-```
-
-Create a periodic token:
-
-```text
-$ vault token create -period=30m
-Key                Value
----                -----
-token              fdb90d58-af87-024f-fdcd-9f95039e353a
-token_accessor     4cd9177c-034b-a004-c62d-54bc56c0e9bd
-token_duration     30m
-token_renewable    true
-token_policies     [my-policy]
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-display-name` `(string: "")` - Name to associate with this token. This is a
-  non-sensitive value that can be used to help identify created secrets (e.g.
-  prefixes).
-
-- `-explicit-max-ttl` `(duration: "")` - Explicit maximum lifetime for the
-  token. Unlike normal TTLs, the maximum TTL is a hard limit and cannot be
-  exceeded. This is specified as a numeric string with suffix like "30s" or
-  "5m".
-
-- `-id` `(string: "")` - Value for the token. By default, this is an
-  auto-generated value. Specifying this value requires sudo permissions.
-
-- `-metadata` `(k=v: "")` - Arbitrary key=value metadata to associate with the
-  token. This metadata will show in the audit log when the token is used. This
-  can be specified multiple times to add multiple pieces of metadata.
-
-- `-no-default-policy` `(bool: false)` - Detach the "default" policy from the
-  policy set for this token.
-
-- `-orphan` `(bool: false)` - Create the token with no parent. This prevents the
-  token from being revoked when the token which created it expires. Setting this
-  value requires sudo permissions.
-
-- `-period` `(duration: "")` - If specified, every renewal will use the given
-  period. Periodic tokens do not expire as long as they are actively being
-  renewed (unless `-explicit-max-ttl` is also provided). Setting this value 
-  requires sudo permissions. This is specified as a numeric string with suffix 
-  like "30s" or "5m".
-
-- `-policy` `(string: "")` - Name of a policy to associate with this token. This
-  can be specified multiple times to attach multiple policies.
-
-- `-renewable` `(bool: true)` - Allow the token to be renewed up to it's maximum
-  TTL.
-
-- `-role` `(string: "")` - Name of the role to create the token against.
-  Specifying -role may override other arguments. The locally authenticated Vault
-  token must have permission for `auth/token/create/<role>`.
-
-- `-ttl` `(duration: "")` - Initial TTL to associate with the token. Token
-  renewals may be able to extend beyond this value, depending on the configured
-  maximumTTLs. This is specified as a numeric string with suffix like "30s" or
-  "5m".
-
-- `-type` `(string: "service")` - The type of token to create. Can be "service" or "batch".
-
-- `-use-limit` `(int: 0)` - Number of times this token can be used. After the
-  last use, the token is automatically revoked. By default, tokens can be used
-  an unlimited number of times until their expiration.
diff --git a/website/source/docs/commands/token/index.html.md b/website/source/docs/commands/token/index.html.md
deleted file mode 100644
index 7aea0cc588e7..000000000000
--- a/website/source/docs/commands/token/index.html.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-layout: "docs"
-page_title: "token - Command"
-sidebar_title: "<code>token</code>"
-sidebar_current: "docs-commands-token"
-description: |-
-  The "token" command groups subcommands for interacting with tokens. Users can
-  create, lookup, renew, and revoke tokens.
----
-
-# token
-
-The `token` command groups subcommands for interacting with tokens. Users can
-create, lookup, renew, and revoke tokens.
-
-For more information on tokens, please see the [token concepts
-page](/docs/concepts/tokens.html).
-
-## Examples
-
-Create a new token:
-
-```text
-$ vault token create
-```
-
-Revoke a token:
-
-```text
-$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
-```
-
-Renew a token:
-
-```text
-$ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
-```
-
-## Usage
-
-```text
-Usage: vault token <subcommand> [options] [args]
-
-  # ...
-
-Subcommands:
-    capabilities    Print capabilities of a token on a path
-    create          Create a new token
-    lookup          Display information about a token
-    renew           Renew a token lease
-    revoke          Revoke a token and its children
-```
-
-For more information, examples, and usage about a subcommand, click on the name
-of the subcommand in the sidebar.
diff --git a/website/source/docs/commands/token/lookup.html.md b/website/source/docs/commands/token/lookup.html.md
deleted file mode 100644
index edb7c8f41d33..000000000000
--- a/website/source/docs/commands/token/lookup.html.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-layout: "docs"
-page_title: "token lookup - Command"
-sidebar_title: "<code>lookup</code>"
-sidebar_current: "docs-commands-token-lookup"
-description: |-
-  The "token lookup" displays information about a token or accessor. If a TOKEN
-  is not provided, the locally authenticated token is used.
----
-
-# token lookup
-
-The `token lookup` displays information about a token or accessor. If a TOKEN is
-not provided, the locally authenticated token is used.
-
-## Examples
-
-Get information about the locally authenticated token (this uses the
-`/auth/token/lookup-self` endpoint and permission):
-
-```text
-$ vault token lookup
-```
-
-Get information about a particular token (this uses the `/auth/token/lookup`
-endpoint and permission):
-
-```text
-$ vault token lookup 96ddf4bc-d217-f3ba-f9bd-017055595017
-```
-
-Get information about a token via its accessor:
-
-```text
-$ vault token lookup -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(default: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
-  token. When this option is selected, the output will NOT include the token.
diff --git a/website/source/docs/commands/token/renew.html.md b/website/source/docs/commands/token/renew.html.md
deleted file mode 100644
index 757977ccaa46..000000000000
--- a/website/source/docs/commands/token/renew.html.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-layout: "docs"
-page_title: "token renew - Command"
-sidebar_title: "<code>renew</code>"
-sidebar_current: "docs-commands-token-renew"
-description: |-
-  The "token renew" renews a token's lease, extending the amount of time it can
-  be used. If a TOKEN is not provided, the locally authenticated token is used.
-  Lease renewal will fail if the token is not renewable, the token has already
-  been revoked, or if the token has already reached its maximum TTL.
----
-
-# token renew
-
-The `token renew` renews a token's lease, extending the amount of time it can be
-used. If a TOKEN is not provided, the locally authenticated token is used. Lease
-renewal will fail if the token is not renewable, the token has already been
-revoked, or if the token has already reached its maximum TTL.
-
-## Examples
-
-Renew a token (this uses the `/auth/token/renew` endpoint and permission):
-
-```text
-$ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
-```
-
-Renew the currently authenticated token (this uses the `/auth/token/renew-self`
-endpoint and permission):
-
-```text
-$ vault token renew
-```
-
-Renew a token requesting a specific increment value:
-
-```text
-$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-format` `(default: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-increment` `(duration: "")` - Request a specific increment for renewal.
-  Vault is not required to honor this request. If not supplied, Vault will use
-  the default TTL. This is specified as a numeric string with suffix like "30s"
-  or "5m". This is aliased as "-i".
diff --git a/website/source/docs/commands/token/revoke.html.md b/website/source/docs/commands/token/revoke.html.md
deleted file mode 100644
index c11e0a015332..000000000000
--- a/website/source/docs/commands/token/revoke.html.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-layout: "docs"
-page_title: "token revoke - Command"
-sidebar_title: "<code>revoke</code>"
-sidebar_current: "docs-commands-token-revoke"
-description: |-
-  The "token revoke" revokes authentication tokens and their children. If a
-  TOKEN is not provided, the locally authenticated token is used.
----
-
-# token revoke
-
-The `token revoke` revokes authentication tokens and their children. If a TOKEN
-is not provided, the locally authenticated token is used. The `-mode` flag can
-be used to control the behavior of the revocation.
-
-## Examples
-
-Revoke a token and all the token's children:
-
-```text
-$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
-Success! Revoked token (if it existed)
-```
-
-Revoke a token leaving the token's children:
-
-```text
-$ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017
-Success! Revoked token (if it existed)
-```
-
-Revoke a token by accessor:
-
-```text
-$ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da
-Success! Revoked token (if it existed)
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-- `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
-  token.
-
-- `-mode` `(string: "")` - Type of revocation to perform. If unspecified, Vault
-  will revoke the token and all of the token's children. If "orphan", Vault will
-  revoke only the token, leaving the children as orphans. If "path", tokens
-  created from the given authentication path prefix are deleted along with their
-  children.
-
-- `-self` -  Perform the revocation on the currently authenticated token.
diff --git a/website/source/docs/commands/unwrap.html.md b/website/source/docs/commands/unwrap.html.md
deleted file mode 100644
index 1aaa8f37ec3f..000000000000
--- a/website/source/docs/commands/unwrap.html.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-layout: "docs"
-page_title: "unwrap - Command"
-sidebar_title: "<code>unwrap</code>"
-sidebar_current: "docs-commands-unwrap"
-description: |-
-  The "unwrap" command unwraps a wrapped secret from Vault by the given token.
-  The result is the same as the "vault read" operation on the non-wrapped
-  secret. If no token is given, the data in the currently authenticated token is
-  unwrapped.
----
-
-# unwrap
-
-The `unwrap` command unwraps a wrapped secret from Vault by the given token. The
-result is the same as the "vault read" operation on the non-wrapped secret. If
-no token is given, the data in the currently authenticated token is unwrapped.
-
-## Examples
-
-Unwrap the data in the cubbyhole secrets engine for a token:
-
-```text
-$ vault unwrap 3de9ece1-b347-e143-29b0-dc2dc31caafd
-```
-
-Unwrap the data in the active token:
-
-```text
-$ vault login 848f9ccf-7176-098c-5e2b-75a0689d41cd
-$ vault unwrap # unwraps 848f9ccf...
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
diff --git a/website/source/docs/commands/version.html.md b/website/source/docs/commands/version.html.md
deleted file mode 100644
index 99ec93cbc583..000000000000
--- a/website/source/docs/commands/version.html.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-layout: "docs"
-page_title: "version - Command"
-sidebar_title: "<code>version</code>"
-sidebar_current: "docs-commands-version"
-description: |-
-  The "version" command prints the version of Vault.
----
-
-# version
-
-The `version` command prints the Vault version:
-
-```
-$ vault version
-Vault v1.2.3
-```
-
-It can also be printed by adding the flags `--version` or `-v` to the `vault` command:
-
-```
-$ vault -v
-Vault v1.2.3
-```
diff --git a/website/source/docs/commands/write.html.md b/website/source/docs/commands/write.html.md
deleted file mode 100644
index b87c627b7e7d..000000000000
--- a/website/source/docs/commands/write.html.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-layout: "docs"
-page_title: "write - Command"
-sidebar_title: "<code>write</code>"
-sidebar_current: "docs-commands-write"
-description: |-
-  The "write" command writes data to Vault at the given path. The data can be
-  credentials, secrets, configuration, or arbitrary data. The specific behavior
-  of this command is determined at the thing mounted at the path.
----
-
-# write
-
-The `write` command writes data to Vault at the given path. The data can be
-credentials, secrets, configuration, or arbitrary data. The specific behavior of
-this command is determined at the thing mounted at the path.
-
-Data is specified as "key=value" pairs. If the value begins with an "@", then it
-is loaded from a file. If the value is "-", Vault will read the value from
-stdin.
-
-For a full list of examples and paths, please see the documentation that
-corresponds to the secrets engines in use.
-
-## Examples
-
-Persist data in the KV secrets engine:
-
-```text
-$ vault write secret/my-secret foo=bar
-```
-
-Create a new encryption key in the transit secrets engine:
-
-```text
-$ vault write -f transit/keys/my-key
-```
-
-Upload an AWS IAM policy from a file on disk:
-
-```text
-$ vault write aws/roles/ops policy=@policy.json
-```
-
-Configure access to Consul by providing an access token:
-
-```text
-$ echo $MY_TOKEN | vault write consul/config/access token=-
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/docs/commands/index.html) included on all commands.
-
-### Output Options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command Options
-
-- `-force` `(bool: false)` - Allow the operation to continue with no key=value
-  pairs. This allows writing to keys that do not need or expect data. This is
-  aliased as "-f".
diff --git a/website/source/docs/concepts/auth.html.md b/website/source/docs/concepts/auth.html.md
deleted file mode 100644
index 1911114b42d7..000000000000
--- a/website/source/docs/concepts/auth.html.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-layout: "docs"
-page_title: "Authentication"
-sidebar_title: "Authentication"
-sidebar_current: "docs-concepts-auth"
-description: |-
-  Before performing any operation with Vault, the connecting client must be authenticated.
----
-
-# Authentication
-
-Authentication in Vault is the process by which user or machine supplied
-information is verified against an internal or external system. Vault supports
-multiple [auth methods](/docs/auth/index.html) including GitHub,
-LDAP, AppRole, and more. Each auth method has a specific use case.
-
-Before a client can interact with Vault, it must _authenticate_ against an
-auth method. Upon authentication, a token is generated. This token is
-conceptually similar to a session ID on a website. The token may have attached
-policy, which is mapped at authentication time. This process is described in
-detail in the [policies concepts](/docs/concepts/policies.html) documentation.
-
-## auth methods
-
-Vault supports a number of auth methods. Some backends are targeted
-toward users while others are targeted toward machines. Most authentication
-backends must be enabled before use. To enable an auth method:
-
-```sh
-$ vault write sys/auth/my-auth type=userpass
-```
-
-This enables the "userpass" auth method at the path "my-auth". This
-authentication will be accessible at the path "my-auth". Often you will see
-authentications at the same path as their name, but this is not a requirement.
-
-To learn more about this authentication, use the built-in `path-help` command:
-
-```sh
-$ vault path-help auth/my-auth
-# ...
-```
-
-Vault supports multiple auth methods simultaneously, and you can even
-mount the same type of auth method at different paths. Only one
-authentication is required to gain access to Vault, and it is not currently
-possible to force a user through multiple auth methods to gain
-access, although some backends do support MFA.
-
-## Tokens
-
-There is an [entire page dedicated to tokens](/docs/concepts/tokens.html),
-but it is important to understand that authentication works by verifying
-your identity and then generating a token to associate with that identity.
-
-For example, even though you may authenticate using something like GitHub,
-Vault generates a unique access token for you to use for future requests.
-The CLI automatically attaches this token to requests, but if you're using
-the API you'll have to do this manually.
-
-This token given for authentication with any backend can also be used
-with the full set of token commands, such as creating new sub-tokens,
-revoking tokens, and renewing tokens. This is all covered on the
-[token concepts page](/docs/concepts/tokens.html).
-
-## Authenticating
-
-### Via the CLI
-
-To authenticate with the CLI, `vault login` is used. This supports many
-of the built-in auth methods. For example, with GitHub:
-
-```
-$ vault login -method=github token=<token>
-...
-```
-
-After authenticating, you will be logged in. The CLI command will also
-output your raw token. This token is used for revocation and renewal.
-As the user logging in, the primary use case of the token is renewal,
-covered below in the "Auth Leases" section.
-
-To determine what variables are needed for an auth method,
-supply the `-method` flag without any additional arguments and help
-will be shown.
-
-If you're using a method that isn't supported via the CLI, then the API
-must be used.
-
-### Via the API
-
-API authentication is generally used for machine authentication. Each
-auth method implements its own login endpoint. Use the `vault path-help`
-mechanism to find the proper endpoint.
-
-For example, the GitHub login endpoint is located at `auth/github/login`.
-And to determine the arguments needed, `vault path-help auth/github/login` can
-be used.
-
-## Auth Leases
-
-Just like secrets, identities have
-[leases](/docs/concepts/lease.html) associated with them. This means that
-you must reauthenticate after the given lease period to continue accessing
-Vault.
-
-To set the lease associated with an identity, reference the help for
-the specific auth method in use. It is specific to each backend
-how leasing is implemented.
-
-And just like secrets, identities can be renewed without having to
-completely reauthenticate. Just use `vault token renew <token>` with the
-leased token associated with your identity to renew it.
diff --git a/website/source/docs/concepts/dev-server.html.md b/website/source/docs/concepts/dev-server.html.md
deleted file mode 100644
index ec017afc5b82..000000000000
--- a/website/source/docs/concepts/dev-server.html.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-layout: "docs"
-page_title: "Dev Server Mode"
-sidebar_title: "'Dev' Server"
-sidebar_current: "docs-concepts-devserver"
-description: |-
-  The dev server in Vault can be used for development or to experiment with Vault.
----
-
-# "Dev" Server Mode
-
-You can start Vault as a server in "dev" mode like so: `vault server -dev`.
-This dev-mode server requires no further setup, and your local `vault` CLI will
-be authenticated to talk to it. This makes it easy to experiment with Vault or
-start a Vault instance for development. Every feature of Vault is available in
-"dev" mode. The `-dev` flag just short-circuits a lot of setup to insecure
-defaults.
-
-~> **Warning:** Never, ever, ever run a "dev" mode server in production.
-It is insecure and will lose data on every restart (since it stores data
-in-memory). It is only made for development or experimentation.
-
-## Properties
-
-The properties of the dev server (some can be overridden with command line
-flags or by specifying a configuration file):
-
-  * **Initialized and unsealed** - The server will be automatically initialized
-    and unsealed. You don't need to use `vault operator unseal`. It is ready
-    for use immediately.
-
-  * **In-memory storage** - All data is stored (encrypted) in-memory. Vault
-    server doesn't require any file permissions.
-
-  * **Bound to local address without TLS** - The server is listening on
-    `127.0.0.1:8200` (the default server address) _without_ TLS.
-
-  * **Automatically Authenticated** - The server stores your root access
-    token so `vault` CLI access is ready to go. If you are accessing Vault
-    via the API, you'll need to authenticate using the token printed out.
-
-  * **Single unseal key** - The server is initialized with a single unseal
-    key. The Vault is already unsealed, but if you want to experiment with
-    seal/unseal, then only the single outputted key is required.
-    
-  * **Key Value store mounted** - A v2 KV secret engine is mounted at
-    `secret/`.
-
-## Use Case
-
-The dev server should be used for experimentation with Vault features, such
-as different auth methods, secrets engines, audit devices, etc.
-If you're new to Vault, you may want to pick up with [Your First
-Secret](/intro/getting-started/first-secret.html) in
-our getting started guide.
-
-In addition to experimentation, the dev server is very easy to automate
-for development environments.
diff --git a/website/source/docs/concepts/ha.html.md b/website/source/docs/concepts/ha.html.md
deleted file mode 100644
index 4356be9b7a98..000000000000
--- a/website/source/docs/concepts/ha.html.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-layout: "docs"
-page_title: "High Availability"
-sidebar_title: "High Availability"
-sidebar_current: "docs-concepts-ha"
-description: |-
-  Vault can be highly available, allowing you to run multiple Vaults to protect against outages.
----
-
-# High Availability Mode (HA)
-
-Vault supports a multi-server mode for high availability. This mode protects
-against outages by running multiple Vault servers. High availability mode
-is automatically enabled when using a data store that supports it.
-
-You can tell if a data store supports high availability mode ("HA") by starting
-the server and seeing if "(HA available)" is output next to the data store
-information. If it is, then Vault will automatically use HA mode. This
-information is also available on the
-[Configuration](/docs/configuration/index.html) page.
-
-To be highly available, one of the Vault server nodes grabs a lock within the
-data store. The successful server node then becomes the active node; all other
-nodes become standby nodes. At this point, if the standby nodes receive a
-request, they will either forward the request or redirect the client depending
-on the current configuration and state of the cluster -- see the sections below
-for details. Due to this architecture, HA does not enable increased
-scalability. In general, the bottleneck of Vault is the data store itself, not
-Vault core. For example: to increase the scalability of Vault with Consul, you
-would generally scale Consul instead of Vault.
-
-Certain storage backends can support high availability mode, which enable them
-to store both Vault's information in addition to the HA lock. However, Vault
-also supports split data/HA mode, whereby the lock value and the rest of the
-data live separately. This can be done by specifying both the `storage` and
-`ha_storage` stanzas in the configuration file with different backends. For
-instance, a Vault cluster can be set up to use Consul as the `ha_storage` to
-manage the lock, and use Amazon S3 as the `storage` for all other persisted
-data.
-
-The sections below explain the server communication patterns and each type of
-request handling in more detail. At a minimum, the requirements for redirection
-mode must be met for an HA cluster to work successfully.
-
-## Server-to-Server Communication
-
-Both methods of request handling rely on the active node advertising
-information about itself to the other nodes. Rather than over the network, this
-communication takes place within Vault's encrypted storage; the active node
-writes this information and unsealed standby Vault nodes can read it.
-
-For the client redirection method, this is the extent of server-to-server
-communication -- no direct communication with only encrypted entries in the
-data store used to transfer state.
-
-For the request forwarding method, the servers need direct communication with
-each other. In order to perform this securely, the active node also advertises,
-via the encrypted data store entry, a newly-generated private key (ECDSA-P521)
-and a newly-generated self-signed certificate designated for client and server
-authentication. Each standby uses the private key and certificate to open a
-mutually-authenticated TLS 1.2 connection to the active node via the advertised
-cluster address. When client requests come in, the requests are serialized,
-sent over this TLS-protected communication channel, and acted upon by the
-active node. The active node then returns a response to the standby, which
-sends the response back to the requesting client.
-
-## Request Forwarding
-
-If request forwarding is enabled (turned on by default in 0.6.2), clients can
-still force the older/fallback redirection behavior (see below) if desired by
-setting the `X-Vault-No-Request-Forwarding` header to any non-empty value.
-
-Successful cluster setup requires a few configuration parameters, although some
-can be automatically determined.
-
-## Client Redirection
-
-If `X-Vault-No-Request-Forwarding` header in the request is set to a non-empty
-value, the standby nodes will redirect the client using a `307` status code to
-the *active node's* redirect address.
-
-This is also the fallback method used when request forwarding is turned off or
-there is an error performing the forwarding. As such, a redirect address is
-always required for all HA setups.
-
-Some HA data store drivers can autodetect the redirect address, but it is often
-necessary to configure it manually via a top-level value in the configuration
-file. The key for this value is `api_addr` and the value can also be specified
-by the `VAULT_API_ADDR` environment variable, which takes precedence.
-
-What the `api_addr` value should be set to depends on how Vault is set up.
-There are two common scenarios: Vault servers accessed directly by clients, and
-Vault servers accessed via a load balancer.
-
-In both cases, the `api_addr` should be a full URL including scheme
-(`http`/`https`), not simply an IP address and port.
-
-### Direct Access
-
-When clients are able to access Vault directly, the `api_addr` for each
-node should be that node's address. For instance, if there are two Vault nodes
-`A` (accessed via `https://a.vault.mycompany.com:8200`) and `B` (accessed via
-`https://b.vault.mycompany.com:8200`), node `A` would set its `api_addr`
-to `https://a.vault.mycompany.com:8200` and node `B` would set its
-`api_addr` to `https://b.vault.mycompany.com:8200`.
-
-This way, when `A` is the active node, any requests received by node `B` will
-cause it to redirect the client to node `A`'s `api_addr` at
-`https://a.vault.mycompany.com`, and vice-versa.
-
-### Behind Load Balancers
-
-Sometimes clients use load balancers as an initial method to access one of the
-Vault servers, but actually have direct access to each Vault node. In this
-case, the Vault servers should actually be set up as described in the above
-section, since for redirection purposes the clients have direct access.
-
-However, if the only access to the Vault servers is via the load balancer, the
-`api_addr` on each node should be the same: the address of the load
-balancer. Clients that reach a standby node will be redirected back to the load
-balancer; at that point hopefully the load balancer's configuration will have
-been updated to know the address of the current leader. This can cause a
-redirect loop and as such is not a recommended setup when it can be avoided.
-
-### Per-Node Cluster Listener Addresses
-
-Each `listener` block in Vault's configuration file contains an `address` value
-on which Vault listens for requests. Similarly, each `listener` block can
-contain a `cluster_address` on which Vault listens for server-to-server cluster
-requests. If this value is not set, its IP address will be automatically set to
-same as the `address` value, and its port will be automatically set to the same
-as the `address` value plus one (so by default, port `8201`).
-
-Note that *only* active nodes have active listeners. When a node becomes active
-it will start cluster listeners, and when it becomes standby it will stop them.
-
-### Per-Node Cluster Address
-
-Similar to the `api_addr`, `cluster_addr` is the value that each node, if
-active, should advertise to the standbys to use for server-to-server
-communications, and lives as a top-level value in the configuration file. On
-each node, this should be set to a host name or IP address that a standby can
-use to reach one of that node's `cluster_address` values set in the `listener`
-blocks, including port. (Note that this will always be forced to `https` since
-only TLS connections are used between servers.)
-
-This value can also be specified by the `VAULT_CLUSTER_ADDR` environment
-variable, which takes precedence.
-
-## Storage Support
-
-Currently there are several storage backends that support high availability
-mode, including Consul, ZooKeeper and etcd. These may change over time, and the
-[configuration page](/docs/configuration/index.html) should be referenced.
-
-The Consul backend is the recommended HA backend, as it is used in production
-by HashiCorp and its customers with commercial support.
-
-If you're interested in implementing another backend or adding HA support to
-another backend, we'd love your contributions. Adding HA support requires
-implementing the `physical.HABackend` interface for the storage backend.
diff --git a/website/source/docs/concepts/index.html.md b/website/source/docs/concepts/index.html.md
deleted file mode 100644
index eca8ce1cc1a3..000000000000
--- a/website/source/docs/concepts/index.html.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-layout: "docs"
-page_title: "Concepts"
-sidebar_title: "Concepts"
-sidebar_current: "docs-concepts"
-description: |-
-  Concepts that are important to understand for Vault usage.
----
-
-# Concepts
-
-This section covers some concepts that are important to understand for day to
-day Vault usage and operation. Every page in this section is recommended
-reading for anyone consuming or operating Vault.
-
-Please use the navigation to the left to learn more about a topic.
diff --git a/website/source/docs/concepts/lease.html.md b/website/source/docs/concepts/lease.html.md
deleted file mode 100644
index 658e4d32f8f3..000000000000
--- a/website/source/docs/concepts/lease.html.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-layout: "docs"
-page_title: "Lease, Renew, and Revoke"
-sidebar_title: "Lease, Renew, and Revoke"
-sidebar_current: "docs-concepts-lease"
-description: |-
-  Vault provides a lease with every secret. When this lease is expired, Vault will revoke that secret.
----
-
-# Lease, Renew, and Revoke
-
-With every dynamic secret and `service` type authentication token, Vault
-creates a _lease_: metadata containing information such as a time duration,
-renewability, and more. Vault promises that the data will be valid for the
-given duration, or Time To Live (TTL). Once the lease is expired, Vault can
-automatically revoke the data, and the consumer of the secret can no longer be
-certain that it is valid.
-
-The benefit should be clear: consumers of secrets need to check in with
-Vault routinely to either renew the lease (if allowed) or request a
-replacement secret. This makes the Vault audit logs more valuable and
-also makes key rolling a lot easier.
-
-All dynamic secrets in Vault are required to have a lease. Even if the data is
-meant to be valid for eternity, a lease is required to force the consumer
-to check in routinely.
-
-In addition to renewals, a lease can be _revoked_. When a lease is revoked, it
-invalidates that secret immediately and prevents any further renewals. For
-example, with the [AWS secrets engine](/docs/secrets/aws/index.html), the
-access keys will be deleted from AWS the moment a lease is revoked. This
-renders the access keys invalid from that point forward.
-
-Revocation can happen manually via the API, via the `vault revoke` cli command,
-or automatically by Vault. When a lease is expired, Vault will automatically
-revoke that lease. When a token is revoked, Vault will revoke all leases that
-were created using that token.
-
-**Note**: The [Key/Value Backend](/docs/secrets/kv/index.html) which stores
-arbitrary secrets does not issue leases although it will sometimes return a
-lease duration; see the documentation for more information.
-
-## Lease IDs
-
-When reading a dynamic secret, such as via `vault read`, Vault always returns a
-`lease_id`. This is the ID used with commands such as `vault renew` and `vault
-revoke` to manage the lease of the secret.
-
-## Lease Durations and Renewal
-
-Along with the lease ID, a _lease duration_ can be read. The lease duration is
-a Time To Live value: the time in seconds for which the lease is valid.  A
-consumer of this secret must renew the lease within that time.
-
-When renewing the lease, the user can request a specific amount of time they
-want remaining on the lease, termed the `increment`. This is not an increment
-at the end of the current TTL; it is an increment _from the current time_. For
-example, `vault lease renew -increment=3600 my-lease-id` would request that the TTL of the lease
-be adjusted to 1 hour (3600 seconds). Having the increment be rooted at the
-current time instead of the end of the lease makes it easy for users to reduce
-the length of leases if they don't actually need credentials for the full
-possible lease period, allowing those credentials to expire sooner and
-resources to be cleaned up earlier.
-
-The requested increment is completely advisory. The backend in charge of the
-secret can choose to completely ignore it. For most secrets, the backend does
-its best to respect the increment, but often limits it to ensure renewals every
-so often.
-
-As a result, the return value of renewals should be carefully inspected to
-determine what the new lease is.
-
-## Prefix-based Revocation
-
-In addition to revoking a single secret, operators with proper access control
-can revoke multiple secrets based on their lease ID prefix.
-
-Lease IDs are structured in a way that their prefix is always the path where
-the secret was requested from. This lets you revoke trees of secrets. For
-example, to revoke all AWS access keys, you can do `vault revoke -prefix aws/`.
-
-This is very useful if there is an intrusion within a specific system: all
-secrets of a specific backend or a certain configured backend can be revoked
-quickly and easily.
diff --git a/website/source/docs/concepts/pgp-gpg-keybase.html.md b/website/source/docs/concepts/pgp-gpg-keybase.html.md
deleted file mode 100644
index cdbc9736bf98..000000000000
--- a/website/source/docs/concepts/pgp-gpg-keybase.html.md
+++ /dev/null
@@ -1,186 +0,0 @@
----
-layout: "docs"
-page_title: "Using PGP, GPG, and Keybase"
-sidebar_title: "PGP, GPG, and Keybase"
-sidebar_current: "docs-concepts-pgp-gpg-keybase"
-description: |-
-  Vault has the ability to integrate with OpenPGP-compatible programs like GPG
-  and services like Keybase.io to provide an additional layer of security when
-  performing certain operations.  This page details the various GPG
-  integrations, their use, and operation.
----
-
-# Using PGP, GPG, and Keybase
-
-Vault has the ability to integrate with OpenPGP-compatible programs like GPG
-and services like Keybase.io to provide an additional layer of security when
-performing certain operations.  This page details the various PGP integrations,
-their use, and operation.
-
-Keybase.io support is available only in the command-line tool and not via the
-Vault HTTP API, tools that help with initialization should use the Keybase.io
-API in order to obtain the GPG keys needed for a secure initialization if you
-want them to use Keybase for keys.
-
-Once the Vault has been initialized, it is possible to use Keybase to decrypt
-the shards and unseal normally.
-
-## Initializing with PGP
-One of the early fundamental problems when bootstrapping and initializing Vault
-was that the first user (the initializer) received a plain-text copy of all of
-the unseal keys. This defeats the promises of Vault's security model, and it
-also makes the distribution of those keys more difficult. Since Vault 0.3,
-Vault can optionally be initialized using PGP keys. In this mode, Vault will
-generate the unseal keys and then immediately encrypt them using the given
-users' public PGP keys. Only the owner of the corresponding private key is then
-able to decrypt the value, revealing the plain-text unseal key.
-
-First, you must create, acquire, or import the appropriate key(s) onto the
-local machine from which you are initializing Vault. This guide will not
-attempt to cover all aspects of PGP keys but give examples using two popular
-programs: Keybase and GPG.
-
-For beginners, we suggest using [Keybase.io](https://keybase.io/) ("Keybase")
-as it can be both simpler and has a number of useful behaviors and properties
-around key management, such as verification of users' identities using a number
-of public online sources. It also exposes the ability for users to have PGP
-keys generated, stored, and managed securely on their servers. Using Vault with
-Keybase will be discussed first as it is simpler.
-
-## Initializing with Keybase
-To generate unseal keys for Keybase users, Vault accepts the `keybase:` prefix
-to the `-pgp-keys` argument:
-
-```
-$ vault operator init -key-shares=3 -key-threshold=2 \
-    -pgp-keys="keybase:jefferai,keybase:vishalnayak,keybase:sethvargo"
-```
-
-This requires far fewer steps than traditional PGP (e.g. with `gpg`) because
-Keybase handles a few of the tedious steps. The output will be the similar to
-the following:
-
-```
-Key 1: wcBMA37rwGt6FS1VAQgAk1q8XQh6yc...
-Key 2: wcBMA0wwnMXgRzYYAQgAavqbTCxZGD...
-Key 3: wcFMA2DjqDb4YhTAARAAeTFyYxPmUd...
-...
-```
-
-The output should be rather long in comparison to a regular unseal key. These
-keys are encrypted, and only the user holding the corresponding private key can
-decrypt the value. The keys are encrypted in the order in which specified in
-the `-pgp-keys` attribute. As such, the keys belong to respective Keybase
-accounts of `jefferai`, `vishalnayak`, and `sethvargo`. These keys can be
-distributed over almost any medium, although common sense and judgement are
-best advised. The encrypted keys are base64 encoded before returning.
-
-
-### Unsealing with Keybase
-As a user, the easiest way to decrypt your unseal key is with the Keybase CLI
-tool. You can download it from [Keybase.io download
-page](https://keybase.io/download). After you have downloaded and configured
-the Keybase CLI, you are now tasked with entering your unseal key. To get the
-plain-text unseal key, you must decrypt the value given to you by the
-initializer. To get the plain-text value, run the following command:
-
-```
-$ echo "wcBMA37..." | base64 --decode | keybase pgp decrypt
-```
-
-And replace `wcBMA37...` with the encrypted key.
-
-You will be prompted to enter your Keybase passphrase. The output will be the
-plain-text unseal key.
-
-```
-6ecb46277133e04b29bd0b1b05e60722dab7cdc684a0d3ee2de50ce4c38a357101
-```
-
-This is your unseal key in plain-text and should be guarded the same way you
-guard a password. Now you can enter your key to the `unseal` command:
-
-```
-$ vault operator unseal
-Key (will be hidden): ...
-```
-
-- - -
-
-## Initializing with GPG
-GPG is an open-source implementation of the OpenPGP standard and is available
-on nearly every platform. For more information, please see the [GPG
-manual](https://gnupg.org/gph/en/manual.html).
-
-To create a new PGP key, run, following the prompts:
-
-```
-$ gpg --gen-key
-```
-
-To import an existing key, download the public key onto disk and run:
-
-```
-$ gpg --import key.asc
-```
-
-Once you have imported the users' public keys, you need to save their values
-to disk as either base64 or binary key files. For example:
-
-```
-$ gpg --export 348FFC4C | base64 > seth.asc
-```
-
-These key files must exist on disk in base64 (the "standard" base64 character set,
-without ASCII armoring) or binary. Once saved to disk, the path to these files
-can be specified as an argument to the `-pgp-keys` flag.
-
-```
-$ vault operator init -key-shares=3 -key-threshold=2 \
-    -pgp-keys="jeff.asc,vishal.asc,seth.asc"
-```
-
-The result should look something like this:
-
-```
-Key 1: wcBMA37rwGt6FS1VAQgAk1q8XQh6yc...
-Key 2: wcBMA0wwnMXgRzYYAQgAavqbTCxZGD...
-Key 3: wcFMA2DjqDb4YhTAARAAeTFyYxPmUd...
-...
-```
-
-The output should be rather long in comparison to a regular unseal key. These
-keys are encrypted, and only the user holding the corresponding private key
-can decrypt the value. The keys are encrypted in the order in which specified
-in the `-pgp-keys` attribute. As such, the first key belongs to Jeff, the second
-to Vishal, and the third to Seth. These keys can be distributed over almost any
-medium, although common sense and judgement are best advised. The encrypted
-keys are base64 encoded before returning.
-
-### Unsealing with a GPG
-Assuming you have been given an unseal key that was encrypted using your public
-PGP key, you are now tasked with entering your unseal key. To get the
-plain-text unseal key, you must decrypt the value given to you by the
-initializer. To get the plain-text value, run the following command:
-
-```
-$ echo "wcBMA37..." | base64 --decode | gpg -dq
-```
-
-And replace `wcBMA37...` with the encrypted key.
-
-If you encrypted your private PGP key with a passphrase, you may be prompted to
-enter it.  After you enter your password, the output will be the plain-text
-key:
-
-```
-6ecb46277133e04b29bd0b1b05e60722dab7cdc684a0d3ee2de50ce4c38a357101
-```
-
-This is your unseal key in plain-text and should be guarded the same way you
-guard a password. Now you can enter your key to the `unseal` command:
-
-```
-$ vault operator unseal
-Key (will be hidden): ...
-```
diff --git a/website/source/docs/concepts/policies.html.md b/website/source/docs/concepts/policies.html.md
deleted file mode 100644
index 6a87f5fd8aa3..000000000000
--- a/website/source/docs/concepts/policies.html.md
+++ /dev/null
@@ -1,692 +0,0 @@
----
-layout: "docs"
-page_title: "Policies"
-sidebar_title: "Policies"
-sidebar_current: "docs-concepts-policies"
-description: |-
-  Policies are how authorization is done in Vault, allowing you to restrict which parts of Vault a user can access.
----
-
-# Policies
-
-Everything in Vault is path based, and policies are no exception. Policies
-provide a declarative way to grant or forbid access to certain paths and
-operations in Vault. This section discusses policy workflows and syntaxes.
-
-Policies are **deny by default**, so an empty policy grants no permission in the
-system.
-
-## Policy-Authorization Workflow
-
-Before a human or machine can gain access, an administrator must configure Vault
-with an [auth method](/docs/concepts/auth.html). Authentication is
-the process by which human or machine-supplied information is verified against
-an internal or external system.
-
-Consider the following diagram, which illustrates the steps a security team
-would take to configure Vault to authenticate using a corporate LDAP or
-ActiveDirectory installation. Even though this example uses LDAP, the concept
-applies to all auth methods.
-
-[![Vault Auth Workflow](/img/vault-policy-workflow.svg)](/img/vault-policy-workflow.svg)
-
-1. The security team configures Vault to connect to an auth method.
-This configuration varies by auth method. In the case of LDAP, Vault
-needs to know the address of the LDAP server and whether to connect using TLS.
-It is important to note that Vault does not store a copy of the LDAP database -
-Vault will delegate the authentication to the auth method.
-
-1. The security team authors a policy (or uses an existing policy) which grants
-access to paths in Vault. Policies are written in HCL in your editor of
-preference and saved to disk.
-
-1. The policy's contents are uploaded and stored in Vault and referenced by name.
-You can think of the policy's name as a pointer or symlink to its set of rules.
-
-1. Most importantly, the security team maps data in the auth method to a policy.
-For example, the security team might create mappings like:
-
-    > Members of the OU group "dev" map to the Vault policy named "readonly-dev".
-
-    or
-
-    > Members of the OU group "ops" map to the Vault policies "admin" and "auditor".
-
-Now Vault has an internal mapping between a backend authentication system and
-internal policy. When a user authenticates to Vault, the actual authentication
-is delegated to the auth method. As a user, the flow looks like:
-
-[![Vault Auth Workflow](/img/vault-auth-workflow.svg)](/img/vault-auth-workflow.svg)
-
-1. A user attempts to authenticate to Vault using their LDAP credentials,
-providing Vault with their LDAP username and password.
-
-1. Vault establishes a connection to LDAP and asks the LDAP server to verify the
-given credentials. Assuming this is successful, the LDAP server returns the
-information about the user, including the OU groups.
-
-1. Vault maps the result from the LDAP server to policies inside Vault using the
-mapping configured by the security team in the previous section. Vault then
-generates a token and attaches the matching policies.
-
-1. Vault returns the token to the user. This token has the correct policies
-assigned, as dictated by the mapping configuration that was setup by the
-security team in advance.
-
-The user then uses this Vault token for future operations. If the user performs
-the authentication steps again, they will get a _new_ token. The token will have
-the same permissions, but the actual token will be different. Authenticating a
-second time does not invalidate the original token.
-
-## Policy Syntax
-
-Policies are written in [HCL][hcl] or JSON and describe which paths in Vault a
-user or machine is allowed to access.
-
-[hcl]: https://github.com/hashicorp/hcl
-
-Here is a very simple policy which grants read capabilities to the path
-"secret/foo":
-
-```ruby
-path "secret/foo" {
-  capabilities = ["read"]
-}
-```
-
-When this policy is assigned to a token, the token can read from `"secret/foo"`.
-However, the token cannot update or delete `"secret/foo"`, since the
-capabilities do not allow it. Because policies are **deny by default**, the
-token would have no other access in Vault.
-
-Here is a more detailed policy, and it is documented inline:
-
-```ruby
-# This section grants all access on "secret/*". Further restrictions can be
-# applied to this broad policy, as shown below.
-path "secret/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-
-# Even though we allowed secret/*, this line explicitly denies
-# secret/super-secret. This takes precedence.
-path "secret/super-secret" {
-  capabilities = ["deny"]
-}
-
-# Policies can also specify allowed, disallowed, and required parameters. Here
-# the key "secret/restricted" can only contain "foo" (any value) and "bar" (one
-# of "zip" or "zap").
-path "secret/restricted" {
-  capabilities = ["create"]
-  allowed_parameters = {
-    "foo" = []
-    "bar" = ["zip", "zap"]
-  }
-}
-```
-
-Policies use path-based matching to test the set of capabilities against a
-request. A policy `path` may specify an exact path to match, or it could specify
-a glob pattern which instructs Vault to use a prefix match:
-
-```ruby
-# Permit reading only "secret/foo". An attached token cannot read "secret/food"
-# or "secret/foo/bar".
-path "secret/foo" {
-  capabilities = ["read"]  
-}
-
-# Permit reading everything under "secret/bar". An attached token could read
-# "secret/bar/zip", "secret/bar/zip/zap", but not "secret/bars/zip".
-path "secret/bar/*" {
-  capabilities = ["read"]
-}
-
-# Permit reading everything prefixed with "zip-". An attached token could read
-# "secret/zip-zap" or "secret/zip-zap/zong", but not "secret/zip/zap
-path "secret/zip-*" {
-  capabilities = ["read"]
-}
-```
-
-In addition, a `+` can be used to denote any number of characters bounded
-within a single path segment (this appeared in Vault 1.1):
-
-```ruby
-# Permit reading the "teamb" path under any top-level path under secret/
-path "secret/+/teamb" {
-  capabilities = ["read"]
-}
-
-# Permit reading secret/foo/bar/teamb, secret/bar/foo/teamb, etc.
-path "secret/+/+/teamb" {
-  capabilities = ["read"]
-}
-```
-
-Vault's architecture is similar to a filesystem. Every action in Vault has a
-corresponding path and capability - even Vault's internal core configuration
-endpoints live under the "sys/" path. Policies define access to these paths and
-capabilities, which controls a token's access to credentials in Vault.
-
-~> Policy paths are matched using the **most specific path match**. This may be
-an exact match or the longest-prefix match of a glob. This means if you define a
-policy for `"secret/foo*"`, the policy would also match `"secret/foobar"`.
-
-!> The glob character referred to in this documentation is the asterisk (`*`). It *is not a regular expression* and is only supported **as the last character of the path**!
-
-When providing `list` capability, it is important to note that since listing
-always operates on a prefix, policies must operate on a prefix because Vault
-will sanitize request paths to be prefixes. In other words, policy paths
-targeting `list` capability should end with a trailing slash:
-
-```ruby
-path "secret/foo" {
-  capabilities = ["read"]
-}
-
-path "secret/foo/" {
-  capabilities = ["list"]
-}
-```
-
-### Capabilities
-
-Each path must define one or more capabilities which provide fine-grained
-control over permitted (or denied) operations. As shown in the examples above,
-capabilities are always specified as a list of strings, even if there is only
-one capability. The list of capabilities are:
-
-~> In the list below, the associated HTTP verbs are shown in parenthesis next to
-the capability. When authoring policy, it is usually helpful to look at the HTTP
-API documentation for the paths and HTTP verbs and map them back onto
-capabilities. While the mapping is not strictly 1:1, they are often very
-similarly matched.
-
-  * `create` (`POST/PUT`) - Allows creating data at the given path. Very few
-    parts of Vault distinguish between `create` and `update`, so most operations
-    require both `create` and  `update` capabilities. Parts of Vault that
-    provide such a distinction are noted in documentation.
-
-  * `read` (`GET`) - Allows reading the data at the given path.
-
-  * `update` (`POST/PUT`) - Allows changing the data at the given path. In most
-    parts of Vault, this implicitly includes the ability to create the initial
-    value at the path.
-
-  * `delete` (`DELETE`) - Allows deleting the data at the given path.
-
-  * `list` (`LIST`) - Allows listing values at the given path. Note that the
-    keys returned by a `list` operation are *not* filtered by policies. Do not
-    encode sensitive information in key names. Not all backends support listing.
-
-In addition to the standard set, there are some capabilities that do not map to
-HTTP verbs.
-
-  * `sudo` - Allows access to paths that are _root-protected_. Tokens are not
-    permitted to interact with these paths unless they are have the `sudo`
-    capability (in addition to the other necessary capabilities for performing
-    an operation against that path, such as `read` or `delete`).
-
-    For example, modifying the audit log backends requires a token with `sudo`
-    privileges.
-
-  * `deny` - Disallows access. This always takes precedence regardless of any
-    other defined capabilities, including `sudo`.
-
-~> Note that capabilities usually map to the HTTP verb, not the underlying
-action taken. This can be a common source of confusion. Generating database
-credentials _creates_ database credentials, but the HTTP request is a GET which
-corresponds to a `read` capability. Thus, to grant access to generate database
-credentials, the policy would grant `read` access on the appropriate path.
-
-## Templated Policies
-
-The policy syntax allows for doing variable replacement in some policy strings
-with values available to the token. Currently `identity` information can be
-injected, and currently the `path` keys in policies allow injection.
-
-### Parameters
-
-|                                    Name                                |                                    Description                               |
-| :--------------------------------------------------------------------- | :--------------------------------------------------------------------------- |
-| `identity.entity.id`                                                   | The entity's ID                                                              |
-| `identity.entity.name`                                                 | The entity's name                                                            |
-| `identity.entity.metadata.<<metadata key>>`                            | Metadata associated with the entity for the given key                        |
-| `identity.entity.aliases.<<mount accessor>>.id`                        | Entity alias ID for the given mount                                          |
-| `identity.entity.aliases.<<mount accessor>>.name`                      | Entity alias name for the given mount                                        |
-| `identity.entity.aliases.<<mount accessor>>.metadata.<<metadata key>>` | Metadata associated with the alias for the given mount and metadata key      |
-| `identity.groups.ids.<<group id>>.name`                                | The group name for the given group ID                                        |
-| `identity.groups.names.<<group name>>.id`                              | The group ID for the given group name                                        |
-| `identity.groups.ids.<<group id>>.metadata.<<metadata key>>`           | Metadata associated with the group for the given key                                        |
-| `identity.groups.names.<<group name>>.metadata.<<metadata key>>`       | Metadata associated with the group for the given key                                        |
-
-### Examples
-
-The following policy creates a section of the KVv2 Secret Engine to a specific user
-
-```ruby
-path "secret/data/{{identity.entity.id}}/*" {
-  capabilities = ["create", "update", "read", "delete"]
-}
-
-path "secret/metadata/{{identity.entity.id}}/*" {
-  capabilities = ["list"]
-}
-```
-
-If you wanted to create a shared section of KV that is associated with entities that are in a
-group.
-
-```ruby
-# In the example below, the group ID maps a group and the path
-path "secret/data/groups/{{identity.groups.ids.fb036ebc-2f62-4124-9503-42aa7A869741.name}}/*" {
-  capabilities = ["create", "update", "read", "delete"]
-}
-
-path "secret/metadata/groups/{{identity.groups.ids.fb036ebc-2f62-4124-9503-42aa7A869741.name}}/*" {
-  capabilities = ["list"]
-}
-```
-
- ~> When developing templated policies, use IDs wherever possible. Each ID is
- unique to the user, whereas names can change over time and can be reused. This
- ensures that if a given user or group name is changed, the policy will be
- mapped to the intended entity or group.
-
-## Fine-Grained Control
-
-In addition to the standard set of capabilities, Vault offers finer-grained
-control over permissions at a given path. The capabilities associated with a
-path take precedence over permissions on parameters.
-
-### Parameter Constraints
-
-In Vault, data is represented as `key=value` pairs. Vault policies can
-optionally further restrict paths based on the keys and data at those keys when
-evaluating the permissions for a path. The optional finer-grained control
-options are:
-
-  * `required_parameters` - A list of parameters that must be specified.
-
-      ```ruby
-      # This requires the user to create "secret/foo" with a parameter named
-      # "bar" and "baz".
-      path "secret/foo" {
-        capabilities = ["create"]
-        required_parameters = ["bar", "baz"]
-      }
-      ```
-
-  * `allowed_parameters` - Whitelists a list of keys and values that are
-    permitted on the given path.
-
-    * Setting a parameter with a value of the empty list allows the parameter to
-      contain any value.
-
-        ```ruby
-        # This allows the user to create "secret/foo" with a parameter named
-        # "bar". It cannot contain any other parameters, but "bar" can contain
-        # any value.
-        path "secret/foo" {
-          capabilities = ["create"]
-          allowed_parameters = {
-            "bar" = []
-          }
-        }
-        ```
-
-    * Setting a parameter with a value of a populated list allows the parameter
-      to contain only those values.
-
-        ```ruby
-        # This allows the user to create "secret/foo" with a parameter named
-        # "bar". It cannot contain any other parameters, and "bar" can only
-        # contain the values "zip" or "zap".
-        path "secret/foo" {
-          capabilities = ["create"]
-          allowed_parameters = {
-            "bar" = ["zip", "zap"]
-          }
-        }
-        ```
-
-    * If any keys are specified, all non-specified parameters will be denied
-      unless the parameter `"*"` is set to an empty array, which will
-      allow all other parameters to be modified. Parameters with specific values
-      will still be restricted to those values.
-
-        ```ruby
-        # This allows the user to create "secret/foo" with a parameter named
-        # "bar". The parameter "bar" can only contain the values "zip" or "zap",
-        # but any other parameters may be created with any value.
-        path "secret/foo" {
-          capabilities = ["create"]
-          allowed_parameters = {
-            "bar" = ["zip", "zap"]
-            "*"   = []
-          }
-        }
-        ```
-
-  * `denied_parameters` - Blacklists a list of parameter and values. Any values
-    specified here take precedence over `allowed_parameters`.
-
-    * Setting a parameter with a value of the empty list denies any changes to
-      that parameter.
-
-        ```ruby
-        # This allows the user to create "secret/foo" with any parameters not
-        # named "bar".
-        path "secret/foo" {
-          capabilities = ["create"]
-          denied_parameters = {
-            "bar" = []
-          }
-        }
-        ```
-
-    * Setting a parameter with a value of a populated list denies any parameter
-      containing those values.
-
-        ```ruby
-        # This allows the user to create "secret/foo" with a parameter named
-        # "bar". It can contain any other parameters, but "bar" cannot contain
-        # the values "zip" or "zap".
-        path "secret/foo" {
-          capabilities = ["create"]
-          denied_parameters = {
-            "bar" = ["zip", "zap"]
-          }
-        }
-        ```
-
-    * Setting to `"*"` will deny any parameter.
-
-        ```ruby
-        # This allows the user to create "secret/foo", but it cannot have any
-        # parameters.
-        path "secret/foo" {
-          capabilities = ["create"]
-          denied_parameters = {
-            "*" = []
-          }
-        }
-        ```
-
-    * If any parameters are specified, all non-specified parameters are allowed,
-      unless `allowed_parameters` is also set, in which case normal rules apply.
-
-Parameter values also support prefix/suffix globbing. Globbing is enabled by
-prepending or appending or prepending a splat (`*`) to the value:
-
-```ruby
-# Only allow a parameter named "bar" with a value starting with "foo-*".
-path "secret/foo" {
-  capabilities = ["create"]
-  allowed_parameters = {
-    "bar" = ["foo-*"]
-  }
-}
-```
-
-Note: the only value that can be used with the `*` parameter is `[]`.
-
-
-### Required Response Wrapping TTLs
-
-These parameters can be used to set minimums/maximums on TTLs set by clients
-when requesting that a response be
-[wrapped](/docs/concepts/response-wrapping.html), with a granularity of a
-second. These can either be specified as a number of seconds or a string with a
-`s`, `m`, or `h` suffix indicating seconds, minutes, and hours respectively.
-
-In practice, setting a minimum TTL of one second effectively makes response
-wrapping mandatory for a particular path.
-
-  * `min_wrapping_ttl` - The minimum allowed TTL that clients can specify for a
-    wrapped response. In practice, setting a minimum TTL of one second
-    effectively makes response wrapping mandatory for a particular path. It can
-    also be used to ensure that the TTL is not too low, leading to end targets
-    being unable to unwrap before the token expires.
-
-  * `max_wrapping_ttl` - The maximum allowed TTL that clients can specify for a
-    wrapped response.
-
-```ruby
-# This effectively makes response wrapping mandatory for this path by setting min_wrapping_ttl to 1 second.
-# This also sets this path's wrapped response maximum allowed TTL to 90 seconds.
-path "auth/approle/role/my-role/secret-id" {
-    capabilities = ["create", "update"]
-    min_wrapping_ttl = "1s"
-    max_wrapping_ttl = "90s"
-}
-```
-
-If both are specified, the minimum value must be less than the maximum. In
-addition, if paths are merged from different stanzas, the lowest value
-specified for each is the value that will result, in line with the idea of
-keeping token lifetimes as short as possible.
-
-## Builtin Policies
-
-Vault has two built-in policies: `default` and `root`. This section describes
-the two builtin policies.
-
-### Default Policy
-
-The `default` policy is a builtin Vault policy that cannot be removed. By
-default, it is attached to all tokens, but may be explicitly excluded at token
-creation time by supporting authentication methods.
-
-The policy contains basic functionality such as the ability for the token to
-look up data about itself and to use its cubbyhole data. However, Vault is not
-proscriptive about its contents. It can be modified to suit your needs; Vault
-will never overwrite your modifications. If you want to stay up-to-date with
-the latest upstream version of the `default` policy, simply read the contents
-of the policy from an up-to-date `dev` server, and write those contents into
-your Vault's `default` policy.
-
-To view all permissions granted by the default policy on your Vault
-installation, run:
-
-```sh
-$ vault read sys/policy/default
-```
-
-To disable attachment of the default policy:
-
-```sh
-$ vault token create -no-default-policy
-```
-
-or via the API:
-
-```sh
-$ curl \
-  --request POST \
-  --header "X-Vault-Token: ..." \
-  --data '{"no_default_policy": "true"}' \
-  https://vault.hashicorp.rocks/v1/auth/token/create
-```
-
-### Root Policy
-
-The `root` policy is a builtin Vault policy that can not be modified or removed.
-Any user associated with this policy becomes a root user. A root user can do
-_anything_ within Vault. As such, it is **highly recommended** that you revoke
-any root tokens before running Vault in production.
-
-When a Vault server is first initialized, there always exists one root user.
-This user is used to do the initial configuration and setup of Vault. After
-configured, the initial root token should be revoked and more strictly
-controlled users and authentication should be used.
-
-To revoke a root token, run:
-
-```sh
-$ vault token revoke "<token>"
-```
-
-or via the API:
-
-```sh
-$ curl \
-  --request POST \
-  --header "X-Vault-Token: ..." \
-  --data '{"token": "<token>"}' \
-  https://vault.hashicorp.rocks/v1/auth/token/revoke
-```
-
-For more information, please read:
-
-- [Production Hardening](/guides/operations/production.html)
-- [Generating a Root Token](/guides/operations/generate-root.html)
-
-## Managing Policies
-
-Policies are authored (written) in your editor of choice. They can be authored
-in HCL or JSON, and the syntax is described in detail above. Once saved,
-policies must be uploaded to Vault before they can be used.
-
-### Listing Policies
-
-To list all registered policies in Vault:
-
-```sh
-$ vault read sys/policy
-```
-
-or via the API:
-
-```sh
-$ curl \
-  --header "X-Vault-Token: ..." \
-  https://vault.hashicorp.rocks/v1/sys/policy
-```
-
-~> You may also see the CLI command `vault policies`. This is a convenience
-wrapper around reading the sys endpoint directly. It provides the same
-functionality but formats the output in a special manner.
-
-### Creating Policies
-
-Policies may be created (uploaded) via the CLI or via the API. To create a new
-policy in Vault:
-
-```sh
-$ vault policy write policy-name policy-file.hcl
-```
-
-or via the API:
-
-```sh
-$ curl \
-  --request POST \
-  --header "X-Vault-Token: ..." \
-  --data '{"policy":"path \"...\" {...} "}' \
-  https://vault.hashicorp.rocks/v1/sys/policy/policy-name
-```
-
-In both examples, the name of the policy is "policy-name". You can think of this
-name as a pointer or symlink to the policy ACLs. Tokens are attached policies by
-name, which are then mapped to the set of rules corresponding to that name.
-
-### Updating Policies
-
-Existing policies may be updated to change permissions via the CLI or via the
-API. To update an existing policy in Vault, follow the same steps as creating a
-policy, but use an existing policy name:
-
-```sh
-$ vault write sys/policy/my-existing-policy policy=@updated-policy.json
-```
-
-or via the API:
-
-```sh
-$ curl \
-  --request POST \
-  --header "X-Vault-Token: ..." \
-  --data '{"policy":"path \"...\" {...} "}' \
-  https://vault.hashicorp.rocks/v1/sys/policy/my-existing-policy
-```
-
-### Deleting Policies
-
-Existing policies may be deleted via the CLI or API. To delete a policy:
-
-```sh
-$ vault delete sys/policy/policy-name
-```
-
-or via the API:
-
-```sh
-$ curl \
-  --request DELETE \
-  --header "X-Vault-Token: ..." \
-  https://vault.hashicorp.rocks/v1/sys/policy/policy-name
-```
-
-This is an idempotent operation. Vault will not return an error when deleting a
-policy that does not exist.
-
-## Associating Policies
-
-Vault can automatically associate a set of policies to a token based on an
-authorization. This configuration varies significantly between authentication
-backends. For simplicity, this example will use Vault's built-in userpass
-auth method.
-
-A Vault administrator or someone from the security team would create the user in
-Vault with a list of associated policies:
-
-```sh
-$ vault write auth/userpass/users/sethvargo \
-    password="s3cr3t!" \
-    policies="dev-readonly,logs"
-```
-
-This creates an authentication mapping to the policy such that, when the user
-authenticates successfully to Vault, they will be given a token which has the list
-of policies attached.
-
-The user wishing to authenticate would run
-
-```sh
-$ vault login -method="userpass" username="sethvargo"
-Password (will be hidden): ...
-```
-
-If the provided information is correct, Vault will generate a token, assign the
-list of configured policies to the token, and return that token to the
-authenticated user.
-
-### Tokens
-
-Tokens are associated with their policies at creation time. For example:
-
-```sh
-$ vault token create -policy=dev-readonly -policy=logs
-```
-
-Child tokens can be associated with a subset of a parent's policies. Root users
-can assign any policies.
-
-There is no way to modify the policies associated with a token once the token
-has been issued. The token must be revoked and a new one acquired to receive a
-new set of policies.
-
-However, the _contents_ of policies are parsed in real-time whenever the token is used.
-As a result, if a policy is modified, the modified rules will be in force the
-next time a token, with that policy attached, is used to make a call to Vault.
-
-
-## Learn
-
-Refer to the following tutorials for further learning:
-
-- [Vault Policies](https://learn.hashicorp.com/vault/identity-access-management/iam-policies)
-- [ACL Policy Path Templating](https://learn.hashicorp.com/vault/identity-access-management/policy-templating)
diff --git a/website/source/docs/concepts/recovery-mode.html.md b/website/source/docs/concepts/recovery-mode.html.md
deleted file mode 100644
index 0df852ce2723..000000000000
--- a/website/source/docs/concepts/recovery-mode.html.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-layout: "docs"
-page_title: "Recovery Mode"
-sidebar_title: "Recovery Mode"
-sidebar_current: "docs-concepts-recovery-mode"
-description: |-
-  Recovery mode allows for doing surgery on a Vault that won't start.
----
-
-# Recovery Mode
-
-Vault can be started using the `-recovery` flag to bring it up in Recovery Mode.
-
-In recovery mode, Vault:
-- is automatically unsealed once a recovery token is issued
-- apart from recovery token operations, only supports the `sys/raw` endpoint
-- `raw` requests must be authenticated using a recovery token
-- won't form clusters or handle requests forwarded by standbys
-
-## Recovery tokens
-
-Recovery tokens are issued in much the same way as root tokens are generated:
-the API is basically the same, only using a different endpoint. Unlike root
-tokens, the recovery token is not persisted, so if Vault is restarted into
-recovery mode a new one must be generated.
-
-Only a single recovery token can be generated. If lost, restart Vault and
-generate a new one.
-
-## Raw requests
-
-Requests can be issued to `sys/raw` in just the same way as in regular Vault
-server mode.  The only difference is that in recovery mode, `X-Vault-Token`
-must contain a recovery token instead of a service or batch token.
-
-## Raft rejoin
-
-Raft integrated storage is the immediate motivation for recovery mode.  With
-other backends it was always possible to delete data directly from a storage
-backend, but that's impractical with a Raft backend.  That said, recovery mode
-works with any backend.
-
-In order to bring the Vault server up reliably, using any node's raft data,
-recovery mode Vault automatically resizes the cluster to size 1.  This means
-that after having used recovery mode, part of the procedure for returning to
-active service must include rejoining the raft cluster.
-
-
diff --git a/website/source/docs/concepts/response-wrapping.html.md b/website/source/docs/concepts/response-wrapping.html.md
deleted file mode 100644
index f3added98017..000000000000
--- a/website/source/docs/concepts/response-wrapping.html.md
+++ /dev/null
@@ -1,175 +0,0 @@
----
-layout: "docs"
-page_title: "Response Wrapping"
-sidebar_title: "Response Wrapping"
-sidebar_current: "docs-concepts-response-wrapping"
-description: |-
-  Wrapping responses in cubbyholes for secure distribution.
----
-
-# Response Wrapping
-
-_Note_: Some of this information relies on features of response-wrapping tokens
-introduced in Vault 0.8 and may not be available in earlier releases.
-
-## Overview
-
-In many Vault deployments, clients can access Vault directly and consume
-returned secrets. In other situations, it may make sense to or be desired to
-separate privileges such that one trusted entity is responsible for interacting
-with most of the Vault API and passing secrets to the end consumer.
-
-However, the more relays a secret travels through, the more possibilities for
-accidental disclosure, especially if the secret is being transmitted in
-plaintext. For instance, you may wish to get a TLS private key to a machine
-that has been cold-booted, but since you do not want to store a decryption key
-in persistent storage, you cannot encrypt this key in transit.
-
-To help address this problem, Vault includes a feature called _response
-wrapping_. When requested, Vault can take the response it would have sent to an
-HTTP client and instead insert it into the
-[`cubbyhole`](/docs/secrets/cubbyhole/index.html) of a single-use token,
-returning that single-use token instead. Logically speaking, the response is
-wrapped by the token, and retrieving it requires an unwrap operation against
-this token.
-
-This provides a powerful mechanism for information sharing in many
-environments. In the types of scenarios, described above, often the best
-practical option is to provide _cover_ for the secret information, be able to
-_detect malfeasance_ (interception, tampering), and limit _lifetime_ of the
-secret's exposure. Response wrapping performs all three of these duties:
-
- * It provides _cover_ by ensuring that the value being transmitted across the
-   wire is not the actual secret but a reference to such a secret, namely the
-   response-wrapping token. Information stored in logs or captured along the
-   way do not directly see the sensitive information.
- * It provides _malfeasance detection_ by ensuring that only a single party can
-   ever unwrap the token and see what's inside. A client receiving a token that
-   cannot be unwrapped can trigger an immediate security incident. In addition,
-   a client can inspect a given token before unwrapping to ensure that its
-   origin is from the expected location in Vault.
- * It _limits the lifetime_ of secret exposure because the response-wrapping
-   token has a lifetime that is separate from the wrapped secret (and often can
-   be much shorter), so if a client fails to come up and unwrap the token, the
-   token can expire very quickly.
-
-## Response-Wrapping Tokens
-
-When a response is wrapped, the normal API response from Vault does not contain
-the original secret, but rather contains a set of information related to the
-response-wrapping token:
-
- * TTL: The TTL of the response-wrapping token itself
- * Token: The actual token value
- * Creation Time: The time that the response-wrapping token was created
- * Creation Path: The API path that was called in the original request
- * Wrapped Accessor: If the wrapped response is an authentication response
-   containing a Vault token, this is the value of the wrapped token's accessor.
-   This is useful for orchestration systems (such as Nomad) to able to control
-   the lifetime of secrets based on their knowledge of the lifetime of jobs,
-   without having to actually unwrap the response-wrapping token or gain
-   knowledge of the token ID inside.
-
-Vault currently does not provide signed response-wrapping tokens, as it
-provides little extra protection. If you are being pointed to the correct Vault
-server, token validation is performed by interacting with the server itself; a
-signed token does not remove the need to validate the token with the server,
-since the token is not carrying data but merely an access mechanism and the
-server will not release data without validating it. If you are being attacked
-and pointed to the wrong Vault server, the same attacker could trivially give
-you the wrong signing public key that corresponds to the wrong Vault server.
-You could cache a previously valid key, but could also cache a previously valid
-address (and in most cases the Vault address will not change or will be set via
-a service discovery mechanism). As such, we rely on the fact that the token
-itself is not carrying authoritative data and do not sign it.
-
-## Response-Wrapping Token Operations
-
-Via the `sys/wrapping` path, several operations can be run against wrapping
-tokens:
-
- * Lookup (`sys/wrapping/lookup`): This allows fetching the response-wrapping
-   token's creation time, creation path, and TTL. This path is unauthenticated
-   and available to response-wrapping tokens themselves. In other words, a
-   response-wrapping token holder wishing to perform validation is always
-   allowed to look up the properties of the token.
- * Unwrap (`sys/wrapping/unwrap`): Unwrap the token, returning the response
-   inside. The response that is returned will be the original wire-format
-   response; it can be used directly with API clients.
- * Rewrap (`sys/wrapping/rewrap`): Allows migrating the wrapped data to a new
-   response-wrapping token. This can be useful for long-lived secrets. For
-   example, an organization may wish (or be required in a compliance scenario)
-   to have the `pki` backend's root CA key be returned in a long-lived
-   response-wrapping token to ensure that nobody has seen the key (easily
-   verified by performing lookups on the response-wrapping token) but available
-   for signing CRLs in case they ever accidentally change or lose the `pki`
-   mount.  Often, compliance schemes require periodic rotation of secrets, so
-   this helps achieve that compliance goal without actually exposing what's
-   inside.
- * Wrap (`sys/wrapping/wrap`): A helper endpoint that echoes back the data sent
-   to it in a response-wrapping token. Note that blocking access to this
-   endpoint does not remove the ability for arbitrary data to be wrapped, as it
-   can be done elsewhere in Vault.
-
-## Response-Wrapping Token Creation
-
-Response wrapping is per-request and is triggered by providing to Vault the
-desired TTL for a response-wrapping token for that request. This is set by the
-client using the `X-Vault-Wrap-TTL` header and can be either an integer number
-of seconds or a string duration of seconds (`15s`), minutes (`20m`), or hours
-(`25h`). When using the Vault CLI, you can set this via the `-wrap-ttl`
-parameter. When using the Go API, wrapping is triggered by [setting a helper
-function](https://godoc.org/github.com/hashicorp/vault/api#Client.SetWrappingLookupFunc)
-that tells the API the conditions under which to request wrapping, by mapping
-an operation and path to a desired TTL.
-
-If a client requests wrapping:
-
-1. The original HTTP response is serialized
-2. A new single-use token is generated with the TTL supplied by the client
-3. Internally, the original serialized response is stored in the single-use
-   token's cubbyhole
-4. A new response is generated, with the token ID, TTL, and path stored in the
-   new response's wrap information object
-5. The new response is returned to the caller
-
-Note that policies can control minimum/maximum wrapping TTLs; see the [policies
-concepts page](https://www.vaultproject.io/docs/concepts/policies.html) for
-more information.
-
-## Response-Wrapping Token Validation
-
-Proper validation of response-wrapping tokens is essential to ensure that any
-malfeasance is detected. It's also pretty straightforward.
-
-Validation is best performed by the following steps:
-
-1. If a client has been expecting delivery of a response-wrapping token and
-   none arrives, this may be due to an attacker intercepting the token and then
-   preventing it from traveling further. This should cause an alert to trigger
-   an immediate investigation.
-2. Perform a lookup on the response-wrapping token. This immediately tells you
-   if the token has already been unwrapped or is expired (or otherwise
-   revoked). If the lookup indicates that a token is invalid, it does not
-   necessarily mean that the data was intercepted (for instance, perhaps the
-   client took a long time to start up and the TTL expired) but should trigger
-   an alert for immediate investigation, likely with the assistance of Vault's
-   audit logs to see if the token really was unwrapped.
-3. With the token information in hand, validate that the creation path matches
-   expectations. If you expect to find a TLS key/certificate inside, chances
-   are the path should be something like `pki/issue/...`. If the path is not
-   what you expect, it is possible that the data contained inside was read and
-   then put into a new response-wrapping token. (This is especially likely if
-   the path starts with `cubbyhole` or `sys/wrapping/wrap`.) Particular care
-   should be taken with `kv` secrets engine: exact matches on the path are best
-   there.  For example, if you expect a secret to come from `secret/foo` and
-   the interceptor provides a token with `secret/bar` as the path, simply
-   checking for a prefix of `secret/` is not enough.
-4. After prefix validation, unwrap the token. If the unwrap fails, the response
-   is similar to if the initial lookup fails: trigger an alert for immediate
-   investigation.
-
-Following those steps provides very strong assurance that the data contained
-within the response-wrapping token has never been seen by anyone other than the
-intended client and that any interception or tampering has resulted in a
-security alert.
diff --git a/website/source/docs/concepts/seal.html.md b/website/source/docs/concepts/seal.html.md
deleted file mode 100644
index 88f77b3192e0..000000000000
--- a/website/source/docs/concepts/seal.html.md
+++ /dev/null
@@ -1,128 +0,0 @@
----
-layout: "docs"
-page_title: "Seal/Unseal"
-sidebar_title: "Seal/Unseal"
-sidebar_current: "docs-concepts-seal"
-description: |-
-  A Vault must be unsealed before it can access its data. Likewise, it can be sealed to lock it down.
----
-
-# Seal/Unseal
-
-When a Vault server is started, it starts in a _sealed_ state. In this
-state, Vault is configured to know where and how to access the physical
-storage, but doesn't know how to decrypt any of it.
-
-_Unsealing_ is the process of constructing the master key necessary to
-read the decryption key to decrypt the data, allowing access to the Vault.
-
-Prior to unsealing, almost no operations are possible with Vault. For
-example authentication, managing the mount tables, etc. are all not possible.
-The only possible operations are to unseal the Vault and check the status
-of the unseal.
-
-## Why?
-
-The data stored by Vault is stored encrypted. Vault needs the
-_encryption key_ in order to decrypt the data. The encryption key is
-also stored with the data, but encrypted with another encryption key
-known as the _master key_. The master key isn't stored anywhere.
-
-Therefore, to decrypt the data, Vault must decrypt the encryption key
-which requires the master key. Unsealing is the process of reconstructing
-this master key.
-
-Instead of distributing this master key as a single key to an operator,
-Vault uses an algorithm known as
-[Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing)
-to split the key into shards. A certain threshold of shards is required to
-reconstruct the master key.
-
-This is the _unseal_ process: the shards are added one at a time (in any
-order) until enough shards are present to reconstruct the key and
-decrypt the data.
-
-## Unsealing
-
-The unseal process is done by running `vault operator unseal` or via the API.
-This process is stateful: each key can be entered via multiple mechanisms
-on multiple computers and it will work. This allows each shard of the master
-key to be on a distinct machine for better security.
-
-Once a Vault is unsealed, it remains unsealed until one of two things happens:
-
-  1. It is resealed via the API (see below).
-
-  2. The server is restarted.
-
--> **Note:** Unsealing makes the process of automating a Vault install
-difficult. Automated tools can easily install, configure, and start Vault,
-but unsealing it is a very manual process. We have plans in the future to
-make it easier. For the time being, the best method is to manually unseal
-multiple Vault servers in [HA mode](/docs/concepts/ha.html). Use a tool such
-as Consul to make sure you only query Vault servers that are unsealed.
-
-## Sealing
-
-There is also an API to seal the Vault. This will throw away the master
-key and require another unseal process to restore it. Sealing only requires
-a single operator with root privileges.
-
-This way, if there is a detected intrusion, the Vault data can be locked
-quickly to try to minimize damages. It can't be accessed again without
-access to the master key shards.
-
-## Auto Unseal
-
-Auto Unseal was developed to aid in reducing the operational complexity of
-keeping the master key secure. This feature delegates the responsibility of
-securing the master key from users to a trusted device or service. Instead of
-only constructing the key in memory, the master key is encrypted with one of
-these services or devices and then stored in the storage backend allowing Vault
-to decrypt the master key at startup and unseal automatically.
-
-When using Auto Unseal there are certain operations in Vault that still
-require a quorum of users to perform an operation such as generating a root token.
-During the initialization process, a set of Shamir keys are generated that are called
-Recovery Keys and are used for these operations.
-
-For a list of examples and supported providers, please see the
-[seal documentation](/docs/configuration/seal/index.html).
-
-## Seal Migration
-
-The seal can be migrated from Shamir keys to Auto Unseal and vice versa.
-
-  ~> **NOTE**: This is not currently supported when using Vault Enterprise Replication.
-  While the primary can be migrated without issue, the secondaries, depending on
-  which type of seal is being migrated from/to, may not work correctly. We plan
-  to support this officially in a future release.
-
-To migrate from Shamir keys to Auto Unseal, take your server cluster offline and update
-the [seal configuration](/docs/configuration/seal/index.html) with the appropriate seal
-configuration. Bring your server back up and leave the rest of the nodes offline if
-using multi-server mode, then run the unseal process with the `-migrate` flag and bring
-the rest of the cluster online.
-
-All unseal commands must specify the `-migrate` flag. Once the required threshold of
-unseal keys are entered, unseal keys will be migrated to recovery keys.
-
-```
-$ vault operator unseal -migrate
-```
-
-To migrate from Auto Unseal to Shamir keys, take your server cluster offline and update
-the [seal configuration](/docs/configuration/seal/index.html) and add `disabled = "true"`
-to the seal block.  This allows the migration to use this information to decrypt the key
-but will not unseal Vault.  When you bring your server back up, run the unseal process
-with the `-migrate` flag and use the Recovery Keys to perform the migration. All unseal
-commands must specify the `-migrate` flag. Once the required threshold of recovery keys
-are entered, the recovery keys will be migrated to be used as unseal keys.
-
-## Recovery Key Rekeying
-
-During Auto Seal initialization process, a set of Shamir keys called Recovery Keys are
-generated which are used for operations that still require a quorum of users.
-
-Recovery Keys can be rekeyed to change the number of shares or thresholds. When using the
-Vault CLI, this is performed by using the `-target=recovery` flag to `vault operator rekey`.
diff --git a/website/source/docs/concepts/tokens.html.md b/website/source/docs/concepts/tokens.html.md
deleted file mode 100644
index 8313ad002de2..000000000000
--- a/website/source/docs/concepts/tokens.html.md
+++ /dev/null
@@ -1,288 +0,0 @@
----
-layout: "docs"
-page_title: "Tokens"
-sidebar_title: "Tokens"
-sidebar_current: "docs-concepts-tokens"
-description: |-
-  Tokens are a core auth method in Vault. Concepts and important features.
----
-
-# Tokens
-
-Tokens are the core method for _authentication_ within Vault. Tokens
-can be used directly or [auth methods](/docs/concepts/auth.html)
-can be used to dynamically generate tokens based on external identities.
-
-If you've gone through the getting started guide, you probably noticed that
-`vault server -dev` (or `vault operator init` for a non-dev server) outputs an
-initial "root token." This is the first method of authentication for Vault.
-It is also the only auth method that cannot be disabled.
-
-As stated in the [authentication concepts](/docs/concepts/auth.html),
-all external authentication mechanisms, such as GitHub, map down to dynamically
-created tokens. These tokens have all the same properties as a normal manually
-created token.
-
-Within Vault, tokens map to information. The most important information mapped
-to a token is a set of one or more attached
-[policies](/docs/concepts/policies.html). These policies control what the token
-holder is allowed to do within Vault. Other mapped information includes
-metadata that can be viewed and is added to the audit log, creation time, last
-renewal time, and more.
-
-~> Note that external to Vault, tokens are to be considered opaque values
-by users and as such, their structure is both currently undocumented and
-subject to change.
-
-Read on for a deeper dive into token concepts.
-
-## Token Types
-
-As of Vault 1.0, there are two types of tokens: `service` tokens and `batch`
-tokens. A section near the bottom of this page contains detailed information
-about their differences, but it is useful to understand other token concepts
-first. The features in the following sections all apply to service tokens, and
-their applicability to batch tokens is discussed later.
-
-## The Token Store
-
-Often in documentation or in help channels, the "token store" is referenced.
-This is the same as the [`token` authentication
-backend](/docs/auth/token.html). This is a special
-backend in that it is responsible for creating and storing tokens, and cannot
-be disabled. It is also the only auth method that has no login
-capability -- all actions require existing authenticated tokens.
-
-## Root Tokens
-
-Root tokens are tokens that have the `root` policy attached to them. Root
-tokens can do anything in Vault. _Anything_. In addition, they are the only
-type of token within Vault that can be set to never expire without any renewal
-needed. As a result, it is purposefully hard to create root tokens; in fact
-there are only three ways to create root tokens:
-
-1. The initial root token generated at `vault operator init` time -- this token has no
-   expiration
-2. By using another root token; a root token with an expiration cannot create a
-   root token that never expires
-3. By using `vault operator generate-root` ([example](/guides/operations/generate-root.html))
-   with the permission of a quorum of unseal key holders
-
-Root tokens are useful in development but should be extremely carefully guarded
-in production. In fact, the Vault team recommends that root tokens are only
-used for just enough initial setup (usually, setting up auth methods
-and policies necessary to allow administrators to acquire more limited tokens)
-or in emergencies, and are revoked immediately after they are no longer needed.
-If a new root token is needed, the `operator generate-root` command and associated
-[API endpoint](/api/system/generate-root.html) can be used to generate one on-the-fly.
-
-It is also good security practice for there to be multiple eyes on a terminal
-whenever a root token is live. This way multiple people can verify as to the
-tasks performed with the root token, and that the token was revoked immediately
-after these tasks were completed.
-
-## Token Hierarchies and Orphan Tokens
-
-Normally, when a token holder creates new tokens, these tokens will be created
-as children of the original token; tokens they create will be children of them;
-and so on. When a parent token is revoked, all of its child tokens -- and all
-of their leases -- are revoked as well. This ensures that a user cannot escape
-revocation by simply generating a never-ending tree of child tokens.
-
-Often this behavior is not desired, so users with appropriate access can create
-`orphan` tokens. These tokens have no parent -- they are the root of their own
-token tree. These orphan tokens can be created:
-
-1. Via the `auth/token/create-orphan` endpoint
-2. By having `sudo` capability or `root` policy when accessing
-   `auth/token/create` and setting the `orphan` parameter to `true`
-3. Via token store roles
-4. By logging in with any other (non-`token`) auth method
-
-Users with appropriate permissions can also use the `auth/token/revoke-orphan`
-endpoint, which revokes the given token but rather than revoke the rest of the
-tree, it instead sets the tokens' immediate children to be orphans. Use with
-caution!
-
-## Token Accessors
-
-When tokens are created, a token accessor is also created and returned. This
-accessor is a value that acts as a reference to a token and can only be used to
-perform limited actions:
-
-1. Look up a token's properties (not including the actual token ID)
-2. Look up a token's capabilities on a path
-3. Renew the token
-4. Revoke the token
-
-The token _making the call_, *not* the token associated with the accessor, must
-have appropriate permissions for these functions.
-
-There are many useful workflows around token accessors. As an example, a
-service that creates tokens on behalf of another service (such as the
-[Nomad](https://www.nomadproject.io/) scheduler) can store the accessor
-correlated with a particular job ID. When the job is complete, the accessor can
-be used to instantly revoke the token given to the job and all of its leased
-credentials, limiting the chance that a bad actor will discover and use them.
-
-Audit devices can optionally be set to not obfuscate token accessors in audit
-logs. This provides a way to quickly revoke tokens in case of an emergency.
-However, it also means that the audit logs can be used to perform a larger-scale
-denial of service attack.
-
-Finally, the only way to "list tokens" is via the `auth/token/accessors`
-command, which actually gives a list of token accessors. While this is still a
-dangerous endpoint (since listing all of the accessors means that they can then
-be used to revoke all tokens), it also provides a way to audit and revoke the
-currently-active set of tokens.
-
-## Token Time-To-Live, Periodic Tokens, and Explicit Max TTLs
-
-Every non-root token has a time-to-live (TTL) associated with it, which is a
-current period of validity since either the token's creation time or last
-renewal time, whichever is more recent. (Root tokens may have a TTL associated,
-but the TTL may also be 0, indicating a token that never expires). After the
-current TTL is up, the token will no longer function -- it, and its associated
-leases, are revoked.
-
-If the token is renewable, Vault can be asked to extend the token validity
-period using `vault token renew` or the appropriate renewal endpoint. At this
-time, various factors come into play. What happens depends upon whether the
-token is a periodic token (available for creation by `root`/`sudo` users, token
-store roles, or some auth methods), has an explicit maximum TTL
-attached, or neither.
-
-### The General Case
-
-In the general case, where there is neither a period nor explicit maximum TTL
-value set on the token, the token's lifetime since it was created will be
-compared to the maximum TTL. This maximum TTL value is dynamically generated
-and can change from renewal to renewal, so the value cannot be displayed when a
-token's information is looked up. It is based on a combination of factors:
-
-1. The system max TTL, which is 32 days but can be changed in Vault's
-   configuration file.
-2. The max TTL set on a mount using [mount
-   tuning](/api/system/mounts.html). This value
-   is allowed to override the system max TTL -- it can be longer or shorter,
-   and if set this value will be respected.
-3. A value suggested by the auth method that issued the token. This
-   might be configured on a per-role, per-group, or per-user basis. This value
-   is allowed to be less than the mount max TTL (or, if not set, the system max
-   TTL), but it is not allowed to be longer.
-
-Note that the values in (2) and (3) may change at any given time, which is why
-a final determination about the current allowed max TTL is made at renewal time
-using the current values. It is also why it is important to always ensure that
-the TTL returned from a renewal operation is within an allowed range; if this
-value is not extending, likely the TTL of the token cannot be extended past its
-current value and the client may want to reauthenticate and acquire a new
-token. However, outside of direct operator interaction, Vault will never revoke
-a token before the returned TTL has expired.
-
-### Explicit Max TTLs
-
-Tokens can have an explicit max TTL set on them. This value becomes a hard
-limit on the token's lifetime -- no matter what the values in (1), (2), and (3)
-from the general case are, the token cannot live past this explicitly-set
-value. This has an effect even when using periodic tokens to escape the normal
-TTL mechanism.
-
-### Periodic Tokens
-
-In some cases, having a token be revoked would be problematic -- for instance,
-if a long-running service needs to maintain its SQL connection pool over a long
-period of time. In this scenario, a periodic token can be used. Periodic tokens
-can be created in a few ways:
-
-1. By having `sudo` capability or a `root` token with the `auth/token/create`
-   endpoint
-2. By using token store roles
-3. By using an auth method that supports issuing these, such as
-   AppRole
-
-At issue time, the TTL of a periodic token will be equal to the configured
-period. At every renewal time, the TTL will be reset back to this configured
-period, and as long as the token is successfully renewed within each of these
-periods of time, it will never expire. Outside of `root` tokens, it is
-currently the only way for a token in Vault to have an unlimited lifetime.
-
-The idea behind periodic tokens is that it is easy for systems and services to
-perform an action relatively frequently -- for instance, every two hours, or
-even every five minutes. Therefore, as long as a system is actively renewing
-this token -- in other words, as long as the system is alive -- the system is
-allowed to keep using the token and any associated leases. However, if the
-system stops renewing within this period (for instance, if it was shut down),
-the token will expire relatively quickly. It is good practice to keep this
-period as short as possible, and generally speaking it is not useful for humans
-to be given periodic tokens.
-
-There are a few important things to know when using periodic tokens:
-
-* When a periodic token is created via a token store role, the _current_ value
-  of the role's period setting will be used at renewal time
-* A token with both a period and an explicit max TTL will act like a periodic
-  token but will be revoked when the explicit max TTL is reached
-
-## CIDR-Bound Tokens
-
-Some tokens are able to be bound to CIDR(s) that restrict the range of client
-IPs allowed to use them. These affect all tokens except for non-expiring root
-tokens (those with a TTL of zero). If a root token has an expiration, it also
-is affected by CIDR-binding.
-
-## Token Types in Detail
-
-There are currently two types of tokens.
-
-### Service Tokens
-
-Service tokens are what users will generally think of as "normal" Vault tokens.
-They support all features, such as renewal, revocation, creating child tokens,
-and more. They are correspondingly heavyweight to create and track.
-
-### Batch Tokens
-
-Batch tokens are encrypted blobs that carry enough information for them to
-be used for Vault actions, but they require no storage on disk to track them.
-As a result they are extremely lightweight and scalable, but lack most of the
-flexibility and features of service tokens.
-
-### Token Type Comparison
-
-This reference chart describes the difference in behavior between service and
-batch tokens. 
-
-|  | Service Tokens | Batch Tokens |
-|---|---:|---:|
-| Can Be Root Tokens | Yes | No |
-| Can Create Child Tokens | Yes | No |
-| Can be Renewable | Yes | No |
-| Can be Periodic | Yes | No |
-| Can have Explicit Max TTL | Yes | No (always uses a fixed TTL) |
-| Has Accessors | Yes | No |
-| Has Cubbyhole | Yes | No |
-| Revoked with Parent (if not orphan) | Yes | Stops Working |
-| Dynamic Secrets Lease Assignment | Self | Parent (if not orphan) |
-| Can be Used Across Performance Replication Clusters | No | Yes (if orphan) |
-| Creation Scales with Performance Standby Node Count | No | Yes |
-| Cost | Heavyweight; multiple storage writes per token creation | Lightweight; no storage cost for token creation |
-
-### Service vs. Batch Token Lease Handling
-
-#### Service Tokens
-
-Leases created by service tokens (including child tokens' leases) are tracked
-along with the service token and revoked when the token expires.
-
-#### Batch Tokens
-
-Leases created by batch tokens are constrained to the remaining TTL of the
-batch tokens and, if the batch token is not an orphan, are tracked by the
-parent. They are revoked when the batch token's TTL expires, or when the batch
-token's parent is revoked (at which point the batch token is also denied access
-to Vault).
-
-As a corollary, batch tokens can be used across performance replication
-clusters, but only if they are orphan, since non-orphan tokens will not be able
-to ensure the validity of the parent token.
diff --git a/website/source/docs/configuration/entropy-augmentation/index.html.md b/website/source/docs/configuration/entropy-augmentation/index.html.md
deleted file mode 100644
index e46ab889ef4d..000000000000
--- a/website/source/docs/configuration/entropy-augmentation/index.html.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-layout: "docs"
-page_title: "Entropy Augmentation - Configuration"
-sidebar_title: "<code>Entropy Augmentation</code> <sup>ENT</sup>"
-sidebar_current: "docs-configuration-entropy-augmentation"
-description: |-
-  Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
----
-
-# `Entropy Augmentation` Seal
-
-  Entropy augmentation enables Vault to sample entropy from an external cryptographic modules.
-  Currently, sourcing external entropy is done through a configured [PKCS11 seal](/docs/configuration/seal/pkcs11.html).
-  Vault Enterprises's external entropy support is activated by the presence of an `entropy "seal"`
-  block in Vault's configuration file.
-
-## Requirements
-
-The following software packages are required for Vault Enterprise Entropy Augmentation:
-
-- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
-  higher of PKCS#11. Depending on any given HSM, some functions (such as key
-  generation) may have to be performed manually.
-- The [GNU libltdl library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html)
-  — ensure that it is installed for the correct architecture of your servers
-- Governance and Policy module of a Vault Enterprise license
-
-## `entropy` Example
-
-This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration
-file:
-
-```hcl
-seal "pkcs11" {
-    ...
-}
-
-entropy "seal" {
-    mode = "augmentation"
-}
-```
-
-## `entropy augmentation` Parameters
-
-These parameters apply to the `entropy` stanza in the Vault configuration file:
-
-- `mode` `(string: <required>)`: The mode determines which Vault operations requiring
-entropy will sample entropy from the external source. Currently, the only mode supported
-is `augmentation` which sources entropy for [Critical Security Parameters (CSPs)](/docs/enterprise/entropy-augmentation/index.html#Critical-Security-Parameters-(CSPs)).
diff --git a/website/source/docs/configuration/index.html.md b/website/source/docs/configuration/index.html.md
deleted file mode 100644
index 5ee97459b7be..000000000000
--- a/website/source/docs/configuration/index.html.md
+++ /dev/null
@@ -1,183 +0,0 @@
----
-layout: "docs"
-page_title: "Server Configuration"
-sidebar_title: "Configuration"
-sidebar_current: "docs-configuration"
-description: |-
-  Vault server configuration reference.
----
-
-# Vault Configuration
-
-Outside of development mode, Vault servers are configured using a file.
-The format of this file is [HCL](https://github.com/hashicorp/hcl) or JSON.
-An example configuration is shown below:
-
-```javascript
-storage "consul" {
-  address = "127.0.0.1:8500"
-  path    = "vault"
-}
-
-listener "tcp" {
-  address     = "127.0.0.1:8200"
-  tls_disable = 1
-}
-
-telemetry {
-  statsite_address = "127.0.0.1:8125"
-  disable_hostname = true
-}
-```
-
-After the configuration is written, use the `-config` flag with `vault server`
-to specify where the configuration is.
-
-## Parameters
-
-- `storage` <tt>([StorageBackend][storage-backend]: \<required\>)</tt> –
-  Configures the storage backend where Vault data is stored. Please see the
-  [storage backends documentation][storage-backend] for the full list of
-  available storage backends. Running Vault in HA mode would require
-  coordination semantics to be supported by the backend. If the storage backend
-  supports HA coordination, HA backend options can also be specified in this
-  parameter block. If not, a separate `ha_storage` parameter should be
-  configured with a backend that supports HA, along with corresponding HA
-  options.
-
-- `ha_storage` <tt>([StorageBackend][storage-backend]: nil)</tt> – Configures
-  the storage backend where Vault HA coordination will take place. This must be
-  an HA-supporting backend. If not set, HA will be attempted on the backend
-  given in the `storage` parameter. This parameter is not required if the
-  storage backend supports HA coordination and if HA specific options are
-  already specified with `storage` parameter.
-
-- `listener` <tt>([Listener][listener]: \<required\>)</tt> – Configures how
-  Vault is listening for API requests.
-
-- `seal` <tt>([Seal][seal]: nil)</tt> – Configures the seal type to use for
-  auto-unsealing, as well as for
-  [seal wrapping][sealwrap] as an additional layer of data protection.
-
-- `cluster_name` `(string: <generated>)` – Specifies the identifier for the
-  Vault cluster. If omitted, Vault will generate a value. When connecting to
-  Vault Enterprise, this value will be used in the interface.
-
-- `cache_size` `(string: "32000")` – Specifies the size of the read cache used
-  by the physical storage subsystem. The value is in number of entries, so the
-  total cache size depends on the size of stored entries.
-
-- `disable_cache` `(bool: false)` – Disables all caches within Vault, including
-  the read cache used by the physical storage subsystem. This will very
-  significantly impact performance.
-
-- `disable_mlock` `(bool: false)` – Disables the server from executing the
-  `mlock` syscall. `mlock` prevents memory from being swapped to disk. Disabling
-  `mlock` is not recommended in production, but is fine for local development
-  and testing.
-
-    Disabling `mlock` is not recommended unless the systems running Vault only
-    use encrypted swap or do not use swap at all. Vault only supports memory
-    locking on UNIX-like systems that support the mlock() syscall (Linux, FreeBSD, etc).
-    Non UNIX-like systems (e.g. Windows, NaCL, Android) lack the primitives to keep a
-    process's entire memory address space from spilling to disk and is therefore
-    automatically disabled on unsupported platforms.
-
-    On Linux, to give the Vault executable the ability to use the `mlock`
-    syscall without running the process as root, run:
-
-    ```shell
-    sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
-    ```
-
-    Note: Since each plugin runs as a separate process, you need to do the same for each plugin in your [plugins directory](https://www.vaultproject.io/docs/internals/plugins.html#plugin-directory).
-
-    If you use a Linux distribution with a modern version of systemd, you can add
-    the following directive to the "[Service]" configuration section:
-
-    ```ini
-    LimitMEMLOCK=infinity
-    ```
-
-- `plugin_directory` `(string: "")` – A directory from which plugins are
-  allowed to be loaded. Vault must have permission to read files in this
-  directory to successfully load plugins, and the value cannot be a symbolic link.
-
-- `telemetry` <tt>([Telemetry][telemetry]: &lt;none&gt;)</tt> – Specifies the telemetry
-  reporting system.
-
-- `log_level` `(string: "")` – Specifies the log level to use; overridden by
-  CLI and env var parameters. On SIGHUP, Vault will update the log level to the
-  current value specified here (including overriding the CLI/env var
-  parameters). Not all parts of Vault's logging can have its level be changed
-  dynamically this way; in particular, secrets/auth plugins are currently not
-  updated dynamically. Supported log levels: Trace, Debug, Error, Warn, Info.
-
-- `log_format` `(string: "")` – Specifies the log format to use; overridden by
-  CLI and env var parameters. Supported log formats: "standard", "json".
-
-- `default_lease_ttl` `(string: "768h")` – Specifies the default lease duration
-  for tokens and secrets. This is specified using a label suffix like `"30s"` or
-  `"1h"`. This value cannot be larger than `max_lease_ttl`.
-
-- `max_lease_ttl` `(string: "768h")` – Specifies the maximum possible lease
-  duration for tokens and secrets. This is specified using a label
-  suffix like `"30s"` or `"1h"`.
-
-- `default_max_request_duration` `(string: "90s")` – Specifies the default
-  maximum request duration allowed before Vault cancels the request. This can
-  be overridden per listener via the `max_request_duration` value.
-
-- `raw_storage_endpoint` `(bool: false)` – Enables the `sys/raw` endpoint which
-  allows the decryption/encryption of raw data into and out of the security
-  barrier. This is a highly privileged endpoint.
-
-- `ui` `(bool: false)` – Enables the built-in web UI, which is available on all
-  listeners (address + port) at the `/ui` path. Browsers accessing the standard
-  Vault API address will automatically redirect there. This can also be provided
-  via the environment variable `VAULT_UI`. For more information, please see the
-  [ui configuration documentation](/docs/configuration/ui/index.html).
-
-- `pid_file` `(string: "")` - Path to the file in which the Vault server's
-  Process ID (PID) should be stored.
-
-### High Availability Parameters
-
-The following parameters are used on backends that support [high availability][high-availability].
-
-- `api_addr` `(string: "")` - Specifies the address (full URL) to advertise to
-  other Vault servers in the cluster for client redirection. This value is also
-  used for [plugin backends][plugins]. This can also be provided via the
-  environment variable `VAULT_API_ADDR`. In general this should be set as a full
-  URL that points to the value of the [`listener`](#listener) address.
-
-- `cluster_addr` `(string: "")` -  – Specifies the address to advertise to other
-  Vault servers in the cluster for request forwarding. This can also be provided
-  via the environment variable `VAULT_CLUSTER_ADDR`. This is a full URL, like
-  `api_addr`, but Vault will ignore the scheme (all cluster members always
-  use TLS with a private key/certificate).
-
-- `disable_clustering` `(bool: false)` – Specifies whether clustering features
-  such as request forwarding are enabled. Setting this to true on one Vault node
-  will disable these features _only when that node is the active node_.
-
-### Vault Enterprise Parameters
-
-The following parameters are only used with Vault Enterprise
-
-- `disable_sealwrap` `(bool: false)` – Disables using [seal wrapping][sealwrap]
-  for any value except the master key. If this value is toggled, the new
-  behavior will happen lazily (as values are read or written).
-
-- `disable_performance_standby` `(bool: false)` – Specifies whether performance
-  standbys should be disabled on this node. Setting this to true on one Vault
-  node will disable this feature when this node is Active or Standby. It's
-  recommended to sync this setting across all nodes in the cluster.
-
-[storage-backend]: /docs/configuration/storage/index.html
-[listener]: /docs/configuration/listener/index.html
-[seal]: /docs/configuration/seal/index.html
-[sealwrap]: /docs/enterprise/sealwrap/index.html
-[telemetry]: /docs/configuration/telemetry.html
-[high-availability]: /docs/concepts/ha.html
-[plugins]: /docs/plugin/index.html
diff --git a/website/source/docs/configuration/listener/index.html.md b/website/source/docs/configuration/listener/index.html.md
deleted file mode 100644
index eba830d349c0..000000000000
--- a/website/source/docs/configuration/listener/index.html.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-layout: "docs"
-page_title: "Listeners - Configuration"
-sidebar_title: "<code>listener</code>"
-sidebar_current: "docs-configuration-listener"
-description: |-
-  The listener stanza configures the addresses and ports on which Vault will
-  respond to requests.
----
-
-# `listener` Stanza
-
-The `listener` stanza configures the addresses and ports on which Vault will
-respond to requests. At this time, there is only one listener - [TCP][tcp].
-
-[tcp]: /docs/configuration/listener/tcp.html
diff --git a/website/source/docs/configuration/listener/tcp.html.md b/website/source/docs/configuration/listener/tcp.html.md
deleted file mode 100644
index f23a05b22e80..000000000000
--- a/website/source/docs/configuration/listener/tcp.html.md
+++ /dev/null
@@ -1,193 +0,0 @@
----
-layout: "docs"
-page_title: "TCP - Listeners - Configuration"
-sidebar_title: "TCP"
-sidebar_current: "docs-configuration-listener-tcp"
-description: |-
-  The TCP listener configures Vault to listen on the specified TCP address and
-  port.
----
-
-# `tcp` Listener
-
-The TCP listener configures Vault to listen on a TCP address/port.
-
-```hcl
-listener "tcp" {
-  address = "127.0.0.1:8200"
-}
-```
-
-The `listener` stanza may be specified more than once to make Vault listen on
-multiple interfaces. If you configure multiple listeners you also need to
-specify [`api_addr`][api-addr] and [`cluster_addr`][cluster-addr] so Vault will
-advertise the correct address to other nodes.
-
-## `tcp` Listener Parameters
-
-- `address` `(string: "127.0.0.1:8200")` – Specifies the address to bind to for
-  listening.
-
-- `cluster_address` `(string: "127.0.0.1:8201")` – Specifies the address to bind
-  to for cluster server-to-server requests. This defaults to one port higher
-  than the value of `address`. This does not usually need to be set, but can be
-  useful in case Vault servers are isolated from each other in such a way that
-  they need to hop through a TCP load balancer or some other scheme in order to
-  talk.
-
-- `http_idle_timeout` `(string: "5m")` - Specifies the maximum amount of time to
-  wait for the next request when keep-alives are enabled. If `http_idle_timeout`
-  is zero, the value of `http_read_timeout` is used. If both are zero, the value
-  of `http_read_header_timeout` is used. This is specified using a label suffix
-  like `"30s"` or `"1h"`.
-
-- `http_read_header_timeout` `(string: "10s")` - Specifies the amount of time
-  allowed to read request headers. This is specified using a label suffix like
-  `"30s"` or `"1h"`.
-
-- `http_read_timeout` `(string: "30s")` - Specifies the maximum duration for
-  reading the entire request, including the body. This is specified using a
-  label suffix like `"30s"` or `"1h"`.
-
-- `http_write_timeout` `string: "0")` - Specifies the maximum duration before
-  timing out writes of the response and is reset whenever a new request's header
-  is read. The default value of `"0"` means inifinity. This is specified using a
-  label suffix like `"30s"` or `"1h"`.
-
-- `max_request_size` `(int: 33554432)` – Specifies a hard maximum allowed
-  request size, in bytes. Defaults to 32 MB. Specifying a number less than or
-  equal to `0` turns off limiting altogether.
-
-- `max_request_duration` `(string: "90s")` – Specifies the maximum
-  request duration allowed before Vault cancels the request. This overrides
-  `default_max_request_duration` for this listener.
-
-- `proxy_protocol_behavior` `(string: "")` – When specified, enables a PROXY
-  protocol version 1 behavior for the listener.
-  Accepted Values:
-  - *use_always* - The client's IP address will always be used.
-  - *allow_authorized* - If the source IP address is in the
-  `proxy_protocol_authorized_addrs` list, the client's IP address will be used.
-  If the source IP is not in the list, the source IP address will be used.
-  - *deny_unauthorized* - The traffic will be rejected if the source IP
-  address is not in the `proxy_protocol_authorized_addrs` list.
-
-- `proxy_protocol_authorized_addrs` `(string: <required-if-enabled> or array: <required-if-enabled> )` –
-  Specifies the list of allowed source IP addresses to be used with the PROXY protocol.
-  Not required if `proxy_protocol_behavior` is set to `use_always`. Source IPs should
-  be comma-delimited if provided as a string. At least one source IP must be provided,
-  `proxy_protocol_authorized_addrs` cannot be an empty array or string.
-
-- `tls_disable` `(string: "false")` – Specifies if TLS will be disabled. Vault
-  assumes TLS by default, so you must explicitly disable TLS to opt-in to
-  insecure communication.
-
-- `tls_cert_file` `(string: <required-if-enabled>, reloads-on-SIGHUP)` –
-  Specifies the path to the certificate for TLS. To configure the listener to
-  use a CA certificate, concatenate the primary certificate and the CA
-  certificate together. The primary certificate should appear first in the
-  combined file. On `SIGHUP`, the path set here _at Vault startup_ will be used
-  for reloading the certificate; modifying this value while Vault is running
-  will have no effect for `SIGHUP`s.
-
-- `tls_key_file` `(string: <required-if-enabled>, reloads-on-SIGHUP)` –
-  Specifies the path to the private key for the certificate. If the key file
-  is encrypted, you will be prompted to enter the passphrase on server startup.
-  The passphrase must stay the same between key files when reloading your
-  configuration using `SIGHUP`. On `SIGHUP`, the path set here _at Vault
-  startup_ will be used for reloading the certificate; modifying this value
-  while Vault is running will have no effect for `SIGHUP`s.
-
-- `tls_min_version` `(string: "tls12")` – Specifies the minimum supported
-  version of TLS. Accepted values are "tls10", "tls11" or "tls12".
-
-    ~> **Warning**: TLS 1.1 and lower are generally considered insecure.
-
-- `tls_cipher_suites` `(string: "")` – Specifies the list of supported
-  ciphersuites as a comma-separated-list. The list of all available ciphersuites
-  is available in the [Golang TLS documentation][golang-tls].
-
-- `tls_prefer_server_cipher_suites` `(string: "false")` – Specifies to prefer the
-  server's ciphersuite over the client ciphersuites.
-
-- `tls_require_and_verify_client_cert` `(string: "false")` – Turns on client
-  authentication for this listener; the listener will require a presented
-  client cert that successfully validates against system CAs.
-
-- `tls_client_ca_file` `(string: "")` – PEM-encoded Certificate Authority file
-  used for checking the authenticity of client.
-
-- `tls_disable_client_certs` `(string: "false")` – Turns off client
-  authentication for this listener. The default behavior (when this is false)
-  is for Vault to request client certificates when available.
-
-- `x_forwarded_for_authorized_addrs` `(string: <required-to-enable>)` –
-  Specifies the list of source IP CIDRs for which an X-Forwarded-For header
-  will be trusted. Comma-separated list or JSON array. This turns on
-  X-Forwarded-For support.
-
-- `x_forwarded_for_hop_skips` `(string: "0")` – The number of addresses that will be
-  skipped from the *rear* of the set of hops. For instance, for a header value
-  of `1.2.3.4, 2.3.4.5, 3.4.5.6`, if this value is set to `"1"`, the address that
-  will be used as the originating client IP is `2.3.4.5`.
-
-- `x_forwarded_for_reject_not_authorized` `(string: "true")` – If set false,
-  if there is an X-Forwarded-For header in a connection from an unauthorized
-  address, the header will be ignored and the client connection used as-is,
-  rather than the client connection rejected.
-
-- `x_forwarded_for_reject_not_present` `(string: "true")` – If set false, if
-  there is no X-Forwarded-For header or it is empty, the client address will be
-  used as-is, rather than the client connection rejected.
-
-### `telemetry` Parameters
-
-- `unauthenticated_metrics_access` `(string: "false")` - If set to true, allows
-  unauthenticated access to the `/v1/sys/metrics` endpoint. 
-
-## `tcp` Listener Examples
-
-### Configuring TLS
-
-This example shows enabling a TLS listener.
-
-```hcl
-listener "tcp" {
-  tls_cert_file = "/etc/certs/vault.crt"
-  tls_key_file  = "/etc/certs/vault.key"
-}
-```
-
-### Listening on Multiple Interfaces
-
-This example shows Vault listening on a private interface, as well as localhost.
-
-```hcl
-listener "tcp" {
-  address = "127.0.0.1:8200"
-}
-
-listener "tcp" {
-  address = "10.0.0.5:8200"
-}
-
-# Advertise the non-loopback interface
-api_addr = "https://10.0.0.5:8200"
-cluster_addr = "https://10.0.0.5:8201"
-```
-
-### Configuring unauthenticated metrics access 
-
-This example shows enabling unauthenticated metrics access.
-
-```hcl
-listener "tcp" {
-  telemetry {
-    unauthenticated_metrics_access = true
-  }
-}
-```
-
-[golang-tls]: https://golang.org/src/crypto/tls/cipher_suites.go
-[api-addr]: /docs/configuration/index.html#api_addr
-[cluster-addr]: /docs/configuration/index.html#cluster_addr
diff --git a/website/source/docs/configuration/seal/alicloudkms.html.md b/website/source/docs/configuration/seal/alicloudkms.html.md
deleted file mode 100644
index f572aa396e77..000000000000
--- a/website/source/docs/configuration/seal/alicloudkms.html.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-layout: "docs"
-page_title: "AliCloud KMS - Seals - Configuration"
-sidebar_title: "AliCloud KMS"
-sidebar_current: "docs-configuration-seal-alicloudkms"
-description: |-
-  The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping
-  mechanism.
----
-
-# `alicloudkms` Seal
-
-The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping mechanism.
-The AliCloud KMS seal is activated by one of the following:
-
-* The presence of a `seal "alicloudkms"` block in Vault's configuration file.
-* The presence of the environment variable `VAULT_SEAL_TYPE` set to `alicloudkms`. If
-  enabling via environment variable, all other required values specific to AliCloud
-  KMS (i.e. `VAULT_ALICLOUDKMS_SEAL_KEY_ID`) must be also supplied, as well as all
-  other AliCloud-related environment variables that lends to successful
-  authentication.
-
-## `alicloudkms` Example
-
-This example shows configuring AliCloud KMS seal through the Vault configuration file
-by providing all the required values:
-
-```hcl
-seal "alicloudkms" {
-  region     = "us-east-1"
-  access_key = "0wNEpMMlzy7szvai"
-  secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA"
-  kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73"
-}
-```
-
-## `alicloudkms` Parameters
-
-These parameters apply to the `seal` stanza in the Vault configuration file:
-
-* `region` `(string: <required> "us-east-1")`: The AliCloud region where the encryption key
-  lives. May also be specified by the `ALICLOUD_REGION`
-  environment variable.
-
-* `domain` `(string: "kms.us-east-1.aliyuncs.com")`: If set, overrides the endpoint
-  AliCloud would normally use for KMS for a particular region. May also be specified
-  by the `ALICLOUD_DOMAIN` environment variable.
-
-* `access_key` `(string: <required>)`: The AliCloud access key ID to use. May also be
-  specified by the `ALICLOUD_ACCESS_KEY` environment variable or as part of the
-  AliCloud profile from the AliCloud CLI or instance profile.
-
-* `secret_key` `(string: <required>)`: The AliCloud secret access key to use. May
-  also be specified by the `ALICLOUD_SECRET_KEY` environment variable or as
-  part of the AliCloud profile from the AliCloud CLI or instance profile.
-
-* `kms_key_id` `(string: <required>)`: The AliCloud KMS key ID to use for encryption
-  and decryption. May also be specified by the `VAULT_ALICLOUDKMS_SEAL_KEY_ID`
-  environment variable.
-
-## Authentication
-
-Authentication-related values must be provided, either as environment
-variables or as configuration parameters.
-
-~> **Note:** Although the configuration file allows you to pass in
-`ALICLOUD_ACCESS_KEY` and `ALICLOUD_SECRET_KEY` as part of the seal's parameters, it
-is _strongly_ recommended to set these values via environment variables.
-
-```text
-AliCloud authentication values:
-
-* `ALICLOUD_REGION`
-* `ALICLOUD_ACCESS_KEY`
-* `ALICLOUD_SECRET_KEY`
-```
-
-Note: The client uses the official AliCloud SDK and will use environment credentials,
-the specified credentials, or RAM role credentials in that order.
-
-## `alicloudkms` Environment Variables
-
-Alternatively, the AliCloud KMS seal can be activated by providing the following
-environment variables:
-
-```text
-Vault Seal specific values:
-
-* `VAULT_SEAL_TYPE`
-* `VAULT_ALICLOUDKMS_SEAL_KEY_ID`
-```
diff --git a/website/source/docs/configuration/seal/awskms.html.md b/website/source/docs/configuration/seal/awskms.html.md
deleted file mode 100644
index 5a149a728767..000000000000
--- a/website/source/docs/configuration/seal/awskms.html.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-layout: "docs"
-page_title: "AWS KMS - Seals - Configuration"
-sidebar_title: "AWS KMS"
-sidebar_current: "docs-configuration-seal-awskms"
-description: |-
-  The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping
-  mechanism.
----
-
-# `awskms` Seal
-
-The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping mechanism.
-The AWS KMS seal is activated by one of the following:
-
-* The presence of a `seal "awskms"` block in Vault's configuration file
-* The presence of the environment variable `VAULT_SEAL_TYPE` set to `awskms`. If
-  enabling via environment variable, all other required values specific to AWS
-  KMS (i.e. `VAULT_AWSKMS_SEAL_KEY_ID`) must be also supplied, as well as all
-  other AWS-related environment variables that lends to successful
-  authentication (i.e. `AWS_ACCESS_KEY_ID`, etc.).
-
-## `awskms` Example
-
-This example shows configuring AWS KMS seal through the Vault configuration file
-by providing all the required values:
-
-```hcl
-seal "awskms" {
-  region     = "us-east-1"
-  access_key = "AKIAIOSFODNN7EXAMPLE"
-  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-  kms_key_id = "19ec80b0-dfdd-4d97-8164-c6examplekey"
-  endpoint   = "https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com"
-}
-```
-
-## `awskms` Parameters
-
-These parameters apply to the `seal` stanza in the Vault configuration file:
-
-- `region` `(string: "us-east-1")`: The AWS region where the encryption key
-  lives. If not provided, may be populated from the `AWS_REGION` or
-  `AWS_DEFAULT_REGION` environment variables, from your `~/.aws/config` file,
-   or from instance metadata.
-
-- `access_key` `(string: <required>)`: The AWS access key ID to use. May also be
-  specified by the `AWS_ACCESS_KEY_ID` environment variable or as part of the
-  AWS profile from the AWS CLI or instance profile.
-
-- `session_token` `(string: "")`: Specifies the AWS session token. This can
-  also be provided via the environment variable `AWS_SESSION_TOKEN`.
-
-- `secret_key` `(string: <required>)`: The AWS secret access key to use. May
-  also be specified by the `AWS_SECRET_ACCESS_KEY` environment variable or as
-  part of the AWS profile from the AWS CLI or instance profile.
-
-- `kms_key_id` `(string: <required>)`: The AWS KMS key ID to use for encryption
-  and decryption. May also be specified by the `VAULT_AWSKMS_SEAL_KEY_ID`
-  environment variable.
-
-- `endpoint` `(string: "")`: The KMS API endpoint to be used to make AWS KMS
-  requests. May also be specified by the `AWS_KMS_ENDPOINT` environment
-  variable. This is useful, for example, when connecting to KMS over a [VPC
-  Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html).
-  If not set, Vault will use the default API endpoint for your region.
-
-## Authentication
-
-Authentication-related values must be provided, either as environment
-variables or as configuration parameters.
-
-~> **Note:** Although the configuration file allows you to pass in
-`AWS_ACCESS_KEY_ID` and `AWS_ACCESS_KEY_ID` as part of the seal's parameters, it
-is *strongly* recommended to set these values via environment variables.
-
-AWS authentication values:
-
-* `AWS_REGION` or `AWS_DEFAULT_REGION`
-* `AWS_ACCESS_KEY_ID`
-* `AWS_SECRET_ACCESS_KEY`
-
-
-Note: The client uses the official AWS SDK and will use the specified
-credentials, environment credentials, shared file credentials, or IAM role/ECS
-task credentials in that order, if the above AWS specific values are not
-provided.
-
-Vault needs the following permissions on the KMS key:
-
-* `kms:Encrypt`
-* `kms:Decrypt`
-* `kms:DescribeKey`
-
-These can be granted via IAM permissions on the principal that Vault uses, on
-the KMS key policy for the KMS key, or via KMS Grants on the key.
-
-## `awskms` Environment Variables
-
-Alternatively, the AWS KMS seal can be activated by providing the following
-environment variables.
-
-Vault Seal specific values:
-
-* `VAULT_SEAL_TYPE`
-* `VAULT_AWSKMS_SEAL_KEY_ID`
-
-
-## Key Rotation
-
-This seal supports rotating the master keys defined in AWS KMS
-[doc](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). Both automatic
-rotation and manual rotation is supported for KMS since the key information is stored with the
-encrypted data.  Old keys must not be disabled or deleted and are used to decrypt older data.
-Any new or updated data will be encrypted with the current key defined in the seal configuration
-or set to current under a key alias.
-
-## Learn
-
-Refer to the [Auto-unseal using AWS KMS](https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/configuration/seal/azurekeyvault.html.md b/website/source/docs/configuration/seal/azurekeyvault.html.md
deleted file mode 100644
index 9ffeaae62d99..000000000000
--- a/website/source/docs/configuration/seal/azurekeyvault.html.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-layout: "docs"
-page_title: "Azure Key Vault - Seals - Configuration"
-sidebar_title: "Azure Key Vault"
-sidebar_current: "docs-configuration-seal-azurekeyvault"
-description: |-
-  The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal wrapping
-  mechanism.
----
-
-# `azurekeyvault` Seal
-
-The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal
-wrapping mechanism. The Azure Key Vault seal is activated by one of the following:
-
-* The presence of a `seal "azurekeyvault"` block in Vault's configuration file.
-* The presence of the environment variable `VAULT_SEAL_TYPE` set to `azurekeyvault`.
-  If enabling via environment variable, all other required values specific to
-  Key Vault (i.e. `VAULT_AZUREKEYVAULT_VAULT_NAME`, etc.) must be also supplied, as
-  well as all other Azure-related environment variables that lends to successful
-  authentication (i.e. `AZURE_TENANT_ID`, etc.).
-
-## `azurekeyvault` Example
-
-This example shows configuring Azure Key Vault seal through the Vault
-configuration file by providing all the required values:
-
-```hcl
-seal "azurekeyvault" {
-  tenant_id      = "46646709-b63e-4747-be42-516edeaf1e14"
-  client_id      = "03dc33fc-16d9-4b77-8152-3ec568f8af6e"
-  client_secret  = "DUJDS3..."
-  vault_name     = "hc-vault"
-  key_name       = "vault_key"
-}
-```
-
-## `azurekeyvault` Parameters
-
-These parameters apply to the `seal` stanza in the Vault configuration file:
-
-- `tenant_id` `(string: <required>)`: The tenant id for the Azure Active Directory organization. May
-  also be specified by the `AZURE_TENANT_ID` environment variable.
-
-- `client_id` `(string: <required or MSI>)`: The client id for credentials to query the Azure APIs.
-  May also be specified by the `AZURE_CLIENT_ID` environment variable.
-
-- `client_secret` `(string: <required or MSI>)`: The client secret for credentials to query the Azure APIs.
-  May also be specified by the `AZURE_CLIENT_SECRET` environment variable.
-
-- `environment` `(string: "AZUREPUBLICCLOUD")`: The Azure Cloud environment API endpoints to use.  May also
-  be specified by the `AZURE_ENVIRONMENT` environment variable.
-
-- `vault_name` `(string: <required>)`: The Key Vault vault to use the encryption keys for encryption and
-  decryption. May also be specified by the `VAULT_AZUREKEYVAULT_VAULT_NAME` environment variable.
-
-- `key_name` `(string: <required>)`: The Key Vault key to use for encryption and decryption. May also be specified by the
-  `VAULT_AZUREKEYVAULT_KEY_NAME` environment variable.
-
-## Authentication
-
-Authentication-related values must be provided, either as environment
-variables or as configuration parameters.
-
-Azure authentication values:
-
-* `AZURE_TENANT_ID`
-* `AZURE_CLIENT_ID`
-* `AZURE_CLIENT_SECRET`
-* `AZURE_ENVIRONMENT`
-
-
-~> **Note:** If Vault is hosted on Azure, Vault can use Managed Service
-Identities (MSI) to access Azure instead of an environment and shared client id
-and secret.  MSI must be
-[enabled](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/qs-configure-portal-windows-vm)
-on the VMs hosting Vault, and it is the preferred configuration since MSI
-prevents your Azure credentials from being stored as clear text. Refer to the
-[Production
-Hardening](https://learn.hashicorp.com/vault/day-one/production-hardening) guide
-for more best practices.
-
-
-## `azurekeyvault` Environment Variables
-
-Alternatively, the Azure Key Vault seal can be activated by providing the following
-environment variables:
-
-* `VAULT_AZUREKEYVAULT_VAULT_NAME`
-* `VAULT_AZUREKEYVAULT_KEY_NAME`
-
-## Key Rotation
-
-This seal supports rotating keys defined in Azure Key Vault.  Key metadata is stored with the
-encrypted data to ensure the correct key is used during decryption operations.
-
-## Learn
-
-Refer to the [Auto-unseal using Azure Key Vault](https://learn.hashicorp.com/vault/operations/autounseal-azure-keyvault)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/configuration/seal/gcpckms.html.md b/website/source/docs/configuration/seal/gcpckms.html.md
deleted file mode 100644
index c8c4621b6e0c..000000000000
--- a/website/source/docs/configuration/seal/gcpckms.html.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-layout: "docs"
-page_title: "GCP Cloud KMS - Seals - Configuration"
-sidebar_title: "GCP Cloud KMS"
-sidebar_current: "docs-configuration-seal-gcpckms"
-description: |-
-  The GCP Cloud KMS seal configures Vault to use GCP Cloud KMS as the seal wrapping
-  mechanism.
----
-
-# `gcpckms` Seal
-
-The GCP Cloud KMS seal configures Vault to use GCP Cloud KMS as the seal
-wrapping mechanism. The GCP Cloud KMS seal is activated by one of the following:
-
-* The presence of a `seal "gcpckms"` block in Vault's configuration file.
-* The presence of the environment variable `VAULT_SEAL_TYPE` set to `gcpckms`.
-  If enabling via environment variable, all other required values specific to
-  Cloud KMS (i.e. `VAULT_GCPCKMS_SEAL_KEY_RING`, etc.) must be also supplied, as
-  well as all other GCP-related environment variables that lends to successful
-  authentication (i.e. `GOOGLE_PROJECT`, etc.).
-
-## `gcpckms` Example
-
-This example shows configuring GCP Cloud KMS seal through the Vault
-configuration file by providing all the required values:
-
-```hcl
-seal "gcpckms" {
-  credentials = "/usr/vault/vault-project-user-creds.json"
-  project     = "vault-project"
-  region      = "global"
-  key_ring    = "vault-keyring"
-  crypto_key  = "vault-key"
-}
-```
-
-## `gcpckms` Parameters
-
-These parameters apply to the `seal` stanza in the Vault configuration file:
-
-- `credentials` `(string: <required>)`: The path to the credentials JSON file
-  to use. May be also specified by the `GOOGLE_CREDENTIALS` or
-  `GOOGLE_APPLICATION_CREDENTIALS` environment variable or set automatically if
-  running under Google App Engine, Google Compute Engine or Google Kubernetes
-  Engine.
-
-- `project` `(string: <required>)`: The GCP project ID to use. May also be
-  specified by the `GOOGLE_PROJECT` environment variable.
-
-- `region` `(string: "us-east-1")`: The GCP region/location where the key ring
-  lives. May also be specified by the `GOOGLE_REGION` environment variable.
-
-- `key_ring` `(string: <required>)`: The GCP CKMS key ring to use. May also be
-  specified by the `VAULT_GCPCKMS_SEAL_KEY_RING` environment variable.
-
-- `crypto_key` `(string: <required>)`: The GCP CKMS crypto key to use for
-  encryption and decryption. May also be specified by the
-  `VAULT_GCPCKMS_SEAL_CRYPTO_KEY` environment variable.
-
-## Authentication &amp; Permissions
-
-Authentication-related values must be provided, either as environment
-variables or as configuration parameters.
-
-GCP authentication values:
-
-* `GOOGLE_CREDENTIALS` or `GOOGLE_APPLICATION_CREDENTIALS`
-* `GOOGLE_PROJECT`
-* `GOOGLE_REGION`
-
-
-Note: The client uses the official Google SDK and will use the specified
-credentials, environment credentials, or [application default
-credentials](https://developers.google.com/identity/protocols/application-default-credentials)
-in that order, if the above GCP specific values are not provided.
-
-The service account needs the following minimum permissions on the crypto key:
-
-```text
-cloudkms.cryptoKeyVersions.useToEncrypt
-cloudkms.cryptoKeyVersions.useToDecrypt
-cloudkms.cryptoKeys.get
-```
-
-These permissions can be described with the following role:
-
-```text
-roles/cloudkms.cryptoKeyEncrypterDecrypter
-cloudkms.cryptoKeys.get
-```
-
-`cloudkms.cryptoKeys.get` permission is used for retrieving metadata information of keys from CloudKMS within this engine initialization process.
-
-## `gcpckms` Environment Variables
-
-Alternatively, the GCP Cloud KMS seal can be activated by providing the following
-environment variables:
-
-* `VAULT_SEAL_TYPE`
-* `VAULT_GCPCKMS_SEAL_KEY_RING`
-* `VAULT_GCPCKMS_SEAL_CRYPTO_KEY`
-
-
-## Key Rotation
-
-This seal supports rotating keys defined in Google Cloud KMS
-[doc](https://cloud.google.com/kms/docs/rotating-keys). Both scheduled rotation and manual
-rotation is supported for CKMS since the key information. Old keys version must not be
-disabled or deleted and are used to decrypt older data. Any new or updated data will be
-encrypted with the primary key version.
-
-## Learn
-
-Refer to the [Auto-unseal using GCP Cloud KMS](https://learn.hashicorp.com/vault/operations/autounseal-gcp-kms)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/configuration/seal/index.html.md b/website/source/docs/configuration/seal/index.html.md
deleted file mode 100644
index 428ca3d6ac37..000000000000
--- a/website/source/docs/configuration/seal/index.html.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-layout: "docs"
-page_title: "Seals - Configuration"
-sidebar_title: "<code>seal</code>"
-sidebar_current: "docs-configuration-seal"
-description: |-
-  The seal stanza configures the seal type to use for additional data protection.
----
-
-# `seal` Stanza
-
-The `seal` stanza configures the seal type to use for additional data
-protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the
-master key. This stanza is optional, and in the case of the master key, Vault
-will use the Shamir algorithm to cryptographically split the master key if this
-is not configured.
-
-As of Vault 0.9.0, the seal can also be used for [seal wrapping][sealwrap] to
-add an extra layer of protection and satisfy compliance and regulatory requirements. 
-This feature is only available in Vault Enterprise.
-
-For more examples, please choose a specific auto unsealing technology from the
-sidebar.
-
-## Configuration
-
-Seal configuration can be done through the Vault configuration file using the
-`seal` stanza:
-
-```hcl
-seal [NAME] {
-  # ...
-}
-```
-
-For example:
-
-```hcl
-seal "pkcs11" {
-  # ...
-}
-```
-
-For configuration options which also read an environment variable, the
-environment variable will take precedence over values in the configuration file.
-
-[sealwrap]: /docs/enterprise/sealwrap/index.html
diff --git a/website/source/docs/configuration/seal/ocikms.html.md b/website/source/docs/configuration/seal/ocikms.html.md
deleted file mode 100644
index fd8c61b8983e..000000000000
--- a/website/source/docs/configuration/seal/ocikms.html.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-layout: "docs"
-page_title: "OCI KMS - Seals - Configuration"
-sidebar_title: "OCI KMS"
-sidebar_current: "docs-configuration-seal-ocikms"
-description: |-
-  The OCI KMS seal configures Vault to use OCI KMS as the seal wrapping
-  mechanism.
----
-
-# `ocikms` Seal
-
-The OCI KMS seal configures Vault to use OCI KMS as the seal wrapping mechanism.
-The OCI KMS seal is activated by one of the following:
-
-* The presence of a `seal "ocikms"` block in Vault's configuration file
-* The presence of the environment variable `VAULT_SEAL_TYPE` set to `ocikms`. If
-  enabling via environment variable, all other required values specific to OCI
-  KMS (i.e. `VAULT_OCIKMS_SEAL_KEY_ID`, `VAULT_OCIKMS_CRYPTO_ENDPOINT` `VAULT_OCIKMS_MANAGEMENT_ENDPOINT`) must be also supplied, as well as all
-  other OCI-related [environment variables][oci-sdk] that lends to successful
-  authentication. 
-  
-## `ocikms` Example
-
-This example shows configuring the OCI KMS seal through the Vault configuration file
-by providing all the required values:
-
-```hcl
-seal "ocikms" {
-    key_id               = "ocid1.key.oc1.iad.afnxza26aag4s.abzwkljsbapzb2nrha5nt3s7s7p42ctcrcj72vn3kq5qx"
-    crypto_endpoint      = "https://afnxza26aag4s-crypto.kms.us-ashburn-1.oraclecloud.com"
-    management_endpoint  = "https://afnxza26aag4s-management.kms.us-ashburn-1.oraclecloud.com"
-    auth_type_api_key    = "true"
-}
-```
-
-## `ocikms` Parameters
-
-These parameters apply to the `seal` stanza in the Vault configuration file:
-
-- `key_id` `(string: <required>)`: The OCI KMS key ID to use. May also be
-  specified by the `VAULT_OCIKMS_SEAL_KEY_ID` environment variable.
-- `crypto_endpoint` `(string: <required>)`: The OCI KMS cryptographic endpoint (or data plane endpoint) 
-  to be used to make OCI KMS encryption/decryption requests. May also be specified by the `VAULT_OCIKMS_CRYPTO_ENDPOINT` environment
-  variable.
-- `management_endpoint` `(string: <required>)`: The OCI KMS management endpoint (or control plane endpoint) 
-  to be used to make OCI KMS key management requests. May also be specified by the `VAULT_OCIKMS_MANAGEMENT_ENDPOINT` environment
-  variable.
-- `auth_type_api_key` `(boolean: false)`: Specifies if using API key to authenticate to OCI KMS service.
-  If it is `false`, Vault authenticates using the instance principal from the compute instance. See Authentication section for details. Default is `false`. 
-
-## Authentication
-
-Authentication-related values must be provided, either as environment
-variables or as configuration parameters.
-
-If you want to use Instance Principal, add section configuration below and add further configuration settings as detailed at https://www.vaultproject.io/docs/configuration/.
-
-```hcl
-seal "ocikms" {
-    crypto_endpoint     = "<kms-crypto-endpoint>"
-    management_endpoint = "<kms-management-endpoint>"
-    key_id              = "<kms-key-id>"
-}
-# Notes:
-# crypto_endpoint can be replaced by VAULT_OCIKMS_CRYPTO_ENDPOINT environment var
-# management_endpoint can be replaced by VAULT_OCIKMS_MANAGEMENT_ENDPOINT environment var
-# key_id can be replaced by VAULT_OCIKMS_SEAL_KEY_ID environment var
-```
-   
-If you want to use User Principal, the plugin will take the API key you defined for OCI SDK, often under `~/.oci/config`.
-
-```hcl
-seal "ocikms" {
-    auth_type_api_key   = true
-    crypto_endpoint     = "<kms-crypto-endpoint>"
-    management_endpoint = "<kms-management-endpoint>"
-    key_id              = "<kms-key-id>"
-}
-```
-
-To grant permission for a compute instance to use OCI KMS service, write policies for KMS access.
-
-- Create a [Dynamic Group][oci-dg] in your OCI tenancy.
-- Create a policy that allows the Dynamic Group to use or manage keys from OCI KMS. There are multiple ways to write these policies. The [OCI Identity Policy][oci-id] can be used as a reference or starting point.
-
-The most common policy allows a dynamic group of tenant A to use KMS's keys in tenant B:
-
-```text
-define tenancy tenantB as <tenantB-ocid>
- 
-endorse dynamic-group <dynamic-group-name> to use keys in tenancy tenantB
-
-```
-
-```text
-define tenancy tenantA as <tenantA-ocid>
-
-define dynamic-group <dynamic-group-name> as <dynamic-group-ocid>
-
-admit dynamic-group <dynamic-group-name> of tenancy tenantA to use keys in compartment <key-compartment>
-
-```
-   
-## `ocikms` Rotate OCI KMS Master Key
-
-For the [OCI KMS key rotation feature][oci-kms-rotation], OCI KMS will create a new version of key internally. This process is independent from Vault, and Vault still uses the same `key_id` without any interruption.
-
-If you want to change the `key_id`: migrate to Shamir, change `key_id`, and then migrate to OCI KMS with the new `key_id`.
-
-[oci-sdk]: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
-[oci-dg]:  https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm
-[oci-id]: https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policies.htm
-[oci-kms-rotation]: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Tasks/managingkeys.htm
-
-
diff --git a/website/source/docs/configuration/seal/pkcs11.html.md b/website/source/docs/configuration/seal/pkcs11.html.md
deleted file mode 100644
index af3652873677..000000000000
--- a/website/source/docs/configuration/seal/pkcs11.html.md
+++ /dev/null
@@ -1,249 +0,0 @@
----
-layout: "docs"
-page_title: "PKCS11 - Seals - Configuration"
-sidebar_title: "HSM PKCS11 <sup>ENT</sup>"
-sidebar_current: "docs-configuration-seal-pkcs11"
-description: |-
-  The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal
-  wrapping mechanism.
----
-
-# `pkcs11` Seal
-
-The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal wrapping
-mechanism. Vault Enterprise's HSM PKCS11 support is activated by one of the
-following:
-
-* The presence of a `seal "pkcs11"` block in Vault's configuration file
-* The presence of the environment variable `VAULT_HSM_LIB` set to the library's
-  path as well as `VAULT_HSM_TYPE` set to `pkcs11`. If enabling via environment
-  variable, all other required values (i.e. `VAULT_HSM_SLOT`) must be also
-  supplied.
-
-**IMPORTANT**: Having Vault generate its own key is the easiest way to get up
-and running, but for security, Vault marks the key as non-exportable. If your
-HSM key backup strategy requires the key to be exportable, you should generate
-the key yourself. The list of creation attributes that Vault uses to generate
-the key are listed at the end of this document.
-
-## Requirements
-
-The following software packages are required for Vault Enterprise HSM:
-
-- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
-  higher of PKCS#11. Depending on any given HSM, some functions (such as key
-  generation) may have to be performed manually.
-- The [GNU libltdl
-  library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html)
-  — ensure that it is installed for the correct architecture of your servers
-
-## `pkcs11` Example
-
-This example shows configuring HSM PKCS11 seal through the Vault configuration
-file by providing all the required values:
-
-```hcl
-seal "pkcs11" {
-  lib            = "/usr/vault/lib/libCryptoki2_64.so"
-  slot           = "0"
-  pin            = "AAAA-BBBB-CCCC-DDDD"
-  key_label      = "vault-hsm-key"
-  hmac_key_label = "vault-hsm-hmac-key"
-}
-```
-
-## `pkcs11` Parameters
-
-These parameters apply to the `seal` stanza in the Vault configuration file:
-
-- `lib` `(string: <required>)`: The path to the PKCS#11 library shared object
-  file. May also be specified by the `VAULT_HSM_LIB` environment variable.
-  **Note:** Depending on your HSM, this may be either a binary or a dynamic
-  library, and its use may require other libraries depending on which system the
-  Vault binary is currently running on (e.g.: a Linux system may require other
-  libraries to interpret Windows .dll files).
-
-- `slot` `(string: <slot or token label required>)`: The slot number to use,
-  specified as a string (e.g. `"0"`). May also be specified by the `VAULT_HSM_SLOT`
-  environment variable.
-
-- `token_label` `(string: <slot or token label required>)`: The slot token label to
-  use. May also be specified by the `VAULT_HSM_TOKEN_LABEL` environment variable.
-
-- `pin` `(string: <required>)`: The PIN for login. May also be specified by the
-  `VAULT_HSM_PIN` environment variable. _If set via the environment variable,
-  Vault will obfuscate the environment variable after reading it, and it will
-  need to be re-set if Vault is restarted._
-
-- `key_label` `(string: <required>)`: The label of the key to use. If the key
-  does not exist and generation is enabled, this is the label that will be given
-  to the generated key. May also be specified by the `VAULT_HSM_KEY_LABEL`
-  environment variable.
-
-- `default_key_label` `(string: "")`: This is the default key label for decryption
-  operations.  Prior to 0.10.1, key labels were not stored with the ciphertext.
-  Seal entries now track the label used in encryption operations.  The default value
-  for this field is the `key_label`.  If `key_label` is rotated and this value is not
-  set, decryption may fail. May also be specified by the `VAULT_HSM_DEFAULT_KEY_LABEL`
-  environment variable.  This value is ignored in new installations.
-
-- `hmac_key_label` `(string: <required>)`: The label of the key to use for
-  HMACing. This needs to be a suitable type. If Vault tries to create this it
-  will attempt to use CKK_GENERIC_SECRET_KEY. If the key does not exist and
-  generation is enabled, this is the label that will be given to the generated
-  key. May also be specified by the `VAULT_HSM_HMAC_KEY_LABEL` environment
-  variable.
-
-- `default_hmac_key_label` `(string: "")`: This is the default HMAC key label for signing
-  operations.  Prior to 0.10.1, HMAC key labels were not stored with the signature.
-  Seal entries now track the label used in signing operations.  The default value
-  for this field is the `hmac_key_label`.  If `hmac_key_label` is rotated and this
-  value is not set, signature verification may fail. May also be specified by the
-  `VAULT_HSM_HMAC_DEFAULT_KEY_LABEL` environment variable.  This value is ignored in
-  new installations.
-
-- `mechanism` `(string: <best available>)`: The encryption/decryption mechanism to use,
-  specified as a decimal or hexadecimal (prefixed by `0x`) string. May also be
-  specified by the `VAULT_HSM_MECHANISM` environment variable.  
-  Currently supported mechanisms (in order of precedence):
-
-    - `0x1085` `CKM_AES_CBC_PAD` (HMAC mechanism required)
-    - `0x1082` `CKM_AES_CBC` (HMAC mechanism required)
-    - `0x1087` `CKM_AES_GCM`
-    - `0x0009` `CKM_RSA_PKCS_OAEP`
-    - `0x0001` `CKM_RSA_PKCS`
-
-- `hmac_mechanism` `(string: "0x0251")`: The encryption/decryption mechanism to
-  use, specified as a decimal or hexadecimal (prefixed by `0x`) string.
-  Currently only `0x0251` (corresponding to `CKM_SHA256_HMAC` from the
-  specification) is supported. May also be specified by the
-  `VAULT_HSM_HMAC_MECHANISM` environment variable. This value is only required
-  for specific mechanisms.
-
-- `generate_key` `(string: "false")`: If no existing key with the label
-  specified by `key_label` can be found at Vault initialization time, instructs
-  Vault to generate a key. This is a boolean expressed as a string (e.g.
-  `"true"`). May also be specified by the `VAULT_HSM_GENERATE_KEY` environment
-  variable. Vault may not be able to successfully generate keys in all
-  circumstances, such as if proprietary vendor extensions are required to
-  create keys of a suitable type.
-
-### Mechanism Specific Flags
-
-- `rsa_encrypt_local` `(string: "false")`: For HSMs that do not support encryption
-  for RSA keys, perform encryption locally.  Available for mechanisms
-  `CKM_RSA_PKCS_OAEP` and `CKM_RSA_PKCS`.  May also be specified by the
-  `VAULT_HSM_RSA_ENCRYPT_LOCAL` environment variable.
-
-- `rsa_oaep_hash` `(string: "sha256")`: Specify the hash algorithm to use for RSA
-  with OAEP padding.  Valid values are sha1, sha224, sha256, sha384, and sha512.
-  Available for mechanism `CKM_RSA_PKCS_OAEP`.  May also be specified by the
-  `VAULT_HSM_RSA_OAEP_HASH` environment variable.
-
-~> **Note:** Although the configuration file allows you to pass in
-`VAULT_HSM_PIN` as part of the seal's parameters, it is *strongly* recommended
-to set this value via environment variables.
-
-## `pkcs11` Environment Variables
-
-Alternatively, the HSM seal can be activated by providing the following
-environment variables:
-
-```text
-VAULT_HSM_LIB
-VAULT_HSM_TYPE
-VAULT_HSM_SLOT
-VAULT_HSM_TOKEN_LABEL
-VAULT_HSM_PIN
-VAULT_HSM_KEY_LABEL
-VAULT_HSM_DEFAULT_KEY_LABEL
-VAULT_HSM_HMAC_KEY_LABEL
-VAULT_HSM_HMAC_DEFAULT_KEY_LABEL
-VAULT_HSM_MECHANISM
-VAULT_HSM_HMAC_MECHANISM
-VAULT_HSM_GENERATE_KEY
-VAULT_HSM_RSA_ENCRYPT_LOCAL
-VAULT_HSM_RSA_OAEP_HASH
-```
-
-## Vault Key Generation Attributes
-
-If Vault generates the HSM key for you, the following is the list of attributes
-it uses. These identifiers correspond to official PKCS#11 identifiers.
-
-### AES Key
-
-* `CKA_CLASS`: `CKO_SECRET_KEY` (It's a secret key)
-* `CKA_KEY_TYPE`: `CKK_AES` (Key type is AES)
-* `CKA_VALUE_LEN`: `32` (Key size is 256 bits)
-* `CKA_LABEL`: Set to the key label set in Vault's configuration
-* `CKA_ID`: Set to a random 32-bit unsigned integer
-* `CKA_PRIVATE`: `true` (Key is private to this slot/token)
-* `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
-  session only)
-* `CKA_SENSITIVE`: `true` (Key is a sensitive value)
-* `CKA_ENCRYPT`: `true` (Key can be used for encryption)
-* `CKA_DECRYPT`: `true` (Key can be used for decryption)
-* `CKA_WRAP`: `true` (Key can be used for wrapping)
-* `CKA_UNWRAP`: `true` (Key can be used for unwrapping)
-* `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
-
-### RSA Key
-
-_Public Key_
-
-* `CKA_CLASS`: `CKO_PUBLIC_KEY` (It's a public key)
-* `CKA_KEY_TYPE`: `CKK_RSA` (Key type is RSA)
-* `CKA_LABEL`: Set to the key label set in Vault's configuration
-* `CKA_ID`: Set to a random 32-bit unsigned integer
-* `CKA_ENCRYPT`: `true` (Key can be used for encryption)
-* `CKA_WRAP`: `true` (Key can be used for wrapping)
-* `CKA_MODULUS_BITS`: `2048` (Key size is 2048 bits)
-* `CKA_PUBLIC_EXPONENT`: `0x10001` (Public exponent of 65537)
-* `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
-  session only)
-
-_Private Key_
-
-* `CKA_CLASS`: `CKO_PRIVATE_KEY` (It's a private key)
-* `CKA_KEY_TYPE`: `CKK_RSA` (Key type is RSA)
-* `CKA_LABEL`: Set to the key label set in Vault's configuration
-* `CKA_ID`: Set to a random 32-bit unsigned integer
-* `CKA_DECRYPT`: `true` (Key can be used for decryption)
-* `CKA_UNWRAP`: `true` (Key can be used for unwrapping)
-* `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
-  session only)
-* `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
-
-### HMAC Key
-
-* `CKA_CLASS`: `CKO_SECRET_KEY` (It's a secret key)
-* `CKA_KEY_TYPE`: `CKK_GENERIC_SECRET_KEY` (Key type is a generic secret key)
-* `CKA_VALUE_LEN`: `32` (Key size is 256 bits)
-* `CKA_LABEL`: Set to the HMAC key label set in Vault's configuration
-* `CKA_ID`: Set to a random 32-bit unsigned integer
-* `CKA_PRIVATE`: `true` (Key is private to this slot/token)
-* `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
-  session only)
-* `CKA_SENSITIVE`: `true` (Key is a sensitive value)
-* `CKA_SIGN`: `true` (Key can be used for signing)
-* `CKA_VERIFY`: `true` (Key can be used for verifying)
-* `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
-
-## Key Rotation
-
-This seal supports rotating keys by using different key labels to track key versions. To rotate
-the key value, generate a new key in a different key label in the HSM and update Vault's
-configuration with the new key label value.  Restart your vault instance to pick up the new key
-label and all new encryption operations will use the updated key label. Old keys must not be disabled
-or deleted and are used to decrypt older data.
-
-**NOTE**: Prior to version 0.10.1, key information was not tracked with the ciphertext. If
-rotation is desired for data that was seal wrapped prior to this version must also set
-`default_key_label` and `hmac_default_key_label` to allow for decryption of older values.
-
-
-## Learn
-
-Refer to the [HSM Integration - Seal Wrap](https://learn.hashicorp.com/vault/operations/ops-seal-wrap)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/configuration/seal/transit.html.md b/website/source/docs/configuration/seal/transit.html.md
deleted file mode 100644
index dc5676022e6d..000000000000
--- a/website/source/docs/configuration/seal/transit.html.md
+++ /dev/null
@@ -1,123 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Transit - Seals - Configuration"
-sidebar_title: "Vault Transit"
-sidebar_current: "docs-configuration-seal-transit"
-description: |-
-  The Transit seal configures Vault to use Vault's Transit Secret Engine as the
-  autoseal mechanism.
----
-
-# `transit` Seal
-
-The Transit seal configures Vault to use Vault's Transit Secret Engine as the
-autoseal mechanism.
-The Transit seal is activated by one of the following:
-
-* The presence of a `seal "transit"` block in Vault's configuration file
-* The presence of the environment variable `VAULT_SEAL_TYPE` set to `transit`.
-
-## `transit` Example
-
-This example shows configuring Transit seal through the Vault configuration file
-by providing all the required values:
-
-```hcl
-seal "transit" {
-  address            = "https://vault:8200"
-  token              = "s.Qf1s5zigZ4OX6akYjQXJC1jY"
-  disable_renewal    = "false"
-
-  // Key configuration
-  key_name           = "transit_key_name"
-  mount_path         = "transit/"
-  namespace          = "ns1/"
-
-  // TLS Configuration
-  tls_ca_cert        = "/etc/vault/ca_cert.pem"
-  tls_client_cert    = "/etc/vault/client_cert.pem"
-  tls_client_key     = "/etc/vault/ca_cert.pem"
-  tls_server_name    = "vault"
-  tls_skip_verify    = "false"
-}
-```
-
-## `transit` Parameters
-
-These parameters apply to the `seal` stanza in the Vault configuration file:
-
-- `address` `(string: <required>)`: The full address to the Vault cluster.
-  This may also be specified by the `VAULT_ADDR` environment variable.
-
-- `token` `(string: <required>)`: The Vault token to use. This may also be
-  specified by the `VAULT_TOKEN` environment variable.
-
-- `key_name` `(string: <required>)`: The transit key to use for encryption and
-  decryption.  This may also be supplied using the `VAULT_TRANSIT_SEAL_KEY_NAME`
-  environment variable.
-
-- `mount_path` `(string: <required>)`: The mount path to the transit secret engine.  
-  This may also be supplied using the `VAULT_TRANSIT_SEAL_MOUNT_PATH` environment
-  variable.
-
-- `namespace` `(string: "")`: The namespace path to the transit secret engine.  
-  This may also be supplied using the `VAULT_NAMESPACE` environment variable.
-
-- `disable_renewal` `(string: "false")`: Disables the automatic renewal of the token
-  in case the lifecycle of the token is managed with some other mechanism outside of
-  Vault, such as Vault Agent.  This may also be specified using the
-  `VAULT_TRANSIT_SEAL_DISABLE_RENEWAL` environment variable.
-
-- `tls_ca_cert` `(string: "")`: Specifies the path to the CA certificate file used
-  for communication with the Vault server.  This may also be specified using the
-  `VAULT_CA_CERT` environment variable.
-
-- `tls_client_cert` `(string: "")`: Specifies the path to the client certificate
-  for communication with the Vault server.  This may also be specified using the
-  `VAULT_CLIENT_CERT` environment variable.
-
-- `tls_client_key` `(string: "")`: Specifies the path to the private key for
-  communication with the Vault server.  This may also be specified using the
-  `VAULT_CLIENT_KEY` environment variable.
-
-- `tls_server_name` `(string: "")`: Name to use as the SNI host when connecting
-  to the Vault server via TLS.  This may also be specified via the
-  `VAULT_TLS_SERVER_NAME` environment variable.
-
-- `tls_skip_verify` `(bool: "false")`: Disable verification of TLS certificates.
-  Using this option is highly discouraged and decreases the security of data
-  transmissions to and from the Vault server.  This may also be specified using the
-  `VAULT_SKIP_VERIFY` environment variable.
-
-## Authentication
-
-Authentication-related values must be provided, either as environment
-variables or as configuration parameters.
-
-~> **Note:** Although the configuration file allows you to pass in
-`VAULT_TOKEN` as part of the seal's parameters, it is *strongly* recommended
-to set these values via environment variables.
-
-The Vault token used to authenticate needs the following permissions on the
-transit key:
-
-```hcl
-path "<mount path>/encrypt/<key name>" {
-  capabilities = ["update"]
-}
-
-path "<mount path>/decrypt/<key name>" {
-  capabilities = ["update"]
-}
-```
-
-## Key Rotation
-
-This seal supports key rotation using the Transit Secret Engine's key rotation endpoints.  See
-[doc](/api/secret/transit/index.html#rotate-key). Old keys must not be disabled or deleted and are
-used to decrypt older data.
-
-## Learn
-
-Refer to the [Auto-unseal using Transit Secrets Engine](https://learn.hashicorp.com/vault/operations/autounseal-transit)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/configuration/service-registration/consul.html.md b/website/source/docs/configuration/service-registration/consul.html.md
deleted file mode 100644
index c724444fa1ca..000000000000
--- a/website/source/docs/configuration/service-registration/consul.html.md
+++ /dev/null
@@ -1,231 +0,0 @@
----
-layout: "docs"
-page_title: "Consul - Service Registration - Configuration"
-sidebar_title: "Consul"
-sidebar_current: "docs-configuration-storage-consul"
-description: |-
-  Consul Service Registration registers Vault as a service in Consul with a default
-  health check.
----
-
-# Consul Service Registration
-
-Consul Service Registration registers Vault as a service in [Consul][consul] with
-a default health check.
-
-- **HashiCorp Supported** – Consul Service Registration is officially supported
-by HashiCorp.
-
-```hcl
-service_registration "consul" {
-  address      = "127.0.0.1:8500"
-}
-```
-
-Once properly configured, an unsealed Vault installation should be available and
-accessible at:
-
-```text
-active.vault.service.consul
-```
-
-Unsealed Vault instances in standby mode are available at:
-
-```text
-standby.vault.service.consul
-```
-
-All unsealed Vault instances are available as healthy at:
-
-```text
-vault.service.consul
-```
-
-Sealed Vault instances will mark themselves as unhealthy to avoid being returned
-at Consul's service discovery layer.
-
-## `consul` Parameters
-
-- `address` `(string: "127.0.0.1:8500")` – Specifies the address of the Consul
-  agent to communicate with. This can be an IP address, DNS record, or unix
-  socket. It is recommended that you communicate with a local Consul agent; do
-  not communicate directly with a server.
-
-- `check_timeout` `(string: "5s")` – Specifies the check interval used to send
-  health check information back to Consul. This is specified using a label
-  suffix like `"30s"` or `"1h"`.
-
-- `disable_registration` `(string: "false")` – Specifies whether Vault should
-  register itself with Consul.
-
-- `scheme` `(string: "http")` – Specifies the scheme to use when communicating
-  with Consul. This can be set to "http" or "https". It is highly recommended
-  you communicate with Consul over https over non-local connections. When
-  communicating over a unix socket, this option is ignored.
-
-- `service` `(string: "vault")` – Specifies the name of the service to register
-  in Consul.
-
-- `service_tags` `(string: "")` – Specifies a comma-separated list of tags to
-  attach to the service registration in Consul.
-
-- `service_address` `(string: nil)` – Specifies a service-specific address to
-  set on the service registration in Consul. If unset, Vault will use what it
-  knows to be the HA redirect address - which is usually desirable. Setting
-  this parameter to `""` will tell Consul to leverage the configuration of the
-  node the service is registered on dynamically. This could be beneficial if
-  you intend to leverage Consul's
-  [`translate_wan_addrs`][consul-translate-wan-addrs] parameter.
-
-- `token` `(string: "")` – Specifies the [Consul ACL token][consul-acl] with
-  permission to read and write from the `path` in Consul's key-value store.
-  This is **not** a Vault token. See the ACL section below for help.
-
-The following settings apply when communicating with Consul via an encrypted
-connection. You can read more about encrypting Consul connections on the
-[Consul encryption page][consul-encryption].
-
-- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate used
-  for Consul communication. This defaults to system bundle if not specified.
-  This should be set according to the
-  [`ca_file`](https://www.consul.io/docs/agent/options.html#ca_file) setting in
-  Consul.
-
-- `tls_cert_file` `(string: "")` (optional) – Specifies the path to the
-  certificate for Consul communication. This should be set according to the
-  [`cert_file`](https://www.consul.io/docs/agent/options.html#cert_file) setting
-  in Consul.
-
-- `tls_key_file` `(string: "")` – Specifies the path to the private key for
-  Consul communication. This should be set according to the
-  [`key_file`](https://www.consul.io/docs/agent/options.html#key_file) setting
-  in Consul.
-
-- `tls_min_version` `(string: "tls12")` – Specifies the minimum TLS version to
-  use. Accepted values are `"tls10"`, `"tls11"` or `"tls12"`.
-
-- `tls_skip_verify` `(string: "false")` – Disable verification of TLS certificates.
-  Using this option is highly discouraged.
-
-## ACLs
-
-If using ACLs in Consul, you'll need appropriate permissions. For Consul 0.8,
-the following will work for most use-cases, assuming that your service name is
-`vault` and the prefix being used is `vault/`:
-
-```json
-{
-  "key": {
-    "vault/": {
-      "policy": "write"
-    }
-  },
-  "node": {
-    "": {
-      "policy": "write"
-    }
-  },
-  "service": {
-    "vault": {
-      "policy": "write"
-    }
-  },
-  "agent": {
-    "": {
-      "policy": "write"
-    }
-
-  },
-  "session": {
-    "": {
-      "policy": "write"
-    }
-  }
-}
-```
-
-For Consul 1.4+, the following example takes into account the changed ACL
-language:
-
-```json
-{
-  "key_prefix": {
-    "vault/": {
-      "policy": "write"
-    }
-  },
-  "node_prefix": {
-    "": {
-      "policy": "write"
-    }
-  },
-  "service": {
-    "vault": {
-      "policy": "write"
-    }
-  },
-  "agent_prefix": {
-    "": {
-      "policy": "write"
-    }
-
-  },
-  "session_prefix": {
-    "": {
-      "policy": "write"
-    }
-  }
-}
-```
-
-## `consul` Examples
-
-### Local Agent
-
-This example shows a sample configuration which communicates with a local
-Consul agent running on `127.0.0.1:8500`.
-
-```hcl
-service_registration "consul" {}
-```
-
-### Detailed Customization
-
-This example shows communicating with Consul on a custom address with an ACL
-token.
-
-```hcl
-service_registration "consul" {
-  address = "10.5.7.92:8194"
-  token   = "abcd1234"
-}
-```
-
-### Consul via Unix Socket
-
-This example shows communicating with Consul over a local unix socket.
-
-```hcl
-service_registration "consul" {
-  address = "unix:///tmp/.consul.http.sock"
-}
-```
-
-### Custom TLS
-
-This example shows using a custom CA, certificate, and key file to securely
-communicate with Consul over TLS.
-
-```hcl
-service_registration "consul" {
-  scheme        = "https"
-  tls_ca_file   = "/etc/pem/vault.ca"
-  tls_cert_file = "/etc/pem/vault.cert"
-  tls_key_file  = "/etc/pem/vault.key"
-}
-```
-
-[consul]: https://www.consul.io/ "Consul by HashiCorp"
-[consul-acl]: https://www.consul.io/docs/guides/acl.html "Consul ACLs"
-[consul-encryption]: https://www.consul.io/docs/agent/encryption.html "Consul Encryption"
-[consul-translate-wan-addrs]: https://www.consul.io/docs/agent/options.html#translate_wan_addrs "Consul Configuration"
diff --git a/website/source/docs/configuration/service-registration/index.html.md b/website/source/docs/configuration/service-registration/index.html.md
deleted file mode 100644
index 484c378396a2..000000000000
--- a/website/source/docs/configuration/service-registration/index.html.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-layout: "docs"
-page_title: "Service Registration - Configuration"
-sidebar_title: "<code>service_registration</code>"
-sidebar_current: "docs-configuration-serviceDiscovery"
-description: |-
-  The optional `service_registration` stanza configures Vault's mechanism for
-  service registration.  
----
-
-# `service_registration` Stanza
-
-The optional `service_registration` stanza configures Vault's mechanism for
-service registration.  The `service_registration` stanza is designed for use cases
-where you would like to use a system like [Consul][consul] for [service
-discovery][consul-discovery], but use a different system for the [storage
-backend][storage-backend].  
-
-When Consul is configured as the [storage backend][consul-backend], Vault
-implicitly uses Consul for service registration, so the `service_registration` stanza
-is not needed.  
-
-For times when you would like to use a different storage backend, like
-[Raft][raft-backend], but still have service registration available, the
-`service_registration` stanza can be used:
-
-```hcl
-service_registration "consul" {
-  address = "127.0.0.1:8500"
-}
-storage "raft" {
-  path = "/path/to/raft/data"
-  node_id = "raft_node_1"
-}
-```
-
-For information about a specific service registration provider, choose one from
-the navigation on the left.
-
-## Configuration
-
-Service registration configuration is done through the Vault configuration file
-using the `service_registration` stanza:
-
-```hcl
-service_registration [NAME] {
-  [PARAMETERS...]
-}
-```
-
-For example:
-
-```hcl
-service_registration "consul" {
-  address = "127.0.0.1:8500"
-}
-```
-
-For configuration options which also read an environment variable, the
-environment variable will take precedence over values in the configuration
-file.
-
-[consul]: https://www.consul.io/
-[consul-discovery]: https://www.consul.io/discovery.html
-[storage-backend]: /docs/configuration/storage/index.html
-[consul-backend]: /docs/configuration/storage/consul.html
-[raft-backend]: /docs/configuration/storage/raft.html
diff --git a/website/source/docs/configuration/storage/alicloudoss.html.md b/website/source/docs/configuration/storage/alicloudoss.html.md
deleted file mode 100644
index 212a2bf0cd5b..000000000000
--- a/website/source/docs/configuration/storage/alicloudoss.html.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-layout: "docs"
-page_title: "Alicloud OSS - Storage Backends - Configuration"
-sidebar_title: "AliCloud OSS"
-sidebar_current: "docs-configuration-storage-alicloudoss"
-description: |-
-  The Alicloud OSS storage backend is used to persist Vault's data in
-  an Alicloud OSS bucket.
----
-
-# Alicloud OSS Storage Backend
-
-The Alicloud OSS storage backend is used to persist Vault's data in
-an [Alicloud OSS][alicloudoss] bucket.
-
-- **No High Availability** – the Alicloud OSS storage backend does not support
-  high availability.
-
-- **Community Supported** – the Alicloud OSS storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "alicloudoss" {
-  access_key = "abcd1234"
-  secret_key = "defg5678"
-  endpoint   = "oss-us-west-1.aliyuncs.com"
-  bucket     = "my-bucket"
-}
-```
-
-## `alicloudoss` Parameters
-
-- `bucket` `(string: <required>)` – Specifies the name of the OSS bucket. This
-  can also be provided via the environment variable `ALICLOUD_OSS_BUCKET`.
-
-- `endpoint` `(string: "")` – Specifies the OSS endpoint. This can also be
- provided via the environment variable `ALICLOUD_OSS_ENDPOINT`.
-
-The following settings are used for authenticating to Alicloud.
-
-- `access_key` – Specifies the Alicloud access key. This can also be provided via
-  the environment variable `ALICLOUD_ACCESS_KEY`.
-
-- `secret_key` – Specifies the Alicloud secret key. This can also be provided via
-  the environment variable `ALICLOUD_SECRET_KEY`.
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests to Alicloud OSS.
-
-## `alicloudoss` Examples
-
-### Default Example
-
-This example shows using Alicloud OSS as a storage backend.
-
-```hcl
-storage "alicloudoss" {
-  access_key = "abcd1234"
-  secret_key = "defg5678"
-  endpoint   = "oss-us-west-1.aliyuncs.com"
-  bucket     = "my-bucket"
-}
-```
-
-[alicloudoss]: https://www.alibabacloud.com/product/oss
diff --git a/website/source/docs/configuration/storage/azure.html.md b/website/source/docs/configuration/storage/azure.html.md
deleted file mode 100644
index 12e40d57050f..000000000000
--- a/website/source/docs/configuration/storage/azure.html.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-layout: "docs"
-page_title: "Azure - Storage Backends - Configuration"
-sidebar_title: "Azure"
-sidebar_current: "docs-configuration-storage-azure"
-description: |-
-  The Azure storage backend is used to persist Vault's data in an Azure Storage
-  Container. The storage container must already exist and the provided account
-  credentials must have read and write  permissions to the storage container.
----
-
-# Azure Storage Backend
-
-The Azure storage backend is used to persist Vault's data in an
-[Azure Storage Container][azure-storage]. The storage container must already
-exist and the provided account credentials must have read and write permissions
-to the storage container. The storage account type must support block blobs. This
-currently includes the general purpose "Storage V2" type with _Standard_ performance
-(Premium will not work), as well as Premium "Block Blob Storage"
-([limited region availability](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=storage&regions=all)).
-
-
-- **No High Availability** – the Azure storage backend does not support high
-  availability.
-
-- **Community Supported** – the Azure storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "azure" {
-  accountName = "my-storage-account"
-  accountKey  = "abcd1234"
-  container   = "container-efgh5678"
-  environment = "AzurePublicCloud"
-}
-```
-
-The current implementation is limited to a maximum of 4 megabytes per blob.
-
-## `azure` Parameters
-
-- `accountName` `(string: <required>)` – Specifies the Azure Storage account
-  name.
-
-- `accountKey` `(string: <required>)` – Specifies the Azure Storage account key.
-
-- `container` `(string: <required>)` – Specifies the Azure Storage Blob
-  container name.
-
-- `environment` `(string: "AzurePublicCloud")` - Specifies the cloud
-   environment the storage account belongs to by way of the case-insensitive
-   name defined in the [Azure Go SDK][azure-environment].
-
-- `arm_endpoint` `(string: "")` - Specifies the cloud environment
-  the storage account belongs to by way of the Azure Resource Manager endpoint
-  URL.
-
-- `max_parallel` `(string: "128")` – Specifies The maximum number of concurrent
-  requests to Azure.
-
-## `azure` Examples
-
-This example shows configuring the Azure storage backend with a custom number of
-maximum parallel connections.
-
-```hcl
-storage "azure" {
-  accountName  = "my-storage-account"
-  accountKey   = "abcd1234"
-  container    = "container-efgh5678"
-  max_parallel = 512
-}
-```
-
-[azure-storage]: https://azure.microsoft.com/en-us/services/storage/
-[azure-environment]: https://godoc.org/github.com/Azure/go-autorest/autorest/azure#pkg-variables
diff --git a/website/source/docs/configuration/storage/cassandra.html.md b/website/source/docs/configuration/storage/cassandra.html.md
deleted file mode 100644
index 417a5bb1e151..000000000000
--- a/website/source/docs/configuration/storage/cassandra.html.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-layout: "docs"
-page_title: "Cassandra - Storage Backends - Configuration"
-sidebar_title: "Cassandra"
-sidebar_current: "docs-configuration-storage-cassandra"
-description: |-
-  The Cassandra storage backend is used to persist Vault's data in an Apache
-  Cassandra cluster.
----
-
-# Cassandra Storage Backend
-
-The Cassandra storage backend is used to persist Vault's data in an [Apache
-Cassandra][cassandra] cluster.
-
-- **No High Availability** – the Cassandra storage backend does not support high
-  availability.
-
-- **Community Supported** – the Cassandra storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with it,
-  you may be referred to the original author.
-
-```hcl
-storage "cassandra" {
-  hosts            = "localhost"
-  consistency      = "LOCAL_QUORUM"
-  protocol_version = 3
-}
-```
-
-The Cassandra storage backend does not automatically create the keyspace and
-table. This sample configuration can be used as a guide, but you will want to
-ensure the keyspace [replication options][replication-options]
-are appropriate for your cluster:
-
-```cql
-CREATE KEYSPACE "vault" WITH REPLICATION = {
-    'class': 'SimpleStrategy',
-    'replication_factor': 1
-};
-
-CREATE TABLE "vault"."entries" (
-    bucket text,
-    key text,
-    value blob,
-    PRIMARY KEY (bucket, key)
-) WITH CLUSTERING ORDER BY (key ASC);
-```
-
-## `cassandra` Parameters
-
-* `hosts` `(string: "127.0.0.1")` – Comma-separated list of Cassandra hosts to
-  connect to.
-
-* `keyspace` `(string: "vault")` Cassandra keyspace to use.
-
-* `table` `(string: "entries")` – Table within the `keyspace` in which to store
-  data.
-
-* `consistency` `(string: "LOCAL_QUORUM")` Consistency level to use when
-  reading/writing data. If set, must be one of `"ANY"`, `"ONE"`, `"TWO"`,
-  `"THREE"`, `"QUORUM"`, `"ALL"`, `"LOCAL_QUORUM"`, `"EACH_QUORUM"`, or 
-  `"LOCAL_ONE"`.
-
-* `protocol_version` `(int: 2)` Cassandra protocol version to use.
-
-* `username` `(string: "")` – Username to use when authenticating with the
-  Cassandra hosts.
-
-* `password` `(string: "")` – Password to use when authenticating with the
-  Cassandra hosts.
-
-* `connection_timeout` `(int: 0)` - A timeout in seconds to wait until a
-  connection is established with the Cassandra hosts.
-
-* `tls` `(int: 0)` – If `1`, indicates the connection with the Cassandra hosts
-  should use TLS.
-
-* `pem_bundle_file` `(string: "")` - Specifies a file containing a
-  certificate and private key; a certificate, private key, and issuing CA
-  certificate; or just a CA certificate.
-
-* `pem_json_file` `(string: "")` - Specifies a JSON file containing a certificate
-  and private key; a certificate, private key, and issuing CA certificate;
-  or just a CA certificate.
-
-* `tls_skip_verify` `(int: 0)` - If `1`, then TLS host verification
-  will be disabled for Cassandra. Defaults to `0`.
-
-* `tls_min_version` `(string: "tls12")` - Minimum TLS version to use. Accepted
-  values are `tls10`, `tls11` or `tls12`. Defaults to `tls12`.
-
-[cassandra]: http://cassandra.apache.org/
-[replication-options]: https://docs.datastax.com/en/cassandra/2.1/cassandra/architecture/architectureDataDistributeReplication_c.html
diff --git a/website/source/docs/configuration/storage/cockroachdb.html.md b/website/source/docs/configuration/storage/cockroachdb.html.md
deleted file mode 100644
index 4060707130df..000000000000
--- a/website/source/docs/configuration/storage/cockroachdb.html.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-layout: "docs"
-page_title: "CockroachDB - Storage Backends - Configuration"
-sidebar_title: "CockroachDB"
-sidebar_current: "docs-configuration-storage-cockroachdb"
-description: |-
-  The CockroachDB storage backend is used to persist Vault's data in a CockroachDB
-  server or cluster.
----
-
-# CockroachDB Storage Backend
-
-The CockroachDB storage backend is used to persist Vault's data in a
-[CockroachDB][cockroachdb] server or cluster.
-
-- **No High Availability** – the CockroachDB storage backend does not support
-  high availability.
-
-- **Community Supported** – the CockroachDB storage backend is supported by the
-  community. While it has undergone development and review by HashiCorp 
-  employees, they may not be as knowledgeable about the technology.
-
-```hcl
-storage "cockroachdb" {
-  connection_url = "postgres://user123:secret123!@localhost:5432/vault"
-}
-```
-
-**Note** - CockroachDB is compatible with the PostgreSQL database driver and 
-uses that driver to interact with the database.
-
-## `cockroachdb` Parameters
-
-- `connection_url` `(string: <required>)` – Specifies the connection string to
-  use to authenticate and connect to CockroachDB. A full list of supported
-  parameters can be found in [the pq library documentation][pglib]. For example
-  connection string URLs, see the examples section below.
-
-- `table` `(string: "vault_kv_store")` – Specifies the name of the table in
-  which to write Vault data. This table must already exist (Vault will not
-  attempt to create it).
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests to CockroachDB.
-
-## `cockroachdb` Examples
-
-This example shows connecting to a PostgreSQL cluster using full SSL
-verification (recommended).
-
-```hcl
-storage "cockroachdb" {
-  connection_url = "postgres://user:pass@localhost:5432/database?sslmode=verify-full"
-}
-```
-
-To disable SSL verification (not recommended), replace `verify-full` with
-`disable`:
-
-```hcl
-storage "cockroachdb" {
-  connection_url = "postgres://user:pass@localhost:5432/database?sslmode=disable"
-}
-```
-
-[cockroachdb]: https://www.cockroachlabs.com/
-[pglib]: https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
diff --git a/website/source/docs/configuration/storage/consul.html.md b/website/source/docs/configuration/storage/consul.html.md
deleted file mode 100644
index 8b2d33d2d0af..000000000000
--- a/website/source/docs/configuration/storage/consul.html.md
+++ /dev/null
@@ -1,281 +0,0 @@
----
-layout: "docs"
-page_title: "Consul - Storage Backends - Configuration"
-sidebar_title: "Consul"
-sidebar_current: "docs-configuration-storage-consul"
-description: |-
-  The Consul storage backend is used to persist Vault's data in Consul's
-  key-value store. In addition to providing durable storage, inclusion of this
-  backend will also register Vault as a service in Consul with a default health
-  check.
----
-
-# Consul Storage Backend
-
-The Consul storage backend is used to persist Vault's data in [Consul's][consul]
-key-value store. In addition to providing durable storage, inclusion of this
-backend will also register Vault as a service in Consul with a default health
-check.
-
-- **High Availability** – the Consul storage backend supports high availability.
-
-- **HashiCorp Supported** – the Consul storage backend is officially supported
-  by HashiCorp.
-
-```hcl
-storage "consul" {
-  address = "127.0.0.1:8500"
-  path    = "vault"
-}
-```
-
-Once properly configured, an unsealed Vault installation should be available and
-accessible at:
-
-```text
-active.vault.service.consul
-```
-
-Unsealed Vault instances in standby mode are available at:
-
-```text
-standby.vault.service.consul
-```
-
-All unsealed Vault instances are available as healthy at:
-
-```text
-vault.service.consul
-```
-
-Sealed Vault instances will mark themselves as unhealthy to avoid being returned
-at Consul's service discovery layer.
-
-Note that if you have configured multiple listeners for Vault, you must specify
-which one Consul should advertise to the cluster using [`api_addr`][api-addr]
-and [`cluster_addr`][cluster-addr] ([example][listener-example]).
-
-## `consul` Parameters
-
-- `address` `(string: "127.0.0.1:8500")` – Specifies the address of the Consul
-  agent to communicate with. This can be an IP address, DNS record, or unix
-  socket. It is recommended that you communicate with a local Consul agent; do
-  not communicate directly with a server.
-
-- `check_timeout` `(string: "5s")` – Specifies the check interval used to send
-  health check information back to Consul. This is specified using a label
-  suffix like `"30s"` or `"1h"`.
-
-- `consistency_mode` `(string: "default")` – Specifies the Consul
-  [consistency mode][consul-consistency]. Possible values are `"default"` or
-  `"strong"`.
-
-- `disable_registration` `(string: "false")` – Specifies whether Vault should
-  register itself with Consul.
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests to Consul.
-
-- `path` `(string: "vault/")` – Specifies the path in Consul's key-value store
-  where Vault data will be stored.
-
-- `scheme` `(string: "http")` – Specifies the scheme to use when communicating
-  with Consul. This can be set to "http" or "https". It is highly recommended
-  you communicate with Consul over https over non-local connections. When
-  communicating over a unix socket, this option is ignored.
-
-- `service` `(string: "vault")` – Specifies the name of the service to register
-  in Consul.
-
-- `service_tags` `(string: "")` – Specifies a comma-separated list of tags to
-  attach to the service registration in Consul.
-
-- `service_address` `(string: nil)` – Specifies a service-specific address to
-  set on the service registration in Consul. If unset, Vault will use what it
-  knows to be the HA redirect address - which is usually desirable. Setting
-  this parameter to `""` will tell Consul to leverage the configuration of the
-  node the service is registered on dynamically. This could be beneficial if
-  you intend to leverage Consul's
-  [`translate_wan_addrs`][consul-translate-wan-addrs] parameter.
-
-- `token` `(string: "")` – Specifies the [Consul ACL token][consul-acl] with
-  permission to read and write from the `path` in Consul's key-value store.
-  This is **not** a Vault token. This can also be provided via the environment
-  variable [`CONSUL_HTTP_TOKEN`][consul-token]. See the ACL section below for help.
-
-- `session_ttl` `(string: "15s")` - Specifies the minimum allowed [session
-  TTL][consul-session-ttl]. Consul server has a lower limit of 10s on the
-  session TTL by default. The value of `session_ttl` here cannot be lesser than
-  10s unless the `session_ttl_min` on the consul server's configuration has a
-  lesser value.
-
-- `lock_wait_time` `(string: "15s")` - Specifies the wait time before a lock
-  acquisition is made. This affects the minimum time it takes to cancel a
-  lock acquisition.
-
-The following settings apply when communicating with Consul via an encrypted
-connection. You can read more about encrypting Consul connections on the
-[Consul encryption page][consul-encryption].
-
-- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate used
-  for Consul communication. This defaults to system bundle if not specified.
-  This should be set according to the
-  [`ca_file`](https://www.consul.io/docs/agent/options.html#ca_file) setting in
-  Consul.
-
-- `tls_cert_file` `(string: "")` (optional) – Specifies the path to the
-  certificate for Consul communication. This should be set according to the
-  [`cert_file`](https://www.consul.io/docs/agent/options.html#cert_file) setting
-  in Consul.
-
-- `tls_key_file` `(string: "")` – Specifies the path to the private key for
-  Consul communication. This should be set according to the
-  [`key_file`](https://www.consul.io/docs/agent/options.html#key_file) setting
-  in Consul.
-
-- `tls_min_version` `(string: "tls12")` – Specifies the minimum TLS version to
-  use. Accepted values are `"tls10"`, `"tls11"` or `"tls12"`.
-
-- `tls_skip_verify` `(string: "false")` – Disable verification of TLS certificates.
-  Using this option is highly discouraged.
-
-## ACLs
-
-If using ACLs in Consul, you'll need appropriate permissions. For Consul 0.8,
-the following will work for most use-cases, assuming that your service name is
-`vault` and the prefix being used is `vault/`:
-
-```json
-{
-  "key": {
-    "vault/": {
-      "policy": "write"
-    }
-  },
-  "node": {
-    "": {
-      "policy": "write"
-    }
-  },
-  "service": {
-    "vault": {
-      "policy": "write"
-    }
-  },
-  "agent": {
-    "": {
-      "policy": "write"
-    }
-
-  },
-  "session": {
-    "": {
-      "policy": "write"
-    }
-  }
-}
-```
-
-For Consul 1.4+, the following example takes into account the changed ACL
-language:
-
-```json
-{
-  "key_prefix": {
-    "vault/": {
-      "policy": "write"
-    }
-  },
-  "node_prefix": {
-    "": {
-      "policy": "write"
-    }
-  },
-  "service": {
-    "vault": {
-      "policy": "write"
-    }
-  },
-  "agent_prefix": {
-    "": {
-      "policy": "write"
-    }
-
-  },
-  "session_prefix": {
-    "": {
-      "policy": "write"
-    }
-  }
-}
-```
-
-## `consul` Examples
-
-### Local Agent
-
-This example shows a sample physical backend configuration which communicates
-with a local Consul agent running on `127.0.0.1:8500`.
-
-```hcl
-storage "consul" {}
-```
-
-### Detailed Customization
-
-This example shows communicating with Consul on a custom address with an ACL
-token.
-
-```hcl
-storage "consul" {
-  address = "10.5.7.92:8194"
-  token   = "abcd1234"
-}
-```
-
-### Custom Storage Path
-
-This example shows storing data at a custom path in Consul's key-value store.
-This path must be readable and writable by the Consul ACL token, if Consul
-configured to use ACLs.
-
-```hcl
-storage "consul" {
-  path = "vault/"
-}
-```
-
-### Consul via Unix Socket
-
-This example shows communicating with Consul over a local unix socket.
-
-```hcl
-storage "consul" {
-  address = "unix:///tmp/.consul.http.sock"
-}
-```
-
-### Custom TLS
-
-This example shows using a custom CA, certificate, and key file to securely
-communicate with Consul over TLS.
-
-```hcl
-storage "consul" {
-  scheme        = "https"
-  tls_ca_file   = "/etc/pem/vault.ca"
-  tls_cert_file = "/etc/pem/vault.cert"
-  tls_key_file  = "/etc/pem/vault.key"
-}
-```
-
-[consul]: https://www.consul.io/ "Consul by HashiCorp"
-[consul-acl]: https://www.consul.io/docs/guides/acl.html "Consul ACLs"
-[consul-consistency]: https://www.consul.io/api/index.html#consistency-modes "Consul Consistency Modes"
-[consul-encryption]: https://www.consul.io/docs/agent/encryption.html "Consul Encryption"
-[consul-translate-wan-addrs]: https://www.consul.io/docs/agent/options.html#translate_wan_addrs "Consul Configuration"
-[consul-token]: https://www.consul.io/docs/commands/acl/set-agent-token.html#token-lt-value-gt- "Consul Token"
-[consul-session-ttl]: https://www.consul.io/docs/agent/options.html#session_ttl_min "Consul Configuration"
-[api-addr]: /docs/configuration/index.html#api_addr
-[cluster-addr]: /docs/configuration/index.html#cluster_addr
-[listener-example]: /docs/configuration/listener/tcp.html#listening-on-multiple-interfaces
diff --git a/website/source/docs/configuration/storage/couchdb.html.md b/website/source/docs/configuration/storage/couchdb.html.md
deleted file mode 100644
index f7f074365f4e..000000000000
--- a/website/source/docs/configuration/storage/couchdb.html.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-layout: "docs"
-page_title: "CouchDB - Storage Backends - Configuration"
-sidebar_title: "CouchDB"
-sidebar_current: "docs-configuration-storage-couchdb"
-description: |-
-  The CouchDB storage backend is used to persist Vault's data in a CouchDB
-  database.
----
-
-# CouchDB Storage Backend
-
-The CouchDB storage backend is used to persist Vault's data in
-[CouchDB][couchdb] table.
-
-- **No High Availability** – the CouchDB backend does not support high
-  availability.
-
-- **Community Supported** – the CouchDB storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "couchdb" {
-  endpoint = "https://my-couchdb-dns.tld:5984/my-database"
-  username = "admin"
-  password = "admin"
-}
-```
-
-## `couchdb` Parameters
-
-- `endpoint` `(string: "")` – Specifies your CouchDB endpoint. This can also be
-  provided via the environment variable `COUCHDB_ENDPOINT`.
-
-- `username` `(string: "")` – Specifies the user to authenticate as. This can
-  also be provided via the environment variable `COUCHDB_USERNAME`.
-
-- `password` `(string: "")` – Specifies the user to authenticate as. This can
-  also be provided via the environment variable `COUCHDB_PASSWORD`.
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests to CouchDB.
-
-[couchdb]: http://couchdb.apache.org/
diff --git a/website/source/docs/configuration/storage/dynamodb.html.md b/website/source/docs/configuration/storage/dynamodb.html.md
deleted file mode 100644
index dc2768cb1f23..000000000000
--- a/website/source/docs/configuration/storage/dynamodb.html.md
+++ /dev/null
@@ -1,188 +0,0 @@
----
-layout: "docs"
-page_title: "DynamoDB - Storage Backends - Configuration"
-sidebar_title: "DynamoDB"
-sidebar_current: "docs-configuration-storage-dynamodb"
-description: |-
-  The DynamoDB storage backend is used to persist Vault's data in DynamoDB
-  table.
----
-
-# DynamoDB Storage Backend
-
-The DynamoDB storage backend is used to persist Vault's data in
-[DynamoDB][dynamodb] table.
-
-- **High Availability** – the DynamoDB storage backend supports high
-  availability. Because DynamoDB uses the time on the Vault node to implement
-  the session lifetimes on its locks, significant clock skew across Vault nodes
-  could cause contention issues on the lock.
-
-- **Community Supported** – the DynamoDB storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with this
-  storage backend, you could be referred to the original author for support.
-
-```hcl
-storage "dynamodb" {
-  ha_enabled = "true"
-  region     = "us-west-2"
-  table      = "vault-data"
-}
-```
-
-For more information about the read/write capacity of DynamoDB tables, please
-see the [official AWS DynamoDB documentation][dynamodb-rw-capacity].
-
-## DynamoDB Parameters
-
-- `endpoint` `(string: "")` – Specifies an alternative, AWS compatible, DynamoDB
-  endpoint. This can also be provided via the environment variable
-  `AWS_DYNAMODB_ENDPOINT`.
-
-- `ha_enabled` `(string: "false")` – Specifies whether this backend should be used
-  to run Vault in high availability mode. Valid values are "true" or "false". This
-  can also be provided via the environment variable `DYNAMODB_HA_ENABLED`.
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests.
-
-- `region` `(string "us-east-1")` – Specifies the AWS region. This can also be
-  provided via the environment variable `AWS_DEFAULT_REGION`.
-
-- `read_capacity` `(int: 5)` – Specifies the maximum number of reads consumed
-  per second on the table, for use if Vault creates the DynamoDB table. This has
-  no effect if the `table` already exists. This can also be provided via the
-  environment variable `AWS_DYNAMODB_READ_CAPACITY`.
-
-- `table` `(string: "vault-dynamodb-backend")` – Specifies the name of the
-  DynamoDB table in which to store Vault data. If the specified table does not
-  yet exist, it will be created during initialization. This can also be
-  provided via the environment variable `AWS_DYNAMODB_TABLE`. See the 
-  information on the table schema below.
-
-- `write_capacity` `(int: 5)` – Specifies the maximum number of writes performed
-  per second on the table, for use if Vault creates the DynamoDB table. This value
-  has no effect if the `table` already exists. This can also be provided via the
-  environment variable `AWS_DYNAMODB_WRITE_CAPACITY`.
-
-The following settings are used for authenticating to AWS. If you are
-running your Vault server on an EC2 instance, you can also make use of the EC2
-instance profile service to provide the credentials Vault will use to make
-DynamoDB API calls. Leaving the `access_key` and `secret_key` fields empty will
-cause Vault to attempt to retrieve credentials from the AWS metadata service.
-
-- `access_key` `(string: <required>)` – Specifies the AWS access key. This can
-  also be provided via the environment variable `AWS_ACCESS_KEY_ID`.
-
-- `secret_key` `(string: <required>)` – Specifies the AWS secret key. This can
-  also be provided via the environment variable `AWS_SECRET_ACCESS_KEY`.
-
-- `session_token` `(string: "")` – Specifies the AWS session token. This can
-  also be provided via the environment variable `AWS_SESSION_TOKEN`.
-
-## Required AWS Permissions
-
-The governing policy for the IAM user or EC2 instance profile that Vault uses
-to access DynamoDB must contain the following permissions for Vault to perform
-the required operations on the DynamoDB table:
-
-```javascript
-  "Statement": [
-    {
-      "Action": [ 
-        "dynamodb:DescribeLimits",
-        "dynamodb:DescribeTimeToLive",
-        "dynamodb:ListTagsOfResource",
-        "dynamodb:DescribeReservedCapacityOfferings",
-        "dynamodb:DescribeReservedCapacity",
-        "dynamodb:ListTables",
-        "dynamodb:BatchGetItem",
-        "dynamodb:BatchWriteItem",
-        "dynamodb:CreateTable",
-        "dynamodb:DeleteItem",
-        "dynamodb:GetItem",
-        "dynamodb:GetRecords",
-        "dynamodb:PutItem",
-        "dynamodb:Query",
-        "dynamodb:UpdateItem",
-        "dynamodb:Scan",
-        "dynamodb:DescribeTable"
-      ],
-      "Effect": "Allow",
-      "Resource": [ "arn:aws:dynamodb:us-east-1:... dynamodb table ARN" ]
-    },
-```
-
-## Table Schema
-
-If you are going to create the DynamoDB table prior to the execution and
-initialization of Vault, you will need to create a table with these attributes:
-
-* Primary partition key: "Path", a string
-* Primary sort key: "Key", a string
-
-You might create the table via Terraform, with a configuration similar to this:
-
-```
-resource "aws_dynamodb_table" "dynamodb-table" {
-  name           = "${var.dynamoTable}"
-  read_capacity  = 1
-  write_capacity = 1
-	hash_key       = "Path"
-	range_key      = "Key"
-	attribute      = [
-		{
-			name = "Path"
-			type = "S"
-		},
-		{
-			name = "Key"
-			type = "S"
-		}
-	]
-  tags {
-    Name        = "vault-dynamodb-table"
-    Environment = "prod"
-  }
-}
-```
-
-If a table with the configured name already exists, Vault will not modify it -
-and the Vault configuration values of `read_capacity` and `write_capacity` have
-no effect.
-
-If the table does not already exist, Vault will try to create it, with read and
-write capacities set to the values of `read_capacity` and `write_capacity`
-respectively.
-
-## DynamoDB Examples of Vault Configuration
-
-### Custom Table and Read-Write Capacity
-
-This example shows using a custom table name and read/write capacity.
-
-```hcl
-storage "dynamodb" {
-  table = "my-vault-data"
-
-  read_capacity  = 10
-  write_capacity = 15
-}
-```
-
-### Enabling High Availability
-
-This example shows enabling high availability for the DynamoDB storage backend.
-
-```hcl
-api_addr = "https://vault-leader.my-company.internal"
-
-storage "dynamodb" {
-  ha_enabled    = "true"
-  ...
-}
-```
-
-[dynamodb]: https://aws.amazon.com/dynamodb/
-[dynamodb-rw-capacity]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.html#ProvisionedThroughput
diff --git a/website/source/docs/configuration/storage/etcd.html.md b/website/source/docs/configuration/storage/etcd.html.md
deleted file mode 100644
index 2db5f188130e..000000000000
--- a/website/source/docs/configuration/storage/etcd.html.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-layout: "docs"
-page_title: "Etcd - Storage Backends - Configuration"
-sidebar_title: "Etcd"
-sidebar_current: "docs-configuration-storage-etcd"
-description: |-
-  The Etcd storage backend is used to persist Vault's data in Etcd. It supports
-  both the v2 and v3 Etcd APIs, and the version is automatically detected based
-  on the version of the Etcd cluster.
----
-
-# Etcd Storage Backend
-
-The Etcd storage backend is used to persist Vault's data in [Etcd][etcd]. It
-supports both the v2 and v3 Etcd APIs, and the version is automatically detected
-based on the version of the Etcd cluster.
-
-- **High Availability** – the Etcd storage backend supports high availability.
-  The v2 API has known issues with HA support and should not be used in HA
-  scenarios.
-
-- **Community Supported** – the Etcd storage backend is supported by CoreOS.
-  While it has undergone review by HashiCorp employees, they may not be as
-  knowledgeable about the technology. If you encounter problems with them, you
-  may be referred to the original author.
-
-```hcl
-storage "etcd" {
-  address  = "http://localhost:2379"
-  etcd_api = "v3"
-}
-```
-
-## `etcd` Parameters
-
-- `address` `(string: "http://localhost:2379")` – Specifies the addresses of the
-  Etcd instances as a comma-separated list. This can also be provided via the
-  environment variable `ETCD_ADDR`.
-
-- `discovery_srv` `(string: "example.com")` - Specifies the domain name to
-  query for SRV records describing cluster endpoints. This can also be provided
-  via the environment variable `ETCD_DISCOVERY_SRV`.
-
-- `discovery_srv_name` `(string: "vault")` - Specifies the service name to use
-  when querying for SRV records describing cluster endpoints. This can also be
-  provided via the environment variable `ETCD_DISCOVERY_SRV_NAME`.
-
-- `etcd_api` `(string: "<varies>")` – Specifies the version of the API to
-  communicate with. By default, this is derived automatically. If the cluster
-  version is 3.1+ and there has been no data written using the v2 API, the
-  auto-detected default is v3.
-
-- `ha_enabled` `(string: "false")` – Specifies if high availability should be
-  enabled. This can also be provided via the environment variable
-  `ETCD_HA_ENABLED`.
-
-- `path` `(string: "/vault/")` – Specifies the path in Etcd where Vault data will
-  be stored.
-
-- `sync` `(string: "true")` – Specifies whether to sync the list of available
-  Etcd services on startup. This is a string that is coerced into a boolean
-  value. You may want to set this to false if your cluster is behind a proxy
-  server and syncing causes Vault to fail.
-
-- `username` `(string: "")` – Specifies the username to use when authenticating
-  with the Etcd server. This can also be provided via the environment variable
-  `ETCD_USERNAME`.
-
-- `password` `(string: "")` – Specifies the password to use when authenticating
-  with the Etcd server. This can also be provided via the environment variable
-  `ETCD_PASSWORD`.
-
-- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate used
-  for Etcd communication. This defaults to system bundle if not specified.
-
-- `tls_cert_file` `(string: "")` – Specifies the path to the certificate for
-  Etcd communication.
-
-- `tls_key_file` `(string: "")` – Specifies the path to the private key for Etcd
-  communication.
-
-- `request_timeout` `(string: "5s")` – Specifies timeout for requests
-  to etcd. 5 seconds should be long enough for most cases, even with internal
-  retry.
-
-- `lock_timeout` `(string: "15s")` – Specifies lock timeout for master
-  Vault instance. Set bigger value if you don't need faster recovery.
-
-## `etcd` Examples
-
-### DNS Discovery of cluster members
-
-This example configures vault to discover the Etcd cluster members via SRV
-records as outlined in the
-[DNS Discovery protocol documentation][dns discovery].
-
-```hcl
-storage "etcd" {
-  discovery_srv = "example.com"
-}
-```
-
-### Custom Authentication
-
-This example shows connecting to the Etcd cluster using a username and password.
-
-```hcl
-storage "etcd" {
-  username = "user1234"
-  password = "pass5678"
-}
-```
-
-### Custom Path
-
-This example shows storing data in a custom path.
-
-```hcl
-storage "etcd" {
-  path = "my-vault-data/"
-}
-```
-
-### Enabling High Availability
-
-This example shows enabling high availability for the Etcd storage backend.
-
-```hcl
-api_addr = "https://vault-leader.my-company.internal"
-
-storage "etcd" {
-  ha_enabled    = "true"
-  ...
-}
-```
-
-[etcd]: https://coreos.com/etcd "Etcd by CoreOS"
-[dns discovery]: https://coreos.com/etcd/docs/latest/op-guide/clustering.html#dns-discovery "Etcd cluster DNS Discovery"
diff --git a/website/source/docs/configuration/storage/filesystem.html.md b/website/source/docs/configuration/storage/filesystem.html.md
deleted file mode 100644
index 4b63ab2e0717..000000000000
--- a/website/source/docs/configuration/storage/filesystem.html.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-layout: "docs"
-page_title: "Filesystem - Storage Backends - Configuration"
-sidebar_title: "Filesystem"
-sidebar_current: "docs-configuration-storage-filesystem"
-description: |-
-  The Filesystem storage backend stores Vault's data on the filesystem using a
-  standard directory structure. It can be used for durable single server
-  situations, or to develop locally where durability is not critical.
----
-
-# Filesystem Storage Backend
-
-The Filesystem storage backend stores Vault's data on the filesystem using a
-standard directory structure. It can be used for durable single server
-situations, or to develop locally where durability is not critical.
-
-- **No High Availability** – the Filesystem backend does not support high
-  availability.
-
-- **HashiCorp Supported** – the Filesystem backend is officially supported by
-  HashiCorp.
-
-```hcl
-storage "file" {
-  path = "/mnt/vault/data"
-}
-```
-
-Even though Vault's data is encrypted at rest, you should still take appropriate
-measures to secure access to the filesystem.
-
-## `file` Parameters
-
-- `path` `(string: <required>)` – The absolute path on disk to the directory
-  where the data will be stored. If the directory does not exist, Vault will
-  create it.
-
-## `file` Examples
-
-This example shows the Filesystem storage backend being mounted at
-`/mnt/vault/data`.
-
-```hcl
-storage "file" {
-  path = "/mnt/vault/data"
-}
-```
diff --git a/website/source/docs/configuration/storage/foundationdb.html.md b/website/source/docs/configuration/storage/foundationdb.html.md
deleted file mode 100644
index 35e72c278061..000000000000
--- a/website/source/docs/configuration/storage/foundationdb.html.md
+++ /dev/null
@@ -1,166 +0,0 @@
----
-layout: "docs"
-page_title: "FoundationDB - Storage Backends - Configuration"
-sidebar_title: "FoundationDB"
-sidebar_current: "docs-configuration-storage-foundationdb"
-description: |-
-  The FoundationDB storage backend is used to persist Vault's data in the
-  FoundationDB KV store.
----
-
-# FoundationDB Storage Backend
-
-The FoundationDB storage backend is used to persist Vault's data in
-[FoundationDB][foundationdb].
-
-The backend needs to be explicitly enabled at build time, and is not available
-in the standard Vault binary distribution. Please refer to the documentation
-accompanying the backend's source in the Vault source tree.
-
-- **High Availability** – the FoundationDB storage backend supports high
-  availability. The HA implementation relies on the clocks of the Vault
-  nodes inside the cluster being properly synchronized; clock skews are
-  susceptible to cause contention on the locks.
-
-- **Community Supported** – the FoundationDB storage backend is supported
-  by the community. While it has undergone review by HashiCorp employees,
-  they may not be as knowledgeable about the technology. If you encounter
-  problems with them, you may be referred to the original author.
-
-```hcl
-storage "foundationdb" {
-  api_version      = 520
-  cluster_file     = "/path/to/fdb.cluster"
-
-  tls_verify_peers = "I.CN=MyTrustedIssuer,I.O=MyCompany\, Inc.,I.OU=Certification Authority"
-  tls_ca_file      = "/path/to/ca_bundle.pem"
-  tls_cert_file    = "/path/to/cert.pem"
-  tls_key_file     = "/path/to/key.pem"
-  tls_password     = "PrivateKeyPassword"
-
-  path             = "vault-top-level-directory"
-  ha_enabled       = "true"
-}
-```
-
-## `foundationdb` Parameters
-
-- `api_version` `(int)` - The FoundationDB API version to use; this is a
-  required parameter and doesn't have a default value. The minimum required API
-  version is 520.
-
-- `cluster_file` `(string)` - The path to the cluster file containing the
-  connection data for the target cluster; this is a required parameter and
-  doesn't have a default value.
-
-- `tls_verify_peers` `(string)` - The peer certificate verification criteria;
-  this parameter is mandatory if TLS is enabled. Refer to the [FoundationDB TLS]
-  [fdb-tls] documentation.
-
-- `tls_ca_file` `(string)` - The path to the CA certificate bundle file; this
-  parameter is mandatory if TLS is enabled.
-
-- `tls_cert_file` `(string)` - The path to the certificate file; specifying this
-  parameter together with `tls_key_file` will enable TLS support.
-
-- `tls_key_file` `(string)` - The path to the key file; specifying this
-  parameter together with `tls_cert_file` will enable TLS support.
-
-- `tls_password` `(string)` - The password needed to decrypt `tls_key_file`, if
-  it is encrypted; optional. This can also be specified via the
-  `FDB_TLS_PASSWORD` environment variable.
-
-- `path` `(string: "vault")` - The path of the top-level FoundationDB directory
-  (using the directory layer) under which the Vault data will reside.
-
-- `ha_enabled` `(string: "false")` - Whether or not to enable Vault
-  high-availability mode using the FoundationDB backend.
-
-## `foundationdb` tips
-
-### Cluster file
-
-The FoundationDB client expects to be able to update the cluster file at
-runtime, to keep it current with changes happening to the cluster.
-
-It does so by first writing a new cluster file alongside the current one,
-then atomically renaming it into place.
-
-This means the cluster file and the directory it resides in must be writable
-by the user Vault is running as. You probably want to isolate the cluster
-file into its own directory.
-
-### Multi-version client
-
-The FoundationDB client library version is tightly coupled to the server
-version; during cluster upgrades, multiple server versions will be running
-in the cluster, and the client must cope with that situation.
-
-This is handled by the (primary) client library having the ability to load
-a different, later version of the client library to connect to a particular
-server; it is referred to as the [multi-version client][multi-ver-client]
-feature.
-
-#### Client setup with `LD_LIBRARY_PATH`
-
-If you do not use mlock, you can use `LD_LIBRARY_PATH` to point the linker at
-the location of the primary client library.
-
-```
-$ export LD_LIBRARY_PATH=/dest/dir/for/primary:$LD_LIBRARY_PATH
-$ export FDB_NETWORK_OPTION_EXTERNAL_CLIENT_DIRECTORY=/dest/dir/for/secondary
-$ /path/to/bin/vault ...
-```
-
-#### Client setup with `RPATH`
-
-When running Vault with mlock, the Vault binary must have capabilities set to
-allow the use of mlock.
-
-```
-# setcap cap_ipc_lock=+ep /path/to/bin/vault
-$ getcap /path/to/bin/vault
-/path/to/bin/vault = cap_ipc_lock+ep
-```
-
-The presence of the capabilities will cause the linker to ignore
-`LD_LIBRARY_PATH`, for security reasons.
-
-In that case, we have to set an `RPATH` on the Vault binary at build time
-to replace the use of `LD_LIBRARY_PATH`.
-
-When building Vault, pass the `-r /dest/dir/for/primary` option to the Go
-linker, for instance:
-
-```
-$ make dev FDB_ENABLED=1 LD_FLAGS="-r /dest/dir/for/primary "
-```
-
-(Note the trailing space in the variable value above).
-
-You can verify `RPATH` is set on the Vault binary using `readelf`:
-
-```
-$ readelf -d /path/to/bin/vault | grep RPATH
- 0x000000000000000f (RPATH)              Library rpath: [/dest/dir/for/primary]
-```
-
-With the client libraries installed:
-
-```
-$ ldd /path/to/bin/vault
-...
-    libfdb_c.so => /dest/dir/for/primary/libfdb_c.so (0x00007f270ad05000)
-...
-```
-
-Now run Vault:
-
-```
-$ export FDB_NETWORK_OPTION_EXTERNAL_CLIENT_DIRECTORY=/dest/dir/for/secondary
-$ /path/to/bin/vault ...
-```
-
-[foundationdb]: https://www.foundationdb.org
-[fdb-tls]: https://apple.github.io/foundationdb/tls.html
-[multi-ver-client]: https://apple.github.io/foundationdb/api-general.html#multi-version-client-api
diff --git a/website/source/docs/configuration/storage/google-cloud-spanner.html.md b/website/source/docs/configuration/storage/google-cloud-spanner.html.md
deleted file mode 100644
index 3a2ef6a8ae77..000000000000
--- a/website/source/docs/configuration/storage/google-cloud-spanner.html.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-layout: "docs"
-page_title: "Google Cloud Spanner - Storage Backends - Configuration"
-sidebar_title: "Google Cloud Spanner"
-sidebar_current: "docs-configuration-storage-spanner"
-description: |-
-  The Google Cloud Spanner storage backend is used to persist Vault's data in
-  Spanner, a fully managed, mission-critical, relational database service that
-  offers transactional consistency at global scale.
----
-
-# Google Cloud Spanner Storage Backend
-
-The Google Cloud Spanner storage backend is used to persist Vault's data in
-[Spanner][spanner-docs], a fully managed, mission-critical, relational database
-service that offers transactional consistency at global scale, schemas, SQL, and
-automatic, synchronous replication for high availability.
-
-- **High Availability** – the Google Cloud Spanner storage backend supports high
-  availability. Because the Google Cloud Spanner storage backend uses the system
-  time on the Vault node to acquire sessions, clock skew across Vault servers
-  can cause lock contention.
-
-- **Community Supported** – the Google Cloud Spanner storage backend is
-  supported by the community. While it has undergone review by HashiCorp
-  employees, they may not be as knowledgeable about the technology. If you
-  encounter problems with them, you may be referred to the original author.
-
-```hcl
-storage "spanner" {
-  database = "projects/my-project/instances/my-instance/databases/my-database"
-}
-```
-
-For more information on schemas or Google Cloud Spanner, please see the [Google
-Cloud Spanner documentation][spanner-docs].
-
-## `spanner` Setup
-
-To use the Google Cloud Spanner Vault storage backend, you must have a Google
-Cloud Platform account. Either using the API or web interface, create a database
-and the following tables:
-
--> You can choose "Edit as text" and copy-paste the following as the schema.
-These are the default table names. If you choose to use different table names,
-you will need to update the configuration accordingly.
-
-```sql
-CREATE TABLE Vault (
-  Key       STRING(MAX) NOT NULL,
-  Value     BYTES(MAX),
-) PRIMARY KEY (Key);
-
-CREATE TABLE VaultHA (
-  Key           STRING(MAX) NOT NULL,
-  Value         STRING(MAX),
-  Identity      STRING(36) NOT NULL,
-  Timestamp     TIMESTAMP NOT NULL,
-) PRIMARY KEY (Key);
-```
-
-The Google Cloud Spanner storage backend does not support creating the table
-automatically at this time, but this could be a future enhancement. For more
-information on schemas or Google Cloud Spanner, please see the [Google Cloud
-Spanner documentation][spanner-docs].
-
-## `spanner` Authentication
-
-The Google Cloud Spanner Vault storage backend uses the official Google Cloud
-Golang SDK. This means it supports the common ways of [providing credentials to
-Google Cloud][cloud-creds].
-
-1. The environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
-as the **path** to a Google Cloud credentials file, typically for a service
-account. If this environment variable is present, the resulting credentials are
-used. If the credentials are invalid, an error is returned.
-
-1. Default instance credentials. When no environment variable is present, the
-default service account credentials are used.
-
-For more information on service accounts, please see the [Google Cloud Service
-Accounts documentation][service-accounts].
-
-To use this storage backend, the service account must have the following
-minimum scope(s):
-
-```text
-https://www.googleapis.com/auth/google-cloud-spanner.data
-```
-
-## `spanner` Parameters
-
-- `database` `(string: <required>)` – Specifies the name of the database. Note
-  that this is specified as a "path" including the project ID and instance, for
-  example:
-
-    ```text
-    projects/my-project/instances/my-instance/databases/my-database
-    ```
-
-- `table` `(string: "Vault")` - Specifies the name of the table where
-  data will be stored and retrieved.
-
-- `max_parallel` `(int: 128)` - Specifies the maximum number of parallel
-  operations to take place.
-
-### High Availability Parameters
-
-- `ha_enabled` `(string: "false")` - Specifies if high availability mode is
-  enabled. This is a boolean value, but it is specified as a string like "true"
-  or "false".
-
-- `ha_table` `(string: "VaultHA")` - Specifies the name of the table to use for
-  storing high availability information. By default, this is the name of the
-  `table` suffixed with "HA".
-
-## `spanner` Examples
-
-### High Availability
-
-This example shows configuring Google Cloud Spanner with high availability
-enabled.
-
-```hcl
-api_addr = "https://vault-leader.my-company.internal"
-
-storage "spanner" {
-  database   = "projects/demo/instances/abc123/databases/vault-data"
-  ha_enabled = "true"
-}
-```
-
-### Custom Tables
-
-This example shows listing custom table names for data and HA with the Google
-Cloud Spanner Vault storage backend.
-
-```hcl
-storage "spanner" {
-  database = "projects/demo/instances/abc123/databases/vault-data"
-  table    = "VaultData"
-  ha_table = "VaultLeader"
-}
-```
-
-[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
-[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
-[spanner-docs]: https://cloud.google.com/spanner/docs/
diff --git a/website/source/docs/configuration/storage/google-cloud-storage.html.md b/website/source/docs/configuration/storage/google-cloud-storage.html.md
deleted file mode 100644
index d456ba7f972e..000000000000
--- a/website/source/docs/configuration/storage/google-cloud-storage.html.md
+++ /dev/null
@@ -1,153 +0,0 @@
----
-layout: "docs"
-page_title: "Google Cloud Storage - Storage Backends - Configuration"
-sidebar_title: "Google Cloud Storage"
-sidebar_current: "docs-configuration-storage-google-cloud"
-description: |-
-  The Google Cloud Storage storage backend is used to persist Vault's data in
-  Google Cloud Storage.
----
-
-# Google Cloud Storage Storage Backend
-
-The Google Cloud Storage storage backend is used to persist Vault's data in
-[Google Cloud Storage][gcs-docs].
-
-- **High Availability** – the Google Cloud Storage storage backend supports high
-  availability. Because the Google Cloud Storage storage backend uses the system
-  time on the Vault node to acquire sessions, clock skew across Vault servers
-  can cause lock contention.
-
-- **Community Supported** – the Google Cloud Storage storage backend is
-  supported by the community. While it has undergone review by HashiCorp
-  employees, they may not be as knowledgeable about the technology. If you
-  encounter problems with them, you may be referred to the original author.
-
-```hcl
-storage "gcs" {
-  bucket = "my-storage-bucket"
-}
-```
-
-For more information on schemas or Google Cloud Storage, please see the [Google
-Cloud Storage documentation][gcs-docs].
-
-## `gcs` Setup
-
-To use the Google Cloud Storage Vault storage backend, you must have a Google
-Cloud Platform account with permissions to create Google Cloud Storage buckets.
-
-To use the Google Cloud Storage Vault storage backend, you must have a Google
-Cloud Platform account. Either using the API or web interface, create a bucket
-using the [`gsutil`][cloud-sdk] command. Bucket names must be globally unique
-across all of Google Cloud, so choose a unique name:
-
-```sh
-$ gsutil mb gs://mycompany-vault-data
-```
-
-Even though the data is encrypted in transit and at rest, be sure to set the
-appropriate permissions on the bucket to limit exposure. You may want to create
-a service account that limits Vault's interactions with Google Cloud to objects
-in the storage bucket using IAM permissions.
-
-Here is a sample [Google Cloud IAM][iam] policy that grants the proper
-permissions to a [service account][service-accounts]. Be sure to replace the
-value with the value for your service account.
-
-```json
-{
-  "bindings": [
-    {
-      "role": "roles/storage.objectAdmin",
-      "members": [
-        "serviceAccount:my-vault@gserviceaccount.com"
-      ]
-    }
-  ]
-}
-```
-
-Then give Vault the service account's credential file as a configuration option.
-
-For more information on schemas or Google Cloud Storage, please see the [Google
-Cloud Storage documentation][gcs-docs].
-
-## `gcs` Authentication
-
-The Google Cloud Storage Vault storage backend uses the official Google Cloud
-Golang SDK. This means it supports the common ways of [providing credentials to
-Google Cloud][cloud-creds].
-
-1. The environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
-as the **path** to a Google Cloud credentials file, typically for a service
-account. If this environment variable is present, the resulting credentials are
-used. If the credentials are invalid, an error is returned.
-
-1. Default instance credentials. When no environment variable is present, the
-default service account credentials are used.
-
-For more information on service accounts, please see the [Google Cloud Service
-Accounts documentation][service-accounts].
-
-To use this storage backend, the service account must have the following
-minimum scope(s):
-
-```text
-https://www.googleapis.com/auth/devstorage.read_write
-```
-
-## `gcs` Parameters
-
-- `bucket` `(string: <required>)` – Specifies the name of the bucket to use for
-  storage.
-
-- `chunk_size` `(string: "8192")` – Specifies the maximum size (in kilobytes) to
-  send in a single request. If set to 0, it will attempt to send the whole
-  object at once, but will not retry any failures. If you are not storing large
-  objects in Vault, it is recommended to set this to a low value (minimum is
-  256) since it will reduce the amount of memory Vault uses.
-
-- `max_parallel` `(int: 128)` - Specifies the maximum number of parallel
-  operations to take place.
-
-### High Availability Parameters
-
-- `ha_enabled` `(string: "false")` - Specifies if high availability mode is
-  enabled. This is a boolean value, but it is specified as a string like "true"
-  or "false".
-
-## `gcs` Examples
-
-### High Availability
-
-This example shows configuring Google Cloud Storage with high availability
-enabled.
-
-```hcl
-api_addr = "https://vault-leader.my-company.internal"
-
-storage "gcs" {
-  bucket        = "mycompany-vault-data"
-  ha_enabled    = "true"
-}
-```
-
-### Custom Chunk Size
-
-This example shows setting a custom chunk size for uploads. When uploading large
-data to Vault, setting a lower number can reduce Vault's memory consumption, but
-will increase the number of outbound requests.
-
-```hcl
-storage "gcs" {
-  bucket     = "mycompany-vault-data"
-  chunk_size = "512"
-}
-```
-
-[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
-[cloud-sdk]: https://cloud.google.com/sdk/downloads
-[gcs-docs]: https://cloud.google.com/storage/docs/
-[iam]: https://cloud.google.com/iam/docs/
-[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
diff --git a/website/source/docs/configuration/storage/in-memory.html.md b/website/source/docs/configuration/storage/in-memory.html.md
deleted file mode 100644
index d23b3d49b3b4..000000000000
--- a/website/source/docs/configuration/storage/in-memory.html.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-layout: "docs"
-page_title: "In-Memory - Storage Backends - Configuration"
-sidebar_title: "In-Memory"
-sidebar_current: "docs-configuration-storage-in-memory"
-description: |-
-  The In-Memory storage backend is used to persist Vault's data entirely
-  in-memory on the same machine in which Vault is running. This is useful for
-  development and experimentation, but use of this backend is highly discouraged
-  in production except in very specific use-cases.
----
-
-# In-Memory Storage Backend
-
-The In-Memory storage backend is used to persist Vault's data entirely in-memory
-on the same machine in which Vault is running. This is useful for development
-and experimentation, but use of this backend is **highly discouraged in
-production**. All data is lost when Vault or the machine on which it is running
-is restarted.
-
-- **No High Availability** – the In-Memory backend does not support high
-  availability.
-
-- **Not Production Recommended** – the In-Memory backend is not recommended for
-  production installations as data does not persist beyond restarts.
-
-- **HashiCorp Supported** – the In-Memory backend is officially supported by
-  HashiCorp.
-
-```hcl
-storage "inmem" {}
-```
-
-## `inmem` Parameters
-
-The In-Memory storage backend has no configuration parameters.
-
-## `inmem` Examples
-
-This example shows activating the In-Memory storage backend.
-
-```hcl
-storage "inmem" {}
-```
diff --git a/website/source/docs/configuration/storage/index.html.md b/website/source/docs/configuration/storage/index.html.md
deleted file mode 100644
index ecf7489d9561..000000000000
--- a/website/source/docs/configuration/storage/index.html.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-layout: "docs"
-page_title: "Storage Backends - Configuration"
-sidebar_title: "<code>storage</code>"
-sidebar_current: "docs-configuration-storage"
-description: |-
-  The storage stanza configures the storage backend, which represents the
-  location for the durable storage of Vault's information. Each backend has
-  pros, cons, advantages, and trade-offs. For example, some backends support
-  high availability while others provide a more robust backup and restoration
-  process.
----
-
-# `storage` Stanza
-
-The `storage` stanza configures the storage backend, which represents the
-location for the durable storage of Vault's information. Each backend has pros,
-cons, advantages, and trade-offs. For example, some backends support high
-availability while others provide a more robust backup and restoration process.
-For information about a specific backend, choose one from the navigation on the
-left.
-
-## Configuration
-
-Storage backend configuration is done through the Vault configuration file using
-the `storage` stanza:
-
-```hcl
-storage [NAME] {
-  [PARAMETERS...]
-}
-```
-
-For example:
-
-```hcl
-storage "file" {
-  path = "/mnt/vault/data"
-}
-```
-
-For configuration options which also read an environment variable, the
-environment variable will take precedence over values in the configuration
-file.
diff --git a/website/source/docs/configuration/storage/manta.html.md b/website/source/docs/configuration/storage/manta.html.md
deleted file mode 100644
index 4aee11481fec..000000000000
--- a/website/source/docs/configuration/storage/manta.html.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-layout: "docs"
-page_title: "Manta - Storage Backends - Configuration"
-sidebar_title: "Manta"
-sidebar_current: "docs-configuration-storage-manta"
-description: |-
-  The Manta storage backend is used to persist Vault's data in Triton's Manta Object
-  Storage. The storage folder must already exist.
----
-
-# Manta Storage Backend
-
-The Manta storage backend is used to persist Vault's data in [Triton's Manta Object 
-Storage][manta-object-store]. The storage folder must already exist.
-
-- **No High Availability** – the Manta storage backend does not support high
-  availability.
-
-- **Community Supported** – the Manta storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "manta" {
-  directory   = "manta-directory"
-  user = "myuser"
-  key_id = "40:9d:d3:f9:0b:86:62:48:f4:2e:a5:8e:43:00:2a:9b"
-}
-```
-
-## `manta` Parameters
-
-- `directory` `(string: <required>)` – Specifies the name of the manta directory to use.
-This will be in the `/stor/` folder in the specific manta account
-
-The following settings are used for authenticating to Manta.
-
-- `user` `(string: <required>)` – Specifies the Manta user account name. This can also be provided via
-  the environment variable `MANTA_USER`.
-  
-- `key_id` `(string: <required>)` – The fingerprint of the public key of the SSH key pair to use for authentication with the Manta API. 
-  It is assumed that the SSH agent has the private key corresponding to this key ID loaded. This can also be provided 
-  via the environment variable `MANTA_KEY_ID`.
-  
-- `subuser` - The name of a subuser that has been granted access to the Manta account. This can also be
-  provided via the environment variable `MANTA_SUBUSER`.
-    
-- `url` – Specifies the Manta URL. Defaults to `https://us-east.manta.joyent.com`. This can also be provided via 
-  the environment variable `MANTA_URL`.
-
-- `max_parallel` `(string: "128")` – Specifies The maximum number of concurrent
-  requests to Manta.
-
-## `manta` Examples
-
-This example shows configuring the Azure storage backend with a custom number of
-maximum parallel connections.
-
-```hcl
-storage "manta" {
-  directory    = "vault-storage-directory"
-  max_parallel = 512
-}
-```
-
-[manta-object-store]: https://www.joyent.com/triton/object-storage
diff --git a/website/source/docs/configuration/storage/mssql.html.md b/website/source/docs/configuration/storage/mssql.html.md
deleted file mode 100644
index 5d786c3ecb53..000000000000
--- a/website/source/docs/configuration/storage/mssql.html.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-layout: "docs"
-page_title: "MSSQL - Storage Backends - Configuration"
-sidebar_title: 'MSSQL'
-sidebar_current: "docs-configuration-storage-mssql"
-description: |-
-  The MSSQL storage backend is used to persist Vault's data in a Microsoft SQL Server.
----
-
-# MSSQL Storage Backend
-
-The MSSQL storage backend is used to persist Vault's data in a Microsoft SQL Server.
-
-- **No High Availability** – the MSSQL storage backend does not support high
-  availability.
-
-- **Community Supported** – the MSSQL storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "mssql" {
-  server = "localhost"
-  username = "user1234"
-  password = "secret123!"
-  database = "vault"
-  table = "vault"
-  appname = "vault"
-  schema = "dbo"
-  connectionTimeout = 30
-  logLevel = 0
-}
-```
-
-## `mssql` Parameters
-
-- `server` `(string: <required>)` – host or host\instance.
-
-- `username` `(string: "")` - enter the SQL Server Authentication user id or
-  the Windows Authentication user id in the DOMAIN\User format.
-  On Windows, if user id is empty or missing Single-Sign-On is used.
-
-- `password` `(string: "")` – specifies the MSSQL password to connect to
-  the database.
-
-- `database` `(string: "Vault")` – Specifies the name of the database. If the
-  database does not exist, Vault will attempt to create it.
-
-- `table` `(string: "Vault")` – Specifies the name of the table. If the table
-  does not exist, Vault will attempt to create it.
-
-- `schema` `(string: "dbo")` – Specifies the name of the schema. If the schema
-  does not exist, Vault will attempt to create it.
-
-- `appname` `(string: "Vault")` – the application name.
-
-- `connectionTimeout` `(int: 30)` – in seconds (default is 30).
-
-- `logLevel` `(int: 0)` – logging flags (default 0/no logging, 63 for full logging) .
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests to MSSQL.
-
-## `mssql` Examples
-
-### Custom Database, Table and Schema
-
-This example shows configuring the MSSQL backend to use a custom database and
-table name.
-
-```hcl
-storage "mssql" {
-  database = "my-vault"
-  table    = "vault-data"
-  schema   = "vlt"
-  username = "user1234"
-  password = "pass5678"
-}
-```
diff --git a/website/source/docs/configuration/storage/mysql.html.md b/website/source/docs/configuration/storage/mysql.html.md
deleted file mode 100644
index ad1f3649284d..000000000000
--- a/website/source/docs/configuration/storage/mysql.html.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-layout: "docs"
-page_title: "MySQL - Storage Backends - Configuration"
-sidebar_title: "MySQL"
-sidebar_current: "docs-configuration-storage-mysql"
-description: |-
-  The MySQL storage backend is used to persist Vault's data in a MySQL server or
-  cluster.
----
-
-# MySQL Storage Backend
-
-The MySQL storage backend is used to persist Vault's data in a [MySQL][mysql]
-server or cluster.
-
-- **High Availability** – the MySQL storage backend supports high availability.
-  Note that due to the way mysql locking functions work they are lost if a connection
-  dies. If you would like to not have frequent changes in your elected leader you
-  can increase interactive_timeout and wait_timeout MySQL config to much higher than
-  default which is set at 8 hours.
-
-- **Community Supported** – the MySQL storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "mysql" {
-  username = "user1234"
-  password = "secret123!"
-  database = "vault"
-}
-```
-
-## `mysql` Parameters
-
-- `address` `(string: "127.0.0.1:3306")` – Specifies the address of the MySQL
-  host.
-
-- `database` `(string: "vault")` – Specifies the name of the database. If the
-  database does not exist, Vault will attempt to create it.
-
-- `table` `(string: "vault")` – Specifies the name of the table. If the table
-  does not exist, Vault will attempt to create it.
-
-- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate to
-  connect using TLS.
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests to MySQL.
-
-- `max_idle_connections` `(string: "0")` – Specifies the maximum number of idle
-  connections to the database. A zero uses value defaults to 2 idle connections
-  and a negative value disables idle connections. If larger than
-  `max_parallel` it will be reduced to be equal.
-
-- `max_connection_lifetime` `(string: "0")` – Specifies the maximum amount of
-  time in seconds that a connection may be reused. If <= 0s connections are reused forever.
-
-Additionally, Vault requires the following authentication information.
-
-- `username` `(string: <required>)` – Specifies the MySQL username to connect to
-  the database.
-
-- `password` `(string: <required>)` – Specifies the MySQL password to connect to
-  the database.
-
-### High Availability Parameters
-
-- `ha_enabled` `(string: "true")` -  Specifies if high availability mode is
-  enabled. This is a boolean value, but it is specified as a string like "true"
-  or "false".
-
-- `lock_table` `(string: "vault_lock")` – Specifies the name of the table to
-  use for storing high availability information. By default, this is the name
-  of the `table` suffixed with `_lock`. If the table does not exist, Vault will
-  attempt to create it.
-
-## `mysql` Examples
-
-### Custom Database and Table
-
-This example shows configuring the MySQL backend to use a custom database and
-table name.
-
-```hcl
-storage "mysql" {
-  database = "my-vault"
-  table    = "vault-data"
-  username = "user1234"
-  password = "pass5678"
-}
-```
-
-[mysql]: https://dev.mysql.com
diff --git a/website/source/docs/configuration/storage/oci-object-storage.html.md b/website/source/docs/configuration/storage/oci-object-storage.html.md
deleted file mode 100644
index 67900ffb0308..000000000000
--- a/website/source/docs/configuration/storage/oci-object-storage.html.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-layout: "docs"
-page_title: "OCI Object Storage - Storage Backends - Configuration"
-sidebar_title: "OCI Object Storage"
-sidebar_current: "docs-configuration-storage-oci-object-storage"
-description: |-
-  The OCI Object Storage backend is used to persist Vault's data in OCI Object Storage.
----
-
-# OCI Object Storage Storage Backend
-
-The OCI Object Storage backend is used to persist Vault's data in OCI Object Storage.
-
-- **High Availability** – the OCI Object Storage backend supports high availability.
-
-- **Community Supported** – the OCI Object Storage backend is supported by the community. While it has undergone review by HashiCorp employees, they may not be as knowledgeable about the technology. If you encounter problems with them, you may be referred to the original author.
-
-```hcl
-storage "oci" {
-   namespace_name = "<object_storage_namespace_name>"
-   bucket_name = "<vault_data_bucket_name>"
-   ha_enabled = "<boolean true/false>"
-   lock_bucket_name = "<leader_lock_bucket_name>"
-   auth_type_api_key = "<boolean setting for using api-key instead of instance principals>"
-}
-```
-
-For more information on OCI Object Storage, please see the Oracle's [OCI Object Storage documentation][ocios-docs].
-
-
-## `oci` Setup
-
-To use the OCI Object Storage Vault storage backend, you must have a OCI account. Either using the API or web interface, create the data bucket and lock bucket if enabling high availability.
-
-The OCI Object Storage backend does not support creating the buckets automatically at this time.
-
-
-## `oci` Authentication
-
-The OCI Object Storage Vault storage backend uses the official OCI Golang SDK. This means it supports the common ways of providing credentials to OCI.
-
-For more information on service accounts, please see the [OCI Identity documentation] [oci-identity].
-
-## `oci` Parameters
-
-- `namespace_name` `(string: <required>)` – Specifies the name of the OCI Object Storage namespaces containing the data bucket and the lock bucket.
-
-- `bucket_name` `(string: <required>)` - Specifies the name of the bucket that will be used to store the vault data.
-
-
-### High Availability Parameters
-
-- `ha_enabled` `(string: "<required>")` - Specifies if high availability mode is
-  enabled. This is a boolean value, but it is specified as a string like "true"
-  or "false".
-
-- `lock_bucket_name` `(string: "<required>")` - Specifies the name of the bucket that will be used to store the node lease data.
-
-## `oci` Examples
-
-### Standalone Vault instance
-
-This example shows configuring OCI Object Storage as a standalone instance.
-
-```hcl
-storage "oci" {
-    namespace_name = "MyNamespace"
-    bucket_name = "DataBucket"
-}
-```
-
-### High Availability
-
-This example shows configuring OCI Object Storage with high availability enabled.
-
-```hcl
-storage "oci" {
-   namespace_name = "MyNamespace"
-   bucket_name = "DataBucket"
-   ha_enabled = "true"
-   lock_bucket_name = "LockBucket"
-}
-```
-
-[oci-identity]: https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/overview.htm
-[ocios-docs]: https://docs.cloud.oracle.com/iaas/Content/Object/Concepts/objectstorageoverview.htm
diff --git a/website/source/docs/configuration/storage/postgresql.html.md b/website/source/docs/configuration/storage/postgresql.html.md
deleted file mode 100644
index 59c192cbfbf8..000000000000
--- a/website/source/docs/configuration/storage/postgresql.html.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-layout: "docs"
-page_title: "PostgreSQL - Storage Backends - Configuration"
-sidebar_title: "PostgreSQL"
-sidebar_current: "docs-configuration-storage-postgresql"
-description: |-
-  The PostgreSQL storage backend is used to persist Vault's data in a PostgreSQL
-  server or cluster.
----
-
-# PostgreSQL Storage Backend
-
-The PostgreSQL storage backend is used to persist Vault's data in a
-[PostgreSQL][postgresql] server or cluster.
-
-- **High Availability** – the PostgreSQL storage backend supports
-  high availability. Requires PostgreSQL 9.5 or later.
-
-- **Community Supported** – the PostgreSQL storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "postgresql" {
-  connection_url = "postgres://user123:secret123!@localhost:5432/vault"
-}
-```
-
-~> **Note:** The PostgreSQL storage backend plugin will attempt to use SSL 
-when connecting to the database.  If SSL is not enabled the `connection_url` 
-will need to be configured to disable SSL.  See the documentation below 
-to disable SSL.
-
-The PostgreSQL storage backend does not automatically create the table. Here is
-some sample SQL to create the schema and indexes.
-
-```sql
-CREATE TABLE vault_kv_store (
-  parent_path TEXT COLLATE "C" NOT NULL,
-  path        TEXT COLLATE "C",
-  key         TEXT COLLATE "C",
-  value       BYTEA,
-  CONSTRAINT pkey PRIMARY KEY (path, key)
-);
-
-CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
-```
-
-Store for HAEnabled backend
-
-```sql
-CREATE TABLE vault_ha_locks (
-  ha_key                                      TEXT COLLATE "C" NOT NULL,
-  ha_identity                                 TEXT COLLATE "C" NOT NULL,          
-  ha_value                                    TEXT COLLATE "C",  
-  valid_until                                 TIMESTAMP WITH TIME ZONE NOT NULL,
-  CONSTRAINT ha_key PRIMARY KEY (ha_key)
-);
-```
-
-
-If you're using a version of PostgreSQL prior to 9.5, create the following function:
-
-```sql
-CREATE FUNCTION vault_kv_put(_parent_path TEXT, _path TEXT, _key TEXT, _value BYTEA) RETURNS VOID AS
-$$
-BEGIN
-    LOOP
-        -- first try to update the key
-        UPDATE vault_kv_store
-          SET (parent_path, path, key, value) = (_parent_path, _path, _key, _value)
-          WHERE _path = path AND key = _key;
-        IF found THEN
-            RETURN;
-        END IF;
-        -- not there, so try to insert the key
-        -- if someone else inserts the same key concurrently,
-        -- we could get a unique-key failure
-        BEGIN
-            INSERT INTO vault_kv_store (parent_path, path, key, value)
-              VALUES (_parent_path, _path, _key, _value);
-            RETURN;
-        EXCEPTION WHEN unique_violation THEN
-            -- Do nothing, and loop to try the UPDATE again.
-        END;
-    END LOOP;
-END;
-$$
-LANGUAGE plpgsql;
-```
-
-## `postgresql` Parameters
-
-- `connection_url` `(string: <required>)` – Specifies the connection string to
-  use to authenticate and connect to PostgreSQL. The connection URL can also be
-  set using the `VAULT_PG_CONNECTION_URL` environment variable. A full list of supported
-  parameters can be found in [the pq library documentation][pglib]. For example
-  connection string URLs, see the examples section below.
-
-- `table` `(string: "vault_kv_store")` – Specifies the name of the table in
-  which to write Vault data. This table must already exist (Vault will not
-  attempt to create it).
-
-- `max_idle_connections` `(int)` - Default not set. Sets the maximum number of 
-  connections in the idle connection pool. See
-  [golang docs on SetMaxIdleConns][golang_SetMaxIdleConns] for more information. 
-  Requires 1.2 or later.
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests to PostgreSQL.
-
-- `ha_enabled` `(string: "true|false")` – Default not enabled, requires 9.5 or later.
-
-- `ha_table` `(string: "vault_ha_locks")` – Specifies the name of the table to use
-  for storing high availability information. This table must already exist (Vault
-  will not attempt to create it).
-
-## `postgresql` Examples
-
-### Custom SSL Verification
-
-This example shows connecting to a PostgreSQL cluster using full SSL
-verification (recommended).
-
-```hcl
-storage "postgresql" {
-  connection_url = "postgres://user:pass@localhost:5432/database?sslmode=verify-full"
-}
-```
-
-To disable SSL verification (not recommended), replace `verify-full` with
-`disable`:
-
-```hcl
-storage "postgresql" {
-  connection_url = "postgres://user:pass@localhost:5432/database?sslmode=disable"
-}
-```
-
-[golang_SetMaxIdleConns]: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
-[postgresql]: https://www.postgresql.org/
-[pglib]: https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
diff --git a/website/source/docs/configuration/storage/raft.html.md b/website/source/docs/configuration/storage/raft.html.md
deleted file mode 100644
index 5575876af72e..000000000000
--- a/website/source/docs/configuration/storage/raft.html.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-layout: "docs"
-page_title: "Raft - Storage Backends - Configuration"
-sidebar_title: "Raft"
-sidebar_current: "docs-configuration-storage-raft"
-description: |-
-
- The Raft storage backend is used to persist Vault's data. Unlike all the other
- storage backends, this backend does not operate from a single source for the
- data. Instead all the nodes in a Vault cluster will have a replicated copy of
- the entire data. The data is replicated across the nodes using the Raft
- Consensus Algorithm.
-
----
-
-# Raft Storage Backend
-
-~> **NOTE:** Vault's Integrated Storage is currently a ***Beta***
-feature and not recommended for deployment in production.
-
-The Raft storage backend is used to persist Vault's data. Unlike other storage
-backends, Raft storage does not operate from a single source of data. Instead
-all the nodes in a Vault cluster will have a replicated copy of Vault's data.
-Data gets replicated across the all the nodes via the [Raft Consensus
-Algorithm][raft].
-
-
-- **High Availability** – the Raft storage backend supports high availability.
-
-- **HashiCorp Supported** – the Raft storage backend is officially supported
-  by HashiCorp.
-
-```hcl
-storage "raft" {
-  path = "/path/to/raft/data"
-  node_id = "raft_node_1"
-}
-cluster_addr = "http://127.0.0.1:8201"
-```
-
-**Note:** When using the Raft storage backend, it is required to provide `cluster_addr` to indicate the address and port to be used for communication between the nodes in the Raft cluster.
-
-## `raft` Parameters
-
-- `path` `(string: "")` – The file system path where all the Vault data gets
-  stored.
-  This value can be overridden by setting the `VAULT_RAFT_PATH` environment variable.
-
-- `node_id` `(string: "")` - The identifier for the node in the Raft cluster.
-  This value can be overridden by setting the `VAULT_RAFT_NODE_ID` environment variable.
-
-[raft]: https://raft.github.io/ "The Raft Consensus Algorithm"
diff --git a/website/source/docs/configuration/storage/s3.html.md b/website/source/docs/configuration/storage/s3.html.md
deleted file mode 100644
index 17d54589a33d..000000000000
--- a/website/source/docs/configuration/storage/s3.html.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-layout: "docs"
-page_title: "S3 - Storage Backends - Configuration"
-sidebar_title: "S3"
-sidebar_current: "docs-configuration-storage-s3"
-description: |-
-  The S3 storage backend is used to persist Vault's data in an Amazon S3
-  bucket.
----
-
-# S3 Storage Backend
-
-The S3 storage backend is used to persist Vault's data in an [Amazon S3][s3]
-bucket.
-
-- **No High Availability** – the S3 storage backend does not support high
-  availability.
-
-- **Community Supported** – the S3 storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "s3" {
-  access_key = "abcd1234"
-  secret_key = "defg5678"
-  bucket     = "my-bucket"
-}
-```
-
-## `s3` Parameters
-
-- `bucket` `(string: <required>)` – Specifies the name of the S3 bucket. This
-  can also be provided via the environment variable `AWS_S3_BUCKET`.
-
-- `endpoint` `(string: "")` – Specifies an alternative, AWS compatible, S3
-  endpoint. This can also be provided via the environment variable
-  `AWS_S3_ENDPOINT`.
-
-- `region` `(string "us-east-1")` – Specifies the AWS region. This can also be
-  provided via the environment variable `AWS_REGION` or `AWS_DEFAULT_REGION`,
-  in that order of preference.
-
-The following settings are used for authenticating to AWS. If you are
-running your Vault server on an EC2 instance, you can also make use of the EC2
-instance profile service to provide the credentials Vault will use to make
-S3 API calls. Leaving the `access_key` and `secret_key` fields empty will
-cause Vault to attempt to retrieve credentials from the AWS metadata service.
-
-- `access_key` – Specifies the AWS access key. This can also be provided via
-  the environment variable `AWS_ACCESS_KEY_ID`, AWS credential files, or by
-  IAM role.
-
-- `secret_key` – Specifies the AWS secret key. This can also be provided via
-  the environment variable `AWS_SECRET_ACCESS_KEY`, AWS credential files, or
-  by IAM role.
-
-- `session_token` `(string: "")` – Specifies the AWS session token. This can
-  also be provided via the environment variable `AWS_SESSION_TOKEN`.
-
-- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-  requests to S3.
-
-- `s3_force_path_style` `(string: "false")` - Specifies whether to use host
-  bucket style domains with the configured endpoint.
-
-- `disable_ssl` `(string: "false")` - Specifies if SSL should be used for the
-  endpoint connection (highly recommended not to disable for production).
-
-- `kms_key_id` `(string: "")` - Specifies the ID or Alias of the KMS key used to
-  encrypt data in the S3 backend. Vault must have `kms:Encrypt` and `kms:Decrypt`
-  permissions for this key. You can use `alias/aws/s3` to specify the default
-  key for the account.
-  
-- `path` `(string: "")` - Specifies the path in the S3 Bucket where Vault 
-  data will be stored.
-  
-## `s3` Examples
-
-### Default Example
-
-This example shows using Amazon S3 as a storage backend.
-
-```hcl
-storage "s3" {
-  access_key = "abcd1234"
-  secret_key = "defg5678"
-  bucket     = "my-bucket"
-}
-```
-
-### S3 KMS Encryption with Default Key
-
-This example shows using Amazon S3 as a storage backend using KMS
-encryption with the default S3 KMS key for the account.
-
-```hcl
-storage "s3" {
-  access_key = "abcd1234"
-  secret_key = "defg5678"
-  bucket     = "my-bucket"
-  kms_key_id = "alias/aws/s3"
-}
-```
-
-### S3 KMS Encryption with Custom Key
-
-This example shows using Amazon S3 as a storage backend using KMS
-encryption with a customer managed KMS key.
-
-```hcl
-storage "s3" {
-  access_key = "abcd1234"
-  secret_key = "defg5678"
-  bucket     = "my-bucket"
-  kms_key_id = "001234ac-72d3-9902-a3fc-0123456789ab"
-}
-```
-
-[s3]: https://aws.amazon.com/s3/
diff --git a/website/source/docs/configuration/storage/swift.html.md b/website/source/docs/configuration/storage/swift.html.md
deleted file mode 100644
index 1108949e4169..000000000000
--- a/website/source/docs/configuration/storage/swift.html.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-layout: "docs"
-page_title: "Swift - Storage Backends - Configuration"
-sidebar_title: "Swift"
-sidebar_current: "docs-configuration-storage-swift"
-description: |-
-  The Swift storage backend is used to persist Vault's data in an OpenStack
-  Swift Container.
----
-
-# Swift Storage Backend
-
-The Swift storage backend is used to persist Vault's data in an
-[OpenStack Swift Container][swift].
-
-
-- **No High Availability** – the Swift storage backend does not support high
-  availability.
-
-- **Community Supported** – the Swift storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "swift" {
-  auth_url  = "https://..."
-  username  = "admin"
-  password  = "secret123!"
-  container = "my-storage-container"
-}
-```
-
-## `swift` Parameters
-
-- `auth_url` `(string: <required>)` – Specifies the OpenStack authentication
-  endpoint. This can also be provided via the environment variable `OS_AUTH_URL`.
-
-- `container` `(string: <required>)` – Specifies the name of the Swift
-  container. This can also be provided via the environment variable
-  `OS_CONTAINER`.
-
-- `max_parallel` `(string: "128")` – The maximum number of concurrent requests.
-
-- `password` `(string: <required>)` – Specifies the OpenStack password. This can
-  also be provided via the environment variable `OS_PASSWORD`.
-
-- `tenant` `(string: "")` – Specifies the name of the tenant. If left blank,
-  this will default to the default tenant of the username. This can also be
-  provided via the environment variable `OS_TENANT_NAME`.
-
-- `username` `(string: <required>)` – Specifies the OpenStack account/username.
-  This can also be provided via the environment variable `OS_USERNAME`.
-
-- `region` `(string: "")` – Specifies the name of the region. This can also be provided via the environment variable `OS_REGION_NAME`. 
-
-- `tenant_id` `(string: "")` - Specifies the id of the tenant. This can also be provided via the environment variable `OS_TENANT_ID`.
-
-- `domain` `(string: "")` - Specifies the name of the user domain. This can also be provided via the environment variable `OS_USER_DOMAIN_NAME`.
-
-- `project-domain` `(string: "")` - Specifies the name of the project's domain. This can also be provided via the environment variable `OS_PROJECT_DOMAIN_NAME`.
-
-- `trust_id` `(string: "")` - Specifies the id of the trust. This can also be provided via the environment variable `OS_TRUST_ID`.
-
-- `storage_url` `(string: "")` - Specifies storage URL from alternate authentication. This can also be provided via the environment variable `OS_STORAGE_URL`.
-
-- `auth_token` `(string: "")` - Specifies auth token from alternate authentication. This can also be provided via the environment variable `OS_AUTH_TOKEN`.
-
-## `swift` Examples
-
-### Default Example
-
-This example shows a default configuration for Swift.
-
-```hcl
-storage "swift" {
-  auth_url  = "https://os.internal/v1/auth"
-  container = "container-239"
-
-  username  = "user1234"
-  password  = "pass5678"
-}
-```
-
-[swift]: http://docs.openstack.org/developer/swift/
diff --git a/website/source/docs/configuration/storage/zookeeper.html.md b/website/source/docs/configuration/storage/zookeeper.html.md
deleted file mode 100644
index a7ce05a3ee71..000000000000
--- a/website/source/docs/configuration/storage/zookeeper.html.md
+++ /dev/null
@@ -1,154 +0,0 @@
----
-layout: "docs"
-page_title: "Zookeeper - Storage Backends - Configuration"
-sidebar_title: "Zookeeper"
-sidebar_current: "docs-configuration-storage-zookeeper"
-description: |-
-  The Zookeeper storage backend is used to persist Vault's data in Zookeeper.
----
-
-# Zookeeper Storage Backend
-
-The Zookeeper storage backend is used to persist Vault's data in
-[Zookeeper][zk].
-
-- **High Availability** – the Zookeeper storage backend supports high
-  availability.
-
-- **Community Supported** – the Zookeeper storage backend is supported by the
-  community. While it has undergone review by HashiCorp employees, they may not
-  be as knowledgeable about the technology. If you encounter problems with them,
-  you may be referred to the original author.
-
-```hcl
-storage "zookeeper" {
-  address = "localhost:2181"
-  path    = "vault/"
-}
-```
-
-## `zookeeper` Parameters
-
-- `address` `(string: "localhost:2181")` – Specifies the addresses of the
-  Zookeeper instances as a comma-separated list.
-
-- `path` `(string: "vault/")` – Specifies the path in Zookeeper where data will
-  be stored.
-
-The following optional settings can be used to configure zNode ACLs:
-
-~> **Warning!** If neither `auth_info` nor `znode_owner` are set, the backend
-will not authenticate with Zookeeper and will set the `OPEN_ACL_UNSAFE` ACL on
-all nodes. In this scenario, anyone connected to Zookeeper could change Vault’s
-znodes and, potentially, take Vault out of service.
-
-- `auth_info` `(string: "")` – Specifies an authentication string in Zookeeper
-  AddAuth format. For example, `digest:UserName:Password` could be used to
-  authenticate as user `UserName` using password `Password` with the `digest`
-  mechanism.
-
-- `znode_owner` `(string: "")` – If specified, Vault will always set all
-  permissions (CRWDA) to the ACL identified here via the Schema and User parts
-  of the Zookeeper ACL format. The expected format is `schema:user-ACL-match`,
-  for example:
-
-    ```text
-    # Access for user "UserName" with corresponding digest "HIDfRvTv623G=="
-    digest:UserName:HIDfRvTv623G==
-    ```
-
-    ```text
-    # Access from localhost only
-    ip:127.0.0.1
-    ```
-
-    ```text
-    # Access from any host on the 70.95.0.0 network (Zookeeper 3.5+)
-    ip:70.95.0.0/16
-    ```
-
-- `tls_enabled` `(bool: false)` – Specifies if TLS communication with the Zookeeper
-   backend has to be enabled.
-
-- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate file used
-  for Zookeeper communication. Multiple CA certificates can be provided in the same file.
-
-- `tls_cert_file` `(string: "")` (optional) – Specifies the path to the
-  client certificate for Zookeeper communication.
-
-- `tls_key_file` `(string: "")` – Specifies the path to the private key for
-  Zookeeper communication.
-
-- `tls_min_version` `(string: "tls12")` – Specifies the minimum TLS version to
-  use. Accepted values are `"tls10"`, `"tls11"` or `"tls12"`.
-
-- `tls_skip_verify` `(bool: false)` – Disable verification of TLS certificates.
-  Using this option is highly discouraged.
-
-- `tls_verify_ip` `(bool: false)` - This property comes into play only when
-  'tls_skip_verify' is set to false. When 'tls_verify_ip' is set to 'true', the
-  zookeeper server's IP is verified in the presented certificates CN/SAN entry. 
-  When set to 'false' the server's DNS name is verified in the certificates CN/SAN entry.
-
-
-## `zookeeper` Examples
-
-### Custom Address and Path
-
-This example shows configuring Vault to communicate with a Zookeeper
-installation running on a custom port and to store data at a custom path.
-
-```hcl
-storage "zookeeper" {
-  address = "localhost:3253"
-  path    = "my-vault-data/"
-}
-```
-
-### zNode Vault User Only
-
-This example instructs Vault to set an ACL on all of its zNodes which permit
-access only to the user "vaultUser". As per Zookeeper's ACL model, the digest
-value in `znode_owner` must match the user in `znode_owner`.
-
-```hcl
-storage "zookeeper" {
-  znode_owner = "digest:vaultUser:raxgVAfnDRljZDAcJFxznkZsExs="
-  auth_info   = "digest:vaultUser:abc"
-}
-```
-
-### zNode Localhost Only
-
-This example instructs Vault to only allow access from localhost. As this is the
-`ip` no `auth_info` is required since Zookeeper uses the address of the client
-for the ACL check.
-
-```hcl
-storage "zookeeper" {
-  znode_owner = "ip:127.0.0.1"
-}
-```
-
-### zNode connection over TLS.
-
-This example instructs Vault to connect to Zookeeper using the provided TLS configuration. The host verification will happen with the presented certificate using the servers IP because 'tls_verify_ip' is set to true.
-
-```hcl
-storage "zookeeper" {
-  address = "host1.com:5200,host2.com:5200,host3.com:5200"
-  path = "vault_path_on_zk/"
-  znode_owner = "digest:vault_user:digestvalueforpassword="
-  auth_info = "digest:vault_user:thisisthepassword"
-  redirect_addr = "http://localhost:8200"
-  tls_verify_ip = "true"
-  tls_enabled= "true"
-  tls_min_version= "tls12"
-  tls_cert_file = "/path/to/the/cert/file/zkcert.pem"
-  tls_key_file = "/path/to/the/key/file/zkkey.pem"
-  tls_skip_verify= "false"
-  tls_ca_file= "/path/to/the/ca/file/ca.pem"
-}
-```
-
-[zk]: https://zookeeper.apache.org/
diff --git a/website/source/docs/configuration/telemetry.html.md b/website/source/docs/configuration/telemetry.html.md
deleted file mode 100644
index a8abfc9e0c09..000000000000
--- a/website/source/docs/configuration/telemetry.html.md
+++ /dev/null
@@ -1,209 +0,0 @@
----
-layout: "docs"
-page_title: "Telemetry - Configuration"
-sidebar_title: "<code>telemetry</code>"
-sidebar_current: "docs-configuration-telemetry"
-description: |-
-  The telemetry stanza specifies various configurations for Vault to publish
-  metrics to upstream systems.
----
-
-# `telemetry` Stanza
-
-The `telemetry` stanza specifies various configurations for Vault to publish
-metrics to upstream systems. Available Vault metrics can be found in the
-[Telemetry internals documentation](/docs/internals/telemetry.html).
-
-```hcl
-telemetry {
-  statsite_address = "statsite.company.local:8125"
-}
-```
-
-## `telemetry` Parameters
-
-Due to the number of configurable parameters to the `telemetry` stanza,
-parameters on this page are grouped by the telemetry provider.
-
-### Common
-
-The following options are available on all telemetry configurations.
-
-* `disable_hostname` `(bool: false)` - Specifies if gauge values should be
-  prefixed with the local hostname.
-* `enable_hostname_label` `(bool: false)` - Specifies if all metric values should
-  contain the `host` label with the local hostname. It is recommended to enable
-  `disable_hostname` if this option is used.
-
-### `statsite`
-
-These `telemetry` parameters apply to
-[statsite](https://github.com/armon/statsite).
-
-* `statsite_address` `(string: "")` - Specifies the address of a statsite server
-  to forward metrics data to.
-
-```hcl
-telemetry {
-  statsite_address = "statsite.company.local:8125"
-}
-```
-
-### `statsd`
-
-These `telemetry` parameters apply to
-[statsd](https://github.com/etsy/statsd).
-
-* `statsd_address` `(string: "")` - Specifies the address of a statsd server to
-  forward metrics to.
-
-```hcl
-telemetry {
-  statsd_address = "statsd.company.local:8125"
-}
-```
-
-### `circonus`
-
-These `telemetry` parameters apply to [Circonus](http://circonus.com/).
-
-* `circonus_api_token` `(string: "")` - Specifies a valid Circonus API Token
-  used to create/manage check. If provided, metric management is enabled.
-
-* `circonus_api_app` `(string: "nomad")` - Specifies a valid app name associated
-  with the API token.
-
-* `circonus_api_url` `(string: "https://api.circonus.com/v2")` - Specifies the
-  base URL to use for contacting the Circonus API.
-
-* `circonus_submission_interval` `(string: "10s")` - Specifies the interval at
-  which metrics are submitted to Circonus.
-
-* `circonus_submission_url` `(string: "")` - Specifies the
-  `check.config.submission_url` field, of a Check API object, from a previously
-  created HTTPTRAP check.
-
-* `circonus_check_id` `(string: "")` - Specifies the Check ID (**not check
-  bundle**) from a previously created HTTPTRAP check. The numeric portion of the
-  `check._cid` field in the Check API object.
-
-* `circonus_check_force_metric_activation` `(bool: false)` - Specifies if force
-  activation of metrics which already exist and are not currently active. If
-  check management is enabled, the default behavior is to add new metrics as
-  they are encountered. If the metric already exists in the check, it will
-  not be activated. This setting overrides that behavior.
-
-* `circonus_check_instance_id` `(string: "<hostname>:<application>")` - Serves
-  to uniquely identify the metrics coming from this _instance_. It can be used
-  to maintain metric continuity with transient or ephemeral instances as they
-  move around within an infrastructure. By default, this is set to
-  hostname:application name (e.g. "host123:nomad").
-
-* `circonus_check_search_tag` `(string: <service>:<application>)` - Specifies a
-  special tag which, when coupled with the instance id, helps to narrow down the
-  search results when neither a Submission URL or Check ID is provided. By
-  default, this is set to service:app (e.g. "service:nomad").
-
-* `circonus_check_display_name` `(string: "")` - Specifies a name to give a
-  check when it is created. This name is displayed in the Circonus UI Checks
-  list.
-
-* `circonus_check_tags` `(string: "")` - Comma separated list of additional
-  tags to add to a check when it is created.
-
-* `circonus_broker_id` `(string: "")` - Specifies the ID of a specific Circonus
-  Broker to use when creating a new check. The numeric portion of `broker._cid`
-  field in a Broker API object. If metric management is enabled and neither a
-  Submission URL nor Check ID is provided, an attempt will be made to search for
-  an existing check using Instance ID and Search Tag. If one is not found, a new
-  HTTPTRAP check will be created. By default, this is a random
-  Enterprise Broker is selected, or, the default Circonus Public Broker.
-
-* `circonus_broker_select_tag` `(string: "")` - Specifies a special tag which
-  will be used to select a Circonus Broker when a Broker ID is not provided. The
-  best use of this is to as a hint for which broker should be used based on
-  _where_ this particular instance is running (e.g. a specific geo location or
-  datacenter, dc:sfo).
-
-### `dogstatsd`
-
-These `telemetry` parameters apply to
-[DogStatsD](http://docs.datadoghq.com/guides/dogstatsd/).
-
-* `dogstatsd_addr` `(string: "")` - This provides the address of a DogStatsD
-  instance. DogStatsD is a protocol-compatible flavor of statsd, with the added
-  ability to decorate metrics with tags and event information. If provided,
-  Vault will send various telemetry information to that instance for
-  aggregation. This can be used to capture runtime information.
-
-- `dogstatsd_tags` `(string array: [])` - This provides a list of global tags
-  that will be added to all telemetry packets sent to DogStatsD. It is a list
-  of strings, where each string looks like "my_tag_name:my_tag_value".
-
-### `prometheus`
-
-These `telemetry` parameters apply to
-[prometheus](https://prometheus.io).
-
-* `prometheus_retention_time` `(string: "24h")` - Specifies the amount of time that
-  prometheus metrics are retained in memory. It is recommended to also enable the option
-  `disable_hostname` to avoid having prefixed metrics with hostname. Vault does not use the
-  default Prometheus path, so Prometheus must be configured as follows. Note that using
-  `?format=prometheus` in the path won't work as "?" will be escaped, so it must be specified
-  as a parameter. Additionally a Vault token is required to access /v1/sys/metrics. The prometheus
-  `bearer_token` or `bearer_token_file` options must be added to the scrape job.
-
-```
-metrics_path: "/v1/sys/metrics"
-params:
-  format: ['prometheus']
-bearer_token: your_vault_token_here
-
-```
-
-```hcl
-telemetry {
-  prometheus_retention_time = "30s",
-  disable_hostname = true
-}
-```
-
-### `stackdriver`
-
-These `telemetry` parameters apply to [Stackdriver Monitoring](https://cloud.google.com/monitoring/).
-
-The Stackdriver telemetry provider uses the official Google Cloud Golang SDK. This means
-it supports the common ways of
-[providing credentials to Google Cloud](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application).
-
-To use this telemetry provider, the service account must have the following
-minimum scope(s):
-
-```text
-https://www.googleapis.com/auth/cloud-platform
-https://www.googleapis.com/auth/monitoring
-https://www.googleapis.com/auth/monitoring.write
-```
-
-And the following IAM role(s):
-
-```text
-roles/monitoring.metricWriter
-```
-
-*  `stackdriver_project_id` the Google Cloud ProjectID to send telemetry data to.
-*  `stackdriver_location` the GCP or AWS region of the monitored resource.
-*  `stackdriver_namespace` a namespace identifier for the telemetry data.
-
-It is recommended to also enable the option `disable_hostname` to avoid having prefixed
-metrics with hostname and enable instead `enable_hostname_label`. 
-
-```hcl
-telemetry {
-  stackdriver_project_id = "my-test-project"
-  stackdriver_location = "us-east1-a"
-  stackdriver_namespace = "vault-cluster-a"
-  disable_hostname = true
-  enable_hostname_label = true
-}
-```
diff --git a/website/source/docs/configuration/ui/index.html.md b/website/source/docs/configuration/ui/index.html.md
deleted file mode 100644
index 84059f3f6cd0..000000000000
--- a/website/source/docs/configuration/ui/index.html.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-layout: "docs"
-page_title: "UI - Configuration"
-sidebar_title: "<code>ui</code>"
-sidebar_current: "docs-configuration-ui"
-description: |-
-  Vault features a user interface (web interface) for interacting with Vault.
-  Easily create, read, update, and delete secrets, authenticate, unseal, and
-  more with the Vault UI.
----
-
-# Vault UI
-
-Vault features a user interface (web interface) for interacting with Vault.
-Easily create, read, update, and delete secrets, authenticate, unseal, and
-more with the Vault UI.
-
--> The UI requires **Vault 0.10 or higher** or Vault Enterprise.
-
-## Activating the Vault UI
-
-The Vault UI is not activated by default. To activate the UI, set the `ui`
-configuration option in the Vault server configuration. Vault clients do not
-need to set this option, since they will not be serving the UI.
-
-```hcl
-ui = true
-
-listener "tcp" {
-  # ...
-}
-```
-
-For more information, please see the
-[Vault configuration options](/docs/configuration/index.html).
-
-## Accessing the Vault UI
-
-The UI runs on the same port as the Vault listener. As such, you must configure
-at least one `listener` stanza in order to access the UI.
-
-```hcl
-listener "tcp" {
-  address = "10.0.1.35:8200"
-
-  # If bound to localhost, the Vault UI is only
-  # accessible from the local machine!
-  # address = "127.0.0.1:8200"
-}
-```
-
-In this case, the UI is accessible the following URL from any machine on the
-subnet (provided no network firewalls are in place):
-
-```text
-https://10.0.1.35:8200/ui/
-```
-
-It is also accessible at any DNS entry that resolves to that IP address, such as
-the Consul service address (if using Consul):
-
-```text
-https://vault.service.consul:8200/ui/
-```
-
-### Note on TLS
-
-When using TLS (recommended), the certificate must be valid for all DNS entries
-you will be accessing the Vault UI on, and any IP addresses on the SAN. If you
-are running Vault with a self-signed certificate, any browsers that access the
-Vault UI will need to have the root CA installed. Failure to do so may result in
-the browser displaying a warning that the site is "untrusted". It is highly
-recommended that client browsers accessing the Vault UI install the proper CA
-root for validation to reduce the chance of a MITM attack.
diff --git a/website/source/docs/enterprise/control-groups/index.html.md b/website/source/docs/enterprise/control-groups/index.html.md
deleted file mode 100644
index 88aa7ba150fb..000000000000
--- a/website/source/docs/enterprise/control-groups/index.html.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Enterprise Control Groups"
-sidebar_title: "Control Groups"
-sidebar_current: "docs-vault-enterprise-control-groups"
-description: |-
-  Vault Enterprise has support for Control Group Authorization.
-
----
-
-# Vault Enterprise Control Group Support
-
-Vault Enterprise has support for Control Group Authorization. Control Groups
-add additional authorization factors to be required before satisfying a request.  
-
-When a Control Group is required for a request, a limited duration response
-wrapping token is returned to the user instead of the requested data. The
-accessor of the response wrapping token can be passed to the authorizers
-required by the control group policy. Once all authorizations are satisfied,
-the wrapping token can be used to unwrap and process the original request.
-
-## Control Group Factors
-
-Control Groups can verify the following factors:
-
-- `Identity Groups` - Require an authorizer to be in a specific set of identity
-groups.
-
-## Control Groups In ACL Policies
-
-Control Group requirements on paths are specified as `control_group` along
-with other ACL parameters.
-
-### Sample ACL Policies
-
-```
-path "secret/foo" {
-    capabilities = ["read"]
-    control_group = {
-        factor "ops_manager" {
-            identity {
-                group_names = ["managers"]
-                approvals = 1
-            }
-        }
-    }
-}
-```
-
-The above policy grants `read` access to `secret/foo` only after one member of
-the "managers" group authorizes the request.
-
-```
-path "secret/foo" {
-    capabilities = ["create", "update"]
-    control_group = {
-        ttl = "4h"
-        factor "tech leads" {
-            identity {
-                group_names = ["managers", "leads"]
-                approvals = 2
-            }
-        }
-        factor "super users" {
-            identity {
-                group_names = ["superusers"]
-                approvals = 1
-            }
-        }
-    }
-}
-```
-
-The above policy grants `create` and `update` access to `secret/foo` only after
-two member of the "managers" or "leads" group and one member of the "superusers"
-group authorizes the request.  If an authorizer is a member of both the
-"managers" and "superusers" group, one authorization for both factors will be
-satisfied.
-
-## Control Groups in Sentinel
-
-Control Groups are also supported in Sentinel policies using the `controlgroup`
-import.  See [Sentinel Documentation](/docs/enterprise/sentinel/index.html) for more
-details on available properties.
-
-### Sample Sentinel Policy
-
-```
-import "time"
-import "controlgroup"
-
-control_group = func() {
-    numAuthzs = 0
-    for controlgroup.authorizations as authz {
-		if "managers" in authz.groups.by_name {
-			if time.load(authz.time).unix > time.now.unix - 3600 {
-				numAuthzs = numAuthzs + 1
-			}
-		}
-    }
-    if numAuthzs >= 2 {
-        return true
-    }
-    return false
-}
-
-main = rule {
-    control_group()
-}
-```
-
-The above policy will reject the request unless two members of the `managers`
-group have authorized the request. Additionally it verifies the authorizations
-happened in the last hour.
-
-## Learn
-
-Refer to the [Control Groups](https://learn.hashicorp.com/vault/identity-access-management/iam-control-groups)
-guide for a step-by-step tutorial.
-
-## API
-
-Control Groups can be managed over the HTTP API. Please see
-[Control Groups API](/api/system/control-group.html) for more details.
diff --git a/website/source/docs/enterprise/entropy-augmentation/index.html.md b/website/source/docs/enterprise/entropy-augmentation/index.html.md
deleted file mode 100644
index 03f19c7b05f1..000000000000
--- a/website/source/docs/enterprise/entropy-augmentation/index.html.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Enterprise Entropy Augmentation"
-sidebar_title: "Entropy Augmentation"
-sidebar_current: "docs-vault-enterprise-entropy-augmentation"
-description: |-
-  Vault Enterprise features a mechanism to sample entropy from external
-  cryptographic modules.
----
-
-# Entropy Augmentation
-
-Vault Enterprise features a mechanism to sample entropy (or randomness for
-cryptographic operations) from external cryptographic modules via the [seals](/docs/configuration/seal/index.html)
-interface. While the system entropy used by Vault is more than capable of
-operating in most threat models, there are some situations where additional
-entropy from hardware-based random number generators is desirable.
-
-To use this feature, you must have an active or trial license for Vault
-Enterprise. To start a trial, contact [HashiCorpsales](mailto:sales@hashicorp.com).
-
-# Critical Security Parameters (CSPs)
-
-Entropy augmentation allows Vault Enterprise to supplement its system entropy with
-entropy from an external cryptography module. Designed to operate in environments
-where alignment with cryptographic regulations like [NIST SP800-90B](https://csrc.nist.gov/publications/detail/sp/800-90b/final)
-is required or when augmented entropy from external sources such as hardware true
-random number generators (TRNGs) or [quantum computing TRNGs](https://www.hashicorp.com/blog/quantum-security-and-cryptography-in-hashicorp-vault/)
-are desirable, augmented entropy replaces system entropy when performing random
-number operations on critical security parameters (CSPs).
-
-These CSPs have been selected from our previous work in [evaluating Vault for conformance with
-FIPS 140-2 guidelines for key storage and key transport](https://www.datocms-assets.com/2885/1510600487-vault_compliance_letter_fips_140-2.pdf)
-and include the following:
-
-
-- Vault’s master key
-- Keyring encryption keys
-- Auto Unseal recovery keys
-- TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
-- Enterprise MFA TOTP token keys
-- JWT token wrapping keys
-- Root tokens
-- DR operation tokens
-- [Transit](/docs/secrets/transit/index.html) backend key generation
-
-## Enabling/Disabling
-
-Entropy augmentation is disabled by default. To enable entropy augmentation Vault's
-[configuration file][configuration] must include a properly configured [PKCS#11 seal and
-entropy stanza](/docs/configuration/entropy-augmentation/index.html).
-
-[configuration]: /docs/configuration/index.html
-
-
-## Learn
-
-Refer to the [HSM Integration - Entropy Augmentation](https://learn.hashicorp.com/vault/operations/hsm-entropy) guide
-for a step-by-step tutorial.
diff --git a/website/source/docs/enterprise/hsm/behavior.html.md b/website/source/docs/enterprise/hsm/behavior.html.md
deleted file mode 100644
index 192064dfd882..000000000000
--- a/website/source/docs/enterprise/hsm/behavior.html.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-layout: "docs"
-page_title: "Behavioral Changes - HSM Integration - Vault Enterprise"
-sidebar_title: "Behavioral Changes"
-sidebar_current: "docs-vault-enterprise-hsm-behavior"
-description: |-
-  Vault Enterprise HSM support changes the way Vault works with regard to unseal and recovery keys as well as rekey and recovery operations.
----
-
-# Vault Enterprise HSM Behavioral Changes
-
-This page contains information about the behavioral differences that take
-effect when using Vault with an HSM.
-
-## Key Split Between Unseal Keys and Recovery Keys
-
-Normally, Vault uses a single set of unseal keys to perform both decryption of
-the cryptographic barrier and to authorize recovery operations, such as the
-[`generate-root`](/api/system/generate-root.html)
-functionality.
-
-When using an HSM, because the HSM automatically unseals the barrier but
-recovery operations should still have human oversight, Vault instead uses two
-sets of keys: unseal keys and recovery keys.
-
-## Unseal (Master) Key
-
-Vault usually generates a master key and splits it using [Shamir's Secret
-Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) to prevent a
-single operator from being able to modify and unseal Vault (see more
-information about Vault's security model
-[here](/docs/internals/security.html)).
-
-When using an HSM, Vault instead stores the master key, encrypted by the HSM,
-into its internal storage. As a result, during an `init` command, the number of
-key shares, threshold, and stored shares are required to be set to `1`, meaning
-to not split the master key, so that the single key share is itself the master
-key. (Vault does not do this automatically as it generally prefers to error
-rather than change parameters set by an operator.)
-
-Both rekeying the master key and rotation of the underlying data
-encryption key are supported when using an HSM.
-
-## Recovery Key
-
-When Vault is initialized while using an HSM, rather than unseal keys being
-returned to the operator, recovery keys are returned. These are generated from
-an internal recovery key that is split via Shamir's Secret Sharing, similar to
-Vault's treatment of unseal keys when running without an HSM.
-
-Details about initialization and rekeying follow. When performing an operation
-that uses recovery keys, such as `generate-root`, selection of the recovery
-keys for this purpose, rather than the barrier unseal keys, is automatic.
-
-### Initialization
-
-When initializing, the split is performed according to the following CLI flags
-and their API equivalents in the
-[/sys/init](/api/system/init.html) endpoint:
-
- * `recovery-shares`: The number of shares into which to split the recovery
-   key. This value is equivalent to the `recovery_shares` value in the API
-   endpoint.
- * `recovery-threshold`: The threshold of shares required to reconstruct the
-   recovery key. This value is equivalent to the `recovery_threshold` value in
-   the API endpoint.
- * `recovery-pgp-keys`: The PGP keys to use to encrypt the returned recovery
-   key shares. This value is equivalent to the `recovery_pgp_keys` value in the
-   API endpoint, although as with `pgp_keys` the object in the API endpoint is
-   an array, not a string.
-
-Additionally, Vault will refuse to initialize if the option has not been set to
-generate a key but no key is found. See
-[Configuration](/docs/configuration/seal/pkcs11.html) for more details.
-
-### Rekeying
-
-#### Unseal Key
-
-Vault's unseal key can be rekeyed using a normal `vault operator rekey`
-operation from the CLI or the matching API calls. The rekey operation is
-authorized by meeting the threshold of recovery keys. After rekeying, the new
-barrier key is wrapped by the HSM and stored like the previous key; it is not
-returned to the users that submitted their recovery keys.
-
-#### Recovery Key
-
-The recovery key can be rekeyed to change the number of shares/threshold or to
-target different key holders via different PGP keys. When using the Vault CLI,
-this is performed by using the `-target=recovery` flag to `vault operator rekey`.
-
-Via the API, the rekey operation is performed with the same parameters as the
-[normal `/sys/rekey`
-endpoint](/api/system/rekey.html); however, the
-API prefix for this operation is at `/sys/rekey-recovery-key` rather than
-`/sys/rekey`.
diff --git a/website/source/docs/enterprise/hsm/index.html.md b/website/source/docs/enterprise/hsm/index.html.md
deleted file mode 100644
index 6744c2ee9ee4..000000000000
--- a/website/source/docs/enterprise/hsm/index.html.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-layout: "docs"
-page_title: "HSM Integration - Vault Enterprise"
-sidebar_title: "HSM Support"
-sidebar_current: "docs-vault-enterprise-hsm"
-description: |-
-  Vault Enterprise has HSM support, allowing for external master key storage and automatic unsealing.
-
----
-
-# Vault Enterprise HSM Support
-
-HSM support is a feature of [Vault
-Enterprise](https://www.hashicorp.com/vault.html) that takes advantage of HSMs
-to provide three pieces of special functionality:
-
- * Master Key Wrapping: Vault protects its master key by transiting it through
-   the HSM for encryption rather than splitting into key shares
- * Automatic Unsealing: Vault stores its HSM-wrapped master key in storage,
-   allowing for automatic unsealing
- * [Seal Wrapping](/docs/enterprise/sealwrap/index.html) to provide FIPS
-   KeyStorage-conforming functionality for Critical Security Parameters
- * [Entropy Augmentation](/docs/enterprise/entropy-augmentation/index.html) to
-   allow Vault to sample entropy from an external cryptographic module.
-
-HSM support is available for devices that support PKCS#11 version 2.20+
-interfaces and provide integration libraries, and is currently available for
-linux/amd64 platforms only. It has successfully been tested against many
-different vendor HSMs; HSMs that provide only subsets of the full PKCS#11
-specification can usually be supported but it depends on available
-cryptographic mechanisms.
-
-Please note however that configuration details, flags, and supported features
-within PKCS#11 vary depending on HSM model and configuration. Consult your
-HSM's documentation for more details.
-
-Some parts of Vault work differently when using an HSM. Please see the
-[Behavioral Changes](/docs/enterprise/hsm/behavior.html) page for
-important information on these differences.
-
-The [Configuration](/docs/configuration/seal/pkcs11.html) page contains
-configuration information.
-
-Finally, the [Security](/docs/enterprise/hsm/security.html) page contains
-information about deploying Vault's HSM support in a secure fashion.
diff --git a/website/source/docs/enterprise/hsm/security.html.md b/website/source/docs/enterprise/hsm/security.html.md
deleted file mode 100644
index 75bf68fbf3db..000000000000
--- a/website/source/docs/enterprise/hsm/security.html.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-layout: "docs"
-page_title: "Security Details - HSM Integration - Vault Enterprise"
-sidebar_title: "Security"
-sidebar_current: "docs-vault-enterprise-hsm-security"
-description: |-
-  Recommendations to ensure the security of a Vault Enterprise HSM deployment.
-
----
-
-# Vault Enterprise HSM Security Details
-
-This page provides information to help ensure that a Vault HSM deployment is
-performed as securely as possible.
-
-## PKCS#11 Authentication
-
-PKCS#11 authentication occurs via a slot number and PIN. In practice, because
-the PIN is not required to be numeric (and some HSMs require more complex
-PINs), this behaves like a username and password.
-
-Like a username and password, these values should be protected. If they are
-stored in Vault's configuration file, read access to the file should be tightly
-controlled to appropriate users. (Vault's configuration file should always have
-tight write controls.) Rather than storing these values into Vault's
-configuration file, they can also be supplied via the environment; see the
-[Configuration](/docs/configuration/seal/pkcs11.html) page for more details.
-
-The attack surface of stolen PKCS#11 credentials depends highly on the
-individual HSM, but generally speaking, it should be assumed that if an
-attacker can see these credentials and has access to a machine on which Vault
-is running, the attacker will be able to access the HSM key protecting Vault's
-master key. Therefore, it is extremely important that access to the machine on
-which Vault is running is also tightly controlled.
-
-## Recovery Key Shares Protection
-
-Recovery key shares should be protected in the same way as your organization
-would protect key shares for the cryptographic barrier. As a quorum of recovery
-key shares can be used with the `generate-root` feature to generate a new root
-token, and root tokens can do anything within Vault, PGP encryption should
-always be used to protect the returned recovery key shares and the recovery
-share holders should be highly trusted individuals.
diff --git a/website/source/docs/enterprise/index.html.md b/website/source/docs/enterprise/index.html.md
deleted file mode 100644
index 972e2752e248..000000000000
--- a/website/source/docs/enterprise/index.html.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Enterprise"
-sidebar_title: "Vault Enterprise"
-sidebar_current: "docs-vault-enterprise"
-description: |-
-  Vault Enterprise features a number of capabilities beyond the open
-  source offering that may be beneficial in certain workflows.
----
-
-# Vault Enterprise
-
-Vault Enterprise includes a number of features that may be useful in specific
-workflows. Please use the sidebar navigation on the left to choose a specific
-topic.
-
-These features are part of [Vault Enterprise](https://www.hashicorp.com/vault.html?utm_source=oss&utm_medium=docs&utm_campaign=vault&_ga=1.201793489.1956619674.1489356624).
diff --git a/website/source/docs/enterprise/mfa/index.html.md b/website/source/docs/enterprise/mfa/index.html.md
deleted file mode 100644
index 8c4f9790311c..000000000000
--- a/website/source/docs/enterprise/mfa/index.html.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-layout: "docs"
-page_title: "MFA Support - Vault Enterprise"
-sidebar_title: "MFA"
-sidebar_current: "docs-vault-enterprise-mfa"
-description: |-
-  Vault Enterprise has support for Multi-factor Authentication (MFA), using different authentication types.
-
----
-
-# Vault Enterprise MFA Support
-
-Vault Enterprise has support for Multi-factor Authentication (MFA), using
-different authentication types. MFA is built on top of the Identity system of
-Vault.
-
-## MFA Types
-
-MFA in Vault can be of the following types.
-
-- `Time-based One-time Password (TOTP)` - If configured and enabled on a path,
-  this would require a TOTP passcode along with Vault token, to be presented
-  while invoking the API request. The passcode will be validated against the
-  TOTP key present in the identity of the caller in Vault.
-
-- `Okta` - If Okta push is configured and enabled on a path, then the enrolled
-  device of the user will get a push notification to approve or deny the access
-  to the API. The Okta username will be derived from the caller identity's
-  alias.
-
-- `Duo` - If Duo push is configured and enabled on a path, then the enrolled
-  device of the user will get a push notification to approve or deny the access
-  to the API. The Duo username will be derived from the caller identity's
-  alias.
-
-- `PingID` - If PingID push is configured and enabled on a path, then the
-  enrolled device of the user will get a push notification to approve or deny
-  the access to the API. The PingID username will be derived from the caller
-  identity's alias.
-
-## Configuring MFA Methods
-
-MFA methods are globally managed within the `System Backend` using the HTTP API.
-Please see [MFA API](/api/system/mfa.html) for details on how to configure an MFA
-method.
-
-## MFA Methods In Policies
-
-MFA requirements on paths are specified as `mfa_methods` along with other ACL
-parameters.
-
-### Sample Policy
-
-```hcl
-path "secret/foo" {
-  capabilities = ["read"]
-  mfa_methods  = ["dev_team_duo", "sales_team_totp"]
-}
-```
-
-The above policy grants `read` access to `secret/foo` only after *both* the MFA
-methods `dev_team_duo` and `sales_team_totp` are validated.
-
-## Namespaces
-
-All MFA configurations must be configured in the root namespace. They can be
-referenced from ACL and Sentinel policies in any namespace via the method name
-and can be tied to a mount accessor in any namespace.
-
-When using [Sentinel
-EGPs](/docs/enterprise/sentinel/index.html#endpoint-governing-policies-egps-),
-any MFA configuration specified must be satisfied by all requests affected by
-the policy, which can be difficult if the configured paths spread across
-namespaces. One way to address this is to use a policy similar to the
-following, using `or` operators to allow MFA configurations tied to mount
-accessors in the various namespaces:
-
-```python
-import "mfa"
-
-has_mfa = rule {
-    mfa.methods.duons1.valid
-}
-
-has_mfa2 = rule {
-    mfa.methods.duons2.valid
-}
-
-main = rule {
-    has_mfa or has_mfa2
-}
-```
-
-When using TOTP, any user with ACL permissions can self-generate credentials.
-Admins can generate or destroy credentials only if the targeted entity is in
-the same namespace.
-
-## Supplying MFA Credentials
-
-MFA credentials are retrieved from the `X-Vault-MFA` HTTP header. The format of
-the header is `mfa_method_name[:key[=value]]`. The items in the `[]` are
-optional.
-
-### Sample Request
-
-```
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --header "X-Vault-MFA:my_totp:695452" \
-    http://127.0.0.1:8200/v1/secret/foo
-```
-
-### API
-
-MFA can be managed entirely over the HTTP API. Please see [MFA API](/api/system/mfa.html) for more details.
diff --git a/website/source/docs/enterprise/mfa/mfa-duo.html.md b/website/source/docs/enterprise/mfa/mfa-duo.html.md
deleted file mode 100644
index 262443b9f4e7..000000000000
--- a/website/source/docs/enterprise/mfa/mfa-duo.html.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-layout: "docs"
-page_title: "Duo MFA - MFA Support - Vault Enterprise"
-sidebar_title: "Duo MFA"
-sidebar_current: "docs-vault-enterprise-mfa-duo"
-description: |-
-  Vault Enterprise supports Duo MFA type.
----
-
-# Duo MFA
-
-This page demonstrates the Duo MFA on ACL'd paths of Vault.
-
-## Configuration
-
-1. Enable the appropriate auth method:
-
-    ```text
-    $ vault auth enable userpass
-    ```
-
-1. Fetch the mount accessor for the enabled auth method:
-
-    ```text
-    $ vault auth list -detailed
-    ```
-
-    The response will look like:
-
-    ```text
-    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
-    ----         ----        --------                  ------    -----------    -------    -----------    -----------
-    token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
-    userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
-    ```
-
-1. Configure Duo MFA:
-
-    ```text
-    $ vault write sys/mfa/method/duo/my_duo \
-        mount_accessor=auth_userpass_54b8e339 \
-        integration_key=BIACEUEAXI20BNWTEYXT \
-        secret_key=HIGTHtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz \
-        api_hostname=api-2b5c39f5.duosecurity.com
-    ```
-
-1. Create a policy that gives access to secret through the MFA method created
-   above:
-
-    ```text
-    $ vault policy write duo-policy -<<EOF
-    path "secret/foo" {
-      capabilities = ["read"]
-      mfa_methods  = ["my_duo"]
-    }
-    EOF
-    ```
-
-1. Create a user. MFA works only for tokens that have identity information on
-them. Tokens created by logging in using auth methods will have the associated
-identity information. Create a user in the `userpass` auth method and
-authenticate against it:
-
-
-    ```text
-    $ vault write auth/userpass/users/testuser \
-        password=testpassword \
-        policies=duo-policy
-    ```
-
-1. Create a login token:
-
-    ```text
-    $ vault write auth/userpass/login/testuser \
-        password=testpassword
-
-    Key                    Value
-    ---                    -----
-    token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
-    token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
-    token_duration         768h
-    token_renewable        true
-    token_policies         [default duo-policy]
-    token_meta_username    "testuser"
-    ```
-
-    Note that the CLI is not authenticated with the newly created token yet, we
-    did not call `vault login`, instead we used the login API to simply return a
-    token.
-
-1. Fetch the entity ID from the token. The caller identity is represented by the
-`entity_id` property of the token:
-
-    ```text
-    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c
-
-    Key                 Value
-    ---                 -----
-    accessor            a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
-    creation_time       1502245243
-    creation_ttl        2764800
-    display_name        userpass-testuser
-    entity_id           307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
-    expire_time         2017-09-09T22:20:43.448543132-04:00
-    explicit_max_ttl    0
-    id                  70f97438-e174-c03c-40fe-6bcdc1028d6c
-    issue_time          2017-08-08T22:20:43.448543003-04:00
-    meta                map[username:testuser]
-    num_uses            0
-    orphan              true
-    path                auth/userpass/login/testuser
-    policies            [default duo-policy]
-    renewable           true
-    ttl                 2764623
-    ```
-
-1. Login as the user:
-
-    ```text
-    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
-    ```
-
-1. Read a secret to trigger a Duo push. This will be a blocking call until
-the push notification is either approved or declined:
-
-    ```text
-    $ vault read secret/foo
-
-    Key                 Value
-    ---                 -----
-    refresh_interval    768h
-    data                which can only be read after MFA validation
-    ```
-   
-## Hardware Tokens and Passcodes
-
-If hardware tokens or other TOTP/HOTP devices (e.g. Google Authenticator) are configured on the Duo
-account, the codes from these devices may be passed via the
-[X-Vault-MFA header](/docs/enterprise/mfa/index.html#supplying-mfa-credentials) and will be used
-in lieu of a Duo push. They may also be provided to the `vault` command using the `-mfa` parameter
-and the `passcode` field.
-
-### Sample Command
-
-```
-$ vault login -mfa=my_duo:passcode=280077 -method=userpass \ 
-    username=testuser password=testpassword
-``` 
diff --git a/website/source/docs/enterprise/mfa/mfa-okta.html.md b/website/source/docs/enterprise/mfa/mfa-okta.html.md
deleted file mode 100644
index e83f5196b7ab..000000000000
--- a/website/source/docs/enterprise/mfa/mfa-okta.html.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-layout: "docs"
-page_title: "Okta MFA - MFA Support - Vault Enterprise"
-sidebar_title: "Okta MFA"
-sidebar_current: "docs-vault-enterprise-mfa-okta"
-description: |-
-  Vault Enterprise supports Okta MFA type.
----
-
-# Okta MFA
-
-This page demonstrates the Okta MFA on ACL'd paths of Vault.
-
-## Configuration
-
-1. Enable the appropriate auth method:
-
-    ```text
-    $ vault auth enable userpass
-    ```
-
-1. Fetch the mount accessor for the enabled auth method:
-
-    ```text
-    $ vault auth list -detailed
-    ```
-
-    The response will look like:
-
-    ```text
-    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
-    ----         ----        --------                  ------    -----------    -------    -----------    -----------
-    token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
-    userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
-    ```
-
-1. Configure Okta MFA:
-
-    ```text
-    $ vault write sys/mfa/method/okta/my_okta \
-        mount_accessor=auth_userpass_54b8e339 \
-        org_name="dev-262775" \
-        api_token="0071u8PrReNkzmATGJAP2oDyIXwwveqx9vIOEyCZDC"
-    ```
-
-1. Create a policy that gives access to secret through the MFA method created
-   above:
-
-    ```text
-    $ vault policy write okta-policy -<<EOF
-    path "secret/foo" {
-      capabilities = ["read"]
-      mfa_methods  = ["my_okta"]
-    }
-    EOF
-    ```
-
-1. Create a user. MFA works only for tokens that have identity information on
-them. Tokens created by logging in using auth methods will have the associated
-identity information. Create a user in the `userpass` auth method and
-authenticate against it:
-
-
-    ```text
-    $ vault write auth/userpass/users/testuser \
-        password=testpassword \
-        policies=okta-policy
-    ```
-
-1. Create a login token:
-
-    ```text
-    $ vault write auth/userpass/login/testuser password=testpassword
-
-    Key                    Value
-    ---                    -----
-    token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
-    token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
-    token_duration         768h0m0s
-    token_renewable        true
-    token_policies         [default okta-policy]
-    token_meta_username    "testuser"
-    ```
-
-    Note that the CLI is not authenticated with the newly created token yet, we
-    did not call `vault login`, instead we used the login API to simply return a
-    token.
-
-1. Fetch the entity ID from the token. The caller identity is represented by the
-`entity_id` property of the token:
-
-    ```text
-    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c
-
-    Key                     Value
-    ---                     -----
-    accessor                a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
-    creation_time           1502245243
-    creation_ttl            2764800
-    display_name            userpass-testuser
-    entity_id               307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
-    expire_time             2017-09-09T22:20:43.448543132-04:00
-    explicit_max_ttl        0
-    id                      70f97438-e174-c03c-40fe-6bcdc1028d6c
-    issue_time              2017-08-08T22:20:43.448543003-04:00
-    meta                    map[username:testuser]
-    num_uses                0
-    orphan                  true
-    path                    auth/userpass/login/testuser
-    policies                [default okta-policy]
-    renewable               true
-    ttl                     2764623
-    ```
-
-1. Login as the user:
-
-    ```text
-    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
-    ```
-
-1. Read a secret to trigger an Okta push. This will be a blocking call until
-the push notification is either approved or declined:
-
-    ```text
-    $ vault read secret/foo
-
-    Key                     Value
-    ---                     -----
-    refresh_interval        768h0m0s
-    data                    which can only be read after MFA validation
-    ```
diff --git a/website/source/docs/enterprise/mfa/mfa-pingid.html.md b/website/source/docs/enterprise/mfa/mfa-pingid.html.md
deleted file mode 100644
index 6eaedfc23bd0..000000000000
--- a/website/source/docs/enterprise/mfa/mfa-pingid.html.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-layout: "docs"
-page_title: "PingID MFA - MFA Support - Vault Enterprise"
-sidebar_title: "PingID MFA"
-sidebar_current: "docs-vault-enterprise-mfa-pingid"
-description: |-
-  Vault Enterprise supports PingID MFA type.
----
-
-# PingID MFA
-
-This page demonstrates PingID MFA on ACL'd paths of Vault.
-
-## Configuration
-
-1. Enable the appropriate auth method:
-
-    ```text
-    $ vault auth enable userpass
-    ```
-
-1. Fetch the mount accessor for the enabled auth method:
-
-    ```text
-    $ vault auth list -detailed
-    ```
-
-    The response will look like:
-
-    ```text
-    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
-    ----         ----        --------                  ------    -----------    -------    -----------    -----------
-    token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
-    userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
-    ```
-
-
-1. Configure PingID MFA:
-
-    ```text
-    $ vault write sys/mfa/method/pingid/ping \
-        mount_accessor=auth_userpass_54b8e339 \
-        settings_file_base64="AABDwWaR..."
-    ```
-
-1. Create a policy that gives access to secret through the MFA method created
-   above:
-
-    ```
-    $ vault policy write ping-policy -<<EOF
-    path "secret/foo" {
-      capabilities = ["read"]
-      mfa_methods  = ["ping"]
-    }
-    EOF
-    ```
-
-1. Create a user. MFA works only for tokens that have identity information on
-them. Tokens created by logging in using auth methods will have the associated
-identity information. Create a user in the `userpass` auth method and
-authenticate against it:
-
-
-    ```text
-    $ vault write auth/userpass/users/testuser \
-        password=testpassword \
-        policies=ping-policy
-    ```
-
-1. Create a login token:
-
-    ```text
-    $ vault write auth/userpass/login/testuser password=testpassword
-
-    Key                    Value
-    ---                    -----
-    token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
-    token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
-    token_duration         768h0m0s
-    token_renewable        true
-    token_policies         [default ping-policy]
-    token_meta_username    "testuser"
-    ```
-
-    Note that the CLI is not authenticated with the newly created token yet, we
-    did not call `vault login`, instead we used the login API to simply return a
-    token.
-
-1. Fetch the entity ID from the token. The caller identity is represented by the
-`entity_id` property of the token:
-
-    ```text
-    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c
-
-    Key                 Value
-    ---                 -----
-    accessor            a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
-    creation_time       1502245243
-    creation_ttl        2764800
-    display_name        userpass-testuser
-    entity_id           307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
-    expire_time         2017-09-09T22:20:43.448543132-04:00
-    explicit_max_ttl    0
-    id                  70f97438-e174-c03c-40fe-6bcdc1028d6c
-    issue_time          2017-08-08T22:20:43.448543003-04:00
-    meta                map[username:testuser]
-    num_uses            0
-    orphan              true
-    path                auth/userpass/login/testuser
-    policies            [default ping-policy]
-    renewable           true
-    ttl                 2764623
-    ```
-
-1. Login as the user:
-
-    ```text
-    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
-    ```
-
-1. Read a secret to trigger a PingID push. This will be a blocking call until
-the push notification is either approved or declined:
-
-    ```text
-    $ vault read secret/foo
-
-    Key                 Value
-    ---                 -----
-    refresh_interval    768h
-    data                which can only be read after MFA validation
-    ```
diff --git a/website/source/docs/enterprise/mfa/mfa-totp.html.md b/website/source/docs/enterprise/mfa/mfa-totp.html.md
deleted file mode 100644
index b0bd3013a1a9..000000000000
--- a/website/source/docs/enterprise/mfa/mfa-totp.html.md
+++ /dev/null
@@ -1,150 +0,0 @@
----
-layout: "docs"
-page_title: "TOTP MFA - MFA Support - Vault Enterprise"
-sidebar_title: "TOTP MFA"
-sidebar_current: "docs-vault-enterprise-mfa-totp"
-description: |-
-  Vault Enterprise supports TOTP MFA type.
----
-
-# TOTP MFA
-
-This page demonstrates the TOTP MFA on ACL'd paths of Vault.
-
-## Configuration
-
-1. Enable the appropriate auth method:
-
-    ```text
-    $ vault auth enable userpass
-    ```
-
-1. Fetch the mount accessor for the enabled auth method:
-
-    ```text
-    $ vault auth list -detailed
-    ```
-
-    The response will look like:
-
-    ```text
-    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
-    ----         ----        --------                  ------    -----------    -------    -----------    -----------
-    token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
-    userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
-    ```
-
-1. Configure TOTP MFA:
-
-    ```text
-    $ vault write sys/mfa/method/totp/my_totp \
-        issuer=Vault \
-        period=30 \
-        key_size=30 \
-        algorithm=SHA256 \
-        digits=6
-    ```
-
-1. Create a policy that gives access to secret through the MFA method created
-   above:
-
-    ```text
-    $ vault policy write totp-policy -<<EOF
-    path "secret/foo" {
-      capabilities = ["read"]
-      mfa_methods  = ["my_totp"]
-    }
-    EOF
-    ```
-
-1. Create a user. MFA works only for tokens that have identity information on
-them. Tokens created by logging in using auth methods will have the associated
-identity information. Create a user in the `userpass` auth method and
-authenticate against it:
-
-
-    ```text
-    $ vault write auth/userpass/users/testuser \
-        password=testpassword \
-        policies=totp-policy
-    ```
-
-1. Create a login token:
-
-    ```text
-    $ vault write auth/userpass/login/testuser \
-        password=testpassword
-
-    Key                    Value
-    ---                    -----
-    token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
-    token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
-    token_duration         768h
-    token_renewable        true
-    token_policies         [default totp-policy]
-    token_meta_username    "testuser"
-    ```
-
-    Note that the CLI is not authenticated with the newly created token yet, we
-    did not call `vault login`, instead we used the login API to simply return a
-    token.
-
-1. Fetch the entity ID from the token. The caller identity is represented by the
-`entity_id` property of the token:
-
-    ```text
-    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c
-
-    Key                 Value
-    ---                 -----
-    accessor            a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
-    creation_time       1502245243
-    creation_ttl        2764800
-    display_name        userpass-testuser
-    entity_id           307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
-    expire_time         2017-09-09T22:20:43.448543132-04:00
-    explicit_max_ttl    0
-    id                  70f97438-e174-c03c-40fe-6bcdc1028d6c
-    issue_time          2017-08-08T22:20:43.448543003-04:00
-    meta                map[username:testuser]
-    num_uses            0
-    orphan              true
-    path                auth/userpass/login/testuser
-    policies            [default totp-policy]
-    renewable           true
-    ttl                 2764623
-    ```
-
-1. Generate TOTP method attached to the entity. This should be distributed to
-the intended user to be able to generate TOTP passcode:
-
-    ```text
-    $ vault write sys/mfa/method/totp/my_totp/admin-generate \
-        entity_id=307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
-
-    Key        Value
-    ---        -----
-    barcode    iVBORw0KGgoAAAANSUhEUgAAAM...
-    url        otpauth://totp/Vault:307d6c16-6f5c-4ae7-46a9-2d153ffcbc63?algo...
-    ```
-
-    Either the base64 encoded png barcode or the url should be given to the end
-    user. This barcode/url can be loaded into Google Authenticator or a similar
-    TOTP tool to generate codes.
-
-1. Login as the user:
-
-    ```text
-    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
-    ```
-
-1. Read the secret, specifying the mfa flag:
-
-    ```text
-    $ vault read -mfa my_totp:146378 secret/foo
-
-    Key                 Value
-    ---                 -----
-    refresh_interval    768h
-    data                which can only be read after MFA validation
-    ```
diff --git a/website/source/docs/enterprise/namespaces/index.html.md b/website/source/docs/enterprise/namespaces/index.html.md
deleted file mode 100644
index 81105845c649..000000000000
--- a/website/source/docs/enterprise/namespaces/index.html.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-layout: "docs"
-page_title: "Namespaces - Vault Enterprise"
-sidebar_title: "Namespaces"
-sidebar_current: "docs-vault-enterprise-namespaces"
-description: |-
-  Vault Enterprise has support for Namespaces, a feature to enable Secure Multi-tenancy (SMT) and self-management.
-
----
-
-# Vault Enterprise Namespaces
-
-## Overview
-
-Many organizations implement Vault as a "service", providing centralized
-management for teams within an organization while ensuring that those teams
-operate within isolated environments known as *tenants*.
-
-There are two common challenges when implementing this architecture in Vault:
-
-**Tenant Isolation**
-
-Frequently teams within a VaaS environment require strong isolation from other
-users in their policies, secrets, and identities. Tenant isolation is typically a
-result of compliance regulations such as [GDPR](https://www.eugdpr.org/), though it may
-be necessitated by corporate or organizational infosec requirements.
-
-**Self-Management**
-
-As new tenants are added, there is an additional human cost in the management
-overhead for teams. Given that tenants will likely have different policies and
-request changes at a different rate, managing a multi-tenant environment can
-become very difficult for a single team as the number of tenants within that
-organization grow.
-
-'Namespaces' is a set of features within Vault Enterprise that allows Vault
-environments to support *Secure Multi-tenancy* (or *SMT*) within a single Vault
-infrastructure. Through namespaces, Vault administrators can support tenant isolation
-for teams and individuals as well as empower delegated administrators to manage their
-own tenant environment.
-
-## Usage
-
-API operations performed under a namespace can be done by providing the relative
-request path along with the namespace path using the `X-Vault-Namespace` header.
-Similarly, the namespace header value can be provided in full or partially when
-reaching into nested namespaces. When provided partially, the remaining
-namespace path must be provided in the request path in order to reach into the
-desired nested namespace.
-
-Alternatively, the fully qualified path can be provided without using the
-`X-Vault-Namespace` header. In either scenario, Vault will construct the fully
-qualified path from these two sources to correctly route the request to the
-appropriate namespace.
-
-For example, these three requests are equivalent:
-1. Path: `ns1/ns2/secret/foo`
-2. Path: `secret/foo`, Header: `X-Vault-Namespace: ns1/ns2/`
-3. Path: `ns2/secret/foo`, Header: `X-Vault-Namespace: ns1/`
-
-## Architecture
-
-Namespaces are isolated environments that functionally exist as "Vaults within a Vault."
-They have separate login paths and support creating and managing data isolated to their
-namespace. This data includes the following:
-
-- Secret Engines
-- Auth Methods
-- Policies
-- Identities (Entities, Groups)
-- Tokens
-
-Rather than rely on Vault system admins, namespaces can be managed by delegated admins who
-can be prescribed administration rights for their namespace. These delegated admins can also
-create their own child namespaces, thereby prescribing admin rights on a subordinate group
-of delegate admins.
-
-Child namespaces can share policies from their parent namespaces. For example, a child namespace
-may refer to parent identities (entities and groups) when writing policies that function only
-within that child namespace. Similarly, a parent namespace can have policies asserted on child
-identities.
-
-## Learn
-
-Refer to the [Secure Multi-Tenancy with Namespaces](https://learn.hashicorp.com/vault/operations/namespaces)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/enterprise/performance-standby/index.html.md b/website/source/docs/enterprise/performance-standby/index.html.md
deleted file mode 100644
index 57797313f5a9..000000000000
--- a/website/source/docs/enterprise/performance-standby/index.html.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-layout: "docs"
-page_title: "Performance Standby Nodes - Vault Enterprise"
-sidebar_title: "Performance Standbys"
-sidebar_current: "docs-vault-enterprise-perf-standbys"
-description: |-
-  Performance Standby Nodes - Vault Enterprise
----
-
-# Performance Standby Nodes
-
-Vault supports a multi-server mode for high availability. This mode protects
-against outages by running multiple Vault servers. High availability mode
-is automatically enabled when using a data store that supports it. You can
-learn more about HA mode on the [Concepts](/docs/concepts/ha.html) page.
-
-Vault Enterprise offers additional features that allow HA nodes to service
-read-only requests on the local standby node. Read-only requests are requests
-that do not modify Vault's storage.
-
-## Server-to-Server Communication
-
-Performance Standbys require the request forwarding method described in the [HA
-Server-to-Server](/docs/concepts/ha.html#server-to-server-communication) docs.
-
-A performance standby will connect to the active node over the existing request
-forwarding connection. If selected by the active node to be promoted to a
-performance standby it will be handed a newly-generated private key and certificate
-for use in creating a new mutually-authenticated TLS connection to the cluster
-port. This connection will be used to send updates from the active node to the
-standby.
-
-## Request Forwarding
-
-A Performance Standby will attempt to process requests that come in. If a
-storage write is detected the standby will forward the request over the cluster
-port connection to the active node. If the request is read-only the Performance
-Standby will handle the requests locally.
-
-Sending requests to Performance Standbys that result in forwarded writes will be
-slightly slower than going directly to the active node. A client that has
-advanced knowledge of the behavior of the call can choose to point the request
-to the appropriate node.
-
-### Direct Access
-
-A Performance Standby will tag itself as such in consul if service registration
-is enabled. To access the set of Performance Standbys the `performance-standby`
-tag can be used. For example to send requests to only the performance standbys
-`https://performance-standby.vault.dc1.consul` could be used (host name may vary
-based on consul configuration).
-
-### Behind Load Balancers
-
-Additionally, if you wish to point your load balancers at performance standby
-nodes, the `sys/health` endpoint can be used to determine if a node is a
-performance standby. See the [sys/health API](/api/system/health.html) docs for
-more info.
-
-## Disabling Performance Standbys
-
-To disable performance standbys the `disable_performance_standby` flag should be
-set to true in the Vault config file. This will both tell a standby not to
-attempt to enable performance mode and an active node to not allow any
-performance standby connections.
-
-This setting should be synced across all nodes in the cluster.
-
-## Monitoring Performance Standbys
-
-To verify your node is a performance standby the `vault status` command can be
-used:
-
-```
-$ vault status
-Key                                    Value
----                                    -----
-Seal Type                              shamir
-Sealed                                 false
-Total Shares                           1
-Threshold                              1
-Version                                0.11.0+prem
-Cluster Name                           vault-cluster-d040e74c
-Cluster ID                             9f82e03b-71fb-97a6-9c5a-46fa6715d6e4
-HA Enabled                             true
-HA Cluster                             https://127.0.0.1:8201
-HA Mode                                standby
-Active Node Address                    http://127.0.0.1:8200
-Performance Standby Node               true
-Performance Standby Last Remote WAL    380329
-```
diff --git a/website/source/docs/enterprise/replication/index.html.md b/website/source/docs/enterprise/replication/index.html.md
deleted file mode 100644
index d111e87f7a43..000000000000
--- a/website/source/docs/enterprise/replication/index.html.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-layout: "docs"
-page_title: "Replication - Vault Enterprise"
-sidebar_title: "Replication"
-sidebar_current: "docs-vault-enterprise-replication"
-description: |-
-  Vault Enterprise has support for Replication, allowing critical data to be replicated across clusters to support horizontally scaling and disaster recovery workloads.
-
----
-
-# Vault Enterprise Replication
-
-## Overview
-
-Many organizations have infrastructure that spans multiple datacenters. Vault
-provides the critical services of identity management, secrets storage, and
-policy management.  This functionality is expected to be highly available and
-to scale as the number of clients and their functional needs increase; at the
-same time, operators would like to ensure that a common set of policies are
-enforced globally, and a consistent set of secrets and keys are exposed to
-applications that need to interoperate.
-
-Vault replication addresses both of these needs in providing consistency,
-scalability, and highly-available disaster recovery.
-
-Note: Using replication requires a storage backend that supports transactional updates, such as Consul.
-
-## Architecture
-
-The core unit of Vault replication is a **cluster**, which is comprised of a
-collection of Vault nodes (an active and its corresponding HA nodes). Multiple Vault
-clusters communicate in a one-to-many near real-time flow.
-
-Replication operates on a leader/follower model, wherein a leader cluster (known as a
-**primary**) is linked to a series of follower **secondary** clusters. The primary
-cluster acts as the system of record and asynchronously replicates most Vault data.
-
-All communication between primaries and secondaries is end-to-end encrypted
-with mutually-authenticated TLS sessions, setup via replication tokens which are
-exchanged during bootstrapping.
-
-What data is replicated between the primary and secondary depends on the type of
-replication that is configured between the primary and secondary. These types
-of relationships are either **disaster recovery** or **performance**
-relationships.
-
-## Performance Replication and Disaster Recovery (DR) Replication
-
-*Performance Replication*:
-In performance replication, secondaries keep track of their own tokens and leases
-but share the underlying configuration, policies, and supporting secrets (K/V values,
-encryption keys for `transit`, etc).
-
-If a user action would modify underlying shared state, the secondary forwards the request
-to the primary to be handled; this is transparent to the client. In practice, most
-high-volume workloads (reads in the `kv` backend, encryption/decryption operations
-in `transit`, etc.) can be satisfied by the local secondary, allowing Vault to scale
-relatively horizontally with the number of secondaries rather than vertically as
-in the past.
-
-*Disaster Recovery (DR) Replication*:
-In disaster recovery (or DR) replication, secondaries share the same underlying configuration,
-policy, and supporting secrets  (K/V values, encryption keys for `transit`, etc) infrastructure
-as the primary. They also share the same token and lease infrastructure as the primary, as
-they are designed to allow for continuous operations with applications connecting to the
-original primary on the election of the DR secondary.
-
-DR is designed to be a mechanism to protect against catastrophic failure of entire clusters.
-They do not forward service read or write requests until they are elected and become a new primary.
-
-| Capability                                                                                                               	| Disaster Recovery 	| Performance                                                              	|
-|--------------------------------------------------------------------------------------------------------------------------	|-------------------	|--------------------------------------------------------------------------	|
-| Mirrors the configuration of a primary cluster                                                                  	| Yes               	| Yes                                                                      	|
-| Mirrors the configuration of a primary cluster’s backends (i.e.: auth methods, secrets engines, audit devices, etc.) 	| Yes               	| Yes                                                                      	|
-| Mirrors the tokens and leases for applications and users interacting with the primary cluster                     	| Yes               	| No. Secondaries keep track of their own tokens and leases. When the secondary is promoted, applications must reauthenticate and obtain new leases from the newly-promoted primary. 	|
-| Allows the secondary cluster to handle client requests                          	| No                	| Yes                                                                      	|
-
-For more information on the capabilities of performance and disaster recovery replication, see the Vault Replication [API Documentation](/api/system/replication.html).
-
-## Internals
-
-Details on the internal design of the replication feature can be found in the
-[replication
-internals](/docs/internals/replication.html)
-document.
-
-## Security Model
-
-Vault is trusted all over the world to keep secrets safe. As such, we have put
-extreme focus to detail to our replication model as well.
-
-### Primary/Secondary Communication
-
-When a cluster is marked as the primary it generates a self-signed CA
-certificate. On request, and given a user-specified identifier, the primary
-uses this CA certificate to generate a private key and certificate and packages
-these, along with some other information, into a replication bootstrapping
-bundle, a.k.a. a secondary activation token. The certificate is used to perform
-TLS mutual authentication between the primary and that secondary.
-
-This CA certificate is never shared with secondaries, and no secondary ever has
-access to any other secondary’s certificate. In practice this means that
-revoking a secondary’s access to the primary does not allow it continue
-replication with any other machine; it also means that if a primary goes down,
-there is full administrative control over which cluster becomes primary. An
-attacker cannot spoof a secondary into believing that a cluster the attacker
-controls is the new primary without also being able to administratively direct
-the secondary to connect by giving it a new bootstrap package (which is an
-ACL-protected call).
-
-Vault makes use of Application Layer Protocol Negotiation on its cluster port.
-This allows the same port to handle both request forwarding and replication,
-even while keeping the certificate root of trust and feature set different.
-
-### Secondary Activation Tokens
-
-A secondary activation token is an extremely sensitive item and as such is
-protected via response wrapping. Experienced Vault users will note that the
-wrapping format for replication bootstrap packages is different from normal
-response wrapping tokens: it is a signed JWT. This allows the replication token
-to carry the redirect address of the primary cluster as part of the token. In
-most cases this means that simply providing the token to a new secondary is
-enough to activate replication, although this can also be overridden when the
-token is provided to the secondary.
-
-Secondary activation tokens should be treated like Vault root tokens. If
-disclosed to a bad actor, that actor can gain access to all Vault data. It
-should therefore be treated with utmost sensitivity.  Like all
-response-wrapping tokens, once the token is used successfully (in this case, to
-activate a secondary) it is useless, so it is only necessary to safeguard it
-from one machine to the next.  Like with root tokens, HashiCorp recommends that
-when a secondary activation token is live, there are multiple eyes on it from
-generation until it is used.
-
-Once a secondary is activated, its cluster information is stored safely behind
-its encrypted barrier.
-
-
-## Learn
-
-Refer to the following tutorials replication setup and best practices:
-
-- [Setting up Performance Replication](https://learn.hashicorp.com/vault/operations/ops-replication)
-- [Disaster Recovery Replication Setup](https://learn.hashicorp.com/vault/operations/ops-disaster-recovery)
-- [Performance Replication with Mount Filters](https://learn.hashicorp.com/vault/operations/mount-filter)
-- [Monitoring Vault Replication](https://learn.hashicorp.com/vault/operations/monitor-replication)
-
-## API
-
-The Vault replication component has a full HTTP API. Please see the
-[Vault Replication API](/api/system/replication.html) for more
-details.
diff --git a/website/source/docs/enterprise/sealwrap/index.html.md b/website/source/docs/enterprise/sealwrap/index.html.md
deleted file mode 100644
index 7337b5d7abf4..000000000000
--- a/website/source/docs/enterprise/sealwrap/index.html.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Enterprise Seal Wrap"
-sidebar_title: "Seal Wrap / FIPS 140-2"
-sidebar_current: "docs-vault-enterprise-sealwrap"
-description: |-
-  Vault Enterprise features a mechanism to wrap values with an extra layer of
-  encryption for supporting seals
----
-
-# Seal Wrap
-
-Vault Enterprise features a mechanism to wrap values with an extra layer of
-encryption for supporting [seals](/docs/configuration/seal/index.html). This adds an
-extra layer of protection and is useful in some compliance and regulatory
-environments, including FIPS 140-2 environments.
-
-To use this feature, you must have an active or trial license for Vault
-Enterprise (HSMs) or Vault Pro (AWS KMS). To start a trial, contact [HashiCorp
-sales](mailto:sales@hashicorp.com).
-
-## Enabling/Disabling
-
-Seal Wrap is enabled by default on supporting seals. This implies that the seal
-must be available throughout Vault's runtime. Most cloud-based seals should be
-quite reliable, but, for instance, if using an HSM in a non-HA setup a
-connection interruption to the HSM will result in issues with Vault
-functionality.
-
-To disable seal wrapping, set `disable_sealwrap = true` in Vault's
-[configuration file][configuration]. This will not affect auto-unsealing functionality; Vault's
-master key will still be protected by the seal wrapping mechanism. It will
-simply prevent other storage entries within Vault from being seal wrapped.
-
-*N.B.*: This is a lazy downgrade; as keys are accessed or written their seal
-wrapping status will change. Similarly, if the flag is removed, it will be a
-lazy upgrade (which is the case when initially upgrading to a seal
-wrap-supporting version of Vault).
-
-## FIPS 140-2 Compliance
-
-Vault's Seal Wrap feature has been evaluated by Leidos for compliance with
-FIPS 140-2 requirements. When used with a FIPS 140-2-compliant HSM, Vault will
-store Critical Security Parameters (CSPs) in a manner that is compliant with
-KeyStorage and KeyTransit requirements. This is on by default for many parts of
-Vault and opt-in for each individual mount; see the Activating Seal Wrapping
-section below for details.
-
-[Download the current compliance letter](/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf)
-
-### Updates Since The Latest FIPS Compliance Audit
-
-The following are values that take advantage of seal wrapping in the current
-release of Vault that have not yet been asserted as compliant by Leidos. The
-mechanism for seal wrapping is the same, they simply were not specifically
-evaluated by the auditors.
-
-* Root tokens
-* Replication secondary activation tokens
-* Client authentication information for the GCP Auth Backend
-* Client authentication information for the Kubernetes Auth Backend
-
-## Activating Seal Wrapping
-
-For some values, seal wrapping is always enabled with a supporting seal. This
-includes the recovery key, any stored key shares, the master key, the keyring,
-and more; essentially, any Critical Security Parameter (CSP) within Vault's
-core. If upgrading from a version of Vault that did not support seal wrapping,
-the next time these values are read they will be seal-wrapped and stored.
-
-Backend mounts within Vault can also take advantage of seal wrapping. Seal
-wrapping can be activated at mount time for a given mount by mounting the
-backend with the `seal_wrap` configuration value set to `true`. (This value
-cannot currently be changed later.)
-
-A given backend's author can specify which values should be seal-wrapped by
-identifying where CSPs are stored. If no specific CSPs are identifiable, all
-data for the backend may be seal-wrapped.
-
-To see the current list of seal-wrapped data per backend type, see the latest
-audit letter and updates in the FIPS 140-2 Compliance section above.
-
-Note that it is often an order of magnitude or two slower to write to and read
-from HSMs or remote seals. However, values will be cached in memory
-un-seal-wrapped (but still encrypted by Vault's built-in cryptographic barrier)
-in Vault, which will mitigate this for read-heavy workloads.
-
-## Seal Wrap and Replication
-
-Seal wrapping takes place below the replication logic. As a result, it is
-transparent to replication. Replication will convey which values should be
-seal-wrapped, but it is up to the seal on the local cluster to implement it.
-In practice, this means that seal wrapping can be used without needing to have
-the replicated keys on both ends of the connection; each cluster can have
-distinct keys in an HSM or in KMS.
-
-In addition, it is possible to replicate from a Shamir-protected primary
-cluster to clusters that use HSMs when seal wrapping is required in downstream
-datacenters but not in the primary.
-
-Because of the level of flexibility targeted for replication, values sent over
-replication connections do not currently meet KeyTransit requirements for FIPS
-140-2. Vault's clustering implementation does support best practices guidance
-given in FIPS 140-2, but the cryptographic implementation of TLS is not FIPS
-140-2 certified. We may look into providing certified TLS in the future for
-replication traffic; in the meantime, a transparent TCP proxy that supports
-certified FIPS 140-2 TLS (such as
-[stunnel](https://www.stunnel.org/index.html)) can be used for replication
-traffic if meeting KeyTransit requirements for replication is necessary.
-
-[configuration]: /docs/configuration/index.html
diff --git a/website/source/docs/enterprise/sentinel/examples.html.md b/website/source/docs/enterprise/sentinel/examples.html.md
deleted file mode 100644
index f361e4d7cff7..000000000000
--- a/website/source/docs/enterprise/sentinel/examples.html.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-layout: "docs"
-page_title: "Sentinel Examples"
-sidebar_title: "Examples"
-sidebar_current: "docs-vault-enterprise-sentinel-examples"
-description: |-
-  An overview of how Sentinel interacts with Vault Enterprise.
-
----
-
-# Examples
-
-Following are some examples that help to introduce concepts. If you are
-unfamiliar with writing Sentinel policies in Vault, please read through to
-understand some best practices.
-
-## MFA and CIDR Check on Login
-
-The following Sentinel policy requires the incoming user to successfully
-validate with an Okta MFA push request before authenticating with LDAP.
-Additionally, it ensures that only users on the 10.20.0.0/16 subnet are able to
-authenticate using LDAP.
-
-```python
-import "sockaddr"
-import "mfa"
-import "strings"
-
-# We expect logins to come only from our private IP range
-cidrcheck = rule {
-    sockaddr.is_contained(request.connection.remote_addr, "10.20.0.0/16")
-}
-
-# Require Ping MFA validation to succeed
-ping_valid = rule {
-    mfa.methods.ping.valid
-}
-
-main = rule when strings.has_prefix(request.path, "auth/ldap/login") {
-    ping_valid and cidrcheck
-}
-```
-
-Note the `rule when` construct on the `main` rule. This scopes the policy to
-the given condition.
-
-Vault takes a default-deny approach to security. Without such scoping, because
-active Sentinel policies must all pass successfully, the user would be forced
-to start with a passing status and then define the conditions under which
-access is denied, breaking the default-deny concept.
-
-By instead indicating the conditions under which the `main` rule (and thus, in
-this example, the entire policy) should be evaluated, the policy instead
-describes the conditions under which a matching request is successful. This
-keeps the default-deny feeling of Vault; if the evaluation condition isn't met,
-the policy is simply a no-op.
-
-## Allow Only Specific Identity Entities or Groups
-
-```python
-main = rule {
-    identity.entity.name is "jeff" or
-    identity.entity.id is "fe2a5bfd-c483-9263-b0d4-f9d345efdf9f" or
-    "sysops" in identity.groups.names or
-    "14c0940a-5c07-4b97-81ec-0d423accb8e0" in keys(identity.groups.by_id)
-}
-```
-
-This example shows accessing Identity properties to make decisions, showing
-that for Identity values IDs or names can be used for reference.
-
-In general, it is more secure to use IDs. While convenient, entity names and
-group names can be switched from one entity to another, because their only
-constraint is that they must be unique. Using IDs guarantees that only that
-specific entity or group is sufficient; if the group or entity are deleted and
-recreated with the same name, the match will fail.
-
-## Instantly Disallow All Previously-Generated Tokens
-
-Imagine a break-glass scenario where it is discovered that there have been
-compromises of some unknown number of previously-generated tokens.
-
-In such a situation it would be possible to revoke all previous tokens, but
-this may take a while for a number of reasons, from requiring revocation of
-generated secrets to the simple delay required to remove many entries from
-storage. In addition, it could revoke tokens and generated secrets that later
-forensic analysis shows were not compromised, unnecessarily widening the impact
-of the mass revocation.
-
-In Vault's ACL system a simple deny could be put into place, but this is a very
-coarse-grained control and would require forethought to ensure that a policy
-that can be modified in such a way is attached to every token. It also would
-not prevent access to login paths or other unauthenticated paths.
-
-Sentinel offers much more fine-grained control:
-
-```python
-import "time"
-
-main = rule when not request.unauthenticated {
-    time.load(token.creation_time).unix >
-      time.load("2017-09-17T13:25:29Z").unix
-}
-```
-
-Created as an EGP on `*`, this will block all access to any path Sentinel
-operates on with a token created before the given time. Tokens created after
-this time, since they were not a part of the compromise, will not be subject to
-this restriction.
-
-## Delegate EGP Policy Management Under a Path
-
-The following policy gives token holders with this policy (via their tokens or
-their Identity entities/groups) the ability to write EGP policies that can only
-take effect at Vault paths below certain prefixes. This effectively delegates
-policy management to the team for their own key-value spaces.
-
-```python
-import "strings"
-
-data_match = func() {
-    # Make sure there is request data
-    if length(request.data else 0) is 0 {
-        return false
-    }
-
-    # Make sure request data includes paths
-    if length(request.data.paths else 0) is 0 {
-        return false
-    }
-
-    # For each path, verify that it is in the allowed list
-    for strings.split(request.data.paths, ",") as path {
-        # Make it easier for users who might be used to starting paths with
-        # slashes
-        sanitizedPath = strings.trim_prefix(path, "/")
-        if not strings.has_prefix(sanitizedPath, "dev-kv/teama/") and
-           not strings.has_prefix(sanitizedPath, "prod-kv/teama/") {
-            return false
-        }
-    }
-
-    return true
-}
-
-# Only care about writing; reading can be allowed by normal ACLs
-precond = rule {
-    request.operation in ["create", "update"] and
-    strings.has_prefix(request.path, "sys/policies/egp/")
-}
-
-main = rule when precond {
-    strings.has_prefix(request.path, "sys/policies/egp/teama-") and data_match()
-}
-```
diff --git a/website/source/docs/enterprise/sentinel/index.html.md b/website/source/docs/enterprise/sentinel/index.html.md
deleted file mode 100644
index b7ef0f10d954..000000000000
--- a/website/source/docs/enterprise/sentinel/index.html.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Enterprise Sentinel Integration"
-sidebar_title: "Sentinel"
-sidebar_current: "docs-vault-enterprise-sentinel"
-description: |-
-  An overview of how Sentinel interacts with Vault Enterprise.
-
----
-
-# Overview
-
-Vault Enterprise integrates HashiCorp Sentinel to provide a rich set of access
-control functionality. Because Vault is a security-focused product trusted with
-high-risk secrets and assets, and because of its default-deny stance,
-integration with Vault is implemented in a defense-in-depth fashion. This takes
-the form of multiple types of policies and a fixed evaluation order.
-
-## Policy Types
-
-Vault's policy system has been expanded to support three types of policies:
-
-- `ACLs` - These are the [traditional Vault
-  policies](/docs/concepts/policies.html) and remain unchanged.
-
-- `Role Governing Policies (RGPs)` - RGPs are Sentinel policies that are tied
-  to particular tokens, Identity entities, or Identity groups. They have access
-  to a rich set of controls across various aspects of Vault.
-
-- `Endpoint Governing Policies (EGPs)` - EGPs are Sentinel policies that are
-  tied to particular paths instead of tokens. They have access to as much
-  request information as possible, but they can take effect even on
-  unauthenticated paths, such as login paths.
-
-Not every unauthenticated path supports EGPs. For instance, the paths related
-to root token generation cannot support EGPs because it's already the mechanism
-of last resort if, for instance, all clients are locked out of Vault due to
-misconfigured EGPs.
-
-Like with ACLs, [root tokens](/docs/concepts/tokens.html#root-tokens) tokens
-are not subject to Sentinel policy checks.
-
-Sentinel execution should be considered to be significantly slower than normal
-ACL policy checking. If high performance is needed, testing should be performed
-appropriately when introducing Sentinel policies.
-
-## Policy Evaluation
-
-During evaluation, all policy types, if they exist, must grant access.
-Evaluation uses the following logic:
-
-1. If the request is unauthenticated, skip to step 3. Otherwise, evaluate the
-   token's ACL policies. These must grant access; as always, a failure to be
-   granted capabilities on a path via ACL policies denies the request.
-2. RGPs attached to the token are evaluated. All policies must pass according
-   to their enforcement level.
-3. EGPs set on the requested path, and any prefix-matching EGPs set on
-   less-specific paths, are evaluated. All policies must pass according to
-   their enforcement level.
-
-Any failure at any of these steps results in a denied request.
-
-## Policy Overriding
-
-Vault supports normal Sentinel overriding behavior. Requests to override can be
-specified on the command line via the `policy-override` flag or in HTTP
-requests by setting the `X-Vault-Policy-Override` header to `true`.
-
-Override requests are visible in Vault's audit log; in addition, override
-requests and their eventual status (whether they ended up being required) are
-logged as warnings in Vault's server logs.
-
-## MFA
-
-Sentinel policies support the [Identity-based MFA
-system](/docs/enterprise/mfa/index.html) in Vault Enterprise.  Within a single
-request, multiple checks of any named MFA method will only trigger
-authentication behavior for that method once, regardless of whether its
-validity is checked via ACLs, RGPs, or EGPs.
-
-EGPs can be used to require MFA on otherwise unauthenticated paths, such as
-login paths. On such paths, the request data will perform a lookahead to try to
-discover the appropriate Identity information to use for MFA. It may be
-necessary to pre-populate Identity entries or supply additional parameters with
-the request if you require more information to use MFA than the endpoint is
-able to glean from the original request alone.
-
-# Using Sentinel
-
-## Configuration
-
-Sentinel policies can be configured via the `sys/policies/rgp/` and
-`sys/policies/egp/` endpoints; see [the
-documentation](/api/system/policies.html) for more information.
-
-Once set, RGPs can be assigned to Identity entities and groups or to tokens
-just like ACL policies. As a result, they cannot share names with ACL policies.
-
-When setting an EGP, a list of paths must be provided specifying on which paths
-that EGP should take effect. Endpoints can have multiple distinct EGPs set on
-them; all are evaluated for each request. Paths can use a glob character (`*`)
-as the last character of the path to perform a prefix match; a path that
-consists only of a `*` will apply to the root of the API. Since requests are
-subject to an EGPs exactly matching the requested path and any glob EGPs
-sitting further up the request path, an EGP with a path of `*` will thus take
-effect on all requests.
-
-## Properties and Examples
-
-See the [Examples](/docs/enterprise/sentinel/examples.html) page for examples
-of Sentinel in action, and the
-[Properties](/docs/enterprise/sentinel/properties.html) page for detailed
-property documentation.
-
-## Learn
-
-Refer to the [Sentinel Policies](https://learn.hashicorp.com/vault/identity-access-management/iam-sentinel)
-guide for a step-by-step tutorial.
diff --git a/website/source/docs/enterprise/sentinel/properties.html.md b/website/source/docs/enterprise/sentinel/properties.html.md
deleted file mode 100644
index 848806753b67..000000000000
--- a/website/source/docs/enterprise/sentinel/properties.html.md
+++ /dev/null
@@ -1,186 +0,0 @@
----
-layout: "docs"
-page_title: "Sentinel Properties"
-sidebar_title: "Properties"
-sidebar_current: "docs-vault-enterprise-sentinel-properties"
-description: |-
-  An overview of how Sentinel interacts with Vault Enterprise.
-
----
-
-# Properties
-
-Vault injects a rich set of data into the running Sentinel environment,
-allowing for very fine-grained controls. The set of available properties are
-enumerated on this page.
-
-The following properties are available for use in Sentinel policies.
-
-## Namespace Properties
-
-The `namespace` (Sentinel) namespace gives access to information about the
-namespace in which the request is running. (This may or may not match the
-client's chosen namespace, if a request reaches into a child namespace).
-
-| Name | Type   | Description                    |
-| :----| :------| :------------------------------|
-| `id`   | `string` | The namespace ID               |
-| `path` | `string` | The root path of the namespace |
-
-## Request Properties
-
-The following properties are available in the `request` namespace.
-
-|           Name           |           Type           |                                         Description                                         |
-| :----------------------- | :----------------------- | :------------------------------------------------------------------------------------------ |
-| `connection.remote_addr` | `string`                 | TCP/IP source address/port of the client                                                    |
-| `data`                   | `map (string -> any)`    | Raw request data                                                                            |
-| `operation`              | `string`                 | Operation type, e.g. "read" or "update"                                                     |
-| `path`                   | `string`                 | Path, with any leading `/` trimmed                                                          |
-| `policy_override`        | `bool`                   | `true` if a `soft-mandatory` policy override was requested                                  |
-| `unauthenticated`        | `bool`                   | `true` if the requested path is an unauthenticated path                                     |
-| `wrapping.ttl`           | `duration`               | The requested response-wrapping TTL in nanoseconds, suitable for use with the `time` import |
-| `wrapping.ttl_seconds`   | `int`                    | The requested response-wrapping TTL in seconds                                              |
-
-### Replication Properties
-
-The following properties exists at the `replication.mode` namespace.
-
-|     Name      |   Type   |                                                  Description                                                   |
-| :------------ | :------- | :------------------------------------------------------------------------------------------------------------- |
-| `dr`          | `string` | The state of DR replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary"          |
-| `replication` | `string` | The state of performance replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary" |
-
-## Token Properties
-
-The following properties, if available, are in the `token` namespace. The
-namespace will not exist if there is no token information attached to a
-request, e.g. when logging in.
-
-|            Name            |           Type           |                                                            Description                                                             |
-| :------------------------- | :----------------------- | :--------------------------------------------------------------------------------------------------------------------------------- |
-| `creation_time`            | `string`                 | The timestamp of the token's creation, in RFC3339 format                                                                           |
-| `creation_time_unix`       | `int`                    | The timestamp of the token's creation, in seconds since Unix epoch UTC                                                             |
-| `creation_ttl`             | `duration`               | The TTL the token was first created with in nanoseconds, suitable for use with the `time` import                                   |
-| `creation_ttl_seconds`     | `int`                    | The TTL the token was first created with in seconds                                                                                |
-| `display_name`             | `string`                 | The display name set on the token, if any                                                                                          |
-| `entity_id`                | `string`                 | The Identity entity ID attached to the token, if any                                                                               |
-| `explicit_max_ttl`         | `duration`               | If the token has an explicit max TTL, the duration of the explicit max TTL in nanoseconds, suitable for use with the `time` import |
-| `explicit_max_ttl_seconds` | `int`                    | If the token has an explicit max TTL, the duration of the explicit max TTL in seconds                                              |
-| `metadata`                 | `map (string -> string)` | Metadata set on the token                                                                                                          |
-| `num_uses`                 | `int`                    | The number of uses remaining on a use-count-limited token; 0 if the token has no use-count limit                                   |
-| `path`                     | `string`                 | The request path that resulted in creation of this token                                                                           |
-| `period`                   | `duration`               | If the token has a period, the duration of the period in nanoseconds, suitable for use with the `time` import                      |
-| `period_seconds`           | `int`                    | If the token has a period, the duration of the period in seconds                                                                   |
-| `policies`                 | `list (string)`          | Policies directly attached to the token                                                                                            |
-| `role`                     | `string`                 | If created via a token role, the role that created the token                                                                       |
-| `type`                     | `string`                 | The type of token, currently will be either `batch` or `service` |
-
-## Token Namespace Properties
-
-The following properties, if available, are in the `token.namespace` namespace. 
-The (Sentinel) namespace will not exist if there is no token information attached to a
-request, e.g. when logging in.
-
-| Name | Type   | Description                    |
-| :----| :------| :------------------------------|
-| `id`   | `string` | The namespace ID               |
-| `path` | `string` | The root path of the namespace |
-
-## Identity Properties
-
-The following properties, if available, are in the `identity` namespace. The
-namespace may not exist if there is no token information attached to the
-request; however, at login time the user's request data will be used to attempt
-to find any existing Identity information, or create some information to pass
-to MFA functions.
-
-### Entity Properties
-
-These exist at the `identity.entity` namespace.
-
-|        Name         |           Type           |                          Description                          |
-| :------------------ | :----------------------- | :------------------------------------------------------------ |
-| `creation_time`     | `string`                 | The entity's creation time in RFC3339 format                  |
-| `id`                | `string`                 | The entity's ID                                               |
-| `last_update_time`  | `string`                 | The entity's last update (modify) time in RFC3339 format      |
-| `metadata`          | `map (string -> string)` | Metadata associated with the entity                           |
-| `name`              | `string`                 | The entity's name                                             |
-| `merged_entity_ids` | `list (string)`          | A list of IDs of entities that have been merged into this one |
-| `aliases`           | `list (alias)`           | List of aliases associated with this entity                   |
-| `policies`          | `list (string)`          | List of the policies set on this entity                       |
-
-### Alias Properties
-
-These can be retrieved from `identity.entity.aliases`.
-
-|           Name           |           Type           |                                                                  Description                                                                  |
-| :----------------------- | :----------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------- |
-| `creation_time`          | `string`                 | The alias's creation time in RFC3339 format                                                                                                   |
-| `id`                     | `string`                 | The alias's ID                                                                                                                                |
-| `last_update_time`       | `string`                 | The alias's last update (modify) time in RFC3339 format                                                                                       |
-| `metadata`               | `map (string -> string)` | Metadata associated with the alias                                                                                                            |
-| `merged_from_entity_ids` | `list (string)`          | If this alias was attached to the current entity via one or more merges, the original entity/entities will be in this list                    |
-| `mount_accessor`         | `string`                 | The immutable accessor of the mount that created this alias                                                                                   |
-| `mount_path`             | `string`                 | The path of the mount that created this alias; unlike the accessor, there is no guarantee that the current path represents the original mount |
-| `mount_type`             | `string`                 | The type of the mount that created this alias                                                                                                 |
-| `name`                   | `string`                 | The alias's name                                                                                                                              |
-
-### Groups Properties
-
-These exist at the `identity.groups` namespace.
-
-|   Name    |          Type           |                                                                   Description                                                                   |
-| :-------- | :---------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------- |
-| `by_id`   | `map (string -> group)` | A map of group ID to group information                                                                                                          |
-| `by_name` | `map (string -> group)` | A map of group name to group information; unlike the group ID, there is no guarantee that the current name will always represent the same group |
-
-### Group Properties
-
-These can be retrieved from the `identity.groups` maps.
-
-|        Name         |           Type           |                            Description                             |
-| :------------------ | :----------------------- | :----------------------------------------------------------------- |
-| `creation_time`     | `string`                 | The group's creation time in RFC3339 format                        |
-| `id`                | `string`                 | The group's ID                                                     |
-| `last_update_time`  | `string`                 | The group's last update (modify) time in RFC3339 format            |
-| `metadata`          | `map (string -> string)` | Metadata associated with the group                                 |
-| `name`              | `string`                 | The group's name                                                   |
-| `member_entity_ids` | `list (string)`          | A list of IDs of entities that are directly assigned to this group |
-| `parent_group_ids`  | `list (string)`          | A list of IDs of groups that are parents of this group             |
-| `policies`          | `list (string)`          | List of the policies set on this group                             |
-
-## MFA Properties
-
-These properties exist at the `mfa` namespace.
-
-|   Name    |           Type           |                Description                |
-| :-------- | :----------------------- | :---------------------------------------- |
-| `methods` | `map (string -> method)` | A map of method name to method properties |
-
-### MFA Method Properties
-
-These properties can be accessed via the `mfa.methods` selector.
-
-|  Name   |  Type  |                                                                                                                  Description                                                                                                                  |
-| :------ | :----- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `valid` | `bool` | Whether the method has successfully been validated; if validation has not been attempted, this will trigger the validation attempt. The result of the validation attempt will be used for this method for all policies for the given request. |
-
-## Control Group Properties
-
-These properties exist at the `controlgroup` namespace.
-
-|          Name          |          Type          |                 Description                 |
-| :--------------------- | :--------------------- | :------------------------------------------ |
-| `time`, `request_time` | `string`               | The original request time in RFC3339 format |
-| `authorizations`       | `list (authorization)` | List of control group authorizations        |
-
-### Control Group Authorization
-
-These properties can be accessed via the `controlgroup.authorizations` selector.
-
-|   Name   |       Type        |                        Description                         |
-| :------- | :---------------- | :--------------------------------------------------------- |
-| `time`   | `string`          | The authorization time in RFC3339 format                   |
-| `entity` | `identity.entity` | The identity entity for the authorizer.                    |
-| `groups` | `identity.groups` | The map of identity groups associated with the authorizer. |
diff --git a/website/source/docs/index.html.erb.md b/website/source/docs/index.html.erb.md
deleted file mode 100644
index 7952233e16ce..000000000000
--- a/website/source/docs/index.html.erb.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-layout: 'docs'
-sidebar_title: 'Overview'
-sidebar_current: 'docs-index'
----
diff --git a/website/source/docs/install/index.html.md b/website/source/docs/install/index.html.md
deleted file mode 100644
index 7ca9ef996c27..000000000000
--- a/website/source/docs/install/index.html.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-layout: "docs"
-page_title: "Install Vault"
-sidebar_title: "Installing Vault"
-sidebar_current: "docs-install-install"
-description: |-
-  Installing Vault is simple. You can download a precompiled binary or compile
-  from source. This page details both methods.
----
-
-# Install Vault
-
-Installing Vault is simple. There are two approaches to installing Vault:
-
-1. Using a [precompiled binary](#precompiled-binaries)
-
-1. Installing [from source](#compiling-from-source)
-
-Downloading a precompiled binary is easiest, and we provide downloads over TLS
-along with SHA256 sums to verify the binary. We also distribute a PGP signature
-with the SHA256 sums that can be verified.
-
-## Precompiled Binaries
-
-To install the precompiled binary, [download](/downloads.html) the appropriate
-package for your system. Vault is currently packaged as a zip file. We do not
-have any near term plans to provide system packages.
-
-Once the zip is downloaded, unzip it into any directory. The `vault` binary
-inside is all that is necessary to run Vault (or `vault.exe` for Windows). Any
-additional files, if any, aren't required to run Vault.
-
-Copy the binary to anywhere on your system. If you intend to access it from the
-command-line, make sure to place it somewhere on your `PATH`.
-
-## Compiling from Source
-
-To compile from source, you will need [Go](https://golang.org) installed and
-configured properly (including a `GOPATH` environment variable set), as well
-as a copy of [`git`](https://www.git-scm.com/) in your `PATH`.
-
-  1. Clone the Vault repository from GitHub into your `GOPATH`:
-
-    ```shell
-    $ mkdir -p $GOPATH/src/github.com/hashicorp && cd $_
-    $ git clone https://github.com/hashicorp/vault.git
-    $ cd vault
-    ```
-
-  1. Bootstrap the project. This will download and compile libraries and tools
-  needed to compile Vault:
-
-    ```shell
-    $ make bootstrap
-    ```
-
-  1. Build Vault for your current system and put the
-  binary in `./bin/` (relative to the git checkout). The `make dev` target is
-  just a shortcut that builds `vault` for only your local build environment (no
-  cross-compiled targets).
-
-    ```shell
-    $ make dev
-    ```
-
-## Verifying the Installation
-
-To verify Vault is properly installed, run `vault -h` on your system. You should
-see help output. If you are executing it from the command line, make sure it is
-on your PATH or you may get an error about Vault not being found.
-
-```shell
-$ vault -h
-```
diff --git a/website/source/docs/internals/architecture.html.md b/website/source/docs/internals/architecture.html.md
deleted file mode 100644
index ba7172dc2313..000000000000
--- a/website/source/docs/internals/architecture.html.md
+++ /dev/null
@@ -1,176 +0,0 @@
----
-layout: "docs"
-page_title: "Architecture"
-sidebar_title: "Architecture"
-sidebar_current: "docs-internals-architecture"
-description: |-
-  Learn about the internal architecture of Vault.
----
-
-# Architecture
-
-Vault is a complex system that has many different pieces. To help both users and
-developers of Vault build a mental model of how it works, this page documents
-the system architecture.
-
-~> **Advanced Topic!** This page covers technical details of Vault. You don't
-need to understand these details to effectively use Vault. The details are
-documented here for those who wish to learn about them without having to go
-spelunking through the source code. However, if you're an operator of Vault, we
-recommend learning about the architecture due to the importance of Vault in an
-environment.
-
-# Glossary
-
-Before describing the architecture, we provide a glossary of terms to help
-clarify what is being discussed:
-
-- **Storage Backend** - A storage backend is responsible for durable storage of
-  _encrypted_ data. Backends are not trusted by Vault and are only expected to
-  provide durability. The storage backend is configured when starting the Vault
-  server.
-
-- **Barrier** - The barrier is cryptographic steel and concrete around the
-  Vault. All data that flows between Vault and the storage backend passes
-  through the barrier. The barrier ensures that only encrypted data is written
-  out, and that data is verified and decrypted on the way in. Much like a bank
-  vault, the barrier must be "unsealed" before anything inside can be accessed.
-
-- **Secrets Engine** - A secrets engine is responsible for managing secrets.
-  Simple secrets engines like the "kv" secrets engine simply return the same
-  secret when queried. Some secrets engines support using policies to
-  dynamically generate a secret each time they are queried. This allows for
-  unique secrets to be used which allows Vault to do fine-grained revocation and
-  policy updates. As an example, a MySQL secrets engine could be configured with
-  a "web" policy. When the "web" secret is read, a new MySQL user/password pair
-  will be generated with a limited set of privileges for the web server.
-
-- **Audit Device** - An audit device is responsible for managing audit logs.
-  Every request to Vault and response from Vault goes through the configured
-  audit devices. This provides a simple way to integrate Vault with multiple
-  audit logging destinations of different types.
-
-- **Auth Method** - An auth method is used to authenticate users or applications
-  which are connecting to Vault. Once authenticated, the auth method returns the
-  list of applicable policies which should be applied. Vault takes an
-  authenticated user and returns a client token that can be used for future
-  requests. As an example, the `userpass` auth method uses a username and
-  password to authenticate the user. Alternatively, the `github` auth method
-  allows users to authenticate via GitHub.
-
-- **Client Token** - A client token (aka "Vault Token") is conceptually
-  similar to a session cookie on a web site. Once a user authenticates, Vault
-  returns a client token which is used for future requests. The token is used by
-  Vault to verify the identity of the client and to enforce the applicable ACL
-  policies. This token is passed via HTTP headers.
-
-- **Secret** - A secret is the term for anything returned by Vault which
-  contains confidential or cryptographic material. Not everything returned by
-  Vault is a secret, for example system configuration, status information, or
-  policies are not considered secrets. Secrets always have an associated lease.
-  This means clients cannot assume that the secret contents can be used
-  indefinitely. Vault will revoke a secret at the end of the lease, and an
-  operator may intervene to revoke the secret before the lease is over. This
-  contract between Vault and its clients is critical, as it allows for changes
-  in keys and policies without manual intervention.
-
-- **Server** - Vault depends on a long-running instance which operates as a
-  server. The Vault server provides an API which clients interact with and
-  manages the interaction between all the secrets engines, ACL enforcement, and
-  secret lease revocation. Having a server based architecture decouples clients
-  from the security keys and policies, enables centralized audit logging and
-  simplifies administration for operators.
-
-# High-Level Overview
-
-A very high level overview of Vault looks like this:
-
-[![Architecture Overview](/img/layers.png)](/img/layers.png)
-
-Let's begin to break down this picture. There is a clear separation of
-components that are inside or outside of the security barrier. Only the storage
-backend and the HTTP API are outside, all other components are inside the
-barrier.
-
-The storage backend is untrusted and is used to durably store encrypted data.
-When the Vault server is started, it must be provided with a storage backend so
-that data is available across restarts. The HTTP API similarly must be started
-by the Vault server on start so that clients can interact with it.
-
-Once started, the Vault is in a _sealed_ state. Before any operation can be
-performed on the Vault it must be unsealed. This is done by providing the unseal
-keys. When the Vault is initialized it generates an encryption key which is used
-to protect all the data. That key is protected by a master key. By default,
-Vault uses a technique known as [Shamir's secret sharing
-algorithm](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing) to split the
-master key into 5 shares, any 3 of which are required to reconstruct the master
-key.
-
-[![Vault Shamir Secret Sharing Algorithm](/img/vault-shamir-secret-sharing.svg)](/img/vault-shamir-secret-sharing.svg)
-
-The number of shares and the minimum threshold required can both be specified.
-Shamir's technique can be disabled, and the master key used directly for
-unsealing. Once Vault retrieves the encryption key, it is able to decrypt the
-data in the storage backend, and enters the _unsealed_ state. Once unsealed,
-Vault loads all of the configured audit devices, auth methods, and secrets
-engines.
-
-The configuration of those audit devices, auth methods, and secrets engines must
-be stored in Vault since they are security sensitive. Only users with the
-correct permissions should be able to modify them, meaning they cannot be
-specified outside of the barrier. By storing them in Vault, any changes to them
-are protected by the ACL system and tracked by audit logs.
-
-After the Vault is unsealed, requests can be processed from the HTTP API to the
-Core. The core is used to manage the flow of requests through the system,
-enforce ACLs, and ensure audit logging is done.
-
-When a client first connects to Vault, it needs to authenticate. Vault provides
-configurable auth methods providing flexibility in the authentication mechanism
-used. Human friendly mechanisms such as username/password or GitHub might be
-used for operators, while applications may use public/private keys or tokens to
-authenticate. An authentication request flows through core and into an auth
-method, which determines if the request is valid and returns a list of
-associated policies.
-
-Policies are just a named ACL rule. For example, the "root" policy is built-in
-and permits access to all resources. You can create any number of named policies
-with fine-grained control over paths. Vault operates exclusively in a whitelist
-mode, meaning that unless access is explicitly granted via a policy, the action
-is not allowed. Since a user may have multiple policies associated, an action is
-allowed if any policy permits it. Policies are stored and managed by an internal
-policy store. This internal store is manipulated through the system backend,
-which is always mounted at `sys/`.
-
-Once authentication takes place and an auth method provides a set of applicable
-policies, a new client token is generated and managed by the token store. This
-client token is sent back to the client, and is used to make future requests.
-This is similar to a cookie sent by a website after a user logs in. The client
-token may have a lease associated with it depending on the auth method
-configuration. This means the client token may need to be periodically renewed
-to avoid invalidation.
-
-Once authenticated, requests are made providing the client token. The token is
-used to verify the client is authorized and to load the relevant policies. The
-policies are used to authorize the client request. The request is then routed to
-the secrets engine, which is processed depending on its type. If the secrets
-engine returns a secret, the core registers it with the expiration manager and
-attaches a lease ID. The lease ID is used by clients to renew or revoke their
-secret. If a client allows the lease to expire, the expiration manager
-automatically revokes the secret.
-
-The core handles logging of requests and responses to the audit broker, which
-fans the request out to all the configured audit devices. Outside of the request
-flow, the core performs certain background activity. Lease management is
-critical, as it allows expired client tokens or secrets to be revoked
-automatically. Additionally, Vault handles certain partial failure cases by
-using write ahead logging with a rollback manager. This is managed transparently
-within the core and is not user visible.
-
-# Getting in Depth
-
-This has been a brief high-level overview of the architecture of Vault. There
-are more details available for each of the sub-systems.
-
-For other details, either consult the code, ask in IRC or reach out to the
-mailing list.
diff --git a/website/source/docs/internals/high-availability.html.md b/website/source/docs/internals/high-availability.html.md
deleted file mode 100644
index f701580131f2..000000000000
--- a/website/source/docs/internals/high-availability.html.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-layout: "docs"
-page_title: "High Availability"
-sidebar_title: "High Availability"
-sidebar_current: "docs-internals-ha"
-description: |-
-  Learn about the high availability design of Vault.
----
-
-# High Availability
-
-Vault is primarily used in production environments to manage secrets.
-As a result, any downtime of the Vault service can affect downstream clients.
-Vault is designed to support a highly available deploy to ensure a machine
-or process failure is minimally disruptive.
-
-~> **Advanced Topic!** This page covers technical details
-of Vault. You don't need to understand these details to
-effectively use Vault. The details are documented here for
-those who wish to learn about them without having to go
-spelunking through the source code. However, if you're an
-operator of Vault, we recommend learning about the architecture
-due to the importance of Vault in an environment.
-
-# Design Overview
-
-The primary design goal in making Vault highly available (HA) was to
-minimize downtime and not horizontal scalability. Vault is typically
-bound by the IO limits of the storage backend rather than the compute
-requirements. This simplifies the HA approach and allows more complex
-coordination to be avoided.
-
-Certain storage backends, such as Consul, provide additional coordination
-functions that enable Vault to run in an HA configuration. When supported
-by the backend, Vault will automatically run in HA mode without additional
-configuration.
-
-When running in HA mode, Vault servers have two additional states they
-can be in: standby and active. For multiple Vault servers sharing a storage
-backend, only a single instance will be active at any time while all other
-instances are hot standbys.
-
-The active server operates in a standard fashion and processes all requests.
-The standby servers do not process requests, and instead redirect to the active
-Vault. Meanwhile, if the active server is sealed, fails, or loses network connectivity
-then one of the standbys will take over and become the active instance.
-
-It is important to note that only _unsealed_ servers act as a standby.
-If a server is still in the sealed state, then it cannot act as a standby
-as it would be unable to serve any requests should the active server fail.
-
-# Performance Standby Nodes (Enterprise)
-
-Performance Standby Nodes are just like traditional High Availability standby
-nodes but they can service read-only requests from users or applications.
-Read-only requests are requests that do not modify Vault's storage. This allows
-for Vault to quickly scale its ability to service these kinds of operations,
-providing near-linear request-per-second scaling in many common scenarios for
-some secrets engines like K/V and Transit. By spreading traffic across
-performance standby nodes, clients can scale these IOPS horizontally to handle
-extremely high traffic workloads.  
-
-If a request comes into a Performance Standby Node that causes a storage write
-the request will be forwarded onto the active server. If the request is
-read-only the request will be serviced locally on the Performance Standby.
-
-Just like traditional HA standbys if the active node is sealed, fails, or loses
-network connectivity then a performance standby can take over and become the
-active instance.
diff --git a/website/source/docs/internals/index.html.md b/website/source/docs/internals/index.html.md
deleted file mode 100644
index 46d5d2d653a5..000000000000
--- a/website/source/docs/internals/index.html.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-layout: "docs"
-page_title: "Internals"
-sidebar_title: "Internals"
-sidebar_current: "docs-internals"
-description: |-
-  This section covers the internals of Vault and explains technical details of Vaults operation.
----
-
-# Vault Internals
-
-This section covers the internals of Vault and explains the technical
-details of how Vault functions, its architecture and security properties.
-
--> **Note:** Knowledge of Vault internals is not
-required to use Vault. If you aren't interested in the internals
-of Vault, you may safely skip this section. If you're operating Vault,
-we recommend understanding the internals.
diff --git a/website/source/docs/internals/plugins.html.md b/website/source/docs/internals/plugins.html.md
deleted file mode 100644
index 83168b6ffc0d..000000000000
--- a/website/source/docs/internals/plugins.html.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-layout: "docs"
-page_title: "Plugin System"
-sidebar_title: "Plugins"
-sidebar_current: "docs-internals-plugins"
-description: |-
-  Learn about Vault's plugin system.
----
-
-# Plugin System
-All Vault auth and secret backends are considered plugins. This simple concept
-allows both built-in and external plugins to be treated like Legos. Any plugin
-can exist at multiple different locations. Different versions of a plugin may
-be at each one, with each version differing from Vault's version.
-
-## Built-In Plugins
-Built-in plugins are shipped with Vault, often for commonly used implementations,
-and require no additional operator intervention to run. Built-in plugins are
-just like any other backend code inside Vault.
-
-To use a different or edited version of a built-in plugin, you would first edit
-the plugin's code or navigate to the Vault version holding the version of the
-plugin you desire. Then, you'd `$ cd` into the `cmd/:plugin-name` directory
-contained alongside that plugin's code. For instance, for AppRole, you would:
-`$ cd vault/builtin/credential/approle/cmd/approle`. Once in that directory,
-you would run `$ go build` to obtain a new binary for the AppRole plugin. Then
-you would add it to the plugin catalog as per normal, and enable it.
-
-# Plugin Architecture
-Vault's plugins are completely separate, standalone applications that Vault
-executes and communicates with over RPC. This means the plugin process does not
-share the same memory space as Vault and therefore can only access the
-interfaces and arguments given to it. This also means a crash in a plugin can not
-crash the entirety of Vault.
-
-It is possible to enable a custom plugin with a name that's identical to a
-built-in plugin. In such a situation, Vault will always choose the custom plugin
-when enabling it.
-
-## Plugin Communication
-Vault creates a mutually authenticated TLS connection for communication with the
-plugin's RPC server. While invoking the plugin process, Vault passes a [wrapping
-token](https://www.vaultproject.io/docs/concepts/response-wrapping.html) to the
-plugin process' environment. This token is single use and has a short TTL. Once
-unwrapped, it provides the plugin with a uniquely generated TLS certificate and
-private key for it to use to talk to the original Vault process.
-
-The [`api_addr`][api_addr] must be set in order for the plugin process establish
-communication with the Vault server during mount time. If the storage backend
-has HA enabled and supports automatic host address detection (e.g. Consul),
-Vault will automatically attempt to determine the `api_addr` as well.
-
-~> Note: Reading the original connection's TLS connection state is not supported
-in plugins.
-
-## Plugin Registration
-An important consideration of Vault's plugin system is to ensure the plugin
-invoked by Vault is authentic and maintains integrity. There are two components
-that a Vault operator needs to configure before external plugins can be run, the
-plugin directory and the plugin catalog entry.
-
-### Plugin Directory
-The plugin directory is a configuration option of Vault, and can be specified in
-the [configuration file](https://www.vaultproject.io/docs/configuration/index.html).
-This setting specifies a directory in which all plugin binaries must live;
-_this value cannot be a symbolic link_. A plugin
-can not be added to Vault unless it exists in the plugin directory. There is no
-default for this configuration option, and if it is not set plugins can not be
-added to Vault.
-
-~> Warning: A Vault operator should take care to lock down the permissions on
-this directory to ensure a plugin can not be modified by an unauthorized user
-between the time of the SHA check and the time of plugin execution.
-
-### Plugin Catalog
-The plugin catalog is Vault's list of approved plugins. The catalog is stored in
-Vault's barrier and can only be updated by a Vault user with sudo permissions.
-Upon adding a new plugin, the plugin name, SHA256 sum of the executable, and the
-command that should be used to run the plugin must be provided. The catalog will
-make sure the executable referenced in the command exists in the plugin
-directory. When added to the catalog the plugin is not automatically executed,
-it instead becomes visible to backends and can be executed by them. For more
-information on the plugin catalog please see the [Plugin Catalog API
-docs](/api/system/plugins-catalog.html).
-
-An example plugin submission looks like:
-
-```
-$ vault write sys/plugins/catalog/database/myplugin-database-plugin \
-    sha256=<expected SHA256 Hex value of the plugin binary> \
-    command="myplugin"
-Success! Data written to: sys/plugins/catalog/database/myplugin-database-plugin
-```
-
-### Plugin Execution
-When a backend wants to run a plugin, it first looks up the plugin, by name, in
-the catalog. It then checks the executable's SHA256 sum against the one
-configured in the plugin catalog. Finally Vault runs the command configured in
-the catalog, sending along the JWT formatted response wrapping token and mlock
-settings (like Vault, plugins support [the use of mlock when available](https://www.vaultproject.io/docs/configuration/index.html#disable_mlock)).
-
-# Plugin Development
-
-~> Advanced topic! Plugin development is a highly advanced topic in Vault, and
-is not required knowledge for day-to-day usage. If you don't plan on writing any
-plugins, we recommend not reading this section of the documentation.
-
-Because Vault communicates to plugins over a RPC interface, you can build and
-distribute a plugin for Vault without having to rebuild Vault itself. This makes
-it easy for you to build a Vault plugin for your organization's internal use,
-for a proprietary API that you don't want to open source, or to prototype
-something before contributing it back to the main project.
-
-In theory, because the plugin interface is HTTP, you could even develop a plugin
-using a completely different programming language! (Disclaimer, you would also
-have to re-implement the plugin API which is not a trivial amount of work.)
-
-Developing a plugin is simple. The only knowledge necessary to write
-a plugin is basic command-line skills and basic knowledge of the
-[Go programming language](http://golang.org).
-
-Your plugin implementation needs to satisfy the interface for the plugin
-type you want to build. You can find these definitions in the docs for the
-backend running the plugin.
-
-```go
-package main
-
-import (
-	"os"
-
-	myPlugin "your/plugin/import/path"
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/sdk/plugin"
-)
-
-func main() {
-	apiClientMeta := &api.PluginAPIClientMeta{}
-	flags := apiClientMeta.FlagSet()
-	flags.Parse(os.Args[1:])
-
-	tlsConfig := apiClientMeta.GetTLSConfig()
-	tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
-
-	err := plugin.Serve(&plugin.ServeOpts{
-		BackendFactoryFunc: myPlugin.Factory,
-		TLSProviderFunc:    tlsProviderFunc,
-	})
-	if err != nil {
-		logger := hclog.New(&hclog.LoggerOptions{})
-
-		logger.Error("plugin shutting down", "error", err)
-		os.Exit(1)
-	}
-}
-```
-
-And that's basically it! You would just need to change `myPlugin` to your actual
-plugin. For more information on how to register and enable your plugin, check out the [Building Plugin Backends](https://learn.hashicorp.com/vault/developer/plugin-backends) tutorial.
-
-[api_addr]: /docs/configuration/index.html#api_addr
diff --git a/website/source/docs/internals/replication.html.md b/website/source/docs/internals/replication.html.md
deleted file mode 100644
index 2aba911d407c..000000000000
--- a/website/source/docs/internals/replication.html.md
+++ /dev/null
@@ -1,169 +0,0 @@
----
-layout: "docs"
-page_title: "Replication"
-sidebar_title: "Replication"
-sidebar_current: "docs-internals-replication"
-description: |-
-  Learn about the details of multi-datacenter replication within Vault.
----
-
-# Replication (Vault Enterprise)
-
-Vault Enterprise 0.7 adds support for multi-datacenter replication. Before
-using this feature, it is useful to understand the intended use cases, design
-goals, and high level architecture.
-
-Replication is based on a primary/secondary (1:N) model with asynchronous
-replication, focusing on high availability for global deployments. The
-trade-offs made in the design and implementation of replication reflect these
-high level goals.
-
-# Use Cases
-
-Vault replication is based on a number of common use cases:
-
-* **Multi-Datacenter Deployments**: A common challenge is providing Vault to
-  applications across many datacenters in a highly-available manner. Running a
-  single Vault cluster imposes high latency of access for remote clients,
-  availability loss or outages during connectivity failures, and limits
-  scalability.
-
-* **Backup Sites**: Implementing a robust business continuity plan around the
-  loss of a primary datacenter requires the ability to quickly and easily fail
-  to a hot backup site.
-
-* **Scaling Throughput**: Applications that use Vault for
-  Encryption-as-a-Service or cryptographic offload may generate a very high
-  volume of requests for Vault. Replicating keys between multiple clusters
-  allows load to be distributed across additional servers to scale request
-  throughput.
-
-# Design Goals
-
-Based on the use cases for Vault Replication, we had a number of design goals
-for the implementation:
-
-* **Availability**: Global deployments of Vault require high levels of
-  availability, and can tolerate reduced consistency. During full connectivity,
-  replication is nearly real-time between the primary and secondary clusters.
-  Degraded connectivity between a primary and secondary does not impact the
-  primary's ability to service requests, and the secondary will continue to
-  service reads on last-known data.
-
-* **Conflict Free**: Certain replication techniques allow for potential write
-  conflicts to take place. Particularly, any active/active configuration where
-  writes are allowed to multiple sites require a conflict resolution strategy.
-  This varies from techniques that allow for data loss like last-write-wins, or
-  techniques that require manual operator resolution like allowing multiple
-  values per key. We avoid the possibility of conflicts to ensure there is no
-  data loss or manual intervention required.
-
-* **Transparent to Clients**: Vault replication should be transparent to
-  clients of Vault, so that existing thin clients work unmodified. The Vault
-  servers handle the logic of request forwarding to the primary when necessary,
-  and multi-hop routing is performed internally to ensure requests are
-  processed.
-
-* **Simple to Operate**: Operating a replicated cluster should be simple to
-  avoid administrative overhead and potentially introducing security gaps.
-  Setup of replication is very simple, and secondaries can handle being
-  arbitrarily behind the primary, avoiding the need for operator intervention
-  to copy data or snapshot the primary.
-
-# Architecture
-
-The architecture of Vault replication is based on the design goals, focusing on
-the intended use cases. When replication is enabled, a cluster is set as either
-a _primary_ or _secondary_. The primary cluster is authoritative, and is the
-only cluster allowed to perform actions that write to the underlying data
-storage, such as modifying policies or secrets. Secondary clusters can service
-all other operations, such as reading secrets or sending data through
-`transit`, and forward any writes to the primary cluster. Disallowing multiple
-primaries ensures the cluster is conflict free and has an authoritative state.
-
-The primary cluster uses log shipping to replicate changes to all of the
-secondaries.  This ensures writes are visible globally in near real-time when
-there is full network connectivity. If a secondary is down or unable to
-communicate with the primary, writes are not blocked on the primary and reads
-are still serviced on the secondary. This ensures the availability of Vault.
-When the secondary is initialized or recovers from degraded connectivity it
-will automatically reconcile with the primary.
-
-Lastly, clients can speak to any Vault server without a thick client. If a
-client is communicating with a standby instance, the request is automatically
-forwarded to an active instance. Secondary clusters will service reads locally
-and forward any write requests to the primary cluster. The primary cluster is
-able to service all request types.
-
-An important optimization Vault makes is to avoid replication of tokens or
-leases between clusters. Policies and secrets are the minority of data managed
-by Vault and tend to be relatively stable. Tokens and leases are much more
-dynamic, as they are created and expire rapidly. Keeping tokens and leases
-locally reduces the amount of data that needs to be replicated, and distributes
-the work of TTL management between the clusters. The caveat is that clients
-will need to re-authenticate if they switch the Vault cluster they are
-communicating with.
-
-# Implementation Details
-
-It is important to understand the high-level architecture of replication to
-ensure the trade-offs are appropriate for your use case. The implementation
-details may be useful for those who are curious or want to understand more
-about the performance characteristics or failure scenarios.
-
-Using replication requires a storage backend that supports transactional
-updates, such as Consul.  This allows multiple key/value updates to be
-performed atomically. Replication uses this to maintain a
-[Write-Ahead-Log][wal] (WAL) of all updates, so that the key update happens
-atomically with the WAL entry creation.  The WALs are then used to perform log
-shipping between the Vault clusters. When a secondary is closely synchronized
-with a primary, Vault directly streams new WALs to be applied, providing near
-real-time replication. A bounded set of WALs are maintained for the
-secondaries, and older WALs are garbage collected automatically.
-
-When a secondary is initialized or is too far behind the primary there may not
-be enough WALs to synchronize. To handle this scenario, Vault maintains a
-[merkle index][merkle] of the encrypted keys. Any time a key is updated or
-deleted, the merkle index is updated to reflect the change.  When a secondary
-needs to reconcile with a primary, they compare their merkle indexes to
-determine which keys are out of sync. The structure of the index allows this to
-be done very efficiently, usually requiring only two round trips and a small
-amount of data. The secondary uses this information to reconcile and then
-switches back into WAL streaming mode.
-
-Performance is an important concern for Vault, so WAL entries are batched and
-the merkle index is not flushed to disk with every operation. Instead, the
-index is updated in memory for every operation and asynchronously flushed to
-disk. As a result, a crash or power loss may cause the merkle index to become
-out of sync with the underlying keys. Vault uses the [ARIES][aries] recovery
-algorithm to ensure the consistency of the index under those failure
-conditions.
-
-Log shipping traditionally requires the WAL stream to be synchronized, which
-can introduce additional complexity when a new primary cluster is promoted.
-Vault uses the merkle index as the source of truth, allowing the WAL streams to
-be completely distinct and unsynchronized.  This simplifies administration of
-Vault Replication for operators.
-
-# Caveats
-
-* **Read-After-Write Consistency**: All write requests are forwarded from
-  secondaries to the primary cluster in order to avoid potential conflicts.
-  While replication is near real-time, it is not instantaneous, meaning there
-  is a potential for a client to write to a secondary and a subsequent read to
-  return an old value. Secondaries attempt to mask this from an individual
-  client making subsequent requests by stalling write requests until the write
-  is replicated or a timeout is reached (2 seconds). If the timeout is reached,
-  the client will receive a warning.
-
-* **Stale Reads**: Secondary clusters service reads based on their
-  locally-replicated data. During normal operation updates from a primary are
-  received in near real-time by secondaries. However, during an outage or
-  network service disruption, replication may stall and secondaries may have
-  stale data. The cluster will automatically recover and reconcile any stale
-  data once the outage has recovered, but reads in the intervening period may
-  receive stale data.
-
-[wal]: https://en.wikipedia.org/wiki/Write-ahead_logging
-[merkle]: https://en.wikipedia.org/wiki/Merkle_tree
-[aries]: https://en.wikipedia.org/wiki/Algorithms_for_Recovery_and_Isolation_Exploiting_Semantics
diff --git a/website/source/docs/internals/rotation.html.md b/website/source/docs/internals/rotation.html.md
deleted file mode 100644
index 5daa34603be5..000000000000
--- a/website/source/docs/internals/rotation.html.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-layout: "docs"
-page_title: "Key Rotation"
-sidebar_title: "Key Rotation"
-sidebar_current: "docs-internals-rotation"
-description: |-
-  Learn about the details of key rotation within Vault.
----
-
-# Key Rotation
-
-Vault has multiple encryption keys that are used for various purposes. These keys support
-rotation so that they can be periodically changed or in response to a potential leak or
-compromise. It is useful to first understand the
-[high-level architecture](/docs/internals/architecture.html) before learning about key rotation.
-
-As a review, Vault starts in a _sealed_ state. Vault is unsealed by providing the unseal keys.
-By default, Vault uses a technique known as [Shamir's secret sharing algorithm](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
-to split the master key into 5 shares, any 3 of which are required to reconstruct the master
-key. The master key is used to protect the encryption key, which is ultimately used to protect
-data written to the storage backend.
-
-[![Vault Shamir Secret Sharing Algorithm](/img/vault-shamir-secret-sharing.svg)](/img/vault-shamir-secret-sharing.svg)
-
-To support key rotation, we need to support changing the unseal keys, master key, and the
-backend encryption key. We split this into two separate operations, `rekey` and `rotate`.
-
-The `rekey` operation is used to generate a new master key. When this is being done,
-it is possible to change the parameters of the key splitting, so that the number of shares
-and the threshold required to unseal can be changed. To perform a rekey a threshold of the
-current unseal keys must be provided. This is to prevent a single malicious operator from
-performing a rekey and invalidating the existing master key.
-
-Performing a rekey is fairly straightforward. The rekey operation must be initialized with
-the new parameters for the split and threshold. Once initialized, the current unseal keys
-must be provided until the threshold is met. Once met, Vault will generate the new master
-key, perform the splitting, and re-encrypt the encryption key with the new master key.
-The new unseal keys are then provided to the operator, and the old unseal keys are no
-longer usable.
-
-The `rotate` operation is used to change the encryption key used to protect data written
-to the storage backend. This key is never provided or visible to operators, who only
-have unseal keys. This simplifies the rotation, as it does not require the current key
-holders unlike the `rekey` operation. When `rotate` is triggered, a new encryption key
-is generated and added to a keyring. All new values written to the storage backend are
-encrypted with the new key. Old values written with previous encryption keys can still
-be decrypted since older keys are saved in the keyring. This allows key rotation to be
-done online, without an expensive re-encryption process.
-
-Both the `rekey` and `rotate` operations can be done online and in a highly available
-configuration. Only the active Vault instance can perform either of the operations
-but standby instances can still assume an active role after either operation. This is
-done by providing an online upgrade path for standby instances. If the current encryption
-key is `N` and a rotation installs `N+1`, Vault creates a special "upgrade" key, which
-provides the `N+1` encryption key protected by the `N` key. This upgrade key is only available
-for a few minutes enabling standby instances to do a periodic check for upgrades.
-This allows standby instances to update their keys and stay in-sync with the active Vault
-without requiring operators to perform another unseal.
diff --git a/website/source/docs/internals/security.html.md b/website/source/docs/internals/security.html.md
deleted file mode 100644
index d3459610a85f..000000000000
--- a/website/source/docs/internals/security.html.md
+++ /dev/null
@@ -1,163 +0,0 @@
----
-layout: "docs"
-page_title: "Security Model"
-sidebar_title: "Security Model"
-sidebar_current: "docs-internals-security"
-description: |-
-  Learn about the security model of Vault.
----
-
-# Security Model
-
-Due to the nature of Vault and the confidentiality of data it is managing,
-the Vault security model is very critical. The overall goal of Vault's security
-model is to provide [confidentiality, integrity, availability, accountability,
-authentication](https://en.wikipedia.org/wiki/Information_security).
-
-This means that data at rest and in transit must be secure from eavesdropping
-or tampering. Clients must be appropriately authenticated and authorized
-to access data or modify policy. All interactions must be auditable and traced
-uniquely back to the origin entity. The system must be robust against intentional
-attempts to bypass any of its access controls.
-
-# Threat Model
-
-The following are the various parts of the Vault threat model:
-
-* Eavesdropping on any Vault communication. Client communication with Vault
-  should be secure from eavesdropping as well as communication from Vault to
-  its storage backend.
-
-* Tampering with data at rest or in transit. Any tampering should be detectable
-  and cause Vault to abort processing of the transaction.
-
-* Access to data or controls without authentication or authorization. All requests
-  must be proceeded by the applicable security policies.
-
-* Access to data or controls without accountability. If audit logging
-  is enabled, requests and responses must be logged before the client receives
-  any secret material.
-
-* Confidentiality of stored secrets. Any data that leaves Vault to rest in the
-  storage backend must be safe from eavesdropping. In practice, this means all
-  data at rest must be encrypted.
-
-* Availability of secret material in the face of failure. Vault supports
-  running in a highly available configuration to avoid loss of availability.
-
-The following are not parts of the Vault threat model:
-
-* Protecting against arbitrary control of the storage backend. An attacker
-  that can perform arbitrary operations against the storage backend can
-  undermine security in any number of ways that are difficult or impossible to protect
-  against. As an example, an attacker could delete or corrupt all the contents
-  of the storage backend causing total data loss for Vault. The ability to control
-  reads would allow an attacker to snapshot in a well-known state and rollback state
-  changes if that would be beneficial to them.
-
-* Protecting against the leakage of the existence of secret material. An attacker
-  that can read from the storage backend may observe that secret material exists
-  and is stored, even if it is kept confidential.
-
-* Protecting against memory analysis of a running Vault. If an attacker is able
-  to inspect the memory state of a running Vault instance then the confidentiality
-  of data may be compromised.
-
-# External Threat Overview
-
-Given the architecture of Vault, there are 3 distinct systems we are concerned
-with for Vault. There is the client, which is speaking to Vault over an API.
-There is Vault or the server more accurately, which is providing an API and
-serving requests. Lastly, there is the storage backend, which the server is
-utilizing to read and write data.
-
-There is no mutual trust between the Vault client and server. Clients use
-[TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) to verify the
-identity of the server and to establish a secure communication channel. Servers
-require that a client provides a client token for every request which is used
-to identify the client.  A client that does not provide their token is only
-permitted to make login requests.
-
-The storage backends used by Vault are also untrusted by design. Vault uses a
-security barrier for all requests made to the backend. The security barrier
-automatically encrypts all data leaving Vault using a 256-bit [Advanced
-Encryption Standard
-(AES)](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) cipher in
-the [Galois Counter Mode
-(GCM)](https://en.wikipedia.org/wiki/Galois/Counter_Mode) with 96-bit nonces.
-The nonce is randomly generated for every encrypted object. When data is read
-from the security barrier the GCM authentication tag is verified during the
-decryption process to detect any tampering.
-
-Depending on the backend used, Vault may communicate with the backend over TLS
-to provide an added layer of security. In some cases, such as a file backend
-this is not applicable. Because storage backends are untrusted, an eavesdropper
-would only gain access to encrypted data even if communication with the backend
-was intercepted.
-
-# Internal Threat Overview
-
-Within the Vault system, a critical security concern is an attacker attempting
-to gain access to secret material they are not authorized to. This is an internal
-threat if the attacker is already permitted some level of access to Vault and is
-able to authenticate.
-
-When a client first authenticates with Vault, an auth method is used to verify
-the identity of the client and to return a list of associated ACL policies.
-This association is configured by operators of Vault ahead of time. For
-example, GitHub users in the "engineering" team may be mapped to the
-"engineering" and "ops" Vault policies. Vault then generates a client token
-which is a randomly generated, serialized value and maps it to the policy list.
-This client token is then returned to the client.
-
-On each request a client provides this token. Vault then uses it to check that
-the token is valid and has not been revoked or expired, and generates an ACL
-based on the associated policies. Vault uses a strict default deny or whitelist
-enforcement. This means unless an associated policy allows for a given action,
-it will be denied. Each policy specifies a level of access granted to a path in
-Vault. When the policies are merged (if multiple policies are associated with a
-client), the highest access level permitted is used.  For example, if the
-"engineering" policy permits read/update access to the "eng/" path, and the
-"ops" policy permits read access to the "ops/" path, then the user gets the
-union of those. Policy is matched using the most specific defined policy, which
-may be an exact match or the longest-prefix match glob pattern.
-
-Certain operations are only permitted by "root" users, which is a distinguished
-policy built into Vault. This is similar to the concept of a root user on a
-Unix system or an Administrator on Windows. Although clients could be provided
-with root tokens or associated with the root policy, instead Vault supports the
-notion of "sudo" privilege.  As part of a policy, users may be granted "sudo"
-privileges to certain paths, so that they can still perform security sensitive
-operations without being granted global root access to Vault.
-
-Lastly, Vault supports using a [Two-man
-rule](https://en.wikipedia.org/wiki/Two-man_rule) for unsealing using [Shamir's
-Secret Sharing
-technique](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing).  When Vault
-is started, it starts in a _sealed_ state. This means that the encryption key
-needed to read and write from the storage backend is not yet known. The process
-of unsealing requires providing the master key so that the encryption key can
-be retrieved. The risk of distributing the master key is that a single
-malicious actor with access to it can decrypt the entire Vault. Instead,
-Shamir's technique allows us to split the master key into multiple shares or
-parts.  The number of shares and the threshold needed is configurable, but by
-default Vault generates 5 shares, any 3 of which must be provided to
-reconstruct the master key.
-
-By using a secret sharing technique, we avoid the need to place absolute trust
-in the holder of the master key, and avoid storing the master key at all. The
-master key is only retrievable by reconstructing the shares. The shares are not
-useful for making any requests to Vault, and can only be used for unsealing.
-Once unsealed the standard ACL mechanisms are used for all requests.
-
-To make an analogy, a bank puts security deposit boxes inside of a vault.  Each
-security deposit box has a key, while the vault door has both a combination and
-a key.  The vault is encased in steel and concrete so that the door is the only
-practical entrance.  The analogy to Vault, is that the cryptosystem is the
-steel and concrete protecting the data.  While you could tunnel through the
-concrete or brute force the encryption keys, it would be prohibitively time
-consuming. Opening the bank vault requires two-factors: the key and the
-combination.  Similarly, Vault requires multiple shares be provided to
-reconstruct the master key.  Once unsealed, each security deposit boxes still
-requires the owner provide a key, and similarly the Vault ACL system protects
-all the secrets stored.
diff --git a/website/source/docs/internals/telemetry.html.md b/website/source/docs/internals/telemetry.html.md
deleted file mode 100644
index 5058f93c7f3e..000000000000
--- a/website/source/docs/internals/telemetry.html.md
+++ /dev/null
@@ -1,347 +0,0 @@
----
-layout: "docs"
-page_title: "Telemetry"
-sidebar_title: "Telemetry"
-sidebar_current: "docs-internals-telemetry"
-description: |-
-  Learn about the telemetry data available in Vault.
----
-
-# Telemetry
-
-The Vault server process collects various runtime metrics about the performance of different libraries and subsystems. These metrics are aggregated on a ten second interval and are retained for one minute.
-
-To view the raw data, you must send a signal to the Vault process: on Unix-style operating systems, this is `USR1` while on Windows it is `BREAK`. When the Vault process receives this signal it will dump the current telemetry information to the process's `stderr`.
-
-This telemetry information can be used for debugging or otherwise getting a better view of what Vault is doing.
-
-Telemetry information can also be streamed directly from Vault to a range of metrics aggregation solutions as described in the [telemetry Stanza documentation][telemetry-stanza].
-
-The following is an example telemetry dump snippet:
-
-```text
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.expire.num_leases': 5100.000
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.num_goroutines': 39.000
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.sys_bytes': 222746880.000
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.malloc_count': 109189192.000
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.free_count': 108408240.000
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.heap_objects': 780953.000
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.total_gc_runs': 232.000
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.alloc_bytes': 72954392.000
-[2017-12-19 20:37:50 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.total_gc_pause_ns': 150293024.000
-[2017-12-19 20:37:50 +0000 UTC][S] 'vault.merkle.flushDirty': Count: 100 Min: 0.008 Mean: 0.027 Max: 0.183 Stddev: 0.024 Sum: 2.681 LastUpdated: 2017-12-19 20:37:59.848733035 +0000 UTC m=+10463.692105920
-[2017-12-19 20:37:50 +0000 UTC][S] 'vault.merkle.saveCheckpoint': Count: 4 Min: 0.021 Mean: 0.054 Max: 0.110 Stddev: 0.039 Sum: 0.217 LastUpdated: 2017-12-19 20:37:57.048458148 +0000 UTC m=+10460.891835029
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.alloc_bytes': 73326136.000
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.sys_bytes': 222746880.000
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.malloc_count': 109195904.000
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.free_count': 108409568.000
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.heap_objects': 786342.000
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.total_gc_pause_ns': 150293024.000
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.expire.num_leases': 5100.000
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.num_goroutines': 39.000
-[2017-12-19 20:38:00 +0000 UTC][G] 'vault.7f320e57f9fe.runtime.total_gc_runs': 232.000
-[2017-12-19 20:38:00 +0000 UTC][S] 'vault.route.rollback.consul-': Count: 1 Sum: 0.013 LastUpdated: 2017-12-19 20:38:01.968471579 +0000 UTC m=+10465.811842067
-[2017-12-19 20:38:00 +0000 UTC][S] 'vault.rollback.attempt.consul-': Count: 1 Sum: 0.073 LastUpdated: 2017-12-19 20:38:01.968502743 +0000 UTC m=+10465.811873131
-[2017-12-19 20:38:00 +0000 UTC][S] 'vault.rollback.attempt.pki-': Count: 1 Sum: 0.070 LastUpdated: 2017-12-19 20:38:01.96867005 +0000 UTC m=+10465.812041936
-[2017-12-19 20:38:00 +0000 UTC][S] 'vault.route.rollback.auth-app-id-': Count: 1 Sum: 0.012 LastUpdated: 2017-12-19 20:38:01.969146401 +0000 UTC m=+10465.812516689
-[2017-12-19 20:38:00 +0000 UTC][S] 'vault.rollback.attempt.identity-': Count: 1 Sum: 0.063 LastUpdated: 2017-12-19 20:38:01.968029888 +0000 UTC m=+10465.811400276
-[2017-12-19 20:38:00 +0000 UTC][S] 'vault.rollback.attempt.database-': Count: 1 Sum: 0.066 LastUpdated: 2017-12-19 20:38:01.969394215 +0000 UTC m=+10465.812764603
-[2017-12-19 20:38:00 +0000 UTC][S] 'vault.barrier.get': Count: 16 Min: 0.010 Mean: 0.015 Max: 0.031 Stddev: 0.005 Sum: 0.237 LastUpdated: 2017-12-19 20:38:01.983268118 +0000 UTC m=+10465.826637008
-[2017-12-19 20:38:00 +0000 UTC][S] 'vault.merkle.flushDirty': Count: 100 Min: 0.006 Mean: 0.024 Max: 0.098 Stddev: 0.019 Sum: 2.386 LastUpdated: 2017-12-19 20:38:09.848158309 +0000 UTC m=+10473.691527099
-```
-
-You'll note that log entries are prefixed with the metric type as follows:
-
-- **[C]** is a counter
-- **[G]** is a gauge
-- **[S]** is a summary
-
-
-The following sections describe available Vault metrics. The metrics interval can be assumed to be 10 seconds when manually triggering metrics output using the above described signals.
-
-## Audit Metrics
-
-These metrics relate to auditing.
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `vault.audit.log_request`| Duration of time taken by all audit log requests across all audit log devices | ms | summary |
-| `vault.audit.log_response`| Duration of time taken by audit log responses across all audit log devices | ms | summary |
-| `vault.audit.log_request_failure` | Number of audit log request failures.  **NOTE**: This is a particularly important metric. Any non-zero value here indicates that there was a failure to make an audit log request to any of the configured audit log devices; **when Vault cannot log to any of the configured audit log devices it ceases all user operations**, and you should begin troubleshooting the audit log devices immediately if this metric continually increases. | failures | counter |
-| `vault.audit.log_response_failure` | Number of audit log response failures. **NOTE**: This is a particularly important metric. Any non-zero value here indicates that there was a failure to receive a response to a request made to one of the configured audit log devices; **when Vault cannot log to any of the configured audit log devices it ceases all user operations**, and you should begin troubleshooting the audit log devices immediately if this metric continually increases. | failures | counter |
-
-**NOTE:** In addition, there are audit metrics for each enabled audit device represented as `vault.audit.<type>.log_request`.  For example, if a file audit device is enabled, its metrics would be `vault.audit.file.log_request` and `vault.audit.file.log_response` .
-
-## Core Metrics
-
-These metrics represent operational aspects of the running Vault instance.
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `vault.barrier.delete` | Duration of time taken by DELETE operations at the barrier | ms | summary |
-| `vault.barrier.get` | Duration of time taken by GET operations at the barrier | ms | summary |
-| `vault.barrier.put` | Duration of time taken by PUT operations at the barrier | ms | summary |
-| `vault.barrier.list` | Duration of time taken by LIST operations at the barrier | ms | summary |
-| `vault.core.check_token` | Duration of time taken by token checks handled by Vault core | ms | summary |
-| `vault.core.fetch_acl_and_token` | Duration of time taken by ACL and corresponding token entry fetches handled by Vault core | ms | summary |
-| `vault.core.handle_request` | Duration of time taken by requests handled by Vault core | ms | summary |
-| `vault.core.handle_login_request` | Duration of time taken by login requests handled by Vault core | ms | summary |
-| `vault.core.leadership_setup_failed` | Duration of time taken by cluster leadership setup failures which have occurred in a highly available Vault cluster. This should be monitored and alerted on for overall cluster leadership status. | ms | summary |
-| `vault.core.leadership_lost` | Duration of time taken by cluster leadership losses which have occurred in a highly available Vault cluster.  This should be monitored and alerted on for overall cluster leadership status. | ms | summary |
-| `vault.core.post_unseal` | Duration of time taken by post-unseal operations handled by Vault core | ms | gauge |
-| `vault.core.pre_seal` | Duration of time taken by pre-seal operations | ms | gauge |
-| `vault.core.seal-with-request` | Duration of time taken by requested seal operations | ms | gauge |
-| `vault.core.seal` | Duration of time taken by seal operations | ms | gauge |
-| `vault.core.seal-internal` | Duration of time taken by internal seal operations | ms | gauge |
-| `vault.core.step_down` | Duration of time taken by cluster leadership step downs.  This should be monitored and alerted on for overall cluster leadership status. | ms | summary |
-| `vault.core.unseal` | Duration of time taken by unseal operations | ms | summary |
-
-## Runtime Metrics
-
-These metrics represent runtime aspects of the running Vault instance.
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `vault.runtime.alloc_bytes` | Number of bytes allocated by the Vault process.  This could burst from time to time, but should return to a steady state value. | bytes | gauge |
-| `vault.runtime.free_count` | Number of freed objects | objects | gauge |
-| `vault.runtime.heap_objects` | Number of objects on the heap.  This is a good general memory pressure indicator worth establishing a baseline and thresholds for alerting. | objects | gauge |
-| `vault.runtime.malloc_count` | Cumulative count of allocated heap objects | objects | gauge |
-| `vault.runtime.num_goroutines` | Number of goroutines.  This serves as a general system load indicator worth establishing a baseline and thresholds for alerting. | goroutines | gauge |
-| `vault.runtime.sys_bytes` | Number of bytes allocated to Vault.  This includes what is being used by Vault's heap and what has been reclaimed but not given back to the operating system. | bytes | gauge |
-| `vault.runtime.total_gc_pause_ns` | The total garbage collector pause time since Vault was last started | ms | summary |
-| `vault.runtime.total_gc_runs` | Total number of garbage collection runs since Vault was last started | operations | gauge |
-
-## Policy and Token Metrics
-
-These metrics relate to policies and tokens.
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `vault.expire.fetch-lease-times` | Time taken to fetch lease times | ms | summary |
-| `vault.expire.fetch-lease-times-by-token` | Time taken to fetch lease times by token | ms | summary |
-| `vault.expire.num_leases` | Number of all leases which are eligible for eventual expiry | leases | gauge |
-| `vault.expire.revoke` | Time taken to revoke a token | ms | summary |
-| `vault.expire.revoke-force` | Time taken to forcibly revoke a token | ms | summary |
-| `vault.expire.revoke-prefix` | Time taken to revoke tokens on a prefix | ms | summary |
-| `vault.expire.revoke-by-token` | Time taken to revoke all secrets issued with a given token | ms | summary |
-| `vault.expire.renew` | Time taken to renew a lease | ms | summary |
-| `vault.expire.renew-token` | Time taken to renew a token which does not need to invoke a logical backend | ms | summary |
-| `vault.expire.register` | Time taken for register operations | ms | summary |
-
-These operations take a request and response with an associated lease and register a lease entry with lease ID
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `vault.expire.register-auth` | Time taken for register authentication operations which create lease entries without lease ID | ms | summary |
-| `vault.policy.get_policy` | Time taken to get a policy | ms | summary |
-| `vault.policy.list_policies` | Time taken to list policies | ms | summary |
-| `vault.policy.delete_policy` | Time taken to delete a policy | ms | summary |
-| `vault.policy.set_policy` | Time taken to set a policy | ms | summary |
-| `vault.token.create` | The time taken to create a token | ms | summary |
-| `vault.token.createAccessor` | The time taken to create a token accessor | ms | summary |
-| `vault.token.lookup` | The time taken to look up a token | ms | summary |
-| `vault.token.revoke` | Time taken to revoke a token | ms | summary |
-| `vault.token.revoke-tree` | Time taken to revoke a token tree | ms | summary |
-| `vault.token.store` | Time taken to store an updated token entry without writing to the secondary index | ms | summary |
-
-## Auth Methods Metrics
-
-These metrics relate to supported authentication methods.
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `vault.rollback.attempt.auth-token` | Time taken to perform a rollback operation for the [token auth method][token-auth-backend] | ms | summary |
-| `vault.rollback.attempt.auth-ldap` | Time taken to perform a rollback operation for the [LDAP auth method][ldap-auth-backend] | ms | summary |
-| `vault.rollback.attempt.cubbyhole` | Time taken to perform a rollback operation for the [Cubbyhole secret backend][cubbyhole-secrets-engine] | ms | summary |
-| `vault.rollback.attempt.secret` | Time taken to perform a rollback operation for the [K/V secret backend][kv-secrets-engine] | ms | summary |
-| `vault.rollback.attempt.sys` | Time taken to perform a rollback operation for the system backend | ms | summary |
-| `vault.route.rollback.auth-ldap` | Time taken to perform a route rollback operation for the [LDAP auth method][ldap-auth-backend] | ms | summary |
-| `vault.route.rollback.auth-token` | Time taken to perform a route rollback operation for the [token auth method][token-auth-backend] | ms | summary |
-| `vault.route.rollback.cubbyhole` | Time taken to perform a route rollback operation for the [Cubbyhole secret backend][cubbyhole-secrets-engine] | ms | summary |
-| `vault.route.rollback.secret` | Time taken to perform a route rollback operation for the [K/V secret backend][kv-secrets-engine] | ms | summary |
-| `vault.route.rollback.sys` | Time taken to perform a route rollback operation for the system backend | ms | summary |
-
-## Merkle Tree and Write Ahead Log Metrics
-
-These metrics relate to internal operations on Merkle Trees and Write Ahead Logs (WAL)
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `vault.merkle_flushdirty` | Time taken to flush any dirty pages to cold storage | ms | summary |
-| `vault.merkle_savecheckpoint` | Time taken to save the checkpoint | ms | summary |
-| `vault.wal_deletewals` | Time taken to delete a Write Ahead Log (WAL) | ms | summary |
-| `vault.wal_gc_deleted` | Number of Write Ahead Logs (WAL) deleted during each garbage collection run | WAL | counter |
-| `vault.wal_gc_total` | Total Number of Write Ahead Logs (WAL) on disk | WAL | counter |
-| `vault.wal_loadWAL` | Time taken to load a Write Ahead Log (WAL) | ms | summary |
-| `vault.wal_persistwals` | Time taken to persist a Write Ahead Log (WAL) | ms | summary |
-| `vault.wal_flushready` | Time taken to flush a ready Write Ahead Log (WAL) to storage | ms | summary |
-
-## Replication Metrics
-
-These metrics relate to [Vault Enterprise Replication](https://www.vaultproject.io/docs/enterprise/replication/index.html). The following metrics are not available in telemetry unless replication is in an unhealthy state: `replication.fetchRemoteKeys`, `replication.merkleDiff`, and `replication.merkleSync`.
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `logshipper.streamWALs.missing_guard` | Number of incidences where the starting Merkle Tree index used to begin streaming WAL entries is not matched/found | missing guards | counter |
-| `logshipper.streamWALs.guard_found` | Number of incidences where the starting Merkle Tree index used to begin streaming WAL entries is matched/found | found guards | counter |
-| `replication.fetchRemoteKeys` | Time taken to fetch keys from a remote cluster participating in replication prior to Merkle Tree based delta generation | ms | summary |
-| `replication.merkleDiff` | Time taken to perform a Merkle Tree based delta generation between the clusters participating in replication | ms | summary |
-| `replication.merkleSync` | Time taken to perform a Merkle Tree based synchronization using the last delta generated between the clusters participating in replication | ms | summary |
-| `replication.merkle.commit_index` | The last committed index in the Merkle Tree. | sequence number | gauge |
-| `replication.wal.last_wal` | The index of the last WAL | sequence number | gauge |
-| `replication.wal.last_dr_wal` | The index of the last DR WAL | sequence number | gauge |
-| `replication.wal.last_performance_wal` | The index of the last Performance WAL | sequence number | gauge |
-| `replication.fsm.last_remote_wal` | The index of the last remote WAL | sequence number | gauge |
-| `replication.rpc.server.auth_request` | Duration of time taken by auth request | ms | summary |
-| `replication.rpc.server.bootstrap_request` | Duration of time taken by bootstrap request | ms | summary |
-| `replication.rpc.server.conflicting_pages_request` | Duration of time taken by conflicting pages request | ms | summary |
-| `replication.rpc.server.echo` | Duration of time taken by echo | ms | summary |
-| `replication.rpc.server.forwarding_request` | Duration of time taken by forwarding request | ms | summary |
-| `replication.rpc.server.guard_hash_request` | Duration of time taken by guard hash request | ms | summary |
-| `replication.rpc.server.persist_alias_request` | Duration of time taken by persist alias request | ms | summary |
-| `replication.rpc.server.persist_persona_request` | Duration of time taken by persist persona request | ms | summary |
-| `replication.rpc.server.stream_wals_request` | Duration of time taken by stream wals request | ms | summary |
-| `replication.rpc.server.sub_page_hashes_request` | Duration of time taken by sub page hashes request | ms | summary |
-| `replication.rpc.server.sync_counter_request` | Duration of time taken by sync counter request | ms | summary |
-| `replication.rpc.server.upsert_group_request` | Duration of time taken by upsert group request | ms | summary |
-| `replication.rpc.client.conflicting_pages` | Duration of time taken by client conflicting pages request | ms | summary |
-| `replication.rpc.client.fetch_keys` | Duration of time taken by client fetch keys request | ms | summary |
-| `replication.rpc.client.forward` | Duration of time taken by client forward request | ms | summary |
-| `replication.rpc.client.guard_hash` | Duration of time taken by client guard hash request | ms | summary |
-| `replication.rpc.client.persist_alias` | Duration of time taken by | ms | summary |
-| `replication.rpc.client.register_auth` | Duration of time taken by client register auth request | ms | summary |
-| `replication.rpc.client.register_lease` | Duration of time taken by client register lease request | ms | summary |
-| `replication.rpc.client.stream_wals` | Duration of time taken by client s | ms | summary |
-| `replication.rpc.client.sub_page_hashes` | Duration of time taken by client sub page hashes request | ms | summary |
-| `replication.rpc.client.sync_counter` | Duration of time taken by client sync counter request | ms | summary |
-| `replication.rpc.client.upsert_group` | Duration of time taken by client upstert group request | ms | summary |
-| `replication.rpc.client.wrap_in_cubbyhole` | Duration of time taken by client wrap in cubbyhole request | ms | summary |
-| `replication.rpc.dr.server.echo` | Duration of time taken by DR echo request | ms | summary |
-| `replication.rpc.dr.server.fetch_keys_request` | Duration of time taken by DR fetch keys request | ms | summary |
-| `replication.rpc.standby.server.echo` | Duration of time taken by standby echo request | ms | summary |
-| `replication.rpc.standby.server.register_auth_request` | Duration of time taken by standby register auth request | ms | summary |
-| `replication.rpc.standby.server.register_lease_request` | Duration of time taken by standby register lease request | ms | summary |
-| `replication.rpc.standby.server.wrap_token_request` | Duration of time taken by standby wrap token request | ms | summary |
-
-## Secrets Engines Metrics
-
-These metrics relate to the supported [secrets engines][secrets-engines].
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `database.Initialize` | Time taken to initialize a database secret engine across all database secrets engines | ms | summary |
-| `database.&lt;name&gt;.Initialize` | Time taken to initialize a database secret engine for the named database secrets engine `<name>`, for example: `database.postgresql-prod.Initialize` | ms | summary |
-| `database.Initialize.error` | Number of database secrets engine initialization operation errors across all database secrets engines | errors | counter |
-| `database.&lt;name&gt;.Initialize.error` | Number of database secrets engine initialization operation errors for the named database secrets engine `<name>`, for example: `database.postgresql-prod.Initialize.error` | errors | counter |
-| `database.Close` | Time taken to close a database secret engine across all database secrets engines | ms | summary |
-| `database.&lt;name&gt;.Close` | Time taken to close a database secret engine for the named database secrets engine `<name>`, for example: `database.postgresql-prod.Close` | ms | summary |
-| `database.Close.error` | Number of database secrets engine close operation errors across all database secrets engines | errors | counter |
-| `database.&lt;name&gt;.Close.error` | Number of database secrets engine close operation errors for the named database secrets engine `<name>`, for example: `database.postgresql-prod.Close.error` | errors | counter |
-| `database.CreateUser` | Time taken to create a user across all database secrets engines | ms | summary |
-| `database.&lt;name&gt;.CreateUser` | Time taken to create a user for the named database secrets engine `<name>` | ms | summary |
-| `database.CreateUser.error` | Number of user creation operation errors across all database secrets engines | errors | counter |
-| `database.&lt;name&gt;.CreateUser.error` | Number of user creation operation errors for the named database secrets engine `<name>`, for example: `database.postgresql-prod.CreateUser.error` | errors | counter |
-| `database.RenewUser` | Time taken to renew a user across all database secrets engines | ms | summary |
-| `database.&lt;name&gt;.RenewUser` | Time taken to renew a user for the named database secrets engine `<name>`, for example: `database.postgresql-prod.RenewUser` | ms | summary |
-| `database.RenewUser.error` | Number of user renewal operation errors across all database secrets engines | errors | counter |
-| `database.&lt;name&gt;.RenewUser.error` | Number of user renewal operations for the named database secrets engine `<name>`, for example: `database.postgresql-prod.RenewUser.error` | errors | counter |
-| `database.RevokeUser` | Time taken to revoke a user across all database secrets engines | ms | summary |
-| `database.&lt;name&gt;.RevokeUser` | Time taken to revoke a user for the named database secrets engine `<name>`, for example: `database.postgresql-prod.RevokeUser` | ms | summary |
-| `database.RevokeUser.error` | Number of user revocation operation errors across all database secrets engines | errors | counter |
-| `database.&lt;name&gt;.RevokeUser.error` | Number of user revocation operations for the named database secrets engine `<name>`, for example: `database.postgresql-prod.RevokeUser.error` | errors | counter |
-
-## Storage Backend Metrics
-
-These metrics relate to the supported [storage backends][storage-backends].
-
-| Metric | Description | Unit | Type |
-| :----- | :---------- | :--- | :--- |
-| `vault.azure.put` | Duration of a PUT operation against the [Azure storage backend][azure-storage-backend] | ms | summary |
-| `vault.azure.get` | Duration of a GET operation against the [Azure storage backend][azure-storage-backend] | ms | summary |
-| `vault.azure.delete` | Duration of a DELETE operation against the [Azure storage backend][azure-storage-backend] | ms | summary |
-| `vault.azure.list` | Duration of a LIST operation against the [Azure storage backend][azure-storage-backend] | ms | summary |
-| `vault.cassandra.put` | Duration of a PUT operation against the [Cassandra storage backend][cassandra-storage-backend] | ms | summary |
-| `vault.cassandra.get` | Duration of a GET operation against the [Cassandra storage backend][cassandra-storage-backend] | ms | summary |
-| `vault.cassandra.delete` | Duration of a DELETE operation against the [Cassandra storage backend][cassandra-storage-backend] | ms | summary |
-| `vault.cassandra.list` | Duration of a LIST operation against the [Cassandra storage backend][cassandra-storage-backend] | ms | summary |
-| `vault.cockroachdb.put` | Duration of a PUT operation against the [CockroachDB storage backend][cockroachdb-storage-backend] | ms | summary |
-| `vault.cockroachdb.get` | Duration of a GET operation against the [CockroachDB storage backend][cockroachdb-storage-backend] | ms | summary |
-| `vault.cockroachdb.delete` | Duration of a DELETE operation against the [CockroachDB storage backend][cockroachdb-storage-backend] | ms | summary |
-| `vault.cockroachdb.list` | Duration of a LIST operation against the [CockroachDB storage backend][cockroachdb-storage-backend] | ms | summary |
-| `vault.consul.put` | Duration of a PUT operation against the [Consul storage backend][consul-storage-backend] | ms | summary |
-| `vault.consul.get` | Duration of a GET operation against the [Consul storage backend][consul-storage-backend] | ms | summary |
-| `vault.consul.delete` | Duration of a DELETE operation against the [Consul storage backend][consul-storage-backend] | ms | summary |
-| `vault.consul.list` | Duration of a LIST operation against the [Consul storage backend][consul-storage-backend] | ms | summary |
-| `vault.couchdb.put` | Duration of a PUT operation against the [CouchDB storage backend][couchdb-storage-backend] | ms | summary |
-| `vault.couchdb.get` | Duration of a GET operation against the [CouchDB storage backend][couchdb-storage-backend] | ms | summary |
-| `vault.couchdb.delete` | Duration of a DELETE operation against the [CouchDB storage backend][couchdb-storage-backend] | ms | summary |
-| `vault.couchdb.list` | Duration of a LIST operation against the [CouchDB storage backend][couchdb-storage-backend] | ms | summary |
-| `vault.dynamodb.put` | Duration of a PUT operation against the [DynamoDB storage backend][dynamodb-storage-backend] | ms | summary |
-| `vault.dynamodb.get` | Duration of a GET operation against the [DynamoDB storage backend][dynamodb-storage-backend] | ms | summary |
-| `vault.dynamodb.delete` | Duration of a DELETE operation against the [DynamoDB storage backend][dynamodb-storage-backend] | ms | summary |
-| `vault.dynamodb.list` | Duration of a LIST operation against the [DynamoDB storage backend][dynamodb-storage-backend] | ms | summary |
-| `vault.etcd.put` | Duration of a PUT operation against the [etcd storage backend][etcd-storage-backend] | ms | summary |
-| `vault.etcd.get` | Duration of a GET operation against the [etcd storage backend][etcd-storage-backend] | ms | summary |
-| `vault.etcd.delete` | Duration of a DELETE operation against the [etcd storage backend][etcd-storage-backend] | ms | summary |
-| `vault.etcd.list` | Duration of a LIST operation against the [etcd storage backend][etcd-storage-backend] | ms | summary |
-| `vault.gcs.put` | Duration of a PUT operation against the [Google Cloud Storage storage backend][gcs-storage-backend] | ms | summary |
-| `vault.gcs.get` | Duration of a GET operation against the [Google Cloud Storage storage backend][gcs-storage-backend] | ms | summary |
-| `vault.gcs.delete` | Duration of a DELETE operation against the [Google Cloud Storage storage backend][gcs-storage-backend] | ms | summary |
-| `vault.gcs.list` | Duration of a LIST operation against the [Google Cloud Storage storage backend][gcs-storage-backend] | ms | summary |
-| `vault.gcs.lock.unlock` | Duration of an UNLOCK operation against the [Google Cloud Storage storage backend][gcs-storage-backend] in HA mode | ms | summary |
-| `vault.gcs.lock.lock` | Duration of a LOCK operation against the [Google Cloud Storage storage backend][gcs-storage-backend] in HA mode | ms | summary |
-| `vault.gcs.lock.value` | Duration of a VALUE operation against the [Google Cloud Storage storage backend][gcs-storage-backend] in HA mode | ms | summary |
-| `vault.mssql.put` | Duration of a PUT operation against the [MS-SQL storage backend][mssql-storage-backend] | ms | summary |
-| `vault.mssql.get` | Duration of a GET operation against the [MS-SQL storage backend][mssql-storage-backend] | ms | summary |
-| `vault.mssql.delete` | Duration of a DELETE operation against the [MS-SQL storage backend][mssql-storage-backend] | ms | summary |
-| `vault.mssql.list` | Duration of a LIST operation against the [MS-SQL storage backend][mssql-storage-backend] | ms | summary |
-| `vault.mysql.put` | Duration of a PUT operation against the [MySQL storage backend][mysql-storage-backend] | ms | summary |
-| `vault.mysql.get` | Duration of a GET operation against the [MySQL storage backend][mysql-storage-backend] | ms | summary |
-| `vault.mysql.delete` | Duration of a DELETE operation against the [MySQL storage backend][mysql-storage-backend] | ms | summary |
-| `vault.mysql.list` | Duration of a LIST operation against the [MySQL storage backend][mysql-storage-backend] | ms | summary |
-| `vault.postgres.put` | Duration of a PUT operation against the [PostgreSQL storage backend][postgresql-storage-backend] | ms | summary |
-| `vault.postgres.get` | Duration of a GET operation against the [PostgreSQL storage backend][postgresql-storage-backend] | ms | summary |
-| `vault.postgres.delete` | Duration of a DELETE operation against the [PostgreSQL storage backend][postgresql-storage-backend] | ms | summary |
-| `vault.postgres.list` | Duration of a LIST operation against the [PostgreSQL storage backend][postgresql-storage-backend] | ms | summary |
-| `vault.s3.put` | Duration of a PUT operation against the [Amazon S3 storage backend][s3-storage-backend] | ms | summary |
-| `vault.s3.get` | Duration of a GET operation against the [Amazon S3 storage backend][s3-storage-backend] | ms | summary |
-| `vault.s3.delete` | Duration of a DELETE operation against the [Amazon S3 storage backend][s3-storage-backend] | ms | summary |
-| `vault.s3.list` | Duration of a LIST operation against the [Amazon S3 storage backend][s3-storage-backend] | ms | summary |
-| `vault.spanner.put` | Duration of a PUT operation against the [Google Cloud Spanner storage backend][spanner-storage-backend] | ms | summary |
-| `vault.spanner.get` | Duration of a GET operation against the [Google Cloud Spanner storage backend][spanner-storage-backend] | ms | summary |
-| `vault.spanner.delete` | Duration of a DELETE operation against the [Google Cloud Spanner storage backend][spanner-storage-backend] | ms | summary |
-| `vault.spanner.list` | Duration of a LIST operation against the [Google Cloud Spanner storage backend][spanner-storage-backend] | ms | summary |
-| `vault.spanner.lock.unlock` | Duration of an UNLOCK operation against the [Google Cloud Spanner storage backend][spanner-storage-backend] in HA mode | ms | summary |
-| `vault.spanner.lock.lock` | Duration of a LOCK operation against the [Google Cloud Spanner storage backend][spanner-storage-backend] in HA mode | ms | summary |
-| `vault.spanner.lock.value` | Duration of a VALUE operation against the [Google Cloud Spanner storage backend][gcs-storage-backend] in HA mode | ms | summary |
-| `vault.swift.put` | Duration of a PUT operation against the [Swift storage backend][swift-storage-backend] | ms | summary |
-| `vault.swift.get` | Duration of a GET operation against the [Swift storage backend][swift-storage-backend] | ms | summary |
-| `vault.swift.delete` | Duration of a DELETE operation against the [Swift storage backend][swift-storage-backend] | ms | summary |
-| `vault.swift.list` | Duration of a LIST operation against the [Swift storage backend][swift-storage-backend] | ms | summary |
-| `vault.zookeeper.put` | Duration of a PUT operation against the [ZooKeeper storage backend][zookeeper-storage-backend] | ms | summary |
-| `vault.zookeeper.get` | Duration of a GET operation against the [ZooKeeper storage backend][zookeeper-storage-backend] | ms | summary |
-| `vault.zookeeper.delete` | Duration of a DELETE operation against the [ZooKeeper storage backend][zookeeper-storage-backend] | ms | summary |
-| `vault.zookeeper.list` | Duration of a LIST operation against the [ZooKeeper storage backend][zookeeper-storage-backend] | ms | summary |
-
-[secrets-engines]: /docs/secrets/index.html
-[storage-backends]: /docs/configuration/storage/index.html
-[telemetry-stanza]: /docs/configuration/telemetry.html
-[cubbyhole-secrets-engine]: /docs/secrets/cubbyhole/index.html
-[kv-secrets-engine]: /docs/secrets/kv/index.html
-[ldap-auth-backend]: /docs/auth/ldap.html
-[token-auth-backend]: /docs/auth/token.html
-[azure-storage-backend]: /docs/configuration/storage/azure.html
-[cassandra-storage-backend]: /docs/configuration/storage/cassandra.html
-[cockroachdb-storage-backend]: /docs/configuration/storage/cockroachdb.html
-[consul-storage-backend]: /docs/configuration/storage/consul.html
-[couchdb-storage-backend]: /docs/configuration/storage/couchdb.html
-[dynamodb-storage-backend]: /docs/configuration/storage/dynamodb.html
-[etcd-storage-backend]: /docs/configuration/storage/etcd.html
-[gcs-storage-backend]: /docs/configuration/storage/google-cloud-storage.html
-[spanner-storage-backend]: /docs/configuration/storage/google-cloud-spanner.html
-[mssql-storage-backend]: /docs/configuration/storage/mssql.html
-[mysql-storage-backend]: /docs/configuration/storage/mysql.html
-[postgresql-storage-backend]: /docs/configuration/storage/postgresql.html
-[s3-storage-backend]: /docs/configuration/storage/s3.html
-[swift-storage-backend]: /docs/configuration/storage/swift.html
-[zookeeper-storage-backend]: /docs/configuration/storage/zookeeper.html
diff --git a/website/source/docs/internals/token.html.md b/website/source/docs/internals/token.html.md
deleted file mode 100644
index 4bf96492adc2..000000000000
--- a/website/source/docs/internals/token.html.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-layout: "docs"
-page_title: "Token Authentication"
-sidebar_title: "Token Authentication"
-sidebar_current: "docs-internals-token"
-description: |-
-  Learn about the client token authentication in Vault.
----
-
-# Token Authentication
-
-The `token` auth method is built-in and is at the core of
-client authentication. Other auth methods may be used to
-authenticate a client, but they eventually result in the generation of a client
-token managed by the `token` backend.
-
-Every token has a number of properties:
-
-* ID - The primary ID of a token is a randomly generated value
-* Display Name - Optionally, a human readable display name
-* Metadata - Metadata used for audit logging
-* Number of Uses - Optionally, a restricted use count
-* Parent ID - Optionally, a parent token which created this child token
-* Policies - An associated list of ACL policies
-* Source Path - The path at which the token was generated (e.g. `auth/github/login`)
-
-The properties of a token are immutable once created. The exception to this
-is the number of uses, which is decremented on each request. Each of these
-properties enable Vault to do a number of interesting things.
-
-Each token maintains the source path, or the login path, that was used
-to create the token. This is used to allow source based revocation. For example,
-if we believe our GitHub organization was compromised, we may want to revoke
-all tokens generated via `auth/github/login`. This would be done by using the
-`sys/revoke-prefix/` API with the `auth/github/` prefix. Revoking the
-prefix will revoke all client tokens generated at that path, as well as all
-dynamic secrets generated by those tokens. This provides a powerful "break glass"
-procedure during a potential compromise.
-
-If a token is created by another auth method, they do not have
-a parent token. However, any tokens created by the `auth/token/create` API
-have a parent token, namely the token used to make that request. By maintaining
-this parent-child relationship, Vault models token trees. Child tokens can
-be created with a subset of the parent policies, allowing for dropping of
-privileges. When a token is revoked, the entire sub-tree of tokens is revoked
-with it. This allows clients to safely generate child tokens and then revoke
-them all along with the root.
-
-Child tokens are very useful, especially when combined with limited use tokens.
-When a token is created, its use count can be optionally specified. Providing
-a use count of one makes a _one time token_. This means the token can be used
-for a single request before being automatically revoked. This can be generalized
-to any number of uses. Limited use tokens cannot be used to create sub-tokens,
-but they can be a powerful way to allow extremely limited access to Vault.
diff --git a/website/source/docs/partnerships/index.html.md b/website/source/docs/partnerships/index.html.md
deleted file mode 100644
index 4de11e4b22d3..000000000000
--- a/website/source/docs/partnerships/index.html.md
+++ /dev/null
@@ -1,144 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Integration Program"
-sidebar_current: "docs-partnerships"
-description: |-
-  Guide to partnership integrations and creating plugins for Vault.
----
-
-# Vault Integration Program
-
-The HashiCorp Vault Integration Program allows vendors to integrate their products to work with Vault. Vault has a relatively large surface area and thereby a large set of possible integrations some of which require the vendor integration code, like other integrations that result in the solution working tightly with Vault.
- 
-Vendors integrating their solutions via the Vault Integration Process provide their customers a verified and seamless user experience. The Vault Integration Program currently only supports coding with the Go programming language (run time integrations). 
- 
-This program is intended to be largely a self-service process with links and guidance to information sources, clearly defined steps, and checkpoints.
-
-
-## Types of Vault Integrations
-
-From a high-level perspective, Vault is a tool used to manage secrets and protect sensitive data. It helps secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API. For a full description of the current features please refer to the Vault website [Vault Website](/). Vault provides a unified interface to any secret, while providing tight access control and support with detailed recording from integrated audit logs.
- 
-The diagram below depicts the key Vault integration categories and types.
-
-![Integration Categories](/img/integration-program-vaulteco.png)
-
-Main Vault categories for partners to integrate with include:
-
-**Authentication Methods**: Authentication (or Auth) methods are components in Vault that perform authentication and are responsible for assigning identity along with a set of policies to a user. Vault supports multiple auth methods/identity models to better support your business use case. You can find more information about Vault Auth Methods [here](/docs/auth/). 
-
-**Runtime Integrations**: Plugin backends are components in Vault that can be implemented separately from Vault's built-in features. Runtime integrations are sometimes referred to a Direct Application Integration. These backends can be either authentication, secrets engines or other security features. You can find more information about Vault Direct Application Integration [here]("https://learn.hashicorp.com/vault/developer/sm-app-integration").
-
-**Audit/Monitoring & Compliance**: Audit/Monitoring and Compliance are components in Vault that keep a detailed log of all requests and response to Vault. Because every operation with Vault is an API request/response, the audit log contains every authenticated interaction with Vault, including errors. Vault supports multiple audit devices to support your business use case. You can find more information about Vault Audit Devices [here](/docs/audit/).
-
-HSM (Hardware Security Module) integrations provide an added level of security and compliance. The HSM communicates with Vault using the PKCS#11 protocol thereby resulting in the integration to primarily involve verification of the operation of the functionality. You can find more information about Vault HSM [here](/docs/enterprise/hsm/index.html).
-
-**Secrets Engines**: Secrets engine are components which store, generate, or encrypt data. Secrets engines are provided some set of data, that take some action on that data, and then return a result. Some secrets engines store and read data, like encrypted in-memory data structure, other secrets engines connect to other services. Examples of secrets engines include Identity modules of Cloud providers like AWS, Azure IAM models, Cloud (LDAP), database or key management. You can find more information about Vault Secrets Engines here.
-
-
-## Development Process
-
-The Vault integration development process is divided into six steps. By following these steps, Vault integrations can be developed alongside HashiCorp to ensure that the integrations are able to be verified and supported in Vault as quickly as possible. A visual representation of the self-guided steps is depicted below.
-
-![Development Process](/img/integration-program-devprocess.png)
-
-1.  Engage: Initial contact between vendor and HashiCorp
-2.  Enable: Information and articles to aid with the development of the integration
-3.  Develop and Test: Integration development and testing process
-4.  Review: HashiCorp code review and verification of integration (iterative process)
-5.  Release: Verified integration made available and listed on the HashiCorp website once the HashiCorp technology partnership agreement has been executed
-6.  Support: Ongoing maintenance and support of the integration by the vendor.
-
-### 1. Engage
-
-Please begin by providing some basic information about the integration that is being built via a simple [webform]("https://docs.google.com/forms/d/e/1FAIpQLSfQL1uj-mL59bd2EyCPI31LT9uvVT-xKyoHAb5FKIwWwwJ1qQ/viewform").
-
-This information is recorded and used by HashiCorp to track the integration through various stages. The information is also used to notify the integration developer of any overlapping work, perhaps coming from the community so you may better focus resources.
-
-Vault has a large and active community and ecosystem of partners that may have already started working on a similar integration. We'll do our best to connect similar parties to avoid duplicate work.
-
-
-### 2. Enable
-
-While not mandatory, HashiCorp encourages vendors to sign and MNDA (Mutual Non-Disclosure Agreement) to allow for open dialog and sharing of ideas during the integration process.
-
-In an effort to support our self-serve model we’ve included links to resources, documentation, examples and best practices to guide you through the Vault integration development and testing process.
-
-* [Writing vendor extension guide]("https://learn.hashicorp.com/vault#operations-and-development")
-* Sample development implemented by a [partner]("https://www.hashicorp.com/integrations/venafi/vault/")
-* Example vendor extensions for reference: [Aqua]("https://www.hashicorp.com/integrations/aqua-security/vault/"), [Demisto]("https://www.demisto.com/integrations/?_sf_s=hashicorp") 
-* Contributing to Vault [guidelines]("https://github.com/hashicorp/vault/blob/master/CONTRIBUTING.md")
-* [Vault Community Forum]("https://discuss.hashicorp.com/c/vault")
-* [Vault's source code]("https://github.com/hashicorp/vault")
-
-
-We encourage vendors to closely follow the above guidance. Adopting the same structure and coding patterns helps expedite the review and release cycles.
-
-
-### 3. Develop and Test
-
-Vault requires all code-level integrations to be written in the [Go]("https://golang.org/") programming language and contain an [MPL-2.0]("https://en.wikipedia.org/wiki/Mozilla_Public_License") open source license. The only knowledge necessary to write a plugin is basic command-line skills and knowledge of the Go programming language.  When writing in Go-Language, HashiCorp has found the integration development process to be straightforward and simple when vendors pay close attention and follow the resources and by adopting the same structure and coding patterns helps expedite the review and release cycles. Please remember that all integration major steps should contain acceptance testing and the appropriate documentation.
-
-Auth Methods
-
-*  [Auth Methods documentation](/docs/auth/index.html)
-*  [Example of how to build, install, and maintain auth method plugins plugin]("https://www.hashicorp.com/blog/building-a-vault-secure-plugin") 
-*  [Sample plugin code]("https://github.com/hashicorp/vault-auth-plugin-example")
-
-Runtime Integration
-
-*  [Plugins documentation](/docs/internals/plugins.html)
-*  [Guide to building Vault plugin backends]("https://www.vaultproject.io/guides/operations/plugin-backends.html")
-*  [Vault Direct Application Integration]("https://learn.hashicorp.com/vault?track=getting-started#getting-started")
-
-Audit, Monitoring & Compliance Integration
-
-*  [HSM documentation](/docs/enterprise/hsm/index.html)
-*  [Configuration information](/docs/configuration/seal/pkcs11.html)
-*  [Audit devices documentation](/docs/audit/index.html)
-
-Secrets Engine Integration
-
-*  [Secret engine documentation](/docs/secrets/index.html)
-*  There is currently no empty sample secrets plugin; however, the [AliCloud Secrets Plugin]("https://github.com/hashicorp/vault-plugin-secrets-alicloud")  was written recently and is fairly simple
-*  [Storage configuration documentation](/docs/configuration/storage/index.html)
-
-
-### 4. Review
-
-During the review process, HashiCorp will provide feedback on the newly developed integration. This is an important step to allow HashiCorp to review and verify your Vault integration. Please send the integration code and other relevant logs for verification to: vault-integration-dev@hashicorp.com.
-
-For Auth, Secret and Storage plugins please submit a GitHub pull request (PR) against the [Vault project]("https://github.com/hashicorp/vault"). In some cases the vendor may need to provide HashiCorp with a permanent test account so that the integration can be verified on an ongoing basis.
-
-The review process can take a while to complete and may require some iterations through the code to address and problems identified by the HashiCorp team.
-
-### 5. Release
-
-At this stage, it is expected that the integration is fully complete, the necessary documentation has been written, the acceptance tests have all passed, and that HashiCorp has reviewed the integration. Once the plugin has been validated and accepted by HashiCorp, the plugin can be hosted anywhere so it can more easily be downloaded then installed within Vault.
-
-Once the integration has been released the vendor is requested to sign the HashiCorp Technology Partner Agreement so that we can have their integration be listed on the HashiCorp website.
-
-
-### 6. Support
-
-Many vendors view the release step to be the end of the journey, while at HashiCorp we view it to be the beginning of the journey. Getting the integration built is just the first step in enabling users to leverage it against their infrastructure. Once development is completed, on-going effort is required to support the developed integration maintain the provider and address any issues in a timely manner.
-
-The expectation from the vendor/partner is to create a mechanism for them to track and resolve all critical issues as soon as possible within 48 hours and all other issues within 5 business days. This is a requirement given the critical nature of Vault to customer’s operation. Vendors who choose to not support their integration will not be considered a verified integration and cannot be listed on the website.
-
-
-## Checklist
-
-Below is a checklist of steps that should be followed during the Vault integration development process. This reiterates the steps described above.
-
-* Fill out the [Vault Integration webform](https://docs.google.com/forms/d/e/1FAIpQLSfQL1uj-mL59bd2EyCPI31LT9uvVT-xKyoHAb5FKIwWwwJ1qQ/viewform)
-* Develop and test Vault integration along with the acceptance tests and documentation, send to vault-integration-dev@hashicorp.com, to schedule an initial review
-* Address review feedback and finalize the development process
-* Provide HashiCorp with credentials for underlying infrastructure for test purposes
-* Demo the integration and/or send the test logs to HashiCorp to vault-integration-dev@hashicorp.com
-* Execute HashiCorp Partner Agreement Documents, review logo guidelines, partner listing and more
-* Plan to continue supporting the integration with additional functionality and responding to customer issues
-
-
-## Contact Us
-
-For any questions or feedback, please contact us at: [vault-integration-dev@hashicorp.com](mailto:vault-integration-dev@hashicorp.com)
diff --git a/website/source/docs/platform/aws-mp/index.html.md b/website/source/docs/platform/aws-mp/index.html.md
deleted file mode 100644
index 5ff295c5fad7..000000000000
--- a/website/source/docs/platform/aws-mp/index.html.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-layout: "docs"
-page_title: "AWS Marketplace"
-sidebar_current: "docs-platform-aws-mp-index"
-sidebar_title: "AWS Marketplace"
-description: |-
-  This section documents the official AWS Marketplace AMIs for Vault Open Source and Vault Enterprise.
----
-
-# AWS Marketplace 
-
-Vault can be deployed onto Amazon Web Services (AWS) using HashiCorp’s official AWS Marketplace offerings. HashiCorp packages the latest version of both Vault Open Source and Vault Enterprise as Amazon Machine Images (AMIs).
-
-There are two varieties of Vault AMIs available through the AWS Marketplace. Vault Open Source is available as a public listing and can be subscribed to using the standard process for the AWS Marketplace. Vault Enterprise is also available through the AWS Marketplace. To learn more about consuming Vault Enterprise through the AWS Marketplace, please reach out to our sales team at the following address: <aws-marketplace@hashicorp.com>
-
-The AWS Marketplace listings can be found below.
-
-* [HashiCorp Vault OSS](http://aws.amazon.com/marketplace/pp/B07YLYPLYB)
-* [HashiCorp Vault Enterprise](http://aws.amazon.com/marketplace/pp/B07YLXD9TD)
-
-## Use Cases
-
-The Vault AMIs listed in the AWS Marketplace are intended to serve as an easy starting point for a Vault installation. Vault AMIs are built on top of a minimal Ubuntu distribution and contain up to date packages for both Vault and the underlying operating system dependencies.
-
-The Open Source Vault AMI is intended for development and test use cases. This listing will launch a non-HA Vault instance with Vault running and the Vault UI available. For production use cases, please see the [Architecture](/docs/platform/aws-mp/run.html#Architecture) section of this documentation.
diff --git a/website/source/docs/platform/aws-mp/run.html.md b/website/source/docs/platform/aws-mp/run.html.md
deleted file mode 100644
index 52f0d34afcc6..000000000000
--- a/website/source/docs/platform/aws-mp/run.html.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-layout: "docs"
-page_title: "Running Vault"
-sidebar_current: "docs-platform-aws-mp-run"
-sidebar_title: "Running Vault"
-description: |-
-  Vault can be launched from within the AWS Marketplace from the official Vault Marketplace Listings.
----
-
-# Running Vault
-
-## Launching the Vault AMI
-
-When Vault is first launched from an official Marketplace AMI, it will come up in an uninitialized state and must be initialized via the [API](https://www.vaultproject.io/api/system/init.html), [CLI](/docs/commands/operator/init.html), or UI. The Marketplace AMI listens on port 8200 by default. It is recommended to restrict ingress networking to the Vault instance as much as possible when initially deploying Vault (through EC2 security groups or otherwise) because anyone with network access to Vault will be able to initialize it. To learn more about the default listener configuration, or to make changes, please see the [Vault Deployment Guide](https://learn.hashicorp.com/vault/operations/ops-deployment-guide#listener-stanza).
-
-Additionally on first launch, a new self-signed [certificate](/docs/configuration/listener/tcp.html#tls_cert_file) and [key](/docs/configuration/listener/tcp.html#tls_key_file) (unique to the EC2 instance) will be generated to secure Vault traffic using TLS. This is provided as a “more secure” (vs. unencrypted TCP traffic) temporary solution, but it is strongly recommended to replace these with your own certificate and key. Please note that when using a self-signed certificate, Vault clients will need to [skip](/docs/commands/#vault_skip_verify) the verification of Vault’s certificate, which voids Vault’s [security model](/docs/internals/security.html).
-
-In order to begin using a newly launched Vault instance or cluster, it must be [unsealed](/docs/concepts/seal.html) first. HashiCorp generally recommends using the [AWS KMS Seal](/docs/configuration/seal/awskms.html) when running Vault on AWS.
-
-## Viewing the Vault UI
-The Vault UI is enabled by default. You can view the UI by navigating to `https://VAULT_INSTANCE_PUBLIC_IP:8200/` in a web browser. Please note that your web browser will likely show a security warning that the default self-signed TLS certificate `(Organization: HashiCorp, Common Name: Vault)` is not trusted, and that this can be ignored at your own risk until Vault’s certificate and key are replaced with your own valid ones.
-
-## Upgrading Vault
-New Vault AMIs are added to the AWS Marketplace listing regularly and contain the latest versions of Vault and updated operating system packages. However, new AMIs are not built and tested to support in-place upgrades of your existing Vault installation.
-
-To upgrade a Vault instance launched from an official AWS Marketplace AMI, please follow the normal upgrade instructions for a [non-HA installation](https://www.vaultproject.io/docs/upgrading/index.html#non-ha-installations).
-
-# Architecture
-HashiCorp’s AWS Marketplace offerings provide an easy way to deploy Vault in a single-instance configuration using the [Filesystem storage backend](/docs/configuration/storage/filesystem.html), but for production use, we recommend running Vault on AWS with the same [general architecture](/docs/internals/architecture.html) as running it anywhere else. While the Filesystem storage backend is officially supported by HashiCorp, it does not support High Availability. Because Vault data is stored on disk in this configuration, it is subject to the durability and availability of Amazon Elastic Block Store (EBS) and should be backed up accordingly.
-
-For additional guidance on best practices for running Vault in production, please refer to the [production hardening guide](https://learn.hashicorp.com/vault/day-one/production-hardening).
-
-# Getting Support
-
-## Open Source
-For the Open Source Vault AMI, support can be obtained through the community channels: <https://www.vaultproject.io/community>
-
-See the Vault Project on Github.com: <https://github.com/hashicorp/vault>
-
-## Enterprise
-For customers that purchase the Enterprise Vault AMI through the AWS Marketplace, Enterprise Support is also available from HashiCorp. To learn more: <https://support.hashicorp.com/hc/en-us>
diff --git a/website/source/docs/platform/index.html.md b/website/source/docs/platform/index.html.md
deleted file mode 100644
index 2bb1cbb66838..000000000000
--- a/website/source/docs/platform/index.html.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-layout: "docs"
-page_title: "Platforms"
-sidebar_title: "Platforms"
-sidebar_current: "docs-platform"
-description: |-
-  This section covers running Vault on various platforms (such as Kubernetes).
----
-
-# Platforms
-
-This section covers running Vault on various platforms (such as Kubernetes) and 
-explains architecture, configuration, installation and security considerations.
diff --git a/website/source/docs/platform/k8s/helm/configuration.html.md b/website/source/docs/platform/k8s/helm/configuration.html.md
deleted file mode 100644
index 091245ca82e3..000000000000
--- a/website/source/docs/platform/k8s/helm/configuration.html.md
+++ /dev/null
@@ -1,472 +0,0 @@
----
-layout: "docs"
-page_title: "Configuration"
-sidebar_current: "docs-platform-k8s-configuration"
-sidebar_title: "Configuration"
-description: |-
-  This section documents configuration options for the Vault Helm chart
----
-
-# Configuration
-
-~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
-
-The chart is highly customizable using
-[Helm configuration values](https://docs.helm.sh/using_helm/#customizing-the-chart-before-installing).
-Each value has a default tuned for an optimal getting started experience
-with Vault. Before going into production, please review the parameters below
-and consider if they're appropriate for your deployment.
-
-* `global` - These global values affect multiple components of the chart.
-
-    * `enabled` (`boolean: true`) - The master enabled/disabled configuration. If this is true, most components will be installed by default. If this is false, no components will be installed by default and manually opting-in is required, such as by setting `server.enabled` to true.
-
-    * `imagePullSecrets` (`string: ""`) - Defines secrets to be used when pulling images from private registries.
-
-        - `name`: (`string: required`) - Name of the secret containing files required for authentication to private image registries.
-
-    * `tlsDisable` (`boolean: true`) - When set to `true`, changes URLs from `https` to `http` (such as the `VAULT_ADDR=http://127.0.0.1:8200` environment variable set on the Vault pods).
-
-* `injector` - Values that configure running a Vault Agent Injector Admission Webhook Controller within Kubernetes.
-    
-    * `enabled` (`boolean: true`) - When set to `true`, the Vault Agent Injector Admission Webhook controller will be created.
-    
-    * `image` - Values that configure the Vault Agent Injector Docker image.
-
-        * `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.
-
-        * `tag` (`string: "0.1.2"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
-
-        * `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images.  The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
-    
-    * `agentImage` - Values that configure the Vault Agent sidecar image.
-
-        * `repository` (`string: "vault"`) - The name of the Docker image for the Vault Agent sidecar.  This should be set to the official Vault Docker image.
-
-        * `tag` (`string: "1.3.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar.  **Vault 1.3.1+ is required by the admission controller**.
-
-    * `resources` (`string: ""`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources.
-    <br>**Setting this is highly recommended.**
-
-    ```yaml
-    # Resources are defined as a formatted multi-line string:
-    resources: |
-      requests:
-        memory: "10Gi"
-      limits:
-        memory: "10Gi"
-    ```
-
-    * `namespaceSelector` (`string: ""`) - The selector used by the admission webhook controller to limit what namespaces where injection can happen.  If set to null, all non-system namespaces are eligible for injection.
-
-    ```yaml
-    # Selectors are defined as a formatted multi-line string.
-    # In this example, all namespaces with the label "injection: enabled" are eligible:
-    namespaceSelector: |
-      matchLabels:
-        injection: enabled
-    ```
-
-    * `certs` - The certs section configures how the webhook TLS certs are configured. These are the TLS certs for the Kube apiserver communicating to the webhook. By default, the injector will generate and manage its own certs, but this requires the ability for the injector to update its own `MutatingWebhookConfiguration`. In a production environment, custom certs should probably be used. Configure the values below to enable this.
-
-        * `secretName` (`string: ""`) - secretName is the name of the Kubernetes secret that has the TLS certificate and private key to serve the injector webhook. If this is null, then the injector will default to its automatic management mode.
-
-        * `caBundle` (`string: ""`) - The PEM-encoded CA public certificate bundle for the TLS certificate served by the injector. This must be specified as a string and can't come from a secret because it must be statically configured on the Kubernetes `MutatingAdmissionWebhook` resource. This only needs to be specified if `secretName` is not null.
-
-        * `certName` (`string: "tls.crt"`) - The name of the certificate file within the `secretName` secret.
-
-        * `keyName` (`string: "tls.key"`) - The name of the key file within the `secretName` secret.
-
-* `server` - Values that configure running a Vault server within Kubernetes.
-
-    * `image` - Values that configure the Vault Docker image.
-
-        * `repository` (`string: "vault"`) - The name of the Docker image for the containers running Vault.
-
-        * `tag` (`string: "1.3.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
-
-        * `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images.  The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
-    
-
-    * `resources` (`string: null`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources.
-    <br>**Setting this is highly recommended.**
-
-    ```yaml
-    # Resources are defined as a formatted multi-line string:
-    resources: |
-      requests:
-        memory: "10Gi"
-      limits:
-        memory: "10Gi"
-    ```
-
-    * `ingress` - Values that configure Ingress services for Vault.
-
-        * `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created.
-
-        * `annotations` (`string`) - This value defines additional annotations to add to the Ingress service.  This should be formatted as a multi-line string.
-
-        ```yaml
-        annotations: |
-          kubernetes.io/ingress.class: nginx
-          kubernetes.io/tls-acme: "true"
-        ```
-
-        * `hosts` - Values that configure the Ingress host rules.
-
-            - `host` (`string: required`): Name of the host to use for Ingress.
-
-            - `paths` (`string: required`): This value defines the types of host rules for the Ingress service.
-
-            ```yaml
-            paths:
-            - backend:
-              serviceName: service2
-              servicePort: 80
-            ```
-
-    * `tls` - Values that configure the Ingress TLS rules.
-
-        - `hosts` (`string: null)`: Name of the hosts defined in the Common Name of the TLS Certificate.  This should be formated as a multi-line string.
-
-        - `secretName` (`string: null)`: Name of the secret containing the required TLS files such as certificates and keys.
-
-        ```yaml
-        hosts:
-          - sslexample.foo.com
-          - sslexample.bar.com
-         secretName: testsecret-tls
-        ```
-
-    * `authDelegator` - Values that configure the Cluster Role Binding attached to the Vault service account.
-
-        - `enabled` (`boolean: true`) - When set to `true`, a Cluster Role Binding will be bound to the Vault service account.  This Cluster Role Binding has the necessary privileges for Vault to use the [Kubernetes Auth Method](/docs/auth/kubernetes.html).
-
-    * `readinessProbe` - Values that configure the readiness probe for the Vault pods.
-
-        - `enabled` (`boolean: true`) - When set to `true`, a readiness probe will be applied to the Vault pods.
-
-        - `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe.  The http/https scheme is controled by the `tlsDisable` value.
-
-    ```yaml
-     readinessProbe:
-       enabled: true
-       path: /v1/sys/health?standbyok=true
-    ``` 
-
-    * `livelinessProbes` - Values that configure the liveliness probe for the Vault pods.
-
-        - `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods.
-
-        - `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe.  The http/https scheme is controled by the `tlsDisable` value.
-
-        - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts.
-
-    ```yaml
-     livelinessProbe:
-       enabled: true
-       path: /v1/sys/health?standbyok=true
-       initialDelaySeconds: 60
-    ``` 
-
-    * `extraContainers` (`array: []`) - The extra containers to be applied to the Vault server pods.
-
-    ```yaml
-     extraContainers:
-       - name: mycontainer
-         image: "app:0.0.0"
-         env:
-           ...
-    ```
-
-    ```yaml
-    # Extra Environment Variables are defined as key/value strings.
-     extraEnvironmentVars:
-       GOOGLE_REGION: global
-       GOOGLE_PROJECT: myproject
-       GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
-    ```
-
-    * `extraEnvironmentVars` - The extra environment variables to be applied to the Vault server.  This should be a multi-line key/value string.
-
-    ```yaml
-    # Extra Environment Variables are defined as key/value strings.
-     extraEnvironmentVars:
-       GOOGLE_REGION: global
-       GOOGLE_PROJECT: myproject
-       GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
-    ```
-
-    * `extraSecretEnvironmentVars` (`string: null`) - The extra environment variables populated from a secret to be applied to the Vault server.  This should be a multi-line key/value string.
-
-        - `envName` (`string: required`) -
-        Name of the environment variable to be populated in the Vault container.
-
-        - `secretName` (`string: required`) -
-        Name of Kubernetes secret used to populate the environment variable defined by `envName`.
-
-        - `secretKey` (`string: required`) -
-        Name of the key where the requested secret value is located in the Kubernetes secret.
-
-        ```yaml
-        # Extra Environment Variables populated from a secret.
-         extraSecretEnvironmentVars:
-          - envName: AWS_SECRET_ACCESS_KEY
-            secretName: vault
-            secretKey: AWS_SECRET_ACCESS_KEY
-        ```
-
-    * `extraVolumes` (`array: []`) - A list of extra volumes to mount to Vault servers. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates. The value of this should be a list of objects. Each object supports the following keys:
-
-        - `type` (`string: required`) -
-        Type of the volume, must be one of "configMap" or "secret". Case sensitive.
-
-        - `name` (`string: required`) -
-        Name of the configMap or secret to be mounted. This also controls the path
-        that it is mounted to. The volume will be mounted to `/vault/userconfig/<name>` by default
-        unless `path` is configured.
-
-        - `path` (`string: /vault/userconfigs`) -
-        Name of the path where a configMap or secret is mounted.  If not specified
-        the volume will be mounted to `/vault/userconfig/<name of volume>`.
-
-        ```yaml
-        extraVolumes:
-          -  type: "secret"
-             name: "vault-certs"
-             path: "/etc/pki"
-        ```
-
-    * `affinity` - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. It defaults to allowing only a single pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value to `null`.
-
-    ```yaml
-    # Recommended default server affinity:
-    affinity: |
-      podAntiAffinity:
-        requiredDuringSchedulingIgnoredDuringExecution:
-        - labelSelector:
-          matchLabels:
-            app: {{ template "vault.name" . }}
-            release: "{{ .Release.Name }}"
-            component: server
-          topologyKey: kubernetes.io/hostname
-    ```
-
-    * `tolerations` (`array []`) - This value defines the [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) that are acceptable when being scheduled.
-
-    ```yaml
-    tolerations:
-    - key: "node.kubernetes.io/unreachable"
-      operator: "Exists"
-      effect: "NoExecute"
-      tolerationSeconds: 6000
-    ```
-
-    * `nodeSelector` - This value defines additional node selection criteria for more control over where the Vault servers are deployed.
-
-    ```yaml
-    nodeSelector:
-      disktype: ssd
-    ```
-
-    * `extraLabels` - This value defines additional labels for server pods. This should be formatted as a multi-line string.
-
-    ```yaml
-    extraLabels: |
-      "sample/label1": "foo"
-      "sample/label2": "bar"
-    ```
-
-    * `annotations` - This value defines additional annotations for server pods. This should be a formatted as a multi-line string.
-
-    ```yaml
-    annotations: |
-      "sample/annotation1": "foo"
-      "sample/annotation2": "bar"
-    ```
-
-    * `service` - Values that configure the Kubernetes service created for Vault.
-
-        - `enabled` (`boolean: true`) - When set to `true`, a Kubernetes service will be created for Vault.
-        
-        - `clusterIP` (`string`) - ClusterIP controls whether an IP address (cluster IP) is attached to the Vault service within Kubernetes.  By default the Vault service will be given a Cluster IP address, set to `None` to disable.  When disabled Kubernetes will create a "headless" service.  Headless services can be used to communicate with pods directly through DNS instead of a round robin load balancer.
-        
-        - `type` (`string: "ClusterIP"`) - Sets the type of service to create, such as `NodePort`.
-
-        - `port` (`int: 8200`) - Port on which Vault server is listening inside the pod.
-
-        - `targetPort` (`int: 8200`) - Port on which the service is listening.
-
-        - `nodePort` (`int: `) - When type is set to `NodePort`, the bound node port can be configured using this value.  A random port will be assigned if this is left blank.
-
-        - `annotations` (`string`) - This value defines additional annotations for the service. This should be formatted as a multi-line string.
-
-        ```yaml
-        annotations: |
-          "sample/annotation1": "foo"
-          "sample/annotation2": "bar"
-        ```
-
-    * `serviceAccount` - Values that configure the Kubernetes service account created for Vault.
-
-        - `annotations` (`string`) - This value defines additional annotations for the service account. This should be formatted as a multi-line string.
-
-        ```yaml
-        annotations: |
-          "sample/annotation1": "foo"
-          "sample/annotation2": "bar"
-        ```
-
-    * `extraVolumes` - This configures the `Service` resource created for the Vault server.
-
-        - `enabled` (`boolean: true`) -
-        Enables a service to allow other pods running in Kubernetes to communicate with the Vault server.
-
-    * `dataStorage` - This configures the volume used for storing Vault data when not using external storage such as Consul.
-
-        - `enabled` (`boolean: true`) -
-        Enables a persistent volume to be created for storing Vault data when not using an external storage service.
-
-        - `size` (`string: 10Gi`) -
-        Size of the volume to be created for Vault's data storage when not using an external storage service.
-
-        - `storageClass` (`string: null`) -
-        Name of the storage class to use when creating the data storage volume.
-
-        - `accessMode` (`string: ReadWriteOnce`) -
-        Type of access mode of the storage device.  See the [official Kubernetes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) for more information.
-
-    * `auditStorage` - This configures the volume used for storing Vault's audit logs.  See the [Vault documentation](/docs/audit) for more information.
-
-        - `enabled` (`boolean: true`) -
-        Enables a persistent volume to be created for storing Vault's audit logs.
-
-        - `size` (`string: 10Gi`) -
-        Size of the volume to be created for Vault's audit logs.
-
-        - `storageClass` (`string: null`) -
-        Name of the storage class to use when creating the audit storage volume.
-
-        - `accessMode` (`string: ReadWriteOnce`) -
-        Type of access mode of the storage device.
-
-    * `dev` - This configures `dev` mode for the Vault server.
-
-        - `enabled` (`boolean: false`) -
-        Enables `dev` mode for the Vault server.  This mode is useful for experimenting with Vault without needing to unseal.
-
-        ~> **Security Warning:** Never, ever, ever run a "dev" mode server in production. It is insecure and will lose data on every restart (since it stores data in-memory). It is only made for development or experimentation.
-
-    * `standalone` - This configures `standalone` mode for the Vault server.
-
-        - `enabled` (`boolean: true`) -
-        Enables `standalone` mode for the Vault server.  This mode uses the `file` storage backend and requires a volume for persistence (`dataStorage`).
-
-        - `config` (`string: "{}"`) -
-        A raw string of extra HCL or JSON [configuration](https://www.vaultproject.io/docs/configuration/index.html) for Vault servers.
-        This will be saved as-is into a ConfigMap that is read by the Vault servers.
-        This can be used to add additional configuration that isn't directly exposed by the chart.
-
-        ```yaml
-        # ExtraConfig values are formatted as a multi-line string:
-        config: |
-          api_addr = "http://POD_IP:8200"
-
-          listener "tcp" {
-            tls_disable = 1
-            address     = "0.0.0.0:8200"
-          }
-
-          storage "file" {
-            path = "/vault/data"
-          }
-        ```
-
-        This can also be set using Helm's `--set` flag (vault-helm v0.1.0 and later), using the following syntax:
-
-        ```shell
-        --set server.standalone.config='{ listener "tcp" { address = "0.0.0.0:8200" }'
-        ```
-
-    * `ha` - This configures `ha` mode for the Vault server.
-
-        - `enabled` (`boolean: false`) -
-        Enables `ha` mode for the Vault server.  This mode uses a highly available backend storage (such as Consul) to store Vault's data.  By default this is configured to use [Consul Helm](https://github.com/hashicorp/consul-helm).  For a complete list of storage backends, see the [Vault documentation](/docs/configuration).
-
-        - `replicas` (`int: 5`) -
-        The number of pods to deploy to create a highly available cluster of Vault servers.
-
-        - `updatePartition` (`int: 0`) -
-        If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s `.spec.template` is updated.  If set to `0`, this disables parition updates.  For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates).
-
-        - `config` (`string: "{}"`) -
-        A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers.
-        This will be saved as-is into a ConfigMap that is read by the Vault servers.
-        This can be used to add additional configuration that isn't directly exposed by the chart.
-
-        ```yaml
-        # ExtraConfig values are formatted as a multi-line string:
-        config: |
-          ui = true
-          api_addr = "http://POD_IP:8200"
-          listener "tcp" {
-              tls_disable = 1
-              address     = "0.0.0.0:8200"
-          }
-
-          storage "consul" {
-              path = "vault"
-              address = "HOST_IP:8500"
-          }
-        ```
-
-        This can also be set using Helm's `--set` flag (vault-helm v0.1.0 and later), using the following syntax:
-
-        ```shell
-        --set server.ha.config='{ listener "tcp" { address = "0.0.0.0:8200" }'
-        ```
-
-    - `disruptionBudget` - Values that configures the disruption budget policy.  See the [official Kubernetes documentation](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) for more information.
-
-        - `enabled` (`boolean: true`) -
-        Enables disruption budget policy to limit the number of pods that are down simultaneously from voluntary disruptions.
-
-        - `maxUnavailable` (`int: null`) -
-        The maximum number of unavailable pods. By default, this will be automatically
-        computed based on the `server.replicas` value to be `(n/2)-1`. If you need to set
-        this to `0`, you will need to add a `--set 'server.disruptionBudget.maxUnavailable=0'`
-        flag to the helm chart installation command because of a limitation in the Helm
-        templating language.
-
-* `ui` - Values that configure the Vault UI.
-
-    - `enabled` (`boolean: false`) - If true, the UI will be enabled. The UI will only be enabled on Vault servers. If `server.enabled` is false, then this setting has no effect. To expose the UI in some way, you must configure `ui.service`.
-
-    - `serviceType` (`string: ClusterIP`) -
-    The service type to register. This defaults to `ClusterIP`.
-    The available service types are documented on
-    [the Kubernetes website](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types).
-
-    - `serviceNodePort` (`int: null`) -
-    Sets the Node Port value when using `serviceType: NodePort` on the Vault UI service.
-
-    - `externalPort` (`int: 8200`) -
-    Sets the external port value of the service.
-
-    - `loadBalancerSourceRanges` (`string`) - This value defines additional source CIDRs when using `serviceType: LoadBalancer`.  This should be formatted as a multi-line string.
-
-    ```yaml
-    loadBalancerSourceRanges:
-    - 10.0.0.0/16
-    - 120.78.23.3/32
-    ```
-
-    - `loadBalancerIP` (`string`) - This value defines the IP address of the load balancer when using `serviceType: LoadBalancer`.
-
-    - `annotations` (`string`) - This value defines additional annotations for the UI service. This should be a formatted as a multi-line string.
-
-    ```yaml
-    annotations: |
-      "sample/annotation1": "foo"
-      "sample/annotation2": "bar"
-    ```
diff --git a/website/source/docs/platform/k8s/helm/examples.html.md b/website/source/docs/platform/k8s/helm/examples.html.md
deleted file mode 100644
index 2c01ef26bb35..000000000000
--- a/website/source/docs/platform/k8s/helm/examples.html.md
+++ /dev/null
@@ -1,213 +0,0 @@
----
-layout: "docs"
-page_title: "Examples"
-sidebar_current: "docs-platform-k8s-examples"
-sidebar_title: "Examples"
-description: |-
-  This section documents configuration options for the Vault Helm chart
----
-
-# Helm Chart Examples
-
-~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
-
-The following are different configuration examples to support a variety of
-deployment models.
-
-## Standalone Server with Load Balanced UI
-
-The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.
-
-```yaml
-global:
-  enabled: true
-
-server:
-  image:
-    repository: "vault"
-    tag: "1.3.1"
-
-  standalone:
-    enabled: true
-    config: |
-      ui = true
-
-      listener "tcp" {
-        tls_disable = 1
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-      }
-      storage "file" {
-        path = "/vault/data"
-      }
-
-  service:
-    enabled: true
-
-  dataStorage:
-    enabled: true
-    size: 10Gi
-    storageClass: null
-    accessMode: ReadWriteOnce
-
-ui:
-  enabled: true
-  serviceType: LoadBalancer
-```
-
-## Standalone Server with TLS
-
-The below `values.yaml` can be used to set up a single server Vault cluster using TLS.
-This assumes that a Kubernetes `secret` exists with the server certificate, key and
-certificate authority:
-
-```yaml
-global:
-  enabled: true
-  tlsDisable: false
-
-server:
-  image:
-    repository: "vault"
-    tag: "1.3.1"
-
-  extraVolumes:
-  - type: secret
-    name: vault-server-tls
-
-  standalone:
-    enabled: true
-    config: |
-      listener "tcp" {
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-        tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
-        tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
-        tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
-      }
-
-      storage "file" {
-        path = "/vault/data"
-      }
-
-  service:
-    enabled: true
-
-  dataStorage:
-    enabled: true
-    size: 10Gi
-    storageClass: null
-    accessMode: ReadWriteOnce
-```
-
-## Standalone Server with Audit Storage
-
-The below `values.yaml` can be used to set up a single server Vault cluster with
-auditing enabled.
-
-```yaml
-global:
-  enabled: true
-
-server:
-  image:
-    repository: "vault"
-    tag: "1.3.1"
-
-  standalone:
-    enabled: true
-    config: |
-      listener "tcp" {
-        tls_disable = true
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-      }
-
-      storage "file" {
-        path = "/vault/data"
-      }
-
-  service:
-    enabled: true
-
-  dataStorage:
-    enabled: true
-    size: 10Gi
-    storageClass: null
-    accessMode: ReadWriteOnce
-
-  auditStorage:
-    enabled: true
-    size: 10Gi
-    storageClass: null
-    accessMode: ReadWriteOnce
-```
-
-After Vault has been deployed, initialized and unsealed, auditing can be enabled
-by running the following command against the Vault pod:
-
-```bash
-$ kubectl exec -ti <POD NAME> --  vault audit enable file file_path=/vault/audit/vault_audit.log
-```
-
-## Highly Available Vault Cluster with Consul
-
-The below `values.yaml` can be used to set up a five server Vault cluster using
-Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
-
-```yaml
-global:
-  enabled: true
-
-server:
-  image:
-    repository: "vault"
-    tag: "1.3.1"
-
-  extraEnvironmentVars:
-    GOOGLE_REGION: global
-    GOOGLE_PROJECT: myproject
-    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
-
-  extraVolumes: []
-    - type: secret
-      name: my-gcp-iam
-
-  affinity: |
-    podAntiAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        - labelSelector:
-            matchLabels:
-              app: {{ template "vault.name" . }}
-              release: "{{ .Release.Name }}"
-              component: server
-          topologyKey: kubernetes.io/hostname
-
-  service:
-    enabled: true
-
-  ha:
-    enabled: true
-    replicas: 5
-
-    config: |
-      ui = true
-
-      listener "tcp" {
-        tls_disable = 1
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-      }
-
-      storage "consul" {
-        path = "vault"
-        address = "HOST_IP:8500"
-      }
-
-      seal "gcpckms" {
-         project     = "myproject"
-         region      = "global"
-         key_ring    = "vault-unseal-kr"
-         crypto_key  = "vault-unseal-key"
-      }
-```
diff --git a/website/source/docs/platform/k8s/helm/index.html.md b/website/source/docs/platform/k8s/helm/index.html.md
deleted file mode 100644
index 27cdc75443ad..000000000000
--- a/website/source/docs/platform/k8s/helm/index.html.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-layout: "docs"
-page_title: "Helm - Kubernetes"
-sidebar_current: "docs-platform-k8s-helm"
-sidebar_title: "Helm Chart"
-description: |-
-  The Vault Helm chart is the recommended way to install and configure Vault on Kubernetes.
----
-
-# Helm Chart
-
-~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
-
-The [Vault Helm chart](https://github.com/hashicorp/vault-helm)
-is the recommended way to install and configure Vault on Kubernetes.
-In addition to running Vault itself, the Helm chart is the primary
-method for installing and configuring Vault to integrate with other
-services such as Consul for High Availability deployments.
-
-This page assumes general knowledge of [Helm](https://v2.helm.sh/) and
-how to use it. Using Helm to install Vault will require that Helm is
-properly installed and configured with your Kubernetes cluster.
-
--> **Important:** The Helm chart is new and
-may still change significantly over time. Please always run Helm with
-`--dry-run` before any install or upgrade to verify changes.
-
-~> **Security Warning:** By default, the chart will install an insecure configuration
-of Vault. This provides a less complicated out-of-box experience for new users,
-but is not appropriate for a production setup. It is highly recommended to use
-a [properly secured Kubernetes cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/).
-See the [architecture reference](/docs/platform/k8s/run.html#architecture)
-for a Vault Helm production deployment checklist.
-
-## Using the Helm Chart
-
-To use the Helm chart, you must download or clone the
-[vault-helm GitHub repository](https://github.com/hashicorp/vault-helm)
-and run Helm against the directory. We plan to transition to using a real
-Helm repository soon. When running Helm, we highly recommend you always
-checkout a specific tagged release of the chart to avoid any
-instabilities from master.
-
-Prior to this, you must have Helm installed and configured both in your
-Kubernetes cluster and locally on your machine. The steps to do this are
-out of the scope of this document. Please refer to the
-[Helm documentation](https://helm.sh/) for more information.
-
-Example chart usage:
-
-```sh
-# Clone the chart repo
-$ git clone https://github.com/hashicorp/vault-helm.git
-$ cd vault-helm
-
-# Checkout a tagged version
-$ git checkout v0.3.2
-
-# Run Helm
-$ helm install --dry-run ./
-```
diff --git a/website/source/docs/platform/k8s/helm/run.html.md b/website/source/docs/platform/k8s/helm/run.html.md
deleted file mode 100644
index e06d1b9be140..000000000000
--- a/website/source/docs/platform/k8s/helm/run.html.md
+++ /dev/null
@@ -1,378 +0,0 @@
----
-layout: "docs"
-page_title: "Running Vault - Kubernetes"
-sidebar_current: "docs-platform-k8s-run"
-sidebar_title: "Running Vault"
-description: |-
-  Vault can run directly on Kubernetes in various configurations.  For pure-Kubernetes worloads, this enables Vault to also exist purely within Kubernetes.
----
-
-# Running Vault on Kubernetes
-
-Vault can run directly on Kubernetes in various modes: `dev,` `standalone` and `ha`.
-For pure-Kubernetes workloads, this enables Vault to also exist purely
-within Kubernetes.
-
-This page starts with a large how-to section for various specific tasks.
-
-!> **IMPORTANT NOTE:** Vault Enterprise is currently not supported.  We are actively
-working a version for Vault Enterprise and it will be available in the future.
-
-~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
-
-## Helm Chart
-
-The [Vault Helm chart](https://github.com/hashicorp/vault-helm)
-is the recommended way to install and configure Vault on Kubernetes.
-In addition to running Vault itself, the Helm chart is the primary
-method for installing and configuring Vault to integrate with other
-services such as Consul for High Availability deployments.
-
-While the Helm chart exposes dozens of useful configurations and automatically
-sets up complex resources, it **does not automatically operate Vault.**
-You are still responsible for learning how to monitor, backup,
-upgrade, etc. the Vault cluster.
-
-The Helm chart has no required configuration and will install a Vault
-cluster with sane defaults out of the box. Prior to going to production,
-it is highly recommended that you
-[learn about the configuration options](/docs/platform/k8s/helm/configuration.html).
-
-~> **Security Warning:** By default, the chart will install an insecure configuration
-of Vault. This provides a less complicated out-of-box experience for new users,
-but is not appropriate for a production setup. It is highly recommended to use
-a [properly secured Kubernetes cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/).
-See the [architecture reference](/docs/platform/k8s/run.html#architecture)
-for a production deployment checklist.
-
-## How-To
-
-### Installing Vault
-
-To install Vault, clone the vault-helm repository, checkout the latest release, and install
-Vault. You can run `helm install` with the `--dry-run` flag to see the
-resources it would configure. In a production environment, you should always
-use the `--dry-run` flag prior to making any changes to the Vault cluster
-via Helm.  See the [chart configuration values](/docs/platform/k8s/helm.html#configuration-values-)
-for additional configuration options.
-
-```sh
-# Clone the chart repo
-$ git clone https://github.com/hashicorp/vault-helm.git
-$ cd vault-helm
-
-# Checkout a tagged version
-$ git checkout v0.3.2
-
-# Run Helm
-$ helm install --name vault ./
-...
-```
-
-!> **IMPORTANT NOTE:** Vault Helm will not initialize and unseal Vault automatically.
-Initialization is required after installation followed by unsealing.  Vault can be
-configured to auto-unseal using KMS providers such as
-[Google Cloud Platform](/docs/platform/k8s/run.html#google-kms-auto-unseal).  This
-allows the pods to auto unseal if they're rescheduled in Kubernetes.
-
-If standalone or HA mode are being used, the Vault pods must be initialized and unsealed.
-For HA deployments, only one of the Vault pods needs to be initialized.
-
-```sh
-$ kubectl exec -ti vault-0 -- vault operator init
-$ kubectl exec -ti vault-0 -- vault operator unseal
-```
-
-For HA deployments, unseal the remaining pods:
-
-```sh
-$ kubectl exec -ti <NAME OF POD> -- vault operator unseal
-```
-
-### Viewing the Vault UI
-
-The Vault UI is enabled by default when using the Helm chart.
-For security reasons, it isn't exposed via a Service by default so you must
-use `kubectl port-forward` to visit the UI. Once the port is forwarded as
-shown below, navigate your browser to `http://localhost:8200`.
-
-```
-$ kubectl port-forward vault-0 8200:8200
-...
-```
-
-The UI can also be exposed via a Kubernetes Service. To do this, configure
-the [`ui.service` chart values](/docs/platform/k8s/helm.html#v-ui).
-
-### Upgrading Vault on Kubernetes
-
-To upgrade Vault on Kubernetes, we follow the same pattern as
-[generally upgrading Vault](/docs/upgrading.html), except we can use
-the Helm chart to update the Vault server Statefulset.  It is important to understand
-how to [generally upgrade Vault](/docs/upgrading.html) before reading this
-section.
-
-The Vault Statefulset uses `OnDelete` update strategy.  It is critical to use `OnDelete` instead
-of `RollingUpdate` because standbys must be updated before the active primary.  A
-failover to an older version of Vault must always be avoided.
-
-!> **IMPORTANT NOTE:** Always back up your data before upgrading! Vault does not
-make backward-compatibility guarantees for its data store. Simply replacing the
-newly-installed Vault binary with the previous version will not cleanly
-downgrade Vault, as upgrades may perform changes to the underlying data
-structure that make the data incompatible with a downgrade. If you need to roll
-back to a previous version of Vault, you should roll back your data store as
-well.
-
-#### Upgrading Vault Servers
-
-To initiate the upgrade, change the `server.image` values to the
-desired Vault version. For illustrative purposes, the example below will
-use `vault:123.456`.
-
-```yaml
-server:
-  image:
-    repository: "vault"
-    tag: "123.456"
-```
-
-Next, run the upgrade. You should run this with `--dry-run` first to verify
-the changes that will be sent to the Kubernetes cluster.
-
-```shell
-$ helm upgrade vault ./
-...
-```
-
-This should cause no changes (although the resource will be updated). If
-everything is stable, `helm upgrade` can be run.
-
-The `helm upgrade` command should have updated the Statefulset template for
-the Vault servers, however, no pods have been deleted.  The pods must be manually
-deleted to upgrade.  Deleting the pods will not delete any persisted data.
-
-If Vault is not deployed using `ha` mode, the single Vault server may be deleted by
-running:
-
-```bash
-$ kubectl delete pod <name of Vault pod>
-```
-
-If Vault is deployed using `ha` mode, the standby pods must be upgraded first.
-To identify which pod is currently the active primary, run the following commad
-on each Vault pod:
-
-```bash
-$ kubectl exec -ti <name of pod> -- vault status | grep "HA Mode"
-```
-
-Next, delete every pod that is not the active primary:
-
-```bash
-$ kubectl delete pod <name of Vault pods>
-```
-
-If auto-unseal is not being used, the newly scheduled Vault standby pods will need
-to be unsealed:
-
-```bash
-$ kubectl exec -ti <name of pod> -- vault operator unseal
-```
-
-Finally, once the standby nodes have been updated and unsealed, delete the active
-primary:
-
-```bash
-$ kubectl delete pod <name of Vault primary>
-```
-
-Similar to the standby nodes, the former primary will also need to be unsealed:
-
-```bash
-$ kubectl exec -ti <name of pod> -- vault operator unseal
-```
-
-After a few moments the Vault cluster should elect a new active primary.  The Vault
-cluster is now upgraded!
-
-#### Google KMS Auto Unseal
-
-The following example demonstrates configuring Vault Helm to use
-[Google KMS for Auto Unseal](/docs/configuration/seal/gcpckms.html).
-
-In order to authenticate and use KMS in Google Cloud, Vault Helm needs credentials.  The `credentials.json`
-file will need to be mounted as a secret to the Vault container.
-
-##### Create the Secret
-
-First, create the secret in Kubernetes:
-
-```bash
-kubectl create secret generic kms-creds --from-file=credentials.json
-```
-
-Vault Helm will mount this to `/vault/userconfig/kms-creds/credentials.json`.
-
-##### Config Example
-
-The following is an example of how to configure Vault Helm to use Google KMS:
-
-```yaml
-global:
-  enabled: true
-
-server:
-  image:
-    repository: "vault"
-    tag: "1.3.1"
-
-  extraEnvironmentVars:
-    GOOGLE_REGION: global
-    GOOGLE_PROJECT: <PROJECT NAME>
-    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
-
-  extraVolumes:
-    - type: "secret"
-      name: "kms-creds"
-
-  ha:
-    enabled: true
-    replicas: 3
-
-    config: |
-      ui = true
-
-      listener "tcp" {
-        tls_disable = 1
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-      }
-
-      seal "gcpckms" {
-        project     = "<NAME OF PROJECT>"
-        region      = "global"
-        key_ring    = "<NAME OF KEYRING>"
-        crypto_key  = "<NAME OF KEY>"
-      }
-
-      storage "consul" {
-        path = "vault"
-        address = "HOST_IP:8500"
-      }
-```
-
-#### Amazon EKS Auto Unseal
-
-The following example demonstrates configuring Vault Helm to use
-[AWS EKS for Auto Unseal](/docs/configuration/seal/awskms.html).
-
-In order to authenticate and use EKS in AWS, Vault Helm needs credentials.  The AWS access key
-ID and key will be mounted as secret environment variables in the Vault pods.
-
-##### Create the Secret
-
-First, create a secret with your EKS access key/secret:
-
-```bash
-kubectl create secret generic eks-creds\
-  --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID?}" \
-  --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY?}"
-```
-
-##### Config Example
-
-The following is an example of how to configure Vault Helm to use AWS EKS:
-
-```yaml
-global:
-  enabled: true
-
-server:
-  image:
-    repository: "vault"
-    tag: "1.3.1"
-
-  extraSecretEnvironmentVars:
-  - envName: AWS_ACCESS_KEY_ID
-    secretName: eks-creds
-    secretKey: AWS_ACCESS_KEY_ID
-  - envName: AWS_SECRET_ACCESS_KEY
-    secretName: eks-creds
-    secretKey: AWS_SECRET_ACCESS_KEY
-
-  ha:
-    enabled: true
-    config: |
-      ui = true
-
-      listener "tcp" {
-        tls_disable = 1
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-      }
-
-      seal "awskms" {
-        region     = "KMS_REGION_HERE"
-        kms_key_id = "KMS_KEY_ID_HERE"
-      }
-
-      storage "consul" {
-        path = "vault"
-        address = "HOST_IP:8500"
-      }
-```
-
-## Architecture
-
-We recommend running Vault on Kubernetes with the same
-[general architecture](/docs/internals/architecture.html)
-as running it anywhere else. There are some benefits Kubernetes can provide
-that eases operating a Vault cluster and we document those below. The standard
-[production deployment guide](https://learn.hashicorp.com/vault/day-one/production-hardening) is still an
-important read even if running Vault within Kubernetes.
-
-### Production Deployment Checklist
-
-*End-to-End TLS.* Vault should always be used with TLS in production. If
-intermediate load balancers or reverse proxies are used to front Vault,
-they should not terminate TLS. This way traffic is always encrypted in transit
-to Vault and minimizes risks introduced by intermediate layers.  See the
-[official documentation](/docs/platform/k8s/helm.html#standalone-server-with-tls)
-for example on configuring Vault Helm to use TLS.
-
-*Single Tenancy.* Vault should be the only main process running on a machine.
-This reduces the risk that another process running on the same machine is
-compromised and can interact with Vault. This can be accomplished by using Vault
-Helm's `affinity` configurable. See the
-[official documentation](/docs/platform/k8s/helm.html#highly-available-vault-cluster-with-consul)
-for example on configuring Vault Helm to use affinity rules.
-
-*Enable Auditing.* Vault supports several auditing backends. Enabling auditing
-provides a history of all operations performed by Vault and provides a forensics
-trail in the case of misuse or compromise. Audit logs securely hash any sensitive
-data, but access should still be restricted to prevent any unintended disclosures.
-Vault Helm includes a configurable `auditStorage` option that will provision a persistent
-volume to store audit logs.  See the
-[official documentation](/docs/platform/k8s/helm.html#standalone-server-with-audit-storage)
-for an example on configuring Vault Helm to use auditing.
-
-*Immutable Upgrades.* Vault relies on an external storage backend for persistence,
-and this decoupling allows the servers running Vault to be managed immutably.
-When upgrading to new versions, new servers with the upgraded version of Vault
-are brought online. They are attached to the same shared storage backend and
-unsealed. Then the old servers are destroyed. This reduces the need for remote
-access and upgrade orchestration which may introduce security gaps. See the
-[upgrade section](/docs/platform/k8s/run.html#how-to) for instructions
-on upgrading Vault on Kubernetes.
-
-*Upgrade Frequently.* Vault is actively developed, and updating frequently is
-important to incorporate security fixes and any changes in default settings such
-as key lengths or cipher suites. Subscribe to the Vault mailing list and
-GitHub CHANGELOG for updates.
-
-*Restrict Storage Access.* Vault encrypts all data at rest, regardless of which
-storage backend is used. Although the data is encrypted, an attacker with arbitrary
-control can cause data corruption or loss by modifying or deleting keys. Access
-to the storage backend should be restricted to only Vault to avoid unauthorized
-access or operations.
diff --git a/website/source/docs/platform/k8s/index.html.md b/website/source/docs/platform/k8s/index.html.md
deleted file mode 100644
index f8221ab90354..000000000000
--- a/website/source/docs/platform/k8s/index.html.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-layout: "docs"
-page_title: "Kubernetes"
-sidebar_current: "docs-platform-k8s-index"
-sidebar_title: "Kubernetes"
-description: |-
-  This section documents the official integration between Vault and Kubernetes.
----
-
-# Kubernetes
-
-Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart.  
-The helm chart allows users to deploy Vault in various configurations:
-
-* Dev mode: a single in-memory Vault server for testing Vault
-* Standalone mode (default): a single Vault server persisting to a volume using the file storage backend
-* HA mode: a cluster of Vault servers that use an HA storage backend such as Consul (default)
-
-## Use Cases
-
-**Running a Vault Service:** The Vault server cluster can run directly on Kubernetes.  
-This can be used by applications running within Kubernetes as well as external to 
-Kubernetes, as long as they can communicate to the server via the network.
-
-**Accessing and Storing Secrets:** Applications using the Vault service running in 
-Kubernetes can access and store secrets from Vault using a number of different 
-[secret engines](/docs/secrets) and [authentication methods](/docs/auth).
-
-**Running a Highly Available Vault Service:**  By using pod affinities, highly available 
-backend storage (such as Consul) and [auto-unseal](/docs/concepts/seal.html#auto-unseal), 
-Vault can become a highly available service in Kubernetes.
-
-**Encryption as a Service:** Applications using the Vault service running in Kubernetes 
-can leverage the [Transit secret engine](/docs/secrets/transit) 
-as "encryption as a service".  This allows applications to offload encryption needs 
-to Vault before storing data at rest.
-
-**Audit Logs for Vault:** Operators can choose to attach a persistent volume 
-to the Vault cluster which can be used to [store audit logs](/docs/audit).
-
-**And more!** Vault can run directly on Kubernetes, so in addition to the
-native integrations provided by Vault itself, any other tool built for
-Kubernetes can choose to leverage Vault.
diff --git a/website/source/docs/platform/k8s/injector/examples.html.md b/website/source/docs/platform/k8s/injector/examples.html.md
deleted file mode 100644
index ab857554c1c4..000000000000
--- a/website/source/docs/platform/k8s/injector/examples.html.md
+++ /dev/null
@@ -1,237 +0,0 @@
----
-layout: "docs"
-page_title: "Vault Agent Sidecar Injector Examples"
-sidebar_current: "docs-platform-k8s-injector-examples"
-sidebar_title: "Examples"
-description: |-
-  This section documents examples of using the Vault Agent Injector.
----
-
-# Vault Agent Injector Examples
-
-The following are different configuration examples to support a variety of
-deployment models.
-
-~> A common mistake is to set the annotation on the Deployment or other resource.
-  Ensure that the injector annotations are specified on the pod specification when 
-  using higher level constructs such as deployments, jobs or statefulsets.
-
-## Before Using the Vault Agent Injector
-
-Before applying Vault Agent injection annotations to pods, the following requirements
-should be satisfied:
-
-* Kubernetes auth method should be configured and enabled in Vault,
-* Pod should have a service account,
-* desired secrets exist within Vault,
-* the service account should be bound to a Vault role with a policy enabling access to desired secrets.
-
-For more information on configuring the Vault Kubernetes auth method,
-[see the official documentation](/docs/auth/kubernetes.html#configuration).
-
-## Debugging
-
-If an error occurs with a mutation request, Kubernetes will attach the error to the 
-owner of the pod.  Check the following for errors:
-
-* If the pod was created by a deployment or statefulset, check for errors in the `replicaset`
-  that owns the pod.
-* If the pod was created by a job, check the `job` for errors.
-
-## Patching Existing Pods
-
-To patch existing pods, a Kubernetes patch can be applied to add the required annoations
-to pods.  When applying a patch, the pods will be rescheduled.
-
-First, create the patch:
-
-```bash
-cat <<EOF >> ./patch.yaml
-spec:
-  template:
-    metadata:
-      annotations:
-        vault.hashicorp.com/agent-inject: "true"
-        vault.hashicorp.com/agent-inject-status: "update"
-        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
-        vault.hashicorp.com/agent-inject-template-db-creds: |
-          {{- with secret "database/creds/db-app" -}}
-          postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb?sslmode=disable
-          {{- end }}
-        vault.hashicorp.com/role: "db-app"
-        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
-        vault.hashicorp.com/client-cert: "/vault/tls/client.crt"
-        vault.hashicorp.com/client-key: "/vault/tls/client.key"
-        vault.hashicorp.com/tls-secret: "vault-tls-client"
-EOF
-```
-
-Next, apply the patch:
-
-```bash
-kubectl patch deployment <MY DEPLOYMENT> --patch "$(cat patch.yaml)"
-```
-
-The pod should now be rescheduled with additional containers.  The pod can be inspected
-using the `kubectl describe` command:
-
-```bash
-kubectl describe pod <name of pod>
-```
-
-## Deployments, StatefulSets, etc.
-
-The annotations for configuring Vault Agent injection must be on the pod
-specification. Since higher level resources such as Deployments wrap pod
-specification templates, Vault Agent Injector can be used with all of these
-higher level constructs, too.
-
-An example Deployment below shows how to enable Vault Agent injection:
-
-```yaml
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: app-example
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: app-example-deployment
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: app-example
-  template:
-    metadata:
-      labels:
-        app: app-example
-      annotations:
-        vault.hashicorp.com/agent-inject: "true"
-        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
-        vault.hashicorp.com/agent-inject-template-db-creds: |
-          {{- with secret "database/creds/db-app" -}}
-          postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb?sslmode=disable
-          {{- end }}
-        vault.hashicorp.com/role: "db-app"
-        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
-        vault.hashicorp.com/client-cert: "/vault/tls/client.crt"
-        vault.hashicorp.com/client-key: "/vault/tls/client.key"
-        vault.hashicorp.com/tls-secret: "vault-tls-client"
-    spec:
-      containers:
-        - name:app 
-          image: "app:1.0.0"
-      serviceAccountName: app-example
-```
-
-## ConfigMap Example
-
-The following example creates a deployment that mounts a Kubernetes ConfigMap
-containing Vault Agent configuration files.  For a complete list of the Vault
-Agent configuration settings, [see the Agent documentation](/docs/agent/template/index.html#vault-agent-templates).
-
-```yaml
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: app-example
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: app-example-deployment
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: app-example
-  template:
-    metadata:
-      labels:
-        app: app-example
-      annotations:
-        vault.hashicorp.com/agent-inject: "true"
-        vault.hashicorp.com/agent-configmap: "my-configmap"
-        vault.hashicorp.com/tls-secret: "vault-tls-client"
-    spec:
-      containers:
-        - name:app 
-          image: "app:1.0.0"
-      serviceAccountName: app-example
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: my-configmap
-agent-config
-    app: app-example
-data:
-  config.hcl: |
-    "auto_auth" = {
-      "method" = {
-        "config" = {
-          "role" = "db-app"
-        }
-        "type" = "kubernetes"
-      }
-
-      "sink" = {
-        "config" = {
-          "path" = "/home/vault/.token"
-        }
-
-        "type" = "file"
-      }
-    }
-
-    "exit_after_auth" = false
-    "pid_file" = "/home/vault/.pid"
-
-    "template" = {
-      "contents" = "{{- with secret "database/creds/db-app" -}}postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable{{- end }}"
-      "destination" = "/vault/secrets/db-creds"
-    }
-
-    "vault" = {
-      "address" = "https://vault.demo.svc.cluster.local:8200"
-      "ca_cert" = "/vault/tls/ca.crt"
-      "client_cert" = "/vault/tls/client.crt"
-      "client_key" = "/vault/tls/client.key"
-    }
-  config-init.hcl: |
-    "auto_auth" = {
-      "method" = {
-        "config" = {
-          "role" = "db-app"
-        }
-        "type" = "kubernetes"
-      }
-
-      "sink" = {
-        "config" = {
-          "path" = "/home/vault/.token"
-        }
-
-        "type" = "file"
-      }
-    }
-
-    "exit_after_auth" = true
-    "pid_file" = "/home/vault/.pid"
-
-    "template" = {
-      "contents" = "{{- with secret "database/creds/db-app" -}}postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable{{- end }}"
-      "destination" = "/vault/secrets/db-creds"
-    }
-
-    "vault" = {
-      "address" = "https://vault.demo.svc.cluster.local:8200"
-      "ca_cert" = "/vault/tls/ca.crt"
-      "client_cert" = "/vault/tls/client.crt"
-      "client_key" = "/vault/tls/client.key"
-    }
-```
diff --git a/website/source/docs/platform/k8s/injector/index.html.md b/website/source/docs/platform/k8s/injector/index.html.md
deleted file mode 100644
index cb836a38cf67..000000000000
--- a/website/source/docs/platform/k8s/injector/index.html.md
+++ /dev/null
@@ -1,268 +0,0 @@
----
-layout: "docs"
-page_title: "Agent Sidecar Injector Overview"
-sidebar_current: "docs-platform-k8s-injector"
-sidebar_title: "Agent Injector"
-description: |-
-  The Vault Agent Sidecar Injector is a Kubernetes admission webhook that adds Vault Agent containers to pods for consuming Vault secrets.
----
-
-# Agent Sidecar Injector
-
-The Vault Agent Injector alters pod specifications to include Vault Agent
-containers that render Vault secrets to a shared memory volume using 
-[Vault Agent Templates](/docs/agent/template/index.html).
-By rendering secrets to a shared volume, containers within the pod can consume 
-Vault secrets without being Vault aware.
-
-The injector is a [Kubernetes Mutation Webhook Controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/).
-The controller intercepts pod events and applies mutations to the pod if annotations exist within
-the request.  This functionality is provided by the [vault-k8s](https://github.com/hashicorp/vault-k8s)
-project and can be automatically installed and configured using the
-[Vault Helm](https://github.com/hashicorp/vault-helm) chart.
-
-## Overview
-
-The Vault Agent Injector works by intercepting pod `CREATE` and `UPDATE`
-events in Kubernetes.  The controller parses the event and looks for the metadata
-annotation `vault.hashicorp.com/agent-inject: true`.  If found, the controller will
-alter the pod specification based on other annotations present.
-
-### Mutations
-
-At a minimum, every container in the pod will be configured to mount a shared
-memory volume.  This volume is mounted to `/vault/secrets` and will be used by the Vault
-Agent containers for sharing secrets with the other containers in the pod.
-
-Next, two types of Vault Agent containers can be injected: init and sidecar.  The
-init container will prepopulate the shared memory volume with the requested
-secrets prior to the other containers starting.  The sidecar container will
-continue to authenticate and render secrets to the same location as the pod runs.
-Using annotations, the initialization and sidecar containers may be disabled.
-
-Last, two additional types of volumes can be optionally mounted to the Vault Agent
-containers.  The first is secret volume containing TLS requirements such as client
-and CA (certificate authority) certificates and keys. This volume is useful when
-communicating and verifying the Vault server's authenticity using TLS.  The second
-is a configuration map containing Vault Agent configuration files.  This volume is
-useful to customize Vault Agent beyond what the provided annotations offer.
-
-### Authenticating with Vault
-
-The primary method of authentication with Vault when using the Vault Agent Injector
-is the service account attached to the pod.  At this time, no other authentication
-method is supported by the controller.
-
-The service account must be bound to a Vault role and a policy granting access to
-the secrets desired.
-
-A service account must be present to use the Vault Agent Injector.  It is *not*
-recommended to bind Vault roles to the default service account provided to pods
-if no service account is defined.
-
-### Requesting Secrets
-
-There are two methods of configuring the Vault Agent containers to render secrets:
-
-* the `vault.hashicorp.com/agent-inject-secret` annotation, or
-* a configuration map containing Vault Agent configuration files.
-
-Only one of these methods may be used at any time.
-
-#### Secrets via Annotations
-
-To configure secret injection using annotations, the user must supply:
-
-* one or more _secret_ annotations, and
-* the Vault role used to access those secrets. 
-
-The annotation must have the format:
-
-```yaml
-vault.hashicorp.com/agent-inject-secret-<unique-name>: /path/to/secret
-```
-
-The unique name will be the filename of the rendered secret and must be unique if
-multiple secrets are defined by the user.  For example, consider the following
-secret annotations:
-
-```yaml
-vault.hashicorp.com/agent-inject-secret-foo: database/roles/app
-vault.hashicorp.com/agent-inject-secret-bar: consul/creds/app
-vault.hashicorp.com/role: "app"
-```
-
-The first annotation will be rendered to `/vault/secrets/foo` and the second
-annotation will be rendered to `/vault/secrets/bar`.
-
-It's possible to set the file format of the using the annotation.  For example the
-following secret will be rendered to `/vault/secrets/foo.txt`:
-
-```yaml
-vault.hashicorp.com/agent-inject-secret-foo.txt: database/roles/app
-vault.hashicorp.com/role: "app"
-```
-
-The secret unique name must consist of alphanumeric characters, `.`, `_` or `-`.
-
-##### Secret Templates
-
-~> Vault Agent uses the Consul Template project to render secrets.  For more information
-  on writing templates, see the [Consul Template documentation](https://github.com/hashicorp/consul-template).
-
-How the secret is rendered to the file is also configurable.  To configure the template
-used, the user must supply a _template_ annotation using the same unique name of
-the secret.  The annotation must have the following format:
-
-```yaml
-vault.hashicorp.com/agent-inject-template-<unique-name>: |
-  < 
-    TEMPLATE
-    HERE
-  >
-```
-
-For example, consider the following:
-
-```yaml
-vault.hashicorp.com/agent-inject-secret-foo: "database/roles/app"
-vault.hashicorp.com/agent-inject-template-foo: |
-  {{- with secret "database/creds/db-app" -}}
-  postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable
-  {{- end }}
-vault.hashicorp.com/role: "app"
-```
-
-The rendered secret would look like this within the container:
-
-```bash
-$ cat /vault/secrets/foo
-postgres://v-kubernet-pg-app-q0Z7WPfVN:A1a-BUEuQR52oAqPrP1J@postgres:5432/mydb?sslmode=disable
-```
-
-~> The default left and right template delimiters are `{{` and `}}`.
-
-If no template is provided the following generic template is used:
-
-```
-{{ with secret "/path/to/secret" }}
-    {{ range $k, $v := .Data }}
-        {{ $k }}: {{ $v }}
-    {{ end }}
-{{ end }}
-```
-
-For example, the following annotation will use the default template to render
-PostgreSQL secrets found at the configured path:
-
-```yaml
-vault.hashicorp.com/agent-inject-secret-foo: "database/roles/pg-app"
-vault.hashicorp.com/role: "app"
-```
-
-The rendered secret would look like this within the container:
-
-```bash
-$ cat /vault/secrets/foo
-password: A1a-BUEuQR52oAqPrP1J
-username: v-kubernet-pg-app-q0Z7WPfVNqqTJuoDqCTY-1576529094
-```
-
-#### Vault Agent Configuration Map
-
-For advanced use cases, it may be required to define Vault Agent configuration
-files to mount instead of using secret and template annotations.  The Vault Agent 
-Injector supports mounting ConfigMaps by specifying the name using the `vault.hashicorp.com/agent-configmap`
-annotation.  The configuration files will be mounted to `/vault/configs`. 
-
-The configuration map must contain either one or both of the following files:
-
-* `config-init.hcl` used by the init container.  This must have `exit_after_auth` set to `true`.
-* `config.hcl` used by the sidecar container.  This must have `exit_after_auth` set to `false`.
-
-An example of mounting a Vault Agent configmap [can be found here](/docs/platform/k8s/injector/examples.html#configmap-example).
-
-## Annotations
-
-* `vault.hashicorp.com/agent-inject` - configures whether injection is explicitly
-  enabled or disabled for a pod. This should be set to a `true` or `false` value.
-  Defaults to `false`.
-
-* `vault.hashicorp.com/agent-inject-status` - blocks further mutations
-  by adding the value `injected` to the pod after a successful mutation.
-
-* `vault.hashicorp.com/agent-inject-secret` - configures Vault Agent
-  to retrieve the secrets from Vault required by the container. The name of the
-  secret is any unique string after `vault.hashicorp.com/agent-inject-secret-`,
-  such as `vault.hashicorp.com/agent-inject-secret-foobar`. The value is the path
-  in Vault where the secret is located.
-
-* `vault.hashicorp.com/agent-inject-template` - configures Vault Agent
-  what template to use for rendering the secrets.  The name of the template is any
-  unique string after `vault.hashicorp.com/agent-inject-template-`, such as 
-  `vault.hashicorp.com/agent-inject-template-foobar`. This should map to the same
-  unique value provided in `vault.hashicorp.com/agent-inject-secret-`. If not provided,
-  a default generic template is used.
-
-* `vault.hashicorp.com/role` - configures the Vault role used by the Vault Agent
-  auto-auth method.  Required when `vault.hashicorp.com/agent-configmap` is not set.
-
-* `vault.hashicorp.com/agent-configmap` - name of the configuration map where Vault
-  Agent configuration file and templates can be found.
-
-* `vault.hashicorp.com/agent-pre-populate` - configures whether an init container
-  is included to pre-populate the shared memory volume with secrets prior to the
-  containers starting.
-
-* `vault.hashicorp.com/agent-pre-populate-only` - configures whether an init container
-  is the only injected container. If true, no sidecar container will be injected
-  at runtime of the pod.
-
-* `vault.hashicorp.com/agent-image` - name of the Vault docker image to use. This
-  value overrides the default image configured in the controller and is usually
-  not needed.  Defaults to `vault:1.3.1`.
-
-* `vault.hashicorp.com/service` - name of the Vault service to use.  This value
-  overrides the default service configured in the controller and is usually not
-  needed.
-
-* `vault.hashicorp.com/agent-limits-cpu` - configures the CPU limits on the Vault
-  Agent containers.  Defaults to `500m`.
-
-* `vault.hashicorp.com/agent-limits-mem` - configures the memory limits on the Vault
-  Agent containers.  Defaults to `128Mi`.
-
-* `vault.hashicorp.com/agent-requests-cpu` - configures the CPU requests on the
-  Vault Agent containers.  Defaults to `250m`.
-
-* `vault.hashicorp.com/agent-requests-mem` - configures the memory requests on the
-  Vault Agent containers.  Defaults to `64Mi`.
-
-* `vault.hashicorp.com/tls-secret` - name of the Kubernetes secret containing TLS
-  Client and CA certificates and keys.  This is mounted to `/vault/tls`.
-
-* `vault.hashicorp.com/tls-server-name` - name of the Vault server to verify the
-  authenticity of the server when communicating with Vault over TLS.
-
-* `vault.hashicorp.com/tls-skip-verify` - if true, configures the Vault Agent to
-  skip verification of Vault's TLS certificate.  It's not recommended to set this
-  value to true in a production environment.
-
-* `vault.hashicorp.com/ca-cert` - path of the CA certificate used to verify Vault's
-  TLS.
-
-* `vault.hashicorp.com/ca-key` - path of the CA public key used to verify Vault's
-  TLS.
-
-* `vault.hashicorp.com/client-cert` - path of the client certificate used when
-  communicating with Vault via mTLS.
-
-* `vault.hashicorp.com/client-key` - path of the client public key used when communicating
-  with Vault via mTLS.
-
-* `vault.hashicorp.com/client-max-retries` - configures number of Vault Agent retry
-  attempts when 5xx errors are encountered.  Defaults to 2.
-
-* `vault.hashicorp.com/client-timeout` - configures the request timeout threshold,
-  in seconds, of the Vault Agent when communicating with Vault.  Defaults to `60s` 
-  and accepts value types of `60`, `60s` or `1m`.
diff --git a/website/source/docs/platform/k8s/injector/installation.html.md b/website/source/docs/platform/k8s/injector/installation.html.md
deleted file mode 100644
index 6da935bc5ebe..000000000000
--- a/website/source/docs/platform/k8s/injector/installation.html.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-layout: "docs"
-page_title: "Agent Sidecar Injector Installation"
-sidebar_current: "docs-platform-k8s-injector-installation"
-sidebar_title: "Installation"
-description: |-
-  The Vault Agent Sidecar Injector can be installed using Vault Helm.
----
-
-# Installing the Agent Injector
-
-The following are the different methods of installing the Agent Injector in
-Kubernetes.
-
-~> The Vault Agent Injector requires Vault 1.3.1.
-
-To install the Vault Agent injector, enable the injection feature using
-[Helm values](/docs/platform/k8s/helm/configuration.html) and
-upgrade the installation using `helm upgrade` for existing installs or
-`helm install` for a fresh install.
-
-To install a new instance of Vault and the Vault Agent Injector, run the following:
-
-```bash
-helm install --name=vault \
-  --set="injector.enabled=true" \
-  https://github.com/hashicorp/vault-helm/archive/v0.3.2.tar.gz
-``` 
-
-Other values in the Helm chart can be used to limit the namespaces the injector
-runs in, TLS options and more.
-
-## TLS Options
-
-Admission webhook controllers require TLS to run within Kubernetes.  At this time
-the Vault Agent Injector supports two TLS options:
-
-* Auto TLS generation (default)
-* Manual TLS
-
-### Auto TLS
-
-By default, the Vault Agent Injector will bootstrap TLS by generating a certificate
-authority and creating a certificate/key to be used by the controller.  If using
-Vault Helm, the chart will automatically create the neccessary DNS entries for the
-controller's service used to verify the certificate.
-
-### Manual TLS
-
-If desired, users can supply their own TLS certificates, key and certificate authority.
-The following is required to configure TLS manually:
-
-* Server certificate/key
-* Base64 PEM encoded Certificate Authority bundle
-
-For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration.html#certs).
-
-## Namespace Selector
-
-By default, the Vault Agent Injector will process all namespaces in Kubernetes except
-the system namespaces `kube-system` and `kube-public`.  To limit what namespaces
-the injector can work in a namespace selector can be defined to match labels attached
-to namespaces.
-
-For more information on configuring namespace selection, see the [Vault Helm namespaceSelector value](/docs/platform/k8s/helm/configuration.html#namespaceselector).
diff --git a/website/source/docs/plugin/index.html.md b/website/source/docs/plugin/index.html.md
deleted file mode 100644
index 13c258b60783..000000000000
--- a/website/source/docs/plugin/index.html.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-layout: "docs"
-page_title: "Custom Plugin Backends"
-sidebar_title: "Plugin Backends"
-sidebar_current: "docs-plugin"
-description: |-
-  Plugin backends are mountable backends that are implemented using Vault's plugin system.
----
-
-# Custom Plugin Backends
-
-Plugin backends are the components in Vault that can be implemented separately from Vault's
-builtin backends. These backends can be either authentication or secrets engines.
-
-The [`api_addr`][api_addr] must be set in order for the plugin process to establish
-communication with the Vault server during mount time. If the storage backend
-has HA enabled and supports automatic host address detection (e.g. Consul),
-Vault will automatically attempt to determine the `api_addr` as well.
-
-Detailed information regarding the plugin system can be found in the
-[internals documentation](https://www.vaultproject.io/docs/internals/plugins.html).
-
-# Enabling/Disabling Plugin Backends
-
-Before a plugin backend can be mounted, it needs to be registered via the
-[plugin catalog](https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog). After
-the plugin is registered, it can be mounted by specifying the registered plugin name:
-
-```text
-$ vault secrets enable -path=my-secrets passthrough-plugin
-Success! Enabled the passthrough-plugin secrets engine at: my-secrets/
-```
-
-Listing secrets engines will display secrets engines that are mounted as
-plugins:
-
-```text
-$ vault secrets list
-Path         Type       Accessor            Plugin              Default TTL  Max TTL  Force No Cache  Replication Behavior  Description
-my-secrets/  plugin     plugin_deb84140     passthrough-plugin  system       system   false           replicated
-```
-
-Disabling a plugin backend is the identical to disabling internal secrets engines:
-
-```text
-$ vault secrets disable my-secrets
-```
-
-# Upgrading Plugins
-
-Upgrade instructions can be found in the [Upgrading Plugins - Guides][upgrading_plugins]
-page.
-
-
-[api_addr]: /docs/configuration/index.html#api_addr
-[upgrading_plugins]: /docs/upgrading/plugins.html
diff --git a/website/source/docs/secrets/ad/index.html.md b/website/source/docs/secrets/ad/index.html.md
deleted file mode 100644
index 4ff8f5ee6a5d..000000000000
--- a/website/source/docs/secrets/ad/index.html.md
+++ /dev/null
@@ -1,346 +0,0 @@
----
-layout: "docs"
-page_title: "Active Directory - Secrets Engines"
-sidebar_title: "Active Directory"
-sidebar_current: "docs-secrets-active-directory"
-description: |-
-  The Active Directory secrets engine for Vault generates passwords dynamically based on
-  roles.
----
-
-# Active Directory Secrets Engine
-
-The Active Directory (AD) secrets engine is a plugin residing [here](https://github.com/hashicorp/vault-plugin-secrets-active-directory).
-It has two main features.
-
-The first feature (password rotation) is where the AD secrets engine rotates AD passwords dynamically.
-This is designed for a high-load environment where many instances may be accessing
-a shared password simultaneously. With a simple set up and a simple creds API,
-it doesn't require instances to be manually registered in advance to gain access.
-As long as access has been granted to the creds path via a method like
-[AppRole](https://www.vaultproject.io/api/auth/approle/index.html), they're available. Passwords are
-lazily rotated based on preset TTLs and can have a length configured to meet your needs.
-
-The second feature (service account check-out) is where a library of service accounts can
-be checked out by a person or by machines. Vault will automatically rotate the password
-each time a service account is checked in. Service accounts can be voluntarily checked in, or Vault
-will check them in when their lending period (or, "ttl", in Vault's language) ends.
-
-## Password Rotation
-
-### A Note on Lazy Rotation
-
-To drive home the point that passwords are rotated "lazily", consider this scenario:
-
-- A password is configured with a TTL of 1 hour.
-- All instances of a service using this password are off for 12 hours.
-- Then they wake up and again request the password.
-
-In this scenario, although the password TTL was set to 1 hour, the password wouldn't be rotated for 12 hours when it
-was next requested. "Lazy" rotation means passwords are rotated when all of the following conditions are true:
-
-- They are over their TTL
-- They are requested
-
-Therefore, the AD TTL can be considered a soft contract. It's fulfilled when the given password is next requested.
-
-To ensure your passwords are rotated as expected, we'd recommend you configure services to request each password at least
-twice as often as its TTL.
-
-### A Note on Escaping
-
-**It is up to the administrator** to provide properly escaped DNs. This
-includes the user DN, bind DN for search, and so on.
-
-The only DN escaping performed by this method is on usernames given at login
-time when they are inserted into the final bind DN, and uses escaping rules
-defined in RFC 4514.
-
-Additionally, Active Directory has escaping rules that differ slightly from the
-RFC; in particular it requires escaping of '#' regardless of position in the DN
-(the RFC only requires it to be escaped when it is the first character), and
-'=', which the RFC indicates can be escaped with a backslash, but does not
-contain in its set of required escapes. If you are using Active Directory and
-these appear in your usernames, please ensure that they are escaped, in
-addition to being properly escaped in your configured DNs.
-
-For reference, see [RFC 4514](https://www.ietf.org/rfc/rfc4514.txt) and this
-[TechNet post on characters to escape in Active
-Directory](http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx).
-
-### Quick Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the Active Directory secrets engine:
-
-    ```text
-    $ vault secrets enable ad
-    Success! Enabled the ad secrets engine at: ad/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-2. Configure the credentials that Vault uses to communicate with Active Directory
-to generate passwords:
-
-    ```text
-    $ vault write ad/config \
-        binddn=$USERNAME \
-        bindpass=$PASSWORD \
-        url=ldaps://138.91.247.105 \
-        userdn='dc=example,dc=com'
-    ```
-
-    The `$USERNAME` and `$PASSWORD` given must have access to modify passwords
-    for the given account. It is possible to delegate access to change
-    passwords for these accounts to the one Vault is in control of, and this is
-    usually the highest-security solution.
-
-    If you'd like to do a quick, insecure evaluation, also set `insecure_tls` to true. However, this is NOT RECOMMENDED
-    in a production environment. In production, we recommend `insecure_tls` is false (its default) and is used with a valid
-    `certificate`.
-
-3. Configure a role that maps a name in Vault to an account in Active Directory.
-When applications request passwords, password rotation settings will be managed by
-this role.
-
-    ```text
-    $ vault write ad/roles/my-application \
-        service_account_name="my-application@example.com"
-    ```
-
-4. Grant "my-application" access to its creds at `ad/creds/my-application` using an
-auth method like [AppRole](https://www.vaultproject.io/api/auth/approle/index.html).
-
-### FAQ
-
-#### What if someone directly rotates an Active Directory password that Vault is managing?
-
-If an administrator at your company rotates a password that Vault is managing,
-the next time an application asks _Vault_ for that password, Vault won't know
-it.
-
-To maintain that application's up-time, Vault will need to return to a state of
-knowing the password. Vault will generate a new password, update it, and return
-it to the application(s) asking for it. This all occurs automatically, without
-human intervention.
-
-Thus, we wouldn't recommend that administrators directly rotate the passwords
-for accounts that Vault is managing. This may lead to behavior the
-administrator wouldn't expect, like finding very quickly afterwards that their
-new password has already been changed.
-
-The password `ttl` on a role can be updated at any time to ensure that the
-responsibility of updating passwords can be left to Vault, rather than
-requiring manual administrator updates.
-
-#### Why does Vault return the last password in addition to the current one?
-
-Active Directory promises _eventual consistency_, which means that new
-passwords may not be propagated to all instances immediately. To deal with
-this, Vault returns the current password with the last password if it's known.
-That way, if a new password isn't fully operational, the last password can also
-be used.
-
-## Service Account Check-Out
-
-Vault offers the ability to check service accounts in and out. This is a separate,
-different set of functionality from the password rotation feature above. Let's walk
-through how to use it, with explanation at each step.
-
-First we'll need to enable the AD secrets engine and tell it how to talk to our AD
-server just as we did above.
-
-```text
-$ vault secrets enable ad
-Success! Enabled the ad secrets engine at: ad/
-
-$ vault write ad/config \
-    binddn=$USERNAME \
-    bindpass=$PASSWORD \
-    url=ldaps://138.91.247.105 \
-    userdn='dc=example,dc=com'
-```
-
-Our next step is to designate a set of service accounts for check-out.
-
-```text
-$ vault write ad/library/accounting-team \
-    service_account_names=fizz@example.com,buzz@example.com \
-    ttl=10h \
-    max_ttl=20h \
-    disable_check_in_enforcement=false
-```
-
-In this example, the service account names of `fizz@example.com` and `buzz@example.com` have
-already been created on the remote AD server. They've been set aside solely for Vault to handle.
-The `ttl` is how long each check-out will last before Vault checks in a service account,
-rotating its password during check-in. The `max_ttl` is the maximum amount of time it can live
-if it's renewed. These default to `24h`. Also by default, a service account must be checked in
-by the same Vault entity or client token that checked it out. However, if this behavior causes
-problems, set `disable_check_in_enforcement=true`.
-
-When a library of service accounts has been created, view their status at any time to see if they're
-available or checked out.
-
-```text
-$ vault read ad/library/accounting-team/status
-Key                 Value
----                 -----
-buzz@example.com    map[available:true]
-fizz@example.com    map[available:true]
-```
-
-To check out any service account that's available, simply execute:
-
-```text
-$ vault write -f ad/library/accounting-team/check-out
-Key                     Value
----                     -----
-lease_id                ad/library/accounting-team/check-out/EpuS8cX7uEsDzOwW9kkKOyGW
-lease_duration          10h
-lease_renewable         true
-password                ?@09AZKh03hBORZPJcTDgLfntlHqxLy29tcQjPVThzuwWAx/Twx4a2ZcRQRqrZ1w
-service_account_name    fizz@example.com
-```
-
-If the default `ttl` for the check-out is higher than needed, set the check-out to last
-for a shorter time by using:
-
-```text
-$ vault write ad/library/accounting-team/check-out ttl=30m
-Key                     Value
----                     -----
-lease_id                ad/library/accounting-team/check-out/gMonJ2jB6kYs6d3Vw37WFDCY
-lease_duration          30m
-lease_renewable         true
-password                ?@09AZerLLuJfEMbRqP+3yfQYDSq6laP48TCJRBJaJu/kDKLsq9WxL9szVAvL/E1
-service_account_name    buzz@example.com
-```
-
-This can be a nice way to say, "Although I _can_ have a check-out for 24 hours, if I
-haven't checked it in after 30 minutes, I forgot or I'm a dead instance, so you can just
-check it back in."
-
-If no service accounts are available for check-out, Vault will return a 400 Bad Request.
-
-```text
-$ vault write -f ad/library/accounting-team/check-out
-Error writing data to ad/library/accounting-team/check-out: Error making API request.
-
-URL: PUT http://localhost:8200/v1/ad/library/accounting-team/check-out
-Code: 400. Errors:
-
-* No service accounts available for check-out.
-```
-
-To extend a check-out, renew its lease.
-
-```text
-$ vault lease renew ad/library/accounting-team/check-out/0C2wmeaDmsToVFc0zDiX9cMq
-Key                Value
----                -----
-lease_id           ad/library/accounting-team/check-out/0C2wmeaDmsToVFc0zDiX9cMq
-lease_duration     10h
-lease_renewable    true
-```
-
-Renewing a check-out means its current password will live longer, since passwords are rotated
-anytime a password is _checked in_ either by a caller, or by Vault because the check-out `ttl`
-ends.
-
-To check a service account back in for others to use, call:
-
-```text
-$ vault write -f ad/library/accounting-team/check-in
-Key          Value
----          -----
-check_ins    [fizz@example.com]
-```
-
-Most of the time this will just work, but if multiple service accounts checked out by the same
-caller, Vault will need to know which one(s) to check in.
-
-```text
-$ vault write ad/library/accounting-team/check-in service_account_names=fizz@example.com
-Key          Value
----          -----
-check_ins    [fizz@example.com]
-```
-
-To perform a check-in, Vault verifies that the caller _should_ be able to check in a given service account.
-To do this, Vault looks for either the same [entity ID](https://learn.hashicorp.com/vault/identity-access-management/iam-identity)
-used to check out the service account, or the same client token.
-
-If a caller is unable to check in a service account, or simply doesn't try,
-Vault will check it back in automatically when the `ttl` expires. However, if that is too long,
-service accounts can be forcibly checked in by a highly privileged user through:
-
-```text
-$ vault write -f ad/library/manage/accounting-team/check-in
-Key          Value
----          -----
-check_ins    [fizz@example.com]
-```
-
-Or, alternatively, revoking the secret's lease has the same effect.
-
-```text
-$ vault lease revoke ad/library/accounting-team/check-out/PvBVG0m7pEg2940Cb3Jw3KpJ
-All revocation operations queued successfully!
-```
-
-### Troubleshooting
-
-#### Old passwords are still valid for a period of time.
-
-During testing, we found that by default, many versions of Active Directory
-perpetuate old passwords for a short while. After we discovered this behavior,
-we found articles discussing it by searching for "AD password caching" and "OldPasswordAllowedPeriod". We
-also found [an article from Microsoft](https://support.microsoft.com/en-us/help/906305/new-setting-modifies-ntlm-network-authentication-behavior)
-discussing how to configure this behavior. This behavior appears to vary by AD
-version. We recommend you test the behavior of your particular AD server,
-and edit its settings to gain the desired behavior.
-
-#### I get a lot of 400 Bad Request's when trying to check out service accounts.
-
-This will occur when there aren't enough service accounts for those requesting them. Let's
-suppose our "accounting-team" service accounts are the ones being requested. When Vault
-receives a check-out call but none are available, Vault will log at debug level:
-"'accounting-team' had no check-outs available". Vault will also increment a metric
-containing the strings "active directory", "check-out", "unavailable", and "accounting-team".
-
-Once it's known _which_ library needs more service accounts for checkout, fix this issue
-by merely creating a new service account for it to use in Active Directory, then adding it to
-Vault like so:
-
-```text
-$ vault write ad/library/accounting-team \
-    service_account_names=fizz@example.com,buzz@example.com,new@example.com
-```
-
-In this example, fizz and buzz were pre-existing but were still included in the call
-because we'd like them to exist in the resulting set. The new account was appended to
-the end.
-
-#### Sometimes Vault gives me a password but then AD says it's not valid.
-
-Active Directory is eventually consistent, meaning that it can take some time for word
-of a new password to travel across all AD instances in a cluster. In larger clusters, we
-have observed the password taking over 10 seconds to propagate fully. The simplest way to
-handle this is to simply wait and retry using the new password.
-
-## Learn
-
-Refer to the [Active Directory Service Account Check-out](https://learn.hashicorp.com/vault/secrets-management/ad-secrets) guide
-for a step-by-step tutorial.
-
-## API
-
-The Active Directory secrets engine has a full HTTP API. Please see the
-[Active Directory secrets engine API](/api/secret/ad/index.html) for more
-details.
diff --git a/website/source/docs/secrets/alicloud/index.html.md b/website/source/docs/secrets/alicloud/index.html.md
deleted file mode 100644
index 6e4985f045ce..000000000000
--- a/website/source/docs/secrets/alicloud/index.html.md
+++ /dev/null
@@ -1,207 +0,0 @@
----
-layout: "docs"
-page_title: "AliCloud - Secrets Engines"
-sidebar_title: "AliCloud"
-sidebar_current: "docs-secrets-alicloud"
-description: |-
-  The AliCloud secrets engine for Vault generates access tokens or STS credentials
-  dynamically based on RAM policies or roles.
----
-
-# AliCloud Secrets Engine
-
-The AliCloud secrets engine dynamically generates AliCloud access tokens based on RAM
-policies, or AliCloud STS credentials based on RAM roles. This generally
-makes working with AliCloud easier, since it does not involve clicking in the web UI.
-The AliCloud access tokens are time-based and are automatically revoked when the Vault
-lease expires. STS credentials are short-lived, non-renewable, and expire on their own.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the AliCloud secrets engine:
-
-    ```text
-    $ vault secrets enable alicloud
-    Success! Enabled the alicloud secrets engine at: alicloud/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. [Create a custom policy](https://www.alibabacloud.com/help/doc-detail/28640.htm)
-in AliCloud that will be used for the access key you will give Vault. See "Example
-RAM Policy for Vault".
-
-1. [Create a user](https://www.alibabacloud.com/help/faq-detail/28637.htm) in AliCloud
-with a name like "hashicorp-vault", and directly apply the new custom policy to that user
-in the "User Authorization Policies" section.
-
-1. Create an access key for that user in AliCloud, which is an action available in
-AliCloud's UI on the user's page.
-
-1. Configure that access key as the credentials that Vault will use to communicate with
-AliCloud to generate credentials:
-
-    ```text
-    $ vault write alicloud/config \
-        access_key=0wNEpMMlzy7szvai \
-        secret_key=PupkTg8jdmau1cXxYacgE736PJj4cA
-    ```
-
-    Alternatively, the AliCloud secrets engine can pick up credentials set as environment variables,
-    or credentials available through instance metadata. Since it checks current credentials on every API call,
-    changes in credentials will be picked up almost immediately without a Vault restart.
-
-    If available, we recommend using instance metadata for these credentials as they are the most
-    secure option. To do so, simply ensure that the instance upon which Vault is running has sufficient
-    privileges, and do not add any config.
-
-1. Configure a role describing how credentials will be granted.
-
-    To generate access tokens using only policies that have already been created in AliCloud:
-
-    ```text
-    $ vault write alicloud/role/policy-based \
-        remote_policies='name:AliyunOSSReadOnlyAccess,type:System' \
-        remote_policies='name:AliyunRDSReadOnlyAccess,type:System'
-    ```
-    To generate access tokens using only policies that will be dynamically created in AliCloud by
-    Vault:
-
-    ```text
-    $ vault write alicloud/role/policy-based \
-        inline_policies=-<<EOF
-    [
-        {
-          "Statement": [
-            {
-              "Action": "rds:Describe*",
-              "Effect": "Allow",
-              "Resource": "*"
-            }
-          ],
-          "Version": "1"
-        },
-        {...}
-    ]
-    EOF
-    ```
-    Both `inline_policies` and `remote_policies` may be used together. However, neither may be
-    used configuring how to generate STS credentials, like so:
-
-    ```text
-    $ vault write alibaba/role/role-based \
-          role_arn='acs:ram::5138828231865461:role/hastrustedactors'
-    ```
-    Any `role_arn` specified must have added "trusted actors" when it was being created. These
-    can only be added at role creation time. Trusted actors are entities that can assume the role.
-    Since we will be assuming the role to gain credentials, the `access_key` and `secret_key` in
-    the config must qualify as a trusted actor.
-
-### Helpful Links
-
-- [More on roles](https://www.alibabacloud.com/help/doc-detail/28649.htm)
-- [More on policies](https://www.alibabacloud.com/help/doc-detail/28652.htm)
-
-### Example RAM Policy for Vault
-
-While AliCloud credentials can be supplied by environment variables, an explicit
-setting in the `alicloud/config`, or through instance metadata, the resulting
-credentials need sufficient permissions to issue secrets. The necessary permissions
-vary based on the ways roles are configured.
-
-This is an example RAM policy that would allow you to create credentials using
-any type of role:
-
-```json
-{
-  "Statement": [
-    {
-      "Action": [
-        "ram:CreateAccessKey",
-        "ram:DeleteAccessKey",
-        "ram:CreatePolicy",
-        "ram:DeletePolicy",
-        "ram:AttachPolicyToUser",
-        "ram:DetachPolicyFromUser",
-        "ram:CreateUser",
-        "ram:DeleteUser",
-        "sts:AssumeRole"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ],
-  "Version": "1"
-}
-```
-However, the policy you use should only allow the actions you actually need
-for how your roles are configured.
-
-If any roles are using `inline_policies`, you need the following actions:
-
-* `"ram:CreateAccessKey"`
-* `"ram:DeleteAccessKey"`
-* `"ram:AttachPolicyToUser"`
-* `"ram:DetachPolicyFromUser"`
-* `"ram:CreateUser"`
-* `"ram:DeleteUser"`
-
-If any roles are using `remote_policies`, you need the following actions:
-
-* All listed for `inline_policies`
-* `"ram:CreatePolicy"`
-* `"ram:DeletePolicy"`
-
-If any roles are using `role_arn`, you need the following actions:
-
-* `"sts:AssumeRole"`
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new access key by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read alicloud/creds/policy-based
-    Key                Value
-    ---                -----
-    lease_id           alicloud/creds/policy-based/f3e92392-7d9c-09c8-c921-575d62fe80d8
-    lease_duration     768h
-    lease_renewable    true
-    access_key         0wNEpMMlzy7szvai
-    secret_key         PupkTg8jdmau1cXxYacgE736PJj4cA
-    ```
-
-    The `access_key` and `secret_key` returned are also known is an
-    `"AccessKeyId"`and `"AccessKeySecret"`, respectively, in the Alibaba's
-    docs.
-
-    Retrieving creds for a role using a `role_arn` will carry the additional
-    fields of `expiration` and `security_token`, like so:
-
-    ```text
-    $ vault read alicloud/creds/role-based
-    Key                Value
-    ---                -----
-    lease_id           alicloud/creds/role-based/f3e92392-7d9c-09c8-c921-575d62fe80d9
-    lease_duration     59m59s
-    lease_renewable    false
-    access_key         STS.L4aBSCSJVMuKg5U1vFDw
-    secret_key         wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pKCNZ9
-    security_token     CAESrAIIARKAAShQquMnLIlbvEcIxO6wCoqJufs8sWwieUxu45hS9AvKNEte8KRUWiJWJ6Y+YHAPgNwi7yfRecMFydL2uPOgBI7LDio0RkbYLmJfIxHM2nGBPdml7kYEOXmJp2aDhbvvwVYIyt/8iES/R6N208wQh0Pk2bu+/9dvalp6wOHF4gkFGhhTVFMuTDRhQlNDU0pWTXVLZzVVMXZGRHciBTQzMjc0KgVhbGljZTCpnJjwySk6BlJzYU1ENUJuCgExGmkKBUFsbG93Eh8KDEFjdGlvbkVxdWFscxIGQWN0aW9uGgcKBW9zczoqEj8KDlJlc291cmNlRXF1YWxzEghSZXNvdXJjZRojCiFhY3M6b3NzOio6NDMyNzQ6c2FtcGxlYm94L2FsaWNlLyo=
-    expiration         2018-08-15T21:58:00Z
-    ```
-
-## API
-
-The AliCloud secrets engine has a full HTTP API. Please see the
-[AliCloud secrets engine API](/api/secret/alicloud/index.html) for more
-details.
diff --git a/website/source/docs/secrets/aws/index.html.md b/website/source/docs/secrets/aws/index.html.md
deleted file mode 100644
index 389e5c6e85de..000000000000
--- a/website/source/docs/secrets/aws/index.html.md
+++ /dev/null
@@ -1,465 +0,0 @@
----
-layout: "docs"
-page_title: "AWS - Secrets Engines"
-sidebar_title: "AWS"
-sidebar_current: "docs-secrets-aws"
-description: |-
-  The AWS secrets engine for Vault generates access keys dynamically based on
-  IAM policies.
----
-
-# AWS Secrets Engine
-
-The AWS secrets engine generates AWS access credentials dynamically based on IAM
-policies. This generally makes working with AWS IAM easier, since it does not
-involve clicking in the web UI. Additionally, the process is codified and mapped
-to internal auth methods (such as LDAP). The AWS IAM credentials are time-based
-and are automatically revoked when the Vault lease expires.
-
-Vault supports three different types of credentials to retrieve from AWS:
-
-1. `iam_user`: Vault will create an IAM user for each lease, attach the managed
-   and inline IAM policies as specified in the role to the user, and if a
-   [permissions
-   boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-   is specified on the role, the permissions boundary will also be attached.
-   Vault will then generate an access key and secret key for the IAM user and
-   return them to the caller. IAM users have no session tokens and so no
-   session token will be returned.
-2. `assumed_role`: Vault will call
-   [sts:AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
-   and return the access key, secret key, and session token to the caller.
-3. `federation_token`: Vault will call
-   [sts:GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)
-   passing in the supplied AWS policy document and return the access key, secret
-   key, and session token to the caller.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the AWS secrets engine:
-
-    ```text
-    $ vault secrets enable aws
-    Success! Enabled the aws secrets engine at: aws/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure the credentials that Vault uses to communicate with AWS to generate
-the IAM credentials:
-
-    ```text
-    $ vault write aws/config/root \
-        access_key=AKIAJWVN5Z4FOFT7NLNA \
-        secret_key=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 \
-        region=us-east-1
-    ```
-
-    Internally, Vault will connect to AWS using these credentials. As such,
-    these credentials must be a superset of any policies which might be granted
-    on IAM credentials. Since Vault uses the official AWS SDK, it will use the
-    specified credentials. You can also specify the credentials via the standard
-    AWS environment credentials, shared file credentials, or IAM role/ECS task
-    credentials.  (Note that you can't authorize vault with IAM role credentials if you plan
-    on using STS Federation Tokens, since the temporary security credentials
-    associated with the role are not authorized to use GetFederationToken.)
-
-    ~> **Notice:** Even though the path above is `aws/config/root`, do not use
-    your AWS root account credentials. Instead generate a dedicated user or
-    role.
-
-1. Configure a Vault role that maps to a set of permissions in AWS as well as an
-   AWS credential type. When users generate credentials, they are generated
-   against this role. An example:
-
-    ```text
-    $ vault write aws/roles/my-role \
-        credential_type=iam_user \
-        policy_document=-<<EOF
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": "ec2:*",
-          "Resource": "*"
-        }
-      ]
-    }
-    EOF
-    ```
-
-    This creates a role named "my-role". When users generate credentials against
-    this role, Vault will create an IAM user and attach the specified policy
-    document to the IAM user. Vault will then create an access key and secret
-    key for the IAM user and return these credentials. You supply a
-    user inline policy and/or provide references to an existing AWS policy's full
-    ARN:
-
-    ```text
-    $ vault write aws/roles/my-other-role \
-        policy_arns=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess,arn:aws:iam::aws:policy/IAMReadOnlyAccess \
-        credential_type=iam_user \
-        policy_document=-<<EOF
-            {
-              "Version": "2012-10-17",
-              "Statement": [
-                {
-                  "Effect": "Allow",
-                  "Action": "ec2:*",
-                  "Resource": "*"
-                }
-              ]
-            }
-            EOF
-
-    ```
-
-    For more information on IAM policies, please see the
-    [AWS IAM policy documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html).
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read aws/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           aws/creds/my-role/f3e92392-7d9c-09c8-c921-575d62fe80d8
-    lease_duration     768h
-    lease_renewable    true
-    access_key         AKIAIOWQXTLW36DV7IEA
-    secret_key         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
-    security_token     <nil>
-    ```
-
-    Each invocation of the command will generate a new credential.
-
-    Unfortunately, IAM credentials are eventually consistent with respect to
-    other Amazon services. If you are planning on using these credential in a
-    pipeline, you may need to add a delay of 5-10 seconds (or more) after
-    fetching credentials before they can be used successfully.
-
-    If you want to be able to use credentials without the wait, consider using
-    the STS method of fetching keys. IAM credentials supported by an STS token
-    are available for use as soon as they are generated.
-
-## Example IAM Policy for Vault
-
-The `aws/config/root` credentials need permission to manage dynamic IAM users.
-Here is an example AWS IAM policy that grants the most commonly required
-permissions Vault needs:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:AttachUserPolicy",
-        "iam:CreateAccessKey",
-        "iam:CreateUser",
-        "iam:DeleteAccessKey",
-        "iam:DeleteUser",
-        "iam:DeleteUserPolicy",
-        "iam:DetachUserPolicy",
-        "iam:ListAccessKeys",
-        "iam:ListAttachedUserPolicies",
-        "iam:ListGroupsForUser",
-        "iam:ListUserPolicies",
-        "iam:PutUserPolicy",
-        "iam:RemoveUserFromGroup"
-      ],
-      "Resource": [
-        "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*"
-      ]
-    }
-  ]
-}
-```
-
-Vault also supports AWS Permissions Boundaries when creating IAM users. If you
-wish to enforce that Vault always attaches a permissions boundary to an IAM
-user, you can use a policy like:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:CreateAccessKey",
-        "iam:DeleteAccessKey",
-        "iam:DeleteUser",
-        "iam:ListAccessKeys",
-        "iam:ListAttachedUserPolicies",
-        "iam:ListGroupsForUser",
-        "iam:ListUserPolicies",
-        "iam:RemoveUserFromGroup"
-      ],
-      "Resource": [
-        "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*"
-      ]
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:AttachUserPolicy",
-        "iam:CreateUser",
-        "iam:DeleteUserPolicy",
-        "iam:DetachUserPolicy",
-        "iam:PutUserPolicy"
-      ],
-      "Resource": [
-        "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*"
-      ],
-      "Condition": {
-        "StringEquals": {
-          "iam:PermissionsBoundary": [
-            "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/PolicyName"
-          ]
-        }
-      }
-    }
-  ]
-}
-```
-
-where the "iam:PermissionsBoundary" condition contains the list of permissions
-boundary policies that you wish to ensure that Vault uses. This policy will
-ensure that Vault uses one of the permissions boundaries specified (not all of
-them).
-
-## STS credentials
-
-The above demonstrated usage with `iam_user` credential types. As mentioned,
-Vault also supports `assumed_role` and `federation_token` credential types.
-
-### STS Federation Tokens
-
-~> **Notice:** Due to limitations in AWS, in order to use the `federation_token`
-credential type, Vault **must** be configured with IAM user credentials. AWS
-does not allow temporary credentials (such as those from an IAM instance
-profile) to be used.
-
-An STS federation token inherits a set of permissions that are the combination
-(intersection) of four sets of permissions:
-
-1. The permissions granted to the `aws/config/root` credentials
-2. The user inline policy configured in the Vault role
-3. The managed policy ARNs configured in the Vault role
-4. An implicit deny policy on IAM or STS operations.
-
-Roles with a `credential_type` of `federation_token` can specify both a
-`policy_document` and `policy_arns` parameter in the Vault role.
-
-The `aws/config/root` credentials require IAM permissions for
-`sts:GetFederationToken` and the permissions to delegate to the STS
-federation token.  For example, this policy on the `aws/config/root` credentials
-would allow creation of an STS federated token with delegated `ec2:*`
-permissions (or any subset of `ec2:*` permissions):
-
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Action": [
-      "ec2:*",
-      "sts:GetFederationToken"
-    ],
-    "Resource": "*"
-  }
-}
-```
-
-An `ec2_admin` role would then assign an inline policy with the same `ec2:*`
-permissions.
-
-```text
-$ vault write aws/roles/ec2_admin \
-    credential_type=federation_token \
-    policy_document=@policy.json
-```
-
-The policy.json file would contain an inline policy with similar permissions,
-less the `sts:GetFederationToken` permission.  (We could grant
-`sts:GetFederationToken` permissions, but STS attaches attach an implicit deny
-that overrides the allow.)
-
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Action": "ec2:*",
-    "Resource": "*"
-  }
-}
-```
-
-To generate a new set of STS federation token credentials, we simply write to
-the role using the aws/sts endpoint:
-
-```text
-$ vault write aws/sts/ec2_admin ttl=60m
-Key            	Value
-lease_id       	aws/sts/ec2_admin/31d771a6-fb39-f46b-fdc5-945109106422
-lease_duration 	60m0s
-lease_renewable	true
-access_key     	ASIAJYYYY2AA5K4WIXXX
-secret_key     	HSs0DYYYYYY9W81DXtI0K7X84H+OVZXK5BXXXX
-security_token 	AQoDYXdzEEwasAKwQyZUtZaCjVNDiXXXXXXXXgUgBBVUUbSyujLjsw6jYzboOQ89vUVIehUw/9MreAifXFmfdbjTr3g6zc0me9M+dB95DyhetFItX5QThw0lEsVQWSiIeIotGmg7mjT1//e7CJc4LpxbW707loFX1TYD1ilNnblEsIBKGlRNXZ+QJdguY4VkzXxv2urxIH0Sl14xtqsRPboV7eYruSEZlAuP3FLmqFbmA0AFPCT37cLf/vUHinSbvw49C4c9WQLH7CeFPhDub7/rub/QU/lCjjJ43IqIRo9jYgcEvvdRkQSt70zO8moGCc7pFvmL7XGhISegQpEzudErTE/PdhjlGpAKGR3d5qKrHpPYK/k480wk1Ai/t1dTa/8/3jUYTUeIkaJpNBnupQt7qoaXXXXXXXXXX
-```
-
-### STS AssumeRole
-
-The `assumed_role` credential type is typically used for cross-account
-authentication or single sign-on (SSO) scenarios. In order to use an
-`assumed_role` credential type, you must configure outside of Vault:
-
-1. An IAM role
-2. IAM inline policies and/or managed policies attached to the IAM role
-3. IAM trust policy attached to the IAM role to grant privileges for Vault to
-   assume the role
-
-`assumed_role` credentials offer a few benefits over `federation_token`:
-
-1. Assumed roles can invoke IAM and STS operations, if granted by the role's
-   IAM policies.
-2. Assumed roles support cross-account authentication
-3. Temporary credentials (such as those granted by running Vault on an EC2
-   instance in an IAM instance profile) can retrieve `assumed_role` credentials
-   (but cannot retrieve `federation_token` credentials).
-
-The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole`
-against the target role:
-
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Action": "sts:AssumeRole",
-    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
-  }
-}
-```
-
-You must attach a trust policy to the target IAM role to assume, allowing
-the aws/root/config credentials to assume the role.
-
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-```
-
-When specifying a Vault role with a `credential_type` of `assumed_role`, you can
-specify more than one IAM role ARN. If you do so, Vault clients can select which
-role ARN they would like to assume when retrieving credentials from that role.
-
-Further, you can specify both a `policy_document` and `policy_arns` parameters;
-if specified, each acts as a
-filter on the IAM permissions granted to the assumed role. For an action to be
-allowed, it must be permitted by both the IAM policy on the AWS role that is
-assumed, the `policy_document` specified on the Vault role (if specified), and
-the managed policies specified by the `policy_arns` parameter. (The
-`policy_document` parameter is passed in as the `Policy` parameter to the
-[sts:AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
-API call, while the `policy_arns` parameter is passed in as the `PolicyArns`
-parameter to the same call.)
-
-Note: When multiple `role_arns` are specified, clients requesting credentials
-can specify any of the role ARNs that are defined on the Vault role in order to
-retrieve credentials. However, when a `policy_document` is specified, that will
-apply to ALL role credentials retrieved from AWS.
-
-Let's create a "deploy" policy using the arn of our role to assume:
-
-```text
-$ vault write aws/roles/deploy \
-    role_arns=arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume \
-    credential_type=assumed_role
-```
-
-To generate a new set of STS assumed role credentials, we again write to
-the role using the aws/sts endpoint:
-
-```text
-$ vault write aws/sts/deploy ttl=60m
-Key            	Value
-lease_id       	aws/sts/deploy/31d771a6-fb39-f46b-fdc5-945109106422
-lease_duration 	60m0s
-lease_renewable	true
-access_key     	ASIAJYYYY2AA5K4WIXXX
-secret_key     	HSs0DYYYYYY9W81DXtI0K7X84H+OVZXK5BXXXX
-security_token 	AQoDYXdzEEwasAKwQyZUtZaCjVNDiXXXXXXXXgUgBBVUUbSyujLjsw6jYzboOQ89vUVIehUw/9MreAifXFmfdbjTr3g6zc0me9M+dB95DyhetFItX5QThw0lEsVQWSiIeIotGmg7mjT1//e7CJc4LpxbW707loFX1TYD1ilNnblEsIBKGlRNXZ+QJdguY4VkzXxv2urxIH0Sl14xtqsRPboV7eYruSEZlAuP3FLmqFbmA0AFPCT37cLf/vUHinSbvw49C4c9WQLH7CeFPhDub7/rub/QU/lCjjJ43IqIRo9jYgcEvvdRkQSt70zO8moGCc7pFvmL7XGhISegQpEzudErTE/PdhjlGpAKGR3d5qKrHpPYK/k480wk1Ai/t1dTa/8/3jUYTUeIkaJpNBnupQt7qoaXXXXXXXXXX
-```
-
-
-## Troubleshooting
-
-### Dynamic IAM user errors
-
-If you get an error message similar to either of the following, the root credentials that you wrote to `aws/config/root` have insufficient privilege:
-
-```text
-$ vault read aws/creds/deploy
-* Error creating IAM user: User: arn:aws:iam::000000000000:user/hashicorp is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::000000000000:user/vault-root-1432735386-4059
-
-$ vault revoke aws/creds/deploy/774cfb27-c22d-6e78-0077-254879d1af3c
-Revoke error: Error making API request.
-
-URL: PUT http://127.0.0.1:8200/v1/sys/revoke/aws/creds/deploy/774cfb27-c22d-6e78-0077-254879d1af3c
-Code: 400. Errors:
-
-* invalid request
-```
-
-If you get stuck at any time, simply run `vault path-help aws` or with a subpath for
-interactive help output.
-
-### STS federated token errors
-
-Vault generates STS tokens using the IAM credentials passed to `aws/config`.
-
-Those credentials must have two properties:
-
-- They must have permissions to call `sts:GetFederationToken`.
-- The capabilities of those credentials have to be at least as permissive as those requested
-by policies attached to the STS creds.
-
-If either of those conditions are not met, a "403 not-authorized" error will be returned.
-
-See http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html for more details.
-
-Vault 0.5.1 or later is recommended when using STS tokens to avoid validation
-errors for exceeding the AWS limit of 32 characters on STS token names.
-
-## API
-
-The AWS secrets engine has a full HTTP API. Please see the
-[AWS secrets engine API](/api/secret/aws/index.html) for more
-details.
diff --git a/website/source/docs/secrets/azure/index.html.md b/website/source/docs/secrets/azure/index.html.md
deleted file mode 100644
index 6ce29a599fcf..000000000000
--- a/website/source/docs/secrets/azure/index.html.md
+++ /dev/null
@@ -1,262 +0,0 @@
----
-layout: "docs"
-page_title: "Azure - Secrets Engine"
-sidebar_title: "Azure"
-sidebar_current: "docs-secrets-azure"
-description: |-
-  The Azure Vault secrets engine dynamically generates Azure
-  service principals and role assignments.
----
-
-# Azure Secrets Engine
-
-The Azure secrets engine dynamically generates Azure service principals along
-with role and group assignments.  Vault roles can be mapped to one or more Azure
-roles, and optionally group assignments, providing a simple, flexible way to
-manage the permissions granted to generated service principals.
-
-Each service principal is associated with a Vault lease. When the lease expires
-(either during normal revocation or through early revocation), the service
-principal is automatically deleted.
-
-If an existing service principal is specified as part of the role configuration,
-a new password will be dynamically generated instead of a new service principal.
-The password will be deleted when the lease is revoked.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the Azure secrets engine:
-
-    ```text
-    $ vault secrets enable azure
-    Success! Enabled the azure secrets engine at: azure/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure the secrets engine with account credentials:
-
-    ```text
-    $ vault write azure/config \
-    subscription_id=$AZURE_SUBSCRIPTION_ID \
-    tenant_id=$AZURE_TENANT_ID \
-    client_id=$AZURE_CLIENT_ID \
-    client_secret=$AZURE_CLIENT_SECRET
-
-    Success! Data written to: azure/config
-    ```
-
-    If you are running Vault inside an Azure VM with MSI enabled, `client_id` and
-    `client_secret` may be omitted. For more information on authentication, see the [authentication](#authentication) section below.
-
-1. Configure a role. A role may be set up with either an existing service principal, or
-a set of Azure roles that will be assigned to a dynamically created service principal.
-
-To configure a role called "my-role" with an existing service principal:
-
-    ```text
-    $ vault write azure/roles/my-role application_object_id=<existing_app_obj_id> ttl=1h
-    ```
-
-Alternatively, to configure the role to create a new service principal with Azure roles:
-
-    ```text
-    $ vault write azure/roles/my-role ttl=1h azure_roles=-<<EOF
-        [
-       	    {
-       	        "role_name": "Contributor",
-       	        "scope":  "/subscriptions/<uuid>/resourceGroups/Website"
-       	    }
-        ]
-    EOF
-    ```
-
-Roles may also have their own TTL configuration that is separate from the mount's
-TTL. For more information on roles see the [roles](#roles) section below.
-
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permissions, it can generate credentials. The usage pattern is the same
-whether an existing or dynamic service principal is used.
-
-To generate a credential using the "my-role" role:
-
-```text
-$ vault read azure/creds/my-role
-
-Key                Value
----                -----
-lease_id           azure/creds/sp_role/1afd0969-ad23-73e2-f974-962f7ac1c2b4
-lease_duration     60m
-lease_renewable    true
-client_id          408bf248-dd4e-4be5-919a-7f6207a307ab
-client_secret      ad06228a-2db9-4e0a-8a5d-e047c7f32594
-```
-
-This endpoint generates a renewable set of credentials. The application can login
-using the `client_id`/`client_secret` and will have access provided by configured service
-principal or the Azure roles set in the "my-role" configuration.
-
-
-## Roles
-
-Vault roles let you configure either an existing service principal or a set of Azure roles, along with
-role-specific TTL parameters. If an existing service principal is not provided, the configured Azure
-roles will be assigned to a newly created service principal. The Vault role may optionally specify
-role-specific `ttl` and/or `max_ttl` values. When the lease is created, the more restrictive of the
-mount or role TTL value will be used.
-
-### Application Object IDs
-If an existing service principal is to be used, the Application Object ID must be set on the Vault role.
-This ID can be found by inspecting the desired Application with the `az` CLI tool, or via the Azure Portal. Note
-that the Application **Object** ID must be provided, not the Application ID.
-
-### Azure Roles
-If dynamic service principals are used, Azure roles must be configured on the Vault role.
-Azure roles are provided as a JSON list, with each element describing an Azure role and scope to be assigned.
-Azure roles may be specified using the `role_name` parameter ("Owner"), or `role_id`
-("/subscriptions/.../roleDefinitions/...").
-`role_id` is the definitive ID that's used during Vault operation; `role_name` is a convenience during
-role management operations. All roles *must exist* when the configuration is written or the operation will fail. The role lookup priority is:
-
-1. If `role_id` is provided, it is validated and the corresponding `role_name` updated.
-1. If only `role_name` is provided, a case-insensitive search-by-name is made, succeeding
-only if *exactly one* matching role is found. The `role_id` field will updated with the matching role ID.
-
-The `scope` must be provided for every role assignment.
-
-### Azure Groups
-If dynamic service principals are used, a list of Azure groups may be configured on the Vault role.
-When the service principal is created, it will be assigned to these groups. Similar to the format used
-for specifying Azure roles, Azure groups may be referenced by either their `group_name` or `object_id`.
-Group specification by name must yield a single matching group.
-
-Example of role configuration:
-
-```text
-$ vault write azure/roles/my-role ttl=1h max_ttl=24h azure_roles=@az_roles.json azure_groups=@az_groups.json
-
-$ cat az_roles.json
-[
-  {
-    "role_name": "Contributor",
-    "scope":  "/subscriptions/<uuid>/resourceGroups/Website"
-  },
-  {
-    "role_id": "/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
-    "scope":  "/subscriptions/<uuid>"
-  },
-  {
-    "role_name": "This won't matter as it will be overwritten",
-    "role_id": "/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
-    "scope":  "/subscriptions/<uuid>/resourceGroups/Database"
-  }
-]
-
-$ cat az_groups.json
-[
-  {
-    "group_name": "foo",
-  },
-  {
-    "group_name": "This won't matter as it will be overwritten",
-    "object_id": "a6a834a6-36c3-4575-8e2b-05095963d603"
-  }
-]
-```
-
-
-## Authentication
-
-The Azure secrets backend must have sufficient permissions to read Azure role information and manage
-service principals. The authentication parameters can be set in the backend configuration or as environment variables. Environment variables will take precedence.
- The individual parameters are described in the [configuration][config] section of the API docs.
-
-If the client ID or secret are not present and Vault is running on and Azure VM, Vault will attempt to use
-[Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview) to access Azure. Note that when MSI is used, tenant and subscription IDs must still be explicitly provided in the configuration or environment variables.
-
-The following Azure roles and Azure Active Directory (AAD) permissions are required, regardless of which authentication method is used:
-
-- "Owner" role for the subscription scope
-- "Read and write all applications" permission in AAD
-
-These permissions can be configured through the Azure Portal, CLI tool, or PowerShell.
-In your Azure subscription, your account must have `Microsoft.Authorization/*/Write`
-access to assign an AD app to a role. This action is granted through the [Owner](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) role or
-[User Access Administrator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator) role. If your account is assigned to the Contributor role, you
-don't have adequate permission. You will receive an error when attempting to assign the service
-principal to a role.
-
-## Choosing between dynamic or existing service principals
-
-Dynamic service principals are preferred if the desired Azure resources can be provided
-via the RBAC system and Azure roles defined in the Vault role. This form of credential is
-completely decoupled from any other clients, is not subject to permission changes after
-issuance, and offers the best audit granularity.
-
-Access to some Azure services cannot be provided with the RBAC system, however. In these
-cases, an existing service principal can be set up with the necessary access, and Vault
-can create new passwords for this service principal. Any changes to the service principal
-permissions affect all clients. Furthermore, Azure does not provide any logging with
-regard to _which_ credential was used for an operation.
-
-An important limitation when using an existing service principal is that Azure limits the
-number of passwords for a single Application. This limit is based on Application object
-size and isn't firmly specified, but in practice hundreds of passwords can be issued per
-Application. An error will be returned if the object size is reached. This limit can be
-managed by reducing the role TTL, or by creating another Vault role against a different
-Azure service principal configured with the same permissions.
-
-
-## Additional Notes
-
--  **If a referenced Azure role doesn't exist, a credential will not be generated.**
-  Service principals will only be generated if *all* role assignments are successful.
-  This is important to note if you're using custom Azure role definitions that might be deleted
-  at some point.
-
-- Azure roles are assigned only once, when the service principal is created. If the
-  Vault role changes the list of Azure roles, these changes will not be reflected in
-  any existing service principal, even after token renewal.
-
-- The time required to issue a credential is roughly proportional to the number of
-  Azure roles that must be assigned. This operation make take some time (10s of seconds
-  are common, and over a minute has been seen).
-
-- Service principal credential timeouts are not used. Vault will revoke access by
-  deleting the service principal.
-
-- The Application Name for dynamic service principals will be prefixed with `vault-`. Similarly
-  the `keyId` of any passwords added to an existing service principal will begin with
-  `ffffff`. These may be used to search for Vault-created credentials using the `az` tool
-  or Portal.
-
-## Help &amp; Support
-
-The Azure secrets engine is written as an external Vault plugin and
-thus exists outside the main Vault repository. It is automatically bundled with
-Vault releases, but the code is managed separately.
-
-Please report issues, add feature requests, and submit contributions to the
-[vault-plugin-secrets-azure repo][repo] on GitHub.
-
-## Learn
-
-Refer to the [Azure Secrets
-Engine](https://learn.hashicorp.com/vault/secrets-management/azure-creds) guide
-for a step-by-step tutorial.
-
-## API
-The Azure secrets engine has a full HTTP API. Please see the [Azure secrets engine API docs][api]
-for more details.
-
-[api]: /api/secret/azure/index.html
-[config]: /api/secret/azure/index.html#configure
-[repo]: https://github.com/hashicorp/vault-plugin-secrets-azure
diff --git a/website/source/docs/secrets/cassandra/index.html.md b/website/source/docs/secrets/cassandra/index.html.md
deleted file mode 100644
index 450c7e93c996..000000000000
--- a/website/source/docs/secrets/cassandra/index.html.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-layout: "docs"
-page_title: "Cassandra - Secrets Engines"
-sidebar_title: "Cassandra <sup>DEPRECATED</sup>"
-sidebar_current: "docs-secrets-cassandra"
-description: |-
-  The Cassandra secrets engine for Vault generates database credentials to access Cassandra.
----
-
-# Cassandra Secrets Engine
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the documentation for
-the new implementation of this secrets engine at
-[Cassandra database plugin](/docs/secrets/databases/cassandra.html).
-
-The Cassandra secrets engine for Vault generates database credentials
-dynamically based on configured roles. This means that services that need
-to access a database no longer need to hardcode credentials: they can request
-them from Vault, and use Vault's leasing mechanism to more easily roll keys.
-
-Additionally, it introduces a new ability: with every service accessing
-the database with unique credentials, it makes auditing much easier when
-questionable data access is discovered: you can track it down to the specific
-instance of a service based on the Cassandra username.
-
-This page will show a quick start for this secrets engine. For detailed documentation
-on every path, use `vault path-help` after mounting the secrets engine.
-
-## Quick Start
-
-The first step to using the Cassandra secrets engine is to mount it. Unlike the
-`kv` secrets engine, the `cassandra` secrets engine is not mounted by default.
-
-```text
-$ vault secrets enable cassandra
-Success! Enabled the cassandra secrets engine at: cassandra/
-```
-
-Next, Vault must be configured to connect to Cassandra. This is done by
-writing one or more hosts, a username, and a password:
-
-```text
-$ vault write cassandra/config/connection \
-    hosts=localhost \
-    username=cassandra \
-    password=cassandra
-```
-
-In this case, we've configured Vault with the user "cassandra" and password "cassandra",
-It is important that the Vault user is a superuser, in order to manage other user accounts.
-
-The next step is to configure a role. A role is a logical name that maps
-to a policy used to generated those credentials. For example, lets create
-a "readonly" role:
-
-```text
-$ vault write cassandra/roles/readonly \
-    creation_cql="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \
-    GRANT SELECT ON ALL KEYSPACES TO {{username}};"
-Success! Data written to: cassandra/roles/readonly
-```
-
-By writing to the `roles/readonly` path we are defining the `readonly` role.
-This role will be created by evaluating the given `creation_cql` statements. By
-default, the `{{username}}` and `{{password}}` fields will be populated by
-Vault with dynamically generated values. This CQL statement is creating
-the named user, and then granting it `SELECT` or read-only privileges
-to keyspaces. More complex `GRANT` queries can be used to
-customize the privileges of the role. See the [CQL Reference Manual](https://docs.datastax.com/en/cql/3.1/cql/cql_reference/grant_r.html)
-for more information.
-
-To generate a new set of credentials, we simply read from that role:
-Vault is now configured to create and manage credentials for Cassandra!
-
-```text
-$ vault read cassandra/creds/readonly
-Key                Value
----                -----
-lease_id           cassandra/creds/test/7a23e890-3a26-531d-529b-92d18d1fa63f
-lease_duration     3600
-lease_renewable    true
-password           dfa80eea-ccbe-b228-ebf7-e2f62b245e71
-username           vault-root-1434647667-9313
-```
-
-By reading from the `creds/readonly` path, Vault has generated a new
-set of credentials using the `readonly` role configuration. Here we
-see the dynamically generated username and password, along with a one
-hour lease.
-
-Using ACLs, it is possible to restrict using the `cassandra` secrets engine such
-that trusted operators can manage the role definitions, and both
-users and applications are restricted in the credentials they are
-allowed to read.
-
-If you get stuck at any time, simply run `vault path-help cassandra` or with a
-subpath for interactive help output.
-
-## API
-
-The Cassandra secrets engine has a full HTTP API. Please see the
-[Cassandra secrets engine API](/api/secret/cassandra/index.html) for more
-details.
diff --git a/website/source/docs/secrets/consul/index.html.md b/website/source/docs/secrets/consul/index.html.md
deleted file mode 100644
index fd42cd2b1524..000000000000
--- a/website/source/docs/secrets/consul/index.html.md
+++ /dev/null
@@ -1,126 +0,0 @@
----
-layout: "docs"
-page_title: "Consul - Secrets Engines"
-sidebar_title: "Consul"
-sidebar_current: "docs-secrets-consul"
-description: |-
-  The Consul secrets engine for Vault generates tokens for Consul dynamically.
----
-
-# Consul Secrets Engine
-
-The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
-dynamically based on Consul ACL policies.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the Consul secrets engine:
-
-    ```text
-    $ vault secrets enable consul
-    Success! Enabled the consul secrets engine at: consul/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-2. In Consul versions below 1.4, acquire a [management token][consul-mgmt-token] from Consul, using the
-`acl_master_token` from your Consul configuration file or another management
-token:
-
-    ```sh
-    $ curl \
-        --header "X-Consul-Token: my-management-token" \
-        --request PUT \
-        --data '{"Name": "sample", "Type": "management"}' \
-        https://consul.rocks/v1/acl/create
-    ```
-
-    Vault must have a management type token so that it can create and revoke ACL
-    tokens. The response will return a new token:
-
-    ```json
-    {
-      "ID": "7652ba4c-0f6e-8e75-5724-5e083d72cfe4"
-    }
-    ```
-For Consul 1.4 and above, use the command line to generate a token with the appropriate policy:
-
-   ```sh
-   $ CONSUL_HTTP_TOKEN=d54fe46a-1f57-a589-3583-6b78e334b03b consul acl token create -policy-name=global-management
-   AccessorID:   865dc5e9-e585-3180-7b49-4ddc0fc45135
-   SecretID:     ef35f0f1-885b-0cab-573c-7c91b65a7a7e
-   Description:
-   Local:        false
-   Create Time:  2018-10-22 17:40:24.128188 -0700 PDT
-   Policies:
-       00000000-0000-0000-0000-000000000001 - global-management
-   ```
-
-3. Configure Vault to connect and authenticate to Consul:
-
-    ```text
-    $ vault write consul/config/access \
-        address=127.0.0.1:8500 \
-        token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4
-    Success! Data written to: consul/config/access
-    ```
-
-4. Configure a role that maps a name in Vault to a Consul ACL policy. Depending on your Consul version, 
-you will either provide a policy document and a token_type, or a set of policies.
-When users generate credentials, they are generated against this role. For Consul versions below 1.4:
-
-    ```text
-    $ vault write consul/roles/my-role policy=$(base64 <<< 'key "" { policy = "read" }')
-    Success! Data written to: consul/roles/my-role
-    ```
-The policy must be base64-encoded. The policy language is [documented by Consul](https://www.consul.io/docs/internals/acl.html).
-
-For Consul versions 1.4 and above, [generate a policy in Consul](https://www.consul.io/docs/guides/acl.html), and proceed to link it to the role:
-
-    ```text
-    $ vault write consul/roles/my-role policies=readonly
-    Success! Data written to: consul/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-```text
-$ vault read consul/creds/my-role
-Key                Value
----                -----
-lease_id           consul/creds/my-role/b2469121-f55f-53c5-89af-a3ba52b1d6d8
-lease_duration     768h
-lease_renewable    true
-token              642783bf-1540-526f-d4de-fe1ac1aed6f0
-```
-
-When using Consul 1.4, the response will include the accessor for the token
-
-```text
-$ vault read consul/creds/my-role
-Key                Value
----                -----
-lease_id           consul/creds/my-role/7miMPnYaBCaVWDS9clNE0Nv3
-lease_duration     768h
-lease_renewable    true
-accessor           6d5a0348-dffe-e87b-4266-2bec03800abb
-token              bc7a42c0-9c59-23b4-8a09-7173c474dc42
-```
-## API
-
-The Consul secrets engine has a full HTTP API. Please see the
-[Consul secrets engine API](/api/secret/consul/index.html) for more
-details.
-
-[consul-mgmt-token]: https://www.consul.io/docs/agent/http/acl.html#acl_create
diff --git a/website/source/docs/secrets/cubbyhole/index.html.md b/website/source/docs/secrets/cubbyhole/index.html.md
deleted file mode 100644
index 29fc3917a193..000000000000
--- a/website/source/docs/secrets/cubbyhole/index.html.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-layout: "docs"
-page_title: "Cubbyhole - Secrets Engines"
-sidebar_title: "Cubbyhole"
-sidebar_current: "docs-secrets-cubbyhole"
-description: |-
-  The cubbyhole secrets engine can store arbitrary secrets scoped to a single token.
----
-
-# Cubbyhole Secrets Engine
-
-The `cubbyhole` secrets engine is used to store arbitrary secrets within the
-configured physical storage for Vault namespaced to a token. In `cubbyhole`,
-paths are scoped per token. No token can access another token's cubbyhole. When
-the token expires, its cubbyhole is destroyed.
-
-Also unlike the `kv` secrets engine, because the cubbyhole's lifetime is
-linked to that of an authentication token, there is no concept of a TTL or
-refresh interval for values contained in the token's cubbyhole.
-
-Writing to a key in the `cubbyhole` secrets engine will completely replace the
-old value.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-The `cubbyhole` secrets engine is enabled by default. It cannot be disabled,
-moved, or enabled multiple times.
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials. The `cubbyhole` secrets
-engine allows for writing keys with arbitrary values.
-
-1. Write arbitrary data:
-
-    ```text
-    $ vault write cubbyhole/my-secret my-value=s3cr3t
-    Success! Data written to: cubbyhole/my-secret
-    ```
-
-1. Read arbitrary data:
-
-    ```text
-    $ vault read cubbyhole/my-secret
-    Key         Value
-    ---         -----
-    my-value    s3cr3t
-    ```
-
-## Learn
-
-Refer to the [Cubbyhole Response Wrapping](https://learn.hashicorp.com/vault/secrets-management/sm-cubbyhole)
-guide for a step-by-step tutorial.
-
-## API
-
-The Cubbyhole secrets engine has a full HTTP API. Please see the
-[Cubbyhole secrets engine API](/api/secret/cubbyhole/index.html) for more
-details.
diff --git a/website/source/docs/secrets/databases/cassandra.html.md b/website/source/docs/secrets/databases/cassandra.html.md
deleted file mode 100644
index 8995aac0dd6c..000000000000
--- a/website/source/docs/secrets/databases/cassandra.html.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-layout: "docs"
-page_title: "Cassandra - Database - Secrets Engines"
-sidebar_title: "Cassandra"
-sidebar_current: "docs-secrets-databases-cassandra"
-description: |-
-  Cassandra is one of the supported plugins for the database secrets engine.
-  This plugin generates database credentials dynamically based on configured
-  roles for the Cassandra database.
----
-
-# Cassandra Database Secrets Engine
-
-Cassandra is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-the Cassandra database.
-
-See the [database secrets engine](/docs/secrets/databases/index.html) docs for
-more information about setting up the database secrets engine.
-
-## Setup
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-cassandra-database \
-        plugin_name="cassandra-database-plugin" \
-        hosts=127.0.0.1 \
-        protocol_version=4 \
-        username=cassandra \
-        password=cassandra \
-        allowed_roles=my-role
-    ```
-
-1. Configure a role that maps a name in Vault to an SQL statement to execute to
-create the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-cassandra-database \
-        creation_statements="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \
-             GRANT SELECT ON ALL KEYSPACES TO {{username}};" \
-        default_ttl="1h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## API
-
-The full list of configurable options can be seen in the [Cassandra database
-plugin API](/api/secret/databases/cassandra.html) page.
-
-For more information on the database secrets engine's HTTP API please see the [Database secret
-secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/custom.html.md b/website/source/docs/secrets/databases/custom.html.md
deleted file mode 100644
index dac6488215c2..000000000000
--- a/website/source/docs/secrets/databases/custom.html.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-layout: "docs"
-page_title: "Custom - Database - Secrets Engines"
-sidebar_title: "Custom"
-sidebar_current: "docs-secrets-databases-custom"
-description: |-
-  The database secrets engine allows new functionality to be added through a
-  plugin interface without needing to modify vault's core code. This allows you
-  write your own code to generate credentials in any database you wish. It also
-  allows databases that require dynamically linked libraries to be used as
-  plugins while keeping Vault itself statically linked.
----
-
-# Custom Database Secrets Engines
-
-The database secrets engine allows new functionality to be added through a
-plugin interface without needing to modify vault's core code. This allows you
-write your own code to generate credentials in any database you wish. It also
-allows databases that require dynamically linked libraries to be used as plugins
-while keeping Vault itself statically linked.
-
-~> **Advanced topic!** Plugin development is a highly advanced topic in Vault,
-and is not required knowledge for day-to-day usage. If you don't plan on writing
-any plugins, we recommend not reading this section of the documentation.
-
-Please read the [Plugins internals](/docs/internals/plugins.html) docs for more
-information about the plugin system before getting started building your
-Database plugin.
-
-## Plugin Interface
-
-All plugins for the database secrets engine must implement the same simple interface.
-
-```go
-type Database interface {
-	Type() (string, error)
-	CreateUser(ctx context.Context, statements Statements, usernameConfig UsernameConfig, expiration time.Time) (username string, password string, err error)
-	RenewUser(ctx context.Context, statements Statements, username string, expiration time.Time) error
-	RevokeUser(ctx context.Context, statements Statements, username string) error
-	RotateRootCredentials(ctx context.Context, statements []string) (config map[string]interface{}, err error)
-	Init(ctx context.Context, config map[string]interface{}, verifyConnection bool) (saveConfig map[string]interface{}, err error)
-	Close() error
-}
-```
-
-You'll notice the first parameter to a number of those functions is a
-`Statements` struct. This struct is used to pass the Role's configured
-statements to the plugin on function call. The struct is defined as:
-
-```go
-type Statements struct {
-	Creation   []string
-	Revocation []string
-	Rollback   []string
-	Renewal    []string
-}
-```
-
-It is up to your plugin to replace the `{{name}}`, `{{password}}`, and
-`{{expiration}}` in these statements with the proper values.
-
-The `Initialize` function is passed a map of keys to values, this data is what the
-user specified as the configuration for the plugin. Your plugin should use this
-data to make connections to the database. It is also passed a boolean value
-specifying whether or not your plugin should return an error if it is unable to
-connect to the database.
-
-## Serving your plugin
-
-Once your plugin is built you should pass it to vault's `plugins` package by
-calling the `Serve` method:
-
-```go
-package main
-
-import (
-    "github.com/hashicorp/vault/api/plugins"
-)
-
-func main() {
-    plugins.Serve(new(MyPlugin), nil)
-}
-```
-
-Replacing `MyPlugin` with the actual implementation of your plugin.
-
-The second parameter to `Serve` takes in an optional vault `api.TLSConfig` for
-configuring the plugin to communicate with vault for the initial unwrap call.
-This is useful if your vault setup requires client certificate checks. This
-config wont be used once the plugin unwraps its own TLS cert and key.
-
-## Running your plugin
-
-The above main package, once built, will supply you with a binary of your
-plugin. We also recommend if you are planning on distributing your plugin to
-build with [gox](https://github.com/mitchellh/gox) for cross platform builds.
-
-To use your plugin with the database secrets engine you need to place the binary in the
-plugin directory as specified in the [plugin internals](/docs/internals/plugins.html) docs.
-
-You should now be able to register your plugin into the vault catalog. To do
-this your token will need sudo permissions.
-
-```text
-$ vault write sys/plugins/catalog/database/myplugin-database-plugin \
-    sha256="..." \
-    command="myplugin"
-Success! Data written to: sys/plugins/catalog/database/myplugin-database-plugin
-```
-
-Now you should be able to configure your plugin like any other:
-
-```text
-$ vault write database/config/myplugin \
-    plugin_name=myplugin-database-plugin \
-    allowed_roles="readonly" \
-    myplugins_connection_details="..."
-```
diff --git a/website/source/docs/secrets/databases/elasticdb.html.md b/website/source/docs/secrets/databases/elasticdb.html.md
deleted file mode 100644
index b705ca18d415..000000000000
--- a/website/source/docs/secrets/databases/elasticdb.html.md
+++ /dev/null
@@ -1,174 +0,0 @@
----
-layout: "docs"
-page_title: "Elasticsearch - Database - Secrets Engines"
-sidebar_title: "Elasticsearch"
-sidebar_current: "docs-secrets-databases-elasticdb"
-description: |-
-  Elasticsearch is one of the supported plugins for the database secrets engine. This
-  plugin generates database credentials dynamically based on configured roles
-  for Elasticsearch.
----
-
-# Elasticsearch Database Secrets Engine
-
-Elasticsearch is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-Elasticsearch.
-
-See the [database secrets engine](/docs/secrets/databases/index.html) docs for
-more information about setting up the database secrets engine.
-
-## Getting Started
-
-To take advantage of this plugin, you must first enable Elasticsearch's native realm of security by activating X-Pack. These
-instructions will walk you through doing this using Elasticsearch 7.1.1.
-
-### Enable X-Pack Security in Elasticsearch
-
-Read [Securing the Elastic Stack](https://www.elastic.co/guide/en/elastic-stack-overview/7.1/elasticsearch-security.html) and 
-follow [its instructions for enabling X-Pack Security](https://www.elastic.co/guide/en/elasticsearch/reference/7.1/setup-xpack.html). 
-
-### Enable Encrypted Communications
-
-This plugin communicates with Elasticsearch's security API. ES requires TLS for these communications so they can be
-encrypted.
-
-To set up TLS in Elasticsearch, first read [encrypted communications](https://www.elastic.co/guide/en/elastic-stack-overview/7.1/encrypting-communications.html)
-and go through its instructions on [encrypting HTTP client communications](https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-tls.html#tls-http). 
-
-After enabling TLS on the Elasticsearch side, you'll need to convert the .p12 certificates you generated to other formats so they can be 
-used by Vault. [Here is an example using OpenSSL](https://stackoverflow.com/questions/15144046/converting-pkcs12-certificate-into-pem-using-openssl) 
-to convert our .p12 certs to the pem format.
-
-Also, on the instance running Elasticsearch, we needed to install our newly generated CA certificate that was originally in the .p12 format.
-We did this by converting the .p12 CA cert to a pem, and then further converting that 
-[pem to a crt](https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key), adding that crt to `/usr/share/ca-certificates/extra`, 
-and using `sudo dpkg-reconfigure ca-certificates`.
-
-The above instructions may vary if you are not using an Ubuntu machine. Please ensure you're using the methods specific to your operating
-environment. Describing every operating environment is outside the scope of these instructions.
-
-### Set Up Passwords
-
-When done, verify that you've enabled X-Pack by running `$ $ES_HOME/bin/elasticsearch-setup-passwords interactive`. You'll
-know it's been set up successfully if it takes you through a number of password-inputting steps.
-
-### Create a Role for Vault
-
-Next, in Elasticsearch, we recommend that you create a user just for Vault to use in managing secrets.
-
-To do this, first create a role that will allow Vault the minimum privileges needed to administer users and passwords by performing a
-POST to Elasticsearch. To do this, we used the `elastic` superuser whose password we created in the
-`$ $ES_HOME/bin/elasticsearch-setup-passwords interactive` step.
-
-```
-$ curl \
-    -X POST \
-    -H "Content-Type: application/json" \
-    -d '{"cluster": ["manage_security"]}' \
-    http://elastic:$PASSWORD@localhost:9200/_xpack/security/role/vault
-```
-
-Next, create a user for Vault associated with that role.
-
-```
-$ curl \
-    -X POST \
-    -H "Content-Type: application/json" \
-    -d @data.json \
-    http://elastic:$PASSWORD@localhost:9200/_xpack/security/user/vault
-```
-
-The contents of `data.json` in this example are:
-```
-{
- "password" : "myPa55word",
- "roles" : [ "vault" ],
- "full_name" : "Hashicorp Vault",
- "metadata" : {
-   "plugin_name": "Vault Plugin Database Elasticsearch",
-   "plugin_url": "https://github.com/hashicorp/vault-plugin-database-elasticsearch"
- }
-}
-```
-
-Now, Elasticsearch is configured and ready to be used with Vault.
-
-## Setup
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-elasticsearch-database \
-        plugin_name="elasticsearch-database-plugin" \
-        allowed_roles="internally-defined-role,externally-defined-role" \
-        username=vault \
-        password=myPa55word \
-        url=http://localhost:9200 \
-        ca_cert=/usr/share/ca-certificates/extra/elastic-stack-ca.crt.pem \
-        client_cert=$ES_HOME/config/certs/elastic-certificates.crt.pem \
-        client_key=$ES_HOME/config/certs/elastic-certificates.key.pem   
-    ```
-
-1. Configure a role that maps a name in Vault to a role definition in Elasticsearch.
-This is considered the most secure type of role because nobody can perform
-a privilege escalation by editing a role's privileges out-of-band in 
-Elasticsearch:
-
-    ```text
-    $ vault write database/roles/internally-defined-role \
-          db_name=my-elasticsearch-database \
-          creation_statements='{"elasticsearch_role_definition": {"indices": [{"names":["*"], "privileges":["read"]}]}}' \
-          default_ttl="1h" \
-          max_ttl="24h"   
-    Success! Data written to: database/roles/internally-defined-role
-    ```
-
-1. Alternatively, configure a role that maps a name in Vault to a pre-existing 
-role definition in Elasticsearch:
-
-    ```text
-    $ vault write database/roles/externally-defined-role \
-         db_name=my-elasticsearch-database \
-         creation_statements='{"elasticsearch_roles": ["pre-existing-role-in-elasticsearch"]}' \
-         default_ttl="1h" \
-         max_ttl="24h"
-    Success! Data written to: database/roles/externally-defined-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## API
-
-The full list of configurable options can be seen in the [Elasticsearch database
-plugin API](/api/secret/databases/elasticdb.html) page.
-
-For more information on the database secrets engine's HTTP API please see the
-[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/hanadb.html.md b/website/source/docs/secrets/databases/hanadb.html.md
deleted file mode 100644
index 9c199f0f161d..000000000000
--- a/website/source/docs/secrets/databases/hanadb.html.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-layout: "docs"
-page_title: "HANA - Database - Secrets Engines"
-sidebar_title: "HanaDB"
-sidebar_current: "docs-secrets-databases-hanadb"
-description: |-
-  HANA is one of the supported plugins for the database secrets engine. This
-  plugin generates database credentials dynamically based on configured roles
-  for the HANA database.
----
-
-# HANA Database Secrets Engine
-
-HANA is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-the HANA database.
-
-See the [database secrets engine](/docs/secrets/databases/index.html) docs for
-more information about setting up the database secrets engine.
-
-## Setup
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-hana-database \
-        plugin_name=hana-database-plugin \
-        connection_url="hdb://{{username}}:{{password}}@localhost:1433" \
-        allowed_roles="my-role" \
-        username="username" \
-        password="password"
-    ```
-
-1. Configure a role that maps a name in Vault to an SQL statement to execute to
-create the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-hana-database \
-        creation_statements="CREATE USER {{name}} PASSWORD {{password}} VALID UNTIL '{{expiration}}';\
-            CALL GRANT_ACTIVATED_ROLE ( 'sap.hana.admin.roles::Monitoring', '{{name}}' );" \
-        default_ttl="12h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## API
-
-The full list of configurable options can be seen in the [HANA database
-plugin API](/api/secret/databases/hanadb.html) page.
-
-For more information on the database secrets engine's HTTP API please see the
-[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/index.html.md b/website/source/docs/secrets/databases/index.html.md
deleted file mode 100644
index 7ac239a8a74d..000000000000
--- a/website/source/docs/secrets/databases/index.html.md
+++ /dev/null
@@ -1,134 +0,0 @@
----
-layout: "docs"
-page_title: "Database - Secrets Engines"
-sidebar_title: "Databases"
-sidebar_current: "docs-secrets-databases"
-description: |-
-  The database secrets engine generates database credentials dynamically based
-  on configured roles. It works with a number of different databases through a
-  plugin interface. There are a number of builtin database types and an exposed
-  framework for running custom database types for extendability.
----
-
-# Databases
-
-The database secrets engine generates database credentials dynamically based on
-configured roles. It works with a number of different databases through a plugin
-interface. There are a number of builtin database types and an exposed framework
-for running custom database types for extendability. This means that services
-that need to access a database no longer need to hardcode credentials: they can
-request them from Vault, and use Vault's leasing mechanism to more easily roll
-keys.
-
-Since every service is accessing the database with unique credentials, it makes
-auditing much easier when questionable data access is discovered. You can track
-it down to the specific instance of a service based on the SQL username.
-
-Vault makes use of its own internal revocation system to ensure that users
-become invalid within a reasonable time of the lease expiring.
-
-### Static Roles
-
-The database secrets engine supports the concept of "static roles", which are
-a 1-to-1 mapping of Vault Roles to usernames in a database. The current password
-for the database user is stored and automatically rotated by Vault on a
-configurable period of time. This is in contrast to dynamic secrets, where a
-unique username and password pair are generated with each credential request.
-When credentials are requested for the Role, Vault returns the current
-password for the configured database user, allowing anyone with the proper
-Vault policies to have access to the user account in the database.
-
-Not all database types support static roles at this time. Please consult the
-specific database documentation on the left navigation to see if a given
-database backend supports static roles.
-
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the database secrets engine:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-database \
-        plugin_name="..." \
-        connection_url="..." \
-        allowed_roles="..." \
-        username="..." \
-        password="..."
-    ```
-
-    This secrets engine can configure multiple database connections. For details
-    on the specific configuration options, please see the database-specific
-    documentation.
-
-1. Configure a role that maps a name in Vault to an SQL statement to execute to create the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-database \
-        creation_statements="..." \
-        default_ttl="1h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-    The `{{name}}` and `{{password}}` fields will be populated by the plugin
-    with dynamically generated values. In some plugins the `{{expiration}}`
-    field is also be supported.
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## Custom Plugins
-
-This secrets engine allows custom database types to be run through the exposed
-plugin interface. Please see the [custom database
-plugin](/docs/secrets/databases/custom.html) for more information.
-
-## Password Generation
-
-Password generation for both static and dynamic database credentials occurs via the ''GetPassword()'' function. For static credentials, the ''SetCredentials()''function is also used on the output of ''GetPassword().''
-
-Please see the [DB plugin credentials source code](https://github.com/hashicorp/vault/blob/master/sdk/database/dbplugin/database.pb.go) for more information.
-
-## Learn
-
-Refer to the following step-by-step tutorials for more information:
-
-- [Secrets as a Service: Dynamic Secrets](https://learn.hashicorp.com/vault/secrets-management/sm-dynamic-secrets)
-- [Database Root Credential Rotation](https://learn.hashicorp.com/vault/secrets-management/db-root-rotation)
-- [Database Static Roles and Credential Rotation](https://learn.hashicorp.com/vault/secrets-management/db-creds-rotation)
-
-## API
-
-The database secrets engine has a full HTTP API. Please see the [Database secret
-secrets engine API](/api/secret/databases/index.html) for more details.
diff --git a/website/source/docs/secrets/databases/influxdb.html.md b/website/source/docs/secrets/databases/influxdb.html.md
deleted file mode 100644
index a49f0dfd98c2..000000000000
--- a/website/source/docs/secrets/databases/influxdb.html.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-layout: "docs"
-page_title: "Influxdb - Database - Secrets Engines"
-sidebar_title: "Influxdb"
-sidebar_current: "docs-secrets-databases-influxdb"
-description: |-
-  Influxdb is one of the supported plugins for the database secrets engine.
-  This plugin generates database credentials dynamically based on configured
-  roles for the Influxdb database.
----
-
-# Influxdb Database Secrets Engine
-
-Influxdb is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-the Influxdb database.
-
-See the [database secrets engine](/docs/secrets/databases/index.html) docs for
-more information about setting up the database secrets engine.
-
-## Setup
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-influxdb-database \
-        plugin_name="influxdb-database-plugin" \
-        host=127.0.0.1 \
-        username=influx-root \
-        password=influx-toor \
-        allowed_roles=my-role
-    ```
-
-1. Configure a role that maps a name in Vault to an SQL statement to execute to
-create the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-influxdb-database \
-        creation_statements="CREATE USER \"{{username}}\" WITH PASSWORD '{{password}}'; \
-             GRANT ALL ON \"vault\" TO \"{{username}}\";" \
-        default_ttl="1h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## API
-
-The full list of configurable options can be seen in the [Influxdb database
-plugin API](/api/secret/databases/influxdb.html) page.
-
-For more information on the database secrets engine's HTTP API please see the [Database secret
-secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/mongodb.html.md b/website/source/docs/secrets/databases/mongodb.html.md
deleted file mode 100644
index 69be0fe3d008..000000000000
--- a/website/source/docs/secrets/databases/mongodb.html.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-layout: "docs"
-page_title: "MongoDB - Database - Secrets Engines"
-sidebar_title: "MongoDB"
-sidebar_current: "docs-secrets-databases-mongodb"
-description: |-
-  MongoDB is one of the supported plugins for the database secrets engine. This
-  plugin generates database credentials dynamically based on configured roles
-  for the MongoDB database.
----
-
-# MongoDB Database Secrets Engine
-
-MongoDB is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-the MongoDB database.
-
-See the [database secrets engine](/docs/secrets/databases/index.html) docs for
-more information about setting up the database secrets engine.
-
-## Setup
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-mongodb-database \
-        plugin_name=mongodb-database-plugin \
-        allowed_roles="my-role" \
-        connection_url="mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true" \
-        username="admin" \
-        password="Password!"
-    ```
-
-1. Configure a role that maps a name in Vault to a MongoDB command that executes and
-creates the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-mongodb-database \
-        creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
-        default_ttl="1h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## API
-
-The full list of configurable options can be seen in the [MongoDB database
-plugin API](/api/secret/databases/mongodb.html) page.
-
-For more information on the database secrets engine's HTTP API please see the
-[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/mssql.html.md b/website/source/docs/secrets/databases/mssql.html.md
deleted file mode 100644
index 9a3e00fe4a5e..000000000000
--- a/website/source/docs/secrets/databases/mssql.html.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-layout: "docs"
-page_title: "MSSQL - Database - Secrets Engines"
-sidebar_title: "MSSQL"
-sidebar_current: "docs-secrets-databases-mssql"
-description: |-
-
-  MSSQL is one of the supported plugins for the database secrets engine. This
-  plugin generates database credentials dynamically based on configured roles
-  for the MSSQL database.
----
-
-# MSSQL Database Secrets Engine
-
-MSSQL is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-the MSSQL database.
-
-See the [database secrets engine](/docs/secrets/databases/index.html) docs for
-more information about setting up the database secrets engine.
-
-## Setup
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-mssql-database \
-        plugin_name=mssql-database-plugin \
-        connection_url='sqlserver://{{username}}:{{password}}@localhost:1433' \
-        allowed_roles="my-role" \
-        username="sa" \
-        password="yourStrong(!)Password"
-    ```
-
-    In this case, we've configured Vault with the user "sa" and password
-    "yourStrong(!)Password", connecting to an instance at "localhost" on port 1433. It is
-    not necessary that Vault has the sa login, but the user must have privileges
-    to create logins and manage processes. The fixed server roles
-    `securityadmin` and `processadmin` are examples of built-in roles that grant
-    these permissions. The user also must have privileges to create database
-    users and grant permissions in the databases that Vault manages.  The fixed
-    database roles `db_accessadmin` and `db_securityadmin` are examples or
-    built-in roles that grant these permissions.
-
-1. Configure a role that maps a name in Vault to an SQL statement to execute to
-create the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-mssql-database \
-        creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\
-            CREATE USER [{{name}}] FOR LOGIN [{{name}}];\
-            GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" \
-        default_ttl="1h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## Example for Azure SQL Database
-
-Here is a complete example using Azure SQL Database. Note that databases in Azure SQL Database are [contained databases](https://docs.microsoft.com/en-us/sql/relational-databases/databases/contained-databases) and that we do not create a login for the user; instead, we associate the password directly with the user itself. Also note that you will need a separate connection and role for each Azure SQL database for which you want to generate dynamic credentials. You can use a single database backend mount for all these databases or use a separate mount for of them. In this example, we use a custom path for the database backend.
-
-First, we mount a database backend at the azuresql path with `vault secrets enable -path=azuresql database`. Then we configure a connection called "testvault" to connect to a database called "test-vault", using "azuresql" at the beginning of our path:
-
-```
-$ vault write azuresql/config/testvault \
-    plugin_name=mssql-database-plugin \
-    connection_url='server=hashisqlserver.database.windows.net;port=1433; \
-    user id=admin;password=pAssw0rd;database=test-vault;app name=vault;' \
-    allowed_roles="test"
-```
-
-Now we add a role called "test" for use with the "testvault" connection:
-
-```
-$ vault write azuresql/roles/test \
-    db_name=testvault \
-    creation_statements="CREATE USER [{{name}}] WITH PASSWORD = '{{password}}';" \
-    revocation_statements="DROP USER IF EXISTS [{{name}}]" \
-    default_ttl="1h" \
-    max_ttl="24h"
-```
-We can now use this role to dynamically generate credentials for the Azure SQL database, test-vault:
-
-```
-$ vault read azuresql/creds/test
-Key            	Value
----            	-----
-lease_id       	azuresql/creds/test/2e5b1e0b-a081-c7e1-5622-39f58e79a719
-lease_duration 	1h0m0s
-lease_renewable	true
-password       	A1a-48w04t1xzw1s33z3
-username       	v-token-test-tr2t4x9pxvq1z8878s9s-1513446795
-```
-
-When we no longer need the backend, we can unmount it with `vault unmount azuresql`. Now, you can use the MSSQL Database Plugin with your Azure SQL databases.
-
-## Amazon RDS
-The MSSQL plugin supports databases running on [Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html),
-but there are differences that need to be accomodated. A key limitation is that Amazon RDS doesn't support
-the "sysadmin" role, which is used by default during Vault's revocation process for MSSQL. The workaround
-is to add custom revocation statements to roles, for example:
-
-```
-vault write database/roles/my-role revocation_statements="\
-   USE my_database; \
-   IF EXISTS \
-     (SELECT name \
-      FROM sys.database_principals \
-      WHERE name = N'{{name}}') \
-   BEGIN \
-     DROP USER [{{name}}] \
-   END \
-
-   IF EXISTS \
-     (SELECT name \
-      FROM master.sys.server_principals \
-      WHERE name = N'{{name}}') \
-   BEGIN \
-     DROP LOGIN [{{name}}] \
-   END"
-```
-
-
-
-## API
-
-The full list of configurable options can be seen in the [MSSQL database
-plugin API](/api/secret/databases/mssql.html) page.
-
-For more information on the database secrets engine's HTTP API please see the
-[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/mysql-maria.html.md b/website/source/docs/secrets/databases/mysql-maria.html.md
deleted file mode 100644
index b2734fbb3531..000000000000
--- a/website/source/docs/secrets/databases/mysql-maria.html.md
+++ /dev/null
@@ -1,141 +0,0 @@
----
-layout: "docs"
-page_title: "MySQL/MariaDB - Database - Secrets Engines"
-sidebar_title: "MySQL/MariaDB"
-sidebar_current: "docs-secrets-databases-mysql-maria"
-description: |-
-  MySQL is one of the supported plugins for the database secrets engine. This
-  plugin generates database credentials dynamically based on configured roles
-  for the MySQL database.
----
-
-# MySQL/MariaDB Database Secrets Engine
-
-MySQL is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-the MySQL database, and also supports [Static
-Roles](/docs/secrets/databases/index.html#static-roles).
-
-This plugin has a few different instances built into vault, each instance is for
-a slightly different MySQL driver. The only difference between these plugins is
-the length of usernames generated by the plugin as different versions of mysql
-accept different lengths. The available plugins are:
-
- - mysql-database-plugin
- - mysql-aurora-database-plugin
- - mysql-rds-database-plugin
- - mysql-legacy-database-plugin
-
-See the [database secrets engine](/docs/secrets/databases/index.html) docs for
-more information about setting up the database secrets engine.
-
-## Setup
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-mysql-database \
-        plugin_name=mysql-database-plugin \
-        connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
-        allowed_roles="my-role" \
-        username="root" \
-        password="mysql"
-    ```
-
-1. Configure a role that maps a name in Vault to an SQL statement to execute to
-create the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-mysql-database \
-        creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
-        default_ttl="1h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## Examples
-
-### Using wildcards in grant statements
-
-MySQL supports using wildcards in grant statements. These are sometimes needed
-by applications which expect access to a large number of databases inside MySQL.
-This can be realized by using a wildcard in the grant statement. For example if
-you want the user created by Vault to have access to all databases starting with
-`fooapp_` you could use the following creation statement:
-
-```text
-CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON `fooapp\_%`.* TO '{{name}}'@'%';
-```
-
-MySQL expects the part in which the wildcards are to be placed inside backticks.
-If you want to add this creation statement to Vault via the Vault CLI you cannot
-simply paste the above statement on the CLI because the shell will interpret the
-text between the backticks as something that must be executed. The easiest way to
-get around this is to encode the creation statement as Base64 and feed this to Vault.
-For example:
-
-```text
-$ vault write database/roles/my-role \
-    db_name=mysql \
-    creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OIGBmb29hcHBcXyVgLiogVE8gJ3t7bmFtZX19J0AnJSc7" \
-    default_ttl="1h" \
-    max_ttl="24h"
-```
-
-### Rotating root credentials in MySQL 5.6
-
-The default root rotation setup for MySQL uses the `ALTER USER` syntax present
-in MySQL 5.7 and up. For MySQL 5.6, the [root rotation
-statements](/api/secret/databases/index.html#root_rotation_statements)
-must be configured to use the old `SET PASSWORD` syntax. For example:
-
-```text
-$ vault write database/config/my-mysql-database \
-    plugin_name=mysql-database-plugin \
-    connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
-    root_rotation_statements="SET PASSWORD = PASSWORD('{{password}}')" \
-    allowed_roles="my-role" \
-    username="root" \
-    password="mysql"
-```
-
-For a guide in root credential rotation, see [Database Root Credential
-Rotation](/guides/secret-mgmt/db-root-rotation.html).
-
-## API
-
-The full list of configurable options can be seen in the [MySQL database plugin
-API](/api/secret/databases/mysql-maria.html) page.
-
-For more information on the database secrets engine's HTTP API please see the
-[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/oracle.html.md b/website/source/docs/secrets/databases/oracle.html.md
deleted file mode 100644
index 3a724c5fff48..000000000000
--- a/website/source/docs/secrets/databases/oracle.html.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-layout: "docs"
-page_title: "Oracle - Database - Secrets Engines"
-sidebar_title: "Oracle"
-sidebar_current: "docs-secrets-databases-oracle"
-description: |-
-  Oracle is one of the supported plugins for the database secrets engine. This
-  plugin generates database credentials dynamically based on configured roles
-  for the Oracle database.
----
-
-# Oracle Database Secrets Engine
-
-Oracle is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-the Oracle database.
-
-The Oracle database plugin is not bundled in the core Vault code tree and can be
-found at its own git repository here:
-[hashicorp/vault-plugin-database-oracle](https://github.com/hashicorp/vault-plugin-database-oracle)
-
-See the [Database Backend](/docs/secrets/databases/index.html) docs for more
-information about setting up the Database Backend.
-
-## Setup
-
-The Oracle Database Plugin does not live in the core Vault code tree and can be found
-at its own git repository here: [hashicorp/vault-plugin-database-oracle](https://github.com/hashicorp/vault-plugin-database-oracle)
-
-For linux/amd64, pre-built binaries can be found at [the releases page](https://releases.hashicorp.com/vault-plugin-database-oracle)
-
-Before running the plugin you will need to have the the Oracle Instant Client
-library installed. These can be downloaded from Oracle. The libraries will need to
-be placed in the default library search path or defined in the ld.so.conf configuration files.
-
-If you are running Vault with [mlock enabled](/docs/configuration/index.html#disable_mlock), 
-you will need to enable ipc_lock capabilities for the plugin binary.
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Download and register the plugin:
-
-    ```text
-    $ vault write sys/plugins/catalog/database/oracle-database-plugin \
-        sha256="..." \
-        command=vault-plugin-database-oracle
-    ```
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-oracle-database \
-        plugin_name=oracle-database-plugin \
-        connection_url="system/Oracle@localhost:1521/OraDoc.localhost" \
-        allowed_roles="my-role"
-    ```
-
-1. Configure a role that maps a name in Vault to an SQL statement to execute to
-create the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-oracle-database \
-        creation_statements="CREATE USER {{name}} IDENTIFIED BY {{password}}; GRANT CONNECT TO {{name}}; GRANT CREATE SESSION TO {{name}};" \
-        default_ttl="1h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## API
-
-The full list of configurable options can be seen in the [Oracle database plugin
-API](/api/secret/databases/oracle.html) page.
-
-For more information on the database secrets engine's HTTP API please see the
-[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/postgresql.html.md b/website/source/docs/secrets/databases/postgresql.html.md
deleted file mode 100644
index 45b3523d1642..000000000000
--- a/website/source/docs/secrets/databases/postgresql.html.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-layout: "docs"
-page_title: "PostgreSQL - Database - Secrets Engines"
-sidebar_title: "PostgreSQL"
-sidebar_current: "docs-secrets-databases-postgresql"
-description: |-
-  PostgreSQL is one of the supported plugins for the database secrets engine.
-  This plugin generates database credentials dynamically based on configured
-  roles for the PostgreSQL database.
----
-
-# PostgreSQL Database Secrets Engine
-
-PostgreSQL is one of the supported plugins for the database secrets engine. This
-plugin generates database credentials dynamically based on configured roles for
-the PostgreSQL database, and also supports [Static
-Roles](/docs/secrets/databases/index.html#static-roles).
-
-See the [database secrets engine](/docs/secrets/databases/index.html) docs for
-more information about setting up the database secrets engine.
-
-## Setup
-
-1. Enable the database secrets engine if it is not already enabled:
-
-    ```text
-    $ vault secrets enable database
-    Success! Enabled the database secrets engine at: database/
-    ```
-
-    By default, the secrets engine will enable at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure Vault with the proper plugin and connection information:
-
-    ```text
-    $ vault write database/config/my-postgresql-database \
-        plugin_name=postgresql-database-plugin \
-        allowed_roles="my-role" \
-        connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \
-        username="root" \
-        password="root"
-    ```
-
-1. Configure a role that maps a name in Vault to an SQL statement to execute to
-create the database credential:
-
-    ```text
-    $ vault write database/roles/my-role \
-        db_name=my-postgresql-database \
-        creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
-            GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
-        default_ttl="1h" \
-        max_ttl="24h"
-    Success! Data written to: database/roles/my-role
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read database/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-    lease_duration     1h
-    lease_renewable    true
-    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
-    username           v-root-e2978cd0-
-    ```
-
-## API
-
-The full list of configurable options can be seen in the [PostgreSQL database
-plugin API](/api/secret/databases/postgresql.html) page.
-
-For more information on the database secrets engine's HTTP API please see the
-[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/gcp/index.html.md b/website/source/docs/secrets/gcp/index.html.md
deleted file mode 100644
index 5b8d33c0762d..000000000000
--- a/website/source/docs/secrets/gcp/index.html.md
+++ /dev/null
@@ -1,513 +0,0 @@
----
-layout: "docs"
-page_title: "Google Cloud - Secrets Engines"
-sidebar_title: "Google Cloud"
-sidebar_current: "docs-secrets-gcp"
-description: |-
-  The Google Cloud secrets engine for Vault dynamically generates Google Cloud
-  service account keys and OAuth tokens based on IAM policies.
----
-
-# Google Cloud Secrets Engine
-
-The Google Cloud Vault secrets engine dynamically generates Google Cloud service
-account keys and OAuth tokens based on IAM policies. This enables users to gain
-access to Google Cloud resources without needing to create or manage a dedicated
-service account.
-
-The benefits of using this secrets engine to manage Google Cloud IAM service accounts are:
-
-- **Automatic cleanup of GCP IAM service account keys** - each Service Account
-  key is associated with a Vault lease. When the lease expires (either during
-  normal revocation or through early revocation), the service account key is
-  automatically revoked.
-
-- **Quick, short-term access** - users do not need to create new GCP Service
-  Accounts for short-term or one-off access (such as batch jobs or quick
-  introspection).
-
-- **Multi-cloud and hybrid cloud applications** - users authenticate to Vault
-  using a central identity service (such as LDAP) and generate GCP credentials
-  without the need to create or manage a new Service Account for that user.
-
-~> **NOTE: Deprecation of `access_token` Leases**: In previous versions of this secrets engine
-    (released with Vault <= 0.11.1), a lease was generated with access tokens. If you're using
-    an old version of the plugin, please upgrade. Read more in the
-    [upgrade guide](#deprecation-of-access-token-leases)
-
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the Google Cloud secrets engine:
-
-    ```text
-    $ vault secrets enable gcp
-    Success! Enabled the gcp secrets engine at: gcp/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure the secrets engine with account credentials, or leave blank or unwritten
-   to use Application Default Credentials.
-
-    ```text
-    $ vault write gcp/config credentials=@my-credentials.json
-    Success! Data written to: gcp/config
-    ```
-
-    If you are running Vault from inside [Google Compute Engine][gce] or [Google
-    Kubernetes Engine][gke], the instance or pod service account can be used in
-    place or specifying the credentials JSON file.
-    For more information on authentication, see the [authentication section](#authentication) below.
-
-1. Configure a roleset. Rolesets determine the permissions that Service Account
-credentials generated by Vault will have on GCP resources.
-
-    To configure a roleset that generates OAuth2 access tokens (preferred):
-
-    ```text
-    $ vault write gcp/roleset/my-token-roleset \
-        project="my-project" \
-        secret_type="access_token"  \
-        token_scopes="https://www.googleapis.com/auth/cloud-platform" \
-        bindings=-<<EOF
-          resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
-            roles = ["roles/viewer"]
-          }
-        EOF
-    ```
-
-    To configure a roleset that generates GCP Service Account keys:
-
-    ```text
-    $ vault write gcp/roleset/my-key-roleset \
-        project="my-project" \
-        secret_type="service_account_key"  \
-        bindings=-<<EOF
-          resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
-            roles = ["roles/viewer"]
-          }
-        EOF
-    ```
-
-    Alternatively, provide a file for the `bindings` argument like so:
-
-    ```text
-    $ vault write gcp/roleset/my-roleset
-        bindings=@mybindings.hcl
-        ...
-    ```
-
-    For more information on role bindings and sample role bindings, please see
-    the [roleset bindings](#roleset-bindings) section below.
-
-    For more information on the differences between OAuth2 access tokens and
-    Service Account keys, see the [things to note](#things-to-note) section
-    below.
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials. Depending on how the roleset
-was configured, you can generate OAuth2 tokens or service account keys.
-
-### Access Tokens
-
-To generate OAuth2 tokens, read from `gcp/token/...`. The roleset must have been
-created as type `access_token`:
-
-```text
-$ vault read gcp/token/my-token-roleset
-
-Key                Value
----                -----
-expires_at_seconds    1537402548
-token                 ya29.c.ElodBmNPwHUNY5gcBpnXcE4ywG4w1k...
-token_ttl             3599
-```
-
-This endpoint generates a non-renewable, non-revocable static OAuth2 access token
-with a lifetime of one hour, where `token_ttl` is given in seconds and the
-`expires_at_seconds` is the expiry time for the token, given as a Unix timestamp.
-The `token` value then can be used as a HTTP Authorization Bearer token in requests
-to GCP APIs:
-
-```sh
-$ curl -H "Authorization: Bearer ya29.c.ElodBmNPwHUNY5gcBpnXcE4ywG4w1k..."
-```
-
-### Service Account Keys
-
-To generate service account keys, read from `gcp/key/...`. The roleset must have
-been created as type `service_account_key`:
-
-```text
-$ vault read gcp/key/my-key-roleset
-
-Key                 Value
----                 -----
-lease_id            gcp/key/my-key-roleset/ce563a99-5e55-389b...
-lease_duration      30m
-lease_renewable     true
-key_algorithm       KEY_ALG_RSA_2048
-key_type            TYPE_GOOGLE_CREDENTIALS_FILE
-private_key_data    ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsC...
-```
-
-This endpoint generates a new [GCP IAM service account key][iam-keys] associated
-with the roleset's Service Account. When the lease expires (or is revoked
-early), the Service Account key will be deleted.
-
-**There is a default limit of 10 keys per Service Account.** For more
-information on this limit and recommended mitigation, please see the [things to
-note](#things-to-note) section below.
-
-## Roleset Bindings
-
-Roleset bindings define a list of resources and the associated IAM roles on that
-resource. Roleset bindings are used as the `binding` argument when creating or
-updating a roleset and are specified in the following format using HCL:
-
-```hcl
-resource NAME {
-  roles = [ROLE, [ROLE...]]
-}
-```
-
-For example:
-
-```hcl
-resource "buckets/my-bucket" {
-  roles = [
-    "roles/storage.objectAdmin",
-    "roles/storage.legacyBucketReader",
-  ]
-}
-
-# At instance level, using self-link
-resource "https://www.googleapis.com/compute/v1/projects/my-project/zone/my-zone/instances/my-instance" {
-  roles = [
-    "roles/compute.instanceAdmin.v1"
-  ]
-}
-
-# At project level
-resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
-  roles = [
-    "roles/compute.instanceAdmin.v1",
-    "roles/iam.serviceAccountUser",  # required if managing instances that run as service accounts
-  ]
-}
-
-# At folder level
-resource "//cloudresourcemanager.googleapis.com/folders/123456" {
-  roles = [
-    "roles/compute.viewer",
-    "roles/deploymentmanager.viewer",
-  ]
-}
-
-```
-
-The top-level `resource` block defines the resource or resource path for which
-IAM policy information will be bound. The resource path may be specified in a
-few different formats:
-
-- **Project-level self-link** - a URI with scheme and host, generally
-  corresponding to the `self_link` attribute of a resource in GCP. This must
-  include the resource nested in the parent project.
-
-    ```text
-    # compute alpha zone
-    https://www.googleapis.com/compute/alpha/projects/my-project/zones/us-central1-c
-    ```
-
-- **Full resource name** - a schema-less URI consisting of a DNS-compatible API
-  service name and resource path. See the [full resource name API
-  documentation][resource-name-full] for more information.
-
-    ```text
-    # Compute snapshot
-    //compute.googleapis.com/project/my-project/snapshots/my-compute-snapshot
-
-    # Pubsub snapshot
-    //pubsub.googleapis.com/project/my-project/snapshots/my-pubsub-snapshot
-
-    # Resource manager
-    //cloudresourcemanager.googleapis.com/projects/my-project"
-    ```
-
-- **Relative resource name** - A path-noscheme URI path, usually as accepted by
-  the API. Use this if the version or service are apparent from the resource
-  type. Please see the [relative resource name API
-  documentation][resource-name-relative] for more information.
-
-    ```text
-    # Storage bucket objects
-    buckets/my-bucket
-    buckets/my-bucket/objects/my-object
-
-    # PubSub topics
-    projects/my-project/topics/my-pubsub-topic
-    ```
-
-The nested `roles` attribute is an array of strings names of [GCP IAM
-roles][iam-roles]. The roles may be specified in the following formats:
-
-- **Global role name** - these are global roles built into Google Cloud. For the
-  full list of available roles, please see the [list of predefined GCP
-  roles][predefined-roles].
-
-    ```text
-    roles/viewer
-    roles/bigquery.user
-    roles/billing.admin
-    ```
-
-- **Organization-level custom role** - these are roles that are created at the
-  organization level by organization owners.
-
-    ```text
-    organizations/my-organization/roles/my-custom-role
-    ```
-
-    For more information, please see the documentation on [GCP custom
-    roles][custom-roles].
-
-- **Project-level custom role** - these are roles that are created at a
-  per-project level by project owners.
-
-    ```text
-    projects/my-project/roles/my-custom-role
-    ```
-
-    For more information, please see the documentation on [GCP custom
-    roles][custom-roles].
-
-
-## Authentication
-
-The Google Cloud Vault secrets backend uses the official Google Cloud Golang
-SDK. This means it supports the common ways of [providing credentials to Google
-Cloud][cloud-creds]. In addition to specifying `credentials` directly via Vault
-configuration, you can also get configuration from the following values **on the
-Vault server**:
-
-1. The environment variables `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
-as the **path** to a Google Cloud credentials file, typically for a service
-account. If this environment variable is present, the resulting credentials are
-used. If the credentials are invalid, an error is returned.
-
-1. Default instance credentials. When no environment variable is present, the
-default service account credentials are used. This is useful when running Vault
-on [Google Compute Engine][gce] or [Google Kubernetes Engine][gke]
-
-For more information on service accounts, please see the [Google Cloud Service
-Accounts documentation][service-accounts].
-
-To use this storage backend, the service account must have the following
-minimum scope(s):
-
-```text
-https://www.googleapis.com/auth/cloud-platform
-```
-
-### Required Permissions
-
-The credentials given to Vault must have the following permissions:
-
-```text
-# Service Account + Key Admin
-iam.serviceAccounts.create
-iam.serviceAccounts.delete
-iam.serviceAccounts.get
-iam.serviceAccounts.list
-iam.serviceAccounts.update
-iam.serviceAccountKeys.create
-iam.serviceAccountKeys.delete
-iam.serviceAccountKeys.get
-iam.serviceAccountKeys.list
-
-# IAM Policy Changes
-<service>.<resource>.getIamPolicy
-<service>.<resource>.setIamPolicy
-```
-
-where `<service>` and `<resource>` correspond to permissions which will be
-granted, for example:
-
-```text
-# Projects
-resourcemanager.projects.getIamPolicy
-resourcemanager.projects.setIamPolicy
-
-# All compute
-compute.*.getIamPolicy
-compute.*.setIamPolicy
-```
-
-You can either:
-
-- Create a [custom role][custom-roles] using these permissions, and assign this
-  role at a project-level
-
-- Assign the set of roles required to get resource-specific
-  `getIamPolicy/setIamPolicy` permissions. At a minimum you will need to assign
-  `roles/iam.serviceAccountAdmin` and `roles/iam.serviceAccountKeyAdmin` so
-  Vault can manage service accounts and keys.
-
-
-## Things to Note
-
-### Access Tokens vs. Service Account Keys
-
-Advantages of `access_tokens`:
-
-* Can generate infinite number of tokens per roleset
-
-Disadvantages of `access_tokens`:
-
-* Cannot be used with some client libraries or tools
-* Have a static life-time of 1 hr that cannot be modified, revoked, or extended.
-
-Advantages of `service_account_keys`:
-
-* Controllable life-time through Vault, allowing for longer access
-* Can be used by all normal GCP tooling
-
-Disadvantages of `service_account_keys`:
-
-* Infinite lifetime in GCP (i.e. if they are not managed properly, leaked keys can live forever)
-* Limited to 10 per roleset/service account.
-
-When generating OAuth access tokens, Vault will still
-generate a dedicated service account and key. This private key is stored in Vault
-and is never accessible to other users, and the underlying key can
-be rotated. See the [GCP API documentation][api] for more information on
-rotation.
-
-### Service Accounts are Tied to Rolesets
-
-Service Accounts are created when the roleset is created (or updated) rather
-than each time a secret is generated. This may be different from how other
-secrets engines behave, but it is for good reasons:
-
-- IAM Service Account creation and permission propagation can take up to 60
-  seconds to complete. By creating the Service Account in advance, we speed up
-  the timeliness of future operations and reduce the flakiness of automated
-  workflows.
-
-- Each GCP project has a limit on the number of IAM Service Accounts. You can
-  [request additional quota][quotas]. The quota increase is processed by humans,
-  so it is best to request this additional quota in advance. This limit is
-  currently 100, **including system-managed Service Accounts**. If Service
-  Accounts were created per secret, this quota limit would reduce the number of
-  secrets that can be generated.
-
-### Service Account Keys Quota Limits
-
-GCP IAM has a hard limit (currently 10) on the number of Service Account keys.
-Attempts to generate more keys will result in an error. If you find yourself
-running into this limit, consider the following:
-
-- Have shorter TTLs or revoke access earlier. If you are not using past Service
-  Account keys, consider rotating and freeing quota earlier.
-
-- Create additional rolesets which share the same set of permissions. Additional
-  rolesets can be created with the same set of permissions. This will create a
-  new service account and increases the number of keys you can create.
-
-- Where possible, use OAuth2 access tokens instead of Service Account keys.
-
-### Resources Must Exist at Roleset Creation
-
-Because we the bindings for the Service Account are set during roleset creation,
-resources that do not exist will fail the `getIamPolicy` API call.
-
-### Roleset Creation May Partially Fail
-
-Every Service Account creation, key creation, and IAM policy change is a GCP API
-call per resource. If an API call to one of these resources fails, the roleset
-creation fails and Vault will attempt to rollback.
-
-These rollbacks are API calls, so they may also fail. The secrets engine uses a
-WAL to ensure that unused bindings are cleaned up. In the case of quota limits,
-you may need to clean these up manually.
-
-### Do Not Modify Vault-owned IAM Accounts
-
-While Vault will initially create and assign permissions to IAM service
-accounts, it is possible that an external user deletes or modifies this service
-account. These changes are difficult to detect, and it is best to prevent this
-type of modification through IAM permissions.
-
-Vault roleset Service Accounts will have emails in the format:
-
-```
-vault<roleset-prefix>-<creation-unix-timestamp>@...
-```
-
-Communicate with your teams (or use IAM permissions) to not modify these
-resources.
-
-
-## Help &amp; Support
-
-The Google Cloud Vault secrets engine is written as an external Vault plugin and
-thus exists outside the main Vault repository. It is automatically bundled with
-Vault releases, but the code is managed separately.
-
-Please report issues, add feature requests, and submit contributions to the
-[vault-plugin-secrets-gcp repo on GitHub][repo].
-
-
-## API
-The GCP secrets engine has a full HTTP API. Please see the [GCP secrets engine API docs][api]
-for more details.
-
-[api]: https://vaultproject.io/api/secret/gcp/index.html
-[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
-[custom-roles]: https://cloud.google.com/iam/docs/creating-custom-roles
-[gce]: https://cloud.google.com/compute/
-[gke]: https://cloud.google.com/kubernetes-engine/
-[iam-keys]: https://cloud.google.com/iam/docs/service-accounts#service_account_keys
-[iam-roles]: https://cloud.google.com/iam/docs/understanding-roles
-[predefined-roles]: https://cloud.google.com/iam/docs/understanding-roles#predefined_roles
-[repo]: https://github.com/hashicorp/vault-plugin-secrets-gcp
-[resource-name-full]: https://cloud.google.com/apis/design/resource_names#full_resource_name
-[resource-name-relative]: https://cloud.google.com/apis/design/resource_names#relative_resource_name
-[quotas]: https://cloud.google.com/compute/quotas
-[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
-
-
-## Upgrade Guides
-
-### Deprecation of Access Token Leases
-
-~> **NOTE**: This only affects access tokens. There is no change to the `service_account_key` secret type
-
-Previous versions of this secrets engine (Vault <= 0.11.1) created a lease for
-each access token secret. We have removed them after discovering that these
-tokens, specifically Google OAuth2 tokens for IAM service accounts, are
-non-revocable and have a static 60 minute lifetime. To match the current
-limitations of the GCP APIs, the secrets engine will no longer allow for
-revocation or manage the token TTL - more specifically, **the access_token
-response will no longer include `lease_id` or other lease information**. This
-change does not reflect any change to the actual underlying OAuth tokens or GCP
-service accounts.
-
-To upgrade:
-
-- Remove references from `lease_id`, `lease_duration` or other `lease_*`
-  attributes when reading responses for the access tokens secrets endpoint (i.e.
-  from `gcp/token/$roleset`). See the [documentation for access
-  tokens](#access-tokens) to see the new format for the response.
-
-- Be aware of leftover leases from previous versions. While these old leases
-  will still be revocable, they will not actually invalidate their associated
-  access token, and that token will still be useable for up to one hour.
diff --git a/website/source/docs/secrets/gcpkms/index.html.md b/website/source/docs/secrets/gcpkms/index.html.md
deleted file mode 100644
index fa56407d5f0d..000000000000
--- a/website/source/docs/secrets/gcpkms/index.html.md
+++ /dev/null
@@ -1,435 +0,0 @@
----
-layout: "docs"
-page_title: "Google Cloud KMS - Secrets Engines"
-sidebar_title: "Google Cloud KMS"
-sidebar_current: "docs-secrets-gcpkms"
-description: |-
-  The Google Cloud KMS secrets engine for Vault interfaces with Google Cloud
-  KMS for encryption/decryption of data and KMS key management through Vault.
----
-
-# Google Cloud KMS Secrets Engine
-
-The Google Cloud KMS Vault secrets engine provides encryption and key management
-via [Google Cloud KMS][kms]. It supports management of keys, including creation,
-rotation, and revocation, as well as encrypting and decrypting data with managed
-keys. This enables management of KMS keys through Vault's policies and IAM
-system.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the Google Cloud KMS secrets engine:
-
-    ```text
-    $ vault secrets enable gcpkms
-    Success! Enabled the gcpkms secrets engine at: gcpkms/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure the secrets engine with account credentials and/or scopes:
-
-    ```text
-    $ vault write gcpkms/config \
-        credentials=@my-credentials.json
-    Success! Data written to: gcpkms/config
-    ```
-
-    If you are running Vault from inside [Google Compute Engine][gce] or [Google
-    Kubernetes Engine][gke], the instance or pod service account can be used in
-    place or specifying the credentials JSON file. For more information on
-    authentication, see the [authentication section](#authentication) below.
-
-1. Create a Google Cloud KMS key:
-
-    ```text
-    $ vault write gcpkms/keys/my-key \
-      key_ring=projects/my-project/locations/my-location/keyRings/my-keyring \
-      rotation_period=72h
-    ```
-
-    The `key_ring` parameter is specified in the following format:
-
-    ```text
-    projects/<project>/locations/<location>/keyRings/<keyring>
-    ```
-
-    where:
-    - `<project>` - the name of the GCP project (e.g. "my-project")
-    - `<location>` - the location of the KMS key ring (e.g. "us-east1", "global")
-    - `<keyring>` - the name of the KMS key ring (e.g. "my-keyring")
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can be used to encrypt, decrypt, and manage keys. The
-following sections describe the different ways in which keys can be managed.
-
-### Symmetric Encryption/Decryption
-
-This section describes using a Cloud KMS key for symmetric
-encryption/decryption. This is one of the most common types of encryption.
-Google Cloud manages the key ring which is used to encrypt and decrypt data.
-
-<table>
-  <thead>
-    <tr>
-      <th>Purpose</th>
-      <th>Supported Algorithms</th>
-    </tr>
-    <tr>
-      <td valign="top"><code>encrypt_decrypt</code></td>
-      <td valign="top">
-        <code>symmetric_encryption</code>
-      </td>
-    </tr>
-  </thead>
-</table>
-
-1. Create or use an existing key eligible for symmetric encryption/decryption:
-
-    ```text
-    $ vault write gcpkms/keys/my-key \
-        key_ring=projects/.../my-keyring \
-        purpose=encrypt_decrypt \
-        algorithm=symmetric_encryption
-    ```
-
-1. Encrypt plaintext data using the `/encrypt` endpoint with a named key:
-
-    ```text
-    $ vault write gcpkms/encrypt/my-key plaintext="hello world"
-    Key            Value
-    ---            -----
-    ciphertext     CiQAuMv0lTiKjrF43Lgr4...
-    key_version    1
-    ```
-
-    Unlike Vault's transit backend, plaintext data does not need to be base64
-    encoded. The endpoint will automatically convert data.
-
-    Note that Vault is not _storing_ this data. The caller is responsible for
-    storing the resulting ciphertext.
-
-1. Decrypt ciphertext using the `/decrypt` endpoint with a named key:
-
-    ```text
-    $ vault write gcpkms/decrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
-    Key          Value
-    ---          -----
-    plaintext    hello world
-    ```
-
-    For easier scripting, it is also possible to extract the plaintext directly:
-
-    ```text
-    $ vault write -field=plaintext gcpkms/decrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
-    hello world
-    ```
-
-1. Rotate the underlying encryption key. This will generate a new crypto key
-version on Google Cloud KMS and set that version as the active key.
-
-    ```text
-    $ vault write -f gcpkms/keys/rotate/my-key
-    WARNING! The following warnings were returned from Vault:
-
-      * The crypto key version was rotated successfully, but it can take up to 2
-      hours for the new crypto key version to become the primary. In practice, it
-      is usually much shorter. Be sure to issue a read operation and verify the
-      key version if you require new data to be encrypted with this key.
-
-    Key            Value
-    ---            -----
-    key_version    2
-    ```
-
-    As the message says, rotation is not immediate. Depending on a number of
-    factors, the propagation of the new key can take quite some time. If you
-    have a need to immediately encrypt data with this new key, query the API to
-    wait for the key to become the primary. Alternatively, you can specify the
-    `key_version` parameter to lock to the exact key for use with encryption.
-
-1. Re-encrypt already-encrypted ciphertext to be encrypted with a new version of
-the crypto key. Vault will decrypt the value using the appropriate key in the
-keyring and then encrypt the resulting plaintext with the newest key in the
-keyring.
-
-    ```text
-    $ vault write gcpkms/reencrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
-    Key            Value
-    ---            -----
-    ciphertext     CiQAuMv0lZTTozQA/ElqM...
-    key_version    2
-    ```
-
-    This process **does not** reveal the plaintext data. As such, a Vault policy
-    could grant an untrusted process the ability to re-encrypt ciphertext data,
-    since the process would not be able to get access to the plaintext data.
-
-1. Trim old key versions by deleting Cloud KMS crypto key versions that are
-older than the `min_version` allowed on the key.
-
-    ```text
-    $ vault write gcpkms/keys/config/my-key min_version=10
-    ```
-
-    Then delete all keys older than version 10. This will make it impossible to
-    encrypt, decrypt, or sign values with the older key by conventional means.
-
-    ```text
-    $ vault write -f gcpkms/keys/trim/my-key
-    ```
-
-1. Delete the key to delete all key versions and Vault's record of the key.
-
-    ```text
-    $ vault delete gcpkms/keys/my-key
-    ```
-
-    This will make it impossible to encrypt, decrypt, or sign values by
-    conventional means.
-
-### Asymmetric Decryption
-
-This section describes using a Cloud KMS key for asymmetric decryption. In this
-model Google Cloud manages the key ring and exposes the public key via an API
-endpoint. The public key is used to encrypt data offline and produce ciphertext.
-When the plaintext is desired, the user submits the ciphertext to Cloud KMS
-which decrypts the value using the corresponding private key.
-
-<table>
-  <thead>
-    <tr>
-      <th>Purpose</th>
-      <th>Supported Algorithms</th>
-    </tr>
-    <tr>
-      <td valign="top"><code>asymmetric_decrypt</code></td>
-      <td valign="top">
-        <code>rsa_decrypt_oaep_2048_sha256</code><br>
-        <code>rsa_decrypt_oaep_3072_sha256</code><br>
-        <code>rsa_decrypt_oaep_4096_sha256</code>
-      </td>
-    </tr>
-  </thead>
-</table>
-
-1. Create or use an existing key eligible for symmetric encryption/decryption:
-
-    ```text
-    $ vault write gcpkms/keys/my-key \
-        key_ring=projects/.../my-keyring \
-        purpose=asymmetric_decrypt \
-        algorithm=rsa_decrypt_oaep_4096_sha256
-    ```
-
-1. Retrieve the public key from Cloud KMS:
-
-    ```text
-    $ gcloud alpha kms keys versions get-public-key <crypto-key-version> \
-        --location <location> \
-        --keyring <key-ring> \
-        --key <key> \
-        --output-file ~/mykey.pub
-    ```
-
-1. Encrypt plaintext data with the public key. Note this varies widely between
-programming languages. The following example uses OpenSSL, but you can use your
-language's built-ins as well.
-
-    ```text
-    $ openssl pkeyutl -in ~/my-secret-file \
-        -encrypt -pubin \
-        -inkey ~/mykey.pub \
-        -pkeyopt rsa_padding_mode:oaep \
-        -pkeyopt rsa_oaep_md:sha256 \
-        -pkeyopt rsa_mgf1_md:sha256
-    ```
-
-    Note that this encryption happens offline (meaning outside of Vault), and
-    the encryption is happening with a _public_ key. Only Cloud KMS has the
-    corresponding _private_ key.
-
-1. Decrypt ciphertext using the `/decrypt` endpoint with a named key:
-
-    ```text
-    $ vault write gcpkms/decrypt/my-key key_verison=1 ciphertext=CiQAuMv0lTiKjrF43Lgr4...
-    Key          Value
-    ---          -----
-    plaintext    hello world
-    ```
-
-### Asymmetric Signing
-
-This section describes using a Cloud KMS key for asymmetric signing. In this
-model Google Cloud manages the key ring and exposes the public key via an API
-endpoint. A message or digest is signed with the corresponding private key, and
-can be verified by anyone with the corresponding public key.
-
-<table>
-  <thead>
-    <tr>
-      <th>Purpose</th>
-      <th>Supported Algorithms</th>
-    </tr>
-    <tr>
-      <td valign="top"><code>asymmetric_sign</code></td>
-      <td valign="top">
-        <code>rsa_sign_pss_2048_sha256</code><br>
-        <code>rsa_sign_pss_3072_sha256</code><br>
-        <code>rsa_sign_pss_4096_sha256</code><br>
-        <code>rsa_sign_pkcs1_2048_sha256</code><br>
-        <code>rsa_sign_pkcs1_3072_sha256</code><br>
-        <code>rsa_sign_pkcs1_4096_sha256</code><br>
-        <code>ec_sign_p256_sha256</code><br>
-        <code>ec_sign_p384_sha384</code>
-      </td>
-    </tr>
-  </thead>
-</table>
-
-1. Create or use an existing key eligible for symmetric encryption/decryption:
-
-    ```text
-    $ vault write gcpkms/keys/my-key \
-        key_ring=projects/.../my-keyring \
-        purpose=asymmetric_sign \
-        algorithm=ec_sign_p384_sha384
-    ```
-
-1. Calculate the base64-encoded binary digest. Use the hashing algorithm that
-corresponds to they key type:
-
-    ```text
-    $ export DIGEST=$(openssl dgst -sha256 -binary /my/file | base64)
-    ```
-
-    Ask Cloud KMS to sign the digest:
-
-    ```text
-    $ vault write gcpkms/sign/my-key key_version=1 digest=$DIGEST
-    Key          Value
-    ---          -----
-    signature    MGYCMQDbOS2462SKMsGdh2GQ...
-    ```
-
-1. Verify the signature of the digest:
-
-    ```text
-    $ vault write gcpkms/verify/my-key key_version=1 digest=$DIGEST signature=$SIGNATURE
-    Key      Value
-    ---      -----
-    valid    true
-    ```
-
-    Note: it is also possible to verify this signature without Vault. Download
-    the public key from Cloud KMS, and use a tool like OpenSSL or your
-    programming language primitives to verify the signature.
-
-
-## Authentication
-
-The Google Cloud KMS Vault secrets backend uses the official Google Cloud Golang
-SDK. This means it supports the common ways of [providing credentials to Google
-Cloud][cloud-creds]. In addition to specifying `credentials` directly via Vault
-configuration, you can also get configuration from the following values **on the
-Vault server**:
-
-1. The environment variables `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
-as the **path** to a Google Cloud credentials file, typically for a service
-account. If this environment variable is present, the resulting credentials are
-used. If the credentials are invalid, an error is returned.
-
-1. Default instance credentials. When no environment variable is present, the
-default service account credentials are used. This is useful when running Vault
-on [Google Compute Engine][gce] or [Google Kubernetes Engine][gke]
-
-For more information on service accounts, please see the [Google Cloud Service
-Accounts documentation][service-accounts].
-
-To use this secrets engine, the service account must have the following
-minimum scope(s):
-
-```text
-https://www.googleapis.com/auth/kms
-```
-
-### Required Permissions
-
-The credentials given to Vault must have the following role:
-
-```text
-roles/cloudkms.admin
-```
-
-If Vault will not be creating keys, you can reduce the permissions. For example,
-to create keys out of band and have Vault manage the encryption/decryption, you
-only need the following permissions:
-
-```text
-roles/cloudkms.cryptoKeyEncrypterDecrypter
-```
-
-To sign and verify, you only need the following permissions:
-
-```text
-roles/cloudkms.signerVerifier
-```
-
-For more information, please see the [Google Cloud KMS IAM documentation][kms-iam].
-
-## FAQ
-
-**How is this different than Vault's transit secrets engine?**<br>
-Vault's [transit][vault-transit] secrets engine uses in-memory keys to
-encrypt/decrypt keys. In general it will be faster and more performant. However,
-users who need physical, off-site, or out-of-band key management can use the
-[Google Cloud KMS][kms] secrets engine to get those benefits while leveraging
-Vault's policy and identity system.
-
-**Can Vault use an existing KMS key?**<br>
-You can use the `/register` endpoint to configure Vault to talk to an existing
-Google Cloud KMS key. As long as the IAM permissions are correct, Vault will be
-able to encrypt/decrypt data and rotate the key. See the [api][api] for more
-information.
-
-**Can this be used with a hardware key like an HSM?**<br>
-Yes! You can set `protection_level` to "hsm" when creating a key, or use an
-existing Cloud KMS key that is backed by an HSM.
-
-**How much does this cost?**<br>
-The plugin is free and open source. KMS costs vary by key type and the number of
-operations. Please see the [Cloud KMS pricing page][kms-pricing] for more
-details.
-
-## Help &amp; Support
-
-The Google Cloud KMS Vault secrets engine is written as an external Vault
-plugin. The code lives outside the main Vault repository. It is automatically
-bundled with Vault releases, but the code is managed separately.
-
-Please report issues, add feature requests, and submit contributions to the
-[vault-plugin-secrets-gcpkms repo on GitHub][repo].
-
-## API
-
-The Google Cloud KMS secrets engine has a full HTTP API. Please see the
-[Google Cloud KMS secrets engine API docs][api] for more details.
-
-
-[api]: /api/secret/gcpkms/index.html
-[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
-[gce]: https://cloud.google.com/compute/
-[gke]: https://cloud.google.com/kubernetes-engine/
-[kms]: https://cloud.google.com/kms
-[kms-iam]: https://cloud.google.com/kms/docs/reference/permissions-and-roles
-[kms-pricing]: https://cloud.google.com/kms/pricing
-[repo]: https://github.com/hashicorp/vault-plugin-secrets-gcpkms
-[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
-[vault-transit]: /docs/secrets/transit/index.html
diff --git a/website/source/docs/secrets/identity/index.html.md b/website/source/docs/secrets/identity/index.html.md
deleted file mode 100644
index 091084c68ca2..000000000000
--- a/website/source/docs/secrets/identity/index.html.md
+++ /dev/null
@@ -1,325 +0,0 @@
----
-layout: "docs"
-page_title: "Identity - Secrets Engines"
-sidebar_title: "Identity"
-sidebar_current: "docs-secrets-identity"
-description: |-
-  The Identity secrets engine for Vault manages client identities.
----
-
-# Identity Secrets Engine
-
-Name: `identity`
-
-The Identity secrets engine is the identity management solution for Vault. It
-internally maintains the clients who are recognized by Vault. Each client is
-internally termed as an `Entity`. An entity can have multiple `Aliases`. For
-example, a single user who has accounts in both GitHub and LDAP, can be mapped
-to a single entity in Vault that has 2 aliases, one of type GitHub and one of
-type LDAP. When a client authenticates via any of the credential backend
-(except the Token backend), Vault creates a new entity and attaches a new
-alias to it, if a corresponding entity doesn't already exist. The entity identifier will
-be tied to the authenticated token. When such tokens are put to use, their
-entity identifiers are audit logged, marking a trail of actions performed by
-specific users.
-
-Identity store allows operators to **manage** the entities in Vault. Entities
-can be created and aliases can be tied to entities, via the ACL'd API. There
-can be policies set on the entities which adds capabilities to the tokens that
-are tied to entity identifiers. The capabilities granted to tokens via the
-entities are **an addition** to the existing capabilities of the token and
-**not** a replacement. The capabilities of the token that get inherited from
-entities are computed dynamically at request time. This provides flexibility in
-controlling the access of tokens that are already issued.
-
-This secrets engine will be mounted by default. This secrets engine cannot be
-disabled or moved.
-
-## Concepts
-
-### Entities and Aliases
-
-Each user will have multiple accounts with various identity providers. Users
-can now be mapped as `Entities` and their corresponding accounts with
-authentication providers can be mapped as `Aliases`. In essence, each entity is
-made up of zero or more aliases.
-
-### Entity Management
-
-Entities in Vault **do not** automatically pull identity information from
-anywhere. It needs to be explicitly managed by operators. This way, it is
-flexible in terms of administratively controlling the number of entities to be
-synced against Vault. In some sense, Vault will serve as a _cache_ of
-identities and not as a _source_ of identities.
-
-### Entity Policies
-
-Vault policies can be assigned to entities which will grant _additional_
-permissions to the token on top of the existing policies on the token. If the
-token presented on the API request contains an identifier for the entity and if
-that entity has a set of policies on it, then the token will be capable of
-performing actions allowed by the policies on the entity as well.
-
-This is a paradigm shift in terms of _when_ the policies of the token get
-evaluated. Before identity, the policy names on the token were immutable (not
-the contents of those policies though). But with entity policies, along with
-the immutable set of policy names on the token, the evaluation of policies
-applicable to the token through its identity will happen at request time. This
-also adds enormous flexibility to control the behavior of already issued
-tokens.
-
-Its important to note that the policies on the entity are only a means to grant
-_additional_ capabilities and not a replacement for the policies on the token.
-To know the full set of capabilities of the token with an associated entity
-identifier, the policies on the token should be taken into account.
-
-### Mount Bound Aliases
-
-Vault supports multiple authentication backends and also allows enabling the
-same type of authentication backend on different mount paths. The alias name of
-the user will be unique within the backend's mount. But identity store needs to
-uniquely distinguish between conflicting alias names across different mounts of
-these identity providers. Hence, the alias name in combination with the
-authentication backend mount's accessor, serve as the unique identifier of an
-alias.
-
-### Implicit Entities
-
-Operators can create entities for all the users of an auth mount beforehand and
-assign policies to them, so that when users login, the desired capabilities to
-the tokens via entities are already assigned. But if that's not done, upon a
-successful user login from any of the authentication backends, Vault will
-create a new entity and assign an alias against the login that was successful.
-
-Note that the tokens created using the token authentication backend will not
-have an associated identity information. Logging in using the authentication
-backends is the only way to create tokens that have a valid entity identifiers.
-
-### Identity Auditing
-
-If the token used to make API calls have an associated entity identifier, it
-will be audit logged as well. This leaves a trail of actions performed by
-specific users.
-
-### Identity Groups
-
-In version 0.9, Vault identity has support for groups. A group can contain
-multiple entities as its members. A group can also have subgroups. Policies set
-on the group is granted to all members of the group. During request time, when
-the token's entity ID is being evaluated for the policies that it has access
-to; along with the policies on the entity itself, policies that are inherited
-due to group memberships are also granted.
-
-### Group Hierarchical Permissions
-
-Entities can be direct members of groups, in which case they inherit the
-policies of the groups they belong to. Entities can also be indirect members of
-groups. For example, if a GroupA has GroupB as subgroup, then members of GroupB
-are indirect members of GroupA. Hence, the members of GroupB will have access
-to policies on both GroupA and GroupB.
-
-### External vs Internal Groups
-
-By default, the groups created in identity store are called the internal
-groups. The membership management of these groups should be carried out
-manually. A group can also be created as an external group. In this case, the
-entity membership in the group is managed semi-automatically. External group
-serves as a mapping to a group that is outside of the identity store. External
-groups can have one (and only one) alias. This alias should map to a notion of
-group that is outside of the identity store. For example, groups in LDAP, and
-teams in GitHub. A username in LDAP, belonging to a group in LDAP, can get its
-entity ID added as a member of a group in Vault automatically during *logins*
-and *token renewals*. This works only if the group in Vault is an external
-group and has an alias that maps to the group in LDAP. If the user is removed
-from the group in LDAP, that change gets reflected in Vault only upon the
-subsequent login or renewal operation.
-
-## Identity Tokens
-
-Identity information is used throughout Vault, but it can also be exported for
-use by other applications. An authorized user/application can request a token
-that encapsulates identity information for their associated entity. These
-tokens are signed JWTs following the [OIDC ID
-token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) structure.
-The public keys used to authenticate the tokens are published by Vault on an
-unauthenticated endpoint following OIDC discovery and JWKS conventions, which
-should be a directly usable by JWT/OIDC libraries. An introspection endpoint is
-also provided by Vault for token verification.
-
-### Roles and Keys
-
-OIDC-compliant ID tokens are generated against a role which allows configuration
-of token claims via a templating system, token ttl, and a way to specify which
-"key" will be used to sign the token. The role template is an optional parameter
-to customize the token contents and is described in the next section. Token TTL
-controls the expiration time of the token, after which verification library will
-consider the token invalid. All roles have a Vault-generated `client_id`
-attribute that is returned when the role is read. This value cannot be changed
-and will be added to the token's `aud` parameter. JWT/OIDC libraries will often
-require this value.
-
-A role's `key` parameter links a role to an existing named key (multiple roles
-may refer to the same key). It is not possible to generate an unsigned ID token.
-
-A named key is a public/private key pair generated by Vault. The private key is
-used to sign the identity tokens, and the public key is used by clients to
-verify the signature. Key are regularly rotated, whereby a new key pair is
-generated and the previous _public_ key is retained for a limited time for
-verification purposes.
-
-A named key's configuration specifies a rotation period, a verification ttl,
-signing algorithm and allowed client IDs. Rotation period specifies the
-frequency at which a new signing key is generated and the private portion of the
-previous signing key is deleted. Verification ttl is the time a public key is
-retained for verification, after being rotated. By default, keys are rotated
-every 24 hours, and continue to be available for verification for 24 hours after
-their rotation.
-
-A key's list of allowed client IDs limits which roles may reference the key. The
-parameter may be set to `*` to allow all roles. The validity evaluation is made
-when a token is requested, not during configuration.
-
-
-### Token Contents and Templates
-
-Identity tokens will always contain, at a minimum, the claims required by OIDC:
-
-* `iss` - Issuer URL
-* `sub` - Requester's entity ID
-* `aud` - `client_id` for the role
-* `iss` - Time of issue
-* `exp` - Expiration time for the token
-
-In addition, the operator may configure per-role templates that allow a variety
-of other entity information to be added to the token. The templates are
-structured as JSON with replaceable parameters. The parameter syntax is the same
-as that used for [ACL Path Templating](/docs/concepts/policies.html).
-
-For example:
-
-```json
-{
-  "color": {{identity.entity.metadata.color}},
-  "userinfo": {
-     "username": {{identity.entity.aliases.usermap_123.metadata.username}},
-     "groups": {{identity.entity.group_names}}
-  
-  "nbf": {{time.now}},
-}
-```
-
-When a token is requested, the resulting template might be populated as:
-
-```json
-{
-  "color": "green",
-  "userinfo": {
-     "username": "bob",
-     "groups": ["web", "engr", "default"]
-  
-  "nbf": 1561411915,
-}
-```
-
-which would be merged with the base OIDC claims into the final token:
-
-```json
-{
-  "iss": "https://10.1.1.45:8200/v1/identity/oidc",
-  "sub": "a2cd63d3-5364-406f-980e-8d71bb0692f5",
-  "aud": "SxSouteCYPBoaTFy94hFghmekos",
-  "iss": 1561411915,
-  "exp": 1561412215,
-  "color": "green",
-  "userinfo": {
-     "username": "bob",
-     "groups": ["web", "engr", "default"]
-  },
-  "nbf": 1561411915,
-}
-```
-
-Note how the template is merged, with top level template keys becoming top level
-token keys. For this reason, templates may not contain top level keys that
-overwrite the standard OIDC claims.
-
-Template parameters that are not present for an entity, such as a metadata that
-isn't present, or an alias accessor which doesn't exist, are simply empty
-strings or objects, depending on the data type.
-
-Templates are configured on the role and may be optionally encoded as base64.
-
-The full list of template parameters is shown below:
-
-|                                    Name                                |                                    Description                                          |
-| :--------------------------------------------------------------------- | :-------------------------------------------------------------------------------------- |
-| `identity.entity.id`                                                   | The entity's ID                                                                         |
-| `identity.entity.name`                                                 | The entity's name                                                                       |
-| `identity.entity.groups.ids`                                           | The IDs of the groups the entity is a member of                                         |
-| `identity.entity.groups.names`                                         | The names of the groups the entity is a member of                                       |
-| `identity.entity.metadata`                                             | Metadata associated with the entity                                                     |
-| `identity.entity.metadata.<<metadata key>>`                            | Metadata associated with the entity for the given key                                   |
-| `identity.entity.aliases.<<mount accessor>>.id`                        | Entity alias ID for the given mount                                                     |
-| `identity.entity.aliases.<<mount accessor>>.name`                      | Entity alias name for the given mount                                                   |
-| `identity.entity.aliases.<<mount accessor>>.metadata`                  | Metadata associated with the alias for the given mount                                  |
-| `identity.entity.aliases.<<mount accessor>>.metadata.<<metadata key>>` | Metadata associated with the alias for the given mount and metadata key                 |
-| `time.now`                                                             | Current time as integral seconds since the Epoch                                        |
-| `time.now.plus.<<duration>>`                                           | Current time plus a Go-parsable [duration](https://golang.org/pkg/time/#ParseDuration)  |                             |
-| `time.now.minus.<<duration>>`                                          | Current time minus a Go-parsable [duration](https://golang.org/pkg/time/#ParseDuration) |                             |
-
-### Token Generation
-    
-An authenticated client may request a token using the [token generation
-endpoint](api/secret/identity/tokens.html#generate-a-signed-id-token). The token
-will be generated per the requested role's specifications, for the requester's
-entity. It is not possible to generate tokens for an arbitrary entity.
-
-### Verifying Authenticity of ID Tokens Generated by Vault
-
-An identity token may be verified by the client party using the public keys
-published by Vault, or via a Vault-provided introspection endpoint.
-
-Vault will serve standard "[.well-known](https://tools.ietf.org/html/rfc5785)"
-endpoints that allow easy integration with OIDC verification libraries.
-Configuring the libraries will typically involve providing an issuer URL and
-client ID. The library will then handle key requests and can validate the
-signature and claims requirements on tokens. This approach has the advantage of
-only requiring _access_ to Vault, not _authorization_, as the .well-known
-endpoints are unauthenticated.
-
-Alternatively, the token may be sent to Vault for verification via an
-[introspection endpoint](api/secret/identity/tokens.html#introspect-a-signed-id-token).
-The response will indicate whether the token is "active" or not, as well as any
-errors that occurred during validation. Beyond simply allowing the client to
-delegate verification to Vault, using this endpoint incorporates the additional
-check of whether the entity is still active or not, which is something that
-cannot be determined from the token alone. Unlike the .well-known endpoint, accessing the
-introspection endpoint does require a valid Vault token and sufficient
-authorization.
-
-
-### Issuer Considerations
-
-The identity token system has one configurable parameter: issuer. The issuer
-`iss` claim is particularly important for proper validation of the token by
-clients, and special consideration should be given when using Identity Tokens
-with [performance replication](docs/enterprise/replication/index.html).
-Consumers of the token will request public keys from Vault using the issuer URL,
-so it must be network reachable. Furthermore, the returned set of keys will include
-an issuer that must match the request.
-
-By default Vault will set the issuer to the Vault instance's
-[`api_addr`](docs/configuration/index.html#api_addr). This means that tokens
-issued in a given cluster should be validated within that same cluster.
-Alternatively, the [`issuer`](api/secret/identity/tokens.html#issuer) parameter
-may be configured explicitly. This address must point to the identity/oidc path
-for the Vault instance (e.g.
-`https://vault-1.example.com:8200/v1/identity/oidc`) and should be
-reachable by any client trying to validate identity tokens.
-
-
-## API
-
-The Identity secrets engine has a full HTTP API. Please see the
-[Identity secrets engine API](/api/secret/identity/index.html) for more
-details.
diff --git a/website/source/docs/secrets/index.html.md b/website/source/docs/secrets/index.html.md
deleted file mode 100644
index 10a831854161..000000000000
--- a/website/source/docs/secrets/index.html.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-layout: "docs"
-page_title: "Secrets Engines"
-sidebar_title: "Secrets Engines"
-sidebar_current: "docs-secrets"
-description: |-
-  Secrets engines are mountable engines that store or generate secrets in Vault.
----
-
-# Secrets Engines
-
-Secrets engines are components which store, generate, or encrypt data. Secrets
-engines are incredibly flexible, so it is easiest to think about them in terms
-of their function. Secrets engines are provided some set of data, they take some
-action on that data, and they return a result.
-
-Some secrets engines simply store and read data - like encrypted
-Redis/Memcached. Other secrets engines connect to other services and generate
-dynamic credentials on demand. Other secrets engines provide encryption as a
-service, totp generation, certificates, and much more.
-
-Secrets engines are enabled at a "path" in Vault. When a request comes to Vault,
-the router automatically routes anything with the route prefix to the secrets
-engine. In this way, each secrets engine defines its own paths and properties.
-To the user, secrets engines behave similar to a virtual filesystem, supporting
-operations like read, write, and delete.
-
-## Secrets Engines Lifecycle
-
-Most secrets engines can be enabled, disabled, tuned, and moved via the CLI or
-API. Previous versions of Vault called these "mounts", but that term was
-overloaded.
-
-- **Enable** - This enables a secrets engine at a given path. With few
-  exceptions, secrets engines can be enabled at multiple paths. Each secrets
-  engine is isolated to its path. By default, they are enabled at their "type"
-  (e.g. "aws" enables at "aws/").
-
-- **Disable** - This disables an existing secrets engine. When a secrets engine
-  is disabled, all of its secrets are revoked (if they support it), and all of
-  the data stored for that engine in the physical storage layer is deleted.
-
-- **Move** - This moves the path for an existing secrets engine. This process
-  revokes all secrets, since secret leases are tied to the path they were
-  created at. The configuration data stored for the engine persists through the
-  move.
-
-- **Tune** - This tunes global configuration for the secrets engine such as the
-  TTLs.
-
-Once a secrets engine is enabled, you can interact with it directly at its path
-according to its own API. Use `vault path-help` to determine the paths it
-responds to.
-
-Note that mount points cannot conflict with each other in Vault. There are
-two broad implications of this fact. The first is that you cannot have
-a mount which is prefixed with an existing mount. The second is that you
-cannot create a mount point that is named as a prefix of an existing mount.
-As an example, the mounts `foo/bar` and `foo/baz` can peacefully coexist
-with each other whereas `foo` and `foo/baz` cannot
-
-## Barrier View
-
-Secrets engines receive a _barrier view_ to the configured Vault physical
-storage. This is a lot like a [chroot](https://en.wikipedia.org/wiki/Chroot).
-
-When a secrets engine is enabled, a random UUID is generated. This becomes the
-data root for that engine. Whenever that engine writes to the physical storage
-layer, it is prefixed with that UUID folder. Since the Vault storage layer
-doesn't support relative access (such as `../`), this makes it impossible for a
-enabled secrets engine to access other data.
-
-This is an important security feature in Vault - even a malicious engine
-cannot access the data from any other engine.
diff --git a/website/source/docs/secrets/kmip/index.html.md b/website/source/docs/secrets/kmip/index.html.md
deleted file mode 100644
index f69226918f60..000000000000
--- a/website/source/docs/secrets/kmip/index.html.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-layout: "docs"
-page_title: "KMIP - Secrets Engines"
-sidebar_title: "KMIP <sup>ENTERPRISE</sup>"
-sidebar_current: "docs-secrets-kmip"
-description: |-
-  The KMIP secrets engine allows Vault to act as a KMIP server provider and
-  handle the lifecycle of it KMIP managed objects.
----
-
-# KMIP Secrets Engine
-
-The KMIP secrets engine allows Vault to act as a [Key Management
-Interoperability Protocol](#kmip-spec) (KMIP) server provider and handle
-the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that allows
-services and applications to perform cryptographic operations without having to
-manage cryptographic material, otherwise known as managed objects, by delegating
-its storage and lifecycle to a key management server.
-
-## Setup
-
-The KMIP secrets engine must be configured before it can start accepting KMIP
-requests.
-
-1. Enable the KMIP secrets engine
-
-    ```text
-    $ vault secrets enable kmip
-    Success! Enabled the kmip secrets engine at: kmip/
-    ```
-
-1. Configure the secrets engine with the desired listener addresses to use and
-TLS parameters, or leave unwritten to use default values
-
-    ```text
-    $ vault write kmip/config listen_addrs=0.0.0.0:5696
-    ```
-
-## Usage
-
-### Scopes and Roles
-
-The KMIP secrets engine uses the concept of scopes to partition KMIP managed
-object storage into multiple named buckets. Within a scope, roles can be created
-which dictate the set of allowed operations that the particular role can perform.
-TLS client certificates can be generated for a role, which services and applications
-can then use when sending KMIP requests against Vault's KMIP secret engine.
-
-In order to generate client certificates for KMIP clients to interact with Vault's
-KMIP server, we must first create a scope and role and specify the desired set of
-allowed operations for it.
-
-1. Create a scope:
-
-    ```text
-    $ vault write -f kmip/scope/my-service
-    Success! Data written to: kmip/scope/my-service
-    ```
-
-1. Create a role within the scope, specifying the set of operations to allow or
-deny.
-
-    ```text
-    $ vault write kmip/scope/my-service/role/admin operation_all=true
-      Success! Data written to: kmip/scope/my-service/role/admin
-    ```
-
-### Client Certificate Generation
-
-Once a scope and role has been created, client certificates can be generated for
-that role. The client certificate can then be provided to applications and
-services that support KMIP to establish communication with Vault's KMIP server.
-Scope and role identifiers are embedded in the certificate,
-which will be used when evaluating permissions during a KMIP request.
-
-1. Generate a client certificate. This returns the CA Chain, the certificate,
-and the private key.
-
-    ```text
-    $ vault write -f kmip/scope/my-service/role/admin/credential/generate
-      Key              Value
-      ---              -----
-      ca_chain         [-----BEGIN CERTIFICATE-----
-      MIICNTCCAZigAwIBAgIUKqNFb3Zy+8ypIhTDs/2/8f/xEI8wCgYIKoZIzj0EAwIw
-      HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MjQyN1oX
-      DTI5MDYyMTE4MjQ1N1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu
-      dGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAbniGNXHOiPvSb0I
-      fbc1B9QkOmdT2Ecx2WaQPLISplmO0Jm0u0z11CGuf3Igby7unnCNvCuCXrKJFCsQ
-      8JGhwknNAG3eesSZxG4tklA6FMZjE9ETUtYfjH7Z4vuJSw/fxOeey7fhrqAzhV3P
-      GRkvA9EQUHJOeV4rEpiINP/fneHNfsn1o2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
-      VR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUR0o0v4rPiBU9RwQfEUucx3JwbPAw
-      HwYDVR0jBBgwFoAUMhORultSN+ABogxQdkt7KChD0wQwCgYIKoZIzj0EAwIDgYoA
-      MIGGAkF1IvkIaXNkVfe+q0V78CnX0XIJuvmPpgjN8AQzqLci8txikd9gF1zt8fFQ
-      gIKERm2QPrshSV9srHDB0YnThRKuiQJBNcDjCfYOzqKlBHifT4WT4OX1U6nP/Y2b
-      imGaLJK9VIwfcJOpVCFGp7Xi8QGV6rJIFiQAqzqCy69vcU6nVMsvens=
-      -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
-      MIICKjCCAYugAwIBAgIUerDfApmkq0VYychkhlxEnBlIDUcwCgYIKoZIzj0EAwIw
-      HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MjQyNloX
-      DTI5MDYyMTE4MjQ1NlowHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb
-      MBAGByqGSM49AgEGBSuBBAAjA4GGAAQBA466Axrrz+HWanNe35gPVvB7OE7TWZcc
-      QZw1QSMQ+QIQMu5NcdfvZfh68exhe1FiJezKB+zeoJWp1Q/kqhyh7fsAFUuIcJDO
-      okZYPTmjPh3h5IZLPg5r7Pw1j99rLHhc/EXF9wYVy2UeH/2IqGJ+cncmVgqczlG8
-      m36g9OXd6hkofhCjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
-      AgEKMB0GA1UdDgQWBBQyE5G6W1I34AGiDFB2S3soKEPTBDAfBgNVHSMEGDAWgBQy
-      E5G6W1I34AGiDFB2S3soKEPTBDAKBggqhkjOPQQDAgOBjAAwgYgCQgGtPVCtgDc1
-      0SrTsVpEtUMYQKbOWnTKNHZ9h5jSna8n9aY+70Ai3U57q3FL95iIhZRW79PRpp65
-      d6tWqY51o2hHpwJCAK+eE7xpdnqh5H8TqAXKVuSoC0WEsovYCD03c8Ih3jWcZn6N
-      kbz2kXPcAk+dE6ncnwhwqNQgsJQGgQzJroH+Zzvb
-      -----END CERTIFICATE-----]
-      certificate      -----BEGIN CERTIFICATE-----
-      MIICOzCCAZygAwIBAgIUN5V7bLAGu8QIUFxlIugg8fBb+eYwCgYIKoZIzj0EAwIw
-      KjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x
-      OTA2MjQxODQ3MTdaFw0xOTA2MjUxODQ3NDdaMCAxDjAMBgNVBAsTBWNqVVNJMQ4w
-      DAYDVQQDEwVkdjRZbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEANVsHV8CHYpW
-      CBKbYVEx/sLphk67SdWxbII4Sc9Rj1KymApD4gPmS+rw0FDMZGFbn1sAfpqMBqMj
-      ylv72o9izbYSALHnYT+AaE0NFn4eGWZ2G0p56cVmfXm3ZI959E+3gvZK6X5Jnzm4
-      FKXTDKGA4pocYec/rnYJ5X8sbAJKHvk1OeO+o2cwZTAOBgNVHQ8BAf8EBAMCA6gw
-      EwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFBEIsBo3HiBIg2l2psaQoYkT
-      D1RNMB8GA1UdIwQYMBaAFEdKNL+Kz4gVPUcEHxFLnMdycGzwMAoGCCqGSM49BAMC
-      A4GMADCBiAJCAc8DV23DJsHV4fdmbmssu0eDIgNH+PrRKdYgqiHptbuVjF2qbILp
-      Z34dJRVN+R9B+RprZXkYiv7gJ/47KSUKzRZpAkIByMjZqLtcypamJM/t+/O1BSst
-      CWcblb45FIxAmO4hE00Q5wnwXNxNnDHXWiuGdSNmIBjpb9nM5wehQlbkx7HzvPk=
-      -----END CERTIFICATE-----
-      private_key      -----BEGIN EC PRIVATE KEY-----
-      MIHcAgEBBEIB9Nn7M28VUVW6g5IlOTS3bHIZYM/zqVy+PvYQxn2lFbg1YrQzfd7h
-      sdtCjet0lc7pvtoOwd1dFiATOGg98OVN7MegBwYFK4EEACOhgYkDgYYABADVbB1f
-      Ah2KVggSm2FRMf7C6YZOu0nVsWyCOEnPUY9SspgKQ+ID5kvq8NBQzGRhW59bAH6a
-      jAajI8pb+9qPYs22EgCx52E/gGhNDRZ+HhlmdhtKeenFZn15t2SPefRPt4L2Sul+
-      SZ85uBSl0wyhgOKaHGHnP652CeV/LGwCSh75NTnjvg==
-      -----END EC PRIVATE KEY-----
-      serial_number    317328055225536560033788492808123425026102524390
-    ```
-
-### Supported KMIP Operations
-
-The KMIP protocol supports a wide [variety of operations](#kmip-ops) that can be
-issued by clients to perform certain actions, such as key management,
-encryption, signing, etc. The KMIP secrets engine currently supports a subset of
-KMIP operations.
-
-Supported KMIP operations:
-
-```text
-operation_activate
-operation_add_attribute
-operation_create
-operation_destroy
-operation_discover_versions
-operation_get
-operation_get_attribute_list
-operation_get_attributes
-operation_locate
-operation_register
-operation_rekey
-operation_revoke
-```
-
-Additionally, there are two pseudo-operations that can be used to allow or deny
-all operation capabilities to a role. These operations are mutually exclusive to
-all other operations. That is, if it's provided during role creation or update,
-no other operations can be provided. Similarly, if an existing role contains a
-pseudo-operation, and it is then updated with a set supported operation, it will
-be overwritten with the newly set of provided operations.
-
-Pseudo-operations:
-
-```text
-operation_all
-operation_none
-```
-
-## Learn
-
-Refer to the [KMIP Secrets Engine](https://learn.hashicorp.com/vault/secrets-management/kmip-engine)
-guide for a step-by-step tutorial.
-
-
-[kmip-spec]: http://docs.oasis-open.org/kmip/spec/v1.4/kmip-spec-v1.4.html
-[kmip-ops]: http://docs.oasis-open.org/kmip/spec/v1.4/os/kmip-spec-v1.4-os.html#_Toc490660840
diff --git a/website/source/docs/secrets/kv/index.html.md b/website/source/docs/secrets/kv/index.html.md
deleted file mode 100644
index 9d5eb6cd2ea1..000000000000
--- a/website/source/docs/secrets/kv/index.html.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-layout: "docs"
-page_title: "KV - Secrets Engines"
-sidebar_title: "Key/Value"
-sidebar_current: "docs-secrets-kv"
-description: |-
-  The KV secrets engine can store arbitrary secrets.
----
-
-# KV Secrets Engine
-
-The `kv` secrets engine is used to store arbitrary secrets within the
-configured physical storage for Vault. This backend can be run in one of two
-modes. It can be a generic Key-Value store that stores one value for a key.
-Versioning can be enabled and a configurable number of versions for each key
-will be stored.
-
-## KV Version 1
-
-When running the `kv` secrets backend non-versioned only the most recently
-written value for a key will be preserved. The benefits of non-versioned `kv`
-is a reduced storage size for each key since no additional metadata or history
-is stored. Additionally, requests going to a backend configured this way will be
-more performant because for any given request there will be fewer storage calls
-and no locking.
-
-More information about running in this mode can be found in the [K/V Version 1
-Docs](/docs/secrets/kv/kv-v1.html)
-
-## KV Version 2
-
-When running v2 of the `kv` backend a key can retain a configurable number of
-versions. This defaults to 10 versions. The older versions' metadata and data
-can be retrieved. Additionally, Check-and-Set operations can be used to avoid
-overwriting data unintentionally.  
-
-When a version is deleted the underlying data is not removed, rather it is
-marked as deleted. Deleted versions can be undeleted. To permanently remove a
-version's data the destroy command or API endpoint can be used. Additionally all
-versions and metadata for a key can be deleted by deleting on the metadata
-command or API endpoint. Each of these operations can be ACL'ed differently,
-restricting who has permissions to soft delete, undelete, or fully remove data.
-
-More information about running in this mode can be found in the [K/V Version 2
-Docs](/docs/secrets/kv/kv-v2.html)
diff --git a/website/source/docs/secrets/kv/kv-v1.html.md b/website/source/docs/secrets/kv/kv-v1.html.md
deleted file mode 100644
index ab0064ad07d8..000000000000
--- a/website/source/docs/secrets/kv/kv-v1.html.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-layout: "docs"
-page_title: "KV - Secrets Engines"
-sidebar_title: "K/V Version 1"
-sidebar_current: "docs-secrets-kv-v1"
-description: |-
-  The KV secrets engine can store arbitrary secrets.
----
-
-# KV Secrets Engine - Version 1
-
-The `kv` secrets engine is used to store arbitrary secrets within the
-configured physical storage for Vault.
-
-Writing to a key in the `kv` backend will replace the old value; sub-fields are
-not merged together.
-
-Key names must always be strings. If you write non-string values directly via
-the CLI, they will be converted into strings. However, you can preserve
-non-string values by writing the key/value pairs to Vault from a JSON file or
-using the HTTP API.
-
-This secrets engine honors the distinction between the `create` and `update`
-capabilities inside ACL policies.
-
-~> **Note**: Path and key names are _not_ obfuscated or encrypted; only the
-values set on keys are. You should not store sensitive information as part of a
-secret's path.
-
-## Setup
-
-To enable a version 1 kv store:
-
-```
-vault secrets enable -version=1 kv
-```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials. The `kv` secrets engine
-allows for writing keys with arbitrary values.
-
-1. Write arbitrary data:
-
-    ```text
-    $ vault kv put kv/my-secret my-value=s3cr3t
-    Success! Data written to: kv/my-secret
-    ```
-
-1. Read arbitrary data:
-
-    ```text
-    $ vault kv get kv/my-secret
-    Key                 Value
-    ---                 -----
-    my-value            s3cr3t
-    ```
-
-1. List the keys:
-
-    ```text
-    $ vault kv list kv/
-    Keys
-    ----
-    my-secret
-    ```
-
-1. Delete a key:
-
-    ```
-    $ vault kv delete kv/my-secret
-    Success! Data deleted (if it existed) at: kv/my-secret
-    ```
-
-## TTLs
-
-Unlike other secrets engines, the KV secrets engine does not enforce TTLs
-for expiration. Instead, the `lease_duration` is a hint for how often consumers
-should check back for a new value.
-
-If provided a key of `ttl`, the KV secrets engine will utilize this value
-as the lease duration:
-
-```text
-$ vault kv put kv/my-secret ttl=30m my-value=s3cr3t
-Success! Data written to: kv/my-secret
-```
-
-Even with a `ttl` set, the secrets engine _never_ removes data on its own. The
-`ttl` key is merely advisory.
-
-When reading a value with a `ttl`, both the `ttl` key _and_ the refresh interval
-will reflect the value:
-
-```text
-$ vault kv get kv/my-secret
-Key                 Value
----                 -----
-my-value            s3cr3t
-ttl                 30m
-```
-
-## Learn
-
-Refer to the [Static Secrets: Key/Value Secrets
-Engine](https://learn.hashicorp.com/vault/secrets-management/sm-static-secrets)
-guide for a step-by-step tutorial.
-
-## API
-
-The KV secrets engine has a full HTTP API. Please see the
-[KV secrets engine API](/api/secret/kv/kv-v1.html) for more
-details.
diff --git a/website/source/docs/secrets/kv/kv-v2.html.md b/website/source/docs/secrets/kv/kv-v2.html.md
deleted file mode 100644
index 70dc61137eb2..000000000000
--- a/website/source/docs/secrets/kv/kv-v2.html.md
+++ /dev/null
@@ -1,407 +0,0 @@
----
-layout: "docs"
-page_title: "KV - Secrets Engines"
-sidebar_title: "K/V Version 2"
-sidebar_current: "docs-secrets-kv-v2"
-description: |-
-  The KV secrets engine can store arbitrary secrets.
----
-
-# KV Secrets Engine - Version 2
-
-The `kv` secrets engine is used to store arbitrary secrets within the
-configured physical storage for Vault.
-
-Key names must always be strings. If you write non-string values directly via
-the CLI, they will be converted into strings. However, you can preserve
-non-string values by writing the key/value pairs to Vault from a JSON file or
-using the HTTP API.
-
-This secrets engine honors the distinction between the `create` and `update`
-capabilities inside ACL policies.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-A v2 `kv` secrets engine can be enabled by:
-
-```text
-$ vault secrets enable -version=2 kv
-```
-
-Or, you can pass `kv-v2` as the secrets engine type:
-
-```text
-$ vault secrets enable kv-v2
-```
-
-Additionally, when running a dev-mode server, the v2 `kv` secrets engine is enabled by default at the
-path `secret/` (for non-dev servers, it is currently v1). It can be disabled, moved, or enabled multiple times at
-different paths. Each instance of the KV secrets engine is isolated and unique.
-
-## Upgrading from Version 1
-
-An existing version 1 kv store can be upgraded to a version 2 kv store via the CLI or API, as shown below. This will start an upgrade process to upgrade the existing key/value data to a versioned format. The mount will be inaccessible during this process. This process could take a long time, so plan accordingly.
-
-Once upgraded to version 2, the former paths at which the data was accessible will no longer suffice. You will need to adjust user policies to add access to the version 2 paths as detailed in the [ACL Rules section below](/docs/secrets/kv/kv-v2.html#acl-rules). Similarly, users/applications will need to update the paths at which they interact with the kv data once it has been upgraded to version 2.
-
-An existing version 1 kv can be upgraded to a version 2 KV store with the CLI command:
-
-```text
-$ vault kv enable-versioning secret/
-Success! Tuned the secrets engine at: secret/
-```
-
-or via the API:
-
-```text
-$ cat payload.json
-{
-  "options": {
-      "version": "2"
-  }
-}
-
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request POST \
-    --data @payload.json \
-    http://127.0.0.1:8200/v1/sys/mounts/secret/tune
-```
-
-## ACL Rules
-
-The version 2 kv store uses a prefixed API, which is different from the
-version 1 API. Before upgrading from a version 1 kv the ACL rules
-should be changed. Also different paths in the version 2 API can be ACL'ed
-differently.
-
-Writing and reading versions are prefixed with the `data/` path. This policy
-that worked for the version 1 kv:
-
-```
-path "secret/dev/team-1/*" {
-  capabilities = ["create", "update", "read"]
-}
-```
-
-Should be changed to:
-
-```
-path "secret/data/dev/team-1/*" {
-  capabilities = ["create", "update", "read"]
-}
-```
-
-There are different levels of data deletion for this backend. To grant a policy
-the permissions to delete the latest version of a key:
-
-```
-path "secret/data/dev/team-1/*" {
-  capabilities = ["delete"]
-}
-```
-To allow the policy to delete any version of a key:
-
-```
-path "secret/delete/dev/team-1/*" {
-  capabilities = ["update"]
-}
-```
-
-To allow a policy to undelete data:
-
-```
-path "secret/undelete/dev/team-1/*" {
-  capabilities = ["update"]
-}
-```
-
-To allow a policy to destroy versions:
-
-```
-path "secret/destroy/dev/team-1/*" {
-  capabilities = ["update"]
-}
-```
-
-To allow a policy to list keys:
-
-```
-path "secret/metadata/dev/team-1/*" {
-  capabilities = ["list"]
-}
-```
-
-To allow a policy to view metadata for each version:
-
-```
-path "secret/metadata/dev/team-1/*" {
-  capabilities = ["read"]
-}
-```
-
-To allow a policy to permanently remove all versions and metadata for a key:
-
-```
-path "secret/metadata/dev/team-1/*" {
-  capabilities = ["delete"]
-}
-```
-
-See the [API Specification](/api/secret/kv/kv-v2.html) for more
-information.
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials. The `kv` secrets engine
-allows for writing keys with arbitrary values.
-
-### Writing/Reading arbitrary data
-
-1. Write arbitrary data:
-
-    ```text
-    $ vault kv put secret/my-secret my-value=s3cr3t
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:20:22.985303Z
-	deletion_time    n/a
-	destroyed        false
-	version          1
-    ```
-
-1. Read arbitrary data:
-
-    ```text
-	$ vault kv get secret/my-secret
-	====== Metadata ======
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:20:22.985303Z
-	deletion_time    n/a
-	destroyed        false
-	version          1
-
-	====== Data ======
-	Key         Value
-	---         -----
-	my-value    s3cr3t
-    ```
-
-1. Write another version, the previous version will still be accessible. The
-   `-cas` flag can optionally be passed to perform a check-and-set operation. If
-   not set the write will be allowed. If set to `-cas=0` a write will only be allowed
-   if the key doesn’t exist. If the index is non-zero the write will only be
-   allowed if the key’s current version matches the version specified in the
-   cas parameter.
-
-    ```text
-    $ vault kv put -cas=1 secret/my-secret my-value=new-s3cr3t
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:22:23.369372Z
-	deletion_time    n/a
-	destroyed        false
-	version          2
-    ```
-
-1. Reading now will return the newest version of the data:
-
-    ```text
-    $ vault kv get secret/my-secret
-	====== Metadata ======
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:22:23.369372Z
-	deletion_time    n/a
-	destroyed        false
-	version          2
-
-	====== Data ======
-	Key         Value
-	---         -----
-	my-value    new-s3cr3t
-    ```
-
-1. Previous versions can be accessed with the `-version` flag:
-
-    ```text
-    $ vault kv get -version=1 secret/my-secret
-	====== Metadata ======
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:20:22.985303Z
-	deletion_time    n/a
-	destroyed        false
-	version          1
-
-	====== Data ======
-	Key         Value
-	---         -----
-	my-value    s3cr3t
-    ```
-
-### Deleting and Destroying Data
-
-When deleting data the standard `vault kv delete` command will perform a
-soft delete. It will mark the version as deleted and populate a `deletion_time`
-timestamp. Soft deletes do not remove the underlying version data from storage,
-which allows the version to be undeleted. The `vault kv undelete` command
-handles undeleting versions.
-
-A version's data is permanently deleted only when the key has more versions than
-are allowed by the max-versions setting, or when using `vault kv destroy`. When
-the destroy command is used the underlying version data will be removed and the
-key metadata will be marked as destroyed. If a version is cleaned up by going
-over max-versions the version metadata will also be removed from the key.
-
-See the commands below for more information:
-
-1. The latest version of a key can be deleted with the delete command, this also
-   takes a `-versions` flag to delete prior versions:
-
-    ```text
-    $ vault kv delete secret/my-secret
-	Success! Data deleted (if it existed) at: secret/my-secret
-    ```
-
-1. Versions can be undeleted:
-
-    ```text
-    $ vault kv undelete -versions=2 secret/my-secret
-	Success! Data written to: secret/undelete/my-secret
-
-    $ vault kv get secret/my-secret
-	====== Metadata ======
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:23:21.834403Z
-	deletion_time    n/a
-	destroyed        false
-	version          2
-
-	====== Data ======
-	Key         Value
-	---         -----
-	my-value    short-lived-s3cr3t
-    ```
-
-1. Destroying a version permanently deletes the underlying data:
-
-    ```text
-    $ vault kv destroy -versions=2 secret/my-secret
-	Success! Data written to: secret/destroy/my-secret
-    ```
-
-### Key Metadata
-
-All versions and key metadata can be tracked with the metadata command & API.
-Deleting the metadata key will cause all metadata and versions for that key to
-be permanently removed.
-
-See the commands below for more information:
-
-1. All metadata and versions for a key can be viewed:
-
-    ```text
-    $ vault kv metadata get secret/my-secret
-	========== Metadata ==========
-	Key                     Value
-	---                     -----
-	cas_required            false
-	created_time            2019-06-19T17:20:22.985303Z
-	current_version         2
-	delete_version_after    0s
-	max_versions            0
-	oldest_version          0
-	updated_time            2019-06-19T17:22:23.369372Z
-
-	====== Version 1 ======
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:20:22.985303Z
-	deletion_time    n/a
-	destroyed        false
-
-	====== Version 2 ======
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:22:23.369372Z
-	deletion_time    n/a
-	destroyed        true
-    ```
-
-1. The metadata settings for a key can be configured:
-
-    ```text
-    $ vault kv metadata put -max-versions 2 -delete-version-after="3h25m19s" secret/my-secret
-	Success! Data written to: secret/metadata/my-secret
-    ```
-
-	Delete-version-after settings will apply only to new versions. Max versions
-	changes will be applied on next write:
-
-    ```text
-    $ vault kv put secret/my-secret my-value=newer-s3cr3t
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:31:16.662563Z
-	deletion_time    2019-06-19T20:56:35.662563Z
-	destroyed        false
-	version          4
-    ```
-
-	Once a key has more versions than max versions the oldest versions
-	are cleaned up:
-
-    ```text
-    $ vault kv metadata get secret/my-secret
-	========== Metadata ==========
-	Key                     Value
-	---                     -----
-	cas_required            false
-	created_time            2019-06-19T17:20:22.985303Z
-	current_version         4
-	delete_version_after    3h25m19s
-	max_versions            2
-	oldest_version          3
-	updated_time            2019-06-19T17:31:16.662563Z
-
-	====== Version 3 ======
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:23:21.834403Z
-	deletion_time    n/a
-	destroyed        true
-
-	====== Version 4 ======
-	Key              Value
-	---              -----
-	created_time     2019-06-19T17:31:16.662563Z
-	deletion_time    2019-06-19T20:56:35.662563Z
-	destroyed        false
-    ```
-
-1. Permanently delete all metadata and versions for a key:
-
-    ```text
-    $ vault kv metadata delete secret/my-secret
-	Success! Data deleted (if it existed) at: secret/metadata/my-secret
-    ```
-
-## Learn
-
-Refer to the [Versioned Key/Value Secrets
-Engine](https://learn.hashicorp.com/vault/secrets-management/sm-versioned-kv)
-guide for a step-by-step tutorial.
-
-## API
-
-The KV secrets engine has a full HTTP API. Please see the
-[KV secrets engine API](/api/secret/kv/kv-v2.html) for more
-details.
diff --git a/website/source/docs/secrets/mongodb/index.html.md b/website/source/docs/secrets/mongodb/index.html.md
deleted file mode 100644
index 759229100a16..000000000000
--- a/website/source/docs/secrets/mongodb/index.html.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-layout: "docs"
-page_title: "MongoDB - Secrets Engines"
-sidebar_title: "MongoDB <sup>DEPRECATED</sup>"
-sidebar_current: "docs-secrets-mongodb"
-description: |-
-  The mongodb secrets engine for Vault generates database credentials to access MongoDB.
----
-
-# MongoDB Secrets Engine
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the documentation for
-the new implementation of this secrets engine at
-[MongoDB database plugin](/docs/secrets/databases/mongodb.html).
-
-The `mongodb` secrets engine for Vault generates MongoDB database credentials
-dynamically based on configured roles. This means that services that need
-to access a MongoDB database no longer need to hard-code credentials: they
-can request them from Vault and use Vault's leasing mechanism to more easily
-roll them.
-
-Additionally, it introduces a new ability: with every service accessing
-the database with unique credentials, it makes auditing much easier when
-questionable data access is discovered: you can track it down to the specific
-instance of a service based on the MongoDB username.
-
-Vault makes use of its own internal revocation system to ensure that users
-become invalid within a reasonable time of the lease expiring.
-
-This page will show a quick start for this secrets engine. For detailed documentation
-on every path, use `vault path-help` after mounting the secrets engine.
-
-## Quick Start
-
-The first step to using the mongodb secrets engine is to mount it. Unlike the
-`kv` secrets engine, the `mongodb` secrets engine is not mounted by default.
-
-```
-$ vault secrets enable mongodb
-Success! Enabled the mongodb secrets engine at: mongodb/
-```
-
-Next, we must tell Vault how to connect to MongoDB. This is done by providing
-a standard connection string (URI):
-
-```
-$ vault write mongodb/config/connection uri="mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
-Key	Value
----	-----
-
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection URI as it is, including passwords, if any.
-```
-
-In this case, we've configured Vault with the username `admin` and password
-`Password!`, connecting to an instance at `mongodb.acme.com` on port `27017`
-with TLS. The user must have privileges to manage users and their roles in the
-databases Vault will manage users in. The built-in role `userAdminAnyDatabase`
-is the simplest way to grant the necessary permissions if we want Vault to
-manage all users in all databases.
-
-Optionally, we can configure the lease settings for the credentials generated
-by Vault. This is done by writing to the `config/lease` key:
-
-```
-$ vault write mongodb/config/lease ttl=1h max_ttl=24h
-Success! Data written to: mongodb/config/lease
-```
-
-This restricts each user to being valid or leased for 1 hour at a time, with
-a maximum total use period of 24 hours. This forces an application to renew
-its credentials at least hourly and to recycle them once per day.
-
-The next step is to configure a role. A role is a logical name that maps
-to a policy used to generate MongoDB credentials for that role.
-
-Note that MongoDB also uses roles. The roles you define in Vault are distinct
-from the built-in and user-defined roles in MongoDB. In fact, when defining
-a Vault role you may specify the MongoDB roles that should be assigned to
-users created for that Vault role.
-
-For example, let's create a "readonly" role:
-
-```
-$ vault write mongodb/roles/readonly db=foo roles='[ "readWrite", { "role": "read", "db": "bar" } ]'
-Success! Data written to: mongodb/roles/readonly
-```
-
-By writing to the `roles/readonly` path we are defining the `readonly` role.
-Each time Vault is asked for credentials for this role, it will create a
-user in the specified MongoDB database with the MongoDB roles provided. The
-username and password of each user created will be dynamically generated by
-Vault. Just like when creating a user directly using `db.createUser`, the
-`roles` JSON array can specify both built-in roles and user-defined roles
-for both the database the user is created in and for other databases. Please
-consult the MongoDB documentation for more details on Role-Based Access
-Control in MongoDB. In this example, Vault will create a user in the `foo`
-database with the `readWrite` built-in role on that database and the `read`
-built-in role on the `bar` database.
-
-To generate a new set of credentials for a given role, we simply read from
-the credentials path for that role:
-
-```
-$ vault read mongodb/creds/readonly
-Key                Value
----                -----
-lease_id           mongodb/creds/readonly/91685212-3040-7dde-48b1-df997c5dc8e7
-lease_duration     3600
-lease_renewable    true
-db                 foo
-password           c3faa86d-0f93-9649-de91-c431765e62dd
-username           vault-token-48729def-b0ca-2b17-d7b9-3ca7cb86f0ae
-```
-
-By reading from the `creds/readonly` path, Vault has generated a new set of
-credentials using the `readonly` role configuration. Here we see the
-dynamically generated username and password, along with a one hour lease.
-
-Using ACLs, it is possible to restrict using the `mongodb` secrets engine such that
-trusted operators can manage the role definitions, and both users and
-applications are restricted in the credentials they are allowed to read.
-
-## API
-
-The MongoDB secrets engine has a full HTTP API. Please see the
-[MongoDB secrets engine API](/api/secret/mongodb/index.html) for more
-details.
diff --git a/website/source/docs/secrets/mssql/index.html.md b/website/source/docs/secrets/mssql/index.html.md
deleted file mode 100644
index 157cb0089b0a..000000000000
--- a/website/source/docs/secrets/mssql/index.html.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-layout: "docs"
-page_title: "MSSQL - Secrets Engines"
-sidebar_title: "MSSQL <sup>DEPRECATED</sup>"
-sidebar_current: "docs-secrets-mssql"
-description: |-
-  The MSSQL secrets engine for Vault generates database credentials to access Microsoft Sql Server.
----
-
-# MSSQL Secrets Engine
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the documentation for
-the new implementation of this secrets engine at
-[MSSQL database plugin](/docs/secrets/databases/mssql.html).
-
-The MSSQL secrets engine for Vault generates database credentials
-dynamically based on configured roles. This means that services that need
-to access a database no longer need to hardcode credentials: they can request
-them from Vault, and use Vault's leasing mechanism to more easily roll keys.
-
-Additionally, it introduces a new ability: with every service accessing
-the database with unique credentials, it makes auditing much easier when
-questionable data access is discovered: you can track it down to the specific
-instance of a service based on the SQL username.
-
-Vault makes use of its own internal revocation system to ensure that users
-become invalid within a reasonable time of the lease expiring.
-
-This page will show a quick start for this secrets engine. For detailed documentation
-on every path, use `vault path-help` after mounting the secrets engine.
-
-## Quick Start
-
-The first step to using the mssql secrets engine is to mount it. Unlike the `kv`
-secrets engine, the `mssql` secrets engine is not mounted by default.
-
-```
-$ vault secrets enable mssql
-Success! Enabled the mssql secrets engine at: mssql/
-```
-
-Next, we must configure Vault to know how to connect to the MSSQL
-instance. This is done by providing a DSN (Data Source Name):
-
-```
-$ vault write mssql/config/connection \
-    connection_string="server=localhost;port=1433;user id=sa;password=Password!;database=AdventureWorks;app name=vault;"
-Success! Data written to: mssql/config/connection
-```
-
-In this case, we've configured Vault with the user "sa" and password "Password!",
-connecting to an instance at "localhost" on port 1433. It is not necessary
-that Vault has the sa login, but the user must have privileges to create
-logins and manage processes. The fixed server roles `securityadmin` and
-`processadmin` are examples of built-in roles that grant these permissions. The
-user also must have privileges to create database users and grant permissions in
-the databases that Vault manages.  The fixed database roles `db_accessadmin` and
-`db_securityadmin` are examples or built-in roles that grant these permissions.
-
-Optionally, we can configure the lease settings for credentials generated
-by Vault. This is done by writing to the `config/lease` key:
-
-```
-$ vault write mssql/config/lease \
-    ttl=1h \
-    max_ttl=24h
-Success! Data written to: mssql/config/lease
-```
-
-This restricts each credential to being valid or leased for 1 hour
-at a time, with a maximum use period of 24 hours. This forces an
-application to renew their credentials at least hourly, and to recycle
-them once per day.
-
-The next step is to configure a role. A role is a logical name that maps
-to a policy used to generate those credentials. For example, lets create
-a "readonly" role:
-
-```
-$ vault write mssql/roles/readonly \
-    sql="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; USE AdventureWorks; CREATE USER [{{name}}] FOR LOGIN [{{name}}]; GRANT SELECT ON SCHEMA::dbo TO [{{name}}]"
-Success! Data written to: mssql/roles/readonly
-```
-
-By writing to the `roles/readonly` path we are defining the `readonly` role.
-This role will be created by evaluating the given `sql` statements. By
-default, the `{{name}}` and `{{password}}` fields will be populated by
-Vault with dynamically generated values. This SQL statement is creating
-the named login on the server, user on the AdventureWorks database, and
-then granting it `SELECT` on the `dbo` schema. More complex `GRANT` queries
-can be used to customize the privileges of the role.
-
-To generate a new set of credentials, we simply read from that role:
-
-```
-$ vault read mssql/creds/readonly
-Key               Value
----               -----
-lease_id          mssql/creds/readonly/cdf23ac8-6dbd-4bf9-9919-6acaaa86ba6c
-lease_duration    3600
-password          ee202d0d-e4fd-4410-8d14-2a78c5c8cb76
-username          root-a147d529-e7d6-4a16-8930-4c3e72170b19
-```
-
-By reading from the `creds/readonly` path, Vault has generated a new
-set of credentials using the `readonly` role configuration. Here we
-see the dynamically generated username and password, along with a one
-hour lease.
-
-Using ACLs, it is possible to restrict using the mssql secrets engine such
-that trusted operators can manage the role definitions, and both
-users and applications are restricted in the credentials they are
-allowed to read.
-
-## API
-
-The MSSQL secrets engine has a full HTTP API. Please see the
-[MSSQL secrets engine API](/api/secret/mssql/index.html) for more
-details.
diff --git a/website/source/docs/secrets/mysql/index.html.md b/website/source/docs/secrets/mysql/index.html.md
deleted file mode 100644
index 3c1a174196cb..000000000000
--- a/website/source/docs/secrets/mysql/index.html.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-layout: "docs"
-page_title: "MySQL - Secrets Engines"
-sidebar_title: "MySQL <sup>DEPRECATED</sup>"
-sidebar_current: "docs-secrets-mysql"
-description: |-
-  The MySQL secrets engine for Vault generates database credentials to access MySQL.
----
-
-# MySQL Secrets Engine
-
-Name: `mysql`
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the documentation for
-the new implementation of this secrets engine at
-[MySQL/MariaDB database plugin](/docs/secrets/databases/mysql-maria.html).
-
-The MySQL secrets engine for Vault generates database credentials
-dynamically based on configured roles. This means that services that need
-to access a database no longer need to hardcode credentials: they can request
-them from Vault, and use Vault's leasing mechanism to more easily roll keys.
-
-Additionally, it introduces a new ability: with every service accessing
-the database with unique credentials, it makes auditing much easier when
-questionable data access is discovered: you can track it down to the specific
-instance of a service based on the SQL username.
-
-Vault makes use of its own internal revocation system to ensure that users
-become invalid within a reasonable time of the lease expiring.
-
-This page will show a quick start for this secrets engine. For detailed documentation
-on every path, use `vault path-help` after mounting the secrets engine.
-
-## Quick Start
-
-The first step to using the mysql secrets engine is to mount it. Unlike the `kv`
-secrets engine, the `mysql` secrets engine is not mounted by default.
-
-```
-$ vault secrets enable mysql
-Success! Enabled the mysql secrets engine at: mysql/
-```
-
-Next, we must configure Vault to know how to connect to the MySQL
-instance. This is done by providing a [DSN (Data Source Name)](https://github.com/go-sql-driver/mysql#dsn-data-source-name):
-
-```
-$ vault write mysql/config/connection \
-    connection_url="root:root@tcp(192.168.33.10:3306)/"
-Success! Data written to: mysql/config/connection
-```
-
-In this case, we've configured Vault with the user "root" and password "root,
-connecting to an instance at "192.168.33.10" on port 3306. It is not necessary
-that Vault has the root user, but the user must have privileges to create
-other users, namely the `GRANT OPTION` privilege.
-
-For using UNIX socket use: `root:root@unix(/path/to/socket)/`.
-
-Optionally, we can configure the lease settings for credentials generated
-by Vault. This is done by writing to the `config/lease` key:
-
-```
-$ vault write mysql/config/lease \
-    lease=1h \
-    lease_max=24h
-Success! Data written to: mysql/config/lease
-```
-
-This restricts each credential to being valid or leased for 1 hour
-at a time, with a maximum use period of 24 hours. This forces an
-application to renew their credentials at least hourly, and to recycle
-them once per day.
-
-The next step is to configure a role. A role is a logical name that maps
-to a policy used to generate those credentials. For example, lets create
-a "readonly" role:
-
-```
-$ vault write mysql/roles/readonly \
-    sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
-Success! Data written to: mysql/roles/readonly
-```
-
-By writing to the `roles/readonly` path we are defining the `readonly` role.
-This role will be created by evaluating the given `sql` statements. By
-default, the `{{name}}` and `{{password}}` fields will be populated by
-Vault with dynamically generated values. This SQL statement is creating
-the named user, and then granting it `SELECT` or read-only privileges
-to tables in the database. More complex `GRANT` queries can be used to
-customize the privileges of the role. See the [MySQL manual](https://dev.mysql.com/doc/refman/5.7/en/grant.html)
-for more information.
-
-To generate a new set of credentials, we simply read from that role:
-
-```
-$ vault read mysql/creds/readonly
-Key               Value
----               -----
-lease_id          mysql/creds/readonly/bd404e98-0f35-b378-269a-b7770ef01897
-lease_duration    3600
-password          132ae3ef-5a64-7499-351e-bfe59f3a2a21
-username          readonly-aefa635a-18
-```
-
-By reading from the `creds/readonly` path, Vault has generated a new
-set of credentials using the `readonly` role configuration. Here we
-see the dynamically generated username and password, along with a one
-hour lease.
-
-Using ACLs, it is possible to restrict using the mysql secrets engine such
-that trusted operators can manage the role definitions, and both
-users and applications are restricted in the credentials they are
-allowed to read.
-
-Optionally, you may configure both the number of characters from the role name
-that are truncated to form the display name portion of the mysql username
-interpolated into the `{{name}}` field: the default is 10.
-
-You may also configure the total number of characters allowed in the entire
-generated username (the sum of the display name and uuid portions); the
-default is 16. Note that versions of MySQL prior to 5.8 have a 16 character
-total limit on user names, so it is probably not safe to increase this above
-the default on versions prior to that.
-
-## API
-
-The MySQL secrets engine has a full HTTP API. Please see the
-[MySQL secrets engine API](/api/secret/mysql/index.html) for more
-details.
diff --git a/website/source/docs/secrets/nomad/index.html.md b/website/source/docs/secrets/nomad/index.html.md
deleted file mode 100644
index f40ba5106cbb..000000000000
--- a/website/source/docs/secrets/nomad/index.html.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-layout: "docs"
-page_title: "Nomad Secret Backend"
-sidebar_title: "Nomad"
-sidebar_current: "docs-secrets-nomad"
-description: |-
-  The Nomad secret backend for Vault generates tokens for Nomad dynamically.
----
-
-# Nomad Secret Backend
-
-Name: `Nomad`
-
-The Nomad secret backend for Vault generates
-[Nomad](https://www.nomadproject.io)
-API tokens dynamically based on pre-existing Nomad ACL policies.
-
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
-
-~> **Version information** ACLs are only available on Nomad 0.7.0 and above.
-
-## Quick Start
-
-The first step to using the vault backend is to mount it.
-Unlike the `generic` backend, the `nomad` backend is not mounted by default.
-
-```
-$ vault secrets enable nomad
-Successfully mounted 'nomad' at 'nomad'!
-```
-
-Optionally, we can configure the lease settings for credentials generated
-by Vault. This is done by writing to the `config/lease` key:
-
-```
-$ vault write nomad/config/lease ttl=3600 max_ttl=86400
-Success! Data written to: nomad/config/lease
-```
-
-For a quick start, you can use the SecretID token provided by the [Nomad ACL bootstrap
-process](https://www.nomadproject.io/guides/acl.html#generate-the-initial-token), although this
-is discouraged for production deployments. 
-
-```
-$ nomad acl bootstrap
-Accessor ID  = 95a0ee55-eaa6-2c0a-a900-ed94c156754e
-Secret ID    = c25b6ca0-ea4e-000f-807a-fd03fcab6e3c
-Name         = Bootstrap Token
-Type         = management
-Global       = true
-Policies     = n/a
-Create Time  = 2017-09-20 19:40:36.527512364 +0000 UTC
-Create Index = 7
-Modify Index = 7
-```
-The suggested pattern is to generate a token specifically for Vault, following the 
-[Nomad ACL guide](https://www.nomadproject.io/guides/acl.html)
-
-Next, we must configure Vault to know how to contact Nomad.
-This is done by writing the access information:
-
-```
-$ vault write nomad/config/access \
-    address=http://127.0.0.1:4646 \
-    token=adf4238a-882b-9ddc-4a9d-5b6758e4159e
-Success! Data written to: nomad/config/access
-```
-
-In this case, we've configured Vault to connect to Nomad
-on the default port with the loopback address. We've also provided
-an ACL token to use with the `token` parameter. Vault must have a management
-type token so that it can create and revoke ACL tokens.
-
-The next step is to configure a role. A role is a logical name that maps
-to a set of policy names used to generate those credentials. For example, let's create
-a "monitoring" role that maps to a "readonly" policy:
-
-```
-$ vault write nomad/role/monitoring policies=readonly
-Success! Data written to: nomad/role/monitoring
-```
-
-The backend expects either a single or a comma separated list of policy names.
-
-To generate a new Nomad ACL token, we simply read from that role:
-
-```
-$ vault read nomad/creds/monitoring
-Key              Value
----              -----
-lease_id         nomad/creds/monitoring/78ec3ef3-c806-1022-4aa8-1dbae39c760c
-lease_duration   768h0m0s
-lease_renewable  true
-accessor_id      a715994d-f5fd-1194-73df-ae9dad616307
-secret_id        b31fb56c-0936-5428-8c5f-ed010431aba9
-```
-
-Here we can see that Vault has generated a new Nomad ACL token for us.
-We can test this token out, by reading it in Nomad (by it's accessor):
-
-```
-$ nomad acl token info a715994d-f5fd-1194-73df-ae9dad616307
-Accessor ID  = a715994d-f5fd-1194-73df-ae9dad616307
-Secret ID    = b31fb56c-0936-5428-8c5f-ed010431aba9
-Name         = Vault example root 1505945527022465593
-Type         = client
-Global       = false
-Policies     = [readonly]
-Create Time  = 2017-09-20 22:12:07.023455379 +0000 UTC
-Create Index = 138
-Modify Index = 138
-```
-
-## API
-
-The Nomad secret backend has a full HTTP API. Please see the
-[Nomad secret backend API](/api/secret/nomad/index.html) for more
-details.
diff --git a/website/source/docs/secrets/pki/index.html.md b/website/source/docs/secrets/pki/index.html.md
deleted file mode 100644
index 9742b30bd119..000000000000
--- a/website/source/docs/secrets/pki/index.html.md
+++ /dev/null
@@ -1,686 +0,0 @@
----
-layout: "docs"
-page_title: "PKI - Secrets Engines"
-sidebar_title: "PKI (Certificates)"
-sidebar_current: "docs-secrets-pki"
-description: |-
-  The PKI secrets engine for Vault generates TLS certificates.
----
-
-# PKI Secrets Engine
-
-The PKI secrets engine generates dynamic X.509 certificates. With this secrets
-engine, services can get certificates without going through the usual manual
-process of generating a private key and CSR, submitting to a CA, and waiting for
-a verification and signing process to complete. Vault's built-in authentication
-and authorization mechanisms provide the verification functionality.
-
-By keeping TTLs relatively short, revocations are less likely to be needed,
-keeping CRLs short and helping the secrets engine scale to large workloads. This
-in turn allows each instance of a running application to have a unique
-certificate, eliminating sharing and the accompanying pain of revocation and
-rollover.
-
-In addition, by allowing revocation to mostly be forgone, this secrets engine
-allows for ephemeral certificates. Certificates can be fetched and stored in
-memory upon application startup and discarded upon shutdown, without ever being
-written to disk.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the PKI secrets engine:
-
-    ```text
-    $ vault secrets enable pki
-    Success! Enabled the pki secrets engine at: pki/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-
-1. Increase the TTL by tuning the secrets engine. The default value of 30 days may be too short, so increase it to 1 year:
-
-    ```text
-    $ vault secrets tune -max-lease-ttl=8760h pki
-    Success! Tuned the secrets engine at: pki/
-    ```
-
-    Note that individual roles can restrict this value to be shorter on a
-    per-certificate basis. This just configures the global maximum for this
-    secrets engine.
-
-1. Configure a CA certificate and private key. Vault can accept an existing key
-pair, or it can generate its own self-signed root. In general, we recommend
-maintaining your root CA outside of Vault and providing Vault a signed
-intermediate CA.
-
-    ```text
-    $ vault write pki/root/generate/internal \
-        common_name=my-website.com \
-        ttl=8760h
-
-    Key              Value
-    ---              -----
-    certificate      -----BEGIN CERTIFICATE-----...
-    expiration       1536807433
-    issuing_ca       -----BEGIN CERTIFICATE-----...
-    serial_number    7c:f1:fb:2c:6e:4d:99:0e:82:1b:08:0a:81:ed:61:3e:1d:fa:f5:29
-    ```
-
-    The returned certificate is purely informative. The private key is safely
-    stored internally in Vault.
-
-1. Update the CRL location and issuing certificates. These values can be updated
-in the future.
-
-    ```text
-    $ vault write pki/config/urls \
-        issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
-        crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
-    Success! Data written to: pki/config/urls
-    ```
-
-1. Configure a role that maps a name in Vault to a procedure for generating a
-certificate. When users or machines generate credentials, they are generated
-against this role:
-
-    ```text
-    $ vault write pki/roles/example-dot-com \
-        allowed_domains=my-website.com \
-        allow_subdomains=true \
-        max_ttl=72h
-    Success! Data written to: pki/roles/example-dot-com
-    ```
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by writing to the `/issue` endpoint with the name
-of the role:
-
-    ```text
-    $ vault write pki/issue/example-dot-com \
-        common_name=www.my-website.com
-
-    Key                 Value
-    ---                 -----
-    certificate         -----BEGIN CERTIFICATE-----...
-    issuing_ca          -----BEGIN CERTIFICATE-----...
-    private_key         -----BEGIN RSA PRIVATE KEY-----...
-    private_key_type    rsa
-    serial_number       1d:2e:c6:06:45:18:60:0e:23:d6:c5:17:43:c0:fe:46:ed:d1:50:be
-    ```
-
-    The output will include a dynamically generated private key and certificate
-    which corresponds to the given role and expires in 72h (as dictated by our
-    role definition). The issuing CA and trust chain is also returned for
-    automation simplicity.
-
-## Considerations
-
-To successfully deploy this secrets engine, there are a number of important
-considerations to be aware of, as well as some preparatory steps that should be
-undertaken. You should read all of these *before* using this secrets engine or
-generating the CA to use with this secrets engine.
-
-### Be Careful with Root CAs
-
-Vault storage is secure, but not as secure as a piece of paper in a bank vault.
-It is, after all, networked software. If your root CA is hosted outside of
-Vault, don't put it in Vault as well; instead, issue a shorter-lived
-intermediate CA certificate and put this into Vault. This aligns with industry
-best practices.
-
-Since 0.4, the secrets engine supports generating self-signed root CAs and
-creating and signing CSRs for intermediate CAs. In each instance, for security
-reasons, the private key can *only* be exported at generation time, and the
-ability to do so is part of the command path (so it can be put into ACL
-policies).
-
-If you plan on using intermediate CAs with Vault, it is suggested that you let
-Vault create CSRs and do not export the private key, then sign those with your
-root CA (which may be a second mount of the `pki` secrets engine).
-
-### One CA Certificate, One Secrets Engine
-
-In order to vastly simplify both the configuration and codebase of the PKI
-secrets engine, only one CA certificate is allowed per secrets engine. If you
-want to issue certificates from multiple CAs, mount the PKI secrets engine at
-multiple mount points with separate CA certificates in each.
-
-This also provides a convenient method of switching to a new CA certificate
-while keeping CRLs valid from the old CA certificate; simply mount a new secrets
-engine and issue from there.
-
-A common pattern is to have one mount act as your root CA and to use this CA
-only to sign intermediate CA CSRs from other PKI secrets engines.
-
-### Keep certificate lifetimes short, for CRL's sake
-
-This secrets engine aligns with Vault's philosophy of short-lived secrets. As
-such it is not expected that CRLs will grow large; the only place a private key
-is ever returned is to the requesting client (this secrets engine does *not*
-store generated private keys, except for CA certificates). In most cases, if the
-key is lost, the certificate can simply be ignored, as it will expire shortly.
-
-If a certificate must truly be revoked, the normal Vault revocation function can
-be used; alternately a root token can be used to revoke the certificate using
-the certificate's serial number. Any revocation action will cause the CRL to be
-regenerated. When the CRL is regenerated, any expired certificates are removed
-from the CRL (and any revoked, expired certificate are removed from secrets
-engine storage).
-
-This secrets engine does not support multiple CRL endpoints with sliding date
-windows; often such mechanisms will have the transition point a few days apart,
-but this gets into the expected realm of the actual certificate validity periods
-issued from this secrets engine. A good rule of thumb for this secrets engine
-would be to simply not issue certificates with a validity period greater than
-your maximum comfortable CRL lifetime. Alternately, you can control CRL caching
-behavior on the client to ensure that checks happen more often.
-
-Often multiple endpoints are used in case a single CRL endpoint is down so that
-clients don't have to figure out what to do with a lack of response. Run Vault in HA mode, and the CRL endpoint should be available even if a particular node
-is down.
-
-### You must configure issuing/CRL/OCSP information *in advance*
-
-This secrets engine serves CRLs from a predictable location, but it is not
-possible for the secrets engine to know where it is running. Therefore, you must
-configure desired URLs for the issuing certificate, CRL distribution points, and
-OCSP servers manually using the `config/urls` endpoint. It is supported to have
-more than one of each of these by passing in the multiple URLs as a
-comma-separated string parameter.
-
-### Safe Minimums
-
-Since its inception, this secrets engine has enforced SHA256 for signature
-hashes rather than SHA1. As of 0.5.1, a minimum of 2048 bits for RSA keys is
-also enforced. Software that can handle SHA256 signatures should also be able to
-handle 2048-bit keys, and 1024-bit keys are considered unsafe and are disallowed
-in the Internet PKI.
-
-### Token Lifetimes and Revocation
-
-When a token expires, it revokes all leases associated with it. This means that
-long-lived CA certs need correspondingly long-lived tokens, something that is
-easy to forget. Starting with 0.6, root and intermediate CA certs no longer have
-associated leases, to prevent unintended revocation when not using a token with
-a long enough lifetime. To revoke these certificates, use the `pki/revoke`
-endpoint.
-
-## Quick Start
-
-#### Mount the backend
-
-The first step to using the PKI backend is to mount it. Unlike the `kv`
-backend, the `pki` backend is not mounted by default.
-
-```text
-$ vault secrets enable pki
-Successfully mounted 'pki' at 'pki'!
-```
-
-#### Configure a CA certificate
-
-Next, Vault must be configured with a CA certificate and associated private
-key. We'll take advantage of the backend's self-signed root generation support,
-but Vault also supports generating an intermediate CA (with a CSR for signing)
-or setting a PEM-encoded certificate and private key bundle directly into the
-backend.
-
-Generally you'll want a root certificate to only be used to sign CA
-intermediate certificates, but for this example we'll proceed as if you will
-issue certificates directly from the root. As it's a root, we'll want to set a
-long maximum life time for the certificate; since it honors the maximum mount
-TTL, first we adjust that:
-
-```text
-$ vault secrets tune -max-lease-ttl=87600h pki
-Successfully tuned mount 'pki'!
-```
-
-That sets the maximum TTL for secrets issued from the mount to 10 years. (Note
-that roles can further restrict the maximum TTL.)
-
-Now, we generate our root certificate:
-
-```text
-$ vault write pki/root/generate/internal common_name=myvault.com ttl=87600h
-Key             Value
----             -----
-certificate     -----BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUJqrw/9EDZbp4DExaLjh0vSAHyBgwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMjA4MTkyMzIwWhcNMjcx
-MjA2MTkyMzQ5WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKY/vJ6sRFym+yFYUneoVtDmOCaDKAQiGzQw0IXL
-wgMBBb82iKpYj5aQjXZGIl+VkVnCi+M2AQ/iYXWZf1kTAdle4A6OC4+VefSIa2b4
-eB7R8aiGTce62jB95+s5/YgrfIqk6igfpCSXYLE8ubNDA2/+cqvjhku1UzlvKBX2
-hIlgWkKlrsnybHN+B/3Usw9Km/87rzoDR3OMxLV55YPHiq6+olIfSSwKAPjH8LZm
-uM1ITLG3WQUl8ARF17Dj+wOKqbUG38PduVwKL5+qPksrvNwlmCP7Kmjncc6xnYp6
-5lfr7V4DC/UezrJYCIb0g/SvtxoN1OuqmmvSTKiEE7hVOAcCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFECKdYM4gDbM
-kxRZA2wR4f/yNhQUMB8GA1UdIwQYMBaAFECKdYM4gDbMkxRZA2wR4f/yNhQUMBYG
-A1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCCJKZPcjjn
-7mvD2+sr6lx4DW/vJwVSW8eTuLtOLNu6/aFhcgTY/OOB8q4n6iHuLrEt8/RV7RJI
-obRx74SfK9BcOLt4+DHGnFXqu2FNVnhDMOKarj41yGyXlJaQRUPYf6WJJLF+ZphN
-nNsZqHJHBfZtpJpE5Vywx3pah08B5yZHk1ItRPEz7EY3uwBI/CJoBb+P5Ahk6krc
-LZ62kFwstkVuFp43o3K7cRNexCIsZGx2tsyZ0nyqDUFsBr66xwUfn3C+/1CDc9YL
-zjq+8nI2ooIrj4ZKZCOm2fKd1KeGN/CZD7Ob6uNhXrd0Tjwv00a7nffvYQkl/1V5
-BT55jevSPVVu
------END CERTIFICATE-----
-expiration      1828121029
-issuing_ca      -----BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUJqrw/9EDZbp4DExaLjh0vSAHyBgwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMjA4MTkyMzIwWhcNMjcx
-MjA2MTkyMzQ5WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKY/vJ6sRFym+yFYUneoVtDmOCaDKAQiGzQw0IXL
-wgMBBb82iKpYj5aQjXZGIl+VkVnCi+M2AQ/iYXWZf1kTAdle4A6OC4+VefSIa2b4
-eB7R8aiGTce62jB95+s5/YgrfIqk6igfpCSXYLE8ubNDA2/+cqvjhku1UzlvKBX2
-hIlgWkKlrsnybHN+B/3Usw9Km/87rzoDR3OMxLV55YPHiq6+olIfSSwKAPjH8LZm
-uM1ITLG3WQUl8ARF17Dj+wOKqbUG38PduVwKL5+qPksrvNwlmCP7Kmjncc6xnYp6
-5lfr7V4DC/UezrJYCIb0g/SvtxoN1OuqmmvSTKiEE7hVOAcCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFECKdYM4gDbM
-kxRZA2wR4f/yNhQUMB8GA1UdIwQYMBaAFECKdYM4gDbMkxRZA2wR4f/yNhQUMBYG
-A1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCCJKZPcjjn
-7mvD2+sr6lx4DW/vJwVSW8eTuLtOLNu6/aFhcgTY/OOB8q4n6iHuLrEt8/RV7RJI
-obRx74SfK9BcOLt4+DHGnFXqu2FNVnhDMOKarj41yGyXlJaQRUPYf6WJJLF+ZphN
-nNsZqHJHBfZtpJpE5Vywx3pah08B5yZHk1ItRPEz7EY3uwBI/CJoBb+P5Ahk6krc
-LZ62kFwstkVuFp43o3K7cRNexCIsZGx2tsyZ0nyqDUFsBr66xwUfn3C+/1CDc9YL
-zjq+8nI2ooIrj4ZKZCOm2fKd1KeGN/CZD7Ob6uNhXrd0Tjwv00a7nffvYQkl/1V5
-BT55jevSPVVu
------END CERTIFICATE-----
-serial_number   26:aa:f0:ff:d1:03:65:ba:78:0c:4c:5a:2e:38:74:bd:20:07:c8:18
-```
-
-The returned certificate is purely informational; it and its private key are
-safely stored in the backend mount.
-
-#### Set URL configuration
-
-Generated certificates can have the CRL location and the location of the
-issuing certificate encoded. These values must be set manually and typically to FQDN associated to the Vault server, but can be changed at any time.
-
-```text
-$ vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"
-Success! Data written to: pki/ca/urls
-```
-
-#### Configure a role
-
-The next step is to configure a role. A role is a logical name that maps to a
-policy used to generate those credentials. For example, let's create an
-"example-dot-com" role:
-
-```text
-$ vault write pki/roles/example-dot-com \
-    allowed_domains=example.com \
-    allow_subdomains=true max_ttl=72h
-Success! Data written to: pki/roles/example-dot-com
-```
-
-#### Issue Certificates
-
-By writing to the `roles/example-dot-com` path we are defining the
-`example-dot-com` role. To generate a new certificate, we simply write
-to the `issue` endpoint with that role name: Vault is now configured to create
-and manage certificates!
-
-```text
-$ vault write pki/issue/example-dot-com \
-    common_name=blah.example.com
-Key                 Value
----                 -----
-certificate         -----BEGIN CERTIFICATE-----
-MIIDvzCCAqegAwIBAgIUWQuvpMpA2ym36EoiYyf3Os5UeIowDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMjA4MTkyNDA1WhcNMTcx
-MjExMTkyNDM1WjAbMRkwFwYDVQQDExBibGFoLmV4YW1wbGUuY29tMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1CU93lVgcLXGPxRGTRT3GM5wqytCo7Z6
-gjfoHyKoPCAqjRdjsYgp1FMvumNQKjUat5KTtr2fypbOnAURDCh4bN/omcj7eAqt
-ldJ8mf8CtKUaaJ1kp3R6RRFY/u96BnmKUG8G7oDeEDsKlXuEuRcNbGlGF8DaM/O1
-HFa57cM/8yFB26Nj5wBoG5Om6ee5+W+14Qee8AB6OJbsf883Z+zvhJTaB0QM4ZUq
-uAMoMVEutWhdI5EFm5OjtMeMu2U+iJl2XqqgQ/JmLRjRdMn1qd9TzTaVSnjoZ97s
-jHK444Px1m45einLqKUJ+Ia2ljXYkkItJj9Ut6ZSAP9fHlAtX84W3QIDAQABo4H/
-MIH8MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
-AwIwHQYDVR0OBBYEFH/YdObW6T94U0zuU5hBfTfU5pt1MB8GA1UdIwQYMBaAFECK
-dYM4gDbMkxRZA2wR4f/yNhQUMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYf
-aHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraS9jYTAbBgNVHREEFDASghBibGFo
-LmV4YW1wbGUuY29tMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly8xMjcuMC4wLjE6
-ODIwMC92MS9wa2kvY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCDXbHV68VayweB2tkb
-KDdCaveaTULjCeJUnm9UT/6C0YqC/RxTAjdKFrilK49elOA3rAtEL6dmsDP2yH25
-ptqi2iU+y99HhZgu0zkS/p8elYN3+l+0O7pOxayYXBkFf5t0TlEWSTb7cW+Etz/c
-MvSqx6vVvspSjB0PsA3eBq0caZnUJv2u/TEiUe7PPY0UmrZxp/R/P/kE54yI3nWN
-4Cwto6yUwScOPbVR1d3hE2KU2toiVkEoOk17UyXWTokbG8rG0KLj99zu7my+Fyre
-sjV5nWGDSMZODEsGxHOC+JgNAC1z3n14/InFNOsHICnA5AnJzQdSQQjvcZHN2NyW
-+t4f
------END CERTIFICATE-----
-issuing_ca          -----BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUJqrw/9EDZbp4DExaLjh0vSAHyBgwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMjA4MTkyMzIwWhcNMjcx
-MjA2MTkyMzQ5WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKY/vJ6sRFym+yFYUneoVtDmOCaDKAQiGzQw0IXL
-wgMBBb82iKpYj5aQjXZGIl+VkVnCi+M2AQ/iYXWZf1kTAdle4A6OC4+VefSIa2b4
-eB7R8aiGTce62jB95+s5/YgrfIqk6igfpCSXYLE8ubNDA2/+cqvjhku1UzlvKBX2
-hIlgWkKlrsnybHN+B/3Usw9Km/87rzoDR3OMxLV55YPHiq6+olIfSSwKAPjH8LZm
-uM1ITLG3WQUl8ARF17Dj+wOKqbUG38PduVwKL5+qPksrvNwlmCP7Kmjncc6xnYp6
-5lfr7V4DC/UezrJYCIb0g/SvtxoN1OuqmmvSTKiEE7hVOAcCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFECKdYM4gDbM
-kxRZA2wR4f/yNhQUMB8GA1UdIwQYMBaAFECKdYM4gDbMkxRZA2wR4f/yNhQUMBYG
-A1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCCJKZPcjjn
-7mvD2+sr6lx4DW/vJwVSW8eTuLtOLNu6/aFhcgTY/OOB8q4n6iHuLrEt8/RV7RJI
-obRx74SfK9BcOLt4+DHGnFXqu2FNVnhDMOKarj41yGyXlJaQRUPYf6WJJLF+ZphN
-nNsZqHJHBfZtpJpE5Vywx3pah08B5yZHk1ItRPEz7EY3uwBI/CJoBb+P5Ahk6krc
-LZ62kFwstkVuFp43o3K7cRNexCIsZGx2tsyZ0nyqDUFsBr66xwUfn3C+/1CDc9YL
-zjq+8nI2ooIrj4ZKZCOm2fKd1KeGN/CZD7Ob6uNhXrd0Tjwv00a7nffvYQkl/1V5
-BT55jevSPVVu
------END CERTIFICATE-----
-private_key         -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1CU93lVgcLXGPxRGTRT3GM5wqytCo7Z6gjfoHyKoPCAqjRdj
-sYgp1FMvumNQKjUat5KTtr2fypbOnAURDCh4bN/omcj7eAqtldJ8mf8CtKUaaJ1k
-p3R6RRFY/u96BnmKUG8G7oDeEDsKlXuEuRcNbGlGF8DaM/O1HFa57cM/8yFB26Nj
-5wBoG5Om6ee5+W+14Qee8AB6OJbsf883Z+zvhJTaB0QM4ZUquAMoMVEutWhdI5EF
-m5OjtMeMu2U+iJl2XqqgQ/JmLRjRdMn1qd9TzTaVSnjoZ97sjHK444Px1m45einL
-qKUJ+Ia2ljXYkkItJj9Ut6ZSAP9fHlAtX84W3QIDAQABAoIBAQCf5YIANfF+gkNt
-/+YM6yRi+hZJrU2I/1zPETxPW1vaFZR8y4hEoxCEDD8JCRm+9k+w1TWoorvxgkEv
-r1HuDALYbNtwLd/71nCHYCKyH1b2uQpyl07qOAyASlb9r5oVjz4E6eobkd3N9fJA
-QN0EdK+VarN968mLJsD3Hxb8chGdObBCQ+LO+zdqQLaz+JwhfnK98rm6huQtYK3w
-ccd0OwoVmtZz2eJl11TJkB9fi4WqJyxl4wST7QC80LstB1deR78oDmN5WUKU12+G
-4Mrgc1hRwUSm18HTTgAhaA4A3rjPyirBohb5Sf+jJxusnnay7tvWeMnIiRI9mqCE
-dr3tLrcxAoGBAPL+jHVUF6sxBqm6RTe8Ewg/8RrGmd69oB71QlVUrLYyC96E2s56
-19dcyt5U2z+F0u9wlwR1rMb2BJIXbxlNk+i87IHmpOjCMS38SPZYWLHKj02eGfvA
-MjKKqEjNY/md9eVAVZIWSEy63c4UcBK1qUH3/5PNlyjk53gCOI/4OXX/AoGBAN+A
-Alyd6A/pyHWq8WMyAlV18LnzX8XktJ07xrNmjbPGD5sEHp+Q9V33NitOZpu3bQL+
-gCNmcrodrbr9LBV83bkAOVJrf82SPaBesV+ATY7ZiWpqvHTmcoS7nglM2XTr+uWR
-Y9JGdpCE9U5QwTc6qfcn7Eqj7yNvvHMrT+1SHwsjAoGBALQyQEbhzYuOF7rV/26N
-ci+z+0A39vNO++b5Se+tk0apZlPlgb2NK3LxxR+LHevFed9GRzdvbGk/F7Se3CyP
-cxgswdazC6fwGjhX1mOYsG1oIU0V6X7f0FnaqWETrwf1M9yGEO78xzDfgozIazP0
-s0fQeR9KXsZcuaotO3TIRxRRAoGAMFIDsLRvDKm1rkL0B0czm/hwwDMu/KDyr5/R
-2M2OS1TB4PjmCgeUFOmyq3A63OWuStxtJboribOK8Qd1dXvWj/3NZtVY/z/j1P1E
-Ceq6We0MOZa0Ae4kyi+p/kbAKPgv+VwSoc6cKailRHZPH7quLoJSIt0IgbfRnXC6
-ygtcLNMCgYBwiPw2mTYvXDrAcO17NhK/r7IL7BEdFdx/w8vNJQp+Ub4OO3Iw6ARI
-vXxu6A+Qp50jra3UUtnI+hIirMS+XEeWqJghK1js3ZR6wA/ZkYZw5X1RYuPexb/4
-6befxmnEuGSbsgvGqYYTf5Z0vgsw4tAHfNS7TqSulYH06CjeG1F8DQ==
------END RSA PRIVATE KEY-----
-private_key_type    rsa
-serial_number       59:0b:af:a4:ca:40:db:29:b7:e8:4a:22:63:27:f7:3a:ce:54:78:8a
-```
-
-Vault has now generated a new set of credentials using the `example-dot-com`
-role configuration. Here we see the dynamically generated private key and
-certificate.
-
-Using ACLs, it is possible to restrict using the pki backend such that trusted
-operators can manage the role definitions, and both users and applications are
-restricted in the credentials they are allowed to read.
-
-If you get stuck at any time, simply run `vault path-help pki` or with a
-subpath for interactive help output.
-
-## Setting Up Intermediate CA
-
-In the Quick Start guide, certificates were issued directly from the root
-certificate authority. As described in the example, this is not a recommended
-practice. This guide builds on the previous guide's root certificate authority
-and creates an intermediate authority using the root authority to sign the
-intermediate's certificate.
-
-#### Mount the backend
-
-To add another certificate authority to our Vault instance, we have to mount it
-at a different path.
-
-```text
-$ vault secrets enable -path=pki_int pki
-Successfully mounted 'pki' at 'pki_int'!
-```
-
-#### Configure an Intermediate CA
-
-```text
-$ vault secrets tune -max-lease-ttl=43800h pki_int
-Successfully tuned mount 'pki_int'!
-```
-
-That sets the maximum TTL for secrets issued from the mount to 5 years. This
-value should be less than or equal to the root certificate authority.
-
-Now, we generate our intermediate certificate signing request:
-
-```text
-$ vault write pki_int/intermediate/generate/internal common_name="myvault.com Intermediate Authority" ttl=43800h
-Key Value
-csr -----BEGIN CERTIFICATE REQUEST-----
-MIICsjCCAZoCAQAwLTErMCkGA1UEAxMibXl2YXVsdC5jb20gSW50ZXJtZWRpYXRl
-IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJU1Qh8l
-BW16WHAu34Fy92FnSy4219WVlKw1xwpKxjd95xH6WcxXozOs6oHFQ9c592bz51F8
-KK3FFJYraUrGONI5Cz9qHbzC1mFCmjnXVXCoeNKIzEBG0Y+ehH7MQ1SvDCyvaJPX
-ItFXaGf6zENiGsApw3Y3lFr0MjPzZDBH1p4Nq3aA6L2BaxvO5vczdQl5tE2ud/zs
-GIdCWnl1ThDEeiX1Ppduos/dx3gaZa9ly3iCuDMKIL9yK5XTBTgKB6ALPApekLQB
-kcUFbOuMzjrDSBe9ytu65yICYp26iAPPA8aKTj5cUgscgzEvQS66rSAVG/unrWxb
-wbl8b7eQztCmp60CAwEAAaBAMD4GCSqGSIb3DQEJDjExMC8wLQYDVR0RBCYwJIIi
-bXl2YXVsdC5jb20gSW50ZXJtZWRpYXRlIEF1dGhvcml0eTANBgkqhkiG9w0BAQsF
-AAOCAQEAZA9A1QvTdAd45+Ay55FmKNWnis1zLjbmWNJURUoDei6i6SCJg0YGX1cZ
-WkD0ibxPYihSsKRaIUwC2bE8cxZM57OSs7ISUmyPQAT2IHTHvuGK72qlFRBlFOzg
-SHEG7gfyKdrALphyF8wM3u4gXhcnY3CdltjabL3YakZqd3Ey4870/0XXeo5c4k7w
-/+n9M4xED4TnXYCGfLAlu5WWKSeCvu9mHXnJcLo1MiYjX7KGey/xYYbfxHSPm4ul
-tI6Vf59zDRscfNmq37fERD3TiKP0QZNGTSRvnrxrx2RUQGXFywM8l4doG8nS5BxU
-2jP20cdv0lJFvHr9663/8B/+F5L6Yw==
------END CERTIFICATE REQUEST-----
-```
-
-Take the signing request from the intermediate authority and sign it using
-another certificate authority, in this case the root certificate authority
-generated in the first example.
-
-```text
-$ vault write pki/root/sign-intermediate csr=@pki_int.csr format=pem_bundle ttl=43800h
-Key             Value
-certificate     -----BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIUENxQD7KIJi1zE/jEiYqAG1VC4NwwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMTI4MTcwNzIzWhcNMjIx
-MTI3MTcwNzUzWjAtMSswKQYDVQQDEyJteXZhdWx0LmNvbSBJbnRlcm1lZGlhdGUg
-QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5seNV4Yd
-uCMX0POUUuSzCBiR3Cyf9b9tGsCX7UfvZmjPs+Fl/X+Ovq6UtHM9RuTGlyfFrCWy
-pflO7mc0H8PBzlvhv1WQet5aRyUOXkG6iYmooG9iobIY8z/TZCaCF605pgygfOaS
-DIlwOdJkfiXxGpQ00pfIwe/Y2OK2I5e36u0E2EA6kXvcfexLjQGFPbod+H0R29Ro
-/GwOJ6MpSHqB77mF025x1y08EtqT1z1kFCiDzFSkzNZEZYWljhDS6ZRY9ctzKufm
-5CkUwmvCVRI2CivDJvmfhXyv0DRoq4IhYdJHo179RSObq3BY9f9LQ0balNLiM0Ft
-O8f0urTqUAbySwIDAQABo4GTMIGQMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBSQgTfcMrKYzyckP6t/0iVQkl0ZBDAfBgNVHSMEGDAW
-gBRccsCARqs3wQDjW7JMNXS6pWlFSDAtBgNVHREEJjAkgiJteXZhdWx0LmNvbSBJ
-bnRlcm1lZGlhdGUgQXV0aG9yaXR5MA0GCSqGSIb3DQEBCwUAA4IBAQABNg2HxccY
-DwRpsJ+sxA0BgDyF+tYtOlXViVNv6Z+nOU0nNhQSCjfzjYWmBg25nfKaFhQSC3b7
-fIW+e7it/FLVrCgaqdysoxljqhR0gXMAy8S/ubmskPWjJiKauJB5bfB59Uf2GP6j
-zimZDu6WjWvvgkKcJqJEbOOS9DWBvCTdmmml1NMXZtcytpod2Y7mxninqNRx3qpx
-Pst4vgAbyM/3zLSzkyUD+MXIyRXwxktFlyEYBHvMd9OoHzLO6WLxk22FyQQ+w4by
-NfXJY4r5pj6a4lJ6pPuqyfBhidYMTdY3AI7w/QRGk4qQv1iDmnZspk2AxdbR5Lwe
-YmChIML/f++S
------END CERTIFICATE-----
-expiration      1669568873
-issuing_ca      -----BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUdR44qhhyh3CZjnCtflGKQlTI8NswDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTcxMTI4MTYxODA2WhcNMjcx
-MTI2MTYxODM1WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANTPnQ2CUkuLrYT4V6/IIK/gWFZXFG4lWTmgM5Zh
-PDquMhLEikZCbZKbupouBI8MOr5i8tycENaTnSs9dBwVEOWAHbLkliVgvCKgLi0F
-PfPM87FnBoKVctO2ip8AdmYcAt/wc096dWBG6eKLVP5xsAe7NcYDtF/inHgEZ22q
-ZjGVEyC6WntIASgULoHGgHakPp1AHLhGm8nL5YbusWY7RgZIlNeGWLVoneG0pxdV
-7W1SPO67dsQyq58mTxMIGVUj5YE1q7/C6OhCTnAHc+sRm0oUehPfO8kY4NHpCJGv
-nDRdJi6k6ewk94c0KK2tUUM/TN6ZSRfx6ccgfPH8zNcVPVcCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFxywIBGqzfB
-AONbskw1dLqlaUVIMB8GA1UdIwQYMBaAFFxywIBGqzfBAONbskw1dLqlaUVIMBYG
-A1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBgvsgpBuVR
-iKVdXXpFyoQLImuoaHZgaj5tuUDqnMoxOA1XWW6SVlZmGfDQ7+u5NBkp2cGSDRGm
-ARHJTeURvdZIwdFdGkNqfAZjutRjjQOnXgS65ujZd7AnlZq1v0ZOZqVVk9YEOhOe
-Rh2MjnHGNuiLBib1YNQHNuRef1mPwIE2Gm/Tz/z3JPHtkKNIKbn60zHrIIM/OT2Z
-HYjcMUcqXtKGYfNjVspJm3lSDUoyJdaq80Afmy2Ez1Vt9crGG3Dj8mgs59lEhEyo
-MDVhOP116M5HJfQlRPVd29qS8pFrjBvXKjJSnJNG1UFdrWBJRJ3QrBxUQALKrJlR
-g5lvTeymHjS/
------END CERTIFICATE-----
-serial_number   10:dc:50:0f:b2:88:26:2d:73:13:f8:c4:89:8a:80:1b:55:42:e0:dc
-```
-
-Now set the intermediate certificate authorities signing certificate to the
-root-signed certificate.
-
-```text
-$ vault write pki_int/intermediate/set-signed certificate=@signed_certificate.pem
-Success! Data written to: pki_int/intermediate/set-signed
-```
-
-The intermediate certificate authority is now configured and ready to issue
-certificates.
-
-#### Set URL configuration
-
-Generated certificates can have the CRL location and the location of the
-issuing certificate encoded. These values must be set manually, but can be
-changed at any time.
-
-```text
-$ vault write pki_int/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki_int/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki_int/crl"
-Success! Data written to: pki_int/ca/urls
-```
-
-#### Configure a role
-
-The next step is to configure a role. A role is a logical name that maps to a
-policy used to generate those credentials. For example, let's create an
-"example-dot-com" role:
-
-```text
-$ vault write pki_int/roles/example-dot-com \
-    allowed_domains=example.com \
-    allow_subdomains=true max_ttl=72h
-Success! Data written to: pki_int/roles/example-dot-com
-```
-
-#### Issue Certificates
-
-By writing to the `roles/example-dot-com` path we are defining the
-`example-dot-com` role. To generate a new certificate, we simply write
-to the `issue` endpoint with that role name: Vault is now configured to create
-and manage certificates!
-
-```text
-$ vault write pki_int/issue/example-dot-com \
-    common_name=blah.example.com
-Key                 Value
----                 -----
-certificate         -----BEGIN CERTIFICATE-----
-MIIDbDCCAlSgAwIBAgIUPiAyxq+nIE6xlWf7hrzLkPQxtvMwDQYJKoZIhvcNAQEL
-BQAwMzExMC8GA1UEAxMoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1
-dGhvcml0eTAeFw0xNjA5MjcwMDA5MTNaFw0xNjA5MjcwMTA5NDNaMBsxGTAXBgNV
-BAMTEGJsYWguZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDJAYB04IVdmSC/TimaA6BbXlvgBTZHL5wBUTmO4iHhenL0eDEXVe2Fd7Yq
-75LiBJmcC96hKbqh5rwS8KwN9ElZI52/mSMC+IvoNlYHAf7shwfsjrVx3q7/bTFg
-lz6wECn1ugysxynmMvgQD/pliRkxTQ7RMh4Qlh75YG3R9BHy9ZddklZp0aNaitts
-0uufHnN1UER/wxBCZdWTUu34KDL9I6yE7Br0slKKHPdEsGlFcMkbZhvjslZ7DGvO
-974S0qtOdKiawJZbpNPg0foGZ3AxesDUlkHmmgzUNes/sjknDYTHEfeXM6Uap0j6
-XvyhCxqdeahb/Vtibg0z9I0IusJbAgMBAAGjgY8wgYwwDgYDVR0PAQH/BAQDAgOo
-MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU/5oy0rL7
-TT0wX7KZK7qcXqgayNwwHwYDVR0jBBgwFoAUgM37P8oXmA972ztLfw+b1eIY5now
-GwYDVR0RBBQwEoIQYmxhaC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
-CT2vI6/taeLTw6ZulUhLXEXYXWZu1gF8n2COjZzbZXmHxQAoZ3GtnSNwacPHAyIj
-f3cA9Moo552y39LUtWk+wgFtQokWGK7LXglLaveNUBowOHq/xk0waiIinJcgTG53
-Z/qnbJnTjAOG7JwVJplWUIiS1avCksrHt7heE2EGRGJALqyLZ119+PW6ogtCLUv1
-X8RCTw/UkIF/LT+sLF0bXWy4Hn38Gjwj1MVv1l76cEGOVSHyrYkN+6AMnAP58L5+
-IWE9tN3oac4x7jhbuNpfxazIJ8Q6l/Up5U5Evfbh6N1DI0/gFCP20fMBkHwkuLfZ
-2ekZoSeCgFRDlHGkr7Vv9w==
------END CERTIFICATE-----
-issuing_ca          -----BEGIN CERTIFICATE-----
-MIIDijCCAnKgAwIBAgIUB28DoGwgGFKL7fbOu9S4FalHLn0wDQYJKoZIhvcNAQEL
-BQAwLzEtMCsGA1UEAxMkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9y
-aXR5MB4XDTE2MDkyNzAwMDgyMVoXDTI2MDkxNjE2MDg1MVowMzExMC8GA1UEAxMo
-VmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOSCiSij4wy1wiMwvZt+rtU3IaO6ZTn9
-LfIPuGsR5/QSJk37pCZQco1LgoE/rTl+/xu3bDovyHDmgObghC6rzVOX2Tpi7kD+
-DOZpqxOsaS8ebYgxB/XJTSxyEJuSAcpSNLqqAiZivuQXdaD0N7H3Or0awwmKE9mD
-I0g8CF4fPDmuuOG0ASn9fMqXVVt5tXtEqZ9yJYfNOXx3FOPjRVOZf+kvSc31wCKe
-i/KmR0AQOmToKMzq988nLqFPTi9KZB8sEU20cGFeTQFol+m3FTcIru94EPD+nLUn
-xtlLELVspYb/PP3VpvRj9b+DY8FGJ5nfSJl7Rkje+CD4VxJpSadin3kCAwEAAaOB
-mTCBljAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
-gM37P8oXmA972ztLfw+b1eIY5nowHwYDVR0jBBgwFoAUj4YAIxRwrBy0QMRKLnD0
-kVidIuYwMwYDVR0RBCwwKoIoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3Vi
-IEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAA4buJuPNJvA1kiATLw1dVU2J
-HPubk2Kp26Mg+GwLn7Vz45Ub133JCYfF3/zXLFZZ5Yub9gWTtjScrvNfQTAbNGdQ
-BdnUlMmIRmfB7bfckhryR2R9byumeHATgNKZF7h8liNHI7X8tTzZGs6wPdXOLlzR
-TlM3m1RNK8pbSPOkfPb06w9cBRlD8OAbNtJmuypXA6tYyiiMYBhP0QLAO3i4m1ns
-aAjAgEjtkB1rQxW5DxoTArZ0asiIdmIcIGmsVxfDQIjFlRxAkafMs74v+5U5gbBX
-wsOledU0fLl8KLq8W3OXqJwhGLK65fscrP0/omPAcFgzXf+L4VUADM4XhW6Xyg==
------END CERTIFICATE-----
-ca_chain            [-----BEGIN CERTIFICATE-----
-MIIDijCCAnKgAwIBAgIUB28DoGwgGFKL7fbOu9S4FalHLn0wDQYJKoZIhvcNAQEL
-BQAwLzEtMCsGA1UEAxMkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9y
-aXR5MB4XDTE2MDkyNzAwMDgyMVoXDTI2MDkxNjE2MDg1MVowMzExMC8GA1UEAxMo
-VmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOSCiSij4wy1wiMwvZt+rtU3IaO6ZTn9
-LfIPuGsR5/QSJk37pCZQco1LgoE/rTl+/xu3bDovyHDmgObghC6rzVOX2Tpi7kD+
-DOZpqxOsaS8ebYgxB/XJTSxyEJuSAcpSNLqqAiZivuQXdaD0N7H3Or0awwmKE9mD
-I0g8CF4fPDmuuOG0ASn9fMqXVVt5tXtEqZ9yJYfNOXx3FOPjRVOZf+kvSc31wCKe
-i/KmR0AQOmToKMzq988nLqFPTi9KZB8sEU20cGFeTQFol+m3FTcIru94EPD+nLUn
-xtlLELVspYb/PP3VpvRj9b+DY8FGJ5nfSJl7Rkje+CD4VxJpSadin3kCAwEAAaOB
-mTCBljAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
-gM37P8oXmA972ztLfw+b1eIY5nowHwYDVR0jBBgwFoAUj4YAIxRwrBy0QMRKLnD0
-kVidIuYwMwYDVR0RBCwwKoIoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3Vi
-IEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAA4buJuPNJvA1kiATLw1dVU2J
-HPubk2Kp26Mg+GwLn7Vz45Ub133JCYfF3/zXLFZZ5Yub9gWTtjScrvNfQTAbNGdQ
-BdnUlMmIRmfB7bfckhryR2R9byumeHATgNKZF7h8liNHI7X8tTzZGs6wPdXOLlzR
-TlM3m1RNK8pbSPOkfPb06w9cBRlD8OAbNtJmuypXA6tYyiiMYBhP0QLAO3i4m1ns
-aAjAgEjtkB1rQxW5DxoTArZ0asiIdmIcIGmsVxfDQIjFlRxAkafMs74v+5U5gbBX
-wsOledU0fLl8KLq8W3OXqJwhGLK65fscrP0/omPAcFgzXf+L4VUADM4XhW6Xyg==
------END CERTIFICATE-----]
-private_key         -----BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEAyQGAdOCFXZkgv04pmgOgW15b4AU2Ry+cAVE5juIh4Xpy9Hgx
-F1XthXe2Ku+S4gSZnAveoSm6oea8EvCsDfRJWSOdv5kjAviL6DZWBwH+7IcH7I61
-cd6u/20xYJc+sBAp9boMrMcp5jL4EA/6ZYkZMU0O0TIeEJYe+WBt0fQR8vWXXZJW
-adGjWorbbNLrnx5zdVBEf8MQQmXVk1Lt+Cgy/SOshOwa9LJSihz3RLBpRXDJG2Yb
-47JWewxrzve+EtKrTnSomsCWW6TT4NH6BmdwMXrA1JZB5poM1DXrP7I5Jw2ExxH3
-lzOlGqdI+l78oQsanXmoW/1bYm4NM/SNCLrCWwIDAQABAoIBAQCCbHMJY1Wl8eIJ
-v5HG2WuHXaaHqVoavo2fXTDXwWryfx1v+zz/Q0YnQBH3shPAi/OQCTOfpw/uVWTb
-dUZul3+wUyfcVmUdXGCLgBY53dWna8Z8e+zHwhISsqtDXV/TpelUBDCNO324XIIR
-Cg0TLO4nyzQ+ESLo6D+Y2DTp8lBjMEkmKTd8CLXR2ycEoVykN98qPZm8keiLGO91
-I8K7aRd8uOyQ6HUfJRlzFHSuwaLReErxGTEPI4t/wVqh2nP2gGBsn3apiJ0ul6Jz
-NlYO5PqiwpeDk4ibhQBpicnm1jnEcynH/WtGuKgMNB0M4SBRBsEguO7WoKx3o+qZ
-iVIaPWDhAoGBAO05UBvyJpAcz/ZNQlaF0EAOhoxNQ3h6+6ZYUE52PgZ/DHftyJPI
-Y+JJNclY91wn91Yk3ROrDi8gqhzA+2Lelxo1kuZDu+m+bpzhVUdJia7tZDNzRIhI
-24eP2GdochooOZ0qjvrik4kuX43amBhQ4RHsBjmX5CnUlL5ZULs8v2xnAoGBANjq
-VLAwiIIqJZEC6BuBvVYKaRWkBCAXvQ3j/OqxHRYu3P68PZ58Q7HrhrCuyQHTph2v
-fzfmEMPbSCrFIrrMRmjUG8wopL7GjZjFl8HOBHFwzFiz+CT5DEC+IJIRkp4HM8F/
-PAzjB2wCdRdSjLTD5ph0/xQIg5xfln7D+wqU0QHtAoGBAKkLF0/ivaIiNftw0J3x
-WxXag/yErlizYpIGCqvuzII6lLr9YdoViT/eJYrmb9Zm0HS9biCu2zuwDijRSBIL
-RieyF40opUaKoi3+0JMtDwTtO2MCd8qaCH3QfkgqAG0tTuj1Q8/6F2JA/myKYamq
-MMhhpYny9+7rAlemM8ZJIqtvAoGBAKOI3zpKDNCdd98A4v7B7H2usZUIJ7gOTZDo
-XqiNyRENWb2PK6GNq/e6SrxvuclvyKA+zFnXULJoYtsj7tAH69lieGaOCc5uoRgZ
-eBU7/euMj/McE6vEO3GgJawaJYCQi3uJMjvA+bp7i81+hehOfU5ZfmmbFaZSBoMh
-u+U5Vu3tAoGBANnBIbHfD3E7rqnqdpH1oRRHLA1VdghzEKgyUTPHNDzPJG87RY3c
-rRqeXepblud3qFjD60xS9BzcBijOvZ4+KHk6VIMpkyqoeNVFCJbBVCw+JGMp88+v
-e9t+2iwryh5+rnq+pg6anmgwHldptJc1XEFZA2UUQ89RP7kOGQF6IkIS
------END RSA PRIVATE KEY-----
-private_key_type    rsa
-serial_number       3e:20:32:c6:af:a7:20:4e:b1:95:67:fb:86:bc:cb:90:f4:31:b6:f3
-```
-
-Vault has now generated a new set of credentials using the `example-dot-com`
-role configuration. Here we see the dynamically generated private key and
-certificate. The issuing CA certificate and CA trust chain are returned as well.
-The CA Chain returns all the intermediate authorities in the trust chain. The root
-authority is not included since that will usually be trusted by the underlying
-OS.
-
-## Learn
-
-Refer to the [Build Your Own Certificate Authority (CA)](https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine)
-guide for a step-by-step tutorial.
-
-## API
-
-The PKI secrets engine has a full HTTP API. Please see the
-[PKI secrets engine API](/api/secret/pki/index.html) for more
-details.
diff --git a/website/source/docs/secrets/postgresql/index.html.md b/website/source/docs/secrets/postgresql/index.html.md
deleted file mode 100644
index 741766938d84..000000000000
--- a/website/source/docs/secrets/postgresql/index.html.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-layout: "docs"
-page_title: "PostgreSQL - Secrets Engines"
-sidebar_title: "PostgreSQL <sup>DEPRECATED</sup>"
-sidebar_current: "docs-secrets-postgresql"
-description: |-
-  The PostgreSQL secrets engine for Vault generates database credentials to access PostgreSQL.
----
-
-# PostgreSQL Secrets Engine
-
-Name: `postgresql`
-
-~> **Deprecation Note:** This secrets engine is deprecated in favor of the
-combined databases secrets engine added in v0.7.1. See the documentation for
-the new implementation of this secrets engine at
-[PostgreSQL database plugin](/docs/secrets/databases/postgresql.html).
-
-The PostgreSQL secrets engine for Vault generates database credentials
-dynamically based on configured roles. This means that services that need
-to access a database no longer need to hardcode credentials: they can request
-them from Vault, and use Vault's leasing mechanism to more easily roll keys.
-
-Additionally, it introduces a new ability: with every service accessing
-the database with unique credentials, it makes auditing much easier when
-questionable data access is discovered: you can track it down to the specific
-instance of a service based on the SQL username.
-
-Vault makes use both of its own internal revocation system as well as the
-`VALID UNTIL` setting when creating PostgreSQL users to ensure that users
-become invalid within a reasonable time of the lease expiring.
-
-This page will show a quick start for this secrets engine. For detailed documentation
-on every path, use `vault path-help` after mounting the secrets engine.
-
-## Quick Start
-
-The first step to using the PostgreSQL secrets engine is to mount it. Unlike the
-`kv` secrets engine, the `postgresql` secrets engine is not mounted by default.
-
-```text
-$ vault secrets enable postgresql
-Success! Enabled the postgresql secrets engine at: postgresql/
-```
-
-Next, Vault must be configured to connect to the PostgreSQL. This is done by
-writing either a PostgreSQL URL or PG connection string:
-
-```text
-$ vault write postgresql/config/connection \
-    connection_url="postgresql://root:vaulttest@vaulttest.ciuvljjni7uo.us-west-1.rds.amazonaws.com:5432/postgres"
-```
-
-In this case, we've configured Vault with the user "root" and password "vaulttest",
-connecting to a PostgreSQL instance in AWS RDS. The "postgres" database name is being used.
-It is important that the Vault user have the `GRANT OPTION` privilege to manage users.
-
-Optionally, we can configure the lease settings for credentials generated
-by Vault. This is done by writing to the `config/lease` key:
-
-```
-$ vault write postgresql/config/lease lease=1h lease_max=24h
-Success! Data written to: postgresql/config/lease
-```
-
-This restricts each credential to being valid or leased for 1 hour
-at a time, with a maximum use period of 24 hours. This forces an
-application to renew their credentials at least hourly, and to recycle
-them once per day.
-
-The next step is to configure a role. A role is a logical name that maps
-to a policy used to generated those credentials. For example, lets create
-a "readonly" role:
-
-```text
-$ vault write postgresql/roles/readonly \
-    sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
-    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
-Success! Data written to: postgresql/roles/readonly
-```
-
-By writing to the `roles/readonly` path we are defining the `readonly` role.
-This role will be created by evaluating the given `sql` statements. By
-default, the `{{name}}`, `{{password}}` and `{{expiration}}` fields will be populated by
-Vault with dynamically generated values. This SQL statement is creating
-the named user, and then granting it `SELECT` or read-only privileges
-to tables in the database. More complex `GRANT` queries can be used to
-customize the privileges of the role. See the [PostgreSQL manual](http://www.postgresql.org/docs/9.4/static/sql-grant.html)
-for more information.
-
-To generate a new set of credentials, we simply read from that role:
-Vault is now configured to create and manage credentials for Postgres!
-
-```text
-$ vault read postgresql/creds/readonly
-Key               Value
----               -----
-lease_id          postgresql/creds/readonly/c888a097-b0e2-26a8-b306-fc7c84b98f07
-lease_duration    3600
-password          34205e88-0de1-68b7-6267-72d8e32c5d3d
-username          root-1430162075-7887
-```
-
-By reading from the `creds/readonly` path, Vault has generated a new
-set of credentials using the `readonly` role configuration. Here we
-see the dynamically generated username and password, along with a one
-hour lease.
-
-Using ACLs, it is possible to restrict using the postgresql secrets engine such
-that trusted operators can manage the role definitions, and both
-users and applications are restricted in the credentials they are
-allowed to read.
-
-If you get stuck at any time, simply run `vault path-help postgresql` or with a
-subpath for interactive help output.
-
-## API
-
-The PostgreSQL secrets engine has a full HTTP API. Please see the
-[PostgreSQL secrets engine API](/api/secret/postgresql/index.html) for more
-details.
diff --git a/website/source/docs/secrets/rabbitmq/index.html.md b/website/source/docs/secrets/rabbitmq/index.html.md
deleted file mode 100644
index b92bd1d0c56a..000000000000
--- a/website/source/docs/secrets/rabbitmq/index.html.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-layout: "docs"
-page_title: "RabbitMQ - Secrets Engines"
-sidebar_title: "RabbitMQ"
-sidebar_current: "docs-secrets-rabbitmq"
-description: |-
-  The RabbitMQ secrets engine for Vault generates user credentials to access RabbitMQ.
----
-
-# RabbitMQ Secrets Engine
-
-The RabbitMQ secrets engine generates user credentials dynamically based on
-configured permissions and virtual hosts. This means that services that need to
-access a virtual host no longer need to hardcode credentials.
-
-With every service accessing the messaging queue with unique credentials,
-auditing is much easier when questionable data access is discovered. Easily
-track issues down to a specific instance of a service based on the RabbitMQ
-username.
-
-Vault makes use both of its own internal revocation system as well as the
-deleting RabbitMQ users when creating RabbitMQ users to ensure that users become
-invalid within a reasonable time of the lease expiring.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the RabbitMQ secrets engine:
-
-    ```text
-    $ vault secrets enable rabbitmq
-    Success! Enabled the rabbitmq secrets engine at: rabbitmq/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure the credentials that Vault uses to communicate with RabbitMQ to
-generate credentials:
-
-    ```text
-    $ vault write rabbitmq/config/connection \
-        connection_uri="http://localhost:15672" \
-        username="admin" \
-        password="password"
-    Success! Data written to: rabbitmq/config/connection
-    ```
-
-    It is important that the Vault user have the administrator privilege to
-    manager users.
-
-
-1. Configure a role that maps a name in Vault to virtual host permissions:
-
-    ```text
-    $ vault write rabbitmq/roles/my-role \
-        vhosts='{"/":{"write": ".*", "read": ".*"}}'
-    Success! Data written to: rabbitmq/roles/my-role
-    ```
-
-    By writing to the `roles/my-role` path we are defining the `my-role` role.
-    This role will be created by evaluating the given `vhosts`, `vhost_topics`
-    and `tags` statements. By default, no tags, no virtual hosts or topic
-    permissions are assigned to a role. If no topic permissions are defined
-    and the default authorisation backend is used, publishing to a topic
-    exchange or consuming from a topic is always authorised. You can read
-    more about [RabbitMQ management tags][rmq-perms]
-    and [RabbitMQ topic authorization][rmq-topics].
-
- 
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new credential by reading from the `/creds` endpoint with the name
-of the role:
-
-    ```text
-    $ vault read rabbitmq/creds/my-role
-    Key                Value
-    ---                -----
-    lease_id           rabbitmq/creds/my-role/37d70d04-f24d-760a-e06e-b9b21087f0f4
-    lease_duration     768h
-    lease_renewable    true
-    password           a98af72b-b6c9-b4b1-fe37-c73a572befed
-    username           token-590f1fe2-1094-a4d6-01a7-9d4ff756a085
-    ```
-
-    Using ACLs, it is possible to restrict using the rabbitmq secrets engine
-    such that trusted operators can manage the role definitions, and both users
-    and applications are restricted in the credentials they are allowed to read.
-
-## API
-
-The RabbitMQ secrets engine has a full HTTP API. Please see the
-[RabbitMQ secrets engine API](/api/secret/rabbitmq/index.html) for more
-details.
-
-[rmq-perms]: https://www.rabbitmq.com/management.html#permissions
-[rmq-topics]: https://www.rabbitmq.com/access-control.html#topic-authorisation
diff --git a/website/source/docs/secrets/ssh/dynamic-ssh-keys.html.md b/website/source/docs/secrets/ssh/dynamic-ssh-keys.html.md
deleted file mode 100644
index 849ee2e4a6c2..000000000000
--- a/website/source/docs/secrets/ssh/dynamic-ssh-keys.html.md
+++ /dev/null
@@ -1,195 +0,0 @@
----
-layout: "docs"
-page_title: "Dynamic SSH Keys - SSH - Secrets Engines"
-sidebar_title: "Dynamic Key"
-sidebar_current: "docs-secrets-ssh-dynamic-ssh-keys"
-description: |-
-  When using this type, the administrator registers a secret key with
-  appropriate sudo privileges on the remote machines. For every authorized
-  credential request, Vault creates a new SSH key pair and appends the
-  newly-generated public key to the authorized_keys file for the configured
-  username on the remote host. Vault uses a configurable install script to
-  achieve this.
----
-
-# Dynamic SSH Keys
-
-~> **Deprecated**: There are several serious drawbacks and security implications
-inherent in this type. Because of these drawbacks, please use the SSH CA or OTP
-types whenever possible.
-
-When using this type, the administrator registers a secret key with appropriate
-`sudo` privileges on the remote machines; for every authorized credential
-request, Vault creates a new SSH key pair and appends the newly-generated public
-key to the `authorized_keys` file for the configured username on the remote
-host. Vault uses a configurable install script to achieve this.
-
-The secrets engine does not prompt for `sudo` passwords; the `NOPASSWD` option for
-sudoers should be enabled at all remote hosts for the Vault administrative
-user.
-
-The private key returned to the user will be leased and can be renewed if
-desired. Once the key is given to the user, Vault will not know when it gets
-used or how many time it gets used. Therefore, Vault **WILL NOT** and cannot
-audit the SSH session establishments.
-
-When the credential lease expires, Vault removes the secret key from the remote
-machine.
-
-This page will show a quick start for this secrets engine. For detailed documentation
-on every path, use `vault path-help` after mounting the secrets engine.
-
-### Drawbacks
-
-The dynamic key type has several serious drawbacks:
-
-1. _Audit logs are unreliable_: Vault can only log when users request
-   credentials, not when they use the given keys. If user A and user B both
-   request access to a machine, and are given a lease valid for five minutes,
-   it is impossible to know whether two accesses to that user account on the
-   remote machine were A, A; A, B; B, A; or B, B.
-2. _Generating dynamic keys consumes entropy_: Unless equipped with a hardware
-   entropy generating device, a machine can quickly run out of entropy when
-   generating SSH keys. This will cause further requests for various Vault
-   operations to stall until more entropy is available, which could take a
-   significant amount of time, after which the next request for a new SSH key
-   will use the generated entropy and cause stalling again.
-3. This type makes connections to client hosts; when this happens the host key
-   is *not* verified.
-
-### sudo
-
-In order to adjust the `authorized_keys` file for the desired user, Vault
-connects via SSH to the remote machine as a separate user, and uses `sudo` to
-gain the privileges required. An example `sudoers` file is shown below.
-
-File: `/etc/sudoers`
-
-```hcl
-# This is a sample sudoers statement; you should modify it
-# as appropriate to satisfy your security needs.
-vaultadmin   ALL=(ALL)NOPASSWD: ALL
-```
-
-### Configuration
-
-Next, infrastructure configuration must be registered with Vault via roles.
-First, however, the shared secret key must be specified.
-
-### Mount the secrets engine
-
-```text
-$ vault secrets enable ssh
-Successfully mounted 'ssh' at 'ssh'!
-```
-
-#### Registering the shared secret key
-
-Register a key with a name; this key must have administrative capabilities on
-the remote hosts.
-
-```text
-$ vault write ssh/keys/dev_key \
-    key=@dev_shared_key.pem
-```
-
-#### Create a Role
-
-Next, create a role. All of the machines contained within this CIDR block list
-should be accessible using the registered shared secret key.
-
-```text
-$ vault write ssh/roles/dynamic_key_role \
-    key_type=dynamic \
-    key=dev_key \
-    admin_user=username \
-    default_user=username \
-    cidr_list=x.x.x.x/y
-Success! Data written to: ssh/roles/dynamic_key_role
-```
-
-`cidr_list` is a comma separated list of CIDR blocks for which a role can
-generate credentials. If this is empty, the role can only generate credentials
-if it belongs to the set of zero-address roles.
-
-Zero-address roles, configured via `/ssh/config/zeroaddress` endpoint, takes
-comma separated list of role names that can generate credentials for any IP
-address.
-
-Use the `install_script` option to provide an install script if the remote
-hosts do not resemble a typical Linux machine. The default script is compiled
-into the Vault binary, but it is straight forward to specify an alternate.  The
-script takes three arguments which are explained in the comments.
-
-To see the default, see
-[linux_install_script.go](https://github.com/hashicorp/vault/blob/master/builtin/logical/ssh/linux_install_script.go)
-
-### Create a credential
-
-Create a dynamic key for an IP of the remote host that is covered by
-`dynamic_key_role`'s CIDR list.
-
-```text
-$ vault write ssh/creds/dynamic_key_role ip=x.x.x.x
-Key            	Value
-lease_id       	ssh/creds/dynamic_key_role/8c4d2042-23bc-d6a8-42c2-6ff01cb83cf8
-lease_duration 	600
-lease_renewable	true
-ip             	x.x.x.x
-key            	-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA5V/Y95qfGaUXRPkKNK9jgDHXPD2n5Ein+QTNnLSGrHtJUH7+
-pgs/5Hc4//124P9qHNmjIYQVyvcLreFgSrQCq4K8193hmypBYtsvCgvpc+jEwaGA
-zK0QV7uc1z8KL7FuRAxpHJwB6+nubOzzqM03xsViHRhaWhYVHw2Vl4oputSHE7R9
-ugaTRg67wge4Nyi5RRL0RQcmW15/Vop8B6HpBSmZQy3enjg+32KbOWCMMTAPuF9/
-DgxSgZQaFMjGN4RjDreZI8Vv5zIiFJzZ3KVOWy8piI0PblLnDpU4Q0QSQ9A+Vr7b
-JS22Lbet1Zbapl/n947/r1wGObLCc5Lilu//1QIDAQABAoIBAHWLfdO9sETjHp6h
-BULkkpgScpuTeSN6vGHXvUrOFKn1cCfJPNR4tWBuXI6LJM2+9nEccwXs+4IMwjZ0
-ZfVCdI/SKtZxBXmP2PxBGMUMP7G/mn0kN64sDlD3ezOvQZgZVEmZFpCrvixYsG+v
-qlpZ+HhrlJEWds7tvBsyyfNjwWjVIpm08zBmteFj4zu7OEcmGXEHDoxDXxyVP2BG
-eLU/fM5JA2UEjfCQ1MIZ3rBtPePdz4LRpb+ajklqrUj1OHoiDrXa8EAf0/wDP9re
-c1iH4bn7ZjYK0+IhZ+Pmw6gUftzZNWSC2kOLnZLdN/K7hgh0l0r0K/1eeXt43upB
-WALNuiECgYEA8PM2Ob3XXKALF86PUewne4fCz9iixr/cIpvrEGrh9lyQRO8X5Jxb
-ug38jEql4a574C6TSXfzxURza4P6lnfa0LvymmW0bhxZ5nev9kcAVnLKvpOUArTR
-32k9bKXd6zp8Q9ZyVNwHRxcVs4YgwfJlcx8geC4o6YRiIjvcBQ9RVHkCgYEA87OK
-lZDFBeEY/HVOxAQNXS5fgTd4U4DbwEJLv7SPk02v9oDkGHkpgMs4PcsIpCzsTpJ0
-oXMfLSxZ1lmZiuUvAupKj/7RjJ0XyjSMfm1Zs81epWj+boVfM4amZNHVLIWgddmM
-XzXEZKByvi1gs7qFcjQz2DEbZltWO6dX14O4Fz0CgYEAlWSWyHJWZ02r0xT1c7vS
-NxtTxH7zXftzR9oYgtNiStfVc4gy7kGr9c3aOjnGZAlFMRhvpevDrxnj3lO0OTsS
-5rzBjM1mc6cMboLjDPW01eTSpBroeE0Ym0arGQQ2djSK+5yowsixknhTsj2FbfsW
-v6wa+6jTIQY9ujAXGOQIbzECgYAYuXlw7SwgCZNYYappFqQodQD5giAyEJu66L74
-px/96N7WWoNJvFkqmPOOyV+KEIi0/ATbMGvUUHCY36RFRDU9zXldHJQz+Ogl+qja
-VsvIAyj8DSfrHJrpBlsxVVyUVMZPzo+ARVs0flbF1qK9+Ul6qbMs1uaZvuCD0tmF
-ovZ1XQKBgQDB0s7SDmAMgVjG8UBZgUru9vsDrxERT2BloptnnAjSiarLF5M+qeZO
-7L4NLyVP39Z83eerEonzDAHHbvhPyi6n2YmnYhGjeP+lPZIVqGF9cpZD3q48YHZc
-3ePn2/oLZrXKWOMyMwp2Uj+0SArCW+xMnoNp50sYNVR/JK3BPIdkag==
------END RSA PRIVATE KEY-----
-key_type       	dynamic
-port           	22
-username       	username
-```
-
-### Establish an SSH session
-
-Save the key to a file (e.g. `dyn_key.pem`) and then use it to establish an SSH
-session.
-
-```text
-$ ssh -i dyn_key.pem username@<IP of remote host>
-username@<IP of remote host>:~$
-```
-
-### Automate it!
-
-Creation of new key, saving to a file, and using it to establish an SSH session
-can all be done with a single Vault CLI command.
-
-```text
-$ vault ssh -role dynamic_key_role username@<IP of remote host>
-username@<IP of remote host>:~$
-```
-
-## API
-
-The SSH secret secrets engine has a full HTTP API. Please see the
-[SSH secret secrets engine API](/api/secret/ssh/index.html) for more
-details.
diff --git a/website/source/docs/secrets/ssh/index.html.md b/website/source/docs/secrets/ssh/index.html.md
deleted file mode 100644
index a9484c719448..000000000000
--- a/website/source/docs/secrets/ssh/index.html.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-layout: "docs"
-page_title: "SSH - Secrets Engines"
-sidebar_title: "SSH"
-sidebar_current: "docs-secrets-ssh"
-description: |-
-  The Vault SSH secrets engine provides secure authentication and authorization
-  for access to machines via the SSH protocol. There are multiple modes to the
-  Vault SSH secrets engine including signed SSH certificates, dynamic SSH keys,
-  and one-time passwords.
----
-
-# SSH Secrets Engine
-
-Name: `ssh`
-
-The Vault SSH secrets engine provides secure authentication and authorization
-for access to machines via the SSH protocol. The Vault SSH secrets engine helps
-manage access to machine infrastructure, providing several ways to issue SSH
-credentials.
-
-The Vault SSH secrets engine supports the following modes. Each mode is
-individually documented on its own page.
-
-- [Signed SSH Certificates](/docs/secrets/ssh/signed-ssh-certificates.html)
-- [One-time SSH Passwords](/docs/secrets/ssh/one-time-ssh-passwords.html)
-- [Dynamic SSH Keys](/docs/secrets/ssh/dynamic-ssh-keys.html) <sup>DEPRECATED</sup>
-
-All guides assume a basic familiarity with the SSH protocol.
-
-## API
-
-The SSH secrets engine has a full HTTP API. Please see the
-[SSH secrets engine API](/api/secret/ssh/index.html) for more
-details.
diff --git a/website/source/docs/secrets/ssh/one-time-ssh-passwords.html.md b/website/source/docs/secrets/ssh/one-time-ssh-passwords.html.md
deleted file mode 100644
index 38499b9bc615..000000000000
--- a/website/source/docs/secrets/ssh/one-time-ssh-passwords.html.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-layout: "docs"
-page_title: "One-Time SSH Passwords (OTP) - SSH - Secrets Engines"
-sidebar_title: "SSH OTP"
-sidebar_current: "docs-secrets-ssh-one-time-ssh-passwords"
-description: |-
-  The One-Time SSH Password (OTP) SSH secrets engine type allows a Vault server
-  to issue a One-Time Password every time a client wants to SSH into a remote
-  host using a helper command on the remote host to perform verification.
----
-
-# One-Time SSH Passwords
-
-The One-Time SSH Password (OTP) SSH secrets engine type allows a Vault server to
-issue a One-Time Password every time a client wants to SSH into a remote host
-using a helper command on the remote host to perform verification.
-
-An authenticated client requests credentials from the Vault server and, if
-authorized, is issued an OTP. When the client establishes an SSH connection to
-the desired remote host, the OTP used during SSH authentication is received by
-the Vault helper, which then validates the OTP with the Vault server. The Vault
-server then deletes this OTP, ensuring that it is only used once.
-
-Since the Vault server is contacted during SSH connection establishment, every
-login attempt and the correlating Vault lease information is logged to the audit
-secrets engine.
-
-See [Vault-SSH-Helper](https://github.com/hashicorp/vault-ssh-helper) for
-details on the helper.
-
-This page will show a quick start for this secrets engine. For detailed
-documentation on every path, use `vault path-help` after mounting the secrets
-engine.
-
-### Drawbacks
-
-The main concern with the OTP secrets engine type is the remote host's
-connection to Vault; if compromised, an attacker could spoof the Vault server
-returning a successful request. This risk can be mitigated by using TLS for the
-connection to Vault and checking certificate validity; future enhancements to
-this secrets engine may allow for extra security on top of what TLS provides.
-
-### Mount the secrets engine
-
-```text
-$ vault secrets enable ssh
-Successfully mounted 'ssh' at 'ssh'!
-```
-
-### Create a Role
-
-Create a role with the `key_type` parameter set to `otp`. All of the machines
-represented by the role's CIDR list should have helper properly installed and
-configured.
-
-```text
-$ vault write ssh/roles/otp_key_role \
-    key_type=otp \
-    default_user=username \
-    cidr_list=x.x.x.x/y,m.m.m.m/n
-Success! Data written to: ssh/roles/otp_key_role
-```
-
-### Create a Credential
-
-Create an OTP credential for an IP of the remote host that belongs to
-`otp_key_role`.
-
-```text
-$ vault write ssh/creds/otp_key_role ip=x.x.x.x
-Key            	Value
-lease_id       	ssh/creds/otp_key_role/73bbf513-9606-4bec-816c-5a2f009765a5
-lease_duration 	600
-lease_renewable	false
-port           	22
-username       	username
-ip             	x.x.x.x
-key            	2f7e25a2-24c9-4b7b-0d35-27d5e5203a5c
-key_type       	otp
-```
-
-### Establish an SSH session
-
-```text
-$ ssh username@x.x.x.x
-Password: <Enter OTP>
-username@x.x.x.x:~$
-```
-
-### Automate it!
-
-A single CLI command can be used to create a new OTP and invoke SSH with the
-correct parameters to connect to the host.
-
-```text
-$ vault ssh -role otp_key_role -mode otp username@x.x.x.x
-OTP for the session is `b4d47e1b-4879-5f4e-ce5c-7988d7986f37`
-[Note: Install `sshpass` to automate typing in OTP]
-Password: <Enter OTP>
-```
-
-The OTP will be entered automatically using `sshpass` if it is installed.
-
-```text
-$ vault ssh -role otp_key_role -mode otp -strict-host-key-checking=no username@x.x.x.x
-username@<IP of remote host>:~$
-```
-
-Note: `sshpass` cannot handle host key checking. Host key checking can be
-disabled by setting `-strict-host-key-checking=no`.
-
-## Learn
-
-Refer to the [SSH Secrets Engine: One-Time SSH
-Password](https://learn.hashicorp.com/vault/secrets-management/sm-ssh-otp) guide
-for a step-by-step tutorial.
-
-## API
-
-The SSH secrets engine has a full HTTP API. Please see the
-[SSH secrets engine API](/api/secret/ssh/index.html) for more
-details.
diff --git a/website/source/docs/secrets/ssh/signed-ssh-certificates.html.md b/website/source/docs/secrets/ssh/signed-ssh-certificates.html.md
deleted file mode 100644
index fce8b4c408e5..000000000000
--- a/website/source/docs/secrets/ssh/signed-ssh-certificates.html.md
+++ /dev/null
@@ -1,486 +0,0 @@
----
-layout: "docs"
-page_title: "Signed SSH Certificates - SSH - Secrets Engines"
-sidebar_title: "Signed Certificates"
-sidebar_current: "docs-secrets-ssh-signed-ssh-certificates"
-description: |-
-  The signed SSH certificates is the simplest and most powerful in terms of
-  setup complexity and in terms of being platform agnostic. When using this
-  type, an SSH CA signing key is generated or configured at the secrets engine's mount.
-  This key will be used to sign other SSH keys.
----
-
-# Signed SSH Certificates
-
-The signed SSH certificates is the simplest and most powerful in terms of setup
-complexity and in terms of being platform agnostic. By leveraging Vault's
-powerful CA capabilities and functionality built into OpenSSH, clients can SSH
-into target hosts using their own local SSH keys.
-
-In this section, the term "**client**" refers to the person or machine
-performing the SSH operation. The "**host**" refers to the target machine. If
-this is confusing, substitute "client" with "user".
-
-This page will show a quick start for this secrets engine. For detailed documentation
-on every path, use `vault path-help` after mounting the secrets engine.
-
-## Client Key Signing
-
-Before a client can request their SSH key be signed, the Vault SSH secrets engine must
-be configured. Usually a Vault administrator or security team performs these
-steps. It is also possible to automate these actions using a configuration
-management tool like Chef, Puppet, Ansible, or Salt.
-
-### Signing Key &amp; Role Configuration
-
-The following steps are performed in advance by a Vault administrator, security
-team, or configuration management tooling.
-
-1. Mount the secrets engine. Like all secrets engines in Vault, the SSH secrets engine
-must be mounted before use.
-
-    ```text
-    $ vault secrets enable -path=ssh-client-signer ssh
-    Successfully mounted 'ssh' at 'ssh-client-signer'!
-    ```
-
-    This enables the SSH secrets engine at the path "ssh-client-signer". It is
-    possible to mount the same secrets engine multiple times using different
-    `-path` arguments. The name "ssh-client-signer" is not special - it can be
-    any name, but this documentation will assume "ssh-client-signer".
-
-1. Configure Vault with a CA for signing client keys using the `/config/ca`
-endpoint. If you do not have an internal CA, Vault can generate a keypair for
-you.
-
-    ```text
-    $ vault write ssh-client-signer/config/ca generate_signing_key=true
-    Key             Value
-    ---             -----
-    public_key      ssh-rsa AAAAB3NzaC1yc2EA...
-    ```
-
-    If you already have a keypair, specify the public and private key parts as
-    part of the payload:
-
-    ```text
-    $ vault write ssh-client-signer/config/ca \
-        private_key="..." \
-        public_key="..."
-    ```
-
-    Regardless of whether it is generated or uploaded, the client signer public
-    key is accessible via the API at the `/public_key` endpoint.
-
-1. Add the public key to all target host's SSH configuration. This process can
-be manual or automated using a configuration management tool. The public key is
-accessible via the API and does not require authentication.
-
-    ```text
-    $ curl -o /etc/ssh/trusted-user-ca-keys.pem http://127.0.0.1:8200/v1/ssh-client-signer/public_key
-    ```
-
-    ```text
-    $ vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
-    ```
-
-    Add the path where the public key contents are stored to the SSH
-    configuration file as the `TrustedUserCAKeys` option.
-
-    ```text
-    # /etc/ssh/sshd_config
-    # ...
-    TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
-    ```
-
-    Restart the SSH service to pick up the changes.
-
-1. Create a named Vault role for signing client keys.
-
-    Because of the way some SSH certificate features are implemented, options
-    are passed as a map. The following example adds the `permit-pty` extension
-    to the certificate.
-
-    ```text
-    $ vault write ssh-client-signer/roles/my-role -<<"EOH"
-    {
-      "allow_user_certificates": true,
-      "allowed_users": "*",
-      "default_extensions": [
-        {
-          "permit-pty": ""
-        }
-      ],
-      "key_type": "ca",
-      "default_user": "ubuntu",
-      "ttl": "30m0s"
-    }
-    EOH
-    ```
-
-### Client SSH Authentication
-
-The following steps are performed by the client (user) that wants to
-authenticate to machines managed by Vault. These commands are usually run from
-the client's local workstation.
-
-1. Locate or generate the SSH public key. Usually this is `~/.ssh/id_rsa.pub`.
-If you do not have an SSH keypair, generate one:
-
-    ```text
-    $ ssh-keygen -t rsa -C "user@example.com"
-    ```
-
-1. Ask Vault to sign your **public key**. This file usually ends in `.pub` and
-the contents begin with `ssh-rsa ...`.
-
-    ```text
-    $ vault write ssh-client-signer/sign/my-role \
-        public_key=@$HOME/.ssh/id_rsa.pub
-
-    Key             Value
-    ---             -----
-    serial_number   c73f26d2340276aa
-    signed_key      ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1...
-    ```
-
-    The result will include the serial and the signed key. This signed key is
-    another public key.
-
-    To customize the signing options, use a JSON payload:
-
-    ```text
-    $ vault write ssh-client-signer/sign/my-role -<<"EOH"
-    {
-      "public_key": "ssh-rsa AAA...",
-      "valid_principals": "my-user",
-      "key_id": "custom-prefix",
-      "extension": {
-        "permit-pty": ""
-      }
-    }
-    EOH
-    ```
-
-1. Save the resulting signed, public key to disk. Limit permissions as needed.
-
-    ```text
-    $ vault write -field=signed_key ssh-client-signer/sign/my-role \
-        public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub
-    ```
-
-    If you are saving the certificate directly beside your SSH keypair, suffix
-    the name with `-cert.pub` (`~/.ssh/id_rsa-cert.pub`). With this naming
-    scheme, OpenSSH will automatically use it during authentication.
-
-1. (Optional) View enabled extensions, principals, and metadata of the signed
-key.
-
-    ```text
-    $ ssh-keygen -Lf ~/.ssh/signed-cert.pub
-    ```
-
-1. SSH into the host machine using the signed key. You must supply both the
-signed public key from Vault **and** the corresponding private key as
-authentication to the SSH call.
-
-    ```text
-    $ ssh -i signed-cert.pub -i ~/.ssh/id_rsa username@10.0.23.5
-    ```
-
-## Host Key Signing
-
-For an added layers of security, we recommend enabling host key signing. This is
-used in conjunction with client key signing to provide an additional integrity
-layer. When enabled, the SSH agent will verify the target host is valid and
-trusted before attempting to SSH. This will reduce the probability of a user
-accidentally SSHing into an unmanaged or malicious machine.
-
-### Signing Key Configuration
-
-1. Mount the secrets engine. For the most security, mount at a different path from the
-client signer.
-
-    ```text
-    $ vault secrets enable -path=ssh-host-signer ssh
-    Successfully mounted 'ssh' at 'ssh-host-signer'!
-    ```
-
-1. Configure Vault with a CA for signing host keys using the `/config/ca`
-endpoint. If you do not have an internal CA, Vault can generate a keypair for
-you.
-
-    ```text
-    $ vault write ssh-host-signer/config/ca generate_signing_key=true
-    Key             Value
-    ---             -----
-    public_key      ssh-rsa AAAAB3NzaC1yc2EA...
-    ```
-
-    If you already have a keypair, specify the public and private key parts as
-    part of the payload:
-
-    ```text
-    $ vault write ssh-host-signer/config/ca \
-        private_key="..." \
-        public_key="..."
-    ```
-
-    Regardless of whether it is generated or uploaded, the host signer public
-    key is accessible via the API at the `/public_key` endpoint.
-
-1. Extend host key certificate TTLs.
-
-    ```text
-    $ vault secrets tune -max-lease-ttl=87600h ssh-host-signer
-    ```
-
-1. Create a role for signing host keys. Be sure to fill in the list of allowed
-domains, set `allow_bare_domains`, or both.
-
-    ```text
-    $ vault write ssh-host-signer/roles/hostrole \
-        key_type=ca \
-        ttl=87600h \
-        allow_host_certificates=true \
-        allowed_domains="localdomain,example.com" \
-        allow_subdomains=true
-    ```
-
-1. Sign the host's SSH public key.
-
-    ```text
-    $ vault write ssh-host-signer/sign/hostrole \
-        cert_type=host \
-        public_key=@/etc/ssh/ssh_host_rsa_key.pub
-    Key             Value
-    ---             -----
-    serial_number   3746eb17371540d9
-    signed_key      ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...
-    ```
-
-1. Set the resulting signed certificate as `HostCertificate` in the SSH
-configuration on the host machine.
-
-    ```text
-    $ vault write -field=signed_key ssh-host-signer/sign/hostrole \
-        cert_type=host \
-        public_key=@/etc/ssh/ssh_host_rsa_key.pub > /etc/ssh/ssh_host_rsa_key-cert.pub
-    ```
-
-    Set permissions on the certificate to be `0640`:
-
-    ```text
-    $ chmod 0640 /etc/ssh/ssh_host_rsa_key-cert.pub
-    ```
-
-    Add host key and host certificate to the SSH configuration file.
-
-    ```text
-    # /etc/ssh/sshd_config
-    # ...
-
-    # For client keys
-    TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
-
-    # For host keys
-    HostKey /etc/ssh/ssh_host_rsa_key
-    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
-    ```
-
-    Restart the SSH service to pick up the changes.
-
-### Client-Side Host Verification
-
-1. Retrieve the host signing CA public key to validate the host signature of
-target machines.
-
-    ```text
-    $ curl http://127.0.0.1:8200/v1/ssh-host-signer/public_key
-    ```
-
-    ```text
-    $ vault read -field=public_key ssh-host-signer/config/ca
-    ```
-
-1. Add the resulting public key to the `known_hosts` file with authority.
-
-    ```text
-    # ~/.ssh/known_hosts
-    @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAA...
-    ```
-
-1. SSH into target machines as usual.
-
-## Troubleshooting
-
-When initially configuring this type of key signing, enable `VERBOSE` SSH
-logging to help annotate any errors in the log.
-
-```text
-# /etc/ssh/sshd_config
-# ...
-LogLevel VERBOSE
-```
-
-Restart SSH after making these changes.
-
-By default, SSH logs to `/var/log/auth.log`, but so do many other things. To
-extract just the SSH logs, use the following:
-
-```sh
-$ tail -f /var/log/auth.log | grep --line-buffered "sshd"
-```
-
-If you are unable to make a connection to the host, the SSH server logs may
-provide guidance and insights.
-
-### Name is not a listed principal
-
-If the `auth.log` displays the following messages:
-
-```text
-# /var/log/auth.log
-key_cert_check_authority: invalid certificate
-Certificate invalid: name is not a listed principal
-```
-
-The certificate does not permit the username as a listed principal for
-authenticating to the system. This is most likely due to an OpenSSH bug (see
-[known issues](#known-issues) for more information). This bug does not respect
-the `allowed_users` option value of "\*". Here are ways to work around this
-issue:
-
-1. Set `default_user` in the role. If you are always authenticating as the same
-user, set the `default_user` in the role to the username you are SSHing into the
-target machine:
-
-    ```text
-    $ vault write ssh/roles/my-role -<<"EOH"
-    {
-      "default_user": "YOUR_USER",
-      // ...
-    }
-    EOH
-    ```
-
-1. Set `valid_principals` during signing. In situations where multiple users may
-be authenticating to SSH via Vault, set the list of valid principles during key
-signing to include the current username:
-
-    ```text
-    $ vault write ssh-client-signer/sign/my-role -<<"EOH"
-    {
-      "valid_principals": "my-user"
-      // ...
-    }
-    EOH
-    ```
-
-
-### No Prompt After Login
-
-If you do not see a prompt after authenticating to the host machine, the signed
-certificate may not have the `permit-pty` extension. There are two ways to add
-this extension to the signed certificate.
-
-- As part of the role creation
-
-    ```text
-    $ vault write ssh-client-signer/roles/my-role -<<"EOH"
-    {
-      "default_extensions": [
-        {
-          "permit-pty": ""
-        }
-      ]
-      // ...
-    }
-    EOH
-    ```
-
-- As part of the signing operation itself:
-
-    ```text
-    $ vault write ssh-client-signer/sign/my-role -<<"EOH"
-    {
-      "extension": {
-        "permit-pty": ""
-      }
-      // ...
-    }
-    EOH
-    ```
-
-### No Port Forwarding
-
-If port forwarding from the guest to the host is not working, the signed
-certificate may not have the `permit-port-forwarding` extension. Add the
-extension as part of the role creation or signing process to enable port
-forwarding. See [no prompt after login](#no-prompt-after-login) for examples.
-
-```json
-{
-  "default_extensions": [
-    {
-      "permit-port-forwarding": ""
-    }
-  ]
-}
-```
-
-### No X11 Forwarding
-
-If X11 forwarding from the guest to the host is not working, the signed
-certificate may not have the `permit-X11-forwarding` extension. Add the
-extension as part of the role creation or signing process to enable X11
-forwarding. See [no prompt after login](#no-prompt-after-login) for examples.
-
-```json
-{
-  "default_extensions": [
-    {
-      "permit-X11-forwarding": ""
-    }
-  ]
-}
-```
-
-### No Agent Forwarding
-
-If agent forwarding from the guest to the host is not working, the signed
-certificate may not have the `permit-agent-forwarding` extension. Add the
-extension as part of the role creation or signing process to enable agent
-forwarding. See [no prompt after login](#no-prompt-after-login) for examples.
-
-```json
-{
-  "default_extensions": [
-    {
-      "permit-agent-forwarding": ""
-    }
-  ]
-}
-```
-
-### Known Issues
-
-- On SELinux-enforcing systems, you may need to adjust related types so that the
-  SSH daemon is able to read it. For example, adjust the signed host certificate
-  to be an `sshd_key_t` type.
-
-- On some versions of SSH, you may get the following error:
-
-    ```text
-    no separate private key for certificate
-    ```
-
-    This is a bug introduced in OpenSSH version 7.2 and fixed in 7.5. See
-    [OpenSSH bug 2617](https://bugzilla.mindrot.org/show_bug.cgi?id=2617) for
-    details.
-
-## API
-
-The SSH secrets engine has a full HTTP API. Please see the
-[SSH secrets engine API](/api/secret/ssh/index.html) for more
-details.
diff --git a/website/source/docs/secrets/totp/index.html.md b/website/source/docs/secrets/totp/index.html.md
deleted file mode 100644
index 5950a71cb40f..000000000000
--- a/website/source/docs/secrets/totp/index.html.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-layout: "docs"
-page_title: "TOTP - Secrets Engines"
-sidebar_title: "TOTP"
-sidebar_current: "docs-secrets-totp"
-description: |-
-  The TOTP secrets engine for Vault generates time-based one-time use passwords.
----
-
-# TOTP Secrets Engine
-
-The TOTP secrets engine generates time-based credentials according to the TOTP
-standard. The secrets engine can also be used to generate a new key and validate
-passwords generated by that key.
-
-The TOTP secrets engine can act as both a generator (like Google Authenticator)
-and a provider (like the Google.com sign in service).
-
-## As a Generator
-
-The TOTP secrets engine can act as a TOTP code generator. In this mode, it can
-replace traditional TOTP generators like Google Authenticator. It provides an
-added layer of security since the ability to generate codes is guarded by
-policies and the entire process is audited.
-
-### Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the TOTP secrets engine:
-
-    ```text
-    $ vault secrets enable totp
-    Success! Enabled the totp secrets engine at: totp/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Configure a named key. The name of this key will be a human identifier as to
-its purpose.
-
-    ```text
-    $ vault write totp/keys/my-key \
-        url="otpauth://totp/Vault:test@test.com?secret=Y64VEVMBTSXCYIWRSHRNDZW62MPGVU2G&issuer=Vault"
-    Success! Data written to: totp/keys/my-key
-    ```
-
-    The `url` corresponds to the secret key or value from the barcode provided
-    by the third-party service.
-
-### Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can generate credentials.
-
-1. Generate a new time-based OTP by reading from the `/code` endpoint with the
-name of the key:
-
-    ```text
-    $ vault read totp/code/my-key
-    Key     Value
-    ---     -----
-    code    260610
-    ```
-
-    Using ACLs, it is possible to restrict using the TOTP secrets engine such
-    that trusted operators can manage the key definitions, and both users and
-    applications are restricted in the credentials they are allowed to read.
-
-## As a Provider
-
-The TOTP secrets engine can also act as a TOTP provider. In this mode, it can be
-used to generate new keys and validate passwords generated using those keys.
-
-### Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the TOTP secrets engine:
-
-    ```text
-    $ vault secrets enable totp
-    Success! Enabled the totp secrets engine at: totp/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Create a named key, using the `generate` option. This tells Vault to be the
-provider:
-
-    ```text
-    $ vault write totp/keys/my-user \
-        generate=true \
-        issuer=Vault \
-        account_name=user@test.com
-
-    Key        Value
-    ---        -----
-    barcode    iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BA...
-    url        otpauth://totp/Vault:user@test.com?algorithm=SHA1&digits=6&issuer=Vault&period=30&secret=V7MBSK324I7KF6KVW34NDFH2GYHIF6JY
-    ```
-
-    The response includes a base64-encoded barcode and OTP url. Both are
-    equivalent. Give these to the user who is authenticating with TOTP.
-
-### Usage
-
-1. As a user, validate a TOTP code generated by a third-party app:
-
-    ```text
-    $ vault write totp/code/my-user code=886531
-    Key      Value
-    ---      -----
-    valid    true
-    ```
-
-## API
-
-The TOTP secrets engine has a full HTTP API. Please see the
-[TOTP secrets engine API](/api/secret/totp/index.html) for more
-details.
diff --git a/website/source/docs/secrets/transit/index.html.md b/website/source/docs/secrets/transit/index.html.md
deleted file mode 100644
index 1a990a96182e..000000000000
--- a/website/source/docs/secrets/transit/index.html.md
+++ /dev/null
@@ -1,233 +0,0 @@
----
-layout: "docs"
-page_title: "Transit - Secrets Engines"
-sidebar_title: "Transit"
-sidebar_current: "docs-secrets-transit"
-description: |-
-  The transit secrets engine for Vault encrypts/decrypts data in-transit. It doesn't store any secrets.
----
-
-# Transit Secrets Engine
-
-The transit secrets engine handles cryptographic functions on data in-transit.
-Vault doesn't store the data sent to the secrets engine. It can also be viewed
-as "cryptography as a service" or "encryption as a service". The transit secrets
-engine can also sign and verify data; generate hashes and HMACs of data; and act
-as a source of random bytes.
-
-The primary use case for `transit` is to encrypt data from applications while
-still storing that encrypted data in some primary data store. This relieves the
-burden of proper encryption/decryption from application developers and pushes
-the burden onto the operators of Vault.
-
-Key derivation is supported, which allows the same key to be used for multiple
-purposes by deriving a new key based on a user-supplied context value. In this
-mode, convergent encryption can optionally be supported, which allows the same
-input values to produce the same ciphertext.
-
-Datakey generation allows processes to request a high-entropy key of a given
-bit length be returned to them, encrypted with the named key. Normally this will
-also return the key in plaintext to allow for immediate use, but this can be
-disabled to accommodate auditing requirements.
-
-## Working Set Management
-
-The Transit engine supports versioning of keys. Key versions that are earlier
-than a key's specified `min_decryption_version` gets archived, and the rest of
-the key versions belong to the working set. This is a performance consideration
-to keep key loading fast, as well as a security consideration: by disallowing
-decryption of old versions of keys, found ciphertext corresponding to obsolete
-(but sensitive) data can not be decrypted by most users, but in an emergency
-the `min_decryption_version` can be moved back to allow for legitimate
-decryption.
-
-Currently this archive is stored in a single storage entry. With some storage
-backends, notably those using Raft or Paxos for HA capabilities, frequent
-rotation may lead to a storage entry size for the archive that is larger than
-the storage backend can handle. For frequent rotation needs, using named keys
-that correspond to time bounds (e.g. five-minute periods floored to the closest
-multiple of five) may provide a good alternative, allowing for several keys to
-be live at once and a deterministic way to decide which key to use at any given
-time.
-
-## Key Types
-
-As of now, the transit secrets engine supports the following key types (all key
-types also generate separate HMAC keys):
-
-* `aes128-gcm96`: AES-GCM with a 128-bit AES key and a 96-bit nonce; supports
-  encryption, decryption, key derivation, and convergent encryption
-* `aes256-gcm96`: AES-GCM with a 256-bit AES key and a 96-bit nonce; supports
-  encryption, decryption, key derivation, and convergent encryption (default)
-* `chacha20-poly1305`: ChaCha20-Poly1305 with a 256-bit key; supports
-  encryption, decryption, key derivation, and convergent encryption
-* `ed25519`: Ed25519; supports signing, signature verification, and key
-  derivation
-* `ecdsa-p256`: ECDSA using curve P-256; supports signing and signature
-  verification
-* `ecdsa-p384`: ECDSA using curve P-384; supports signing and signature
-  verification
-* `ecdsa-p521`: ECDSA using curve P-521; supports signing and signature
-  verification
-* `rsa-2048`: 2048-bit RSA key; supports encryption, decryption, signing, and
-  signature verification
-* `rsa-4096`: 4096-bit RSA key; supports encryption, decryption, signing, and
-  signature verification
-
-## Convergent Encryption
-
-Convergent encryption is a mode where the same set of plaintext+context always
-result in the same ciphertext. It does this by deriving a key using a key
-derivation function but also by deterministically deriving a nonce. Because
-these properties differ for any combination of plaintext and ciphertext over a
-keyspace the size of 2^256, the risk of nonce reuse is near zero.
-
-This has many practical uses. A key usage mode is to allow values to be stored
-encrypted in a database, but with limited lookup/query support, so that rows
-with the same value for a specific field can be returned from a query.
-
-To accommodate for any needed upgrades to the algorithm, different versions of
-convergent encryption have historically been supported:
-
-* Version 1 required the client to provide their own nonce, which is highly
-  flexible but if done incorrectly can be dangerous. This was only in Vault
-  0.6.1, and keys using this version cannot be upgraded.
-* Version 2 used an algorithmic approach to deriving the parameters. However,
-  the algorithm used was susceptible to offline plaintext-confirmation attacks,
-  which could allow attackers to brute force decryption if the plaintext size
-  was small. Keys using version 2 can be upgraded by simply performing a rotate
-  operation to a new key version; existing values can then be rewrapped against
-  the new key version and will use the version 3 algorithm.
-* Version 3 uses a different algorithm designed to be resistant to offline
-  plaintext-confirmation attacks. It is similar to AES-SIV in that it uses a
-  PRF to generate the nonce from the plaintext.
-
-## Setup
-
-Most secrets engines must be configured in advance before they can perform their
-functions. These steps are usually completed by an operator or configuration
-management tool.
-
-1. Enable the Transit secrets engine:
-
-    ```text
-    $ vault secrets enable transit
-    Success! Enabled the transit secrets engine at: transit/
-    ```
-
-    By default, the secrets engine will mount at the name of the engine. To
-    enable the secrets engine at a different path, use the `-path` argument.
-
-1. Create a named encryption key:
-
-    ```text
-    $ vault write -f transit/keys/my-key
-    Success! Data written to: transit/keys/my-key
-    ```
-
-    Usually each application has its own encryption key.
-
-## Usage
-
-After the secrets engine is configured and a user/machine has a Vault token with
-the proper permission, it can use this secrets engine.
-
-1. Encrypt some plaintext data using the `/encrypt` endpoint with a named key:
-
-    **NOTE:** All plaintext data **must be base64-encoded**. The reason for this
-    requirement is that Vault does not require that the plaintext is "text". It
-    could be a binary file such as a PDF or image. The easiest safe transport
-    mechanism for this data as part of a JSON payload is to base64-encode it.
-
-    ```text
-    $ vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")
-
-    Key           Value
-    ---           -----
-    ciphertext    vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
-    ```
-
-    The returned ciphertext starts with `vault:v1:`. The first prefix (`vault`)
-    identifies that it has been wrapped by Vault. The `v1` indicates the key
-    version 1 was used to encrypt the plaintext; therefore, when you rotate
-    keys, Vault knows which version to use for decryption. The rest is a base64
-    concatenation of the initialization vector (IV) and ciphertext.
-
-    Note that Vault does not _store_ any of this data. The caller is responsible
-    for storing the encrypted ciphertext. When the caller wants the plaintext,
-    it must provide the ciphertext back to Vault to decrypt the value.
-
-    !> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial
-    of service attack. This can be tuned per [`listener`
-    block](/docs/configuration/listener/tcp.html) in the Vault server
-    configuration.
-
-1. Decrypt a piece of data using the `/decrypt` endpoint with a named key:
-
-    ```text
-    $ vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
-
-    Key          Value
-    ---          -----
-    plaintext    bXkgc2VjcmV0IGRhdGEK
-    ```
-
-    The resulting data is base64-encoded (see the note above for details on
-    why). Decode it to get the raw plaintext:
-
-    ```text
-    $ base64 --decode <<< "bXkgc2VjcmV0IGRhdGEK"
-    my secret data
-    ```
-
-    It is also possible to script this decryption using some clever shell
-    scripting in one command:
-
-    ```text
-    $ vault write -field=plaintext transit/decrypt/my-key ciphertext=... | base64 --decode
-    my secret data
-    ```
-
-    Using ACLs, it is possible to restrict using the transit secrets engine such
-    that trusted operators can manage the named keys, and applications can only
-    encrypt or decrypt using the named keys they need access to.
-
-1. Rotate the underlying encryption key. This will generate a new encryption key
-and add it to the keyring for the named key:
-
-    ```text
-    $ vault write -f transit/keys/my-key/rotate
-    Success! Data written to: transit/keys/my-key/rotate
-    ```
-
-    Future encryptions will use this new key. Old data can still be decrypted
-    due to the use of a key ring.
-
-1. Upgrade already-encrypted data to a new key. Vault will decrypt the value
-using the appropriate key in the keyring and then encrypted the resulting
-plaintext with the newest key in the keyring.
-
-    ```text
-    $ vault write transit/rewrap/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
-
-    Key           Value
-    ---           -----
-    ciphertext    vault:v2:0VHTTBb2EyyNYHsa3XiXsvXOQSLKulH+NqS4eRZdtc2TwQCxqJ7PUipvqQ==
-    ```
-
-    This process **does not** reveal the plaintext data. As such, a Vault policy
-    could grant almost an untrusted process the ability to "rewrap" encrypted
-    data, since the process would not be able to get access to the plaintext
-    data.
-
-## Learn
-
-Refer to the [Encryption as a Service: Transit Secrets
-Engine](https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit)
-guide for a step-by-step tutorial.
-
-## API
-
-The Transit secrets engine has a full HTTP API. Please see the
-[Transit secrets engine API](/api/secret/transit/index.html) for more
-details.
diff --git a/website/source/docs/upgrading/index.html.md b/website/source/docs/upgrading/index.html.md
deleted file mode 100644
index 2b3ac461391b..000000000000
--- a/website/source/docs/upgrading/index.html.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading Vault - Guides"
-sidebar_title: "Upgrade Guides"
-sidebar_current: "docs-upgrading"
-description: |-
-  These are general upgrade instructions for Vault for both non-HA and HA
-  setups. Please ensure that you also read the version-specific upgrade notes.
----
-
-# Upgrading Vault
-
-These are general upgrade instructions for Vault for both non-HA and HA setups.
-_Please ensure that you also read any version-specific upgrade notes which can be
-found in the sidebar._
-
-!> **IMPORTANT NOTE:** Always back up your data before upgrading! Vault does not
-make backward-compatibility guarantees for its data store. Simply replacing the
-newly-installed Vault binary with the previous version will not cleanly
-downgrade Vault, as upgrades may perform changes to the underlying data
-structure that make the data incompatible with a downgrade. If you need to roll
-back to a previous version of Vault, you should roll back your data store as
-well.
-
-## Testing the Upgrade
-
-It's always a good idea to try to ensure that the upgrade will be successful in
-your environment. The ideal way to do this is to take a snapshot of your data
-and load it into a test cluster. However, if you are issuing secrets to third
-party resources (cloud credentials, database credentials, etc.) ensure that you
-do not allow external network connectivity during testing, in case credentials
-expire. This prevents the test cluster from trying to revoke these resources
-along with the non-test cluster.
-
-## Non-HA Installations
-
-Upgrading non-HA installations of Vault is as simple as replacing the Vault
-binary with the new version and restarting Vault. Any upgrade tasks that can be
-performed for you will be taken care of when Vault is unsealed.
-
-Always use `SIGINT` or `SIGTERM` to properly shut down Vault.
-
-Be sure to also read and follow any instructions in the version-specific
-upgrade notes.
-
-## HA Installations
-
-This is our recommended upgrade procedure, and the procedure we use internally
-at HashiCorp. However, you should consider how to apply these steps to your
-particular setup since HA setups can differ on whether a load balancer is in
-use, what addresses clients are being given to connect to Vault (standby +
-leader, leader-only, or discovered via service discovery), etc.
-
-Whatever method you use, you should ensure that you never fail over from a
-newer version of Vault to an older version. Our suggested procedure is designed
-to prevent this.
-
-Please note that Vault does not support true zero-downtime upgrades, but with
-proper upgrade procedure the downtime should be very short (a few hundred
-milliseconds to a second depending on how the speed of access to the storage
-backend).
-
-Perform these steps on each standby:
-
-1. Properly shut down Vault on the standby node via `SIGINT` or `SIGTERM`
-2. Replace the Vault binary with the new version
-3. Start the standby node
-4. Unseal the standby node
-
-At this point all standby nodes will be upgraded and ready to take over. The
-upgrade will not be complete until one of the upgraded standby nodes takes over
-active duty. To do this:
-
-1. Properly shut down the remaining (active) node. Note: it is _**very
-   important**_ that you shut the node down properly. This causes the HA lock to
-   be released, allowing a standby node to take over with a very short delay.
-   If you kill Vault without letting it release the lock, a standby node will
-   not be able to take over until the lock's timeout period has expired. This
-   is backend-specific but could be ten seconds or more.
-2. Replace the Vault binary with the new version; ensure that `mlock()` capability is added to the new binary with [setcap](https://www.vaultproject.io/docs/configuration/index.html#disable_mlock)
-3. Start the node
-4. Unseal the node (it will now be a standby)
-
-Internal upgrade tasks will happen after one of the upgraded standby nodes
-takes over active duty.
-
-Be sure to also read and follow any instructions in the version-specific
-upgrade notes.
-
-## Replication Installations
-
--> **Note:** Prior to any upgrade, be sure to also read and follow any instructions in the version-specific
-upgrade notes which are found in the navigation menu for this documentation.
-
-Upgrading installations of Vault which participate in [Enterprise Replication](/docs/enterprise/replication/index.html) requires the following basic order of operations:
-
-- **Upgrade the replication secondary instances first** using appropriate
-  guidance from the previous sections depending on whether each secondary
-  instance is Non-HA or HA
-- Verify functionality of each secondary instance after upgrading
-- When satisfied with functionality of upgraded secondary instances, upgrade
-  the primary instance
diff --git a/website/source/docs/upgrading/plugins.html.md b/website/source/docs/upgrading/plugins.html.md
deleted file mode 100644
index 921378c68090..000000000000
--- a/website/source/docs/upgrading/plugins.html.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading Plugins - Guides"
-sidebar_title: "Upgrade Plugins"
-sidebar_current: "docs-upgrading-plugins"
-description: |-
-  These are general upgrade instructions for Vault plugins.
----
-
-# Upgrading Vault Plugins
-
-The following procedure details steps for upgrading a plugin that has already
-been registered to the catalog on a running server. This procedure is applicable
-to secret, auth, and database plugins.
-
-## Upgrade Procedure
-
-Vault executes plugin binaries when they are configured and roles are established
-around them. The binary cannot be modified or replaced while running, so
-upgrades cannot be performed by simply swapping the binary and updating the hash
-in the plugin catalog.
-
-Instead, you can restart or reload a plugin with the
-`sys/plugins/reload/backend` [API][plugin_reload_api]. Follow these steps to
-replace or upgrade a Vault plugin binary:
-
-1. Register plugin_v1 to the catalog
-2. Mount the plugin backend
-3. Register plugin_v2 to the catalog under the same plugin name, but with
-updated command to run plugin_v2 and updated sha256 of plugin_v2
-4. Trigger a plugin reload with `sys/plugins/reload/backend` to reload all
-mounted backends using that plugin or a subset of the mounts using that plugin
-with either the `plugin` or `mounts` parameter respectively.
-
-Until step 4, the mount will still use plugin_v1, and when the reload is
-triggered, Vault will kill plugin_v1’s process and start a plugin_v2 process.
-
--> **Important:** Plugin reload of a new plugin binary must be 
-performed on each Vault instance. Performing a plugin upgrade on a single 
-instance or through a load balancer can result in mismatched 
-plugin binaries within a cluster. 
-
-[plugin_reload_api]: /api/system/plugins-reload-backend.html
diff --git a/website/source/docs/upgrading/upgrade-to-0.10.0.html.md b/website/source/docs/upgrading/upgrade-to-0.10.0.html.md
deleted file mode 100644
index c5cd07b3053a..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.10.0.html.md
+++ /dev/null
@@ -1,163 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.10.0 - Guides"
-sidebar_title: "Upgrade to 0.10.0"
-sidebar_current: "docs-upgrading-to-0.10.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.10.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.10.0 compared to 0.9.0. Please read it carefully.
-
-## Changes Since 0.9.6
-
-### Database Plugin Compatibility
-
-The database plugin interface was enhanced to support some additional
-functionality related to root credential rotation and supporting templated
-URL strings. The changes were made in a backwards-compatible way and all
-builtin plugins were updated with the new features. Custom plugins not built
-into Vault will need to be upgraded to support templated URL strings and
-root rotation. Additionally, the Initialize method was deprecated in favor
-of a new Init method that supports configuration modifications that occur in
-the plugin back to the primary data store.
-
-### Removal of Returned Secret Information
-
-For a long time Vault has returned configuration given to various secret
-engines and auth methods with secret values (such as secret API keys or
-passwords) still intact, and with a warning to the user on write that anyone
-with read access could see the secret. This was mostly done to make it easy for
-tools like Terraform to judge whether state had drifted. However, it also feels
-quite un-Vault-y to do this and we've never felt very comfortable doing so. In
-0.10 we have gone through and removed this bevhavior from the various backends;
-fields which contained secret values are simply no longer returned on read. We
-are working with the Terraform team to make changes to their provider to
-accommodate this as best as possible, and users of other tools may have to make
-adjustments, but in the end we felt that the ends did not justify the means and
-we needed to prioritize security over operational convenience.
-
-### LDAP Auth Method Case Sensitivity
-
-We now treat usernames and groups configured locally for policy assignment in a
-case insensitive fashion by default. Existing configurations will continue to
-work as they do now; however, the next time a configuration is written
-`case_sensitive_names` will need to be explicitly set to `true`.
-
-### TTL Handling Moved to Core
-
-All lease TTL handling has been centralized within the core of Vault to ensure
-consistency across all backends. Since this was previously delegated to
-individual backends, there may be some slight differences in TTLs generated
-from some backends.
-
-### Default `secret/` Mount is Deprecated
-
-In 0.12 we will stop mounting `secret/` by default at initialization time (it
-will still be available in `dev` mode).
-
-## Full List Since 0.9.0
-
-### Change to AWS Role Output
-
-The AWS authentication backend now allows binds for inputs as either a
-comma-delimited string or a string array. However, to keep consistency with
-input and output, when reading a role the binds will now be returned as string
-arrays rather than strings.
-
-### Change to AWS IAM Auth ARN Prefix Matching
-
-In order to prefix-match IAM role and instance profile ARNs in AWS auth
-backend, you now must explicitly opt-in by adding a `*` to the end of the ARN.
-Existing configurations will be upgraded automatically, but when writing a new
-role configuration the updated behavior will be used.
-### Backwards Compatible CLI Changes
-
-This upgrade guide is typically reserved for breaking changes, however it
-is worth calling out that the CLI interface to Vault has been completely
-revamped while maintaining backwards compatibility. This could lead to
-potential confusion  while browsing the latest version of the Vault
-documentation on vaultproject.io.
-
-All previous CLI commands should continue to work and are backwards
-compatible in almost all cases.
-
-Documentation for previous versions of Vault can be accessed using
-the GitHub interface by browsing tags (eg [0.9.1 website tree](https://github.com/hashicorp/vault/tree/v0.9.1/website)) or by
-[building the Vault website locally](https://github.com/hashicorp/vault/tree/v0.9.1/website#running-the-site-locally).
-
-### `sys/health` DR Secondary Reporting
-
-The `replication_dr_secondary` bool returned by `sys/health` could be
-misleading since it would be `false` both when a cluster was not a DR secondary
-but also when the node is a standby in the cluster and has not yet fully
-received state from the active node. This could cause health checks on LBs to
-decide that the node was acceptable for traffic even though DR secondaries
-cannot handle normal Vault traffic. (In other words, the bool could only convey
-"yes" or "no" but not "not sure yet".) This has been replaced by
-`replication_dr_mode` and `replication_perf_mode` which are string values that
-convey the current state of the node; a value of `disabled` indicates that
-replication is disabled or the state is still being discovered. As a result, an
-LB check can positively verify that the node is both not `disabled` and is not
-a DR secondary, and avoid sending traffic to it if either is true.
-
-
-### PKI Secret Backend Roles Parameter Types
-
-For `ou` and `organization` in role definitions in the PKI secret backend,
-input can now be a comma-separated string or an array of strings. Reading a
-role will now return arrays for these parameters.
-
-### Plugin API Changes
-
-The plugin API has been updated to utilize golang's context.Context package.
-Many function signatures now accept a context object as the first parameter.
-Existing plugins will need to pull in the latest Vault code and update their
-function signatures to begin using context and the new gRPC transport.
-
-### AppRole Case Sensitivity
-
-In prior versions of Vault, `list` operations against AppRole roles would
-require preserving case in the role name, even though most other operations
-within AppRole are case-insensitive with respect to the role name. This has
-been fixed; existing roles will behave as they have in the past, but new roles
-will act case-insensitively in these cases.
-
-### Token Auth Backend Roles Parameter Types
-
-For `allowed_policies` and `disallowed_policies` in role definitions in the
-token auth backend, input can now be a comma-separated string or an array of
-strings. Reading a role will now return arrays for these parameters.
-
-### Transit Key Exporting
-
-You can now mark a key in the `transit` backend as `exportable` at any time,
-rather than just at creation time; however, once this value is set, it still
-cannot be unset.
-
-### PKI Secret Backend Roles Parameter Types
-
-For `allowed_domains` and `key_usage` in role definitions in the PKI secret
-backend, input can now be a comma-separated string or an array of strings.
-Reading a role will now return arrays for these parameters.
-
-### SSH Dynamic Keys Method Defaults to 2048-bit Keys
-
-When using the dynamic key method in the SSH backend, the default is now to use
-2048-bit keys if no specific key bit size is specified.
-
-### Consul Secret Backend Lease Handling
-
-The `consul` secret backend can now accept both strings and integer numbers of
-seconds for its lease value. The value returned on a role read will be an
-integer number of seconds instead of a human-friendly string.
-
-### Unprintable Characters Not Allowed in API Paths
-
-Unprintable characters are no longer allowed in names in the API (paths and
-path parameters), with an extra restriction on whitespace characters. Allowed
-characters are those that are considered printable by Unicode plus spaces.
diff --git a/website/source/docs/upgrading/upgrade-to-0.10.2.html.md b/website/source/docs/upgrading/upgrade-to-0.10.2.html.md
deleted file mode 100644
index 30e375ed830c..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.10.2.html.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.10.2 - Guides"
-sidebar_title: "Upgrade to 0.10.2"
-sidebar_current: "docs-upgrading-to-0.10.2"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.10.2. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.10.2 compared to 0.10.1. Please read it carefully.
-
-### Convergent Encryption version 3
-
-If you are using `transit`'s convergent encryption feature, which prior to this
-release was at version 2, we recommend
-[rotating](https://www.vaultproject.io/api/secret/transit/index.html#rotate-key)
-your encryption key (the new key will use version 3) and
-[rewrapping](https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data)
-your data to mitigate the chance of offline plaintext-confirmation attacks.
-
-### PKI duration return types
-
-The PKI backend now returns durations (e.g. when reading a role) as an integer
-number of seconds instead of a Go-style string.
diff --git a/website/source/docs/upgrading/upgrade-to-0.10.4.html.md b/website/source/docs/upgrading/upgrade-to-0.10.4.html.md
deleted file mode 100644
index 9120213864b6..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.10.4.html.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.10.4 - Guides"
-sidebar_title: "Upgrade to 0.10.4"
-sidebar_current: "docs-upgrading-to-0.10.4"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.10.4. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.10.4 compared to 0.10.3. Please read it carefully.
-
-### Revocations of dynamic secrets leases now asynchronous
-
-Dynamic secret lease revocation are now queued/asynchronous rather
-than synchronous. This allows Vault to take responsibility for revocation
-even if the initial attempt fails. The previous synchronous behavior can be
-attained via the `-sync` CLI flag or `sync` API parameter. When in
-synchronous mode, if the operation results in failure it is up to the user
-to retry.
-
-### CLI Retries
-
-The CLI will no longer retry commands on 5xx errors. This was a
-source of confusion to users as to why Vault would "hang" before returning a
-5xx error. The Go API client still defaults to two retries.
-
-### Identity Entity Alias metadata
-
-You can no longer manually set metadata on
-entity aliases. All alias data (except the canonical entity ID it refers to)
-is intended to be managed by the plugin providing the alias information, so
-allowing it to be set manually didn't make sense.
diff --git a/website/source/docs/upgrading/upgrade-to-0.11.0.html.md b/website/source/docs/upgrading/upgrade-to-0.11.0.html.md
deleted file mode 100644
index fa430e72996b..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.11.0.html.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.11.0 - Guides"
-sidebar_title: "Upgrade to 0.11.0"
-sidebar_current: "docs-upgrading-to-0.11.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.11.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.11.0 compared to 0.10.0. Please read it carefully.
-
-## Known Issues
-
-### Nomad Integration
-
-Users that integrate Vault with Nomad should hold off on upgrading.  A modification to
-Vault's API is causing a runtime issue with the Nomad to Vault integration.
-
-### Minified JSON Policies
-
-Users that generate policies in minfied JSON may cause a parsing errors due to
-a regression in the policy parser when it encounters repeating brackets. Although
-HCL is the official language for policies in Vault, HCL is JSON compatible and JSON
-should work in place of HCL. To work around this error, pretty print the JSON policies
-or add spaces between repeating brackets.  This regression will be addressed in
-a future release.
-
-### Common Mount Prefixes
-
-Before running the upgrade, users should run `vault secrets list` and `vault auth list` 
-to check their mount table to ensure that mounts do not have common prefix "folders".  
-For example, if there is a mount with path `team1/` and a mount with path `team1/secrets`, 
-Vault will fail to unseal. Before upgrade, these mounts must be remounted at a path that 
-does not share a common prefix.
-
-## Changes Since 0.10.4
-
-### Request Timeouts
-
-A default request timeout of 90s is now enforced. This setting can be
-overwritten in the config file. If you anticipate requests taking longer than
-90s this setting should be configured before upgrading.
-
-### `sys/` Top Level Injection
-
-For the last two years for backwards compatibility data for various `sys/`
-routes has been injected into both the Secret's Data map and into the top level
-of the JSON response object. However, this has some subtle issues that pop up
-from time to time and is becoming increasingly complicated to maintain, so it's
-finally being removed.
-
-### Path Fallback for List Operations
-
-For a very long time Vault has automatically adjusted `list` operations to
-always end in a `/`, as list operations operates on prefixes, so all list
-operations by definition end with `/`. This was done server-side so affects all
-clients. However, this has also led to a lot of confusion for users writing
-policies that assume that the path that they use in the CLI is the path used
-internally. Starting in 0.11, ACL policies gain a new fallback rule for
-listing: they will use a matching path ending in `/` if available, but if not
-found, they will look for the same path without a trailing `/`. This allows
-putting `list` capabilities in the same path block as most other capabilities
-for that path, while not providing any extra access if `list` wasn't actually
-provided there.
-
-### Performance Standbys On By Default
-
-If your flavor/license of Vault Enterprise supports Performance Standbys, they
-are on by default. You can disable this behavior per-node with the
-`disable_performance_standby` configuration flag.
-
-### AWS Secret Engine Roles
-Roles in the AWS Secret Engine were previously ambiguous. For example, if the
-`arn` parameter had been specified, that could have been interpreted as the ARN
-of an AWS IAM policy to attach to an IAM user or it could have been the ARN of
-an AWS role to assume. Now, types are explicit, both in terms of what
-credential type is being requested (e.g., an IAM User or an Assumed Role?) as
-well as the parameters being sent to vault (e.g., the IAM policy document
-attached to an IAM user or used during a GetFederationToken call). All
-credential retrieval remains backwards compatible as does updating role data.
-However, the data returned when reading role data is now different and
-breaking, so anything which reads role data out of Vault will need to be
-updated to handle the new role data format.
-
-While creating/updating roles remains backwards compatible, the old parameters
-are now considered deprecated. You should use the new parameters as documented
-in the API docs.
-
-As part of this, the `/aws/creds/` and `/aws/sts/` endpoints have been merged,
-with the behavior only differing as specified below. The `/aws/sts/` endpoint
-is considered deprecated and should only be used when needing backwards
-compatibility.
-
-All roles will be automatically updated to the new role format when accessed.
-However, due to the way role data was previously being stored in Vault, it's
-possible that invalid data was stored that both make the upgrade impossible as
-well as would have made the role unable to retrieve credentials. In this
-situation, the previous role data is returned in an `invalid_data` key so you
-can inspect what used to be in the role and correct the role data if desired.
-One consequence of the prior AWS role storage format is that a single Vault
-role could have led to two different AWS credential types being retrieved when
-a `policy` parameter was stored. In this case, these legacy roles will be
-allowed to retrieve both IAM User and Federation Token credentials, with the
-credential type depending on the path used to access it (IAM User if accessed
-via the `/aws/creds/<role_name>` endpoint and Federation Token if accessed via
-the `/aws/sts/<role_name>` endpoint).
-
-## Full List Since 0.10.0
-
-### Revocations of dynamic secrets leases now asynchronous
-
-Dynamic secret lease revocation are now queued/asynchronous rather
-than synchronous. This allows Vault to take responsibility for revocation
-even if the initial attempt fails. The previous synchronous behavior can be
-attained via the `-sync` CLI flag or `sync` API parameter. When in
-synchronous mode, if the operation results in failure it is up to the user
-to retry.
-
-### CLI Retries
-
-The CLI will no longer retry commands on 5xx errors. This was a
-source of confusion to users as to why Vault would "hang" before returning a
-5xx error. The Go API client still defaults to two retries.
-
-### Identity Entity Alias metadata
-
-You can no longer manually set metadata on
-entity aliases. All alias data (except the canonical entity ID it refers to)
-is intended to be managed by the plugin providing the alias information, so
-allowing it to be set manually didn't make sense.
-
-### Convergent Encryption version 3
-
-If you are using `transit`'s convergent encryption feature, which prior to this
-release was at version 2, we recommend
-[rotating](https://www.vaultproject.io/api/secret/transit/index.html#rotate-key)
-your encryption key (the new key will use version 3) and
-[rewrapping](https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data)
-your data to mitigate the chance of offline plaintext-confirmation attacks.
-
-### PKI duration return types
-
-The PKI backend now returns durations (e.g. when reading a role) as an integer
-number of seconds instead of a Go-style string.
diff --git a/website/source/docs/upgrading/upgrade-to-0.11.2.html.md b/website/source/docs/upgrading/upgrade-to-0.11.2.html.md
deleted file mode 100644
index 741dc25accc8..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.11.2.html.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.11.2 - Guides"
-sidebar_title: "Upgrade to 0.11.2"
-sidebar_current: "docs-upgrading-to-0.11.2"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.11.2. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.11.2 compared to 0.11.1. Please read it carefully.
-
-### `sys/seal-status` Behavior Change
-
-The `sys/seal-status` endpoint now includes an initialized boolean in the
-output. If Vault is not initialized, it will return a 200 with this value
-set false instead of a 400
-
-### Mount Config Passthrough Headers
-
-The mount config option for `passthrough_request_headers` will now deny
-certain headers from being provided to backends based on a global denylist.
diff --git a/website/source/docs/upgrading/upgrade-to-0.11.6.html.md b/website/source/docs/upgrading/upgrade-to-0.11.6.html.md
deleted file mode 100644
index 91fd7cac9115..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.11.6.html.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.11.6 - Guides"
-sidebar_title: "Upgrade to 0.11.6"
-sidebar_current: "docs-upgrading-to-0.11.6"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.11.6. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.11.6 compared to 0.11.5. Please read it carefully.
-
-### Database Secret Engine Role Reads
-
-On role read, empty statements will be returned as empty
-slices instead of potentially being returned as JSON null values. This makes it
-more in line with other parts of Vault and makes it easier for statically typed
-languages to interpret the values.
diff --git a/website/source/docs/upgrading/upgrade-to-0.5.0.html.md b/website/source/docs/upgrading/upgrade-to-0.5.0.html.md
deleted file mode 100644
index 4afd0e3c7099..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.5.0.html.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.5.0 - Guides"
-sidebar_title: "Upgrade to 0.5.0"
-sidebar_current: "docs-upgrading-to-0.5.0"
-description: |-
-  This page contains the full list of breaking changes for Vault 0.5, including
-  actions you must take to facilitate a smooth upgrade path.
----
-
-# Overview
-
-This page contains the list of breaking changes for Vault 0.5. Please read it
-carefully.
-
-Please note that these are changes to Vault itself. Client libraries maintained
-by HashiCorp have been updated with support for these changes, but if you are
-using community-supported libraries, you should ensure that they are ready for
-Vault 0.5 before upgrading.
-
-## Rekey Requires Nonce
-
-Vault now generates a nonce when a rekey operation is started in order to
-ensure that the operation cannot be hijacked. The nonce is output when the
-rekey operation is started and when rekey status is requested.
-
-The nonce must be provided as part of the request parameters when providing an
-unseal key. The nonce can be communicated from the request initiator to unseal
-key holders via side channels; the unseal key holders can then verify the nonce
-(by providing it) when they submit their unseal key.
-
-As a convenience, if using the CLI interactively to provide the unseal key, the
-nonce will be displayed for verification but the user will not be required to
-manually re-type it.
-
-## `TTL` Field in Token Lookup
-
-Previously, the `ttl` field returned when calling `lookup` or `lookup-self` on
-the token auth method displayed the TTL set at token creation. It
-now displays the time remaining (in seconds) for the token's validity period.
-The original behavior has been moved to a field named `creation_ttl`.
-
-## Grace Periods Removed
-
-Vault no longer uses grace periods internally for leases or token TTLs.
-Previously these were set by backends and could differ greatly from one backend
-to another, causing confusion. TTLs (the `lease_duration` field for a lease,
-or, for a token lookup, the `ttl`) are now exact.
-
-## `token-renew` CLI Command
-
-If the token given for renewal is the same as the token in use by the client,
-the `renew-self` endpoint will be used in the API rather than the `renew`
-endpoint. Since the `default` policy contains `auth/token/renew-self` this
-makes it much more likely that the request will succeed rather than somewhat
-confusingly failing due to a lack of permissions on `auth/token/renew`.
-
-## `status` CLI Command
-The `status` CLI command now returns an exit code of `0` for an unsealed Vault
-(as before), `2` for a sealed Vault, and `1` for an error. This keeps error
-return codes consistent across commands.
-
-## Transit Upsertion Behavior Uses Capabilities
-
-Previously, attempting to encrypt with a key that did not exist would create a
-key with default values. This was convenient but ultimately allowed a client to
-potentially escape an ACL policy restriction, albeit without any dangerous
-access. Now that Vault supports more granular capabilities in policies,
-upsertion behavior is controlled by whether the client has the `create`
-capability for the request (upsertion is allowed) or only the `update`
-capability (upsertion is denied).
-
-## etcd Physical Backend Uses `sync`
-
-The `etcd` physical backend now supports `sync` functionality and it is turned
-on by default, which maps to the upstream library's default. It can be
-disabled; see the configuration page for information.
-
-## S3 Physical Backend Prefers Environment Variables
-
-The `s3` physical backend now prefers environment variables over configuration
-file variables. This matches the behavior of the rest of the backends and of
-Vault generally.
-
-## Lease Default and Renewal Handling
-
-All backends now honor system and mount-specific default and maximum lease
-times, except when specifically overridden by backend configuration or role
-parameters, or when doing so would not make sense (e.g. AWS STS tokens cannot
-have a lifetime of greater than 1 hour).
-
-This allows for a *much* more uniform approach to managing leases on both the
-operational side and the user side, and removes much ambiguity and uncertainty
-resulting from backend-hardcoded limits.
-
-However, also this means that the leases generated by the backends may return
-significantly different TTLs in 0.5 than in previous versions, unless they have
-been preconfigured. You can use the `mount-tune` CLI command or the
-`/sys/mounts/<mount point>/tune` endpoint to adjust default and max TTL
-behavior for any mount. This is supported in 0.4, so you can perform this
-tuning before upgrading.
-
-The following list details the ways in which lease handling has changed
-per-backend. In all cases the "mount TTL" means the mount-specific value for
-default or max TTL; however, if no value is set on a given mount, the system
-default/max values are used. This lists only the changes; any lease-issuing
-or renew function not listed here behaves the same as in 0.4.
-
-(As a refresher: the default TTL is the amount of time that the initial
-lease/token is valid for before it must be renewed; the maximum TTL is the
-amount of time a lease or token is valid for before it can no longer be renewed
-and must be reissued. A mount can be more restrictive with its maximum TTL, but
-cannot be less restrictive than the mount's maximum TTL.)
-
-#### Credential (Auth) Backends
-
-- `github` – The renewal function now uses the backend's configured maximum
-  TTL, if set; otherwise, the mount maximum TTL is used.
-- `ldap` – The renewal function now uses the mount default TTL instead of always
-  using one hour.
-- `token` – Tokens can no longer be renewed forever; instead, they now honor the
-  mount default/max TTL.
-- `userpass` – The renew function now uses the backend's configured maximum TTL,
-  if set; otherwise the mount maximum TTL is used.
-
-#### Secrets Engines
-
-- `aws` – New IAM roles no longer always have a default TTL of one hour, instead
-  honoring the configured default if available and the mount default TTL if not
-  (renewal always used the configured values if available). STS tokens return a
-  TTL corresponding to the lifetime of the token in AWS and cannot be renewed.
-- `cassandra` – `lease_grace_period` has been removed since Vault no longer uses
-  grace periods.
-- `consul` – The mount default TTL is now used as the default TTL if there is no
-  backend configuration parameter. Renewal now uses the mount default and
-  maximum TTLs.
-- `mysql` – The mount default TTL is now used as the default TTL if there is no
-  backend configuration parameter.
-- `postgresql` – The mount default TTL is now used as the default TTL if there
-  is no backend configuration parameter. In addition, there is no longer any
-  grace period with the time configured for password expiration within Postgres
-  itself.
diff --git a/website/source/docs/upgrading/upgrade-to-0.5.1.html.md b/website/source/docs/upgrading/upgrade-to-0.5.1.html.md
deleted file mode 100644
index 8dc2cb5c8661..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.5.1.html.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.5.1 - Guides"
-sidebar_title: "Upgrade to 0.5.1"
-sidebar_current: "docs-upgrading-to-0.5.1"
-description: |-
-  This page contains the list of breaking changes for Vault 0.5.1. Please read
-  it carefully.
----
-
-# Overview
-
-This page contains the list of breaking changes for Vault 0.5.1. Please read it
-carefully.
-
-## PKI Backend Disallows RSA Keys < 2048 Bits
-
-The PKI backend now refuses to issue a certificate, sign a CSR, or save a role
-that specifies an RSA key of less than 2048 bits. Smaller keys are considered
-unsafe and are disallowed in the Internet PKI. Although this may require
-updating your roles, we do not expect any other breaks from this; since its
-inception the PKI backend has mandated SHA256 hashes for its signatures, and
-software able to handle these certificates should be able to handle
-certificates with >= 2048-bit RSA keys as well.
-
-## PKI Backend Does Not Automatically Delete Expired Certificates
-
-The PKI backend now does not automatically delete expired certificates,
-including from the CRL. Doing so could lead to a situation where a time
-mismatch between the Vault server and clients could result in a certificate
-that would not be considered expired by a client being removed from the CRL.
-
-Vault strives for determinism and putting the operator in control, so expunging
-expired certificates has been moved to a new function at `pki/tidy`. You can
-flexibly determine whether to tidy up from the revocation list, the general
-certificate storage, or both. In addition, you can specify a safety buffer
-(defaulting to 72 hours) to ensure that any time discrepancies between your
-hosts is accounted for.
-
-## Cert auth method Performs Client Checking During Renewals
-
-The `cert` backend now performs a variant of channel binding at renewal time
-for increased security. In order to not overly burden clients, a notion of
-identity is used, as follows:
-
-- At both login and renewal time, the validity of the presented client
-  certificate is checked
-- At login time, the key ID of both the client certificate and its issuing
-  certificate are stored
-- At renewal time, the key ID of both the client certificate and its issuing
-  certificate must match those stored at login time
-
-Matching on the key ID rather than the serial number allows tokens to be
-renewed even if the CA or the client certificate used are rotated; so long as
-the same key was used to generate the certificate (via a CSR) and sign the
-certificate, renewal is allowed. As Vault encourages short-lived secrets,
-including client certificates (for instance, those issued by the `pki`
-backend), this is a useful approach compared to strict issuer/serial number
-checking.
-
-You can use the new `cert/config` endpoint to disable this behavior.
diff --git a/website/source/docs/upgrading/upgrade-to-0.6.0.html.md b/website/source/docs/upgrading/upgrade-to-0.6.0.html.md
deleted file mode 100644
index 36cc0dc9fc5e..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.6.0.html.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.6.0 - Guides"
-sidebar_title: "Upgrade to 0.6.0"
-sidebar_current: "docs-upgrading-to-0.6.0"
-description: |-
-  This page contains the list of breaking changes for Vault 0.6. Please read it
-  carefully.
----
-
-# Overview
-
-This page contains the list of breaking changes for Vault 0.6 compared to the
-previous release. Please read it carefully.
-
-## PKI Backend Does Not Issue Leases for CA Certificates
-
-When a token expires, it revokes all leases associated with it. This means that
-long-lived CA certs need correspondingly long-lived tokens, something that is
-easy to forget, resulting in an unintended revocation of the CA certificate
-when the token expires. To prevent this, root and intermediate CA certs no
-longer have associated leases. To revoke these certificates, use the
-`pki/revoke` endpoint.
-
-CA certificates that have already been issued and acquired leases will report
-to the lease manager that revocation was successful, but will not actually be
-revoked and placed onto the CRL.
-
-## The `auth/token/revoke-prefix` Endpoint Has Been Removed
-
-As part of addressing a minor security issue, this endpoint has been removed in
-favor of using `sys/revoke-prefix` for prefix-based revocation of both tokens
-and secrets leases.
-
-## Go API Uses `json.Number` For Decoding
-
-When using the Go API, it now calls `UseNumber()` on the decoder object. As a
-result, rather than always decode as a `float64`, numbers are returned as a
-`json.Number`, where they can be converted, with proper error checking, to
-`int64`, `float64`, or simply used as a `string` value. This fixes some display
-errors where numbers were being decoded as `float64` and printed in scientific
-notation.
-
-## List Operations Return `404` On No Keys Found
-
-Previously, list operations on an endpoint with no keys found would return an
-empty response object. Now, a `404` will be returned instead.
-
-## Consul TTL Checks Automatically Registered
-
-If using the Consul HA storage backend, Vault will now automatically register
-itself as the `vault` service and perform its own health checks/lifecycle
-status management. This behavior can be adjusted or turned off in Vault's
-configuration; see the
-[documentation](/docs/configuration/index.html#check_timeout)
-for details.
diff --git a/website/source/docs/upgrading/upgrade-to-0.6.1.html.md b/website/source/docs/upgrading/upgrade-to-0.6.1.html.md
deleted file mode 100644
index 8802e603e632..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.6.1.html.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.6.1 - Guides"
-sidebar_title: "Upgrade to 0.6.1"
-sidebar_current: "docs-upgrading-to-0.6.1"
-description: |-
-  This page contains the list of breaking changes for Vault 0.6.1. Please read
-  it carefully.
----
-
-# Overview
-
-This page contains the list of breaking changes for Vault 0.6.1. Please read it
-carefully.
-
-## Standby Nodes Must Be 0.6.1 As Well
-
-Once an active node is running 0.6.1, only standby nodes running 0.6.1+ will be
-able to form an HA cluster. If following our [general upgrade
-instructions](/guides/upgrading/index.html) this will
-not be an issue.
-
-## Health Endpoint Status Code Changes
-
-Prior to 0.6.1, the health endpoint would return a `500` (Internal Server
-Error) for both a sealed and uninitialized state. In both states this was
-confusing, since it was hard to tell, based on the status code, an actual
-internal error from Vault from a Vault that was simply uninitialized or sealed,
-not to mention differentiating between those two states.
-
-In 0.6.1, a sealed Vault will return a `503` (Service Unavailable) status code.
-As before, this can be adjusted with the `sealedcode` query parameter. An
-uninitialized Vault will return a `501` (Not Implemented) status code. This can
-be adjusted with the `uninitcode` query parameter.
-
-This removes ambiguity/confusion and falls more in line with the intention of
-each status code (including `500`).
-
-## Root Token Creation Restrictions
-
-Root tokens (tokens with the `root` policy) can no longer be created except by
-another root token or the
-[`generate-root`](/api/system/generate-root.html)
-endpoint or CLI command.
-
-## PKI Backend Certificates Will Contain Default Key Usages
-
-Issued certificates from the `pki` backend against roles created or modified
-after upgrading will contain a set of default key usages. This increases
-compatibility with some software that requires strict adherence to RFCs, such
-as OpenVPN.
-
-This behavior is fully adjustable; see the [PKI backend
-documentation](/docs/secrets/pki/index.html) for
-details.
-
-## DynamoDB Does Not Support HA By Default
-
-If using DynamoDB and want to use HA support, you will need to explicitly
-enable it in Vault's configuration; see the
-[documentation](/docs/configuration/index.html#ha_enabled)
-for details.
-
-If you are already using DynamoDB in an HA fashion and wish to keep doing so,
-it is *very important* that you set this option **before** upgrading your Vault
-instances. Without doing so, each Vault instance will believe that it is
-standalone and there could be consistency issues.
-
-## LDAP Auth Method Forgets Bind Password and Insecure TLS Settings
-
-Due to a bug, these two settings are forgotten if they have been configured in
-the LDAP backend prior to 0.6.1. If you are using these settings with LDAP,
-please be sure to re-submit your LDAP configuration to Vault after the upgrade,
-so ensure that you have a valid token to do so before upgrading if you are
-relying on LDAP authentication for permissions to modify the backend itself.
-
-## LDAP Auth Method Does Not Search `memberOf`
-
-The LDAP backend went from a model where all permutations of storing and
-filtering groups were tried in all cases to one where specific filters are
-defined by the administrator. This vastly increases overall directory
-compatibility, especially with Active Directory when using nested groups, but
-unfortunately has the side effect that `memberOf` is no longer searched for by
-default, which is a breaking change for many existing setups.
-
-`Scenario 2` in the [updated
-documentation](/docs/auth/ldap.html) shows an
-example of configuring the backend to query `memberOf`. It is recommended that
-a test Vault server be set up and that successful authentication can be
-performed using the new configuration before upgrading a primary or production
-Vault instance.
-
-In addition, if LDAP is relied upon for authentication, operators should ensure
-that they have valid tokens with policies allowing modification of LDAP
-parameters before upgrading, so that once an upgrade is performed, the new
-configuration can be specified successfully.
-
-## App-ID is Deprecated
-
-With the addition of of the new [AppRole
-backend](/docs/auth/approle.html), App-ID is
-deprecated. There are no current plans to remove it, but we encourage using
-AppRole whenever possible, as it offers enhanced functionality and can
-accommodate many more types of authentication paradigms. App-ID will receive
-security-related fixes only.
diff --git a/website/source/docs/upgrading/upgrade-to-0.6.2.html.md b/website/source/docs/upgrading/upgrade-to-0.6.2.html.md
deleted file mode 100644
index a0b6c948ea55..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.6.2.html.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.6.2 - Guides"
-sidebar_title: "Upgrade to 0.6.2"
-sidebar_current: "docs-upgrading-to-0.6.2"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.6.2. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.6.2. Please read it carefully.
-
-## Request Forwarding On By Default
-
-In 0.6.1 this feature was in beta and required opting-in, but is now enabled by
-default. This can be disabled via the `"disable_clustering"` parameter in
-Vault's [config](/docs/configuration/index.html), or
-per-request with the `X-Vault-No-Request-Forwarding` header.
-
-## AppRole Role Constraints
-
-Creating or updating a role now requires at least one constraint to be enabled,
-whereas previously it was sufficient to require only the role ID by itself.
-Currently there are two constraints: `bind_secret_id` and `bound_cidr_list`.
-`bind_secret_id` is enabled by default. Roles which were previously using only
-the role ID for authentication will continue to work but will require a
-constraint to be specified if updated.
-
-## Convergent Encryption v2
-
-New keys in `transit` using convergent mode will use a new nonce derivation
-mechanism rather than require the user to supply a nonce. While not explicitly
-increasing security, it minimizes the likelihood that a user will use the mode
-improperly and impact the security of their keys. Keys in convergent mode that
-were created in 0.6.1 will continue to work with the same mechanism
-(user-supplied nonce).
-
-## `etcd` HA Off By Default
-
-Following in the footsteps of `dynamodb`, the `etcd` storage backend now
-requires that `ha_enabled` be explicitly specified in the configuration file.
-The backend currently has known broken HA behavior, so this flag discourages
-use by default without explicitly enabling it. If you are using this
-functionality, when upgrading, you should set `ha_enabled` to `"true"` *before*
-starting the new versions of Vault.
-
-## Reading Wrapped Responses From `cubbyhole/response` Is Deprecated
-
-The `sys/wrapping/unwrap` endpoint should be used instead as it provides
-additional security, auditing, and other benefits. The ability to read directly
-will be removed in a future release.
-
-## Default/Max Lease/Token TTLs Now 32 Days
-
-In previous versions of Vault the default was 30 days, but changing it to 32
-days allows some operations (e.g. reauthenticating, renewing, etc.) to be
-performed via a monthly cron job.
-
-## AppRole Secret ID Endpoints Changed
-
-Secret ID and Secret ID accessors are no longer part of request URLs. The `GET`
-and `DELETE` operations are now moved to new endpoints (`/lookup` and
-`/destroy`) which consumes the input from the body via `POST` (or `PUT`) and
-not the URL.
-
-## Behavior Change for `bound_iam_role_arn` in AWS-EC2 Backend
-
-In prior versions a bug caused the `bound_iam_role_arn` value in the `aws-ec2`
-auth method to actually use the instance profile ARN.  This has been
-corrected, but as a result there is a behavior change. To match using the
-instance profile ARN, a new parameter `bound_iam_instance_profile_arn` has been
-added. Existing roles will automatically transfer the value over to the correct
-parameter, but the next time the role is updated, the new meanings will take
-effect.
diff --git a/website/source/docs/upgrading/upgrade-to-0.6.3.html.md b/website/source/docs/upgrading/upgrade-to-0.6.3.html.md
deleted file mode 100644
index 0798893e3dc8..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.6.3.html.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.6.3 - Guides"
-sidebar_title: "Upgrade to 0.6.3"
-sidebar_current: "docs-upgrading-to-0.6.3"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.6.3. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.6.3. Please read it carefully.
-
-## LDAP Null Binds Disabled By Default
-
-When using the LDAP auth method, `deny_null_bind` has a default value of
-`true`, preventing a successful user authentication when an empty password
-is provided. If you utilize passwordless LDAP binds, `deny_null_bind` must
-be set to `false`. Upgrades will keep previous behavior until the LDAP
-configuration information is rewritten, at which point the new behavior
-will be utilized.
-
-## Request Size Limitation
-
-A maximum request size of 32MB is imposed to prevent a denial of service attack
-with arbitrarily large requests.
-
-## Any Audit Device Successfully Activated Allows Active Duty
-
-Previously, when a new Vault node was taking over service in an HA cluster, all
-audit devices were required to be active successfully to take over active
-duty. This behavior now matches the behavior of the audit logging system
-itself: at least one audit device must successfully be activated. The server
-log contains an error when this occurs. This helps keep a Vault HA cluster
-working when there is a misconfiguration on a standby node.
diff --git a/website/source/docs/upgrading/upgrade-to-0.6.4.html.md b/website/source/docs/upgrading/upgrade-to-0.6.4.html.md
deleted file mode 100644
index 39b87854c5ed..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.6.4.html.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.6.4 - Guides"
-sidebar_title: "Upgrade to 0.6.4"
-sidebar_current: "docs-upgrading-to-0.6.4"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.6.4. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.6.4. Please read it carefully.
-
-Note: both of these are security sensitive changes.
-
-## Changes to `default` Policy Addition Rules for `auth/token/create`
-
-An issue was reported indicating that in some cases, the stated behavior of the
-`default` policy being added to tokens unless specifically requested could lead
-to a privilege escalation scenario if the parent token did not itself have the
-`default` policy. In most cases (e.g. using the default `default` policy) the
-escalated privileges are unlikely to be dangerous, but this behavior is
-undesired.
-
-As such, we have modified the rules around `default` in a few ways when
-creating tokens using this endpoint:
-
-1. If a token creation request does not specify desired policies, the parent's
-   policies will be used (as normal) but `default` will not be automatically
-   added, so the child token will only have `default` if the parent does
-2. If a token creation request specifies desired policies, `default` will be
-   added automatically if and only if the parent token has `default`
-3. If the parent token has `sudo` capability on the token creation endpoint,
-   `default` is always added; since `sudo` capability on this endpoint allows
-   adding any policy, this is not privilege escalation with respect to the
-   parent token-holder
-4. When using token store roles, `default` is always added to the list of child
-   token policies unless `default` is contained in `disallowed_policies`
-
-**Regardless of provenance**, if a token being created has the `default` policy
-and `no_default_policy` has been set `true` for the request, the `default`
-policy will be stripped from the final set of policies.
-
-## Many Users Should Run `auth/token/tidy`
-
-While investigating a report of accessor entries not being removed correctly
-from Vault's data store, a security issue was discovered: if limited use-count
-tokens are being used and expire due to the use-count dropping to zero (rather
-than due to the token's TTL expiring or the token being explicitly revoked),
-several pieces of Vault's token revocation logic would not be properly run.
-This included cleaning up the associated accessor entry from the data store,
-but more importantly, included the logic used to immediately expire leases
-associated with the token.
-
-These leases would not live forever; they would still be expired when their TTL
-ran out. This limits the severity of this issue, but it is still a potentially
-serious bug depending on each particular operational scenario.
-
-To mitigate this issue we have taken the following steps:
-
-1. Updated the token revocation logic to be more resilient to failures that can
-  happen as it performs its various steps; the revocation will now properly
-  only be considered successful if no error has occurred. In addition, the
-  token entry will remain in the data store (but _not_ be usable for
-  performing Vault functions) until all aspects of revocation report success,
-  allowing future revocation requests to succeed if the underlying cause of the
-  failure has been addressed.
-
-2. Added a function `auth/token/tidy` that can both clean up the leaked
-  accessor entries and expire the leases associated with those accessors'
-  tokens.
-
-In most cases, running `auth/token/tidy` should expire all outstanding
-leases that were generated by these revoked limited-use-count tokens.
-
-If you are both using limited-use-count tokens *and* you are using them to
-issue leased secrets, you should consider upgrading to 0.6.4 and running the
-`auth/token/tidy` endpoint immediately. Please note that running this function
-involves a lot of requests to the data store, so plan load accordingly.
-
-Note: response wrapping tokens do not allow generating leases but have still
-been subject to leaking the accessor entries, so if you have been a heavy user
-of response wrapping you should still consider running the tidy function.
diff --git a/website/source/docs/upgrading/upgrade-to-0.7.0.html.md b/website/source/docs/upgrading/upgrade-to-0.7.0.html.md
deleted file mode 100644
index e196e0ad3f61..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.7.0.html.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.7.0 - Guides"
-sidebar_title: "Upgrade to 0.7.0"
-sidebar_current: "docs-upgrading-to-0.7.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.7.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.7.0 compared to the most recent release. Please read it carefully.
-
-## List Operations Always Use Trailing Slash
-
- Any list operation, whether via the `GET` or `LIST` HTTP verb, will now
- internally canonicalize the path to have a trailing slash. This makes policy
- writing more predictable, as it means clients will no longer work or fail
- based on which client they're using or which HTTP verb they're using. However,
- it also means that policies allowing `list` capability must be carefully
- checked to ensure that they contain a trailing slash; some policies may need
- to be split into multiple stanzas to accommodate.
-
-## PKI Defaults to Unleased Certificates
-
-When issuing certificates from the PKI backend, by default, no leases will be
-issued. If you want to manually revoke a certificate, its serial number can be
-used with the `pki/revoke` endpoint. Issuing leases is still possible by
-enabling the `generate_lease` toggle in PKI role entries (this will default to
-`true` for upgrades, to keep existing behavior), which will allow using lease
-IDs to revoke certificates. For installations issuing large numbers of
-certificates (tens to hundreds of thousands, or millions), this will
-significantly improve Vault startup time since leases associated with these
-certificates will not have to be loaded; however note that it also means that
-revocation of a token used to issue certificates will no longer add these
-certificates to a CRL. If this behavior is desired or needed, consider keeping
-leases enabled and ensuring lifetimes are reasonable, and issue long-lived
-certificates via a different role with leases disabled.
diff --git a/website/source/docs/upgrading/upgrade-to-0.8.0.html.md b/website/source/docs/upgrading/upgrade-to-0.8.0.html.md
deleted file mode 100644
index b97e649bcbb6..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.8.0.html.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.8.0 - Guides"
-sidebar_title: "Upgrade to 0.8.0"
-sidebar_current: "docs-upgrading-to-0.8.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.8.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.8.0 compared to the most recent release. Please read it carefully.
-
-## Enterprise Upgrade Procedure
-
-If you are upgrading from Vault Enterprise, you should take one of the
-following upgrade paths. Please note that reindexing stops the ability of the
-node to process requests while the indexing is happening. As a result, you may
-want to plan the upgrade for a time when either no writes to the primary are
-expected and secondaries can handle traffic (if using replication), or when
-there is a maintenance window.
-
-There are two reindex processes that need to happen during the upgrade, for two
-different indexes. One will happen automatically when the cluster is upgraded
-to 0.8.0. _This happens even if you are not currently using replication._ The
-other can be done in one of a few ways, as follows.
-
-### If Not Using Replication
-
-If not using replication, no further action needs to be taken.
-
-### If Using Replication
-
-#### Option 1: Reindex the Primary, then Upgrade Secondaries
-
-The first option is to issue a write to [`sys/replication/reindex`][reindex] on the
-primary (it is not necessary on the secondaries). When the reindex on the
-primary is finished, upgrade the secondaries, then upgrade the primary.
-
-#### Option 2: Upgrade All Nodes Simultaneously
-
-The second option is to upgrade all nodes to 0.8.0 at the same time. This
-removes the need to perform an explicit reindex but may equate to more down
-time since secondaries will not be able to service requests while the primary
-is performing an explicit reindex.
-
-## `sys/revoke-force` Requires `sudo` Capability
-
-This path was meant to require `sudo` capability but was not implemented this
-way. It now requires `sudo` capability to run.
-
-[reindex]: https://www.vaultproject.io/api/system/replication.html#reindex-replication
diff --git a/website/source/docs/upgrading/upgrade-to-0.9.0.html.md b/website/source/docs/upgrading/upgrade-to-0.9.0.html.md
deleted file mode 100644
index da181456a0ef..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.9.0.html.md
+++ /dev/null
@@ -1,123 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.9.0 - Guides"
-sidebar_title: "Upgrade to 0.9.0"
-sidebar_current: "docs-upgrading-to-0.9.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.9.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.9.0 compared to the most recent release. Please read it carefully.
-
-### PKI Root Generation (Since 0.8.1)
-
-Calling [`pki/root/generate`][generate-root] when a CA cert/key already exists will now return a
-`204` instead of overwriting an existing root. If you want to recreate the
-root, first run a delete operation on `pki/root` (requires `sudo` capability),
-then generate it again.
-
-### Token Period in AWS IAM Auth (Since 0.8.2)
-
-In prior versions of Vault, if authenticating via AWS IAM and requesting a
-periodic token, the period was not properly respected. This could lead to
-tokens expiring unexpectedly, or a token lifetime being longer than expected.
-Upon token renewal with Vault 0.8.2 the period will be properly enforced.
-
-### SSH CLI Parameters (Since 0.8.2)
-
-`vault ssh` users should supply `-mode` and `-role` to reduce the number of API
-calls. A future version of Vault will mark these optional values are required.
-Failure to supply `-mode` or `-role` will result in a warning.
-
-### Vault Plugin Init (Since 0.8.2)
-
-Vault plugins will first briefly run a restricted version of the plugin to
-fetch metadata, and then lazy-load the plugin on first request to prevent
-crash/deadlock of Vault during the unseal process. Plugins will need to be
-built with the latest changes in order for them to run properly.
-
-### Policy Input Format Standardization (Since 0.8.3)
-
-For all built-in authentication backends, policies can now be specified as a
-comma-delimited string or an array if using JSON as API input; on read,
-policies will be returned as an array; and the `default` policy will not be
-forcefully added to policies saved in configurations. Please note that the
-`default` policy will continue to be added to generated tokens, however, rather
-than backends adding `default` to the given set of input policies (in some
-cases, and not in others), the stored set will reflect the user-specified set.
-
-### PKI `sign-self-issued` modifies `Issuer` in generated certificates (Since 0.8.3)
-
-In 0.8.2 the endpoint would not modify the Issuer in the generated certificate,
-leaving the output self-issued. Although theoretically valid, in practice
-crypto stacks were unhappy validating paths containing such certs. As a result,
-`sign-self-issued` now encodes the signing CA's Subject DN into the Issuer DN
-of the generated certificate.
-
-### `sys/raw` requires enabling (Since 0.8.3)
-
-While the `sys/raw` endpoint can be extremely useful in break-glass or support
-scenarios, it is also extremely dangerous.  As of now, a configuration file
-option `raw_storage_endpoint` must be set in order to enable this API endpoint.
-Once set, the available functionality has been enhanced slightly; it now
-supports listing and decrypting most of Vault's core data structures, except
-for the encryption keyring itself.
-
-### `generic` is now `kv` (Since 0.8.3)
-
-To better reflect its actual use, the `generic` backend is now `kv`. Using
-`generic` will still work for backwards compatibility.
-
-### HSM Users Need to Specify New Config Options (In 0.9)
-
-When using Vault with an HSM, a new parameter is required: `hmac_key_label`.
-This performs a similar function to `key_label` but for the HMAC key Vault will
-use. Vault will generate a suitable key if this value is specified and
-`generate_key` is set true. See [the seal configuration page][pkcs11-seal] for
-more information.
-
-### API HTTP client behavior (In 0.9)
-
-When calling `NewClient` the API no longer modifies the provided
-client/transport. In particular this means it will no longer enable redirection
-limiting and HTTP/2 support on custom clients. It is suggested that if you want
-to make changes to an HTTP client that you use one created by `DefaultConfig`
-as a starting point.
-
-### AWS EC2 client nonce behavior (In 0.9)
-
-The client nonce generated by the backend that gets returned along with the
-authentication response will be audited in plaintext. If this is undesired, the
-clients can choose to supply a custom nonce to the login endpoint. The custom
-nonce set by the client will from now on, not be returned back with the
-authentication response, and hence not audit logged.
-
-### AWS Auth role options (In 0.9)
-
-The API will now error when trying to create or update a role with the
-mutually-exclusive options `disallow_reauthentication` and
-`allow_instance_migration`.
-
-### SSH CA role read changes (In 0.9)
-
-When reading back a role from the `ssh` backend, the TTL/max TTL values will
-now be an integer number of seconds rather than a string. This better matches
-the API elsewhere in Vault.
-
-### SSH role list changes (In 0.9)
-
-When listing roles from the `ssh` backend via the API, the response data will
-additionally return a `key_info` map that will contain a map of each key with a
-corresponding object containing the `key_type`.
-
-### More granularity in audit logs (In 0.9)
-
-Audit request and response entries are still in RFC3339 format but now have a
-granularity of nanoseconds.
-
-[generate-root]: https://www.vaultproject.io/api/secret/pki/index.html#generate-root
-[pkcs11-seal]: https://www.vaultproject.io/docs/configuration/seal/pkcs11.html
diff --git a/website/source/docs/upgrading/upgrade-to-0.9.1.html.md b/website/source/docs/upgrading/upgrade-to-0.9.1.html.md
deleted file mode 100644
index 71a5bc07c4f7..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.9.1.html.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.9.1 - Guides"
-sidebar_title: "Upgrade to 0.9.1"
-sidebar_current: "docs-upgrading-to-0.9.1"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.9.1. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.9.1 compared to 0.9.0. Please read it carefully.
-
-### AppRole Case Sensitivity
-
-In prior versions of Vault, `list` operations against AppRole roles would
-require preserving case in the role name, even though most other operations
-within AppRole are case-insensitive with respect to the role name. This has
-been fixed; existing roles will behave as they have in the past, but new roles
-will act case-insensitively in these cases.
-
-### Token Auth Backend Roles Parameter Types
-
-For `allowed_policies` and `disallowed_policies` in role definitions in the
-token auth backend, input can now be a comma-separated string or an array of
-strings. Reading a role will now return arrays for these parameters.
-
-### Transit Key Exporting
-
-You can now mark a key in the `transit` backend as `exportable` at any time,
-rather than just at creation time; however, once this value is set, it still
-cannot be unset.
-
-### PKI Secret Backend Roles Parameter Types
-
-For `allowed_domains` and `key_usage` in role definitions in the PKI secret
-backend, input can now be a comma-separated string or an array of strings.
-Reading a role will now return arrays for these parameters.
-
-### SSH Dynamic Keys Method Defaults to 2048-bit Keys
-
-When using the dynamic key method in the SSH backend, the default is now to use
-2048-bit keys if no specific key bit size is specified.
-
-### Consul Secret Backend Lease Handling
-
-The `consul` secret backend can now accept both strings and integer numbers of
-seconds for its lease value. The value returned on a role read will be an
-integer number of seconds instead of a human-friendly string.
-
-### Unprintable Characters Not Allowed in API Paths
-
-Unprintable characters are no longer allowed in names in the API (paths and
-path parameters), with an extra restriction on whitespace characters. Allowed
-characters are those that are considered printable by Unicode plus spaces.
diff --git a/website/source/docs/upgrading/upgrade-to-0.9.2.html.md b/website/source/docs/upgrading/upgrade-to-0.9.2.html.md
deleted file mode 100644
index 7c9cad7a11c6..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.9.2.html.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.9.2 - Guides"
-sidebar_title: "Upgrade to 0.9.2"
-sidebar_current: "docs-upgrading-to-0.9.2"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.9.2. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.9.2 compared to 0.9.1. Please read it carefully.
-
-### Backwards Compatible CLI Changes
-
-This upgrade guide is typically reserved for breaking changes, however it
-is worth calling out that the CLI interface to Vault has been completely
-revamped while maintaining backwards compatibility. This could lead to
-potential confusion  while browsing the latest version of the Vault
-documentation on vaultproject.io.
-
-All previous CLI commands should continue to work and are backwards
-compatible in almost all cases.
-
-Documentation for previous versions of Vault can be accessed using
-the GitHub interface by browsing tags (eg [0.9.1 website tree](https://github.com/hashicorp/vault/tree/v0.9.1/website)) or by
-[building the Vault website locally](https://github.com/hashicorp/vault/tree/v0.9.1/website#running-the-site-locally).
-
-### `sys/health` DR Secondary Reporting
-
-The `replication_dr_secondary` bool returned by `sys/health` could be
-misleading since it would be `false` both when a cluster was not a DR secondary
-but also when the node is a standby in the cluster and has not yet fully
-received state from the active node. This could cause health checks on LBs to
-decide that the node was acceptable for traffic even though DR secondaries
-cannot handle normal Vault traffic. (In other words, the bool could only convey
-"yes" or "no" but not "not sure yet".) This has been replaced by
-`replication_dr_mode` and `replication_perf_mode` which are string values that
-convey the current state of the node; a value of `disabled` indicates that
-replication is disabled or the state is still being discovered. As a result, an
-LB check can positively verify that the node is both not `disabled` and is not
-a DR secondary, and avoid sending traffic to it if either is true.
-
-
-### PKI Secret Backend Roles Parameter Types
-
-For `ou` and `organization` in role definitions in the PKI secret backend,
-input can now be a comma-separated string or an array of strings. Reading a
-role will now return arrays for these parameters.
-
-
-### Plugin API Changes
-
-The plugin API has been updated to utilize golang's context.Context package.
-Many function signatures now accept a context object as the first parameter.
-Existing plugins will need to pull in the latest Vault code and update their
-function signatures to begin using context and the new gRPC transport.
diff --git a/website/source/docs/upgrading/upgrade-to-0.9.3.html.md b/website/source/docs/upgrading/upgrade-to-0.9.3.html.md
deleted file mode 100644
index 8a7f1875de6f..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.9.3.html.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.9.3 - Guides"
-sidebar_title: "Upgrade to 0.9.3"
-sidebar_current: "docs-upgrading-to-0.9.3"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.9.3. Please read it carefully.
----
-
-# Overview
-
-Due to a rapid release following 0.9.2, there are no version-specific upgrade
-instructions although any upgrade notices for 0.9.2 apply if you are coming
-from a previous version.
-
-Please see the [0.9.2 upgrade guide](/guides/upgrading/upgrade-to-0.9.2.html) for notes on upgrading to 0.9.3.
diff --git a/website/source/docs/upgrading/upgrade-to-0.9.6.html.md b/website/source/docs/upgrading/upgrade-to-0.9.6.html.md
deleted file mode 100644
index 4dbd1592e649..000000000000
--- a/website/source/docs/upgrading/upgrade-to-0.9.6.html.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 0.9.6 - Guides"
-sidebar_title: "Upgrade to 0.9.6"
-sidebar_current: "docs-upgrading-to-0.9.6"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 0.9.6. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.9.6 compared to 0.9.5. Please read it carefully.
-
-### Change to AWS Role Output
-
-The AWS authentication backend now allows binds for inputs as either a
-comma-delimited string or a string array. However, to keep consistency with
-input and output, when reading a role the binds will now be returned as string
-arrays rather than strings.
-
-### Change to AWS IAM Auth ARN Prefix Matching
-
-In order to prefix-match IAM role and instance profile ARNs in AWS auth
-backend, you now must explicitly opt-in by adding a `*` to the end of the ARN.
-Existing configurations will be upgraded automatically, but when writing a new
-role configuration the updated behavior will be used.
diff --git a/website/source/docs/upgrading/upgrade-to-1.0.0.html.md b/website/source/docs/upgrading/upgrade-to-1.0.0.html.md
deleted file mode 100644
index 76e58899cfe3..000000000000
--- a/website/source/docs/upgrading/upgrade-to-1.0.0.html.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 1.0.0 - Guides"
-sidebar_title: "Upgrade to 1.0.0"
-sidebar_current: "docs-upgrading-to-1.0.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 1.0.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 0.11.5 compared to 1.0.0. Please read it carefully.
-
-## Token Format Change
-
-Tokens are now prefixed by a designation to indicate what type of token they are. Service tokens start with s. and batch tokens start with b.. Existing tokens will still work (they are all of service type and will be considered as such). Prefixing allows us to be more efficient when consuming a token, which keeps the critical path of requests faster.
-
-## Key Encoding Enforcement
-
-Vault will no longer accept updates when the storage key has invalid UTF-8 character encoding.
-
-## Upsert in Mount Tuning Endpoints
-
-Mount/Auth tuning the options map on backends will now upsert any provided values, and keep any of the existing values in place if not provided. The options map itself cannot be unset once it's set, but the keypairs within the map can be unset if an empty value is provided, with the exception of the version keypair which is handled differently for KVv2 purposes.
-
-## Agent Reauthentication
-
-Agent no longer automatically reauthenticates when new credentials are detected. It's not strictly necessary and in some cases was causing reauthentication much more often than intended.
-
-## HSM Key Regeneration Removed
-
-Vault no longer supports destroying and regenerating encryption keys on an HSM; it only supports creating them. Although this has never been a source of a customer incident, it is simply a code path that is too trivial to activate, especially by mistyping regenerate_key instead of generate_key.
-
-## Seal Upgrade before Migration
-
-When upgrading from Vault 0.8.x, the seal type in the barrier config storage entry will be upgraded from "hsm-auto" to "awskms" or "pkcs11" upon unseal if using AWSKMS or HSM seals. If performing seal migration, the barrier config should first be upgraded prior to starting migration.
-
-## Pooled API Client
-
-The Go API client now uses a connection-pooling HTTP client by default. For CLI operations this makes no difference but it should provide significant performance benefits for those writing custom clients using the Go API library. As before, this can be changed to any custom HTTP client by the caller.
-
-## Plugin Catalog Changes
-
-Builtin Secret Engines and Auth Methods are integrated deeper into the plugin system. The plugin catalog can now override builtin plugins with custom versions of the same name. Additionally the plugin system now requires a plugin type field when configuring plugins, this can be "auth", "database", or "secret".
-
-## Removed Endpoints
-
-Paths within auth/token that allow specifying a token or accessor in the URL have been removed. These have been deprecated since March 2016 and undocumented, but were retained for backwards compatibility. They shouldn't be used due to the possibility of those paths being logged, so at this point they are simply being removed.
diff --git a/website/source/docs/upgrading/upgrade-to-1.1.0.html.md b/website/source/docs/upgrading/upgrade-to-1.1.0.html.md
deleted file mode 100644
index 9e86f947d705..000000000000
--- a/website/source/docs/upgrading/upgrade-to-1.1.0.html.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 1.1.0 - Guides"
-sidebar_title: "Upgrade to 1.1.0"
-sidebar_current: "docs-upgrading-to-1.1.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 1.1.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 1.0.3 compared to 1.1.0. Please read it carefully.
-
-## JWT Backend Changes
-
-Specifying the group claims parameter has changed to use a standards based lookup.  The groups_claim_delimiter_pattern
-has been removed and if the groups claim is not at the top level, it can now be specified as a JSONPointer.
-
-Additionally, roles now have a "role type" parameter with a default type of "oidc". To configure new JWT roles, a role
-type of "jwt" must be explicitly specified.
-
-## Deprecated CLI Commands Removed
-
-CLI commands deprecated in 0.9.2 are now removed. Please see the CLI help output for updated commands.
-
-## Additional Changes
-
-* Vault no longer automatically mounts a k/v backend at the "secret/" path when initializing Vault.
-* Vault's cluster port will now be opened on HA standby nodes.
-* Vault no longer supports running netRPC plugins. These were deprecated in favor of gRPC based plugins and any plugin built since 0.9.4 defaults to gRPC. Older plugins may need to be recompiled against the latest Vault dependencies.
-
-## Known Issues
-
--> **NOTE:** This is a known issue applicable to _Vault Enterprise_.
-
-During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may
-require an automatically-triggered reindex, either if upgrading from a pre-0.8
-version of Vault or if a previously-issued reindex operation has failed in the
-past. In these reindex scenarios, the secondary cluster will perform a complete
-WAL replay, which can take a long time and is a partially blocking operation.
-
-This is fixed in [Vault
-1.1.3](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#113-june-5th-2019),
-and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version.
-We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are
-running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.
diff --git a/website/source/docs/upgrading/upgrade-to-1.1.1.html.md b/website/source/docs/upgrading/upgrade-to-1.1.1.html.md
deleted file mode 100644
index 1279ed5cf431..000000000000
--- a/website/source/docs/upgrading/upgrade-to-1.1.1.html.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 1.1.1 - Guides"
-sidebar_title: "Upgrade to 1.1.1"
-sidebar_current: "docs-upgrading-to-1.1.1"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 1.1.1. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 1.1.0 compared to 1.1.1. Please read it carefully.
-
-## Known Issues
-
-### Issue with some KVv2 mounts
-
-There is a known issue that could cause the upgrade to 1.1.1 to fail under
-certain circumstances. This issue occurs when a KV version 2 mount exists but
-contains no data. This will be fixed in 1.1.2. Additionally a work around does
-exist: prior to upgrading ensure all KV v2 mounts have at least one key written
-to it.
-
-### Change in LDAP Group CN handling
-
-A bug fix to allow group CNs to be found from an LDAP server in lowercase `cn`
-as well as uppercase `CN` had an unintended consequence. If prior to that a
-group used `cn`, as in `cn=foo,ou=bar` then the group that would need to be put
-into place in the LDAP plugin to match against policies is `cn=foo,ou=bar`
-since the CN would not be correctly found. After the change, the CN was
-correctly found, but this would result in the group name being parsed as `foo`
-and would not match groups using the full DN. In 1.1.5+, there is a boolean
-config setting `use_pre111_group_cn_behavior` to allow reverting to the old
-matching behavior; we also attempt to upgrade exiting configs to have that
-defaulted to true.
-
-
-### Long WAL replay
-
--> **NOTE:** This is a known issue applicable to _Vault Enterprise_.
-
-During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may
-require an automatically-triggered reindex, either if upgrading from a pre-0.8
-version of Vault or if a previously-issued reindex operation has failed in the
-past. In these reindex scenarios, the secondary cluster will perform a complete
-WAL replay, which can take a long time and is a partially blocking operation.
-
-This is fixed in [Vault
-1.1.3](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#113-june-5th-2019),
-and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version.
-We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are
-running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.
-
-
-## JWT/OIDC Plugin
-
-Logins of role_type "oidc" via the /login path are no longer allowed.
-
-## ACL Wildcards
-
-New ordering defines which policy wins when there are multiple inexact matches
-and at least one path contains `+`. `+*` is now illegal in policy paths. The
-previous behavior simply selected any matching segment-wildcard path that
-matched.
-
-## Replication
-
-Due to technical limitations, mounting and unmounting was not previously
-possible from a performance secondary. These have been resolved, and these
-operations may now be run from a performance secondary.
diff --git a/website/source/docs/upgrading/upgrade-to-1.1.2.html.md b/website/source/docs/upgrading/upgrade-to-1.1.2.html.md
deleted file mode 100644
index 84d811d45d79..000000000000
--- a/website/source/docs/upgrading/upgrade-to-1.1.2.html.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 1.1.2 - Guides"
-sidebar_title: "Upgrade to 1.1.2"
-sidebar_current: "docs-upgrading-to-1.1.2"
-description: |-
-  This page explains a known issue upgrading to Vault 1.1.2 for Enterprise
-  users.  Please read it carefully.
----
-
-# Overview
-
-This page explains a known issue upgrading to Vault 1.1.2 for Enterprise users.
-Please read it carefully.
-
-## Known Issues
-
--> **NOTE:** This is a known issue applicable to _Vault Enterprise_.
-
-During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may
-require an automatically-triggered reindex, either if upgrading from a pre-0.8
-version of Vault or if a previously-issued reindex operation has failed in the
-past. In these reindex scenarios, the secondary cluster will perform a complete
-WAL replay, which can take a long time and is a partially blocking operation.
-
-This is fixed in [Vault
-1.1.3](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#113-june-5th-2019),
-and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version.
-We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are
-running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.
diff --git a/website/source/docs/upgrading/upgrade-to-1.2.0.html.md b/website/source/docs/upgrading/upgrade-to-1.2.0.html.md
deleted file mode 100644
index 8a9d5734e4c6..000000000000
--- a/website/source/docs/upgrading/upgrade-to-1.2.0.html.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 1.2.0 - Guides"
-sidebar_title: "Upgrade to 1.2.0"
-sidebar_current: "docs-upgrading-to-1.2.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 1.2.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 1.2.0 compared to 1.1.0. Please read it carefully.
-
-## Known Issues
-
-### AppRole Upgrade Issue
-
-Due to a bug, on upgrade AppRole roles cannot be read properly. If using AppRole, do not upgrade until this issue is fixed in 1.2.1.
-
-## Changes/Deprecations
-
-### Path Character Handling
-
-Due to underlying changes in Go's runtime past version 1.11.5, Vault is now
-stricter about what characters it will accept in path names. Whereas before it
-would filter out unprintable characters (and this could be turned off), control
-characters and other invalid characters are now rejected within Go's HTTP
-library before the request is passed to Vault, and this cannot be disabled. To
-continue using these (e.g. for already-written paths), they must be properly
-percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes `%00`, and so on).
-
-### AWSKMS Seal Region
-
-The user-configured regions on the AWSKMS seal stanza will now be preferred
-over regions set in the enclosing environment.
-
-### Audit Logging of Empty Values
-
-All values in audit logs now are omitted if they are empty.  This helps reduce
-the size of audit log entries by not reproducing keys in each entry that
-commonly don't contain any value, which can help in cases where audit log
-entries are above the maximum UDP packet size and others.
-
-### Rollback Logging
-
-Rollback will no longer display log messages when it runs; it will only display
-messages if an error occurs.
-
-### Database Plugins
-
-Database plugins now default to 4 max open connections rather than 2. This
-should be safe in nearly all cases and fixes some issues where a single
-operation could fail with the default configuration because it needed three
-connections just for that operation. However, this could result in an increase
-in held open file descriptors for each database configuration, so ensure that
-there is sufficient overhead.
-
-### AppRole Various Changes
-
-* AppRole uses new, common token fields for values that overlap with other auth
-  methods. `period` and `policies` will continue to work, with priority being
-  given to the `token_` prefixed versions of these fields, but the values for
-  those will only be returned on read if they were set initially.
-* `default` is no longer automatically added to policies after submission. It
-  was a no-op anyways since Vault's core would always add it, and changing this
-  behavior allows AppRole to support the new `token_no_default_policy`
-  parameter
-* The long-deprecated `bound_cidr_list` is no longer returned when reading a
-  role.
-
-### Token Store Roles Changes
-
-Token store roles use new, common token fields for the values that overlap with
-other auth backends. `period`, `explicit_max_ttl`, and `bound_cidrs` will
-continue to work, with priority being given to the `token_` prefixed versions
-of those parameters. They will also be returned when doing a read on the role
-if they were used to provide values initially; however, in Vault 1.4 if
-`period` or `explicit_max_ttl` is zero they will no longer be returned.
-(`explicit_max_ttl` was already not returned if empty.)
-
-### Go API/SDK Changes
-
-Vault now uses Go's official dependency management system, Go Modules, to
-manage dependencies. As a result to both reduce transitive dependencies for API
-library users and plugin authors, and to work around various conflicts, we have
-moved various helpers around, mostly under an `sdk/` submodule. A couple of
-functions have also moved from plugin helper code to the `api/` submodule. If
-you are a plugin author, take a look at some of our official plugins and the
-paths they are importing for guidance.
-
-### Change in LDAP Group CN handling
-
-A bug fix put in place in Vault 1.1.1 to allow group CNs to be found from an
-LDAP server in lowercase `cn` as well as uppercase `CN` had an unintended
-consequence. If prior to that a group used `cn`, as in `cn=foo,ou=bar` then the
-group that would need to be put into place in the LDAP plugin to match against
-policies is `cn=foo,ou=bar` since the CN would not be correctly found. After
-the change, the CN was correctly found, but this would result in the group name
-being parsed as `foo` and would not match groups using the full DN. In 1.1.5+,
-there is a boolean config setting `use_pre111_group_cn_behavior` to allow
-reverting to the old matching behavior; we also attempt to upgrade exiting
-configs to have that defaulted to true.
-
-### JWT/OIDC Plugin
-
-Logins of role_type "oidc" via the /login path are no longer allowed. 
-
-### ACL Wildcards
-
-New ordering put into place in Vault 1.1.1 defines which policy wins when there
-are multiple inexact matches and at least one path contains `+`. `+*` is now
-illegal in policy paths. The previous behavior simply selected any matching
-segment-wildcard path that matched.
-
-### Replication
-
-Due to technical limitations, mounting and unmounting was not previously
-possible from a performance secondary. These have been resolved, and these
-operations may now be run from a performance secondary.
diff --git a/website/source/docs/upgrading/upgrade-to-1.2.1.html.md b/website/source/docs/upgrading/upgrade-to-1.2.1.html.md
deleted file mode 100644
index 2a819859b149..000000000000
--- a/website/source/docs/upgrading/upgrade-to-1.2.1.html.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 1.2.1 - Guides"
-sidebar_title: "Upgrade to 1.2.1"
-sidebar_current: "docs-upgrading-to-1.2.1"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 1.2.1. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 1.2.1 compared to 1.2.0. Please read it carefully.
-
-## Known Issues
-
-### AppRole Upgrade Issue
-
-Vault 1.2.1 contains a known issue where an existing AppRole role
-may not be read or updated under a specific scenario. The role in 
-question needs to have been created before Vault 1.0.0, and then updated 
-between 1.0.0 and 1.1.5. If using AppRole, do not upgrade to until 
-his issue is fixed in 1.2.2.
\ No newline at end of file
diff --git a/website/source/docs/upgrading/upgrade-to-1.2.4.html.md b/website/source/docs/upgrading/upgrade-to-1.2.4.html.md
deleted file mode 100644
index 1e50a1ab0089..000000000000
--- a/website/source/docs/upgrading/upgrade-to-1.2.4.html.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 1.2.4 - Guides"
-sidebar_title: "Upgrade to 1.2.4"
-sidebar_current: "docs-upgrading-to-1.2.4"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 1.2.4. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 1.2.4 compared to 1.2.3. Please read it carefully.
-
-## Detached Leases From Tokens in non-root Namespaces
-
-In a non-root namespace, revocation of a token scoped to a non-root namespace
-did not trigger the expected revocation of dynamic secret leases associated with
-that token. As a result, dynamic secret leases in non-root namespaces may
-outlive the token that created them. This vulnerability, CVE-2019-18616, affects
-Vault Enterprise 0.11.0 and newer.
-
-## Mount Filtering in Disaster Recovery Secondary Clusters
-
-Disaster Recovery secondary clusters did not delete already-replicated data
-after a mount filter has been created on an upstream Performance secondary
-cluster. As a result, encrypted secrets may remain replicated on a Disaster
-Recovery secondary cluster after application of a mount filter excluding those
-secrets from replication. This vulnerability, CVE-2019-18617, affects Vault
-Enterprise 0.8 and newer.
-
-## Golang crypto/dsa CVE
-
-Update version of Go to 1.12.12 to fix Go bug golang.org/issue/34960 which
-corresponds to CVE-2019-17596.
-
-## AWS Region Detection in Agent and CLI
-
-If a custom sts_endpoint is configured, Vault Agent and the CLI should provide
-the corresponding region via the region parameter (which already existed as a
-CLI parameter, and has now been added to Agent). The automatic region detection
-added to the CLI and Agent in 1.2 has been removed.
-
diff --git a/website/source/docs/upgrading/upgrade-to-1.3.0.html.md b/website/source/docs/upgrading/upgrade-to-1.3.0.html.md
deleted file mode 100644
index 8286d90af6d3..000000000000
--- a/website/source/docs/upgrading/upgrade-to-1.3.0.html.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-layout: "docs"
-page_title: "Upgrading to Vault 1.3.0 - Guides"
-sidebar_title: "Upgrade to 1.3.0"
-sidebar_current: "docs-upgrading-to-1.3.0"
-description: |-
-  This page contains the list of deprecations and important or breaking changes
-  for Vault 1.3.0. Please read it carefully.
----
-
-# Overview
-
-This page contains the list of deprecations and important or breaking changes
-for Vault 1.3.0 compared to 1.2.4. Please read it carefully.
-
-## Secondary cluster activation 
-
-There has been a change to the way that activating performance and DR secondary
-clusters works when using public keys for encryption of the parameters rather
-than a wrapping token. This flow was experimental and never documented. It is
-now officially supported and documented but is not backwards compatible with
-older Vault releases.
-
-## Cluster cipher suites 
-
-On its cluster port, Vault will no longer advertise the full TLS 1.2 cipher
-suite list by default. Although this port is only used for Vault-to-Vault
-communication and would always pick a strong cipher, it could cause false flags
-on port scanners and other security utilities that assumed insecure ciphers were
-being used. The previous behavior can be achieved by setting the value of the
-(undocumented) cluster_cipher_suites config flag to tls12.
-
-## API/Agent Renewal Behavior
-
-The API now allows multiple options for how it deals with renewals. The legacy
-behavior in the Agent/API is for the renewer (now called the lifetime watcher)
-to exit on a renew error, leading to a reauthentication. The new default
-behavior is for the lifetime watcher to ignore 5XX errors and simply retry as
-scheduled, using the existing lease duration. It is also possible, within
-custom code, to disable renewals entirely, which allows the lifetime watcher to
-simply return when it believes it is time for your code to renew or
-reauthenticate.
diff --git a/website/source/docs/use-cases/index.html.md b/website/source/docs/use-cases/index.html.md
deleted file mode 100644
index e7afe9422882..000000000000
--- a/website/source/docs/use-cases/index.html.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-layout: "docs"
-page_title: "Use Cases"
-sidebar_title: "Use Cases"
-sidebar_current: "use-cases"
-description: |-
-  This page lists some concrete use cases for Vault, but the possible use cases are much broader than what we cover.
----
-
-# Use Cases
-
-Before understanding use cases, it's useful to know [what Vault is](/intro/index.html).
-This page lists some concrete use cases for Vault, but the possible use cases are
-much broader than what we cover.
-
-#### General Secret Storage
-
-At a bare minimum, Vault can be used for the storage of any secrets. For
-example, Vault would be a fantastic way to store sensitive environment variables,
-database credentials, API keys, etc.
-
-Compare this with the current way to store these which might be
-plaintext in files, configuration management, a database, etc. It would be
-much safer to query these using `vault read` or the API. This protects
-the plaintext version of these secrets as well as records access in the Vault
-audit log.
-
-#### Employee Credential Storage
-
-While this overlaps with "General Secret Storage", Vault is a good mechanism
-for storing credentials that employees share to access web services. The
-audit log mechanism lets you know what secrets an employee accessed and
-when an employee leaves, it is easier to roll keys and understand which keys
-have and haven't been rolled.
-
-#### API Key Generation for Scripts
-
-The "dynamic secrets" feature of Vault is ideal for scripts: an AWS
-access key can be generated for the duration of a script, then revoked.
-The keypair will not exist before or after the script runs, and the
-creation of the keys are completely logged.
-
-This is an improvement over using something like Amazon IAM but still
-effectively hardcoding limited-access access tokens in various places.
-
-#### Data Encryption
-
-In addition to being able to store secrets, Vault can be used to
-encrypt/decrypt data that is stored elsewhere. The primary use of this is
-to allow applications to encrypt their data while still storing it in the
-primary data store.
-
-The benefit of this is that developers do not need to worry about how to
-properly encrypt data. The responsibility of encryption is on Vault
-and the security team managing it, and developers just encrypt/decrypt
-data as needed.
diff --git a/website/source/docs/vs/chef-puppet-etc.html.md b/website/source/docs/vs/chef-puppet-etc.html.md
deleted file mode 100644
index 074cc54534f2..000000000000
--- a/website/source/docs/vs/chef-puppet-etc.html.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-layout: "docs"
-page_title: "Vault vs. Chef, Puppet, etc."
-sidebar_title: "Chef, Puppet, etc."
-sidebar_current: "vs-other-chef"
-description: |-
-  Comparison between Vault and configuration management solutions such as Chef, Puppet, etc.
----
-
-# Vault vs. Chef, Puppet, etc.
-
-A big part of configuring software is setting up secrets: configuring a
-web application to talk to a service, configuring the credentials of a
-database, etc. Because of this, configuration management systems all face
-a problem of safely storing these secrets.
-
-Chef, Puppet, etc. all solve this in a similar way: single-key
-encrypted storage. Chef has encrypted data bags, Puppet has encrypted
-Hiera, and so on. The encrypted data is always one secret (a password,
-a key, etc.) away from being decrypted, and this secret is generally
-not well protected since in an elastic environment, every server needs
-to somehow get this secret to decrypt the data. Additionally, access to
-the encrypted data isn't always logged, so if there is an intrusion, it
-isn't clear what data has been accessed and by who.
-
-Vault is not tied to any specific configuration management system. You can
-read secrets from configuration management, but you can also use the API
-directly to read secrets from applications. This means that configuration
-management requires fewer secrets, and in many cases doesn't ever have to
-persist them to disk.
-
-Vault encrypts the data onto physical storage and requires multiple
-keys to even read it. If an attacker were to gain access to the physical
-encrypted storage, it couldn't be read without multiple keys which are generally
-distributed to multiple individuals. This is known as _unsealing_, and happens
-once whenever Vault starts.
-
-For an unsealed Vault, every interaction is logged in via the audit devices.
-Even erroneous requests (invalid access tokens, for example) are logged.
-To access any data, an access token is required. This token is usually
-associated with an identity coming from a system such as GitHub, LDAP, etc.
-This identity is also written to the audit log.
-
-Access tokens can be given fine-grained control over what secrets can be
-accessed. It is rare to have a single key that can access all secrets. This
-makes it easier to have fine-grained access for consumers of Vault.
-
-For tips on how to integrate Vault using configuration management, please see
-[Using HashiCorp's Vault with Chef](https://www.hashicorp.com/blog/using-hashicorps-vault-with-chef/).
-Although this post is about Chef, the principles can be broadly applied to many
-of the tools listed here.
diff --git a/website/source/docs/vs/consul.html.md b/website/source/docs/vs/consul.html.md
deleted file mode 100644
index 2595a1719aed..000000000000
--- a/website/source/docs/vs/consul.html.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-layout: "docs"
-page_title: "Vault vs. Consul"
-sidebar_title: "Consul"
-sidebar_current: "vs-other-consul"
-description: |-
-  Comparison between Vault and attempting to store secrets with Consul.
----
-
-# Vault vs. Consul
-
-[Consul](https://www.consul.io) is a system for service discovery, monitoring,
-and configuration that is distributed and highly available. Consul also
-supports an ACL system to restrict access to keys and service information.
-
-While Consul can be used to store secret information and gate access using
-ACLs, it is not designed for that purpose. As such, data is not encrypted
-in transit nor at rest, it does not have pluggable authentication mechanisms,
-and there is no per-request auditing mechanism.
-
-Vault is designed from the ground up as a secret management solution. As such,
-it protects secrets in transit and at rest. It provides multiple authentication
-and audit logging mechanisms. Dynamic secret generation allows Vault to avoid
-providing clients with root privileges to underlying systems and makes
-it possible to do key rolling and revocation.
-
-The strength of Consul is that it is fault tolerant and highly scalable.
-By using Consul as a backend to Vault, you get the best of both. Consul
-is used for durable storage of encrypted data at rest and provides coordination
-so that Vault can be highly available and fault tolerant. Vault provides
-the higher level policy management, secret leasing, audit logging, and automatic
-revocation.
diff --git a/website/source/docs/vs/custom.html.md b/website/source/docs/vs/custom.html.md
deleted file mode 100644
index cb3f8c335361..000000000000
--- a/website/source/docs/vs/custom.html.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-layout: "docs"
-page_title: "Vault vs. Custom Solutions"
-sidebar_title: "Custom Solutions"
-sidebar_current: "vs-other-custom"
-description: |-
-  Comparison between Vault and writing a custom solution.
----
-
-# Vault vs. Custom Solutions
-
-Many organizations resort to custom solutions for storing secrets,
-whether that be Dropbox, encrypted disk images, encrypted SQL columns,
-etc.
-
-These systems require time and resources to build and maintain.
-Storing secrets is also an incredibly important piece of infrastructure
-that must be done correctly. This increases the pressure to maintain
-the internal systems.
-
-Vault is designed for secret storage. It provides a simple interface
-on top of a strong security model to meet your secret storage needs.
-
-Furthermore, Vault is an open source tool. This means that the tool is
-as good as the entire community working together to improve it. This
-isn't just features and bug fixes, but finding potential security holes.
-Additionally, since it is open source, your own security teams can
-review and contribute to Vault and verify it meets your standards
-for security.
diff --git a/website/source/docs/vs/dropbox.html.md b/website/source/docs/vs/dropbox.html.md
deleted file mode 100644
index 91a0ac1109a8..000000000000
--- a/website/source/docs/vs/dropbox.html.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-layout: "docs"
-page_title: "Vault vs. Dropbox"
-sidebar_title: "Dropbox"
-sidebar_current: "vs-other-dropbox"
-description: |-
-  Comparison between Vault and attempting to store secrets with Dropbox.
----
-
-# Vault vs. Dropbox
-
-It is an unfortunate truth that many organizations, big and small, often use Dropbox as a mechanism for storing secrets. It is so common that we've decided to make a special section for it instead of throwing it under the "custom solutions" header.
-
-Dropbox is not made for storing secrets. Even if you're using something such as an encrypted disk image within Dropbox, it is subpar versus a real secret storage server.
-
-A real secret management tool such as Vault has a stronger security model, integrates with many different authentication services, stores audit logs, can generate dynamic secrets, and more.
-
-And, due to `vault` CLI, using `vault` on a developer machine is simple!
diff --git a/website/source/docs/vs/hsm.html.md b/website/source/docs/vs/hsm.html.md
deleted file mode 100644
index c92e36a8872e..000000000000
--- a/website/source/docs/vs/hsm.html.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-layout: "docs"
-page_title: "Vault vs. HSMs"
-sidebar_title: "HSMs"
-sidebar_current: "vs-other-hsm"
-description: |-
-  Comparison between Vault and HSM systems.
----
-
-# Vault vs. HSMs
-
-A [hardware security module
-(HSM)](https://en.wikipedia.org/wiki/Hardware_security_module) is a hardware
-device that is meant to secure various secrets using protections against access
-and tampering at both the software and hardware layers.
-
-The primary issue with HSMs is that they are expensive and not very cloud
-friendly. An exception to the latter is Amazon's CloudHSM service, which is
-friendly for AWS users but still costs more than $14k per year per instance,
-and not as useful for heterogenous cloud architectures.
-
-Once an HSM is up and running, configuring it is generally very tedious, and
-the API to request secrets is also difficult to use. Example: CloudHSM requires
-SSH and setting up various keypairs manually. It is difficult to automate. APIs
-tend to require the use of specific C libraries (e.g. PKCS#11) or
-vendor-specific libraries.
-
-However, although configuring and running an HSM can be a challenge, they come
-with a significant advantage in that they conform to government-mandated
-compliance requirements (e.g. FIPS 140), which often require specific hardware
-protections and security models in addition to software.
-
-Vault doesn't replace an HSM. Instead, they can be complementary; a compliant
-HSM can protect Vault's master key to help Vault comply with regulatory
-requirements, and Vault can provide easy client APIs for tasks such as
-encryption and decryption.
-
-Vault can also do many things that HSMs cannot currently do, such as generating
-_dynamic secrets_. Instead of storing AWS access keys directly within Vault,
-Vault can generate access keys according to a specific policy on the fly. Vault
-has the potential of doing this for any system through its mountable secret
-backend system.
-
-For many companies' security requirements, Vault alone is enough. For companies
-that can afford an HSM or with specific regulatory requirements, it can be used
-with Vault to get the best of both worlds.
diff --git a/website/source/docs/vs/index.html.md b/website/source/docs/vs/index.html.md
deleted file mode 100644
index 116e09ff7733..000000000000
--- a/website/source/docs/vs/index.html.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-layout: "docs"
-page_title: "Vault vs. Other Software"
-sidebar_title: "Vault vs. Other Software"
-sidebar_current: "vs-other"
-description: |-
-  Comparisons between Vault and other software that claim to store secrets in some capacity.
----
-
-# Vault vs. Other Software
-
-There are a number of other options in the market currently that claim
-to store secrets in some capacity. This section compares Vault to these
-other software choices.
-
-Due to the bias of the comparisons being on the Vault website, we attempt
-to only use facts. If you find something that is invalid or out of date
-in the comparisons, please
-[open an issue](https://github.com/hashicorp/vault/issues) and we'll
-address it as soon as possible.
-
-Use the navigation on the left to read comparisons of Vault versus other
-systems.
diff --git a/website/source/docs/vs/keywhiz.html.md b/website/source/docs/vs/keywhiz.html.md
deleted file mode 100644
index 45935f829f7a..000000000000
--- a/website/source/docs/vs/keywhiz.html.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-layout: "docs"
-page_title: "Vault vs. Keywhiz"
-sidebar_title: "Keywhiz"
-sidebar_current: "vs-other-keywhiz"
-description: |-
-  Comparison between Vault and Keywhiz.
----
-
-# Vault vs. Keywhiz
-
-Keywhiz is a secret management solution built by Square. Keywhiz has a
-client/server architecture based on a RESTful API. Clients of Keywhiz access
-secrets through the API by authenticating with a client certificate or cookie.
-To allow for flexible consumption of secrets by arbitrary software, clients may
-also make use of a FUSE filesystem to expose secrets as files on disk, and use
-Unix file permissions for access control. Human operators may authenticate
-using a cookie-based authentication either via command line utilities or
-through a management web interface.
-
-Vault similarly is designed as a comprehensive secret management solution. The
-client interaction with Vault is flexible both for authentication and usage of
-secrets. Vault supports [mTLS authentication](/docs/auth/cert.html) along with
-many [other mechanisms](/docs/auth/index.html). The goal is to make it easy
-to authenticate as a machine for programmatic access and as a human for
-operator usage.
-
-Vault and Keywhiz expose secrets via an API. The Vault [ACL
-system](/docs/concepts/policies.html) is used to protect secrets and gate
-access, similarly to the Keywhiz ACL system. With Vault, all auditing is done
-server side using [audit devices](/docs/audit/index.html).
-
-Keywhiz focuses on storage and distribution of secrets and supports rotation
-through secret versioning, which is possible in the Keywhiz UI and command-line
-utilities. Vault also supports dynamic secrets and generating credentials
-on-demand for fine-grained security controls, but adds first class support for
-non-repudiation. Key rotation is a first class concern for Keywhiz and Vault,
-so that no external systems need to be used.
-
-Lastly, Vault forces a mandatory lease contract with clients. All secrets read
-from Vault have an associated lease which enables operators to audit key usage,
-perform key rolling, and ensure automatic revocation. Vault provides multiple
-revocation mechanisms to give operators a clear "break glass" procedure after a
-potential compromise.
diff --git a/website/source/docs/vs/kms.html.md b/website/source/docs/vs/kms.html.md
deleted file mode 100644
index a54ba6fb1522..000000000000
--- a/website/source/docs/vs/kms.html.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-layout: "docs"
-page_title: "Vault vs. Amazon Key Management Service"
-sidebar_title: "Amazon KMS"
-sidebar_current: "vs-other-kms"
-description: |-
-  Comparison between Vault and Amazon Key Management Service.
----
-
-# Vault vs. Amazon KMS
-
-Amazon Key Management Service (KMS) is a service provided in the AWS ecosystem
-for encryption key management. It is backed by Hardware Security Modules (HSM)
-for physical security.
-
-Vault and KMS differ in the scope of problems they are trying to solve.  KMS is
-focused on securely storing encryption keys and supporting cryptographic
-operations (encrypt and decrypt) using those keys. It supports access controls
-and auditing as well.
-
-In contrast, Vault provides a comprehensive secret management solution.  The
-[`transit` backend](/docs/secrets/transit/index.html) provides similar
-capabilities as KMS, allowing for encryption keys to be stored and
-cryptographic operations to be performed. However, Vault goes much further than
-just key management.
-
-The flexible secrets engines allow Vault to handle any type of secret data,
-including database credentials, API keys, PKI keys, and encryption keys.  Vault
-also supports dynamic secrets, generating credentials on-demand for
-fine-grained security controls, auditing, and non-repudiation.
-
-Lastly, Vault forces a mandatory lease contract with clients. All secrets read
-from Vault have an associated lease which enables operations to audit key
-usage, perform key rolling, and ensure automatic revocation. Vault provides
-multiple revocation mechanisms to give operators a clear "break glass"
-procedure after a potential compromise.
-
-Vault is an open source tool that can be deployed to any environment, and does
-not require any special hardware. This makes it well suited for cloud
-environments where HSMs are not available or are cost prohibitive.
diff --git a/website/source/docs/what-is-vault/index.html.md b/website/source/docs/what-is-vault/index.html.md
deleted file mode 100644
index 638f6aea226f..000000000000
--- a/website/source/docs/what-is-vault/index.html.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-layout: "docs"
-page_title: "Introduction"
-sidebar_title: "What is Vault?"
-sidebar_current: "what"
-description: |-
-  Welcome to the intro guide to Vault! This guide is the best place to start with Vault. We cover what Vault is, what problems it can solve, how it compares to existing software, and contains a quick start for using Vault.
----
-
-# Introduction to Vault
-
-Welcome to the introduction guide to HashiCorp Vault! This guide is the best
-place to get started with Vault. This guide covers what Vault is, what problems
-it can solve, how it compares to existing software, and contains a quick start
-for using Vault.
-
-If you are already familiar with the basics of Vault, the
-[documentation](/docs/index.html) provides a better reference guide for all
-available features as well as internals.
-
-## What is Vault?
-
-Vault is a tool for securely accessing _secrets_. A secret is anything that you
-want to tightly control access to, such as API keys, passwords, or certificates.
-Vault provides a unified interface to any secret, while providing tight access
-control and recording a detailed audit log.
-
-A modern system requires access to a multitude of secrets: database credentials,
-API keys for external services, credentials for service-oriented architecture
-communication, etc. Understanding who is accessing what secrets is already very
-difficult and platform-specific. Adding on key rolling, secure storage, and
-detailed audit logs is almost impossible without a custom solution. This is
-where Vault steps in.
-
-Examples work best to showcase Vault. Please see the
-[use cases](/intro/use-cases.html).
-
-The key features of Vault are:
-
-* **Secure Secret Storage**: Arbitrary key/value secrets can be stored
-  in Vault. Vault encrypts these secrets prior to writing them to persistent
-  storage, so gaining access to the raw storage isn't enough to access
-  your secrets. Vault can write to disk, [Consul](https://www.consul.io),
-  and more.
-
-* **Dynamic Secrets**: Vault can generate secrets on-demand for some
-  systems, such as AWS or SQL databases. For example, when an application
-  needs to access an S3 bucket, it asks Vault for credentials, and Vault
-  will generate an AWS keypair with valid permissions on demand. After
-  creating these dynamic secrets, Vault will also automatically revoke them
-  after the lease is up.
-
-* **Data Encryption**: Vault can encrypt and decrypt data without storing
-  it. This allows security teams to define encryption parameters and
-  developers to store encrypted data in a location such as SQL without
-  having to design their own encryption methods.
-
-* **Leasing and Renewal**: All secrets in Vault have a _lease_ associated
-  with them. At the end of the lease, Vault will automatically revoke that
-  secret. Clients are able to renew leases via built-in renew APIs.
-
-* **Revocation**: Vault has built-in support for secret revocation. Vault
-  can revoke not only single secrets, but a tree of secrets, for example
-  all secrets read by a specific user, or all secrets of a particular type.
-  Revocation assists in key rolling as well as locking down systems in the
-  case of an intrusion.
-
-## Next Steps
-
-See the page on [Vault use cases](/intro/use-cases.html) to see the
-multiple ways Vault can be used. Then see
-[how Vault compares to other software](/intro/vs/index.html)
-to see how it fits into your existing infrastructure. Finally, continue onwards with
-the [getting started guide](/intro/getting-started/index.html) to use
-Vault to read, write, and create real secrets and see how it works in practice.
diff --git a/website/source/downloads.html.erb b/website/source/downloads.html.erb
deleted file mode 100644
index 7e8399f7ab5d..000000000000
--- a/website/source/downloads.html.erb
+++ /dev/null
@@ -1,12 +0,0 @@
----
-layout: "inner"
-page_title: "Download Vault"
-description: |-
-  Download Vault
----
-
-<hashi-product-downloader
-  product="<%= config[:product_name] %>"
-  version="<%= config[:latest_version] %>"
-  downloads="<%= encode(config[:product_versions]) %>"
-></hashi-product-downloader>
diff --git a/website/source/favicon.ico b/website/source/favicon.ico
deleted file mode 100644
index ee87168bc44e..000000000000
Binary files a/website/source/favicon.ico and /dev/null differ
diff --git a/website/source/guides/encryption/index.html.md b/website/source/guides/encryption/index.html.md
deleted file mode 100644
index ce4d9d7f912f..000000000000
--- a/website/source/guides/encryption/index.html.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-layout: "guides"
-page_title: "Encryption as a Service - Guides"
-sidebar_title: "Encryption as a Service"
-sidebar_current: "guides-encryption"
-description: |-
-  The transit secrets engine handles cryptographic functions on data in-transit.
-  Vault doesn't store the data sent to the secrets engine. It can also be viewed
-  as "cryptography as a service" or "encryption as a service".
----
-
-# Encryption as a Service
-
-Vault provides Encryption as a Service (EaaS) to enable security teams to
-fortify data during transit and at rest. So even if an intrusion occurs, your
-data is encrypted and the attacker would never get a hold of the raw data.
-
-This guide walks you through Encryption as a Service topics.
-
-- [Encryption as a Service](/guides/encryption/transit.html) guide walks you
-through the usage of the `transit` secrets engine in Vault.
-Read this guide first before proceeding to the [Transit Secrets
-Re-wrapping](/guides/encryption/transit-rewrap.html) guide or [Java Application
-Demo](/guides/encryption/spring-demo.html) guide.
-
-- [Java Application Demo](/guides/encryption/spring-demo.html) guide walks
-through a sample application which relies on Vault to generate database
-credentials as well as encrypting sensitive data.  This guide is for anyone who
-wishes to reproduce the demo introduced in
-the [Manage secrets, access, and encryption in the public cloud with Vault](https://www.hashicorp.com/resources/solutions-engineering-webinar-series-episode-2-vault)
-webinar.
-
-- [Transit Secrets Re-wrapping](/guides/encryption/transit-rewrap.html) guide
-demonstrates one possible way to re-wrap data after rotating an encryption key
-in the transit engine in Vault.
diff --git a/website/source/guides/encryption/spring-demo.html.md b/website/source/guides/encryption/spring-demo.html.md
deleted file mode 100644
index 0796b45916ff..000000000000
--- a/website/source/guides/encryption/spring-demo.html.md
+++ /dev/null
@@ -1,703 +0,0 @@
----
-layout: "guides"
-page_title: "Java Application Demo - Guides"
-sidebar_title: "Java Application Demo"
-sidebar_current: "guides-encryption-spring-demo"
-description: |-
-  This guide discusses the concepts necessary to help users
-  understand Vault's AppRole authentication pattern and how to use it to
-  securely introduce a Vault authentication token to a target server,
-  application, container, etc. in a Java environment.
----
-
-# Java Sample App using Spring Cloud Vault
-
-Once you have learned the fundamentals of Vault, the next step is to start
-integrating your system with Vault to secure your organization's secrets.  
-
-The purpose of this guide is to go through the working implementation demo
-introduced in the [Manage secrets, access, and encryption in the public cloud
-with
-Vault](https://www.hashicorp.com/resources/solutions-engineering-webinar-series-episode-2-vault)
-webinar.
-
-[![YouTube](/img/vault-java-demo-1.png)](https://youtu.be/NxL2-XuZ3kc)
-
-The Java application in this demo leverages the [_Spring Cloud
-Vault_](https://cloud.spring.io/spring-cloud-vault/) library which provides
-lightweight client-side support for connecting to Vault in a distributed
-environment.
-
-
-## Reference Material
-
-- [Encryption as a Service](/guides/encryption/transit.html)
-- [Manage secrets, access, and encryption in
-the public cloud with
-Vault](https://www.hashicorp.com/resources/solutions-engineering-webinar-series-episode-2-vault)
-- [Spring Cloud Vault](https://cloud.spring.io/spring-cloud-vault/)
-- [Transit Secrets Engine](/docs/secrets/transit/index.html)
-- [Secrets as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
-
-
-## Estimated Time to Complete
-
-15 minutes
-
-
-## Challenge
-
-Incidents of data breaches which expose sensitive information make headlines more
-often than we like to hear. It becomes more and more important to protect data
-by encrypting it whether the data is in-transit or at-rest. However, creating
-a highly secure and sophisticated solution by yourself requires time and resources
-which are in demand when an organization is facing a constant threat.
-
-
-## Solution
-
-Vault centralizes management of cryptographic services used to protect your
-data.  Your system can communicate with Vault easily through the Vault API to
-encrypt and decrypt your data, and the encryption keys never have to leave the
-Vault.
-
-![Encryption as a Service](/img/vault-eaas.png)
-
-
-## Prerequisites
-
-To perform the tasks described in this guide:
-
-- Install [HashiCorp Vagrant](https://www.vagrantup.com/intro/getting-started/install.html)
-- Clone or download the demo assets from the [hashicorp/vault-guides](https://github.com/hashicorp/vault-guides/tree/master/secrets/spring-cloud-vault)
-GitHub repository
-
-
-## Steps
-
--> For the purposes of this guide, you are going to provision a Linux machine
-locally using Vagrant.  However, the GitHub repository provides supporting files
-to provision the environment demonstrated in the webinar.
-
-After downloading the [demo assets](#prerequisites) from the GitHub repository,
-you should find the following folders:
-
-| Folder           | Description                                               |
-|------------------|-----------------------------------------------------------|
-| `aws`            | Supporting files to deploy the demo app to AWS            |
-| `kubernetes`     | Supporting files to deploy the demo app to Kubernetes     |
-| `nomad`          | Supporting files to deploy the demo app to Nomad          |
-| `scripts`        | Scripts to setup PostgreSQL and Vault                     |
-| `src/main`       | Sample app source code                                    |
-| `vagrant-local`  | Vagrant file to deploy the demo locally                   |
-
-
-<br>
-
-In this guide, you will perform the following:
-
-1. [Review the demo application implementation](#step1)
-1. [Deploy and review the demo environment](#step2)
-1. [Run the demo application](#step3)
-1. [Reload the Static Secrets](#step4)
-
-![Encryption as a Service](/img/vault-java-demo-10.png)
-
-### <a name="step1"></a>Step 1: Review the demo application implementation
-
-The source code can be found under the `src/main` directory.
-
-```plaintext
-├── java
-│   └── com
-│       └── hashicorp
-│           └── vault
-│               └── spring
-│                   └── demo
-│                       ├── BeanUtil.java
-│                       ├── Order.java
-│                       ├── OrderAPIController.java
-│                       ├── OrderRepository.java
-│                       ├── Secret.java
-│                       ├── SecretController.java
-│                       ├── TransitConverter.java
-│                       └── VaultDemoOrderServiceApplication.java
-└── resources
-    └── application.yaml
-```
-
-The demo Java application leverages the Spring Cloud Vault library to
-communicate with Vault.
-
-In the `TransitConverter` class, the `convertToDatabaseColumn` method invokes a
-Vault operation to encrypt the `order`. Similarly, the
-`convertToEntityAttribute` method decrypts the `order` data.
-
-```plaintext
-...
-	@Override
-	public String convertToDatabaseColumn(String customer) {
-		VaultOperations vaultOps = BeanUtil.getBean(VaultOperations.class);
-		Plaintext plaintext = Plaintext.of(customer);
-		String cipherText = vaultOps.opsForTransit().encrypt("order", plaintext).getCiphertext();
-		return cipherText;
-	}
-
-	@Override
-	public String convertToEntityAttribute(String customer) {
-		VaultOperations vaultOps = BeanUtil.getBean(VaultOperations.class);
-		Ciphertext ciphertext = Ciphertext.of(customer);
-        String plaintext = vaultOps.opsForTransit().decrypt("order", ciphertext).asString();
-		return plaintext;
-...
-```
-
-The `VaultDemoOrderServiceApplication` class defines the `main` method.
-
-```plaintext
-public class VaultDemoOrderServiceApplication  {
-
-	private static final Logger logger = LoggerFactory.getLogger(VaultDemoOrderServiceApplication.class);
-
-	@Autowired
-    	private SessionManager sessionManager;
-
-	@Value("${spring.datasource.username}")
-	private String dbUser;
-
-	@Value("${spring.datasource.password}")
-	private String dbPass;
-
-	public static void main(String[] args) {
-		SpringApplication.run(VaultDemoOrderServiceApplication.class, args);
-	}
-
-	@PostConstruct
-	public void initIt() throws Exception {
-		logger.info("Got Vault Token: " + sessionManager.getSessionToken().getToken());
-		logger.info("Got DB User: " + dbUser);
-	}
-}
-```
-
-The `OrderAPIController` class defines the API endpoint (`api/orders`).
-
-
-### <a name="step2"></a>Step 2: Deploy and review the demo environment
-
-Now let's run the demo app and examine how it behaves.
-
-~> To keep it simple and lightweight, you are going to run a Linux virtual
-machine locally using Vagrant.
-
-#### Task 1: Run Vagrant
-
-In the **`vault-guides/secrets/spring-cloud-vault/vagrant-local`** folder,
-a `Vagrantfile` is provided which spins up a Linux machine where the demo
-components are installed and configured.
-
-```shell
-# Change the working directory to vagrant-local
-$ cd /vault-guides/secrets/spring-cloud-vault/vagrant-local
-
-# Create and configure a Linux machine. This takes about 3 minutes
-$ vagrant up
-...
-demo: Success! Data written to: database/roles/order
-demo: Success! Enabled the transit secrets engine at: transit/
-demo: Success! Data written to: transit/keys/order
-demo: Success! Data written to: secret/spring-vault-demo
-
-# Verify that the virtual machine was successfully created and running
-$ vagrant status
-Current machine states:
-demo                      running (virtualbox)
-...
-
-# Connect to the demo machine
-$ vagrant ssh demo
-```
-
-
-There are 3 Docker containers running on the machine: `spring`, `vault`, and `postgres`.
-
-```plaintext
-[vagrant@demo ~]$ docker ps
-CONTAINER ID     IMAGE            COMMAND                  CREATED           STATUS           NAMES
-684d8fb23ae5     spring           "java -Djava.secur..."   7 minutes ago     Up 7 minutes     spring
-dc6a3454b323     vault:0.10.0     "docker-entrypoint..."   7 minutes ago     Up 7 minutes     vault
-4093a45c209f     postgres         "docker-entrypoint..."   7 minutes ago     Up 7 minutes     postgres
-```
-
-#### Task 2: Examine the Vault environment
-
-During the demo machine provisioning, the `/scripts/vault.sh` script was
-executed to perform the following:
-
-- Created a policy named, **`order`**
-- Enabled the `transit` secret engine and created an encryption key named, **`order`**
-- Enabled the `database` secret engine and created a role named, **`order`**
-
-View the `vault` log:
-
-```plaintext
-[vagrant@demo ~]$  docker logs vault
-...
-==> Vault shutdown triggered
-==> Vault server configuration:
-             Api Address: http://0.0.0.0:8200
-                     Cgo: disabled
-         Cluster Address: https://0.0.0.0:8201
-              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
-               Log Level: info
-                   Mlock: supported: true, enabled: false
-                 Storage: inmem
-                 Version: Vault v0.10.0
-             Version Sha: 5dd7f25f5c4b541f2da62d70075b6f82771a650d
-WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
-and starts unsealed with a single unseal key. The root token is already
-authenticated to the CLI, so you can immediately begin using Vault.
-You may need to set the following environment variable:
-    $ export VAULT_ADDR='http://0.0.0.0:8200'
-The unseal key and root token are displayed below in case you want to
-seal/unseal the Vault or re-authenticate.
-Unseal Key: 2QIPWPDykRG/xWWl0quSHiXq8u+pFg3yEq0sgJPhMbA=
-Root Token: root
-...
-```
-
-Notice that the log indicates that the Vault server is running in the `dev`
-mode, and the root token is `root`.  
-
-You can visit the Vault UI at http://localhost:8200/ui.  Enter **`root`** and
-click **Sign In**.
-
-
-Select the **`transit/`** secrets engine, and you should find an encryption key
-named, "`order`".
-
-![Vault UI](/img/vault-java-demo-2.png)
-
-Under the **Policies**, verify that the `order` policy exists.
-
-![Vault UI](/img/vault-java-demo-3.png)
-
-This `order` policy is for the application.  It permits `read` on the
-`database/creds/order` path so that the demo app can get a dynamically generated
-database credential from Vault. Therefore, the PostgreSQL credentials are not
-hard-coded anywhere.
-
-```plaintext
-path "database/creds/order"
-{
-  capabilities = ["read"]
-}
-```
-
-An `update` permission allows the app to request data encryption and decryption
-using the `order` encryption key in Vault.
-
-```plaintext
-...
-path "transit/decrypt/order" {
-  capabilities = ["update"]
-}
-
-path "transit/encrypt/order" {
-  capabilities = ["update"]
-}
-...
-```
-
-
-
-#### Task 3: Examine the Spring container
-
-Remember that the `VaultDemoOrderServiceApplication` class logs messages during
-the successful execution of `initIt()`:
-
-```plaintext
-...
-  @PostConstruct
-  	public void initIt() throws Exception {
-  		logger.info("Got Vault Token: " + sessionManager.getSessionToken().getToken());
-  		logger.info("Got DB User: " + dbUser);
-...
-```
-
-Verify that the log indicates that the demo app obtained a database
-credentials from Vault successfully:
-
-```plaintext
-[vagrant@demo ~]$  docker logs spring | grep Got
-...VaultDemoOrderServiceApplication : Got Vault Token: root
-...VaultDemoOrderServiceApplication : Got DB User: v-token-order-rywqz61432yyx2x27w8r-1524067226
-```
-
-Create a new shell session in the `spring` container.
-
-```plaintext
-[vagrant@demo ~]$  docker exec -it spring sh
-/ #
-```
-
-Find the `bootstrap.yaml` file:
-
-```plaintext
-/ #  ls -al
-total 36720
-drwxr-xr-x    1 root     root            51 Apr 18 16:00 .
-drwxr-xr-x    1 root     root            51 Apr 18 16:00 ..
--rwxr-xr-x    1 root     root             0 Apr 18 16:00 .dockerenv
--rwxr--r--    1 root     root      37587245 Apr 18 15:59 app.jar
-drwxr-xr-x    2 root     root          4096 Jan  9 19:37 bin
--rw-r--r--    1 1000     1000           426 Apr 17 17:58 bootstrap.yaml
-...
-
-/ # cat bootstrap.yaml
-spring.application.name: spring-vault-demo
-spring.cloud.vault:
-    authentication: TOKEN
-    token: ${VAULT_TOKEN}
-    host: localhost
-    port: 8200
-    scheme: http
-    fail-fast: true
-    config.lifecycle.enabled: true
-    generic:
-      enabled: true
-      backend: secret
-    database:
-        enabled: true
-        role: order
-        backend: database
-spring.datasource:
-  url: jdbc:postgresql://localhost:5432/postgres
-```
-
-The client token was injected into the `spring` container as an environment
-variable (`VAULT_TOKEN`) by Vagrant.
-
-Enter `exit` to close the shell session in the `spring` container.
-
-
-#### Task 4: Examine the PostgreSQL database
-
-Connect to the PostgreSQL database running in the `postgres` container:
-
-```plaintext
-[vagrant@demo ~]$ docker exec -it postgres psql -U postgres -d postgres
-psql (10.3 (Debian 10.3-1.pgdg90+1))
-Type "help" for help.
-
-
-postgres=# \d orders
-                                          Table "public.orders"
-    Column     |            Type             | Collation | Nullable |              Default
----------------+-----------------------------+-----------+----------+------------------------------------
- id            | bigint                      |           | not null | nextval('orders_id_seq'::regclass)
- customer_name | character varying(60)       |           | not null |
- product_name  | character varying(20)       |           | not null |
- order_date    | timestamp without time zone |           | not null |
-Indexes:
-    "orders_pkey" PRIMARY KEY, btree (id)
-```
-
-Let's list the existing database roles.
-
-```plaintext
-postgres-# \du
-                                                     List of roles
-                   Role name                   |                         Attributes                         | Member of
------------------------------------------------+------------------------------------------------------------+-----------
- postgres                                      | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
- v-token-order-rywqz61432yyx2x27w8r-1524067226 | Password valid until 2018-04-18 20:56:31+00                | {}
-```
-
-Notice that there is a role name starting with `v-token-order-` which was
-dynamically created by the database secret engine.
-
-~> **NOTE:** To learn more
-about the database secret engine, read the [Secrets as a Service: Dynamic
-Secrets](/guides/secret-mgmt/dynamic-secrets.html) guide.
-
-Enter `\q` to exit out of the `psql` session, or you can open another terminal
-and SSH into the demo virtual machine.
-
-
-
-### <a name="step3"></a>Step 3: Run the demo application
-
-If everything looked fine in [Step 2](#step2), you are ready to write some data.
-
-![Vault UI](/img/vault-java-demo-9.png)
-
-You have [verified in the `spring` log](#task-3-examine-the-sprig-container)
-that the demo app successfully retrieved a database credential from the Vault
-server during its initialization.
-
-The next step is to send a new order request via the demo app's _orders_ API
-(http://localhost:8080/api/orders).  
-
-```shell
-# Create a new order data
-[vagrant@demo ~]$ tee payload.json<<EOF
-{
-  "customerName": "John",
-  "productName": "Nomad"
-}
-EOF
-
-# Send a request using cURL
-[vagrant@demo ~]$ curl --request POST --header "Content-Type: application/json" \
-                       --data @payload.json http://localhost:8080/api/orders | jq
-{
-  "id": 2,
-  "customerName": "John",
-  "productName": "Nomad",
-  "orderDate": "2018-04-18T22:07:42.916+0000"
-}
-```
-
-**NOTE:** Alternatively, you can use tool such as
-[Postman](https://www.getpostman.com/apps) instead of cURL to invoke the API if
-you prefer.
-
-![Postman](/img/vault-java-demo-4.png)
-
-
-The order data you sent gets encrypted by Vault. The database only sees the
-ciphertext. Let's verify that the order information stored in the database
-is encrypted.
-
-```plaintext
-[vagrant@demo ~]$ docker exec -it postgres psql -U postgres -d postgres
-
-postgres=# select * from orders;
- id |                     customer_name                     | product_name |       order_date
-----+-------------------------------------------------------+--------------+-------------------------
-  1 | vault:v1:Qj0lx5DSZvwcHeMOX/5UX/ErHTaDPA3mVlSSpaXd1tbM | VE           | 2018-04-18 21:56:37.924
-  2 | vault:v1:UwL3HnyqTUac5ElS5WYAuNg3NdIMFtd6vvwukL+FaKun | Nomad        | 2018-04-18 22:07:42.916
-(2 rows)
-
-postgres=# \q
-```
-
->In this demo, Vault encrypts the customer names; therefore, the values in the
-**`customer_name`** column do not display the names in a human readable
-manner (e.g. "James" and "John").  
-
-Now, retrieve the order data via the orders API:
-
-```plaintext
-[vagrant@demo ~]$ curl --header "Content-Type: application/json" \
-                       http://localhost:8080/api/orders | jq
-[
- {
-   "id": 1,
-   "customerName": "James",
-   "productName": "VE",
-   "orderDate": "2018-04-18T21:56:37.924+0000"
- },
- {
-   "id": 2,
-   "customerName": "John",
-   "productName": "Nomad",
-   "orderDate": "2018-04-18T22:07:42.916+0000"
- }
-]
-```
-
-The customer names should be readable. Remember that the **`order`** policy
-permits the demo app to encrypt and decrypt data using the `order` encryption
-key in Vault.
-
-#### Web UI
-
-Vault UI makes it easy to decrypt the data.
-
-In the **Secrets** tab, select **`transit/` > `orders`**, and select **Key
-actions**.
-
-![Web UI](/img/vault-java-demo-5.png)
-
-Select **Decrypt** from the transit actions.  Now, copy the ciphertext from the
-**`orders`** table and paste it in.
-
-![Web UI](/img/vault-java-demo-6.png)
-
-Click **Decrypt**.
-
-![Web UI](/img/vault-java-demo-7.png)
-
-Finally, click **Decode from base64** to reveal the customer name.
-
-![Web UI](/img/vault-java-demo-8.png)
-
-
-### <a name="step4"></a>Step 4: Reloading the Static Secrets
-
-Now, let's test another API endpoint, **`api/secret`** provided by the demo app.
-A plain old Java object, `Secret` defines a get method for `key` and `value`.
-The `SecretController.java` defines an API endpoint, **`api/secret`**.  
-
-```plaintext
-package com.hashicorp.vault.spring.demo;
-...
-
-@RefreshScope
-@RestController
-public class SecretController {
-
-	@Value("${secret:n/a}")
-	String secret;
-
-	@RequestMapping("/api/secret")
-	public Secret secret() {
-		return new Secret("secret", secret);
-	}
-}
-```
-
-Remember from [Step 2](#task-2-examine-the-vault-environment) that the
-**`order`** policy granted permissions on the `secret/spring-vault-demo` path.
-
-```plaintext
-path "secret/spring-vault-demo" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-...
-```
-<br>
-
-The demo app retrieved the secret from `secret/spring-vault-demo` and has a
-local copy.  If someone (or perhaps another app) updates the secret, it makes the
-secret held by the demo app to be obsolete.
-
-![Static Secret](/img/vault-java-demo-11.png)
-
-Spring offers [Spring Boot
-Actuator](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready)
-which can be used to facilitate the reloading of the static secret.
-
-#### Task 1: Read the secret
-
-The initial key-value was set by Vagrant during the provisioning. (See the
-`Vagrantfile` at line 48.)
-
-Let's invoke the demo app's secret API (**`api/secret`**):
-
-```plaintext
-$ curl -s http://localhost:8080/api/secret | jq
-{
-  "key": "secret",
-  "value": "hello-vault"
-}
-```
-
-This is the secret that the demo app knows about.
-
-
-#### Task 2: Update the Secrets
-
-Now, update the secret stored in Vault using API:
-
-```shell
-# Update the value via API
-$ curl --header "X-Vault-Token: root" \
-       --request POST \
-       --data '{ "secret": "my-api-key" }' \
-       http://127.0.0.1:8200/v1/secret/spring-vault-demo
-
-# Verify that the secret value was updated
-$ curl --header "X-Vault-Token: root" \
-       http://127.0.0.1:8200/v1/secret/spring-vault-demo | jq
-{
- "request_id": "514601e4-a790-3dc6-14b0-537d6982a6c6",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 2764800,
- "data": {
-   "secret": "my-api-key"
- },
-...
-}
-```
-
-
-#### Task 3: Refresh the secret on demo app
-
-Run the demo app's secret API again:
-
-```plaintext
-$ curl -s http://localhost:8080/api/secret | jq
-{
-  "key": "secret",
-  "value": "hello-vault"
-}
-```
-
-The current value stored in Vault is now `my-api-key`; however, the demo app
-still holds `hello-vault`.  
-
-
-Spring provides an
-[actuator](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready)
-which can be leveraged to refresh the secret value.  At line 54 of the
-`vault-guides/secrets/spring-cloud-vault/pom.xml`, you see that the actuator was
-added to the project.
-
-```plaintext
-...
-<dependency>
-  <groupId>org.springframework.boot</groupId>
-  <artifactId>spring-boot-starter-actuator</artifactId>
-</dependency>
-...
-```
-
-Let's refresh the secret using the actuator:
-
-```plaintext
-$ curl -s --request POST http://localhost:8080/actuator/refresh | jq
-[
-  "secret"
-]
-```
-
-Read back the secret from the demo app again:
-
-```plaintext
-$ curl -s http://localhost:8080/api/secret | jq
-{
-  "key": "secret",
-  "value": "my-api-key"
-}
-```
-
-It should display the correct value.
-
----
-
-When you are done exploring the demo implementation, you can destroy the virtual
-machine:
-
-```plaintext
-$ vagrant destroy
-demo: Are you sure you want to destroy the 'demo' VM? [y/N] y
-==> demo: Forcing shutdown of VM...
-==> demo: Destroying VM and associated drives...
-```
-
-~> In the webinar, the demo environment was running in a public cloud, and Nomad
-and Consul were also installed and configured.  If you wish to build a similar
-environment using Kubernetes, the assets in the `vault-guides/secrets/spring-cloud-vault/kubernetes`
-folder provides you with some guidance.
-
-## Next steps
-
-[AppRole](/docs/auth/approle.html) is an authentication mechanism within Vault
-to allow machines or apps to acquire a token to interact with Vault. Read the
-[AppRole Pull Authentication](/guides/identity/authentication.html) guide
-which introduces the steps to generate tokens for machines or apps by enabling
-AppRole auth method.
diff --git a/website/source/guides/encryption/transit-rewrap.html.md b/website/source/guides/encryption/transit-rewrap.html.md
deleted file mode 100644
index 3a5230353b4d..000000000000
--- a/website/source/guides/encryption/transit-rewrap.html.md
+++ /dev/null
@@ -1,651 +0,0 @@
----
-layout: "guides"
-page_title: "Transit Secrets Re-wrapping - Guides"
-sidebar_title: "Transit Secrets Re-wrapping"
-sidebar_current: "guides-encryption-transit-rewrap"
-description: |-
-  The goal of this guide is to demonstrate one possible way to re-wrap data after
-  rotating an encryption key in the transit engine in Vault.
----
-
-# Transit Secrets Engine
-
-In addition to being able to store secrets, Vault can encrypt/decrypt data that
-is stored elsewhere. The primary use of this is to allow applications to encrypt
-their data while still storing it in their primary data store. Vault does not
-store the data.
-
-The [`transit` secret engine](/docs/secrets/transit/index.html) handles
-cryptographic functions on data-in-transit, and often referred to as
-**_Encryption as a Service_** (EaaS). Both small amounts of arbitrary data, and
-large files such as images, can be protected with the transit engine.  This EaaS
-function can augment or eliminate the need for Transparent Data Encryption (TDE)
-with databases to encrypt the contents of a bucket, volume, and disk, etc.  
-
-![Encryption as a Service](/img/vault-encryption.png)
-
-## Encryption Key Rotation
-
-One of the benefits of using the Vault EaaS is its ability to easily rotate the
-encryption keys. Keys can be rotated manually by a human, or an automated
-process which invokes the key rotation API endpoint through `cron`, a CI
-pipeline, a periodic Nomad batch job, Kubernetes Job, etc.
-
-The goal of this guide is to demonstrate an example for re-wrapping data after
-rotating an encryption key in the transit engine in Vault.
-
-
-## Reference Material
-
-- [Encryption as a Service](/guides/encryption/transit.html)
-- [Transit Secret Engine](/docs/secrets/transit/index.html)
-- [Transit Secret Engine API](/api/secret/transit/index.html)
-- [Transparent Data Encryption in the Modern Datacenter](https://www.hashicorp.com/blog/transparent-data-encryption-in-the-modern-datacenter)
-
-
-## Estimated Time to Complete
-
-30 minutes
-
-
-## Personas
-
-The end-to-end scenario described in this guide involves two personas:
-
-- **security engineer** with privileged permissions to manage the encryption keys
-- **app** with un-privileged permissions rewraps secrets via API
-
-
-## Challenge
-
-Vault maintains the versioned keyring and the operator can decide
-the minimum version allowed for decryption operations.  When data is
-encrypted using Vault, the resulting ciphertext is prepended with the version of
-the key used to encrypt it.  
-
-The following example shows data that was encrypted using the fourth version of
-a particular encryption key:
-
-```
-vault:v4:ueizdCqCJ/YhowQSvmJyucnLfIUMd4S/nLTpGTcz64HXoY69dwOrqerFzOlhqg==
-```
-
-For example, an organization could decide that a key should be rotated _once a
-week_, and that the minimum version allowed to decrypt records is the current
-version as well as the previous two versions.  If the current version is five,
-then Vault would decrypt records that were sent to it with the following
-prefixes:
-
-- vault:**v5**:lkjasfdlkjafdlkjsdflajsdf==
-- vault:**v4**:asdfas9pirapirteradr33vvv==
-- vault:**v3**:ouoiujarontoiue8987sdjf^1==
-
-In this example, what would happen if you send Vault data that was encrypted
-with the first or second version of the key (`vault:v1:...` or `vault:v2:...`)?  
-
-Vault would refuse to decrypt the data as the key used is less than the minimum
-key version allowed.
-
-
-## Solution
-
-Luckily, Vault provides an easy way of re-wrapping encrypted data when a key is
-rotated.  Using the rewrap API endpoint, a non-privileged Vault entity can send
-data encrypted with an older version of the key to have it re-encrypted with the
-latest version. The application performing the re-wrapping never interacts with
-the decrypted data. The process of rotating the encryption key and rewrapping
-records could (and should) be completely **automated**. Records could be updated
-slowly over time to lessen database load, or all at once at the time of
-rotation.  The exact implementation will depend heavily on the needs of each
-particular organization or application.
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-The following tools are required in order to successfully run the sample
-application provided in this guide:
-
-- [.NET Core](https://www.microsoft.com/net/download)
-- [Docker](https://docs.docker.com/install/)
-
-Download the sample application code from
-[vault-guides](https://github.com/hashicorp/vault-guides/tree/master/encryption/vault-transit-rewrap)
-repository to perform the steps described in this guide.
-
-The `vault-transit-rewrap-example` contains the following:
-
-```bash
-.
-├── AppDb.cs
-├── DBHelper.cs
-├── Program.cs
-├── README.md
-├── Record.cs
-├── VaultClient.cs
-├── WebHelper.cs
-└── rewrap_example.csproj
-```
-
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-an appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Manage transit secret engine
-path "transit/keys/*" {
-  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
-}
-
-# Enable transit secret engine
-path "sys/mounts/transit" {
-  capabilities = [ "create", "update" ]
-}
-
-# Write ACL policies
-path "sys/policy/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Create tokens for verification & test
-path "auth/token/create" {
-  capabilities = [ "create", "update", "sudo" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-This guide introduces a sample _.Net_ application which automates the
-re-wrapping of the data using the latest encryption key.
-
-For the purpose of this guide, a MySQL database runs locally using Docker.
-However, these steps would work for an existing MySQL database by supplying the
-proper network information to your environment.
-
-You are going to perform the following steps:
-
-1. [Test database setup (Docker)](#step1)
-1. [Enable the transit secret engine](#step2)
-1. [Generate a new token for sample app](#step3)
-1. [Run the sample application](#step4)
-1. [Rotate the encryption keys](#step5)
-1. [Re-wrapping data programmatically](#step6)
-
-
-### <a name="step1"></a>Step 1: Test database setup (Docker)
-
-You need a database to test with.  You can create one to test with easily using
-Docker:
-
-```bash
-# Pull the latest mysql container image
-docker pull mysql/mysql-server:5.7
-
-# Create a directory for our data (change the following line if running on Windows)
-mkdir ~/rewrap-data
-
-# Run the container.  The following command creates a database named 'my_app',
-# specifies the root user password as 'root', and adds a user named vault
-docker run --name mysql-rewrap \
-  -p 3306:3306 \
-  -v ~/rewrap-data/var/lib/mysql \
-  -e MYSQL_ROOT_PASSWORD=root \
-  -e MYSQL_ROOT_HOST=% \
-  -e MYSQL_DATABASE=my_app \
-  -e MYSQL_USER=vault \
-  -e MYSQL_PASSWORD=vaultpw \
-  -d mysql/mysql-server:5.7
-```
-
-### <a name="step2"></a>Step 2: Enable the transit secret engine
-(**Persona:** security engineer)
-
-#### CLI command
-
-Enable the `transit` secret engine by executing the following command:
-
-```bash
-$ vault secrets enable transit
-```
-
-Create an encryption key to use for transit named, "my_app_key".
-
-```bash
-$ vault write -f transit/keys/my_app_key
-```
-
-#### API call using cURL
-
-Enable the `transit` secret engine via API, use the `/sys/mounts` endpoint:
-
-```bash
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data <PARAMETERS> \
-       <VAULT_ADDRESS>/v1/sys/mounts/transit
-```
-
-Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
-parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
-
-To crate a new encryption key, use the `transit/keys/<key_name>` endpoint:
-
-```bash
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data <PARAMETERS> \
-       <VAULT_ADDRESS>/v1/transit/keys/<KEY_NAME>
-```
-
-Where `<PARAMETERS>` holds [configuration
-parameters](/api/secret/transit/index.html#create-key) to specify the key type.
-
-**Example:**
-
-```shell
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type": "transit"}' \
-       https://localhost:8200/v1/sys/mounts/transit
-```
-
-The above example passes the **type** (`transit`) in the request payload which
-at the `sys/mounts/transit` endpoint.
-
-
-Next, create an encryption key to use for transit named, "my_app_key".
-
-```bash
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       https://localhost:8200/v1/transit/keys/my_app_key
-```
-
-
-### <a name="step3"></a>Step 3: Generate a new token for sample app
-(**Persona:** security engineer)
-
-Before generating a token, create a limited scope policy named, "**rewrap_example**"
-for the sample application.  
-
-The ACL policy (`rewrap_example.hcl`) looks as follows:
-
-```shell
-path "transit/keys/my_app_key" {
-  capabilities = ["read"]
-}
-
-path "transit/rewrap/my_app_key" {
-  capabilities = ["update"]
-}
-
-# This last policy is needed to seed the database as part of the example.  
-# It can be omitted if seeding is not required
-path "transit/encrypt/my_app_key" {
-  capabilities = ["update"]
-}
-```
-
-#### CLI command
-
-Create `rewrap_example` policy:
-
-```shell
-$ vault policy write rewrap_example ./rewrap_example.hcl
-```
-
-Finally, create a token to use the `rewrap_example` policy:
-
-```shell
-$ vault token create -policy=rewrap_example
-```
-
-**Example:**
-
-```shell
-$ vault token create -policy=rewrap_example
-Key                Value
----                -----
-token              68396128-82d8-002e-f289-1106944fee9f
-token_accessor     75f05f43-6a5f-2eb1-5bb8-0de3c7cf0996
-token_duration     768h
-token_renewable    true
-token_policies     [default rewrap_example]
-```
-
-The generated token is what the sample application uses to connect to Vault.
-
-
-#### API call using cURL
-
-To create a policy via API, use the `/sys/policy` endpoint:
-
-```plaintext
-$ curl --request PUT --header "X-Vault-Token: ..." \
-       --data @payload.json \
-       https://localhost:8200/v1/sys/policy/rewrap_example
-
-$ cat payload.json
-{
-  "policy": "path \"transit/keys/my_app_key\" { capabilities = [\"read\"] } path \"transit/rewrap/my_app_key\" ... }"
-}
-```
-
-Finally, create a token to use the `rewrap_example` policy:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." --request POST  \
-       --data '{ "policies": ["rewrap_example"] }' \
-       https://localhost:8200/v1/auth/token/create | jq
-{
- "request_id": "da8bde73-99ab-b435-a344-fb963b3a599f",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "wrap_info": null,
- "warnings": null,
- "auth": {
-   "client_token": "997107d5-9049-8b4b-8f39-a33a458fd02d",
-   "accessor": "d400076b-4143-4d63-7473-a8cc52c73ba3",
-   "policies": [
-     "default",
-     "rewrap-example"
-   ],
-   "metadata": null,
-   "lease_duration": 2764800,
-   "renewable": true,
-   "entity_id": ""
- }
-}
-```
-
-The generated token is what the sample application uses to connect to Vault.
-
-
-### <a name="step4"></a>Step 4: Run the sample application
-(**Persona:** app)
-
-You are now ready to run the app. Be sure to [download](#prerequisites) the
-sample application code before beginning.
-
-**Sample application**
-
-| File                   | Description                                       |
-|------------------------|---------------------------------------------------|
-| Program.cs             | Starting point of this sample app (the `Main()` method) is in this file.  It reads the environment variable values, connects to Vault and the MySQL database.  If the `user_data` table does not exist, it creates it.   |
-| DBHelper.cs            | Defines a method to create the `user_data` table if it does not exist. Finds and updates records that need to be rewrapped with the new key.    |
-| AppDb.cs               | Connects to the MySQL database.                   |
-| Record.cs              | Sample data record template.                      |
-| VaultClient.cs         | Defines methods necessary to rewrap transit data. |
-| WebHelper.cs           | Helper code to seed the initial table schema.     |
-| rewrap_example.csproj  | Project file for this sample app.                 |
-
-
-The sample app retrieves the user token, Vault address, and the name of the
-transit key through environment variables. Be sure to supply the token created
-in [Step 3](#step3):
-
-```bash
-$ VAULT_TOKEN=<APP_TOKEN> \
-     VAULT_ADDR=<VAULT_ADDRESS> \
-     VAULT_TRANSIT_KEY=my_app_key \
-     SHOULD_SEED_USERS=true \
-     dotnet run
-```
-
-> If you need to seed test data you can do so by including the
-`SHOULD_SEED_USERS=true`.  
-
-**Example:**
-
-```bash
-$ VAULT_TOKEN=$TOKEN VAULT_ADDR=http://localhost:8200 VAULT_TRANSIT_KEY=my_app_key SHOULD_SEED_USERS=true dotnet run
-
-Connecting to Vault server...
-Created (if not exist) my_app DB
-Create (if not exist) user_data table
-Seeded the database...
-Moving rewrap...
-Current Key Version: 5
-Found 0 records to rewrap.
-```
-
-You can inspect the contents of the database with:
-
-```bash
-$ docker exec -it mysql-rewrap mysql -uroot -proot
-...
-mysql> DESC user_data;
-mysql> SELECT * FROM user_data WHERE dob LIKE "vault:v1%" limit 10;
-...data...
-```
-
-### <a name="step5"></a>Step 5: Rotate the encryption keys
-(**Persona:** security engineer)
-
-The encryption key (`my_app_key`) can be rotated easily.
-
-#### CLI command
-
-To rotate the key, you write to the `transit/keys/<KEY_NAME>/rotate` path.
-
-```bash
-$ vault write -f transit/keys/my_app_key/rotate
-Success! Data written to: transit/keys/my_app_key/rotate
-```
-
-Run the command a few times to generate several versions of the encryption key
-for testing.
-
-To view the key information:
-
-```bash
-$ vault read transit/keys/my_app_key
-Key                       Value
----                       -----
-allow_plaintext_backup    false
-deletion_allowed          false
-derived                   false
-exportable                false
-keys                      map[5:1519623974 6:1519623980 1:1519620952 2:1519623255 3:1519623285 4:1519623603]
-latest_version            6
-min_decryption_version    1
-min_encryption_version    0
-name                      my_app_key
-supports_decryption       true
-supports_derivation       true
-supports_encryption       true
-supports_signing          false
-type                      aes256-gcm96
-```
-
-You can see that in the above example the current version of the key is six.
-There is no restriction about a minimum encryption key version, and any of the key
-versions can decrypt the data (`min_decryption_version`).
-
-Let's enforce the use of the encryption key at version five or later to decrypt
-data.
-
-```shell
-# replace '5' with the appropriate version
-$ vault write transit/keys/my_app_key/config min_decryption_version=5
-
-# Verify the changes were successful
-$ vault read transit/keys/my_app_key
-Key                       Value
----                       -----
-allow_plaintext_backup    false
-deletion_allowed          false
-derived                   false
-exportable                false
-keys                      map[5:1519623974 6:1519623980]
-latest_version            6
-min_decryption_version    5
-min_encryption_version    0
-name                      my_app_key
-supports_decryption       true
-supports_derivation       true
-supports_encryption       true
-supports_signing          false
-type                      aes256-gcm96
-```
-
-
-#### API call using cURL
-
-To rotate the encryption key via API, use the `transit/keys/<KEY_NAME>/rotate` endpoint:
-
-```bash
-$ curl --request POST --header "X-Vault-Token: ..." \
-       https://localhost:8200/v1/transit/keys/my_app_key/rotate
-```
-
-Run the command a few times to generate several versions of the encryption key
-for testing.
-
-```shell
-# Verify the changes were successful
-$ curl --request GET --header "X-Vault-Token: ..." \
-      https://localhost:8200/v1/transit/keys/my_app_key | jq
-{
-  "request_id": "ed13436a-4816-2f51-0552-6a001e823548",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "allow_plaintext_backup": false,
-    "deletion_allowed": false,
-    "derived": false,
-    "exportable": false,
-    "keys": {
-      "1": 1519620952,
-      "2": 1519623255,
-      "3": 1519623285,
-      "4": 1519623603,
-      "5": 1519623974,
-      "6": 1519623980
-    },
-    "latest_version": 6,
-    "min_decryption_version": 1,
-    "min_encryption_version": 0,
-    "name": "my_app_key",
-    ...
-  },
-  ...
-}
-```
-
-You can see that in the above example the current version of the key is six.
-There is no restriction about the minimum encryption key version, and any of the key
-versions can decrypt the data (`min_decryption_version`).
-
-Let's enforce the use of the encryption key at version five or later to decrypt the
-data.
-
-```shell
-$ curl --request POST --header "X-Vault-Token: ..." \
-       --data '{ "min_decryption_version": 5 }'
-       https://localhost:8200/v1/transit/keys/my_app_key/config
-
-# Verify the changes were successful
-$ curl --request GET --header "X-Vault-Token: ..." \
-       https://localhost:8200/v1/transit/keys/my_app_key | jq
-{
- ...
- "data": {
-   ...
-   "keys": {
-     "5": 1519623974,
-     "6": 1519623980
-   },
-   "latest_version": 6,
-   "min_decryption_version": 5,
-   "min_encryption_version": 0,
-   "name": "my_app_key",
-   ...
-  },
-}
-```
-
-
-### <a name="step6"></a>Step 6: Programmatically re-wrap the data
-(**Persona:** app)
-
-Now you have records in the database and you have updated our minimum key
-version. You can run the application again and should see it update records as
-appropriate. Remember you can inspect records using the MySQL shell (see above).
-
-**Example:**
-
-```shell
-$ VAULT_TOKEN=2616214b-6868-3589-b443-0330d7915882 VAULT_ADDR=http://localhost:8200 \
-          VAULT_TRANSIT_KEY=my_app_key SHOULD_SEED_USERS=true dotnet run
-Connecting to Vault server...
-Created (if not exist) my_app DB
-Create (if not exist) user_data table
-Seeded the database...
-Current Key Version: 6
-Found 3500 records to rewrap.
-Wrapped another 10 records: 10 so far...
-Wrapped another 10 records: 20 so far...
-Wrapped another 10 records: 30 so far...
-...
-```
-
-#### Validation
-
-The application has now re-wrapped all records with the latest key.  You can
-verify this by running the application again, or by inspecting the records using the
-MySQL client.
-
-```bash
-$ docker exec -it mysql-rewrap mysql -uroot -proot
-...
-mysql> DESC user_data;
-mysql> SELECT * FROM user_data WHERE dob LIKE "vault:v1%" limit 10;
-Empty set (0.00 sec)
-
-mysql> SELECT * FROM user_data WHERE dob LIKE "vault:v6%" limit 10;
-...data...
-```
-
-### Conclusion
-
-An application similar to this could be scheduled via cron, run periodically as
-a [Nomad batch
-job](https://www.nomadproject.io/docs/job-specification/periodic.html), or
-executed in a variety of other ways.  You could also modify it to re-wrap a
-limited number of records at a time so as to not put undue strain on the
-database.  The final implementation should be based upon the needs and design
-goals specific to each organization or application.  
-
-
-## Next Steps
-
-Since the main focus of this guide was to programmatically rewrap your secrets
-using the latest encryption key, the token used by the sample application was
-generated manually. In a production environment, you'll want to pass the token in
-a more secure manner.  Refer to the [Cubbyhole Response
-Wrapping](/guides/secret-mgmt/cubbyhole.html) guide to wrap the token so that only the
-expecting app can unwrap to obtain the token.
-
-Also, refer to the [AppRole Pull
-Authentication](/guides/identity/authentication.html) to generate tokens for
-apps using the AppRole auth method.
diff --git a/website/source/guides/encryption/transit.html.md b/website/source/guides/encryption/transit.html.md
deleted file mode 100644
index bdf1e0f5682b..000000000000
--- a/website/source/guides/encryption/transit.html.md
+++ /dev/null
@@ -1,648 +0,0 @@
----
-layout: "guides"
-page_title: "Encryption as a Service - Guides"
-sidebar_title: "Encryption as a Service"
-sidebar_current: "guides-encryption-transit"
-description: |-
-  HashiCorp Vault's transit secrets engine handles cryptographic functions on data in-transit. It can also viewed as _encryption as a service_.
----
-
-# Encryption as a Service: Transit Secrets Engine
-
-Vault's `transit` secrets engine handles cryptographic functions on
-data-in-transit. Vault doesn't store the data sent to the secrets engine, so it
-can also be viewed as ***encryption as a service***.  
-
-Although the `transit` secrets engine provides additional features (sign and
-verify data, generate hashes and HMACs of data, and act as a source of random
-bytes), its primary use case is to encrypt data. This relieves the burden of
-proper encryption/decryption from application developers and pushes the burden
-onto the operators of Vault.
-
-
-## Reference Materials
-
-- [Transit Secret Engine](/docs/secrets/transit/index.html)
-- [Transit Secret Engine API](/api/secret/transit/index.html)
-- [Transparent Data Encryption in the Modern Datacenter](https://www.hashicorp.com/blog/transparent-data-encryption-in-the-modern-datacenter)
-
-~> **NOTE:** An [interactive
-tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-transit) is
-also available if you do not have a Vault environment to perform the steps
-described in this guide.
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Personas
-
-The end-to-end scenario described in this guide involves two personas:
-
-- **operator** with privileged permissions to manage the encryption keys
-- **app** with un-privileged permissions encrypt/decrypt secrets via API
-
-
-## Challenge
-
-Think of the following scenario:
-
-_Example Inc._ recently made headlines for a massive data breach which exposed
-millions of their users' payment card accounts online. When they tracked down the
-problem they found that a new HVAC system with management software had been put
-into their data centers and had created vulnerabilities in their networks and
-exposed ports and IPs to the databases publicly.
-
-## Solutions
-
-The `transit` secrets engine enables security teams to fortify data during
-transit and at rest. So even if an intrusion occurs, your data is encrypted with
-AES 256-bit CBC encryption (TLS in transit). Even if an attacker were able to
-access the raw data, they would only have encrypted bits. This means attackers
-would need to compromise multiple systems before exfiltrating data.
-
-![Encryption as a Service](/img/vault-encryption.png)
-
-This guide demonstrates the basics of the `transit` secrets engine.
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Enable transit secrets engine
-path "sys/mounts/transit" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# To read enabled secrets engines
-path "sys/mounts" {
-  capabilities = [ "read" ]
-}
-
-# Manage the transit secrets engine
-path "transit/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-
-## Steps
-
-You will perform the following:
-
-1. [Configure Transit Secret Engine](#step1)
-1. [Encrypt Secrets](#step2)
-1. [Decrypt a cipher-text](#step3)
-1. [Rotate the Encryption Key](#step4)
-1. [Update Key Configuration](#step5)
-
-
-### <a name="step1"></a>Step 1: Configure Transit Secret Engine
-(**Persona:** operator)
-
-The `transit` secrets engine must be configured before it can perform its
-operations.  This step is usually done by an **operator** or configuration
-management tool.
-
-
-#### CLI command
-
-Enable the `transit` secret engine by executing the following command:
-
-```plaintext
-$ vault secrets enable transit
-```
-
-> By default, the secrets engine will mount at the name of the engine.  If you
-wish to enable it at a different path, use the `-path` argument.
-
-> **Example:** `vault secrets enable -path=encryption transit`
-
-Now, create an encryption key ring named, `orders` by executing the following
-command:
-
-```plaintext
-$ vault write -f transit/keys/orders
-```
-
-
-#### API call using cURL
-
-Enable `transit` secret engine using `/sys/mounts` endpoint:
-
-```plaintext
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data <PARAMETERS> \
-       <VAULT_ADDRESS>/v1/sys/mounts/<PATH>
-```
-
-Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
-parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
-
-**Example:**
-
-The following example enables transit secret engine at `sys/mounts/transit`
-path, and passed the secret engine type (`transit`) in the request payload.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type":"transit"}' \
-       https://127.0.0.1:8200/v1/sys/mounts/transit
-```
-
-Now, create an encryption key ring named, `orders` using the `transit/keys`
-endpoint:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       https://127.0.0.1:8200/v1/transit/keys/orders    
-```
-
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and then login.
-
-1. Select **Enable new engine** and select **Transit** from **Secrets engine type**
-drop-down list.
-  ![Enable new engine](/img/vault-secrets-enable.png)
-
-1. Click **Enable Engine**.
-
-1. Select **Create encryption key** and enter `orders` in the **Name** field.
-  ![Create a key](/img/vault-transit-1.png)
-
-1. Click **Create encryption key** to complete.
-
-<br>
-
-~> **NOTE:** Typically, you want to create an encryption key ring for each
-application.
-
-
-
-### <a name="step2"></a>Step 2: Encrypt Secrets
-(**Persona:** operator)
-
-Once the `transit` secrets engine has been configured, any client with a valid
-token with proper permission can send data to encrypt.
-
-Here, you are going to encrypt a plaintext, _"credit-card-number"_.
-
--> **NOTE:** You can pass non-text binary file such as a PDF or image.
-When you encrypt a plaintext, it must be base64-encoded.
-
-
-#### CLI command
-
-To encrypt your secret, use the `transit/encrypt` endpoint:
-
-```plaintext
-$ vault write transit/encrypt/<key_ring_name>
-```
-
-Execute the following command to encrypt a plaintext:
-
-```plaintext
-$ vault write transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number")
-
-Key           Value
----           -----
-ciphertext    vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=
-```
-
-Vault does *NOT* store any of this data. The output you received is the
-ciphertext. You can store this ciphertext at the desired location (e.g. MySQL
-database) or pass it to another application.
-
-
-
-#### API call using cURL
-
-To encrypt your secret, use the [`transit/encrypt`
-endpoint](/api/secret/transit/index.html#encrypt-data).
-
-**Example:**
-
-```shell
-# Generate base64-encoded plaintext
-$ base64 <<< "credit-card-number"
-Y3JlZGl0LWNhcmQtbnVtYmVyCg==
-
-# Pass the base64-encoded plaintext in the request payload
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"plaintext": "Y3JlZGl0LWNhcmQtbnVtYmVyCg=="}' \
-       https://127.0.0.1:8200/v1/transit/encrypt/orders | jq
-{
-  "request_id": "f483d9b6-8132-782e-1665-ad432c2461ab",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "ciphertext": "vault:v1:/9hdQutaWpZR72s3+VSCLK1JNhV1wKM49hYVjh7RjmuxIy/OvshtgV4L4uVB+aQ="
-  },
-  ...
-}
-```
-
-Vault does *NOT* store any of this data. The output you received is the
-ciphertext. You can store this ciphertext at the desired location (e.g. MySQL
-database) or pass it to another application.
-
-
-
-#### Web UI
-
-1. Select the **orders** encryption key.
-
-1. Select **Key actions**.
-  ![Key action](/img/vault-transit-2.png)
-
-1. Make sure that **Encrypt** is selected under **TRANSIT ACTIONS**, and then
-enter "credit-card-number" in the **Plaintext** field.
-  ![Encrypt plaintext](/img/vault-transit-3.png)
-
-1. Click **Encode to base64** to encode the plaintext.
-
-1. Click **Encrypt**.
-  Vault does *NOT* store any of this data. The output you received is the
-ciphertext. You can click **Copy** to copy the resulting ciphertext and store it
-at the desired location (e.g. MySQL database) or pass it to another application.
-![Encrypt plaintext](/img/vault-transit-4.png)
-
-
-
-### <a name="step3"></a>Step 3: Decrypt a cipher-text
-(**Persona:** operator)
-
-Any client with a valid token with proper permission can decrypt the ciphertext
-generated by Vault. To decrypt the ciphertext, invoke the `transit/decrypt`
-endpoint.
-
-
-#### CLI command
-
-Execute the following command to decrypt the ciphertext resulted in [Step
-2](#step2):
-
-```plaintext
-$ vault write transit/decrypt/orders \
-        ciphertext="vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=" \
-
-Key          Value
----          -----
-plaintext    Y3JlZGl0LWNhcmQtbnVtYmVyCg==
-```
-
-The resulting data is base64-encoded.  To reveal the original plaintext, run the
-following command:
-
-```plaintext
-$ base64 --decode <<< "Y3JlZGl0LWNhcmQtbnVtYmVyCg=="
-credit-card-number
-```
-
-
-#### API call using cURL
-
-Use the `transit/decrypt` endpoint to decrypt the ciphertext resulted in [Step
-2](#step2):
-
-**Example:**
-
-```shell
-# Pass the ciphertext in the request payload to decode
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"ciphertext": "vault:v1:/9hdQutaWpZR72s3+VSCLK1JNhV1wKM49hYVjh7RjmuxIy/OvshtgV4L4uVB+aQ="}' \
-       https://127.0.0.1:8200/v1/transit/decrypt/orders | jq
-{
-   "request_id": "062d7998-8932-76f2-f96c-5938a55ff005",
-   "lease_id": "",
-   "renewable": false,
-   "lease_duration": 0,
-   "data": {
-     "plaintext": "Y3JlZGl0LWNhcmQtbnVtYmVyCg=="
-   },
-   ...
-}
-
-# The resulting data is base64-encoded that it must be decoded to reveal the plaintext
-$ base64 --decode <<< "Y3JlZGl0LWNhcmQtbnVtYmVyCg=="
-credit-card-number
-```
-
-
-#### Web UI
-
-1. Select the **orders** encryption key.
-
-1. Select **Key actions**.
-
-1. Make sure that **Decrypt** is selected under **TRANSIT ACTIONS**, and then
-enter the ciphertext you wish to decrypt.
-  ![Decrypt ciphertext](/img/vault-transit-5.png)
-
-1. Click **Decrypt**.
-
-1. The resulting data is base64-encoded. Click **Decode from base64** to reveal
-the plaintext.
-
-
-
-### <a name="step4"></a>Step 4: Rotate the Encryption Key
-(**Persona:** operator)
-
-One of the benefits of using the Vault `transit` secrets engine is its ability
-to easily rotate the encryption keys. Keys can be rotated manually by a human,
-or an automated process which invokes the key rotation API endpoint through
-cron, a CI pipeline, a periodic Nomad batch job, Kubernetes Job, etc.
-
-Vault maintains the versioned keyring and the operator can decide the minimum
-version allowed for decryption operations. When data is encrypted using Vault,
-the resulting ciphertext is prepended with the version of the key used to
-encrypt it.
-
-#### CLI command
-
-To rotate the encryption key, invoke the `transit/keys/<key_ring_name>/rotate`
-endpoint.
-
-```plaintext
-$ vault write -f transit/keys/orders/rotate
-```
-
-Let's encrypt another data:
-
-```plaintext
-$ vault write transit/encrypt/orders plaintext=$(base64 <<< "visa-card-number")
-Key           Value
----           -----
-ciphertext    vault:v2:45f9zW6cglbrzCjI0yCyC6DBYtSBSxnMgUn9B5aHcGEit71xefPEmmjMbrk3
-```
-
-Compare the ciphertexts from [Step 2](#step2).  
-
-```
-ciphertext    vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=
-```
-
-Notice that the first ciphertext starts with "**`vault:v1:`**".  After rotating
-the encryption key, the ciphertext starts with "**`vault:v2:`**".  This indicates
-that the data gets encrypted using the latest version of the key after the
-rotation.
-
-
-Execute the following command to rewrap your ciphertext from [Step 2](#step2)
-with the latest version of the encryption key:
-
-```plaintext
-$ vault write transit/rewrap/orders \
-        ciphertext="vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U="
-Key           Value
----           -----
-ciphertext    vault:v2:kChHZ9w4ILRfw+DzO53IZ8m5PyB2yp2/tKbub34uB+iDqtDRB+NLCPrpzTtJHJ4=
-```
-
-Notice that the resulting ciphertext now starts with "`vault:v2:`".  
-
-This operation does not reveal the plaintext data. But Vault will decrypt the
-value using the appropriate key in the keyring and then encrypted the resulting
-plaintext with the newest key in the keyring.
-
-
-
-#### API call using cURL
-
-To rotate the encryption key, invoke the `transit/keys/<key_ring_name>/rotate`
-endpoint.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST
-       https://127.0.0.1:8200/v1/transit/keys/orders/rotate
-```
-
-Let's encrypt another data:
-
-```shell
-# Generate base64-encoded plaintext
-$ base64 <<< "visa-card-number"
-dmlzYS1jYXJkLW51bWJlcgo=
-
-# Pass the base64-encoded plaintext in the request payload
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"plaintext": "dmlzYS1jYXJkLW51bWJlcgo="}' \
-       https://127.0.0.1:8200/v1/transit/encrypt/orders | jq
-{
-  ...
-  "data": {
-    "ciphertext": "vault:v2:et873RqkfLlS268LqYspVUnqhqZm0flNwhthe4ZzfcuZQab1TnirQ8/hMNYA"
-  },
-  ...
-}
-```
-
-Compare the ciphertexts from [Step 2](#step2).  
-
-```
-ciphertext    vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=
-```
-
-Notice that the first ciphertext starts with "**`vault:v1:`**".  After rotating
-the encryption key, the ciphertext starts with "**`vault:v2:`**".  This indicates
-that the data gets encrypted using the latest version of the key after the
-rotation.
-
-
-Execute the `transit/rewrap` endpoint to rewrap your ciphertext from [Step 2](#step2)
-with the latest version of the encryption key:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"ciphertext": "vault:v1:/9hdQutaWpZR72s3+VSCLK1JNhV1wKM49hYVjh7RjmuxIy/OvshtgV4L4uVB+aQ="}' \
-       https://127.0.0.1:8200/v1/transit/rewrap/orders | jq
-{
- ...
- "data": {
-   "ciphertext": "vault:v2:ykqXDP65tLVSrqxoNZh51gIobYQSwNGT+SbiD/2nl8rrhF2md+wplBGdXlhDzd4="
- },
- ...
-```
-
-Notice that the resulting ciphertext now starts with "`vault:v2:`".  
-
-This operation does not reveal the plaintext data. But Vault will decrypt the
-value using the appropriate key in the keyring and then encrypted the resulting
-plaintext with the newest key in the keyring.
-
-
-## <a name="step5"></a>Step 5: Update Key Configuration
-(**Persona:** operator)
-
-The operators can [update the encryption key
-configuration](/api/secret/transit/index.html#update-key-configuration) to
-specify the minimum version of ciphertext allowed to be decrypted, the minimum
-version of the key that can be used to encrypt the plaintext, the key is allowed
-to be deleted, etc.
-
-This helps further tightening the data encryption rule.
-
-
-#### CLI Command
-
-Execute the key rotation command a few times to generate multiple versions of
-the key:
-
-```plaintext
-$ vault write -f transit/keys/orders/rotate
-```
-
-Now, read the `orders` key information:
-
-```plaintext
-$ vault read transit/keys/orders
-
-Key                       Value
----                       -----
-...
-keys                      map[6:1531439714 1:1531439594 2:1531439667 3:1531439714 4:1531439714 5:1531439714]
-latest_version            6
-min_decryption_version    1
-min_encryption_version    0
-...
-```
-
-In the example, the current version of the key is **6**. However, there is no
-restriction about the minimum encryption key version, and any of the key
-versions can decrypt the data (`min_decryption_version`).
-
-Run the following command to enforce the use of the encryption key at version
-**5** or later to decrypt the data.
-
-```plaintext
-$ vault write transit/keys/orders/config min_decryption_version=5
-```
-
-Now, verify the `orders` key configuration:
-
-```plaintext
-$ vault read transit/keys/orders
-
-Key                       Value
----                       -----
-allow_plaintext_backup    false
-deletion_allowed          false
-derived                   false
-exportable                false
-keys                      map[5:1531811719 6:1531811721]
-latest_version            6
-min_decryption_version    5
-min_encryption_version    0
-...
-```
-
-
-#### API call using cURL
-
-Execute the `transit/keys/<key_ring_name>/rotate` endpoint a few times key
-rotation command a few times to generate multiple versions of the key:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST
-       https://127.0.0.1:8200/v1/transit/keys/orders/rotate
-```
-
-Read the `transit/keys/orders` endpoint to review the `orders` key
-detail:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       https://127.0.0.1:8200/v1/transit/keys/orders | jq
-{
-  ...
-   "keys": {
-     "1": 1531804669,
-      "2": 1531810236,
-      "3": 1531811712,
-      "4": 1531811715,
-      "5": 1531811719,
-      "6": 1531811721
-   },
-   "latest_version": 6,
-   "min_decryption_version": 1,
-   "min_encryption_version": 0,
-   ...
-```
-
-In the example, the current version of the key is **6**. However, there is no
-restriction about the minimum encryption key version, and any of the key
-versions can decrypt the data (`min_decryption_version`).
-
-Run the following command to enforce the use of the encryption key at version
-**5** or later to decrypt the data.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST
-       --data '{"min_decryption_version": 5}'
-       https://127.0.0.1:8200/v1/transit/keys/orders/config
-```
-
-Now, verify the `orders` key configuration:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       https://127.0.0.1:8200/v1/transit/keys/orders | jq
-{
-  ...
-  "keys": {
-     "5": 1531811719,
-     "6": 1531811721
-   },
-   "latest_version": 6,
-   "min_decryption_version": 5,
-   "min_encryption_version": 0,
-   ...
-```
-
-<br>
-
--> **NOTE:** Notice that the output only displays two valid encryption key
-versions (`5` and `6`).
-
-
-
-## Next steps
-
-[Transit Secrets Re-wrapping](/guides/encryption/transit-rewrap.html) guide
-introduces a sample application which re-wraps data after rotating an encryption
-key in the transit engine in Vault.
diff --git a/website/source/guides/getting-started/index.html.md b/website/source/guides/getting-started/index.html.md
deleted file mode 100644
index d315704a55bf..000000000000
--- a/website/source/guides/getting-started/index.html.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-layout: "guides"
-page_title: "Guides"
-sidebar_title: "Getting Started"
-sidebar_current: "getting-started"
-description: |-
-  This section takes you to the Getting Started section.
----
-
-# Vault Getting Started
-
-Welcome to the Vault guides section! If you are just getting started with Vault,
-please start with the [Vault introduction](/intro/getting-started/install.html)
-instead and then continue on to the guides. The guides provide examples of
-common Vault workflows and actions for both beginner and advanced Vault users.
diff --git a/website/source/guides/identity/approle-trusted-entities.html.md b/website/source/guides/identity/approle-trusted-entities.html.md
deleted file mode 100644
index 240892eb3566..000000000000
--- a/website/source/guides/identity/approle-trusted-entities.html.md
+++ /dev/null
@@ -1,915 +0,0 @@
----
-layout: "guides"
-page_title: "AppRole With Terraform & Chef - Guides"
-sidebar_title: "AppRole with Terraform and Chef"
-sidebar_current: "guides-identity-approle-tf-chef"
-description: |-
-  This guide discusses the concepts necessary to help users
-  understand Vault's AppRole authentication pattern and how to use it to
-  securely introduce a Vault authentication token to a target server,
-  application, container, etc.x
----
-
-# Vault AppRole with Terraform and Chef Demo
-
-In the [AppRole Pull
-Authentication](/guides/identity/authentication.html#advanced-features) guide,
-the question of how best to deliver the Role ID and Secret ID were brought up,
-and the role of trusted entities (Terraform, Chef, Nomad, Kubernetes, etc.) was
-mentioned.
-
-![AppRole auth method workflow](/img/vault-approle-workflow2.png)
-
-This _intermediate_ Vault guide aims to provide a **simple**, **end-to-end**
-example of how to use Vault's [AppRole authentication
-method](/docs/auth/approle.html), along with Terraform and Chef, to address the
-challenge of the **_secure introduction_** of an initial token to a target
-system.
-
-The purpose of this guide is to provide the instruction to reproduce the working
-implementation demo introduced in the [Delivering Secret Zero: Vault AppRole
-with Terraform and
-Chef](https://www.hashicorp.com/resources/delivering-secret-zero-vault-approle-terraform-chef)
-webinar.
-
-[![YouTube](/img/vault-approle-youtube.png)](https://youtu.be/OIcIzFWjThM)
-
--> **NOTE:** This is a proof of concept and **NOT SUITABLE FOR PRODUCTION USE**.
-
-
-## Reference Material
-
-- [AppRole Auth Method](/docs/auth/approle.html)
-- [Authenticating Applications with HashiCorp Vault AppRole](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle)
-- [Delivering Secret Zero: Vault AppRole with Terraform and
-Chef](https://www.hashicorp.com/resources/delivering-secret-zero-vault-approle-terraform-chef)
-
-## Estimated Time to Complete
-
-20 minutes
-
-## Challenge
-
-The goal of the AppRole authentication method is to provide a mechanism for the
-secure introduction of secrets to target systems (servers, applications,
-containers, etc.).
-
-The question becomes what systems within our environment do we trust to handle
-or deliver the `RoleID` and `SecretID` to our target systems.
-
-
-## Solution
-
-Use _Trusted Entities_ to deliver the AppRole authentication values. For
-example, use Terraform to deliver your `RoleID` or embed it into your AMI or
-Dockerfile. Then you might use Jenkins or Chef to obtain the
-[response-wrapped](/guides/secret-mgmt/cubbyhole.html) `SecretID` and deliver it
-to the target system.
-
-AppRole allows us to securely introduce the authentication token to the target
-system by preventing any single system from having full access to an
-authentication token that does not belong to. This helps us maintain the
-security principles of **least privilege** and **non-repudiation**.
-
-The important thing to note here is that regardless of what systems are
-considered as _Trusted Entities_, the same pattern applies.
-
-For example:
-
-- With Chef, you might use the [Vault Ruby Gem](https://github.com/hashicorp/vault-ruby)
-  for simplified interaction with Vault APIs
-- Terraform provides a Vault provider: [Provider: Vault - Terraform by HashiCorp](https://www.terraform.io/docs/providers/vault/index.html)
-- For Jenkins, you might use the Vault CLI or APIs directly, as described here:
-  [Reading Vault Secrets in your Jenkins pipeline](http://nicolas.corrarello.com/general/vault/security/ci/2017/04/23/Reading-Vault-Secrets-in-your-Jenkins-pipeline.html)
-
-
-## Prerequisites
-
-This guide assumes that you are proficient enough to perform basic Terraform
-tasks. If you are not familiar with Terraform, refer to the [online
-documentation](https://www.terraform.io/intro/getting-started/install.html).
-
-The following AWS resources are required to perform this demo:
-
-- An [Amazon S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html)
-- An [IAM user credential with administrator permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html)
-(to be able to create additional IAM policies and instance profiles)
-
-### Download demo assets
-
-Clone or download the demo assets from the
-[hashicorp/vault-guides](https://github.com/hashicorp/vault-guides/tree/master/identity/vault-chef-approle)
-GitHub repository to perform the steps described in this guide.
-
-The following assets can be found in the repository:
-
-- Chef cookbook (**`/chef/cookbooks`**): A sample cookbook with a recipe that installs NGINX
-and demonstrates Vault Ruby Gem functionality used to interact with Vault APIs.
-- Terraform configurations (**`/terraform-aws`**):
-    - **`/terraform-aws/mgmt-node`**: Configuration to set up a management
-    server running both Vault and Chef Server, for demo purposes.
-    - **`/terraform-aws/chef-node`**: Configuration to set up a Chef node and
-    bootstrap it with the Chef Server, passing in Vault's AppRole RoleID and the
-    appropriate Chef run-list.
-- Vault configuration (**`/scripts`**): Data scripts used to configure the
-appropriate mounts and policies in Vault for this demo.
-
-
-## Steps
-
-The scenario in this guide uses Terraform and Chef as trusted entities to
-deliver `RoleID` and `SecretID`.
-
-![AppRole auth method workflow](/img/vault-approle-tf-chef.png)
-
-For the simplicity of the demonstration, both Vault and Chef are installed on
-the same node. Terraform provisions the node which contains the `RoleID` as an
-environment variable. Chef pulls the `SecretID` from Vault.
-
-
-Provisioning for this demo happens in 2 phases:
-
-- [Phase 1 - Provision our Vault plus Chef Server](#phase1)
-    - [Step 1: Provision the Vault and Chef Server](#step-1-provision-the-vault-and-chef-server)
-    - [Step 2: Initialize and Unseal Vault](#step-2-initialize-and-unseal-vault)
-    - [Step 3: AppRole Setup](#step-3-approle-setup)
-    - [Step 4: Configure Tokens for Terraform and Chef](#step-4-configure-tokens-for-terraform-and-chef)
-    - [Step 5: Save the Token in a Chef Data Bag](#step-5-save-the-token-in-a-chef-data-bag)
-    - [Step 6: Write Secrets](#step-6-write-secrets)
-- [Phase 2 - Provision our Chef Node to Show AppRole Login](#phase2)
-
-
-## <a name="phase1"></a>Phase 1: Provision our Vault & Chef Server
-
-### Step 1: Provision the Vault and Chef Server
-
-This provides a quick and simple Vault and Chef Server configuration to help you
-get started.  
-
-**NOTE:** This is done for demonstration purpose and **NOT a recommended
-practice** for production.
-
-In this phase, you use Terraform to spin up a server (and associated AWS
-resources) with both Vault and Chef Server installed. Once this server is up and
-running, you'll complete the appropriate configuration steps in Vault to set up
-our AppRole and tokens for use in the demo.
-
-~> If using _Terraform Enterprise_, [create a
-Workspace](https://www.terraform.io/docs/enterprise/getting-started/workspaces.html)
-for this repo and set the appropriate Terraform/Environment variables using the
-`terraform.tfvars.example` file as a reference. Follow the instructions in the
-documentation to perform the appropriate setup in Terraform Enterprise.
-
-#### Using Terraform Open Source:
-
-**Task 1:** Change the working directory (`cd`) to
-`identity/vault-chef-approle/terraform-aws/mgmt-node`.
-
-```shell
-.
-├── main.tf
-├── outputs.tf
-├── templates
-│   └── userdata-mgmt-node.tpl
-├── terraform.tfvars.example
-└── variables.tf
-```
-
-**Task 2:** Update the `terraform.tfvars.example` file to match your account and
-rename it to `terraform.tfvars`.
-
-At minimum, replace the following variable with appropriate values:
-
-- **`s3_bucket_name`**
-- **`vpc_id`**
-- **`subnet_id`**
-- **`key_name`**
-- **`ec2_pem`**
-
-> NOTE: If your VPC, subnet and EC2 key pair were created on a region other than
-`us-east-1`, be sure to set the **`aws_region`** value to match your chosen region.
-
-**Task 3:** Perform a `terraform init` to pull down the necessary provider resources.
-Then `terraform plan` to verify your changes and the resources that will be
-created. If all looks good, then perform a `terraform apply` to provision the
-resources. The Terraform output will display the public IP address to SSH into
-your server.
-
-```plaintext
-$ terraform init
-Initializing provider plugins...
-...
-Terraform has been successfully initialized!
-
-
-$ terraform plan
-...
-Plan: 5 to add, 0 to change, 0 to destroy.
-
-
-$ terraform apply
-...
-Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
-
-Outputs:
-vault-public-ip = 192.0.2.0
-```
-
-The Terraform output will display the public IP address to SSH into
-your server.
-
-For example:
-
-```plaintext
-$ ssh -i "/path/to/EC2/private_key.pem" ubuntu@192.0.2.0
-```
-
-**Task 4:** Initial setup of the Chef server takes several minutes. Once you can
-SSH into your mgmt server, run `tail -f /var/log/tf-user-data.log` to see when
-the initial configuration is complete.
-
-```plaintext
-$ tail -f /var/log/tf-user-data.log
-```
-
-When you see the following message, the initial setup is complete.
-
-```plaintext
-+ echo '2018/03/27 21:53:06 /var/lib/cloud/instance/scripts/part-001: Complete'
-```
-
-You can find the following subfolders in
-your home directory:
-
-- **`/home/ubuntu/vault-chef-approle-demo`**: root of our project
-- **`/home/ubuntu/vault-chef-approle-demo/chef`**: root of our Chef app; this is
-where our `knife` configuration is located (`.chef/knife.rb`)
-- **`/home/ubuntu/vault-chef-approle-demo/scripts`**: there's a
-`vault-approle-setup.sh` script located here to help automate the setup of
-Vault, or you can follow along in the rest of this README to configure Vault
-manually
-
-### Step 2: Initialize and Unseal Vault
-
-Before moving on, set your working environment variables in your mgmt server:
-
-```plaintext
-$ export VAULT_ADDR=http://127.0.0.1:8200
-$ export VAULT_SKIP_VERIFY=true
-```
-
-Before you can do anything in Vault, you need to initialize and unseal it.
-Perform ***one*** of the following:
-
-- **Option 1:** Run the `/home/ubuntu/demo_setup.sh` script to get up and running, and proceed to
-[Phase 2 - Provision our Chef Node to Show AppRole Login](#phase2).
-- **Option 2:** Continue onto [Step 3: AppRole Setup](#step-3-approle-setup) to
-set up the demo environment ***manually***.
-
-
-### Step 3: AppRole Setup
-
-First, initialize and unseal the Vault server using a shortcut.
-
-~> This is a convenient shortcut for demo. **_DO NOT DO THIS IN PRODUCTION!!!_**
-
-Refer to the [online documentation for initializing and unsealing](/intro/getting-started/deploy.html#initializing-the-vault) Vault for more details.
-
-```shell
-# Initialize the Vault server and write out the unseal keys and root token into files
-$ curl --silent
-       --request PUT \
-       --data '{"secret_shares": 1, "secret_threshold": 1}' \
-       ${VAULT_ADDR}/v1/sys/init | tee \
-       >(jq -r .root_token > /home/ubuntu/vault-chef-approle-demo/root-token) \
-       >(jq -r .keys[0] > /home/ubuntu/vault-chef-approle-demo/unseal-key)
-
-# Unseal vault
-$ vault operator unseal $(cat /home/ubuntu/vault-chef-approle-demo/unseal-key)
-
-# Set the root token to VAULT_TOKEN env var
-$ export VAULT_TOKEN=$(cat /home/ubuntu/vault-chef-approle-demo/root-token)
-```
-
-In the next few steps, you will create a number of policies and tokens within
-Vault. Below is a table that summarizes them:
-
-| Policy         | Description | Token Attachment     |
-|--------------------|-------------|------------------------|
-| `app-1-secret-read` | Sets the policy for the final token that will be delivered via the AppRole login | None. This will be delivered to the client upon AppRole login |
-| `app-1-approle-roleid-get` | Sets the policy for the token that you'll give to Terraform to deliver the RoleID (only) | `roleid-token` |
-| `terraform-token-create`   | The Terraform Vault provider doesn't use the token supplied to it directly. This is to prevent the token from being exposed in Terraform's state file. Instead, the Token given to Terraform needs to have the capability to create child tokens with short TTLs. See [here] (https://www.terraform.io/docs/providers/vault/index.html#token) for more info | `roleid-token` |
-| `app-1-approle-secretid-create` | Sets the policy for the token that you'll store in the Chef Data Bag. This will only be able to pull our AppRole's SecretID | `secretid-token` |
-
-
-
-These setups only need to be performed upon initial creation of an AppRole, and
-would typically be done by a Vault administrator.
-
-Now that you have your Vault server unsealed, you can begin to set up necessary
-policies, AppRole auth method, and tokens.
-
-#### Task 1: Set up our AppRole policy
-
-This is the policy that will be attached to _secret zero_ which you are
-delivering to our application (**app-1**).
-
-**API call using cURL**
-
-```bash
-# Policy to apply to AppRole token
-$ tee app-1-secret-read.json <<EOF
-{"policy":"path \"secret/app-1\" {capabilities = [\"read\", \"list\"]}"}
-EOF
-
-# Create the app-1-secret-read policy in Vault
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request PUT \
-       --data @app-1-secret-read.json \
-       $VAULT_ADDR/v1/sys/policy/app-1-secret-read
-```
-
-<br>
-**CLI command**
-
-```bash
-# Policy to apply to AppRole token
-$ tee app-1-secret-read.hcl <<EOF
-path "secret/app-1" {
-  capabilities = ["read", "list"]
-}
-EOF
-
-# Create the app-1-secret-read policy in Vault
-$ vault policy write app-1-secret-read app-1-secret-read.hcl
-```
-
-
-#### Task 2: Enable the AppRole authentication method
-
-**API call using cURL**
-
-```bash
-# Payload for invoking sys/auth API endpoint
-$ tee approle.json <<EOF
-{
-  "type": "approle",
-  "description": "Demo AppRole auth method"
-}
-EOF
-
-# Enable AppRole auth backend
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request POST \
-       --data @approle.json \
-       $VAULT_ADDR/v1/sys/auth/approle
-```
-<br>
-**CLI command**
-
-```plaintext
-$ vault auth enable -description="Demo AppRole auth method" approle
-```
-
-#### Task 3: Configure the AppRole
-
-Now, you are going to create an AppRole role named, **app-1**.
-
-**API call using cURL**
-
-```bash
-# Payload containing AppRole auth method configuration
-# TTL is set to 10 minutes, and Max TTL to be 30 minutes
-$ tee app-1-approle-role.json <<EOF
-{
-    "role_name": "app-1",
-    "bind_secret_id": true,
-    "secret_id_ttl": "10m",
-    "secret_id_num_uses": "1",
-    "token_ttl": "10m",
-    "token_max_ttl": "30m",
-    "period": 0,
-    "policies": [
-        "app-1-secret-read"
-    ]
-}
-EOF
-
-# AppRole backend configuration
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request POST \
-       --data @app-1-approle-role.json \
-       $VAULT_ADDR/v1/auth/approle/role/app-1
-```
-<br>
-**CLI command**
-
-```bash
-# TTL is set to 10 minutes, and Max TTL to be 30 minutes
-$ vault write auth/approle/role/app-1 policies="app-1-secret-read" token_ttl="10m" token_max_ttl="30m"
-```
-
-
-### Step 4: Configure Tokens for Terraform and Chef
-
-Now, you're ready to configure the policies and tokens to Terraform and Chef to
-interact with Vault. Remember, the point here is that you are giving each system
-a _limited_ token that is only able to pull either the `RoleID` or `SecretID`,
-_but not both_.
-
-![AppRole auth method workflow](/img/vault-approle-tf-chef-2.png)
-
-#### Task 1: Create a policy and token for Terraform
-Create a token with appropriate policies allowing Terraform to pull
-the `RoleID` from Vault:
-
-**API call using cURL**
-
-```bash
-# Policy file granting to retrieve RoleID from Vault
-$ tee app-1-approle-roleid-get.hcl <<EOF
-{"policy":"path \"auth/approle/role/app-1/role-id\" {capabilities = [\"read\"]}"}
-EOF
-
-# Create the app-1-approle-roleid-get policy in Vault
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request PUT \
-       --data @app-1-approle-roleid-get.hcl \
-       $VAULT_ADDR/v1/sys/policy/app-1-approle-roleid-get
-
-# For Terraform
-# See: https://www.terraform.io/docs/providers/vault/index.html#token
-# Policy granting to create tokens required by Terraform
-$ tee terraform-token-create.hcl <<EOF
-{"policy":"path \"/auth/token/create\" {capabilities = [\"update\"]}"}
-EOF
-
-# Create the app-1-approle-roleid-get policy in Vault
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request PUT \
-       --data @terraform-token-create.hcl \
-       $VAULT_ADDR/v1/sys/policy/terraform-token-create
-
-# Payload to configure token for Terraform to pull RoleID
-$ tee roleid-token-config.json <<EOF
-{
-  "policies": [
-    "app-1-approle-roleid-get",
-    "terraform-token-create"
-  ],
-  "meta": {
-    "user": "terraform-demo"
-  },
-  "ttl": "720h",
-  "renewable": true
-}
-EOF
-
-# Get token and save it in roleid-token.json
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request POST \
-       --data @roleid-token-config.json \
-       $VAULT_ADDR/v1/auth/token/create > roleid-token.json
-```
-
-The token and associated metadata will be written out to the file
-`roleid-token.json`. The `client_token` value is what you'll give to Terraform.
-The file should look similar to the following:
-
-```plaintext
-$ cat roleid-token.json | jq
-{
-  "request_id": "2e1d05eb-988d-4cf7-7b6a-d2668de31536",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "6a7ad093-42ab-885e-3d67-6d51a5583da6",
-    "accessor": "f6170506-ee0f-5a59-8478-e0aac2d3259f",
-    "policies": [
-      "app-1-approle-roleid-get",
-      "default",
-      "terraform-token-create"
-    ],
-    "metadata": {
-      "user": "terraform-demo"
-    },
-    "lease_duration": 2592000,
-    "renewable": true,
-    "entity_id": ""
-  }
-}
-```
-<br>
-**CLI command**
-
-```bash
-# Policy file granting to retrieve RoleID from Vault
-$ tee app-1-approle-roleid-get.hcl <<EOF
-path "auth/approle/role/app-1/role-id" {
-  capabilities = [ "read" ]
-}
-EOF
-
-# Create the app-1-approle-roleid-get policy in Vault
-$ vault policy write app-1-approle-roleid-get app-1-approle-roleid-get.hcl
-
-# For Terraform
-# See: https://www.terraform.io/docs/providers/vault/index.html#token
-# Policy granting to create tokens required by Terraform
-$ tee terraform-token-create.hcl <<EOF
-path "auth/token/create" {
-  capabilities = [ "update" ]
-}
-EOF
-
-# Create the app-1-approle-roleid-get policy in Vault
-$ vault policy write terraform-token-create terraform-token-create.hcl
-
-# Get token and save it in roleid-token.txt
-$ vault token create -policy="app-1-approle-roleid-get" -policy="terraform-token-create" \
-      -metadata="user"="terraform-user" > roleid-token.txt
-```
-
-The token and associated metadata will be written out to the file
-`roleid-token.txt`. The `token` value is what you'll give to Terraform.
-The file should look similar to the following:
-
-```plaintext
-$ cat roleid-token.txt
-Key                Value
----                -----
-token              2600aeda-6385-c163-7171-543b1e1fabcf
-token_accessor     6ef835e3-4948-8c61-1e89-3625ca31fd84
-token_duration     768h
-token_renewable    true
-token_policies     [app-1-approle-roleid-get default terraform-token-create]
-token_meta_user    terraform-demo
-```
-
-#### Task 2: Create a policy and token for Chef
-Create a token with appropriate policies allowing Chef to pull the `SecretID`
-from Vault:
-
-**API call using cURL**
-
-```bash
-# Policy file granting to retrieve SecretID
-$ tee app-1-approle-secretid-create.hcl <<EOF
-{"policy":"path \"auth/approle/role/app-1/secret-id\" {capabilities = [\"update\"]}"}
-EOF
-
-# Create the app-1-approle-secretid-create policy in Vault
-$ curl --silent \
-    --location \
-    --header "X-Vault-Token: $VAULT_TOKEN" \
-    --request PUT \
-    --data @app-1-approle-secretid-create.hcl \
-    $VAULT_ADDR/v1/sys/policy/app-1-approle-secretid-create
-
-# Payload to invoke auth/token/create endpoint
-$ tee secretid-token-config.json <<EOF
-{
-  "policies": [
-    "app-1-approle-secretid-create"
-  ],
-  "meta": {
-    "user": "chef-demo"
-  },
-  "ttl": "720h",
-  "renewable": true
-}
-EOF
-
-# Get token for Chef to get SecretID from Vault and store it in secretid-token.json
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request POST \
-       --data @secretid-token-config.json \
-       $VAULT_ADDR/v1/auth/token/create > secretid-token.json
-```
-
-The resulting file should look like this:
-
-```plaintext
-$ cat secretid-token.json | jq
-{
-  "request_id": "6f6ad8a1-fedb-b838-60ce-87999f01aff6",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "cdfdb7a0-d7a6-3769-927d-0ace297726ea",
-    "accessor": "88e8aaca-1584-4881-3368-d9cb5cd7ddae",
-    "policies": [
-      "app-1-approle-secretid-create",
-      "default"
-    ],
-    "metadata": {
-      "user": "chef-demo"
-    },
-    "lease_duration": 2592000,
-    "renewable": true,
-    "entity_id": ""
-  }
-}
-```
-
-<br>
-**CLI command**
-
-```bash
-# Policy file granting to retrieve SecretID
-$ tee app-1-approle-secretid-create.hcl <<EOF
-path "auth/approle/role/app-1/secret-id" {
-  capabilities = [ "update" ]
-}
-EOF
-
-# Create the app-1-approle-secretid-create policy in Vault
-$ vault policy write app-1-approle-secretid-create app-1-approle-secretid-create.hcl
-
-# Get token for Chef to get SecretID from Vault and store it in secretid-token.txt
-$ vault token create -policy="app-1-approle-secretid-create" \
-      -metadata="user"="chef-demo" > secretid-token.txt
-```
-
-The resulting file should look like this:
-
-```plaintext
-$ cat secretid-token.txt
-Key                Value
----                -----
-token              20d69183-59cb-c953-6dea-34f5f1bbe5f7
-token_accessor     a17e7a43-c14a-b96a-0014-9149d218e74a
-token_duration     768h
-token_renewable    true
-token_policies     [app-1-approle-secretid-create default]
-token_meta_user    chef-demo
-```
-
-
-
-### Step 5: Save the Token in a Chef Data Bag
-
-At this point, you have a client token generated for Terraform and another for
-Chef server to log into Vault. For the sake of simplicity, you can put the
-Chef's client token (`secretid-token.json`) in a [Data
-Bag](https://docs.chef.io/data_bags.html) which is fine because this token can
-***only*** retrieve `SecretID` from Vault which is not much of a use without a
-corresponding `RoleID`.
-
-Now, create a Chef Data Bag and put the `SecretID` token (`secretid-token.json`)
-along with the rest of its metadata.
-
-```bash
-$ cd /home/ubuntu/vault-chef-approle-demo/chef/
-
-# Use the path for where you created this file in the previous step
-# You're just adding an 'id' field to the file as that's a required field for data bags
-$ cat /home/ubuntu/secretid-token.json | jq --arg id approle-secretid-token '. + {id: $id}' > secretid-token.json
-
-$ knife data bag create secretid-token
-
-$ knife data bag from file secretid-token secretid-token.json
-
-$ knife data bag list
-
-$ knife data bag show secretid-token
-
-$ knife data bag show secretid-token approle-secretid-token
-```
-
-The last step should show the following output:
-
-```plaintext
-$ knife data bag show secretid-token approle-secretid-token
-WARNING: Unencrypted data bag detected, ignoring any provided secret options.
-auth:
-  accessor:       88e8aaca-1584-4881-3368-d9cb5cd7ddae
-  client_token:   cdfdb7a0-d7a6-3769-927d-0ace297726ea
-  entity_id:
-  lease_duration: 2592000
-  metadata:
-  policies:
-    app-1-approle-secretid-create
-    default
-  renewable:      true
-data:
-id:             approle-secretid-token
-lease_duration: 0
-lease_id:
-renewable:      false
-request_id:     6f6ad8a1-fedb-b838-60ce-87999f01aff6
-warnings:
-wrap_info:
-```
-
-### Step 6: Write Secrets
-
-Let's write some test data in the `secret/app-1` path so that the target app
-will have some secret to retrieve from Vault at a later step.
-
-**API call using cURL**
-
-```bash
-# Write some demo secrets
-$ tee demo-secrets.json <<'EOF'
-{
-  "username": "app-1-user",
-  "password": "$up3r$3cr3t!"
-}
-EOF
-
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request POST \
-       --data @demo-secrets.json \
-       $VAULT_ADDR/v1/secret/app-1
-
-# Verify that you can read back the data:
-$ curl --silent \
-       --location \
-       --header "X-Vault-Token: $VAULT_TOKEN" \
-       --request GET \
-       $VAULT_ADDR/v1/secret/app-1 | jq
-{
-  "request_id": "1f73c7ee-27fa-bad0-9c77-b330eef1ea88",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 2764800,
-  "data": {
-    "password": "$up3r$3cr3t!",
-    "username": "app-1-user"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-<br>
-**CLI command**
-
-```bash
-# Write some demo secrets
-$ vault write secret/app-1 username="app-1-user" password="\$up3r\$3cr3t!"
-
-# Verify that you can read back the data:
-$ vault read secret/app-1
-Key                 Value
----                 -----
-refresh_interval    768h
-password            $up3r$3cr3t!
-username            app-1-user
-```
-
-
--> At this point, just about all the pieces are in place. Remember, these setup
-steps will only need to be performed upon initial creation of an AppRole, and
-would typically be done by a Vault administrator.
-
-
-
-## <a name="phase2"></a>Phase 2: Provision our Chef Node to Show AppRole Login
-
-To complete the demo, run the **`chef-node`** Terraform configuration to see how
-everything talks to each other.
-
-#### Task 1: Change the working directory
-
-Open another terminal on your host machine (**not** the `mgmt-node`)
-and `cd` into the `identity/vault-chef-approle/terraform-aws/chef-node`
-directory:
-
-```plaintext
-$ cd identity/vault-chef-approle/terraform-aws/chef-node
-```
-
-#### Task 2: Update terraform.tfvars.example
-
-Replace the variable values in `terraform.tfvars.example` to match your
-environment and save it as `terraform.tfvars` like you have done at [Step 1](#step-1-provision-the-vault-and-chef-server).
-
-Note the following:
-
-* Update the **`vault_address`** and **`chef_server_address`** variables with
-the IP address of our `mgmt-node` from above.
-* Update the **`vault_token`** variable with the `RoleID` token from **Task 1**
-in [Step 4](#step-4-configure-tokens-for-terraform-and-chef).  
-  - If you ran the `demo-setup.sh` script (_Option 1_), retrieve the
-  `client_token` in the `/home/ubuntu/vault-chef-approle-demo/roleid-token.json`
-  file:
-
-```plaintext
-$ cat ~/vault-chef-approle-demo/roleid-token.json | jq ".auth.client_token"
-```
-
-
-#### Task 3: Run Terraform
-Perform a `terraform init` to pull down the necessary provider
-resources. Then `terraform plan` to verify your changes and the resources that
-will be created. If all looks good, then perform a `terraform apply` to
-provision the resources.
-
-The Terraform output will display the public IP address to SSH into your
-server.
-
-> **NOTE:** If the `terraform apply` fails with "`io: read/write on closed pipe`"
-error, this is a [known
-issue](https://github.com/hashicorp/terraform/issues/17638) with Terraform
-0.11.4 and 0.11.5.  Please try again with another Terraform version.
-
-At this point, Terraform will perform the following actions:
-
-- Pull a `RoleID` from our Vault server
-- Provision an AWS instance
-- Write the `RoleID` to the AWS instance as an environment variable
-- Run the Chef provisioner to bootstrap the AWS instance with our Chef Server
-- Run our Chef recipe which will install NGINX, perform our AppRole login, get
-our secrets, and output them to our `index.html` file
-
-![AppRole auth method workflow](/img/vault-approle-tf-chef-3.png)
-
-The Chef recipe can be found at
-`identity/vault-chef-approle/chef/cookbooks/vault_chef_approle_demo/recipes/default.rb`.
-
-```shell
-...
-# Configure address for Vault Gem
-Vault.address = ENV['VAULT_ADDR']
-
-# Get AppRole RoleID from our environment variables (delivered via Terraform)
-var_role_id = ENV['APPROLE_ROLEID']
-
-# Get Vault token from data bag (used to retrieve the SecretID)
-vault_token_data = data_bag_item('secretid-token', 'approle-secretid-token')
-
-# Set Vault token (used to retrieve the SecretID)
-Vault.token = vault_token_data['auth']['client_token']
-
-# Get AppRole SecretID from Vault
-var_secret_id = Vault.approle.create_secret_id('app-1').data[:secret_id]
-...
-```
-
-#### Task 4: Verification
-Once Terraform completes the `apply` operation, it will output the public IP
-address of our new server. You can plug that IP address into a browser to see
-the output. It should look similar to the following:
-
-```plaintext
-Role ID:
-f6286b97-246e-9fb4-4d9f-0c9465451851
-
-Secret ID:
-72f4b60c-26d0-d947-5026-153943174831
-
-AppRole Token:
-d11d81e4-0ba1-fefc-03f8-e5f06793b60d
-
-Read Our Secrets:
-{:password=>"$up3r$3cr3t!", :username=>"app-1-user"}
-```
-
-## Additional References
-
-The following is a curated list of webinars, blogs and GitHub repositories that
-add additional context to fill out the concepts discussed in the webinar and
-demonstrated in the code:
-
-- [Managing Secrets in a Container Environment by Jeff Mitchell](https://www.youtube.com/watch?v=skENC9aXgco)
-- [Using HashiCorp's Vault with Chef written by Seth Vargo](https://www.hashicorp.com/blog/using-hashicorps-vault-with-chef)
-- [Manage Secrets with Chef and HashiCorps Vault by Seth Vargo & JJ Asghar](https://blog.chef.io/2016/12/12/manage-secrets-with-chef-and-hashicorps-vault/)
-    - [Associated GitHub repository](https://github.com/sethvargo/vault-chef-webinar)
-- [Vault AppRole Authentication written by Alan Thatcher](http://blog.alanthatcher.io/vault-approle-authentication/)
-- [Integrating Chef and HashiCorp Vault written by Alan Thatcher](http://blog.alanthatcher.io/integrating-chef-and-hashicorp-vault/)
-- [Vault Ruby Client](https://github.com/hashicorp/vault-ruby)
-
-
-## Next Steps
-
-Watch the video recording of the [Delivering Secret Zero: Vault AppRole with
-Terraform and
-Chef](https://www.hashicorp.com/resources/delivering-secret-zero-vault-approle-terraform-chef)
-webinar which talks about the usage of AppRole with Terraform and Chef as its
-trusted entities.
diff --git a/website/source/guides/identity/authentication.html.md b/website/source/guides/identity/authentication.html.md
deleted file mode 100644
index 871116eb8c78..000000000000
--- a/website/source/guides/identity/authentication.html.md
+++ /dev/null
@@ -1,680 +0,0 @@
----
-layout: "guides"
-page_title: "AppRole Pull Authentication - Guides"
-sidebar_title: "AppRole Pull Authentication"
-sidebar_current: "guides-identity-authentication"
-description: |-
-  Authentication is a process in Vault by which user or machine-supplied
-  information is verified to create a token with pre-configured policy.
----
-
-# Authentication
-
-Before a client can interact with Vault, it must authenticate against an [**auth
-method**](/docs/auth/index.html) to acquire a token. This token has policies attached so
-that the behavior of the client can be governed.
-
-Since tokens are the core method for authentication within Vault, there is a
-**token** auth method (often referred to as **_token store_**). This is a special
-auth method responsible for creating and storing tokens.
-
-### Auth Methods
-
-Auth methods perform authentication to verify the user or machine-supplied
-information. Some of the supported auth methods are targeted towards users
-while others are targeted toward machines or apps. For example,
-[**LDAP**](/docs/auth/ldap.html) auth method enables user authentication using
-an existing LDAP server while [**AppRole**](/docs/auth/approle.html) auth
-method is recommended for machines or apps.
-
-The [Getting Started](/intro/getting-started/authentication.html) guide walks you
-through how to enable the GitHub auth method for user authentication.
-
-This introductory guide focuses on generating tokens for machines or apps by
-enabling the [**AppRole**](/docs/auth/approle.html) auth method.
-
-
-## Reference Material
-
-- [AppRole Auth Method](/docs/auth/approle.html)
-- [AppRole Auth Method (API)](/api/auth/approle/index.html)
-- [Authenticating Applications with HashiCorp Vault AppRole](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle)
-
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Personas
-
-The end-to-end scenario described in this guide involves two personas:
-
-- **`admin`** with privileged permissions to configure an auth method
-- **`app`** is the consumer of secrets stored in Vault
-
-
-## Challenge
-
-Think of a scenario where a DevOps team wants to configure Jenkins to read
-secrets from Vault so that it can inject the secrets to an app's environment
-variables (e.g. `MYSQL_DB_HOST`) at deployment time.
-
-Instead of hardcoding secrets in each build script as plain text, Jenkins
-retrieves secrets from Vault.
-
-As a user, you can authenticate with Vault using your LDAP credentials, and
-Vault generates a token. This token has policies granting you permission to perform
-the appropriate operations.
-
-How can a Jenkins server programmatically request a token so that it can read
-secrets from Vault?
-
-
-## Solution
-
-Enable **AppRole** auth method so that the Jenkins server can obtain a Vault
-token with appropriate policies attached. Since each AppRole has attached
-policies, you can write fine-grained policies limiting which app can access
-which path.
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-an appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Mount the AppRole auth method
-path "sys/auth/approle" {
-  capabilities = [ "create", "read", "update", "delete", "sudo" ]
-}
-
-# Configure the AppRole auth method
-path "sys/auth/approle/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-
-# Create and manage roles
-path "auth/approle/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Write ACL policies
-path "sys/policy/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Write test data
-# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
-path "secret/mysql/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-[AppRole](/docs/auth/approle.html) is an authentication mechanism within Vault
-to allow machines or apps to acquire a token to interact with Vault. It uses
-**Role ID** and **Secret ID** for login.
-
-The basic workflow is:
-![AppRole auth method workflow](/img/vault-approle-workflow.png)
-
-> For the purpose of introducing the basics of AppRole, this guide walks you
-> through a very simple scenario involving only two personas (admin and app).
-> Please refer to the [Advanced Features](#advanced-features) section for
-> further discussions after completing the following steps.
-
-In this guide, you are going to perform the following steps:
-
-1. [Enable AppRole auth method](#step1)
-1. [Create a role with policy attached](#step2)
-1. [Get Role ID and Secret ID](#step3)
-1. [Login with Role ID & Secret ID](#step4)
-1. [Read secrets using the AppRole token](#step5)
-
-Step 1 through 3 need to be performed by an `admin` user.  Step 4 and 5 describe
-the commands that an `app` runs to get a token and read secrets from Vault.
-
-
-### <a name="step1"></a>Step 1: Enable AppRole auth method
-(**Persona:** admin)
-
-Like many other auth methods, AppRole must be enabled before it can be used.
-
-#### CLI command
-
-Enable `approle` auth method by executing the following command:
-
-```shell
-$ vault auth enable approle
-```
-
-#### API call using cURL
-
-Enable `approle` auth method by mounting its endpoint at `/sys/auth/approle`:
-
-```shell
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data <PARAMETERS> \
-       <VAULT_ADDRESS>/v1/sys/auth/approle
-```
-
-Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
-parameters](/api/system/auth.html#enable-auth-method) of the method.
-
-
-**Example:**
-
-```shell
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type": "approle"}' \
-       http://127.0.0.1:8200/v1/sys/auth/approle
-```
-
-The above example passes the **type** (`approle`) in the request payload
-at the `sys/auth/approle` endpoint.
-
-### <a name="step2"></a>Step 2: Create a role with policy attached
-(**Persona:** admin)
-
-When you enabled the AppRole auth method, it gets mounted at the
-**`/auth/approle`** path. In this example, you are going to create a role for
-the **`app`** persona (`jenkins` in our scenario).
-
-The scenario in this guide requires the `app` to have the
-following policy (`jenkins-pol.hcl`):
-
-```shell
-# Login with AppRole
-path "auth/approle/login" {
-  capabilities = [ "create", "read" ]
-}
-
-# Read test data
-# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
-path "secret/mysql/*" {
-  capabilities = [ "read" ]
-}
-
-```
-
-#### CLI command
-
-Before creating a role, create a `jenkins` policy:
-
-```shell
-$ vault policy write jenkins jenkins-pol.hcl
-```
-
-The command to create a new AppRole:
-
-```shell
-$ vault write auth/approle/role/<ROLE_NAME> [parameters]
-```
-
-> There are a number of
-> [parameters](/api/auth/approle/index.html#create-new-approle) that you can set
-> on a role. If you want to limit the use of the generated secret ID, set
-> `secret_id_num_uses` or `secret_id_ttl` parameter values. Similarly, you can
-> specify `token_num_uses` and `token_ttl`. You may never want the app token to
-> expire.  In such a case, specify the `period` so that the token generated by
-> this AppRole is a periodic token.  To learn more about periodic token, refer to
-> the [Tokens and Leases](/guides/identity/lease.html#step4) guide.
-
-**Example:**
-
-The following example creates a role named `jenkins` with `jenkins` policy
-attached. (NOTE: This example creates a role operates in [**pull**
-mode](/docs/auth/approle.html).)
-
-```shell
-$ vault write auth/approle/role/jenkins policies="jenkins"
-
-# Read the jenkins role
-$ vault read auth/approle/role/jenkins
-
-  Key               	Value
-  ---               	-----
-  bind_secret_id    	true
-  bound_cidr_list
-  period            	0
-  policies          	[jenkins]
-  secret_id_num_uses	0
-  secret_id_ttl     	0
-  token_max_ttl     	0
-  token_num_uses    	0
-  token_ttl         	0
-```
-
-**NOTE:** To attach multiple policies, pass the policy names as a comma
-separated string.
-
-```shell
-$ vault write auth/approle/role/jenkins policies="jenkins,anotherpolicy"
-````
-
-#### API call using cURL
-
-Before creating a role, create `jenkins` policy:
-
-```shell
-$ curl --header "X-Vault-Token: ..." --request PUT --data @payload.json \
-     http://127.0.0.1:8200/v1/sys/policy/jenkins
-
-$ cat payload.json
-{
-  "policy": "path \"auth/approle/login\" {  capabilities = [ \"create\", \"read\" ] } ... }"
-}
-```
-
-Now, you are ready to create a role.
-
-**Example:**
-
-The following example creates a role named `jenkins` with a `jenkins` policy
-attached. (NOTE: This example creates a role which operates in [**pull**
-mode](/docs/auth/approle.html).)
-
-```shell
-$ curl --header "X-Vault-Token: ..." --request POST \
-       --data '{"policies":"jenkins"}' \
-       http://127.0.0.1:8200/v1/auth/approle/role/jenkins
-```
-
-> There are a number of
-> [parameters](/api/auth/approle/index.html#create-new-approle) that you can set
-> on a role. If you want to limit the use of the generated secret ID, set
-> `secret_id_num_uses` or `secret_id_ttl` parameter values. Similarly, you can
-> specify `token_num_uses` and `token_ttl`. You may never want the app token to
-> expire.  In such a case, specify the `period` so that the token generated by
-> this AppRole is a periodic token.  To learn more about periodic tokens, refer to
-> the [Tokens and Leases](/guides/identity/lease.html#step4) guide.
-
-
-**NOTE:** To attach multiple policies, pass the policy names as a comma
-separated string.
-
-```shell
-$ curl --header "X-Vault-Token:..."
-       --request POST \
-       --data '{"policies":"jenkins,anotherpolicy"}' \
-       http://127.0.0.1:8200/v1/auth/approle/role/jenkins
-````
-
-To read the jenkins role you just created:
-
-```shell
-$ curl --header "X-Vault-Token: ..." --request GET \
-        http://127.0.0.1:8200/v1/auth/approle/role/jenkins | jq
-{
-  "request_id": "b18054ad-1ab5-8d83-eeed-193d97026ee7",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "bind_secret_id": true,
-    "bound_cidr_list": "",
-    "period": 0,
-    "policies": [
-      "jenkins"
-    ],
-    "secret_id_num_uses": 0,
-    "secret_id_ttl": 0,
-    "token_max_ttl": 0,
-    "token_num_uses": 0,
-    "token_ttl": 0
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-
-### <a name="step3"></a>Step 3: Get Role ID and Secret ID
-(**Persona:** admin)
-
-**Role ID** and **Secret ID** are like a username and password that a machine or
-app uses to authenticate.
-
-Since the example created a `jenkins` role which operates in pull mode, Vault
-will generate the Secret ID. You can set properties such as usage-limit, TTLs,
-and expirations on the secret IDs to control its lifecycle.
-
-#### CLI command
-
-Now, you need to fetch the Role ID and Secret ID of a role.
-
-To read the Role ID:
-
-```shell
-$ vault read auth/approle/role/<ROLE_NAME>/role-id
-```
-
-To generate a new Secret ID:
-
-```shell
-$ vault write -f auth/approle/role/<ROLE_NAME>/secret-id
-```
-
-NOTE: The `-f` flag forces the `write` operation to continue without any data
-values specified. Alternatively, you can set
-[parameters](/api/auth/approle/index.html#generate-new-secret-id)  such as
-`cidr_list`.
-
-**Example:**
-
-```shell
-$ vault read auth/approle/role/jenkins/role-id
-  Key    	Value
-  ---    	-----
-  role_id	675a50e7-cfe0-be76-e35f-49ec009731ea
-
-$ vault write -f auth/approle/role/jenkins/secret-id
-  Key               	Value
-  ---               	-----
-  secret_id         	ed0a642f-2acf-c2da-232f-1b21300d5f29
-  secret_id_accessor	a240a31f-270a-4765-64bd-94ba1f65703c
-```
-
-If you specified `secret_id_ttl`, `secret_id_num_uses`, or `bound_cidr_list` on
-the role in [Step 2](#step2), the generated secret ID carries out the conditions.
-
-
-#### API call using cURL
-
-To read the Role ID:
-
-```shell
-$ curl --header "X-Vault-Token:..." \
-       --request GET \
-       <VAULT_ADDRESS>/v1/auth/approle/role/<ROLE_NAME>/role-id
-```
-
-To generate a new Secret ID:
-
-```shell
-$ curl --header "X-Vault-Token:..." \
-       --request POST \
-       --data <PARAMETERS>
-       <VAULT_ADDRESS>/v1/auth/approle/role/<ROLE_NAME>/secret-id
-```
-
-You can pass
-[parameters](/api/auth/approle/index.html#generate-new-secret-id) in the request
-payload, or invoke the API with an empty payload.
-
-**Example:**
-
-```shell
-$ curl --header "X-Vault-Token:..." --request GET \
-       http://127.0.0.1:8200/v1/auth/approle/role/jenkins/role-id | jq
-
-$ curl --header "X-Vault-Token:..." --request POST \
-       http://127.0.0.1:8200/v1/auth/approle/role/jenkins/secret-id | jq
-```
-
-If you specified `secret_id_ttl`, `secret_id_num_uses`, or `bound_cidr_list` on
-the role in [Step 2](#step2), the generated secret ID carries out the conditions.
-
-
-
-### <a name="step4"></a>Step 4: Login with Role ID & Secret ID
-(**Persona:** app)
-
-The client (in this case, Jenkins) uses the role ID and secret ID passed by the
-admin to authenticate with Vault. If Jenkins did not receive the role ID and/or
-secret ID, the admin needs to investigate.
-
--> Refer to the [Advanced Features](#advanced-features) section for further
-discussion on distributing the role ID and secret ID to the client app
-securely.
-
-#### CLI command
-
-To login, use the `auth/approle/login` endpoint by passing the role ID and secret ID.
-
-**Example:**
-
-```shell
-$ vault write auth/approle/login role_id="675a50e7-cfe0-be76-e35f-49ec009731ea" \
-  secret_id="ed0a642f-2acf-c2da-232f-1b21300d5f29"
-
-  Key                 	Value
-  ---                 	-----
-  token               	eeaf890e-4b0f-a687-4190-c75b1d6d70bc
-  token_accessor      	fcee5d4e-7281-8bb0-2901-e743c52e0502
-  token_duration      	768h0m0s
-  token_renewable     	true
-  token_policies      	[jenkins]
-  token_meta_role_name	"jenkins"
-```
-
-Now you have a **client token** with `default` and `jenkins` policies attached.
-
-
-#### API call using cURL
-
-To login, use the `auth/approle/login` endpoint by passing the role ID and secret ID
-in the request payload.
-
-**Example:**
-
-```plaintext
-$ cat payload.json
-  {
-    "role_id": "675a50e7-cfe0-be76-e35f-49ec009731ea",
-    "secret_id": "ed0a642f-2acf-c2da-232f-1b21300d5f29"
-  }
-
-$ curl --request POST --data @payload.json http://127.0.0.1:8200/v1/auth/approle/login | jq
-{
-  "request_id": "fccae32b-1e6a-9a9c-7666-f5cb07805c1e",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "eeaf890e-4b0f-a687-4190-c75b1d6d70bc",
-    "accessor": "fcee5d4e-7281-8bb0-2901-e743c52e0502",
-    "policies": [
-      "default",
-      "jenkins"
-    ],
-    "metadata": {
-      "role_name": "jenkins"
-    },
-    "lease_duration": 2764800,
-    "renewable": true,
-    "entity_id": "54e0b765-6daf-0ff5-70b9-32c0d491f473"
-  }
-}
-```
-
-Now you have a **client token** with `default` and `jenkins` policies attached.
-
-
-### <a name="step5"></a>Step 5: Read secrets using the AppRole token
-(**Persona:** app)
-
-Once receiving a token from Vault, the client can make future requests using
-this token.
-
-#### CLI command
-
-**Example:**
-
-You can pass the `client_token` returned in [Step 4](#step4) as a part of the
-CLI command.
-
-```shell
-$ VAULT_TOKEN=3e7dd0ac-8b3e-8f88-bb37-a2890455ca6e vault kv get secret/mysql/webapp
-No value found at secret/mysql/webapp
-```
-
-Alternatively, you can first authenticate with Vault using the `client_token`.
-
-```shell
-$ vault login eeaf890e-4b0f-a687-4190-c75b1d6d70bc
-Successfully authenticated! You are now logged in.
-token: eeaf890e-4b0f-a687-4190-c75b1d6d70bc
-token_duration: 2762013
-token_policies: [default jenkins]
-
-$ vault kv get secret/mysql/webapp
-No value found at secret/mysql/webapp
-```
-
-Since there is no value at `secret/mysql/webapp`, it returns a "no value
-found" message.
-
-**Optional:** Using the `admin` user's token, you can store some secrets in the
-`secret/mysql/webapp` path.
-
-```shell
-$ vault kv put secret/mysql/webapp @mysqldb.txt
-
-$ cat mysqldb.txt
-{
-  "url": "foo.example.com:35533",
-  "db_name": "users",
-  "username": "admin",
-  "password": "pa$$w0rd"
-}
-```
-
-Now, try to read secrets from `secret/mysql/webapp` using the `client_token` again.
-This time, it should return the values you just created.
-
-
-#### API call using cURL
-
-You can now pass the `client_token` returned in [Step 4](#step4) in the
-**`X-Vault-Token`** or **`Authorization`** header.
-
-**Example:**
-
-```plaintext
-$ curl --header "X-Vault-Token: eeaf890e-4b0f-a687-4190-c75b1d6d70bc" \
-       --request GET \
-       http://127.0.0.1:8200/v1/secret/data/mysql/webapp | jq
-{
-  "errors": []
-}
-```
-
-Since there is no value at `secret/mysql/webapp`, it returns an empty array.
-
-**Optional:** Using the **`admin`** user's token, create some secrets in the
-`secret/mysql/webapp` path.
-
-```shell
-$ curl --header "X-Vault-Token: ..." --request POST --data @mysqldb.txt \
-
-$ cat mysqldb.text
-{
-  "url": "foo.example.com:35533",
-  "db_name": "users",
-  "username": "admin",
-  "password": "p@ssw0rd"
-}
-```
-
-Now, try to read secrets from `secret/mysql/webapp` using the `client_token` again.
-This time, it should return the values you just created.
-
-
-
-## Advanced Features
-
-The Role ID is equivalent to a username, and Secret ID is the corresponding
-password. The app needs both to log in with Vault. Naturally, the next question
-becomes how to deliver those values to the expected client.
-
-A common solution involves **three personas** instead of two: `admin`, `app`, and
-`trusted entity`. The `trusted entity` delivers the Role ID and Secret ID to the
-client by separate means.
-
-For example, Terraform as a trusted entity can deliver the Role ID onto the
-virtual machine.  When the app runs on the virtual machine, the Role ID already
-exists on the virtual machine.
-
-![AppRole auth method workflow](/img/vault-approle-workflow2.png)
-
-The secret ID can be delivered using [**response
-wrapping**](/docs/concepts/response-wrapping.html) to transmit the _reference_
-to the secret ID rather than the actual value.
-
-In [Step 3](#step3), you executed the following command to retrieve the Secret
-ID:
-
-```shell
-$ vault write -f auth/approle/role/jenkins/secret-id
-```
-
-Instead, use response wrapping by passing the **`-wrap-ttl`** parameter:
-
-```shell
-$ vault write -wrap-ttl=60s -f auth/approle/role/jenkins/secret-id
-
-Key                          	Value
----                          	-----
-wrapping_token:              	9bbe23b7-5f8c-2aec-83dc-e97e94a2e632
-wrapping_accessor:           	cb5bdc8f-0cdb-35ff-0e68-9de57a79c3bf
-wrapping_token_ttl:          	1m0s
-wrapping_token_creation_time:	2018-01-08 21:29:38.826611 -0800 PST
-wrapping_token_creation_path:	auth/approle/role/jenkins/secret-id
-```
-
-Send this `wrapping_token` to the client so that the response can be unwrapped and
-obtain the Secret ID.
-
-```shell
-$ VAULT_TOKEN=9bbe23b7-5f8c-2aec-83dc-e97e94a2e632 vault unwrap
-
-Key               	Value
----               	-----
-secret_id         	575f23e4-01ad-25f7-2661-9c9bdbb1cf81
-secret_id_accessor	7d8a40b7-a6fd-a634-579b-b7d673ff86fb
-```
-
-NOTE: To retrieve the Secret ID alone, you can use `jq` as follows:
-
-```shell
-$ VAULT_TOKEN=2577044d-cf86-a065-e28f-e2a14ea6eaf7 vault unwrap -format=json | jq -r ".data.secret_id"
-
-b07d7a47-1d0d-741d-20b4-ae0de7c6d964
-```
-
-
-## Next steps
-
-Read the [_AppRole with Terraform and
-Chef_](/guides/identity/approle-trusted-entities.html) guide to better
-understand the role of trusted entities using Terraform and Chef as an example.
-
-To learn more about response wrapping, go to the [Cubbyhole Response
-Wrapping](/guides/secret-mgmt/cubbyhole.html) guide.
diff --git a/website/source/guides/identity/control-groups.html.md b/website/source/guides/identity/control-groups.html.md
deleted file mode 100644
index f47b95c55201..000000000000
--- a/website/source/guides/identity/control-groups.html.md
+++ /dev/null
@@ -1,666 +0,0 @@
----
-layout: "guides"
-page_title: "Control Groups - Guides"
-sidebar_title: "Control Groups"
-sidebar_current: "guides-identity-control-groups"
-description: |-
-  Vault Enterprise has a support for Control Group Authorization which adds
-  additional authorization factors to be required before satisfying a request.
----
-
-# Control Groups
-
-~> **Enterprise Only:** Control Groups is a part of _Vault Enterprise Premium_.
-
-Control Groups add additional authorization factors to be required before
-processing requests to increase the governance, accountability, and security of
-your secrets.  When a control group is required for a request, the requesting
-client receives the [wrapping token](/docs/concepts/response-wrapping.html) in
-return. Only when all authorizations are satisfied, the wrapping token can be
-used to unwrap the requested secrets.   
-
-
-## Reference Material
-
-- [Vault Enterprise Control Group Support](/docs/enterprise/control-groups/index.html)
-- [Policies](http://localhost:4567/docs/concepts/policies.html)
-- [Identity Groups](/docs/secrets/identity/index.html)
-- [Control Group API](/api/system/control-group.html)
-- [Sentinel Policies](/docs/enterprise/sentinel/index.html)
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Personas
-
-The end-to-end scenario described in this guide involves three personas:
-
-- **`admin`** with privileged permissions to create policies and identities
-- **processor** with permission to approve secret access
-- **controller** with limited permission to access secrets
-
-
-## Challenge
-
-In order to operate in EU, a company must abide by the [General Data Protection
-Regulation (GDPR)](https://www.eugdpr.org/) as of May 2018.  The regulation
-enforces two or more controllers jointly determine the purposes and means of
-processing ([Chapter 4: Controller and
-Processor](https://gdpr-info.eu/chapter-4/)).
-
-Consider the following scenarios:
-
-- Anytime an authorized user requests to read data at "`EU_GDPR_data/orders/*`",
-at least two people from the _Security_ group must approve to ensure that the
-user has a valid business reason for requesting the data.
-
-- Anytime a database configuration is updated, it requires that one person from
-the _DBA_ and one person from _Security_ group must approve it.
-
-
-## Solution
-
-Use ***Control Groups*** in your policies to implement dual controller
-authorization required.
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a ***Vault
-Enterprise*** environment.  
-
-This guide assumes that you have some hands-on experience with [ACL
-policies](/docs/concepts/policies.html) as well as
-[Identities](/docs/secrets/identity/index.html).  If you are not familiar,
-go through the following guides first:
-
-- [Policies](/guides/identity/policies.html)
-- [Identity - Entities & Groups](/guides/identity/identity.html)
-
-### Policy requirements
-
-Since this guide demonstrates the creation of policies, log in with a highly
-privileged token such as **`root`**.  
-Otherwise, required permissions to perform
-the steps in this guide are:
-
-```shell
-# Create and manage ACL policies via CLI
-path "sys/policy/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Create and manage ACL policies via Web UI
-path "sys/policies/acl/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# To enable secret engines
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-
-# Setting up test data
-path "EU_GDPR_data/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-
-# Manage userpass auth method
-path "auth/userpass/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-
-# List, create, update, and delete auth methods
-path "sys/auth/*"
-{
-  capabilities = ["create", "read", "update", "delete"]
-}
-
-# Create and manage entities and groups
-path "identity/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-```
-
-
-## Steps
-
-The scenario in this guide is that a user, **`Bob Smith`** has
-_read-only_ permission on the "**`EU_GDPR_data/orders/*`**" path; however,
-someone in the **`acct_manager`** group must approve it before he can actually
-read the data.
-
-As a member of the **`acct_manager`** group, **`Ellen Wright`** can authorize
-Bob's request.
-
-![Scenario](/img/vault-ctrl-grp-1.png)
-
-You are going to perform the following:
-
-1. [Implement a control group](#step1)
-1. [Deploy the policies](#step2)
-1. [Setup entities and a group](#step3)
-1. [Verification](#step4)
-1. [ACL Policies vs. Sentinel Policies](#step5)
-
-
--> Step 1, 2 and 3 are the tasks need to be performed by administrators or
-operators who have the privileges to create policies and configure entities and
-groups.
-
-
-### <a name="step1"></a>Step 1: Implement a control group
-(**Persona:** admin)
-
-1. Author a policy named, **`read-gdpr-order.hcl`**.
-
-    Bob needs "`read`" permit on "`EU_GDPR_data/orders/*`":
-
-    ```hcl
-    path "EU_GDPR_data/orders/*" {
-    	capabilities = [ "read" ]
-    }
-    ```
-
-    Now, add control group to this policy:
-
-    ```hcl
-    path "EU_GDPR_data/orders/*" {
-    	capabilities = [ "read" ]
-
-    	control_group = {
-    		factor "authorizer" {
-    			identity {
-    				group_names = [ "acct_manager" ]
-    				approvals = 1
-    			}
-    		}
-    	}
-    }
-    ```
-
-    For the purpose of this guide, the number of **`approvals`** is set to
-    **`1`** to keep it simple and easy to test. Any member of the identity
-    group, **`acct_manager`** can approve the read request. Although this
-    example has only one factor (`authorizer`), you can add as many factor
-    blocks as you need.
-
-1. Now, write another policy for the **`acct_manager`** group named
-**`acct_manager.hcl`**.
-
-    ```hcl
-    # To approve the request
-    path "sys/control-group/authorize" {
-        capabilities = ["create", "update"]
-    }
-
-    # To check control group request status
-    path "sys/control-group/request" {
-        capabilities = ["create", "update"]
-    }
-    ```
-
-    > **NOTE:** The important thing here is that the authorizer (`acct_manager`)
-    must have `create` and `update` permission on the
-    **`sys/control-group/authorize`** endpoint so that they can approve the request.
-
-
-1. Enable key/value secrets engine at **`EU_GDPR_data`** and write some mock data:
-
-    ```shell
-    # Enable kv-v1 at EU_GDPR_data
-    $ vault secrets enable -path=EU_GDPR_data -version=1 kv
-
-    # Write some mock data
-    $ vault kv put EU_GDPR_data/orders/acct1 order_number="12345678" product_id="987654321"
-    ```
-
-### <a name="step2"></a>Step 2: Deploy the policies
-(**Persona:** admin)
-
-Deploy the `read-gdpr-order` and `acct_manager` policies that you wrote.
-
-#### CLI command
-
-```shell
-# Create read-gdpr-order policy
-$ vault policy write read-gdpr-order read-gdpr-order.hcl
-
-# Create acct_manager policy
-$ vault policy write acct_manager acct_manager.hcl
-```
-
-
-#### API call using cURL
-
-```shell
-# Construct API request payload to create read-gdpr-read policy
-$ tee payload-1.json <<EOF
-{
-  "policy": "path \"EU_GDPR_data/orders/*\" {capabilities = [ \"read\" ]control_group = {factor \"authorizer\" ..."
-}
-EOF
-
-# Create read-gdpr-order policy
-$ curl --header "X-Vault-Token: ..." \
-       --request PUT \
-       --data @payload-1.json \
-       http://127.0.0.1:8200/v1/sys/policies/acl/read-gdpr-order
-
-# Construct API request payload to create acct_manager policy
-$ tee payload-2.json <<EOF
-{
- "policy": "path \"sys/control-group/authorize\" {capabilities = [\"create\", \"update\"]} ..."
-}
-EOF
-
-# Create acct_manager policy
-$ curl --header "X-Vault-Token: ..." \
-      --request PUT \
-      --data @payload-2.json \
-      http://127.0.0.1:8200/v1/sys/policies/acl/acct_manager
-```
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
-then login.
-
-1. Click the **Policies** tab, and then select **Create ACL policy**.
-
-1. Toggle **Upload file**, and click **Choose a file** to select your **`read-gdpr-order.hcl`** file you authored at [Step 1](#step1).
-
-    ![Create Policy](/img/vault-ctrl-grp-2.png)
-
-    This loads the policy and sets the **Name** to be `read-gdpr-order`.
-
-1. Click **Create Policy** to complete.
-
-1. Repeat the steps to create a policy for **`acct_manager`**.
-
-
-
-### <a name="step3"></a>Step 3: Setup entities and a group
-(**Persona:** admin)
-
--> This step only demonstrates CLI commands and Web UI to create
-entities and groups.  Refer to the [Identity - Entities and
-Groups](/guides/identity/identity.html) guide if you need the full details.
-
-Now you have policies, let's create a user, **`bob`** and an **`acct_manager`**
-group with **`ellen`** as a group member.
-
-> **NOTE:** For the purpose of this guide, use `userpass` auth method to create
-user `bob` and `ellen` so that the scenario can be easily tested.
-
-#### CLI command
-
-The following command uses [`jq`](https://stedolan.github.io/jq/download/) tool
-to parse JSON output.
-
-```shell
-# Enable userpass
-$ vault auth enable userpass
-
-# Create a user, bob
-$ vault write auth/userpass/users/bob password="training"
-
-# Create a user, ellen
-$ vault write auth/userpass/users/ellen password="training"
-
-# Retrieve the userpass mount accessor and save it in a file named, accessor.txt
-$ vault auth list -format=json | jq -r '.["userpass/"].accessor' > accessor.txt  
-
-# Create Bob Smith entity and save the identity ID in the entity_id_bob.txt
-$ vault write -format=json identity/entity name="Bob Smith" policies="read-gdpr-order" \
-        metadata=team="Processor" \
-        | jq -r ".data.id" > entity_id_bob.txt
-
-# Add an entity alias for the Bob Smith entity
-$ vault write identity/entity-alias name="bob" \
-       canonical_id=$(cat entity_id_bob.txt) \
-       mount_accessor=$(cat accessor.txt)
-
-# Create Ellen Wright entity and save the identity ID in the entity_id_ellen.txt
-$ vault write -format=json identity/entity name="Ellen Wright" policies="default" \
-        metadata=team="Acct Controller" \
-        | jq -r ".data.id" > entity_id_ellen.txt
-
-# Add an entity alias for the Ellen Wright entity
-$ vault write identity/entity-alias name="ellen" \
-       canonical_id=$(cat entity_id_ellen.txt) \
-       mount_accessor=$(cat accessor.txt)
-
-# Finally, create acct_manager group and add Ellen Wright entity as a member
-$ vault write identity/group name="acct_manager" \
-      policies="acct_manager" \
-      member_entity_ids=$(cat entity_id_ellen.txt)  
-```
-
-
-#### Web UI
-
-1. Click the **Access** tab, and select **Enable new method**.
-
-1. Select **Username & Password** from the **Type** drop-down menu.
-
-1. Click **Enable Method**.
-
-1. Click the Vault CLI shell icon (**`>_`**) to open a command shell.  Enter the
-following command to create a new user, **`bob`**:
-
-    ```plaintext
-    $ vault write auth/userpass/users/bob password="training"
-    ```
-    ![Create Policy](/img/vault-ctrl-grp-3.png)
-
-1. Enter the following command to create a new user, **`ellen`**:
-
-    ```plaintext
-    $ vault write auth/userpass/users/ellen password="training"
-    ```
-
-1. Click the icon (**`>_`**) again to hide the shell.
-
-1. From the **Access** tab, select **Entities** and then **Create entity**.
-
-1. Populate the **Name**, **Policies** and **Metadata** fields as shown below.
-
-    ![Create Entity](/img/vault-ctrl-grp-7.png)
-
-1. Click **Create**.
-
-1. Select **Add alias**.  Enter **`bob`** in the **Name** field and select
-**`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
-
-1. Return to the **Entities** tab and then **Create entity**.
-
-1. Populate the **Name**, **Policies** and **Metadata** fields as shown below.
-
-    ![Create Entity](/img/vault-ctrl-grp-4.png)
-
-1. Click **Create**.
-
-1. Select **Add alias**.  Enter **`ellen`** in the **Name** field and select
-**`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
-
-1. Click **Create**.
-
-1. Select the **`Ellen Wright`** entity and copy its **ID** displayed under the
-**Details** tab.
-
-1. Click **Groups** from the left navigation, and select **Create group**.
-
-1. Enter **`acct_manager`** in the **Name**, and again enter **`acct_manager`**
-in the **Policies** fields.
-
-1. Enter the `Ellen Wright` entity ID in the **Member Entity IDs** field, and
-then click **Create**.
-
-
-### <a name="step4"></a>Step 4: Verification
-(**Persona:** bob and ellen)
-
-Now, let's see how the control group works.
-
-#### CLI Command
-
-1. Log in as **`bob`**.
-
-    ```plaintext
-    $ vault login -method=userpass username="bob" password="training"
-    ```
-
-1. Request to read "`EU_GDPR_data/orders/acct1`":
-
-    ```plaintext
-    $ vault kv get EU_GDPR_data/orders/acct1
-
-    Key                              Value
-    ---                              -----
-    wrapping_token:                  1f1411bc-2f18-551a-5e58-0fe44432e9a5
-    wrapping_accessor:               bbb4deef-e06d-9b2a-64a9-56f815c69ee7
-    wrapping_token_ttl:              24h
-    wrapping_token_creation_time:    2018-08-08 09:36:32 -0700 PDT
-    wrapping_token_creation_path:    EU_GDPR_data/orders/acct1
-    ```
-
-    The response includes `wrapping_token` and `wrapping_accessor`.
-    Copy this **`wrapping_accessor`** value.
-
-1. Now, a member of `acct_manager` must approve this request.  Log in as
-**`ellen`** who is a member of `acct_manager` group.
-
-    ```plaintext
-    $ vault login -method=userpass username="ellen" password="training"
-    ```
-
-1. As a user, `ellen`, you can check and authorize bob's request using the
-following commands.
-
-    ```shell
-    # To check the current status
-    $ vault write sys/control-group/request accessor=<wrapping_accessor>
-
-    # To approve the request
-    $ vault write sys/control-group/authorize accessor=<wrapping_accessor>
-    ```
-
-    **Example:**
-
-    ```shell
-    # Check the current status
-    $ vault write sys/control-group/request accessor=bbb4deef-e06d-9b2a-64a9-56f815c69ee7
-    Key               Value
-    ---               -----
-    approved          false
-    authorizations    <nil>
-    request_entity    map[name:Bob Smith id:38700386-723d-3d65-43b7-4fb44d7e6c30]
-    request_path      EU_GDPR_data/orders/acct1
-
-    # Approve the request
-    $ vault write sys/control-group/authorize accessor=bbb4deef-e06d-9b2a-64a9-56f815c69ee7
-    Key         Value
-    ---         -----
-    approved    true
-    ```
-
-    Now, the `approved` status is `true`.
-
-1. Since the control group requires one approval from a member of `acct_manager`
-group, the condition has been met.  Log back in as `bob` and unwrap the secret.
-
-    **Example:**
-
-    ```shell
-    # Log back in as bob - you can use the bob's token: vault login <bob_token>
-    $ vault login -method=userpass username="bob" password="training"
-
-    # Unwrap the secrets by passing the wrapping_token
-    $ vault unwrap 1f1411bc-2f18-551a-5e58-0fe44432e9a5
-    Key                 Value
-    ---                 -----
-    refresh_interval    768h
-    order_number        12345678
-    product_id          987654321
-    ```
-
-
-#### API call using cURL
-
-1. Log in as **`bob`**.
-
-    ```plaintext
-    $ curl --request POST \
-           --data '{"password": "training"}' \
-           http://127.0.0.1:8200/v1/auth/userpass/login/bob | jq
-    ```
-
-    Copy the generated **`client_token`** value.
-
-1. Request to `EU_GDPR_data/orders/acct1`:
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: <bob_client_token>" \
-           http://127.0.0.1:8200/v1/EU_GDPR_data/orders/acct1 | jq
-    {
-       ...
-       "wrap_info": {
-         "token": "20a2f2b3-8bea-4e16-980b-82724dcdc38b",
-         "accessor": "9910cb38-600c-29d8-1c39-764a1c89a481",
-         "ttl": 86400,
-         "creation_time": "2018-08-08T10:13:06-07:00",
-         "creation_path": "EU_GDPR_data/orders/acct1"
-       },
-       ...
-    }
-    ```
-
-    The response includes **`wrap_info`** instead of the actual data.
-    Copy the **`accessor`** value.
-
-1. Now, a member of `acct_manager` must approve this request.  Log in as
-**`ellen`** who is a member of `acct_manager` group.
-
-    ```plaintext
-    $ curl --request POST \
-           --data '{"password": "training"}' \
-           http://127.0.0.1:8200/v1/auth/userpass/login/ellen | jq
-    ```
-
-    Copy the generated **`client_token`** value.
-
-1. As a user, `ellen`, you can check the current status and then authorize bob's
-request. (NOTE: Be sure to replace `<accessor>` with the `accessor` value you
-copied earlier.)
-
-    ```shell
-    # To check the current status using sys/control-group/request endpoint
-    $ curl --header "X-Vault-Token: <ellen_client_token>" \
-           --request POST \
-           --data '{"accessor": "<accessor>"}' \
-           http://127.0.0.1:8200/v1/sys/control-group/request | jq
-    {
-       ...
-       "data": {
-         "approved": false,
-         "authorizations": null,
-         "request_entity": {
-           "id": "38700386-723d-3d65-43b7-4fb44d7e6c30",
-           "name": "Bob Smith"
-         },
-         "request_path": "EU_GDPR_data/orders/acct1"
-       },
-       ...
-    }
-
-    # Now, authorize the request using sys/control-group/authorize endpoint
-    $ curl --header "X-Vault-Token: <ellen_client_token>" \
-             --request POST \
-             --data '{"accessor": "<accessor>"}' \
-             http://127.0.0.1:8200/v1/sys/control-group/authorize | jq
-    {
-       ...
-       "data": {
-         "approved": true
-       },
-       ...
-    }
-    ```
-
-    Now, the `approved` status is `true`.
-
-1. The `bob` user should be able to unwrap the secrets.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: <bob_client_token>" \
-           --request POST \
-           --data '{"token": "<wrapping_token>"}' \
-           http://127.0.0.1:8200/v1/sys/wrapping/unwrap | jq
-    {
-       ...
-       "data": {
-         "order_number": "12345678",
-         "product_id": "987654321"
-       },
-       ...
-    }
-    ```
-
-#### Web UI
-
-The user, **`ellen`** can approve the data access request via UI.
-
-
-1. Open the Vault sign in page in a web browser (e.g.
-http://127.0.0.1:8200/ui/vault/auth?with=userpass).  In the **Userpass** tab,
-enter **`ellen`** in the **Username** field, and **`training`** in the
-**Password** field.
-
-1. Click **Sign in**.
-
-1. Select the **Access** tab, and then **Control Groups**.
-
-1. Enter the **`wrapping_accessor`** value in the **Accessor** field and click
-**Lookup**. ![Control Groups](/img/vault-ctrl-grp-5.png)
-
-1. _Awaiting authorization_ message displays. ![Control
-Groups](/img/vault-ctrl-grp-6.png)
-
-1. Click **Authorize**. The message changes to "_Thanks! You have given
-authorization_."
-
-> Bob needs to request data access via CLI or API. Once the access request was
-approved, use the CLI or API to unwrap the secrets.
-
-
-### <a name="step5"></a>Step 5: ACL Policy vs. Sentinel Policy
-
-Although the [**`read-gdpr-order.hcl`**](#step1) was written as ACL policy, you
-can implement Control Groups in either ACL or Sentinel policies.
-
-Using Sentinel, the same policy may look something like:
-
-```hcl
-import "controlgroup"
-
-control_group = func() {
-  numAuthzs = 0
-  for controlgroup.authorizations as authz {
-      if "acct_manager" in authz.groups.by_name {
-         numAuthzs = numAuthzs + 1
-      }
-  }
-  if numAuthzs >= 1 {
-      return true
-  }
-  return false
-}
-
-main = rule {
-   control_group()
-}
-```
-
-Deploy this policy as an Endpoint Governing Policy attached to
-"**`EU_GDPR_data/orders/*`**" path.
-
--> Refer to the [Sentinel
-Properties](/docs/enterprise/sentinel/properties.html#control-group-properties)
-documentation for the list of available properties associated with control
-groups.
-
-
-## Next steps
-
-To protect your secrets, it may become necessary to write finer-grained
-policies to introspect different aspects of incoming requests.  If you have not
-already done so, read [Sentinel](https://docs.hashicorp.com/sentinel/)
-documentation to learn more about what you can accomplish writing policies as a
-code.
diff --git a/website/source/guides/identity/identity.html.md b/website/source/guides/identity/identity.html.md
deleted file mode 100644
index b4fca2744e3d..000000000000
--- a/website/source/guides/identity/identity.html.md
+++ /dev/null
@@ -1,1126 +0,0 @@
----
-layout: "guides"
-page_title: "Identity: Entities and Groups - Guides"
-sidebar_title: "Identity - Entities & Groups"
-sidebar_current: "guides-identity-identity"
-description: |-
-  This guide demonstrates the commands to create entities, entity aliases, and
-  groups.  For the purpose of the demonstration, userpass auth method will be
-  used.  
----
-
-# Identity - Entities and Groups
-
-Vault supports multiple authentication methods and also allows enabling the same
-type of authentication method on different mount paths. Each Vault client may
-have multiple accounts with various identity providers that are enabled on the
-Vault server.
-
-Vault clients can be mapped as ***entities*** and their corresponding accounts
-with authentication providers can be mapped as ***aliases***. In essence, each
-entity is made up of zero or more aliases. Identity secrets engine internally
-maintains the clients who are recognized by Vault.
-
-## Reference Material
-
-- [Identity Secrets Engine](/docs/secrets/identity/index.html)
-- [Identity Secrets Engine (API)](/api/secret/identity/index.html)
-- [External vs Internal Groups](/docs/secrets/identity/index.html#external-vs-internal-groups)
-
-~> **NOTE:** An [interactive
-tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-identity) is
-also available if you do not have a Vault environment to perform the steps
-described in this guide.
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Personas
-
-The steps described in this guide are typically performed by **operations**
-persona.
-
-
-## Challenge
-
-Bob has accounts in both Github and LDAP.  Both Github and LDAP auth methods are
-enabled on the Vault server that he can authenticate using either one of his
-accounts. Although both accounts belong to Bob, there is no association between
-the two accounts to set some common properties.
-
-## Solution
-
-Create an _entity_ representing Bob, and associate aliases representing each of
-his accounts as the entity member. You can set additional policies and metadata
-on the entity level so that both accounts can inherit.
-
-When Bob authenticates using either one of his accounts, the entity identifier
-will be tied to the authenticated token. When such tokens are put to use, their
-entity identifiers are audit logged, marking a trail of actions performed by
-specific users.
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
-with Vault. However, it is recommended that root tokens are used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-an appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Configure auth methods
-path "sys/auth" {
-  capabilities = [ "read", "list" ]
-}
-
-# Configure auth methods
-path "sys/auth/*" {
-  capabilities = [ "create", "update", "read", "delete", "list", "sudo" ]
-}
-
-# Manage userpass auth methods
-path "auth/userpass/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-
-# Manage github auth methods
-path "auth/github/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-
-# Display the Policies tab in UI
-path "sys/policies" {
-  capabilities = [ "read", "list" ]
-}
-
-# Create and manage ACL policies from UI
-path "sys/policies/acl/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Create and manage policies
-path "sys/policy" {
-  capabilities = [ "read", "list" ]
-}
-
-# Create and manage policies
-path "sys/policy/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# List available secret engines to retrieve accessor ID
-path "sys/mounts" {
-  capabilities = [ "read" ]
-}
-
-# Create and manage entities and groups
-path "identity/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-In this lab, you are going to learn the API-based commands to create entities,
-entity aliases, and groups.  For the purpose of the training, you are going to
-leverage the userpass auth method.  The challenge exercise walks you through
-creating an external group by mapping a GitHub group to an identity group.
-
-1. [Create an Entity with Alias](#step1)
-2. [Test the Entity](#step2)
-3. [Create an Internal Group](#step3)
-4. [Create an External Group](#step4)
-
-
-
-### <a name="step1"></a>Step 1: Create an Entity with Alias
-
-You are going to create a new entity with base policy assigned.  The entity
-defines two entity aliases with each has a different policy assigned.
-
-**Scenario:**  A user, Bob Smith at ACME Inc. happened to have two sets of
-credentials: `bob` and `bsmith`.  He can authenticate with Vault using either
-one of his accounts.  To manage his accounts and link them to identity `Bob
-Smith` in QA team, you are going to create an entity for Bob.
-
-![Entity Bob Smith](/img/vault-entity-1.png)
-
--> For the simplicity of this guide, you are going to work with the `userpass`
-auth method.  However, in reality, the user `bob` might be a username exists in
-Active Directory, and `bsmith` might be Bob's username in GitHub.
-
-#### Scenario Policies
-
-**`base.hcl`**
-
-```hcl
-path "secret/training_*" {
-   capabilities = ["create", "read"]
-}
-```
-
-**`test.hcl`**
-
-```hcl
-path "secret/test" {
-   capabilities = [ "create", "read", "update", "delete" ]
-}
-```
-
-**`team-qa.hcl`**
-
-```hcl
-path "secret/team-qa" {
-   capabilities = [ "create", "read", "update", "delete" ]
-}
-```
-
-~> **NOTE:** If you are running [K/V Secrets Engine v2](/api/secret/kv/kv-v2.html)
-at `secret`, set the policies path accordingly: `secret/data/training_*`,
-`secret/data/test`, and `secret/data/team-qa`.
-
-Now, you are going to create `bob` and `bsmith` users with appropriate policies
-attached.
-
-
-
-#### CLI command
-
-1. Create policies: `base`, `test`, and `team-qa`.
-
-    ```shell
-    # Create base policy
-    $ vault policy write base base.hcl
-
-    # Create test policy
-    $ vault policy write test test.hcl
-
-    # Create team-qa policy
-    $ vault policy write team-qa team-qa.hcl
-
-    # List all policies to verify that 'base', 'test' and 'team-qa' policies exist
-    $ vault policy list
-    base
-    default
-    team-qa
-    test
-    root
-    ```
-
-1. Enable the `userpass` auth method.
-
-    ```plaintext
-    $ vault auth enable userpass
-    ```
-
-1. Create a new user in userpass:
-    - username: bob
-    - password: training
-    - policy: test
-
-    ```plaintext
-    $ vault write auth/userpass/users/bob password="training" policies="test"
-    ```
-
-1. Create another user in userpass:
-    - username: bsmith
-    - password: training
-    - policy: team-qa
-
-    ```plaintext
-    $ vault write auth/userpass/users/bsmith password="training" policies="team-qa"
-    ```
-
-1. Execute the following command to discover the mount accessor for the userpass auth method:
-
-    ```plaintext
-    $ vault auth list -detailed
-    Path                  Type        Accessor                ...
-    ----                  ----        --------                ...  
-    token/                token       auth_token_bec8530a     ...
-    userpass/             userpass    auth_userpass_70eba76b  ...
-    ```
-
-    In the output, locate the **Accessor** value for `userpass`.
-
-    Run the following command to store the userpass accessor value in a file named, `accessor.txt`.
-
-    ```plaintext
-    $ vault auth list -format=json | jq -r '.["userpass/"].accessor' > accessor.txt
-    ```
-
-1. Create an entity for `bob-smith`.
-
-    ```plaintext
-    $ vault write identity/entity name="bob-smith" policies="base" \
-         metadata=organization="ACME Inc." \
-         metadata=team="QA"
-
-    Key        Value
-    ---        -----
-    aliases    <nil>
-    id         631256b1-8523-9838-5501-d0a1e2cdad9c         
-    ```
-
-    -> Make a note of the generated entity ID (**`id`**).
-
-
-1. Now, add the user `bob` to the `bob-smith` entity by creating an entity alias:
-
-    ```plaintext
-    $ vault write identity/entity-alias name="bob" \
-         canonical_id=<entity_id> \
-         mount_accessor=<userpass_accessor>
-    ```
-
-    The `<userpass_accessor>` value is stored in `accessor.txt`.
-
-    **Example:**
-
-    ```plaintext
-    $ vault write identity/entity-alias name="bob" \
-           canonical_id="631256b1-8523-9838-5501-d0a1e2cdad9c" \
-           mount_accessor=$(cat accessor.txt)
-
-    Key             Value
-    ---             -----
-    canonical_id    631256b1-8523-9838-5501-d0a1e2cdad9c
-    id              873f7b12-dec8-c182-024e-e3f065d8a9f1
-    ```
-
-1. Repeat the step to add user `bsmith` to the `bob-smith` entity.
-
-    **Example:**
-
-    ```plaintext
-    $ vault write identity/entity-alias name="bsmith" \
-           canonical_id="631256b1-8523-9838-5501-d0a1e2cdad9c" \
-           mount_accessor=$(cat accessor.txt)
-
-    Key             Value
-    ---             -----
-    canonical_id    631256b1-8523-9838-5501-d0a1e2cdad9c
-    id              55d46747-b99e-6a82-05f5-61bb60fd7d15
-    ```
-
-1. Review the entity details.
-
-    ```plaintext
-    $ vault read identity/entity/id/<entity_id>
-    ```
-
-    The output should include the entity aliases, metadata (organization, and
-    team), and base policy.
-
-
-
-
-#### API call using cURL
-
-1. Create policies: `base`, `test`, and `team-qa`.
-
-    To create a policy, use the `/sys/policy` endpoint:
-
-    ```shell
-    $ curl --header "X-Vault-Token: <TOKEN>" \
-           --request PUT \
-           --data <PAYLOAD> \
-           <VAULT_ADDRESS>/v1/sys/policy/<POLICY_NAME>
-    ```
-
-    Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
-    stringified policy.
-
-    **Example:**
-
-    ```shell
-    # Create the API request payload, payload-1.json
-    $ tee payload-1.json <<EOF
-    {
-      "policy": "path \"secret/training_*\" {\n capabilities = [\"create\", \"read\"]\n}"
-    }
-    EOF
-
-    # Create base policy
-    $ curl --header "X-Vault-Token: ..." \
-           --request PUT \
-           --data @payload-1.json \
-           http://127.0.0.1:8200/v1/sys/policy/base
-
-    # Create the API request payload, payload-2.json
-    $ tee payload-2.json <<EOF
-    {
-      "policy": "path \"secret/test\" {\n capabilities = [ \"create\", \"read\", \"update\", \"delete\" ]\n }"
-    }
-    EOF
-
-    # Create base policy
-    $ curl --header "X-Vault-Token: ..." \
-           --request PUT \
-           --data @payload-2.json \
-           http://127.0.0.1:8200/v1/sys/policy/test
-
-    # Create the API request payload, payload-1.json
-    $ tee payload-3.json <<EOF
-    {
-      "policy": "path \"secret/team-qa\" {\n capabilities = [ \"create\", \"read\", \"update\", \"delete\" ]\n }"
-    }
-    EOF
-
-    # Create base policy
-    $ curl --header "X-Vault-Token: ..." \
-           --request PUT \
-           --data @payload-3.json \
-           http://127.0.0.1:8200/v1/sys/policy/team-qa
-
-    # List all policies to verify that 'base', 'test' and 'team-qa' policies exist
-    $ curl --header "X-Vault-Token: ..." \
-           http://127.0.0.1:8200/v1/sys/policy | jq
-    ```
-
-1. Enable the `userpass` auth method.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{"type": "userpass"}' \
-           http://127.0.0.1:8200/v1/sys/auth/userpass
-    ```
-
-1. Create a new user in userpass:
-    - username: bob
-    - password: training
-    - policy: test
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{"password": "training", "policies": "test"}' \
-           http://127.0.0.1:8200/v1/auth/userpass/users/bob
-    ```
-
-1. Create another user in userpass:
-    - username: bsmith
-    - password: training
-    - policy: team-qa
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{"password": "training", "policies": "team-qa"}' \
-           http://127.0.0.1:8200/v1/auth/userpass/users/bsmith
-    ```
-
-1. Execute the following command to discover the mount accessor for the userpass
-   auth method.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           http://127.0.0.1:8200/v1/sys/auth | jq
-     {
-       ...
-       "userpass/": {
-         "accessor": "auth_userpass_9b6cd254",
-        ...
-       },
-       ...
-    ```
-
-    -> Make a note of the userpass accessor value (**`auth_userpass_XXXXX`**).
-
-1. Create an entity for bob-smith.
-
-    ```plaintext
-    $ tee payload.json <<EOF
-    {
-      "name": "bob-smith",
-      "metadata": {
-        "organization": "ACME Inc.",
-        "team": "QA"
-      },
-      "policies": ["base"]
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload.json \
-           http://127.0.0.1:8200/v1/identity/entity
-    {
-      "request_id": "4d4d340f-f4c9-0201-c87e-42cc140a383a",
-      "lease_id": "",
-      "renewable": false,
-      "lease_duration": 0,
-      "data": {
-        "aliases": null,
-        "id": "6ded4d31-481f-040b-11ad-c6db0cb4d211"
-      },
-      ...
-    ```
-
-    -> Make a note of the generated entity ID (**`id`**).
-
-1. Now, add the user `bob` to the `bob-smith` entity by creating an entity alias.
-In the request body, you need to pass the userpass name as `name`, the userpass 
-accessor value as `mount_accessor`, and the entity id as `canonical_id`.
-
-    **Example:**
-
-    ```plaintext
-    $ tee payload-bob.json <<EOF
-    {
-      "name": "bob",
-      "canonical_id": "6ded4d31-481f-040b-11ad-c6db0cb4d211",
-      "mount_accessor": "auth_userpass_9b6cd254"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload-bob.json \
-           http://127.0.0.1:8200/v1/identity/entity-alias
-    ```
-
-
-1. Repeat the step to add user `bsmith` to the `bob-smith` entity.
-
-    **Example:**
-
-    ```plaintext
-    $ tee payload-bsmith.json <<EOF
-    {
-      "name": "bsmith",
-      "canonical_id": "6ded4d31-481f-040b-11ad-c6db0cb4d211",
-      "mount_accessor": "auth_userpass_9b6cd254"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload-bsmith.json \
-           http://127.0.0.1:8200/v1/identity/entity-alias
-    ```
-
-1. Review the entity details. (**NOTE:** Be sure to enter the entity ID matching
-  your environment.)
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           http://127.0.0.1:8200/v1/identity/entity/id/<ENTITY_ID>
-    {
-       "request_id": "cc0793bf-fafe-4b2c-fd82-88855712845c",
-       "lease_id": "",
-       "renewable": false,
-       "lease_duration": 0,
-       "data": {
-         "aliases": [
-           {
-             "canonical_id": "6ded4d31-481f-040b-11ad-c6db0cb4d211",
-             ...
-             "mount_type": "userpass",
-             "name": "bob"
-           },
-           {
-             "canonical_id": "6ded4d31-481f-040b-11ad-c6db0cb4d211",
-             ...
-             "mount_type": "userpass",
-             "name": "bsmith"
-           }
-         ],
-         ...
-    ```
-
-    The `bob` and `bsmith` users should appear in the entity alias list.
-
-
-#### Web UI
-
-1. Open a web browser and launch the Vault UI (e.g. http://127.0.01:8200/ui)
-and then login.
-
-1. Click the **Policies** tab, and then select **Create ACL policy**.
-
-1. Enter **`base`** in the **Name** field, and paste in the [`base.hcl` policy
-rules](#scenario-policies) in the **Policy** text editor.
-
-    ![Create Policy](/img/vault-policy-2.png)
-
-1. Click **Create Policy** to complete.
-
-1. Repeat the steps to create policies for **`test`** and **`team-qa`** as well.
-
-    ![Create Policy](/img/vault-policy-1.png)
-
-1. Click the **Access** tab, and select **Enable new method**.
-
-1. Select **Username & Password** from the **Type** drop-down menu.
-
-    ![Create Policy](/img/vault-auth-method-2.png)
-
-1. Click **Enable Method**.
-
-1. Click the Vault CLI shell icon (**`>_`**) to open a command shell.  Enter the
-following command to create a new user, **`bob`**:
-
-    ```plaintext
-    $ vault write auth/userpass/users/bob password="training" policies="test"
-    ```
-    ![Create Policy](/img/vault-auth-method-3.png)
-
-1. Enter the following command to create a new user, **`bsmith`**:
-
-    ```plaintext
-    $ vault write auth/userpass/users/bsmith password="training" policies="team-qa"
-    ```
-    ![Create Policy](/img/vault-auth-method-4.png)
-
-1. Click the icon (**`>_`**) again to hide the shell.
-
-1. From the **Access** tab, select **Entities** and then **Create entity**.
-
-1. Populate the **Name**, **Policies** and **Metadata** fields as shown below:
-
-    ![Create Policy](/img/vault-entity-4.png)
-
-1. Click **Create**.
-
-1. Select **Add alias**.  Enter **`bob`** in the **Name** field and select
-**`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
-
-    ![Create Policy](/img/vault-entity-5.png)
-
-1. Click **Create**.
-
-1. Return to the **Entities** list.  Select **Add alias** from the **`bob-smith`**
-entity menu.
-
-    ![Create Policy](/img/vault-entity-6.png)
-
-1. Enter **`bsmith`** in the **Name** field and select **`userpass/ (userpass)`** from the
-**Auth Backend** drop-down list, and then click **Create**.
-
-
-
-
-### <a name="step2"></a>Step 2: Test the Entity
-
-To better understand how a token inherits the capabilities from the entity's
-policy, you are going to test it by logging in as `bob`.
-
-### CLI Command
-
-First, login as `bob`.
-
-```plaintext
-$ vault login -method=userpass username=bob password=training
-
-Key                    Value
----                    -----
-token                  ac318416-0dc1-4311-67e4-b58381c86fde
-token_accessor         79cced7b-51df-9523-920f-a1579687516b
-token_duration         768h
-token_renewable        true
-token_policies         ["default" "test"]
-identity_policies      ["base"]
-policies               ["base" "default" "test"]
-token_meta_username    bob
-```
-
-> Upon a successful authentication, a token will be returned. Notice that the
-output displays **`token_policies`** and **`identity_policies`**. The generated
-token has both `test` and `base` policies attached.
-
-The `test` policy grants CRUD operations on the `secret/test` path.  
-Test to make sure that you can write secrets in the path.
-
-```plaintext
-$ vault kv put secret/test owner="bob"
-Success! Data written to: secret/test
-```
-
-
-Although the username `bob` does not have `base` policy attached, the token
-inherits the capabilities granted in the base policy because `bob` is a member
-of the `bob-smith` entity, and the entity has base policy attached.
-
-Check to see that the bob's token inherited the capabilities.  
-
-```plaintext
-$ vault token capabilities secret/training_test
-create, read
-```
-
-> The `base` policy grants create and read capabilities on
-`secret/training_*` path; therefore, `bob` is permitted to run create and
-read operations against any path starting with `secret/training_*`.
-
-
-What about the `secret/team-qa` path?
-
-```plaintext
-$ vault token capabilities secret/team-qa
-deny
-```
-
-The user `bob` only inherits capability from its associating entity's policy.
-The user can access the `secret/team-qa` path only if he logs in with
-`bsmith` credentials.
-
-
-~> Log back in with the token you used to configure the entity before proceed to
-[Step 3](#step3).
-
-
-#### API call using cURL
-
-First, login as `bob`.
-
-```plaintext
-$ curl --request POST \
-       --data '{"password": "training"}' \
-       http://127.0.0.1:8200/v1/auth/userpass/login/bob
-{
- ...
- "auth": {
-   "client_token": "b3c2ac10-9f8f-4e64-9a1c-337236ba20f6",
-   "accessor": "92204429-6555-772e-cf51-52492d7f1686",
-   "policies": [
-     "base",
-     "default",
-     "test"
-   ],
-   "token_policies": [
-      "default",
-      "test"
-    ],
-    "identity_policies": [
-      "base"
-    ],
-   ...
-```
-
-> Upon a successful authentication, a token will be returned. Notice that the
-output displays **`token_policies`** and **`identity_policies`**. The generated
-token has both `test` and `base` policies attached.
-
-The `test` policy grants CRUD operations on the `secret/test` path. Test
-to make sure that you can write secrets in the path.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"owner": "bob"}' \
-       http://127.0.0.1:8200/v1/secret/test
-```
-
-
-Although the username `bob` does not have `base` policy attached, the token
-inherits the capabilities granted in the base policy because `bob` is a member
-of the `bob-smith` entity, and the entity has base policy attached.
-
-Check to see that the bob's token inherited the capabilities.  
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-         --request POST \
-         --data '{"paths": ["secret/training_test"]}'
-         http://127.0.0.1:8200/v1/sys/capabilities-self | jq
-{
- "secret/training_test": [
-   "create",
-   "read"
- ],
- ...
-```
-
-> The `base` policy grants create and read capabilities on
-`secret/training_*` path; therefore, `bob` is permitted to run create and
-read operations against any path starting with `secret/training_*`.
-
-
-What about the `secret/team-qa` path?
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"paths": ["secret/team-qa"]}'
-       http://127.0.0.1:8200/v1/sys/capabilities-self | jq
-{
- "secret/team-qa": [
-   "deny"
- ],
- ...
-```
-
-The user `bob` only inherits capability from its associating entity's policy.
-The user can access the `secret/team-qa` path only if he logs in with
-`bsmith` credentials.
-
-
-!> **NOTE:** Log back in with the token you used to configure the entity before proceed to
-[Step 3](#step3).
-
-
-### <a name="step3"></a>Step 3: Create an Internal Group
-
-Now, you are going to create an internal group named, **`engineers`**.  Its
-member is `bob-smith` entity that you created in [Step 1](#step1).
-
-![Entity Bob Smith](/img/vault-entity-3.png)
-
-The group policy, `team-eng` defines the following: **`team-eng.hcl`**
-
-```plaintext
-path "secret/team/eng" {
-  capabilities = [ "create", "read", "update", "delete"]
-}
-```
-
-#### CLI Command
-
-1. Create a new policy named, `team-eng`:
-
-    ```plaintext
-    $ vault policy write team-eng ./team-eng.hcl
-    ```
-
-1. Create an internal group named, `engineers` and add `bob-smith` entity as a
-group member and attach `team-eng`.
-
-    ```plaintext
-    $ vault write identity/group name="engineers" \
-          policies="team-eng" \
-          member_entity_ids=<entity_id> \
-          metadata=team="Engineering" \
-          metadata=region="North America"
-    ````
-    Where `<entity_id>` is the value you copied at [Step 1](#step1).
-
-    **Example:**
-
-    ```plaintext
-    $ vault write identity/group name="engineers" \
-          policies="team-eng" \
-          member_entity_ids="631256b1-8523-9838-5501..."  \
-          metadata=team="Engineering" \
-          metadata=region="North America"
-    Key     Value
-    ---     -----
-    id      81bdac90-284a-7b8c-6289-5fa7693bcb4a
-    name    engineers
-    ```
-
-Now, when you login as `bob` or `bsmith`, its generated token inherits the
-group-level policy, **`team-eng`**. You can perform similar tests demonstrated
-in [Step 2](#step2) to verify that.
-
-
-#### API call using cURL
-
-1. Create a new policy named, `team-eng`:
-
-    ```shell
-    # API request payload containing stringified policy
-    $ tee payload.json <<EOF
-    {
-      "policy": "path \"secret/team/eng\" {\n capabilities = [\"create\", \"read\", \"delete\", \"update\"]\n }"
-    }
-    EOF
-
-    # Create base policy
-    $ curl --header "X-Vault-Token: ..." \
-           --request PUT \
-           --data @payload-1.json \
-           http://127.0.0.1:8200/v1/sys/policy/team-eng
-    ```
-
-
-1. Create an internal group named, `engineers` and add `bob-smith` entity as a
-group member and attach `team-eng`.
-
-    ```shell
-    # API request msg payload.  Be sure to replace <ENTITY_ID> with correct value
-    $ tee payload-group.json <<EOF
-    {
-      "name": "engineers",
-      "policies": ["team-eng"],
-      "member_entity_ids": ["<ENTITY_ID>"],
-      "metadata": {
-        "team": "Engineering",
-        "region": "North America"
-      }
-    }
-    EOF
-
-    # Use identity/group endpoint
-    $ curl --header "X-Vault-Token: ..." \
-           --request PUT \
-           --data @payload-group.json \
-           http://127.0.0.1:8200/v1/identity/group | jq
-    {
-       "request_id": "2b6eefd6-67a6-31c7-dbc3-11c1c132e2cf",
-       "lease_id": "",
-       "renewable": false,
-       "lease_duration": 0,
-       "data": {
-         "id": "d62157aa-b5f6-b6fe-aa40-0ffc54defc41",
-         "name": "engineers"
-       },
-       ...
-    ```
-
-Now, when you login as `bob` or `bsmith`, its generated token inherits the
-group-level policy, **`team-eng`**. You can perform similar tests demonstrated
-in [Step 2](#step2) to verify that.
-
-
-#### Web UI
-
-1. Click the **Policies** tab, and then select **Create ACL policy**.
-
-1. Enter **`team-eng`** in the **Name** field, and paste in the [`team-eng.hcl` policy
-rules](#step3) in the **Policy** text editor, and then click **Create Policy**.
-
-1. Click the **Access** tab and select **Entities**.
-
-1. Select the **`bob-smith`** entity and copy its **ID** displayed under the
-**Details** tab.
-
-1. Now, click **Groups** from the left navigation, and select **Create group**.
-
-1. Enter the group information as shown below.
-
-    ![Group](/img/vault-entity-7.png)
-
-    ~> **NOTE:** Make sure to enter the `bob-smith` entity **ID** you copied in the
-    **Member Entity IDs** field.
-
-1. Click **Create**.
-
-Now, when you login as `bob` or `bsmith`, its generated token inherits the
-group-level policy, **`team-eng`**. You can perform similar tests demonstrated
-in [Step 3](#step3) to verify that.
-
-<br>
-
-> **Summary:** By default, Vault creates an internal group. When you create an
-internal group, you specify the ***group members*** rather than ***group
-alias***. Group _aliases_ are mapping between Vault and external identity providers
-(e.g. LDAP, GitHub, etc.).  Therefore, you define group aliases only when you
-create **external** groups.  For internal groups, you specify `member_entity_ids`
-and/or `member_group_ids`.
-
-
-
-### <a name="step4"></a>Step 4: Create an External Group
-
-It is common for organizations to enable auth methods such as LDAP, Okta and
-perhaps GitHub to handle the Vault user authentication, and individual user's
-group memberships are defined within those identity providers.
-
-In order to manage the group-level authorization, you can create an external
-group to link Vault with the external identity provider (auth provider) and
-attach appropriate policies to the group.
-
-#### Example Scenario
-
-Any user who belongs to **`training`** team in GitHub organization,
-**`example-inc`** are permitted to perform all operations against the
-`secret/education` path.
-
-**NOTE:** This scenario assumes that the GitHub organization, `example-inc`
-exists as well as `training` team within the organization.
-
-### CLI Command
-
-```shell
-# Write a new policy file
-# If you are running KV v2, set the path to "secret/data/education" instead
-$ tee education.hcl <<EOF
-path "secret/education" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-EOF
-
-# Create a new policy named 'education'
-$ vault policy write education education.hcl
-
-# Enable GitHub auth method
-$ vault auth enable github
-
-# Retrieve the mount accessor for the GitHub auth method and save it in accessor.txt
-$ vault auth list -format=json | jq -r '.["github/"].accessor' > accessor.txt
-
-# Configure to point to your GitHub organization (e.g. hashicorp)
-$ vault write auth/github/config organization=example-inc
-
-# Create an external group named, "education"
-# Be sure to copy the generated group ID
-$ vault write identity/group name="education" \
-       policies="education" \
-       type="external" \
-       metadata=organization="Product Education"
-
-# Create a group alias where canonical_id is the group ID
-# 'name' is the actual GitHub team name (NOTE: Use slugified team name.)
-$ vault write identity/group-alias name="training" \
-       mount_accessor=$(cat accessor.txt) \
-       canonical_id="<group_ID>"
-```
-
-
-
-#### API call using cURL
-
-```shell
-# API request payload containing stringfied policy
-# If you are running KV v2, set the path to "secret/data/education" instead
-$ tee payload-pol.json <<EOF
-{
-  "policy": "path \"secret/education\" {\n capabilities = [\"create\", \"read\", \"delete\", \"update\", \"list\"]\n }"
-}
-EOF
-
-# Create education policy
-$ curl --header "X-Vault-Token: ..." \
-       --request PUT \
-       --data @payload-pol.json \
-       http://127.0.0.1:8200/v1/sys/policy/education
-
-# Enable GitHub Auth Method at github
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type": "github"}' \
-       http://127.0.0.1:8200/v1/sys/auth/github
-
-# Configure GitHub auth method by setting organization
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"organization": "example-inc"}' \
-       http://127.0.0.1:8200/v1/auth/github/config
-
-# Get the github accessor value (**`auth_github_XXXXX`**)
-$ curl --header "X-Vault-Token: ..." \
-      http://127.0.0.1:8200/v1/sys/auth | jq
-{
-  ...
-  "userpass/": {
-    "accessor": "auth_github_91010f60",
-   ...
-  },
-  ...
-}
-
-# API request msg payload to create an external group  
-$ tee payload-edu.json <<EOF
-{
-   "name": "education",
-   "policies": ["education"],
-   "type": "external",
-   "metadata": {
-     "organization": "Product Education"
-   }
-}
-EOF
-
-# Create an external group named, "education"
-# Be sure to copy the group ID (id)
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload-edu.json \
-       http://127.0.0.1:8200/v1/identity/group | jq
-{
-   "request_id": "a8161086-13db-f982-4216-7d996eae3fd9",
-   "lease_id": "",
-   "renewable": false,
-   "lease_duration": 0,
-   "data": {
-     "id": "ea18cb62-2478-d370-b726-a77d1700de80",
-     "name": "education"
-   },
-  ...
-
-# API request msg payload to create a group aliases, training
-$ tee payload-training.json <<EOF
-{
-  "canonical_id": "<GROUP_ID>",
-  "mount_accessor": "auth_github_XXXXX",
-  "name": "training"
-}
-EOF
-
-# Create 'training' group alias
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload-training.json \
-       http://127.0.0.1:8200/v1/identity/group-alias | jq
-```
-
-#### Web UI
-
-1. Click the **Policies** tab, and then select **Create ACL policy**.
-
-1. Enter **`education`** in the **Name** field, and enter the following policy
-in the **Policy** text editor, and then click **Create Policy**. (**NOTE:** If
-you are running KV v2, set the path to **`secret/data/education`** instead.)
-
-    ```plaintext
-    path "secret/education" {
-      capabilities = [ "create", "read", "update", "delete", "list" ]
-    }
-    ```
-
-1. Click the **Access** tab and select **Auth Methods**.
-
-1. Select **Enable new method**.
-
-1. Select **GitHub** from the **Type** drop-down menu, and then enter
-**`example-inc`** in the **Organization** field.  
-
-1. Click **Enable Method**.
-
-1. Click the **Access** tab and select **Groups**.
-
-1. Select **Create group**. Enter the group information as shown below.
-
-    ![Create Policy](/img/vault-entity-9.png)
-
-1. Click **Create**.
-
-1. Select **Add alias** and enter **`training`** in the **Name** field.  Select
-**github/ (github)** from the **Auth Backend** drop-down list.
-
-    ![Create Policy](/img/vault-entity-10.png)
-
-1. Click **Create**.
-
-<br>
-
-> **Summary:** At this point, any GitHub user who belongs to `training`
-team within the `example-inc` organization can authenticate with Vault. The
-generated token for the user has `education` policy attached.
-
-
-## Next steps
-
-Now that you have learned about managing user identity using entities and
-groups, read the [AppRole Pull
-Authentication](/guides/identity/authentication.html) guide to learn how apps or
-machines can authenticate with Vault.
diff --git a/website/source/guides/identity/index.html.md b/website/source/guides/identity/index.html.md
deleted file mode 100644
index 01908eccd385..000000000000
--- a/website/source/guides/identity/index.html.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-layout: "guides"
-page_title: "Identity and Access Management - Guides"
-sidebar_title: "Identity and Access Management"
-sidebar_current: "guides-identity"
-description: |-
-  Once a Vault instance has been installed, the next step is to configure auth
-  backends, secret backends, and manage keys. Vault configuration guides addresses
-  key concepts in configuring your Vault application.   
----
-
-# Identity and Access Management
-
-This guide walks you through Identity and Access Management topics.
-
-- [Secure Introduction of Vault Clients](/guides/identity/secure-intro.html)
-explains the mechanism of the client authentication against a Vault server.
-
-- [Policies](/guides/identity/policies.html) are used to instrument
-Role-Based Access Control (RBAC) by specifying access privileges. Authoring of
-policies is probably the first step the Vault administrator performs. This guide
-walks you through creating example policies for `admin` and `provisioner` users.
-
-- [ACL Policy Path Templating](/guides/identity/policy-templating.html) guide
-demonstrates templated policy paths to allow non-static paths.
-
-- [AppRole Pull Authentication](/guides/identity/authentication.html) guide
-that introduces the steps to generate tokens for machines or apps by enabling
-AppRole auth method.
-
-- [AppRole with Terraform and Chef](/guides/identity/approle-trusted-entities.html)
-guide explains how AppRole auth method integrates with Terraform and Chef.
-This guide is for anyone who wishes to reproduce the demo introduced during
-the [Delivering Secret Zero: Vault AppRole with Terraform and
-Chef](https://www.hashicorp.com/resources/delivering-secret-zero-vault-approle-terraform-chef)
-webinar.
-
-- [Token and Leases](/guides/identity/lease.html) guide helps you
-understand how tokens and leases work in Vault. The understanding of the
-lease hierarchy and expiration mechanism helps you plan for break glass
-procedures and more.
-
-- [Identity - Entities & Groups](/guides/identity/identity.html) guide
-demonstrates the usage of _Entities_ and _Groups_ to manage Vault clients'
-identity.
-
-## Vault Enterprise
-
-- [Sentinel Policies](/guides/identity/sentinel.html) guide
-walks through the creation and usage of _Role Governing Policies_ (RGPs) and
-_Endpoint Governing Policies_ (EGPs) in Vault.
-
-- [Control Groups](/guides/identity/control-groups.html) can be used to enforce
-additional authorization factors before the request can be completed. This
-guide walks through the implementation of a Control Group.
diff --git a/website/source/guides/identity/lease.html.md b/website/source/guides/identity/lease.html.md
deleted file mode 100644
index 6ad8f83c98af..000000000000
--- a/website/source/guides/identity/lease.html.md
+++ /dev/null
@@ -1,848 +0,0 @@
----
-layout: "guides"
-page_title: "Tokens and Leases - Guides"
-sidebar_title: "Tokens and Leases"
-sidebar_current: "guides-identity-lease"
-description: |-
-  Tokens are the core method for authentication within Vault. For every
-  authentication token and dynamic secret, Vault creates a lease
-  containing information such as duration, renewability, and more.
-  Understanding the lifecycle of leases means understanding the lifecycle of
-  tokens in some sense.
----
-
-# Tokens and Leases
-
-Almost everything in Vault has an associated lease, and when the lease is
-expired, the secret is revoked. Tokens are not an exception. Every non-root
-token has a time-to-live (TTL) associated with it. When a token expires and it's
-not renewed, the token is automatically revoked.
-
-## Lease Hierarchy
-
-When a new token or secret is created, it is a child of the creator. If the
-parent is revoked or expires, so do all its children regardless of their own
-leases. A child may be a token, secret, or authentication created by a parent. A
-parent is almost always a **token**.
-
-Suppose a hierarchy exists with respective TTL as follows:
-
-```
-    b519c6aa... (3h)
-        6a2cf3e7... (4h)
-        1d3fd4b2... (1h)
-            794b6f2f... (2h)
-```
-
-In this scenario, the lease ID of `1d3fd4b2..` will expire in an hour. If a
-token or secret with a lease is not renewed before the lease expires, it will be
-revoked by the Vault server. When it's revoked, it takes its child
-(`794b6f2f...`) although the child has one more hour before it expires. Then,
-two hours later, `b519c6aa...` will be revoked and takes its child
-(`6a2cf3e7...`) with it.
-
-
-## Reference Material
-
-- The [Validation](/guides/secret-mgmt/dynamic-secrets.html#validation) section of the
-[Secret as a Service](/guides/secret-mgmt/dynamic-secrets.html) guide demonstrates lease
-renewal and revocation
-- [Tokens documentation](/docs/concepts/tokens.html)
-- [Token Auth Method (API)](/api/auth/token/index.html)
-- [Lease, Renew, and Revoke](/docs/concepts/lease.html)
-
-~> **NOTE:** An [interactive
-tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-tokens) is
-also available if you do not have a Vault environment to perform the steps
-described in this guide.
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Personas
-
-The end-to-end scenario described in this guide involves one persona:
-
-- **`admin`** with privileged permissions to create and manage tokens
-
-See the [policy requirements](#policy-requirements) section for details.
-
-## Challenge
-
-Consider the following scenarios often encountered outside of Vault:
-
-- There is no **break glass** procedure available for revoking
-access to credentials in the event of a breach
-- Credentials for external systems (e.g. AWS, MySQL) are shared
-- Need temporal access to a database in a specific scenario
-
-## Solution
-
-Vault has built-in support for secret revocation. Vault can revoke not only
-a single secret, but also a tree of secrets. For example, Vault can revoke all
-secrets read by a specific **user** or all secrets of a specific **type**.
-Revocation assists in key rolling as well as locking down systems in the case of
-an intrusion.
-
-If a user or machine needs a temporal access to Vault, you can set a short TTL
-or a number of uses to a token so the token is automatically revoked at the
-end of its life.
-
-This also allows for organizations to plan and train for various
-"break glass" procedures.
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
-with Vault. However, it is recommended that root tokens are used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-an appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# List available auth method - Step 1
-path "sys/auth" {
-  capabilities = [ "read" ]
-}
-
-# Read default token configuration
-path "sys/auth/token/tune" {
-  capabilities = [ "read", "sudo" ]
-}
-
-# Create and manage tokens (renew, lookup, revoke, etc.)
-path "auth/token/*" {
-  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
-}
-
-# For Advanced Features - list available secret engines
-path "sys/mounts" {
-  capabilities = [ "read" ]
-}
-
-# For Advanced Features - tune the database secret engine TTL
-path "sys/mounts/database/tune" {
-  capabilities = [ "update" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-Tokens are the core method for authentication within Vault. Tokens can be used
-directly or dynamically generated by the auth methods. Regardless, the clients
-need valid tokens to interact with Vault.
-
-This guide demonstrates the lifecycle of tokens.
-
-1. [Read token auth method configuration](#step1)
-1. [Create short-lived tokens](#step2)
-1. [Create tokens with use limit](#step3)
-1. [Periodic tokens](#step4)
-1. [Orphan tokens](#step5)
-1. [Revoke tokens](#step6)
-
-
-### <a name="step1"></a>Step 1: Read token auth method configuration
-
-When you create leases with no specific TTL values, the default value applies
-to the lease.
-
-```shell
-$ vault auth list
-
-Path       Type      Accessor                Default TTL  Max TTL  Replication Behavior  Description
-approle/   approle   auth_approle_53f0fb08   system       system   replicated
-github/    github    auth_github_b770f4c8    system       system   replicated
-token/     token     auth_token_2ad69043     system       system   replicated            token based credentials
-userpass/  userpass  auth_userpass_d326d2f9  system       system   replicated
-```
-
-The system max TTL is **32 days**, but you can override it to be longer or
-shorter in Vault's configuration file.
-
-Another option is to tune the mount configuration to override the system
-defaults by calling the **`/sys/mounts/<PATH>/tune`** endpoint (e.g.
-`/sys/mounts/database/tune`). For the auth method system configuration, call
-**`/sys/auth/<METHOD>/tune`** endpoint.
-
-NOTE: Refer to the [Advanced Features](#advanced-features) section for tuning
-the system configuration.
-
-#### CLI command
-
-Read the default TTL settings for **token** auth method:
-
-```shell
-$ vault read sys/auth/token/tune
-
-Key              	Value
----              	-----
-default_lease_ttl	2764800
-force_no_cache   	false
-max_lease_ttl    	2764800
-```
-
-#### API call using cURL
-
-Use `/sys/auth/token/tune` endpoint to read the default TTL settings for **token** auth
-method:
-
-```shell
-$ curl --header "X-Vault-Token: <TOKEN>" \
-     --request GET \
-     <VAULT_ADDRESS>/v1/sys/auth/token/tune
-```
-
-Where `<TOKEN>` is your valid token with read permission on the
-`sys/auth/token/tune` path.
-
-**Example:**
-
-```shell
-$ curl --header "X-Vault-Token: ..." --request GET \
-      http://127.0.0.1:8200/v1/sys/auth/token/tune | jq
-{
-  "default_lease_ttl": 2764800,
-  "max_lease_ttl": 2764800,
-  "force_no_cache": false,
-  "request_id": "630fd49d-f704-540f-0641-41516087654f",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "default_lease_ttl": 2764800,
-    "force_no_cache": false,
-    "max_lease_ttl": 2764800
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
--> **NOTE:** The returned TTL value is in seconds (2764800 seconds = 32 days).
-
-### <a name="step2"></a>Step 2: Create short-lived tokens
-
-Create a new token with TTL of 30 seconds which means that the token gets
-automatically revoked after 30 seconds.
-
-#### CLI command
-
-To view optional parameters to create tokens:
-
-```shell
-$ vault token create -help
-```
-
-There are a number of parameters you can set.  To specify the token TTL, pass
-the value using `-ttl` parameter.
-
-**Example:**
-
-```shell
-# Create a token with TTL of 30 seconds
-$ vault token create -ttl=30s
-Key            	Value
----            	-----
-token          	3b2b1285-844b-4b40-6afa-623f39c1b738
-token_accessor 	2b2b5b83-7f22-fecd-03f0-4e25bf64da11
-token_duration 	30s
-token_renewable	true
-token_policies 	[admin]
-
-# Test the new token
-$ VAULT_TOKEN=3b2b1285-844b-4b40-6afa-623f39c1b738 vault token lookup
-Key             	Value
----             	-----
-accessor        	2b2b5b83-7f22-fecd-03f0-4e25bf64da11
-creation_time   	1515702047
-creation_ttl    	30
-display_name    	token
-expire_time     	2018-01-11T20:21:17.900969673Z
-explicit_max_ttl	0
-id              	3b2b1285-844b-4b40-6afa-623f39c1b738
-issue_time      	2018-01-11T20:20:47.90096937Z
-meta            	<nil>
-num_uses        	0
-orphan          	false
-path            	auth/token/create
-policies        	[admin]
-renewable       	true
-ttl             	8
-```
-
-**NOTE:** The `vault token lookup` command returns the token's properties.
-In this example, it shows that this token has 8 more seconds before it expires.
-
-When you execute a Vault command using the new token immediately following its
-creation, it should work. Wait for 30 seconds and try again. It returns
-**`Code: 403. Errors:`** which indicates a forbidden API call due to expired
-token usage.
-
-
-You can **renew** the token's TTL as long as the token has not expired.
-
-```shell
-$ vault token renew <TOKEN>
-```
-
-If you want to renew and extend the token's TTL, pass the desired extension:
-
-```shell
-$ vault token renew <TOKEN> <EXTENSION>
-```
-
-Or with revamped cli:
-
-```shell
-$ vault token renew -increment=<EXTENSION> <TOKEN>
-```
-
-The extension value can be an integer number of seconds (e.g. 3600) or a string
-duration (e.g. "1h").
-
-
-#### API call using cURL
-
-Use the `auth/token/create` endpoint to create a new token. There are a number of
-optional [parameters](/api/auth/token/index.html#create-token) that you can pass
-in the request payload.
-
-**Example:**
-
-The following example sets the `ttl` parameter.
-
-```shell
-# Create a new token with TTl of 30 seconds
-$ curl --header "X-Vault-Token: ..." --request POST \
-     --data '{"ttl": "30s"}' \
-     http://127.0.0.1:8200/v1/auth/token/create | jq
-{
-  ...
- "auth": {
-   "client_token": "f7d88963-1aba-64d7-11a0-9282ae7681d0",
-   "accessor": "c0a40d94-b814-e46f-7e56-ee18fccdf1b6",
-   "policies": [
-     "admin"
-   ],
-   "metadata": null,
-   "lease_duration": 30,
-   "renewable": true
- }
-}
-
-# Pass the returned token (`client_token`) in the `X-Vault-Token` header to test
-$ curl --header "X-Vault-Token: f7d88963-1aba-64d7-11a0-9282ae7681d0" \
-     --request GET \
-     http://127.0.0.1:8200/v1/auth/token/lookup-self | jq
-{
-  ...
- "data": {
-   "accessor": "c0a40d94-b814-e46f-7e56-ee18fccdf1b6",
-   "creation_time": 1515702669,
-   "creation_ttl": 30,
-    ...
-   "renewable": true,
-   "ttl": 14
- },
- ...
-}
-```
-
-When you invoke the API using the new token immediately following its
-creation, it should work. Wait for 30 seconds and try again. It returns
-**`Code: 403. Errors:`** which indicates a forbidden API call due to expired
-token usage.
-
-#### Renew the token:
-
-```shell
-$ curl --header "X-Vault-Token: ..." --request POST \
-       http://127.0.0.1:8200/v1/auth/token/renew/<TOKEN> | jq
-
-# Renew token with 1 hour extension
-$ curl --header "X-Vault-Token: ..." --request POST \
-       --data '{"increment": "3600"}' \
-       http://127.0.0.1:8200/v1/auth/token/renew/<TOKEN> | jq
-```
-
--> **NOTE:** Tokens can be renewed as long as its life hasn't reached its max
-TTL. For example, if the token's TTL is 1 hour and max TTL is 24 hours, you can
-renew the token up to 24 hours from its creation time. Once 24 hours has passed from
-the token's creation time, the token is revoked by Vault. For long running
-processes, this may introduce complexity. In such case, use [periodic tokens](#step4).
-
-
-### <a name="step3"></a>Step 3: Create tokens with use limit
-
-In addition to TTL and max TTL, tokens may be limited to a number of uses. Use
-limit tokens expire at the end of their last use regardless of their remaining
-TTLs. On the same note, use limit tokens expire at the end of their TTLs
-regardless of their remaining uses.
-
-To create tokens with a use limit, set the number of uses when you
-create them.
-
-#### CLI command
-
-Create a token with the `-use-limit` property argument.
-
-**Example:**
-
-```shell
-$ vault token create -policy=default -use-limit=2
-
-Key            	Value
----            	-----
-token          	bd39178e-176e-cc91-3930-94f7b0194de5
-token_accessor 	a230f5ab-b59f-db0b-855d-36ea4319b58e
-token_duration 	768h0m0s
-token_renewable	true
-token_policies 	[default]
-```
-
-This creates a token with the _default_ policy and a use limit of 2.
-
-#### Verification
-
-```shell
-$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault token lookup
-
-Key             	Value
----             	-----
-accessor        	a230f5ab-b59f-db0b-855d-36ea4319b58e
-creation_time   	1515710251
-creation_ttl    	2764800
-display_name    	token
-expire_time     	2018-02-12T22:37:31.715486503Z
-explicit_max_ttl	0
-id              	bd39178e-176e-cc91-3930-94f7b0194de5
-issue_time      	2018-01-11T22:37:31.715486221Z
-meta            	<nil>
-num_uses        	1
-orphan          	false
-path            	auth/token/create
-policies        	[default]
-renewable       	true
-ttl             	2764769
-
-
-$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault write cubbyhole/token \
-    value=bd39178e-176e-cc91-3930-94f7b0194de5
-
-Success! Data written to: cubbyhole/token
-
-
-$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault read cubbyhole/token
-Error reading cubbyhole/token: Error making API request.
-
-URL: GET http://127.0.0.1:8200/v1/cubbyhole/token
-Code: 403. Errors:
-
-* permission denied
-```
-
-The first command read the token's properties and then wrote a value to the cubbyhole
-secret engine. This exhausted the use limit of 2 for this token.  Therefore,
-the attempt to read the secret from the cubbyhole failed.
-
-
-#### API call using cURL
-
-Set the `num_uses` property in the request payload.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." --request POST  \
-       --data '{ "policies": ["default"], "num_uses":2 }' \
-       http://127.0.0.1:8200/v1/auth/token/create | jq
-{
-  "request_id": "0e98ff80-2825-7f50-6522-b6f95d596ef4",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668",
-    "accessor": "4dd5ef0d-8515-c3ae-ea49-016c3e9eb968",
-    "policies": [
-      "default"
-    ],
-    "metadata": null,
-    "lease_duration": 2764800,
-    "renewable": true
-  }
-}
-```
-
-This creates a token with the _default_ policy and a use limit of 2.
-
-#### Verification
-
-```text
-$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
-       --request GET \
-       http://127.0.0.1:8200/v1/auth/token/lookup-self | jq
-{
-  "request_id": "77be1321-c0ca-e099-6f92-4ad87133b044",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "accessor": "4dd5ef0d-8515-c3ae-ea49-016c3e9eb968",
-    "creation_time": 1515711922,
-    "creation_ttl": 2764800,
-    "display_name": "token",
-    "expire_time": "2018-02-12T23:05:22.746137253Z",
-    "explicit_max_ttl": 0,
-    "id": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668",
-    "issue_time": "2018-01-11T23:05:22.746136892Z",
-    "meta": null,
-    "num_uses": 1,
-    ...
-}
-
-$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
-       --request POST \
-       --data '{ "value": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668" }' \
-       http://127.0.0.1:8200/v1/cubbyhole/token
-
-
-$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
-       --request GET \
-       http://127.0.0.1:8200/v1/cubbyhole/token | jq
-{
-  "errors": [
-    "permission denied"
-  ]
-}
-```
-
-The first command read the token's properties and then wrote a value to the cubbyhole
-secret engine. This exhausted the use limit of 2 for this token.  Therefore,
-the attempt to read the secret from the cubbyhole failed.
-
-
-
-### <a name="step4"></a>Step 4: Periodic tokens
-
-**Root** or **sudo** users have the ability to generate **periodic tokens**.
-Periodic tokens have a TTL, but no max TTL; therefore, they may live for an
-infinite duration of time so long as they are renewed within their TTL. This
-is useful for long-running services that cannot handle regenerating a token.
-
-#### CLI command
-
-First, create a token role with a specific `period`.  When you set `period`,
-tokens created for this role will have no max TTL. Instead, the `period` becomes
-the token renewal period. This value can be an integer value in seconds (e.g.
-2764800) or a string duration (e.g. 72h).
-
-```shell
-$ vault write auth/token/roles/<ROLE_NAME> allowed_policies="<POLICY_NAMES>" period=<RENEWAL_PERIOD>
-```
-
-**Example:**
-
-```shell
-$ vault write auth/token/roles/zabbix allowed_policies="default" period="24h"
-```
-
-Now, generate a token:
-
-```shell
-$ vault token create -role=zabbix
-
-Key            	Value
----            	-----
-token          	de91ebba-20ad-18ba-fa43-08e1932de301
-token_accessor 	1f8abad0-c1db-9399-15ee-dd4b6230386c
-token_duration 	24h0m0s
-token_renewable	true
-token_policies 	[default]
-```
-
-
-#### API call using cURL
-
-First, create a token role by setting `period`.  When you set `period`, tokens
-created for this role will have no max TTL. Instead, the `period` becomes the
-token renewal period. This value can be an integer value in seconds (e.g.
-2764800) or a string duration (e.g. 72h).
-
-**Example:**
-
-```shell
-# API request payload
-$ tee payload.json <<EOF
-{
-	"allowed_policies": [
-		"default"
-	],
-	"period": "24h"
-}
-EOF
-
-# Create a token role called 'zabbix'
-$ curl --header "X-Vault-Token: ..." --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/auth/token/roles/zabbix
-```
-
-This creates a token role named `zabbix` with `default` policies attached.
-Its renewal period is set to 24 hours.
-
-Now, generate a token:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." --request POST \
-     http://127.0.0.1:8200/v1/auth/token/create/zabbix | jq
-{
-  ...
-  "auth": {
-    "client_token": "a59c0d41-8df7-ba8e-477e-9bfb394f28a0",
-    "accessor": "c2023006-ce8d-532b-136f-330223ccf464",
-    "policies": [
-      "default"
-    ],
-    "metadata": null,
-    "lease_duration": 86400,
-    "renewable": true,
-    "entity_id": ""
-  }
-```
-
-Generated tokens are renewable indefinitely as long as they are renewed
-before the lease duration expires. The token renew command was covered in
-[Step 2](#step2).
-
-
-#### Additional Note: Periodic Tokens with AppRole
-
-It probably makes better sense to create **AppRole** periodic tokens since we
-are talking about long-running apps that need to be able to renew their token
-indefinitely.
-
--> For more details about AppRole, read the [AppRole Pull
-Authentication](/guides/identity/authentication.html) guide.
-
-To create AppRole periodic tokens, create your AppRole role with
-`period` specified.
-
-**Example:**
-
-```plaintext
-$ vault write auth/approle/role/jenkins policies="jenkins" period="72h"
-```
-
-Or
-
-```shell
-# Sample request payload
-$ tee payload.json <<EOF
-{
-  "allowed_policies": [
-		"jenkins"
-	],
-  "period": "72h"  
-}
-EOF
-
-# Create a role named 'jenkins'
-$ curl --header "X-Vault-Token:..." --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/auth/approle/role/jenkins
-```
-
-
-
-### <a name="step5"></a>Step 5: Orphan tokens
-
-Orphan tokens are **not** children of their parent; therefore, orphan tokens do
-not expire when their parent does.
-
-**NOTE:** Orphan tokens still expire when their own max TTL is reached.
-
-#### CLI command
-
-The following CLI command requires **root** token or **sudo** capability on the
-`auth/token/create` path.
-
-```shell
-$ vault token create -orphan
-```
-
-#### API call using cURL
-
-To create an orphan token, use the **`auth/token/create-orphan`** endpoint:
-
-```shell
-$ curl --header "X-Vault-Token:..." --request POST \
-       http://127.0.0.1:8200/v1/auth/token/create-orphan | jq
-```
-
-Also, you can create an orphan token using the **`auth/token/create`** endpoint with
-`no-parent` parameter set to true.
-
-```shell
-$ curl --header "X-Vault-Token:..." --request POST \
-       --data '{ "no_parent": true }' \
-       http://127.0.0.1:8200/v1/auth/token/create | jq
-```
-
-!> **NOTE:** The **`auth/token/create`** endpoint requires **root** token or
-**sudo** capability to create an orphan token while
-**`auth/token/create-orphan`** endpoint does not.
-
-### <a name="step6"></a>Step 6: Revoke tokens and leases
-
-Revoking a token and all its children.
-
-#### CLI command
-
-To revoke a specific token:
-
-```shell
-$ vault token revoke <TOKEN>
-```
-
-To revoke all leases under a specific path:
-
-```shell
-$ vault lease revoke -prefix <PATH>
-```
-
-**Example:**
-
-```shell
-# Revoke a specific token
-$ vault token revoke eeaf890e-4b0f-a687-4190-c75b1d6d70bc
-
-# Revoke all leases for database auth method
-$ vault lease revoke -prefix database/creds
-
-# Revoke all tokens
-$ vault lease revoke -prefix auth/token/create
-
-# Revoke all tokens by accessor
-$ vault token revoke -accessor 2b2b5b83-7f22-fecd-03f0-4e25bf64da11
-```
-
-#### API call using cURL
-
-To revoke a specific token, call `/auth/token/revoke` endpoint.  If you want to revoke tokens/secrets under a specific path, call `/sys/leases/revoke-prefix/<PATH>`.
-
-
-**Example:**
-
-```shell
-# Revoke a specific token
-$ curl --header "X-Vault-Token:..." --request POST \
-       --data '{ "token": "eeaf890e-4b0f-a687-4190-c75b1d6d70bc" }' \
-       http://127.0.0.1:8200/v1/auth/token/revoke
-
-# Revoke all secrets for database auth method
-$ curl --header "X-Vault-Token:..." --request POST \
-       http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/database/creds
-
-# Revoke all tokens
-$ curl --header "X-Vault-Token:..." --request POST \
-       http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/auth/token/create
-
-# Revoke all tokens by accessor
-$ curl --header "X-Vault-Token: ..." --request POST \
-       --data '{ "accessor": "2b2b5b83-7f22-fecd-03f0-4e25bf64da11" }' \
-       http://127.0.0.1:8200/v1/auth/token/revoke-accessor
-```
-
-
-## Advanced Features
-
-It is important to understand lease configuration to avoid having your
-secret leases expire earlier than you expected.
-
-#### 1. Determine the TTLs specific to the mount
-
-```shell
-$ vault secrets list
-
-Path        Type       Accessor            Plugin  Default TTL  Max TTL  Force No Cache  Replication Behavior  Seal Wrap  Description
-cubbyhole/  cubbyhole  cubbyhole_36021b8e  n/a     n/a          n/a      false           local                 false      per-token private secret storage
-database/   database   database_e21b9b4f   n/a     system       system   false           replicated            false
-identity/   identity   identity_035fe03b   n/a     n/a          n/a      false           replicated            false      identity store
-pki/        pki        pki_9ae09eb3        n/a     system       system   false           replicated            false
-secret/     kv         kv_2e59ba96         n/a     system       system   false           replicated            false      key/value secret storage
-ssh/        ssh        ssh_ea06b9bb        n/a     system       system   false           replicated            false
-sys/        system     system_f5b5ecac     n/a     n/a          n/a      false           replicated            false      system endpoints used for control, policy and debugging
-transit/    transit    transit_07fc2df9    n/a     system       system   false           replicated            false
-```
-
-Notice the **Default TTL** and **Max TTL** columns.
-
-#### 2. Tune the system TTLs
-
-Override the global defaults by specifying `default_lease_ttl` and
-`max_lease_ttl` to meet your requirements.
-
-**Example:**
-
-The following example assumes that you have a database secret engine configured.
-
-```shell
-$ vault write sys/mounts/database/tune default_lease_ttl="8640"
-```
-
-Or
-
-```shell
-$ curl --header "X-Vault-Token:..." --request POST \
-       --data '{ "max_lease_ttl": 129600}' \
-       http://127.0.0.1:8200/v1/sys/mounts/database/tune
-```
-
-
-
-#### 3. Check the role specific TTLs
-
-Depending on the auth method, there may be more specific TTLs configured (e.g.
-roles, groups, users) as you have done so in [Step 4](#step4).
-
-```shell
-$ vault read auth/token/roles/zabbix
-
-Key                	Value
----                	-----
-allowed_policies   	[default]
-disallowed_policies	[]
-explicit_max_ttl   	0
-name               	zabbix
-orphan             	false
-path_suffix
-period             	86400
-renewable          	true
-```
-
-
-## Next steps
-
-Now that you have learned the lifecycle of tokens and leases, read the [AppRole Pull
-Authentication](/guides/identity/authentication.html) guide to learn how to generate
-tokens for apps or machines.
diff --git a/website/source/guides/identity/policies.html.md b/website/source/guides/identity/policies.html.md
deleted file mode 100644
index 9a20aae6817a..000000000000
--- a/website/source/guides/identity/policies.html.md
+++ /dev/null
@@ -1,659 +0,0 @@
----
-layout: "guides"
-page_title: "Policies - Guides"
-sidebar_title: "Policies"
-sidebar_current: "guides-identity-policies"
-description: |-
-  Policies in Vault control what a user can access.
----
-
-# Policies
-
-In Vault, we use policies to govern the behavior of clients and instrument
-Role-Based Access Control (RBAC) by specifying access privileges
-(_authorization_).
-
-When you first initialize Vault, the
-[**`root`**](/docs/concepts/policies.html#root-policy) policy gets created by
-default. The `root` policy is a special policy that gives superuser access to
-_everything_ in Vault. This allows the superuser to set up initial policies,
-tokens, etc.
-
-In addition, another built-in policy,
-[**`default`**](/docs/concepts/policies.html#default-policy), is created. The
-`default` policy is attached to all tokens and provides common permissions.
-
-Everything in Vault is path based, and admins write policies to grant or forbid
-access to certain paths and operations in Vault. Vault operates on a **secure by
-default** standard, and as such, an empty policy grants **no permissions** in the
-system.
-
-
-### HashiCorp Configuration Language (HCL)
-
-Policies written in [HCL](https://github.com/hashicorp/hcl) format are often
-referred as **_ACL Policies_**. [Sentinel](https://www.hashicorp.com/sentinel) is
-another framework for policy which is available in [Vault
-Enterprise](/docs/enterprise/index.html).  Since Sentinel is an enterprise-only
-feature, this guide focuses on writing ACL policies as a foundation.
-
-**NOTE:** HCL is JSON compatible; therefore, JSON can be used as completely
-valid input.
-
-## Reference Material
-
-- [Policies](/docs/concepts/policies.html#default-policy) documentation
-- [Policy API](/api/system/policy.html) documentation
-- [Getting Started guide](/intro/getting-started/policies.html) on policies
-
-~> **NOTE:** An [interactive
-tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policies) is
-also available if you do not have a Vault environment to perform the steps
-described in this guide.
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Personas
-
-The scenario described in this guide introduces the following personas:
-
-- **`root`** sets up initial policies for `admin`
-- **`admin`** is empowered with managing a Vault infrastructure for a team or
-organizations
-- **`provisioner`** configures secret engines and creates policies for
-client apps
-
-
-## Challenge
-
-Since Vault centrally secures, stores, and controls access to secrets across
-distributed infrastructure and applications, it is critical to control
-permissions before any user or machine can gain access.
-
-
-## Solution
-
-Restrict the use of root policy, and write fine-grained policies to practice
-**least privileged**. For example, if an app gets AWS credentials from Vault,
-write policy grants to `read` from AWS secret engine but not to `delete`, etc.
-
-Policies are attached to tokens and roles to enforce client permissions on
-Vault.
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-### Policy requirements
-
-Since this guide demonstrates the creation of an **`admin`** policy, log in with
-**`root`** token if possible. Otherwise, make sure that you have the following
-permissions:
-
-```shell
-# Manage auth methods broadly across Vault
-path "auth/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Create, update, and delete auth methods
-path "sys/auth/*"
-{
-  capabilities = ["create", "update", "delete", "sudo"]
-}
-
-# List auth methods
-path "sys/auth"
-{
-  capabilities = ["read"]
-}
-
-# Create and manage ACL policies via CLI
-path "sys/policy/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Create and manage ACL policies via API
-path "sys/policies/acl/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# To list policies - Step 3
-path "sys/policy"
-{
-  capabilities = ["read"]
-}
-
-# To perform Step 4
-path "sys/capabilities"
-{
-  capabilities = ["create", "update"]
-}
-
-# To perform Step 4
-path "sys/capabilities-self"
-{
-  capabilities = ["create", "update"]
-}
-
-# List, create, update, and delete key/value secrets
-path "secret/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage secret engines broadly across Vault
-path "sys/mounts/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# List existing secret engines
-path "sys/mounts"
-{
-  capabilities = ["read"]
-}
-
-# Read health checks
-path "sys/health"
-{
-  capabilities = ["read", "sudo"]
-}
-```
-
-
-## Steps
-
-The basic workflow of creating policies is:
-
-![Policy Creation Workflow](/img/vault-policy-authoring-workflow.png)
-
-This guide demonstrates basic policy authoring and management tasks.
-
-1. [Write ACL policies in HCL format](#step1)
-1. [Create policies](#step2)
-1. [View existing policies](#step3)
-1. [Check capabilities of a token](#step4)
-
-
-### <a name="step1"></a>Step 1: Write ACL policies in HCL format
-
-Remember, an empty policy grants **no permission** in the system. Therefore, ACL
-policies are defined for each path.
-
-```shell
-path "<PATH>" {
-  capabilities = [ "<LIST_OF_CAPABILITIES>" ]
-}
-```
-
--> The path can have a wildcard ("`*`") at the end to allow for
-namespacing. For example, "`secret/training_*`" grants permissions on any
-path starting with "`secret/training_`" (e.g. `secret/training_vault`).
-
-Define one or more [capabilities](/docs/concepts/policies.html#capabilities) on each path to control operations that are
-permitted.
-
-| Capability      | Associated HTTP verbs  |
-| --------------- |------------------------|
-| create          | POST/PUT               |
-| read            | GET                    |
-| update          | POST/PUT               |
-| delete          | DELETE                 |
-| list            | LIST
-
-
-#### Policy requirements
-
-The first step in creating policies is to **gather policy requirements**.
-
-**Example:**
-
-**`admin`** is a type of user empowered with managing a Vault infrastructure for
-a team or organizations. Empowered with sudo, the Administrator is focused on
-configuring and maintaining the health of Vault cluster(s) as well as
-providing bespoke support to Vault users.
-
-`admin` must be able to:
-
-- Enable and manage auth methods broadly across Vault
-- Manage the key/value secret engines at `secret/` path
-- Create and manage ACL policies broadly across Vault
-- Read system health check
-
-**`provisioner`** is a type of user or service that will be used by an automated
-tool (e.g. Terraform) to provision and configure a namespace within a Vault
-secret engine for a new Vault user to access and write secrets.
-
-`provisioner` must be able to:
-
-- Enable and manage auth methods
-- Manage the key/value secret engines at `secret/` path
-- Create and manage ACL policies
-
-
-Now, you are ready to author policies to fulfill these requirements.
-
-#### Example policy for admin
-
-`admin-policy.hcl`
-
-```shell
-# Manage auth methods broadly across Vault
-path "auth/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Create, update, and delete auth methods
-path "sys/auth/*"
-{
-  capabilities = ["create", "update", "delete", "sudo"]
-}
-
-# List auth methods
-path "sys/auth"
-{
-  capabilities = ["read"]
-}
-
-# List existing policies via CLI
-path "sys/policy"
-{
-  capabilities = ["read"]
-}
-
-# Create and manage ACL policies via CLI
-path "sys/policy/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Create and manage ACL policies via API
-path "sys/policies/acl/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# List, create, update, and delete key/value secrets
-path "secret/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage secret engines broadly across Vault
-path "sys/mounts/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# List existing secret engines
-path "sys/mounts"
-{
-  capabilities = ["read"]
-}
-
-# Read health checks
-path "sys/health"
-{
-  capabilities = ["read", "sudo"]
-}
-```
-
-#### Example policy for provisioner
-
-`provisioner-policy.hcl`
-
-```shell
-# Manage auth methods broadly across Vault
-path "auth/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Create, update, and delete auth methods
-path "sys/auth/*"
-{
-  capabilities = ["create", "update", "delete", "sudo"]
-}
-
-# List auth methods
-path "sys/auth"
-{
-  capabilities = ["read"]
-}
-
-# List existing policies via CLI
-path "sys/policy"
-{
-  capabilities = ["read"]
-}
-
-# Create and manage ACL policies via CLI
-path "sys/policy/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Create and manage ACL policies via API
-path "sys/policies/acl/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# List, create, update, and delete key/value secrets
-path "secret/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-```
-
-### <a name="step2"></a>Step 2: Create policies
-
-Now, create `admin` and `provisioner` policies in Vault.
-
-#### CLI command
-
-To create policies:
-
-```shell
-$ vault policy write <POLICY_NAME> <POLICY_FILE>
-```
-
-**Example:**
-
-```shell
-# Create admin policy
-$ vault policy write admin admin-policy.hcl
-
-# Create provisioner policy
-$ vault policy write provisioner provisioner-policy.hcl
-```
-
-**NOTE:** To update an existing policy, simply re-run the same command by
-passing your modified policy (`*.hcl`).
-
-#### API call using cURL
-
-To create a policy, use the
-[`sys/policies/acl`](/api/system/policies.html#create-update-acl-policy)
-endpoint:
-
-```shell
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request PUT \
-       --data <PAYLOAD> \
-       <VAULT_ADDRESS>/v1/sys/policies/acl/<POLICY_NAME>
-```
-
-Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
-stringified policy.
-
--> **NOTE:** To create ACL policies, you can use the
-[`sys/policy`](/api/system/policy.html) endpoint as well.
-
-**Example:**
-
-```shell
-# Create the API request payload. Use stringified policy expression.
-$ tee admin-payload.json <<EOF
-{
-  "policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete auth methods\npath \"sys/auth/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"sudo\"]\n}\n\n# List auth methods\npath \"sys/auth\"\n{\n  capabilities = [\"read\"]\n}\n\n# List existing policies\npath \"sys/policies\"\n{\n  capabilities = [\"read\"]\n}\n\n# Create and manage ACL policies broadly across Vault\npath \"sys/policies/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete key/value secrets\npath \"secret/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# Manage and manage secret engines broadly across Vault.\npath \"sys/mounts/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List existing secret engines.\npath \"sys/mounts\"\n{\n  capabilities = [\"read\"]\n}\n\n# Read health checks\npath \"sys/health\"\n{\n  capabilities = [\"read\", \"sudo\"]\n}"
-}
-EOF
-
-# Create admin policy
-$ curl --header "X-Vault-Token: ..." \
-       --request PUT \
-       --data @admin-payload.json \
-       http://127.0.0.1:8200/v1/sys/policies/acl/admin
-
-# Create the API requset payload for creating provisioner policy
-$ tee provisioner-payload.json <<EOF
-{
-  "policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete auth methods\npath \"sys/auth/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"sudo\"]\n}\n\n# List existing policies\npath \"sys/policy\"\n{\n  capabilities = [\"read\"]\n}\n\n# Create and manage ACL policies\npath \"sys/policy/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\n\n# List, create, update, and delete key/value secrets\npath \"secret/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}"
-}
-EOF
-
-# Create provisioner policy
-$ curl --header "X-Vault-Token: ..." \
-       --request PUT \
-       --data @provisioner-payload.json \
-       http://127.0.0.1:8200/v1/sys/policies/acl/provisioner
-```
-
-**NOTE:** To update an existing policy, simply re-run the same command by
-passing your modified policy in the request payload (`*.json`).
-
-
-### <a name="step3"></a>Step 3: View existing policies
-
-Make sure that you see the policies you created in [Step 2](#step2).
-
-#### CLI command
-
-The following command lists existing policies:
-
-```shell
-$ vault policy list
-```
-
-To view a specific policy:
-
-```shell
-$ vault policy read <POLICY_NAME>
-```
-
-**Example:**
-
-```shell
-# Read admin policy
-$ vault policy read admin
-
-# Mount and manage auth methods broadly across Vault
-path "auth/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-path "sys/auth/*"
-{
-  capabilities = ["create", "read", "update", "delete", "sudo"]
-}
-
-# Create and manage ACL policies broadly across Vault
-path "sys/policy/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-...
-```
-
-#### API call using cURL
-
-To list existing ACL policies, use the `sys/policies/acl` endpoint.
-
-```shell
-$ curl --request LIST --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policies/acl | jq
-```
-
-To read a specific policy, the endpoint path should be
-`sys/policies/acl/<POLICY_NAME>`.
-
--> **NOTE:** To read existing ACL policies, you can use the `sys/policy`
-endpoint as well.
-
-**Example:**
-
-```shell
-# Read the admin policy
-$ curl --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policies/acl/admin | jq
-{
-  "request_id": "3f826e5c-70a0-2998-8082-fe34c67c59d1",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "name": "admin",
-    "policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n  capabilities = [\"create\", \"read\" ...
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-### <a name="step4"></a>Step 4: Check capabilities of a token
-
-This step shows how to print out the permitted capabilities of a token on a
-path. This can help verifying what operations are granted based on the policies
-attached to the token.
-
-#### CLI command
-
-The command is:
-
-```shell
-$ vault token capabilities <TOKEN> <PATH>
-```
-
-**Example:**
-
-First, create a token attached to `admin` policy.
-
-```shell
-$ vault token create -policy="admin"
-Key                  Value
----                  -----
-token                2sHGlAHNj36LpqQ2Zevl2Owi
-token_accessor       4G4UIsQOMwifg7vMLqf6QIc3
-token_duration       768h
-token_renewable      true
-token_policies       ["admin" "default"]
-identity_policies    []
-policies             ["admin" "default"]
-```
-
-Now, fetch the capabilities of this token on the `sys/auth/approle` path.
-
-```plaintext
-$ vault token capabilities 2sHGlAHNj36LpqQ2Zevl2Owi sys/auth/approle
-create, delete, read, sudo, update
-```
-
-The result should match the policy rule you wrote on the `sys/auth/*` path. You
-can repeat the steps to generate a token for `provisioner` and check its
-capabilities on paths.
-
-In the absence of a token, it returns the capabilities of the current token
-invoking this command.
-
-```shell
-$ vault token capabilities sys/auth/approle
-root
-```
-
-#### API call using cURL
-
-Use the `sys/capabilities` endpoint.
-
-**Example:**
-
-First, create a token attached to the `admin` policy:
-
-```shell
-$ curl --request POST --header "X-Vault-Token: ..." --data '{ "policies":"admin" }' \
-       http://127.0.0.1:8200/v1/auth/token/create
-{
-   "request_id": "bd9b3216-f7e6-610c-4861-38b9112a1821",
-   "lease_id": "",
-   "renewable": false,
-   "lease_duration": 0,
-   "data": null,
-   "wrap_info": null,
-   "warnings": null,
-   "auth": {
-     "client_token": "3xlduc1vGMD7vKeGLyONAxdS",
-     "accessor": "FOoNv0YJSCqtPVCpW03qVeKd",
-     "policies": [
-       "admin",
-       "default"
-     ],
-     "token_policies": [
-       "admin",
-       "default"
-     ],
-     "metadata": null,
-     "lease_duration": 2764800,
-     "renewable": true,
-     "entity_id": ""
-   }
-}
-```
-
-Now, fetch the capabilities of this token on the `sys/auth/approle` path.
-
-```shell
-# Request payload
-$ tee payload.json <<EOF
-{
-  "token": "3xlduc1vGMD7vKeGLyONAxdS",
-  "path": "sys/auth/approle"
-}
-EOF
-
-$ curl --request POST --header "X-Vault-Token: ..." \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/sys/capabilities | jq
-{
-  "sys/auth/approle": [
-    "create",
-    "delete",
-    "read",
-    "sudo",
-    "update"
-  ],
-  "capabilities": [
-    "create",
-    "delete",
-    "read",
-    "sudo",
-    "update"
-  ],
-  ...
-}
-```
-
-The result should match the policy rule you wrote on the `sys/auth/*` path. You can
-repeat the steps to generate a token for `provisioner` and check its
-capabilities on paths.
-
-To check the current token's capabilities permitted on a path, use
-the `sys/capabilities-self` endpoint.
-
-```plaintext
-$ curl --request POST --header "X-Vault-Token: ..." \
-       --data '{"path":"sys/auth/approle"}' \
-       http://127.0.0.1:8200/v1/sys/capabilities-self
-```
-
-
-## Next steps
-
-In this guide, you learned how to write policies based on given policy
-requirements. Next, the [AppRole Pull Authentication](/guides/identity/authentication.html)
-guide demonstrates how to associate policies to a role.
-
-To learn about Sentinel policies, refer to the [Sentinel
-Policies](/guides/identity/sentinel.html) guide.
diff --git a/website/source/guides/identity/policy-templating.html.md b/website/source/guides/identity/policy-templating.html.md
deleted file mode 100644
index 8ab5e4e4b036..000000000000
--- a/website/source/guides/identity/policy-templating.html.md
+++ /dev/null
@@ -1,622 +0,0 @@
----
-layout: "guides"
-page_title: "ACL Policy Path Templating - Guides"
-sidebar_current: "guides-identity-policy-templating"
-description: |-
-  As of 0.11, ACL policies support templating to allow non-static policy paths.
----
-
-# ACL Policy Path Templating
-
-Vault operates on a **secure by default** standard, and as such, an empty policy
-grants **no permissions** in the system. Therefore, policies must be created to
-govern the behavior of clients and instrument Role-Based Access Control (RBAC)
-by specifying access privileges (_authorization_).
-
-Since everything in Vault is path based, policy authors must be aware of
-all existing paths as well as paths to be created.
-
-The [Policies](/guides/identity/policies.html) guide walks you through the
-creation of ACL policies in Vault.
-
--> This guide highlights the use of ACL templating which was introduced in
-**Vault 0.11**.
-
-## Reference Material
-
-- [Templated Policies](/docs/concepts/policies.html#templated-policies)
-- [Policy API](/api/system/policy.html)
-- [Identity: Entities and Groups](/guides/identity/identity.html)
-- [Streamline Secrets Management with Vault Agent and Vault 0.11](https://youtu.be/zDnIqSB4tyA?t=24m37s)
-
-~> **NOTE:** An [interactive
-tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policy-templating)
-is also available if you do not have a Vault environment to perform the steps
-described in this guide.
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Challenge
-
-The only way to specify non-static paths in ACL policies was to use globs (`*`)
-at the end of paths.
-
-```hcl
-path "transit/keys/*" {
-  capabilities = [ "read" ]
-}
-
-path "secret/webapp_*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-```
-
-This makes many management and delegation tasks challenging. For example,
-allowing a user to change their own password by invoking the
-`auth/userpass/users/<user_name>/password` endpoint can require either a policy
-for _every user_ or requires the use of Sentinel which is a part of [Vault
-Enterprise](/docs/enterprise/sentinel/index.html).
-
-## Solution
-
-As of **Vault 0.11**, ACL templating capability is available to allow a subset
-of user information to be used within ACL policy paths.
-
--> **NOTE:** This feature leverages [Vault
-Identities](/docs/secrets/identity/index.html) to inject values into ACL policy
-paths.
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have an environment
-with **Vault 0.11** or later. Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault.
-
-Alternately, you can use the [Vault
-Playground](https://www.katacoda.com/hashicorp/scenarios/vault-playground)
-environment.
-
-~> This guide assumes that you know how to create ACL policies. If you don't,
-go through the interactive [Policy
-tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policies) or
-[Policies](/guides/identity/policies.html) guide first.
-
-### Policy requirements
-
-Since this guide demonstrates the creation of an `admin` policy, log in with the
-`root` token if possible. Otherwise, refer to the policy requirement in the
-[Policies](/guides/identity/policies.html#policy-requirements) guide.
-
-
-## Steps
-
-Assume that the following policy requirements were given:
-
-- Each _user_ can perform all operations on their allocated key/value secret
- path (`user-kv/data/<user_name>`)
-
-- The education _group_ has a dedicated key/value secret store for each region where
- all operations can be performed by the group members
- (`group-kv/data/education/<region>`)
-
-- The _group_ members can update the group information such as metadata about
- the group (`identity/group/id/<group_id>`)
-
-In this guide, you are going to perform the following steps:
-
-1. [Write templated ACL policies](#step1)
-1. [Deploy your policy](#step2)
-1. [Setup an entity and a group](#step3)
-1. [Test the ACL templating](#step4)
-
-### <a name="step1"></a>Step 1: Write templated ACL policies
-
-Policy authors can pass in a policy path containing double curly braces as
-templating delimiters: `{{<parameter>}}`.
-
-
-#### Available Templating Parameters
-
-|                                    Name                                |                                    Description                               |
-| :--------------------------------------------------------------------- | :--------------------------------------------------------------------------- |
-| `identity.entity.id`                                                   | The entity's ID                                                              |
-| `identity.entity.name`                                                 | The entity's name                                                            |
-| `identity.entity.metadata.<<metadata key>>`                            | Metadata associated with the entity for the given key                        |
-| `identity.entity.aliases.<<mount accessor>>.id`                        | Entity alias ID for the given mount                                          |
-| `identity.entity.aliases.<<mount accessor>>.name`                      | Entity alias name for the given mount                                        |
-| `identity.entity.aliases.<<mount accessor>>.metadata.<<metadata key>>` | Metadata associated with the alias for the given mount and metadata key      |
-| `identity.groups.ids.<<group id>>.name`                                | The group name for the given group ID                                        |
-| `identity.groups.names.<<group name>>.id`                              | The group ID for the given group name                                        |
-| `identity.groups.ids.<<group id>>.metadata.<<metadata key>>`           | Metadata associated with the group for the given key                         |
-| `identity.groups.names.<<group name>>.metadata.<<metadata key>>`       | Metadata associated with the group for the given key                         |
-
-
--> **NOTE:** Identity groups are not directly attached to a token and an entity
-can be associated with multiple groups. Therefore, in order to reference a
-group, the **group ID** or **group name** must be provided (e.g.
-`identity.groups.ids.59f001d5-dd49-6d63-51e4-357c1e7a4d44.name`).
-
-Example:
-
-This policy allows users to change their own password given that the username
-and password are defined in the `userpass` auth method. The mount accessor
-value (`auth_userpass_6671d643` in this example) can be read from the `sys/auth` endpoint.
-
-```hcl
-path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_6671d643.name}}" {
-  capabilities = [ "update" ]
-  allowed_parameters = {
-    "password" = []
-  }
-}
-```
-
-#### Write the following policies:
-
-User template (`user-tmpl.hcl`)
-
-```hcl
-# Grant permissions on user specific path
-path "user-kv/data/{{identity.entity.name}}/*" {
-	capabilities = [ "create", "update", "read", "delete", "list" ]
-}
-
-# For Web UI usage
-path "user-kv/metadata" {
-  capabilities = ["list"]
-}
-```
-
-Group template (`group-tmpl.hcl`)
-
-```hcl
-# Grant permissions on the group specific path
-# The region is specified in the group metadata
-path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
-	capabilities = [ "create", "update", "read", "delete", "list" ]
-}
-
-# Group member can update the group information
-path "identity/group/id/{{identity.groups.names.education.id}}" {
-  capabilities = [ "update", "read" ]
-}
-
-# For Web UI usage
-path "group-kv/metadata" {
-  capabilities = ["list"]
-}
-
-path "identity/group/id" {
-  capabilities = [ "list" ]
-}
-```
-
-
-### <a name="step2"></a>Step 2: Deploy your policy
-
-- [CLI command](#step2-cli)
-- [API call using cURL](#step2-api)
-- [Web UI](#step2-ui)
-
-#### <a name="step2-cli"></a>CLI command
-
-```shell
-# Create the user-tmpl policy
-$ vault policy write user-tmpl user-tmpl.hcl
-
-# Create the group-tmpl policy
-$ vault policy write group-tmpl group-tmpl.hcl
-```
-
-
-#### <a name="step2-api"></a>API call using cURL
-
-To create a policy, use the `/sys/policies/acl` endpoint:
-
-```sh
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request PUT \
-       --data <PAYLOAD> \
-       <VAULT_ADDRESS>/v1/sys/policies/acl/<POLICY_NAME>
-```
-
-Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
-stringified policy.
-
-Example:
-
-```shell
-# API request payload for user-tmpl
-$ tee payload_user.json <<EOF
-{
-  "policy": "path "user-kv/data/{{identity.entity.name}}/*" {\n capabilities = [ "create", "update", "read", "delete", "list" ]\n } ..."
-}
-EOF
-
-# Create user-tmpl policy
-$ curl --header "X-Vault-Token: ..." \
-       --request PUT
-       --data @payload_user.json \
-       http://127.0.0.1:8200/v1/sys/policies/acl/user-tmpl
-
-# API request payload for group-tmpl
-$ tee payload_group.json <<EOF
-{
-   "policy": "path "group-kv/data/{{identity.group.id}}/*" {\n capabilities = [ "create", "update", "read", "delete", "list" ]\n }"
-}
-EOF
-
-# Create group-tmpl policy
-$ curl --header "X-Vault-Token: ..." \
-       --request PUT
-       --data @payload_group.json \
-       http://127.0.0.1:8200/v1/sys/policies/acl/group-tmpl
-```
-
-#### <a name="step2-ui"></a>Web UI
-
-Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
-then login.
-
-1. Click the **Policies** tab, and then select **Create ACL policy**.
-
-1. Toggle **Upload file**, and click **Choose a file** to select the
-   `user-tmpl.hcl` file you wrote at [Step 1](#step1).
-
-    ![Create Policy](/img/vault-ctrl-grp-2.png)
-
-    This loads the policy and sets the **Name** to `user-tmpl`.
-
-1. Click the **Create Policy** button.
-
-1. Repeat the steps to create the `group-tmpl` policy.
-
-
-### <a name="step3"></a>Step 3: Setup an entity and a group
-
-Let's create an entity, **`bob_smith`** with a user **`bob`** as its entity
-alias. Also, create a group, **`education`** and add the **`bob_smith`** entity
-as its group member.
-
-![Entity & Group](/img/vault-acl-templating.png)
-
--> This step only demonstrates CLI commands and Web UI to create
-entities and groups. Refer to the [Identity - Entities and
-Groups](/guides/identity/identity.html) guide if you need the full details.
-
-- [CLI command](#step3-cli)
-- [Web UI](#step3-ui)
-
-#### <a name="step3-cli"></a>CLI command
-
-The following command uses [`jq`](https://stedolan.github.io/jq/download/) tool
-to parse JSON output.
-
-```shell
-# Enable userpass
-$ vault auth enable userpass
-
-# Create a user, bob
-$ vault write auth/userpass/users/bob password="training"
-
-# Retrieve the userpass mount accessor and save it in a file named, accessor.txt
-$ vault auth list -format=json | jq -r '.["userpass/"].accessor' > accessor.txt
-
-# Create bob_smith entity and save the identity ID in the entity_id.txt
-$ vault write -format=json identity/entity name="bob_smith" policies="user-tmpl" \
-        | jq -r ".data.id" > entity_id.txt
-
-# Add an entity alias for the bob_smith entity
-$ vault write identity/entity-alias name="bob" \
-       canonical_id=$(cat entity_id.txt) \
-       mount_accessor=$(cat accessor.txt)
-
-# Finally, create education group and add bob_smith entity as a member
-# Save the generated group ID in the group_id.txt file
-$ vault write -format=json identity/group name="education" \
-      policies="group-tmpl" \
-      metadata=region="us-west" \
-      member_entity_ids=$(cat entity_id.txt)  \
-      | jq -r ".data.id" > group_id.txt
-```
-
-#### <a name="step3-ui"></a>Web UI
-
-1. Click the **Access** tab, and select **Enable new method**.
-
-1. Select **Username & Password** from the **Type** drop-down menu.
-
-1. Click **Enable Method**.
-
-1. Click the Vault CLI shell icon (**`>_`**) to open a command shell. Enter the
-following command to create a new user, **`bob`**.
-
-    ```plaintext
-    $ vault write auth/userpass/users/bob password="training"
-    ```
-    ![Create Policy](/img/vault-ctrl-grp-3.png)
-
-1. Click the icon (**`>_`**) again to hide the shell.
-
-1. From the **Access** tab, select **Entities** and then **Create entity**.
-
-1. Enter **`bob_smith`** in the **Name** field and enter **`user-tmpl`** in the
-**Policies** filed.
-
-1. Click **Create**.
-
-1. Select **Add alias**. Enter **`bob`** in the **Name** field and select
-**`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
-
-1. Select the **`bob_smith`** entity and copy its **ID** displayed under the
-**Details** tab.
-
-1. Click **Groups** from the left navigation, and select **Create group**.
-
-1. Enter **`education`** in the **Name**, and enter **`group-tmpl`** in the
-**Policies** fields. Under **Metadata**, enter **`region`** as a key and
-**`us-west`** as the key value. Enter the `bob_smith` entity ID in the **Member
-Entity IDs** field.
-    ![Group](/img/vault-acl-templating-2.png)
-
-1. Click **Create**.
-
-
-### <a name="step4"></a>Step 4: Test the ACL templating
-
-- [CLI command](#step4-cli)
-- [API call using cURL](#step4-api)
-- [Web UI](#step4-ui)
-
-#### <a name="step4-cli"></a>CLI Command
-
-1. Enable key/value v2 secrets engine at `user-kv` and `group-kv` paths.
-
-    ```plaintext
-    $ vault secrets enable -path=user-kv kv-v2
-
-    $ vault secrets enable -path=group-kv kv-v2
-    ```
-
-1. Log in as **`bob`**.
-
-    ```plaintext
-    $ vault login -method=userpass username="bob" password="training"
-
-    Key                    Value
-    ---                    -----
-    token                  5f2b2594-f0b4-0a7b-6f51-767345091dcc
-    token_accessor         78b652dd-4320-f18f-b882-0732b7ae9ac9
-    token_duration         768h
-    token_renewable        true
-    token_policies         ["default"]
-    identity_policies      ["group-tmpl" "user-tmpl"]
-    policies               ["default" "group-tmpl" "user-tmpl"]
-    token_meta_username    bob
-    ```
-
-1. Remember that `bob` is a member of the `bob_smith` entity; therefore, the
-"`user-kv/data/{{identity.entity.name}}/*`" expression in the `user-tmpl` policy
-translates to "**`user-kv/data/bob_smith/*`**". Let's test!
-
-    ```plaintext
-    $ vault kv put user-kv/bob_smith/apikey webapp="12344567890"
-    Key              Value
-    ---              -----
-    created_time     2018-08-30T18:28:30.845345444Z
-    deletion_time    n/a
-    destroyed        false
-    version          1
-    ```
-
-1. The region was set to `us-west` for the `education` group that the
-`bob_smith` belongs to. Therefore, the
-"`group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*`"
-expression in the `group-tmpl` policy translates to
-"**`group-kv/data/education/us-west/*`**". Let's verify.
-
-    ```plaintext
-    $ vault kv put group-kv/education/us-west/db_cred password="ABCDEFGHIJKLMN"
-    Key              Value
-    ---              -----
-    created_time     2018-08-30T18:29:02.023749491Z
-    deletion_time    n/a
-    destroyed        false
-    version          1
-    ```
-
-1. Verify that you can update the group information. The `group-tmpl` policy
-permits "update" and "read" on the
-"`identity/group/id/{{identity.groups.names.education.id}}`" path. In [Step
-2](#step2), you saved the `education` group ID in the `group_id.txt` file.
-
-    ```plaintext
-    $ vault write identity/group/id/$(cat group_id.txt) \
-            policies="group-tmpl" \
-            metadata=region="us-west" \
-            metadata=contact_email="james@example.com"
-    ```
-
-    Read the group information to verify that the data has been updated.
-
-    ```plaintext
-    $ vault read identity/group/id/$(cat group_id.txt)
-
-    Key                  Value
-    ---                  -----
-    alias                map[]
-    creation_time        2018-08-29T20:38:49.383960564Z
-    id                   d6ee454e-915a-4bef-9e43-4ffd7762cd4c
-    last_update_time     2018-08-29T22:52:42.005544616Z
-    member_entity_ids    [1a272450-d147-c3fd-63ae-f16b65b5ee02]
-    member_group_ids     <nil>
-    metadata             map[contact_email:james@example.com region:us-west]
-    modify_index         3
-    name                 education
-    parent_group_ids     <nil>
-    policies             [group-tmpl]
-    type                 internal
-    ```
-
-#### <a name="step4-api"></a>API call using cURL
-
-1. Enable key/value v2 secrets engine at `user-kv` and `group-kv` paths.
-
-    ```plaintext
-    $ tee payload.json <<EOF
-    {
-      "type": "kv",
-      "options": {
-        "version": "2"
-      }
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload.json \
-           https://127.0.0.1:8200/v1/sys/mounts/user-kv
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload.json \
-           https://127.0.0.1:8200/v1/sys/mounts/group-kv
-    ```
-
-1. Log in as **`bob`**.
-
-    ```plaintext
-    $ curl --request POST \
-           --data '{"password": "training"}' \
-           http://127.0.0.1:8200/v1/auth/userpass/login/bob | jq
-    ```
-
-    Copy the generated **`client_token`** value for `bob`.
-
-1. Remember that `bob` is a member of the `bob_smith` entity; therefore, the
-"`user-kv/data/{{identity.entity.name}}/*`" expression in the `user-tmpl` policy
-translates to "**`user-kv/data/bob_smith/*`**". Let's test!
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: <bob_client_token>" \
-           --request POST \
-           --data '{ "data": {"webapp": "12344567890"} }' \
-           http://127.0.0.1:8200/v1/user-kv/data/bob_smith/apikey
-    ```
-
-1. The region was set to `us-west` for the `education` group that the
-`bob_smith` belongs to. Therefore, the
-"`group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*`"
-expression in the `group-tmpl` policy translates to
-"**`group-kv/data/education/us-west/*`**". Let's verify.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: <bob_client_token>" \
-           --request POST \
-           --data '{ "data": {"password": "ABCDEFGHIJKLMN"} }' \
-           http://127.0.0.1:8200/v1/group-kv/data/education/us-west/db_cred
-    ```
-
-1. Verify that you can update the group information. The `group-tmpl` policy
-permits "update" and "read" on the
-"`identity/group/id/{{identity.groups.names.education.id}}`" path.
-
-    ```plaintext
-    $ tee group_info.json <<EOF
-    {
-      "metadata": {
-        "region": "us-west",
-        "contact_email": "james@example.com"
-      },
-      "policies": "group-tmpl"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: <bob_client_token>" \
-           --request POST \
-           --data @group_info.json \
-           http://127.0.0.1:8200/v1/identity/group/id/<education_group_id>
-    ```
-
-    Where the group ID is the ID returned in [Step 2](#step2). (NOTE: If you performed
-    Step 2 using the CLI commands, the group ID is stored in the `group_id.txt`
-    file. If you performed the tasks via Web UI, copy the `education` group ID
-    from UI.)
-
-    Read the group information to verify that the data has been updated.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: <bob_client_token>" \
-           http://127.0.0.1:8200/v1/identity/group/id/<education_group_id>
-    ```
-
-
-#### <a name="step4-ui"></a>Web UI
-
-1. In **Secrets** tab, select **Enable new engine**.
-
-1. Select the radio-button for **KV**, and then click **Next**.
-
-1. Enter **`user-kv`** in the path field, and then select **2** for KV
-version.
-
-1. Click **Enable Engine**.
-
-1. Return to **Secrets** and then select **Enable new engine** again.
-
-1. Select the radio-button for **KV**, and then click **Next**.
-
-1. Enter **`group-kv`** in the path field, and then select **2** for KV
-version.
-
-1. Click **Enable Engine**.
-
-1. Now, sign out as the current user so that you can log in as `bob`. ![Sign
-off](/img/vault-acl-templating-3.png)
-
-1. In the Vault sign in page, select **Username** and then enter **`bob`** in
-the **Username** field, and **`training`** in the **Password** field.
-
-1. Click **Sign in**.
-
-1. Remember that `bob` is a member of the `bob_smith` entity; therefore, the
-"`user-kv/data/{{identity.entity.name}}/*`" expression in the `user-tmpl` policy
-translates to "**`user-kv/data/bob_smith/*`**". Select **`user-kv`** secrets
-engine, and then select **Create secret**.
-
-1. Enter **`bob_smith/apikey`** in the **PATH FOR THIS SECRET** field,
-**`webapp`** in the key field, and **`12344567890`** in its value field.
-
-1. Click **Save**. You should be able to perform this successfully.
-
-1. The region was set to `us-west` for the `education` group that the
-`bob_smith` belongs to. Therefore, the
-"`group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*`"
-expression in the `group-tmpl` policy translates to
-"**`group-kv/data/education/us-west/*`**".  From the **Secrets** tab, select
-**`group-kv`** secrets engine, and then select **Create secret**.
-
-1. Enter **`education/us-west/db_cred`** in the **PATH FOR THIS SECRET** field.
-Enter **`password`** in the key field, and **`ABCDEFGHIJKLMN`** in its value
-field.
-
-1. Click **Save**. You should be able to perform this successfully.
-
-1. To verify that you can update the group information which is allowed by the
-"`identity/group/id/{{identity.groups.names.education.id}}`" expression in the
-`group-tmpl` policy, select the **Access** tab.
-
-1. Select **Groups**, and then **`education`**.
-
-1. Select **Edit group**. Add a new metadata where the key is
-**`contact_email`** and its value is **`james@example.com`**.
-
-1. Click **Save**. The group metadata should be successfully updated.
-
-
-## Next steps
-
-To learn about Sentinel policies to implement finer-grained policies, refer to
-the [Sentinel Policies](/guides/identity/sentinel.html) guide.
diff --git a/website/source/guides/identity/secure-intro.html.md b/website/source/guides/identity/secure-intro.html.md
deleted file mode 100644
index 60904d0831c1..000000000000
--- a/website/source/guides/identity/secure-intro.html.md
+++ /dev/null
@@ -1,186 +0,0 @@
----
-layout: "guides"
-page_title: "Secure Introduction of Vault Clients - Guides"
-sidebar_title: "Secure Introduction of Vault Clients"
-sidebar_current: "guides-identity-secure-intro"
-description: |-
-  This introductory guide walk through the mechanism of Vault clients to
-  authenticate with Vault. There are two approaches at a high-level: platform
-  integration, and trusted orchestrator.
----
-
-# Secure Introduction of Vault Clients
-
-A _secret_ is something that will elevate the risk if exposed to unauthorized
-entities and results in undesired consequences (e.g. unauthorized data access);
-therefore, only the ***trusted entities*** should have an access to your
-secrets.
-
-If you can securely get the first secret from an originator to a consumer, all
-subsequent secrets transmitted between this originator and consumer can be
-authenticated with the trust established by the successful distribution and user
-of that first secret. Getting the first secret to the consumer, is the ***secure
-introduction*** challenge.
-
-![Secure Introduction](/img/vault-secure-intro-1.png)
-
-The Vault authentication process verifies the secret consumer's identity and
-then generate a **token** to associate with that identity.
-[Tokens](/docs/concepts/tokens.html) are the core method for authentication
-within Vault which means that the secret consumer must first acquire a valid
-token.
-
-
-## Challenge
-
-How does a secret consumer (an application or machine) prove that it is the
-legitimate recipient for a secret so that it can acquire a token?
-
-How can you avoid persisting raw token values during our secure
-introduction?  
-
-## Secure Introduction Approach
-
-Vault's auth methods perform authentication of its client and assigning a set of
-policies which defines the permitted operations for the client.
-
-![Auth Method](/img/vault-auth-method.png)
-
-There are three basic approaches to securely authenticate a secret consumer:
-
-- [Platform Integration](#platform-integration)
-- [Trusted Orchestrator](#trusted-orchestrator)
-- [Vault Agent](#vault-agent)
-
-
-## Platform Integration
-
-In the **Platform Integration** model, Vault trusts the underlying platform
-(e.g. AliCloud, AWS, Azure, GCP) which assigns a token or cryptographic identity
-(such as IAM token, signed JWT) to virtual machine, container, or serverless
-function.
-
-Vault uses the provided identifier to verify the identity of the client by
-interacting with the underlying platform. After the client identity is verified,
-Vault returns a token to the client that is bound to their identity and policies
-that grant access to secrets.
-
-![Platform Integration](/img/vault-secure-intro-2.png)
-
-For example, suppose we have an application running on a virtual machine in AWS
-EC2. When that instance is started, an IAM token is provided via the machine
-local metadata URL. That IAM token is provided to Vault, as part of the AWS Auth
-Method, to login and authenticate the client. Vault uses that token to query the
-AWS API and verify the token validity and fetch additional metadata about the
-instance (Account ID, VPC ID, AMI, Region, etc). These properties are used to
-determine the identity of the client and to distinguish between different roles
-(e.g. a Web server versus an API server).
-
-Once validated and assigned to a role, Vault generates a token that is
-appropriately scoped and returns it to the client. All future requests from the
-client are made with the associated token, allowing Vault to efficiently
-authenticate the client and check for proper authorizations when consuming
-secrets.
-
-![Vault AWS EC2 Authentication Flow](/img/vault-aws-ec2-auth-flow.png)
-
-
-### Use Case
-
-When the client app is running on a VM hosted on a supported cloud platform, you
-can leverage the corresponding auth method to authenticate with Vault.
-
-### Reference Materials:
-
-- [AWS Auth Method](/docs/auth/aws.html)
-- [Azure Auth Method](/docs/auth/azure.html)
-- [GCP Auth Method](/docs/auth/gcp.html)
-
-
-## Trusted Orchestrator
-
-In the **Trusted Orchestrator** model, you have an _orchestrator_ which is
-already authenticated against Vault with privileged permissions. The
-orchestrator launches new applications and inject a mechanism they can use to
-authenticate (e.g. AppRole, PKI cert, token, etc) with Vault.
-
-![Trusted Orchestrator](/img/vault-secure-intro-3.png)
-
-For example, suppose [Terraform](https://www.terraform.io/) is being used as a
-trusted orchestrator. This means Terraform already has a Vault token, with
-enough capabilities to generate new tokens or create new mechanisms to
-authenticate such as an AppRole. Terraform can interact with platforms such as
-VMware to provision new virtual machines. VMware does not provide a
-cryptographic identity, so a platform integration isn't possible. Instead,
-Terraform can provision a new AppRole credential, and SSH into the new machine
-to inject the credentials. Terraform is creating the new credential in Vault,
-and making that credential available to the new resource. In this way, Terraform
-is acting as a trusted orchestrator and extending trust to the new machine. The
-new machine, or application running on it, can use the injected credentials to
-authenticate against Vault.
-
-![AppRole auth method workflow](/img/vault-secure-intro-4.png)
-
-
-### Use Case
-
-When you are using an orchestrator tool such as Chef to launch applications,
-this model can be applied regardless of where the applications are running.
-
-### Reference Materials:
-
-- [AppRole Auth Method](/docs/auth/approle.html)
-  - [AppRole Pull Authentication](/guides/identity/authentication.html)
-  - [AppRole with Terraform and Chef Demo](/guides/identity/approle-trusted-entities.html)
-- [TLS Certificates Auth Method](/docs/auth/cert.html)
-- [Token Auth Method](/docs/auth/token.html)
-  - [Cubbyhole Response Wrapping](/guides/secret-mgmt/cubbyhole.html)
-
-
-## Vault Agent
-
-Vault agent is a client daemon which automates the workflow of client login and
-token refresh. It can be used with either [platform
-integration](#platform-integration) or [trusted
-orchestrator](#trusted-orchestrator) approaches.
-
-#### Vault agent auto-auth:
-
-- Automatically authenticates to Vault for those [supported auth
-methods](/docs/agent/autoauth/methods/index.html)
-- Keeps token renewed (re-authenticates as needed) until the renewal is no
-longer allowed
-- Designed with robustness and fault tolerance
-
-![Vault Agent](/img/vault-secure-intro-5.png)
-
-To leverage this feature, run the vault binary in agent mode (`vault agent
--config=<config_file>`) on the client. The agent configuration file must specify
-the auth method and [sink](/docs/agent/autoauth/sinks/index.html) locations
-where the token to be written.
-
-When the agent is started, it will attempt to acquire a Vault token using the
-auth method specified in the agent configuration file.  On successful
-authentication, the resulting token is written to the sink locations.
-Optionally, this token can be response-wrapped or encrypted. Whenever the
-current token value changes, the agent writes to the sinks. If authentication
-fails, the agent waits for a while and then retry.
-
-The client can simply retrieve the token from the sink and connect to Vault
-using the token. This simplifies client integration since the Vault agent
-handles the login and token refresh logic.
-
-### Reference Materials:
-
-- [Streamline Secrets Management with Vault Agent and Vault 0.11](https://youtu.be/zDnIqSB4tyA)
-- [Vault Agent documentation](/docs/agent/index.html)
-- [Auto-Auth documentation](/docs/agent/autoauth/index.html)
-
-
-## Next steps
-
-When a [platform integration](#platform-integration) is available that should be
-preferred, as it is generally the simpler solution and works independent of the
-orchestration mechanism. For a [trusted orchestrator](#trusted-orchestrator),
-specific documentation for that orchestrator should be consulted on Vault
-integration.
diff --git a/website/source/guides/identity/sentinel.html.md b/website/source/guides/identity/sentinel.html.md
deleted file mode 100644
index f358b5659686..000000000000
--- a/website/source/guides/identity/sentinel.html.md
+++ /dev/null
@@ -1,612 +0,0 @@
----
-layout: "guides"
-page_title: "Sentinel - Guides"
-sidebar_title: "Sentinel Policies"
-sidebar_current: "guides-identity-sentinel"
-description: |-
-  Vault Enterprise supports Sentinel to provide a rich set of access control
-  functionality. This guide walks through the creation and usage of role
-  governing policies (RGPs) and endpoint governing policies (EGPs).
----
-
-# Sentinel Policies
-
-~> **Enterprise Only:** Sentinel is a part of _Vault Enterprise Premium_.
-
-_Sentinel_ is a language framework for policy build to be embedded in Vault
-Enterprise to enable fine-grained, logic-based policy decisions which cannot be
-fully handled by the ACL policies.
-
-**Role Governing Policies (RGPs)** and **Endpoint Governing
-Policies (EGPs)** can be defined using Sentinel:
-
-- RGPs are tied to particular tokens, identity entities, or identity groups
-- EGPs are tied to particular paths (e.g. `aws/creds/`)
-
-> This guide walks you through the authoring of Sentinel policies in Vault.  For
-ACL policy authoring, refer to the [Policies](/guides/identity/policies.html)
-guide.
-
-
-## Reference Material
-
-- [Sentinel Getting Started Guide](https://docs.hashicorp.com/sentinel/intro/getting-started/first-policy)
-- [Sentinel](https://docs.hashicorp.com/sentinel/) documentation
-- [Vault Sentinel](/docs/enterprise/sentinel/index.html) documentation
-- [Security and Fundamentals at Scale with Vault](https://www.youtube.com/watch?time_continue=121&v=yiPbKICFkvQ)
-- [Identity - Entities and Groups](/guides/identity/identity.html) guide
-
-
-## Estimated Time to Complete
-
-5 - 10 minutes
-
-
-## Challenge
-
-ACL policies are ***path-based*** that it has the following challenges:
-
-- Cannot grant permissions based on logics other than paths
-- Paths are merged in ACL policies which could potentially cause a conflict as
-the number of policies grows
-
-What if the policy requirement was to grant read permission on `secret/orders`
-path ***only if*** the request came from an IP address within a certain CIDR?
-
-
-## Solution
-
-Use Sentinel policies (RGPs and/or EGPs) to fulfill more complex policy
-requirements.
-
-Sentinel can access properties of the incoming requests and make a decision
-based on a certain set of conditions. Available properties include:
-
-- **request** - Information about the request itself (path, operation type,
- parameters, etc.)
-- **token** - Information about the token being used (creation time, attached
-  policies, etc.)
-- **identity** - Identity entities and all related data
-- **mfa** - Information about successful MFA validations
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a ***Vault
-Enterprise*** environment.  
-
-### Policy requirements
-
-Since this guide demonstrates the creation of policies, log in with highly
-privileged token such as **`root`**. Required permissions are:
-
-```shell
-# To list policies
-path "sys/policies/*"
-{
-  capabilities = ["list"]
-}
-
-# Create and manage EGPs
-path "sys/policies/egp/*"
-{
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-```
-
-
-## Steps
-
-This guide demonstrates basic Sentinel policy authoring and management tasks.
-
-1. [Write Sentinel Policies](#step1)
-1. [Test the Sentinel Policies](#step2)
-1. [Deploy your EGP policies](#step3)
-1. [Delete Sentinel Policies](#step4)
-
-
-### <a name="step1"></a>Step 1: Write Sentinel Policies
-
-#### Anatomy of Sentinel Policies
-
-```hcl
-import "<library>"
-
-<variable> = <value>
-
-main = rule {
-     <conditions_to_evaluate>
-}
-```
-
-- **`import`** - Enables your policy to access reusable libraries. There are a
-set of built-in [imports](https://docs.hashicorp.com/sentinel/imports/)
-available to help define your policy rules.
-
-- **`main`** (required) - Every Sentinel policy must have a **`main`** rule
-which is evaluated to determine the result of a policy.
-
-- **`rule`** - A first-class construct in Sentinel. It describes a set of
-conditions resulting in either true or false. (NOTE: Refer to the [Boolean
-Expressions](https://docs.hashicorp.com/sentinel/language/boolexpr) for the full
-list of available operators in writing rules.)
-
-- **`<variable>`** - Variables are dynamically typed in Sentinel. You can define
-its value explicitly or implicitly by the host system or [function](https://docs.hashicorp.com/sentinel/language/functions).
-
-~> **NOTE:** The Sentinel language supports many features such as functions,
-loops, slices, etc. You can learn about all of this in the [complete language
-guide](https://docs.hashicorp.com/sentinel/language/).
-
-#### Policy requirements
-
-In this guide, you are going to write Sentinel policies that fulfill the
-following requirements:
-
-1. Any incoming request against the "`secret/accounting/*`" to be performed
-during the business hours (7:00 am to 6:00 pm during the work days).
-
-1. Any `create`, `update` and `delete` operations against Key/Value secret
-engine (mounted at "`secret`") **must** come from an internal IP of
-`122.22.3.4/32` CIDR.
-
-
-#### Sentinel Policies
-
-Requirement #1: **`business-hrs.sentinel`**
-
-```shell
-import "time"
-
-# Expect requests to only happen during work days (Monday through Friday)
-# 0 for Sunday and 6 for Saturday
-workdays = rule {
-    time.now.weekday > 0 and time.now.weekday < 6
-}
-
-# Expect requests to only happen during work hours (7:00 am - 6:00 pm)
-workhours = rule {
-    time.now.hour > 7 and time.now.hour < 18
-}
-
-main = rule {
-    workdays and workhours
-}
-```
-
-Requirement #2: **`cidr-check.sentinel`**
-
-```shell
-import "sockaddr"
-import "strings"
-
-# Only care about create, update, and delete operations against secret path
-precond = rule {
-    request.operation in ["create", "update", "delete"] and
-    strings.has_prefix(request.path, "secret/")
-}
-
-# Requests to come only from our private IP range
-cidrcheck = rule {
-    sockaddr.is_contained(request.connection.remote_addr, "122.22.3.4/32")
-}
-
-# Check the precondition before execute the cidrcheck
-main = rule when precond {
-    cidrcheck
-}
-```
-
-> **NOTE:** The **`main`** has conditional rule (`when precond`) to ensure that
-the rule gets evaluated only if the request is relevant.
-
-~> Refer to the [Sentinel Properties](/docs/enterprise/sentinel/properties.html)
-documentation for available properties which Vault injects to Sentinel to allow
-fine-grained controls.
-
-
-
-### <a name="step2"></a>Step 2: Test the Sentinel Policies
-
-You can test the Sentinel policies prior to deployment in orders to validate
-syntax and to document expected behavior.
-
-1. First, you need to download the
-[Sentinel simulator](https://docs.hashicorp.com/sentinel/downloads.html).
-
-    **Example:**
-
-    ```plaintext
-    $ wget https://releases.hashicorp.com/sentinel/0.3.1/sentinel_0.3.1_darwin_amd64.zip
-    $ unzip sentinel_0.3.1_darwin_amd64.zip -d /usr/local/bin
-    ```
-
-1. Create a sub-folder named, **`test`** where `cidr-check.sentinel` and
-`business-hrs.sentinel` policies are located. Under the `test` folder, you want
-to create a sub-folder for each policy: **`cidr-check`** and **`business-hrs`**.
-
-    ```plaintext
-    $ mkdir -p test/business-hrs
-    $ mkdir -p test/cidr-check
-    ```
-
-    > **NOTE:** The test should be created under `/test/<policy_name>` folder.
-
-1. Write a passing test case in a file named, **`success.json`** under
-`test/business-hrs` directory.
-
-    ```plaintext
-    {
-        "global": {
-            "timespace": {
-                "weekday": 1,
-                "hour": 12
-            }
-        }
-    }
-    ```
-
-    Under **`global`**, you specify the mock test data. In this example, the
-    `weekday` is set to `1` which is **`Monday`** and `hour` is set to `12`
-    which is **`noon`**. Therefore, the `main` should return `true`.
-
-1. Write a failing test in a file named, **`fail.json`** under
-`test/business-hrs`.
-
-    ```plaintext
-    {
-        "global": {
-            "timespace": {
-                "weekday": 0,
-                "hour": 12
-            }
-        }
-    }
-    ```
-
-    The mock data is set to **`Sunday`** at **`noon`**; therefore, Therefore,
-    the `main` should return `false`.
-
-
-1. Similarly, write a passing test case for `cidr-check` policy,
-**`test/cidr-check/success.json`**:
-
-
-    ```plaintext
-    {
-      "global": {
-        "request": {
-          "connection": {
-              "remote_addr": "122.22.3.4"
-          },
-          "operation": "create",
-          "path": "secret/orders"        
-        }
-      }
-    ```
-
-    In this example, the `global` specifies the `create` operation is invoked on
-    `secret/orders` endpoint which initiated from an IP address `122.22.3.4`.
-    Therefore, the `main` should return `true`.
-
-1. Write a failing test for `cidr-check` policy, **`test/cidr-check/fail.json`**.
-
-    ```plaintext
-    {
-      "global": {
-        "request": {
-          "connection": {
-            "remote_addr": "122.22.3.10"
-          },
-          "operation": "create",
-          "path": "secret/orders"
-        }
-      },
-      "test": {
-        "precond": true,
-        "main": false
-      }
-    }
-    ```
-
-    This test will fail because of the IP address mismatch. However, the
-    `precond` should pass since the requested operation is `create` and the
-    targeted endpoint is `secret/orders`.
-
-    > The optional **`test`** definition adds more context to why the test
-    should fail.  The expected behavior is that the test fails because `main`
-    returns `false` but `precond` should return `true`.
-
-1. Now, you have written both success and failure tests:
-
-    ```plaintext
-    ├── business-hrs.sentinel
-    ├── cidr-check.sentinel
-    └── test
-        ├── business-hrs
-        │   ├── fail.json
-        │   └── success.json
-        └── cidr-check
-            ├── fail.json
-            └── success.json
-    ```
-
-1. Execute the test:
-
-    ```plaintext
-    $ sentinel test
-
-    PASS - business-hrs.sentinel
-      PASS - test/business-hrs/success.json  PASS - test/business-hrs/fail.json
-    PASS - cidr-check.sentinel
-      PASS - test/cidr-check/success.json  PASS - test/cidr-check/fail.json
-    ```
-
-    > **NOTE:** If you want to see the tracing and log output for those tests,
-    run the command with `-verbose` flag.
-
-### <a name="step3"></a>Step 3: Deploy your EGP policies
-
-Sentinel policies has three **enforcement levels**:
-
-| Level          | Description                                                   |
-|----------------|---------------------------------------------------------------|
-| advisory       | The policy is allowed to fail. Can be used as a tool to educate new users. |
-| soft-mandatory | The policy must pass unless an override is specified.         |
-| hard-mandatory | The policy must pass no matter what!                          |
-
-<br>
-
-Since both policies are tied to specific paths, the policy type that you are
-going to create is Endpoint Governing Policies (EGPs).
-
-#### CLI command
-
-1. Store the Base64 encoded `cidr-check.sentinel` policy in an environment
-variable named `POLICY`.
-
-    ```plaintext
-    $ POLICY=$(base64 cidr-check.sentinel)
-    ```
-
-1. Create a policy `cidr-check` with enforcement level of **hard-mandatory** to
-reject all requests coming from IP addressed that are not internal.
-
-    ```plaintext
-    $ vault write sys/policies/egp/cidr-check \
-            policy="${POLICY}" \
-            paths="secret/*" \
-            enforcement_level="hard-mandatory"
-    ```
-
-1. You can read the policy by executing the following command:
-
-    ```plaintext
-    $ vault read sys/policies/egp/cidr-check    
-    ```
-
-1. Repeat the steps to create a policy named `business-hrs`.
-
-    ```shell
-    # Encode the business-hrs policy
-    $ POLICY2=$(base64 business-hrs.sentinel)
-
-    # Create a policy with soft-mandatory enforcement-level
-    $ vault write sys/policies/egp/business-hrs \
-            policy="${POLICY2}" \
-            paths="secret/accounting/*" \
-            enforcement_level="soft-mandatory"
-
-    # To read the policy you just created
-    $ vault read sys/policies/egp/business-hrs        
-    ```
-
-
-#### API call using cURL
-
-To create EGP policies, use the `/sys/policies/egp` endpoint:
-
-```plaintext
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request PUT \
-       --data <PAYLOAD> \
-       <VAULT_ADDRESS>/v1/sys/policies/egp/<POLICY_NAME>
-```
-
-Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the Base64 encoded
-policy, endpoint paths, and enforcement level.
-
-
-1. Store the Base64 encoded `cidr-check.sentinel` policy in an environment
-variable named `POLICY`.
-
-    ```plaintext
-    $ POLICY=$(base64 cidr-check.sentinel)
-    ```
-
-1. Create API request payload.
-
-    ```plaintext
-    $ tee cidr-payload.json <<EOF
-    {
-      "policy": "${POLICY}",
-      "paths": ["secret/*"],
-      "enforcement_level": "hard-mandatory"
-    }
-    EOF
-    ```
-
-1. Create a policy `cidr-check` with enforcement level of **hard-mandatory** to
-reject all requests coming from IP addressed that are not internal.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request PUT \
-           --data @cidr-payload.json \
-           http://127.0.0.1:8200/v1/sys/policies/egp/cidr-check
-    ```
-
-1. Repeat the steps to create a policy named `business-hrs` with enforcement
-level of soft-mandatory.
-
-    ```shell
-    # Encode the business-hrs policy
-    $ POLICY2=$(base64 business-hrs.sentinel)
-
-    # Create the request payload
-    $ tee buz-hrs-payload.json <<EOF
-    {
-      "policy": "${POLICY2}",
-      "paths": ["secret/accounting/*"],
-      "enforcement_level": "soft-mandatory"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request PUT \
-           --data @buz-hrs-payload.json \
-           http://127.0.0.1:8200/v1/sys/policies/egp/business-hrs
-    ```
-
-1. You can list the EGPs that were created.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request LIST \
-           http://127.0.0.1:8200/v1/sys/policies/egp | jq
-    ```
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
-then login.
-
-1. Select **Policies** and select the **Endpoint Governing Policies** tab.
-
-1. Select **Create EGP policy**.
-
-1. Enter **`business-hrs`** in the **Name** field.  
-
-1. Enter the [**`business-hrs.sentinel`** policy](#sentinel-policies-1) in the
-**Policy** editor.
-
-1. Select **soft-mandatory** from the **Enforcement level** drop-down list.
-
-1. Enter **`secret/accounting/*`** in the **Paths** field, and then click
-**Create Policy**.
-
-  ![EGP](/img/vault-sentinel-1.png)
-
-1. Select **Endpoint Governing Policies** again, and then **Create EGP policy**.
-
-1. Enter **`cidr-check`** in the **Name** field.  
-
-1. Enter the [**`cidr-check.sentinel`** policy](#sentinel-policies-1) in the
-**Policy** editor.
-
-1. Leave the **Enforcement level** as hard-mandatory, and enter **`secret/*`**
-in the **Paths** field.
-
-1. Click **Create Policy**.
-
-<br>
-
-~> **NOTE:** Unlike ACL policies, EGPs are a _prefix walk_ which allows policies
-to be applied at various points at Vault API.  If you have EGPs tied to
-"**`secret/orders`**", "**`secret/*`**" and "**`*`**", all EGPs will be
-evaluated for a request on "**`secret/orders`**".
-
-
-#### Verification
-
-Once the policies were deployed, `create`, `update` and `delete` operations
-coming from an IP address other than `122.22.3.4` will be denied.
-
-```plaintext
-$ vault kv put secret/accounting/test acct_no="293472309423"
-
-Error writing data to secret/accounting/test: Error making API request.
-
-URL: PUT http://127.0.0.1:8200/v1/secret/accounting/test
-Code: 400. Errors:
-
-* 1 error occurred:
-
-* egp standard policy "cidr-check" evaluation resulted in denial.
-
-The specific error was:
-<nil>
-
-A trace of the execution for policy "cidr-check" is available:
-
-Result: false
-
-Description: Check the precondition before execute the cidrcheck
-
-Rule "main" (byte offset 442) = false
-  false (offset 314): sockaddr.is_contained
-
-Rule "cidrcheck" (byte offset 291) = false
-
-Rule "precond" (byte offset 113) = true
-  true (offset 134): request.operation in ["create", "update", "delete"]
-  true (offset 194): strings.has_prefix
-```
-
-Similarly, you will get an error if any request is made outside of the business
-hours defined by the `business-hrs` policy.
-
-!> **NOTE:** Like with ACL policies, **`root`** tokens are ***NOT*** subject to
-Sentinel policy checks.
-
-
-### <a name="step4"></a>Step 4: Delete Sentinel Policies
-
-#### CLI Command
-
-To delete EGPs:
-
-```shell
-# Delete the business-hrs EGP
-$ vault delete sys/policies/egp/business-hrs
-
-# Delete the cidr-check EGP
-$ vault delete sys/policies/egp/cidr-check
-```
-
-
-#### API call using cURL
-
-To delete EGPs:
-
-```shell
-# Delete the business-hrs EGP
-$ curl --header "X-Vault-Token: ..." \
-       --request DELETE \
-       http://127.0.0.1:8200/v1/sys/policies/egp/business-hrs
-
-# Delete the cidr-check EGP
-$ curl --header "X-Vault-Token: ..." \
-      --request DELETE \
-      http://127.0.0.1:8200/v1/sys/policies/egp/cidr-check
-```
-
-#### Web UI
-
-1. Select **Policies** and select the **Endpoint Governing Policies** tab.
-
-1. Select **Delete** from the policy menu for `business-hrs`.
-
-    ![Delete EGP](/img/vault-sentinel-2.png)
-
-1. When prompted, click **Delete** again to confirm.
-
-1. Repeat the steps to delete `cidr-check` policy.
-
-
-
-## Next steps
-
-Refer to the [Sentinel Properties](/docs/enterprise/sentinel/properties.html)
-documentation for the full list of properties available in Vault to write
-fine-grained policies to meet your organizational policy requirements.
diff --git a/website/source/guides/index.html.md b/website/source/guides/index.html.md
deleted file mode 100644
index f800c43e3847..000000000000
--- a/website/source/guides/index.html.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-layout: "guides"
-page_title: "Guides"
-sidebar_current: "guides"
-description: |-
-  This section provides various guides for common actions. Due to the nature of Vault, some of these procedures can be complex, so our goal is to provide guidance to do them safely.
----
-
-# Vault Guides
-
-Welcome to the Vault guides! If you are just getting started with Vault, please
-start with the [Vault introduction][intro] instead and then continue on to the
-guides. The guides provide examples for common Vault workflows and actions for
-both users and operators of Vault. Due to the nature of Vault, some of these
-procedures can be complex, so our goal is to provide guidance to do them safely.
-
-<br>
-
--> Please visit [_Katacoda_](https://www.katacoda.com/hashicorp) where a series
-of interactive tutorials are waiting for you to get started on learning Vault.
-
-
-
-
-[intro]: /intro/index.html
diff --git a/website/source/guides/operations/autounseal-aws-kms.html.md b/website/source/guides/operations/autounseal-aws-kms.html.md
deleted file mode 100644
index ac4162b7c726..000000000000
--- a/website/source/guides/operations/autounseal-aws-kms.html.md
+++ /dev/null
@@ -1,289 +0,0 @@
----
-layout: "guides"
-page_title: "Vault Auto-unseal using AWS KMS - Guides"
-sidebar_title: "Vault Auto-unseal with AWS KMS"
-sidebar_current: "guides-operations-autounseal-aws-kms"
-description: |-
-  In this guide, we'll show an example of how to use Terraform to provision an
-  instance that can utilize an encryption key from AWS Key Management Services
-  to unseal Vault.
----
-
-
-# Vault Auto-unseal using AWS Key Management Service
-
-~> **Enterprise Only:** Vault auto-unseal feature is a part of _Vault Enterprise Pro_.
-
-When a Vault server is started, it starts in a
-[***sealed***](/docs/concepts/seal.html) state and it does not know how to
-decrypt data. Before any operation can be performed on the Vault, it must be
-unsealed. Unsealing is the process of constructing the master key necessary to
-decrypt the data encryption key.
-
-![Unseal with Shamir's Secret Sharing](/img/vault-autounseal.png)
-
-This guide demonstrates an example of how to use Terraform to provision an
-instance that can utilize an encryption key from [AWS Key Management Services
-(KMS)](https://aws.amazon.com/kms/) to unseal Vault.
-
-## Reference Material
-
-- [Vault Auto Unseal](/docs/configuration/seal/index.html)
-- [Configuration: `awskms` Seal](/docs/configuration/seal/awskms.html)
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Personas
-
-The steps described in this guide are typically performed by **operations**
-persona.
-
-## Challenge
-
-Vault unseal operation requires a quorum of existing unseal keys split by
-Shamir's Secret sharing algorithm. This is done so that the "_keys to the
-kingdom_" won't fall into one person's hand.  However, this process is manual
-and can become painful when you have many Vault clusters as there are now
-many different key holders with many different keys.
-
-## Solution
-
-Vault Enterprise supports opt-in automatic unsealing via cloud technologies:
-Amazon KMS, Azure Key Vault or GCP Cloud KMS. This feature enables operators to
-delegate the unsealing process to trusted cloud providers to ease operations in
-the event of partial failure and to aid in the creation of new or ephemeral
-clusters.
-
-![Unseal with AWS KMS](/img/vault-autounseal-2.png)
-
-## Prerequisites
-
-This guide assumes the following:   
-
-- Access to **Vault Enterprise 0.9.0 or later** 
-- A URL to download Vault Enterprise from (an Amazon S3 bucket will suffice)
-- AWS account for provisioning cloud resources
-- [Terraform installed](https://www.terraform.io/intro/getting-started/install.html)
-and basic understanding of its usage
-
-### Download demo assets
-
-Clone or download the demo assets from the
-[hashicorp/vault-guides](https://github.com/hashicorp/vault-guides/tree/master/operations/aws-kms-unseal/terraform-aws)
-GitHub repository to perform the steps described in this guide.
-
-
-## Steps
-
-This guide demonstrates how to implement and use the Auto-unseal feature using
-AWS KMS. Included is a Terraform configuration that has the following:   
-
-* Ubuntu 16.04 LTS with Vault Enterprise    
-* An instance profile granting the Amazon EC2 instance to an AWS KMS key
-* Vault configured with access to an AWS KMS key   
-
-
-[![YouTube](/img/vault-autounseal-4.png)](https://youtu.be/iRyqOEDFIiY)
-
-
-You are going to perform the following steps:
-
-1. [Provision the Cloud Resources](#step-1-provision-the-cloud-resources)
-1. [Test the Auto-unseal Feature](#step-2-test-the-auto-unseal-feature)
-1. [Clean Up](#step-3-clean-up)
-
-
-### Step 1: Provision the Cloud Resources
-
-**Task 1:** Be sure to set your working directory to where the
-[`/operations/aws-kms-unseal/terraform-aws`](#download-demo-assets) folder is
-located.
-
-The working directory should contain the provided Terraform files:
-
-```bash
-~/git/vault-guides/operations/aws-kms-unseal/terraform$ tree
-.
-├── README.md
-├── instance-profile.tf
-├── instance.tf
-├── main.tf
-├── ssh-key.tf
-├── terraform.tfvars.example
-├── userdata.tpl
-└── variables.tf
-```
-
-**Task 2:** Set your AWS credentials as environment variables:
-
-```plaintext
-$ export AWS_ACCESS_KEY_ID = "<YOUR_AWS_ACCESS_KEY_ID>"
-
-$ export AWS_SECRET_ACCESS_KEY = "<YOUR_AWS_SECRET_ACCESS_KEY>"
-```
-
-Create a file named **`terraform.tfvars`** and specify your Vault Enterprise
-binary download URL.
-
-**Example:**
-
-```plaintext
-vault_url = "https://s3-us-west-2.amazonaws.com/hc-enterprise-binaries/vault/ent/0.10.3/vault-enterprise_0.10.3%2Bent_linux_amd64.zip"
-```
-
-**Task 3:** Perform a **`terraform init`** to pull down the necessary provider
-resources. Then **`terraform plan`** to verify your changes and the resources that
-will be created. If all looks good, then perform a **`terraform apply`** to
-provision the resources.
-
-```plaintext
-$ terraform init
-Initializing provider plugins...
-...
-Terraform has been successfully initialized!
-
-
-$ terraform plan
-...
-Plan: 15 to add, 0 to change, 0 to destroy.
-
-
-$ terraform apply
-...
-Apply complete! Resources: 15 added, 0 changed, 0 destroyed.
-
-Outputs:
-
-connections = Connect to Vault via SSH   ssh ubuntu@192.0.2.1 -i private.key
-Vault Enterprise web interface  http://192.0.2.1:8200/ui
-```
-
-**NOTE:** The Terraform output will display the public IP address to SSH into
-your server as well as the Vault Enterprise web interface address.
-
-
-### Step 2: Test the Auto-unseal Feature
-
-SSH into the provisioned EC2 instance.
-
-```plaintext
-$ ssh ubuntu@192.0.2.1 -i private.key
-...
-Are you sure you want to continue connecting (yes/no)? yes
-```
-When you are prompted, enter "yes" to continue.
-
-To verify that Vault has been installed, run `vault status` command which should
-return "_server is not yet initialized_" message.
-
-```plaintext
-$ export VAULT_ADDR=http://127.0.0.1:8200
-
-$ vault status
-Error checking seal status: Error making API request.
-
-URL: GET http://127.0.0.1:8200/v1/sys/seal-status
-Code: 400. Errors:
-
-* server is not yet initialized
-```
-
-Run the **`vault operator init`** command to initialize the Vault server by
-setting its key share to be **`1`** as follow:
-
-```plaintext
-$ vault operator init -stored-shares=1 -recovery-shares=1 -recovery-threshold=1 -key-shares=1 -key-threshold=1
-Recovery Key 1: oOxAQfxcZitjqZfF3984De8rUckPeahQDUvmJ1A4JrQ=
-Initial Root Token: 54c4dbe3-d45b-79d9-18d0-602831a6a991
-
-Vault initialized successfully.
-
-Recovery key initialized with 1 keys and a key threshold of 1. Please
-securely distribute the above keys.
-```
-
-Stop and start the Vault server:
-
-```plaintext
-$ sudo systemctl stop vault
-
-$ vault status
-Error checking seal status: Get http://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: getsockopt: connection refused
-
-$ sudo systemctl start vault
-```
-
-Check the Vault status to verify that it has been started and unsealed.
-
-```plaintext
-$ vault status
-Type: shamir
-Sealed: false
-Key Shares: 1
-Key Threshold: 1
-Unseal Progress: 0
-Unseal Nonce:
-Version: 0.9.6+prem.hsm
-Cluster Name: vault-cluster-01cf6f33
-Cluster ID: fb787d8a-b882-fee8-b461-445320cde311
-
-High-Availability Enabled: false
-```
-
-Log into Vault using the generated initial root token:
-
-```plaintext
-$ vault login 54c4dbe3-d45b-79d9-18d0-602831a6a991
-Successfully authenticated! You are now logged in.
-token: 54c4dbe3-d45b-79d9-18d0-602831a6a991
-token_duration: 0
-token_policies: [root]
-```
-
-Review the Vault configuration file (`/etc/vault.d/vault.hcl`).
-
-```plaintext
-$ cat /etc/vault.d/vault.hcl
-storage "file" {
-  path = "/opt/vault"
-}
-listener "tcp" {
-  address     = "0.0.0.0:8200"
-  tls_disable = 1
-}
-seal "awskms" {
-  kms_key_id = "d7c1ffd9-8cce-45e7-be4a-bb38dd205966"
-}
-ui=true
-```
-
-Notice the Vault configuration file defines the [`awskms`
-stanza](/docs/configuration/seal/awskms.html) which sets the AWS KMS key ID to
-use for encryption and decryption.
-
-At this point, you should be able to launch the Vault Enterprise UI by entering
-the address provided in the `terraform apply` outputs (e.g. http://192.0.2.1:8200/ui)
-and log in with your initial root token.
-
-![Vault Enterprise UI Login](/img/vault-autounseal-3.png)
-
-
-### Step 3: Clean Up
-
-Once completed, execute the following commands to clean up:
-
-```plaintext
-$ terraform destroy -force
-
-$ rm -rf .terraform terraform.tfstate* private.key
-```
-
-
-## Next steps
-
-Once you have a Vault environment setup, the next step is to write policies.
-Read [Policies](/guides/identity/policies.html) to learn how to write policies
-to govern the behavior of clients.
diff --git a/website/source/guides/operations/deployment-guide.html.md b/website/source/guides/operations/deployment-guide.html.md
deleted file mode 100644
index 79d3693d67fe..000000000000
--- a/website/source/guides/operations/deployment-guide.html.md
+++ /dev/null
@@ -1,327 +0,0 @@
----
-layout: "guides"
-page_title: "Vault Deployment Guide - Guides"
-sidebar_current: "guides-operations-deployment-guide"
-description: |-
-  This deployment guide covers the steps required to install and
-  configure a single HashiCorp Vault cluster as defined in the
-  Vault Reference Architecture.
-ea_version: 1.0
----
-
-# Vault Deployment Guide
-
-This deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the [Vault Reference Architecture](/guides/operations/reference-architecture.html).
-
-Below are instructions for installing and configuring Vault on Linux hosts running the systemd system and service manager.
-
-## Reference Material
-
-This deployment guide is designed to work in combination with the [Vault Reference Architecture](/guides/operations/reference-architecture.html). Although not a strict requirement to follow the Vault Reference Architecture, please ensure you are familiar with the overall architecture design; for example installing Vault on multiple physical or virtual (with correct anti-affinity) hosts for high-availability and using Consul for the HA and storage backend.
-
-During the installation of Vault you should also review and apply the recommendations provided in the [Vault Production Hardening](/guides/operations/production.html) guide.
-
-## Overview
-
-To provide a highly-available single cluster architecture, we recommend Vault be deployed to more than one host, as shown in the [Vault Reference Architecture](/guides/operations/reference-architecture.html), and connected to a Consul cluster for persistent data storage.
-
-![Reference Diagram](/img/vault-ref-arch-2-02305ae7.png)
-
-The below setup steps should be completed on all Vault hosts.
-
-- [Download Vault](#download-vault)
-- [Install Vault](#install-vault)
-- [Configure systemd](#configure-systemd)
-- [Configure Consul](#configure-consul)
-- [Configure Vault](#configure-vault)
-- [Start Vault](#start-vault)
-
-## Download Vault
-
-Precompiled Vault binaries are available for download at [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/) and Vault Enterprise binaries are available for download by following the instructions made available to HashiCorp Vault customers.
-
-You should perform checksum verification of the zip packages using the SHA256SUMS and SHA256SUMS.sig files available for the specific release version. HashiCorp provides [a guide on checksum verification](https://www.hashicorp.com/security.html) for precompiled binaries.
-
-```text
-VAULT_VERSION="0.10.3"
-curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
-curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS
-curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig
-```
-
-## Install Vault
-
-Unzip the downloaded package and move the `vault` binary to `/usr/local/bin/`. Check `vault` is available on the system path.
-
-```text
-unzip vault_${VAULT_VERSION}_linux_amd64.zip
-sudo chown root:root vault
-sudo mv vault /usr/local/bin/
-vault --version
-```
-
-The `vault` command features opt-in autocompletion for flags, subcommands, and arguments (where supported). Enable autocompletion.
-
-```text
-vault -autocomplete-install
-complete -C /usr/local/bin/vault vault
-```
-
-Give Vault the ability to use the mlock syscall without running the process as root. The mlock syscall prevents memory from being swapped to disk.
-
-```text
-sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
-```
-
-Create a unique, non-privileged system user to run Vault.
-
-```text
-sudo useradd --system --home /etc/vault.d --shell /bin/false vault
-```
-
-## Configure systemd
-
-Systemd uses [documented sane defaults](https://www.freedesktop.org/software/systemd/man/systemd.directives.html) so only non-default values must be set in the configuration file.
-
-Create a Vault service file at /etc/systemd/system/vault.service.
-
-```text
-sudo touch /etc/systemd/system/vault.service
-```
-
-Add the below configuration to the Vault service file:
-
-```text
-[Unit]
-Description="HashiCorp Vault - A tool for managing secrets"
-Documentation=https://www.vaultproject.io/docs/
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty=/etc/vault.d/vault.hcl
-
-[Service]
-User=vault
-Group=vault
-ProtectSystem=full
-ProtectHome=read-only
-PrivateTmp=yes
-PrivateDevices=yes
-SecureBits=keep-caps
-AmbientCapabilities=CAP_IPC_LOCK
-Capabilities=CAP_IPC_LOCK+ep
-CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
-NoNewPrivileges=yes
-ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillMode=process
-KillSignal=SIGINT
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=30
-StartLimitIntervalSec=60
-StartLimitBurst=3
-
-[Install]
-WantedBy=multi-user.target
-```
-
-The following parameters are set for the `[Unit]` stanza:
-
-- [`Description`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Description=) - Free-form string describing the vault service
-- [`Documentation`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Documentation=) - Link to the vault documentation
-- [`Requires`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=) - Configure a requirement dependency on the network service
-- [`After`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=) - Configure an ordering dependency on the network service being started before the vault service
-- [`ConditionFileNotEmpty`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#ConditionArchitecture=) - Check for a non-zero sized configuration file before vault is started
-
-The following parameters are set for the `[Service]` stanza:
-
-- [`User`, `Group`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#User=) - Run vault as the vault user
-- [`ProtectSystem`, `ProtectHome`, `PrivateTmp`, `PrivateDevices`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing) - Sandboxing settings to improve the security of the host by restricting vault privileges and access
-- [`SecureBits`, `Capabilities`, `CapabilityBoundingSet`, `AmbientCapabilities`](http://man7.org/linux/man-pages/man7/capabilities.7.html) - Configure the capabilities of the vault process
-- [`NoNewPrivileges`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NoNewPrivileges=) - Prevent vault and any child process from gaining new privileges
-- [`ExecStart`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=) - Start vault with the `server` argument and path to the configuration file
-- [`ExecReload`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecReload=) - Send vault a HUP signal to trigger a configuration reload in vault
-- [`KillMode`](https://www.freedesktop.org/software/systemd/man/systemd.kill.html#KillMode=) - Treat vault as a single process
-- [`KillSignal`](https://www.freedesktop.org/software/systemd/man/systemd.kill.html#KillSignal=) - Send SIGINT signal when shutting down vault
-- [`Restart`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartSec=) - Restart vault ([in a sealed state](/docs/concepts/seal.html)) unless it returned a clean exit code
-- [`RestartSec`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartSec=) - Restart vault after 5 seconds of it being considered 'failed'
-- [`TimeoutStopSec`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#TimeoutStopSec=) - Wait 30 seconds for a clean stop before sending a SIGKILL signal
-- [`StartLimitIntervalSec`, `StartLimitBurst`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=interval) - Limit vault to three start attempts in 60 seconds
-
-The following parameters are set for the `[Install]` stanza:
-
-- [`WantedBy`](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy=) - Creates a weak dependency on vault being started by the multi-user run level
-
-## Configure Consul
-
-When using Consul as the storage backend for Vault, we recommend using Consul's [ACL system](https://www.consul.io/docs/guides/acl.html) to restrict access to the path where Vault stores data. This access restriction is an added security measure in addition to the [encryption Vault uses to protect data](/docs/internals/architecture.html) written to the storage backend.
-
-The Consul website provides documentation on [bootstrapping the ACL system](https://www.consul.io/docs/guides/acl.html#bootstrapping-acls), generating a management token and using that token to add some initial tokens for Consul agents, UI access etc. You should complete the bootstrapping section of the Consul documentation before continuing with this guide.
-
-Vault requires a Consul token with specific policy to limit the requests Vault can make to Consul endpoints.
-
-On a host running a Consul agent, and using a Consul management token, create a Consul client token with specific policy for Vault:
-
-### Consul < 1.4
-
-```text
-CONSUL_TOKEN="6609e426-1aeb-4b0d-c302-3a7568fbc1f9"
-curl \
-    --request PUT \
-    --header "X-Consul-Token: ${CONSUL_TOKEN}" \
-    --data \
-'{
-  "Name": "Vault Token",
-  "Type": "client",
-  "Rules": "node \"\" { policy = \"write\" } service \"vault\" { policy = \"write\" } agent \"\" { policy = \"write\" }  key \"vault/\" { policy = \"write\" } session \"\" { policy = \"write\" } "
-}' http://127.0.0.1:8500/v1/acl/create
-```
-
-### Consul >= 1.4
-
-```text
-CONSUL_TOKEN="6609e426-1aeb-4b0d-c302-3a7568fbc1f9"
-curl \
-    --request PUT \
-    --header "X-Consul-Token: ${CONSUL_TOKEN}" \
-    --data \
-'{
-  "Name": "Vault Token",
-  "Type": "client",
-  "Rules": "node_prefix \"\" { policy = \"write\" } service \"vault\" { policy = \"write\" } agent_prefix \"\" { policy = \"write\" }  key_prefix \"vault/\" { policy = \"write\" } session_prefix \"\" { policy = \"write\" } "
-}' http://127.0.0.1:8500/v1/acl/create
-```
-
-
-
-The response includes the value you will use as the `token` parameter value in Vault's storage stanza configuration. An example response:
-
-```json
-{"ID":"fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"}
-```
-
-## Configure Vault
-
-Vault uses [documented sane defaults](/docs/configuration) so only non-default values must be set in the configuration file.
-
-Create a configuration file at /etc/vault.d/vault.hcl:
-
-```text
-sudo mkdir --parents /etc/vault.d
-sudo touch /etc/vault.d/vault.hcl
-sudo chown --recursive vault:vault /etc/vault.d
-sudo chmod 640 /etc/vault.d/vault.hcl
-```
-
-### Listener stanza
-
-The `listener` stanza configures the addresses and ports on which Vault will respond to requests.
-
-Add the below configuration to the Vault configuration file:
-
-```hcl
-listener "tcp" {
-  address       = "0.0.0.0:8200"
-  tls_cert_file = "/path/to/fullchain.pem"
-  tls_key_file  = "/path/to/privkey.pem"
-}
-```
-
-The following parameters are set for the `tcp` listener stanza:
-
-- [`address`](/docs/configuration/listener/tcp.html#address) `(string: "127.0.0.1:8200")` - Changing from the loopback address to allow external access to the Vault UI
-- [`tls_cert_file`](/docs/configuration/listener/tcp.html#tls_cert_file) `(string: <required-if-enabled>, reloads-on-SIGHUP)` - Must be set when using TLS
-- [`tls_key_file`](/docs/configuration/listener/tcp.html#tls_key_file) `(string: <required-if-enabled>, reloads-on-SIGHUP)` - Must be set when using TLS
-
-[More information about tcp listener configuration](/docs/configuration/listener/tcp.html).
-
-~> Vault should always be configured to use TLS to provide secure communication between clients and the Vault cluster. This requires a certificate file and key file be installed on each Linux host running Vault. The certificate file and key file must have permissions allowing the vault user/group to read them.
-
-### Seal stanza
-
-This is an __ENTERPRISE__ feature.
-
-If you are deploying [Vault Enterprise](https://www.hashicorp.com/products/vault), you can include `seal` stanza configuration to specify the seal type to use for additional data protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the Vault master key. This stanza is optional, and if this is not configured, Vault will use the Shamir algorithm to cryptographically split the master key.
-
-If you are deploying Vault Enterprise, you should review the [seal configuration section](/docs/configuration/seal/index.html) of our documentation.
-
-An example PKCS #11 compatible HSM example is:
-
-``` hcl
-seal "pkcs11" {
-  lib            = "/usr/vault/lib/libCryptoki2_64.so"
-  slot           = "0"
-  pin            = "AAAA-BBBB-CCCC-DDDD"
-  key_label      = "vault-hsm-key"
-  hmac_key_label = "vault-hsm-hmac-key"
-}
-```
-
-### Storage stanza
-
-The `storage` stanza configures the storage backend, which represents the location for the durable storage of Vault's data.
-
-Add the below configuration to the Vault configuration file:
-
-```hcl
-storage "consul" {
-  token = "{{ consul_token }}"
-}
-```
-
-The following parameters are set for the `consul` storage stanza:
-
-- [`token`](/docs/configuration/storage/consul.html#token) `(string: "")` - Specify the Consul ACL token with permission to read and write from `/vault` in Consul's key-value store
-
-[More information about consul storage configuration](/docs/configuration/storage/consul.html).
-
-~> Vault should always be configured to use a Consul token with a restrictive ACL policy to read and write from `/vault` in Consul's key-value store. This follows the principal of least privilege, ensuring Vault is unable to access Consul key-value data stored outside of the `/vault` path.
-
-### Telemetry stanza
-
-The `telemetry` stanza specifies various configurations for Vault to publish metrics to upstream systems.
-
-If you decide to configure Vault to publish telemetry data, you should review the [telemetry configuration section](/docs/configuration/telemetry.html) of our documentation.
-
-### High Availability Parameters
-
-The `api_addr` parameter configures the API address used in high availability scenarios, when client redirection is used instead of request forwarding. Client redirection is the fallback method used when request forwarding is turned off or there is an error performing the forwarding. As such, a redirect address is always required for all HA setups.
-
-This parameter value defaults to the `address` specified in the `listener` stanza, but Vault will log a `[WARN]` message if it is not explicitly configured.
-
-Add the below configuration to the Vault configuration file:
-
-```hcl
-api_addr = "{{ full URL to Vault API endpoint }}"
-```
-
-[More information about high availability configuration](/docs/configuration/#high-availability-parameters).
-
-### Vault UI
-
-Vault features a web-based user interface, allowing you to easily create, read, update, and delete secrets, authenticate, unseal, and more using a graphical user interface, rather than the CLI or API.
-
-Vault should not be deployed in a public internet facing environment, so enabling the Vault UI is typically of benefit to provide a more familiar experience to administrators who are not as comfortable working on the command line, or who do not have alternative access.
-
-Optionally, add the below configuration to the Vault configuration file to enable the Vault UI:
-
-```hcl
-ui = true
-```
-
-[More information about configuring the Vault UI](/docs/configuration/ui/index.html).
-
-## Start Vault
-
-Enable and start Vault using the systemctl command responsible for controlling systemd managed services. Check the status of the vault service using systemctl.
-
-```text
-sudo systemctl enable vault
-sudo systemctl start vault
-sudo systemctl status vault
-```
-
-## Next Steps
-
-- Read [Production Hardening](/guides/operations/production.html) to learn best
-  practices for a production hardening deployment of Vault.
diff --git a/website/source/guides/operations/disaster-recovery.html.md b/website/source/guides/operations/disaster-recovery.html.md
deleted file mode 100644
index 033091e96d40..000000000000
--- a/website/source/guides/operations/disaster-recovery.html.md
+++ /dev/null
@@ -1,622 +0,0 @@
----
-layout: "guides"
-page_title: "Vault Disaster Recovery Replication Setup - Guides"
-sidebar_title: "Disaster Recovery Setup"
-sidebar_current: "guides-operations-dr"
-description: |-
-  This guide demonstrates step-by-step instruction of setting up a disaster
-  recovery (DR) replications.
----
-
-# Vault Disaster Recovery Replication
-
-~> **Enterprise Only:** Disaster Recovery Replication is a part of _Vault Enterprise Pro_.
-
-It is inevitable for organizations to have a disaster recovery (DR) strategy to
-protect their Vault deployment against catastrophic failure of an entire
-cluster. Vault Enterprise supports multi-datacenter deployment where you can
-replicate data across datacenters for performance as well as disaster recovery.
-
-A cluster is the basic unit of Vault Enterprise replication which follows the
-leader-follower model. A leader cluster is referred to as the **primary**
-cluster and is considered the _system of record_. Data is streamed from the
-primary cluster to all **secondary** (follower) clusters.
-
-![Replication Pattern](/img/vault-ref-arch-8.png)
-
-~> **Important:** In DR replication, secondary clusters ***do not forward***
-service read or write requests until they are promoted and become a new primary
-- they essentially act as a warm standby cluster.
-
-
-The [Mount Filter](/guides/operations/mount-filter.html) guide provides step-by-step
-instructions on setting up performance replication.  This guide focuses on DR
-replication setup.
-
-
-## Reference Materials
-
-- [Performance Replication and Disaster Recovery (DR) Replication](/docs/enterprise/replication/index.html#performance-replication-and-disaster-recovery-dr-replication)
-- [DR Replication API](/api/system/replication-dr.html)
-- [Replication Setup & Guidance](/guides/operations/replication.html)
-- [Vault HA guide](/guides/operations/vault-ha-consul.html)
-
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Prerequisites
-
-This intermediate Vault operations guide assumes that you have some working
-knowledge of Vault.
-
-You need two Vault Enterprise clusters: one behaves as the **primary cluster**,
-and another becomes the **secondary**.
-
-![DR Prerequisites](/img/vault-dr-0.png)
-
-## Steps
-
-This guide walk through the following operations:
-
-1. [Enable DR Primary Replication](#step1)
-1. [Enable DR Secondary Replication](#step2)
-1. [Promote DR Secondary to Primary](#step3)
-1. [Demote DR Primary to Secondary](#step4)
-1. [Disable DR Primary](#step5)
-
-
-### <a name="step1"></a>Step 1: Enable DR Primary Replication
-
-#### CLI command
-
-1. Enable DR replication on the **primary** cluster.
-
-    ```plaintext
-    $ vault write -f sys/replication/dr/primary/enable
-    WARNING! The following warnings were returned from Vault:
-
-    * This cluster is being enabled as a primary for replication. Vault will be
-    unavailable for a brief period and will resume service shortly.
-    ```
-
-1. Generate a secondary token.
-
-    ```plaintext
-    $ vault write sys/replication/dr/primary/secondary-token id="secondary"
-    ```
-
-    The output should look similar to:
-
-    ```plaintext
-    Key                              Value
-    ---                              -----
-    wrapping_token:                  eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoiaHR0cDovLzEzLjU3LjIwLjQxOjgyMDAiLCJleHAiOjE1MjkzMzkzMzEsImlhdCI6MTUyOTMzNzUzMSwianRpIjoiZDZmMmMzZTItMTZjNS1mNTU0LWYxMzAtNzMzZDE0OWNiNTIzIiwidHlwZSI6IndyYXBwaW5nIn0.MIGIAkIArsC3s1x7GYnEbaYwAbYUj-Wgp4B3Q3kVXL0BbaKvsECySV4Pwtm--i24OSQfI9zAlsG8ZypOWJdngRa59wlhWdQCQgG22-I-aNWPehjsqmwwEADU-u37LUrR6O0MsUCqtfWYwIM9o7PFP1wMZ4JwDGftQXUH6hIrkXZDxnnGsSCJ1Vl75w
-    wrapping_accessor:               bab0ea36-23f6-d21d-4ca6-a9c3673766a3
-    wrapping_token_ttl:              30m
-    wrapping_token_creation_time:    2018-06-18 15:58:51.645117216 +0000 UTC
-    wrapping_token_creation_path:    sys/replication/dr/primary/secondary-token
-    ```
-
-    -> Copy the generated **`wrapping_token`** which you will need to enable the DR
-    secondary cluster.
-
-#### API call using cURL
-
-1. Enable DR replication on the **primary** cluster by invoking **`/sys/replication/dr/primary/enable`** endpoint.
-
-    **Example:**
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{}' \
-           https://cluster-A.example.com:8200/v1/sys/replication/dr/primary/enable
-     {
-       "request_id": "ef38af20-9c1f-138a-2d03-bbb6410fb0fc",
-       "lease_id": "",
-       "renewable": false,
-       "lease_duration": 0,
-       "data": null,
-       "wrap_info": null,
-       "warnings": [
-         "This cluster is being enabled as a primary for replication. Vault will be
-         unavailable for a brief period and will resume service shortly."
-       ],
-       "auth": null
-     }
-    ```
-
-1. Generate a secondary token by invoking **`/sys/replication/dr/primary/secondary-token`** endpoint.
-
-    **Example:**
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{ "id": "secondary"}' \
-           https://cluster-A.example.com:8200/v1/sys/replication/dr/primary/secondary-token | jq
-     {
-       "request_id": "",
-       "lease_id": "",
-       "renewable": false,
-       "lease_duration": 0,
-       "data": null,
-       "wrap_info": {
-         "token": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoiaHR0cDovLzEzLjU3LjIwLjQxOjgyMDAiLCJleHAiOjE1MjkzNDQzMjcsImlhdCI6MTUyOTM0MjUyNywianRpIjoiYmRiZTJiNzEtODgwMS05YjZjLTNjMTQtMzVkNDI3NDQ3MjEzIiwidHlwZSI6IndyYXBwaW5nIn0.MIGIAkIBmESVVq_83l9hixTN7Ot0v5XQMsQfi1zV9APooZWkLvbS2olBWSQnskykQQH6GskMOi-ypOlAabqxWmfoCLA8-TICQgHRdkbJGgAQtWmjc8Z-ZEgymMv8YZq6qQxbUtPXloyM-cf_1Y1qmdGDYWtjPqoF5m1Bt_WkAJl9MguVb04QMWSotw",
-         "accessor": "7e56e9da-178c-119d-1d01-807a203fa0b3",
-         "ttl": 1800,
-         "creation_time": "2018-06-18T17:22:07.129747708Z",
-         "creation_path": "sys/replication/dr/primary/secondary-token"
-       },
-       "warnings": null,
-       "auth": null
-     }
-    ```
-
-    -> Copy the generated **`token`** which you will need to enable the DR
-    secondary cluster.
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g.
-https://cluster-A.example.com:8200/ui) and then login.
-
-1. Select **Replication** and check the **Disaster Recovery (DR)** radio button.
-  ![DR Replication - primary](/img/vault-dr-1.png)
-
-1. Click **Enable replication**.
-
-1. Select the **Secondaries** tab, and then click **Add**.
-  ![DR Replication - primary](/img/vault-dr-2.png)
-
-1. Populate the **Secondary ID** field, and click **Generate token**.
-  ![DR Replication - primary](/img/vault-dr-3.png)
-
-1. Click **Copy** to copy the token which you will need to enable the DR secondary cluster.
-  ![DR Replication - primary](/img/vault-dr-4.png)
-
-
-<br>
-
-### <a name="step2"></a>Step 2: Enable DR Secondary Replication
-
-The following operations must be performed on the DR secondary cluster.
-
-#### CLI command
-
-1. Enable DR replication on the **secondary** cluster.
-
-    ```plaintext
-    $ vault write sys/replication/dr/secondary/enable token="..."
-    ```
-    Where the `token` is the `wrapping_token` obtained from the primary cluster.
-
-    Expected output:
-
-    ```plaintext
-    WARNING! The following warnings were returned from Vault:
-
-    * Vault has successfully found secondary information; it may take a while to
-    perform setup tasks. Vault will be unavailable until these tasks and initial
-    sync complete.
-    ```
-
-    !> **NOTE:** This will immediately clear all data in the secondary cluster.
-
-#### API call using cURL
-
-1. Enable DR replication on the **secondary** cluster.
-
-    ```plaintext
-    $ tee payload.json <<EOF
-    {
-      "token": "..."
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload.json \
-           https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/enable | jq
-    {
-       "request_id": "7a9730c1-b6fc-6557-5c0a-081e1f89ed2d",
-       "lease_id": "",
-       "renewable": false,
-       "lease_duration": 0,
-       "data": null,
-       "wrap_info": null,
-       "warnings": [
-         "Vault has successfully found secondary information; it may take a while
-         to perform setup tasks. Vault will be unavailable until these tasks and
-         initial sync complete."
-       ],
-       "auth": null
-     }
-    ```
-
-    Where the `token` in `payload.json` is the token obtained from the primary
-    cluster.
-
-    !> **NOTE:** This will immediately clear all data in the secondary cluster.
-
-
-#### Web UI
-
-1. Now, launch the Vault UI for the **secondary** cluster (e.g. https://cluster-B.example.com:8200/ui) and click **Replication**.
-
-1. Check the **Disaster Recovery (DR)** radio button and select **secondary** under the **Cluster mode**. Paste the token you copied from the primary in the **Secondary activation token** field.
-  ![DR Replication - secondary](/img/vault-dr-5.png)
-
-1. Click **Enable replication**.
-  ![DR Replication - secondary](/img/vault-dr-5.2.png)
-
-  !> **NOTE:** This will immediately clear all data in the secondary cluster.
-
-
-
-<br>
-
-### <a name="step3"></a>Step 3: Promote DR Secondary to Primary
-
-This step walks you through the promotion of the secondary cluster to become the
-new primary when a catastrophic failure causes the primary cluster to be
-inoperable. Refer to the [_Important Note about Automated DR
-Failover_](#important) section for more background information.
-
-First, you must generate a **DR operation token** which you need to promote the
-secondary cluster. The process, outlined below using API calls, is the similar to [_Generating a Root Token (via CLI)_](/guides/operations/generate-root.html).
-
-#### From Terminal
-
-1. Generate an one time password (OTP) to use:
-
-    ```plaintext
-    $ vault operator generate-root -dr-token -generate-otp
-    HenFLWmt0AgrjWJp/RECzQ==
-    ```
-
-1. Start the DR operation token generation process by invoking **`/sys/replication/dr/secondary/generate-operation-token/attempt`** endpoint.
-
-    **Example:**
-
-    ```plaintext
-    $ tee payload.json <<EOF
-    {
-      "otp": "HenFLWmt0AgrjWJp/RECzQ=="
-    }
-    EOF
-
-    $ curl --request PUT \
-         --data @payload.json \
-         https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/generate-operation-token/attempt | jq
-     {
-       "nonce": "455bf989-6575-1262-c0d0-a94eaf60bdd0",
-       "started": true,
-       "progress": 0,
-       "required": 3,
-       "complete": false,
-       "encoded_token": "",
-       "encoded_root_token": "",
-       "pgp_fingerprint": ""
-     }
-    ```
-
-    -> Distribute the generated **`nonce`** to each unseal key holder.
-
-1. In order to generate a DR operation token, a quorum of unseal keys must be
-entered by each key holder via **`/sys/replication/dr/secondary/generate-operation-token/update`** endpoint.
-
-    **Example:**
-
-    ```plaintext
-    $ tee payload_key1.json <<EOF
-    {
-      "key": "<primary_unseal_key_1>",
-      "nonce": "455bf989-6575-1262-c0d0-a94eaf60bdd0"
-    }
-    EOF
-
-    $ curl --request PUT \
-           --data @payload_key1.json \
-           https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/generate-operation-token/update | jq
-     {
-       "nonce": "455bf989-6575-1262-c0d0-a94eaf60bdd0",
-       "started": true,
-       "progress": 1,
-       "required": 3,
-       "complete": false,
-       "encoded_token": "",
-       "encoded_root_token": "",
-       "pgp_fingerprint": ""
-     }
-    ```
-
-    This operation must be executed by each unseal key holder. Once the quorum
-    has been reached, the output contains the encoded DR operation token
-    (`encoded_token`).
-
-    **Example:**
-
-    ```plaintext
-    $ curl --request PUT \
-         --data @payload_key3.json \
-         https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/generate-operation-token/update | jq
-    {
-      "nonce": "455bf989-6575-1262-c0d0-a94eaf60bdd0",
-      "started": true,
-      "progress": 3,
-      "required": 3,
-      "complete": true,
-      "encoded_token": "dKNQqNmh3JfJcSZdGlkttQ==",
-      "encoded_root_token": "",
-      "pgp_fingerprint": ""
-    }
-    ```
-
-1. Decode the generated DR operation token (`encoded_token`).
-
-    **Example:**
-
-    ```plaintext
-    $ vault operator generate-root -dr-token \
-            -decode="dKNQqNmh3JfJcSZdGlkttQ==" \
-            -otp="HenFLWmt0AgrjWJp/RECzQ=="
-
-    23e02f22-2ae6-94cc-d93f-5ee295e03e9d
-    ```
-
-1. Finally, promote the DR secondary to become the primary by invoking the
-**`sys/replication/dr/secondary/promote`** endpoint. The request payload must
-contains the DR operation token.  
-
-    **Example:**
-
-    ```plaintext
-    $ tee payload.json <<EOF
-    {
-	     "dr_operation_token": "23e02f22-2ae6-94cc-d93f-5ee295e03e9d"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-             --request POST \
-             --data @payload.json \
-             https://cluster-B.example.com:8200/v1/sys/replication/dr/secondary/promote | jq
-    {
-      "request_id": "3879546b-1dc7-8490-521b-80104ad761b5",
-      "lease_id": "",
-      "renewable": false,
-      "lease_duration": 0,
-      "data": null,
-      "wrap_info": null,
-      "warnings": [
-        "This cluster is being promoted to a replication primary. Vault will be unavailable
-        for a brief period and will resume service shortly."
-      ],
-      "auth": null
-    }
-    ```
-
-
-#### Web UI
-
-1. Click on **Generate OTP** to generate an OTP.  Then click **Copy OTP**.
-    ![DR Replication - secondary](/img/vault-dr-6.png)
-
-1. Click **Generate Operation Token**.
-
-1. A quorum of unseal keys must be entered to create a new operation token for
-the DR secondary.
-
-    ![DR Replication - secondary](/img/vault-dr-7.png)
-
-    -> This operation must be performed by each unseal-key holder.
-
-
-1. Once the quorum has been reached, the output displays the encoded DR operation token.  Click **Copy CLI command**.
-
-    ![DR Replication - secondary](/img/vault-dr-8.png)
-
-1. Execute the CLI command from a terminal to generate a DR operation token
-using the OTP generated earlier. (Be sure to enter your OTP in the command.)
-
-    **Example:**
-
-    ```
-    $ vault operator generate-root -dr-token \
-            -otp="vZpZZf5UI1nvB3A5/7Xq9A==" \          
-            -decode="cuplaFGYduDEY6ZVC5IfaA=="
-
-    cf703c0d-afcc-55b9-2b64-d66cf427f59c
-    ```
-
-1. Now, click **Promote** tab, and then enter the generated DR operation token.
-
-    ![DR Replication - secondary](/img/vault-dr-9-1.png)
-
-1. Click **Promote cluster**.
-
-    When you prompted, "_Are you sure you want to promote this cluster?_", click **Promote cluster** again to complete.
-
-    ![DR Replication - secondary](/img/vault-dr-9.png)
-
-<br>
-
-> Once the secondary cluster was successfully promoted, you should be able to
-log in using the original primary cluster's root token or via configured
-authentication method.  If desired, generate a [new root
-token](/guides/operations/generate-root.html).
-
-
-
-### <a name="step4"></a>Step 4: Demote DR Primary to Secondary
-
-If the _original_ DR primary cluster becomes operational again, you may want to
-utilize the cluster by making it a DR secondary cluster. This step explains how
-to demote the original DR primary cluster to a secondary.
-
-~> Remember that there is only **one** primary cluster available to the clients
-in DR replication.
-
-#### CLI command
-
-Execute the following command to demote the original DR primary cluster to a
-secondary.
-
-```plaintext
-$ vault write -f sys/replication/dr/primary/demote
-
-WARNING! The following warnings were returned from Vault:
-
-  * This cluster is being demoted to a replication secondary. Vault will be
-  unavailable for a brief period and will resume service shortly.
-```
-
-This secondary cluster will not attempt to connect to a primary (see the
-update-primary call), but will maintain knowledge of its cluster ID and can be
-reconnected to the same DR replication set without wiping local storage.
-
-
-#### API call using cURL
-
-Invoke the **`sys/replication/dr/secondary/enable`** endpoint to demote the
-original DR primary cluster to a secondary.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       https://cluster-A.example.com:8200/v1/sys/replication/dr/primary/demote | jq
-{
-   "request_id": "8a40adac-6eb7-c798-48d0-f7cdd25fdd6f",
-   "lease_id": "",
-   "renewable": false,
-   "lease_duration": 0,
-   "data": null,
-   "wrap_info": null,
-   "warnings": [
-     "This cluster is being demoted to a replication secondary. Vault will be unavailable for a brief period and will resume service shortly."
-   ],
-   "auth": null
-}
-```
-
-This secondary cluster will not attempt to connect to a primary (see the
-update-primary call), but will maintain knowledge of its cluster ID and can be
-reconnected to the same DR replication set without wiping local storage.
-
-#### Web UI
-
-Select **Replication** and click **Demote cluster**.
-
-![DR Replication - demotion](/img/vault-dr-10.png)
-
-When you prompted, "_Are you sure you want to demote this cluster?_", click
-**Demote cluster** again to complete.
-
-![DR Replication - demotion](/img/vault-dr-12.png)
-
-
-### <a name="step5"></a>Step 5: Disable DR Primary
-
-Once the DR secondary cluster was promoted to be the **new primary**, you may
-want to disable the DR replication on the _original_ primary when it becomes
-operational again.
-
-~> Remember that there is only **one** primary cluster available to the clients
-in DR replication.
-
-
-#### CLI command
-
-Execute the following command to disable DR replication.
-
-```plaintext
-$ vault write -f sys/replication/dr/primary/disable
-
-WARNING! The following warnings were returned from Vault:
-
-  * This cluster is having replication disabled. Vault will be unavailable for
-    a brief period and will resume service shortly.
-```
-
-Any secondaries will no longer be able to connect.
-
-
-#### API call using cURL
-
-Invoke the **`sys/replication/dr/primary/disable`** endpoint to disable DR
-replication.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       https://cluster-A.example.com:8200/v1/sys/replication/dr/primary/disable | jq
-{
-   "request_id": "92a5f57a-2f7b-11be-b9dd-0f028396fba8",
-   "lease_id": "",
-   "renewable": false,
-   "lease_duration": 0,
-   "data": null,
-   "wrap_info": null,
-   "warnings": [
-     "This cluster is having replication disabled. Vault will be unavailable for a brief period and will resume service shortly."
-   ],
-   "auth": null
-}
-```
-
-Any secondaries will no longer be able to connect.
-
-
-#### Web UI
-
-Select **Replication** and click **Disable replication**.
-
-![DR Replication - demotion](/img/vault-dr-11.png)
-
-When you prompted, "_Are you sure you want to disable replication on this
-cluster?_", click **Disable** again to complete.
-
-![DR Replication - demotion](/img/vault-dr-13.png)
-
-Any secondaries will no longer be able to connect.
-
-!> **Caution:** Once this is done, re-enabling the DR replication as a primary
-will change the cluster's ID.  Its connecting secondaries will require a wipe of
-the underlying storage even if they have connected before. If re-enabling DR
-replication as a secondary, its underlying storage will be wiped when connected
-to a primary.
-
-
-## <a name="important"></a>Important Note about Automated DR Failover
-
-Vault does not support an automatic failover/promotion of a DR secondary
-cluster, and this is a deliberate choice due to the difficulty in accurately
-evaluating why a failover should or shouldn't happen. For example, imagine a
-DR secondary loses its connection to the primary. Is it because the primary is
-down, or is it because networking between the two has failed?
-
-If the DR secondary promotes itself and clients start connecting to it, you now
-have two active clusters whose data sets will immediately start diverging.
-There's no way to understand simply from one perspective or the other which one
-of them is right.
-
-Vault's API supports programmatically performing various replication operations
-which allows the customer to write their own logic about automating some of
-these operations based on experience within their own environments. You can
-review the available replication APIs at the following links:
-
-- [Vault Replication API](/api/system/replication.html)
-- [DR Replication API](/api/system/replication-dr.html)
-- [Performance Replication API](/api/system/replication-performance.html)
-
-
-
-## Next steps
-
-Read [Production Hardening](/guides/operations/production.html) to learn more
-about the guidance on hardening the production deployments of Vault.
diff --git a/website/source/guides/operations/generate-root.html.md b/website/source/guides/operations/generate-root.html.md
deleted file mode 100644
index a7c2e669a49a..000000000000
--- a/website/source/guides/operations/generate-root.html.md
+++ /dev/null
@@ -1,159 +0,0 @@
----
-layout: "guides"
-page_title: "Generate Root Tokens using Unseal Keys - Guides"
-sidebar_title: "Root Token Generation"
-sidebar_current: "guides-operations-generate-root"
-description: |-
-  Generate a new root token using a threshold of unseal keys.
----
-
-# Generate Root Tokens Using Unseal Keys
-
-It is generally considered a best practice to not persist
-[root tokens][root-tokens]. Instead a root token should be generated using
-Vault's `operator generate-root` command only when absolutely necessary. This
-guide demonstrates regenerating a root token.
-
-1. Unseal the vault using the existing quorum of unseal keys. You do not need to
-  be authenticated to generate a new root token, but the Vault must be unsealed
-  and a quorum of unseal keys must be available.
-
-    ```shell
-    $ vault operator unseal
-    # ...
-    ```
-
-### Using OTP
-
-In this method, an OTP is XORed with the generated token on final output.
-
-1. Generate a one-time password (OTP) to use for XORing the resulting token:
-
-    ```text
-    $ vault operator generate-root -generate-otp
-    mOXx7iVimjE6LXQ2Zna6NA==
-    ```
-
-    Save this OTP because you will need it to get the decoded final root token.
-
-1. Initialize a root token generation, providing the OTP code from the step
-   above:
-
-    ```text
-    $ vault operator generate-root -init -otp=mOXx7iVimjE6LXQ2Zna6NA==
-    Nonce              f67f4da3-4ae4-68fb-4716-91da6b609c3e
-    Started            true
-    Progress           0/5
-    Complete           false
-    ```
-
-    The nonce value should be distributed to all unseal key holders.
-
-1. Each unseal key holder provides their unseal key:
-
-    ```text
-    $ vault operator generate-root
-    Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
-    Unseal Key (will be hidden): ...
-    ```
-
-    If there is a tty, Vault will prompt for the key and automatically
-    complete the nonce value. If there is no tty, or if the value is piped
-    from stdin, the user must specify the nonce value from the `-init`
-    operation.
-
-    ```text
-    $ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
-    ```
-
-1. When the quorum of unseal keys are supplied, the final user will also get
-   the encoded root token.
-
-    ```text
-    $ vault operator generate-root
-    Root generation operation nonce: f67f4da3-4ae4-68fb-4716-91da6b609c3e
-    Unseal Key (will be hidden):
-
-    Nonce         f67f4da3-4ae4-68fb-4716-91da6b609c3e
-    Started       true
-    Progress      5/5
-    Complete      true
-    Root Token    IxJpyqxn3YafOGhqhvP6cQ==
-    ```
-
-1. Decode the encoded token using the OTP:
-
-    ```text
-    $ vault operator generate-root \
-        -decode=IxJpyqxn3YafOGhqhvP6cQ== \
-        -otp=mOXx7iVimjE6LXQ2Zna6NA==
-
-    24bde68f-3df3-e137-cf4d-014fe9ebc43f
-    ```
-
-### Using PGP
-
-1. Initialize a root token generation, providing the path to a GPG public key
-   or keybase username of a user to encrypted the resulting token.
-
-    ```text
-    $ vault operator generate-root -init -pgp-key=keybase:sethvargo
-    Nonce              e24dec5e-f1ea-2dfe-ecce-604022006976
-    Started            true
-    Progress           0/5
-    Complete           false
-    PGP Fingerprint    e2f8e2974623ba2a0e933a59c921994f9c27e0ff
-    ```
-
-    The nonce value should be distributed to all unseal key holders.
-
-1. Each unseal key holder providers their unseal key:
-
-    ```text
-    $ vault operator generate-root
-    Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976
-    Unseal Key (will be hidden): ...
-    ```
-
-    If there is a tty, Vault will prompt for the key and automatically
-    complete the nonce value. If there is no tty, or if the value is piped
-    from stdin, the user must specify the nonce value from the `-init`
-    operation.
-
-    ```text
-    $ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
-    ```
-
-1. When the quorum of unseal keys are supplied, the final user will also get
-   the encoded root token.
-
-    ```text
-    $ vault operator generate-root
-    Root generation operation nonce: e24dec5e-f1ea-2dfe-ecce-604022006976
-    Unseal Key (will be hidden):
-
-    Nonce              e24dec5e-f1ea-2dfe-ecce-604022006976
-    Started            true
-    Progress           1/1
-    Complete           true
-    PGP Fingerprint    e2f8e2974623ba2a0e933a59c921994f9c27e0ff
-    Root Token         wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg...
-    ```
-
-1. Decrypt the encrypted token using associated private key:
-
-    ```text
-    $ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | gpg --decrypt
-
-    d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
-    ```
-
-    or via keybase:
-
-    ```text
-    $ echo "wcFMA0RVkFtoqzRlARAAI3Ux8kdSpfgXdF9mg..." | base64 --decode | keybase pgp decrypt
-
-    d0f71e9b-ebff-6d8a-50ae-b8859f2e5671
-    ```
-
-[root-tokens]: /docs/concepts/tokens.html#root-tokens
diff --git a/website/source/guides/operations/index.html.md b/website/source/guides/operations/index.html.md
deleted file mode 100644
index 766c79e5c093..000000000000
--- a/website/source/guides/operations/index.html.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-layout: "guides"
-page_title: "Vault Operations - Guides"
-sidebar_title: "Vault Operations"
-sidebar_current: "guides-operations"
-description: |-
-  Vault architecture guide covers Vault infrastructure discussions including
-  installation.   
----
-
-# Vault Operations
-
-Vault Operations guides address Vault infrastructure discussions.  These
-guides are designed to help the operations team to plan and install a Vault
-cluster that meets your organization's needs.
-
-- [Vault Reference Architecture](/guides/operations/reference-architecture.html)
-guide provides guidance in the best practices of _Vault Enterprise_ implementations
-through use of a reference architecture. This example is to convey a general
-architecture, which is likely to be adapted to accommodate the specific needs of
-each implementation.
-
-- [Vault Deployment Guide](/guides/operations/deployment-guide.html) covers the
-steps required to install and configure a single HashiCorp Vault cluster as
-defined in the Vault Reference Architecture.
-
-- [Vault HA with Consul](/guides/operations/vault-ha-consul.html) guide
-walks you through a simple Vault HA cluster implementation which is backed by
-[HashiCorp Consul](https://www.consul.io/intro/index.html).
-
-- [Production Hardening](/guides/operations/production.html) guide provides
-guidance on best practices for a production hardened deployment of Vault.
-The recommendations are based on the [security model](/docs/internals/security.html)
-and focus on defense in depth.
-
-- [Root Token Generation](/guides/operations/generate-root.html) guide
-demonstrates the workflow of regenerating root tokens. It is considered to be a
-best practice not to persist the initial **root** token. If a root token needs
-to be regenerated, this guide helps you walk through the task.
-
-- [Rekeying & Rotating](/guides/operations/rekeying-and-rotating.html) guide
-provides a high-level overview of Shamir's Secret Sharing Algorithm, and how to
-perform _rekey_ and _rotate_ operations in Vault.
-
-- [Building Plugin Backends](/guides/operations/plugin-backends.html) guide
-provides steps to build, register, and mount non-database external plugin
-backends.
-
-
-
-## Vault Enterprise
-
-- [Replication Setup & Guidance](/guides/operations/replication.html)
-walks you through the commands to activate the Vault servers in replication mode.
-Please note that [Vault Replication](/docs/vault-enterprise/replication/index.html)
-is a Vault Enterprise feature.
-
-- [Disaster Recovery Replication Setup](/guides/operations/disaster-recovery.html)
-guide provides step-by-step instruction of setting up a disaster recovery (DR)
-cluster.
-
-- [Mount Filter](/guides/operations/mount-filter.html)
-guide demonstrates how to selectively filter out secret engines from being
-replicated across clusters. This feature can help organizations to comply with
-***General Data Protection Regulation (GDPR)***.
-
-- [Performance Standby Nodes](/guides/operations/performance-nodes.html) guide
-describes how Vault HA works with performance standby nodes.
-
-- [Multi-Tenant Pattern with Namespaces](/guides/operations/multi-tenant.html)
-guide discuss a pattern to isolate secrets using ACL Namespaces.
-
-- [Vault Auto-unseal using AWS Key Management Service (KMS)](/guides/operations/autounseal-aws-kms.html) guide demonstrates an example of
-how to use Terraform to provision an instance that utilizes an encryption key
-from AWS Key Management Service (KMS).
-
-- [Seal Wrap / FIPS 140-2](/guides/operations/seal-wrap.html)
-guide demonstrates how Vault's seal wrap feature works to encrypt your secrets
-leveraging FIPS 140-2 certified HSM.
-
-- [Vault Cluster Monitoring Guide](/guides/operations/monitoring.html) walks
-you through Vault cluster monitoring with telemetry collected by
-[Telegraf](https://www.influxdata.com/time-series-platform/telegraf/) and
-forwarded to
-[InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/) and
-[Grafana](https://grafana.com/) for analysis.
diff --git a/website/source/guides/operations/monitoring.html.md b/website/source/guides/operations/monitoring.html.md
deleted file mode 100644
index dbe1e11c05c3..000000000000
--- a/website/source/guides/operations/monitoring.html.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-layout: "guides"
-page_title: "Vault Cluster Monitoring - Guides"
-sidebar_title: "Vault Cluster Monitoring"
-sidebar_current: "guides-operations-monitoring"
-description: |-
-  Learn how to set up and manage Vault Enterprise Performance Replication.
----
-
-# Vault Cluster Monitoring
-
-~> [Download **Vault Cluster Monitoring Guide**](https://s3-us-west-2.amazonaws.com/hashicorp-education/whitepapers/Vault/Vault-Consul-Monitoring-Guide.pdf)
-
-
-This _Vault Cluster Monitoring Guide_ demonstrates monitoring of a Vault cluster
-configured  with Consul as its storage backend.
-
-The guide walks you through:
-
-- How to set up a monitoring stack ([Telegraf](https://www.influxdata.com/time-series-platform/telegraf/), [InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/), and [Grafana](https://grafana.com/)).
-- How to configure Vault and Consul to send telemetry to a monitoring agent.
-- Which metrics are important to monitor, and why.
-
-![Dashboard Example](/img/vault_cluster.png)
-
-
-## Reference Materials
-
-- [Vault Deployment Reference Architecture](/guides/operations/reference-architecture.html)
-- [Vault High Availability](/guides/operations/vault-ha-consul.html)
-- [Production Hardening](/guides/operations/production.html)
diff --git a/website/source/guides/operations/mount-filter.html.md b/website/source/guides/operations/mount-filter.html.md
deleted file mode 100644
index 9f855fc1098f..000000000000
--- a/website/source/guides/operations/mount-filter.html.md
+++ /dev/null
@@ -1,522 +0,0 @@
----
-layout: "guides"
-page_title: "Vault Mount Filter - Guides"
-sidebar_title: "Mount Filter"
-sidebar_current: "guides-operations-mount-filter"
-description: |-
-  This guide demonstrates how to selectively filter out secret mounts for
-  Performance Replication.
----
-
-# Vault Mount Filter
-
-~> **Enterprise Only:** Mount filter feature is a part of _Vault Enterprise Premium_.
-
-Mount filters are a new way of controlling which secrets are moved across
-clusters and physical regions as a result of replication. With mount filters,
-users can select which secret engines will be replicated as part of a
-performance replication relationship.
-
-By default, all non-local secret engines and associated data are replicated as
-part of replication. The mount filter feature allows users to whitelist or
-blacklist which secret engines are replicated, thereby allowing users to further
-control the movement of secrets across their infrastructure.
-
-![Performance Replication](/img/vault-mount-filter-2.png)
-
-
-## Reference Materials
-
-- Preparing for GDPR Compliance with HashiCorp Vault [webinar](https://www.hashicorp.com/resources/preparing-for-gdpr-compliance-with-hashicorp-vault)
-- Preparing for GDPR Compliance with HashiCorp Vault [blog post](https://www.hashicorp.com/blog/preparing-for-gdpr-compliance-with-hashicorp-vault)  
-- [Create Mounts Filter (API)](/api/system/replication-performance.html#create-mounts-filter)
-- [Performance Replication and Disaster Recovery (DR) Replication](/docs/enterprise/replication/index.html#performance-replication-and-disaster-recovery-dr-replication)
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Challenge
-
-[**General Data Protection Regulation (GDPR)**](https://www.eugdpr.org/) is designed
-to strengthen data protection and privacy for all individuals within the
-European Union.  It requires that personally identifiable data not be physically
-transferred to locations outside the European Union unless the region or country
-has an equal rigor of data protection regulation as the EU.
-
-Failure to abide by GDPR will result in fines as high as 20 million EUR or 4% of
-the global annual revenue (whichever greater).
-
-
-## Solution
-
-Leverage Vault's **mount filter** feature to abide by data movements and
-sovereignty regulations while ensuring performance access across geographically
-distributed regions.
-
-The [***Preparing for GDPR Compliance with HashiCorp
-Vault***](https://www.hashicorp.com/resources/preparing-for-gdpr-compliance-with-hashicorp-vault)
-webinar discusses the GDPR compliance further in details.
-
-[![YouTube](/img/vault-mount-filter.png)](https://youtu.be/hmf6sN4W8pE)
-
-## Prerequisites
-
-This intermediate Vault operations guide assumes that you have some working
-knowledge of Vault.
-
-You need two Vault Enterprise clusters: one representing the EU cluster, and
-another representing the US cluster both backed by Consul for storage.
-
-
-## Steps
-
-**Scenario:**  You have a Vault cluster in EU and wish to span across the United
-States by setting up a secondary cluster and enable the performance
-replication. However, some data must remain in EU and should ***not*** be
-replicated to the US cluster.
-
-![Guide Scenario](/img/vault-mount-filter-0.png)
-
-Leverage the mount filter feature to blacklist the secrets, that are subject to
-GDPR, from being replicated across the regions.
-
-1. [Segment GDPR and non-GDPR secret engines](#step1)
-1. [Enable performance replication with mount filter](#step2)
-1. [Verify the replication mount filter](#step3)
-1. [Enable a local secret engine](#step4)
-
-~> **NOTE:** Ensure that GDPR data is segmented by secret mount and blacklist
-the movement of those secret mounts to non-GDPR territories.
-
-
-### <a name="step1"></a>Step 1: Segment GDPR and non-GDPR secret engines
-
-In the EU cluster (primary cluster), enable key/value secret engines:
-
-- At **`EU_GDPR_data`** for GDPR data
-- At **`US_NON_GDPR_data`** for non-GDPR data localized for US
-
-#### CLI command
-
-```shell
-# For GDPR data
-$ vault secrets enable -path=EU_GDPR_data kv-v2
-
-# For non-GDPR data accessible in US
-$ vault secrets enable -path=US_NON_GDPR_data kv-v2
-```
-
-#### API call using cURL
-
-```shell
-# For GDPR data
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type":"kv-v2"}' \
-       https://eu-west-1.compute.com:8200/v1/sys/mounts/EU_GDPR_data
-
-# For non-GDPR data accessible in US
-$ curl --header "X-Vault-Token: ..." \
-      --request POST \
-      --data '{"type":"kv-v2"}' \
-      https://eu-west-1.compute.com:8200/v1/sys/mounts/US_NON_GDPR_data
-```
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g.
-https://eu-west-1.compute.com:8200/ui) and then login.
-
-Select **Enable new engine** and enter corresponding parameter values:
-
-![GDPR KV](/img/vault-mount-filter-3.png)
-
-![Non-GDPR KV](/img/vault-mount-filter-4.png)
-
-
-Click **Enable Engine** to complete.
-
-
-### <a name="step2"></a>Step 2: Enable performance replication with mount filter
-
-#### CLI command
-
-1. Enable performance replication on the **primary** cluster.
-
-    ```plaintext
-    $ vault write -f sys/replication/performance/primary/enable
-    WARNING! The following warnings were returned from Vault:
-
-    * This cluster is being enabled as a primary for replication. Vault will be
-    unavailable for a brief period and will resume service shortly.
-    ```
-
-1. Generate a secondary token.
-
-    ```plaintext
-    $ vault write sys/replication/performance/primary/secondary-token id="secondary"
-    Key                              Value
-    ---                              -----
-    wrapping_token:                  eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoiaHR0cDovLzE3Mi4zMS4yMC4xODA6ODIwMyIsImV4cCI6MTUyNTg0ODAxMywiaWF0IjoxNTI1ODQ2MjEzLCJqdGkiOiJlNTFiMjUxZi01ZTg2LTg4OWEtNGZmMy03NTQzMjRkNTdlMGQiLCJ0eXBlIjoid3JhcHBpbmcifQ.MIGGAkE2dDj3nmaoLHg7oldQ1iZPD0U8doyj3x3mQUVfTl8W99QYG8GM6VGVzhRPGvKctGriuo2oXN_8euWQb01M1y6n7gJBSu-qdXw-v2RieOyopAHls1bWhw4sO9Nlds8IDFA15vqkLXnq2g4_5lvlhxpP7B8dEOHvWXkHG4kJ_mKvrgR0dU0
-    wrapping_accessor:               6ded4fb0-5e8c-2a37-1b3e-823673220348
-    wrapping_token_ttl:              30m
-    wrapping_token_creation_time:    2018-05-09 06:10:13.437421436 +0000 UTC
-    wrapping_token_creation_path:    sys/replication/performance/primary/secondary-token
-    ```
-
-1. Create a **mount filter** to blacklist `EU_GDPR_data`.
-
-    ```plaintext
-    $ vault write sys/replication/performance/primary/mount-filter/secondary  \
-           mode="blacklist" paths="EU_GDPR_data/"
-    ```
-
-1. Enable performance replication on the **secondary** cluster.
-
-    ```plaintext
-    $ vault write sys/replication/performance/secondary/enable token="..."
-    ```
-    Where the `token` is the `wrapping_token` obtained from the primary cluster.
-
-    !> **NOTE:** This will immediately clear all data in the secondary cluster.
-
-#### API call using cURL
-
-1. Enable performance replication on the **primary** cluster.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{"primary_cluster_addr":"https://eu-west-1.compute.com:8200"}' \
-           https://eu-west-1.compute.com:8200/v1/sys/replication/performance/primary/enable
-    ```
-
-1. Generate a secondary token.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{ "id": "secondary"}' \
-           https://eu-west-1.compute.com:8200/v1/sys/replication/performance/primary/secondary-token | jq
-      {
-       "request_id": "",
-       "lease_id": "",
-       "renewable": false,
-       "lease_duration": 0,
-       "data": null,
-       "wrap_info": {
-         "token": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoiaHR0cDovLzEyNy4wLjAuMTo4MjAzIiwiZXhwIjoxNTI1ODI5Njc2LCJpYXQiOjE1MjU4Mjc4NzYsImp0aSI6IjAwNmVkMDdjLWQ0MzYtZWViYy01OWYwLTdiMTU0ZGFmMDNiMCIsInR5cGUiOiJ3cmFwcGluZyJ9.MIGHAkF6saWWL-oRQMJIoUnaUOHNkcoHZCBwQs6mSMjPBopMi8DkGCJGBrh4jgV2mSzwFY1r5Ne7O66HmuMpm40MsYqjAQJCANSco_Sx5q6FmQSfoY-HtsVO1_YKWF4O6B7gYCvPKYkODMIwe5orCSgmIDyXHZt-REPm0sfdk4ZNyRCIRK5hDWyQ",
-         "accessor": "6ea2a4e2-2926-120f-f288-c2348c78fb3e",
-         "ttl": 1800,
-         "creation_time": "2018-05-09T01:04:36.514715311Z",
-         "creation_path": "sys/replication/performance/primary/secondary-token"
-       },
-       "warnings": null,
-       "auth": null
-     }
-    ```
-
-1. Create a **mount filter** to blacklist `EU_GDPR_data`.
-
-    ```plaintext
-    $ tee payload.json <<EOF
-    {
-      "mode": "blacklist",
-      "paths": [ "EU_GDPR_data/" ]
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload.json \
-           https://eu-west-1.compute.com:8200/v1/sys/replication/performance/primary/mount-filter/secondary
-    ```
-
-1. Enable performance replication on the **secondary** cluster.
-
-    ```plaintext
-    $ tee payload.json <<EOF
-    {
-      "token": "..."
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload.json \
-           https://us-central.compute.com:8201/v1/sys/replication/performance/secondary/enable
-    ```
-
-    Where the `token` in `payload.json` is the token obtained from the primary
-    cluster.
-
-    !> **NOTE:** This will immediately clear all data in the secondary cluster.
-
-
-#### Web UI
-
-1. Select **Replication** and check the **Performance** radio button.
-  ![Performance Replication - primary](/img/vault-mount-filter-5.png)
-
-1. Click **Enable replication**.
-
-1. Select the **Secondaries** tab, and then click **Add**.
-  ![Performance Replication - primary](/img/vault-mount-filter-6.png)
-
-1. Populate the **Secondary ID** field, and then select **Configure performance
-mount filtering** to set your mount filter options.  You can filter by
-whitelisting or blacklisting. For this example, select **Blacklist**.
-
-1. Check **EU_GDPR_data** to prevent it from being replicated to the secondary
-cluster.
-  ![Performance Replication - primary](/img/vault-mount-filter-7.png)
-
-1. Click **Generate token**.
-  ![Performance Replication - primary](/img/vault-mount-filter-8.png)
-
-1. Click **Copy** to copy the token.
-
-1. Now, launch the Vault UI for the secondary cluster (e.g. https://us-central.compute.com:8201/ui), and then click **Replication**.
-
-1. Check the **Performance** radio button, and then select **secondary** under the **Cluster mode**. Paste the token you copied from the primary.
-  ![Performance Replication - secondary](/img/vault-mount-filter-9.png)
-
-1. Click **Enable replication**.
-
-<br>
-
-~> **NOTE:** At this point, the secondary cluster must be unsealed using the
-**primary cluster's unseal key**. If the secondary is in an HA cluster, ensure
-that each standby is sealed and unsealed with the primary’s unseal keys. The
-secondary cluster mirrors the configuration of its primary cluster's backends
-such as auth methods, secret engines, audit devices, etc. It uses the primary as
-the _source of truth_ and passes token requests to the primary.
-
-
-Restart the secondary vault server (e.g. `https://us-central.compute.com:8201`)
-and unseal it with the primary cluster's unseal key.
-
-```plaintext
-$ vault operator unseal
-Unseal Key (will be hidden): <primary_cluster_unseal_key>
-```
-
-The initial root token on the secondary no longer works. Use the auth methods
-configured on the primary cluster to log into the secondary.
-
-**Example:**
-
-Enable and configure the userpass auth method on the **primary** cluster and
-create a new username and password.
-
-```shell
-# Enable the userpass auth method on the primary
-$ vault auth enable userpass
-
-# Create a user with admin policy
-$ vault write auth/userpass/users/james password="passw0rd" policy="admin"
-```
-
--> Alternatively, you can [generate a new root token](/guides/operations/generate-root.html)
-using the primary cluster's unseal key. However, it is recommended that root
-tokens are only used for just enough initial setup or in emergencies.
-
-
-Log into the **secondary** cluster using the enabled auth method.
-
-```plaintext
-$ vault login -method=userpass username=james password="passw0rd"
-```
-
-
-### <a name="step3"></a>Step 3: Verify the replication mount filter
-
-Once the replication completes, verify that the secrets stored in the
-`EU_GDPR_data` never get replicated to the US cluster.
-
-#### CLI command
-
-On the **EU** cluster, write some secrets:
-
-```shell
-# Write some secret at EU_GDPR_data/secret
-$ vault kv put EU_GDPR_data/secret pswd="password"
-Key              Value
----              -----
-created_time     2018-05-10T18:00:38.912587665Z
-deletion_time    n/a
-destroyed        false
-version          1
-
-# Write some secret at US_NON_GDPR_data/secret
-$ vault kv put US_NON_GDPR_data/secret apikey="my-api-key"
-Key              Value
----              -----
-created_time     2018-05-10T18:04:37.554665851Z
-deletion_time    n/a
-destroyed        false
-version          1
-```
-
-From the **US** cluster, read the secrets:
-
-```shell
-# Read the secrets at EU_GDPR_data/secret
-$ vault kv get EU_GDPR_data/secret
-No value found at EU_GDPR_data/secret
-
-# Read the secrets at US_NON_GDPR_data/secret
-$ vault kv get US_NON_GDPR_data/secret
-====== Metadata ======
-Key              Value
----              -----
-created_time     2018-05-10T18:09:07.717250408Z
-deletion_time    n/a
-destroyed        false
-version          1
-
-===== Data =====
-Key       Value
----       -----
-apikey    my-api-key
-```
-
-
-#### API call using cURL
-
-On the **EU** cluster, write some secret:
-
-```shell
-# Create the request payload
-$ tee payload.json <<EOF
-{
-  "data": {
-    "pswd": "password"
-  }
-}
-EOF
-
-# Write some secret at EU_GDPR_data/secret
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       https://eu-west-1.compute.com:8200/v1/EU_GDPR_data/data/secret
-
-# Create the request payload
-$ tee payload-us.json <<EOF
-{
- "data": {
-   "apikey": "my-api-key"
- }
-}
-EOF
-
-# Write some secret at US_NON_GDPR_data/secret
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload-us.json \
-       https://eu-west-1.compute.com:8200/v1/US_NON_GDPR_data/data/secret
-```
-
-From the **US** cluster, read the secrets:
-
-```shell
-# Read the secrets at EU_GDPR_data/secret
-$ curl --header "X-Vault-Token: ..." \
-       https://us-central.compute.com:8201/v1/EU_GDPR_data/data/secret | jq
-{
-  "errors": []
-}
-
-# Read the secrets at US_NON_GDPR_data/secret
-$ curl --header "X-Vault-Token: ..." \
-       https://us-central.compute.com:8201/v1/US_NON_GDPR_data/data/secret | jq
-{
-  "request_id": "f5eedb5b-9406-c519-f5a5-070336c10205",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": [
-    "Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get' for this operation."
-  ],
-  "auth": null
-}
-```
-
-#### Web UI
-
-On the **EU** cluster, select **EU_GDPR_data** > **Create secret**:
-
-![Secrets](/img/vault-mount-filter-12.png)
-
-Enter the values and click **Save**.  Repeat the step to write some secrets at
-the **US_NON_GDPR_data** path as well.
-
-
-On the **US** cluster, select **US_NON_GDPR_data**. You should be able to see
-the `apikey` under `US_NON_GDPR_data/secret`.
-
-![Secrets](/img/vault-mount-filter-13.png)
-
-The **EU_GDPR_data** data is not replicated, so you won't be able to see the
-secrets.
-
-
-### <a name="step4"></a>Step 4: Enable a local secret engine
-
-When replication is enabled, you can mark the secrets engine local only.  Local
-secret engines are not replicated or removed by replication.
-
-Login to the **secondary** cluster and enable key/value secret engine at
-`US_ONLY_data` to store secrets only valid for the US region.
-
-#### CLI command
-
-Pass the `-local` flag:
-
-```plaintext
-$ vault secrets enable -local -path=US_ONLY_data kv-v2
-```
-
-#### API call using cURL
-
-Pass the `local` parameter in the API request:
-
-```plaintext
-$ tee payload.json <<EOF
-{
-  "type": "kv-v2",
-  "local": true
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       https://us-central.compute.com:8201/v1/sys/mounts/US_ONLY_data
-```
-
-
-#### Web UI
-
-Be sure to select the check box for **Local** to keep it mounted locally within
-the cluster.
-
-![Local Secret](/img/vault-mount-filter-10.png)
-
-<br>
-
--> **NOTE:** `US_ONLY_data` only exists locally in the secondary cluster that
-you won't be able to see it from the primary cluster.
-
-
-
-
-## Next steps
-
-Read [Vault Deployment Reference
-Architecture](/guides/operations/reference-architecture.html) to learn more
-about the recommended deployment practices.
diff --git a/website/source/guides/operations/multi-tenant.html.md b/website/source/guides/operations/multi-tenant.html.md
deleted file mode 100644
index 9aa64c27e397..000000000000
--- a/website/source/guides/operations/multi-tenant.html.md
+++ /dev/null
@@ -1,1013 +0,0 @@
----
-layout: "guides"
-page_title: "Secure Multi-Tenancy with Namepaces - Guides"
-sidebar_title: "Multi-Tenant: Namespaces"
-sidebar_current: "guides-operations-multi-tenant"
-description: |-
-  This guide provides guidance in creating a multi-tenant environment.
----
-
-# Secure Multi-Tenancy with Namespaces
-
-~> **Enterprise Only:** The namespaces feature is a part of _Vault Enterprise Pro_.
-
-Everything in Vault is path-based, and often uses the terms `path` and
-`namespace` interchangeably. The application namespace pattern is a useful
-construct for providing Vault as a service to internal customers, giving them
-the ability to implement secure multi-tenancy within Vault in order to provide
-isolation and ensure teams can self-manage their own environments.
-
-
-## Reference Material
-
-- [Namespaces](/docs/enterprise/namespaces/index.html)
-- [Streamline Secrets Management with Vault Agent and Vault 0.11](https://youtu.be/zDnIqSB4tyA)
-- [Vault Deployment Reference Architecture](/guides/operations/reference-architecture.html)
-- [Policies](/guides/identity/policies.html) guide
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Personas
-
-The scenario described in this guide introduces the following personas:
-
-- **`operations`** is the cluster-level administrator with privileged policies
-- **`org-admin`** is the organization-level administrator
-- **`team-admin`** is the team-level administrator
-
-## Challenge
-
-When Vault is primarily used as a central location to manage secrets, multiple
-organizations within a company may need to be able to manage their secrets in a
-self-serving manner. This means that a company needs to implement a ***Vault as
-a Service*** model allowing each organization (tenant) to manage their own
-secrets and policies. The most importantly, tenants should be restricted to work
-only within their tenant scope.
-
-![Multi-Tenant](/img/vault-multi-tenant.png)
-
-## Solution
-
-Create a **namespace** dedicated to each team, organization, or app where
-they can perform all necessary tasks within their tenant namespace.  
-
-Each namespace can have its own:
-
-- Policies
-- Auth Methods
-- Secret Engines
-- Tokens
-- Identity entities and groups
-
-~> Tokens are locked to a namespace or child-namespaces.  Identity groups can
-pull in entities and groups from _other_ namespaces.
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a **Vault
-Enterprise** environment.  
-
--> **NOTE:** The creation of namespaces should be performed by a user with a
-highly privileged token such as **`root`** to set up isolated environments for
-each organization, team, or application.
-
-
-## Steps
-
-**Scenario:** In this guide, you are going to create a namespace dedicated to
-the Education organization which has Training and Certification teams. Delegate
-operational tasks to the team admins so that the Vault cluster operators won't
-have to be involved.
-
-![Scenario](/img/vault-multi-tenant-2.png)
-
-In this guide, you are going to perform the following steps:
-
-1. [Create namespaces](#step1)
-1. [Write policies](#step2)
-1. [Setup entities and groups](#step3)
-1. [Test the organization admin user](#step4)
-1. [Test the team admin user](#step5)
-1. [Audit ambient credentials](#step6)
-
-
-### <a name="step1"></a>Step 1: Create namespaces
-(**Persona:** operations)
-
-#### CLI command
-
-To create a new namespace, run: **`vault namespace create <namespace_name>`**
-
-1. Create a namespace dedicated to the **`education`** organizations:
-
-    ```plaintext
-    $ vault namespace create education
-    ````
-
-1. Create child namespaces called `training` and `certification` under the
-`education` namespace:
-
-    ```plaintext
-    $ vault namespace create -namespace=education training
-
-    $ vault namespace create -namespace=education certification
-    ````
-
-1. List the created namespaces:
-
-    ```plaintext
-    $ vault namespace list
-    education/
-
-    $ vault namespace list -namespace=education
-    certification/
-    training/
-    ```
-
-#### API call using cURL
-
-To create a new namespace, invoke **`sys/namespaces`** endpoint:
-
-```shell
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       <VAULT_ADDRESS>/v1/sys/namespaces/<NS_NAME>
-```
-
-Where `<TOKEN>` is your valid token, and `<NS_NAME>` is the desired namespace
-name.
-
-1. Create a namespace for the **`education`** organization:
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           http://127.0.0.1:8200/v1/sys/namespaces/education
-    ```
-
-1. Now, create a child namespace called **`training`** and **`certification`**
-under `education`. To do so, pass the top-level namespace name in the
-**`X-Vault-Namespace`** header.
-
-    ```shell
-    # Create a training namespace under education
-    # NOTE: Top-level namespace is in the API endpoint
-    $ curl --header "X-Vault-Token: ..." \
-           --header "X-Vault-Namespace: education" \
-           --request POST \
-           http://127.0.0.1:8200/v1/education/sys/namespaces/training
-
-    # Create a certification namespace under education
-    # NOTE: Pass the top-level namespace in the header
-    $ curl --header "X-Vault-Token: ..." \
-           --header "X-Vault-Namespace: education" \
-           --request POST \
-           http://127.0.0.1:8200/v1/sys/namespaces/certification
-    ```
-
-1. List the created namespaces:
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request LIST
-           http://127.0.0.1:8200/v1/sys/namespaces | jq
-    {
-       ...
-       "data": {
-         "keys": [
-           "education/"
-         ]
-       },
-       ...
-
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request LIST
-           http://127.0.0.1:8200/v1/education/sys/namespaces | jq
-     {
-       ...
-       "data": {
-         "keys": [
-           "certification/",
-           "training/"
-         ]
-       },
-       ...
-    ```
-
-
-#### Web UI
-
-1. Open a web browser and launch the Vault UI (e.g. http://127.0.01:8200/ui)
-and then login.
-
-1. Select **Access**.
-
-1. Select **Namespaces** and then click **Create a namespace**.
-
-1. Enter **`education`** in the **Path** field.
-
-1. Click **Save**.
-
-1. To create child namespaces, select the down-arrow on the upper left corner of
-the UI, and select **education** under **CURRENT NAMESPACE**.
-
-    ![NS Selection](/img/vault-multi-tenant-1.png)
-
-1. Under the **Access** tab, select **Namespaces** and then click **Create a namespace**.
-
-1. Enter **`training`** in the **Path** field, and click **Save**.
-
-1. Select **Create a namespace** again, and then enter **`certification`** in
-the **Path** field, and click **Save**.
-
-
-
-### <a name="step2"></a>Step 2: Write Policies
-(**Persona:** operations)
-
-In this scenario, there is an organization-level administrator who is a
-superuser within the scope of the **`education`** namespace.  Also, there is a
-team-level administrator for **`training`** and **`certification`**.
-
-
-#### Policy for education admin
-
-**Requirements:**
-
-- Create and manage namespaces
-- Create and manage policies
-- Enable and manage secret engines
-- Create and manage entities and groups
-- Manage tokens
-
-**`edu-admin.hcl`**
-
-```shell
-# Manage namespaces
-path "sys/namespaces/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage policies via API
-path "sys/policies/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage policies via CLI
-path "sys/policy/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# List policies via CLI
-path "sys/policy" {
-   capabilities = ["read", "update", "list"]
-}
-
-# Enable and manage secrets engines
-path "sys/mounts/*" {
-   capabilities = ["create", "read", "update", "delete", "list"]
-}
-
-# List available secret engines
-path "sys/mounts" {
-  capabilities = [ "read" ]
-}
-
-# Create and manage entities and groups
-path "identity/*" {
-   capabilities = ["create", "read", "update", "delete", "list"]
-}
-
-# Manage tokens
-path "auth/token/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-```
-
-
-#### Policy for training admin
-
-**Requirements:**
-
-- Create and manage child-namespaces
-- Create and manage policies
-- Enable and manage secret engines
-
-**`training-admin.hcl`**
-
-```shell
-# Manage namespaces
-path "sys/namespaces/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage policies via API
-path "sys/policies/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage policies via CLI
-path "sys/policy/*" {
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# List policies via CLI
-path "sys/policy" {
-  capabilities = ["read", "update", "list"]
-}
-
-# Enable and manage secrets engines
-path "sys/mounts/*" {
-   capabilities = ["create", "read", "update", "delete", "list"]
-}
-
-# List available secret engines
-path "sys/mounts" {
-  capabilities = [ "read" ]
-}
-```
-
-Now, let's deploy the policies!
-
--> Also, refer to the [Additional Discussion](#policy-with-namespaces) section
-to learn more about policy authoring with namespaces.
-
-
-#### CLI command
-
-To target a specific namespace, you can do one of the following:
-
-* Set **`VAULT_NAMESPACE`** so that all subsequent CLI commands will be
-executed against that particular namespace
-
-    ```plaintext
-    $ export VAULT_NAMESPACE=<namespace_name>
-    $ vault policy write <policy_name> <policy_file>
-    ```
-
-* Specify the target namespace with **`-namespace`** flag
-
-    ```plaintext
-    $ vault policy write -namespace=<namespace_name> <policy_name> <policy_file>
-    ```
-
-Since you have to deploy policies onto "`education`" and "`education/training`"
-namespaces, use "`-namespace`" flag instead of environment variable.
-
-Create **`edu-admin`** and **`training-admin`** policies.
-
-```shell
-# Create edu-admin policy under 'education' namespace
-$ vault policy write -namespace=education edu-admin edu-admin.hcl
-
-# Create training-admin policy under 'education/training' namespace
-$ vault policy write -namespace=education/training training-admin training-admin.hcl
-```
-
-#### API call using cURL
-
-To target a specific namespace, you can do one of the following:
-
-* Pass the target namespace in the **`X-Vault-Namespace`** header
-
-* Prepend the API endpoint with namespace name (e.g.
-**`<namespace_name>`**`/sys/policies/acl`)
-
-
-Create **`edu-admin`** and **`training-admin`** policies.
-
-```shell
-# Create a request payload
-$ tee edu-payload.json <<EOF
-{
-  "policy": "path \"sys/namespaces/education/*\" {\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n } ... "
-}
-EOF
-
-# Create edu-admin policy under 'education' namespace
-$ curl --header "X-Vault-Token: ..." \
-       --header "X-Vault-Namespace: education" \
-       --request PUT \
-       --data @edu-payload.json \
-       https://127.0.0.1:8200/v1/sys/policies/acl/edu-admin
-
-# Create a request payload
-$ tee training-payload.json <<EOF
-{
- "policy": "path \"sys/namespaces/education/training/*\" {\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n  }  ... "
-}
-EOF
-
-# Create training-admin policy under 'education/training' namespace
-# This example directs the target namespace in the API endpoint
-$ curl --header "X-Vault-Token: ..." \
-       --request PUT \
-       --data @training-payload.json \
-       https://127.0.0.1:8200/v1/education/training/sys/policies/acl/training-admin
-```
-
-
-#### Web UI
-
-1. In the Web UI, make sure that the **CURRENT NAMESPACE** is set to
-**education** in the upper left menu.
-
-1. Click the **Policies** tab, and then select **Create ACL policy**.
-
-1. Toggle **Upload file** sliding switch, and click **Choose a file** to select your
-**`edu-admin.hcl`** file you authored.  This loads the policy and sets the
-**Name** to be `edu-admin`.
-
-1. Click **Create Policy** to complete.
-
-1. Set the **CURRENT NAMESPACE** to be **education/training** in the upper left
-menu.
-    ![Namespace](/img/vault-multi-tenant-6.png)
-
-1. In the **Policies** tab, select **Create ACL policy**.
-
-1. Toggle **Upload file**, and click **Choose a file** to select your
-**`training-admin.hcl`** file you authored.  
-
-1. Click **Create Policy**.
-
-
-### <a name="step3"></a>Step 3: Setup entities and groups
-(**Persona:** operations)
-
-Bob who is an organization-level administrator (superuser) has two accounts:
-**`bob`** and **`bsmith`**. You will create an entity, **Bob Smith** to
-associate those two accounts.
-
-Also, you are going to create a group for the team-level administrator, **Team
-Admin**, and add Bob Smith entity as a group member so that Bob can inherit the
-`training-admin` policy to manage the child namespace if he ever has to take
-over.
-
-![Entities and Groups](/img/vault-multi-tenant-3.png)
-
--> This step only demonstrates CLI commands and Web UI to create
-entities and groups.  Refer to the [Identity - Entities and
-Groups](/guides/identity/identity.html) guide if you need the full details.
-Also, read the [Additional Discussion](#additional-discussion) section for
-an example of setting up external groups.
-
-#### CLI Command
-
-```shell
-# First, you need to enable userpass auth method
-$ vault auth enable -namespace=education userpass
-
-# Create a user 'bob'
-$ vault write -namespace=education \
-        auth/userpass/users/bob password="password"
-
-# Create an entity for Bob Smith with 'edu-admin' policy attached
-# Save the generated entity ID in entity_id.txt file
-$ vault write -namespace=education -format=json identity/entity name="Bob Smith" \
-        policies="edu-admin" | jq -r ".data.id" > entity_id.txt
-
-# Get the mount accessor for userpass auth method and save it in accessor.txt file
-$ vault auth list -namespace=education -format=json \
-        | jq -r '.["userpass/"].accessor' > accessor.txt
-
-# Create an entity alias for Bob Smith to attach 'bob'
-$ vault write -namespace=education identity/entity-alias name="bob" \
-        canonical_id=$(cat entity_id.txt) mount_accessor=$(cat accessor.txt)
-
-# Create a group, "Training Admin" in education/training namespace
-$ vault write -namespace=education/training identity/group \
-        name="Training Admin" policies="training-admin" \
-        member_entity_ids=$(cat entity_id.txt)
-
-# Enable userpass auth method in training namespace
-$ vault auth enable -namespace=education/training userpass
-
-# Create a user 'bsmith'
-$ vault write -namespace=education/training \
-        auth/userpass/users/bsmith password="password"
-
-# Get the mount accessor for userpass auth method and save it in accessor2.txt file
-$ vault auth list -namespace=education/training -format=json \
-        | jq -r '.["userpass/"].accessor' > accessor2.txt
-
-# Add 'bsmith' to Bob Smith entity as its alias
-$ vault write -namespace=education identity/entity-alias name="bsmith" \
-        canonical_id=$(cat entity_id.txt) mount_accessor=$(cat accessor2.txt)        
-```
-
-
-#### Web UI
-
-1. In the Web UI, make sure that the **CURRENT NAMESPACE** is set to
-**education** in the upper left menu.
-
-1. Click the **Access** tab, and select **Enable new method**.
-
-1. Select **Username & Password** from the **Type** drop-down menu.
-
-1. Click **Enable Method**.
-
-1. Click the Vault CLI shell icon (**`>_`**) to open a command shell.  Enter the
-following command to create a new user, **`bob`**.
-
-    ```plaintext
-    vault write auth/userpass/users/bob password="password"
-    ```
-    ![Create Policy](/img/vault-multi-tenant-4.png)
-
-1. Click the icon (**`>_`**) again to hide the shell.
-
-1. From the **Access** tab, select **Entities** and then **Create entity**.
-
-1. Enter **`Bob Smith`** in the **Name** field, and **`edu-admin`** in the
-**Policies** field.   
-
-1. Click **Create**.
-
-1. Select **Add alias**.  Enter **`bob`** in the **Name** field and select
-**`userpass/ (userpass)`** from the **Auth Backend** drop-down list.
-
-1. Click **Create**.
-
-1. Click the **Access** tab and select **Entities**.
-
-1. Select the **`bob-smith`** entity and copy its **ID** displayed under the
-**Details** tab.
-
-1. Now, set the **CURRENT NAMESPACE** to **education/training**.
-    ![Namespace](/img/vault-multi-tenant-6.png)
-
-1. In the **Access** tab, select **Groups**, and select **Create group**.
-
-1. Paste in the entity ID in the **Member Entity IDs** field you copied.
-
-1. Enter **`Training Admin`** in the **Name** field, **`training-admin`** in the
-**Policies** field, and click **Create**.
-
-1. Click the **Access** tab, and select **Enable new method**.
-
-1. Select **Username & Password** from the **Type** drop-down menu.
-
-1. Click **Enable Method**.  Copy the mount accessor value which you will user later.
-    ![Namespace](/img/vault-multi-tenant-8.png)
-
-1. Click the Vault CLI shell icon (**`>_`**) to open a command shell.  Enter the
-following command to create a new user, **`bsmith`**.
-
-    ```plaintext
-    vault write auth/userpass/users/bsmith password="password"
-    ```
-
-1. Set the **CURRENT NAMESPACE** back to **education**.
-
-1. In the command shell, enter the following command.  Be sure to replace the
-`<Bob_Smith_entity_id>` with the value you copied at step 13, and
-`<mount_accessor>` with the value you copied at step 20.
-
-    ```plaintext
-    vault write identity/entity-alias name="bsmith" \
-            canonical_id=<Bob_Smith_entity_id> mount_accessor=<mount_accessor>
-    ```
-
-
-### <a name="step4"></a>Step 4: Test the organization admin user
-(**Persona:** org-admin)
-
-#### CLI Command
-
-Log in as **`bob`** into the `education` namespace:
-
-```plaintext
-$ vault login -namespace=education -method=userpass username="bob" password="password"
-
-Key                    Value
----                    -----
-token                  5ai0qpQeCdRHALzEY4Q8sW.28dk2
-token_accessor         9xXQmdx6Aq6zw1KX4gpzb.28dk2
-token_duration         768h
-token_renewable        true
-token_policies         ["default"]
-identity_policies      ["edu-admin"]
-policies               ["default" "edu-admin"]
-token_meta_username    bob
-```
-
-Notice that the user, `bob` only has `default` policy attached to his token
-(`token_policies`); however, he inherited the `edu-admin` policy from the `Bob
-Smith` entity (`identity_policies`).
-
-Test to make sure that `bob` can create a namespace, enable secrets engine, and
-whatever else that you want to verify.
-
-```shell
-# Set the target namespace as an env variable
-$ export VAULT_NAMESPACE="education"
-
-# Create a new namespace called 'web-app'
-$ vault namespace create web-app
-Success! Namespace created at: education/web-app/
-
-# Enable key/value v2 secrets engine at edu-secret
-$ vault secrets enable -path=edu-secret kv-v2
-Success! Enabled the kv-v2 secrets engine at: edu-secret/
-```
-
-Optionally, you can create new policies to test that `bob` can perform the
-operations as expected.  When you are done testing, unset the VAULT_NAMESPACE
-environment variable.  
-
-```plaintext
-$ unset VAULT_NAMESPACE
-```
-
-#### API call using cURL
-
-Log in as **`bob`** into the `education` namespace:
-
-```plaintext
-$ curl --header "X-Vault-Namespace: education" \
-       --request POST \
-       --data '{"password": "password"}' \
-       http://127.0.0.1:8200/v1/auth/userpass/login/bob | jq
-{
-   ...
-   "auth": {
-     "client_token": "5ai0qpQeCdRHALzEY4Q8sW.28dk2",
-     "accessor": "9xXQmdx6Aq6zw1KX4gpzb.28dk2",
-     "policies": [
-        "default",
-        "edu-admin"
-      ],
-      "token_policies": [
-        "default"
-      ],
-      "identity_policies": [
-        "edu-admin"
-      ],
-      "external_namespace_policies": {
-        "9dKXw": [
-          "training-admin"
-        ]
-      },
-     "metadata": {
-       "username": "bob"
-     },
-     ...
-   }
-}
-```
-
-Notice that the user, `bob` only has `default` policy attached to his token
-(`token_policies`); however, he inherited the `edu-admin` policy from the `Bob
-Smith` entity (`identity_policies`). Also, `training-admin` policy is listed
-under `external_namespace_policies` due to its membership to the Training Admin
-group in `education/training` namespace.
-
-Verify that `bob` can perform the operations permitted by the `edu-admin`
-policy.
-
-```shell
-# Create a new namespace called 'web-app'
-# Be sure to use generated bob's client token
-$ curl --header "X-Vault-Token: 5ai0qpQeCdRHALzEY4Q8sW.28dk2" \
-       --request POST \
-       http://127.0.0.1:8200/v1/education/sys/namespaces/web-app
-
-# Enable key/value v2 secrets engine at edu-secret
-$ curl --header "X-Vault-Token: 5ai0qpQeCdRHALzEY4Q8sW.28dk2" \
-       --request POST \
-       --data '{"type": "kv-v2"}' \
-       http://127.0.0.1:8200/v1/education/sys/mounts/edu-secret
-```
-
-
-#### Web UI
-
-1. Open a web browser and launch the Vault UI (e.g. http://127.0.01:8200/ui). If
-you are already logged in, sign out.
-
-1. At the **Sign in to Vault**, set the **Namespace** to **`education`**.
-
-1. Select the **Userpass** tab, and enter **`bob`** in the **Username** field,
-and **`password`** in the **Password** field.
-    ![Login](/img/vault-multi-tenant-5.png)
-
-1. Click **Sign in**.  Notice that the CURRENT NAMESPACE is set to **education**
-in the upper left corner of the UI.
-
-1. To add a new namespace, select **Access**.
-
-1. Select **Namespaces** and then click **Create a namespace**.
-
-1. Enter **`web-app`** in the **Path** field, and then click **Save**.
-
-1. Select **Secrets**, and then **Enable new engine**.
-
-1. Select **KV** from the **Secrets engine type** drop-down list, and enter
-**`edu-secret`** in the **Path** field.
-
-1. Click **Enable Engine** to finish.
-
-
-### <a name="step5"></a>Step 5: Test the team admin user
-(**Persona:** team-admin)
-
-#### CLI Command
-
-Log in as **`bsmith`** into the **`education/training`** namespace:
-
-```plaintext
-$ vault login -namespace=education/training -method=userpass username="bsmith" password="password"
-
-Key                    Value
----                    -----
-token                  5YNNjDDl6D8iW3eGQIlU0q.9dKXw
-token_accessor         6TVkDhdvEQXO2JaD64TVLv.9dKXw
-token_duration         768h
-token_renewable        true
-token_policies         ["default"]
-identity_policies      ["training-admin"]
-policies               ["default" "training-admin"]
-token_meta_username    bsmith
-```
-
-Notice that the user, `bsmith` inherited the `training-admin` policy from the
-`Training Admin` group (`training_admin`) which `Bob Smith` entity is a member
-of.
-
-Verify that `bsmith` can perform the operations permitted by the
-`training-admin` policy.
-
-```shell
-# Set the target namespace as an env variable
-$ export VAULT_NAMESPACE="education/training"
-
-# Create a new namespace called 'vault-training'
-$ vault namespace create vault-training
-Success! Namespace created at: education/training/vault-training/
-
-# Enable key/value v1 secrets engine at team-secret
-$ vault secrets enable -path=team-secret -version=1 kv
-Success! Enabled the kv secrets engine at: team-secret/
-```
-
-When you are done testing, unset the VAULT_NAMESPACE environment variable.  
-
-```plaintext
-$ unset VAULT_NAMESPACE
-```
-
-#### API call using cURL
-
-Log in as **`bsmith`** into the `education` namespace:
-
-```plaintext
-$ curl --header "X-Vault-Namespace: education/training" \
-       --request POST \
-       --data '{"password": "password"}' \
-       http://127.0.0.1:8200/v1/auth/userpass/login/bsmith | jq
-{
-   ...
-   "auth": {
-     "client_token": "5YNNjDDl6D8iW3eGQIlU0q.9dKXw",
-      "accessor": "6TVkDhdvEQXO2JaD64TVLv.9dKXw",
-      "display_name": "education-training-auth-userpass-bsmith",
-      "policies": [
-        "default",
-        "training-admin"
-      ],
-      "token_policies": [
-        "default"
-      ],
-      "identity_policies": [
-        "training-admin"
-      ],
-      "external_namespace_policies": {
-        "28dk2": [
-          "edu-admin"
-        ]
-      },
-      "metadata": {
-        "username": "bsmith"
-      },
-     ...
-   }
-}
-```
-
-Notice that the user, `bsmith` inherited the `training-admin` policy from the
-`Training Admin` group which `Bob Smith` entity is a member of.  Also,
-`edu-admin` policy is listed under `external_namespace_policies`.
-
-Verify that `bsmith` can perform the operations permitted by the
-`training-admin` policy.
-
-```shell
-# Create a new namespace called 'vault-training'
-# Be sure to use generated bsmith's client token
-$ curl --header "X-Vault-Token: 5YNNjDDl6D8iW3eGQIlU0q.9dKXw" \
-       --request POST \
-       http://127.0.0.1:8200/v1/education/training/sys/namespaces/web-app
-
-# Enable key/value v1 secrets engine at team-secret
-$ curl --header "X-Vault-Token: 5YNNjDDl6D8iW3eGQIlU0q.9dKXw" \
-       --request POST \
-       --data '{"type": "kv"}' \
-       http://127.0.0.1:8200/v1/education/training/sys/mounts/edu-secret
-```
-
-#### Web UI
-
-1. Open a web browser and launch the Vault UI (e.g. http://127.0.01:8200/ui). If
-you are already logged in, sign out.
-
-1. At the **Sign in to Vault**, set the **Namespace** to
-**`education/training`**.
-
-1. Select the **Userpass** tab, and enter **`bsmith`** in the **Username**
-field, and **`password`** in the **Password** field.
-
-1. Click **Sign in**.  
-
-1. To add a new namespace, select **Access**.
-
-1. Select **Namespaces** and then click **Create a namespace**.
-
-1. Enter **`vault-training`** in the **Path** field, and then click **Save**.
-
-1. Select **Secrets**, and then **Enable new engine**.
-
-1. Select **KV** from the **Secrets engine type** drop-down list, and enter
-**`team-secret`** in the **Path** field.
-
-1. Click **Enable Engine** to finish.
-
-### <a name="step6"></a>Step 6: Audit ambient credentials
-(**Persona:** operator)
-
-Many auth and secrets providers, such as AWS, Azure, GCP, and AliCloud, use ambient
-credentials to authenticate API calls. For example, AWS may:
-
-1. Use an access key and secret key configured in Vault.
-1. If not present, check for environment variables such as "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY".
-1. If not present, load credentials configured in "~/.aws/credentials".
-1. If not present, use instance metadata.
-
-This becomes a problem if these ambient credentials are not intended to be used within
-a particular namespace. 
-
-For example, suppose that your Vault server is running on an 
-AWS EC2 instance. You give the owner of a namespace a particular set of permissions to
-use for AWS. However, that owner _does not_ configure them. So, Vault falls back to using
-the credentials available in instance metadata, leading to a privilege escalation.
-
-To handle this:
-
-- Ensure no environment variables are available that could grant a privilege escalation.
-- Ensure that any privileges granted through instance metadata (in this example) or other 
-ambient identity info represent a _loss_ of privilege.
-- Directly configure the correct credentials in namespaces, and restrict access to that
-endpoint so credentials can't later be edited to use ambient credentials.
-
-<br>
-
-~> **Summary:** As this guide demonstrated, each namespace you created behaves
-as an **isolated** Vault environment. Once you sign into a namespace, there is
-no visibility into other namespaces regardless of its hierarchical relationship.
-Tokens, policies, and secrets engines are tied to its namespace; therefore, each
-client must acquire a valid token for each namespace to access their secrets.
-
-
-## Additional Discussion
-
-For the simplicity, this guide used the username and password (`userpass`) auth
-method which was enabled in the education namespace.  However, most likely, your
-organization uses LDAP auth method which is enabled in the **root** namespace
-instead.
-
-Here are the steps to create the "Training Admin" group as described in this
-guide using the LDAP auth method enabled in the root namespace.
-
-1. Enable and configure the desired auth method (e.g. LDAP) in the root
-namespace.
-
-    ```plaintext
-    $ vault auth enable ldap
-
-    $ vault write auth/ldap/config \
-            url="ldap://ldap.example.com" \
-            userdn="ou=Users,dc=example,dc=com" \
-            groupdn="ou=Groups,dc=example,dc=com" \
-            groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
-            groupattr="cn" \
-            upndomain="example.com" \
-            certificate=@ldap_ca_cert.pem \
-            insecure_tls=false \
-            starttls=true
-    ```
-
-1. Create an _external_ group in the root namespace.
-
-    ```shell
-    # Get the mount accessor for ldap auth method and save it in accessor.txt file
-    $ vault auth list -format=json \
-            | jq -r '.["ldap/"].accessor' > accessor.txt
-
-    # Create an external group and save the generated group ID in group_id.txt
-    $ vault write -format=json identity/group name="training_admin_root" \
-            type="external" \
-            | jq -r ".data.id" > group_id.txt    
-
-    # Create a group alias - assuming that the group name in LDAP is "ops_training"
-    $ vault write -format=json identity/group-alias name="ops_training" \
-            mount_accessor=$(cat accessor.txt) \
-            canonical_id=$(cat group_id.txt)             
-    ```
-
-1. In the `education/training` namespace, create an _internal_ group which has
-the external group (`training_admin_root`) as its member.
-
-    ```plaintext
-    $ vault write -namespace=education/training identity/group \
-            name="Training Admin" \
-            policies="training-admin" \
-            member_group_ids=$(cat group_id.txt)
-    ```
-
-### Policy with namespaces
-
-In this guide, you created policies in each namespace (`education` and
-`education/training`).  Therefore, you did not have to specify the target
-namespace in the policy paths.  
-
-If you want to create policies in the root namespace to control `education` and
-`education/training` namespaces, prepend the namespace in the paths.
-
-For example:
-
-```hcl
-# Manage policies in the 'education' namespace
-path "education/sys/policies/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage tokens in the 'education' namespace
-path "education/auth/token/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage policies under 'education/training' namespace
-path "education/training/sys/policies/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage tokens in the 'education/training' namespace
-path "education/training/auth/token/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-...
-```
-
-In [Step 2](#step2), you deployed the `training-admin` policy in the
-`education/training` namespace. The path is relative to the working namespace.
-So, if you want to create the `training-admin` policy in the **`education`**
-namespace instead, the paths starts with `training/` rather than
-`education/training/`.
-
-```hcl
-# Manage namespaces
-path "training/sys/namespaces/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage policies via API
-path "training/sys/policies/*" {
-   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage policies via CLI
-path "training/sys/policy/*" {
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-...
-```
-
-~> **NOTE:** Important to remember that tokens are local to the namespace.
-Therefore, you need a valid token for the namespace you want to operate in. The
-token created in the `education` namespace is not valid in the
-`education/training` namespace. This is so that each namespace is completely
-isolated from one another to ensure a secure multi-tenant environment.
-
-
-
-## Next steps
-
-Refer to the [Sentinel Policies](/guides/identity/sentinel.html) guide if you
-need to write policies that allow you to embed finer control over the user
-access across those namespaces.
diff --git a/website/source/guides/operations/performance-nodes.html.md b/website/source/guides/operations/performance-nodes.html.md
deleted file mode 100644
index e1c7a650e36d..000000000000
--- a/website/source/guides/operations/performance-nodes.html.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-layout: "guides"
-page_title: "Performance Standby Nodes - Guides"
-sidebar_current: "guides-operations-performance-nodes"
-description: |-
-  This guide will walk you through a simple Vault Highly Available (HA) cluster
-  implementation. While this is not an exhaustive or prescriptive guide that
-  can be used as a drop-in production example, it covers the basics enough to
-  inform your own production setup.
----
-
-# Performance Standby Nodes
-
-~> **Enterprise Only:** Performance Standby Nodes feature is a part of _Vault Enterprise_.
-
-In [Vault High Availability](/guides/operations/vault-ha-consul.html) guide, it
-was explained that only one Vault server will be _active_ in a cluster and
-handles **all** requests (reads and writes).  The rest of the servers become the
-_standby_ nodes and simply forward requests to the _active_ node.  
-
-![HA Architecture](/img/vault-ha-consul-3.png)
-
-If you are running **_Vault Enterprise_ 0.11** or later with the Consul storage 
-backend, those standby nodes can handle most read-only requests. For example, 
-performance standbys can handle encryption/decryption of data using 
-[transit](/docs/secrets/transit/index.html) keys, GET requests of key/value 
-secrets and other requests that do not change underlying storage. This can 
-provide considerable improvements in throughput for traffic of this type, 
-resulting in aggregate performance increase linearly correlated to the number 
-of performance standby nodes deployed in a cluster.
-
-
-## Reference Materials
-
-- [Performance Standby Nodes](/docs/enterprise/performance-standby/index.html)
-- [High Availability Mode](/docs/concepts/ha.html)
-- [Consul Storage Backend](/docs/configuration/storage/consul.html)
-- [Vault Reference Architecture](/guides/operations/reference-architecture.html)
-
-
-## Server Configuration
-
-Performance standbys are enabled by default when the Vault Enterprise license
-includes this feature. If you wish to disable the performance standbys, you can
-do so by setting the
-[`disable_performance_standby`](/docs/configuration/index.html#vault-enterprise-parameters)
-flag to `true`.  
-
-Since any of the nodes in a cluster can get elected as active, it is recommended
-to keep this setting consistent across all nodes in the cluster.
-
-!> Consider a scenario where a node with performance standby _disabled_
-becomes the active node. The performance standby feature is
-disabled for the whole cluster although it is enabled on other nodes.
-
-
-## Enterprise Cluster
-
-A highly available Vault Enterprise cluster consists of multiple servers, and
-there will be only one active node. The rest can serve as performance standby
-nodes handling read-only requests locally.
-
-![Cluster Architecture](/img/vault-perf-standby-1.png)
-
-The number of performance standby nodes within a cluster depends on your Vault
-Enterprise license.
-
-Consider the following scenario:
-
-- A cluster contains **five** Vault servers
-- Your Vault Enterprise license allows **two** performance standby nodes
-
-![Cluster Architecture](/img/vault-perf-standby.png)
-
-In this scenario, the performance standby nodes running on VM 8 and VM 9 can
-process read-only requests. However, the _standby_ nodes running on VM 6 and VM
-10 simply forward all requests to the active node running on VM 7.
-
-
-> **NOTE:** The selection of performance standby node is determined by the
-active node. When a node is selected, it gets  promoted to become a performance
-standby. This is a race condition that there is no configuration
-parameter to specify which nodes to become performance standbys.
-
-
-## Next steps
-
-Read [Production Hardening](/guides/operations/production.html) to learn best
-practices for a production hardening deployment of Vault.
diff --git a/website/source/guides/operations/plugin-backends.html.md b/website/source/guides/operations/plugin-backends.html.md
deleted file mode 100644
index 8a284d87799c..000000000000
--- a/website/source/guides/operations/plugin-backends.html.md
+++ /dev/null
@@ -1,126 +0,0 @@
----
-layout: "guides"
-page_title: "Plugin Backends - Guides"
-sidebar_title: "Building Plugin Backends"
-sidebar_current: "guides-operations-plugin-backends"
-description: |-
-  Learn how to build, register, and mount a custom plugin backend.
----
-
-# Introduction
-
-Plugin backends utilize the [plugin system][plugin-system] to enable third-party
-secrets engines and auth methods.
-
-It is worth noting that even though [database secrets engines][database-backend]
-operate under the same underlying plugin mechanism, they are slightly different
-in design than plugin backends demonstrated in this guide. The database secrets
-engine manages multiple plugins under the same backend mount point, whereas
-plugin backends are kv backends that function as either secret or auth methods.
-
-This guide provides steps to build, register, and mount non-database external
-plugin backends.
-
-## Setup Vault
-
-Set `plugin_directory` to the desired path in the Vault configuration file.
-The path should exist and have proper lockdown on access permissions.
-
-```hcl
-# /etc/vault/config.d/plugins.hcl
-plugin_directory = "/etc/vault/vault_plugins"
-```
-
-If the Vault server is already running, you will need to tell it to reload its
-configuration by sending SIGHUP. If you stop and start the Vault server, you
-will need to unseal it again.
-
-## Compile Plugin
-
-Build the custom binary, and move it inside the `plugin_directory` path
-configured above. This guide uses `mock-plugin` that comes from Vault's
-[`logical/plugin/mock`](https://github.com/hashicorp/vault/tree/master/logical/plugin/mock/mock-plugin) package.
-
-Download the source (you would probably use your own plugin):
-
-```sh
-$ go get -f -u -d github.com/hashicorp/vault
-# ...
-$ cd $GOPATH/src/github.com/hashicorp/vault/sdk/plugin/mock/mock-plugin
-```
-
-Compile the plugin:
-
-```sh
-$ go build -o my-mock-plugin
-```
-
-Put the plugin in the directory:
-
-```sh
-$ mv my-mock-plugin /etc/vault/vault_plugins
-```
-
-Alternatively, if you wanted a custom version of a plugin built into Vault, such as AppRole:
-
-```sh
-$ cd $GOPATH/src/github.com/hashicorp/vault/builtin/credential/approle/cmd/approle
-$ go build
-$ mv approle /etc/vault/vault_plugins
-```
-
-## Register in Plugin Catalog
-
-Calculate the SHA256 sum of the compiled plugin binary, and use that to register
-the plugin into Vault's plugin catalog:
-
-```sh
-$ shasum -a 256 /etc/vault/vault_plugins/my-mock-plugin
-2c071aafa1b30897e60b79643e77592cb9d1e8f803025d44a7f9bbfa4779d615  /etc/vault/vault_plugins/my-mock-plugin
-
-$ vault write sys/plugins/catalog/secret/my-mock-plugin \
-    sha256=2c071aafa1b30897e60b79643e77592cb9d1e8f803025d44a7f9bbfa4779d615 \
-    command=my-mock-plugin
-Success! Data written to: sys/plugins/catalog/secret/my-mock-plugin
-```
-
-## Enable Plugin
-
-Enabling the plugin varies depending on if it's a secrets engine or auth method:
-
-```sh
-$ vault secrets enable -path=my-secrets-plugin my-mock-plugin
-Success! Enabled the my-mock-plugin plugin at: my-secrets-plugin/
-```
-
-If you try to mount this particular plugin as an auth method instead of a
-secrets engine, you will get an error:
-
-```sh
-$ vault auth enable -path=my-auth-plugin my-mock-plugin
-# ...
-* cannot mount 'my-mock-plugin' of type 'secret' as an auth method
-```
-
-## Perform Operations
-
-Each plugin responds to read, write, list, and delete as its own behavior.
-
-```text
-$ vault write my-secrets-plugin/kv/foo value=bar
-Key      Value
----      -----
-value    bar
-```
-
-## Disable Plugin
-
-When you are done using the plugin, disable it.
-
-```text
-$ vault secrets disable my-secrets-plugin
-Success! Disabled the secrets engine (if it existed) at: my-secrets-plugin/
-```
-
-[plugin-system]: /docs/internals/plugins.html
-[database-backend]: /docs/secrets/databases/index.html
diff --git a/website/source/guides/operations/production.html.md b/website/source/guides/operations/production.html.md
deleted file mode 100644
index 0fb84633ab40..000000000000
--- a/website/source/guides/operations/production.html.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-layout: "guides"
-page_title: "Production Hardening - Guides"
-sidebar_title: "Production Hardening"
-sidebar_current: "guides-operations-production-hardening"
-description: |-
-  This guide provides guidance on best practices for a production hardened deployment of HashiCorp Vault.
----
-
-# Production Hardening
-
-This guide provides guidance on best practices for a production hardened
-deployment of Vault.  The recommendations are based on the [security
-model](/docs/internals/security.html) and focus on defense in depth.
-
-~> **Apply When Possible!** This guide is meant to provide guidance for an
-_ideal_ deployment of Vault, not to document requirements.  It is entirely
-possible to use Vault without applying any of the following recommendations.
-These are best practice recommendations that should be applied when possible
-and practical.
-
-# Recommendations
-
-* **End-to-End TLS**. Vault should always be used with TLS in production. If
-  intermediate load balancers or reverse proxies are used to front Vault, they
-  should _not_ terminate TLS. This way traffic is always encrypted in transit
-  to Vault and minimizes risks introduced by intermediate layers.
-
-* **Single Tenancy**. Vault should be the only main process running on a
-  machine. This reduces the risk that another process running on the same
-  machine is compromised and can interact with Vault. Similarly, running on
-  bare metal should be preferred to a VM, and a VM preferred to a container.
-  This reduces the surface area introduced by additional layers of abstraction
-  and other tenants of the hardware. Both VM and container based deployments
-  work, but should be avoided when possible to minimize risk.
-
-* **Firewall traffic**. Vault listens on well known ports, use a local firewall
-  to restrict all incoming and outgoing traffic to Vault and essential system
-  services like NTP. This includes restricting incoming traffic to permitted
-  subnets and outgoing traffic to services Vault needs to connect to, such as
-  databases.
-
-* **Disable SSH / Remote Desktop**. When running a Vault as a single tenant
-  application, users should never access the machine directly. Instead, they
-  should access Vault through its API over the network. Use a centralized
-  logging and telemetry solution for debugging. Be sure to restrict access to
-  logs as need to know.
-
-* **Disable Swap**. Vault encrypts data in transit and at rest, however it must
-  still have sensitive data in memory to function. Risk of exposure should be
-  minimized by disabling swap to prevent the operating system from paging
-  sensitive data to disk. Vault attempts to ["memory lock" to physical memory
-  automatically](/docs/configuration/index.html#disable_mlock), but disabling
-  swap adds another layer of defense.
-
-* **Don't Run as Root**. Vault is designed to run as an unprivileged user, and
-  there is no reason to run Vault with root or Administrator privileges, which
-  can expose the Vault process memory and allow access to Vault encryption
-  keys. Running Vault as a regular user reduces its privilege. Configuration
-  files for Vault should have permissions set to restrict access to only the
-  Vault user.
-
-* **Turn Off Core Dumps**. A user or administrator that can force a core dump
-  and has access to the resulting file can potentially access Vault encryption
-  keys. Preventing core dumps is a platform-specific process; on Linux setting
-  the resource limit `RLIMIT_CORE` to `0` disables core dumps. This can be
-  performed by process managers and is also exposed by various shells; in Bash
-  `ulimit -c 0` will accomplish this.
-
-* **Immutable Upgrades**. Vault relies on an external storage backend for
-  persistence, and this decoupling allows the servers running Vault to be
-  managed immutably. When upgrading to new versions, new servers with the
-  upgraded version of Vault are brought online. They are attached to the same
-  shared storage backend and unsealed. Then the old servers are destroyed. This
-  reduces the need for remote access and upgrade orchestration which may
-  introduce security gaps.
-
-* **Avoid Root Tokens**. Vault provides a root token when it is first
-  initialized. This token should be used to setup the system initially,
-  particularly setting up auth methods so that users may
-  authenticate. We recommend treating Vault [configuration as
-  code](https://www.hashicorp.com/blog/codifying-vault-policies-and-configuration/),
-  and using version control to manage policies. Once setup, the root token
-  should be revoked to eliminate the risk of exposure. Root tokens can be
-  [generated when needed](/guides/operations/generate-root.html), and should be
-  revoked as soon as possible.
-
-* **Enable Auditing**. Vault supports several auditing backends. Enabling
-  auditing provides a history of all operations performed by Vault and provides
-  a forensics trail in the case of misuse or compromise. Audit logs [securely
-  hash](/docs/audit/index.html) any sensitive data, but access should still be
-  restricted to prevent any unintended disclosures.
-
-* **Upgrade Frequently**. Vault is actively developed, and updating frequently
-  is important to incorporate security fixes and any changes in default
-  settings such as key lengths or cipher suites. Subscribe to the [Vault
-  mailing list](https://groups.google.com/forum/#!forum/vault-tool) and [GitHub
-  CHANGELOG](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md) for
-  updates.
-
-* **Configure SELinux / AppArmor**. Using additional mechanisms like SELinux
-  and AppArmor can help provide additional layers of security when using Vault.
-  While Vault can run on many operating systems, we recommend Linux due to the
-  various security primitives mentioned here.
-
-* **Restrict Storage Access**. Vault encrypts all data at rest, regardless of
-  which storage backend is used. Although the data is encrypted, an [attacker
-  with arbitrary control](/docs/internals/security.html) can cause data
-  corruption or loss by modifying or deleting keys. Access to the storage
-  backend should be restricted to only Vault to avoid unauthorized access or
-  operations.
-
-* **Disable Shell Command History**. You may want the `vault` command itself to
-  not appear in history at all. Refer to [additional methods](/guides/secret-mgmt/static-secrets.html#additional-discussion)
-  for guidance.
-
-* **Tweak ulimits**. It is possible that your Linux distribution has strict process `ulimits`.
-  Consider to review `ulimits` for maximum amount of open files, connections, etc. before
-  going into production; they may need increasing.
-
-* **Docker Containers**. To leverage the ["memory lock"](/docs/configuration/index.html#disable_mlock)
-  feature inside the Vault container you will likely need to use the `overlayfs2` or another supporting driver.
diff --git a/website/source/guides/operations/reference-architecture.html.md b/website/source/guides/operations/reference-architecture.html.md
deleted file mode 100644
index b914a0408cb8..000000000000
--- a/website/source/guides/operations/reference-architecture.html.md
+++ /dev/null
@@ -1,343 +0,0 @@
----
-layout: "guides"
-page_title: "Vault Reference Architecture - Guides"
-sidebar_title: "Reference Architecture"
-sidebar_current: "guides-operations-reference-architecture"
-description: |-
-  This guide provides guidance in the best practices of Vault
-  implementations through use of a reference architecture.
-ea_version: 1.0
----
-
-# Vault Reference Architecture
-
-The goal of this document is to recommend _HashiCorp Vault_ deployment
-practices. This reference architecture conveys a general architecture
-that should be adapted to accommodate the specific needs of each implementation.
-
-The following topics are addressed in this guide:
-
-- [Deployment Topology within One Datacenter](#one-dc)
-    - [Network Connectivity](#network-connectivity-details)
-    - [Deployment System Requirements](#deployment-system-requirements)
-    - [Hardware Considerations](#hardware-considerations)
-    - [Load Balancing](#load-balancing)
-    - [High Availability](#high-availability)
-- [Deployment Topology for Multiple Datacenters](#multi-dc)
-    - [Vault Replication](#vault-replication)
-- [Additional References](#additional-references)
-
--> This document assumes Vault uses Consul as the [storage
-backend](/docs/internals/architecture.html) since that is the recommended
-storage backend for production deployments.
-
-## <a name="one-dc"></a>Deployment Topology within One Datacenter
-
-This section explains how to deploy a Vault open source cluster in one datacenter.
-Support for [multiple datacenters](#multi-dc) is included in Vault Enterprise through
-cluster replication.
-
-### Reference Diagram
-
-Eight Nodes with [Consul Storage Backend](/docs/configuration/storage/consul.html)
-![Reference diagram](/img/vault-ref-arch-2.png)
-
-#### Design Summary
-
-This design is the recommended architecture for production environments, as it
-provides flexibility and resilience. Consul servers are separate
-from the Vault servers so that software upgrades are easier to perform. Additionally,
-separate Consul and Vault servers allows for separate sizing for each.
-Vault to Consul backend connectivity is over HTTP and should be
-secured with TLS as well as a Consul token to provide encryption of all traffic.  
-
--> Refer to the online documentation to learn more about running [Consul in encrypted mode](https://www.consul.io/docs/agent/options.html#encrypt).
-
-#### Failure Tolerance
-
-Typical distribution in a cloud environment is to spread Consul/Vault nodes into
-separate Availability Zones (AZs) within a high bandwidth, low latency network,
-such as an AWS Region. The diagram below shows Vault and Consul spread between
-AZs, with Consul servers in Redundancy Zone configurations, promoting a single
-voting member per AZ, providing both Zone and Node level failure protection.  
-
--> Refer to the online documentation to learn more about the [Consul leader election process](https://www.consul.io/docs/guides/leader-election.html).
-
-![Failure tolerance|40%](/img/vault-ref-arch-3.png)
-
-
-### Network Connectivity Details
-
-![Network Connectivity Details](/img/vault-ref-arch.png)
-
-### Deployment System Requirements
-
-The following table provides guidelines for server sizing. Of particular note is
-the strong recommendation to avoid non-fixed performance CPUs, or "Burstable
-CPU" in AWS terms, such as T-series instances.
-
-#### Sizing for Vault Servers
-
-| Size  | CPU      | Memory          | Disk      | Typical Cloud Instance Types               |
-|-------|----------|-----------------|-----------|--------------------------------------------|
-| Small | 2 core   | 4-8 GB RAM      | 25 GB     | **AWS:** m5.large                          |
-|       |          |                 |           | **Azure:** Standard_D2_v3                  |
-|       |          |                 |           | **GCE:** n1-standard-2, n1-standard-4      |
-| Large | 4-8 core | 16-32 GB RAM    | 50 GB     | **AWS:** m5.xlarge, m5.2xlarge             |
-|       |          |                 |           | **Azure:** Standard_D4_v3, Standard_D8_v3  |
-|       |          |                 |           | **GCE:** n1-standard-8, n1-standard-16     |
-
-#### Sizing for Consul Servers
-
-| Size  | CPU      | Memory          | Disk      | Typical Cloud Instance Types               |
-|-------|----------|-----------------|-----------|--------------------------------------------|
-| Small | 2 core   | 8-16 GB RAM     | 50 GB     | **AWS:** m5.large, m5.xlarge               |
-|       |          |                 |           | **Azure:** Standard_D2_v3, Standard_D4_v3  |
-|       |          |                 |           | **GCE:** n1-standard-4, n1-standard-8      |
-| Large | 4-8 core | 32-64+ GB RAM   | 100 GB    | **AWS:** m5.2xlarge, m5.4xlarge            |
-|       |          |                 |           | **Azure:** Standard_D4_v3, Standard_D8_v3  |
-|       |          |                 |           | **GCE:** n1-standard-16, n1-standard-32    |
-
-### Hardware Considerations
-
-The small size category would be appropriate for most initial production
-deployments, or for development/testing environments.  
-
-The large size is for production environments where there is a consistent high
-workload. That might be a large number of transactions, a large number of
-secrets, or a combination of the two.
-
-In general, processing requirements will be dependent on encryption workload and
-messaging workload (operations per second, and types of operations).  Memory
-requirements will be dependent on the total size of secrets/keys stored in
-memory and should be sized according to that data (as should the hard drive
-storage).  Vault itself has minimal storage requirements, but the underlying
-storage backend should have a relatively high-performance hard disk subsystem.
-If many secrets are being generated/rotated frequently, this information will
-need to flush to disk often and can impact performance if slower hard drives are
-used.
-
-Consul servers function in this deployment is to serve as the storage backend
-for Vault. This means that all content stored for persistence in Vault is
-encrypted by Vault, and written to the storage backend at rest. This data is
-written to the key-value store section of Consul's Service Catalog, which is
-required to be stored in its entirety in-memory on each Consul server. This
-means that memory can be a constraint in scaling as more clients authenticate to
-Vault, more secrets are persistently stored in Vault, and more temporary secrets
-are leased from Vault. This also has the effect of requiring vertical scaling on
-Consul server's memory if additional space is required, as the entire Service
-Catalog is stored in memory on each Consul server.
-
-Furthermore, network throughput is a common consideration for Vault and Consul
-servers. As both systems are HTTPS API driven, all incoming requests,
-communications between Vault and Consul, underlying gossip communication between
-Consul cluster members, communications with external systems (per auth or secret
-engine configuration, and some audit logging configurations) and responses
-consume network bandwidth.
-
-Due to network performance considerations in Consul cluster operations,
-replication of Vault datasets across network boundaries should be achieved
-through Performance or DR Replication, rather than spreading the Consul cluster
-across network and physical boundaries.  If a single consul cluster is spread
-across network segments that are distant or inter-regional, this can cause
-synchronization issues within the cluster or additional data transfer charges
-in some cloud providers.
-
-### Other Considerations
-
-[Vault Production Hardening Recommendations](/guides/operations/production.html)
-provides guidance on best practices for a production hardened deployment of
-Vault.
-
-## Load Balancing
-
-### <a name="consul-lb"></a>Load Balancing Using Consul Interface
-
-Consul can provide load balancing capabilities, but it requires that any Vault
-clients are Consul aware. This means that a client can either utilize Consul DNS
-or API interfaces to resolve the active Vault node. A client might access Vault
-via a URL like the following: `http://active.vault.service.consul:8200`
-
-This relies upon the operating system DNS resolution system, and
-the request could be forwarded to Consul for the actual IP address response.
-The operation can be completely transparent to legacy applications and would
-operate just as a typical DNS resolution operation.
-
-### <a name="external-lb"></a>Load Balancing Using External Load Balancer
-
-![Vault Behind a Load Balancer](/img/vault-ref-arch-9.png)
-
-External load balancers are supported as well, and would be placed in front of the
-Vault cluster, and would poll specific Vault URL's to detect the active node and
-route traffic accordingly. An HTTP request to the active node with the following
-URL will respond with a 200 status: `http://<Vault Node URL>:8200/v1/sys/health`
-
-The following is a sample configuration block from HAProxy to illustrate:
-
-```plaintext
-listen vault
-    bind 0.0.0.0:80
-    balance roundrobin
-    option httpchk GET /v1/sys/health
-    server vault1 192.168.33.10:8200 check
-    server vault2 192.168.33.11:8200 check
-    server vault3 192.168.33.12:8200 check
-```
-
-Note that the above block could be generated by Consul (with consul-template)
-when a software load balancer is used. This could be the case when the load
-balancer is software like Nginx, HAProxy, or Apache.
-
-**Example Consul Template for the above HAProxy block:**
-
-```plaintext
-listen vault
-   bind 0.0.0.0:8200
-   balance roundrobin
-   option httpchk GET /v1/sys/health{{range service "vault"}}
-   server {{.Node}} {{.Address}}:{{.Port}} check{{end}}
-```
-
-#### Client IP Address Handling
-
-There are two supported methods for handling client IP addressing behind a proxy
-or load balancer;
-[X-Forwarded-For Headers](https://www.vaultproject.io/docs/configuration/listener/tcp.html#x_forwarded_for_authorized_addrs)
-and [PROXY v1](https://www.vaultproject.io/docs/configuration/listener/tcp.html#proxy_protocol_authorized_addrs).  Both require a trusted load balancer and require IP address whitelisting to
-adhere to security best practices.
-
-### High Availability
-
-A Vault cluster is the highly-available unit of deployment within one
-datacenter. A recommended approach is three Vault servers with a Consul storage
-backend. With this configuration, during a Vault server outage, failover is
-handled immediately without human intervention.
-
-To learn more about setting up your Vault servers in HA mode, read [_Vault HA
-with Consul_](/guides/operations/vault-ha-consul.html) guide.
-
-> High-availability with [Performance Standby
-Nodes](/guides/operations/performance-nodes.html) and data-locality across
-datacenters requires Vault Enterprise.
-
-
-## <a name="multi-dc"></a>Deployment Topology for Multiple Datacenters
-
-<img src="/img/vault-ref-arch-6.png">
-
-### Vault Replication
-
-~> **Enterprise Only:** Vault replication feature is a part of _Vault Enterprise_.
-
-HashiCorp Vault Enterprise provides two modes of replication, **performance**
-and **disaster recovery**. The [Vault
-documentation](/docs/enterprise/replication/index.html) provides more detailed
-information on the replication capabilities within Vault Enterprise.
-
-![Replication Pattern](/img/vault-ref-arch-8.png)
-
-#### Performance Replication
-
-Vault performance replication allows for secrets management across many sites.
-Secrets, authentication methods, authorization policies and other details are
-replicated to be active and available in multiple locations.
-
--> Refer to the [Vault Mount Filter](/guides/operations/mount-filter.html) guide
-about filtering out secret engines from being replicated across regions.
-
-#### Disaster Recovery Replication
-
-Vault disaster recovery replication ensures that a standby Vault cluster is kept
-synchronized with an active Vault cluster.  This mode of replication includes
-data such as ephemeral authentication tokens, time-based token information as
-well as token usage data. This provides for aggressive recovery point objective
-in environments where preventing loss of ephemeral operational data is of the
-utmost concern.
-
-#### Cross-Region Disaster Recovery
-
-If your disaster recovery strategy is to plan for a loss of an entire data
-center, the following diagram illustrates a possible replication scenario.
-
-![Replication Pattern](/img/vault-ref-arch-4.png)
-
-In this scenario, if the Vault cluster in Region A fails and you promote the DR
-cluster in Region B to be the new primary, your applications will need to read
-and write secrets from the Vault cluster in Region B. This may or may not raise
-an issue for your applications, but you need to take that into a consideration
-during the planning.
-
-
-#### In-Region Disaster Recovery
-
-If your disaster recovery strategy is to plan for a loss of a cluster but not the
-entire data center, the following diagram illustrates a possible replication
-scenario.
-
-![Replication Pattern](/img/vault-ref-arch-7.png)
-
--> Refer to the [Vault Disaster Recovery Setup](/guides/operations/disaster-recovery.html) guide for additional information.
-
-#### Corruption or Sabotage Disaster Recovery
-
-Another common scenario to protect against, more prevalent in cloud environments
-that provide very high levels of intrinsic resiliency, might be the purposeful
-or accidental corruption of data and configuration, and or a loss of cloud account
-control.  Vault's DR Replication is designed to replicate live data, which would
-propagate intentional or accidental data corruption or deletion.  To protect against
-these possibilities, you should backup Vault's storage backend.  This is supported
-through the Consul Snapshot feature, which can be automated for regular archival
-backups.  A cold site or new infrastructure could be re-hydrated from a Consul
-snapshot.  
-
--> Refer to the online documentation to learn more about [Consul snapshots](https://www.consul.io/docs/commands/snapshot.html).
-
-#### Replication Notes
-
-- There is no set limit on number of clusters within a replication set. Largest
-deployments today are in the 30+ cluster range.
-- Any cluster within a Performance replication set can act as a Disaster
-Recovery primary cluster.
-- A cluster within a Performance replication set can also replicate to multiple
-Disaster Recovery secondary clusters.
-- While a Vault cluster can possess a replication role (or roles), there are no
-special considerations required in terms of infrastructure, and clusters can
-assume (or be promoted) to another role. Special circumstances related to mount
-filters and HSM usage may limit swapping of roles, but those are based on
-specific organization configurations.
-
-#### Considerations Related to Unseal proxy_protocol_behavior
-
-Using replication with Vault clusters integrated with HSM devices for automated
-unseal operations has some details that should be understood during the planning
-phase.
-
-- If a **performance** primary cluster utilizes an HSM, all other clusters
-within that replication set must use an HSM as well.
-- If a **performance** primary cluster does NOT utilize an HSM (uses Shamir
-  secret sharing method), the clusters within that replication set can be mixed,
-  such that some may use an HSM, others may use Shamir.
-
-For sake of this discussion, the cloud auto-unseal feature is treated as an
-HSM.
-
-## Additional References
-
-- Vault [architecture](/docs/internals/architecture.html) documentation explains
-each Vault component
-- To integrate Vault with existing LDAP server, refer to
-[LDAP Auth Method](/docs/auth/ldap.html) documentation
-- Refer to the [AppRole Pull
-Authentication](/guides/identity/authentication.html) guide to programmatically
-generate a token for a machine or app
-- Consul is an integral part of running a resilient Vault cluster, regardless of
-location.  Refer to the online [Consul documentation](https://www.consul.io/intro/getting-started/install.html) to
-learn more.
-
-## Next steps
-
-- Read [Production Hardening](/guides/operations/production.html) to learn best
-  practices for a production hardening deployment of Vault.
-
-- Read [Deployment Guide](/guides/operations/deployment-guide.html) to learn
-  the steps required to install and configure a single HashiCorp Vault cluster.
diff --git a/website/source/guides/operations/rekeying-and-rotating.html.md b/website/source/guides/operations/rekeying-and-rotating.html.md
deleted file mode 100644
index 7464eedb3268..000000000000
--- a/website/source/guides/operations/rekeying-and-rotating.html.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-layout: "guides"
-page_title: "Rekeying & Rotating Vault - Guides"
-sidebar_title: "Rekeying & Rotating"
-sidebar_current: "guides-operations-rekeying-and-rotating"
-description: |-
-  Vault supports generating new unseal keys as well as rotating the underlying
-  encryption keys. This guide covers rekeying and rotating Vault's encryption
-  keys.
----
-
-# Rekeying &amp; Rotating Vault
-
-~> **Advanced Topic** This guide presents an advanced topic that is not required
-for a basic understanding of Vault. Knowledge of this topic is not required for
-daily Vault use.
-
-## Background
-
-In order to prevent no one person from having complete access to the system,
-Vault employs [Shamir's Secret Sharing Algorithm][shamir]. Under this process,
-a secret is divided into a subset of parts such that a subset of those parts are
-needed to reconstruct the original secret. Vault makes heavy use of this
-algorithm as part of the [unsealing process](/docs/concepts/seal.html).
-
-When a Vault server is first initialized, Vault generates a master key and
-immediately splits this master key into a series of key shares following
-Shamir's Secret Sharing Algorithm. Vault never stores the master key, therefore,
-the only way to retrieve the master key is to have a quorum of unseal keys
-re-generate it.
-
-The master key is used to decrypt the underlying encryption key. Vault uses the
-encryption key to encrypt data at rest in a storage backend like the filesystem
-or Consul.
-
-Typically each of these key shares is distributed to trusted parties in the
-organization. These parties must come together to "unseal" the Vault by entering
-their key share.
-
-[![Vault Shamir Secret Sharing Algorithm](/img/vault-shamir-secret-sharing.svg)](/img/vault-shamir-secret-sharing.svg)
-
-[shamir]: https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
-
-In some cases, you may want to re-generate the master key and key shares. Here
-are a few examples:
-
-- Someone joins or leaves the organization
-- Security wants to change the number of shares or threshold of shares
-- Compliance mandates the master key be rotated at a regular interval
-
-In addition to rekeying the master key, there may be an independent desire to
-rotate the underlying encryption key Vault uses to encrypt data at rest.
-
-[![Vault Rekey vs Rotate](/img/vault-rekey-vs-rotate.svg)](/img/vault-rekey-vs-rotate.svg)
-
-In Vault, _rekeying_ and _rotating_ are two separate operations. The process for
-generating a new master key and applying Shamir's algorithm is called
-"rekeying". The process for generating a new encryption key for Vault to encrypt
-data at rest is called "rotating".
-
-Both rekeying the Vault and rotating Vault's underlying encryption key are fully
-online operations. Vault will continue to service requests uninterrupted during
-either of these processes.
-
-## Rekeying Vault
-
-Rekeying the Vault requires a quorum of unseal keys. Before continuing, you
-should ensure enough unseal key holders are available to assist with the
-rekeying to match the threshold configured when the keys were issued.
-
-First, initialize a rekeying operation. The flags represent the **newly
-desired** number of keys and threshold:
-
-```text
-$ vault operator rekey -init -key-shares=3 -key-threshold=2
-```
-
-This will generate a nonce value and start the rekeying process. All other
-unseal keys must also provide this nonce value. This nonce value is not a
-secret, so it is safe to distribute over insecure channels like chat, email, or
-carrier pigeon.
-
-```text
-Key               Value
----               -----
-Nonce             dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
-Started           true
-Rekey Progress    0/1
-New Shares        3
-New Threshold     2
-```
-
-Each unseal key holder runs the following command and enters their unseal key:
-
-```text
-$ vault operator rekey -nonce=<nonce>
-Rekey operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
-Key (will be hidden):
-```
-
-When the final unseal key holder enters their key, Vault will output the new
-unseal keys:
-
-```text
-Key 1: EDj4NZK6z5Y9rpr+TtihTulfdHvFzXtBYQk36dmBczuQ
-Key 2: sCkM1i5BGGNDFk5GsqtVolWRPyd5mWn2eZG0gUySiCF7
-Key 3: e5DUvDIH0cPU8Q+hh1KNVkkMc9lliliPVe9u3Fzbzv38
-
-Operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
-
-Vault rekeyed with 3 keys and a key threshold of 2. Please
-securely distribute the above keys. When the vault is re-sealed,
-restarted, or stopped, you must provide at least 2 of these keys
-to unseal it again.
-
-Vault does not store the master key. Without at least 2 keys,
-your vault will remain permanently sealed.
-```
-
-Like the initialization process, Vault supports PGP encrypting the resulting
-unseal keys and creating backup encryption keys for disaster recovery.
-
-## Rotating the Encryption Key
-
-Unlike rekeying the Vault, rotating Vault's encryption key does not require a
-quorum of unseal keys. Anyone with the proper permissions in Vault can perform
-the encryption key rotation.
-
-To trigger a key rotation, execute the command:
-
-```text
-$ vault operator rotate
-```
-
-This will output the key version and installation time:
-
-```text
-Key Term: 2
-Installation Time: ...
-```
-
-This will add a new key to the keyring. All new values written to the storage
-backend will be encrypted with this new key.
diff --git a/website/source/guides/operations/replication.html.md b/website/source/guides/operations/replication.html.md
deleted file mode 100644
index 5adedda0486c..000000000000
--- a/website/source/guides/operations/replication.html.md
+++ /dev/null
@@ -1,184 +0,0 @@
----
-layout: "guides"
-page_title: "Setting up Vault Enterprise Performance Replication - Guides"
-sidebar_title: "Replication Setup & Guidance"
-sidebar_current: "guides-operations-replication"
-description: |-
-  Learn how to set up and manage Vault Enterprise Performance Replication.
----
-
-# Replication Setup &amp; Guidance
-
-~> **Enterprise Only:** Vault replication feature is a part of _Vault Enterprise_.
-
-If you're unfamiliar with Vault Replication concepts, please first look at the
-[general information page](/docs/vault-enterprise/replication/index.html). More
-details can be found in the
-[replication internals](/docs/internals/replication.html) document.
-
-Vault replication also includes a complete API. For more information, please see
-the [Vault Replication API documentation](/api/system/replication.html)
-
-
-## Activating Performance Replication
-
-### Activating the Primary
-
-To activate the primary, run:
-
-
-    $ vault write -f sys/replication/performance/primary/enable
-
-
-There is currently one optional argument: `primary_cluster_addr`. This can be
-used to override the cluster address that the primary advertises to the
-secondary, in case the internal network address/pathing is different between
-members of a single cluster and primary/secondary clusters.
-
-### Fetching a Secondary Token
-
-To fetch a secondary bootstrap token, run:
-
-
-    $ vault write sys/replication/performance/primary/secondary-token id=<id>
-
-
-The value for `id` is opaque to Vault and can be any identifying value you want;
-this can be used later to revoke the secondary and will be listed when you read
-replication status on the primary. You will get back a normal wrapped response,
-except that the token will be JWT-formatted..
-
-### Activating a Secondary
-
-To activate a secondary using the fetched token, run:
-
-
-    $ vault write sys/replication/performance/secondary/enable token=<token>
-
-
-You must provide the full token value. Be very careful when running this
-command, as it will destroy all data currently stored in the secondary.
-
-There are a few optional arguments, with the one you'll most likely need being
-`primary_api_addr`, which can be used to override the API address of the
-primary cluster; otherwise the secondary will use the value embedded in the
-bootstrap token, which is the primary’s redirect address. If the primary has no
-redirect address (for instance, if it's not in an HA cluster), you'll need to
-set this value at secondary enable time.
-
-Once the secondary is activated and has bootstrapped, it will be ready for
-service and will maintain state with the primary. It is safe to seal/shutdown
-the primary and/or secondary; when both are available again, they will
-synchronize back into a replicated state.
-
-Note: if the secondary is in an HA cluster, you will need to ensure that each
-standby is sealed/unsealed with the new (primary’s) unseal keys. If one of the
-standbys takes over on active duty before this happens it will seal itself to
-remove it from rotation (e.g. if using Consul for service discovery), but if a
-standby does not attempt taking over it will throw errors. We hope to make this
-workflow better in a future update.
-
-### Secondary Tokens
-
-On a production system, after a secondary is activated, the enabled
-auth methods should be used to get tokens with appropriate policies,
-as policies and auth method configuration are replicated.
-
-The generate-root command can also be used to generate a root token local to
-the secondary cluster. After the secondary is activated, it will need to use the unseal or recovery keys from the Primary when generating a new root token or performing other commands that require unseal or recovery keys.
-
-#### Dev-Mode Root Tokens
-
-To ease development and testing, when both the primary and secondary are
-running in development mode, the initial root token created by the primary
-(including those with custom IDs specified with `-dev-root-token-id`) will be
-populated into the secondary upon activation. This allows a developer to keep a
-consistent `~/.vault-token` file or `VAULT_TOKEN` environment variable when
-working with both clusters.
-
-## Managing Vault Performance Replication
-
-Vault’s performance replication model is intended to allow horizontally scaling Vault’s
-functions rather than to act in a strict Disaster Recovery (DR) capacity. For more information on Vault's disaster recovery replication, look at the
-[general information page](/docs/vault-enterprise/replication/index.html).
-
-As a result, Vault performance replication acts on static items within Vault, meaning
-information that is not part of Vault’s lease-tracking system. In a practical
-sense, this means that all Vault information is replicated from the primary to
-secondaries except for tokens and secret leases.
-
-Because token information must be checked and possibly rewritten with each use
-(e.g. to decrement its use count), replicated tokens would require every call
-to be forwarded to the primary, decreasing rather than increasing total Vault
-throughput.
-
-Secret leases are tracked independently for two reasons: one, because every
-such lease is tied to a token and tokens are local to each cluster; and two,
-because tracking large numbers of leases is memory-intensive and tracking all
-leases in a replicated fashion could dramatically increase the memory
-requirements across all Vault nodes.
-
-We believe that this performance replication model provides significant utility for horizontally scaling Vault’s functionality.  However, it does mean
-that certain principles must be kept in mind.
-
-### Always Use the Local Cluster
-
-First and foremost, when designing systems to take advantage of replicated
-Vault, you must ensure that they always use the same Vault cluster for all
-operations, as only that cluster will know about the client’s Vault token.
-
-### Enabling a Secondary Wipes Storage
-
-Replication relies on having a shared keyring between primary and secondaries
-and also relies on having a shared understanding of the data store state. As a
-result, when replication is enabled, all of the secondary’s existing storage
-will be wiped. This is irrevocable. Make a backup first if there is a remote
-chance you’ll need some of this data at some future point.
-
-Generally, activating as a secondary will be the first thing that is done upon
-setting up a new cluster for replication.
-
-### Replicated vs. Local Backend Mounts
-
-All backend mounts (of all types) that can be enabled within Vault default to
-being mounted as a replicated mount. This means that mounts cannot be enabled
-on a secondary, and mounts enabled on the primary will replicate to
-secondaries.
-
-Mounts can also be marked local (via the `-local` flag on the Vault CLI or
-setting the `local` parameter to `true` in the API). This can only be performed
-at mount time; if a mount is local but should have been replicated, or vice
-versa, you must disable the backend and mount a new instance at that path with
-the local flag enabled.
-
-Local mounts do not propagate data from the primary to secondaries, and local
-mounts on secondaries do not have their data removed during the syncing
-process. The exception is during initial bootstrapping of a secondary from a
-state where replication is disabled; all data, including local mounts, is
-deleted at this time (as the encryption keys will have changed so data in local
-mounts would be unable to be read).
-
-### Audit Devices
-
-In normal Vault usage, if Vault has at least one audit device configured and
-is unable to successfully log to at least one device, it will block further
-requests.
-
-Replicated audit mounts must be able to successfully log on all replicated
-clusters. For example, if using the file audit device, the configured path must
-be able to be written to by all secondaries. It may be useful to use at least
-one local audit mount on each cluster to prevent such a scenario.
-
-### Never Have Two Primaries
-
-The replication model is not designed for active-active usage and enabling two
-primaries should never be done, as it can lead to data loss if they or their
-secondaries are ever reconnected.
-
-### Disaster Recovery
-
-Local backend mounts are not replicated and their use will require existing DR
-mechanisms if DR is necessary in your implementation.
-
-If you need true DR, look at the
-[general information page](/docs/vault-enterprise/replication/index.html) for information on Vault's disaster recovery replication.
diff --git a/website/source/guides/operations/seal-wrap.html.md b/website/source/guides/operations/seal-wrap.html.md
deleted file mode 100644
index e811730e31c6..000000000000
--- a/website/source/guides/operations/seal-wrap.html.md
+++ /dev/null
@@ -1,642 +0,0 @@
----
-layout: "guides"
-page_title: "Seal Wrap / FIPS 140-2 - Guides"
-sidebar_title: "Seal Wrap / FIPS 140-2"
-sidebar_current: "guides-operations-seal-wrap"
-description: |-
-  In this guide,
----
-
-
-# Seal Wrap / FIPS 140-2
-
-~> **Enterprise Only:** Vault's HSM auto-unseal and Seal Wrap features are a
-part of _Vault Enterprise_.
-
-***Vault Enterprise*** integrates with [HSM platforms](/docs/enterprise/hsm/index.html)
-to opt-in automatic [unsealing](/docs/concepts/seal.html#unsealing).
-HSM integration provides three pieces of special functionality:
-
-- **Master Key Wrapping**: Vault protects its master key by transiting it through
-the HSM for encryption rather than splitting into key shares
-- **Automatic Unsealing**: Vault stores its encrypted master key in storage,
-allowing for automatic unsealing
-- **Seal Wrapping** to provide FIPS KeyStorage-conforming functionality for Critical Security Parameters
-
-![Unseal with HSM](/img/vault-hsm-autounseal.png)
-
-In some large organizations, there is a fair amount of complexity in designating
-key officers, who might be available to unseal Vault installations as the most
-common pattern is to deploy Vault immutably. As such automating unseal using an
-HSM provides a simplified yet secure way of unsealing Vault nodes as they get
-deployed.
-
-Vault pulls its encrypted master key from storage and transit it through the
-HSM for decryption via  **PKCS \#11 API**. Once the master key is decrypted,
-Vault uses the master key to decrypt the encryption key to resume with Vault
-operations.
-
-
-## Reference Material
-
-- [HashiCorp + AWS: Integrating CloudHSM with Vault Enterprise](https://www.hashicorp.com/resources/hashicorp-and-aws-integrating-cloudhsm-with-vault-e) webinar
-- [Seal Wrap documentation](/docs/enterprise/sealwrap/index.html)
-- [Vault Configuration - pkcs11 Seal](/docs/configuration/seal/pkcs11.html)
-- [Vault Enterprise HSM Support](/docs/enterprise/hsm/index.html)
-- [NIST SC-12: Cryptographic Key Establishment and Management](https://nvd.nist.gov/800-53/Rev4/control/SC-12)
-- [NIST SC-13: Cryptographic Protection](https://nvd.nist.gov/800-53/Rev4/control/SC-13)
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Challenge
-
-The Federal Information Processing Standard (FIPS) 140-2 is a U.S. Government
-computer security standard used to accredit cryptography modules. If your
-product or service does not follow FIPS' security requirements, it may
-complicate your ability to operate with U.S. Government data.
-
-Aside from doing business with U.S. government, your organization may care about
-FIPS which approves various cryptographic ciphers for hashing, signature, key
-exchange, and encryption for security.
-
-
-## Solution
-
-Integrate Vault with FIPS 140-2 certified HSM and enable the ***Seal Wrap***
-feature to protect your data.
-
-Vault encrypts secrets using 256-bit AES in GCM mode with a randomly generated
-nonce prior to writing them to its persistent storage. By enabling seal wrap,
-Vault wraps your secrets with **an extra layer of encryption** leveraging the
-HSM encryption and decryption.
-
-![Seal Wrap](/img/vault-seal-wrap.png)
-
-#### Benefits of the Seal Wrap:
-
-- Conformance with FIPS 140-2 directives on Key Storage and Key Transport as [certified by Leidos](/docs/enterprise/sealwrap/index.html#fips-140-2-compliance)
-- Supports FIPS level of security equal to HSM
-  * For example, if you use Level 3 hardware encryption on an HSM, Vault will be
-  using FIPS 140-2 Level 3 cryptography
-- Allows Vault to be deployed in high security [GRC](https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance)
-environments (e.g. PCI-DSS, HIPAA) where FIPS guidelines important for external audits
-- Pathway for Vault's use in managing  Department of Defense's (DOD) or North
-Atlantic Treaty Organization (NATO) military secrets
-
-
-## Prerequisites
-
-This intermediate operations guide assumes that you have:
-
-- A [supported HSM](/docs/enterprise/hsm/index.html) cluster to be integrated
-  with Vault
-- Vault Enterprise Premium
-
-
-
-## Steps
-
-This guide walks you through the following steps:
-
-1. [Configure HSM Auto-unseal](#step1)
-1. [Enable Seal Wrap](#step2)
-1. [Test the Seal Wrap Feature](#step3)
-
-
-
-### <a name="step1"></a>Step 1: Configure HSM Auto-unseal
-
-When a Vault server is started, it normally starts in a sealed state where a
-quorum of existing unseal keys is required to unseal it. By integrating Vault
-with HSM, your Vault server can be automatically unsealed by the trusted HSM key
-provider.
-
-#### Task 1: Write a Vault configuration file
-
-To integrate your Vault Enterprise server with an HSM cluster, the configuration
-file must define the [`PKCS11 seal` stanza](/docs/configuration/seal/pkcs11.html)
-providing necessary connection information.
-
-
-**Example: `config-hsm.hcl`**
-
-```shell
-# Provide your AWS CloudHSM cluster connection information
-seal "pkcs11" {
-  lib = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so"
-  slot = "1"
-  pin = "vault:Password1"
-  key_label = "hsm_demo"
-  hmac_key_label = "hsm_hmac_demo"
-  generate_key = "true"
-}
-
-# Configure the storage backend for Vault
-storage "file" {
-  path = "/tmp/vault"
-}
-
-# Addresses and ports on which Vault will respond to requests
-listener "tcp" {
-  address     = "127.0.0.1:8200"
-  tls_disable = 1
-}
-
-ui = true
-```
-
-> **NOTE:** For the purpose of this guide, the storage backend is set to the
-local file system (`/tmp/vault`) to make the verification step easy.
-
-The example configuration defines the following in its **`seal`** stanza:
-
-- **`lib`** is set to the path to the PKCS \#11 library on the virtual machine
-  where Vault Enterprise is installed
-- **`slot`** should be set to the slot number to use
-- **`pin`** is the PKCS \#11 PIN for login
-- **`key_label`** defines the label of the key you want to use
-- **`hmac_key_label`** defines the label of the key you want to use for HMACing.
-  (NOTE: HMAC is optional and only used for mechanisms that do not support
-  authenticated data.)
-- **`generate_key`** is set to `true`.  If no existing key with the label
-  specified by `key_label` can be found at Vault initialization time, Vault
-  generates a key
-
-~> **IMPORTANT:** Having Vault generate its own key is the easiest way to get up
-and running, but for security, Vault marks the key as **non-exportable**. If
-your HSM key backup strategy requires the key to be exportable, you should
-generate the key yourself.  Refer to the [key generation  attributes](/docs/configuration/seal/pkcs11.html#vault-key-generation-attributes).
-
-
-
-
-#### Task 2: Initialize your Vault Enterprise server
-
-Start the Vault server with your Vault configuration file. For example, if your
-configuration file is located at `/home/ec2-user/config-hsm.hcl`, the command
-would look like:
-
-```plaintext
-$ vault server -config=/home/ec2-user/config-hsm.hcl
-
-  SDK Version: 2.03
-==> Vault server configuration:
-
-   HSM PKCS#11 Version: 2.40
-           HSM Library: Cavium PKCS#11 Interface
-   HSM Library Version: 1.0
-   HSM Manufacturer ID: Cavium Networks
-              HSM Type: pkcs11
-                   Cgo: enabled
-            Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
-             Log Level: info
-                 Mlock: supported: true, enabled: false
-               Storage: file
-               Version: Vault v0.10.1+ent.hsm
-           Version Sha: 0e628142d6b6e5cabfdb9680a6d669d38f15574f
-
-==> Vault server started! Log data will stream in below:
-```
-
-<br>
-
-In another terminal, set the `VAULT_ADDR` environment variable, and [initialize]
-(/intro/getting-started/deploy.html#initializing-the-vault) your Vault server.
-
-**Example:**
-
-```shell
-# Set the VAULT_ADDR environment variable
-$ export VAULT_ADDR="http://127.0.0.1:8200"
-
-# Initialize Vault
-$ vault operator init
-
-Recovery Key 1: 2bU2wOfmyMqYcsEYo4Mo9q4s/KAODgHHjcmZmFOo+XY=
-Initial Root Token: 8d726c6b-98ba-893f-23d5-be3d2fec480e
-
-Success! Vault is initialized
-
-Recovery key initialized with 1 key shares and a key threshold of 1. Please
-securely distribute the key shares printed above.
-```
-
-There is only a single master key created which is encrypted by the HSM using
-PKCS \#11, and then placed in the storage. When Vault needs to be unsealed, it
-grabs the HSM encrypted master key from the storage, round trips it through the
-HSM to decrypt the master key.
-
-~> **NOTE:** When Vault is initialized while using an HSM, rather than unseal
-keys being returned to the operator, **recovery keys** are returned. These are
-generated from an internal recovery key that is [split via Shamir's Secret
-Sharing](/docs/enterprise/hsm/behavior.html#initialization), similar to Vault's
-treatment of unseal keys when running without an HSM. Some Vault operations such
-as generation of a root token require these recovery keys.
-
-Login to the Vault using the generated root token to verify.
-
-```plaintext
-$ vault login 8d726c6b-98ba-893f-23d5-be3d2fec480e
-```
-
-#### Task 3: Verification
-
-Stop and restart the Vault server and then verify its status:
-
-```plaintext
-$ vault status
-
-Key                      Value
----                      -----
-Recovery Seal Type       shamir
-Sealed                   false
-Total Recovery Shares    1
-Threshold                1
-Version                  0.10.1+ent.hsm
-Cluster Name             vault-cluster-80556565
-Cluster ID               40316cdd-3d42-ec36-e7b0-6a7a0684568c
-HA Enabled               false
-```
-
-The `Sealed` status is **`false`** which means that the Vault was automatically
-unsealed upon its start. You can proceed with Vault operations.
-
-
-### <a name="step2"></a>Step 2: Enable Seal Wrap
-
--> **NOTE:** For FIPS 140-2 compliance, seal wrap requires FIPS
-140-2 Certified HSM which is supported by _Vault Enterprise Premium_.
-
-For some values, seal wrapping is **always enabled** including the recovery key, any
-stored key shares, the master key, the keyring, and more. When working with the
-key/value secret engine, you can enable seal wrap to wrap all data.
-
-
-### CLI command
-
-Check the enabled secret engines.
-
-```plaintext
-$ vault secrets list -format=json
-{
-  ...
-  "secret/": {
-    "type": "kv",
-    "description": "key/value secret storage",
-    "accessor": "kv_75820543",
-    "config": {
-      "default_lease_ttl": 0,
-      "max_lease_ttl": 0,
-      "force_no_cache": false
-    },
-    "options": {
-      "version": "1"
-    },
-    "local": false,
-    "seal_wrap": false
-  },
-  ...
-```
-
-Notice that the `seal_wrap` parameter is set to **`false`**.
-
-> For the purpose of comparing seal wrapped data against unwrapped data, enable
-additional key/value secret engine at the `secret2/` path.
-
-```shell
-# Pass the '-seal-wrap' flag when you enable the KV workflow
-$ vault secrets enable -path=secret2/ -version=1 -seal-wrap kv
-```
-
-The above command enabled [key/value version 1](/docs/secrets/kv/kv-v1.html) with
-seal wrap feature enabled.
-
-```plaintext
-$ vault secrets list -format=json
-{
-  ...
-  "secret2/": {
-    "type": "kv",
-    "description": "",
-    "accessor": "kv_bdd74241",
-    "config": {
-      "default_lease_ttl": 0,
-      "max_lease_ttl": 0,
-      "force_no_cache": false
-    },
-    "options": {
-      "version": "1"
-    },
-    "local": false,
-    "seal_wrap": true
-  },
-  ...
-```
-
-Notice that the `seal_wrap` parameter is set to **`true`** at `secret2/`.
-
-
-#### API call using cURL
-
-Check the enabled secret engines.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/sys/mounts | jq
-...
-  "secret/": {
-    "accessor": "kv_f05b8b9c",
-    "config": {
-      "default_lease_ttl": 0,
-      "force_no_cache": false,
-      "max_lease_ttl": 0
-    },
-    "description": "key/value secret storage",
-    "local": false,
-    "options": {
-      "version": "2"
-    },
-    "seal_wrap": false,
-    "type": "kv"
-  },
-...
-```
-
-Notice that the `seal_wrap` parameter is set to **`false`**.
-
-> For the purpose of comparing seal wrapped data against unwrapped data, enable
-additional key/value secret engine at the `secret2/` path.
-
-```shell
-# Set the seal_wrap parameter to true in the request payload
-$ tee payload.json <<EOF
-{
-  "type": "kv",
-  "options": {
-    "version": "1"
-  },
-  "seal_wrap": true
-}
-EOF
-
-# Enable kv secret engine at secret2/
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/sys/mounts/secret2
-```
-
-The above command enabled [key/value version 1](/docs/secrets/kv/kv-v1.html) with
-seal wrap feature enabled.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/sys/mounts | jq
-{
-...
-  "secret2/": {
-    "accessor": "kv_724c81c9",
-    "config": {
-      "default_lease_ttl": 0,
-      "force_no_cache": false,
-      "max_lease_ttl": 0
-    },
-    "description": "",
-    "local": false,
-    "options": {
-      "version": "1"
-    },
-    "seal_wrap": true,
-    "type": "kv"
-  },
-  ...
-}
-```
-
-Notice that the `seal_wrap` parameter is set to **`true`** at `secret2/`.
-
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g. `http://127.0.0.1:8200/ui`) and
-then login.
-
-![Enable Secret Engine](/img/vault-seal-wrap-2.png)
-
-> For the purpose of comparing seal wrapped data against unwrapped data, enable
-additional key/value secret engine at the `secret2/` path.
-
-Select **Enable new engine**.  
-
-- Enter **`secret2`** in the path field
-- Select **Version 1** for KV version
-- Select the check box for **Seal Wrap**
-
-![Enable Secret Engine](/img/vault-seal-wrap-3.png)
-
-Click **Enable Engine**.
-
-
-### <a name="step3"></a>Step 3: Test the Seal Wrap Feature
-
-In this step, you are going to:
-
-1. Write some test data
-1. [View the encrypted secrets](#view-the-encrypted-secrets)
-
-#### CLI command
-
-Write a secret at `secret/unwrapped`.
-
-```shell
-# Write a key named 'password' with its value 'my-long-password'
-$ vault kv put secret/unwrapped password="my-long-password"
-
-# Read the path to verify
-$ vault kv get secret/unwrapped
-====== Data ======
-Key         Value
----         -----
-password    my-long-password
-```
-
-Write the same secret at `secret2/wrapped`.
-
-```shell
-# Write a key named 'password' with its value 'my-long-password'
-$ vault kv put secret2/wrapped password="my-long-password"
-
-# Read the path to verify
-$ vault kv get secret2/wrapped
-====== Data ======
-Key         Value
----         -----
-password    my-long-password
-```
-Using a valid token, you can write and read secrets the same way
-regardless of the seal wrap.
-
-
-
-#### API call using cURL
-
-Write a secret at `secret/unwrapped`.
-
-```shell
-# Create a payload
-$ tee payload.json <<EOF
-{
-  "data": {
-    "password": "my-long-password"
-  }
-}
-EOF
-
-# Write secret at 'secret/unwrapped'
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/secret/unwrapped
-
-# Read the path to verify
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/secret/unwrapped | jq
-{
-   "request_id": "cef0b061-3860-6a3c-8bba-1fdbf7be7bf1",
-   "lease_id": "",
-   "renewable": false,
-   "lease_duration": 2764800,
-   "data": {
-     "data": {
-       "password": "my-long-password"
-     }
-   },
-   "wrap_info": null,
-   "warnings": null,
-   "auth": null
-}       
-```
-
-Write the same secret at `secret2/wrapped`.
-
-```shell
-# Write the same secret at 'secret2/wrapped'
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/secret2/wrapped
-
-# Read the path to verify
-$ curl --header "X-Vault-Token: ..." \
-      http://127.0.0.1:8200/v1/secret2/wrapped | jq
-{
-  "request_id": "cc9ce831-2ca7-7115-a899-ce33767bdc2c",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 2764800,
-  "data": {
-    "data": {
-      "password": "my-long-password"
-    }
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-Using a valid token, you can write and read secrets the same way regardless of
-the seal wrap.
-
-#### Web UI
-
-Select **secret** and click **Create secret**.
-
-![Enable Secret Engine](/img/vault-seal-wrap-4.png)
-
-Enter the following:
-
-- PATH FOR THIS SECTE: `unwrapped`
-- key: `password`
-- value: `my-long-password`
-
-![Enable Secret Engine](/img/vault-seal-wrap-5.png)
-
-Click **Save**.
-
-Repeat the same step for **secret2** to write the same secret at the
-`secret2/wrapped` path.
-
-![Enable Secret Engine](/img/vault-seal-wrap-6.png)
-Click **Save**.
-
-
-Using a valid token, you can write and read secrets the same way
-regardless of the seal wrap.
-
-
-#### View the encrypted secrets
-
-Remember that the Vault server was configured to use the local file system
-(`/tmp/vault`) as its storage backend in this example.
-
-```shell
-# Configure the storage backend for Vault
-storage "file" {
-  path = "/tmp/vault"
-}
-```
-
-SSH into the machine where the Vault server is running, and check the stored
-values in the `/tmp/vault` directory.
-
-```plaintext
-$ cd /tmp/vault/sdk/logical
-```
-
-Under the `/tmp/vault/sdk/logical` directory, there are two sub-directories. One
-maps to `secret/` and another maps to `secret2/` although you cannot tell by
-the folder names.
-
-
-View the secret at rest.
-
-```shell
-# One of the directory maps to secret/unwrapped
-$ cd 2da357cd-55f2-7eed-c46e-c477b70bed18
-
-# View its content - password value is encrypted
-$ cat _unwrapped
-{"Value":"AAAAAQICk547prhuhMiBXLq2lx8ZkMpSB3p+GKHAwuMhKrZGSeqsFevMS6YoqTVlbvpU9B4zWPZ2HA
-SeNZ3YMw=="}
-
-# Another directory maps to secret2/wrapped
-$ cd ../5bcea44d-28a3-87af-393b-c6d398fe41d8
-
-# View its content - password value is encrypted
-$ cat _wrapped
-{"Value":"ClBAg9oN7zBBaDBZcsilDAyGkL7soPe7vBA5+ADADuyzo8GuHZHb9UFN2nF1h0OpKEgCIkG3JNHcXt
-tZqCi6szcuNBgF3pwhWGwB4FREM3b5CRIQYK7239Q92gRGrcBBeZD6ghogEtSBDmZJBahk7n4lIYF3X4iBqmwZgH
-Vo4lzWur7rzncgASofCIIhENEEGghoc21fZGVtbyINaHNtX2htYWNfZGVtb3M="}
-```
-
-Secrets are encrypted regardless; however, the seal-wrapped value is
-significantly longer despite the fact that both values are the same,
-`my-long-password`.
-
-
-~> When Vault's Seal Wrap feature is used with a FIPS 140-2 certified HSM, Vault
-will store Critical Security Parameters (CSPs) in a manner that is compliant
-with KeyStorage and KeyTransit requirements.
-
-
-
-## Next steps
-
-This guide used the local file system as the storage backend to keep it simple.
-To learn more about making your Vault cluster highly available, read the [Vault
-HA with Consul](/guides/operations/vault-ha-consul.html) guide.
diff --git a/website/source/guides/operations/vault-ha-consul.html.md b/website/source/guides/operations/vault-ha-consul.html.md
deleted file mode 100644
index ea58ae7734fb..000000000000
--- a/website/source/guides/operations/vault-ha-consul.html.md
+++ /dev/null
@@ -1,667 +0,0 @@
----
-layout: "guides"
-page_title: "Vault HA with Consul - Guides"
-sidebar_title: "Vault HA with Consul"
-sidebar_current: "guides-operations-vault-ha"
-description: |-
-  This guide will walk you through a simple Vault Highly Available (HA) cluster
-  implementation. While this is not an exhaustive or prescriptive guide that
-  can be used as a drop-in production example, it covers the basics enough to
-  inform your own production setup.
----
-
-# Vault High Availability (HA)
-
-Vault can run in a high availability (HA) mode to protect against  outages by
-running multiple Vault servers. Vault is typically bound by the IO limits of the
-storage backend rather than the compute requirements. Certain storage backends,
-such as Consul, provide additional coordination functions that enable Vault to
-run in an HA configuration while others provide a more robust backup and
-restoration process.
-
-When running in HA mode, Vault servers have two additional states: ***standby***
-and ***active***. Within a Vault cluster, only a single instance will be
-_active_ and handles all requests (reads and writes) and all _standby_ nodes
-redirect requests to the _active_ node.
-
-![Reference Architecture](/img/vault-ha-consul-3.png)
-
-> **NOTE:** As of version **0.11**, those standby nodes can handle most
-read-only requests and behave as read-replica nodes. This **Performance Standby
-Nodes** feature is included in _Vault Enterprise Premium_, and also available
-for _Vault Enterprise Pro_ with additional fee. This is particularly useful for
-processing high volume Encryption as a Service ([Transit secrets
-engine](/docs/secrets/transit/index.html)) requests. Read [Performance Standby
-Nodes](/docs/enterprise/performance-standby/index.html) documentation and a [guide](/guides/operations/performance-nodes.html) for more details.
-
-
-~> This guide will walk you through a simple Vault Highly Available (HA) cluster
-implementation. While this is not an exhaustive or prescriptive guide that can
-be used as a drop-in production example, it covers the **basics** enough to
-inform your own production setup.
-
-
-## Reference Materials
-
-- [High Availability Mode](/docs/concepts/ha.html)
-- [Consul Storage Backend](/docs/configuration/storage/consul.html)
-- [High Availability Parameters](/docs/configuration/index.html#high-availability-parameters)
-- [Consul Agent Configuration](https://www.consul.io/docs/agent/options.html)
-
-## Estimated Time to Complete
-
-25 minutes
-
-## Prerequisites
-
-This intermediate Vault operations guide assumes that you have some working
-knowledge of Vault and Consul.
-
-
-## Steps
-
-Our goal in following this guide is to arrive at a Vault HA setup
-consisting of the following:
-
-- 2 Vault servers: 1 active and 1 standby
-- Cluster of 3 Consul servers
-
-### Reference Diagram
-
-This diagram lays out the simple architecture details for reference:
-
-![Reference Architecture](/img/vault-ha-consul.png)
-
-You perform the following:
-
-- [Step 1: Setup a Consul Server Cluster](#step1)
-- [Step 2: Start and Verify the Consul Cluster State](#step2)
-- [Step 3: Setup Consul Client Agents on Vault Nodes](#step3)
-- [Step 4: Configure the Vault Servers](#step4)
-- [Step 5: Start Vault and Verify the State](#step5)
-
--> For the purpose of this guide, we will use the open source software editions of
-Vault and Consul; however, the setup is the same for Enterprise editions.
-
-
-### <a name="step1"></a>Step 1: Setup a Consul Server Cluster
-
-Our Consul servers in this guide will be defined by IP address only, but also
-referenced by a label:
-
-- **`consul_s1: 10.1.42.101`**
-- **`consul_s2: 10.1.42.102`**
-- **`consul_s3: 10.1.42.103`**
-
-The [Consul binary](https://www.consul.io/downloads.html) is presumed to be
-located in **`/usr/local/bin/consul`**, but if your case differs, you can adjust the
-path references accordingly.
-
-With that in mind, here is a basic Consul server configuration starting point:
-
-```plaintext
-{
-  "server": true,
-  "node_name": "$NODE_NAME",
-  "datacenter": "dc1",
-  "data_dir": "$CONSUL_DATA_PATH",
-  "bind_addr": "0.0.0.0",
-  "client_addr": "0.0.0.0",
-  "advertise_addr": "$ADVERTISE_ADDR",
-  "bootstrap_expect": 3,
-  "retry_join": ["$JOIN1", "$JOIN2", "$JOIN3"],
-  "ui": true,
-  "log_level": "DEBUG",
-  "enable_syslog": true,
-  "acl_enforce_version_8": false
-}
-```
-
-Note that some values contain variable placeholders while the rest have
-reasonable defaults. You should replace the following values in your own Consul
-server configuration based on the example:
-
-- **$NODE_NAME** this is a unique label for the node; in our case, this will be
-`consul_s1`, `consul_s2`, and `consul_s3` respectively.
-- **$CONSUL_DATA_PATH**: absolute path to Consul data directory; ensure that
-this directory is writable by the Consul process user.
-- **$ADVERTISE_ADDR**: set to address that you prefer the Consul
-servers advertise to the other servers in the cluster and should not be set to
-`0.0.0.0`; for this guide, it should be set to the Consul server’s IP address in
-each instance of the configuration file, or `10.1.42.101`,` 10.1.42.102`, and
-`10.1.42.103` respectively.
-- **$JOIN1**, **$JOIN2**, **$JOIN3**: This example uses the `retry_join`
-method of joining the server agents to form a cluster; as such, the values for
-this guide would be `10.1.42.101`, `10.1.42.102`, and `10.1.42.103` respectively.
-
-
-Note that the web user interface is enabled (`"ui": true`), and Consul will be
-logging at DEBUG level to the system log (`"log_level": "DEBUG"`). For the
-purpose of this guide, the **`acl_enforce_version_8`** is set to `false` so that
-we do not need to be concerned with ACLs in this guide. However, you would want
-to enable ACLs in a production environment and follow the [Consul ACL Guide](https://www.consul.io/docs/guides/acl.html#acl-agent-master-token) for
-details.
-
-Create a configuration file for each Vault server and save it as
-**`/usr/local/etc/consul/client_agent.json`**.
-
-#### `consul_s1.json` Example
-
-    {
-      "server": true,
-      "node_name": "consul_s1",
-      "datacenter": "dc1",
-      "data_dir": "/var/consul/data",
-      "bind_addr": "0.0.0.0",
-      "client_addr": "0.0.0.0",
-      "advertise_addr": "10.1.42.101",
-      "bootstrap_expect": 3,
-      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
-      "ui": true,
-      "log_level": "DEBUG",
-      "enable_syslog": true,
-      "acl_enforce_version_8": false
-    }
-
-#### `consul_s2.json` Example
-
-    {
-      "server": true,
-      "node_name": "consul_s2",
-      "datacenter": "dc1",
-      "data_dir": "/var/consul/data",
-      "bind_addr": "0.0.0.0",
-      "client_addr": "0.0.0.0",
-      "advertise_addr": "10.1.42.102",
-      "bootstrap_expect": 3,
-      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
-      "ui": true,
-      "log_level": "DEBUG",
-      "enable_syslog": true,
-      "acl_enforce_version_8": false
-    }
-
-#### `consul_s3.json` Example
-
-    {
-      "server": true,
-      "node_name": "consul_s3",
-      "datacenter": "dc1",
-      "data_dir": "/var/consul/data",
-      "bind_addr": "0.0.0.0",
-      "client_addr": "0.0.0.0",
-      "advertise_addr": "10.1.42.103",
-      "bootstrap_expect": 3,
-      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
-      "ui": true,
-      "log_level": "DEBUG",
-      "enable_syslog": true,
-      "acl_enforce_version_8": false
-    }
-
-#### Consul Server `systemd` Unit file
-
-You have Consul binaries and a reasonably basic configuration and now you just
-need to start Consul on each server instance; `systemd` is popular in most
-contemporary Linux distributions, so with that in mind, here is an example
-`systemd` unit file:
-
-```plaintext
-### BEGIN INIT INFO
-# Provides:          consul
-# Required-Start:    $local_fs $remote_fs
-# Required-Stop:     $local_fs $remote_fs
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: Consul agent
-# Description:       Consul service discovery framework
-### END INIT INFO
-
-[Unit]
-Description=Consul server agent
-Requires=network-online.target
-After=network-online.target
-
-[Service]
-User=consul
-Group=consul
-PIDFile=/var/run/consul/consul.pid
-PermissionsStartOnly=true
-ExecStartPre=-/bin/mkdir -p /var/run/consul
-ExecStartPre=/bin/chown -R consul:consul /var/run/consul
-ExecStart=/usr/local/bin/consul agent \
-    -config-file=/usr/local/etc/consul/client_agent.json \
-    -pid-file=/var/run/consul/consul.pid
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-KillSignal=SIGTERM
-Restart=on-failure
-RestartSec=42s
-
-[Install]
-WantedBy=multi-user.target
-```
-
-Note that you might be interested in changing the values of the following
-depending on style, file system hierarchy standard adherence level, and so on:
-
-- **`-config-file`**
-- **`-pid-file`**
-
-Once the unit file is defined and saved (e.g.
-`/etc/systemd/system/consul.service`), be sure to perform a `systemctl daemon-reload`
-and then you can start your Consul service on each server.
-
-### <a name="step2"></a>Step 2: Start and Verify the Consul Cluster State
-
-Be sure that the ownership and permissions are correct on the directory you
-specified for the value of `data_dir`, and then start the Consul service on each
-system and verify the status:
-
-    $ sudo systemctl start consul
-    $ sudo systemctl status consul
-    ● consul.service - Consul server agent
-       Loaded: loaded (/etc/systemd/system/consul.service; enabled; vendor preset: enabled)
-       Active: active (running) since Mon 2018-03-19 17:33:14 UTC; 24h ago
-     Main PID: 2068 (consul)
-        Tasks: 13
-       Memory: 13.6M
-          CPU: 0m 52.784s
-       CGroup: /system.slice/consul.service
-               └─2068 /usr/local/bin/consul agent -config-file=/usr/local/etc/consul/client_agent.json -pid-file=/var/run/consul/consul.pid
-
-After starting all Consul server agents, let’s check the Consul cluster status:
-
-    $consul members
-    Node       Address           Status  Type    Build  Protocol  DC    Segment
-    consul_s1  10.1.42.101:8301  alive   server  1.0.6  2         dc1   <all>
-    consul_s2  10.1.42.102:8301  alive   server  1.0.6  2         dc1   <all>
-    consul_s3  10.1.42.103:8301  alive   server  1.0.6  2         dc1   <all>
-
-The cluster looks good and all 3 servers are shown; let’s make sure we have a
-leader before proceeding:
-
-    $consul operator raft list-peers
-    Node                   ID                                    Address           State     Voter  RaftProtocol
-    consul_s2              536b721f-645d-544a-c10d-85c2ca24e4e4  10.1.42.102:8300  follower  true   3
-    consul_s1              e10ba554-a4f9-6a8c-f662-81c8bb2a04f5  10.1.42.101:8300  follower  true   3
-    consul_s3              56370ec8-da25-e7dc-dfc6-bf5f27978a7a  10.1.42.103:8300  leader    true   3
-
-The above output shows that **`consul_s3`** is the current cluster leader in
-this example.  Now, you are good to move on to the Vault server configuration.
-
-
-### <a name="step3"></a>Step 3: Setup Consul Client Agents on Vault Nodes
-
-The Vault server nodes require **both** the Consul and Vault binaries on each node. Consul will be configured as a **client** agent and Vault will be configured as a server.
-
-![Reference Architecture](/img/vault-ha-consul-2.png)
-
-
-#### Consul Client Agent Configuration
-
-Since Consul is used to provide a highly available storage backend, you need to
-configure local Consul client agents on the Vault servers which will communicate
-with the Consul server cluster for registering health checks, service discovery, and cluster HA failover coordination (cluster leadership).
-
-~> Note that [it is not recommended to connect the Vault servers directly to the
-Consul servers](/docs/configuration/storage/consul.html#address).
-
-The Consul client agents will be using the same address as the Vault servers for
-network communication to the Consul server cluster, but they will be binding the
-**`client_address`** only to the loopback interface such that Vault can connect to
-it over the loopback interface.
-
-Here is the example configuration for the Consul client agent:
-
-    {
-      "server": false,
-      "datacenter": "dc1",
-      "node_name": "$NODE_NAME",
-      "data_dir": "$CONSUL_DATA_PATH",
-      "bind_addr": "$BIND_ADDR",
-      "client_addr": "127.0.0.1",
-      "retry_join": ["$JOIN1", "$JOIN2", "$JOIN3"],
-      "log_level": "DEBUG",
-      "enable_syslog": true,
-      "acl_enforce_version_8": false
-    }
-
-Similar to what you have done in [Step 1](#step1), replace the following values
-in your own Consul client agent configuration accordingly:
-
-- **$NODE_NAME** this is a unique label for the node; in
-our case, this will be `consul_c1` and `consul_c2` respectively.
-- **$CONSUL_DATA_PATH**: absolute path to Consul data directory; ensure that this
-directory is writable by the Consul process user.
-- **$BIND_ADDR**: this should be set
-to address that you prefer the Consul servers advertise to the other servers in
-the cluster and should not be set to `0.0.0.0`; for this guide, it should be set
-to the Vault server’s IP address in each instance of the configuration file, or
-`10.1.42.201` and `10.1.42.202` respectively.
-- **$JOIN1**, **$JOIN2**, **$JOIN3**: This example uses the `retry_join` method of
-joining the server agents to form a cluster; as such, the values for this guide
-would be `10.1.42.101`, `10.1.42.102`, and `10.1.42.103` respectively.
-
-Create a configuration file for each Vault server and save it as
-**`/usr/local/etc/consul/client_agent.json`**.
-
-#### `consul_c1.json` Example
-
-    {
-      "server": false,
-      "datacenter": "dc1",
-      "node_name": "consul_c1",
-      "data_dir": "/var/consul/data",
-      "bind_addr": "10.1.42.201",
-      "client_addr": "127.0.0.1",
-      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
-      "log_level": "DEBUG",
-      "enable_syslog": true,
-      "acl_enforce_version_8": false
-    }
-
-#### `consul_c2.json` Example
-
-    {
-      "server": false,
-      "datacenter": "dc1",
-      "node_name": "consul_c2",
-      "data_dir": "/var/consul/data",
-      "bind_addr": "10.1.42.202",
-      "client_addr": "127.0.0.1",
-      "retry_join": ["10.1.42.101", "10.1.42.102", "10.1.42.103"],
-      "log_level": "DEBUG",
-      "enable_syslog": true,
-      "acl_enforce_version_8": false
-    }
-
-#### Consul Server `systemd` Unit file
-
-You have Consul binaries and a reasonably basic client agent configuration and
-now you just need to start Consul on each of the Vault server instances. Here
-is an example `systemd` unit file:
-
-    ### BEGIN INIT INFO
-    # Provides:          consul
-    # Required-Start:    $local_fs $remote_fs
-    # Required-Stop:     $local_fs $remote_fs
-    # Default-Start:     2 3 4 5
-    # Default-Stop:      0 1 6
-    # Short-Description: Consul agent
-    # Description:       Consul service discovery framework
-    ### END INIT INFO
-
-    [Unit]
-    Description=Consul client agent
-    Requires=network-online.target
-    After=network-online.target
-
-    [Service]
-    User=consul
-    Group=consul
-    PIDFile=/var/run/consul/consul.pid
-    PermissionsStartOnly=true
-    ExecStartPre=-/bin/mkdir -p /var/run/consul
-    ExecStartPre=/bin/chown -R consul:consul /var/run/consul
-    ExecStart=/usr/local/bin/consul agent \
-        -config-file=/usr/local/etc/consul/client_agent.json \
-        -pid-file=/var/run/consul/consul.pid
-    ExecReload=/bin/kill -HUP $MAINPID
-    KillMode=process
-    KillSignal=SIGTERM
-    Restart=on-failure
-    RestartSec=42s
-
-    [Install]
-    WantedBy=multi-user.target
-
-Change the following values as necessary:
-
-- **`-config-file`**
-- **`-pid-file`**
-
-Once the unit file is defined and saved (e.g.
-`/etc/systemd/system/consul.service`), be sure to perform a `systemctl
-daemon-reload` and then you can start your Consul service on each Vault server.
-
-Start the Consul and verify its cluster state to be sure that the ownership and
-permissions are correct on the directory you specified for the value of
-`data_dir`, and then start the Consul service on each system and verify the
-status:
-
-    $ sudo systemctl start consul
-    $ sudo systemctl status consul
-    ● consul.service - Consul client agent
-       Loaded: loaded (/etc/systemd/system/consul.service; enabled; vendor preset: enabled)
-       Active: active (running) since Tue 2018-03-20 19:36:49 UTC; 6s ago
-     Main PID: 23758 (consul)
-        Tasks: 11
-       Memory: 9.8M
-          CPU: 571ms
-       CGroup: /system.slice/consul.service
-               └─23758 /usr/local/bin/consul agent -config-file=/usr/local/etc/consul/client_agent.json -pid-file=/var/run/consul/consul.pid
-
-After starting all Consul client agents, check the Consul cluster status:
-
-    $consul members
-    Node        Address           Status  Type    Build  Protocol  DC    Segment
-    consul_s1   10.1.42.101:8301  alive   server  1.0.6  2         dc1   <all>
-    consul_s2   10.1.42.102:8301  alive   server  1.0.6  2         dc1   <all>
-    consul_s3   10.1.42.103:8301  alive   server  1.0.6  2         dc1   <all>
-    consul_c1   10.1.42.201:8301  alive   client  1.0.6  2         arus  <default>
-    consul_c2   10.1.42.202:8301  alive   client  1.0.6  2         arus  <default>
-
-The above output shows 3 Consul server agents and 2 Consul client agents in the
-cluster.  Now, you are ready to configure the Vault servers.
-
-### <a name="step4"></a>Step 4: Configure the Vault Servers
-
-Now that we have a Consul cluster consisting of 3 servers and 2 client agents
-for our Vault servers, let’s get the configuration for Vault and a startup
-script together so that we can bootstrap the Vault HA setup.
-
-Our Vault servers in this guide are defined by IP address only, but referenced
-by a label as well:
-
-- **`vault_s1: 10.1.42.201`**
-- **`vault_s2: 10.1.42.202`**
-
-In our configuration file, we'll set up the following:
-
-- [**`tcp`**](/docs/configuration/listener/tcp.html) listener
-- [**`consul`**](/docs/configuration/storage/consul.html)  storage backend
-- [High Availability parameters](/docs/configuration/index.html#high-availability-parameters)
-
-This section assumes the Vault binary is located at **`/usr/local/bin/vault`**
-
-#### Vault Configuration
-
-    listener "tcp" {
-      address          = "0.0.0.0:8200"
-      cluster_address  = "0.0.0.0:8201"
-      tls_disable      = "true"
-    }
-
-    storage "consul" {
-      address = "127.0.0.1:8500"
-      path    = "vault/"
-    }
-
-    api_addr =  "$API_ADDR"
-    cluster_addr = "$CLUSTER_ADDR"
-
-
-We're setting the following parameters for our `tcp` listener:
-
-- `address` (string: "127.0.0.1:8200") – Specifies the address to bind to for listening.
-- `cluster_address` (string: "127.0.0.1:8201") – Specifies the address to bind to for cluster server-to-server requests. This defaults to one port higher than the value of address. This does not usually need to be set, but can be useful in case Vault servers are isolated from each other in such a way that they need to hop through a TCP load balancer or some other scheme in order to talk.
-
-This configuration allows for listening on all interfaces (such that a Vault
-command against the loopback address would succeed, for example).
-
-We're also explicitly setting Vault's [HA parameters](/docs/configuration/index.html#high-availability-parameters) (`api_addr` and `cluster_addr`). Often, it's not necessary to configure these two parameters when using Consul as Vault's storage backend, as Consul will attempt to automatically discover and advertise the address of the active Vault node. However, certain cluster configurations might require them to be explicitly set (accessing Vault through a load balancer, for example).
-
-For the sake of simplicity, we will assume that clients in our scenario connect directly to the Vault nodes (rather than through a load balancer). Review the [Client Redirection](/docs/concepts/ha.html#client-redirection) documentation for more information on client access patterns and their implications.
-
-Note that some values contain variable placeholders while the rest have
-reasonable defaults. You should replace the following values in your own Vault
-server configuration based on the example:
-
-- **$API_ADDR**: Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This can also be provided via the environment variable `VAULT_API_ADDR`. In general this should be set to a full URL that points to the value of the listener address. In our scenario, it will be `http://10.1.42.201:8200`
-and `http://10.1.42.202:8200` respectively.
-
-- **$CLUSTER_ADDR**: Specifies the address to advertise to other Vault servers in the cluster for request forwarding. This can also be provided via the environment variable `VAULT_CLUSTER_ADDR`. This is a full URL, like `api_addr`. In our scenario, it will be `https://10.1.42.201:8201` and
-`https://10.1.42.202:8201` respectively.
-
-> Note that the scheme here (https) is ignored; all cluster members will always
-use TLS with a private key/certificate.
-
-
-#### `vault_s1.hcl` Example
-
-    listener "tcp" {
-      address          = "0.0.0.0:8200"
-      cluster_address  = "10.1.42.201:8201"
-      tls_disable      = "true"
-    }
-
-    storage "consul" {
-      address = "127.0.0.1:8500"
-      path    = "vault/"
-    }
-
-    api_addr = "http://10.1.42.201:8200"
-    cluster_addr = "https://10.1.42.201:8201"
-
-
-#### `vault_s2.hcl` Example
-
-    listener "tcp" {
-      address          = "0.0.0.0:8200"
-      cluster_address  = "10.1.42.202:8201"
-      tls_disable      = "true"
-    }
-
-    storage "consul" {
-      address = "127.0.0.1:8500"
-      path    = "vault/"
-    }
-
-    api_addr = "http://10.1.42.202:8200"
-    cluster_addr = "https://10.1.42.202:8201"
-
-
-#### Vault Server `systemd` Unit file
-
-You have Vault binaries and a reasonably basic configuration along with local
-client agents configured.  Now, you just need to start Vault on each server
-instance. Here is an example `systemd` unit file:
-
-    ### BEGIN INIT INFO
-    # Provides:          vault
-    # Required-Start:    $local_fs $remote_fs
-    # Required-Stop:     $local_fs $remote_fs
-    # Default-Start:     2 3 4 5
-    # Default-Stop:      0 1 6
-    # Short-Description: Vault server
-    # Description:       Vault secret management tool
-    ### END INIT INFO
-
-    [Unit]
-    Description=Vault secret management tool
-    Requires=network-online.target
-    After=network-online.target
-
-    [Service]
-    User=vault
-    Group=vault
-    PIDFile=/var/run/vault/vault.pid
-    ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault_server.hcl -log-level=debug
-    ExecReload=/bin/kill -HUP $MAINPID
-    KillMode=process
-    KillSignal=SIGTERM
-    Restart=on-failure
-    RestartSec=42s
-    LimitMEMLOCK=infinity
-
-    [Install]
-    WantedBy=multi-user.target
-
-Note that you might be interested in changing the values of the following
-depending on style, file system hierarchy standard adherence level, and so on:
-
-- **`-config`**
-- **`-log-level`**
-
-Once the unit file is defined and saved as e.g.
-`/etc/systemd/system/vault.service`, be sure to perform a `systemctl daemon-reload`
-and then you can start your Vault service on each server.
-
-### <a name="step5"></a>Step 5: Start Vault and Verify the State
-
-Start the Vault service on each system and verify the status:
-
-    $ sudo systemctl start vault
-    $ sudo systemctl status vault
-    ● vault.service - Vault secret management tool
-       Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: enabled)
-       Active: active (running) since Tue 2018-03-20 20:42:10 UTC; 42s ago
-     Main PID: 2080 (vault)
-        Tasks: 12
-       Memory: 71.7M
-          CPU: 50s
-       CGroup: /system.slice/vault.service
-               └─2080 /usr/local/bin/vault server -config=/home/ubuntu/vault_nano/config/vault_server.hcl -log-level=debu
-
-Now you’ll need to move on to [initializing and
-unsealing](/intro/getting-started/deploy.html#initializing-the-vault) each Vault
-instance.
-
-Once that is done, check Vault status on each of the servers.
-
-The **active** Vault server:
-
-    $ vault status
-    Key             Value
-    ---             -----
-    Seal Type       shamir
-    Sealed          false
-    Total Shares    5
-    Threshold       3
-    Version         0.9.5
-    Cluster Name    vault
-    Cluster ID      0ee91bd1-55ec-c84f-3c1d-dcc7f4f644a8
-    HA Enabled      true
-    HA Cluster      https://10.1.42.201:8201
-    HA Mode         active
-
-The **standby** Vault server:
-
-    vault status
-    Key                     Value
-    ---                     -----
-    Seal Type               shamir
-    Sealed                  false
-    Total Shares            5
-    Threshold               3
-    Version                 0.9.5
-    Cluster Name            vaultron
-    Cluster ID              0ee91bd1-55ec-c84f-3c1d-dcc7f4f644a8
-    HA Enabled              true
-    HA Cluster              https://10.1.42.201:8201
-    HA Mode                 standby
-    Active Node Address:    http://10.1.42.201:8200
-
-
-Vault servers are now operational in HA mode at this point, and you should be
-able to write a secret from either the active or the standby Vault instance and
-see it succeed as a test of request forwarding. Also, you can shut down the
-active instance (`sudo systemctl stop vault`) to simulate a system failure and
-see the standby instance assumes the leadership.
-
-
-## Next steps
-
-Read [Production Hardening](/guides/operations/production.html) to learn best
-practices for a production hardening deployment of Vault.
diff --git a/website/source/guides/secret-mgmt/app-integration.html.md b/website/source/guides/secret-mgmt/app-integration.html.md
deleted file mode 100644
index 0e55a9bd21c8..000000000000
--- a/website/source/guides/secret-mgmt/app-integration.html.md
+++ /dev/null
@@ -1,443 +0,0 @@
----
-layout: "guides"
-page_title: "Direct Application Integration - Guides"
-sidebar_title: "Direct Application Integration"
-sidebar_current: "guides-secret-mgmt-app-integration"
-description: |-
-  This guide demonstrates the use of Consul Template and Envconsul tools. To
-  understand the difference between the two tools, you are going to retrieve the
-  same information from Vault.
----
-
-# Direct Application Integration
-
-A modern system requires access to a multitude of secrets: database credentials,
-API keys for external services, credentials for service-oriented architecture
-communication, etc.  Vault steps in to provide a centralized secret management
-system.  The next step is to decide how your applications acquire the secrets
-from Vault.
-
-This guide introduces ***Consul Template*** and ***Envconsul*** to help you
-determine if these tools speed up the integration of your applications once
-secrets are securely managed by Vault.
-
--> **NOTE:** Both [Consul Template](https://github.com/hashicorp/consul-template)
-and  [Envconsul](https://github.com/hashicorp/consul-template) are open source
-tools.
-
-### Consul Template
-
-Despite its name, Consul Template does **not** require a Consul cluster to
-operate. It retrieves secrets from Vault and manages the acquisition and renewal
-lifecycle.
-
-
-### Envconsul
-
-Envconsul launches a subprocess which dynamically populates environment
-variables from secrets read from Vault.  Your applications then read those
-environment variables.  Despite its name, Envconsul does **not** require a
-Consul cluster to operate.  It enables flexibility and portability for
-applications across systems.
-
-
-## Reference Material
-
-- [Consul Template](https://github.com/hashicorp/consul-template)
-- [Envconsul](https://github.com/hashicorp/consul-template)
-- [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Challenge
-
-If your application code or script contains some secrets (e.g. database
-credentials), it makes a good sense to manage the secrets using Vault. However,
-it means that your application will need to retrieve the secrets at runtime.
-Does that mean the application developers must make some code change?
-
-Is there an easy way to retrieve the secrets from Vault and populate the
-application code or script with secrets as needed?
-
-
-## Solution
-
-Both ***Consul Template*** and ***Envconsul*** provide first-class support for
-Vault.  Leveraging these tools can minimize the level of changes introduced to
-your applications. Depending on the current application design, you may not need
-to make minimal to no code change.
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need:
-
-- A [Vault environment](/intro/getting-started/install.html)
-- [Consul Template](https://releases.hashicorp.com/consul-template/)
-- [Envconsul](https://releases.hashicorp.com/envconsul/)
-- [PostgreSQL](#postgresql)
-
-
-### PostgreSQL
-
-This guide uses the database secrets engine to demonstrate the use of Consul
-Template and Envconsul.  Therefore, you need a
-[PostgreSQL](https://www.postgresql.org/download/) server to connect to.
-
-~> Complete the [Secret as a Service: Dynamic
-Secrets](/guides/secret-mgmt/dynamic-secrets.html) guide first if you are not
-familiar with `database` secrets engine.
-
-
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Enable database secrets engines at "database/" path
-path "sys/mounts/database" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Configure the database secret engine and create roles
-path "database/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Write ACL policies
-path "sys/policy/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Manage tokens for Consul Template & Envconsul to use
-path "auth/token/create" {
-  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-
-## Steps
-
-This guide demonstrates the use of Consul Template and Envconsul tools. To
-understand the difference between the two tools, you are going to retrieve the
-same information from Vault.
-
-1. [Setup Database Secrets Engine](#step1)
-1. [Generate Client Token](#step2)
-1. [Use Consul Template to Populate DB Credentials](#step3)
-1. [Use Envconsul to Retrieve DB Credentials](#step4)
-
-
-### <a name="step1"></a>Step 1: Setup Database Secrets Engine
-
-In this step, you are going to enable and configure the `database` secrets
-engine using `postgresql-database-plugin` where the database connection URL is
-`postgresql://root:rootpassword@localhost:5432/myapp`.  
-
-> **NOTE:** Your database connection URL is most likely different from this
-example. Be sure to use the correct [connection URL]
-(http://localhost:4567/api/secret/databases/postgresql.html#connection_url) to
-match your environment.
-
-~> Refer to the [PostgreSQL Database Secrets
-Engine](/docs/secrets/databases/postgresql.html) documentation or [Secret as a
-Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html) guide if you
-are not familiar with `database` secrets engine. The detailed description of
-working with `database` secrets engine is out of scope for this guide.
-
-
-#### CLI command
-
-```shell
-# First, enable the database secrets engine
-$ vault secrets enable database
-
-# Configure the secret engine with appropriate parameter values
-$ vault write database/config/postgresql \
-      plugin_name=postgresql-database-plugin \
-      allowed_roles=* \
-      connection_url=postgresql://root:rootpassword@localhost:5432/myapp
-
-# Create readonly.sql to define a role permission in SQL
-$ tee readonly.sql <<EOF
-CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
-GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
-EOF
-
-# Create a role, "readonly"
-$ vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql \
-    default_ttl=1h max_ttl=24h
-```
-
-
-#### API call using cURL
-
-```shell
-# Enable `database` secret engine using `/sys/mounts` endpoint
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type":"database"}' \
-       https://127.0.0.1:8200/v1/sys/mounts/database
-
-# Specify the database connection URL according to your environment
-$ tee payload.json <<EOF
-{
-	"plugin_name": "postgresql-database-plugin",
-	"allowed_roles": "*",
-	"connection_url": "postgresql://root:rootpassword@localhost:5432/myapp"
-}
-EOF
-
-# Configure the database secrets engine by passing the request payload
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/database/config/postgresql
-
-# Create the request payload to create a role
-$ tee payload.json <<EOF
-{
-  "db_name": "postgres",
-  "creation_statements": ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
-   GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"],
-  "default_ttl": "1h",
-  "max_ttl": "24h"
-}
-EOF
-
-# Create a role named, readonly
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/database/roles/readonly
-```
-
-
-### <a name="step2"></a>Step 2: Generate Client Token
-
-Consul Template tool itself is a Vault client. Therefore, it must have a valid
-token with policies permitting it to retrieve secrets from `database` secret
-engine you just configured in [Step 1](#step1).
-
-First, create a policy definition file, `db_creds.hcl`.  This policy allows read
-operation on the `database/creds/readonly` path to obtain the dynamically
-generated username and password to access the PostgreSQL database. In addition,
-the policy allows renewal of the lease if necessary.
-
-**`db_creds.hcl`**:
-
-```hcl
-path "database/creds/readonly" {
-  capabilities = [ "read" ]
-}
-
-path "/sys/leases/renew" {
-  capabilities = [ "update" ]
-}
-```
-
-Now, create a policy named, `db_creds` and generate a token with this policy
-attached.
-
-
-### CLI Command
-
-```shell
-# Create a `db_creds` policy
-$ vault policy write db_creds db_creds.hcl
-
-# Create a token with db_creds policy:
-$ vault token create -policy="db_creds"
-Key                  Value
----                  -----
-token                89956bf1-6f4d-435d-4cf3-7496e9520a87
-token_accessor       319eddff-42a1-eb2b-801e-dd8a0c0b07b4
-token_duration       768h
-token_renewable      true
-token_policies       ["db_creds" "default"]
-identity_policies    []
-policies             ["db_creds" "default"]
-```
-
-**NOTE:** This is the token that Consul Template uses to talk to Vault.
-Copy the **`token`** value and proceed to [Step 3](#step3).
-
-
-#### API call using cURL
-
-```shell
-# Create an API request payload
-$ tee payload.json <<EOF
-{
-  "policy": "path \"database/creds/readonly\" {\n capabilities = [ \"read\" ]\n } \n path \"sys/leases/renew\" {\n capabilities = [ \"update\" ] \n}"
-}
-EOF
-
-# Create db_creds policy
-$ curl --header "X-Vault-Token: ..." \
-       --request PUT \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/sys/policy/db_creds
-
-# Generate a new token with db_creds policy
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"policies": ["db_creds"]}' \
-       http://127.0.0.1:8200/v1/auth/token/create | jq
-{
-  ...
-   "auth": {
-     "client_token": "37413eca-96aa-1d47-d09d-d1cad322c419",
-     "accessor": "a05aa3ce-b5d6-9e82-da7f-181d78d475e4",
-     "policies": [
-       "db_creds",
-       "default"
-     ],
-     "token_policies": [
-       "db_creds",
-       "default"
-     ],
-     ...
-}
-```
-
-**NOTE:** This is the token that Consul Template uses to talk to Vault.
-Copy the **`client_token`** value and proceed to [Step 3](#step3).
-
-
-### <a name="step3"></a>Step 3: Use Consul Template to Populate DB Credentials
-
-Assume that your application requires PostgreSQL database credentials to read
-data.  Its configuration file, **`config.yml`** looks like:
-
-```plaintext
-username: "<DB_USRENAME>"
-password: "<DB_PASSWORD>"
-database: "myapp"
-```
-
-To have Consul Template to populate the `<DB_USRENAME>` and `<DB_PASSWORD>`, you
-need to create a template file with Consul Template [templating
-language](https://github.com/hashicorp/consul-template#templating-language).
-
-
-1. Create a template file by replacing the username and password with
-   Consul Template syntax and save it as **`config.yml.tpl`**. The file should
-   contain the following:
-
-    ```plaintext
-    ---
-    {{- with secret "database/creds/readonly" }}
-    username: "{{ .Data.username }}"
-    password: "{{ .Data.password }}"
-    database: "myapp"
-    {{- end }}
-    ```
-
-    -> **NOTE:** This template reads secrets from `database/creds/readonly`
-    path in Vault. Set the `username` parameter value to "`.Data.username`" of
-    the secret output. Similarly, set the `password` to "`.Data.password`" value.
-
-1. Execute the `consul-template` command to populate `config.yml` file.
-
-    The Consul Template command is: `consul-template -template="<input_file>:<output_file>"`
-
-    The input file is the **`config.yml.tpl`** and specify the desired output
-    file name to be **`config.yml`**:
-
-    ```plaintext
-    $ VAULT_TOKEN=<token> consul-template -template="config.yml.tpl:config.yml" -once
-    ```
-
-    While `<token>` is the token you copied at [Step 2](#step2).
-
-
-1. Open the generated **`config.yml`** file to verify its content. It should
-   look similar to:
-
-    ```plaintext
-    $ cat config.yml
-    ---
-    username: "v-token-readonly-tu17xrtz345uz643980r-1527630039"
-    password: "A1a-7s0z9y223x2rp6v9"
-    database: "myapp"
-    ```
-
-    The `username` and `password` were retrieved from Vault and populated in the
-     `config.yml` file.
-
-
-> **Summary**: You need to create a templated version of your application
-scripts to leverage Consul Template.  However, it requires minimum effort to do
-so in comparison to writing an application which invokes Vault API to accomplish
-the same.
-
-
-
-### <a name="step4"></a>Step 4: Use Envconsul to Retrieve DB Credentials
-
-Create a file named, **`app.sh`** containing the following:
-
-```hcl
-#!/usr/bin/env bash
-
-cat <<EOT
-My connection info is:
-
-username: "${DATABASE_CREDS_READONLY_USERNAME}"
-password: "${DATABASE_CREDS_READONLY_PASSWORD}"
-database: "my-app"
-EOT
-```
-
-The main difference here is that the `app.sh` is reading ***environment
-variables*** to set `username` and `password` values; therefore, no templating
-is involved.
-
--> Notice that the environment variable name is derived from the secret _path_
-with key name.
-
-Run the Envconsul tool using the Vault token you generated at [Step 2](#step2).
-
-```plaintext
-$ VAULT_TOKEN=<token> envconsul -upcase -secret database/creds/readonly ./app.sh
-
-My connection info is:
-
-username: "v-token-readonly-ww1tq33s7z5uprpxxy68-1527631219"
-password: "A1a-u54wut0v605qwz95"
-database: "my-app"
-```
-
-The output should display the `username` and `password` populated.  
-
-The `-upcase` flag tells Envconsul to convert all environment variable keys to
-uppercase.  Otherwise, the default uses lowercase (e.g. `database_creds_readonly_username`).
-
-
-> **Summary:** If your application is designed to read secrets from environment
-variables, Envconsul requires minimal to no code change to integrate with Vault.
-
-
-
-## Next steps
-
-If the integration option is to directly invoke Vault API within your
-application, refer to the [_AppRole Pull
-Authentication_](/guides/identity/authentication.html) guide to learn about the
-AppRole auth method which is designed for applications.
diff --git a/website/source/guides/secret-mgmt/cubbyhole.html.md b/website/source/guides/secret-mgmt/cubbyhole.html.md
deleted file mode 100644
index 838e202f7b0b..000000000000
--- a/website/source/guides/secret-mgmt/cubbyhole.html.md
+++ /dev/null
@@ -1,556 +0,0 @@
----
-layout: "guides"
-page_title: "Cubbyhole Response Wrapping - Guides"
-sidebar_title: "Cubbyhole Response Wrapping"
-sidebar_current: "guides-secret-mgmt-cubbyhole"
-description: |-
-  Vault provides a capability to wrap Vault response and store it in a
-  "cubbyhole" where the holder of the one-time use wrapping token can unwrap to
-  uncover the secret.
----
-
-# Cubbyhole
-
-The term _cubbyhole_ comes from an Americanism where you get a "locker" or "safe
-place" to store your belongings or valuables. In Vault, cubbyhole is your
-"locker".  All secrets are namespaced under **your token**. If that token
-expires or is revoked, all the secrets in its cubbyhole are revoked as well.
-
-It is not possible to reach into another token's cubbyhole even as the root
-user. This is the key difference between the cubbyhole and the key/value secret
-engine. The secrets in the key/value secret engine are accessible to any token for as
-long as its policy allows it.
-
-
-## Reference Material
-
-- [Cubbyhole](/docs/secrets/cubbyhole/index.html)
-- [Response Wrapping](/docs/concepts/response-wrapping.html)
-
-~> **NOTE:** An [interactive
-tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-cubbyhole) is
-also available if you do not have a Vault environment to perform the steps
-described in this guide.
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Personas
-
-The end-to-end scenario described in this guide involves two personas:
-
-- **`admin`** with privileged permissions to create tokens
-- **`apps`** trusted entity retrieving secrets from Vault
-
-## Challenge
-
-In order to tightly manage the secrets, you set the scope of who can do what
-using the [Vault policy](/docs/concepts/policies.html) and attach that to
-tokens, roles, entities, etc.
-
-Think of a case where you have a trusted entity (Chef, Jenkins, etc.) which
-reads secrets from Vault. This trusted entity must obtain a token. If the
-trusted entity or its host machine was rebooted, it must re-authenticate with
-Vault using a valid token.
-
-How can you securely distribute the initial token to the trusted entity?
-
-## Solution
-
-Use Vault's **cubbyhole response wrapping** where the initial token is stored in
-the cubbyhole secret engine. The wrapped secret can be unwrapped using the
-single-use wrapping token. Even the user or the system created the initial token
-won't see the original value. The wrapping token is short-lived and can be
-revoked just like any other tokens so that the risk of unauthorized access can
-be minimized.
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-### <a name="policy"></a>Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Manage tokens
-path "auth/token/*" {
-  capabilities = [ "create", "read", "update", "delete", "sudo" ]
-}
-
-# Write ACL policies
-path "sys/policy/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Manage secret/dev secret engine - for Verification test
-path "secret/dev" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-## Steps
-
-Think of a scenario where apps read secrets from Vault. The `apps` need:
-
-- Policy granting "read" permission on the specific path (`secret/dev`)
-- Valid tokens to interact with Vault
-
-![Response Wrapping Scenario](/img/vault-cubbyhole.png)
-
-Setting the appropriate policies and token generation are done by the `admin`
-persona. For the `admin` to distribute the initial token to the app securely, it
-uses cubbyhole response wrapping. In this guide, you perform the following:
-
-1. [Create and wrap a token](#step1)
-2. [Unwrap the secret](#step2)
-
-**NOTE:** This guide demonstrates how the response wrapping works. To learn more
-about reading and writing secrets in Vault, refer to the [Static
-Secret](/guides/secret-mgmt/static-secrets.html) guide.
-
-### <a name="step1"></a>Step 1: Create and wrap a token
-(**Persona:** admin)
-
-To solve the [challenge](#challenge) addressed in this guide:
-
-1. More privileged token (`admin`) wraps a secret only the expecting client can
-read
-2. The receiving client (`app`) unwraps the secret to obtain the token
-
-When the response to `vault token create` request is wrapped, Vault inserts the
-generated token into the cubbyhole of a single-use token, returning that
-single-use wrapping token. Retrieving the secret requires an unwrap operation
-against this wrapping token.
-
-In this scenario, an [admin user](#personas) creates a token using response
-wrapping. To perform the steps in this guide, first create a policy for the app.
-
-`apps-policy.hcl`:
-
-```shell
-# For testing, read-only on secret/dev path
-path "secret/dev" {
-  capabilities = [ "read" ]
-}
-```
-
-#### CLI command
-
-First create an `apps` policy:
-
-```shell
-$ vault policy write apps apps-policy.hcl
-Policy 'apps' written.
-```
-
-To create a token using response wrapping:
-
-```shell
-$ vault token create -policy=<POLICY_NAME> -wrap-ttl=<WRAP_TTL>
-```
-
-Where the `<WRAP_TTL>` can be either an integer number of seconds or a string
-duration of seconds (15s), minutes (20m), or hours (25h).
-
-**Example:**
-
-Generate a token for `apps` persona using response wrapping with TTL of 120
-seconds.
-
-```shell
-$ vault token create -policy=apps -wrap-ttl=120
-
-Key                          	Value
----                          	-----
-wrapping_token:              	9ac59985-094f-a2de-aed8-bf688e436fbc
-wrapping_token_ttl:          	2m0s
-wrapping_token_creation_time:	2018-01-10 00:47:54.970185208 +0000 UTC
-wrapping_token_creation_path:	auth/token/create
-wrapped_accessor:            	195763a9-3f26-1fcf-6a1a-ee0a11e76cb1
-```
-
-The response is the wrapping token; therefore, the admin user does not even see
-the generated token from the `token create` command.
-
-
-#### API call using cURL
-
-First create an `apps` policy using `sys/policy` endpoint:
-
-```shell
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request PUT \
-       --data <PAYLOAD> \
-       <VAULT_ADDRESS>/v1/sys/policy/<POLICY_NAME>
-```
-
-Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes policy name and
-stringified policy.
-
-**Example:**
-
-```shell
-# Request payload
-$ cat payload.json
-{
-  "policy": "path \"secret/dev\" { capabilities = [ \"read\" ] }"
-}
-
-# API call to create a policy named, "apps"
-$ curl --header "X-Vault-Token: ..." --request PUT --data @payload.json \
-       http://127.0.0.1:8200/v1/sys/policy/apps
-```
-
-Response wrapping is per-request and is triggered by providing to Vault the
-desired TTL for a response-wrapping token for that request. This is set using
-the **`X-Vault-Wrap-TTL`** header in the request and can be either an integer
-number of seconds or a string duration.
-
-```shell
-$ curl --header "X-Vault-Wrap-TTL: <TTL>" \
-       --header "X-Vault-Token: <TOKEN>" \
-       --request <HTTP_VERB> \
-       --data '<PARAMETERS>' \
-       <VAULT_ADDRESS>/v1/<ENDPOINT>
-```
-
-Where `<TTL>` can be either an integer number of seconds or a string duration of
-seconds (15s), minutes (20m), or hours (25h).
-
-**Example:**
-
-To wrap the response of token create request:
-
-```shell
-$ curl --header "X-Vault-Wrap-TTL: 120" \
-       --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"policies":["apps"]}' \
-       http://127.0.0.1:8200/v1/auth/token/create | jq
-{
-  "request_id": "",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": {
-    "token": "e095129f-123a-4fef-c007-1f6a487cfa78",
-    "ttl": 120,
-    "creation_time": "2018-01-10T01:43:38.025351336Z",
-    "creation_path": "auth/token/create",
-    "wrapped_accessor": "44e8253c-65b4-1690-1bf1-7902a7a6b2aa"
-  },
-  "warnings": null,
-  "auth": null
-}  
-```
-
-This API call generates a token for `apps` persona using response wrapping with
-TTL of 60 seconds. The admin user does not even see the generated token.
-
-
-### <a name="step2"></a>Step 2: Unwrap the secret
-(**Persona:** apps)
-
-The `apps` persona receives a wrapping token from the `admin`.  In order for the
-`apps` to acquire a valid token to read secrets from `secret/dev` path, it must
-run the unwrap operation using this token.
-
--> **NOTE:** If a client has been expecting delivery of a response-wrapping
-token and none arrives, this may be due to an attacker intercepting the token
-and then preventing it from traveling further. This should cause an alert to
-trigger an immediate investigation.
-
-The following tasks will be performed to demonstrate the client operations:
-
-1. Create a token with **`default`** policy
-2. Authenticate with Vault using this `default` token (less privileged token)
-3. Unwrap the secret to obtain more privileged token (**`apps`** persona token)
-4. Verify that you can read `secret/dev` using the `apps`token
-
-
-#### CLI command
-
-First, create a token with `default` policy:
-
-```shell
-# Create a token with `default` policy
-$ vault token create -policy=default
-Key            	Value
----            	-----
-token          	4522b2e8-27fe-bdc5-b932-d982f3166c6c
-token_accessor 	96108f48-7475-6190-b058-769a2e5ebc8e
-token_duration 	768h0m0s
-token_renewable	true
-token_policies 	[default]
-
-# Authenticate using the generated token
-$ vault login 4522b2e8-27fe-bdc5-b932-d982f3166c6c
-Successfully authenticated! You are now logged in.
-token: 4522b2e8-27fe-bdc5-b932-d982f3166c6c
-token_duration: 2764729
-token_policies: [default]
-
-# Verify that you do NOT have a permission to read secret/dev
-$ vault read secret/dev
-Error reading secret/dev: Error making API request.
-
-URL: GET http://<VAULT_ADDRESS>/v1/secret/dev
-Code: 403. Errors:
-
-* permission denied
-```
-
-The command to unwrap the wrapped secret is:
-
-```shell
-$ vault unwrap <WRAPPING_TOKEN>
-```
-Or
-
-```shell
-$ VAULT_TOKEN=<WRAPPING_TOKEN> vault unwrap
-```
-
-**Example:**
-
-```shell
-$ VAULT_TOKEN=9ac59985-094f-a2de-aed8-bf688e436fbc vault unwrap
-
-Key            	Value
----            	-----
-token          	7bb915b2-8a44-48b0-a71d-72b590252016
-token_accessor 	195763a9-3f26-1fcf-6a1a-ee0a11e76cb1
-token_duration 	768h0m0s
-token_renewable	true
-token_policies 	[apps default]
-```
-
-Verify that this token has `apps` policy attached.
-
-Once the client acquired the token, future requests can be made using this
-token.
-
-```shell
-$ vault login 7bb915b2-8a44-48b0-a71d-72b590252016
-
-$ vault read secret/dev
-No value found at secret/dev
-```
-
-#### API call using cURL
-
-First, create a token with `default` policy:
-
-```shell
-# Create a new token default policy
-$ curl --header "X-Vault-Token: ..." --request POST \
-     --data '{"policies": "default"}' \
-     http://127.0.0.1:8200/v1/auth/token/create | jq
-{
-  ...
-  "auth": {
-    "client_token": "5fe14760-b0fd-22dc-403c-14a05003b67f",
-    "accessor": "e709610e-916e-f7e3-b93b-41f4dfdca7a0",
-    "policies": [
-      "default"
-    ],
-    ...
- }
-}
-
-# Verify that you can NOT read secret/dev using default token
-$ curl --header "X-Vault-Token: 5fe14760-b0fd-22dc-403c-14a05003b67f" \
-       --request GET \
-       http://127.0.0.1:8200/v1/secret/dev | jq
-{
- "errors": [
-   "permission denied"
- ]
-}
-```
-
-Now, unwrap the secret using `/sys/wrapping/unwrap` endpoint:
-
-```shell
-$ curl --header "X-Vault-Token: <WRAPPING_TOKEN>" \
-       --request POST \
-       <VAULT_ADDRESS>/v1/sys/wrapping/unwrap
-```
-
-**Example:**
-
-```shell
-$ curl --header "X-Vault-Token: e095129f-123a-4fef-c007-1f6a487cfa78" \
-       --request POST \
-       http://127.0.0.1:8200/v1/sys/wrapping/unwrap | jq
-{
-  "request_id": "d704435d-c1cf-b8a3-52f6-ec50bc8246c4",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": null,
-  "wrap_info": null,
-  "warnings": null,
-  "auth": {
-    "client_token": "af5f7682-aa55-fa37-5039-ee116df56600",
-    "accessor": "19b5407e-b304-7cde-e946-54942325d3c1",
-    "policies": [
-      "apps",
-      "default"
-    ],
-    "metadata": null,
-    "lease_duration": 2764800,
-    "renewable": true
-  }
-}
-```
-
-Once the client acquired the token, future requests can be made using this
-token.
-
-```plaintext
-$ curl --header "X-Vault-Token: af5f7682-aa55-fa37-5039-ee116df56600" \
-       --request GET \
-       http://127.0.0.1:8200/v1/secret/dev | jq
-{
-  "errors": []
-}
-```
-
-Since there is no data in `secret/dev`, it returns an empty array.
-
-## Additional Discussion
-
-The `cubbyhole` secret engine provides your own private secret storage space
-where no one else can read (including `root`). This comes handy when you want to
-store a password tied to your username that should not be shared with anyone.
-
-The cubbyhole secret engine is mounted at the **`cubbyhole/`** prefix by
-default. The secrets you store in the `cubbyhole/` path are tied to your token
-and all tokens are permitted to read and write to the `cubbyhole` secret engine
-by the [`default`](/docs/concepts/policies.html#default-policy) policy.
-
-```shell
-...
-# Allow a token to manage its own cubbyhole
-path "cubbyhole/*" {
-    capabilities = ["create", "read", "update", "delete", "list"]
-}
-...
-```
-
-To test the cubbyhole secret engine, perform the following steps. (NOTE: Keep
-using the `apps` token from [Step 2](#step2) to ensure that you are logged in with
-non-root token.)
-
-#### CLI command
-
-Commands to write and read secrets to the `cubbyhole` secret engine:
-
-```shell
-# Write key-value pair(s) in your cubbyhole
-$ vault write cubbyhole/<PATH> <KEY>=<VALUE>
-
-# Read values from your cubbyhole
-$ vault write cubbyhole/<PATH>
-```
-
-**Example:**
-
-Write secrets under `cubbyhole/private/` path, and read it back.
-
-```shell
-# Write "token" to cubbyhole/private/access-token path
-$ vault write cubbyhole/private/access-token token="123456789abcdefg87654321"
-Success! Data written to: cubbyhole/private/access-token
-
-# Read value from cubbyhole/private/access-token path
-$ vault read cubbyhole/private/access-token
-Key  	Value
----  	-----
-token	123456789abcdefg87654321
-```
-
-Now, try to access the secret using the `root` token. It should NOT return the
-secret.
-
-```shell
-$ VAULT_TOKEN=<ROOT_TOKEN> vault read cubbyhole/private/access-token
-
-No value found at cubbyhole/private/access-token
-```
-
-#### API call using cURL
-
-The API to work with the `cubbyhole` secret engine is very similar to `secret` secret engine:
-
-```shell
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data <SECRETS> \
-       <VAULT_ADDRESS>/v1/cubbyhole/<PATH>
-```
-
-**Example:**
-
-Write secrets under `cubbyhole/private/` path, and read it back.
-
-```shell
-# Write "token" to cubbyhole/private/access-token path
-$ curl --header "X-Vault-Token: e095129f-123a-4fef-c007-1f6a487cfa78" --request POST \
-       --data '{"token": "123456789abcdefg87654321"}' \
-       http://127.0.0.1:8200/v1/cubbyhole/private/access-token
-
-# Read value from cubbyhole/private/access-token path
-$ curl --header "X-Vault-Token: e095129f-123a-4fef-c007-1f6a487cfa78" --request GET \
-       http://127.0.0.1:8200/v1/cubbyhole/private/access-token  | jq
-{
- "request_id": "b2ff9f04-7a72-7eb0-672f-225b5eb652df",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
-   "token": "123456789abcdefg87654321"
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-Now, try to access the secret using the `root` token. It should NOT return the
-secret.
-
-```shell
-$ curl --header "X-Vault-Token: root" --request GET \
-       http://127.0.0.1:8200/v1/cubbyhole/private/access-token  | jq
-{
- "errors": []
-}
-```
-
-Also, refer to [Cubbyhole Secret Engine (API)](/api/secret/cubbyhole/index.html).
-
-
-## Next steps
-
-The use of [AppRole Pull Authentication](/guides/identity/authentication.html) is a good
-use case to leverage the response wrapping. Go through the guide if you have not
-done so.  To better understand the lifecycle of Vault tokens, proceed to [Tokens
-and Leases](/guides/identity/lease.html) guide.
diff --git a/website/source/guides/secret-mgmt/db-root-rotation.html.md b/website/source/guides/secret-mgmt/db-root-rotation.html.md
deleted file mode 100644
index df7b83a54807..000000000000
--- a/website/source/guides/secret-mgmt/db-root-rotation.html.md
+++ /dev/null
@@ -1,372 +0,0 @@
----
-layout: "guides"
-page_title: "DB Root Credential Rotation - Guides"
-sidebar_title: "DB Root Credential Rotation"
-sidebar_current: "guides-secret-mgmt-db-root-rotation"
-description: |-
-  Vault enables the combined database secret engines to automate the rotation of
-  root credentials.
----
-
-# Database Root Credential Rotation
-
-## Database Secrets Engine
-
-Vault's [database secrets engine](/docs/secrets/databases/index.html) provides a
-centralized workflow for managing credentials for various database systems. By
-leveraging this, every service instance gets a unique set of database
-credentials instead of sharing one.  Having those credentials tied directly to
-each service instance and live only for the life of the service, any abnormal
-access pattern can be mapped to a specific service instance and its credential
-can be revoked immediately.
-
-This reduces the manual tasks performed by the database administrator and make
-the access to the database to be more efficient and secure.
-
-The [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
-guide demonstrates the primary workflow.
-
-## Reference Material
-
-- [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
-- [Database Secret Engine (API)](/api/secret/databases/index.html#rotate-root-credentials)
-- [PostgreSQL Database Plugin HTTP API](/api/secret/databases/postgresql.html)
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Challenge
-
-Because Vault is managing the database credentials on behalf of the database
-administrator, it must also be given a set of highly privileged credentials
-which can grant and revoke access to the database system.  Therefore, it is very
-common to give Vault the **root** credentials.
-
-However, these credentials are often long-lived and never change once configured
-on Vault. This may violate the _Governance, Risk and Compliance_ (GRC)
-surrounding that data stored in the database.
-
-
-## Solution
-
-Use the Vault's **`/database/rotate-root/:name`** API endpoint to rotate the
-root credentials stored for the database connection.
-
-![DB Root Credentials](/img/vault-db-root-rotation.png)
-
-~> **Best Practice:** Use this feature to rotate the root credentials
-immediately after the initial configuration of each database.
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-### PostgreSQL
-
-This guide requires that you have a PostgreSQL server to connect to. If you
-don't have one, install [PostgreSQL](https://www.postgresql.org/download/).
-
-- Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/online-resources/) for details
-- [PostgreSQL Wiki](https://wiki.postgresql.org/wiki/First_steps) gives you a
-summary of basic commands to get started.
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Mount secret engines
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Configure the database secret engine and create roles
-path "database/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-Using Vault, you can easily rotate the root credentials for your database
-through the **`database/rotate-root/:name`** endpoint.
-
-This guide demonstrates the overall workflow to manage the database credentials
-including the root.
-
-You are going to perform the following:
-
-1. [Enable the database secret engine](#step1)
-1. [Configure PostgreSQL secret engine](#step2)
-1. [Verify the configuration (***Optional***)](#step3)
-1. [Rotate the root credentials](#step4)
-
-
-### <a name="step1"></a>Step 1: Enable the database secret engine
-
-#### CLI command
-
-Enable a database secret engine:
-
-```plaintext
-$ vault secrets enable database
-```
-
-**NOTE:** This example enables the database secret engine at the **`/database`**
-path in Vault.  
-
-#### API call using cURL
-
-To enable a database secret engine, use the **`/sys/mounts`** endpoint.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type":"database"}' \
-       https://127.0.0.1:8200/v1/sys/mounts/database
-```
-
-**NOTE:** This example mounts database secret engine at **`/database`**,
-and passes the secret engine type ("`database`") in the request payload.
-
-### <a name="step2"></a>Step 2: Configure PostgreSQL secret engine
-
-In the [Secret as a Service: Dynamic
-Secrets](/guides/secret-mgmt/dynamic-secrets.html#step2) guide, the PostgreSQL
-plugin was configured with its root credentials embedded in the `connection_url`
-(`root` and `rootpassword`) as below:
-
-```plaintext
-$ vault write database/config/postgresql \
-      plugin_name=postgresql-database-plugin \
-      allowed_roles="*" \
-      connection_url=postgresql://root:rootpassword@postgres.host.address:5432/postgres
-```
-
-The username and password can be templated using the format,
-**`{{<field-name>}}`**.
-
-~> In order to leverage the database root credential rotation feature, you must
-use the templated credentials: **`{{username}}`** and **`{{password}}`**.
-
-
-#### CLI command
-
-```plaintext
-$ vault write database/config/postgresql \
-     plugin_name=postgresql-database-plugin \
-     connection_url="postgresql://{{username}}:{{password}}@postgres.host.address:5432/postgres" \
-     allowed_roles="*" \
-     username="root" \
-     password="rootpassword"
-```
-
-Notice that the `connection_url` value contains the templated credentials, and
-`username` and `password` parameters are also passed to initiate the connection.
-
-
-Create a role, `readonly`:
-
-```shell
-# Create readonly.sql defining the role privilege  
-$ tee readonly.sql <<EOF
-CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
-GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
-EOF
-
-# Create a role named 'readonly' with TTL of 1 hr
-$ vault write database/roles/readonly db_name=postgresql \
-         creation_statements=@readonly.sql \
-         default_ttl=1h max_ttl=24h
-```
-
-#### API call using cURL
-
-```plaintext
-$ tee payload.json <<EOF
-{
-    "plugin_name": "postgresql-database-plugin",
-    "connection_url": "postgresql://{{username}}:{{password}}@postgres.host.address:5432/postgres",
-    "allowed_roles": "readonly",
-    "username": "root",
-    "password": "rootpassword"
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..."
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/database/config/postgresql
-```
-
-Notice that the `connection_url` value contains the templated credentials, and
-`username` and `password` parameters are also passed to initiate the connection.
-
-
-Create a role, `readonly`:
-
-```shell
-# Create the request payload
-$ tee payload.json <<EOF
-{
-	"db_name": "postgres",
-	"creation_statements": "CREATE ROLE '{{name}}' WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
-  GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{name}}';",
-	"default_ttl": "1h",
-	"max_ttl": "24h"
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..."
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/database/roles/readonly
-```
-
-
-### <a name="step3"></a>Step 3: Verify the configuration (***Optional***)
-
-Before rotate the root credentials, make sure that the secret engine was
-configured correctly.
-
-#### CLI command
-
-```shell
-# Get a new set of credentials
-$ vault read database/creds/readonly
-Key                Value
----                -----
-lease_id           database/creds/readonly/999c43f0-f79e-ba90-24a8-4de5af33a2e9
-lease_duration     1h
-lease_renewable    true
-password           A1a-u7wxtrpx09xp40yq
-username           v-root-readonly-x6q809467q98yp4yx4z4-1525378026e
-
-
-# Make sure that you can connect to the database using the Vault generated credentials
-$ psql -h postgres.host.address -p 5432 \
-       -U v-root-readonly-x6q809467q98yp4yx4z4-1525378026e postgres
-Password for user v-root-readonly-x6q809467q98yp4yx4z4-1525378026:
-
-postgres=> \du
-Role name                                       |                         Attributes                         | Member of
-------------------------------------------------+------------------------------------------------------------+----------
-postgres                                        | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
-v-root-readonly-x6q809467q98yp4yx4z4-1525378026 | Password valid until 2018-05-03 21:07:11+00                | {}
-
-postgres=> \q
-```
-
-
-#### API call using cURL
-
-```shell
-# Get a new set of credentials
-$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
-       http://127.0.0.1:8200/v1/database/creds/readonly | jq
-{
-   "request_id": "527970fd-f5e8-4de5-d4ed-1b7970eaef0b",
-   "lease_id": "database/creds/readonly/ac79265e-668c-242f-4f67-1dae33da094c",
-   "renewable": true,
-   "lease_duration": 3600,
-   "data": {
-     "password": "A1a-0tr8u15y0us2u08v",
-     "username": "v-root-readonly-x7v65y1xuprzxv9vpt80-1525378873"
-   },
-   "wrap_info": null,
-   "warnings": null,
-   "auth": null
-}
-
-# Make sure that you can connect to the database using the Vault generated credentials
-$ psql -h postgres.host.address -p 5432 \
-       -U v-root-readonly-x6q809467q98yp4yx4z4-1525378026e postgres
-Password for user v-root-readonly-x6q809467q98yp4yx4z4-1525378026:
-
-postgres=> \du
-Role name                                       |                         Attributes                         | Member of
-------------------------------------------------+------------------------------------------------------------+----------
-postgres                                        | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
-v-root-readonly-x6q809467q98yp4yx4z4-1525378026 | Password valid until 2018-05-03 21:07:11+00                | {}
-v-root-readonly-x7v65y1xuprzxv9vpt80-1525378873 | Password valid until 2018-05-03 21:21:18+00                | {}
-
-postgres=> \q
-```
-<br>
-
-This confirms that the Vault successfully connected to your PostgreSQL server
-and created a new user based on the privilege defined by `readonly.sql`.
-
-> The user credentials generated by the Vault has a limited TTL based on your
-configuration (`default_ttl`). In addition, you can revoke them if necessary.
-
-
-### <a name="step4"></a>Step 4: Rotate the root credentials
-
-Vault provides an API endpoint to easily rotate the root database credentials.
-
-#### CLI command
-
-```plaintext
-$ vault write -force database/rotate-root/postgresql
-```
-
-#### API call using cURL
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       http://127.0.0.1:8200/v1/database/rotate-root/postgresql
-```
-
-This is all you need to do.
-
----
-<br>
-
-Repeat [Step 3](#step3) to verify that Vault continues to generate database
-credentials after the root credential rotation.
-
-To verify that the root credential was rotated:
-
-```plaintext
-$ psql -h postgres.host.address -p 5432 -U root postgres
-Password for user root:
-```
-
-Entering the initial password (e.g. `rootpassword`) will ***not*** work since
-the password was rotated by the Vault.
-
-You can invoke the **`database/rotate-root/:name`** endpoint periodically to
-secure the root credential.
-
-
-~> **NOTE:** Once the root credential was rotated, only the Vault knows the new
-root password. This is the same for all root database credentials given to Vault.
-Therefore, you should create a separate superuser dedicated to the Vault usage
-which is not used for other purposes.  
-
-
-## Next steps
-
-In this guide, you learned how to rotate the root database credentials.
-
-Read the [AppRole Pull Authentication](/guides/identity/authentication.html)
-guide to learn about generating a client token for your app so that it can
-request database credentials from Vault.
diff --git a/website/source/guides/secret-mgmt/dynamic-secrets.html.md b/website/source/guides/secret-mgmt/dynamic-secrets.html.md
deleted file mode 100644
index 18586ec565c0..000000000000
--- a/website/source/guides/secret-mgmt/dynamic-secrets.html.md
+++ /dev/null
@@ -1,497 +0,0 @@
----
-layout: "guides"
-page_title: "Secret as a Service - Guides"
-sidebar_title: "Secret as a Service"
-sidebar_current: "guides-secret-mgmt-dynamic-secrets"
-description: |-
-  Vault can dynamically generate secrets on-demand for some systems.
----
-
-# Secret as a Service: Dynamic Secrets
-
-Vault can generate secrets on-demand for some systems. For example, when an app
-needs to access an Amazon S3 bucket, it asks Vault for AWS credentials. Vault
-will generate an AWS credential granting permissions to access the S3 bucket. In
-addition, Vault will automatically revoke this credential after the TTL is
-expired.
-
-The [Getting Started](/intro/getting-started/dynamic-secrets.html) guide walks
-you through the generation of dynamic AWS credentials.
-
-## Reference Material
-
-- [Getting Started - Dynamic Secrets](/intro/getting-started/dynamic-secrets.html)
-- [Secret Engines - Databases](/docs/secrets/databases/index.html)
-- [Role API](/api/secret/databases/index.html#create-role)
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Personas
-
-The end-to-end scenario described in this guide involves two personas:
-
-- **`admin`** with privileged permissions to configure secret engines
-- **`apps`** read the secrets from Vault
-
-## Challenge
-
-Data protection is a top priority which means that the database credential
-rotation is a critical part of any data protection initiative. Each role has a
-different set of permissions granted to access the database. When a system is
-attacked by hackers, continuous credential rotation becomes necessary and needs
-to be automated.
-
-
-## Solution
-
-Applications ask Vault for database credential rather than setting them as
-environment variables. The administrator specifies the TTL of the database
-credentials to enforce its validity so that they are automatically revoked when
-they are no longer used.
-
-![Dynamic Secret Workflow](/img/vault-dynamic-secrets.png)
-
-Each app instance can get unique credentials that they don't have to share. By
-making those credentials to be short-lived, you reduced the change of the secret
-to being compromised. If an app was compromised, the credentials used by the app
-can be revoked rather than changing more global set of credentials.
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-### PostgreSQL
-
-This guide requires that you have a PostgreSQL server to connect to. If you
-don't have one, install [PostgreSQL](https://www.postgresql.org/download/) to
-perform the steps described in this guide.
-
-- Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/online-resources/) for details
-- [PostgreSQL Wiki](https://wiki.postgresql.org/wiki/First_steps) gives you a
-summary of basic commands to get started.
-
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Mount secret engines
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Configure the database secret engine and create roles
-path "database/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Write ACL policies
-path "sys/policy/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Manage tokens for verification
-path "auth/token/create" {
-  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-## Steps
-
-In this guide, you are going to configure PostgreSQL secret engine, and create
-a read-only database role. The Vault generated PostgreSQL credentials will only
-have read permission.
-
-1. [Mount the database secret engine](#step1)
-2. [Configure PostgreSQL secret engine](#step2)
-3. [Create a role](#step3)
-4. [Request PostgreSQL credentials](#step4)
-5. [Validation](#validation)
-
-Step 1 through 3 need to be performed by an `admin` user.  Step 4 describes
-the commands that an `app` runs to get a database credentials from Vault.
-
-
-### <a name="step1"></a>Step 1: Mount the database secret engine
-(**Persona:** admin)
-
-As most of the secret engines, the [database secret engine](/docs/secrets/databases/index.html)
-must be mounted.
-
-#### CLI command
-
-To mount a database secret engine:
-
-```plaintext
-$ vault secrets enable <PATH>
-```
-
-**Example:**
-
-```plaintext
-$ vault secrets enable database
-```
-
-**NOTE:** In this guide, the database secret engine is mounted at the `/database path` in
-Vault.  However, it is possible to mount your secret engines at any location.
-
-#### API call using cURL
-
-Mount `database` secret engine using `/sys/mounts` endpoint:
-
-```plaintext
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data <PARAMETERS> \
-       <VAULT_ADDRESS>/v1/sys/mounts/<PATH>
-```
-
-Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
-parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
-
-**Example:**
-
-The following example mounts database secret engine at `sys/mounts/database`
-path, and passed the secret engine type ("database") in the request payload.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type":"database"}' \
-       https://127.0.0.1:8200/v1/sys/mounts/database
-```
-
-**NOTE:** It is possible to mount your database secret engines at any location.
-
-
-### <a name="step2"></a>Step 2: Configure PostgreSQL secret engine
-(**Persona:** admin)
-
-The PostgreSQL secret engine needs to be configured with valid credentials. It
-is very common to give Vault the **root** credentials and let Vault manage the
-auditing and lifecycle credentials; it's much better than having one person
-manage the credentials.
-
-
-The following command configures the database secret engine using
-`postgresql-database-plugin` where the database connection URL is
-`postgresql://root:rootpassword@localhost:5432/myapp`.  The allowed role is
-`readonly` which you will create in [Step 3](#step3).
-
-**NOTE:** If your
-database connection URL is different from this example, be sure to replace the
-command with correct URL to match your environment.
-
-
-#### CLI command
-
-**Example:**
-
-```plaintext
-$ vault write database/config/postgresql \
-      plugin_name=postgresql-database-plugin \
-      allowed_roles=readonly \
-      connection_url=postgresql://root:rootpassword@localhost:5432/myapp
-```
-
-
-#### API call using cURL
-
-**Example:**
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." --request POST --data @payload.json \
-    http://127.0.0.1:8200/v1/database/config/postgresql
-
-$ cat payload.json
-{
-	"plugin_name": "postgresql-database-plugin",
-	"allowed_roles": "readonly",
-	"connection_url": "postgresql://root:rootpassword@localhost:5432/myapp"
-}
-```
-
-<br>
-
-~> **NOTE:** Read the [Database Root Credential Rotation](/guides/secret-mgmt/db-root-rotation.html)
-guide to learn about rotating the root credential immediately after the initial
-configuration of each database.
-
-
-### <a name="step3"></a>Step 3: Create a role
-(**Persona:** admin)
-
-In [Step 2](#step2), you configured the PostgreSQL secret engine by passing **`readonly`** role
-as an allowed member. The next step is to define the `readonly` role. A role is
-a logical name that maps to a policy used to generate credentials.
-
--> Vault does not know what kind of PostgreSQL users you want to create. So,
-supply the information in SQL to create desired users.
-
-**Example:** `readonly.sql`
-
-```plaintext
-CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
-GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
-```
-
-The values within the `{{<value>}}` will be filled in by Vault. Notice that
-**`VALID_UNTIL`** clause. This tells PostgreSQL to revoke the credentials even
-if Vault is offline or unable to communicate with it.
-
-
-#### CLI command
-
-**Example:**
-
-```plaintext
-$ vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql \
-    default_ttl=1h max_ttl=24h
-```
-
-The above command creates a role named, `readonly` with default TTL of 1
-hour, and max TTL of the credential is set to 24 hours. The `readonly.sql`
-statement is passed as the role creation statement.
-
-#### API call using cURL
-
-**Example:**
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." --request POST --data @payload.json \
-    http://127.0.0.1:8200/v1/database/roles/readonly
-
-$ cat payload.json
-{
-	"db_name": "postgres",
-	"creation_statements": ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
-  GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"],
-	"default_ttl": "1h",
-	"max_ttl": "24h"
-}
-```
-
-The `db_name`, `creation_statements`, `default_ttl`, and `max_ttl` are set in
-the `role-payload.json`.
-
-
-### <a name="step4"></a>Step 4: Request PostgreSQL credentials
-(**Persona:** apps)
-
-Now, you are switching to [`apps` persona](#personas). To get a new set of
-PostgreSQL credentials, the client app needs to be able to **read** from the
-`readonly` role endpoint. Therefore, the app's token must have a policy granting
-the read permission.
-
-`apps-policy.hcl`
-
-```shell
-# Get credentials from the database secret engine
-path "database/creds/readonly" {
-  capabilities = [ "read" ]
-}
-```
-
-#### CLI command
-
-First create an `apps` policy, and generate a token so that you can authenticate
-as an `apps` persona.
-
-**Example:**
-
-```shell
-# Create "apps" policy
-$ vault policy write apps apps-policy.hcl
-Policy 'apps' written.
-
-# Create a new token with app policy
-$ vault token create -policy="apps"
-Key            	Value
----            	-----
-token          	e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
-token_accessor 	54700b7e-d828-a6c4-6141-96e71e002bd7
-token_duration 	768h0m0s
-token_renewable	true
-token_policies 	[apps default]
-```
-
-Use the returned token to perform the remaining.
-
-**NOTE:** [AppRole Pull Authentication](/guides/identity/authentication.html) guide
-demonstrates more sophisticated way of generating a token for your apps.
-
-```shell
-# Authenticate with Vault using the generated token first
-$ vault login e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
-Successfully authenticated! You are now logged in.
-token: e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
-token_duration: 2764277
-token_policies: [apps default]
-
-# Invoke the vault command
-$ vault read database/creds/readonly
-
-Key            	Value
----            	-----
-lease_id       	database/creds/readonly/4b5c6e82-df88-0dec-c0cb-f07eee8f0329
-lease_duration 	1h0m0s
-lease_renewable	true
-password       	A1a-4urzp0wu92r5s1q0
-username       	v-token-readonly-9x3qrw452wwz4w6421xt-1515625519
-```
-
-**NOTE:** Re-run the command and notice that Vault returns a different set of
-credentials each time. This means that each app instance can acquire a unique
-set of credentials.
-
-
-#### API call using cURL
-
-First create an `apps` policy, and generate a token so that you can authenticate
-as an `app` persona.
-
-```shell
-# Payload to pass in the API call
-$ cat payload.json
-{
-  "policy": "path \"database/creds/readonly\" {capabilities = [ \"read\" ]}"
-}
-
-# Create "apps" policy
-$ curl --header "X-Vault-Token: ..." --request PUT \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/sys/policy/apps
-
-# Generate a new token with apps policy
-$ curl --header "X-Vault-Token: ..." --request POST \
-       --data '{"policies": ["apps"]}' \
-       http://127.0.0.1:8200/v1/auth/token/create | jq
-{
- "request_id": "e1737bc8-7e51-3943-42a0-2dbd6cb40e3e",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "wrap_info": null,
- "warnings": null,
- "auth": {
-   "client_token": "1c97b03a-6098-31cf-9d8b-b404e52dcb4a",
-   "accessor": "b10a3eb7-15fe-1924-600e-403cfda34c28",
-   "policies": [
-     "apps",
-     "default"
-   ],
-   "metadata": null,
-   "lease_duration": 2764800,
-   "renewable": true,
-   "entity_id": ""
- }
-}
-```
-
-Be sure to use the returned token to perform the remaining.
-
-**NOTE:** [AppRole Pull Authentication](/guides/identity/authentication.html) guide
-demonstrates more sophisticated way of generating a token for your apps.
-
-```plaintext
-$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
-       --request GET \
-       http://127.0.0.1:8200/v1/database/creds/readonly | jq
-{
-  "request_id": "e0e5a6c1-5e69-5cf3-c9d2-020af192de36",
-  "lease_id": "database/creds/readonly/7aa462ab-98cb-fdcb-b226-f0a0d37644cc",
-  "renewable": true,
-  "lease_duration": 3600,
-  "data": {
-    "password": "A1a-2680ut032xqt16tq",
-    "username": "v-token-readonly-6s4su6z93472x0r2787t-1515625742"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null
-}
-```
-
-### Validation
-
-(1) Generate a new set of credentials.
-
-```plaintext
-$ vault read database/creds/readonly
-
-Key            	Value
----            	-----
-lease_id       	database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
-lease_duration 	1h0m0s
-lease_renewable	true
-password       	A1a-w2xv2zsq4r5ru940
-username       	v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434
-```
-
-The generated username is `v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434`.
-
-(2) Connect to the postgres as an admin user, and run the following psql commands.
-
-```plaintext
-$ psql -U postgres
-
-postgres > \du
-                                                       List of roles
-                    Role name                     |                         Attributes                         | Member of
---------------------------------------------------+------------------------------------------------------------+-----------
- postgres                                         | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
- v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434 | Password valid until 2018-01-11 00:37:14+00                | {}
-
-postgres > \q
- ```
-
-The `\du` command lists all users. You should be able to verify that the username generated by Vault exists.
-
-(3) Renew the lease for this credential by passing its **`lease_id`**.
-
-```plaintext
-$ vault renew database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
-
-Key            	Value
----            	-----
-lease_id       	database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
-lease_duration 	1h0m0s
-lease_renewable	true
-```
-
-(4) Revoke the generated credentials.
-
-```plaintext
-$ vault lease revoke database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
-```
-
-**NOTE:** If you run the command with **`-prefix=true`** flag, it revokes all
-secrets under `database/creds/readonly`.
-
-Now, when you check the list of users in PostgreSQL, none of the Vault generated
-user name exists.
-
-
-## Next steps
-
-This guide discussed how to generate credentials on-demand so that the access
-credentials no longer need to be written to disk. Next, learn about the
-[Tokens and Leases](/guides/identity/lease.html) so that you can control the
-lifecycle of those credentials.
diff --git a/website/source/guides/secret-mgmt/index.html.md b/website/source/guides/secret-mgmt/index.html.md
deleted file mode 100644
index 81b916711100..000000000000
--- a/website/source/guides/secret-mgmt/index.html.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-layout: "guides"
-page_title: "Secrets Management - Guides"
-sidebar_title: "Secrets Management"
-sidebar_current: "guides-secret-mgmt"
-description: |-
-   A very common use case of Vault is to manage your organization's secrets from
-   storing credentials and API keys to encrypting passwords for user signups.
-   Vault is meant to be a solution for all secret management needs.
----
-
-# Secrets Management
-
-Vault is a tool for securely accessing secrets. A secret is anything that you
-want to tightly control access to, such as API keys, passwords, certificates,
-and more. Vault provides a unified interface to any secret while providing
-tight access control and recording a detailed audit log.
-
-Secrets Management guides demonstrate features in Vault to securely store your
-secrets.
-
-- [Static Secrets](/guides/secret-mgmt/static-secrets.html) guide walks you
-through the steps to write secrets in Vault, and control who can access them.
-
-- [Versioned KV Secret Engine](/guides/secret-mgmt/versioned-kv.html) guide
-demonstrates the secret versioning capabilities provided by KV Secret Engine v2.
-
-- [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html)
- guide demonstrates the Vault feature to generate database credentials
- on-demand so that each application or system can obtain its own credentials,
- and its permissions can be tightly controlled.
-
-- [Database Root Credential Rotation](/guides/secret-mgmt/db-root-rotation.html)
-guide walks you through the steps to enable the rotation of the database root
-credentials for those managed by Vault.
-
-- [Cubbyhole Response Wrapping](/guides/secret-mgmt/cubbyhole.html) guide
-demonstrates a secure method to distribute secrets by wrapping them where only
-the expecting client can unwrap.
-
-- [One-Time SSH Password](/guides/secret-mgmt/ssh-otp.html) guide demonstrates
-the use of SSH secrets engine to generate a one-time password (OTP) every time a
-client wants to SSH into a remote host.
-
-- [Build Your Own Certificate Authority](/guides/secret-mgmt/pki-engine.html)
-guide walks you through the use of the PKI secrets engine to generate dynamic
-X.509 certificates.
-
-- [Direct Application Integration](/guides/secret-mgmt/app-integration.html)
-guide demonstrates the usage of _Consul Template_ and _Envconsul_ tool to
-retrieve secrets from Vault with no or minimum code change to your applications.
diff --git a/website/source/guides/secret-mgmt/pki-engine.html.md b/website/source/guides/secret-mgmt/pki-engine.html.md
deleted file mode 100644
index bdddf00e9f56..000000000000
--- a/website/source/guides/secret-mgmt/pki-engine.html.md
+++ /dev/null
@@ -1,708 +0,0 @@
----
-layout: "guides"
-page_title: "Build Your Own Certificate Authority - Guides"
-sidebar_title: "Build Your Own CA"
-sidebar_current: "guides-secret-mgmt-pki"
-description: |-
-  The PKI secrets engine generates dynamic X.509 certificates. With this secrets
-  engine, services can get certificates without going through the usual manual
-  process of generating a private key and CSR, submitting to a CA, and waiting
-  for a verification and signing process to complete. Vault's built-in
-  authentication and authorization mechanisms provide the verification
-  functionality.
----
-
-# Build Your Own Certificate Authority (CA)
-
-Vault's PKI secrets engine can dynamically generate X.509 certificates on
-demand. This allows services to acquire certificates without going through the
-usual manual process of generating a private key and Certificates Signing
-Request (CSR), submitting to a CA, and then wait for the verification and
-signing process to complete.
-
-
-## Reference Material
-
-- [PKI (Certificates) Secrets Engine](/docs/secrets/pki/index.html)
-- [PKI Secrets Engine (API)](/api/secret/pki/index.html)
-- [RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate
-Revocation List (CRL) Profile](https://tools.ietf.org/html/rfc5280)
-- [OpenSSL x509 Man Pages](https://www.openssl.org/docs/man1.1.0/apps/x509.html)
-
-
-## Estimated Time to Complete
-
-15 minutes
-
-
-## Personas
-
-The steps described in this guide are typically performed by **security
-engineer**.
-
-
-## Challenge
-
-Organizations should protect their website; however, the Traditional PKI process
-workflow takes a long time which motivates organizations to create certificates
-which do not expire for a year or more.
-
-
-## Solution
-
-Use Vault to create X509 certificates for usage in MTLS or other arbitrary PKI
-encryption.   While this can be used to create web server certificates.  If
-users do not import the CA chains, the browser will complain about self-signed
-certificates.
-
-Creating PKI certificates is generally a cumbersome process using traditional
-tools like `openssl` or even more advanced frameworks like CFSSL.   These tools
-also require a human component to verify certificate distribution meets
-organizational security policies.   
-
-Vault PKI secrets engine makes this a lot simpler.  The PKI secrets engine can
-be an Intermediate-Only certificate authority which potentially allows for
-higher levels of security.
-
-1. Store CA outside the Vault (air gapped)
-1. Create CSRs for the intermediates
-1. Sign CSR outside Vault and import intermediate
-1. Issue leaf certificates from the Intermediate CA
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault.
-
-Alternatively, you can use the [Vault
-Playground](https://www.katacoda.com/hashicorp/scenarios/vault-playground)
-environment.
-
-
-### <a name="policy"></a>Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Enable secrets engine
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# List enabled secrets engine
-path "sys/mounts" {
-  capabilities = [ "read", "list" ]
-}
-
-# Work with pki secrets engine
-path "pki*" {
-  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-In this guide, you are going to first generate a self-signed root certificate.
-Then you are going to generate an intermediate certificate which is signed by
-the root. Finally, you are going to generate a certificate for
-`test.example.com` domain.
-
-![Overview](/img/vault-pki-4.png)
-
-In this guide, you perform the following:
-
-1. [Generate Root CA](#step1)
-1. [Generate Intermediate CA](#step2)
-1. [Create a Role](#step3)
-1. [Request Certificates](#step4)
-1. [Revoke Certificates](#step5)
-1. [Remove Expired Certificates](#step6)
-
-
-
-### <a name="step1"></a>Step 1: Generate Root CA
-
-In this step, you are going to generate a self-signed root certificate using
-PKI secrets engine.
-
-#### CLI command
-
-1. First, enable the `pki` secrets engine at `pki` path:
-
-    ```plaintext
-    $ vault secrets enable pki
-    ```
-
-1. Tune the `pki` secrets engine to issue certificates with a maximum time-to-live (TTL) of 87600 hours.
-
-    ```plaintext
-    $ vault secrets tune -max-lease-ttl=87600h pki
-    ```
-
-1. Generate the ***root*** certificate and save the certificate in `CA_cert.crt`.
-
-    ```plaintext
-    $ vault write -field=certificate pki/root/generate/internal common_name="example.com" \
-            ttl=87600h > CA_cert.crt
-    ```
-
-    This generates a new self-signed CA certificate and private key. Vault will
-    _automatically_ revoke the generated root at the end of its lease period
-    (TTL); the CA certificate will sign its own Certificate Revocation List
-    (CRL).
-
-1. Configure the CA and CRL URLs:
-
-    ```plaintext
-    $ vault write pki/config/urls \
-            issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
-            crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
-    ```
-
-#### API call using cURL
-
-1. First, enable the `pki` secrets engine at `pki` path using `/sys/mounts` endpoint:
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: <TOKEN>" \
-           --request POST \
-           --data <PARAMETERS> \
-           <VAULT_ADDRESS>/v1/sys/mounts/<PATH>
-    ```
-
-    Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
-    parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
-
-    **Example:**
-
-    The following example mounts `pki` secret engine.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{"type":"pki"}' \
-           https://127.0.0.1:8200/v1/sys/mounts/pki
-    ```
-
-1. Tune the `pki` secrets engine to issue certificates with a maximum
-time-to-live (TTL) of 87600 hours.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{"max_lease_ttl":"87600h"}' \
-           https://127.0.0.1:8200/v1/sys/mounts/pki/tune
-    ```
-
-1. Generate the ***root*** certificate and extract the CA certificate and save
-it as `CA_cert.crt`.
-
-    > **NOTE:** The following command uses `jq` tool to parse the output JSON.
-    You can install [`jq`](https://stedolan.github.io/jq/download/) or manually
-    copy and paste the certificate in a file, `CA_cert.crt`.
-
-    ```plaintext
-    $ tee payload.json <<EOF
-    {
-      "common_name": "example.com",
-      "ttl": "87600h"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload.json \
-           https://127.0.0.1:8200/v1/pki/root/generate/internal \
-           | jq -r ".data.certificate" > CA_cert.crt
-    ```
-
-    This generates a new self-signed CA certificate and private key. Vault will
-    _automatically_ revoke the generated root at the end of its lease period
-    (TTL); the CA certificate will sign its own Certificate Revocation List
-    (CRL).
-
-1. Configure the CA and CRL URLs:
-
-    ```plaintext
-    $ tee payload-url.json <<EOF
-    {
-      "issuing_certificates": "http://127.0.0.1:8200/v1/pki/ca",
-      "crl_distribution_points": "http://127.0.0.1:8200/v1/pki/crl"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload-url.json \
-           https://127.0.0.1:8200/v1/pki/config/urls
-    ```
-
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
-then login.
-
-1. Select **Enable new engine**.
-1. Select **PKI** from the **Secrets engine type** drop-down list.
-1. Click **More options** to expand and set the **Maximum lease TTL** to **`87600 hours`**.
-1. Click **Enable Engine**.
-1. Select **Configure**.
-1. Click **Configure CA**.
-1. Leave **CA Type** as **root**, and **Type** to be **internal**.  Enter
-**`example.com`** in the **Common Name** field.
-1. Select **Options** and then set **TTL** field to be **87600 hours**.
-1. Click **Save**.
-1. Click **Copy Certificate** and save it in a file named, **`CA_cert.crt`**.
-1. Click the **URLs** tab, and then set:
-    - Issuing certificates: `http://127.0.0.1:8200/v1/pki/ca`
-    - CRL Distribution Points: `http://127.0.0.1:8200/v1/pki/crl`
-    ![Configure URL](/img/vault-pki-1.png)
-1. Click **Save**.
-
-<br>
-
--> **NOTE:** To examine the generated root certificate, you can use
-[OpenSSL](https://www.openssl.org/source/).
-
-  ```shell
-  # Print the certificate in text form
-  $ openssl x509 -in CA_cert.crt -text
-
-  # Print the validity dates
-  $ openssl x509 -in CA_cert.crt -noout -dates
-  ```
-
-
-### <a name="step2"></a>Step 2: Generate Intermediate CA
-
-Now, you are going to create an intermediate CA using the root CA you regenerate
-in the previous step.
-
-#### CLI Command
-
-1. First, enable the `pki` secrets engine at **`pki_int`** path:
-
-    ```plaintext
-    $ vault secrets enable -path=pki_int pki
-    ```
-
-1. Tune the `pki_int` secrets engine to issue certificates with a maximum
-time-to-live (TTL) of 43800 hours.
-
-    ```plaintext
-    $ vault secrets tune -max-lease-ttl=43800h pki_int
-    ```
-
-1. Execute the following command to generate an intermediate and save the CSR as
-`pki_intermediate.csr`:
-
-    ```plaintext
-    $ vault write -format=json pki_int/intermediate/generate/internal \
-            common_name="example.com Intermediate Authority" ttl="43800h" \
-            | jq -r '.data.csr' > pki_intermediate.csr
-    ```
-
-1. Sign the intermediate certificate with the root certificate and save the
-generated certificate as `intermediate.cert.pem`:
-
-    ```plaintext
-    $ vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
-            format=pem_bundle ttl="43800h" \
-            | jq -r '.data.certificate' > intermediate.cert.pem
-    ```
-
-1. Once the CSR is signed and the root CA returns a certificate, it can be
-  imported back into Vault:
-
-    ```plaintext
-    $ vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
-    ```
-
-
-#### API call using cURL
-
-
-1. First, enable the `pki` secrets engine at **`pki_int`** path:
-
-    **Example:**
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{"type":"pki"}' \
-           https://127.0.0.1:8200/v1/sys/mounts/pki_int
-    ```
-
-1. Tune the `pki_int` secrets engine to issue certificates with a maximum
-time-to-live (TTL) of 43800 hours.
-
-    ```plaintext
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data '{"max_lease_ttl":"43800h"}' \
-           https://127.0.0.1:8200/v1/sys/mounts/pki_int/tune
-    ```
-
-1. Generate an intermediate using the `/pki_int/intermediate/generate/internal`
-endpoint.
-
-    ```plaintext
-    $ tee payload-int.json <<EOF
-    {
-      "common_name": "example.com Intermediate Authority",
-      "ttl": "43800h"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload-int.json \
-           https://127.0.0.1:8200/v1/pki_int/intermediate/generate/internal | jq
-    ```
-
-    Copy the generated CSR.
-
-1. Sign the intermediate certificate with the root certificate and save the
-certificate as `intermediate.cert.pem`.  
-
-    -> **NOTE:** The API request payload should contain the CSR you obtained.
-
-    ```plaintext
-    $ tee payload-int-cert.json <<EOF
-    {
-      "csr": "...",
-      "format": "pem_bundle",
-      "ttl": "43800h"
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload-int-cert.json \
-           https://127.0.0.1:8200/v1/pki/root/sign-intermediate | jq
-    ```
-
-    > **NOTE:** The **`format`** in the payload specifies the format of the
-    returned data.  When `pem_bundle`, the certificate field will contain the
-    certificate.
-
-    Copy the generated certificate.
-
-1. Once the CSR is signed and the root CA returns a certificate, it can be
-imported back into Vault using the `/pki_int/intermediate/set-signed` endpoint.
-
-    -> **NOTE:** The API request payload should contain the certificate you
-    obtained.
-
-    ```plaintext
-    $ tee payload-signed.json <<EOF
-    {
-      "certificate": "..."
-    }
-    EOF
-
-    $ curl --header "X-Vault-Token: ..." \
-           --request POST \
-           --data @payload-signed.json \
-           https://127.0.0.1:8200/v1/pki_int/intermediate/set-signed
-    ```
-
-
-#### Web UI
-
-1. Select **Enable new engine** in the **Secrets** tab.
-1. Select **PKI** from the **Secrets engine type** drop-down list.
-1. Enter **`pki_int`** in the **Path** field.
-1. Click **More options** to expand and set the **Maximum lease TTL** to **`43800
-hours`**.
-1. Click **Enable Engine**.
-1. Select **Configure**.
-1. Click **Configure CA**.
-1. Select **intermediate** from **CA Type** drop-down list.  
-1. Enter **`example.com Intermediate Authority`** in the **Common Name** field.
-1. Enter **`43800`** in the **TTL** field, choose **`hours`** and then click **Save**.
-1. Click **Copy CSR** and save it in a file, `pki_intermediate.csr`.
-1. Select **pki** from the **Secrets** tab to return to the root CA.
-1. Select **Configure** and then click **Sign intermediate**.
-1. Paste in the CSR in the **Certificate Signing Request (CSR)** field.
-1. Enter **`example.com`** in the **Common Name**.
-1. Select **pem_bundle** from the **Format** drop-down list, and then click
-**Save**.
-1. Click **Copy Certificate** and save the generated certificate in a file, `intermediate.cert.pem`.
-1. Select **pki_int** from the **Secrets** tab to return to the intermediate CA.
-1. Select **Configure** and then click **Set signed intermediate**.
-1. Paste in the certificate in the **Signed Intermediate Certificate** field and
-then click **Save**.
-
-
-
-### <a name="step3"></a>Step 3: Create a Role
-
-A role is a logical name that maps to a policy used to generate those
-credentials. It allows [configuration
-parameters](/api/secret/pki/index.html#create-update-role) to control
-certificate common names, alternate names, the key usages that they are valid
-for, and more.
-
-Calling out some of the parameters:
-
-- **`allowed_domains`** - specifies the domains of the role (used with
-  `allow_bare_domains` and `allow-subdomains` options)
-- **`allow_bare_domains`** - specifies if clients can request certificates
-matching the value of the actual domains themselves
-- **`allow_subdomains`** - specifies if clients can request certificates with
-CNs that are subdomains of the CNs allowed by the other role options (NOTE: This
-  includes wildcard subdomains.)
-- **`allow_glob_domains`** - allows names specified in allowed_domains to
-contain glob patterns (e.g. ftp*.example.com)
-
-In this step, you are going to create a role named, **`example-dot-com`**.
-
-#### CLI Command
-
-Create a role named **`example-dot-com`** which allows subdomains.
-
-```plaintext
-$ vault write pki_int/roles/example-dot-com \
-        allowed_domains="example.com" \
-        allow_subdomains=true \
-        max_ttl="720h"
-```
-
-#### API call using cURL
-
-Create a role named **`example-dot-com`** which allows subdomains.
-
-```plaintext
-$ tee payload-role.json <<EOF
-{
-  "allowed_domains": "example.com",
-  "allow_subdomains": true,
-  "max_ttl": "720h"
-}
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload-role.json \
-       https://127.0.0.1:8200/v1/pki_int/roles/example-dot-com
-```
-
-#### Web UI
-
-Create a role named **`example-dot-com`** which allows subdomains.
-
-1. Click **pki_int** and then select **Create role**.
-1. Enter **`example-dot-com`** in the **Role name** field.
-1. Select **Options** to expand, and then set the **Max TTL** to **`43800
-hours`**.   Select **Hide Options**.
-1. Select **Domain Handling** to expand, and then select the **Allow
-subdomains** check-box. Enter **`example.com`** in the **Allowed domains**
-field.
-    ![Create Role](/img/vault-pki-2.png)
-1. Click **Create role**.
-
-
-### <a name="step4"></a>Step 4: Request Certificates
-
-Keep certificate lifetimes to be short to align with Vault's philosophy of
-short-lived secrets.
-
-#### CLI Command
-
-Execute the following command to request a new certificate for `test.example.com`
-domain based on the `example-dot-com` role:
-
-```plaintext
-$ vault write pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"
-
-Key                 Value
----                 -----
-certificate         -----BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIUTQABMCAsXjG6ExFTX8201xKVH4IwDQYJKoZIhvcNAQEL
-BQAwGjEYMBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tMB4XDTE4MDcyNDIxMTMxOVoX
-             ...
-
------END CERTIFICATE-----
-issuing_ca          -----BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIUbMYp39mdj7dKX033ZjK18rx05x8wDQYJKoZIhvcNAQEL
-             ...
-
------END CERTIFICATE-----
-private_key         -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAte1fqy2Ekj+EFqKV6N5QJlBgMo/U4IIxwLZI6a87yAC/rDhm
-W58liadXrwjzRgWeqVOoCRr/B5JnRLbyIKBVp6MMFwZVkynEPzDmy0ynuomSfJkM
-             ...
-
------END RSA PRIVATE KEY-----
-private_key_type    rsa
-serial_number       4d:00:01:30:20:2c:5e:31:ba:13:11:53:5f:cd:b4:d7:12:95:1f:82
-```
-
-The response contains the PEM-encoded private key, key type and certificate
-serial number.
-
-
-
-#### API call using cURL
-
-Invoke the **`/pki_int/issue/<role_name>`** endpoint to request a new certificate.
-
-**Example:**
-
-Request a certificate for `test.example.com` domain based on the
-`example-dot-com` role:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"common_name": "test.example.com", "ttl": "24h"}' \
-       https://127.0.0.1:8200/v1/pki_int/issue/example-dot-com | jq
-{
- "request_id": "6fa8d77d-0758-33ae-b5ea-8b3d15014fd1",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
-   "certificate": "-----BEGIN CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUG7H0Pzpqm+...-----END CERTIFICATE-----",
-   "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDNTCCAh2gAwIBAgIUQhIX9D...-----END CERTIFICATE-----",
-   "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAr6IsROOW5...-----END RSA PRIVATE KEY-----",
-   "private_key_type": "rsa",
-   "serial_number": "1b:b1:f4:3f:3a:6a:9b:e8:33:af:f7:1b:b1:4d:57:7f:65:65:39:c1"
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-The response contains the PEM-encoded private key, key type and certificate
-serial number.
-
-
-#### Web UI
-
-1. Select **Secrets**.
-1. Select **pki_int** from the **Secrets Engines** list.
-1. Select **example-dot-com** under **Roles**.
-1. Enter **`test.example.com`** in the **Common Name** field.
-1. Select **Options** to expand, and then set the **TTL** to **`24 hours`**.  
-1. Select **Hide Options** and then click **Generate**.
-    ![Issue Certificate](/img/vault-pki-3.png)
-
-    > The response contains the PEM-encoded private key, key type and certificate
-    serial number.
-
-1. Click **Copy credentials** and save it in a file.
-
-<br>
-
--> **NOTE:** A certificate can be rotated at any time by simply issuing a new
-certificate with the same CN.
-
-
-### <a name="step5"></a>Step 5: Revoke Certificates
-
-If a certificate must be revoked, you can easily perform the revocation action
-which will cause the CRL to be regenerated. When the CRL is regenerated, any
-expired certificates are removed from the CRL.
-
-
-#### CLI Command
-
-In a certain circumstances, you may wish to revoke an issued certificate.
-
-To revoke:
-
-```plaintext
-$ vault write pki_int/revoke serial_number=<serial_number>
-```
-
-**Example:**
-
-```plaintext
-$ vault write pki_int/revoke serial_number="48:97:82:dd:f0:d3:d9:7e:53:25:ba:fd:f6:77:3e:89:e5:65:cc:e7"
-Key                        Value
----                        -----
-revocation_time            1532539632
-revocation_time_rfc3339    2018-07-25T17:27:12.165206399Z
-```
-
-
-#### API call using cURL
-
-Invoke the **`/pki_int/revoke`** endpoint to invoke a certificate using its
-serial number.
-
-**Example:**
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"serial_number": "48:97:82:dd:f0:d3:d9:7e:53:25:ba:fd:f6:77:3e:89:e5:65:cc:e7"}' \
-       https://127.0.0.1:8200/v1/pki_int/revoke
-```
-
-#### Web UI
-
-1. Select **Secrets**.
-1. Select **pki_int** from the **Secrets Engines** list.
-1. Select the **eCertificates** tab.
-1. Select the serial number for the certificate you wish to revoke.
-1. Click **Revoke**.  At the confirmation, click **Revoke** again.
-
-
-### <a name="step6"></a>Step 6: Remove Expired Certificates
-
-Keep the storage backend and CRL by periodically removing certificates that have
-expired and are past a certain buffer period beyond their expiration time.
-
-#### CLI Command
-
-To remove revoked certificate and clean the CRL.
-
-```plaintext
-$ vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
-```
-
-#### API call using cURL
-
-Invoke the **`/pki_int/tidy`** endpoint to remove revoked certificate and clean
-the CRL.
-
-**Example:**
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"tidy_cert_store": true, "tidy_revoked_certs": true}' \
-       https://127.0.0.1:8200/v1/pki_int/tidy
-```
-
-#### Web UI
-
-1. Select **Secrets**.
-1. Select **pki_int** from the **Secrets Engines** list.
-1. Select **Configure**.
-1. Select the **Tidy** tab.
-1. Select the check-box for **Tidy the Certificate Store** and **Tidy the Revocation List (CRL)**.
-1. Click **Save**.
-
-
-## Next steps
-
-Check out the [Streamline Certificate Management with HashiCorp
-Vault](https://www.hashicorp.com/resources/streamline-certificate-management-with-vault)
-webinar recording.
diff --git a/website/source/guides/secret-mgmt/ssh-otp.html.md b/website/source/guides/secret-mgmt/ssh-otp.html.md
deleted file mode 100644
index 12bfb279d916..000000000000
--- a/website/source/guides/secret-mgmt/ssh-otp.html.md
+++ /dev/null
@@ -1,438 +0,0 @@
----
-layout: "guides"
-page_title: "One-Time SSH Password - Guides"
-sidebar_title: "One-Time SSH Password"
-sidebar_current: "guides-secret-mgmt-ssh-otp"
-description: |-
-  The one-time SSH password secrets engine allows Vault to issue a one-time
-  password (OTP) every time a client wants to SSH into a remote host using a
-  helper command on the remote host to perform verification.
----
-
-# Vault SSH Secrets Engine: One-Time SSH Password
-
-In a distributed cloud environment, tenant and system is increasingly
-important part of the online security. If an attacker gains access to your
-virtual machines, they can get control of most running applications, local data
-as well as its connected machines and systems.  
-
-The Vault SSH secrets engine provides secure authentication and authorization
-for access to machines via the SSH protocol. It supports [signed SSH
-certificate](/docs/secrets/ssh/signed-ssh-certificates.html) and one-time SSH
-password modes. This guide demonstrates the one-time SSH password mode.
-
-
-## Reference Material
-
-- [One-Time SSH Passwords](/docs/secrets/ssh/one-time-ssh-passwords.html)
-- [SSH Secrets Engine (API)](/api/secret/ssh/index.html)
-- [Vault SSH Helper](https://github.com/hashicorp/vault-ssh-helper)
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Personas
-
-The end-to-end scenario described in this guide involves two personas:
-
-- **`operations`** with privileged permissions to setup SSH secrets engine
-- **`client`** trusted entity to request SSH OTP from Vault
-
-## Challenge
-
-By default, SSH servers use password authentication with optional public key
-authentication. If any user on the system has a fairly weak password, this
-allows an attacker to hijack the SSH connection.
-
-
-## Solution
-
-Vault can create a one-time password (OTP) for SSH authentication on a network
-every time a client wants to SSH into a remote host using a helper command on
-the remote host to perform verification.
-
-![SSH OTP Workflow](/img/vault-ssh-otp-1.png)
-
-An authenticated client requests an OTP from the Vault server. If the client is
-authorized, Vault issues and returns an OTP. The client uses this OTP during the
-SSH authentication to connect to the desired target host.
-
-When the client establishes an SSH connection, the OTP is received by the
-***Vault helper*** which validates the OTP with the Vault server. The Vault
-server then deletes this OTP, ensuring that it is **only used once**.
-
-~> Since the Vault server is contacted during SSH connection establishment, every
-login attempt and the correlating Vault lease information is logged to the audit
-secrets engine.
-
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault.
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for
-initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# To view in Web UI
-path "sys/mounts" {
-  capabilities = [ "read", "update" ]
-}
-
-# To configure the SSH secrets engine
-path "ssh/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# To enable secret engines
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-You will perform the following:
-
-1. [Install vault-ssh-helper](#step1)
-1. [Setup the SSH Secrets Engine](#step2)
-1. [Request an OTP](#step3)
-1. [Establish an SSH session](#step4)
-
-
-### <a name="step1"></a>Step 1: Install vault-ssh-helper
-(**Persona:** operations)
-
-The SSH secrets engine uses [Vault SSH
-Helper](https://github.com/hashicorp/vault-ssh-helper) to verify the OTP used
-during the SSH authentication. Therefore, the helper agent must be installed
-onto every ***target host***.  
-
-1. Download and install the latest version of `vault-ssh-helper` from
-[releases.hashicorp.com](https://releases.hashicorp.com/vault-ssh-helper).
-
-    **Example:**
-
-    ```shell
-    # Download the vault-ssh-helper
-    $ wget https://releases.hashicorp.com/vault-ssh-helper/0.1.4/vault-ssh-helper_0.1.4_linux_amd64.zip
-
-    # Unzip the vault-ssh-helper in /user/local/bin
-    $ sudo unzip -q vault-ssh-helper_0.1.4_linux_amd64.zip -d /usr/local/bin
-
-    # Make sure that vault-ssh-helper is executable
-    $ sudo chmod 0755 /usr/local/bin/vault-ssh-helper
-
-    # Set the usr and group of vault-ssh-helper to root
-    $ sudo chown root:root /usr/local/bin/vault-ssh-helper
-    ```
-
-1. Create a Vault SSH Helper configuration file,
-**`/etc/vault-ssh-helper.d/config.hcl`**.
-
-    ```hcl
-    vault_addr = "<VAULT_ADDRESS>"
-    ssh_mount_point = "ssh"
-    ca_cert = "/etc/vault-ssh-helper.d/vault.crt"
-    tls_skip_verify = false
-    allowed_roles = "*"
-    ```
-
-    Where the **`<VAULT_ADDRESS>`** is the address of the Vault server generating the OTP.
-
-    **Example:**
-
-    ```hcl
-    vault_addr = "https://198.51.100.10:8200"
-    ssh_mount_point = "ssh"
-    ca_cert = "/etc/vault-ssh-helper.d/vault.crt"
-    tls_skip_verify = false
-    allowed_roles = "*"
-    ```
-
-    > Refer to the [documentation](https://github.com/hashicorp/vault-ssh-helper#vault-ssh-helper-configuration)
-    for the entire list of configuration properties.
-
-
-1. Modify the **`/etc/pam.d/sshd`** file as follows:
-
-    ```shell
-    # PAM configuration for the Secure Shell service
-
-    # Standard Un*x authentication.
-    #@include common-auth
-    auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
-    auth optional pam_unix.so not_set_pass use_first_pass nodelay
-
-    ...
-    ```
-
-    **NOTE:** `common-auth` is the standard Linux authentication module which is
-    commented out in favor of using our custom configuration.
-
-    > Refer to the
-    [documentation](https://github.com/hashicorp/vault-ssh-helper#pam-configuration)
-    for details about these parameter settings.
-
-
-1. Modify the **`/etc/ssh/sshd_config`** file.
-
-    ```plaintext
-    ChallengeResponseAuthentication yes
-    PasswordAuthentication no
-    UsePAM yes
-    ```
-
-    This enables the keyboard-interactive authentication and PAM authentication
-    modules. The password authentication is disabled.
-
-1. Restart the SSH service:
-
-    ```plaintext
-    $ sudo systemctl restart sshd
-    ```
-
-~> This step must be performed on **all** target hosts that you wish to connect
-using the Vault's one-time SSH password.
-
-
-
-### <a name="step2"></a>Step 2: Setup the SSH Secrets Engine
-(**Persona:** operations)
-
-On the ***Vault server***, you must enable the SSH secrets engine before you can
-perform the operation. Then you are going to create a role named,
-`otp_key_role`.
-
-#### CLI command
-
-First, enable the SSH secrets engine.
-
-```plaintext
-$ vault secrets enable ssh
-```
-
-Next, create a role.
-
-```plaintext
-$ vault write ssh/roles/otp_key_role key_type=otp \
-        default_user=ubuntu \
-        cidr_list=0.0.0.0/0
-```
-
-This creates `otp_key_role` with `ubuntu` as its default username for which a
-credential will be generated.
-
-#### API call using cURL
-
-Enable `ssh` secret engine using `/sys/mounts` endpoint:
-
-```plaintext
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data <PARAMETERS> \
-       <VAULT_ADDRESS>/v1/sys/mounts/<PATH>
-```
-
-Where `<TOKEN>` is your valid token, and `<PARAMETERS>` holds [configuration
-parameters](/api/system/mounts.html#enable-secrets-engine) of the secret engine.
-
-**Example:**
-
-The following example enables SSH secret engine at `sys/mounts/ssh`
-path, and passed the secret engine type (`ssh`) in the request payload.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type":"ssh"}' \
-       https://127.0.0.1:8200/v1/sys/mounts/ssh
-```
-
-Now, create a role using the `ssh/roles/otp_key_role` endpoint.
-
-```plaintext
-$ tee payload.json <<EOF
-{
-  "key_type": "otp",
-  "default_user": "ubuntu",
-  "cidr_list": "0.0.0.0/0"
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json
-       https://127.0.0.1:8200/v1/ssh/roles/otp_key_role   
-```
-
-This creates `otp_key_role` with `ubuntu` as its default username for which a
-credential will be generated.
-
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g. `http://127.0.0.1:8200/ui`) and
-then login.
-
-1. Select **Enable new engine** and select **SSH** from **Secrets engine type**
-drop-down list.
-
-1. Click **Enable Engine**.
-
-1. Select **Create role**.
-
-1. Enter **`otp_key_role`** in the **Role name** field, select **otp** from the
-**Key type** drop-down list, and then enter **`ubuntu`** in the **Default user**
-field.
-
-1. Select **More options** to expand the optional parameter fields, and then
-enter **`0.0.0.0/0`** in the **CIDR list** field.
-
-![Create Role](/img/vault-ssh-otp-2.png)
-
-1. Click **Create role**.
-
-<br>
-
-~> **NOTE:** Its recommended to create individual roles for each username to
-ensure absolute isolation between usernames. This is required for Dynamic Key
-type and OTP type. For the purpose of this guide, the **`cidr_list`** will be
-set to `0.0.0.0/0`. For production, be sure to set this parameter to be as
-granular as you can since there is no need to keep this role open to the world.
-
-
-### <a name="step3"></a>Step 3: Request an OTP
-(**Persona:** client)
-
-The client must have the following permission to request an OTP for
-`otp_key_role`.
-
-```hcl
-path "ssh/creds/otp_key_role" {
-  capabilities = [ "update" ]
-}
-```
-
-#### CLI command
-
-To generate an OTP credential for an IP of the remote host belongs to the
-`otp_key_role`:
-
-```plaintext
-$ vault write ssh/creds/otp_key_role ip=<REMOTE_HOST_IP>
-```
-
-**Example:**
-
-```plaintext
-$ vault write ssh/creds/otp_key_role ip=192.0.2.10
-Key                Value
----                -----
-lease_id           ssh/creds/otp_key_role/234bb081-d22e-3762-3ae5-744110ea4d0a
-lease_duration     768h
-lease_renewable    false
-ip                 192.0.2.10
-key                f1cb47ad-6255-0be8-6bd8-5c4b3b01c8df
-key_type           otp
-port               22
-username           ubuntu
-```
-
-The **`key`** value is the OTP to use during SSH authentication.
-
-
-#### API call using cURL
-
-To generate an OTP credential for an IP of the remote host belongs to the
-`otp_key_role`:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"ip": "<REMOTE_HOST_IP>"}'
-       https://127.0.0.1:8200/v1/ssh/creds/otp_key_role   
-```
-
-**Example:**
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"ip": "192.0.2.10"}'
-       https://127.0.0.1:8200/v1/ssh/creds/otp_key_role  | jq
-{
-   "request_id": "83327e6b-cffb-ce77-c4e1-74a60dd69436",
-   "lease_id": "ssh/creds/otp_key_role/aebd080e-51a1-0fc6-ef5c-1e1c95ca729a",
-   "renewable": false,
-   "lease_duration": 2764800,
-   "data": {
-     "ip": "192.0.20.10",
-     "key": "6e472878-721a-b066-2cec-1bed0127ad44",
-     "key_type": "otp",
-     "port": 22,
-     "username": "ubuntu"
-   },
-   ...
-}
-```
-
-The **`key`** value is the OTP to use during SSH authentication.
-
-
-#### Web UI
-
-To generate an OTP credential for an IP of the remote host belongs to the
-`otp_key_role`:
-
-1. Select **`ssh`** under **Secrets Engines**.
-
-1. Select **otp_key_role** and enter **`ubuntu`** in the **Username** field, and
-enter the target host's IP address (e.g. `192.0.2.10`) in the **IP Address**
-field.
-
-1. Click **Generate**.
-
-1. Click **Copy credentials**.  This copies the OTP (`key` value).
-
-
-### <a name="step4"></a>Step 4: Establish an SSH session
-
-Simply, use the OTP generated at [Step 3](#step3) to authenticate:
-
-```plaintext
-$ ssh ubuntu@192.0.2.10
-Password: <Enter OTP>
-```
-
-<br>
-**NOTE:** If [`sshpass`](https://gist.github.com/arunoda/7790979) is installed,
-you can create a new OTP and SSH into the target host with single line of CLI
-command:
-
-```plaintext
-$ vault ssh -role otp_key_role -mode otp -strict-host-key-checking=no ubuntu@192.0.2.10
-```
-
-
-## Next steps
-
-Read the [Signed SSH
-Certificates](/docs/secrets/ssh/signed-ssh-certificates.html) documentation if
-you want to use signed SSH certificate so that the clients can use their local
-SSH keys to connect to the target hosts.
diff --git a/website/source/guides/secret-mgmt/static-secrets.html.md b/website/source/guides/secret-mgmt/static-secrets.html.md
deleted file mode 100644
index 6aa9bd0a6147..000000000000
--- a/website/source/guides/secret-mgmt/static-secrets.html.md
+++ /dev/null
@@ -1,650 +0,0 @@
----
-layout: "guides"
-page_title: "Static Secrets - Guides"
-sidebar_title: "Static Secrets"
-sidebar_current: "guides-secret-mgmt-static-secrets"
-description: |-
-  Vault supports generating new unseal keys as well as rotating the underlying
-  encryption keys. This guide covers rekeying and rotating Vault's encryption
-  keys.
----
-
-# Static Secrets - Key/Value Secret Engine
-
-Vault can be used to store any secret in a secure manner.  The secrets may be
-SSL certificates and keys for your organization's domain, credentials to connect
-to a corporate database server, etc. Storing such sensitive information in
-plaintext is not desirable. This guide demonstrates the use case of Vault as a
-Secret Storage.
-
-
-## Reference Material
-
-- [Key/Value Secret Engine](/docs/secrets/kv/index.html)
-- [Key/Value Secret Engine API](/api/secret/kv/index.html)
-- [Client libraries](/api/libraries.html) for Vault API for commonly used languages
-
-## Estimated Time to Complete
-
-10 minutes
-
-## Personas
-
-The end-to-end scenario described in this guide involves two personas:
-
-- **`devops`** with privileged permissions to write secrets
-- **`apps`** reads the secrets from Vault
-
-## Challenge
-
-Consider the following situations:
-
-- Developers use a single admin account to access a third-party app
-  (e.g. Splunk) and anyone who knows the user ID and password can log in as an
-  admin
-- SSH keys to connect to remote machines are shared and stored as a plaintext
-- API keys to invoke external system APIs are stored as a plaintext
-- An app integrates with LDAP, and its configuration information is in a
-  plaintext
-
-Organizations often seek an uniform workflow to securely store this sensitive
-information.
-
-## Solution
-
-Vault as centralized secret storage to secure any sensitive information. Vault
-encrypts these secrets using 256-bit AES in GCM mode with a randomly generated
-nonce prior to writing them to its persistent storage. The storage backend never
-sees the unencrypted value, so gaining access to the raw storage isn't enough to
-access your secrets.
-
-~> **NOTE:** This guide demonstrates secret management using [v2 of the KV
-secret engine](/docs/secrets/kv/kv-v2.html).
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for just
-enough initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# Write and manage secrets in key/value secret engine
-path "secret/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Create policies to permit apps to read secrets
-path "sys/policy/*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# Create tokens for verification & test
-path "auth/token/create" {
-  capabilities = [ "create", "update", "sudo" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-This guide demonstrates the basic steps to store secrets using Vault.  The
-scenario here is to store the following secrets:
-
-- API key (Google API)
-- Root certificate of a production database (MySQL)
-
-To store your API key within the configured physical storage for Vault, use the
-**key/value** secret engine via **`secret/`** prefixed path.
-
--> Key/Value secret engine passes through any operation back to the configured
-storage backend for Vault. For example, if your Vault server is configured with
-Consul as its storage backend, a "read" operation turns into a read from Consul
-at the same path.
-
-
-You will perform the following:
-
-1. [Enable KV Secret Engine v2](#step1)
-1. [Store the Google API key](#step2)
-1. [Store the root certificate for MySQL](#step3)
-1. [Generate a token for apps](#step4)
-1. [Retrieve the secrets](#step5)
-
-![Personas Introduction](/img/vault-static-secrets.png)
-
-Step 1 through 4 are performed by `devops` persona.  Step 5 describes the
-commands that `apps` persona runs to read secrets from Vault.
-
-### <a name="step1"></a>Step 1: Enable KV Secret Engine v2
-(**Persona:** devops)
-
-Currently, when you start the Vault server in [**dev
-mode**](/intro/getting-started/dev-server.html#starting-the-dev-server), it
-automatically enables **v2** of the KV secret engine at **`secret/`**. If you
-start the Vault server in non-dev mode, the default is v1.
-
-If you are running the server in **dev** mode, skip to [Step 2](#step2).
-Otherwise, you must perform one of the following:
-
-- Option 1: Upgrade the v1 of KV secret engine to v2
-- Option 2: Enable the KV secret engine v2 at a different path
-
-
-#### CLI command
-
-Option 1: To upgrade from **v1** to **v2**:
-
-```plaintext
-$ vault kv enable-versioning secret/
-```
-<br>
-Option 2: To enable the KV secret engine v2 at **`secret_v2/`**:
-
-```plaintext
-$ vault secrets enable -path=secret_v2/ kv-v2
-```
-
-Or
-
-```plaintext
-$ vault secrets enable -path=secret_v2/ -version=2 kv
-```
-
-
-#### API call using cURL
-
-Option 1: To upgrade from **v1** to **v2**:
-
-```plaintext
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data @payload.json \
-       <VAULT_ADDRESS>/v1/sys/mounts/secret/tune
-```
-
-Where `<TOKEN>` is your valid token, and `<VAULT_ADDRESS>` is where your vault
-server is running. The `payload.json` includes the version information.
-
-
-**Example:**
-
-```plaintext
-$ cat payload.json
-{
-  "options": {
-      "version": "2"
-  }
-}
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/sys/mounts/secret/tune
-```
-
-<br>
-Option 2: To enable the KV secret engine v2 at **`secret_v2/`**:
-
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{"type":"kv-v2"}' \
-       https://127.0.0.1:8200/v1/sys/mounts/secret_v2
-```
-
-
-<br>
-
-~> **NOTE:** This guide assumes that you are working with KV secret engine
-**v2** which is mounted at **`secret/`**.
-
-
-### <a name="step2"></a>Step 2: Store the Google API key
-(**Persona:** devops)
-
-Everything after the **`secret/`** path is a key-value pair to write to the
-secret engine. You can specify multiple values. If the value has a space, you
-need to surround it with quotes. Having keys with spaces is permitted, but
-strongly discouraged because it can lead to unexpected client-side behavior.
-
-Let's assume that the path convention in your organization is
-**`secret/<OWNER>/apikey/<APP>`** for API keys. To store the Google API key used
-by the engineering team, the path would be `secret/eng/apikey/Google`. If you
-have an API key for New Relic owned by the DevOps team, the path would look like
-`secret/devops/apikey/New_Relic`.
-
-#### CLI command
-
-To create key/value secrets:
-
-```plaintext
-$ vault kv put secret/<PATH> <KEY>=VALUE>
-```
-
-The `<PATH>` can be anything you want it to be, and your organization should
-decide on the naming convention that makes most sense.
-
-**Example:**
-
-```plaintext
-$ vault kv put secret/eng/apikey/Google key=AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI
-Success! Data written to: secret/eng/apikey/Google
-```
-
-The secret key is "key" and its value is "AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI" in
-this example.
-
-#### API call using cURL
-
-Use `/secret/data/<PATH>` endpoint to create secrets:
-
-```plaintext
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       --request POST \
-       --data @payload.json \
-       <VAULT_ADDRESS>/v1/secret/data/<PATH>
-```
-
-Where `<TOKEN>` is your valid token, and `secret/data/<PATH>` is the path to
-your secrets. The [`payload.json`](/api/secret/kv/kv-v2.html#parameters-2)
-contains the parameters to invoke the endpoint.
-
-**Example:**
-
-```plaintext
-$ tee payload.json <<EOF
-{
-  "data": {
-    "key": "AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI"
-  }
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..." --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/secret/data/eng/apikey/Google
-```
-
-The secret key is "key" and its value is
-"AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI" in this example.
-
-
-### <a name="step3"></a>Step 3: Store the root certificate for MySQL
-(**Persona:** devops)
-
-For the purpose of this guide, generate a new self-sign certificate using
-[OpenSSL](https://www.openssl.org/source/).
-
-```plaintext
-$ openssl req --request509 -sha256 -nodes -newkey rsa:2048 -keyout selfsigned.key -out cert.pem
-```
-
-Generated `cert.pem` file:
-
-```plaintext
------BEGIN CERTIFICATE-----
-MIIDSjCCAjICCQC47CQCg4u0kDANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJV
-UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFDASBgNVBAMM
-C2V4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkBFg5tZUBleGFtcGxlLmNvbTAeFw0x
-ODAxMTcwMTMzNThaFw0xODAyMTYwMTMzNThaMGcxCzAJBgNVBAYTAlVTMQswCQYD
-VQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEUMBIGA1UEAwwLZXhhbXBs
-ZS5jb20xHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1cPTXpnOeUXU4tgblNLSS2rcA7eIqzc6gnMY
-Sh76WxOaN8VncyJw89/28QYOSYeWRn4fYywbPhHpFmrY6+1gW/8y0+Yoj7TL2Mvs
-5m1ZH9eOS6kcnnX/lr+HCfJpTHokKk/Vxr0/p6agkdZq0OYMPAmiuw1M4afd5abm
-8s5R99b4DgQyNvRYJp+JMddz2cM8t2AKQH4rq2NEf/GBHqHpHKmaxTyX5Rh7zg/g
-WJQ/DjxUVLpbRy+soiUJTZzamrO0iu9fcww+1Q4TZsMWizA4ChQFI7uegKkZ2Alv
-SNItsv01FQH3IB7pNWuna3IXXY789R0Qp0Ha5ScryVc9syg4cQIDAQABMA0GCSqG
-SIb3DQEBCwUAA4IBAQBtUcuwL0rS/uhk4v53ALF+ryRoLF93wT+O9KOvK15Pi1dX
-oZ9yxu5GOGi59womsrDs1vNrBuIQNVQ69dbUYu1LkhgQGDUWQb8JpCp++WHWTIeP
-YTJ5C/Q1B3rXeQrVWPvO0bMCig+/G5DGtzZmKWMQGHhfOvSwrkA58YAwjC+rqexl
-skA+hQ2JiU4bzIxvlPLBOUA/p+TgUKtdzPY3lxyDO2p7+8ZD56B0PoW87zNJYRcu
-VdSr7er8UkUr5nVjcw/6MJeptmx6QaiHgTUSFf2HjFfzsBa/IY1VGr/8bOII+IFN
-iYQTLBNG0/q/PZGeMX/RHxmCzZz/7wE0CDPMLbyf
------END CERTIFICATE-----
-```
-
-**NOTE:** If you don't have OpenSSL, simply copy the above certificate and
-save it as `cert.pem`.
-
-
-#### CLI command
-
-The command is basically the same as the Google API key example. Now, the path
-convention for certificates is **`secret/<ENVIRONMENT>/cert/<SYSTEM>`**. To
-store the root certificate for production MySQL, the path becomes
-`secret/prod/cert/mysql`.
-
-**Example:**
-
-```plaintext
-$ vault kv put secret/prod/cert/mysql cert=@cert.pem
-```
-
-This example reads the root certificate from a PEM file from the disk, and store
-it under `secret/prod/cert/mysql` path.
-> **NOTE:** Any value begins with "@" is loaded from a file.
-
-
-#### API call using cURL
-
-To perform the same task using the Vault API, pass the token in the request header.
-
-**Example:**
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @cert.pem \
-       http://127.0.0.1:8200/v1/secret/data/prod/cert/mysql
-```
-> **NOTE:** Any value begins with "@" is loaded from a file.
-
-
-### <a name="step4"></a>Step 4: Generate a token for apps
-(**Persona:** devops)
-
-To read the secrets, `apps` persona needs "read" permit on those secret engine
-paths. In this scenario, the `apps` policy must include the following:
-
-**Example:** `apps-policy.hcl`
-
-```shell
-# Read-only permit
-path "secret/data/eng/apikey/Google" {
-  capabilities = [ "read" ]  
-}
-
-# Read-only permit
-path "secret/data/prod/cert/mysql" {
-  capabilities = [ "read" ]
-}
-```
-
-
-#### CLI command
-
-First create `apps` policy, and generate a token so that you can authenticate
-as an `apps` persona, and read the secrets.
-
-```shell
-# Create "apps" policy
-$ vault policy write apps apps-policy.hcl
-Policy 'apps' written.
-
-# Create a new token with app policy
-$ vault token create -policy="apps"
-Key            	Value
----            	-----
-token          	e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
-token_accessor 	54700b7e--data828-a6c4-6141-96e71e002bd7
-token_duration 	768h0m0s
-token_renewable	true
-token_policies 	[apps default]
-```
-
-Now, `apps` can use this token to read the secrets.
-
-
-#### API call using cURL
-
-First create an `apps` policy, and generate a token so that you can authenticate
-as an `app` persona.
-
-**Example:**
-
-```shell
-# Payload to pass in the API call
-$ tee payload.json <<EOF
-{
-  "policy": "path \"secret/data/eng/apikey/Google\" { capabilities = [ \"read\" ] ...}"
-}
-EOF
-
-# Create "apps" policy
-$ curl --header "X-Vault-Token: ..." --request PUT \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/sys/policy/apps
-
-# Generate a new token with apps policy
-$ curl --header "X-Vault-Token: ..." --request POST \
-       --data '{"policies": ["apps"]}' \
-       http://127.0.0.1:8200/v1/auth/token/create | jq
-{
- "request_id": "e1737bc8-7e51-3943-42a0-2dbd6cb40e3e",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "wrap_info": null,
- "warnings": null,
- "auth": {
-   "client_token": "1c97b03a-6098-31cf-9d8b-b404e52dcb4a",
-   "accessor": "b10a3eb7-15fe-1924-600e-403cfda34c28",
-   "policies": [
-     "apps",
-     "default"
-   ],
-   "metadata": null,
-   "lease_duration": 2764800,
-   "renewable": true,
-   "entity_id": ""
- }
-}
-```
-
-Now, `apps` can use this token to read the secrets.
-
-**NOTE:** For the purpose of this guide, you created a policy for `apps`
-persona, and generated a token for it. However, in a real world, you may have
-a dedicated `policy author`, or `admin` to write policies. Also, the
-consumer of the API key may be different from the consumer of the root
-certificate. Then each persona would have a policy based on what it needs to
-access.
-
-![Personas Introduction](/img/vault-static-secrets2.png)
-
-
-
-### <a name="step5"></a>Step 5: Retrieve the secrets
-(**Persona:** apps)
-
-Using the token from [Step 4](#step4), read the Google API key, and root certificate for
-MySQL.
-
-
-#### CLI command
-
-The command to read secret is:
-
-```plaintext
-$ vault kv get secret/<PATH>
-```
-
-**Example:**
-
-```shell
-# Authenticate with Vault using the generated token first
-$ vault login e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
-Successfully authenticated! You are now logged in.
-token: e4bdf7dc-cbbf-1bb1-c06c-6a4f9a826cf2
-token_duration: 2764277
-token_policies: [apps default]
-
-# Read the API key
-$ vault kv get secret/eng/apikey/Google
-Key             	Value
----             	-----
-refresh_interval	768h0m0s
-key             	AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI
-```
-
-To return the key value alone, pass `-field=key` as an argument.
-
-```plaintext
-$ vault kv get -field=key secret/eng/apikey/Google
-AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI
-```
-
-#### Root certificate example:
-
-The command is basically the same:
-
-```plaintext
-$ vault kv get -field=cert secret/prod/cert/mysql
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA6E2Uq0XqreZISgVMUu9pnoMsq+OoK1PI54rsA9vtDE6wiRk0GWhf5vD4DGf1
-...
-```
-
-#### API call using cURL
-
-Use `secret/` endpoint to retrieve secrets from key/value secret engine:
-
-```plaintext
-$ curl --header "X-Vault-Token: <TOKEN_FROM_STEP4>" \
-       --request Get \
-       <VAULT_ADDRESS>/v1/secret/data/<PATH>
-```
-
-**Example:**
-
-Read the Google API key.
-
-```plaintext
-$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
-       --request GET \
-       http://127.0.0.1:8200/v1/secret/data/eng/apikey/Google | jq
-{
-"request_id": "5a2005ac-1149-2275-cab3-76cee71bf524",
-"lease_id": "",
-"renewable": false,
-"lease_duration": 2764800,
-"data": {
-  "key": "AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI"
-},
-"wrap_info": null,
-"warnings": null,
-"auth": null
-}
-```
-
-**NOTE:** This example uses `jq` to parse the JSON output.
-
-Retrieve the key value with `jq`:
-
-```plaintext
-$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
-       --request GET \
-       http://127.0.0.1:8200/v1/secret/data/eng/apikey/Google | jq ".data.key"
-```
-
-#### Root certificate example:
-
-```plaintext
-$ curl --header "X-Vault-Token: 1c97b03a-6098-31cf-9d8b-b404e52dcb4a" \
-       --request GET \
-       http://127.0.0.1:8200/v1/secret/data/prod/cert/mysql | jq ".data.cert"
-```
-
-## Additional Discussion
-
-### Q: How do I enter my secrets without appearing in history?
-
-As a precaution, you may wish to avoid passing your secret as a part of the CLI
-command so that the secret won't appear in the history file.  Here are a few
-techniques you can use.
-
-#### Option 1: Use a dash "-"
-
-An easy technique is to use a dash "-" and then press Enter. This allows you to
-enter the secret in a new line. After entering the secret, press **`Ctrl+d`** to
-end the pipe and write the secret to the Vault.
-
-```plaintext
-$ vault kv put secret/eng/apikey/Google key=-
-
-AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI
-<Ctrl+d>
-```
-
-#### Option 2: Read the secret from a file
-
-Using the Google API key example, you can create a file containing the key (apikey.txt):
-
-```plaintext
-{
-  "key": "AAaaBBccDDeeOTXzSMT1234BB_Z8JzG7JkSVxI"
-}
-```
-
-The CLI command would look like:
-
-```plaintext
-$ vault kv put secret/eng/apikey/Google @apikey.txt
-```
-
-#### Option 3: Disable all vault command history
-
-Sometimes, you may not even want the vault command itself to appear in history
-at all.  The Option 1 and Option 2 prevents the secret to appear in the history;
-however, the vault command, `vault kv put secret/eng/apikey/Google` will appear
-in history.
-
-In bash:
-
-```plaintext
-$ export HISTIGNORE="&:vault*"
-```
-
-**NOTE:** This prevents the use of the Up arrow key for command history as well.
-
-
-### Q: How do I save multiple values?
-
-The two examples introduced in this guide only had a single key-value pair.  You
-can pass multiple values in the command.
-
-```plaintext
-$ vault kv put secret/dev/config/mongodb url=foo.example.com:35533 db_name=users \
- username=admin password=passw0rd
-```
-
-Or, read the secret from a file:
-
-```plaintext
-$ tee mongodb.txt <<EOF
-{
-    "url": "foo.example.com:35533",
-    "db_name": "users",
-    "username": "admin",
-    "password": "pa$$w0rd"
-}
-EOF
-
-$ vault kv put secret/dev/config/mongodb @mongodb.txt
-```
-
-## Next steps
-
-This guide introduced the CLI commands and API endpoints to read and write
-secrets in key/value secret engine. To keep it simple, the `devops` persona
-generated a token for `apps`.  Read [AppRole Pull
-Authentication](/guides/identity/authentication.html) guide to learn about
-programmatically generate a token for apps.
diff --git a/website/source/guides/secret-mgmt/versioned-kv.html.md b/website/source/guides/secret-mgmt/versioned-kv.html.md
deleted file mode 100644
index 2060d51e9e30..000000000000
--- a/website/source/guides/secret-mgmt/versioned-kv.html.md
+++ /dev/null
@@ -1,954 +0,0 @@
----
-layout: "guides"
-page_title: "Versioned KV Secret Engine - Guides"
-sidebar_title: "Versioned KV Secret Engine"
-sidebar_current: "guides-secret-mgmt-versioned-kv"
-description: |-
-  Vault 0.10.0 introduced version 2 of key-value secret engine which supports
-  versioning of your secrets so that you can undo the accidental deletion of
-  secrets, or compare the different versions of the secret.
----
-
-# Versioned Key/Value Secret Engine
-
-The [Static Secrets](/guides/secret-mgmt/static-secrets.html) guide introduced
-the basics of working with key-value secret engine. **Vault 0.10** introduced [_K/V
-Secrets Engine v2 with Secret
-Versioning_](https://www.hashicorp.com/blog/vault-0-10).  This guide
-demonstrates the new features introduced by the key-value secret engine v2.
-
-
-## Reference Material
-
-- [Static Secrets guide](/guides/secret-mgmt/static-secrets.html)
-- [KV Secrets Engine - Version 2](/docs/secrets/kv/kv-v2.html)
-- [KV Secrets Engine - Version 2 (API)](/api/secret/kv/kv-v2.html)
-
-~> **NOTE:** An [interactive
-tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-static-secrets) is
-also available if you do not have a Vault environment to perform the steps
-described in this guide.
-
-
-## Estimated Time to Complete
-
-10 minutes
-
-
-## Challenge
-
-The KV secret engine v1 does not provide a way to version or roll back secrets.
-This made it difficult to recover from unintentional data loss or overwrite when
-more than one user is writing at the same path.
-
-
-## Solution
-
-Run the **version 2** of KV secret engine which can retain a configurable
-number of secret versions. This enables older versions' data to be retrievable
-in case of unwanted deletion or updates of the data.  In addition, its
-_Check-and-Set_ operations can be used to protect the data from being overwritten
-unintentionally.
-
-![Versioned KV](/img/vault-versioned-kv-1.png)
-
-## Prerequisites
-
-To perform the tasks described in this guide, you need to have a Vault
-environment.  Refer to the [Getting
-Started](/intro/getting-started/install.html) guide to install Vault. Make sure
-that your Vault server has been [initialized and
-unsealed](/intro/getting-started/deploy.html).
-
-### Policy requirements
-
--> **NOTE:** For the purpose of this guide, you can use **`root`** token to work
-with Vault. However, it is recommended that root tokens are only used for
-initial setup or in emergencies. As a best practice, use tokens with
-appropriate set of policies based on your role in the organization.
-
-To perform all tasks demonstrated in this guide, your policy must include the
-following permissions:
-
-```shell
-# To view in Web UI
-path "sys/mounts" {
-  capabilities = [ "read", "update" ]
-}
-
-# Write and manage secrets in key-value secret engine
-path "secret*" {
-  capabilities = [ "create", "read", "update", "delete", "list" ]
-}
-
-# To enable secret engines
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-```
-
-If you are not familiar with policies, complete the
-[policies](/guides/identity/policies.html) guide.
-
-
-## Steps
-
-This guide demonstrates the basic commands for working with KV secret engine v2.  
-
-You will perform the following:
-
-1. [Check the KV secret engine version](#step1)
-2. [Write secrets](#step2)
-3. [Retrieve a specific version of secret](#step3)
-4. [Specify the number of versions to keep](#step4)
-5. [Delete versions of secret](#step5)
-6. [Permanently delete data](#step6)
-
-
-### <a name="step1"></a>Step 1: Check the KV secret engine version
-(**Persona:** devops)
-
-Before beginning, verify that you are using the v2 of the KV secret engine.
-
-#### CLI command
-
-To check the KV secret engine version:
-
-```plaintext
-$ vault secrets list -format=json
-...
-"secret/": {
-  "type": "kv",
-  "description": "key/value secret storage",
-  "accessor": "kv_f05b8b9c",
-  "config": {
-    "default_lease_ttl": 0,
-    "max_lease_ttl": 0,
-    "force_no_cache": false
-  },
-  "options": {
-    "version": "2"
-  },
-  ...
-```
-
-The indicated **`version`** should be **`2`**. If the version is **`1`**,
-upgrade it to v2.
-
-```plaintext
-$ vault kv enable-versioning secret/
-```
-
-#### API call using cURL
-
-To check the KV secret engine version:
-
-```plaintext
-$ curl --header "X-Vault-Token: <TOKEN>" \
-       <VAULT_ADDRESS>/v1/sys/mounts
-```
-
-Where `<TOKEN>` is your valid token, and `<VAULT_ADDRESS>` is where your vault
-server is running.
-
-
-**Example:**
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/sys/mounts | jq
-...
-  "secret/": {
-    "accessor": "kv_f05b8b9c",
-    "config": {
-      "default_lease_ttl": 0,
-      "force_no_cache": false,
-      "max_lease_ttl": 0,
-      "plugin_name": ""
-    },
-    "description": "key/value secret storage",
-    "local": false,
-    "options": {
-      "version": "2"
-    },
-    "seal_wrap": false,
-    "type": "kv"
-  },
-...
-```
-
-The indicated **`version`** should be **`2`**. If the version is **`1`**,
-upgrade it to v2.
-
-```plaintext
-$ cat payload.json
-{
-  "options": {
-      "version": "2"
-  }
-}
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/sys/mounts/secret/tune
-```
-
-#### Web UI
-
-Open a web browser and launch the Vault UI (e.g. `http://127.0.0.1:8200/ui`) and
-then login.
-
-![Web UI](/img/vault-versioned-kv-2.png)
-
-If `secret/` does not indicates **`v2`**, you can upgrade it from `v1` to `v2`
-by executing the following CLI command:
-
-```plaintext
-$ vault kv enable-versioning secret/
-```
-
-Alternatively, you can enable KV secret engine v2 at a different path by
-clicking **Enable new engine**. Select **KV** from the **Secret engine type**
-drop-down list.  Be sure that the **Version** is set to be **Version 2**.
-
-![Enabling kv-v2](/img/vault-versioned-kv-3.png)
-
-Click **Enable Engine** to complete.
-
-
-### <a name="step2"></a>Step 2: Write Secrets
-
-To understand how the versioning works, let's write some test data.
-
-#### CLI commands
-
-To write secrets, run `vault kv put` command instead of `vault write`:
-
-```plaintext
-$ vault kv put secret/customer/acme name="ACME Inc." contact_email="jsmith@acme.com"
-Key              Value
----              -----
-created_time     2018-04-14T00:05:47.115378933Z
-deletion_time    n/a
-destroyed        false
-version          1
-```
-
-To update the existing secret, run the `vault kv put` command again:
-
-```plaintext
-$ vault kv put secret/customer/acme name="ACME Inc." contact_email="john.smith@acme.com"
-Key              Value
----              -----
-created_time     2018-04-14T00:13:35.296018431Z
-deletion_time    n/a
-destroyed        false
-version          2
-```
-
-Now you have two versions of the `secret/customer/acme` data. Run `vault kv get`
-to read the data.
-
-```plaintext
-$ vault kv get secret/customer/acme
-====== Metadata ======
-Key              Value
----              -----
-created_time     2018-04-14T00:13:35.296018431Z
-deletion_time    n/a
-destroyed        false
-version          2
-
-======== Data ========
-Key              Value
----              -----
-contact_email    john.smith@acme.com
-name             ACME Inc.
-```
-
-#### API call using cURL
-
-Write some data at `secret/customer/acme`:
-
-```plaintext
-$ tee payload.json <<EOF
-{
-  "data": {
-    "name": "ACME Inc.",
-    "contact_email": "jsmith@acme.com"
-  }
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/secret/data/customer/acme
-```
-
-Notice that the endpoint for KV v2 is **`/secret/data/<path>`**; therefore, to
-write secrets at `secret/customer/acme`, the API endpoint becomes
-`/secret/data/customer/acme`.
-
-Update the secret to create another version:
-
-```plaintext
-$ tee payload.json <<EOF
-{
-  "data": {
-    "name": "ACME Inc.",
-    "contact_email": "john.smith@acme.com"
-  }
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/secret/data/customer/acme
-```
-
-Now you have two versions of the `secret/customer/acme` data. Read back the secret.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/secret/data/customer/acme
-{
-   "request_id": "7233b69d-35d9-6c1b-ae81-9a679a03082d",
-   "lease_id": "",
-   "renewable": false,
-   "lease_duration": 0,
-   "data": {
-     "data": {
-       "contact_email": "john.smith@acme.com",
-       "name": "ACME Inc."
-     },
-     "metadata": {
-       "created_time": "2018-04-14T00:59:11.27903511Z",
-       "deletion_time": "",
-       "destroyed": false,
-       "version": 2
-     }
-   },
-   "wrap_info": null,
-   "warnings": null,
-   "auth": null
-}
-```
-
-
-#### Web UI
-
-In the Web UI, select `secret/` and then click **Create secret**.
-
-![Write Secret](/img/vault-versioned-kv-5.png)
-
-Click **Save**.
-
-To update the existing secret, select **Edit**, change the `contact_email`
-value, and then click **Save**.
-
-![Write Secret](/img/vault-versioned-kv-6.png)
-
-
-### <a name="step3"></a>Step 3: Retrieve a Specific Version of Secret
-
-You may run into a situation where you need to view the secret before an update.
-
-#### CLI commands
-
-To retrieve the version 1 of the secret written at `secret/customer/acme`:
-
-```plaintext
-$ vault kv get -version=1 secret/customer/acme
-====== Metadata ======
-Key              Value
----              -----
-created_time     2018-04-14T00:05:47.115378933Z
-deletion_time    n/a
-destroyed        false
-version          1
-
-======== Data ========
-Key              Value
----              -----
-contact_email    jsmith@acme.com
-name             ACME Inc.
-```
-
-To read the **metadata** of `secret/customer/acme`:
-
-```plaintext
-$ vault kv metadata get secret/customer/acme
-======= Metadata =======
-Key                Value
----                -----
-created_time       2018-04-14T00:05:47.115378933Z
-current_version    2
-max_versions       0
-oldest_version     0
-updated_time       2018-04-14T00:13:35.296018431Z
-
-====== Version 1 ======
-Key              Value
----              -----
-created_time     2018-04-14T00:05:47.115378933Z
-deletion_time    n/a
-destroyed        false
-
-====== Version 2 ======
-Key              Value
----              -----
-created_time     2018-04-14T00:13:35.296018431Z
-deletion_time    n/a
-destroyed        false
-```
-
-
-#### API call using cURL
-
-To retrieve the version 1 of the secret written at `secret/customer/acme`:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/secret/data/customer/acme?version=1 | jq
-{
- "request_id": "3bf5a2c1-d89b-9dd5-9bb5-0bc61a4a6d83",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
-   "data": {
-     "contact_email": "jsmith@acme.com",
-     "name": "ACME Inc."
-   },
-   "metadata": {
-     "created_time": "2018-04-14T00:05:47.115378933Z",
-     "deletion_time": "",
-     "destroyed": false,
-     "version": 1
-   }
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-To read the **metadata** of `secret/customer/acme`:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/secret/metadata/customer/acme | jq
-{
- "request_id": "34708262-59cd-9a94-247f-3b1db0909050",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
-   "created_time": "2018-04-14T00:05:47.115378933Z",
-   "current_version": 2,
-   "max_versions": 0,
-   "oldest_version": 0,
-   "updated_time": "2018-04-14T00:13:35.296018431Z",
-   "versions": {
-     "1": {
-       "created_time": "2018-04-14T00:05:47.115378933Z",
-       "deletion_time": "",
-       "destroyed": false
-     },
-     "2": {
-       "created_time": "2018-04-14T00:13:35.296018431Z",
-       "deletion_time": "",
-       "destroyed": false
-     }
-   }
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-
-### <a name="step4"></a>Step 4: Specify the number of versions to keep
-
-By default, the `kv-v2` secret engine keeps up to 10 versions.  Let's limit the
-maximum number of versions to keep to be 4.
-
-#### CLI command
-
-To set the `secret/` to keep up to 4 versions:
-
-```shell
-$ vault write secret/config max_versions=4
-Success! Data written to: secret/config
-
-# View the configuration settings
-$ vault read secret/config
-Key             Value
----             -----
-cas_required    false
-max_versions    4
-```
-
-Alternatively, to limit the number of versions only on the
-**`secret/customer/acme`** path rather than the entire `secret/` engine:
-
-```plaintext
-$ vault kv metadata put -max-versions=4 secret/customer/acme
-```
-
-Overwrite the data a few more times to see what happens to the data.
-
-```plaintext
-$ vault kv metadata get secret/customer/acme
-======= Metadata =======
-Key                Value
----                -----
-created_time       2018-04-14T00:42:25.677078177Z
-current_version    6
-max_versions       0
-oldest_version     3
-updated_time       2018-04-16T00:17:23.930473344Z
-
-====== Version 3 ======
-Key              Value
----              -----
-created_time     2018-04-16T00:15:59.880368849Z
-deletion_time    n/a
-destroyed        false
-
-====== Version 4 ======
-Key              Value
----              -----
-created_time     2018-04-16T00:16:18.941331243Z
-deletion_time    n/a
-destroyed        false
-
-====== Version 5 ======
-Key              Value
----              -----
-created_time     2018-04-16T00:16:34.407951572Z
-deletion_time    n/a
-destroyed        false
-
-====== Version 6 ======
-Key              Value
----              -----
-created_time     2018-04-16T00:17:23.930473344Z
-deletion_time    n/a
-destroyed        false
-```
-
-In this example, the current version is 6. Notice that version 1 and 2 do not
-show up in the metadata. Because the kv secret engine is configured to keep only
-4 versions, the oldest two versions are permanently deleted and you won't be
-able to read them.
-
-```plaintext
-$ vault kv get -version=1 secret/customer/acme
-No value found at secret/data/customer/data
-```
-
-#### API call using cURL
-
-To set the `secret/` to keep up to 4 versions:
-
-```plaintext
-$ tee payload.json<<EOF
-{
-  "max_versions": 4,
-  "cas_required": false
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json
-       http://127.0.0.1:8200/v1/secret/config
-```
-
-To view the configuration:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/secret/config | jq
-{
- "request_id": "8addfed1-41eb-6a19-8342-93f493c51538",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
-   "cas_required": false,
-   "max_versions": 4
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-Alternatively, to limit the number of versions only on the
-**`secret/customer/acme`** path rather than the entire `secret/` engine:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json
-       http://127.0.0.1:8200/v1/secret/metadata/customer/acme
-```
-
-Invoke the `secret/metadata/customer/acme` endpoint instead.
-
-
-Overwrite the data a few more times to see what happens to the data.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/secret/metadata/customer/acme | jq
-{
- "request_id": "f2dd7f69-294c-e5c3-d582-f723005ea243",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
-   "created_time": "2018-04-14T00:42:25.677078177Z",
-   "current_version": 6,
-   "max_versions": 0,
-   "oldest_version": 3,
-   "updated_time": "2018-04-16T00:17:23.930473344Z",
-   "versions": {
-     "3": {
-       "created_time": "2018-04-16T00:15:59.880368849Z",
-       "deletion_time": "",
-       "destroyed": false
-     },
-     "4": {
-       "created_time": "2018-04-16T00:16:18.941331243Z",
-       "deletion_time": "",
-       "destroyed": false
-     },
-     "5": {
-       "created_time": "2018-04-16T00:16:34.407951572Z",
-       "deletion_time": "",
-       "destroyed": false
-     },
-     "6": {
-       "created_time": "2018-04-16T00:17:23.930473344Z",
-       "deletion_time": "",
-       "destroyed": false
-     }
-   }
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-In this example, the current version is 6. Notice that version 1 and 2 do not
-show up in the metadata. Because the kv secret engine is configured to keep only
-4 versions, the oldest two versions are permanently deleted and you won't be
-able to read them.
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       http://127.0.0.1:8200/v1/secret/data/customer/acme?version=1 | jq
-{
- "errors": []
-}
-```
-
-
-### <a name="step5"></a>Step 5: Delete versions of secret
-
-
-#### CLI command
-
-Let's delete versions 4 and 5:
-
-```shell
-$ vault kv delete -versions="4,5" secret/customer/acme
-Success! Data deleted (if it existed) at: secret/customer/acme
-
-# Check the metadata
-$ vault kv metadata get secret/customer/acme
-...
-====== Version 4 ======
-Key              Value
----              -----
-created_time     2018-04-16T00:12:25.404198622Z
-deletion_time    2018-04-16T01:04:01.160426888Z
-destroyed        false
-
-====== Version 5 ======
-Key              Value
----              -----
-created_time     2018-04-16T00:12:47.527981267Z
-deletion_time    2018-04-16T01:04:01.160427742Z
-destroyed        false
-...
-```
-
-The metadata on versions 4 and 5 reports its deletion timestamp
-(`deletion_time`); however, the `destroyed` parameter is set to `false`.
-
-If version 5 was deleted by mistake and you wish to recover, invoke the `vault
-kv undelete` command:
-
-```plaintext
-$ vault kv undelete -versions=5 secret/customer/acme
-Success! Data written to: secret/undelete/customer/acme
-```
-
-
-#### API call using cURL
-
-Let's delete versions 4 and 5:
-
-```shell
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{ "versions":[4,5] }'
-       http://127.0.0.1:8200/v1/secret/delete/customer/acme
-
-# Check the metadata
-$ curl --header "X-Vault-Token: ..." \
-      http://127.0.0.1:8200/v1/secret/metadata/customer/acme | jq
-...
-"4": {
-   "created_time": "2018-04-16T00:16:18.941331243Z",
-   "deletion_time": "2018-04-16T01:17:42.003111567Z",
-   "destroyed": false
- },
- "5": {
-   "created_time": "2018-04-16T00:16:34.407951572Z",
-   "deletion_time": "2018-04-16T01:17:42.003111978Z",
-   "destroyed": false
- },
-...
-```
-
-The metadata on versions 4 and 5 reports its deletion timestamp
-(`deletion_time`); however, the `destroyed` parameter is set to `false`.
-
-If version 5 was deleted by mistake and you wish to recover, invoke the
-`/secret/undelete` endpoint:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{ "versions":[5] }'
-       http://127.0.0.1:8200/v1/secret/undelete/customer/acme
-```
-
-
-### <a name="step6"></a>Step 6: Permanently delete data
-
-#### CLI command
-
-To permanently delete a version of secret:
-
-```shell
-$ vault kv destroy -versions=4 secret/customer/acme
-Success! Data written to: secret/destroy/customer/acme
-
-# Check the metadata
-$ vault kv metadata get secret/customer/acme
-...
-====== Version 4 ======
-Key              Value
----              -----
-created_time     2018-04-16T00:12:25.404198622Z
-deletion_time    2018-04-16T01:04:01.160426888Z
-destroyed        true
-...
-```
-
-The metadata indicates that Version 4 is destroyed.
-
-If you wish to destroy all the keys and versions at `secret/customer/acme`,
-invoke the `vault kv metadata delete` command:
-
-```plaintext
-$ vault kv metadata delete secret/customer/acme
-Success! Data deleted (if it existed) at: secret/metadata/customer/acme
-```
-
-
-#### API call using cURL
-
-To permanently delete a version of secret:
-
-```shell
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data '{ "versions":[4] }'
-       http://127.0.0.1:8200/v1/secret/destroy/customer/acme
-
-# Check the metadata
-$ curl --header "X-Vault-Token: ..." \
-      http://127.0.0.1:8200/v1/secret/metadata/customer/acme | jq
-...
-  "4": {
-    "created_time": "2018-04-16T00:16:18.941331243Z",
-    "deletion_time": "2018-04-16T01:17:42.003111567Z",
-    "destroyed": true
-  },
-...
-```
-
-The metadata indicates that Version 4 is destroyed.
-
-If you wish to destroy all the keys and versions at `secret/customer/acme`,
-invoke the `secret/metadata` endpoint:
-
-```plaintext
-$ curl --header "X-Vault-Token: ..." \
-       --request DELETE
-       http://127.0.0.1:8200/v1/secret/metadata/customer/acme
-```
-
-
-### Additional Discussion
-
-The v2 of KV secret engine supports a **_Check-And-Set_** operation to prevent
-unintentional secret overwrite. When you pass the `cas` flag to Vault, it first
-checks if the key already exists.
-
-By default, _Check-And-Set_ operation is not enabled on the KV secret engine;
-therefore, write is always allowed (no checking is performed).  
-
-```plaintext
-$ vault read secret/config
-Key             Value
----             -----
-cas_required    false
-max_versions    0
-```
-
-#### CLI command
-
-To enable the **_Check-And-Set_** operation:
-
-```shell
-# Enable cas_requied on the secret engine mounted at secret/
-$ vault write secret/config cas-required=true
-
-# Enable cas_requied only on the secret/partner path
-$ vault kv metadata put -cas-required=true secret/partner
-```
-
-Once check-and-set is enabled, every write operation requires `cas` value to be
-passed. If you are sure that you want to overwrite the existing key-value, set
-`cas` to match the current version. Set `cas` to `0` if you want to write the
-secret _only if_ the key does not exist.
-
-**Example:**
-
-```shell
-# To write if the key does not already exists
-$ vault kv put -cas=0 secret/partner name="Example Co." partner_id="123456789"
-Key              Value
----              -----
-created_time     2018-04-16T22:58:15.798753323Z
-deletion_time    n/a
-destroyed        false
-version          1
-
-# To overwrite the secret, you must specify the current version with -cas flag
-$ vault kv put -cas=1 secret/partner name="Example Co." partner_id="ABCDEFGHIJKLMN"
-Key              Value
----              -----
-created_time     2018-04-16T23:00:28.66552289Z
-deletion_time    n/a
-destroyed        false
-version          2
-```
-
-#### API call using cURL
-
-To enable the **_Check-And-Set_** operation:
-
-```shell
-$ tee payload.json<<EOF
-{
-  "max_versions": 10,
-  "cas_required": true
-}
-EOF
-
-# Enable cas_requied on the secret engine mounted at secret/
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json
-       http://127.0.0.1:8200/v1/secret/config
-
-# Enable cas_requied only on the secret/partner path
-$ curl --header "X-Vault-Token: ..." \
-      --request POST \
-      --data @payload.json
-      http://127.0.0.1:8200/v1/secret/metadata/partner
-```
-
-Once check-and-set is enabled, every write operation requires `cas` value to be
-passed. If you are sure that you want to overwrite the existing key-value, set
-`cas` to match the current version. Set `cas` to `0` if you want to write the
-secret _only if_ the key does not exist.
-
-**Example:**
-
-```shell
-# Write if the key does not already exists
-$ tee payload.json <<EOF
-{
-  "options": {
-    "cas": 0
-  },
-  "data": {
-    "name": "Example Co.",
-    "partner_id": "123456789"
-  }
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/secret/data/partner
-
-# To overwrite the secret, you must pass the current version
-$ tee payload.json <<EOF
-{
-  "options": {
-    "cas": 1
-  },
-  "data": {
-    "name": "Example Co.",
-    "partner_id": "ABCDEFGHIJKLMN"
-  }
-}
-EOF
-
-$ curl --header "X-Vault-Token: ..." \
-       --request POST \
-       --data @payload.json \
-       http://127.0.0.1:8200/v1/secret/data/partner
-```
-
-<br>
-
-~> If the **`cas`** value is missing in your write request, the
-"`check-and-set parameter required for this call`" error will be returned.  If
-the `cas` does not match the current version number, you will receive the
-"`check-and-set parameter did not match the current version`" message.
-
-
-
-## Next steps
-
-This guide introduced the CLI commands and API endpoints to read and write
-static secrets in the key-value secret engine. Read [Secret as a Service: Dynamic Secrets](/guides/secret-mgmt/dynamic-secrets.html) guide to learn about the
-usage of database secret engine.
diff --git a/website/source/index.html.erb b/website/source/index.html.erb
deleted file mode 100644
index 5a204801b6fa..000000000000
--- a/website/source/index.html.erb
+++ /dev/null
@@ -1,136 +0,0 @@
----
-description: "Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, auditing, and provides secrets as a service through a unified API."
----
-
-<%= partial "partials/subnav" %>
-
-<hashi-hero _data="<%= encode(dato.vault_oss_page.hero) %>"></hashi-hero>
-
-<div class='g-section-block page-wrap'>
-
-  <%-# Text Section -%>
-
-  <section class='g-container remove-bottom-padding'>
-    <hashi-section-header
-      headline="Secure dynamic infrastructure across clouds and environments"
-      description="The shift from static, on-premise infrastructure to dynamic, multi-provider infrastructure changes the approach to security. Security in static infrastructure relies on dedicated servers, static IP addresses, and a clear network perimeter. Security in dynamic infrastructure is defined by ephemeral applications and servers, trusted sources of user and application identity, and software-based encryption."
-    ></hashi-section-header>    
-  </section>
-
-  <%-# Before After Diagram -%>
-
-  <section class="g-container before-after">
-    <hashi-before-after _data="<%= encode(dato.vault_product_page.static_dynamic_section.layout.content.last.to_hash(4)) %>"></hashi-before-after>
-  </section>
-
-  <%-# Use cases -%>
-
-  <section>
-    <div class='g-container'>
-      <hashi-use-cases _data="<%= encode({items: [
-        {
-          title: 'Secrets Management',
-          description: 'Audit access, automatically Centrally store, access, and deploy secrets across applications, systems, and infrastructure',
-          image: {
-            url: '/img/homepage/callouts/secrets.png',
-            alt: 'Vault secrets diagram',
-            format: 'png'
-          },
-          link: {
-            title: 'Learn More',
-            url: '/use-cases/secrets-management'
-          }
-        },
-        {
-          title: 'Data Encryption',
-          description: 'Keep secrets and application data secure with one centralized workflow to encrypt data in flight and at rest',
-          image: {
-            url: '/img/homepage/callouts/encryption.png',
-            alt: 'Vault encryption diagram',
-            format: 'png'
-          },
-          link: {
-            title: 'Learn More',
-            url: '/use-cases/data-encryption'
-          }
-        },
-        {
-          title: 'Identity-based Access',
-          description: 'Authenticate and access different clouds, systems, and endpoints using trusted identities',
-          image: {
-            url: '/img/homepage/callouts/identity.png',
-            alt: 'Vault identity access diagram',
-            format: 'png'
-          },
-          link: {
-            title: 'Learn More',
-            url: '/use-cases/identity-based-access'
-          }
-        }
-      ]}) %>"></hashi-use-cases>
-    </div>
-  </section>
-
-  <%-# Principles / Text & Content Blocks -%>
-
-  <section class='g-container'>
-    <hashi-section-header
-      headline="Vault Principles"
-    ></hashi-section-header>
-
-    <hashi-text-and-content _data='<%= encode({
-        text: "### API-driven
-
-Use policy to codify, protect, and automate access to secrets",
-        content: {
-          item_type: "sbc_code_block",
-          chrome: true,
-          code: "$ curl \\\n
---header \"X-Vault-Token: ...\" \\\n
---request POST \\\n
---data @payload.json \\\n
-https://127.0.0.1:8200/v1/secret/config"
-        }
-    }) %>'></hashi-text-and-content>
-
-<% secure_text_and_content = {
-  reverse_direction: true,
-  text: "### Secure with any identity
-
-Seamlessly integrate any trusted identity provider",
-  content: {
-    item_type: "sbc_logo_grid",
-    companies: dato.vault_product_page.principles_section.layout.content[2].content.companies.to_hash
-  }
-} %>
-
-    <hashi-text-and-content _data='<%= encode(secure_text_and_content) %>'></hashi-text-and-content>
-
-<% extend_text_and_content = {
-  text: "### Extend and integrate
-
-Securely manage secrets and access through a centralized workflow",
-  content: {
-    item_type: "sbc_logo_grid",
-    companies: dato.vault_product_page.principles_section.layout.content[3].content.companies.to_hash
-  }
-} %>
-
-    <hashi-text-and-content _data='<%= encode(extend_text_and_content) %>'></hashi-text-and-content>
-    
-  </section>
-
-  <section class='g-container'>
-    <hashi-section-header
-      headline="Open Source and Enterprise"
-      description="Vault Open Source addresses the *technical complexity* of managing secrets by leveraging trusted identities across distributed infrastructure and clouds. Vault Enterprise addresses the *organizational complexity* of large user bases and compliance requirements with collaboration and governance features."
-    ></hashi-section-header>
-
-    <div class='button-container'>
-      <hashi-button
-        title="Learn More"
-        url="https://www.hashicorp.com/products/vault/enterprise"
-      ></hashi-button>
-    </div>
-  </section>
-</div>
\ No newline at end of file
diff --git a/website/source/intro/getting-started/apis.html.md b/website/source/intro/getting-started/apis.html.md
deleted file mode 100644
index 5db1d3147a57..000000000000
--- a/website/source/intro/getting-started/apis.html.md
+++ /dev/null
@@ -1,277 +0,0 @@
----
-layout: "intro"
-page_title: "Using the HTTP APIs with Authentication"
-sidebar_title: "HTTP API"
-sidebar_current: "gettingstarted-apis"
-description: |-
-  Using the HTTP APIs for authentication and secret access.
----
-
-# Using the HTTP APIs with Authentication
-
-All of Vault's capabilities are accessible via the HTTP API in addition to the
-CLI. In fact, most calls from the CLI actually invoke the HTTP API. In some
-cases, Vault features are not available via the CLI and can only be accessed
-via the HTTP API.
-
-Once you have started the Vault server, you can use `curl` or any other http
-client to make API calls. For example, if you started the Vault server in
-[dev mode](/docs/concepts/dev-server.html), you could validate the
-initialization status like this:
-
-```text
-$ curl http://127.0.0.1:8200/v1/sys/init
-```
-
-This will return a JSON response:
-
-```json
-{
-  "initialized": true
-}
-```
-
-## Accessing Secrets via the REST APIs
-
-Machines that need access to information stored in Vault will most likely
-access Vault via its REST API. For example, if a machine were using
-[AppRole](/docs/auth/approle.html) for authentication, the application would
-first authenticate to Vault which would return a Vault API token. The
-application would use that token for future communication with Vault.
-
-For the purpose of this guide, we will use the following configuration which
-disables TLS and uses a file-based backend. TLS is disabled here only for
-example purposes; it should never be disabled in production.
-
-```hcl
-backend "file" {
-  path = "vault"
-}
-
-listener "tcp" {
-  tls_disable = 1
-}
-```
-
-Save this file on disk as `config.hcl` and then start the Vault server:
-
-```text
-$ vault server -config=config.hcl
-```
-
-At this point, we can use Vault's API for all our interactions. For example, we
-can initialize Vault like this:
-
-```text
-$ curl \
-    --request POST \
-    --data '{"secret_shares": 1, "secret_threshold": 1}' \
-    http://127.0.0.1:8200/v1/sys/init
-```
-
-The response should be JSON and looks something like this:
-
-```json
-{
-  "keys": [
-    "373d500274dd8eb95271cb0f868e4ded27d9afa205d1741d60bb97cd7ce2fe41"
-  ],
-  "keys_base64": [
-    "Nz1QAnTdjrlSccsPho5N7SfZr6IF0XQdYLuXzXzi/kE="
-  ],
-  "root_token": "6fa4128e-8bd2-fd02-0ea8-a5e020d9b766"
-}
-```
-
-This response contains our initial root token. It also includes the unseal key.
-You can use the unseal key to unseal the Vault and use the root token to perform
-other requests in Vault that require authentication.
-
-To make this guide easy to copy-and-paste, we will be using the environment
-variable `$VAULT_TOKEN` to store the root token. You can export this Vault
-token in your current shell like this:
-
-```sh
-$ export VAULT_TOKEN=6fa4128e-8bd2-fd02-0ea8-a5e020d9b766
-```
-
-Using the unseal key (not the root token) from above, you can unseal the Vault
-via the HTTP API:
-
-```text
-$ curl \
-    --request POST \
-    --data '{"key": "Nz1QAnTdjrlSccsPho5N7SfZr6IF0XQdYLuXzXzi/kE="}' \
-    http://127.0.0.1:8200/v1/sys/unseal
-```
-
-Note that you should replace `Nz1QAnT...` with the generated key from your
-output. This will return a JSON response:
-
-```json
-{
-  "sealed": false,
-  "t": 1,
-  "n": 1,
-  "progress": 0,
-  "nonce": "",
-  "version": "1.2.3",
-  "cluster_name": "vault-cluster-9d524900",
-  "cluster_id": "d69ab1b0-7e9a-2523-0d05-b0bfd09caeea"
-}
-```
-
-Now any of the available auth methods can be enabled and configured.
-For the purposes of this guide lets enable [AppRole](/docs/auth/approle.html)
-authentication.
-
-Start by enabling the AppRole authentication.
-
-```text
-$ curl \
-    --header "X-Vault-Token: $VAULT_TOKEN" \
-    --request POST \
-    --data '{"type": "approle"}' \
-    http://127.0.0.1:8200/v1/sys/auth/approle
-```
-
-Notice that the request to enable the AppRole endpoint needed an authentication
-token. In this case we are passing the root token generated when we started
-the Vault server. We could also generate tokens using any other authentication
-mechanisms, but we will use the root token for simplicity.
-
-Now create an AppRole with desired set of [ACL
-policies](/docs/concepts/policies.html). In the following command, it is being
-specified that the tokens issued under the AppRole `my-role`, should be
-associated with `dev-policy` and the `my-policy`.
-
-```text
-$ curl \
-    --header "X-Vault-Token: $VAULT_TOKEN" \
-    --request POST \
-    --data '{"policies": ["dev-policy", "my-policy"]}' \
-    http://127.0.0.1:8200/v1/auth/approle/role/my-role
-```
-
-The AppRole backend, in its default configuration expects two hard to guess
-credentials, a role ID and a secret ID. This command fetches the role ID of the
-`my-role`.
-
-```text
-$ curl \
-    --header "X-Vault-Token: $VAULT_TOKEN" \
-     http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
-```
-
-The response will include a `data` key with the `role_id`:
-
-```json
-{
-  "data": {
-    "role_id": "86a32a73-1f2b-05e0-113a-dfa930145d72"
-  }
-}
-```
-
-This command creates a new secret ID under the `my-role`.
-
-```text
-$ curl \
-    --header "X-Vault-Token: $VAULT_TOKEN" \
-    --request POST \
-    http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
-```
-
-The response will include the `secret_id` in the `data` key:
-
-```json
-{
-  "data": {
-    "secret_id": "cd4b2002-3e3b-aceb-378d-5caa84dffd14",
-    "secret_id_accessor": "6b9b58f6-d11a-c73c-ffa8-04a47d42716b"
-  }
-}
-```
-
-These two credentials can be supplied to the login endpoint to fetch a new
-Vault token.
-
-```text
-$ curl \
-    --request POST \
-    --data '{"role_id": "86a32a73-1f2b-05e0-113a-dfa930145d72", "secret_id": "cd4b2002-3e3b-aceb-378d-5caa84dffd14"}' \
-    http://127.0.0.1:8200/v1/auth/approle/login
-```
-
-The response will be JSON, under the key `auth`:
-
-```json
-{
-  "auth": {
-    "client_token": "50617721-dfb5-1916-7b13-4091e169d28c",
-    "accessor": "ada8d354-47c0-5d9e-50f9-d74e6de2df9b",
-    "policies": [
-      "default",
-      "dev-policy",
-      "my-policy"
-    ],
-    "metadata": {
-      "role_name": "my-role"
-    },
-    "lease_duration": 2764800,
-    "renewable": true
-  }
-}
-```
-
-The returned client token (`50617721...`) can be used to authenticate with
-Vault. This token will be authorized with specific capabilities on all the
-resources encompassed by the policies `default`, `dev-policy` and `my-policy`.
-
-The newly acquired token can be exported as a new `VAULT_TOKEN` and use it to
-authenticate Vault requests.
-
-```sh
-$ export VAULT_TOKEN="50617721-dfb5-1916-7b13-4091e169d28c"
-```
-
-```text
-$ curl \
-    --header "X-Vault-Token: $VAULT_TOKEN" \
-    --request POST \
-    --data '{"bar": "baz"}' \
-    http://127.0.0.1:8200/v1/secret/foo
-```
-
-This will create a new secret named "foo" with the given JSON contents. We can
-read this value back with the same token:
-
-```text
-$ curl \
-    --header "X-Vault-Token: $VAULT_TOKEN" \
-    http://127.0.0.1:8200/v1/secret/foo
-```
-
-This should return a response like this:
-
-```json
-{
-  "data": {
-    "bar": "baz"
-  },
-  "lease_duration": 2764800,
-  "renewable": false,
-  "request_id": "5e246671-ec05-6fc8-9f93-4fe4512f34ab"
-}
-```
-
-You can see the documentation on the [HTTP APIs](/api/index.html) for
-more details on other available endpoints.
-
-Congratulations! You now know all the basics to get started with Vault.
-
-## Next
-
-Next, we have a page dedicated to [next
-steps](/intro/getting-started/next-steps.html) depending on what you would like
-to achieve.
diff --git a/website/source/intro/getting-started/authentication.html.md b/website/source/intro/getting-started/authentication.html.md
deleted file mode 100644
index 66a01047e623..000000000000
--- a/website/source/intro/getting-started/authentication.html.md
+++ /dev/null
@@ -1,285 +0,0 @@
----
-layout: "intro"
-page_title: "Authentication - Getting Started"
-sidebar_title: "Authentication"
-sidebar_current: "gettingstarted-auth"
-description: |-
-  Authentication to Vault gives a user access to use Vault. Vault can authenticate using multiple methods.
----
-
-# Authentication
-
-Now that we know how to use the basics of Vault, it is important to understand
-how to authenticate to Vault itself. Up to this point, we have not "logged in"
-to Vault. When starting the Vault server in `dev` mode, it automatically logs
-you in as the root user with admin permissions. In a non-dev setup, you would
-have had to authenticate first.
-
-On this page, we'll talk specifically about authentication. On the next page, we
-talk about [authorization](/intro/getting-started/policies.html). Authentication
-is the mechanism of assigning an identity to a Vault user. The access control
-and permissions associated with an identity are authorization, and will not be
-covered on this page.
-
-Vault has pluggable auth methods, making it easy to authenticate with Vault
-using whatever form works best for your organization. On this page we will use
-the token auth method and the GitHub auth method.
-
-## Background
-
-Authentication is the process by which user or machine-supplied information is
-verified and converted into a Vault token with matching policies attached. The
-easiest way to think about Vault's authentication is to compare it to a website.
-
-When a user authenticates to a website, they enter their username, password, and
-maybe 2FA code. That information is verified against external sources (a
-database most likely), and the website responds with a success or failure. On
-success, the website also returns a signed cookie that contains a session id
-which uniquely identifies that user for this session. That cookie and session id
-are automatically carried by the browser to future requests so the user is
-authenticated. Can you imagine how terrible it would be to require a user to
-enter their login credentials on each page?
-
-Vault behaves very similarly, but it is much more flexible and pluggable than a
-standard website. Vault supports many different authentication mechanisms, but
-they all funnel into a single "session token", which we call the "Vault token".
-
-Authentication is simply the process by which a user or machine gets a Vault
-token.
-
-## Tokens
-
-Token authentication is enabled by default in Vault and cannot be disabled. When
-you start a dev server with `vault server -dev`, it outputs your _root token_.
-The root token is the initial access token to configure Vault. It has root
-privileges, so it can perform any operation within Vault.
-
-You can create more tokens:
-
-```text
-$ vault token create
-Key                Value
----                -----
-token              463763ae-0c3b-ff77-e137-af668941465c
-token_accessor     57b6b540-57c8-64c4-e9c6-0b18ab058144
-token_duration     ∞
-token_renewable    false
-token_policies     [root]
-```
-
-By default, this will create a child token of your current token that inherits
-all the same policies. The "child" concept here is important: tokens always have
-a parent, and when that parent token is revoked, children can also be revoked
-all in one operation. This makes it easy when removing access for a user, to
-remove access for all sub-tokens that user created as well.
-
-After a token is created, you can revoke it:
-
-```text
-$ vault token revoke 463763ae-0c3b-ff77-e137-af668941465c
-Success! Revoked token (if it existed)
-```
-
-In a [previous section](/intro/getting-started/dynamic-secrets.html#revoking-the-secret), we use the `vault lease revoke` command. This command
-is only used for revoking _leases_. For revoking _tokens_, use
-`vault token revoke`.
-
-To authenticate with a token:
-
-```text
-$ vault login a402d075-6d59-6129-1ac7-3718796d4346
-Success! You are now authenticated. The token information displayed below
-is already stored in the token helper. You do NOT need to run "vault login"
-again. Future Vault requests will automatically use this token.
-
-Key                Value
----                -----
-token              a402d075-6d59-6129-1ac7-3718796d4346
-token_accessor     7636b2f8-0cf1-e110-9b18-8f8b5ecf8351
-token_duration     ∞
-token_renewable    false
-token_policies     [root]
-```
-
-This authenticates with Vault. It will verify your token and let you know what
-access policies the token is associated with. If you want to test the `vault
-login` command, create a new token first.
-
-### Best Practice
-
-In practice, operators should not use the `token create` command to generate
-Vault tokens for users or machines. Instead, those users or machines should
-authenticate to Vault using any of Vault's configured auth methods such as
-GitHub, LDAP, AppRole, etc. For legacy applications which cannot generate their
-own token, operators may need to create a token in advance. Auth methods are
-discussed in more detail in the next section.
-
-## Auth Methods
-
-Vault supports many auth methods, but they must be enabled before use. Auth
-methods give you flexibility. Enabling and configuration are typically performed
-by a Vault operator or security team. As an example of a human-focused auth
-method, let's authenticate via GitHub.
-
-First, enable the GitHub auth method:
-
-```text
-$ vault auth enable -path=github github
-Success! Enabled github auth method at: github/
-```
-
-Just like secrets engines, auth methods default to their TYPE as the PATH, so
-the following commands are equivalent:
-
-```text
-$ vault auth enable -path=github github
-$ vault auth enable github
-```
-
-Unlike secrets engines which are enabled at the root router, auth methods are
-always prefixed with `auth/` in their path. So the GitHub auth method we just
-enabled is accessible at `auth/github`. As another example:
-
-```text
-$ vault auth enable -path=my-github github
-Success! Enabled github auth method at: my-github/
-```
-
-This would make the GitHub auth method accessible at `auth/my-github`. You can
-use `vault path-help` to learn more about the paths.
-
-Next, configure the GitHub auth method. Each auth method has different
-configuration options, so please see the documentation for the full details. In
-this case, the minimal set of configuration is to map teams to policies.
-
-```text
-$ vault write auth/github/config organization=hashicorp
-```
-
-With the GitHub auth method enabled, we first have to configure it. For GitHub,
-we tell it what organization users must be a part of, and map a team to a
-policy:
-
-```text
-$ vault write auth/github/config organization=hashicorp
-Success! Data written to: auth/github/config
-
-$ vault write auth/github/map/teams/my-team value=default,my-policy
-Success! Data written to: auth/github/map/teams/my-team
-```
-
-The first command configures Vault to pull authentication data from the
-"hashicorp" organization on GitHub. The next command tells Vault to map any
-users who are members of the team "my-team" (in the hashicorp organization) to
-map to the policies "default" and "my-policy". These policies do not have to
-exist in the system yet - Vault will just produce a warning when we login.
-
----
-
-As a user, you may want to find which auth methods are enabled and available:
-
-```text
-$ vault auth list
-Path       Type      Description
-----       ----      -----------
-github/    github    n/a
-token/     token     token based credentials
-```
-
-The `vault auth list` command will list all enabled auth methods. To learn more
-about how to authenticate to a particular auth method via the CLI, use the
-`vault auth help` command with the PATH or TYPE of an auth method:
-
-```text
-$ vault auth help github
-Usage: vault login -method=github [CONFIG K=V...]
-
-  The GitHub auth method allows users to authenticate using a GitHub
-  personal access token. Users can generate a personal access token from the
-  settings page on their GitHub account.
-
-  Authenticate using a GitHub token:
-
-      $ vault login -method=github token=abcd1234
-
-Configuration:
-
-  mount=<string>
-      Path where the GitHub credential method is mounted. This is usually
-      provided via the -path flag in the "vault login" command, but it can be
-      specified here as well. If specified here, it takes precedence over the
-      value for -path. The default value is "github".
-
-  token=<string>
-      GitHub personal access token to use for authentication.
-```
-
-Similarly, you can ask for help information about any CLI auth method, _even if
-it is not enabled_:
-
-```text
-$ vault auth help aws
-$ vault auth help userpass
-$ vault auth help token
-```
-
-As per the help output, authenticate to GitHub using the `vault login` command.
-Enter your [GitHub personal access token][gh-pat] and Vault will authenticate
-you.
-
-```text
-$ vault login -method=github
-GitHub Personal Access Token (will be hidden):
-Success! You are now authenticated. The token information displayed below
-is already stored in the token helper. You do NOT need to run "vault login"
-again. Future Vault requests will automatically use this token.
-
-Key                    Value
----                    -----
-token                  7efb3969-8743-880f-e234-afca6e12d790
-token_accessor         f7bfb6a3-c41e-eb87-5317-88a0aad200ae
-token_duration         768h
-token_renewable        true
-token_policies         [default my-policy]
-token_meta_org         hashicorp
-token_meta_username    my-user
-```
-
-Success! As the output indicates, Vault has already saved the resulting token in
-its token helper, so you do not need to run `vault login` again. However, this
-new user we just created does not have many permissions in Vault. To continue,
-re-authenticate as the root token:
-
-```text
-$ vault login <initial-root-token>
-```
-
-You can revoke any logins from an auth method using `vault token revoke` with
-the `-mode` argument. For example:
-
-```text
-$ vault token revoke -mode path auth/github
-```
-
-Alternatively, if you want to completely disable the GitHub auth method:
-
-```text
-$ vault auth disable github
-Success! Disabled the auth method (if it existed) at: github/
-```
-
-This will also revoke any logins for that auth method.
-
-## Next
-
-In this page you learned about how Vault authenticates users. You learned about
-the built-in token system as well as enabling other auth methods. At this point
-you know how Vault assigns an _identity_ to a user.
-
-The multiple auth methods Vault provides let you choose the most appropriate
-authentication mechanism for your organization.
-
-In this next section, we'll learn about
-[authorization and policies](/intro/getting-started/policies.html).
-
-[gh-pat]: https://help.github.com/articles/creating-an-access-token-for-command-line-use/
diff --git a/website/source/intro/getting-started/deploy.html.md b/website/source/intro/getting-started/deploy.html.md
deleted file mode 100644
index 733de327b603..000000000000
--- a/website/source/intro/getting-started/deploy.html.md
+++ /dev/null
@@ -1,270 +0,0 @@
----
-layout: "intro"
-page_title: "Deploy Vault - Getting Started"
-sidebar_title: "Deploy Vault"
-sidebar_current: "gettingstarted-deploy"
-description: |-
-  Learn how to deploy Vault into production, how to initialize it, configure it, etc.
----
-
-# Deploy Vault
-
-Up to this point, we have been working with the "dev" server, which
-automatically authenticated us, setup in-memory storage, etc. Now that you know
-the basics of Vault, it is important to learn how to deploy Vault into a real
-environment.
-
-On this page, we'll cover how to configure Vault, start Vault, the seal/unseal
-process, and scaling Vault.
-
-## Configuring Vault
-
-Vault is configured using [HCL][hcl] files. The configuration file for Vault is
-relatively simple:
-
-```hcl
-storage "consul" {
-  address = "127.0.0.1:8500"
-  path    = "vault/"
-}
-
-listener "tcp" {
- address     = "127.0.0.1:8200"
- tls_disable = 1
-}
-```
-
-Within the configuration file, there are two primary configurations:
-
-- `storage` - This is the physical backend that Vault uses for storage. Up to
-  this point the dev server has used "inmem" (in memory), but the example above
-  uses [Consul](https://www.consul.io), a much more production-ready backend.
-
-- `listener` - One or more listeners determine how Vault listens for API
-  requests. The example above listens on localhost port 8200 without TLS. In
-  your environment set `VAULT_ADDR=http://127.0.0.1:8200` so the Vault client
-  will connect without TLS.
-
-For now, copy and paste the configuration above to a file called `config.hcl`.
-It will configure Vault to expect an instance of Consul running locally.
-
-Starting a local Consul instance takes only a few minutes. Just follow the
-[Consul Getting Started Guide](https://www.consul.io/intro/getting-started/install.html)
-up to the point where you have installed Consul and started it with this command:
-
-```text
-$ consul agent -dev
-```
-
-## Starting the Server
-
-With the configuration in place, starting the server is simple, as shown below.
-Modify the `-config` flag to point to the proper path where you saved the
-configuration above.
-
-```text
-$ vault server -config=config.hcl
-==> Vault server configuration:
-
-         Log Level: info
-           Storage: consul
-        Listener 1: tcp (addr: "127.0.0.1:8200", tls: "disabled")
-
-==> Vault server started! Log data will stream in below:
-```
-
--> If you get a warning message about mlock not being supported, that is okay.
- However, you should run Vault on a system that supports mlock for maximum
- security.
-
-Vault outputs some information about its configuration, and then blocks.
-This process should be run using a resource manager such as systemd or
-upstart.
-
-You'll notice that you can't execute any commands. We don't have any
-auth information! When you first setup a Vault server, you have to start
-by _initializing_ it.
-
-On Linux, Vault may fail to start with the following error:
-
-```text
-$ vault server -config=example.hcl
-Error initializing core: Failed to lock memory: cannot allocate memory
-
-This usually means that the mlock syscall is not available.
-Vault uses mlock to prevent memory from being swapped to
-disk. This requires root privileges as well as a machine
-that supports mlock. Please enable mlock on your system or
-disable Vault from using it. To disable Vault from using it,
-set the `disable_mlock` configuration option in your configuration
-file.
-```
-
-For guidance on dealing with this issue, see the discussion of
-`disable_mlock` in [Server Configuration](/docs/configuration/index.html).
-
-## Initializing the Vault
-
-Initialization is the process configuring the Vault. This only happens once when
-the server is started against a new backend that has never been used with Vault
-before. When running in HA mode, this happens once _per cluster_, not _per
-server_.
-
-During initialization, the encryption keys are generated, unseal keys are
-created, and the initial root token is setup. To initialize Vault use `vault
-operator init`. This is an _unauthenticated_ request, but it only works on brand new
-Vaults with no data:
-
-```text
-$ vault operator init
-Unseal Key 1: E4GnjX+VP9G50uWQNcwpCflzGAMKGR38BbQywgq4I6L8
-Unseal Key 2: PYMxcCOswEYMNz7N6UW53Up6nu6y+SjAPwTJOTtkju3d
-Unseal Key 3: yuJ5cSxC7tSBR5mMVJ/WJ9bfhhfGb+uwWw9FQR0JKILh
-Unseal Key 4: 0vdvEFHM9PHEGMctJrl2ylHqoKQK8DLkfMU6ntmDz6jv
-Unseal Key 5: cI8yglWJX+jPf/yQG7Sg6SPWzy0WyrBPvaFTOAYkPJTx
-
-Initial Root Token: 62421926-81b9-b202-86f8-8850176c0cf3
-
-Vault initialized with 5 key shares and a key threshold of 3. Please securely
-distribute the key shares printed above. When the Vault is re-sealed,
-restarted, or stopped, you must supply at least 3 of these keys to unseal it
-before it can start servicing requests.
-
-Vault does not store the generated master key. Without at least 3 key to
-reconstruct the master key, Vault will remain permanently sealed!
-
-It is possible to generate new unseal keys, provided you have a quorum of
-existing unseal keys shares. See "vault operator rekey" for more information.
-```
-
-Initialization outputs two incredibly important pieces of information:
-the _unseal keys_ and the _initial root token_. This is the
-**only time ever** that all of this data is known by Vault, and also the
-only time that the unseal keys should ever be so close together.
-
-For the purpose of this getting started guide, save all of these keys
-somewhere, and continue. In a real deployment scenario, you would never
-save these keys together. Instead, you would likely use Vault's PGP and
-Keybase.io support to encrypt each of these keys with the users' PGP keys.
-This prevents one single person from having all the unseal keys. Please
-see the documentation on [using PGP, GPG, and Keybase](/docs/concepts/pgp-gpg-keybase.html)
-for more information.
-
-## Seal/Unseal
-
-Every initialized Vault server starts in the _sealed_ state. From
-the configuration, Vault can access the physical storage, but it can't
-read any of it because it doesn't know how to decrypt it. The process
-of teaching Vault how to decrypt the data is known as _unsealing_ the
-Vault.
-
-Unsealing has to happen every time Vault starts. It can be done via
-the API and via the command line. To unseal the Vault, you
-must have the _threshold_ number of unseal keys. In the output above,
-notice that the "key threshold" is 3. This means that to unseal
-the Vault, you need 3 of the 5 keys that were generated.
-
--> **Note:** Vault does not store any of the unseal key shards. Vault
-uses an algorithm known as
-[Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing)
-to split the master key into shards. Only with the threshold number of keys
-can it be reconstructed and your data finally accessed.
-
-Begin unsealing the Vault:
-
-```text
-$ vault operator unseal
-Unseal Key (will be hidden):
-Key                Value
----                -----
-Sealed             true
-Total Shares       5
-Unseal Progress    1/3
-Unseal Nonce       786e7190-d1e2-84d2-520c-022efee5b71e
-Version            (version unknown)
-HA Enabled         true
-HA Mode            sealed
-```
-
-After pasting in a valid key and confirming, you'll see that the Vault is still
-sealed, but progress is made. Vault knows it has 1 key out of 3. Due to the
-nature of the algorithm, Vault doesn't know if it has the _correct_ key until
-the threshold is reached.
-
-Also notice that the unseal process is stateful. You can go to another computer,
-use `vault operator unseal`, and as long as it's pointing to the same server,
-that other computer can continue the unseal process. This is incredibly
-important to the design of the unseal process: multiple people with multiple
-keys are required to unseal the Vault. The Vault can be unsealed from multiple
-computers and the keys should never be together. A single malicious operator
-does not have enough keys to be malicious.
-
-Continue with `vault operator unseal` to complete unsealing the Vault. To unseal
-the vault you must use three _different_ keys, the same key repeated will not
-work. As you use keys, as long as they are correct, you should soon see output
-like this:
-
-```text
-$ vault operator unseal
-Unseal Key (will be hidden):
-# ...
-
-$ vault operator unseal
-Unseal Key (will be hidden):
-# ...
-```
-
-When the value for `Sealed` changes to `false`, the Vault is unsealed:
-
-```text
-Key             Value
----             -----
-Sealed          false <--
-Total Shares    5
-Version         (version unknown)
-Cluster Name    vault-cluster-8a8b2c36
-Cluster ID      34e94a2e-2d8f-c7cc-271d-96fd438ccc6d
-HA Enabled      true
-HA Mode         standby
-HA Cluster      n/a
-```
-
-Feel free to play around with entering invalid keys, keys in different
-orders, etc. in order to understand the unseal process.
-
-Finally, authenticate as the initial root token (it was included in the output
-with the unseal keys):
-
-```text
-$ vault login 14d1316e-78f6-910b-a4cc-9ba6697ec814
-Success! You are now authenticated. The token information displayed below
-is already stored in the token helper. You do NOT need to run "vault login"
-again. Future Vault requests will automatically use this token.
-
-Key                Value
----                -----
-token              14d1316e-78f6-910b-a4cc-9ba6697ec814
-token_accessor     a8bbcc57-9be6-6584-a7a6-46290962fd33
-token_duration     ∞
-token_renewable    false
-token_policies     [root]
-```
-
-As a root user, you can reseal the Vault with `vault operator seal`. A single
-operator is allowed to do this. This lets a single operator lock down the
-Vault in an emergency without consulting other operators.
-
-When the Vault is sealed again, it clears all of its state (including the
-encryption key) from memory. The Vault is secure and locked down from access.
-
-## Next
-
-You now know how to configure, initialize, and unseal/seal Vault. This is the
-basic knowledge necessary to deploy Vault into a real environment. Once the
-Vault is unsealed, you access it as you have throughout this getting started
-guide (which worked with an unsealed Vault).
-
-Next, we have a [short tutorial](/intro/getting-started/apis.html) on using the
-HTTP APIs to authenticate and access secrets.
-
-[hcl]: https://github.com/hashicorp/hcl
diff --git a/website/source/intro/getting-started/dev-server.html.md b/website/source/intro/getting-started/dev-server.html.md
deleted file mode 100644
index fcaed0f4dfe0..000000000000
--- a/website/source/intro/getting-started/dev-server.html.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-layout: "intro"
-page_title: "Starting the Server - Getting Started"
-sidebar_title: "Starting the Server"
-sidebar_current: "gettingstarted-dev-server"
-description: |-
-  After installing Vault, the next step is to start the server.
----
-
-# Starting the Vault Server
-
-With Vault installed, the next step is to start a Vault server.
-
-Vault operates as a client/server application. The Vault server is the only
-piece of the Vault architecture that interacts with the data storage and
-backends. All operations done via the Vault CLI interact with the server over a
-TLS connection.
-
-In this page, we'll start and interact with the Vault server to understand how
-the server is started.
-
-## Starting the Dev Server
-
-First, we're going to start a Vault _dev server_. The dev server is a built-in,
-pre-configured server that is not very secure but useful for playing with Vault
-locally. Later in this guide we'll configure and start a real server.
-
-To start the Vault dev server, run:
-
-```text
-$ vault server -dev
-==> Vault server configuration:
-
-                     Cgo: disabled
-         Cluster Address: https://127.0.0.1:8201
-              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
-               Log Level: info
-                   Mlock: supported: false, enabled: false
-        Redirect Address: http://127.0.0.1:8200
-                 Storage: inmem
-                 Version: Vault v1.2.3
-             Version Sha: ...
-
-WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
-and starts unsealed with a single unseal key. The root token is already
-authenticated to the CLI, so you can immediately begin using Vault.
-
-You may need to set the following environment variable:
-
-    $ export VAULT_ADDR='http://127.0.0.1:8200'
-
-The unseal key and initial root token are displayed below in case you want to
-seal/unseal the Vault or re-authenticate.
-
-Unseal Key: 1aKM7rNnyW+7Jx1XDAXFswgkRVe+78JB28k/bel90jY=
-Root Token: root
-
-Development mode should NOT be used in production installations!
-
-==> Vault server started! Log data will stream in below:
-
-# ...
-```
-
-You should see output similar to that above. Vault does not fork, so it will
-continue to run in the foreground. Open another shell or terminal tab to run the
-remaining commands.
-
-The dev server stores all its data in-memory (but still encrypted), listens on
-`localhost` without TLS, and automatically unseals and shows you the unseal key
-and root access key. **Do not run a dev server in production!**
-
-With the dev server running, do the following three things before anything else:
-
-1.  Launch a new terminal session.
-
-2.  Copy and run the `export VAULT_ADDR ...` command from the terminal
-    output. This will configure the Vault client to talk to our dev server.
-
-3.  Save the unseal key somewhere. Don't worry about _how_ to save this
-    securely. For now, just save it anywhere.
-
-4.  Do the same as step 3, but with the root token. We'll use this later.
-
-## Verify the Server is Running
-
-As instructed, copy and execute `export VAULT_ADDR='http://127.0.0.1:8200'`.
-
-Verify the server is running by running the `vault status` command. This should
-succeed and exit with exit code 0.
-
-If it ran successfully, the output should look like the below:
-
-```text
-$ vault status
-Key             Value
----             -----
-Sealed          false
-Total Shares    1
-Version         (version unknown)
-Cluster Name    vault-cluster-81109a1a
-Cluster ID      f6e0aa8a-700e-38b8-5dc5-4265c880b2a1
-HA Enabled      false
-```
-
-If the output looks different, especially if the numbers are different or the
-Vault is sealed, then restart the dev server and try again. The only reason
-these would ever be different is if you're running a dev server from going
-through this guide previously.
-
-We'll cover what this output means later in the guide.
-
-## Next
-
-Congratulations! You've started your first Vault server. We haven't stored
-any secrets yet, but we'll do that in the next section.
-
-Next, we're going to
-[read and write our first secrets](/intro/getting-started/first-secret.html).
diff --git a/website/source/intro/getting-started/dynamic-secrets.html.md b/website/source/intro/getting-started/dynamic-secrets.html.md
deleted file mode 100644
index 93f460a3f621..000000000000
--- a/website/source/intro/getting-started/dynamic-secrets.html.md
+++ /dev/null
@@ -1,174 +0,0 @@
----
-layout: "intro"
-page_title: "Dynamic Secrets - Getting Started"
-sidebar_title: "Dynamic Secrets"
-sidebar_current: "gettingstarted-dynamic-secrets"
-description: |-
-  On this page we introduce dynamic secrets by showing you how to create AWS access keys with Vault.
----
-
-# Dynamic Secrets
-
-Now that you've experimented with the `kv` secrets engine, it is time to explore
-another feature of Vault: _dynamic secrets_.
-
-Unlike the `kv` secrets where you had to put data into the store yourself,
-dynamic secrets are generated when they are accessed. Dynamic secrets do not
-exist until they are read, so there is no risk of someone stealing them or
-another client using the same secrets. Because Vault has built-in revocation
-mechanisms, dynamic secrets can be revoked immediately after use, minimizing the
-amount of time the secret existed.
-
--> **Note:** Before starting this page, please register for an
-[AWS account](https://aws.amazon.com). We won't be using any features that
-cost money, so you shouldn't be charged for anything. However, we are not
-responsible for any charges you may incur.
-
-## Enable the AWS Secrets Engine
-
-Unlike the `kv` secrets engine which is enabled by default, the AWS secrets
-engine must be enabled before use. This step is usually done via configuration
-management.
-
-```text
-$ vault secrets enable -path=aws aws
-Success! Enabled the aws secrets engine at: aws/
-```
-
-The AWS secrets engine is now enabled at `aws/`. As we covered in the previous
-sections, different secrets engines allow for different behavior. In this case,
-the AWS secrets engine generates dynamic, on-demand AWS access credentials.
-
-## Configuring the AWS Secrets Engine
-
-After enabling the AWS secrets engine, you must configure it to authenticate and
-communicate with AWS. This requires privileged account credentials. If you are
-unfamiliar with AWS, use your root account keys.
-
-~> Do not use your root account keys in production. This is a getting started
-guide and is not "best practices" for production installations.
-
-```text
-$ vault write aws/config/root \
-    access_key=AKIAI4SGLQPBX6CSENIQ \
-    secret_key=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
-Success! Data written to: aws/config/root
-```
-
-These credentials are now stored in this AWS secrets engine. The engine will use
-these credentials when communicating with AWS in future requests.
-
-## Creating a Role
-
-The next step is to configure a "role". A "role" in Vault is a human-friendly
-identifier to an action. Think of it as a symlink.
-
-Vault knows how to create an IAM user via the AWS API, but it does not know what
-permissions, groups, and policies you want to attach to that user. This is where
-roles come in - roles map your configuration options to those API calls.
-
-For example, here is an IAM policy that enables all actions on EC2. When Vault
-generates an access key, it will automatically attach this policy. The generated
-access key will have full access to EC2 (as dictated by this policy), but not
-IAM or other AWS services. If you are not familiar with AWS' IAM policies, that
-is okay - just use this one for now.
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "ec2:*",
-      "Resource": "*"
-    }
-  ]
-}
-```
-
-As mentioned above, we need to map this policy document to a named role. To do
-that, write to `aws/roles/:name`:
-
-```text
-$ vault write aws/roles/my-role \
-    credential_type=iam_user \
-    policy_document=-<<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "ec2:*",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-Success! Data written to: aws/roles/my-role
-```
-
-Again, we're using a special path here `aws/roles/:name` to write an IAM policy
-to Vault. We just told Vault:
-
-> When I ask for a credential for "my-role", create it and attach the IAM policy `{ "Version": "2012..." }`.
-
-## Generating the Secret
-
-Now that the AWS secrets engine is enabled and configured with a role, we can
-ask Vault to generate an access key pair for that role by reading from
-`aws/creds/:name` where `:name` corresponds to the name of an existing role:
-
-```text
-$ vault read aws/creds/my-role
-Key                Value
----                -----
-lease_id           aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106e
-lease_duration     768h
-lease_renewable    true
-access_key         AKIAJELUDIANQGRXCTZQ
-secret_key         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
-security_token     <nil>
-```
-
-Success! The access and secret key can now be used to perform any EC2 operations
-within AWS. Notice that these keys are new, they are not the keys you entered
-earlier. If you were to run the command a second time, you would get a new
-access key pair. Each time you read from `aws/creds/:name`, Vault will connect
-to AWS and generate a new IAM user and key pair.
-
-Take careful note of the `lease_id` field in the output. This value is used for
-renewal, revocation, and inspection. Copy this `lease_id` to your clipboard.
-Note that the `lease_id` is the **full path**, not just the UUID at the end.
-
-## Revoking the Secret
-
-Vault will automatically revoke this credential after 768 hours (see
-`lease_duration` in the output), but perhaps we want to revoke it early. Once
-the secret is revoked, the access keys are no longer valid.
-
-To revoke the secret, use `vault lease revoke` with the lease ID that was outputted
-from `vault read` when you ran it:
-
-```text
-$ vault lease revoke aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106
-Success! Revoked lease: aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106e
-```
-
-Done! If you login to your AWS account, you will see that no IAM users exist. If
-you try to use the access keys that were generated, you will find that they no
-longer work.
-
-With such easy dynamic creation and revocation, you can hopefully begin to see
-how easy it is to work with dynamic secrets and ensure they only exist for the
-duration that they are needed.
-
-## Next
-
-On this page we experienced our first dynamic secret, and we also saw the
-revocation system in action. Dynamic secrets are incredibly powerful. As time
-goes on, we expect that more systems will support some sort of API to create
-access credentials, and Vault will be ready to get the most value out of this
-practice.
-
-Before going further, we're going to take a quick detour to learn about the
-[built-in help system](/intro/getting-started/help.html).
diff --git a/website/source/intro/getting-started/first-secret.html.md b/website/source/intro/getting-started/first-secret.html.md
deleted file mode 100644
index 7a8095df9b55..000000000000
--- a/website/source/intro/getting-started/first-secret.html.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-layout: "intro"
-page_title: "Your First Secret - Getting Started"
-sidebar_title: "Your First Secret"
-sidebar_current: "gettingstarted-first-secret"
-description: |-
-  With the Vault server running, let's read and write our first secret.
----
-
-# Your First Secret
-
-Now that the dev server is up and running, let's get straight to it and
-read and write our first secret.
-
-One of the core features of Vault is the ability to read and write
-arbitrary secrets securely. On this page, we'll do this using the CLI,
-but there is also a complete
-[HTTP API](/api/index.html)
-that can be used to programmatically do anything with Vault.
-
-Secrets written to Vault are encrypted and then written to backend
-storage. For our dev server, backend storage is in-memory, but in production
-this would more likely be on disk or in [Consul](https://www.consul.io).
-Vault encrypts the value before it is ever handed to the storage driver.
-The backend storage mechanism _never_ sees the unencrypted value and doesn't
-have the means necessary to decrypt it without Vault.
-
-## Writing a Secret
-
-Let's start by writing a secret. This is done very simply with the
-`vault kv` command, as shown below:
-
-```text
-$ vault kv put secret/hello foo=world
-Success! Data written to: secret/hello
-```
-
-This writes the pair `foo=world` to the path `secret/hello`. We'll
-cover paths in more detail later, but for now it is important that the
-path is prefixed with `secret/`, otherwise this example won't work. The
-`secret/` prefix is where arbitrary secrets can be read and written.
-
-You can even write multiple pieces of data, if you want:
-
-```text
-$ vault kv put secret/hello foo=world excited=yes
-Success! Data written to: secret/hello
-```
-
-`vault kv put` is a very powerful command. In addition to writing data
-directly from the command-line, it can read values and key pairs from
-`STDIN` as well as files. For more information, see the
-[command documentation](/docs/commands/index.html).
-
-~> **Warning:** The documentation uses the `key=value` based entry
-throughout, but it is more secure to use files if possible. Sending
-data via the CLI is often logged in shell history. For real secrets,
-please use files. See the link above about reading in from `STDIN` for more information.
-
-## Getting a Secret
-
-As you might expect, secrets can be gotten with `vault get`:
-
-```text
-$ vault kv get secret/hello
-Key                 Value
----                 -----
-refresh_interval    768h
-excited             yes
-foo                world
-```
-
-As you can see, the values we wrote are given back to us. Vault gets
-the data from storage and decrypts it.
-
-The output format is purposefully whitespace separated to make it easy
-to pipe into a tool like `awk`.
-
-This contains some extra information. Many secrets engines create leases for
-secrets that allow time-limited access to other systems, and in those cases
-`lease_id` would contain a lease identifier and `lease_duration` would contain
-the length of time for which the lease is valid, in seconds.
-
-Optional JSON output is very useful for scripts. For example below we use the
-`jq` tool to extract the value of the `excited` secret:
-
-```text
-$ vault kv get -format=json secret/hello | jq -r .data.data.excited
-yes
-```
-
-When supported, you can also get a field directly:
-
-```text
-$ vault kv get -field=excited secret/hello
-yes
-```
-
-## Deleting a Secret
-
-Now that we've learned how to read and write a secret, let's go ahead
-and delete it. We can do this with `vault delete`:
-
-```text
-$ vault kv delete secret/hello
-Success! Data deleted (if it existed) at: secret/hello
-```
-
-## Next
-
-In this section we learned how to use the powerful CRUD features of
-Vault to store arbitrary secrets. On its own this is already a useful
-but basic feature.
-
-Next, we'll learn the basics about [secrets engines](/intro/getting-started/secrets-engines.html).
diff --git a/website/source/intro/getting-started/help.html.md b/website/source/intro/getting-started/help.html.md
deleted file mode 100644
index 41059682ed59..000000000000
--- a/website/source/intro/getting-started/help.html.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-layout: "intro"
-page_title: "Built-in Help - Getting Started"
-sidebar_title: "Built-in Help"
-sidebar_current: "gettingstarted-help"
-description: |-
-  Vault has a built-in help system to learn about the available paths in Vault and how to use them.
----
-
-# Built-in Help
-
-You've now worked with `vault write` and `vault read` for multiple paths: the
-`kv` secrets engine with `kv/` and dynamic AWS credentials with the AWS secrets
-engine provider at `aws/`. In both cases, the structure and usage of each
-secrets engines differed, for example the AWS backend has special paths like
-`aws/config`.
-
-Instead of having to memorize or reference documentation constantly to determine
-what paths to use, Vault has a built-in help system. This help system can be
-accessed via the API or the command-line and generates human-readable help for
-any path.
-
-## Secrets Engines Overview
-
-This section assumes you have the AWS secrets engine enabled at `aws/`. If you
-do not, enable it before continuing:
-
-```text
-$ vault secrets enable -path=aws aws
-```
-
-With the secrets engine enabled, learn about it with the `vault path-help`
-command:
-
-```text
-$ vault path-help aws
-## DESCRIPTION
-
-The AWS backend dynamically generates AWS access keys for a set of
-IAM policies. The AWS access keys have a configurable lease set and
-are automatically revoked at the end of the lease.
-
-After mounting this backend, credentials to generate IAM keys must
-be configured with the "root" path and policies must be written using
-the "roles/" endpoints before any access keys can be generated.
-
-## PATHS
-
-The following paths are supported by this backend. To view help for
-any of the paths below, use the help command with any route matching
-the path pattern. Note that depending on the policy of your auth token,
-you may or may not be able to access certain paths.
-
-    ^config/lease$
-        Configure the default lease information for generated credentials.
-
-    ^config/root$
-        Configure the root credentials that are used to manage IAM.
-
-    ^creds/(?P<name>\w+)$
-        Generate an access key pair for a specific role.
-
-    ^roles/(?P<name>\w+)$
-        Read and write IAM policies that access keys can be made for.
-```
-
-The `vault path-help` command takes a path. By specifying a root path, it will
-give us the overview of that secrets engine. Notice how the help not only
-contains a description, but also the exact regular expressions used to match
-routes for this backend along with a brief description of what the route is for.
-
-## Path Help
-
-After seeing the overview, we can continue to dive deeper by getting help for an
-individual path. For this, just use `vault path-help` with a path that would
-match the regular expression for that path. Note that the path doesn't need to
-actually _work_. For example, we'll get the help below for accessing
-`aws/creds/my-non-existent-role`, even though we never created the role:
-
-```text
-$ vault path-help aws/creds/my-non-existent-role
-Request:        creds/my-non-existent-role
-Matching Route: ^creds/(?P<name>\w(([\w-.]+)?\w)?)$
-
-Generate an access key pair for a specific role.
-
-## PARAMETERS
-
-    name (string)
-        Name of the role
-
-## DESCRIPTION
-
-This path will generate a new, never before used key pair for
-accessing AWS. The IAM policy used to back this key pair will be
-the "name" parameter. For example, if this backend is mounted at "aws",
-then "aws/creds/deploy" would generate access keys for the "deploy" role.
-
-The access keys will have a lease associated with them. The access keys
-can be revoked by using the lease ID.
-```
-
-Within a path, we are given the parameters that this path requires. Some
-parameters come from the route itself. In this case, the `name` parameter is a
-named capture from the route regular expression. There is also a description of
-what that path does.
-
-Go ahead and explore more paths! Enable other secrets engines, traverse their
-help systems, and learn about what they do.
-
-## Next
-
-The help system may not be the most exciting feature of Vault, but it is
-indispensable in day-to-day usage. The help system lets you learn about how to
-use any backend within Vault without leaving the command line.
-
-Next, we will learn about
-[authentication](/intro/getting-started/authentication.html).
diff --git a/website/source/intro/getting-started/index.html.md b/website/source/intro/getting-started/index.html.md
deleted file mode 100644
index 92f69bf287c7..000000000000
--- a/website/source/intro/getting-started/index.html.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-layout: "intro"
-page_title: "Install Vault - Getting Started"
-sidebar_title: "Getting Started"
-sidebar_current: "gettingstarted"
-description: |-
-  The first step to using Vault is to get it installed.
----
-
-# Install Vault
-
-Vault must first be installed on your machine. Vault is distributed as
-a [binary package](/downloads.html) for all supported platforms and
-architectures. This page will not cover how to compile Vault from source,
-but compiling from source is covered in the [documentation](/docs/install/index.html)
-for those who want to be sure they're compiling source they trust into
-the final binary.
-
-## Installing Vault
-
-To install Vault, find the [appropriate package](/downloads.html) for
-your system and download it. Vault is packaged as a zip archive.
-
-After downloading Vault, unzip the package. Vault runs as a single binary
-named `vault`. Any other files in the package can be safely removed and
-Vault will still function.
-
-The final step is to make sure that the `vault` binary is available on the `PATH`.
-See [this page](https://stackoverflow.com/questions/14637979/how-to-permanently-set-path-on-linux)
-for instructions on setting the PATH on Linux and Mac.
-[This page](https://stackoverflow.com/questions/1618280/where-can-i-set-path-to-make-exe-on-windows)
-contains instructions for setting the PATH on Windows.
-
-## Verifying the Installation
-
-After installing Vault, verify the installation worked by opening a new
-terminal session and checking that the `vault` binary is available. By executing
-`vault`, you should see help output similar to the following:
-
-```text
-$ vault
-Usage: vault <command> [args]
-
-Common commands:
-    read        Read data and retrieves secrets
-    write       Write data, configuration, and secrets
-    delete      Delete secrets and configuration
-    list        List data or secrets
-    login       Authenticate locally
-    server      Start a Vault server
-    status      Print seal and HA status
-    unwrap      Unwrap a wrapped secret
-
-Other commands:
-    audit          Interact with audit devices
-    auth           Interact with auth methods
-    lease          Interact with leases
-    operator       Perform operator-specific tasks
-    path-help      Retrieve API help for paths
-    policy         Interact with policies
-    secrets        Interact with secrets engines
-    ssh            Initiate an SSH session
-    token          Interact with tokens
-```
-
-If you get an error that the binary could not be found, then your `PATH`
-environment variable was not setup properly. Please go back and ensure that your
-`PATH` variable contains the directory where Vault was installed.
-
-Otherwise, Vault is installed and ready to go!
-
-## Command Completion
-
-Vault also includes command-line completion for subcommands, flags, and path
-arguments where supported. To install command-line completion, you must be using
-Bash, ZSH or Fish. Unfortunately other shells are not supported at this time.
-
-To install completions, run:
-
-```sh
-$ vault -autocomplete-install
-```
-
-This will automatically install the helpers in your `~/.bashrc` or `~/.zshrc`, or to
-`~/.config/fish/completions/vault.fish` for Fish users. Then restart your terminal
-or reload your shell:
-
-```sh
-$ exec $SHELL
-```
-
-Now when you type `vault <tab>`, Vault will suggest options. This is very
-helpful for beginners and advanced Vault users.
-
-## Next
-
-Now Vault is installed we can start our first Vault server! [Let's do
-that now](/intro/getting-started/dev-server.html).
diff --git a/website/source/intro/getting-started/next-steps.html.md b/website/source/intro/getting-started/next-steps.html.md
deleted file mode 100644
index dc6006813a3b..000000000000
--- a/website/source/intro/getting-started/next-steps.html.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-layout: "intro"
-page_title: "Next Steps - Getting Started"
-sidebar_title: "Next Steps"
-sidebar_current: "gettingstarted-next-steps"
-description: |-
-  After completing the getting started guide, learn about what to do next with Vault.
----
-
-# Next Steps
-
-That concludes the getting started guide for Vault. Hopefully you're
-excited about the possibilities of Vault and ready to put this knowledge
-to use to improve your environment.
-
-We've covered the basics of all the core features of Vault in this guide.
-Due to the importance of securing secrets, we recommend reading the following
-as next steps.
-
-  * [Documentation](/docs/index.html) - The documentation is an in-depth
-    reference guide to all the features of Vault.
diff --git a/website/source/intro/getting-started/policies.html.md b/website/source/intro/getting-started/policies.html.md
deleted file mode 100644
index 0586b10d5eb0..000000000000
--- a/website/source/intro/getting-started/policies.html.md
+++ /dev/null
@@ -1,231 +0,0 @@
----
-layout: "intro"
-page_title: "Policies - Getting Started"
-sidebar_title: "Policies"
-sidebar_current: "gettingstarted-policies"
-description: |-
-  Policies in Vault control what a user can access.
----
-
-# Policies
-
-Policies in Vault control what a user can access. In the last section, we
-learned about _authentication_. This section is about _authorization_.
-
-For authentication Vault has multiple options or methods that can be enabled and
-used. For authorization and policies Vault always uses the same format. All auth
-methods map identities back to the core policies that are configured with Vault.
-
-There are some built-in policies that cannot be removed. For example, the `root`
-and `default` policies are required policies and cannot be deleted. The
-`default` policy provides a common set of permissions and is included on all
-tokens by default. The `root` policy gives a token super admin permissions,
-similar to a root user on a linux machine.
-
-## Policy Format
-
-Policies are authored in [HCL][hcl], but it is JSON compatible. Here is an
-example policy:
-
-```hcl
-# Normal servers have version 1 of KV mounted by default, so will need these
-# paths:
-path "secret/*" {
-  capabilities = ["create"]
-}
-path "secret/foo" {
-  capabilities = ["read"]
-}
-
-# Dev servers have version 2 of KV mounted by default, so will need these
-# paths:
-path "secret/data/*" {
-  capabilities = ["create"]
-}
-path "secret/data/foo" {
-  capabilities = ["read"]
-}
-```
-
-With this policy, a user could write any secret to `secret/`, except to
-`secret/foo`, where only read access is allowed. Policies default to deny, so
-any access to an unspecified path is not allowed.
-
-Do not worry about getting the exact policy format correct. Vault includes a
-command that will format the policy automatically according to specification. It
-also reports on any syntax errors.
-
-```text
-$ vault policy fmt my-policy.hcl
-```
-
-The policy format uses a prefix matching system on the API path to determine
-access control. The most specific defined policy is used, either an exact match
-or the longest-prefix glob match. Since everything in Vault must be accessed via
-the API, this gives strict control over every aspect of Vault, including
-enabling secrets engines, enabling auth methods, authenticating, as well as
-secret access.
-
-## Writing the Policy
-
-To write a policy using the command line, specify the path to a policy file to
-upload.
-
-```text
-$ vault policy write my-policy my-policy.hcl
-Success! Uploaded policy: my-policy
-```
-
-Here is an example you can copy-paste in the terminal:
-
-```text
-$ vault policy write my-policy -<<EOF
-# Normal servers have version 1 of KV mounted by default, so will need these
-# paths:
-path "secret/*" {
-  capabilities = ["create"]
-}
-path "secret/foo" {
-  capabilities = ["read"]
-}
-
-# Dev servers have version 2 of KV mounted by default, so will need these
-# paths:
-path "secret/data/*" {
-  capabilities = ["create"]
-}
-path "secret/data/foo" {
-  capabilities = ["read"]
-}
-EOF
-```
-
-To see the list of policies, run:
-
-```text
-$ vault policy list
-default
-my-policy
-root
-```
-
-To view the contents of a policy, run:
-
-```text
-$ vault policy read my-policy
-# Normal servers have version 1 of KV mounted by default, so will need these
-# paths:
-path "secret/*" {
-  capabilities = ["create"]
-}
-...
-```
-
-## Testing the Policy
-
-To use the policy, create a token and assign it to that policy:
-
-```text
-$ vault token create -policy=my-policy
-Key                Value
----                -----
-token              a4ebda12-23bf-5cf4-f80e-803ee2f37aab
-token_accessor     aba6256e-401e-9591-31b2-a27048cb15ed
-token_duration     768h
-token_renewable    true
-token_policies     [default my-policy]
-
-$ vault login a4ebda12-23bf-5cf4-f80e-803ee2f37aab
-Success! You are now authenticated. The token information displayed below
-is already stored in the token helper. You do NOT need to run "vault login"
-again. Future Vault requests will automatically use this token.
-
-Key                Value
----                -----
-token              a4ebda12-23bf-5cf4-f80e-803ee2f37aab
-token_accessor     aba6256e-401e-9591-31b2-a27048cb15ed
-token_duration     767h59m18s
-token_renewable    true
-token_policies     [default my-policy]
-```
-
-Verify that you can write any data to `secret/`, but only read from
-`secret/foo`:
-
-### Dev servers
-
-```text
-$ vault kv put secret/bar robot=beepboop
-Key              Value
----              -----
-created_time     2018-05-22T18:05:42.537496856Z
-deletion_time    n/a
-destroyed        false
-version          1
-
-$ vault kv put secret/foo robot=beepboop
-Error writing data to secret/data/foo: Error making API request.
-
-URL: PUT http://127.0.0.1:8200/v1/secret/data/foo
-Code: 403. Errors:
-
-* permission denied
-```
-
-### Non-dev servers
-
-```text
-$ vault kv put secret/bar robot=beepboop
-Success! Data written to: secret/bar
-
-$ vault kv put secret/foo robot=beepboop
-Error writing data to secret/foo: Error making API request.
-
-URL: PUT http://127.0.0.1:8200/v1/secret/foo
-Code: 403. Errors:
-
-* permission denied
-```
-
-You also do not have access to `sys` according to the policy, so commands like
-`vault policy list` or `vault secrets list` will not work. Re-authenticate as
-the initial root token to continue:
-
-```text
-$ vault login <initial-root-token>
-```
-
-## Mapping Policies to Auth Methods
-
-Vault is the single policy authority, unlike auth where you can enable multiple
-auth methods. Any enabled auth method must map identities to these core
-policies.
-
-We use the `vault path-help` system with your auth method to determine how the
-mapping is done, since it is specific to each auth method. For example, with
-GitHub, it is done by team using the `map/teams/<team>` path:
-
-```text
-$ vault write auth/github/map/teams/default value=my-policy
-Success! Data written to: auth/github/map/teams/default
-```
-
-For GitHub, the `default` team is the default policy set that everyone is
-assigned to no matter what team they're on.
-
-Other auth methods use alternate, but likely similar mechanisms for mapping
-policies to identity.
-
-## Next
-
-Policies are an important part of Vault. While using the root token is easiest
-to get up and running, you will want to restrict access to Vault very quickly,
-and the policy system is the way to do this.
-
-The syntax and function of policies is easy to understand and work with, and
-because auth methods all must map to the central policy system, you only have to
-learn this policy system.
-
-Next, we will cover how to [deploy Vault](/intro/getting-started/deploy.html).
-
-[HCL]: https://github.com/hashicorp/hcl
diff --git a/website/source/intro/getting-started/secrets-engines.html.md b/website/source/intro/getting-started/secrets-engines.html.md
deleted file mode 100644
index e693d4597279..000000000000
--- a/website/source/intro/getting-started/secrets-engines.html.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-layout: "intro"
-page_title: "Secrets Engines - Getting Started"
-sidebar_title: "Secrets Engines"
-sidebar_current: "gettingstarted-secret-backends"
-description: |-
-  secrets engines are what create, read, update, and delete secrets.
----
-
-# Secrets Engines
-
-Previously, we saw how to read and write arbitrary secrets to Vault. You may
-have noticed all requests started with `secret/`. Try using a different prefix -
-Vault will return an error:
-
-```text
-$ vault write foo/bar a=b
-# ...
-* no handler for route 'foo/bar'
-```
-
-The path prefix tells Vault which secrets engine it should route
-traffic to. When a request comes to Vault, it matches the initial path part using a
-longest prefix match and then passes the request to the corresponding secrets
-engine enabled at that path.
-
-By default, Vault enables a secrets engine called `kv` at the path `secret/`.
-The kv secrets engine reads and writes raw data to the backend storage.
-
-Vault supports many other secrets engines besides `kv`, and this feature makes
-Vault flexible and unique. For example, the `aws` secrets engine generates AWS
-IAM access keys on demand. The `database` secrets engine generates on-demand,
-time-limited database credentials. These are just a few examples of the many
-available secrets engines.
-
-For simplicity and familiarity, Vault presents these secrets engines similar to
-a filesystem. A secrets engine is enabled at a path. Vault itself performs
-prefix routing on incoming requests and routes the request to the correct
-secrets engine based on the path at which they were enabled.
-
-This page discusses secrets engines and the operations they support. This
-information is important to both operators who will configure Vault and users
-who will interact with Vault.
-
-## Enable a Secrets Engine
-
-To get started, enable another instance of the `kv` secrets engine at a
-different path. Just like a filesystem, Vault can enable a secrets engine at
-many different paths. Each path is completely isolated and cannot talk to other
-paths. For example, a `kv` secrets engine enabled at `foo` has no ability to
-communicate with a `kv` secrets engine enabled at `bar`.
-
-```text
-$ vault secrets enable -path=kv kv
-Success! Enabled the kv secrets engine at: kv/
-```
-
-The path where the secrets engine is enabled defaults to the name of the secrets engine. Thus, the following commands are actually equivalent:
-
-```text
-$ vault secrets enable -path=kv kv
-$ vault secrets enable kv
-```
-
-To verify our success and get more information about the secrets engine, use the
-`vault secrets list` command:
-
-```text
-$ vault secrets list
-Path          Type         Description
-----          ----         -----------
-cubbyhole/    cubbyhole    per-token private secret storage
-kv/           kv           n/a
-secret/       kv           key/value secret storage
-sys/          system       system endpoints used for control, policy and debugging
-```
-
-This shows there are 4 enabled secrets engines on this Vault server. You can see
-the type of the secrets engine, the corresponding path, and an optional
-description (or "n/a" if none was given).
-
-~> The `sys/` path corresponds to the system backend. While the system backend
-is not specifically discussed in this guide, there is plentiful documentation on
-the system backend. Many of these operations interact with Vault's core system
-and is not required for beginners.
-
-Take a few moments to read and write some data to the new `kv` secrets engine
-enabled at `kv/`. Here are a few ideas to get started:
-
-```text
-$ vault write kv/my-secret value="s3c(eT"
-
-$ vault write kv/hello target=world
-
-$ vault write kv/airplane type=boeing class=787
-
-$ vault list kv
-```
-
-## Disable a Secrets Engine
-
-When a secrets engine is no longer needed, it can be disabled. When a secrets
-engine is disabled, all secrets are revoked and the corresponding Vault data and
-configuration is removed. Any requests to route data to the original path would
-result in an error, but another secrets engine could now be enabled at that
-path.
-
-If, for some reason, Vault is unable to delete the data or revoke the leases,
-the disabling operation will fail. If this happens, the secrets engine will
-remain enabled and available, but the request will return an error.
-
-```text
-$ vault secrets disable kv/
-Success! Disabled the secrets engine (if it existed) at: kv/
-```
-
-Note that this command takes a PATH to the secrets engine as an argument, not
-the TYPE of the secrets engine.
-
-In addition to disabling a secrets engine, it is also possible to "move" a
-secrets engine to a new path. This is still a disruptive command. All
-configuration data is retained, but any secrets are revoked, since secrets are
-closely tied to their engine's paths.
-
-## What is a Secrets Engine?
-
-Now that you've successfully enabled and disabled a secrets engine... what is
-it? What is the point of a secrets engine?
-
-As mentioned above, Vault behaves similarly to a [virtual filesystem][vfs]. The
-read/write/delete/list operations are forwarded to the corresponding secrets
-engine, and the secrets engine decides how to react to those operations.
-
-This abstraction is incredibly powerful. It enables Vault to interface directly
-with physical systems, databases, HSMs, etc. But in addition to these physical
-systems, Vault can interact with more unique environments like AWS IAM, dynamic
-SQL user creation, etc. all while using the same read/write interface.
-
-## Next
-
-You now know about secrets engines and how to operate on them. This is important
-knowledge to move forward and learn about other secrets engines.
-
-Next, we'll use the AWS backend to
-[generate dynamic secrets](/intro/getting-started/dynamic-secrets.html).
-
-[vfs]: https://en.wikipedia.org/wiki/Virtual_file_system
diff --git a/website/source/intro/index.html.erb.md b/website/source/intro/index.html.erb.md
deleted file mode 100644
index c642ed3fccc7..000000000000
--- a/website/source/intro/index.html.erb.md
+++ /dev/null
@@ -1,3 +0,0 @@
----
-layout: 'intro'
----
diff --git a/website/source/layouts/api.erb b/website/source/layouts/api.erb
deleted file mode 100644
index 429799712978..000000000000
--- a/website/source/layouts/api.erb
+++ /dev/null
@@ -1,170 +0,0 @@
-<% @meganav_title = 'API Docs' %>
-
-<% wrap_layout :inner do %>
-  <% content_for :sidebar do %>
-    <div class="nav docs-nav">
-      <hashi-docs-sidenav
-        category='api'
-        current_page='<%= current_page.path %>'
-        data="<%= encode(get_sidebar_data('api')) %>"
-        order="<%= encode([
-          'overview',
-          'libraries',
-          'relatedtools',
-          '------------',
-          {
-            category: 'secret',
-            content: [
-              { category: 'ad' },
-              { category: 'alicloud' },
-              { category: 'aws' },
-              { category: 'azure' },
-              { category: 'consul' },
-              { category: 'cubbyhole' },
-              {
-                category: 'databases',
-                content: [
-                  'cassandra',
-                  'elasticdb',
-                  'influxdb',
-                  'hanadb',
-                  'mongodb',
-                  'mssql',
-                  'mysql-maria',
-                  'postgresql',
-                  'oracle'
-                ]
-              },
-              { category: 'gcp' },
-              { category: 'gcpkms' },
-              { category: 'kmip' },
-              {
-                category: 'kv',
-                content: ['kv-v1', 'kv-v2']
-              }, {
-                category: 'identity',
-                content: [
-                  'entity',
-                  'entity-alias',
-                  'group',
-                  'group-alias',
-                  'tokens',
-                  'lookup'
-                ]
-              },
-              { category: 'nomad' },
-              { category: 'pki' },
-              { category: 'rabbitmq' },
-              { category: 'ssh' },
-              { category: 'totp' },
-              { category: 'transit' },
-              '-----------------------',
-              { category: 'cassandra' },
-              { category: 'mongodb' },
-              { category: 'mssql' },
-              { category: 'mysql' },
-              { category: 'postgresql' }
-            ]
-          }, {
-            category: 'auth',
-            content: [
-            { category: 'alicloud' },
-            { category: 'approle' },
-            { category: 'aws' },
-            { category: 'azure' },
-            { category: 'cf' },
-            { category: 'github' },
-            { category: 'gcp' },
-            { category: 'jwt' },
-            { category: 'kerberos' },
-            { category: 'kubernetes' },
-            { category: 'ldap' },
-            { category: 'oci' },
-            { category: 'okta' },
-            { category: 'radius' },
-            { category: 'cert' },
-            { category: 'token' },
-            { category: 'userpass' },
-            { category: 'app-id' }
-            ]
-          }, {
-            category: 'system',
-            content: [
-              'audit',
-              'audit-hash',
-              'auth',
-              'capabilities',
-              'capabilities-accessor',
-              'capabilities-self',
-              'config-auditing',
-              'config-control-group',
-              'config-cors',
-              'config-state',
-              'config-ui',
-              'control-group',
-              'generate-root',
-              'health',
-              'host-info',
-              'init',
-              'internal-specs-openapi',
-              'internal-ui-mounts',
-              'key-status',
-              'leader',
-              'leases',
-              'license',
-              'metrics',
-              {
-                category: 'mfa',
-                content: [
-                  'duo',
-                  'okta',
-                  'pingid',
-                  'totp'
-                ]
-              },
-              'mounts',
-              'namespaces',
-              'plugins-reload-backend',
-              'plugins-catalog',
-              'policy',
-              'policies',
-              'pprof',
-              'raw',
-              'rekey',
-              'rekey-recovery-key',
-              'remount',
-              {
-                category: 'replication',
-                content: [
-                  'replication-performance',
-                  'replication-dr'
-                ]
-              },
-              'rotate',
-              'seal',
-              'seal-status',
-              'sealwrap-rewrap',
-              'step-down',
-              {
-                category: 'storage',
-                content: [
-                  'raft'
-                ]
-              },
-              'tools',
-              'unseal',
-              'wrapping-lookup',
-              'wrapping-rewrap',
-              'wrapping-unwrap',
-              'wrapping-wrap'
-            ]
-          }
-        ]) %>")
-      ></hashi-docs-sidenav>
-    </div>
-  <% end %>
-
-  <article class='g-content g-type-long-body vault'>
-    <%= yield %>
-  </article>
-<% end %>
diff --git a/website/source/layouts/docs.erb b/website/source/layouts/docs.erb
deleted file mode 100644
index 239c61e70f22..000000000000
--- a/website/source/layouts/docs.erb
+++ /dev/null
@@ -1,441 +0,0 @@
-<% @meganav_title = 'Docs' %>
-
-<% wrap_layout :inner do %>
-  <% content_for :sidebar do %>
-    <div class="nav docs-nav">
-      <hashi-docs-sidenav
-        category='docs'
-        current_page='<%= current_page.path %>'
-        data="<%= encode(get_sidebar_data('docs')) %>"
-        order="<%= encode([
-          {
-            category: 'install',
-          }, {
-            category: 'internals',
-            content: [
-              'architecture',
-              'high-availability',
-              'security',
-              'telemetry',
-              'token',
-              'rotation',
-              'replication',
-              'plugins'
-            ]
-          }, {
-            category: 'concepts',
-            content: [
-              'dev-server',
-              'seal',
-              'lease',
-              'auth',
-              'tokens',
-              'response-wrapping',
-              'policies',
-              'ha',
-              'pgp-gpg-keybase',
-              'recovery-mode'
-            ]
-          }, {
-            category: 'configuration',
-            content: [
-              {
-                category: 'listener',
-                content: ['tcp']
-              }, {
-                category: 'seal',
-                content: [
-                  'alicloudkms',
-                  'awskms',
-                  'azurekeyvault',
-                  'gcpckms',
-                  'ocikms',
-                  'pkcs11',
-                  'transit'
-                ]
-              }, {
-                category: 'storage',
-                content: [
-                  'azure',
-                  'cassandra',
-                  'cockroachdb',
-                  'consul',
-                  'couchdb',
-                  'dynamodb',
-                  'etcd',
-                  'filesystem',
-                  'foundationdb',
-                  'google-cloud-spanner',
-                  'google-cloud-storage',
-                  'in-memory',
-                  'manta',
-                  'mssql',
-                  'mysql',
-                  'oci-object-storage',
-                  'postgresql',
-                  'raft',
-                  's3',
-                  'swift',
-                  'zookeeper'
-                ]
-              }, {
-                category: 'service-registration',
-                content: [
-                  'consul',
-                ]
-              },
-              'telemetry',
-              { category: 'ui' },
-              { category: 'entropy-augmentation' }
-            ]
-          }, {
-            category: 'commands',
-            content: [
-            'agent',
-            {
-              category: 'audit',
-              content: [
-                'disable',
-                'enable',
-                'list'
-              ]
-            }, {
-              category: 'auth',
-              content: [
-                'disable',
-                'enable',
-                'help',
-                'list',
-                'tune'
-              ]
-            },
-            'debug',
-            'delete',
-            {
-              category: 'kv',
-              content: [
-                'delete',
-                'destroy',
-                'enable-versioning',
-                'get',
-                'list',
-                'metadata',
-                'patch',
-                'put',
-                'rollback',
-                'undelete'
-              ]
-            },
-            {
-              category: 'lease',
-              content: ['renew', 'revoke']
-            },
-            'list',
-            'login',
-            'namespace',
-            {
-              category: 'operator',
-              content: [
-                'generate-root',
-                'init',
-                'key-status',
-                'migrate',
-                'rekey',
-                'rotate',
-                'seal',
-                'step-down',
-                'unseal'
-              ]
-            },
-            'path-help',
-            {
-              category: 'plugin',
-              content: [
-                'deregister',
-                'info',
-                'list',
-                'register'
-              ]
-            },
-            {
-              category: 'policy',
-              content: [
-                'delete',
-                'fmt',
-                'list',
-                'read',
-                'write'
-              ]
-            },
-            'read',
-            {
-              category: 'secrets',
-              content: [
-                'disable',
-                'enable',
-                'list',
-                'move',
-                'tune'
-              ]
-            },
-            'server',
-            'ssh',
-            'status',
-            {
-              category: 'token',
-              content: [
-                'capabilities',
-                'create',
-                'lookup',
-                'renew',
-                'revoke'
-              ]
-            },
-            'unwrap',
-            'version',
-            'write',
-            'token-helper'
-            ]
-          }, {
-            category: 'agent',
-            content: [
-              {
-                category: 'autoauth',
-                content: [
-                  {
-                    category: 'methods',
-                    content: [
-                      'alicloud',
-                      'approle',
-                      'aws',
-                      'azure',
-                      'cert',
-                      'cf',
-                      'gcp',
-                      'jwt',
-                      'kubernetes'
-                    ]
-                  }, {
-                    category: 'sinks',
-                    content: ['file']
-                  }
-                ]
-              },
-              { category: 'caching' },
-              { category: 'template' }
-            ]
-          },
-          '----------------',
-          {
-            category: 'secrets',
-            content: [
-              { category: 'ad' },
-              { category: 'alicloud' },
-              { category: 'aws' },
-              { category: 'azure' },
-              { category: 'consul' },
-              { category: 'cubbyhole' },
-              {
-                category: 'databases',
-                content: [
-                  'cassandra',
-                  'elasticdb',
-                  'influxdb',
-                  'hanadb',
-                  'mongodb',
-                  'mssql',
-                  'mysql-maria',
-                  'postgresql',
-                  'oracle',
-                  'custom'
-                ]
-              },
-              { category: 'gcp' },
-              { category: 'gcpkms' },
-              { category: 'kmip' },
-              {
-                category: 'kv',
-                content: ['kv-v1','kv-v2']
-              },
-              { category: 'identity' },
-              { category: 'nomad' },
-              { category: 'pki' },
-              { category: 'rabbitmq' },
-              {
-                category: 'ssh',
-                content: [
-                  'signed-ssh-certificates',
-                  'one-time-ssh-passwords',
-                  'dynamic-ssh-keys'
-                ]
-              },
-              { category: 'totp' },
-              { category: 'transit' },
-              '------------------------',
-              { category: 'cassandra' },
-              { category: 'mongodb' },
-              { category: 'mssql' },
-              { category: 'mysql' },
-              { category: 'postgresql' }
-            ]
-          }, {
-            category: 'auth',
-            content: [
-              'approle',
-              'alicloud',
-              'aws',
-              'azure',
-              'cf',
-              'gcp',
-              'jwt',
-              'kerberos',
-              'kubernetes',
-              'github',
-              'ldap',
-              'oci',
-              'okta',
-              'radius',
-              'cert',
-              'token',
-              'userpass',
-              '---------',
-              'app-id',
-              'mfa'
-            ]
-          }, {
-            category: 'audit',
-            content: [
-              'file',
-              'syslog',
-              'socket'
-            ]
-          }, {
-            category: 'plugin'
-          },
-          '----------------',
-          {
-            category: 'what-is-vault',
-          },
-          {
-            category: 'use-cases',
-          },
-          {
-            category: 'partnerships'
-          },
-          {
-            category: 'vs',
-            content: [
-              'chef-puppet-etc',
-              'hsm',
-              'dropbox',
-              'consul',
-              'kms',
-              'keywhiz',
-              'custom'
-            ]
-          },
-          '----------------',
-          {
-            category: 'platform',
-            content: [
-              {
-                category: 'k8s',
-                content: [
-                  {
-                    category: 'helm',
-                    content: [
-                      'run',
-                      'configuration',
-                      'examples'
-                    ]
-                  },
-                  {
-                    category: 'injector',
-                    content: [
-                      'installation',
-                      'examples'
-                    ]
-                  },
-                ]
-              },
-              {
-                category: 'aws-mp',
-                content: [
-                  'run'
-                ]
-              }
-            ]
-          },
-          '----------------',
-          {
-            category: 'upgrading',
-            content: [
-              'plugins',
-              'upgrade-to-0.5.0',
-              'upgrade-to-0.5.1',
-              'upgrade-to-0.6.0',
-              'upgrade-to-0.6.1',
-              'upgrade-to-0.6.2',
-              'upgrade-to-0.6.3',
-              'upgrade-to-0.6.4',
-              'upgrade-to-0.7.0',
-              'upgrade-to-0.8.0',
-              'upgrade-to-0.9.0',
-              'upgrade-to-0.9.1',
-              'upgrade-to-0.9.2',
-              'upgrade-to-0.9.3',
-              'upgrade-to-0.9.6',
-              'upgrade-to-0.10.0',
-              'upgrade-to-0.10.2',
-              'upgrade-to-0.10.4',
-              'upgrade-to-0.11.0',
-              'upgrade-to-0.11.2',
-              'upgrade-to-0.11.6',
-              'upgrade-to-1.0.0',
-              'upgrade-to-1.1.0',
-              'upgrade-to-1.1.1',
-              'upgrade-to-1.1.2',
-              'upgrade-to-1.2.0',
-              'upgrade-to-1.2.1',
-              'upgrade-to-1.2.4',
-              'upgrade-to-1.3.0'
-            ]
-          },
-          '----------------',
-          {
-            category: 'enterprise',
-            content: [
-              { category: 'replication' },
-              {
-                category: 'hsm',
-                content: ['behavior', 'security']
-              },
-              { category: 'entropy-augmentation' },
-              { category: 'sealwrap' },
-              { category: 'namespaces' },
-              { category: 'performance-standby' },
-              { category: 'control-groups' },
-              {
-                category: 'mfa',
-                content: [
-                  'mfa-duo',
-                  'mfa-okta',
-                  'mfa-pingid',
-                  'mfa-totp'
-                ]
-              },
-              {
-                category: 'sentinel',
-                content: ['examples', 'properties']
-              }
-            ]
-          }
-        ]) %>")
-      ></hashi-docs-sidenav>
-    </div>
-  <% end %>
-
-  <article class='g-content g-type-long-body vault'>
-    <%= yield %>
-  </article>
-<% end %>
diff --git a/website/source/layouts/guides.erb b/website/source/layouts/guides.erb
deleted file mode 100644
index 8ee72b69b7a9..000000000000
--- a/website/source/layouts/guides.erb
+++ /dev/null
@@ -1,70 +0,0 @@
-<% wrap_layout :inner do %>
-  <% content_for :sidebar do %>
-    <div class="nav docs-nav">
-      <hashi-docs-sidenav
-        category='guides'
-        current_page='<%= current_page.path %>'
-        data="<%= encode(get_sidebar_data('guides')) %>"
-        order="<%= encode([
-          {
-            category: 'getting-started',
-          }, {
-            category: 'operations',
-            content: [
-              'reference-architecture',
-              'vault-ha-consul',
-              'production',
-              'generate-root',
-              'rekeying-and-rotating',
-              'plugin-backends',
-              '--------------',
-              'replication',
-              'disaster-recovery',
-              'mount-filter',
-              'multi-tenant',
-              'autounseal-aws-kms',
-              'seal-wrap',
-              'monitoring'
-            ]
-          }, {
-            category: 'identity',
-            content: [
-              'secure-intro',
-              'policies',
-              'authentication',
-              'approle-trusted-entities',
-              'lease',
-              'identity',
-              '--------------',
-              'sentinel',
-              'control-groups'
-            ]
-          }, {
-            category: 'secret-mgmt',
-            content: [
-              'static-secrets',
-              'versioned-kv',
-              'dynamic-secrets',
-              'db-root-rotation',
-              'cubbyhole',
-              'ssh-otp',
-              'pki-engine',
-              'app-integration'
-            ]
-          }, {
-            category: 'encryption',
-            content: [
-              'transit',
-              'spring-demo',
-              'transit-rewrap'
-            ]
-          }
-        ]) %>")
-      ></hashi-docs-sidenav>
-    </div>
-  <% end %>
-
-  <article class='g-content g-type-long-body vault'>
-    <%= yield %>
-  </article>
-<% end %>
diff --git a/website/source/layouts/inner.erb b/website/source/layouts/inner.erb
deleted file mode 100644
index f0c6659a6345..000000000000
--- a/website/source/layouts/inner.erb
+++ /dev/null
@@ -1,13 +0,0 @@
-<% wrap_layout :layout do %>
-	<%= partial "partials/subnav" %>
-
-	<div class="content-wrap g-container">
-		<div id="sidebar" role="complementary">
-			<%= yield_content :sidebar %>
-		</div>
-
-		<div id="inner" role="main">
-			<%= yield %>
-		</div>
-	</div>
-<% end %>
diff --git a/website/source/layouts/intro.erb b/website/source/layouts/intro.erb
deleted file mode 100644
index 6a36535cfa3b..000000000000
--- a/website/source/layouts/intro.erb
+++ /dev/null
@@ -1,32 +0,0 @@
-<% wrap_layout :inner do %>
-  <% content_for :sidebar do %>
-    <div class="nav docs-nav">
-      <hashi-docs-sidenav
-        category='intro'
-        current_page='<%= current_page.path %>'
-        data="<%= encode(get_sidebar_data('intro')) %>"
-        order="<%= encode([
-          {
-            category: 'getting-started',
-            content: [
-              'dev-server',
-              'first-secret',
-              'secrets-engines',
-              'dynamic-secrets',
-              'help',
-              'authentication',
-              'policies',
-              'deploy',
-              'apis',
-              'next-steps'
-            ]
-          }
-        ]) %>")
-      ></hashi-docs-sidebar>
-    </div>
-  <% end %>
-
-  <article class='g-content g-type-long-body vault'>
-    <%= yield %>
-  </article>
-<% end %>
diff --git a/website/source/layouts/layout.erb b/website/source/layouts/layout.erb
deleted file mode 100644
index bda806c1be6c..000000000000
--- a/website/source/layouts/layout.erb
+++ /dev/null
@@ -1,76 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8">
-    <meta name="mobile-web-app-capable" content="yes">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <meta name="description" content="<%= description_for(current_page) %>">
-
-    <link rel="apple-touch-icon" sizes="180x180" href="/img/favicons/apple-touch-icon.png">
-    <link rel="icon" type="image/png" href="/img/favicons/favicon-32x32.png" sizes="32x32">
-    <link rel="icon" type="image/png" href="/img/favicons/favicon-16x16.png" sizes="16x16">
-    <link rel="manifest" href="/android-manifest.json">
-    <link rel="mask-icon" href="/img/favicons/safari-pinned-tab.svg" color="#23414a">
-    <meta name="msapplication-config" content="/microsoft-tile.xml" />
-    <meta name="theme-color" content="#ffffff">
-
-    <meta name="twitter:card" content="summary_large_image" />
-    <meta name="twitter:site" content="@HashiCorp" />
-    <meta name="twitter:creator" content="@HashiCorp" />
-    <meta property="og:url" content="<%= File.join(config[:base_url], current_page.url) %>" />
-    <meta property="og:title" content="<%= title_for(current_page) %>" />
-    <meta property="og:site_name" content="Vault by HashiCorp"/>
-    <meta property="og:image" content="<%= image_url("og-image.png") %>"/>
-    <meta property="og:image:width" content="1200"/>
-    <meta property="og:image:height" content="1200"/>
-    <meta property="og:description" content="<%= description_for(current_page) %>" />
-
-    <title><%= title_for(current_page) %></title>
-
-    <!-- Typekit script to import Klavika and Open Sans font -->
-    <script src="https://use.typekit.net/ypp5bnp.js"></script>
-    <script>try{Typekit.load({ async: false });}catch(e){}</script>
-
-    <link rel='stylesheet' href='/css/index.css' />
-
-    <script>
-      // segment analytics
-      !function(){var analytics=window.analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","once","off","on"];analytics.factory=function(t){return function(){var e=Array.prototype.slice.call(arguments);e.unshift(t);analytics.push(e);return analytics}};for(var t=0;t<analytics.methods.length;t++){var e=analytics.methods[t];analytics[e]=analytics.factory(e)}analytics.load=function(t,e){var n=document.createElement("script");n.type="text/javascript";n.async=!0;n.src="https://cdn.segment.com/analytics.js/v1/"+t+"/analytics.min.js";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(n,a);analytics._loadOptions=e};analytics.SNIPPET_VERSION="4.1.0";
-      analytics.page({
-        properties: {
-          url: window.location.href,
-          path: window.location.pathname,
-          search: window.location.search,
-          title: document.title,
-          referrer: document.referrer
-        }
-      });
-      }}();
-    </script>
-
-    <%= yield_content :head %>
-  </head>
-
-  <body id="<%= body_id_for(current_page) %>" class="<%= body_classes_for(current_page) %>">
-    <hashi-mega-nav title="<%= defined?(@meganav_title).nil? ? '' : @meganav_title %>" _data="<%= encode(dato.mega_nav) %>"></hashi-mega-nav>
-    <div id="consent-manager"></div>
-    <main><%= yield %></main>
-    <hashi-footer _data="<%= encode(dato.global_footer) %>"></hashi-footer>
-
-    <%= yield_content :scripts %>
-    <script src='/js/consent-manager.js'></script>
-    <script src='/js/main.js'></script>
-
-    <script type="application/ld+json">
-      {
-        "@context": "http://schema.org",
-        "@type": "Product",
-        "name": "Vault",
-        "alternateName": "Vault by HashiCorp",
-        "manufacturer": "HashiCorp",
-        "url": "https://www.vaultproject.io",
-        "logo": "<%= File.join(config[:base_url], '/img/logo-hashicorp.svg') %>"
-      }
-    </script>
-  </body>
-</html>
diff --git a/website/source/microsoft-tile.xml.builder b/website/source/microsoft-tile.xml.builder
deleted file mode 100644
index 621837defb9f..000000000000
--- a/website/source/microsoft-tile.xml.builder
+++ /dev/null
@@ -1,14 +0,0 @@
----
-layout: false
-noindex: true
----
-
-xml.instruct!
-xml.browserconfig do
-  xml.msapplication do
-    xml.tile do
-      xml.square150x150logo src: image_path("favicons/mstile-150x150.png")
-      xml.TileColor "#603cba"
-    end
-  end
-end
diff --git a/website/source/netlify-redirects b/website/source/netlify-redirects
deleted file mode 100644
index 66586f3a55a5..000000000000
--- a/website/source/netlify-redirects
+++ /dev/null
@@ -1,178 +0,0 @@
-# API landing
-/api  /api/overview
-
-# Docs landing
-/docs  /docs/install/index.html
-
-# Intro landing
-/intro /intro/getting-started/index.html
-
-/api/secret/generic/index.html  /api/secret/kv
-/api/system/renew.html  /api/system/leases
-/api/system/revoke-force.html /api/system/leases
-/api/system/revoke-prefix.html  /api/system/leases
-/api/system/revoke.html /api/system/leases
-/docs/auth/aws-ec2.html /docs/auth/aws
-/docs/commands/environment.html  /docs/commands/#environment-variables
-/docs/commands/help.html  /docs/commands/path-help
-/docs/commands/read-write.html /docs/commands#reading-and-writing-data
-/docs/config/index.html /docs/configuration
-/docs/configuration/storage/google-cloud.html  /docs/configuration/storage/google-cloud-storage
-/docs/configuration/storage/spanner.html /docs/configuration/storage/google-cloud-spanner
-/docs/enterprise/auto-unseal/index.html /docs/concepts/seal.html
-/docs/enterprise/hsm/configuration.html  /docs/configuration/seal/pkcs11
-/docs/enterprise/ui/index.html  /docs/configuration/ui
-/docs/guides/generate-root.html /guides/operations/generate-root
-/docs/guides/index.html /guides
-/docs/guides/production.html  /guides/operations/production
-/docs/guides/replication.html /guides/operations/replication
-/docs/guides/upgrading/index.html      /docs/upgrading
-/docs/guides/upgrading/upgrade-to-0.5.0.html /docs/upgrading/upgrade-to-0.5.0
-/docs/guides/upgrading/upgrade-to-0.5.1.html /docs/upgrading/upgrade-to-0.5.1
-/docs/guides/upgrading/upgrade-to-0.6.0.html /docs/upgrading/upgrade-to-0.6.0
-/docs/guides/upgrading/upgrade-to-0.6.1.html /docs/upgrading/upgrade-to-0.6.1
-/docs/guides/upgrading/upgrade-to-0.6.2.html /docs/upgrading/upgrade-to-0.6.2
-/docs/guides/upgrading/upgrade-to-0.6.3.html /docs/upgrading/upgrade-to-0.6.3
-/docs/guides/upgrading/upgrade-to-0.6.4.html /docs/upgrading/upgrade-to-0.6.4
-/docs/guides/upgrading/upgrade-to-0.7.0.html /docs/upgrading/upgrade-to-0.7.0
-/guides/upgrading/upgrade-to-0.5.0.html /docs/upgrading/upgrade-to-0.5.0
-/guides/upgrading/upgrade-to-0.5.1.html /docs/upgrading/upgrade-to-0.5.1
-/guides/upgrading/upgrade-to-0.6.0.html /docs/upgrading/upgrade-to-0.6.0
-/guides/upgrading/upgrade-to-0.6.1.html /docs/upgrading/upgrade-to-0.6.1
-/guides/upgrading/upgrade-to-0.6.2.html /docs/upgrading/upgrade-to-0.6.2
-/guides/upgrading/upgrade-to-0.6.3.html /docs/upgrading/upgrade-to-0.6.3
-/guides/upgrading/upgrade-to-0.6.4.html /docs/upgrading/upgrade-to-0.6.4
-/guides/upgrading/upgrade-to-0.7.0.html /docs/upgrading/upgrade-to-0.7.0
-/guides/upgrading/upgrade-to-0.8.0.html /docs/upgrading/upgrade-to-0.8.0
-/guides/upgrading/upgrade-to-0.9.0.html /docs/upgrading/upgrade-to-0.9.0
-/guides/upgrading/upgrade-to-0.9.1.html /docs/upgrading/upgrade-to-0.9.1
-/guides/upgrading/upgrade-to-0.9.2.html /docs/upgrading/upgrade-to-0.9.2
-/guides/upgrading/upgrade-to-0.9.3.html /docs/upgrading/upgrade-to-0.9.3
-/guides/upgrading/upgrade-to-0.9.6.html /docs/upgrading/upgrade-to-0.9.6
-/guides/upgrading/upgrade-to-0.10.0.html /docs/upgrading/upgrade-to-0.10.0
-/guides/upgrading/upgrade-to-0.10.2.html /docs/upgrading/upgrade-to-0.10.2
-/guides/upgrading/upgrade-to-0.10.4.html /docs/upgrading/upgrade-to-0.10.4
-/guides/upgrading/upgrade-to-0.11.0.html /docs/upgrading/upgrade-to-0.11.0
-/guides/upgrading/upgrade-to-0.11.2.html /docs/upgrading/upgrade-to-0.11.2
-/guides/upgrading/upgrade-to-1.0.html /docs/upgrading/upgrade-to-1.0.0
-/docs/http/sys-audit.html /api/system/audit
-/docs/http/sys-auth.html  /api/system/auth
-/docs/http/sys-health.html  /api/system/health
-/docs/http/sys-init.html  /api/system/init
-/docs/http/sys-key-status.html  /api/system/key-status
-/docs/http/sys-leader.html  /api/system/leader
-/docs/http/sys-mounts.html  /api/system/mounts
-/docs/http/sys-policy.html  /api/system/policy
-/docs/http/sys-raw.html /api/system/raw
-/docs/http/sys-rekey.html /api/system/rekey
-/docs/http/sys-remount.html /api/system/remount
-/docs/http/sys-renew.html /api/system/leases
-/docs/http/sys-revoke-prefix.html /api/system/leases
-/docs/http/sys-revoke.html  /api/system/leases
-/docs/http/sys-rotate.html  /api/system/rotate
-/docs/http/sys-seal-status.html /api/system/seal-status
-/docs/http/sys-seal.html  /api/system/seal
-/docs/http/sys-unseal.html  /api/system/unseal
-/docs/install/install.html  /docs/install
-/docs/install/upgrade-to-0.5.1.html  /docs/upgrading/upgrade-to-0.5.1
-/docs/install/upgrade-to-0.5.html /docs/upgrading/upgrade-to-0.5.0
-/docs/install/upgrade-to-0.6.1.html  /docs/upgrading/upgrade-to-0.6.1
-/docs/install/upgrade-to-0.6.2.html  /docs/upgrading/upgrade-to-0.6.2
-/docs/install/upgrade-to-0.6.html /docs/upgrading/upgrade-to-0.6.0
-/docs/install/upgrade.html  /docs/upgrading
-/docs/secrets/custom.html /docs/plugin
-/docs/secrets/generic/index.html  /docs/secrets/kv
-/docs/vault-enterprise/hsm/behavior.html /docs/enterprise/hsm/behavior
-/docs/vault-enterprise/hsm/configuration.html  /docs/enterprise/hsm/configuration
-/docs/vault-enterprise/hsm/index.html /docs/enterprise/hsm
-/docs/vault-enterprise/hsm/security.html /docs/enterprise/hsm/security
-/docs/vault-enterprise/identity/index.html /docs/enterprise/identity
-/docs/vault-enterprise/index.html /docs/enterprise
-/docs/vault-enterprise/mfa/index.html /docs/enterprise/mfa
-/docs/vault-enterprise/mfa/mfa-duo.html /docs/enterprise/mfa/mfa-duo
-/docs/vault-enterprise/mfa/mfa-okta.html /docs/enterprise/mfa/mfa-okta
-/docs/vault-enterprise/mfa/mfa-pingid.html /docs/enterprise/mfa/mfa-pingid
-/docs/vault-enterprise/mfa/mfa-totp.html /docs/enterprise/mfa/mfa-totp
-/docs/vault-enterprise/replication/index.html  /docs/enterprise/replication
-/docs/vault-enterprise/ui/index.html  /docs/configuration/ui
-/guides/authentication.html /guides/identity/authentication
-/guides/configuration/authentication.html  /guides/identity/authentication
-/guides/configuration/generate-root.html /guides/operations/generate-root
-/guides/configuration/lease.html  /guides/identity/lease
-/guides/configuration/plugin-backends.html /guides/operations/plugin-backends
-/guides/configuration/policies.html /guides/identity/policies
-/guides/configuration/rekeying-and-rotating.html /guides/operations/rekeying-and-rotating
-/guides/cubbyhole.html  /guides/secret-mgmt/cubbyhole
-/guides/dynamic-secret.html /guides/secret-mgmt/dynamic-secret
-/guides/generate-root.html  /guides/operations/generate-root
-/guides/lease.html  /guides/identity/lease
-/guides/plugin-backends.html  /guides/operations/plugin-backends
-/guides/policies.html /guides/identity/policies
-/guides/production.html /guides/operations/production
-/guides/rekeying-and-rotating.html /guides/operations/rekeying-and-rotating
-/guides/replication.html  /guides/operations/replication
-/guides/static-secrets.html /guides/secret-mgmt/static-secrets
-/intro/getting-started/acl.html /intro/getting-started/policies
-/intro/getting-started/secret-backends.html  /intro/getting-started/secrets-engines
-
-/guides/getting-started/index.html              https://learn.hashicorp.com/vault
-
-/guides/operations/index.html                   https://learn.hashicorp.com/vault/?track=operations#operations
-/guides/operations/reference-architecture.html  https://learn.hashicorp.com/vault/operations/ops-reference-architecture
-/guides/operations/deployment-guide.html        https://learn.hashicorp.com/vault/operations/ops-deployment-guide
-/guides/operations/vault-ha-consul.html         https://learn.hashicorp.com/vault/operations/ops-vault-ha-consul
-/guides/operations/production.html              https://learn.hashicorp.com/vault/operations/production-hardening
-/guides/operations/generate-root.html           https://learn.hashicorp.com/vault/operations/ops-generate-root
-/guides/operations/rekeying-and-rotating.html   https://learn.hashicorp.com/vault/operations/ops-rekeying-and-rotating
-/guides/operations/plugin-backends.html         https://learn.hashicorp.com/vault/developer/plugin-backends
-/guides/operations/replication.html             https://learn.hashicorp.com/vault/operations/ops-replication
-/guides/operations/disaster-recovery.html       https://learn.hashicorp.com/vault/operations/ops-disaster-recovery
-/guides/operations/mount-filter.html            https://learn.hashicorp.com/vault/operations/mount-filter
-/guides/operations/performance-nodes.html       https://learn.hashicorp.com/vault/operations/performance-standbys
-/guides/operations/multi-tenant.html            https://learn.hashicorp.com/vault/operations/namespaces
-/guides/operations/autounseal-aws-kms.html      https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms
-/guides/operations/seal-wrap.html               https://learn.hashicorp.com/vault/operations/ops-seal-wrap
-/guides/operations/monitoring.html              https://learn.hashicorp.com/vault/operations/monitoring
-
-# Identity
-/guides/identity/index.html                     https://learn.hashicorp.com/vault?track=identity-access-management#identity-access-management
-/guides/identity/secure-intro.html              https://learn.hashicorp.com/vault/identity-access-management/iam-secure-intro
-/guides/identity/policies.html                  https://learn.hashicorp.com/vault/identity-access-management/iam-policies
-/guides/identity/policy-templating.html         https://learn.hashicorp.com/vault/identity-access-management/policy-templating
-/guides/identity/authentication.html            https://learn.hashicorp.com/vault/identity-access-management/iam-authentication
-/guides/identity/approle-trusted-entities.html  https://learn.hashicorp.com/vault/identity-access-management/iam-approle-trusted-entities
-/guides/identity/lease.html                     https://learn.hashicorp.com/vault/secrets-management/tokens
-/guides/identity/identity.html                  https://learn.hashicorp.com/vault/identity-access-management/iam-identity
-/guides/identity/sentinel.html                  https://learn.hashicorp.com/vault/identity-access-management/iam-sentinel
-/guides/identity/control-groups.html            https://learn.hashicorp.com/vault/identity-access-management/iam-control-groups
-
-# Secret management
-/guides/secret-mgmt/index.html                  https://learn.hashicorp.com/vault/?track=secrets-management#secrets-management
-/guides/secret-mgmt/static-secrets.html         https://learn.hashicorp.com/vault/secrets-management/sm-static-secrets
-/guides/secret-mgmt/versioned-kv.html           https://learn.hashicorp.com/vault/secrets-management/sm-versioned-kv
-/guides/secret-mgmt/dynamic-secrets.html        https://learn.hashicorp.com/vault/secrets-management/sm-dynamic-secrets
-/guides/secret-mgmt/db-root-rotation.html       https://learn.hashicorp.com/vault/secrets-management/db-root-rotation
-/guides/secret-mgmt/cubbyhole.html              https://learn.hashicorp.com/vault/secrets-management/sm-cubbyhole
-/guides/secret-mgmt/ssh-otp.html                https://learn.hashicorp.com/vault/secrets-management/sm-ssh-otp
-/guides/secret-mgmt/pki-engine.html             https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine
-/guides/secret-mgmt/app-integration.html        https://learn.hashicorp.com/vault/developer/sm-app-integration
-
-# Encryption
-/guides/encryption/index.html                   https://learn.hashicorp.com/vault/?track=encryption-as-a-service#encryption-as-a-service
-/guides/encryption/transit.html                 https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit
-/guides/encryption/spring-demo.html             https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-spring-demo
-/guides/encryption/transit-rewrap.html          https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit-rewrap
-
-# Rearranged out of `guides` but still on `.io`
-/guides/partnerships/index.html /docs/partnerships
-/intro/use-cases.html /docs/use-cases
-/intro/vs/index.html  /docs/vs
-/intro/vs/chef-puppet-etc.html /docs/vs/chef-puppet-etc
-/intro/vs/consul.html /docs/vs/consul
-/intro/vs/custom.html /docs/vs/custom
-/intro/vs/dropbox.html /docs/vs/dropbox
-/intro/vs/hsm.html /docs/vs/hsm
-/intro/vs/index.html /docs/vs
-/intro/vs/keywhiz.html /docs/vs/keywhiz
-/intro/vs/kms.html /docs/vs/kms
-/intro/what-is-vault/index.html /docs/what-is-vault
\ No newline at end of file
diff --git a/website/source/partials/_subnav.html.erb b/website/source/partials/_subnav.html.erb
deleted file mode 100644
index 2e5a56fd8c94..000000000000
--- a/website/source/partials/_subnav.html.erb
+++ /dev/null
@@ -1 +0,0 @@
-<hashi-product-subnav project_site="true" _data="<%= encode(getSubNavData) %>"></hashi-product-subnav>
\ No newline at end of file
diff --git a/website/source/partials/_tokenfields.html.md.erb b/website/source/partials/_tokenfields.html.md.erb
deleted file mode 100644
index e97fd626d746..000000000000
--- a/website/source/partials/_tokenfields.html.md.erb
+++ /dev/null
@@ -1,11 +0,0 @@
-- `token_ttl` `(integer: 0 or string: "")` - The incremental lifetime for
-generated tokens. This current value of this will be referenced at renewal
-time.
-- `token_max_ttl` `(integer: 0 or string: "")` - The maximum lifetime for
-generated tokens. This current value of this will be referenced at renewal
-time.
-- `token_policies` `(array: [] or comma-delimited string: "")` - List of
-policies to encode onto generated tokens. Depending on the auth method, this
-list may be supplemented by user/group/other values.
-
-<%= partial "partials/tokenstorefields" %>
diff --git a/website/source/partials/_tokenstorefields.html.md.erb b/website/source/partials/_tokenstorefields.html.md.erb
deleted file mode 100644
index c91f2bf3937c..000000000000
--- a/website/source/partials/_tokenstorefields.html.md.erb
+++ /dev/null
@@ -1,22 +0,0 @@
-- `token_bound_cidrs` `(array: [] or comma-delimited string: "")` - List of
-  CIDR blocks; if set, specifies blocks of IP addresses which can authenticate
-  successfully, and ties the resulting token to these blocks as well.
-- `token_explicit_max_ttl` `(integer: 0 or string: "")` - If set, will encode
-an [explicit max
-TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
-onto the token. This is a hard cap even if `token_ttl` and `token_max_ttl`
-would otherwise allow a renewal.
-- `token_no_default_policy` `(bool: false)` - If set, the `default` policy will
-not be set on generated tokens; otherwise it will be added to the policies set
-in `token_policies`.
-- `token_num_uses` `(integer: 0)` - The maximum number of times a generated
-token may be used (within its lifetime); 0 means unlimited.
-- `token_period` `(integer: 0 or string: "")` - The
-[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
-if any, to set on the token.
-- `token_type` `(string: "")` - The type of token that should be generated. Can
-be `service`, `batch`, or `default` to use the mount's tuned default (which
-unless changed will be `service` tokens). For token store roles, there are two
-additional possibilities: `default-service` and `default-batch` which specify
-the type to return unless the client requests a different type at generation
-time.
diff --git a/website/source/partials/_use-case-cta-section.html.erb b/website/source/partials/_use-case-cta-section.html.erb
deleted file mode 100644
index 1a70a7d9e958..000000000000
--- a/website/source/partials/_use-case-cta-section.html.erb
+++ /dev/null
@@ -1,12 +0,0 @@
-<section class="g-section-block g-cta-section">
-    <div>
-        <h2>Ready to get started?</h2>
-        <a class="g-btn white download" href="/downloads.html">
-            <svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
-            <path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"></path>
-            </svg>
-            Download
-        </a>
-        <a class="g-btn white-outline" href="/docs">Explore Docs</a>
-    </div>
-</section>
\ No newline at end of file
diff --git a/website/source/robots.txt b/website/source/robots.txt
deleted file mode 100644
index 190c6ce04596..000000000000
--- a/website/source/robots.txt
+++ /dev/null
@@ -1,8 +0,0 @@
----
-layout: false
-noindex: true
----
-
-User-agent: *
-Disallow: /404
-Disallow: /500
diff --git a/website/source/security.html.erb b/website/source/security.html.erb
deleted file mode 100644
index aba12837dea1..000000000000
--- a/website/source/security.html.erb
+++ /dev/null
@@ -1,27 +0,0 @@
----
-layout: "inner"
-page_title: "Security"
-description: |-
-  Vault takes security very seriously. Please responsibly disclose any security vulnerabilities found and we'll handle it quickly.
----
-
-<h1>Security</h1>
-
-<p>
-We understand that many users place a high level of trust in HashiCorp and
-the tools we build. We apply best practices and focus on security to make
-sure we can maintain the trust of the community.
-</p>
-<p>
-We deeply appreciate any effort to disclose vulnerabilities responsibly.
-</p>
-<p>
-If you would like to report a vulnerability, please see the
-<a href="https://www.hashicorp.com/security.html">HashiCorp security page</a>,
-which has the proper email to communicate with as well as our PGP key.
-</p>
-<p>
-If you aren't reporting a security sensitive vulnerability, please
-open an issue on the standard <a href="https://github.com/hashicorp/vault">GitHub</a>
-repository.
-</p>
diff --git a/website/source/sitemap.xml.builder b/website/source/sitemap.xml.builder
deleted file mode 100644
index a2b5b1a55853..000000000000
--- a/website/source/sitemap.xml.builder
+++ /dev/null
@@ -1,19 +0,0 @@
----
-layout: false
----
-
-xml.instruct!
-xml.urlset 'xmlns' => "http://www.sitemaps.org/schemas/sitemap/0.9" do
-  sitemap
-    .resources
-    .select { |page| page.path =~ /\.html/ }
-    .select { |page| !page.data.noindex }
-    .each do |page|
-      xml.url do
-        xml.loc File.join(config[:base_url], page.url)
-        xml.lastmod Date.today.to_time.iso8601
-        xml.changefreq page.data.changefreq || "monthly"
-        xml.priority page.data.priority || "0.5"
-      end
-  end
-end
diff --git a/website/source/use-cases/data-encryption/index.html.erb b/website/source/use-cases/data-encryption/index.html.erb
deleted file mode 100644
index 8870618943f9..000000000000
--- a/website/source/use-cases/data-encryption/index.html.erb
+++ /dev/null
@@ -1,83 +0,0 @@
-<%= partial "partials/subnav" %>
-
-<div class='g-section-block page-wrap'>
-
-  <%-# Header / Buttons -%>
-
-  <section class='g-container'>
-    <hashi-section-header
-      headline="Encrypt Application Data in Low Trust Networks"
-      description="Keep application data secure with one centralized workflow to encrypt data in flight and at rest"
-      use_h1="true"
-    ></hashi-section-header>
-
-    <div class='button-container'>
-      <hashi-button
-        title="Download"
-        url="/downloads.html"
-      ></hashi-button>
-      <hashi-button
-        title="Get Started"
-        url="/intro"
-        classes="dark-outline"
-      ></hashi-button>
-    </div>
-  </section>
-
-  <%-# Before After Diagram -%>
-
-  <section>
-    <div class="g-container">
-      <hashi-before-after _data='<%= encode({
-        before_image: {
-          url: "https://www.datocms-assets.com/2885/1539885046-data-protectionchallenge.svg",
-          format: "svg"
-        },
-        before_headline: "The Challenge",
-        before_content: "All application data should be encrypted, but deploying a cryptography and key management infrastructure is expensive, hard to develop against, and not cloud or multi-datacenter friendly",
-        after_image: {
-          url: "https://www.datocms-assets.com/2885/1539885039-data-protectionsolution.svg",
-          format: "svg"
-        },
-        after_headline: "The Solution",
-        after_content: "Vault provides encryption as a service with centralized key management to simplify encrypting data in transit and at rest across clouds and data centers"
-      }) %>'></hashi-before-after>
-    </div>
-  </section>
-
-  <%-# Features / Text And Content -%>
-
-  <section class='g-container pad-bottom'>
-    <hashi-section-header headline="Encryption Features"></hashi-section-header>
-
-    <hashi-text-and-content _data='<%= encode({
-        text: "### API-driven Encryption
-
-Encrypt application data during transit and rest with AES 256-bit CBC data encryption and TLS in transit.",
-        content: {
-          item_type: "sbc_image",
-          image: {
-            url: "https://www.datocms-assets.com/2885/1539314348-eaas.png",
-            format: "png"
-          }
-        }
-    }) %>'></hashi-text-and-content>
-
-    <hashi-text-and-content _data='<%= encode({
-        reverse_direction: true,
-        text: "### Encryption Key Rolling
-
-Update and roll new keys throughout distributed infrastructure while retaining the ability to decrypt encrypted data",
-        content: {
-          item_type: "sbc_image",
-          image: {
-            url: "https://www.datocms-assets.com/2885/1539314609-encryption-key-rolling.png",
-            format: "png"
-          }
-        }
-}) %>'></hashi-text-and-content>
-  </section>
-
-  <%= partial "partials/use-case-cta-section" %>
-
-</div>
\ No newline at end of file
diff --git a/website/source/use-cases/identity-based-access/index.html.erb b/website/source/use-cases/identity-based-access/index.html.erb
deleted file mode 100644
index 11d347ca0085..000000000000
--- a/website/source/use-cases/identity-based-access/index.html.erb
+++ /dev/null
@@ -1,170 +0,0 @@
-<%= partial "partials/subnav" %>
-
-<div class='g-section-block page-wrap'>
-
-  <%-# Header / Buttons -%>
-
-  <section class='g-container'>
-    <hashi-section-header
-      headline="Leverage Trusted Identities in Low Trust Networks"
-      description="Authenticate and access different clouds, systems, and endpoints using trusted identities"
-      use_h1="true"
-    ></hashi-section-header>
-
-    <div class='button-container'>
-      <hashi-button
-        title="Download"
-        url="/downloads.html"
-      ></hashi-button>
-      <hashi-button
-        title="Get Started"
-        url="/intro"
-        classes="dark-outline"
-      ></hashi-button>
-    </div>
-  </section>
-
-  <%-# Before After Diagram -%>
-
-  <section>
-    <div class="g-container">
-      <hashi-before-after _data='<%= encode({
-        before_image: {
-          url: "/img/use-cases/identity-based-access/challenge.png",
-          format: "png"
-        },
-        before_headline: "The Challenge",
-        before_content: "With the proliferation of different clouds, services, and systems all with their own identity providers, organizations need a way to manage identity sprawl",
-        after_image: {
-          url: "/img/use-cases/identity-based-access/solution.png",
-          format: "png"
-        },
-        after_headline: "The Solution",
-        after_content: "Vault merges identities across providers and uses a unified ACL system to broker access to systems and secrets"
-      }) %>'></hashi-before-after>
-    </div>
-  </section>
-
-  <%-# Features / Text And Content -%>
-
-  <section class='g-container pad-bottom'>
-    <hashi-section-header headline="Identity-based Access Features"></hashi-section-header>
-
-    <div class="g-text-and-content">
-      <div class="text">
-        <div>
-          <h3 id="secure-plugins">Identity Plugins</h3>
-          <p>Improve the extensibility of Vault with pluggable identity backends</p>
-        </div>
-      </div>
-      <div class="content logo-grid">
-        <ul class="g-logo-grid large">
-          <% ['aws', 'azure', 'gcp', 'kubernetes', 'nomad', 'okta', 'pivotalcf', 'ssh'].each do |logo| %>
-            <li><img src='/img/use-cases/identity-based-access/logos/<%= logo %>.png'></li>
-          <% end %>
-        </ul>
-      </div>
-    </div>
-
-    <hashi-text-and-content _data='<%= encode({
-        reverse_direction: true,
-        text: "### Entities
-
-Integrated identities across platforms and using this information for policy and access control decisions.",
-        content: {
-            item_type: "sbc_image",
-            image: {
-                url: "/img/use-cases/identity-based-access/screenshot-entities.png",
-                format: "png",
-            }
-        }
-    }) %>'></hashi-text-and-content>
-
-    <hashi-text-and-content _data='<%= encode({
-        text: "### Control Groups
-
-Require multiple Identity Entities or members of Identity Groups to authorize an requested action.",
-        content: {
-            item_type: "sbc_image",
-            image: {
-                url: "/img/use-cases/identity-based-access/screenshot-control-groups.png",
-                format: "png",
-            }
-        }
-    }) %>'></hashi-text-and-content>
-
-    <hashi-text-and-content _data='<%= encode({
-        reverse_direction: true,
-        text: "### ACL Templates and Policy Control
-
-Create and manage policies that authorize access control throughout your infrastructure and organization",
-        content: {
-          item_type: "sbc_code_block",
-          chrome: true,
-          code: "# User template (user-tmpl.hcl)
-# Grant permissions on user specific path
-
-path \"user-kv/data/{{identity.entity.name}}/*\" {
-  capabilities = [ \"create\", \"update\", \"read\", \"delete\", \"list\" ]
-}
-
-# For Web UI usage
-path \"user-kv/metadata\" {
-  capabilities = [\"list\"]
-}
-
-# Group template (group-tmpl.hcl)
-# Grant permissions on the group specific path
-# The region is specified in the group metadata
-path \"group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*\" {
-  capabilities = [ \"create\", \"update\", \"read\", \"delete\", \"list\" ]
-}
-
-# Group member can update the group information
-path \"identity/group/id/{{identity.groups.names.education.id}}\" {
-  capabilities = [ \"update\", \"read\" ]
-}
-
-# For Web UI usage
-path \"group-kv/metadata\" {
-  capabilities = [\"list\"]
-}
-
-path \"identity/group/id\" {
-  capabilities = [ \"list\" ]
-}"
-    }
-}) %>'></hashi-text-and-content>
-
-    <hashi-text-and-content _data='<%= encode({
-        text: "### Identity Groups
-
-Group trusted identities into logical groups for group-based access control.",
-        content: {
-            item_type: "sbc_image",
-            image: {
-                url: "/img/use-cases/identity-based-access/screenshot-identity-groups.png",
-                format: "png",
-            }
-        }
-    }) %>'></hashi-text-and-content>
-
-    <hashi-text-and-content _data='<%= encode({
-        reverse_direction: true,
-        text: "### Multi-factor Authentication
-
-Enforce MFA workflows when accessing a secret or a secret path",
-        content: {
-          item_type: "sbc_code_block",
-          chrome: true,
-          code: "$ curl \
---header \"X-Vault-Token: ...\" \\
---header \"X-Vault-MFA:my_totp:695452\" \\
-http://127.0.0.1:8200/v1/secret/foo"
-        }
-}) %>'></hashi-text-and-content>
-  </section>
-
-  <%= partial "partials/use-case-cta-section" %>
-
-</div>
\ No newline at end of file
diff --git a/website/source/use-cases/secrets-management/index.html.erb b/website/source/use-cases/secrets-management/index.html.erb
deleted file mode 100644
index bc4d3471dcbe..000000000000
--- a/website/source/use-cases/secrets-management/index.html.erb
+++ /dev/null
@@ -1,169 +0,0 @@
-<%= partial "partials/subnav" %>
-
-<div class='g-section-block page-wrap'>
-
-  <%-# Header / Buttons -%>
-
-  <section class='g-container'>
-    <hashi-section-header
-      headline="Secrets Management in Low Trust Networks"
-      description="Centrally store, access, and deploy secrets across applications, systems, and infrastructure"
-      use_h1="true"
-    ></hashi-section-header>
-
-    <div class='button-container'>
-      <hashi-button
-        title="Download"
-        url="/downloads.html"
-      ></hashi-button>
-      <hashi-button
-        title="Get Started"
-        url="/intro"
-        classes="dark-outline"
-      ></hashi-button>
-    </div>
-  </section>
-
-  <%-# Before After Diagram -%>
-
-  <section class="pad-bottom">
-    <div class="g-container">
-      <hashi-before-after _data='<%= encode({
-        before_image: {
-          url: "https://www.datocms-assets.com/2885/1539885048-secrets-managementchallenge.svg",
-          format: "svg"
-        },
-        before_headline: "The Challenge",
-        before_content: "Secrets for applications and systems need to be centralized and static IP-based solutions don\'t scale in dynamic environments with frequently changing applications and machines",
-        after_image: {
-          url: "https://www.datocms-assets.com/2885/1539885054-secrets-managementsolution.svg",
-          format: "svg"
-        },
-        after_headline: "The Solution",
-        after_content: "Vault centrally manages and enforces access to secrets and systems based on trusted sources of application and user identity"
-      }) %>'></hashi-before-after>
-    </div>
-  </section>
-
-  <%-# Case Study Slider -%>
-
-  <section class="g-section-block theme-black-background-white-text">
-    <div class="g-container">
-      <hashi-case-study-slider _data="<%= encode(dato.vault_product_page.use_case_pages[0].content[2].layout.content[0].to_hash(4)) %>" dark='<%= true %>'></hashi-case-study-slider>
-    </div>
-  </section>
-
-  <%-# Features / Text And Content -%>
-
-  <section class='g-container pad-bottom'>
-    <hashi-section-header headline="Secret Management Features"></hashi-section-header>
-
-    <hashi-text-and-content _data='<%= encode({
-        text: "### Dynamic Secrets
-
-Dynamically create, revoke, and rotate secrets programmatically",
-        content: {
-            item_type: "sbc_image",
-            image: {
-                url: "https://www.datocms-assets.com/2885/1538684923-dynamic-secrets-screenshot.jpg",
-                format: "jpg",
-                size: 71545,
-                width: 668,
-                height: 504
-            }
-        }
-    }) %>'></hashi-text-and-content>
-
-    <hashi-text-and-content _data='<%= encode({
-        reverse_direction: true,
-        text: "### Secret Storage
-
-Encrypt data while at rest, in the storage backend of your choice",
-        content: {
-          item_type: "sbc_code_block",
-          chrome: true,
-          code: "$ cat vault.config
-
-storage \"consul\" {
-    address = \"127.0.0.1:8500\"
-    path    = \"vault\"
-}
-
-listener \"tcp\" {
-    address = \"127.0.0.1:8200\"
-}
-
-telemetry {
-    statsite_address = \"127.0.0.1:8125\"
-    disable_hostname = true
-}"
-    }
-}) %>'></hashi-text-and-content>
-
-<% secure_text_and_content = {
-        text: "### Secure Plugins
-
-Improve the extensibility of Vault with pluggable secret backends",
-        content: {
-            item_type: "sbc_logo_grid",
-            companies: dato.vault_product_page.use_case_pages[0].content[3].layout.content[4].content.companies.to_hash
-        }
-
-} %>
-    <hashi-text-and-content _data='<%= encode(secure_text_and_content) %>'></hashi-text-and-content>
-
-    <hashi-text-and-content _data='<%= encode({
-        reverse_direction: true,
-        text: "### Detailed Audit Logs
-
-Detailed audit log of all client interaction (authentication, token creation, secret access & revocation)",
-        content: {
-          item_type: "sbc_code_block",
-          chrome: true,
-          code: "$ cat audit.log | jq {
-    \"time\": \"2018-08-27T13:17:11.609621226Z\",
-    \"type\": \"response\",
-    \"auth\": {
-        \"client_token\": \"hmac-sha256:5c40f1e051ea75b83230a5bf16574090f697dfa22a78e437f12c1c9d226f45a5\",
-        \"accessor\": \"hmac-sha256:f254a2d442f172f0b761c9fd028f599ad91861ed16ac3a1e8d96771fd920e862\",
-        \"display_name\": \"token\",
-        \"metadata\": null,
-        \"entity_id\": \"\"
-    }
-}"
-    }
-}) %>'></hashi-text-and-content>
-
-    <hashi-text-and-content _data='<%= encode({
-        text: "### Leasing & Revoking Secrets
-
-Manage authorization and create time-based tokens for automatic revocation or manual revocation",
-        content: {
-          item_type: "sbc_code_block",
-          chrome: true,
-          code: "$ vault read database/creds/readonly
-
-Key             Value
----             -----
-lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
-lease_duration  1h0m0s
-lease_renewable true
-password        A1a-w2xv2zsq4r5ru940
-username        v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434
-[...]
-
-$ vault renew database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
-
-Key             Value
----             -----
-lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
-lease_duration  1h0m0s
-lease_renewable true
-$ vault lease revoke database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809"
-    }
-}) %>'></hashi-text-and-content>
-  </section>
-
-  <%= partial "partials/use-case-cta-section" %>
-
-</div>
\ No newline at end of file